Blame - servconf.c - platform/external/openssh

blob: 97c268e3c7a99497a874ac07c14628b796875590 [file] [log] [blame]

djm@openbsd.org	868109b	2015-07-01 02:39:06 +0000	[diff] [blame]	1
sf@openbsd.org	168b46f	2018-07-09 13:37:10 +0000	[diff] [blame^]	2	/* $OpenBSD: servconf.c,v 1.337 2018/07/09 13:37:10 sf Exp $ */
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	3	/*
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
				5	* All rights reserved
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	6	*
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	7	* As far as I am concerned, the code I have written for this software
				8	* can be used freely for any purpose. Any derived versions of this
				9	* software must be clearly marked as such, and if the derived work is
				10	* incompatible with the protocol description in the RFC file, it must be
				11	* called by a name other than "ssh" or "Secure Shell".
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	12	*/
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	13
				14	#include "includes.h"
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	15
Damien Miller	e3b60b5	2006-07-10 21:08:03 +1000	[diff] [blame]	16	#include <sys/types.h>
				17	#include <sys/socket.h>
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	18	#ifdef HAVE_SYS_SYSCTL_H
				19	#include <sys/sysctl.h>
				20	#endif
Damien Miller	e3b60b5	2006-07-10 21:08:03 +1000	[diff] [blame]	21
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	22	#include <netinet/in.h>
				23	#include <netinet/in_systm.h>
				24	#include <netinet/ip.h>
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	25	#ifdef HAVE_NET_ROUTE_H
				26	#include <net/route.h>
				27	#endif
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	28
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	29	#include <ctype.h>
Damien Miller	b8fe89c	2006-07-24 14:51:00 +1000	[diff] [blame]	30	#include <netdb.h>
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	31	#include <pwd.h>
Damien Miller	a7a73ee	2006-08-05 11:37:59 +1000	[diff] [blame]	32	#include <stdio.h>
Damien Miller	e7a1e5c	2006-08-05 11:34:19 +1000	[diff] [blame]	33	#include <stdlib.h>
Damien Miller	e3476ed	2006-07-24 14:13:33 +1000	[diff] [blame]	34	#include <string.h>
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	35	#include <signal.h>
Damien Miller	e6b3b61	2006-07-24 14:01:23 +1000	[diff] [blame]	36	#include <unistd.h>
deraadt@openbsd.org	2ae4f33	2015-01-16 06:40:12 +0000	[diff] [blame]	37	#include <limits.h>
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	38	#include <stdarg.h>
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	39	#include <errno.h>
Darren Tucker	e194ba4	2013-05-16 20:47:31 +1000	[diff] [blame]	40	#ifdef HAVE_UTIL_H
Darren Tucker	b7ee852	2013-05-16 20:33:10 +1000	[diff] [blame]	41	#include <util.h>
Darren Tucker	e194ba4	2013-05-16 20:47:31 +1000	[diff] [blame]	42	#endif
Damien Miller	be43ebf	2006-07-24 13:51:51 +1000	[diff] [blame]	43
Damien Miller	b84886b	2008-05-19 15:05:07 +1000	[diff] [blame]	44	#include "openbsd-compat/sys-queue.h"
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	45	#include "xmalloc.h"
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	46	#include "ssh.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	47	#include "log.h"
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	48	#include "buffer.h"
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	49	#include "misc.h"
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	50	#include "servconf.h"
Damien Miller	7892879	2000-04-12 20:17:38 +1000	[diff] [blame]	51	#include "compat.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	52	#include "pathnames.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	53	#include "cipher.h"
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	54	#include "key.h"
Ben Lindstrom	06b33aa	2001-02-15 03:01:59 +0000	[diff] [blame]	55	#include "kex.h"
				56	#include "mac.h"
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	57	#include "match.h"
Damien Miller	9b439df	2006-07-24 14:04:00 +1000	[diff] [blame]	58	#include "channels.h"
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	59	#include "groupaccess.h"
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	60	#include "canohost.h"
				61	#include "packet.h"
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	62	#include "hostfile.h"
				63	#include "auth.h"
djm@openbsd.org	57d378e	2014-08-19 23:58:28 +0000	[diff] [blame]	64	#include "myproposal.h"
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	65	#include "digest.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	66
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	67	static void add_listen_addr(ServerOptions , const char ,
				68	const char *, int);
				69	static void add_one_listen_addr(ServerOptions , const char ,
				70	const char *, int);
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	71
Ben Lindstrom	7a2073c	2002-03-22 02:30:41 +0000	[diff] [blame]	72	/* Use of privilege separation or not */
				73	extern int use_privsep;
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	74	extern Buffer cfg;
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	75
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	76	/* Initializes the server options to their default values. */
				77
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	78	void
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	79	initialize_server_options(ServerOptions *options)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	80	{
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	81	memset(options, 0, sizeof(*options));
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	82
				83	/* Portable-specific options */
Damien Miller	4e448a3	2003-05-14 15:11:48 +1000	[diff] [blame]	84	options->use_pam = -1;
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	85
				86	/* Standard Options */
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	87	options->num_ports = 0;
				88	options->ports_from_cmdline = 0;
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	89	options->queued_listen_addrs = NULL;
				90	options->num_queued_listens = 0;
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	91	options->listen_addrs = NULL;
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	92	options->num_listen_addrs = 0;
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	93	options->address_family = -1;
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	94	options->routing_domain = NULL;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	95	options->num_host_key_files = 0;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	96	options->num_host_cert_files = 0;
Damien Miller	85b45e0	2013-07-20 13:21:52 +1000	[diff] [blame]	97	options->host_key_agent = NULL;
Damien Miller	6f83b8e	2000-05-02 09:23:45 +1000	[diff] [blame]	98	options->pid_file = NULL;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	99	options->login_grace_time = -1;
chris@openbsd.org	3d5728a	2015-07-31 15:38:09 +0000	[diff] [blame]	100	options->permit_root_login = PERMIT_NOT_SET;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	101	options->ignore_rhosts = -1;
				102	options->ignore_user_known_hosts = -1;
				103	options->print_motd = -1;
Ben Lindstrom	7bfff36	2001-03-26 05:45:53 +0000	[diff] [blame]	104	options->print_lastlog = -1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	105	options->x11_forwarding = -1;
				106	options->x11_display_offset = -1;
Damien Miller	95c249f	2002-02-05 12:11:34 +1100	[diff] [blame]	107	options->x11_use_localhost = -1;
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	108	options->permit_tty = -1;
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	109	options->permit_user_rc = -1;
Damien Miller	d3a1857	2000-06-07 19:55:44 +1000	[diff] [blame]	110	options->xauth_location = NULL;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	111	options->strict_modes = -1;
Damien Miller	12c150e	2003-12-17 16:31:10 +1100	[diff] [blame]	112	options->tcp_keep_alive = -1;
Damien Miller	fcd9320	2002-02-05 12:26:34 +1100	[diff] [blame]	113	options->log_facility = SYSLOG_FACILITY_NOT_SET;
				114	options->log_level = SYSLOG_LEVEL_NOT_SET;
Ben Lindstrom	5eabda3	2001-04-12 23:34:34 +0000	[diff] [blame]	115	options->hostbased_authentication = -1;
				116	options->hostbased_uses_name_from_packet_only = -1;
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	117	options->hostbased_key_types = NULL;
markus@openbsd.org	3a1638d	2015-07-10 06:21:53 +0000	[diff] [blame]	118	options->hostkeyalgorithms = NULL;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	119	options->pubkey_authentication = -1;
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	120	options->pubkey_key_types = NULL;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	121	options->kerberos_authentication = -1;
				122	options->kerberos_or_local_passwd = -1;
				123	options->kerberos_ticket_cleanup = -1;
Darren Tucker	22ef508	2003-12-31 11:37:34 +1100	[diff] [blame]	124	options->kerberos_get_afs_token = -1;
Darren Tucker	0efd155	2003-08-26 11:49:55 +1000	[diff] [blame]	125	options->gss_authentication=-1;
				126	options->gss_cleanup_creds = -1;
djm@openbsd.org	d7c31da	2015-05-22 03:50:02 +0000	[diff] [blame]	127	options->gss_strict_acceptor = -1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	128	options->password_authentication = -1;
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	129	options->kbd_interactive_authentication = -1;
Ben Lindstrom	551ea37	2001-06-05 18:56:16 +0000	[diff] [blame]	130	options->challenge_response_authentication = -1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	131	options->permit_empty_passwd = -1;
Ben Lindstrom	5d860f0	2002-08-01 01:28:38 +0000	[diff] [blame]	132	options->permit_user_env = -1;
djm@openbsd.org	95344c2	2018-07-03 10:59:35 +0000	[diff] [blame]	133	options->permit_user_env_whitelist = NULL;
Ben Lindstrom	23e0f66	2002-06-21 01:09:47 +0000	[diff] [blame]	134	options->compression = -1;
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	135	options->rekey_limit = -1;
				136	options->rekey_interval = -1;
Damien Miller	50a41ed	2000-10-16 12:14:42 +1100	[diff] [blame]	137	options->allow_tcp_forwarding = -1;
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	138	options->allow_streamlocal_forwarding = -1;
Damien Miller	4f755cd	2008-05-19 14:57:41 +1000	[diff] [blame]	139	options->allow_agent_forwarding = -1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	140	options->num_allow_users = 0;
				141	options->num_deny_users = 0;
				142	options->num_allow_groups = 0;
				143	options->num_deny_groups = 0;
Damien Miller	7892879	2000-04-12 20:17:38 +1000	[diff] [blame]	144	options->ciphers = NULL;
Ben Lindstrom	06b33aa	2001-02-15 03:01:59 +0000	[diff] [blame]	145	options->macs = NULL;
Damien Miller	d5f62bf	2010-09-24 22:11:14 +1000	[diff] [blame]	146	options->kex_algorithms = NULL;
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	147	options->fwd_opts.gateway_ports = -1;
				148	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
				149	options->fwd_opts.streamlocal_bind_unlink = -1;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	150	options->num_subsystems = 0;
Damien Miller	942da03	2000-08-18 13:59:06 +1000	[diff] [blame]	151	options->max_startups_begin = -1;
				152	options->max_startups_rate = -1;
Damien Miller	3702396	2000-07-11 17:31:38 +1000	[diff] [blame]	153	options->max_startups = -1;
Darren Tucker	89413db	2004-05-24 10:36:23 +1000	[diff] [blame]	154	options->max_authtries = -1;
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	155	options->max_sessions = -1;
Ben Lindstrom	48bd7c1	2001-01-09 00:35:42 +0000	[diff] [blame]	156	options->banner = NULL;
Damien Miller	3a961dc	2003-06-03 10:25:48 +1000	[diff] [blame]	157	options->use_dns = -1;
Ben Lindstrom	5744dc4	2001-04-13 23:28:01 +0000	[diff] [blame]	158	options->client_alive_interval = -1;
				159	options->client_alive_count_max = -1;
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	160	options->num_authkeys_files = 0;
Darren Tucker	46bc075	2004-05-02 22:11:30 +1000	[diff] [blame]	161	options->num_accept_env = 0;
djm@openbsd.org	2801375	2018-06-09 03:03:10 +0000	[diff] [blame]	162	options->num_setenv = 0;
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	163	options->permit_tun = -1;
djm@openbsd.org	dbee411	2017-09-12 06:32:07 +0000	[diff] [blame]	164	options->permitted_opens = NULL;
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	165	options->permitted_listens = NULL;
Damien Miller	e275443	2006-07-24 14:06:47 +1000	[diff] [blame]	166	options->adm_forced_command = NULL;
Damien Miller	d8cb1f1	2008-02-10 22:40:12 +1100	[diff] [blame]	167	options->chroot_directory = NULL;
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	168	options->authorized_keys_command = NULL;
				169	options->authorized_keys_command_user = NULL;
Damien Miller	1aed65e	2010-03-04 21:53:35 +1100	[diff] [blame]	170	options->revoked_keys_file = NULL;
				171	options->trusted_user_ca_keys = NULL;
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	172	options->authorized_principals_file = NULL;
djm@openbsd.org	bcc50d8	2015-05-21 06:43:30 +0000	[diff] [blame]	173	options->authorized_principals_command = NULL;
				174	options->authorized_principals_command_user = NULL;
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	175	options->ip_qos_interactive = -1;
				176	options->ip_qos_bulk = -1;
Damien Miller	2352881	2012-04-22 11:24:43 +1000	[diff] [blame]	177	options->version_addendum = NULL;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	178	options->fingerprint_hash = -1;
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	179	options->disable_forwarding = -1;
djm@openbsd.org	8f57495	2017-06-24 06:34:38 +0000	[diff] [blame]	180	options->expose_userauth_info = -1;
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	181	}
				182
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	183	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
				184	static int
				185	option_clear_or_none(const char *o)
				186	{
				187	return o == NULL \|\| strcasecmp(o, "none") == 0;
				188	}
				189
djm@openbsd.org	ed08510	2015-10-29 08:05:01 +0000	[diff] [blame]	190	static void
				191	assemble_algorithms(ServerOptions *o)
				192	{
djm@openbsd.org	312d2f2	2018-07-04 13:49:31 +0000	[diff] [blame]	193	char all_cipher, all_mac, all_kex, all_key;
				194
				195	all_cipher = cipher_alg_list(',', 0);
				196	all_mac = mac_alg_list(',');
				197	all_kex = kex_alg_list(',');
				198	all_key = sshkey_alg_list(0, 0, 1, ',');
				199	if (kex_assemble_names(&o->ciphers,
				200	KEX_SERVER_ENCRYPT, all_cipher) != 0 \|\|
				201	kex_assemble_names(&o->macs,
				202	KEX_SERVER_MAC, all_mac) != 0 \|\|
				203	kex_assemble_names(&o->kex_algorithms,
				204	KEX_SERVER_KEX, all_kex) != 0 \|\|
				205	kex_assemble_names(&o->hostkeyalgorithms,
				206	KEX_DEFAULT_PK_ALG, all_key) != 0 \|\|
				207	kex_assemble_names(&o->hostbased_key_types,
				208	KEX_DEFAULT_PK_ALG, all_key) != 0 \|\|
				209	kex_assemble_names(&o->pubkey_key_types,
				210	KEX_DEFAULT_PK_ALG, all_key) != 0)
djm@openbsd.org	ed08510	2015-10-29 08:05:01 +0000	[diff] [blame]	211	fatal("kex_assemble_names failed");
djm@openbsd.org	312d2f2	2018-07-04 13:49:31 +0000	[diff] [blame]	212	free(all_cipher);
				213	free(all_mac);
				214	free(all_kex);
				215	free(all_key);
djm@openbsd.org	ed08510	2015-10-29 08:05:01 +0000	[diff] [blame]	216	}
				217
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	218	static void
				219	array_append(const char file, const int line, const char directive,
				220	char **array, u_int lp, const char *s)
				221	{
				222
				223	if (*lp >= INT_MAX)
				224	fatal("%s line %d: Too many %s entries", file, line, directive);
				225
				226	array = xrecallocarray(array, lp, lp + 1, sizeof(**array));
				227	(array)[lp] = xstrdup(s);
				228	(*lp)++;
				229	}
				230
				231	void
				232	servconf_add_hostkey(const char *file, const int line,
				233	ServerOptions options, const char path)
				234	{
				235	char *apath = derelativise_path(path);
				236
				237	array_append(file, line, "HostKey",
				238	&options->host_key_files, &options->num_host_key_files, apath);
				239	free(apath);
				240	}
				241
				242	void
				243	servconf_add_hostcert(const char *file, const int line,
				244	ServerOptions options, const char path)
				245	{
				246	char *apath = derelativise_path(path);
				247
				248	array_append(file, line, "HostCertificate",
				249	&options->host_cert_files, &options->num_host_cert_files, apath);
				250	free(apath);
				251	}
				252
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	253	void
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	254	fill_default_server_options(ServerOptions *options)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	255	{
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	256	u_int i;
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	257
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	258	/* Portable-specific options */
Damien Miller	4e448a3	2003-05-14 15:11:48 +1000	[diff] [blame]	259	if (options->use_pam == -1)
Damien Miller	5c3a558	2003-09-23 22:12:38 +1000	[diff] [blame]	260	options->use_pam = 0;
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	261
				262	/* Standard Options */
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	263	if (options->num_host_key_files == 0) {
				264	/* fill default hostkeys for protocols */
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	265	servconf_add_hostkey("[default]", 0, options,
				266	_PATH_HOST_RSA_KEY_FILE);
Damien Miller	dd190dd	2010-11-11 14:17:02 +1100	[diff] [blame]	267	#ifdef OPENSSL_HAS_ECC
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	268	servconf_add_hostkey("[default]", 0, options,
				269	_PATH_HOST_ECDSA_KEY_FILE);
Damien Miller	dd190dd	2010-11-11 14:17:02 +1100	[diff] [blame]	270	#endif
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	271	servconf_add_hostkey("[default]", 0, options,
				272	_PATH_HOST_ED25519_KEY_FILE);
markus@openbsd.org	5886b92	2018-03-01 20:32:16 +0000	[diff] [blame]	273	#ifdef WITH_XMSS
markus@openbsd.org	1b11ea7	2018-02-23 15:58:37 +0000	[diff] [blame]	274	servconf_add_hostkey("[default]", 0, options,
				275	_PATH_HOST_XMSS_KEY_FILE);
markus@openbsd.org	5886b92	2018-03-01 20:32:16 +0000	[diff] [blame]	276	#endif /* WITH_XMSS */
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	277	}
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	278	/* No certificates by default */
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	279	if (options->num_ports == 0)
				280	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	281	if (options->address_family == -1)
				282	options->address_family = AF_UNSPEC;
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	283	if (options->listen_addrs == NULL)
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	284	add_listen_addr(options, NULL, NULL, 0);
Damien Miller	6f83b8e	2000-05-02 09:23:45 +1000	[diff] [blame]	285	if (options->pid_file == NULL)
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	286	options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	287	if (options->login_grace_time == -1)
Damien Miller	c134863	2002-09-05 14:35:14 +1000	[diff] [blame]	288	options->login_grace_time = 120;
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	289	if (options->permit_root_login == PERMIT_NOT_SET)
chris@openbsd.org	3d5728a	2015-07-31 15:38:09 +0000	[diff] [blame]	290	options->permit_root_login = PERMIT_NO_PASSWD;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	291	if (options->ignore_rhosts == -1)
Damien Miller	98c7ad6	2000-03-09 21:27:49 +1100	[diff] [blame]	292	options->ignore_rhosts = 1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	293	if (options->ignore_user_known_hosts == -1)
				294	options->ignore_user_known_hosts = 0;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	295	if (options->print_motd == -1)
				296	options->print_motd = 1;
Ben Lindstrom	7bfff36	2001-03-26 05:45:53 +0000	[diff] [blame]	297	if (options->print_lastlog == -1)
				298	options->print_lastlog = 1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	299	if (options->x11_forwarding == -1)
Damien Miller	98c7ad6	2000-03-09 21:27:49 +1100	[diff] [blame]	300	options->x11_forwarding = 0;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	301	if (options->x11_display_offset == -1)
Damien Miller	98c7ad6	2000-03-09 21:27:49 +1100	[diff] [blame]	302	options->x11_display_offset = 10;
Damien Miller	95c249f	2002-02-05 12:11:34 +1100	[diff] [blame]	303	if (options->x11_use_localhost == -1)
				304	options->x11_use_localhost = 1;
Damien Miller	d3a1857	2000-06-07 19:55:44 +1000	[diff] [blame]	305	if (options->xauth_location == NULL)
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	306	options->xauth_location = xstrdup(_PATH_XAUTH);
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	307	if (options->permit_tty == -1)
				308	options->permit_tty = 1;
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	309	if (options->permit_user_rc == -1)
				310	options->permit_user_rc = 1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	311	if (options->strict_modes == -1)
				312	options->strict_modes = 1;
Damien Miller	12c150e	2003-12-17 16:31:10 +1100	[diff] [blame]	313	if (options->tcp_keep_alive == -1)
				314	options->tcp_keep_alive = 1;
Damien Miller	fcd9320	2002-02-05 12:26:34 +1100	[diff] [blame]	315	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	316	options->log_facility = SYSLOG_FACILITY_AUTH;
Damien Miller	fcd9320	2002-02-05 12:26:34 +1100	[diff] [blame]	317	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	318	options->log_level = SYSLOG_LEVEL_INFO;
Ben Lindstrom	5eabda3	2001-04-12 23:34:34 +0000	[diff] [blame]	319	if (options->hostbased_authentication == -1)
				320	options->hostbased_authentication = 0;
				321	if (options->hostbased_uses_name_from_packet_only == -1)
				322	options->hostbased_uses_name_from_packet_only = 0;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	323	if (options->pubkey_authentication == -1)
				324	options->pubkey_authentication = 1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	325	if (options->kerberos_authentication == -1)
Damien Miller	d7de14b	2002-04-23 21:04:51 +1000	[diff] [blame]	326	options->kerberos_authentication = 0;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	327	if (options->kerberos_or_local_passwd == -1)
				328	options->kerberos_or_local_passwd = 1;
				329	if (options->kerberos_ticket_cleanup == -1)
				330	options->kerberos_ticket_cleanup = 1;
Darren Tucker	22ef508	2003-12-31 11:37:34 +1100	[diff] [blame]	331	if (options->kerberos_get_afs_token == -1)
				332	options->kerberos_get_afs_token = 0;
Darren Tucker	0efd155	2003-08-26 11:49:55 +1000	[diff] [blame]	333	if (options->gss_authentication == -1)
				334	options->gss_authentication = 0;
				335	if (options->gss_cleanup_creds == -1)
				336	options->gss_cleanup_creds = 1;
djm@openbsd.org	d7c31da	2015-05-22 03:50:02 +0000	[diff] [blame]	337	if (options->gss_strict_acceptor == -1)
djm@openbsd.org	13bd2e2	2017-01-06 03:45:41 +0000	[diff] [blame]	338	options->gss_strict_acceptor = 1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	339	if (options->password_authentication == -1)
				340	options->password_authentication = 1;
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	341	if (options->kbd_interactive_authentication == -1)
				342	options->kbd_interactive_authentication = 0;
Ben Lindstrom	551ea37	2001-06-05 18:56:16 +0000	[diff] [blame]	343	if (options->challenge_response_authentication == -1)
				344	options->challenge_response_authentication = 1;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	345	if (options->permit_empty_passwd == -1)
Damien Miller	98c7ad6	2000-03-09 21:27:49 +1100	[diff] [blame]	346	options->permit_empty_passwd = 0;
djm@openbsd.org	95344c2	2018-07-03 10:59:35 +0000	[diff] [blame]	347	if (options->permit_user_env == -1) {
Ben Lindstrom	5d860f0	2002-08-01 01:28:38 +0000	[diff] [blame]	348	options->permit_user_env = 0;
djm@openbsd.org	95344c2	2018-07-03 10:59:35 +0000	[diff] [blame]	349	options->permit_user_env_whitelist = NULL;
				350	}
Ben Lindstrom	23e0f66	2002-06-21 01:09:47 +0000	[diff] [blame]	351	if (options->compression == -1)
sf@openbsd.org	168b46f	2018-07-09 13:37:10 +0000	[diff] [blame^]	352	options->compression = COMP_DELAYED;
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	353	if (options->rekey_limit == -1)
				354	options->rekey_limit = 0;
				355	if (options->rekey_interval == -1)
				356	options->rekey_interval = 0;
Damien Miller	50a41ed	2000-10-16 12:14:42 +1100	[diff] [blame]	357	if (options->allow_tcp_forwarding == -1)
Damien Miller	aa5b3f8	2012-12-03 09:50:54 +1100	[diff] [blame]	358	options->allow_tcp_forwarding = FORWARD_ALLOW;
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	359	if (options->allow_streamlocal_forwarding == -1)
				360	options->allow_streamlocal_forwarding = FORWARD_ALLOW;
Damien Miller	4f755cd	2008-05-19 14:57:41 +1000	[diff] [blame]	361	if (options->allow_agent_forwarding == -1)
				362	options->allow_agent_forwarding = 1;
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	363	if (options->fwd_opts.gateway_ports == -1)
				364	options->fwd_opts.gateway_ports = 0;
Damien Miller	3702396	2000-07-11 17:31:38 +1000	[diff] [blame]	365	if (options->max_startups == -1)
Damien Miller	1f583df	2013-02-12 11:02:08 +1100	[diff] [blame]	366	options->max_startups = 100;
Damien Miller	942da03	2000-08-18 13:59:06 +1000	[diff] [blame]	367	if (options->max_startups_rate == -1)
Damien Miller	1f583df	2013-02-12 11:02:08 +1100	[diff] [blame]	368	options->max_startups_rate = 30; /* 30% */
Damien Miller	942da03	2000-08-18 13:59:06 +1000	[diff] [blame]	369	if (options->max_startups_begin == -1)
Damien Miller	1f583df	2013-02-12 11:02:08 +1100	[diff] [blame]	370	options->max_startups_begin = 10;
Darren Tucker	89413db	2004-05-24 10:36:23 +1000	[diff] [blame]	371	if (options->max_authtries == -1)
				372	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	373	if (options->max_sessions == -1)
				374	options->max_sessions = DEFAULT_SESSIONS_MAX;
Damien Miller	3a961dc	2003-06-03 10:25:48 +1000	[diff] [blame]	375	if (options->use_dns == -1)
deraadt@openbsd.org	3cd5103	2015-02-02 01:57:44 +0000	[diff] [blame]	376	options->use_dns = 0;
Ben Lindstrom	5744dc4	2001-04-13 23:28:01 +0000	[diff] [blame]	377	if (options->client_alive_interval == -1)
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	378	options->client_alive_interval = 0;
Ben Lindstrom	5744dc4	2001-04-13 23:28:01 +0000	[diff] [blame]	379	if (options->client_alive_count_max == -1)
				380	options->client_alive_count_max = 3;
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	381	if (options->num_authkeys_files == 0) {
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	382	array_append("[default]", 0, "AuthorizedKeysFiles",
				383	&options->authorized_keys_files,
				384	&options->num_authkeys_files,
				385	_PATH_SSH_USER_PERMITTED_KEYS);
				386	array_append("[default]", 0, "AuthorizedKeysFiles",
				387	&options->authorized_keys_files,
				388	&options->num_authkeys_files,
				389	_PATH_SSH_USER_PERMITTED_KEYS2);
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	390	}
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	391	if (options->permit_tun == -1)
Damien Miller	7b58e80	2005-12-13 19:33:19 +1100	[diff] [blame]	392	options->permit_tun = SSH_TUNMODE_NO;
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	393	if (options->ip_qos_interactive == -1)
job@openbsd.org	5ee8448	2018-04-04 15:12:17 +0000	[diff] [blame]	394	options->ip_qos_interactive = IPTOS_DSCP_AF21;
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	395	if (options->ip_qos_bulk == -1)
job@openbsd.org	5ee8448	2018-04-04 15:12:17 +0000	[diff] [blame]	396	options->ip_qos_bulk = IPTOS_DSCP_CS1;
Damien Miller	2352881	2012-04-22 11:24:43 +1000	[diff] [blame]	397	if (options->version_addendum == NULL)
				398	options->version_addendum = xstrdup("");
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	399	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
				400	options->fwd_opts.streamlocal_bind_mask = 0177;
				401	if (options->fwd_opts.streamlocal_bind_unlink == -1)
				402	options->fwd_opts.streamlocal_bind_unlink = 0;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	403	if (options->fingerprint_hash == -1)
				404	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	405	if (options->disable_forwarding == -1)
				406	options->disable_forwarding = 0;
djm@openbsd.org	8f57495	2017-06-24 06:34:38 +0000	[diff] [blame]	407	if (options->expose_userauth_info == -1)
				408	options->expose_userauth_info = 0;
djm@openbsd.org	f9eca24	2015-07-30 00:01:34 +0000	[diff] [blame]	409
djm@openbsd.org	ed08510	2015-10-29 08:05:01 +0000	[diff] [blame]	410	assemble_algorithms(options);
djm@openbsd.org	f9eca24	2015-07-30 00:01:34 +0000	[diff] [blame]	411
djm@openbsd.org	c5c3f32	2016-02-17 05:29:04 +0000	[diff] [blame]	412	/* Turn privilege separation and sandboxing on by default */
Ben Lindstrom	7a2073c	2002-03-22 02:30:41 +0000	[diff] [blame]	413	if (use_privsep == -1)
djm@openbsd.org	c5c3f32	2016-02-17 05:29:04 +0000	[diff] [blame]	414	use_privsep = PRIVSEP_ON;
Damien Miller	4903eb4	2002-06-21 16:20:44 +1000	[diff] [blame]	415
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	416	#define CLEAR_ON_NONE(v) \
				417	do { \
				418	if (option_clear_or_none(v)) { \
				419	free(v); \
				420	v = NULL; \
				421	} \
				422	} while(0)
				423	CLEAR_ON_NONE(options->pid_file);
				424	CLEAR_ON_NONE(options->xauth_location);
				425	CLEAR_ON_NONE(options->banner);
				426	CLEAR_ON_NONE(options->trusted_user_ca_keys);
				427	CLEAR_ON_NONE(options->revoked_keys_file);
djm@openbsd.org	7e8528c	2015-05-01 04:17:51 +0000	[diff] [blame]	428	CLEAR_ON_NONE(options->authorized_principals_file);
djm@openbsd.org	9fd0468	2015-11-13 04:38:06 +0000	[diff] [blame]	429	CLEAR_ON_NONE(options->adm_forced_command);
				430	CLEAR_ON_NONE(options->chroot_directory);
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	431	CLEAR_ON_NONE(options->routing_domain);
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	432	for (i = 0; i < options->num_host_key_files; i++)
				433	CLEAR_ON_NONE(options->host_key_files[i]);
				434	for (i = 0; i < options->num_host_cert_files; i++)
				435	CLEAR_ON_NONE(options->host_cert_files[i]);
				436	#undef CLEAR_ON_NONE
				437
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	438	/* Similar handling for AuthenticationMethods=any */
				439	if (options->num_auth_methods == 1 &&
				440	strcmp(options->auth_methods[0], "any") == 0) {
				441	free(options->auth_methods[0]);
				442	options->auth_methods[0] = NULL;
				443	options->num_auth_methods = 0;
				444	}
				445
Tim Rice	40017b0	2002-07-14 13:36:49 -0700	[diff] [blame]	446	#ifndef HAVE_MMAP
Damien Miller	4903eb4	2002-06-21 16:20:44 +1000	[diff] [blame]	447	if (use_privsep && options->compression == 1) {
				448	error("This platform does not support both privilege "
				449	"separation and compression");
				450	error("Compression disabled");
				451	options->compression = 0;
				452	}
				453	#endif
				454
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	455	}
				456
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	457	/* Keyword tokens. */
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	458	typedef enum {
				459	sBadOption, /* == unknown option */
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	460	/* Portable-specific options */
Damien Miller	4e448a3	2003-05-14 15:11:48 +1000	[diff] [blame]	461	sUsePAM,
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	462	/* Standard Options */
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	463	sPort, sHostKeyFile, sLoginGraceTime,
				464	sPermitRootLogin, sLogFacility, sLogLevel,
Darren Tucker	ec960f2	2003-08-13 20:37:05 +1000	[diff] [blame]	465	sRhostsRSAAuthentication, sRSAAuthentication,
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	466	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
dtucker@openbsd.org	745771f	2018-02-09 02:37:36 +0000	[diff] [blame]	467	sKerberosGetAFSToken, sChallengeResponseAuthentication,
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	468	sPasswordAuthentication, sKbdInteractiveAuthentication,
				469	sListenAddress, sAddressFamily,
Ben Lindstrom	7bfff36	2001-03-26 05:45:53 +0000	[diff] [blame]	470	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
Damien Miller	95c249f	2002-02-05 12:11:34 +1100	[diff] [blame]	471	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	472	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
djm@openbsd.org	83b5818	2016-08-19 03:18:06 +0000	[diff] [blame]	473	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	474	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	475	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	476	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
				477	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
Damien Miller	3a961dc	2003-06-03 10:25:48 +1000	[diff] [blame]	478	sBanner, sUseDNS, sHostbasedAuthentication,
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	479	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
markus@openbsd.org	3a1638d	2015-07-10 06:21:53 +0000	[diff] [blame]	480	sHostKeyAlgorithms,
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	481	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
djm@openbsd.org	d7c31da	2015-05-22 03:50:02 +0000	[diff] [blame]	482	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
djm@openbsd.org	2801375	2018-06-09 03:03:10 +0000	[diff] [blame]	483	sAcceptEnv, sSetEnv, sPermitTunnel,
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	484	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
Darren Tucker	7bd98e7	2010-01-10 10:31:12 +1100	[diff] [blame]	485	sUsePrivilegeSeparation, sAllowAgentForwarding,
Damien Miller	7cc194f	2014-02-04 11:12:56 +1100	[diff] [blame]	486	sHostCertificate,
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	487	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
djm@openbsd.org	bcc50d8	2015-05-21 06:43:30 +0000	[diff] [blame]	488	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
Damien Miller	2352881	2012-04-22 11:24:43 +1000	[diff] [blame]	489	sKexAlgorithms, sIPQoS, sVersionAddendum,
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	490	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	491	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	492	sStreamLocalBindMask, sStreamLocalBindUnlink,
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	493	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	494	sExposeAuthInfo, sRDomain,
djm@openbsd.org	ae363d7	2016-08-25 23:57:54 +0000	[diff] [blame]	495	sDeprecated, sIgnore, sUnsupported
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	496	} ServerOpCodes;
				497
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	498	#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
				499	#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
				500	#define SSHCFG_ALL (SSHCFG_GLOBAL\|SSHCFG_MATCH)
				501
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	502	/* Textual representation of the tokens. */
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	503	static struct {
				504	const char *name;
				505	ServerOpCodes opcode;
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	506	u_int flags;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	507	} keywords[] = {
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	508	/* Portable-specific options */
Damien Miller	6ac2c48	2003-05-16 11:42:35 +1000	[diff] [blame]	509	#ifdef USE_PAM
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	510	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
Damien Miller	6ac2c48	2003-05-16 11:42:35 +1000	[diff] [blame]	511	#else
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	512	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
Damien Miller	6ac2c48	2003-05-16 11:42:35 +1000	[diff] [blame]	513	#endif
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	514	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
Damien Miller	726273e	2001-11-12 11:40:11 +1100	[diff] [blame]	515	/* Standard Options */
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	516	{ "port", sPort, SSHCFG_GLOBAL },
				517	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
				518	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
Damien Miller	85b45e0	2013-07-20 13:21:52 +1000	[diff] [blame]	519	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	520	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	521	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	522	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	523	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
Darren Tucker	15f9427	2008-01-01 20:36:56 +1100	[diff] [blame]	524	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	525	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
djm@openbsd.org	54cd41a	2017-05-17 01:24:17 +0000	[diff] [blame]	526	{ "loglevel", sLogLevel, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	527	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	528	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	529	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
Damien Miller	ab6de35	2010-06-26 09:38:45 +1000	[diff] [blame]	530	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	531	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
markus@openbsd.org	3a1638d	2015-07-10 06:21:53 +0000	[diff] [blame]	532	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	533	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	534	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	535	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
Darren Tucker	64cee36	2009-06-21 20:26:17 +1000	[diff] [blame]	536	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
Darren Tucker	6aaa58c	2003-08-02 22:24:49 +1000	[diff] [blame]	537	#ifdef KRB5
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	538	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	539	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
				540	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
Darren Tucker	3c78c5e	2004-01-23 22:03:10 +1100	[diff] [blame]	541	#ifdef USE_AFS
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	542	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
Damien Miller	f9b3feb	2003-05-16 11:38:32 +1000	[diff] [blame]	543	#else
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	544	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker	409cb32	2004-01-05 22:36:51 +1100	[diff] [blame]	545	#endif
				546	#else
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	547	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	548	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
				549	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
				550	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Damien Miller	f9b3feb	2003-05-16 11:38:32 +1000	[diff] [blame]	551	#endif
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	552	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
				553	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker	0efd155	2003-08-26 11:49:55 +1000	[diff] [blame]	554	#ifdef GSSAPI
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	555	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	556	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
djm@openbsd.org	d7c31da	2015-05-22 03:50:02 +0000	[diff] [blame]	557	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
Darren Tucker	0efd155	2003-08-26 11:49:55 +1000	[diff] [blame]	558	#else
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	559	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	560	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
djm@openbsd.org	d7c31da	2015-05-22 03:50:02 +0000	[diff] [blame]	561	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker	0efd155	2003-08-26 11:49:55 +1000	[diff] [blame]	562	#endif
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	563	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
				564	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
Darren Tucker	1d75f22	2007-03-01 21:31:28 +1100	[diff] [blame]	565	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	566	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
				567	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
				568	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
				569	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
				570	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
Damien Miller	ac908c1	2015-10-22 09:35:24 +1100	[diff] [blame]	571	#ifdef DISABLE_LASTLOG
				572	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
				573	#else
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	574	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
Damien Miller	ac908c1	2015-10-22 09:35:24 +1100	[diff] [blame]	575	#endif
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	576	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
				577	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
Damien Miller	d1de995	2006-07-24 14:05:48 +1000	[diff] [blame]	578	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
				579	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
				580	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	581	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
				582	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
Damien Miller	51bde60	2008-11-03 19:23:10 +1100	[diff] [blame]	583	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	584	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
djm@openbsd.org	83b5818	2016-08-19 03:18:06 +0000	[diff] [blame]	585	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	586	{ "compression", sCompression, SSHCFG_GLOBAL },
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	587	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	588	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
				589	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
				590	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
Damien Miller	4f755cd	2008-05-19 14:57:41 +1000	[diff] [blame]	591	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	592	{ "allowusers", sAllowUsers, SSHCFG_ALL },
				593	{ "denyusers", sDenyUsers, SSHCFG_ALL },
				594	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
				595	{ "denygroups", sDenyGroups, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	596	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
				597	{ "macs", sMacs, SSHCFG_GLOBAL },
djm@openbsd.org	ae363d7	2016-08-25 23:57:54 +0000	[diff] [blame]	598	{ "protocol", sIgnore, SSHCFG_GLOBAL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	599	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
				600	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
				601	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
Damien Miller	307c1d1	2008-06-16 07:56:20 +1000	[diff] [blame]	602	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	603	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	604	{ "banner", sBanner, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	605	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
				606	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
				607	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
markus@openbsd.org	f0ddede	2016-11-23 23:14:15 +0000	[diff] [blame]	608	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
				609	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
Damien Miller	ab6de35	2010-06-26 09:38:45 +1000	[diff] [blame]	610	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	611	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
djm@openbsd.org	6670594	2017-03-14 07:19:07 +0000	[diff] [blame]	612	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	613	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
djm@openbsd.org	2801375	2018-06-09 03:03:10 +0000	[diff] [blame]	614	{ "setenv", sSetEnv, SSHCFG_ALL },
Damien Miller	ab6de35	2010-06-26 09:38:45 +1000	[diff] [blame]	615	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	616	{ "permittty", sPermitTTY, SSHCFG_ALL },
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	617	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
Darren Tucker	64cee36	2009-06-21 20:26:17 +1000	[diff] [blame]	618	{ "match", sMatch, SSHCFG_ALL },
Damien Miller	9b439df	2006-07-24 14:04:00 +1000	[diff] [blame]	619	{ "permitopen", sPermitOpen, SSHCFG_ALL },
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	620	{ "permitlisten", sPermitListen, SSHCFG_ALL },
Damien Miller	e275443	2006-07-24 14:06:47 +1000	[diff] [blame]	621	{ "forcecommand", sForceCommand, SSHCFG_ALL },
Damien Miller	d8cb1f1	2008-02-10 22:40:12 +1100	[diff] [blame]	622	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	623	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
Damien Miller	1aed65e	2010-03-04 21:53:35 +1100	[diff] [blame]	624	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
				625	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
Damien Miller	ab6de35	2010-06-26 09:38:45 +1000	[diff] [blame]	626	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
Damien Miller	d5f62bf	2010-09-24 22:11:14 +1000	[diff] [blame]	627	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	628	{ "ipqos", sIPQoS, SSHCFG_ALL },
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	629	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
				630	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
djm@openbsd.org	bcc50d8	2015-05-21 06:43:30 +0000	[diff] [blame]	631	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
				632	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
Damien Miller	2352881	2012-04-22 11:24:43 +1000	[diff] [blame]	633	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	634	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	635	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
				636	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
				637	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	638	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	639	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
djm@openbsd.org	8f57495	2017-06-24 06:34:38 +0000	[diff] [blame]	640	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	641	{ "rdomain", sRDomain, SSHCFG_ALL },
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	642	{ NULL, sBadOption, 0 }
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	643	};
				644
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	645	static struct {
				646	int val;
				647	char *text;
				648	} tunmode_desc[] = {
				649	{ SSH_TUNMODE_NO, "no" },
				650	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
				651	{ SSH_TUNMODE_ETHERNET, "ethernet" },
				652	{ SSH_TUNMODE_YES, "yes" },
				653	{ -1, NULL }
				654	};
				655
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	656	/* Returns an opcode name from its number */
				657
				658	static const char *
				659	lookup_opcode_name(ServerOpCodes code)
				660	{
				661	u_int i;
				662
				663	for (i = 0; keywords[i].name != NULL; i++)
				664	if (keywords[i].opcode == code)
				665	return(keywords[i].name);
				666	return "UNKNOWN";
				667	}
				668
				669
Damien Miller	5428f64	1999-11-25 11:54:57 +1100	[diff] [blame]	670	/*
Ben Lindstrom	3704c26	2001-04-02 18:20:03 +0000	[diff] [blame]	671	* Returns the number of the token pointed to by cp or sBadOption.
Damien Miller	5428f64	1999-11-25 11:54:57 +1100	[diff] [blame]	672	*/
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	673
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	674	static ServerOpCodes
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	675	parse_token(const char cp, const char filename,
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	676	int linenum, u_int *flags)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	677	{
Ben Lindstrom	46c1622	2000-12-22 01:43:59 +0000	[diff] [blame]	678	u_int i;
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	679
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	680	for (i = 0; keywords[i].name; i++)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	681	if (strcasecmp(cp, keywords[i].name) == 0) {
				682	*flags = keywords[i].flags;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	683	return keywords[i].opcode;
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	684	}
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	685
Ben Lindstrom	b5cdc66	2001-04-16 02:13:26 +0000	[diff] [blame]	686	error("%s: line %d: Bad configuration option: %s",
				687	filename, linenum, cp);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	688	return sBadOption;
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	689	}
				690
Darren Tucker	88b6fb2	2010-01-13 22:44:29 +1100	[diff] [blame]	691	char *
				692	derelativise_path(const char *path)
				693	{
deraadt@openbsd.org	2ae4f33	2015-01-16 06:40:12 +0000	[diff] [blame]	694	char expanded, ret, cwd[PATH_MAX];
Darren Tucker	88b6fb2	2010-01-13 22:44:29 +1100	[diff] [blame]	695
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	696	if (strcasecmp(path, "none") == 0)
				697	return xstrdup("none");
Darren Tucker	88b6fb2	2010-01-13 22:44:29 +1100	[diff] [blame]	698	expanded = tilde_expand_filename(path, getuid());
				699	if (*expanded == '/')
				700	return expanded;
Damien Miller	44451d0	2010-03-26 10:40:04 +1100	[diff] [blame]	701	if (getcwd(cwd, sizeof(cwd)) == NULL)
Darren Tucker	88b6fb2	2010-01-13 22:44:29 +1100	[diff] [blame]	702	fatal("%s: getcwd: %s", __func__, strerror(errno));
				703	xasprintf(&ret, "%s/%s", cwd, expanded);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	704	free(expanded);
Darren Tucker	88b6fb2	2010-01-13 22:44:29 +1100	[diff] [blame]	705	return ret;
				706	}
				707
Ben Lindstrom	bba8121	2001-06-25 05:01:22 +0000	[diff] [blame]	708	static void
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	709	add_listen_addr(ServerOptions options, const char addr,
				710	const char *rdomain, int port)
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	711	{
Damien Miller	eccb9de	2005-06-17 12:59:34 +1000	[diff] [blame]	712	u_int i;
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	713
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	714	if (port > 0)
				715	add_one_listen_addr(options, addr, rdomain, port);
				716	else {
				717	for (i = 0; i < options->num_ports; i++) {
				718	add_one_listen_addr(options, addr, rdomain,
				719	options->ports[i]);
				720	}
				721	}
Ben Lindstrom	c510af4	2001-04-07 17:25:48 +0000	[diff] [blame]	722	}
				723
Ben Lindstrom	bba8121	2001-06-25 05:01:22 +0000	[diff] [blame]	724	static void
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	725	add_one_listen_addr(ServerOptions options, const char addr,
				726	const char *rdomain, int port)
Ben Lindstrom	c510af4	2001-04-07 17:25:48 +0000	[diff] [blame]	727	{
				728	struct addrinfo hints, ai, aitop;
				729	char strport[NI_MAXSERV];
				730	int gaierr;
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	731	u_int i;
				732
				733	/* Find listen_addrs entry for this rdomain */
				734	for (i = 0; i < options->num_listen_addrs; i++) {
				735	if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
				736	break;
				737	if (rdomain == NULL \|\| options->listen_addrs[i].rdomain == NULL)
				738	continue;
				739	if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
				740	break;
				741	}
				742	if (i >= options->num_listen_addrs) {
				743	/* No entry for this rdomain; allocate one */
				744	if (i >= INT_MAX)
				745	fatal("%s: too many listen addresses", __func__);
				746	options->listen_addrs = xrecallocarray(options->listen_addrs,
				747	options->num_listen_addrs, options->num_listen_addrs + 1,
				748	sizeof(*options->listen_addrs));
				749	i = options->num_listen_addrs++;
				750	if (rdomain != NULL)
				751	options->listen_addrs[i].rdomain = xstrdup(rdomain);
				752	}
				753	/* options->listen_addrs[i] points to the addresses for this rdomain */
Ben Lindstrom	c510af4	2001-04-07 17:25:48 +0000	[diff] [blame]	754
				755	memset(&hints, 0, sizeof(hints));
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	756	hints.ai_family = options->address_family;
Ben Lindstrom	c510af4	2001-04-07 17:25:48 +0000	[diff] [blame]	757	hints.ai_socktype = SOCK_STREAM;
				758	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
Damien Miller	3dc71ad	2009-01-28 16:31:22 +1100	[diff] [blame]	759	snprintf(strport, sizeof strport, "%d", port);
Ben Lindstrom	c510af4	2001-04-07 17:25:48 +0000	[diff] [blame]	760	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
				761	fatal("bad addr or host: %s (%s)",
				762	addr ? addr : "<NULL>",
Darren Tucker	4abde77	2007-12-29 02:43:51 +1100	[diff] [blame]	763	ssh_gai_strerror(gaierr));
Ben Lindstrom	c510af4	2001-04-07 17:25:48 +0000	[diff] [blame]	764	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
				765	;
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	766	ai->ai_next = options->listen_addrs[i].addrs;
				767	options->listen_addrs[i].addrs = aitop;
				768	}
				769
				770	/* Returns nonzero if the routing domain name is valid */
				771	static int
				772	valid_rdomain(const char *name)
				773	{
Damien Miller	43c29bb	2017-10-25 13:10:59 +1100	[diff] [blame]	774	#if defined(HAVE_SYS_VALID_RDOMAIN)
Damien Miller	2de5c6b	2017-10-27 08:42:33 +1100	[diff] [blame]	775	return sys_valid_rdomain(name);
Damien Miller	43c29bb	2017-10-25 13:10:59 +1100	[diff] [blame]	776	#elif defined(__OpenBSD__)
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	777	const char *errstr;
				778	long long num;
				779	struct rt_tableinfo info;
				780	int mib[6];
				781	size_t miblen = sizeof(mib);
				782
				783	if (name == NULL)
				784	return 1;
				785
				786	num = strtonum(name, 0, 255, &errstr);
				787	if (errstr != NULL)
				788	return 0;
				789
				790	/* Check whether the table actually exists */
				791	memset(mib, 0, sizeof(mib));
				792	mib[0] = CTL_NET;
				793	mib[1] = PF_ROUTE;
				794	mib[4] = NET_RT_TABLE;
				795	mib[5] = (int)num;
				796	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
				797	return 0;
				798
				799	return 1;
Damien Miller	43c29bb	2017-10-25 13:10:59 +1100	[diff] [blame]	800	#else /* defined(__OpenBSD__) */
				801	error("Routing domains are not supported on this platform");
				802	return 0;
				803	#endif
Damien Miller	34132e5	2000-01-14 15:45:46 +1100	[diff] [blame]	804	}
				805
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	806	/*
				807	* Queue a ListenAddress to be processed once we have all of the Ports
				808	* and AddressFamily options.
				809	*/
				810	static void
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	811	queue_listen_addr(ServerOptions options, const char addr,
				812	const char *rdomain, int port)
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	813	{
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	814	struct queued_listenaddr *qla;
				815
				816	options->queued_listen_addrs = xrecallocarray(
				817	options->queued_listen_addrs,
				818	options->num_queued_listens, options->num_queued_listens + 1,
				819	sizeof(*options->queued_listen_addrs));
				820	qla = &options->queued_listen_addrs[options->num_queued_listens++];
				821	qla->addr = xstrdup(addr);
				822	qla->port = port;
				823	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	824	}
				825
				826	/*
				827	* Process queued (text) ListenAddress entries.
				828	*/
				829	static void
				830	process_queued_listen_addrs(ServerOptions *options)
				831	{
				832	u_int i;
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	833	struct queued_listenaddr *qla;
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	834
				835	if (options->num_ports == 0)
				836	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
				837	if (options->address_family == -1)
				838	options->address_family = AF_UNSPEC;
				839
				840	for (i = 0; i < options->num_queued_listens; i++) {
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	841	qla = &options->queued_listen_addrs[i];
				842	add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
				843	free(qla->addr);
				844	free(qla->rdomain);
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	845	}
				846	free(options->queued_listen_addrs);
				847	options->queued_listen_addrs = NULL;
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	848	options->num_queued_listens = 0;
				849	}
				850
djm@openbsd.org	dbee411	2017-09-12 06:32:07 +0000	[diff] [blame]	851	/*
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	852	* Inform channels layer of permitopen options for a single forwarding
				853	* direction (local/remote).
				854	*/
				855	static void
				856	process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
				857	char **opens, u_int num_opens)
				858	{
				859	u_int i;
				860	int port;
				861	char host, arg, *oarg;
				862	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
				863	const char *what = lookup_opcode_name(opcode);
				864
				865	channel_clear_permission(ssh, FORWARD_ADM, where);
				866	if (num_opens == 0)
				867	return; /* permit any */
				868
				869	/* handle keywords: "any" / "none" */
				870	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
				871	return;
				872	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
				873	channel_disable_admin(ssh, where);
				874	return;
				875	}
				876	/* Otherwise treat it as a list of permitted host:port */
				877	for (i = 0; i < num_opens; i++) {
				878	oarg = arg = xstrdup(opens[i]);
				879	host = hpdelim(&arg);
				880	if (host == NULL)
				881	fatal("%s: missing host in %s", __func__, what);
				882	host = cleanhostname(host);
				883	if (arg == NULL \|\| ((port = permitopen_port(arg)) < 0))
				884	fatal("%s: bad port number in %s", __func__, what);
				885	/* Send it to channels layer */
				886	channel_add_permission(ssh, FORWARD_ADM,
				887	where, host, port);
				888	free(oarg);
				889	}
				890	}
				891
				892	/*
djm@openbsd.org	dbee411	2017-09-12 06:32:07 +0000	[diff] [blame]	893	* Inform channels layer of permitopen options from configuration.
				894	*/
				895	void
				896	process_permitopen(struct ssh ssh, ServerOptions options)
				897	{
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	898	process_permitopen_list(ssh, sPermitOpen,
				899	options->permitted_opens, options->num_permitted_opens);
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	900	process_permitopen_list(ssh, sPermitListen,
				901	options->permitted_listens,
				902	options->num_permitted_listens);
djm@openbsd.org	dbee411	2017-09-12 06:32:07 +0000	[diff] [blame]	903	}
				904
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	905	struct connection_info *
				906	get_connection_info(int populate, int use_dns)
				907	{
djm@openbsd.org	9576726	2016-03-07 19:02:43 +0000	[diff] [blame]	908	struct ssh ssh = active_state; / XXX */
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	909	static struct connection_info ci;
				910
				911	if (!populate)
				912	return &ci;
djm@openbsd.org	9576726	2016-03-07 19:02:43 +0000	[diff] [blame]	913	ci.host = auth_get_canonical_hostname(ssh, use_dns);
				914	ci.address = ssh_remote_ipaddr(ssh);
				915	ci.laddress = ssh_local_ipaddr(ssh);
				916	ci.lport = ssh_local_port(ssh);
djm@openbsd.org	68af80e	2017-10-25 00:19:47 +0000	[diff] [blame]	917	ci.rdomain = ssh_packet_rdomain_in(ssh);
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	918	return &ci;
				919	}
				920
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	921	/*
				922	* The strategy for the Match blocks is that the config file is parsed twice.
				923	*
				924	* The first time is at startup. activep is initialized to 1 and the
				925	* directives in the global context are processed and acted on. Hitting a
				926	* Match directive unsets activep and the directives inside the block are
				927	* checked for syntax only.
				928	*
				929	* The second time is after a connection has been established but before
				930	* authentication. activep is initialized to 2 and global config directives
				931	* are ignored since they have already been processed. If the criteria in a
				932	* Match block is met, activep is set and the subsequent directives
				933	* processed and actioned until EOF or another Match block unsets it. Any
				934	* options set are copied into the main server config.
				935	*
				936	* Potential additions/improvements:
djm@openbsd.org	ae363d7	2016-08-25 23:57:54 +0000	[diff] [blame]	937	* - Add Match support for pre-kex directives, eg. Ciphers.
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	938	*
				939	* - Add a Tag directive (idea from David Leonard) ala pf, eg:
				940	* Match Address 192.168.0.*
				941	* Tag trusted
				942	* Match Group wheel
				943	* Tag trusted
				944	* Match Tag trusted
				945	* AllowTcpForwarding yes
				946	* GatewayPorts clientspecified
				947	* [...]
				948	*
				949	* - Add a PermittedChannelRequests directive
				950	* Match Group shell
				951	* PermittedChannelRequests session,forwarded-tcpip
				952	*/
				953
				954	static int
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	955	match_cfg_line_group(const char grps, int line, const char user)
				956	{
				957	int result = 0;
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	958	struct passwd *pw;
				959
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	960	if (user == NULL)
				961	goto out;
				962
				963	if ((pw = getpwnam(user)) == NULL) {
				964	debug("Can't match group at line %d because user %.100s does "
				965	"not exist", line, user);
				966	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
				967	debug("Can't Match group because user %.100s not in any group "
				968	"at line %d", user, line);
Darren Tucker	b03fd02	2008-07-04 13:51:12 +1000	[diff] [blame]	969	} else if (ga_match_pattern_list(grps) != 1) {
				970	debug("user %.100s does not match group list %.100s at line %d",
				971	user, grps, line);
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	972	} else {
Darren Tucker	b03fd02	2008-07-04 13:51:12 +1000	[diff] [blame]	973	debug("user %.100s matched group list %.100s at line %d", user,
				974	grps, line);
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	975	result = 1;
				976	}
				977	out:
				978	ga_free();
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	979	return result;
				980	}
				981
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	982	static void
				983	match_test_missing_fatal(const char criteria, const char attrib)
				984	{
				985	fatal("'Match %s' in configuration but '%s' not in connection "
				986	"test specification.", criteria, attrib);
				987	}
				988
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	989	/*
Darren Tucker	bb6cc07	2012-09-17 13:25:06 +1000	[diff] [blame]	990	* All of the attributes on a single Match line are ANDed together, so we need
Damien Miller	03bf2e6	2013-10-24 21:01:26 +1100	[diff] [blame]	991	* to check every attribute and set the result to zero if any attribute does
Darren Tucker	bb6cc07	2012-09-17 13:25:06 +1000	[diff] [blame]	992	* not match.
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	993	*/
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	994	static int
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	995	match_cfg_line(char *condition, int line, struct connection_info ci)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	996	{
Damien Miller	cf31f38	2013-10-24 21:02:56 +1100	[diff] [blame]	997	int result = 1, attributes = 0, port;
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	998	char arg, attrib, cp = condition;
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	999
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1000	if (ci == NULL)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1001	debug3("checking syntax for 'Match %s'", cp);
				1002	else
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1003	debug3("checking match for '%s' user %s host %s addr %s "
				1004	"laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
				1005	ci->host ? ci->host : "(null)",
				1006	ci->address ? ci->address : "(null)",
				1007	ci->laddress ? ci->laddress : "(null)", ci->lport);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1008
				1009	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
Damien Miller	cf31f38	2013-10-24 21:02:56 +1100	[diff] [blame]	1010	attributes++;
				1011	if (strcasecmp(attrib, "all") == 0) {
				1012	if (attributes != 1 \|\|
				1013	((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
				1014	error("'all' cannot be combined with other "
				1015	"Match attributes");
				1016	return -1;
				1017	}
				1018	*condition = cp;
				1019	return 1;
				1020	}
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1021	if ((arg = strdelim(&cp)) == NULL \|\| *arg == '\0') {
				1022	error("Missing Match criteria for %s", attrib);
				1023	return -1;
				1024	}
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1025	if (strcasecmp(attrib, "user") == 0) {
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1026	if (ci == NULL) {
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1027	result = 0;
				1028	continue;
				1029	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1030	if (ci->user == NULL)
				1031	match_test_missing_fatal("User", "user");
djm@openbsd.org	e661a86	2015-05-04 06:10:48 +0000	[diff] [blame]	1032	if (match_pattern_list(ci->user, arg, 0) != 1)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1033	result = 0;
				1034	else
				1035	debug("user %.100s matched 'User %.100s' at "
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1036	"line %d", ci->user, arg, line);
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	1037	} else if (strcasecmp(attrib, "group") == 0) {
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1038	if (ci == NULL) {
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1039	result = 0;
				1040	continue;
				1041	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1042	if (ci->user == NULL)
				1043	match_test_missing_fatal("Group", "user");
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1044	switch (match_cfg_line_group(arg, line, ci->user)) {
Damien Miller	565ca3f	2006-08-19 00:23:15 +1000	[diff] [blame]	1045	case -1:
				1046	return -1;
				1047	case 0:
				1048	result = 0;
				1049	}
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1050	} else if (strcasecmp(attrib, "host") == 0) {
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1051	if (ci == NULL) {
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1052	result = 0;
				1053	continue;
				1054	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1055	if (ci->host == NULL)
				1056	match_test_missing_fatal("Host", "host");
djm@openbsd.org	e661a86	2015-05-04 06:10:48 +0000	[diff] [blame]	1057	if (match_hostname(ci->host, arg) != 1)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1058	result = 0;
				1059	else
				1060	debug("connection from %.100s matched 'Host "
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1061	"%.100s' at line %d", ci->host, arg, line);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1062	} else if (strcasecmp(attrib, "address") == 0) {
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1063	if (ci == NULL) {
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1064	result = 0;
				1065	continue;
				1066	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1067	if (ci->address == NULL)
				1068	match_test_missing_fatal("Address", "addr");
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1069	switch (addr_match_list(ci->address, arg)) {
Darren Tucker	7a3935d	2008-06-10 22:59:10 +1000	[diff] [blame]	1070	case 1:
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1071	debug("connection from %.100s matched 'Address "
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1072	"%.100s' at line %d", ci->address, arg, line);
Darren Tucker	7a3935d	2008-06-10 22:59:10 +1000	[diff] [blame]	1073	break;
				1074	case 0:
Darren Tucker	896ad5a	2008-06-11 09:34:46 +1000	[diff] [blame]	1075	case -1:
Darren Tucker	7a3935d	2008-06-10 22:59:10 +1000	[diff] [blame]	1076	result = 0;
				1077	break;
Darren Tucker	896ad5a	2008-06-11 09:34:46 +1000	[diff] [blame]	1078	case -2:
Darren Tucker	7a3935d	2008-06-10 22:59:10 +1000	[diff] [blame]	1079	return -1;
				1080	}
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1081	} else if (strcasecmp(attrib, "localaddress") == 0){
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1082	if (ci == NULL) {
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1083	result = 0;
				1084	continue;
				1085	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1086	if (ci->laddress == NULL)
				1087	match_test_missing_fatal("LocalAddress",
				1088	"laddr");
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1089	switch (addr_match_list(ci->laddress, arg)) {
				1090	case 1:
				1091	debug("connection from %.100s matched "
				1092	"'LocalAddress %.100s' at line %d",
				1093	ci->laddress, arg, line);
				1094	break;
				1095	case 0:
				1096	case -1:
				1097	result = 0;
				1098	break;
				1099	case -2:
				1100	return -1;
				1101	}
				1102	} else if (strcasecmp(attrib, "localport") == 0) {
				1103	if ((port = a2port(arg)) == -1) {
				1104	error("Invalid LocalPort '%s' on Match line",
				1105	arg);
				1106	return -1;
				1107	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1108	if (ci == NULL) {
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1109	result = 0;
				1110	continue;
				1111	}
dtucker@openbsd.org@openbsd.org	0208a48	2017-11-03 03:18:53 +0000	[diff] [blame]	1112	if (ci->lport == 0)
				1113	match_test_missing_fatal("LocalPort", "lport");
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1114	/* TODO support port lists */
				1115	if (port == ci->lport)
				1116	debug("connection from %.100s matched "
				1117	"'LocalPort %d' at line %d",
				1118	ci->laddress, port, line);
				1119	else
				1120	result = 0;
djm@openbsd.org	68af80e	2017-10-25 00:19:47 +0000	[diff] [blame]	1121	} else if (strcasecmp(attrib, "rdomain") == 0) {
				1122	if (ci == NULL \|\| ci->rdomain == NULL) {
				1123	result = 0;
				1124	continue;
				1125	}
				1126	if (match_pattern_list(ci->rdomain, arg, 0) != 1)
				1127	result = 0;
				1128	else
				1129	debug("user %.100s matched 'RDomain %.100s' at "
				1130	"line %d", ci->rdomain, arg, line);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1131	} else {
				1132	error("Unsupported Match attribute %s", attrib);
				1133	return -1;
				1134	}
				1135	}
Damien Miller	cf31f38	2013-10-24 21:02:56 +1100	[diff] [blame]	1136	if (attributes == 0) {
				1137	error("One or more attributes required for Match");
				1138	return -1;
				1139	}
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1140	if (ci != NULL)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1141	debug3("match %sfound", result ? "" : "not ");
				1142	*condition = cp;
				1143	return result;
				1144	}
				1145
Damien Miller	e275443	2006-07-24 14:06:47 +1000	[diff] [blame]	1146	#define WHITESPACE " \t\r\n"
				1147
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1148	/* Multistate option parsing */
				1149	struct multistate {
				1150	char *key;
				1151	int value;
				1152	};
djm@openbsd.org@openbsd.org	33edb6e	2017-11-03 05:18:44 +0000	[diff] [blame]	1153	static const struct multistate multistate_flag[] = {
				1154	{ "yes", 1 },
				1155	{ "no", 0 },
				1156	{ NULL, -1 }
				1157	};
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1158	static const struct multistate multistate_addressfamily[] = {
				1159	{ "inet", AF_INET },
				1160	{ "inet6", AF_INET6 },
				1161	{ "any", AF_UNSPEC },
				1162	{ NULL, -1 }
				1163	};
				1164	static const struct multistate multistate_permitrootlogin[] = {
				1165	{ "without-password", PERMIT_NO_PASSWD },
deraadt@openbsd.org	1dc8d93	2015-08-06 14:53:21 +0000	[diff] [blame]	1166	{ "prohibit-password", PERMIT_NO_PASSWD },
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1167	{ "forced-commands-only", PERMIT_FORCED_ONLY },
				1168	{ "yes", PERMIT_YES },
				1169	{ "no", PERMIT_NO },
				1170	{ NULL, -1 }
				1171	};
				1172	static const struct multistate multistate_compression[] = {
sf@openbsd.org	168b46f	2018-07-09 13:37:10 +0000	[diff] [blame^]	1173	{ "yes", COMP_DELAYED },
				1174	{ "delayed", COMP_DELAYED },
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1175	{ "no", COMP_NONE },
				1176	{ NULL, -1 }
				1177	};
				1178	static const struct multistate multistate_gatewayports[] = {
				1179	{ "clientspecified", 2 },
				1180	{ "yes", 1 },
				1181	{ "no", 0 },
				1182	{ NULL, -1 }
				1183	};
Damien Miller	aa5b3f8	2012-12-03 09:50:54 +1100	[diff] [blame]	1184	static const struct multistate multistate_tcpfwd[] = {
				1185	{ "yes", FORWARD_ALLOW },
				1186	{ "all", FORWARD_ALLOW },
				1187	{ "no", FORWARD_DENY },
				1188	{ "remote", FORWARD_REMOTE },
				1189	{ "local", FORWARD_LOCAL },
				1190	{ NULL, -1 }
				1191	};
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1192
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1193	int
				1194	process_server_config_line(ServerOptions options, char line,
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1195	const char filename, int linenum, int activep,
				1196	struct connection_info *connectinfo)
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1197	{
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1198	char cp, chararrayptr, charptr, arg, arg2, *p;
Darren Tucker	9113d0c	2013-05-16 20:48:14 +1000	[diff] [blame]	1199	int cmdline = 0, *intptr, value, value2, n, port;
Darren Tucker	1e44c5d	2008-01-01 20:32:26 +1100	[diff] [blame]	1200	SyslogFacility *log_facility_ptr;
				1201	LogLevel *log_level_ptr;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1202	ServerOpCodes opcode;
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1203	u_int i, *uintptr, uvalue, flags = 0;
Damien Miller	917f9b6	2006-07-10 20:36:47 +1000	[diff] [blame]	1204	size_t len;
Darren Tucker	9113d0c	2013-05-16 20:48:14 +1000	[diff] [blame]	1205	long long val64;
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1206	const struct multistate *multistate_ptr;
dtucker@openbsd.org	609d96b	2017-12-05 23:59:47 +0000	[diff] [blame]	1207	const char *errstr;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1208
djm@openbsd.org	c924b2e	2017-02-03 05:05:56 +0000	[diff] [blame]	1209	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
				1210	if ((len = strlen(line)) == 0)
				1211	return 0;
				1212	for (len--; len > 0; len--) {
				1213	if (strchr(WHITESPACE "\f", line[len]) == NULL)
				1214	break;
				1215	line[len] = '\0';
				1216	}
				1217
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1218	cp = line;
Damien Miller	78f16cb	2006-03-26 13:54:37 +1100	[diff] [blame]	1219	if ((arg = strdelim(&cp)) == NULL)
Damien Miller	928b236	2006-03-26 13:53:32 +1100	[diff] [blame]	1220	return 0;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1221	/* Ignore leading whitespace */
				1222	if (*arg == '\0')
				1223	arg = strdelim(&cp);
				1224	if (!arg \|\| !arg \|\| arg == '#')
				1225	return 0;
				1226	intptr = NULL;
				1227	charptr = NULL;
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1228	opcode = parse_token(arg, filename, linenum, &flags);
				1229
				1230	if (activep == NULL) { /* We are processing a command line directive */
				1231	cmdline = 1;
				1232	activep = &cmdline;
				1233	}
				1234	if (*activep && opcode != sMatch)
				1235	debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
				1236	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1237	if (connectinfo == NULL) {
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1238	fatal("%s line %d: Directive '%s' is not allowed "
				1239	"within a Match block", filename, linenum, arg);
				1240	} else { /* this is a directive we have already processed */
				1241	while (arg)
				1242	arg = strdelim(&cp);
				1243	return 0;
				1244	}
				1245	}
				1246
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1247	switch (opcode) {
				1248	/* Portable-specific options */
Damien Miller	4e448a3	2003-05-14 15:11:48 +1000	[diff] [blame]	1249	case sUsePAM:
				1250	intptr = &options->use_pam;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1251	goto parse_flag;
				1252
				1253	/* Standard Options */
				1254	case sBadOption:
				1255	return -1;
				1256	case sPort:
				1257	/* ignore ports from configfile if cmdline specifies ports */
				1258	if (options->ports_from_cmdline)
				1259	return 0;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1260	if (options->num_ports >= MAX_PORTS)
				1261	fatal("%s line %d: too many ports.",
				1262	filename, linenum);
				1263	arg = strdelim(&cp);
				1264	if (!arg \|\| *arg == '\0')
				1265	fatal("%s line %d: missing port number.",
				1266	filename, linenum);
				1267	options->ports[options->num_ports++] = a2port(arg);
Damien Miller	3dc71ad	2009-01-28 16:31:22 +1100	[diff] [blame]	1268	if (options->ports[options->num_ports-1] <= 0)
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1269	fatal("%s line %d: Badly formatted port number.",
				1270	filename, linenum);
				1271	break;
				1272
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1273	case sLoginGraceTime:
				1274	intptr = &options->login_grace_time;
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	1275	parse_time:
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1276	arg = strdelim(&cp);
				1277	if (!arg \|\| *arg == '\0')
				1278	fatal("%s line %d: missing time value.",
				1279	filename, linenum);
				1280	if ((value = convtime(arg)) == -1)
				1281	fatal("%s line %d: invalid time value.",
				1282	filename, linenum);
djm@openbsd.org	9559d7d	2015-05-01 07:08:08 +0000	[diff] [blame]	1283	if (activep && intptr == -1)
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1284	*intptr = value;
				1285	break;
				1286
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1287	case sListenAddress:
				1288	arg = strdelim(&cp);
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	1289	if (arg == NULL \|\| *arg == '\0')
				1290	fatal("%s line %d: missing address",
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1291	filename, linenum);
Damien Miller	203c705	2005-08-12 22:11:37 +1000	[diff] [blame]	1292	/* check for bare IPv6 address: no "[]" and 2 or more ":" */
				1293	if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
				1294	&& strchr(p+1, ':') != NULL) {
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	1295	port = 0;
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	1296	p = arg;
				1297	} else {
				1298	p = hpdelim(&arg);
				1299	if (p == NULL)
				1300	fatal("%s line %d: bad address:port usage",
				1301	filename, linenum);
				1302	p = cleanhostname(p);
				1303	if (arg == NULL)
				1304	port = 0;
				1305	else if ((port = a2port(arg)) <= 0)
				1306	fatal("%s line %d: bad port number",
				1307	filename, linenum);
				1308	}
				1309	/* Optional routing table */
				1310	arg2 = NULL;
				1311	if ((arg = strdelim(&cp)) != NULL) {
				1312	if (strcmp(arg, "rdomain") != 0 \|\|
				1313	(arg2 = strdelim(&cp)) == NULL)
				1314	fatal("%s line %d: bad ListenAddress syntax",
				1315	filename, linenum);
				1316	if (!valid_rdomain(arg2))
				1317	fatal("%s line %d: bad routing domain",
				1318	filename, linenum);
				1319	}
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1320
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	1321	queue_listen_addr(options, p, arg2, port);
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	1322
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1323	break;
				1324
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	1325	case sAddressFamily:
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1326	intptr = &options->address_family;
				1327	multistate_ptr = multistate_addressfamily;
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1328	parse_multistate:
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	1329	arg = strdelim(&cp);
Damien Miller	17b23d8	2005-05-26 12:11:56 +1000	[diff] [blame]	1330	if (!arg \|\| *arg == '\0')
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1331	fatal("%s line %d: missing argument.",
Damien Miller	17b23d8	2005-05-26 12:11:56 +1000	[diff] [blame]	1332	filename, linenum);
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1333	value = -1;
				1334	for (i = 0; multistate_ptr[i].key != NULL; i++) {
				1335	if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
				1336	value = multistate_ptr[i].value;
				1337	break;
				1338	}
				1339	}
				1340	if (value == -1)
				1341	fatal("%s line %d: unsupported option \"%s\".",
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	1342	filename, linenum, arg);
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1343	if (activep && intptr == -1)
Darren Tucker	0f38323	2005-01-20 10:57:56 +1100	[diff] [blame]	1344	*intptr = value;
				1345	break;
				1346
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1347	case sHostKeyFile:
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1348	arg = strdelim(&cp);
				1349	if (!arg \|\| *arg == '\0')
				1350	fatal("%s line %d: missing file name.",
				1351	filename, linenum);
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1352	if (*activep)
				1353	servconf_add_hostkey(filename, linenum, options, arg);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1354	break;
				1355
Damien Miller	85b45e0	2013-07-20 13:21:52 +1000	[diff] [blame]	1356	case sHostKeyAgent:
				1357	charptr = &options->host_key_agent;
				1358	arg = strdelim(&cp);
				1359	if (!arg \|\| *arg == '\0')
				1360	fatal("%s line %d: missing socket name.",
				1361	filename, linenum);
				1362	if (activep && charptr == NULL)
				1363	*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
				1364	xstrdup(arg) : derelativise_path(arg);
				1365	break;
				1366
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	1367	case sHostCertificate:
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1368	arg = strdelim(&cp);
				1369	if (!arg \|\| *arg == '\0')
				1370	fatal("%s line %d: missing file name.",
				1371	filename, linenum);
				1372	if (*activep)
				1373	servconf_add_hostcert(filename, linenum, options, arg);
				1374	break;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	1375
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1376	case sPidFile:
				1377	charptr = &options->pid_file;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1378	parse_filename:
				1379	arg = strdelim(&cp);
				1380	if (!arg \|\| *arg == '\0')
				1381	fatal("%s line %d: missing file name.",
				1382	filename, linenum);
				1383	if (activep && charptr == NULL) {
				1384	*charptr = derelativise_path(arg);
				1385	/* increase optional counter */
				1386	if (intptr != NULL)
				1387	intptr = intptr + 1;
				1388	}
				1389	break;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1390
				1391	case sPermitRootLogin:
				1392	intptr = &options->permit_root_login;
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1393	multistate_ptr = multistate_permitrootlogin;
				1394	goto parse_multistate;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1395
				1396	case sIgnoreRhosts:
				1397	intptr = &options->ignore_rhosts;
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	1398	parse_flag:
djm@openbsd.org@openbsd.org	33edb6e	2017-11-03 05:18:44 +0000	[diff] [blame]	1399	multistate_ptr = multistate_flag;
				1400	goto parse_multistate;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1401
				1402	case sIgnoreUserKnownHosts:
				1403	intptr = &options->ignore_user_known_hosts;
				1404	goto parse_flag;
				1405
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1406	case sHostbasedAuthentication:
				1407	intptr = &options->hostbased_authentication;
				1408	goto parse_flag;
				1409
				1410	case sHostbasedUsesNameFromPacketOnly:
				1411	intptr = &options->hostbased_uses_name_from_packet_only;
				1412	goto parse_flag;
				1413
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	1414	case sHostbasedAcceptedKeyTypes:
				1415	charptr = &options->hostbased_key_types;
				1416	parse_keytypes:
				1417	arg = strdelim(&cp);
				1418	if (!arg \|\| *arg == '\0')
				1419	fatal("%s line %d: Missing argument.",
				1420	filename, linenum);
djm@openbsd.org	68bc8cf	2017-02-03 23:01:19 +0000	[diff] [blame]	1421	if (*arg != '-' &&
				1422	!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	1423	fatal("%s line %d: Bad key types '%s'.",
				1424	filename, linenum, arg ? arg : "<NONE>");
				1425	if (activep && charptr == NULL)
				1426	*charptr = xstrdup(arg);
				1427	break;
				1428
markus@openbsd.org	3a1638d	2015-07-10 06:21:53 +0000	[diff] [blame]	1429	case sHostKeyAlgorithms:
				1430	charptr = &options->hostkeyalgorithms;
				1431	goto parse_keytypes;
				1432
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1433	case sPubkeyAuthentication:
				1434	intptr = &options->pubkey_authentication;
				1435	goto parse_flag;
Damien Miller	2aa0ab4	2003-05-15 12:05:28 +1000	[diff] [blame]	1436
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	1437	case sPubkeyAcceptedKeyTypes:
				1438	charptr = &options->pubkey_key_types;
				1439	goto parse_keytypes;
				1440
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1441	case sKerberosAuthentication:
				1442	intptr = &options->kerberos_authentication;
				1443	goto parse_flag;
				1444
				1445	case sKerberosOrLocalPasswd:
				1446	intptr = &options->kerberos_or_local_passwd;
				1447	goto parse_flag;
				1448
				1449	case sKerberosTicketCleanup:
				1450	intptr = &options->kerberos_ticket_cleanup;
				1451	goto parse_flag;
Damien Miller	2aa0ab4	2003-05-15 12:05:28 +1000	[diff] [blame]	1452
Darren Tucker	22ef508	2003-12-31 11:37:34 +1100	[diff] [blame]	1453	case sKerberosGetAFSToken:
				1454	intptr = &options->kerberos_get_afs_token;
				1455	goto parse_flag;
				1456
Darren Tucker	0efd155	2003-08-26 11:49:55 +1000	[diff] [blame]	1457	case sGssAuthentication:
				1458	intptr = &options->gss_authentication;
				1459	goto parse_flag;
				1460
				1461	case sGssCleanupCreds:
				1462	intptr = &options->gss_cleanup_creds;
				1463	goto parse_flag;
				1464
djm@openbsd.org	d7c31da	2015-05-22 03:50:02 +0000	[diff] [blame]	1465	case sGssStrictAcceptor:
				1466	intptr = &options->gss_strict_acceptor;
				1467	goto parse_flag;
				1468
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1469	case sPasswordAuthentication:
				1470	intptr = &options->password_authentication;
				1471	goto parse_flag;
				1472
				1473	case sKbdInteractiveAuthentication:
				1474	intptr = &options->kbd_interactive_authentication;
				1475	goto parse_flag;
				1476
				1477	case sChallengeResponseAuthentication:
				1478	intptr = &options->challenge_response_authentication;
				1479	goto parse_flag;
				1480
				1481	case sPrintMotd:
				1482	intptr = &options->print_motd;
				1483	goto parse_flag;
				1484
				1485	case sPrintLastLog:
				1486	intptr = &options->print_lastlog;
				1487	goto parse_flag;
				1488
				1489	case sX11Forwarding:
				1490	intptr = &options->x11_forwarding;
				1491	goto parse_flag;
				1492
				1493	case sX11DisplayOffset:
				1494	intptr = &options->x11_display_offset;
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	1495	parse_int:
				1496	arg = strdelim(&cp);
dtucker@openbsd.org	609d96b	2017-12-05 23:59:47 +0000	[diff] [blame]	1497	if ((errstr = atoi_err(arg, &value)) != NULL)
				1498	fatal("%s line %d: integer value %s.",
				1499	filename, linenum, errstr);
naddy@openbsd.org	c38ea63	2016-08-15 12:27:56 +0000	[diff] [blame]	1500	if (activep && intptr == -1)
				1501	*intptr = value;
				1502	break;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1503
Damien Miller	95c249f	2002-02-05 12:11:34 +1100	[diff] [blame]	1504	case sX11UseLocalhost:
				1505	intptr = &options->x11_use_localhost;
				1506	goto parse_flag;
				1507
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1508	case sXAuthLocation:
				1509	charptr = &options->xauth_location;
				1510	goto parse_filename;
				1511
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	1512	case sPermitTTY:
				1513	intptr = &options->permit_tty;
				1514	goto parse_flag;
				1515
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	1516	case sPermitUserRC:
				1517	intptr = &options->permit_user_rc;
				1518	goto parse_flag;
				1519
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1520	case sStrictModes:
				1521	intptr = &options->strict_modes;
				1522	goto parse_flag;
				1523
Damien Miller	12c150e	2003-12-17 16:31:10 +1100	[diff] [blame]	1524	case sTCPKeepAlive:
				1525	intptr = &options->tcp_keep_alive;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1526	goto parse_flag;
				1527
				1528	case sEmptyPasswd:
				1529	intptr = &options->permit_empty_passwd;
				1530	goto parse_flag;
				1531
Ben Lindstrom	5d860f0	2002-08-01 01:28:38 +0000	[diff] [blame]	1532	case sPermitUserEnvironment:
				1533	intptr = &options->permit_user_env;
djm@openbsd.org	95344c2	2018-07-03 10:59:35 +0000	[diff] [blame]	1534	charptr = &options->permit_user_env_whitelist;
				1535	arg = strdelim(&cp);
				1536	if (!arg \|\| *arg == '\0')
				1537	fatal("%s line %d: missing argument.",
				1538	filename, linenum);
				1539	value = 0;
				1540	p = NULL;
				1541	if (strcmp(arg, "yes") == 0)
				1542	value = 1;
				1543	else if (strcmp(arg, "no") == 0)
				1544	value = 0;
				1545	else {
				1546	/* Pattern-list specified */
				1547	value = 1;
				1548	p = xstrdup(arg);
				1549	}
				1550	if (activep && intptr == -1) {
				1551	*intptr = value;
				1552	*charptr = p;
				1553	p = NULL;
				1554	}
				1555	free(p);
				1556	break;
Ben Lindstrom	5d860f0	2002-08-01 01:28:38 +0000	[diff] [blame]	1557
Ben Lindstrom	23e0f66	2002-06-21 01:09:47 +0000	[diff] [blame]	1558	case sCompression:
				1559	intptr = &options->compression;
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1560	multistate_ptr = multistate_compression;
				1561	goto parse_multistate;
Ben Lindstrom	23e0f66	2002-06-21 01:09:47 +0000	[diff] [blame]	1562
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	1563	case sRekeyLimit:
				1564	arg = strdelim(&cp);
				1565	if (!arg \|\| *arg == '\0')
				1566	fatal("%.200s line %d: Missing argument.", filename,
				1567	linenum);
				1568	if (strcmp(arg, "default") == 0) {
				1569	val64 = 0;
				1570	} else {
Darren Tucker	b7ee852	2013-05-16 20:33:10 +1000	[diff] [blame]	1571	if (scan_scaled(arg, &val64) == -1)
				1572	fatal("%.200s line %d: Bad number '%s': %s",
				1573	filename, linenum, arg, strerror(errno));
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	1574	if (val64 != 0 && val64 < 16)
				1575	fatal("%.200s line %d: RekeyLimit too small",
				1576	filename, linenum);
				1577	}
				1578	if (*activep && options->rekey_limit == -1)
dtucker@openbsd.org	921ff00	2016-01-29 02:54:45 +0000	[diff] [blame]	1579	options->rekey_limit = val64;
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	1580	if (cp != NULL) { /* optional rekey interval present */
				1581	if (strcmp(cp, "none") == 0) {
				1582	(void)strdelim(&cp); /* discard */
				1583	break;
				1584	}
				1585	intptr = &options->rekey_interval;
				1586	goto parse_time;
				1587	}
				1588	break;
				1589
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1590	case sGatewayPorts:
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	1591	intptr = &options->fwd_opts.gateway_ports;
Damien Miller	3332212	2011-06-20 14:43:11 +1000	[diff] [blame]	1592	multistate_ptr = multistate_gatewayports;
				1593	goto parse_multistate;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1594
Damien Miller	3a961dc	2003-06-03 10:25:48 +1000	[diff] [blame]	1595	case sUseDNS:
				1596	intptr = &options->use_dns;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1597	goto parse_flag;
				1598
				1599	case sLogFacility:
Darren Tucker	1e44c5d	2008-01-01 20:32:26 +1100	[diff] [blame]	1600	log_facility_ptr = &options->log_facility;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1601	arg = strdelim(&cp);
				1602	value = log_facility_number(arg);
Damien Miller	fcd9320	2002-02-05 12:26:34 +1100	[diff] [blame]	1603	if (value == SYSLOG_FACILITY_NOT_SET)
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1604	fatal("%.200s line %d: unsupported log facility '%s'",
				1605	filename, linenum, arg ? arg : "<NONE>");
Darren Tucker	1e44c5d	2008-01-01 20:32:26 +1100	[diff] [blame]	1606	if (*log_facility_ptr == -1)
				1607	*log_facility_ptr = (SyslogFacility) value;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1608	break;
				1609
				1610	case sLogLevel:
Darren Tucker	1e44c5d	2008-01-01 20:32:26 +1100	[diff] [blame]	1611	log_level_ptr = &options->log_level;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1612	arg = strdelim(&cp);
				1613	value = log_level_number(arg);
Damien Miller	fcd9320	2002-02-05 12:26:34 +1100	[diff] [blame]	1614	if (value == SYSLOG_LEVEL_NOT_SET)
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1615	fatal("%.200s line %d: unsupported log level '%s'",
				1616	filename, linenum, arg ? arg : "<NONE>");
djm@openbsd.org	54cd41a	2017-05-17 01:24:17 +0000	[diff] [blame]	1617	if (activep && log_level_ptr == -1)
Darren Tucker	1e44c5d	2008-01-01 20:32:26 +1100	[diff] [blame]	1618	*log_level_ptr = (LogLevel) value;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1619	break;
				1620
				1621	case sAllowTcpForwarding:
				1622	intptr = &options->allow_tcp_forwarding;
Damien Miller	aa5b3f8	2012-12-03 09:50:54 +1100	[diff] [blame]	1623	multistate_ptr = multistate_tcpfwd;
				1624	goto parse_multistate;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1625
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	1626	case sAllowStreamLocalForwarding:
				1627	intptr = &options->allow_streamlocal_forwarding;
				1628	multistate_ptr = multistate_tcpfwd;
				1629	goto parse_multistate;
				1630
Damien Miller	4f755cd	2008-05-19 14:57:41 +1000	[diff] [blame]	1631	case sAllowAgentForwarding:
				1632	intptr = &options->allow_agent_forwarding;
				1633	goto parse_flag;
				1634
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	1635	case sDisableForwarding:
				1636	intptr = &options->disable_forwarding;
				1637	goto parse_flag;
				1638
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1639	case sAllowUsers:
				1640	while ((arg = strdelim(&cp)) && *arg != '\0') {
djm@openbsd.org	010359b	2016-11-06 05:46:37 +0000	[diff] [blame]	1641	if (match_user(NULL, NULL, NULL, arg) == -1)
				1642	fatal("%s line %d: invalid AllowUsers pattern: "
				1643	"\"%.100s\"", filename, linenum, arg);
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	1644	if (!*activep)
				1645	continue;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1646	array_append(filename, linenum, "AllowUsers",
				1647	&options->allow_users, &options->num_allow_users,
				1648	arg);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1649	}
				1650	break;
				1651
				1652	case sDenyUsers:
				1653	while ((arg = strdelim(&cp)) && *arg != '\0') {
djm@openbsd.org	010359b	2016-11-06 05:46:37 +0000	[diff] [blame]	1654	if (match_user(NULL, NULL, NULL, arg) == -1)
				1655	fatal("%s line %d: invalid DenyUsers pattern: "
				1656	"\"%.100s\"", filename, linenum, arg);
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	1657	if (!*activep)
				1658	continue;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1659	array_append(filename, linenum, "DenyUsers",
				1660	&options->deny_users, &options->num_deny_users,
				1661	arg);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1662	}
				1663	break;
				1664
				1665	case sAllowGroups:
				1666	while ((arg = strdelim(&cp)) && *arg != '\0') {
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	1667	if (!*activep)
				1668	continue;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1669	array_append(filename, linenum, "AllowGroups",
				1670	&options->allow_groups, &options->num_allow_groups,
				1671	arg);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1672	}
				1673	break;
				1674
				1675	case sDenyGroups:
				1676	while ((arg = strdelim(&cp)) && *arg != '\0') {
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	1677	if (!*activep)
				1678	continue;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1679	array_append(filename, linenum, "DenyGroups",
				1680	&options->deny_groups, &options->num_deny_groups,
				1681	arg);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1682	}
				1683	break;
				1684
				1685	case sCiphers:
				1686	arg = strdelim(&cp);
				1687	if (!arg \|\| *arg == '\0')
				1688	fatal("%s line %d: Missing argument.", filename, linenum);
djm@openbsd.org	68bc8cf	2017-02-03 23:01:19 +0000	[diff] [blame]	1689	if (arg != '-' && !ciphers_valid(arg == '+' ? arg + 1 : arg))
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1690	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
				1691	filename, linenum, arg ? arg : "<NONE>");
				1692	if (options->ciphers == NULL)
				1693	options->ciphers = xstrdup(arg);
				1694	break;
				1695
				1696	case sMacs:
				1697	arg = strdelim(&cp);
				1698	if (!arg \|\| *arg == '\0')
				1699	fatal("%s line %d: Missing argument.", filename, linenum);
djm@openbsd.org	68bc8cf	2017-02-03 23:01:19 +0000	[diff] [blame]	1700	if (arg != '-' && !mac_valid(arg == '+' ? arg + 1 : arg))
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1701	fatal("%s line %d: Bad SSH2 mac spec '%s'.",
				1702	filename, linenum, arg ? arg : "<NONE>");
				1703	if (options->macs == NULL)
				1704	options->macs = xstrdup(arg);
				1705	break;
				1706
Damien Miller	d5f62bf	2010-09-24 22:11:14 +1000	[diff] [blame]	1707	case sKexAlgorithms:
				1708	arg = strdelim(&cp);
				1709	if (!arg \|\| *arg == '\0')
				1710	fatal("%s line %d: Missing argument.",
				1711	filename, linenum);
djm@openbsd.org	68bc8cf	2017-02-03 23:01:19 +0000	[diff] [blame]	1712	if (*arg != '-' &&
				1713	!kex_names_valid(*arg == '+' ? arg + 1 : arg))
Damien Miller	d5f62bf	2010-09-24 22:11:14 +1000	[diff] [blame]	1714	fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
				1715	filename, linenum, arg ? arg : "<NONE>");
				1716	if (options->kex_algorithms == NULL)
				1717	options->kex_algorithms = xstrdup(arg);
				1718	break;
				1719
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1720	case sSubsystem:
				1721	if (options->num_subsystems >= MAX_SUBSYSTEMS) {
				1722	fatal("%s line %d: too many subsystems defined.",
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	1723	filename, linenum);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1724	}
				1725	arg = strdelim(&cp);
				1726	if (!arg \|\| *arg == '\0')
				1727	fatal("%s line %d: Missing subsystem name.",
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	1728	filename, linenum);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1729	if (!*activep) {
				1730	arg = strdelim(&cp);
				1731	break;
				1732	}
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1733	for (i = 0; i < options->num_subsystems; i++)
				1734	if (strcmp(arg, options->subsystem_name[i]) == 0)
				1735	fatal("%s line %d: Subsystem '%s' already defined.",
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	1736	filename, linenum, arg);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1737	options->subsystem_name[options->num_subsystems] = xstrdup(arg);
				1738	arg = strdelim(&cp);
				1739	if (!arg \|\| *arg == '\0')
				1740	fatal("%s line %d: Missing subsystem command.",
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	1741	filename, linenum);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1742	options->subsystem_command[options->num_subsystems] = xstrdup(arg);
Damien Miller	917f9b6	2006-07-10 20:36:47 +1000	[diff] [blame]	1743
				1744	/* Collect arguments (separate to executable) */
				1745	p = xstrdup(arg);
				1746	len = strlen(p) + 1;
				1747	while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
				1748	len += 1 + strlen(arg);
deraadt@openbsd.org	657a5fb	2015-04-24 01:36:00 +0000	[diff] [blame]	1749	p = xreallocarray(p, 1, len);
Damien Miller	917f9b6	2006-07-10 20:36:47 +1000	[diff] [blame]	1750	strlcat(p, " ", len);
				1751	strlcat(p, arg, len);
				1752	}
				1753	options->subsystem_args[options->num_subsystems] = p;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1754	options->num_subsystems++;
				1755	break;
				1756
				1757	case sMaxStartups:
				1758	arg = strdelim(&cp);
				1759	if (!arg \|\| *arg == '\0')
				1760	fatal("%s line %d: Missing MaxStartups spec.",
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	1761	filename, linenum);
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1762	if ((n = sscanf(arg, "%d:%d:%d",
				1763	&options->max_startups_begin,
				1764	&options->max_startups_rate,
				1765	&options->max_startups)) == 3) {
				1766	if (options->max_startups_begin >
				1767	options->max_startups \|\|
				1768	options->max_startups_rate > 100 \|\|
				1769	options->max_startups_rate < 1)
				1770	fatal("%s line %d: Illegal MaxStartups spec.",
				1771	filename, linenum);
				1772	} else if (n != 1)
				1773	fatal("%s line %d: Illegal MaxStartups spec.",
				1774	filename, linenum);
				1775	else
				1776	options->max_startups = options->max_startups_begin;
				1777	break;
				1778
Darren Tucker	89413db	2004-05-24 10:36:23 +1000	[diff] [blame]	1779	case sMaxAuthTries:
				1780	intptr = &options->max_authtries;
				1781	goto parse_int;
				1782
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	1783	case sMaxSessions:
				1784	intptr = &options->max_sessions;
				1785	goto parse_int;
				1786
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1787	case sBanner:
				1788	charptr = &options->banner;
				1789	goto parse_filename;
Damien Miller	d8cb1f1	2008-02-10 22:40:12 +1100	[diff] [blame]	1790
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1791	/*
				1792	* These options can contain %X options expanded at
				1793	* connect time, so that you can specify paths like:
				1794	*
				1795	* AuthorizedKeysFile /etc/ssh_keys/%u
				1796	*/
				1797	case sAuthorizedKeysFile:
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	1798	if (*activep && options->num_authkeys_files == 0) {
				1799	while ((arg = strdelim(&cp)) && *arg != '\0') {
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1800	arg = tilde_expand_filename(arg, getuid());
				1801	array_append(filename, linenum,
				1802	"AuthorizedKeysFile",
				1803	&options->authorized_keys_files,
				1804	&options->num_authkeys_files, arg);
				1805	free(arg);
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	1806	}
				1807	}
				1808	return 0;
				1809
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	1810	case sAuthorizedPrincipalsFile:
				1811	charptr = &options->authorized_principals_file;
Damien Miller	c4cb47b	2010-03-22 05:52:26 +1100	[diff] [blame]	1812	arg = strdelim(&cp);
				1813	if (!arg \|\| *arg == '\0')
				1814	fatal("%s line %d: missing file name.",
				1815	filename, linenum);
				1816	if (activep && charptr == NULL) {
Damien Miller	4a5f0d3	2010-03-22 05:53:04 +1100	[diff] [blame]	1817	*charptr = tilde_expand_filename(arg, getuid());
Damien Miller	c4cb47b	2010-03-22 05:52:26 +1100	[diff] [blame]	1818	/* increase optional counter */
				1819	if (intptr != NULL)
				1820	intptr = intptr + 1;
				1821	}
				1822	break;
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	1823
				1824	case sClientAliveInterval:
				1825	intptr = &options->client_alive_interval;
				1826	goto parse_time;
				1827
				1828	case sClientAliveCountMax:
				1829	intptr = &options->client_alive_count_max;
				1830	goto parse_int;
				1831
Darren Tucker	46bc075	2004-05-02 22:11:30 +1000	[diff] [blame]	1832	case sAcceptEnv:
				1833	while ((arg = strdelim(&cp)) && *arg != '\0') {
				1834	if (strchr(arg, '=') != NULL)
				1835	fatal("%s line %d: Invalid environment name.",
				1836	filename, linenum);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1837	if (!*activep)
Damien Miller	c24da77	2012-06-20 21:53:58 +1000	[diff] [blame]	1838	continue;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1839	array_append(filename, linenum, "AcceptEnv",
				1840	&options->accept_env, &options->num_accept_env,
				1841	arg);
Darren Tucker	46bc075	2004-05-02 22:11:30 +1000	[diff] [blame]	1842	}
				1843	break;
				1844
djm@openbsd.org	2801375	2018-06-09 03:03:10 +0000	[diff] [blame]	1845	case sSetEnv:
				1846	uvalue = options->num_setenv;
				1847	while ((arg = strdelimw(&cp)) && *arg != '\0') {
				1848	if (strchr(arg, '=') == NULL)
				1849	fatal("%s line %d: Invalid environment.",
				1850	filename, linenum);
				1851	if (!*activep \|\| uvalue != 0)
				1852	continue;
				1853	array_append(filename, linenum, "SetEnv",
				1854	&options->setenv, &options->num_setenv, arg);
				1855	}
				1856	break;
				1857
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	1858	case sPermitTunnel:
				1859	intptr = &options->permit_tun;
Damien Miller	7b58e80	2005-12-13 19:33:19 +1100	[diff] [blame]	1860	arg = strdelim(&cp);
				1861	if (!arg \|\| *arg == '\0')
				1862	fatal("%s line %d: Missing yes/point-to-point/"
				1863	"ethernet/no argument.", filename, linenum);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	1864	value = -1;
				1865	for (i = 0; tunmode_desc[i].val != -1; i++)
				1866	if (strcmp(tunmode_desc[i].text, arg) == 0) {
				1867	value = tunmode_desc[i].val;
				1868	break;
				1869	}
				1870	if (value == -1)
Damien Miller	7b58e80	2005-12-13 19:33:19 +1100	[diff] [blame]	1871	fatal("%s line %d: Bad yes/point-to-point/ethernet/"
				1872	"no argument: %s", filename, linenum, arg);
djm@openbsd.org	9559d7d	2015-05-01 07:08:08 +0000	[diff] [blame]	1873	if (activep && intptr == -1)
Damien Miller	7b58e80	2005-12-13 19:33:19 +1100	[diff] [blame]	1874	*intptr = value;
				1875	break;
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	1876
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1877	case sMatch:
				1878	if (cmdline)
				1879	fatal("Match directive not supported as a command-line "
				1880	"option");
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	1881	value = match_cfg_line(&cp, linenum, connectinfo);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	1882	if (value < 0)
				1883	fatal("%s line %d: Bad Match condition", filename,
				1884	linenum);
				1885	*activep = value;
				1886	break;
				1887
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	1888	case sPermitListen:
Damien Miller	9b439df	2006-07-24 14:04:00 +1000	[diff] [blame]	1889	case sPermitOpen:
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	1890	if (opcode == sPermitListen) {
				1891	uintptr = &options->num_permitted_listens;
				1892	chararrayptr = &options->permitted_listens;
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1893	} else {
				1894	uintptr = &options->num_permitted_opens;
				1895	chararrayptr = &options->permitted_opens;
				1896	}
Damien Miller	9b439df	2006-07-24 14:04:00 +1000	[diff] [blame]	1897	arg = strdelim(&cp);
				1898	if (!arg \|\| *arg == '\0')
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1899	fatal("%s line %d: missing %s specification",
				1900	filename, linenum, lookup_opcode_name(opcode));
				1901	uvalue = uintptr; / modified later */
djm@openbsd.org	dbee411	2017-09-12 06:32:07 +0000	[diff] [blame]	1902	if (strcmp(arg, "any") == 0 \|\| strcmp(arg, "none") == 0) {
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1903	if (*activep && uvalue == 0) {
				1904	*uintptr = 1;
				1905	*chararrayptr = xcalloc(1,
				1906	sizeof(**chararrayptr));
				1907	(*chararrayptr)[0] = xstrdup(arg);
dtucker@openbsd.org	30484e5	2017-09-18 09:41:52 +0000	[diff] [blame]	1908	}
Damien Miller	c608148	2012-04-22 11:18:53 +1000	[diff] [blame]	1909	break;
				1910	}
Damien Miller	a765cf4	2006-07-24 14:08:13 +1000	[diff] [blame]	1911	for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
djm@openbsd.org	87ddd67	2018-06-19 02:59:41 +0000	[diff] [blame]	1912	if (opcode == sPermitListen &&
				1913	strchr(arg, ':') == NULL) {
				1914	/*
				1915	* Allow bare port number for PermitListen
				1916	* to indicate a wildcard listen host.
				1917	*/
				1918	xasprintf(&arg2, "*:%s", arg);
				1919	} else {
				1920	arg2 = xstrdup(arg);
				1921	p = hpdelim(&arg);
				1922	if (p == NULL) {
				1923	fatal("%s line %d: missing host in %s",
				1924	filename, linenum,
				1925	lookup_opcode_name(opcode));
				1926	}
				1927	p = cleanhostname(p);
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1928	}
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1929	if (arg == NULL \|\|
				1930	((port = permitopen_port(arg)) < 0)) {
				1931	fatal("%s line %d: bad port number in %s",
				1932	filename, linenum,
				1933	lookup_opcode_name(opcode));
				1934	}
				1935	if (*activep && uvalue == 0) {
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1936	array_append(filename, linenum,
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	1937	lookup_opcode_name(opcode),
				1938	chararrayptr, uintptr, arg2);
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	1939	}
				1940	free(arg2);
Damien Miller	a765cf4	2006-07-24 14:08:13 +1000	[diff] [blame]	1941	}
Damien Miller	9b439df	2006-07-24 14:04:00 +1000	[diff] [blame]	1942	break;
				1943
Damien Miller	e275443	2006-07-24 14:06:47 +1000	[diff] [blame]	1944	case sForceCommand:
dtucker@openbsd.org	bd902b8	2015-04-23 04:53:53 +0000	[diff] [blame]	1945	if (cp == NULL \|\| *cp == '\0')
Damien Miller	e275443	2006-07-24 14:06:47 +1000	[diff] [blame]	1946	fatal("%.200s line %d: Missing argument.", filename,
				1947	linenum);
				1948	len = strspn(cp, WHITESPACE);
				1949	if (*activep && options->adm_forced_command == NULL)
				1950	options->adm_forced_command = xstrdup(cp + len);
				1951	return 0;
				1952
Damien Miller	d8cb1f1	2008-02-10 22:40:12 +1100	[diff] [blame]	1953	case sChrootDirectory:
				1954	charptr = &options->chroot_directory;
Damien Miller	54e3773	2008-02-10 22:48:55 +1100	[diff] [blame]	1955
				1956	arg = strdelim(&cp);
				1957	if (!arg \|\| *arg == '\0')
				1958	fatal("%s line %d: missing file name.",
				1959	filename, linenum);
				1960	if (activep && charptr == NULL)
				1961	*charptr = xstrdup(arg);
				1962	break;
Damien Miller	d8cb1f1	2008-02-10 22:40:12 +1100	[diff] [blame]	1963
Damien Miller	1aed65e	2010-03-04 21:53:35 +1100	[diff] [blame]	1964	case sTrustedUserCAKeys:
				1965	charptr = &options->trusted_user_ca_keys;
				1966	goto parse_filename;
				1967
				1968	case sRevokedKeys:
				1969	charptr = &options->revoked_keys_file;
				1970	goto parse_filename;
				1971
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	1972	case sIPQoS:
				1973	arg = strdelim(&cp);
				1974	if ((value = parse_ipqos(arg)) == -1)
				1975	fatal("%s line %d: Bad IPQoS value: %s",
				1976	filename, linenum, arg);
				1977	arg = strdelim(&cp);
				1978	if (arg == NULL)
				1979	value2 = value;
				1980	else if ((value2 = parse_ipqos(arg)) == -1)
				1981	fatal("%s line %d: Bad IPQoS value: %s",
				1982	filename, linenum, arg);
				1983	if (*activep) {
				1984	options->ip_qos_interactive = value;
				1985	options->ip_qos_bulk = value2;
				1986	}
				1987	break;
				1988
Damien Miller	2352881	2012-04-22 11:24:43 +1000	[diff] [blame]	1989	case sVersionAddendum:
dtucker@openbsd.org	bd902b8	2015-04-23 04:53:53 +0000	[diff] [blame]	1990	if (cp == NULL \|\| *cp == '\0')
Damien Miller	2352881	2012-04-22 11:24:43 +1000	[diff] [blame]	1991	fatal("%.200s line %d: Missing argument.", filename,
				1992	linenum);
				1993	len = strspn(cp, WHITESPACE);
				1994	if (*activep && options->version_addendum == NULL) {
				1995	if (strcasecmp(cp + len, "none") == 0)
				1996	options->version_addendum = xstrdup("");
				1997	else if (strchr(cp + len, '\r') != NULL)
				1998	fatal("%.200s line %d: Invalid argument",
				1999	filename, linenum);
				2000	else
				2001	options->version_addendum = xstrdup(cp + len);
				2002	}
				2003	return 0;
				2004
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	2005	case sAuthorizedKeysCommand:
jsg@openbsd.org	72bba3d	2014-11-24 03:39:22 +0000	[diff] [blame]	2006	if (cp == NULL)
				2007	fatal("%.200s line %d: Missing argument.", filename,
				2008	linenum);
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	2009	len = strspn(cp, WHITESPACE);
				2010	if (*activep && options->authorized_keys_command == NULL) {
				2011	if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
				2012	fatal("%.200s line %d: AuthorizedKeysCommand "
				2013	"must be an absolute path",
				2014	filename, linenum);
				2015	options->authorized_keys_command = xstrdup(cp + len);
				2016	}
				2017	return 0;
				2018
				2019	case sAuthorizedKeysCommandUser:
				2020	charptr = &options->authorized_keys_command_user;
				2021
				2022	arg = strdelim(&cp);
jsg@openbsd.org	72bba3d	2014-11-24 03:39:22 +0000	[diff] [blame]	2023	if (!arg \|\| *arg == '\0')
				2024	fatal("%s line %d: missing AuthorizedKeysCommandUser "
				2025	"argument.", filename, linenum);
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	2026	if (activep && charptr == NULL)
				2027	*charptr = xstrdup(arg);
				2028	break;
				2029
djm@openbsd.org	bcc50d8	2015-05-21 06:43:30 +0000	[diff] [blame]	2030	case sAuthorizedPrincipalsCommand:
				2031	if (cp == NULL)
				2032	fatal("%.200s line %d: Missing argument.", filename,
				2033	linenum);
				2034	len = strspn(cp, WHITESPACE);
				2035	if (*activep &&
				2036	options->authorized_principals_command == NULL) {
				2037	if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
				2038	fatal("%.200s line %d: "
				2039	"AuthorizedPrincipalsCommand must be "
				2040	"an absolute path", filename, linenum);
				2041	options->authorized_principals_command =
				2042	xstrdup(cp + len);
				2043	}
				2044	return 0;
				2045
				2046	case sAuthorizedPrincipalsCommandUser:
				2047	charptr = &options->authorized_principals_command_user;
				2048
				2049	arg = strdelim(&cp);
				2050	if (!arg \|\| *arg == '\0')
				2051	fatal("%s line %d: missing "
				2052	"AuthorizedPrincipalsCommandUser argument.",
				2053	filename, linenum);
				2054	if (activep && charptr == NULL)
				2055	*charptr = xstrdup(arg);
				2056	break;
				2057
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	2058	case sAuthenticationMethods:
djm@openbsd.org	9559d7d	2015-05-01 07:08:08 +0000	[diff] [blame]	2059	if (options->num_auth_methods == 0) {
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	2060	value = 0; /* seen "any" pseudo-method */
djm@openbsd.org	001aa55	2018-04-10 00:10:49 +0000	[diff] [blame]	2061	value2 = 0; /* successfully parsed any method */
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	2062	while ((arg = strdelim(&cp)) && *arg != '\0') {
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	2063	if (strcmp(arg, "any") == 0) {
				2064	if (options->num_auth_methods > 0) {
				2065	fatal("%s line %d: \"any\" "
				2066	"must appear alone in "
				2067	"AuthenticationMethods",
				2068	filename, linenum);
				2069	}
				2070	value = 1;
				2071	} else if (value) {
				2072	fatal("%s line %d: \"any\" must appear "
				2073	"alone in AuthenticationMethods",
				2074	filename, linenum);
				2075	} else if (auth2_methods_valid(arg, 0) != 0) {
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	2076	fatal("%s line %d: invalid "
				2077	"authentication method list.",
				2078	filename, linenum);
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	2079	}
djm@openbsd.org	46ecd19	2016-06-23 05:17:51 +0000	[diff] [blame]	2080	value2 = 1;
djm@openbsd.org	9559d7d	2015-05-01 07:08:08 +0000	[diff] [blame]	2081	if (!*activep)
				2082	continue;
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	2083	array_append(filename, linenum,
				2084	"AuthenticationMethods",
				2085	&options->auth_methods,
				2086	&options->num_auth_methods, arg);
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	2087	}
djm@openbsd.org	46ecd19	2016-06-23 05:17:51 +0000	[diff] [blame]	2088	if (value2 == 0) {
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	2089	fatal("%s line %d: no AuthenticationMethods "
				2090	"specified", filename, linenum);
				2091	}
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	2092	}
				2093	return 0;
				2094
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2095	case sStreamLocalBindMask:
				2096	arg = strdelim(&cp);
				2097	if (!arg \|\| *arg == '\0')
djm@openbsd.org	9559d7d	2015-05-01 07:08:08 +0000	[diff] [blame]	2098	fatal("%s line %d: missing StreamLocalBindMask "
				2099	"argument.", filename, linenum);
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2100	/* Parse mode in octal format */
				2101	value = strtol(arg, &p, 8);
				2102	if (arg == p \|\| value < 0 \|\| value > 0777)
				2103	fatal("%s line %d: Bad mask.", filename, linenum);
djm@openbsd.org	9559d7d	2015-05-01 07:08:08 +0000	[diff] [blame]	2104	if (*activep)
				2105	options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2106	break;
				2107
				2108	case sStreamLocalBindUnlink:
				2109	intptr = &options->fwd_opts.streamlocal_bind_unlink;
				2110	goto parse_flag;
				2111
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	2112	case sFingerprintHash:
				2113	arg = strdelim(&cp);
				2114	if (!arg \|\| *arg == '\0')
				2115	fatal("%.200s line %d: Missing argument.",
				2116	filename, linenum);
				2117	if ((value = ssh_digest_alg_by_name(arg)) == -1)
				2118	fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
				2119	filename, linenum, arg);
				2120	if (*activep)
				2121	options->fingerprint_hash = value;
				2122	break;
				2123
djm@openbsd.org	8f57495	2017-06-24 06:34:38 +0000	[diff] [blame]	2124	case sExposeAuthInfo:
				2125	intptr = &options->expose_userauth_info;
				2126	goto parse_flag;
				2127
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	2128	case sRDomain:
				2129	charptr = &options->routing_domain;
				2130	arg = strdelim(&cp);
				2131	if (!arg \|\| *arg == '\0')
				2132	fatal("%.200s line %d: Missing argument.",
				2133	filename, linenum);
				2134	if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
				2135	!valid_rdomain(arg))
				2136	fatal("%s line %d: bad routing domain",
				2137	filename, linenum);
				2138	if (activep && charptr == NULL)
				2139	*charptr = xstrdup(arg);
dtucker@openbsd.org	168ecec	2017-12-05 23:56:07 +0000	[diff] [blame]	2140	break;
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	2141
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	2142	case sDeprecated:
djm@openbsd.org	ae363d7	2016-08-25 23:57:54 +0000	[diff] [blame]	2143	case sIgnore:
Damien Miller	f9b3feb	2003-05-16 11:38:32 +1000	[diff] [blame]	2144	case sUnsupported:
djm@openbsd.org	ae363d7	2016-08-25 23:57:54 +0000	[diff] [blame]	2145	do_log2(opcode == sIgnore ?
				2146	SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
				2147	"%s line %d: %s option %s", filename, linenum,
				2148	opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
Damien Miller	f9b3feb	2003-05-16 11:38:32 +1000	[diff] [blame]	2149	while (arg)
				2150	arg = strdelim(&cp);
				2151	break;
				2152
Ben Lindstrom	ade03f6	2001-12-06 18:22:17 +0000	[diff] [blame]	2153	default:
				2154	fatal("%s line %d: Missing handler for opcode %s (%d)",
				2155	filename, linenum, arg, opcode);
				2156	}
				2157	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
				2158	fatal("%s line %d: garbage at end of line; \"%.200s\".",
				2159	filename, linenum, arg);
				2160	return 0;
				2161	}
				2162
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	2163	/* Reads the server configuration file. */
				2164
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	2165	void
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2166	load_server_config(const char filename, Buffer conf)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	2167	{
markus@openbsd.org	7f90635	2018-06-06 18:29:18 +0000	[diff] [blame]	2168	char line = NULL, cp;
				2169	size_t linesize = 0;
Ben Lindstrom	e135363	2002-06-23 21:29:23 +0000	[diff] [blame]	2170	FILE *f;
Damien Miller	46cb75a	2012-07-31 12:22:37 +1000	[diff] [blame]	2171	int lineno = 0;
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	2172
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2173	debug2("%s: filename %s", __func__, filename);
				2174	if ((f = fopen(filename, "r")) == NULL) {
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	2175	perror(filename);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	2176	exit(1);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	2177	}
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2178	buffer_clear(conf);
markus@openbsd.org	7f90635	2018-06-06 18:29:18 +0000	[diff] [blame]	2179	while (getline(&line, &linesize, f) != -1) {
Damien Miller	46cb75a	2012-07-31 12:22:37 +1000	[diff] [blame]	2180	lineno++;
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2181	/*
				2182	* Trim out comments and strip whitespace
Darren Tucker	fc95970	2004-07-17 16:12:08 +1000	[diff] [blame]	2183	* NB - preserve newlines, they are needed to reproduce
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2184	* line numbers later for error messages
				2185	*/
				2186	if ((cp = strchr(line, '#')) != NULL)
				2187	memcpy(cp, "\n", 2);
				2188	cp = line + strspn(line, " \t\r");
				2189
				2190	buffer_append(conf, cp, strlen(cp));
				2191	}
markus@openbsd.org	7f90635	2018-06-06 18:29:18 +0000	[diff] [blame]	2192	free(line);
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2193	buffer_append(conf, "\0", 1);
				2194	fclose(f);
				2195	debug2("%s: done config len = %d", __func__, buffer_len(conf));
				2196	}
				2197
				2198	void
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2199	parse_server_match_config(ServerOptions *options,
				2200	struct connection_info *connectinfo)
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2201	{
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2202	ServerOptions mo;
				2203
				2204	initialize_server_options(&mo);
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2205	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2206	copy_set_server_options(options, &mo, 0);
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2207	}
				2208
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2209	int parse_server_match_testspec(struct connection_info ci, char spec)
				2210	{
				2211	char *p;
				2212
				2213	while ((p = strsep(&spec, ",")) && *p != '\0') {
				2214	if (strncmp(p, "addr=", 5) == 0) {
				2215	ci->address = xstrdup(p + 5);
				2216	} else if (strncmp(p, "host=", 5) == 0) {
				2217	ci->host = xstrdup(p + 5);
				2218	} else if (strncmp(p, "user=", 5) == 0) {
				2219	ci->user = xstrdup(p + 5);
				2220	} else if (strncmp(p, "laddr=", 6) == 0) {
				2221	ci->laddress = xstrdup(p + 6);
djm@openbsd.org	68af80e	2017-10-25 00:19:47 +0000	[diff] [blame]	2222	} else if (strncmp(p, "rdomain=", 8) == 0) {
				2223	ci->rdomain = xstrdup(p + 8);
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2224	} else if (strncmp(p, "lport=", 6) == 0) {
				2225	ci->lport = a2port(p + 6);
				2226	if (ci->lport == -1) {
				2227	fprintf(stderr, "Invalid port '%s' in test mode"
				2228	" specification %s\n", p+6, p);
				2229	return -1;
				2230	}
				2231	} else {
				2232	fprintf(stderr, "Invalid test mode specification %s\n",
				2233	p);
				2234	return -1;
				2235	}
				2236	}
				2237	return 0;
				2238	}
				2239
				2240	/*
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2241	* Copy any supported values that are set.
				2242	*
Darren Tucker	3b59dfa	2009-06-21 17:54:47 +1000	[diff] [blame]	2243	* If the preauth flag is set, we do not bother copying the string or
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2244	* array values that are not used pre-authentication, because any that we
djm@openbsd.org	001aa55	2018-04-10 00:10:49 +0000	[diff] [blame]	2245	* do use must be explicitly sent in mm_getpwnamallow().
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2246	*/
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2247	void
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2248	copy_set_server_options(ServerOptions dst, ServerOptions src, int preauth)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2249	{
Damien Miller	534b2cc	2013-12-05 14:07:27 +1100	[diff] [blame]	2250	#define M_CP_INTOPT(n) do {\
				2251	if (src->n != -1) \
				2252	dst->n = src->n; \
				2253	} while (0)
				2254
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2255	M_CP_INTOPT(password_authentication);
				2256	M_CP_INTOPT(gss_authentication);
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2257	M_CP_INTOPT(pubkey_authentication);
				2258	M_CP_INTOPT(kerberos_authentication);
				2259	M_CP_INTOPT(hostbased_authentication);
Damien Miller	ab6de35	2010-06-26 09:38:45 +1000	[diff] [blame]	2260	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2261	M_CP_INTOPT(kbd_interactive_authentication);
Darren Tucker	15f9427	2008-01-01 20:36:56 +1100	[diff] [blame]	2262	M_CP_INTOPT(permit_root_login);
Damien Miller	51bde60	2008-11-03 19:23:10 +1100	[diff] [blame]	2263	M_CP_INTOPT(permit_empty_passwd);
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2264
				2265	M_CP_INTOPT(allow_tcp_forwarding);
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2266	M_CP_INTOPT(allow_streamlocal_forwarding);
Damien Miller	4f755cd	2008-05-19 14:57:41 +1000	[diff] [blame]	2267	M_CP_INTOPT(allow_agent_forwarding);
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	2268	M_CP_INTOPT(disable_forwarding);
djm@openbsd.org	8f57495	2017-06-24 06:34:38 +0000	[diff] [blame]	2269	M_CP_INTOPT(expose_userauth_info);
Damien Miller	ab6de35	2010-06-26 09:38:45 +1000	[diff] [blame]	2270	M_CP_INTOPT(permit_tun);
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2271	M_CP_INTOPT(fwd_opts.gateway_ports);
djm@openbsd.org	cfefbce	2016-05-03 15:57:39 +0000	[diff] [blame]	2272	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2273	M_CP_INTOPT(x11_display_offset);
				2274	M_CP_INTOPT(x11_forwarding);
				2275	M_CP_INTOPT(x11_use_localhost);
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	2276	M_CP_INTOPT(permit_tty);
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	2277	M_CP_INTOPT(permit_user_rc);
Damien Miller	7207f64	2008-05-19 15:34:50 +1000	[diff] [blame]	2278	M_CP_INTOPT(max_sessions);
Damien Miller	307c1d1	2008-06-16 07:56:20 +1000	[diff] [blame]	2279	M_CP_INTOPT(max_authtries);
markus@openbsd.org	f0ddede	2016-11-23 23:14:15 +0000	[diff] [blame]	2280	M_CP_INTOPT(client_alive_count_max);
				2281	M_CP_INTOPT(client_alive_interval);
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	2282	M_CP_INTOPT(ip_qos_interactive);
				2283	M_CP_INTOPT(ip_qos_bulk);
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	2284	M_CP_INTOPT(rekey_limit);
				2285	M_CP_INTOPT(rekey_interval);
djm@openbsd.org	54cd41a	2017-05-17 01:24:17 +0000	[diff] [blame]	2286	M_CP_INTOPT(log_level);
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2287
djm@openbsd.org	cfefbce	2016-05-03 15:57:39 +0000	[diff] [blame]	2288	/*
				2289	* The bind_mask is a mode_t that may be unsigned, so we can't use
				2290	* M_CP_INTOPT - it does a signed comparison that causes compiler
				2291	* warnings.
				2292	*/
dtucker@openbsd.org	9faae50	2016-05-04 14:00:09 +0000	[diff] [blame]	2293	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
djm@openbsd.org	cfefbce	2016-05-03 15:57:39 +0000	[diff] [blame]	2294	dst->fwd_opts.streamlocal_bind_mask =
				2295	src->fwd_opts.streamlocal_bind_mask;
				2296	}
				2297
Damien Miller	534b2cc	2013-12-05 14:07:27 +1100	[diff] [blame]	2298	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
				2299	#define M_CP_STROPT(n) do {\
				2300	if (src->n != NULL && dst->n != src->n) { \
				2301	free(dst->n); \
				2302	dst->n = src->n; \
				2303	} \
				2304	} while(0)
djm@openbsd.org	dceabc7	2017-10-05 15:52:03 +0000	[diff] [blame]	2305	#define M_CP_STRARRAYOPT(s, num_s) do {\
				2306	u_int i; \
				2307	if (src->num_s != 0) { \
				2308	for (i = 0; i < dst->num_s; i++) \
				2309	free(dst->s[i]); \
				2310	free(dst->s); \
				2311	dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
				2312	for (i = 0; i < src->num_s; i++) \
				2313	dst->s[i] = xstrdup(src->s[i]); \
				2314	dst->num_s = src->num_s; \
djm@openbsd.org	66bf74a	2017-10-02 19:33:20 +0000	[diff] [blame]	2315	} \
				2316	} while(0)
Damien Miller	534b2cc	2013-12-05 14:07:27 +1100	[diff] [blame]	2317
Damien Miller	f2e407e	2011-05-20 19:04:14 +1000	[diff] [blame]	2318	/* See comment in servconf.h */
				2319	COPY_MATCH_STRING_OPTS();
Damien Miller	5d74e58	2011-05-20 19:03:31 +1000	[diff] [blame]	2320
djm@openbsd.org	ed08510	2015-10-29 08:05:01 +0000	[diff] [blame]	2321	/* Arguments that accept '+...' need to be expanded */
				2322	assemble_algorithms(dst);
				2323
Damien Miller	c241190	2011-05-20 19:03:49 +1000	[diff] [blame]	2324	/*
				2325	* The only things that should be below this point are string options
				2326	* which are only used after authentication.
				2327	*/
Damien Miller	5d74e58	2011-05-20 19:03:31 +1000	[diff] [blame]	2328	if (preauth)
				2329	return;
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	2330
djm@openbsd.org	9fd0468	2015-11-13 04:38:06 +0000	[diff] [blame]	2331	/* These options may be "none" to clear a global setting */
Damien Miller	5d74e58	2011-05-20 19:03:31 +1000	[diff] [blame]	2332	M_CP_STROPT(adm_forced_command);
djm@openbsd.org	9fd0468	2015-11-13 04:38:06 +0000	[diff] [blame]	2333	if (option_clear_or_none(dst->adm_forced_command)) {
				2334	free(dst->adm_forced_command);
				2335	dst->adm_forced_command = NULL;
				2336	}
Damien Miller	5d74e58	2011-05-20 19:03:31 +1000	[diff] [blame]	2337	M_CP_STROPT(chroot_directory);
djm@openbsd.org	9fd0468	2015-11-13 04:38:06 +0000	[diff] [blame]	2338	if (option_clear_or_none(dst->chroot_directory)) {
				2339	free(dst->chroot_directory);
				2340	dst->chroot_directory = NULL;
				2341	}
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2342	}
				2343
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2344	#undef M_CP_INTOPT
				2345	#undef M_CP_STROPT
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	2346	#undef M_CP_STRARRAYOPT
Darren Tucker	1629c07	2007-02-19 22:25:37 +1100	[diff] [blame]	2347
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2348	void
				2349	parse_server_config(ServerOptions options, const char filename, Buffer *conf,
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2350	struct connection_info *connectinfo)
Darren Tucker	4515047	2006-07-12 22:34:17 +1000	[diff] [blame]	2351	{
				2352	int active, linenum, bad_options = 0;
Darren Tucker	9fbac71	2004-08-12 22:41:44 +1000	[diff] [blame]	2353	char cp, obuf, *cbuf;
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2354
				2355	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
				2356
djm@openbsd.org	1a31d02	2016-05-02 08:49:03 +0000	[diff] [blame]	2357	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
				2358	fatal("%s: sshbuf_dup_string failed", __func__);
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2359	active = connectinfo ? 0 : 1;
Darren Tucker	137e9c9	2004-08-13 21:30:24 +1000	[diff] [blame]	2360	linenum = 1;
Darren Tucker	47eede7	2005-03-14 23:08:12 +1100	[diff] [blame]	2361	while ((cp = strsep(&cbuf, "\n")) != NULL) {
Darren Tucker	645ab75	2004-06-25 13:33:20 +1000	[diff] [blame]	2362	if (process_server_config_line(options, cp, filename,
Darren Tucker	fbcf827	2012-05-19 19:37:01 +1000	[diff] [blame]	2363	linenum++, &active, connectinfo) != 0)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	2364	bad_options++;
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	2365	}
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	2366	free(obuf);
Ben Lindstrom	b5cdc66	2001-04-16 02:13:26 +0000	[diff] [blame]	2367	if (bad_options > 0)
				2368	fatal("%s: terminating, %d bad configuration options",
				2369	filename, bad_options);
dtucker@openbsd.org	531a57a	2015-04-29 03:48:56 +0000	[diff] [blame]	2370	process_queued_listen_addrs(options);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	2371	}
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2372
				2373	static const char *
Damien Miller	82c5587	2011-06-23 08:20:30 +1000	[diff] [blame]	2374	fmt_multistate_int(int val, const struct multistate *m)
				2375	{
				2376	u_int i;
				2377
				2378	for (i = 0; m[i].key != NULL; i++) {
				2379	if (m[i].value == val)
				2380	return m[i].key;
				2381	}
				2382	return "UNKNOWN";
				2383	}
				2384
				2385	static const char *
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2386	fmt_intarg(ServerOpCodes code, int val)
				2387	{
Damien Miller	82c5587	2011-06-23 08:20:30 +1000	[diff] [blame]	2388	if (val == -1)
				2389	return "unset";
				2390	switch (code) {
				2391	case sAddressFamily:
				2392	return fmt_multistate_int(val, multistate_addressfamily);
				2393	case sPermitRootLogin:
				2394	return fmt_multistate_int(val, multistate_permitrootlogin);
				2395	case sGatewayPorts:
				2396	return fmt_multistate_int(val, multistate_gatewayports);
				2397	case sCompression:
				2398	return fmt_multistate_int(val, multistate_compression);
Damien Miller	aa5b3f8	2012-12-03 09:50:54 +1100	[diff] [blame]	2399	case sAllowTcpForwarding:
				2400	return fmt_multistate_int(val, multistate_tcpfwd);
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2401	case sAllowStreamLocalForwarding:
				2402	return fmt_multistate_int(val, multistate_tcpfwd);
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	2403	case sFingerprintHash:
				2404	return ssh_digest_alg_name(val);
Damien Miller	82c5587	2011-06-23 08:20:30 +1000	[diff] [blame]	2405	default:
				2406	switch (val) {
				2407	case 0:
				2408	return "no";
				2409	case 1:
				2410	return "yes";
				2411	default:
				2412	return "UNKNOWN";
				2413	}
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2414	}
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2415	}
				2416
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2417	static void
				2418	dump_cfg_int(ServerOpCodes code, int val)
				2419	{
				2420	printf("%s %d\n", lookup_opcode_name(code), val);
				2421	}
				2422
				2423	static void
dtucker@openbsd.org	1108ae2	2015-04-23 04:59:10 +0000	[diff] [blame]	2424	dump_cfg_oct(ServerOpCodes code, int val)
				2425	{
				2426	printf("%s 0%o\n", lookup_opcode_name(code), val);
				2427	}
				2428
				2429	static void
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2430	dump_cfg_fmtint(ServerOpCodes code, int val)
				2431	{
				2432	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
				2433	}
				2434
				2435	static void
				2436	dump_cfg_string(ServerOpCodes code, const char *val)
				2437	{
djm@openbsd.org	161cf41	2014-12-22 07:55:51 +0000	[diff] [blame]	2438	printf("%s %s\n", lookup_opcode_name(code),
				2439	val == NULL ? "none" : val);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2440	}
				2441
				2442	static void
				2443	dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
				2444	{
				2445	u_int i;
				2446
				2447	for (i = 0; i < count; i++)
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	2448	printf("%s %s\n", lookup_opcode_name(code), vals[i]);
				2449	}
				2450
				2451	static void
				2452	dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
				2453	{
				2454	u_int i;
				2455
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	2456	if (count <= 0 && code != sAuthenticationMethods)
dtucker@openbsd.org	40132ff	2015-04-17 04:12:35 +0000	[diff] [blame]	2457	return;
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	2458	printf("%s", lookup_opcode_name(code));
				2459	for (i = 0; i < count; i++)
				2460	printf(" %s", vals[i]);
djm@openbsd.org	b64faeb	2016-06-17 05:03:40 +0000	[diff] [blame]	2461	if (code == sAuthenticationMethods && count == 0)
				2462	printf(" any");
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	2463	printf("\n");
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2464	}
				2465
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2466	static char *
				2467	format_listen_addrs(struct listenaddr *la)
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2468	{
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2469	int r;
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2470	struct addrinfo *ai;
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2471	char addr[NI_MAXHOST], port[NI_MAXSERV];
dtucker@openbsd.org	1108ae2	2015-04-23 04:59:10 +0000	[diff] [blame]	2472	char laddr1 = xstrdup(""), laddr2 = NULL;
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2473
dtucker@openbsd.org	1108ae2	2015-04-23 04:59:10 +0000	[diff] [blame]	2474	/*
				2475	* ListenAddress must be after Port. add_one_listen_addr pushes
				2476	* addresses onto a stack, so to maintain ordering we need to
				2477	* print these in reverse order.
				2478	*/
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2479	for (ai = la->addrs; ai; ai = ai->ai_next) {
				2480	if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2481	sizeof(addr), port, sizeof(port),
				2482	NI_NUMERICHOST\|NI_NUMERICSERV)) != 0) {
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2483	error("getnameinfo: %.100s", ssh_gai_strerror(r));
				2484	continue;
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2485	}
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2486	laddr2 = laddr1;
				2487	if (ai->ai_family == AF_INET6) {
				2488	xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
				2489	addr, port,
				2490	la->rdomain == NULL ? "" : " rdomain ",
				2491	la->rdomain == NULL ? "" : la->rdomain,
				2492	laddr2);
				2493	} else {
				2494	xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
				2495	addr, port,
				2496	la->rdomain == NULL ? "" : " rdomain ",
				2497	la->rdomain == NULL ? "" : la->rdomain,
				2498	laddr2);
				2499	}
				2500	free(laddr2);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2501	}
djm@openbsd.org	acf559e	2017-10-25 00:15:35 +0000	[diff] [blame]	2502	return laddr1;
				2503	}
				2504
				2505	void
				2506	dump_config(ServerOptions *o)
				2507	{
				2508	char *s;
				2509	u_int i;
				2510
				2511	/* these are usually at the top of the config */
				2512	for (i = 0; i < o->num_ports; i++)
				2513	printf("port %d\n", o->ports[i]);
				2514	dump_cfg_fmtint(sAddressFamily, o->address_family);
				2515
				2516	for (i = 0; i < o->num_listen_addrs; i++) {
				2517	s = format_listen_addrs(&o->listen_addrs[i]);
				2518	printf("%s", s);
				2519	free(s);
				2520	}
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2521
				2522	/* integer arguments */
Damien Miller	212f0b0	2008-07-23 17:42:29 +1000	[diff] [blame]	2523	#ifdef USE_PAM
Darren Tucker	70860b6	2015-04-17 10:56:13 +1000	[diff] [blame]	2524	dump_cfg_fmtint(sUsePAM, o->use_pam);
Damien Miller	212f0b0	2008-07-23 17:42:29 +1000	[diff] [blame]	2525	#endif
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2526	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2527	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
				2528	dump_cfg_int(sMaxAuthTries, o->max_authtries);
Damien Miller	7fc5c0f	2008-11-05 16:12:11 +1100	[diff] [blame]	2529	dump_cfg_int(sMaxSessions, o->max_sessions);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2530	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
				2531	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
dtucker@openbsd.org	1108ae2	2015-04-23 04:59:10 +0000	[diff] [blame]	2532	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2533
				2534	/* formatted integer arguments */
				2535	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
				2536	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
				2537	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2538	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
				2539	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
				2540	o->hostbased_uses_name_from_packet_only);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2541	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
Damien Miller	6ef430d	2008-07-23 17:40:04 +1000	[diff] [blame]	2542	#ifdef KRB5
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2543	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
				2544	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
				2545	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
Damien Miller	6ef430d	2008-07-23 17:40:04 +1000	[diff] [blame]	2546	# ifdef USE_AFS
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2547	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
Damien Miller	6ef430d	2008-07-23 17:40:04 +1000	[diff] [blame]	2548	# endif
				2549	#endif
				2550	#ifdef GSSAPI
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2551	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
				2552	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
Damien Miller	6ef430d	2008-07-23 17:40:04 +1000	[diff] [blame]	2553	#endif
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2554	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
				2555	dump_cfg_fmtint(sKbdInteractiveAuthentication,
				2556	o->kbd_interactive_authentication);
				2557	dump_cfg_fmtint(sChallengeResponseAuthentication,
				2558	o->challenge_response_authentication);
				2559	dump_cfg_fmtint(sPrintMotd, o->print_motd);
Darren Tucker	fd4e4f2	2016-02-24 10:44:25 +1100	[diff] [blame]	2560	#ifndef DISABLE_LASTLOG
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2561	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
Darren Tucker	fd4e4f2	2016-02-24 10:44:25 +1100	[diff] [blame]	2562	#endif
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2563	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
				2564	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
Damien Miller	5ff30c6	2013-10-30 22:21:50 +1100	[diff] [blame]	2565	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
Damien Miller	72e6b5c	2014-07-04 09:00:04 +1000	[diff] [blame]	2566	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2567	dump_cfg_fmtint(sStrictModes, o->strict_modes);
				2568	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
				2569	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2570	dump_cfg_fmtint(sCompression, o->compression);
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2571	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2572	dump_cfg_fmtint(sUseDNS, o->use_dns);
				2573	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dtucker@openbsd.org	40132ff	2015-04-17 04:12:35 +0000	[diff] [blame]	2574	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
djm@openbsd.org	7844f35	2016-11-30 03:00:05 +0000	[diff] [blame]	2575	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	2576	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
djm@openbsd.org	771c2f5	2016-05-03 15:25:06 +0000	[diff] [blame]	2577	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	2578	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
djm@openbsd.org	8f57495	2017-06-24 06:34:38 +0000	[diff] [blame]	2579	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2580
				2581	/* string arguments */
				2582	dump_cfg_string(sPidFile, o->pid_file);
				2583	dump_cfg_string(sXAuthLocation, o->xauth_location);
djm@openbsd.org	57d378e	2014-08-19 23:58:28 +0000	[diff] [blame]	2584	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
				2585	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2586	dump_cfg_string(sBanner, o->banner);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2587	dump_cfg_string(sForceCommand, o->adm_forced_command);
Darren Tucker	d330045	2010-01-10 19:26:43 +1100	[diff] [blame]	2588	dump_cfg_string(sChrootDirectory, o->chroot_directory);
Damien Miller	1aed65e	2010-03-04 21:53:35 +1100	[diff] [blame]	2589	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
				2590	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	2591	dump_cfg_string(sAuthorizedPrincipalsFile,
				2592	o->authorized_principals_file);
dtucker@openbsd.org	40132ff	2015-04-17 04:12:35 +0000	[diff] [blame]	2593	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
				2594	? "none" : o->version_addendum);
Damien Miller	09d3e12	2012-10-31 08:58:58 +1100	[diff] [blame]	2595	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
				2596	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
djm@openbsd.org	bcc50d8	2015-05-21 06:43:30 +0000	[diff] [blame]	2597	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
				2598	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
Damien Miller	85b45e0	2013-07-20 13:21:52 +1000	[diff] [blame]	2599	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
djm@openbsd.org	57d378e	2014-08-19 23:58:28 +0000	[diff] [blame]	2600	dump_cfg_string(sKexAlgorithms,
djm@openbsd.org	259a02e	2014-10-13 00:38:35 +0000	[diff] [blame]	2601	o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	2602	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
				2603	o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
markus@openbsd.org	3a1638d	2015-07-10 06:21:53 +0000	[diff] [blame]	2604	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
				2605	o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	2606	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
				2607	o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
djm@openbsd.org	35eb33f	2017-10-25 00:17:08 +0000	[diff] [blame]	2608	dump_cfg_string(sRDomain, o->routing_domain);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2609
				2610	/* string arguments requiring a lookup */
				2611	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
				2612	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
				2613
				2614	/* string array arguments */
Damien Miller	d8478b6	2011-05-29 21:39:36 +1000	[diff] [blame]	2615	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
				2616	o->authorized_keys_files);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2617	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
				2618	o->host_key_files);
dtucker@openbsd.org	40132ff	2015-04-17 04:12:35 +0000	[diff] [blame]	2619	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	2620	o->host_cert_files);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2621	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
				2622	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
				2623	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
				2624	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
				2625	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
djm@openbsd.org	2801375	2018-06-09 03:03:10 +0000	[diff] [blame]	2626	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
Damien Miller	a6e3f01	2012-11-04 23:21:40 +1100	[diff] [blame]	2627	dump_cfg_strarray_oneline(sAuthenticationMethods,
				2628	o->num_auth_methods, o->auth_methods);
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2629
				2630	/* other arguments */
				2631	for (i = 0; i < o->num_subsystems; i++)
				2632	printf("subsystem %s %s\n", o->subsystem_name[i],
				2633	o->subsystem_args[i]);
				2634
				2635	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
				2636	o->max_startups_rate, o->max_startups);
				2637
djm@openbsd.org	d685e5a	2017-10-25 02:10:39 +0000	[diff] [blame]	2638	s = NULL;
				2639	for (i = 0; tunmode_desc[i].val != -1; i++) {
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2640	if (tunmode_desc[i].val == o->permit_tun) {
				2641	s = tunmode_desc[i].text;
				2642	break;
				2643	}
djm@openbsd.org	d685e5a	2017-10-25 02:10:39 +0000	[diff] [blame]	2644	}
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2645	dump_cfg_string(sPermitTunnel, s);
				2646
Damien Miller	9147586	2011-05-05 14:14:34 +1000	[diff] [blame]	2647	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
				2648	printf("%s\n", iptos2str(o->ip_qos_bulk));
Damien Miller	0dac6fb	2010-11-20 15:19:38 +1100	[diff] [blame]	2649
dtucker@openbsd.org	921ff00	2016-01-29 02:54:45 +0000	[diff] [blame]	2650	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
Damien Miller	a6d6c1f	2013-08-21 02:40:01 +1000	[diff] [blame]	2651	o->rekey_interval);
Darren Tucker	5f96f3b	2013-05-16 20:29:28 +1000	[diff] [blame]	2652
djm@openbsd.org	dbee411	2017-09-12 06:32:07 +0000	[diff] [blame]	2653	printf("permitopen");
				2654	if (o->num_permitted_opens == 0)
				2655	printf(" any");
				2656	else {
				2657	for (i = 0; i < o->num_permitted_opens; i++)
				2658	printf(" %s", o->permitted_opens[i]);
				2659	}
				2660	printf("\n");
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	2661	printf("permitlisten");
				2662	if (o->num_permitted_listens == 0)
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	2663	printf(" any");
				2664	else {
djm@openbsd.org	93c06ab	2018-06-06 18:23:32 +0000	[diff] [blame]	2665	for (i = 0; i < o->num_permitted_listens; i++)
				2666	printf(" %s", o->permitted_listens[i]);
djm@openbsd.org	115063a	2018-06-06 18:22:41 +0000	[diff] [blame]	2667	}
				2668	printf("\n");
djm@openbsd.org	95344c2	2018-07-03 10:59:35 +0000	[diff] [blame]	2669
				2670	if (o->permit_user_env_whitelist == NULL) {
				2671	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
				2672	} else {
				2673	printf("permituserenvironment %s\n",
				2674	o->permit_user_env_whitelist);
				2675	}
				2676
Darren Tucker	e7140f2	2008-06-10 23:01:51 +1000	[diff] [blame]	2677	}