blob: 1f80de22d3ecefb3a53d66d0ba2b6d37c996a6b3 [file] [log] [blame]
Damien Miller565ca3f2006-08-19 00:23:15 +10001/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
Damien Millerd4a8b7e1999-10-27 13:42:43 +10002/*
Damien Miller95def091999-11-25 00:26:21 +11003 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller4af51302000-04-16 11:18:38 +10005 *
Damien Millere4340be2000-09-16 13:29:08 +11006 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
Damien Miller95def091999-11-25 00:26:21 +110011 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100012
13#include "includes.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100014
Damien Millere3b60b52006-07-10 21:08:03 +100015#include <sys/types.h>
16#include <sys/socket.h>
17
Damien Millerb8fe89c2006-07-24 14:51:00 +100018#include <netdb.h>
Damien Miller565ca3f2006-08-19 00:23:15 +100019#include <pwd.h>
Damien Millera7a73ee2006-08-05 11:37:59 +100020#include <stdio.h>
Damien Millere7a1e5c2006-08-05 11:34:19 +100021#include <stdlib.h>
Damien Millere3476ed2006-07-24 14:13:33 +100022#include <string.h>
Damien Millerd7834352006-08-05 12:39:39 +100023#include <signal.h>
Damien Millere6b3b612006-07-24 14:01:23 +100024#include <unistd.h>
Damien Millerd7834352006-08-05 12:39:39 +100025#include <stdarg.h>
Damien Millerbe43ebf2006-07-24 13:51:51 +100026
Damien Millerd7834352006-08-05 12:39:39 +100027#include "xmalloc.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100028#include "ssh.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000029#include "log.h"
Damien Millerd7834352006-08-05 12:39:39 +100030#include "buffer.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100031#include "servconf.h"
Damien Miller78928792000-04-12 20:17:38 +100032#include "compat.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000033#include "pathnames.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000034#include "misc.h"
35#include "cipher.h"
Damien Millerd7834352006-08-05 12:39:39 +100036#include "key.h"
Ben Lindstrom06b33aa2001-02-15 03:01:59 +000037#include "kex.h"
38#include "mac.h"
Darren Tucker45150472006-07-12 22:34:17 +100039#include "match.h"
Damien Miller9b439df2006-07-24 14:04:00 +100040#include "channels.h"
Damien Miller565ca3f2006-08-19 00:23:15 +100041#include "groupaccess.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000042
Ben Lindstrombba81212001-06-25 05:01:22 +000043static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
Damien Miller34132e52000-01-14 15:45:46 +110045
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000046/* Use of privilege separation or not */
47extern int use_privsep;
Darren Tucker45150472006-07-12 22:34:17 +100048extern Buffer cfg;
Ben Lindstrom226cfa02001-01-22 05:34:40 +000049
Damien Millerd4a8b7e1999-10-27 13:42:43 +100050/* Initializes the server options to their default values. */
51
Damien Miller4af51302000-04-16 11:18:38 +100052void
Damien Miller95def091999-11-25 00:26:21 +110053initialize_server_options(ServerOptions *options)
Damien Millerd4a8b7e1999-10-27 13:42:43 +100054{
Damien Miller95def091999-11-25 00:26:21 +110055 memset(options, 0, sizeof(*options));
Damien Miller726273e2001-11-12 11:40:11 +110056
57 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +100058 options->use_pam = -1;
Damien Miller726273e2001-11-12 11:40:11 +110059
60 /* Standard Options */
Damien Miller34132e52000-01-14 15:45:46 +110061 options->num_ports = 0;
62 options->ports_from_cmdline = 0;
63 options->listen_addrs = NULL;
Darren Tucker0f383232005-01-20 10:57:56 +110064 options->address_family = -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +110065 options->num_host_key_files = 0;
Damien Miller6f83b8e2000-05-02 09:23:45 +100066 options->pid_file = NULL;
Damien Miller95def091999-11-25 00:26:21 +110067 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
Ben Lindstromd8a90212001-02-15 03:08:27 +000070 options->permit_root_login = PERMIT_NOT_SET;
Damien Miller95def091999-11-25 00:26:21 +110071 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
Ben Lindstrom7bfff362001-03-26 05:45:53 +000074 options->print_lastlog = -1;
Damien Miller95def091999-11-25 00:26:21 +110075 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
Damien Miller95c249f2002-02-05 12:11:34 +110077 options->x11_use_localhost = -1;
Damien Millerd3a18572000-06-07 19:55:44 +100078 options->xauth_location = NULL;
Damien Miller95def091999-11-25 00:26:21 +110079 options->strict_modes = -1;
Damien Miller12c150e2003-12-17 16:31:10 +110080 options->tcp_keep_alive = -1;
Damien Millerfcd93202002-02-05 12:26:34 +110081 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
Damien Miller95def091999-11-25 00:26:21 +110083 options->rhosts_rsa_authentication = -1;
Ben Lindstrom5eabda32001-04-12 23:34:34 +000084 options->hostbased_authentication = -1;
85 options->hostbased_uses_name_from_packet_only = -1;
Damien Miller95def091999-11-25 00:26:21 +110086 options->rsa_authentication = -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +110087 options->pubkey_authentication = -1;
Damien Miller95def091999-11-25 00:26:21 +110088 options->kerberos_authentication = -1;
89 options->kerberos_or_local_passwd = -1;
90 options->kerberos_ticket_cleanup = -1;
Darren Tucker22ef5082003-12-31 11:37:34 +110091 options->kerberos_get_afs_token = -1;
Darren Tucker0efd1552003-08-26 11:49:55 +100092 options->gss_authentication=-1;
93 options->gss_cleanup_creds = -1;
Damien Miller95def091999-11-25 00:26:21 +110094 options->password_authentication = -1;
Damien Miller874d77b2000-10-14 16:23:11 +110095 options->kbd_interactive_authentication = -1;
Ben Lindstrom551ea372001-06-05 18:56:16 +000096 options->challenge_response_authentication = -1;
Damien Miller95def091999-11-25 00:26:21 +110097 options->permit_empty_passwd = -1;
Ben Lindstrom5d860f02002-08-01 01:28:38 +000098 options->permit_user_env = -1;
Damien Miller95def091999-11-25 00:26:21 +110099 options->use_login = -1;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000100 options->compression = -1;
Damien Miller50a41ed2000-10-16 12:14:42 +1100101 options->allow_tcp_forwarding = -1;
Damien Miller95def091999-11-25 00:26:21 +1100102 options->num_allow_users = 0;
103 options->num_deny_users = 0;
104 options->num_allow_groups = 0;
105 options->num_deny_groups = 0;
Damien Miller78928792000-04-12 20:17:38 +1000106 options->ciphers = NULL;
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000107 options->macs = NULL;
Damien Miller78928792000-04-12 20:17:38 +1000108 options->protocol = SSH_PROTO_UNKNOWN;
Damien Millere247cc42000-05-07 12:03:14 +1000109 options->gateway_ports = -1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000110 options->num_subsystems = 0;
Damien Miller942da032000-08-18 13:59:06 +1000111 options->max_startups_begin = -1;
112 options->max_startups_rate = -1;
Damien Miller37023962000-07-11 17:31:38 +1000113 options->max_startups = -1;
Darren Tucker89413db2004-05-24 10:36:23 +1000114 options->max_authtries = -1;
Ben Lindstrom48bd7c12001-01-09 00:35:42 +0000115 options->banner = NULL;
Damien Miller3a961dc2003-06-03 10:25:48 +1000116 options->use_dns = -1;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000117 options->client_alive_interval = -1;
118 options->client_alive_count_max = -1;
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000119 options->authorized_keys_file = NULL;
120 options->authorized_keys_file2 = NULL;
Darren Tucker46bc0752004-05-02 22:11:30 +1000121 options->num_accept_env = 0;
Damien Millerd27b9472005-12-13 19:29:02 +1100122 options->permit_tun = -1;
Damien Millera765cf42006-07-24 14:08:13 +1000123 options->num_permitted_opens = -1;
Damien Millere2754432006-07-24 14:06:47 +1000124 options->adm_forced_command = NULL;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000125}
126
Damien Miller4af51302000-04-16 11:18:38 +1000127void
Damien Miller95def091999-11-25 00:26:21 +1100128fill_default_server_options(ServerOptions *options)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000129{
Damien Miller726273e2001-11-12 11:40:11 +1100130 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000131 if (options->use_pam == -1)
Damien Miller5c3a5582003-09-23 22:12:38 +1000132 options->use_pam = 0;
Damien Miller726273e2001-11-12 11:40:11 +1100133
134 /* Standard Options */
Damien Miller0bc1bd82000-11-13 22:57:25 +1100135 if (options->protocol == SSH_PROTO_UNKNOWN)
136 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
137 if (options->num_host_key_files == 0) {
138 /* fill default hostkeys for protocols */
139 if (options->protocol & SSH_PROTO_1)
Damien Miller7fc23732002-01-22 23:19:11 +1100140 options->host_key_files[options->num_host_key_files++] =
141 _PATH_HOST_KEY_FILE;
142 if (options->protocol & SSH_PROTO_2) {
143 options->host_key_files[options->num_host_key_files++] =
144 _PATH_HOST_RSA_KEY_FILE;
145 options->host_key_files[options->num_host_key_files++] =
146 _PATH_HOST_DSA_KEY_FILE;
147 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100148 }
Damien Miller34132e52000-01-14 15:45:46 +1100149 if (options->num_ports == 0)
150 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
151 if (options->listen_addrs == NULL)
Ben Lindstrom19066a12001-04-12 23:39:26 +0000152 add_listen_addr(options, NULL, 0);
Damien Miller6f83b8e2000-05-02 09:23:45 +1000153 if (options->pid_file == NULL)
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000154 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
Damien Miller95def091999-11-25 00:26:21 +1100155 if (options->server_key_bits == -1)
156 options->server_key_bits = 768;
157 if (options->login_grace_time == -1)
Damien Millerc1348632002-09-05 14:35:14 +1000158 options->login_grace_time = 120;
Damien Miller95def091999-11-25 00:26:21 +1100159 if (options->key_regeneration_time == -1)
160 options->key_regeneration_time = 3600;
Ben Lindstromd8a90212001-02-15 03:08:27 +0000161 if (options->permit_root_login == PERMIT_NOT_SET)
162 options->permit_root_login = PERMIT_YES;
Damien Miller95def091999-11-25 00:26:21 +1100163 if (options->ignore_rhosts == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100164 options->ignore_rhosts = 1;
Damien Miller95def091999-11-25 00:26:21 +1100165 if (options->ignore_user_known_hosts == -1)
166 options->ignore_user_known_hosts = 0;
Damien Miller95def091999-11-25 00:26:21 +1100167 if (options->print_motd == -1)
168 options->print_motd = 1;
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000169 if (options->print_lastlog == -1)
170 options->print_lastlog = 1;
Damien Miller95def091999-11-25 00:26:21 +1100171 if (options->x11_forwarding == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100172 options->x11_forwarding = 0;
Damien Miller95def091999-11-25 00:26:21 +1100173 if (options->x11_display_offset == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100174 options->x11_display_offset = 10;
Damien Miller95c249f2002-02-05 12:11:34 +1100175 if (options->x11_use_localhost == -1)
176 options->x11_use_localhost = 1;
Damien Millerd3a18572000-06-07 19:55:44 +1000177 if (options->xauth_location == NULL)
Ben Lindstrom1bf11f62001-06-09 01:48:01 +0000178 options->xauth_location = _PATH_XAUTH;
Damien Miller95def091999-11-25 00:26:21 +1100179 if (options->strict_modes == -1)
180 options->strict_modes = 1;
Damien Miller12c150e2003-12-17 16:31:10 +1100181 if (options->tcp_keep_alive == -1)
182 options->tcp_keep_alive = 1;
Damien Millerfcd93202002-02-05 12:26:34 +1100183 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
Damien Miller95def091999-11-25 00:26:21 +1100184 options->log_facility = SYSLOG_FACILITY_AUTH;
Damien Millerfcd93202002-02-05 12:26:34 +1100185 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000186 options->log_level = SYSLOG_LEVEL_INFO;
Damien Miller95def091999-11-25 00:26:21 +1100187 if (options->rhosts_rsa_authentication == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100188 options->rhosts_rsa_authentication = 0;
Ben Lindstrom5eabda32001-04-12 23:34:34 +0000189 if (options->hostbased_authentication == -1)
190 options->hostbased_authentication = 0;
191 if (options->hostbased_uses_name_from_packet_only == -1)
192 options->hostbased_uses_name_from_packet_only = 0;
Damien Miller95def091999-11-25 00:26:21 +1100193 if (options->rsa_authentication == -1)
194 options->rsa_authentication = 1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100195 if (options->pubkey_authentication == -1)
196 options->pubkey_authentication = 1;
Damien Miller95def091999-11-25 00:26:21 +1100197 if (options->kerberos_authentication == -1)
Damien Millerd7de14b2002-04-23 21:04:51 +1000198 options->kerberos_authentication = 0;
Damien Miller95def091999-11-25 00:26:21 +1100199 if (options->kerberos_or_local_passwd == -1)
200 options->kerberos_or_local_passwd = 1;
201 if (options->kerberos_ticket_cleanup == -1)
202 options->kerberos_ticket_cleanup = 1;
Darren Tucker22ef5082003-12-31 11:37:34 +1100203 if (options->kerberos_get_afs_token == -1)
204 options->kerberos_get_afs_token = 0;
Darren Tucker0efd1552003-08-26 11:49:55 +1000205 if (options->gss_authentication == -1)
206 options->gss_authentication = 0;
207 if (options->gss_cleanup_creds == -1)
208 options->gss_cleanup_creds = 1;
Damien Miller95def091999-11-25 00:26:21 +1100209 if (options->password_authentication == -1)
210 options->password_authentication = 1;
Damien Miller874d77b2000-10-14 16:23:11 +1100211 if (options->kbd_interactive_authentication == -1)
212 options->kbd_interactive_authentication = 0;
Ben Lindstrom551ea372001-06-05 18:56:16 +0000213 if (options->challenge_response_authentication == -1)
214 options->challenge_response_authentication = 1;
Damien Miller95def091999-11-25 00:26:21 +1100215 if (options->permit_empty_passwd == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100216 options->permit_empty_passwd = 0;
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000217 if (options->permit_user_env == -1)
218 options->permit_user_env = 0;
Damien Miller95def091999-11-25 00:26:21 +1100219 if (options->use_login == -1)
220 options->use_login = 0;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000221 if (options->compression == -1)
Damien Miller9786e6e2005-07-26 21:54:56 +1000222 options->compression = COMP_DELAYED;
Damien Miller50a41ed2000-10-16 12:14:42 +1100223 if (options->allow_tcp_forwarding == -1)
224 options->allow_tcp_forwarding = 1;
Damien Millere247cc42000-05-07 12:03:14 +1000225 if (options->gateway_ports == -1)
226 options->gateway_ports = 0;
Damien Miller37023962000-07-11 17:31:38 +1000227 if (options->max_startups == -1)
228 options->max_startups = 10;
Damien Miller942da032000-08-18 13:59:06 +1000229 if (options->max_startups_rate == -1)
230 options->max_startups_rate = 100; /* 100% */
231 if (options->max_startups_begin == -1)
232 options->max_startups_begin = options->max_startups;
Darren Tucker89413db2004-05-24 10:36:23 +1000233 if (options->max_authtries == -1)
234 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
Damien Miller3a961dc2003-06-03 10:25:48 +1000235 if (options->use_dns == -1)
236 options->use_dns = 1;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000237 if (options->client_alive_interval == -1)
Damien Miller9f0f5c62001-12-21 14:45:46 +1100238 options->client_alive_interval = 0;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000239 if (options->client_alive_count_max == -1)
240 options->client_alive_count_max = 3;
Damien Miller75413ac2001-11-12 11:14:35 +1100241 if (options->authorized_keys_file2 == NULL) {
242 /* authorized_keys_file2 falls back to authorized_keys_file */
243 if (options->authorized_keys_file != NULL)
244 options->authorized_keys_file2 = options->authorized_keys_file;
245 else
246 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
247 }
248 if (options->authorized_keys_file == NULL)
249 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
Damien Millerd27b9472005-12-13 19:29:02 +1100250 if (options->permit_tun == -1)
Damien Miller7b58e802005-12-13 19:33:19 +1100251 options->permit_tun = SSH_TUNMODE_NO;
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000252
Ben Lindstromfb62a692002-06-06 19:47:11 +0000253 /* Turn privilege separation on by default */
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000254 if (use_privsep == -1)
Ben Lindstromfb62a692002-06-06 19:47:11 +0000255 use_privsep = 1;
Damien Miller4903eb42002-06-21 16:20:44 +1000256
Tim Rice40017b02002-07-14 13:36:49 -0700257#ifndef HAVE_MMAP
Damien Miller4903eb42002-06-21 16:20:44 +1000258 if (use_privsep && options->compression == 1) {
259 error("This platform does not support both privilege "
260 "separation and compression");
261 error("Compression disabled");
262 options->compression = 0;
263 }
264#endif
265
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000266}
267
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000268/* Keyword tokens. */
Damien Miller95def091999-11-25 00:26:21 +1100269typedef enum {
270 sBadOption, /* == unknown option */
Damien Miller726273e2001-11-12 11:40:11 +1100271 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000272 sUsePAM,
Damien Miller726273e2001-11-12 11:40:11 +1100273 /* Standard Options */
Damien Miller95def091999-11-25 00:26:21 +1100274 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
275 sPermitRootLogin, sLogFacility, sLogLevel,
Darren Tuckerec960f22003-08-13 20:37:05 +1000276 sRhostsRSAAuthentication, sRSAAuthentication,
Damien Miller95def091999-11-25 00:26:21 +1100277 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
Darren Tucker22ef5082003-12-31 11:37:34 +1100278 sKerberosGetAFSToken,
Darren Tucker6aaa58c2003-08-02 22:24:49 +1000279 sKerberosTgtPassing, sChallengeResponseAuthentication,
Darren Tucker0f383232005-01-20 10:57:56 +1100280 sPasswordAuthentication, sKbdInteractiveAuthentication,
281 sListenAddress, sAddressFamily,
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000282 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
Damien Miller95c249f2002-02-05 12:11:34 +1100283 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
Damien Miller12c150e2003-12-17 16:31:10 +1100284 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000285 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
Damien Miller50a41ed2000-10-16 12:14:42 +1100286 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000287 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
Darren Tucker89413db2004-05-24 10:36:23 +1000288 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
289 sMaxStartups, sMaxAuthTries,
Damien Miller3a961dc2003-06-03 10:25:48 +1000290 sBanner, sUseDNS, sHostbasedAuthentication,
Damien Miller9f0f5c62001-12-21 14:45:46 +1100291 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000292 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
Damien Millerd27b9472005-12-13 19:29:02 +1100293 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
Damien Millere2754432006-07-24 14:06:47 +1000294 sMatch, sPermitOpen, sForceCommand,
Ben Lindstromc7431342002-03-22 03:11:49 +0000295 sUsePrivilegeSeparation,
Damien Millerf9b3feb2003-05-16 11:38:32 +1000296 sDeprecated, sUnsupported
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000297} ServerOpCodes;
298
Darren Tucker45150472006-07-12 22:34:17 +1000299#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
300#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
301#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
302
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000303/* Textual representation of the tokens. */
Damien Miller95def091999-11-25 00:26:21 +1100304static struct {
305 const char *name;
306 ServerOpCodes opcode;
Darren Tucker45150472006-07-12 22:34:17 +1000307 u_int flags;
Damien Miller95def091999-11-25 00:26:21 +1100308} keywords[] = {
Damien Miller726273e2001-11-12 11:40:11 +1100309 /* Portable-specific options */
Damien Miller6ac2c482003-05-16 11:42:35 +1000310#ifdef USE_PAM
Darren Tucker45150472006-07-12 22:34:17 +1000311 { "usepam", sUsePAM, SSHCFG_GLOBAL },
Damien Miller6ac2c482003-05-16 11:42:35 +1000312#else
Darren Tucker45150472006-07-12 22:34:17 +1000313 { "usepam", sUnsupported, SSHCFG_GLOBAL },
Damien Miller6ac2c482003-05-16 11:42:35 +1000314#endif
Darren Tucker45150472006-07-12 22:34:17 +1000315 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
Damien Miller726273e2001-11-12 11:40:11 +1100316 /* Standard Options */
Darren Tucker45150472006-07-12 22:34:17 +1000317 { "port", sPort, SSHCFG_GLOBAL },
318 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
319 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
320 { "pidfile", sPidFile, SSHCFG_GLOBAL },
321 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
322 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
323 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
324 { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
325 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
326 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
327 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
328 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
329 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
330 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
331 { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
332 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
333 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
Darren Tucker6aaa58c2003-08-02 22:24:49 +1000334#ifdef KRB5
Darren Tucker45150472006-07-12 22:34:17 +1000335 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
336 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
337 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
Darren Tucker3c78c5e2004-01-23 22:03:10 +1100338#ifdef USE_AFS
Darren Tucker45150472006-07-12 22:34:17 +1000339 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000340#else
Darren Tucker45150472006-07-12 22:34:17 +1000341 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker409cb322004-01-05 22:36:51 +1100342#endif
343#else
Darren Tucker45150472006-07-12 22:34:17 +1000344 { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
345 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
346 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
347 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000348#endif
Darren Tucker45150472006-07-12 22:34:17 +1000349 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
350 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker0efd1552003-08-26 11:49:55 +1000351#ifdef GSSAPI
Darren Tucker45150472006-07-12 22:34:17 +1000352 { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
353 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
Darren Tucker0efd1552003-08-26 11:49:55 +1000354#else
Darren Tucker45150472006-07-12 22:34:17 +1000355 { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
356 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker0efd1552003-08-26 11:49:55 +1000357#endif
Darren Tucker45150472006-07-12 22:34:17 +1000358 { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
359 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
360 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
361 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
362 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
363 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
364 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
365 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
366 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
367 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
368 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
Damien Millerd1de9952006-07-24 14:05:48 +1000369 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
370 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
371 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000372 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
373 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
374 { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
375 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
376 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
377 { "compression", sCompression, SSHCFG_GLOBAL },
378 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
379 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
380 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
381 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
382 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
383 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
384 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
385 { "ciphers", sCiphers, SSHCFG_GLOBAL },
386 { "macs", sMacs, SSHCFG_GLOBAL },
387 { "protocol", sProtocol, SSHCFG_GLOBAL },
388 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
389 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
390 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
391 { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
392 { "banner", sBanner, SSHCFG_GLOBAL },
393 { "usedns", sUseDNS, SSHCFG_GLOBAL },
394 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
395 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
396 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
397 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
398 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
399 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
400 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
401 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
402 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
Damien Miller9b439df2006-07-24 14:04:00 +1000403 { "match", sMatch, SSHCFG_ALL },
404 { "permitopen", sPermitOpen, SSHCFG_ALL },
Damien Millere2754432006-07-24 14:06:47 +1000405 { "forcecommand", sForceCommand, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000406 { NULL, sBadOption, 0 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000407};
408
Damien Miller5428f641999-11-25 11:54:57 +1100409/*
Ben Lindstrom3704c262001-04-02 18:20:03 +0000410 * Returns the number of the token pointed to by cp or sBadOption.
Damien Miller5428f641999-11-25 11:54:57 +1100411 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000412
Damien Miller4af51302000-04-16 11:18:38 +1000413static ServerOpCodes
Damien Miller95def091999-11-25 00:26:21 +1100414parse_token(const char *cp, const char *filename,
Darren Tucker45150472006-07-12 22:34:17 +1000415 int linenum, u_int *flags)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000416{
Ben Lindstrom46c16222000-12-22 01:43:59 +0000417 u_int i;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000418
Damien Miller95def091999-11-25 00:26:21 +1100419 for (i = 0; keywords[i].name; i++)
Darren Tucker45150472006-07-12 22:34:17 +1000420 if (strcasecmp(cp, keywords[i].name) == 0) {
421 *flags = keywords[i].flags;
Damien Miller95def091999-11-25 00:26:21 +1100422 return keywords[i].opcode;
Darren Tucker45150472006-07-12 22:34:17 +1000423 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000424
Ben Lindstromb5cdc662001-04-16 02:13:26 +0000425 error("%s: line %d: Bad configuration option: %s",
426 filename, linenum, cp);
Damien Miller95def091999-11-25 00:26:21 +1100427 return sBadOption;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000428}
429
Ben Lindstrombba81212001-06-25 05:01:22 +0000430static void
Ben Lindstrom19066a12001-04-12 23:39:26 +0000431add_listen_addr(ServerOptions *options, char *addr, u_short port)
Damien Miller34132e52000-01-14 15:45:46 +1100432{
Damien Millereccb9de2005-06-17 12:59:34 +1000433 u_int i;
Damien Miller34132e52000-01-14 15:45:46 +1100434
435 if (options->num_ports == 0)
436 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
Darren Tucker0f383232005-01-20 10:57:56 +1100437 if (options->address_family == -1)
438 options->address_family = AF_UNSPEC;
Ben Lindstrom19066a12001-04-12 23:39:26 +0000439 if (port == 0)
Ben Lindstromc510af42001-04-07 17:25:48 +0000440 for (i = 0; i < options->num_ports; i++)
441 add_one_listen_addr(options, addr, options->ports[i]);
442 else
Ben Lindstrom19066a12001-04-12 23:39:26 +0000443 add_one_listen_addr(options, addr, port);
Ben Lindstromc510af42001-04-07 17:25:48 +0000444}
445
Ben Lindstrombba81212001-06-25 05:01:22 +0000446static void
Ben Lindstromc510af42001-04-07 17:25:48 +0000447add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
448{
449 struct addrinfo hints, *ai, *aitop;
450 char strport[NI_MAXSERV];
451 int gaierr;
452
453 memset(&hints, 0, sizeof(hints));
Darren Tucker0f383232005-01-20 10:57:56 +1100454 hints.ai_family = options->address_family;
Ben Lindstromc510af42001-04-07 17:25:48 +0000455 hints.ai_socktype = SOCK_STREAM;
456 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
Ben Lindstrome1353632002-06-23 21:29:23 +0000457 snprintf(strport, sizeof strport, "%u", port);
Ben Lindstromc510af42001-04-07 17:25:48 +0000458 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
459 fatal("bad addr or host: %s (%s)",
460 addr ? addr : "<NULL>",
461 gai_strerror(gaierr));
462 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
463 ;
464 ai->ai_next = options->listen_addrs;
465 options->listen_addrs = aitop;
Damien Miller34132e52000-01-14 15:45:46 +1100466}
467
Darren Tucker45150472006-07-12 22:34:17 +1000468/*
469 * The strategy for the Match blocks is that the config file is parsed twice.
470 *
471 * The first time is at startup. activep is initialized to 1 and the
472 * directives in the global context are processed and acted on. Hitting a
473 * Match directive unsets activep and the directives inside the block are
474 * checked for syntax only.
475 *
476 * The second time is after a connection has been established but before
477 * authentication. activep is initialized to 2 and global config directives
478 * are ignored since they have already been processed. If the criteria in a
479 * Match block is met, activep is set and the subsequent directives
480 * processed and actioned until EOF or another Match block unsets it. Any
481 * options set are copied into the main server config.
482 *
483 * Potential additions/improvements:
484 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
485 *
486 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
487 * Match Address 192.168.0.*
488 * Tag trusted
489 * Match Group wheel
490 * Tag trusted
491 * Match Tag trusted
492 * AllowTcpForwarding yes
493 * GatewayPorts clientspecified
494 * [...]
495 *
496 * - Add a PermittedChannelRequests directive
497 * Match Group shell
498 * PermittedChannelRequests session,forwarded-tcpip
499 */
500
501static int
Damien Miller565ca3f2006-08-19 00:23:15 +1000502match_cfg_line_group(const char *grps, int line, const char *user)
503{
504 int result = 0;
505 u_int ngrps = 0;
506 char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
507 struct passwd *pw;
508
509 /*
510 * Even if we do not have a user yet, we still need to check for
511 * valid syntax.
512 */
513 arg = cp = xstrdup(grps);
514 while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
515 if (ngrps >= MAX_MATCH_GROUPS) {
516 error("line %d: too many groups in Match Group", line);
517 result = -1;
518 goto out;
519 }
520 grplist[ngrps++] = p;
521 }
522
523 if (user == NULL)
524 goto out;
525
526 if ((pw = getpwnam(user)) == NULL) {
527 debug("Can't match group at line %d because user %.100s does "
528 "not exist", line, user);
529 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
530 debug("Can't Match group because user %.100s not in any group "
531 "at line %d", user, line);
532 } else if (ga_match(grplist, ngrps) != 1) {
533 debug("user %.100s does not match group %.100s at line %d",
534 user, arg, line);
535 } else {
536 debug("user %.100s matched group %.100s at line %d", user,
537 arg, line);
538 result = 1;
539 }
540out:
541 ga_free();
542 xfree(arg);
543 return result;
544}
545
546static int
Darren Tucker45150472006-07-12 22:34:17 +1000547match_cfg_line(char **condition, int line, const char *user, const char *host,
548 const char *address)
549{
550 int result = 1;
551 char *arg, *attrib, *cp = *condition;
552 size_t len;
553
554 if (user == NULL)
555 debug3("checking syntax for 'Match %s'", cp);
556 else
557 debug3("checking match for '%s' user %s host %s addr %s", cp,
558 user ? user : "(null)", host ? host : "(null)",
559 address ? address : "(null)");
560
561 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
562 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
563 error("Missing Match criteria for %s", attrib);
564 return -1;
565 }
566 len = strlen(arg);
567 if (strcasecmp(attrib, "user") == 0) {
568 if (!user) {
569 result = 0;
570 continue;
571 }
572 if (match_pattern_list(user, arg, len, 0) != 1)
573 result = 0;
574 else
575 debug("user %.100s matched 'User %.100s' at "
576 "line %d", user, arg, line);
Damien Miller565ca3f2006-08-19 00:23:15 +1000577 } else if (strcasecmp(attrib, "group") == 0) {
578 switch (match_cfg_line_group(arg, line, user)) {
579 case -1:
580 return -1;
581 case 0:
582 result = 0;
583 }
Darren Tucker45150472006-07-12 22:34:17 +1000584 } else if (strcasecmp(attrib, "host") == 0) {
585 if (!host) {
586 result = 0;
587 continue;
588 }
589 if (match_hostname(host, arg, len) != 1)
590 result = 0;
591 else
592 debug("connection from %.100s matched 'Host "
593 "%.100s' at line %d", host, arg, line);
594 } else if (strcasecmp(attrib, "address") == 0) {
595 debug("address '%s' arg '%s'", address, arg);
596 if (!address) {
597 result = 0;
598 continue;
599 }
600 if (match_hostname(address, arg, len) != 1)
601 result = 0;
602 else
603 debug("connection from %.100s matched 'Address "
604 "%.100s' at line %d", address, arg, line);
605 } else {
606 error("Unsupported Match attribute %s", attrib);
607 return -1;
608 }
609 }
610 if (user != NULL)
611 debug3("match %sfound", result ? "" : "not ");
612 *condition = cp;
613 return result;
614}
615
Damien Millere2754432006-07-24 14:06:47 +1000616#define WHITESPACE " \t\r\n"
617
Ben Lindstromade03f62001-12-06 18:22:17 +0000618int
619process_server_config_line(ServerOptions *options, char *line,
Darren Tucker45150472006-07-12 22:34:17 +1000620 const char *filename, int linenum, int *activep, const char *user,
621 const char *host, const char *address)
Ben Lindstromade03f62001-12-06 18:22:17 +0000622{
623 char *cp, **charptr, *arg, *p;
Darren Tucker45150472006-07-12 22:34:17 +1000624 int cmdline = 0, *intptr, value, n;
Ben Lindstromade03f62001-12-06 18:22:17 +0000625 ServerOpCodes opcode;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100626 u_short port;
Darren Tucker45150472006-07-12 22:34:17 +1000627 u_int i, flags = 0;
Damien Miller917f9b62006-07-10 20:36:47 +1000628 size_t len;
Ben Lindstromade03f62001-12-06 18:22:17 +0000629
630 cp = line;
Damien Miller78f16cb2006-03-26 13:54:37 +1100631 if ((arg = strdelim(&cp)) == NULL)
Damien Miller928b2362006-03-26 13:53:32 +1100632 return 0;
Ben Lindstromade03f62001-12-06 18:22:17 +0000633 /* Ignore leading whitespace */
634 if (*arg == '\0')
635 arg = strdelim(&cp);
636 if (!arg || !*arg || *arg == '#')
637 return 0;
638 intptr = NULL;
639 charptr = NULL;
Darren Tucker45150472006-07-12 22:34:17 +1000640 opcode = parse_token(arg, filename, linenum, &flags);
641
642 if (activep == NULL) { /* We are processing a command line directive */
643 cmdline = 1;
644 activep = &cmdline;
645 }
646 if (*activep && opcode != sMatch)
647 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
648 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
649 if (user == NULL) {
650 fatal("%s line %d: Directive '%s' is not allowed "
651 "within a Match block", filename, linenum, arg);
652 } else { /* this is a directive we have already processed */
653 while (arg)
654 arg = strdelim(&cp);
655 return 0;
656 }
657 }
658
Ben Lindstromade03f62001-12-06 18:22:17 +0000659 switch (opcode) {
660 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000661 case sUsePAM:
662 intptr = &options->use_pam;
Ben Lindstromade03f62001-12-06 18:22:17 +0000663 goto parse_flag;
664
665 /* Standard Options */
666 case sBadOption:
667 return -1;
668 case sPort:
669 /* ignore ports from configfile if cmdline specifies ports */
670 if (options->ports_from_cmdline)
671 return 0;
672 if (options->listen_addrs != NULL)
673 fatal("%s line %d: ports must be specified before "
Damien Miller4fbf08a2002-01-22 23:35:09 +1100674 "ListenAddress.", filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000675 if (options->num_ports >= MAX_PORTS)
676 fatal("%s line %d: too many ports.",
677 filename, linenum);
678 arg = strdelim(&cp);
679 if (!arg || *arg == '\0')
680 fatal("%s line %d: missing port number.",
681 filename, linenum);
682 options->ports[options->num_ports++] = a2port(arg);
683 if (options->ports[options->num_ports-1] == 0)
684 fatal("%s line %d: Badly formatted port number.",
685 filename, linenum);
686 break;
687
688 case sServerKeyBits:
689 intptr = &options->server_key_bits;
690parse_int:
691 arg = strdelim(&cp);
692 if (!arg || *arg == '\0')
693 fatal("%s line %d: missing integer value.",
694 filename, linenum);
695 value = atoi(arg);
Darren Tucker45150472006-07-12 22:34:17 +1000696 if (*activep && *intptr == -1)
Ben Lindstromade03f62001-12-06 18:22:17 +0000697 *intptr = value;
698 break;
699
700 case sLoginGraceTime:
701 intptr = &options->login_grace_time;
702parse_time:
703 arg = strdelim(&cp);
704 if (!arg || *arg == '\0')
705 fatal("%s line %d: missing time value.",
706 filename, linenum);
707 if ((value = convtime(arg)) == -1)
708 fatal("%s line %d: invalid time value.",
709 filename, linenum);
710 if (*intptr == -1)
711 *intptr = value;
712 break;
713
714 case sKeyRegenerationTime:
715 intptr = &options->key_regeneration_time;
716 goto parse_time;
717
718 case sListenAddress:
719 arg = strdelim(&cp);
Damien Millerf91ee4c2005-03-01 21:24:33 +1100720 if (arg == NULL || *arg == '\0')
721 fatal("%s line %d: missing address",
Ben Lindstromade03f62001-12-06 18:22:17 +0000722 filename, linenum);
Damien Miller203c7052005-08-12 22:11:37 +1000723 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
724 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
725 && strchr(p+1, ':') != NULL) {
726 add_listen_addr(options, arg, 0);
727 break;
728 }
Damien Millerf91ee4c2005-03-01 21:24:33 +1100729 p = hpdelim(&arg);
730 if (p == NULL)
731 fatal("%s line %d: bad address:port usage",
732 filename, linenum);
733 p = cleanhostname(p);
734 if (arg == NULL)
735 port = 0;
736 else if ((port = a2port(arg)) == 0)
737 fatal("%s line %d: bad port number", filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000738
Damien Millerf91ee4c2005-03-01 21:24:33 +1100739 add_listen_addr(options, p, port);
740
Ben Lindstromade03f62001-12-06 18:22:17 +0000741 break;
742
Darren Tucker0f383232005-01-20 10:57:56 +1100743 case sAddressFamily:
744 arg = strdelim(&cp);
Damien Miller17b23d82005-05-26 12:11:56 +1000745 if (!arg || *arg == '\0')
746 fatal("%s line %d: missing address family.",
747 filename, linenum);
Darren Tucker0f383232005-01-20 10:57:56 +1100748 intptr = &options->address_family;
749 if (options->listen_addrs != NULL)
750 fatal("%s line %d: address family must be specified before "
751 "ListenAddress.", filename, linenum);
752 if (strcasecmp(arg, "inet") == 0)
753 value = AF_INET;
754 else if (strcasecmp(arg, "inet6") == 0)
755 value = AF_INET6;
756 else if (strcasecmp(arg, "any") == 0)
757 value = AF_UNSPEC;
758 else
759 fatal("%s line %d: unsupported address family \"%s\".",
760 filename, linenum, arg);
761 if (*intptr == -1)
762 *intptr = value;
763 break;
764
Ben Lindstromade03f62001-12-06 18:22:17 +0000765 case sHostKeyFile:
766 intptr = &options->num_host_key_files;
767 if (*intptr >= MAX_HOSTKEYS)
768 fatal("%s line %d: too many host keys specified (max %d).",
769 filename, linenum, MAX_HOSTKEYS);
770 charptr = &options->host_key_files[*intptr];
771parse_filename:
772 arg = strdelim(&cp);
773 if (!arg || *arg == '\0')
774 fatal("%s line %d: missing file name.",
775 filename, linenum);
Darren Tucker45150472006-07-12 22:34:17 +1000776 if (*activep && *charptr == NULL) {
Ben Lindstromade03f62001-12-06 18:22:17 +0000777 *charptr = tilde_expand_filename(arg, getuid());
778 /* increase optional counter */
779 if (intptr != NULL)
780 *intptr = *intptr + 1;
781 }
782 break;
783
784 case sPidFile:
785 charptr = &options->pid_file;
786 goto parse_filename;
787
788 case sPermitRootLogin:
789 intptr = &options->permit_root_login;
790 arg = strdelim(&cp);
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: missing yes/"
793 "without-password/forced-commands-only/no "
794 "argument.", filename, linenum);
795 value = 0; /* silence compiler */
796 if (strcmp(arg, "without-password") == 0)
797 value = PERMIT_NO_PASSWD;
798 else if (strcmp(arg, "forced-commands-only") == 0)
799 value = PERMIT_FORCED_ONLY;
800 else if (strcmp(arg, "yes") == 0)
801 value = PERMIT_YES;
802 else if (strcmp(arg, "no") == 0)
803 value = PERMIT_NO;
804 else
805 fatal("%s line %d: Bad yes/"
806 "without-password/forced-commands-only/no "
807 "argument: %s", filename, linenum, arg);
808 if (*intptr == -1)
809 *intptr = value;
810 break;
811
812 case sIgnoreRhosts:
813 intptr = &options->ignore_rhosts;
814parse_flag:
815 arg = strdelim(&cp);
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: missing yes/no argument.",
818 filename, linenum);
819 value = 0; /* silence compiler */
820 if (strcmp(arg, "yes") == 0)
821 value = 1;
822 else if (strcmp(arg, "no") == 0)
823 value = 0;
824 else
825 fatal("%s line %d: Bad yes/no argument: %s",
826 filename, linenum, arg);
Darren Tucker45150472006-07-12 22:34:17 +1000827 if (*activep && *intptr == -1)
Ben Lindstromade03f62001-12-06 18:22:17 +0000828 *intptr = value;
829 break;
830
831 case sIgnoreUserKnownHosts:
832 intptr = &options->ignore_user_known_hosts;
833 goto parse_flag;
834
Ben Lindstromade03f62001-12-06 18:22:17 +0000835 case sRhostsRSAAuthentication:
836 intptr = &options->rhosts_rsa_authentication;
837 goto parse_flag;
838
839 case sHostbasedAuthentication:
840 intptr = &options->hostbased_authentication;
841 goto parse_flag;
842
843 case sHostbasedUsesNameFromPacketOnly:
844 intptr = &options->hostbased_uses_name_from_packet_only;
845 goto parse_flag;
846
847 case sRSAAuthentication:
848 intptr = &options->rsa_authentication;
849 goto parse_flag;
850
851 case sPubkeyAuthentication:
852 intptr = &options->pubkey_authentication;
853 goto parse_flag;
Damien Miller2aa0ab42003-05-15 12:05:28 +1000854
Ben Lindstromade03f62001-12-06 18:22:17 +0000855 case sKerberosAuthentication:
856 intptr = &options->kerberos_authentication;
857 goto parse_flag;
858
859 case sKerberosOrLocalPasswd:
860 intptr = &options->kerberos_or_local_passwd;
861 goto parse_flag;
862
863 case sKerberosTicketCleanup:
864 intptr = &options->kerberos_ticket_cleanup;
865 goto parse_flag;
Damien Miller2aa0ab42003-05-15 12:05:28 +1000866
Darren Tucker22ef5082003-12-31 11:37:34 +1100867 case sKerberosGetAFSToken:
868 intptr = &options->kerberos_get_afs_token;
869 goto parse_flag;
870
Darren Tucker0efd1552003-08-26 11:49:55 +1000871 case sGssAuthentication:
872 intptr = &options->gss_authentication;
873 goto parse_flag;
874
875 case sGssCleanupCreds:
876 intptr = &options->gss_cleanup_creds;
877 goto parse_flag;
878
Ben Lindstromade03f62001-12-06 18:22:17 +0000879 case sPasswordAuthentication:
880 intptr = &options->password_authentication;
881 goto parse_flag;
882
883 case sKbdInteractiveAuthentication:
884 intptr = &options->kbd_interactive_authentication;
885 goto parse_flag;
886
887 case sChallengeResponseAuthentication:
888 intptr = &options->challenge_response_authentication;
889 goto parse_flag;
890
891 case sPrintMotd:
892 intptr = &options->print_motd;
893 goto parse_flag;
894
895 case sPrintLastLog:
896 intptr = &options->print_lastlog;
897 goto parse_flag;
898
899 case sX11Forwarding:
900 intptr = &options->x11_forwarding;
901 goto parse_flag;
902
903 case sX11DisplayOffset:
904 intptr = &options->x11_display_offset;
905 goto parse_int;
906
Damien Miller95c249f2002-02-05 12:11:34 +1100907 case sX11UseLocalhost:
908 intptr = &options->x11_use_localhost;
909 goto parse_flag;
910
Ben Lindstromade03f62001-12-06 18:22:17 +0000911 case sXAuthLocation:
912 charptr = &options->xauth_location;
913 goto parse_filename;
914
915 case sStrictModes:
916 intptr = &options->strict_modes;
917 goto parse_flag;
918
Damien Miller12c150e2003-12-17 16:31:10 +1100919 case sTCPKeepAlive:
920 intptr = &options->tcp_keep_alive;
Ben Lindstromade03f62001-12-06 18:22:17 +0000921 goto parse_flag;
922
923 case sEmptyPasswd:
924 intptr = &options->permit_empty_passwd;
925 goto parse_flag;
926
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000927 case sPermitUserEnvironment:
928 intptr = &options->permit_user_env;
929 goto parse_flag;
930
Ben Lindstromade03f62001-12-06 18:22:17 +0000931 case sUseLogin:
932 intptr = &options->use_login;
933 goto parse_flag;
934
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000935 case sCompression:
936 intptr = &options->compression;
Damien Miller9786e6e2005-07-26 21:54:56 +1000937 arg = strdelim(&cp);
938 if (!arg || *arg == '\0')
939 fatal("%s line %d: missing yes/no/delayed "
940 "argument.", filename, linenum);
941 value = 0; /* silence compiler */
942 if (strcmp(arg, "delayed") == 0)
943 value = COMP_DELAYED;
944 else if (strcmp(arg, "yes") == 0)
945 value = COMP_ZLIB;
946 else if (strcmp(arg, "no") == 0)
947 value = COMP_NONE;
948 else
949 fatal("%s line %d: Bad yes/no/delayed "
950 "argument: %s", filename, linenum, arg);
951 if (*intptr == -1)
952 *intptr = value;
953 break;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000954
Ben Lindstromade03f62001-12-06 18:22:17 +0000955 case sGatewayPorts:
956 intptr = &options->gateway_ports;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100957 arg = strdelim(&cp);
958 if (!arg || *arg == '\0')
959 fatal("%s line %d: missing yes/no/clientspecified "
960 "argument.", filename, linenum);
961 value = 0; /* silence compiler */
962 if (strcmp(arg, "clientspecified") == 0)
963 value = 2;
964 else if (strcmp(arg, "yes") == 0)
965 value = 1;
966 else if (strcmp(arg, "no") == 0)
967 value = 0;
968 else
969 fatal("%s line %d: Bad yes/no/clientspecified "
970 "argument: %s", filename, linenum, arg);
971 if (*intptr == -1)
972 *intptr = value;
973 break;
Ben Lindstromade03f62001-12-06 18:22:17 +0000974
Damien Miller3a961dc2003-06-03 10:25:48 +1000975 case sUseDNS:
976 intptr = &options->use_dns;
Ben Lindstromade03f62001-12-06 18:22:17 +0000977 goto parse_flag;
978
979 case sLogFacility:
980 intptr = (int *) &options->log_facility;
981 arg = strdelim(&cp);
982 value = log_facility_number(arg);
Damien Millerfcd93202002-02-05 12:26:34 +1100983 if (value == SYSLOG_FACILITY_NOT_SET)
Ben Lindstromade03f62001-12-06 18:22:17 +0000984 fatal("%.200s line %d: unsupported log facility '%s'",
985 filename, linenum, arg ? arg : "<NONE>");
986 if (*intptr == -1)
987 *intptr = (SyslogFacility) value;
988 break;
989
990 case sLogLevel:
991 intptr = (int *) &options->log_level;
992 arg = strdelim(&cp);
993 value = log_level_number(arg);
Damien Millerfcd93202002-02-05 12:26:34 +1100994 if (value == SYSLOG_LEVEL_NOT_SET)
Ben Lindstromade03f62001-12-06 18:22:17 +0000995 fatal("%.200s line %d: unsupported log level '%s'",
996 filename, linenum, arg ? arg : "<NONE>");
997 if (*intptr == -1)
998 *intptr = (LogLevel) value;
999 break;
1000
1001 case sAllowTcpForwarding:
1002 intptr = &options->allow_tcp_forwarding;
1003 goto parse_flag;
1004
Ben Lindstrom7a2073c2002-03-22 02:30:41 +00001005 case sUsePrivilegeSeparation:
1006 intptr = &use_privsep;
1007 goto parse_flag;
1008
Ben Lindstromade03f62001-12-06 18:22:17 +00001009 case sAllowUsers:
1010 while ((arg = strdelim(&cp)) && *arg != '\0') {
1011 if (options->num_allow_users >= MAX_ALLOW_USERS)
1012 fatal("%s line %d: too many allow users.",
1013 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +00001014 options->allow_users[options->num_allow_users++] =
1015 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001016 }
1017 break;
1018
1019 case sDenyUsers:
1020 while ((arg = strdelim(&cp)) && *arg != '\0') {
1021 if (options->num_deny_users >= MAX_DENY_USERS)
Damien Miller4dec5d72006-08-05 11:38:40 +10001022 fatal("%s line %d: too many deny users.",
Ben Lindstromade03f62001-12-06 18:22:17 +00001023 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +00001024 options->deny_users[options->num_deny_users++] =
1025 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001026 }
1027 break;
1028
1029 case sAllowGroups:
1030 while ((arg = strdelim(&cp)) && *arg != '\0') {
1031 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1032 fatal("%s line %d: too many allow groups.",
1033 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +00001034 options->allow_groups[options->num_allow_groups++] =
1035 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001036 }
1037 break;
1038
1039 case sDenyGroups:
1040 while ((arg = strdelim(&cp)) && *arg != '\0') {
1041 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1042 fatal("%s line %d: too many deny groups.",
1043 filename, linenum);
1044 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1045 }
1046 break;
1047
1048 case sCiphers:
1049 arg = strdelim(&cp);
1050 if (!arg || *arg == '\0')
1051 fatal("%s line %d: Missing argument.", filename, linenum);
1052 if (!ciphers_valid(arg))
1053 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1054 filename, linenum, arg ? arg : "<NONE>");
1055 if (options->ciphers == NULL)
1056 options->ciphers = xstrdup(arg);
1057 break;
1058
1059 case sMacs:
1060 arg = strdelim(&cp);
1061 if (!arg || *arg == '\0')
1062 fatal("%s line %d: Missing argument.", filename, linenum);
1063 if (!mac_valid(arg))
1064 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1065 filename, linenum, arg ? arg : "<NONE>");
1066 if (options->macs == NULL)
1067 options->macs = xstrdup(arg);
1068 break;
1069
1070 case sProtocol:
1071 intptr = &options->protocol;
1072 arg = strdelim(&cp);
1073 if (!arg || *arg == '\0')
1074 fatal("%s line %d: Missing argument.", filename, linenum);
1075 value = proto_spec(arg);
1076 if (value == SSH_PROTO_UNKNOWN)
1077 fatal("%s line %d: Bad protocol spec '%s'.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001078 filename, linenum, arg ? arg : "<NONE>");
Ben Lindstromade03f62001-12-06 18:22:17 +00001079 if (*intptr == SSH_PROTO_UNKNOWN)
1080 *intptr = value;
1081 break;
1082
1083 case sSubsystem:
1084 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1085 fatal("%s line %d: too many subsystems defined.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001086 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +00001087 }
1088 arg = strdelim(&cp);
1089 if (!arg || *arg == '\0')
1090 fatal("%s line %d: Missing subsystem name.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001091 filename, linenum);
Darren Tucker45150472006-07-12 22:34:17 +10001092 if (!*activep) {
1093 arg = strdelim(&cp);
1094 break;
1095 }
Ben Lindstromade03f62001-12-06 18:22:17 +00001096 for (i = 0; i < options->num_subsystems; i++)
1097 if (strcmp(arg, options->subsystem_name[i]) == 0)
1098 fatal("%s line %d: Subsystem '%s' already defined.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001099 filename, linenum, arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001100 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1101 arg = strdelim(&cp);
1102 if (!arg || *arg == '\0')
1103 fatal("%s line %d: Missing subsystem command.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001104 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +00001105 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
Damien Miller917f9b62006-07-10 20:36:47 +10001106
1107 /* Collect arguments (separate to executable) */
1108 p = xstrdup(arg);
1109 len = strlen(p) + 1;
1110 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1111 len += 1 + strlen(arg);
1112 p = xrealloc(p, 1, len);
1113 strlcat(p, " ", len);
1114 strlcat(p, arg, len);
1115 }
1116 options->subsystem_args[options->num_subsystems] = p;
Ben Lindstromade03f62001-12-06 18:22:17 +00001117 options->num_subsystems++;
1118 break;
1119
1120 case sMaxStartups:
1121 arg = strdelim(&cp);
1122 if (!arg || *arg == '\0')
1123 fatal("%s line %d: Missing MaxStartups spec.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001124 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +00001125 if ((n = sscanf(arg, "%d:%d:%d",
1126 &options->max_startups_begin,
1127 &options->max_startups_rate,
1128 &options->max_startups)) == 3) {
1129 if (options->max_startups_begin >
1130 options->max_startups ||
1131 options->max_startups_rate > 100 ||
1132 options->max_startups_rate < 1)
1133 fatal("%s line %d: Illegal MaxStartups spec.",
1134 filename, linenum);
1135 } else if (n != 1)
1136 fatal("%s line %d: Illegal MaxStartups spec.",
1137 filename, linenum);
1138 else
1139 options->max_startups = options->max_startups_begin;
1140 break;
1141
Darren Tucker89413db2004-05-24 10:36:23 +10001142 case sMaxAuthTries:
1143 intptr = &options->max_authtries;
1144 goto parse_int;
1145
Ben Lindstromade03f62001-12-06 18:22:17 +00001146 case sBanner:
1147 charptr = &options->banner;
1148 goto parse_filename;
1149 /*
1150 * These options can contain %X options expanded at
1151 * connect time, so that you can specify paths like:
1152 *
1153 * AuthorizedKeysFile /etc/ssh_keys/%u
1154 */
1155 case sAuthorizedKeysFile:
1156 case sAuthorizedKeysFile2:
Damien Miller4dec5d72006-08-05 11:38:40 +10001157 charptr = (opcode == sAuthorizedKeysFile) ?
Ben Lindstromade03f62001-12-06 18:22:17 +00001158 &options->authorized_keys_file :
1159 &options->authorized_keys_file2;
1160 goto parse_filename;
1161
1162 case sClientAliveInterval:
1163 intptr = &options->client_alive_interval;
1164 goto parse_time;
1165
1166 case sClientAliveCountMax:
1167 intptr = &options->client_alive_count_max;
1168 goto parse_int;
1169
Darren Tucker46bc0752004-05-02 22:11:30 +10001170 case sAcceptEnv:
1171 while ((arg = strdelim(&cp)) && *arg != '\0') {
1172 if (strchr(arg, '=') != NULL)
1173 fatal("%s line %d: Invalid environment name.",
1174 filename, linenum);
1175 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1176 fatal("%s line %d: too many allow env.",
1177 filename, linenum);
Darren Tucker45150472006-07-12 22:34:17 +10001178 if (!*activep)
1179 break;
Darren Tucker46bc0752004-05-02 22:11:30 +10001180 options->accept_env[options->num_accept_env++] =
1181 xstrdup(arg);
1182 }
1183 break;
1184
Damien Millerd27b9472005-12-13 19:29:02 +11001185 case sPermitTunnel:
1186 intptr = &options->permit_tun;
Damien Miller7b58e802005-12-13 19:33:19 +11001187 arg = strdelim(&cp);
1188 if (!arg || *arg == '\0')
1189 fatal("%s line %d: Missing yes/point-to-point/"
1190 "ethernet/no argument.", filename, linenum);
1191 value = 0; /* silence compiler */
1192 if (strcasecmp(arg, "ethernet") == 0)
1193 value = SSH_TUNMODE_ETHERNET;
1194 else if (strcasecmp(arg, "point-to-point") == 0)
1195 value = SSH_TUNMODE_POINTOPOINT;
1196 else if (strcasecmp(arg, "yes") == 0)
1197 value = SSH_TUNMODE_YES;
1198 else if (strcasecmp(arg, "no") == 0)
1199 value = SSH_TUNMODE_NO;
1200 else
1201 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1202 "no argument: %s", filename, linenum, arg);
1203 if (*intptr == -1)
1204 *intptr = value;
1205 break;
Damien Millerd27b9472005-12-13 19:29:02 +11001206
Darren Tucker45150472006-07-12 22:34:17 +10001207 case sMatch:
1208 if (cmdline)
1209 fatal("Match directive not supported as a command-line "
1210 "option");
1211 value = match_cfg_line(&cp, linenum, user, host, address);
1212 if (value < 0)
1213 fatal("%s line %d: Bad Match condition", filename,
1214 linenum);
1215 *activep = value;
1216 break;
1217
Damien Miller9b439df2006-07-24 14:04:00 +10001218 case sPermitOpen:
1219 arg = strdelim(&cp);
1220 if (!arg || *arg == '\0')
1221 fatal("%s line %d: missing PermitOpen specification",
1222 filename, linenum);
1223 if (strcmp(arg, "any") == 0) {
Damien Millera765cf42006-07-24 14:08:13 +10001224 if (*activep) {
Damien Miller9b439df2006-07-24 14:04:00 +10001225 channel_clear_adm_permitted_opens();
Damien Millera765cf42006-07-24 14:08:13 +10001226 options->num_permitted_opens = 0;
1227 }
Damien Miller9b439df2006-07-24 14:04:00 +10001228 break;
1229 }
Damien Millera765cf42006-07-24 14:08:13 +10001230 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1231 p = hpdelim(&arg);
1232 if (p == NULL)
1233 fatal("%s line %d: missing host in PermitOpen",
1234 filename, linenum);
1235 p = cleanhostname(p);
1236 if (arg == NULL || (port = a2port(arg)) == 0)
1237 fatal("%s line %d: bad port number in "
1238 "PermitOpen", filename, linenum);
1239 if (*activep && options->num_permitted_opens == -1) {
1240 channel_clear_adm_permitted_opens();
1241 options->num_permitted_opens =
1242 channel_add_adm_permitted_opens(p, port);
1243 }
1244 }
Damien Miller9b439df2006-07-24 14:04:00 +10001245 break;
1246
Damien Millere2754432006-07-24 14:06:47 +10001247 case sForceCommand:
1248 if (cp == NULL)
1249 fatal("%.200s line %d: Missing argument.", filename,
1250 linenum);
1251 len = strspn(cp, WHITESPACE);
1252 if (*activep && options->adm_forced_command == NULL)
1253 options->adm_forced_command = xstrdup(cp + len);
1254 return 0;
1255
Ben Lindstromade03f62001-12-06 18:22:17 +00001256 case sDeprecated:
Damien Miller996acd22003-04-09 20:59:48 +10001257 logit("%s line %d: Deprecated option %s",
Ben Lindstromade03f62001-12-06 18:22:17 +00001258 filename, linenum, arg);
1259 while (arg)
1260 arg = strdelim(&cp);
1261 break;
1262
Damien Millerf9b3feb2003-05-16 11:38:32 +10001263 case sUnsupported:
1264 logit("%s line %d: Unsupported option %s",
1265 filename, linenum, arg);
1266 while (arg)
1267 arg = strdelim(&cp);
1268 break;
1269
Ben Lindstromade03f62001-12-06 18:22:17 +00001270 default:
1271 fatal("%s line %d: Missing handler for opcode %s (%d)",
1272 filename, linenum, arg, opcode);
1273 }
1274 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1275 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1276 filename, linenum, arg);
1277 return 0;
1278}
1279
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001280/* Reads the server configuration file. */
1281
Damien Miller4af51302000-04-16 11:18:38 +10001282void
Darren Tucker645ab752004-06-25 13:33:20 +10001283load_server_config(const char *filename, Buffer *conf)
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001284{
Darren Tucker645ab752004-06-25 13:33:20 +10001285 char line[1024], *cp;
Ben Lindstrome1353632002-06-23 21:29:23 +00001286 FILE *f;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001287
Darren Tucker645ab752004-06-25 13:33:20 +10001288 debug2("%s: filename %s", __func__, filename);
1289 if ((f = fopen(filename, "r")) == NULL) {
Damien Miller95def091999-11-25 00:26:21 +11001290 perror(filename);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001291 exit(1);
Damien Miller95def091999-11-25 00:26:21 +11001292 }
Darren Tucker645ab752004-06-25 13:33:20 +10001293 buffer_clear(conf);
Damien Miller95def091999-11-25 00:26:21 +11001294 while (fgets(line, sizeof(line), f)) {
Darren Tucker645ab752004-06-25 13:33:20 +10001295 /*
1296 * Trim out comments and strip whitespace
Darren Tuckerfc959702004-07-17 16:12:08 +10001297 * NB - preserve newlines, they are needed to reproduce
Darren Tucker645ab752004-06-25 13:33:20 +10001298 * line numbers later for error messages
1299 */
1300 if ((cp = strchr(line, '#')) != NULL)
1301 memcpy(cp, "\n", 2);
1302 cp = line + strspn(line, " \t\r");
1303
1304 buffer_append(conf, cp, strlen(cp));
1305 }
1306 buffer_append(conf, "\0", 1);
1307 fclose(f);
1308 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1309}
1310
1311void
Darren Tucker45150472006-07-12 22:34:17 +10001312parse_server_match_config(ServerOptions *options, const char *user,
1313 const char *host, const char *address)
Darren Tucker645ab752004-06-25 13:33:20 +10001314{
Darren Tucker45150472006-07-12 22:34:17 +10001315 ServerOptions mo;
1316
1317 initialize_server_options(&mo);
1318 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1319 copy_set_server_options(options, &mo);
1320}
1321
1322/* Copy any (supported) values that are set */
1323void
1324copy_set_server_options(ServerOptions *dst, ServerOptions *src)
1325{
1326 if (src->allow_tcp_forwarding != -1)
1327 dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
1328 if (src->gateway_ports != -1)
1329 dst->gateway_ports = src->gateway_ports;
Damien Millere2754432006-07-24 14:06:47 +10001330 if (src->adm_forced_command != NULL) {
1331 if (dst->adm_forced_command != NULL)
1332 xfree(dst->adm_forced_command);
1333 dst->adm_forced_command = src->adm_forced_command;
1334 }
Damien Millerd1de9952006-07-24 14:05:48 +10001335 if (src->x11_display_offset != -1)
1336 dst->x11_display_offset = src->x11_display_offset;
1337 if (src->x11_forwarding != -1)
1338 dst->x11_forwarding = src->x11_forwarding;
1339 if (src->x11_use_localhost != -1)
1340 dst->x11_use_localhost = src->x11_use_localhost;
Darren Tucker45150472006-07-12 22:34:17 +10001341}
1342
1343void
1344parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1345 const char *user, const char *host, const char *address)
1346{
1347 int active, linenum, bad_options = 0;
Darren Tucker9fbac712004-08-12 22:41:44 +10001348 char *cp, *obuf, *cbuf;
Darren Tucker645ab752004-06-25 13:33:20 +10001349
1350 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1351
Darren Tucker9fbac712004-08-12 22:41:44 +10001352 obuf = cbuf = xstrdup(buffer_ptr(conf));
Darren Tucker45150472006-07-12 22:34:17 +10001353 active = user ? 0 : 1;
Darren Tucker137e9c92004-08-13 21:30:24 +10001354 linenum = 1;
Darren Tucker47eede72005-03-14 23:08:12 +11001355 while ((cp = strsep(&cbuf, "\n")) != NULL) {
Darren Tucker645ab752004-06-25 13:33:20 +10001356 if (process_server_config_line(options, cp, filename,
Darren Tucker45150472006-07-12 22:34:17 +10001357 linenum++, &active, user, host, address) != 0)
Damien Miller95def091999-11-25 00:26:21 +11001358 bad_options++;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001359 }
Darren Tucker9fbac712004-08-12 22:41:44 +10001360 xfree(obuf);
Ben Lindstromb5cdc662001-04-16 02:13:26 +00001361 if (bad_options > 0)
1362 fatal("%s: terminating, %d bad configuration options",
1363 filename, bad_options);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001364}