blob: 1a7545171511fbcd704f8ce43d33fcd0b5e1cbc7 [file] [log] [blame]
Darren Tuckerf78bb412007-05-20 15:03:15 +10001/* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */
Damien Millerd4a8b7e1999-10-27 13:42:43 +10002/*
Damien Miller95def091999-11-25 00:26:21 +11003 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller4af51302000-04-16 11:18:38 +10005 *
Damien Millere4340be2000-09-16 13:29:08 +11006 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
Damien Miller95def091999-11-25 00:26:21 +110011 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100012
13#include "includes.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100014
Damien Millere3b60b52006-07-10 21:08:03 +100015#include <sys/types.h>
16#include <sys/socket.h>
17
Damien Millerb8fe89c2006-07-24 14:51:00 +100018#include <netdb.h>
Damien Miller565ca3f2006-08-19 00:23:15 +100019#include <pwd.h>
Damien Millera7a73ee2006-08-05 11:37:59 +100020#include <stdio.h>
Damien Millere7a1e5c2006-08-05 11:34:19 +100021#include <stdlib.h>
Damien Millere3476ed2006-07-24 14:13:33 +100022#include <string.h>
Damien Millerd7834352006-08-05 12:39:39 +100023#include <signal.h>
Damien Millere6b3b612006-07-24 14:01:23 +100024#include <unistd.h>
Damien Millerd7834352006-08-05 12:39:39 +100025#include <stdarg.h>
Damien Millerbe43ebf2006-07-24 13:51:51 +100026
Damien Millerd7834352006-08-05 12:39:39 +100027#include "xmalloc.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100028#include "ssh.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000029#include "log.h"
Damien Millerd7834352006-08-05 12:39:39 +100030#include "buffer.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100031#include "servconf.h"
Damien Miller78928792000-04-12 20:17:38 +100032#include "compat.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000033#include "pathnames.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000034#include "misc.h"
35#include "cipher.h"
Damien Millerd7834352006-08-05 12:39:39 +100036#include "key.h"
Ben Lindstrom06b33aa2001-02-15 03:01:59 +000037#include "kex.h"
38#include "mac.h"
Darren Tucker45150472006-07-12 22:34:17 +100039#include "match.h"
Damien Miller9b439df2006-07-24 14:04:00 +100040#include "channels.h"
Damien Miller565ca3f2006-08-19 00:23:15 +100041#include "groupaccess.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000042
Ben Lindstrombba81212001-06-25 05:01:22 +000043static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
Damien Miller34132e52000-01-14 15:45:46 +110045
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000046/* Use of privilege separation or not */
47extern int use_privsep;
Darren Tucker45150472006-07-12 22:34:17 +100048extern Buffer cfg;
Ben Lindstrom226cfa02001-01-22 05:34:40 +000049
Damien Millerd4a8b7e1999-10-27 13:42:43 +100050/* Initializes the server options to their default values. */
51
Damien Miller4af51302000-04-16 11:18:38 +100052void
Damien Miller95def091999-11-25 00:26:21 +110053initialize_server_options(ServerOptions *options)
Damien Millerd4a8b7e1999-10-27 13:42:43 +100054{
Damien Miller95def091999-11-25 00:26:21 +110055 memset(options, 0, sizeof(*options));
Damien Miller726273e2001-11-12 11:40:11 +110056
57 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +100058 options->use_pam = -1;
Damien Miller726273e2001-11-12 11:40:11 +110059
60 /* Standard Options */
Damien Miller34132e52000-01-14 15:45:46 +110061 options->num_ports = 0;
62 options->ports_from_cmdline = 0;
63 options->listen_addrs = NULL;
Darren Tucker0f383232005-01-20 10:57:56 +110064 options->address_family = -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +110065 options->num_host_key_files = 0;
Damien Miller6f83b8e2000-05-02 09:23:45 +100066 options->pid_file = NULL;
Damien Miller95def091999-11-25 00:26:21 +110067 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
Ben Lindstromd8a90212001-02-15 03:08:27 +000070 options->permit_root_login = PERMIT_NOT_SET;
Damien Miller95def091999-11-25 00:26:21 +110071 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
Ben Lindstrom7bfff362001-03-26 05:45:53 +000074 options->print_lastlog = -1;
Damien Miller95def091999-11-25 00:26:21 +110075 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
Damien Miller95c249f2002-02-05 12:11:34 +110077 options->x11_use_localhost = -1;
Damien Millerd3a18572000-06-07 19:55:44 +100078 options->xauth_location = NULL;
Damien Miller95def091999-11-25 00:26:21 +110079 options->strict_modes = -1;
Damien Miller12c150e2003-12-17 16:31:10 +110080 options->tcp_keep_alive = -1;
Damien Millerfcd93202002-02-05 12:26:34 +110081 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
Damien Miller95def091999-11-25 00:26:21 +110083 options->rhosts_rsa_authentication = -1;
Ben Lindstrom5eabda32001-04-12 23:34:34 +000084 options->hostbased_authentication = -1;
85 options->hostbased_uses_name_from_packet_only = -1;
Damien Miller95def091999-11-25 00:26:21 +110086 options->rsa_authentication = -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +110087 options->pubkey_authentication = -1;
Damien Miller95def091999-11-25 00:26:21 +110088 options->kerberos_authentication = -1;
89 options->kerberos_or_local_passwd = -1;
90 options->kerberos_ticket_cleanup = -1;
Darren Tucker22ef5082003-12-31 11:37:34 +110091 options->kerberos_get_afs_token = -1;
Darren Tucker0efd1552003-08-26 11:49:55 +100092 options->gss_authentication=-1;
93 options->gss_cleanup_creds = -1;
Damien Miller95def091999-11-25 00:26:21 +110094 options->password_authentication = -1;
Damien Miller874d77b2000-10-14 16:23:11 +110095 options->kbd_interactive_authentication = -1;
Ben Lindstrom551ea372001-06-05 18:56:16 +000096 options->challenge_response_authentication = -1;
Damien Miller95def091999-11-25 00:26:21 +110097 options->permit_empty_passwd = -1;
Ben Lindstrom5d860f02002-08-01 01:28:38 +000098 options->permit_user_env = -1;
Damien Miller95def091999-11-25 00:26:21 +110099 options->use_login = -1;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000100 options->compression = -1;
Damien Miller50a41ed2000-10-16 12:14:42 +1100101 options->allow_tcp_forwarding = -1;
Damien Miller95def091999-11-25 00:26:21 +1100102 options->num_allow_users = 0;
103 options->num_deny_users = 0;
104 options->num_allow_groups = 0;
105 options->num_deny_groups = 0;
Damien Miller78928792000-04-12 20:17:38 +1000106 options->ciphers = NULL;
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000107 options->macs = NULL;
Damien Miller78928792000-04-12 20:17:38 +1000108 options->protocol = SSH_PROTO_UNKNOWN;
Damien Millere247cc42000-05-07 12:03:14 +1000109 options->gateway_ports = -1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000110 options->num_subsystems = 0;
Damien Miller942da032000-08-18 13:59:06 +1000111 options->max_startups_begin = -1;
112 options->max_startups_rate = -1;
Damien Miller37023962000-07-11 17:31:38 +1000113 options->max_startups = -1;
Darren Tucker89413db2004-05-24 10:36:23 +1000114 options->max_authtries = -1;
Ben Lindstrom48bd7c12001-01-09 00:35:42 +0000115 options->banner = NULL;
Damien Miller3a961dc2003-06-03 10:25:48 +1000116 options->use_dns = -1;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000117 options->client_alive_interval = -1;
118 options->client_alive_count_max = -1;
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000119 options->authorized_keys_file = NULL;
120 options->authorized_keys_file2 = NULL;
Darren Tucker46bc0752004-05-02 22:11:30 +1000121 options->num_accept_env = 0;
Damien Millerd27b9472005-12-13 19:29:02 +1100122 options->permit_tun = -1;
Damien Millera765cf42006-07-24 14:08:13 +1000123 options->num_permitted_opens = -1;
Damien Millere2754432006-07-24 14:06:47 +1000124 options->adm_forced_command = NULL;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000125}
126
Damien Miller4af51302000-04-16 11:18:38 +1000127void
Damien Miller95def091999-11-25 00:26:21 +1100128fill_default_server_options(ServerOptions *options)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000129{
Damien Miller726273e2001-11-12 11:40:11 +1100130 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000131 if (options->use_pam == -1)
Damien Miller5c3a5582003-09-23 22:12:38 +1000132 options->use_pam = 0;
Damien Miller726273e2001-11-12 11:40:11 +1100133
134 /* Standard Options */
Damien Miller0bc1bd82000-11-13 22:57:25 +1100135 if (options->protocol == SSH_PROTO_UNKNOWN)
136 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
137 if (options->num_host_key_files == 0) {
138 /* fill default hostkeys for protocols */
139 if (options->protocol & SSH_PROTO_1)
Damien Miller7fc23732002-01-22 23:19:11 +1100140 options->host_key_files[options->num_host_key_files++] =
141 _PATH_HOST_KEY_FILE;
142 if (options->protocol & SSH_PROTO_2) {
143 options->host_key_files[options->num_host_key_files++] =
144 _PATH_HOST_RSA_KEY_FILE;
145 options->host_key_files[options->num_host_key_files++] =
146 _PATH_HOST_DSA_KEY_FILE;
147 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100148 }
Damien Miller34132e52000-01-14 15:45:46 +1100149 if (options->num_ports == 0)
150 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
151 if (options->listen_addrs == NULL)
Ben Lindstrom19066a12001-04-12 23:39:26 +0000152 add_listen_addr(options, NULL, 0);
Damien Miller6f83b8e2000-05-02 09:23:45 +1000153 if (options->pid_file == NULL)
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000154 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
Damien Miller95def091999-11-25 00:26:21 +1100155 if (options->server_key_bits == -1)
156 options->server_key_bits = 768;
157 if (options->login_grace_time == -1)
Damien Millerc1348632002-09-05 14:35:14 +1000158 options->login_grace_time = 120;
Damien Miller95def091999-11-25 00:26:21 +1100159 if (options->key_regeneration_time == -1)
160 options->key_regeneration_time = 3600;
Ben Lindstromd8a90212001-02-15 03:08:27 +0000161 if (options->permit_root_login == PERMIT_NOT_SET)
162 options->permit_root_login = PERMIT_YES;
Damien Miller95def091999-11-25 00:26:21 +1100163 if (options->ignore_rhosts == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100164 options->ignore_rhosts = 1;
Damien Miller95def091999-11-25 00:26:21 +1100165 if (options->ignore_user_known_hosts == -1)
166 options->ignore_user_known_hosts = 0;
Damien Miller95def091999-11-25 00:26:21 +1100167 if (options->print_motd == -1)
168 options->print_motd = 1;
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000169 if (options->print_lastlog == -1)
170 options->print_lastlog = 1;
Damien Miller95def091999-11-25 00:26:21 +1100171 if (options->x11_forwarding == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100172 options->x11_forwarding = 0;
Damien Miller95def091999-11-25 00:26:21 +1100173 if (options->x11_display_offset == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100174 options->x11_display_offset = 10;
Damien Miller95c249f2002-02-05 12:11:34 +1100175 if (options->x11_use_localhost == -1)
176 options->x11_use_localhost = 1;
Damien Millerd3a18572000-06-07 19:55:44 +1000177 if (options->xauth_location == NULL)
Ben Lindstrom1bf11f62001-06-09 01:48:01 +0000178 options->xauth_location = _PATH_XAUTH;
Damien Miller95def091999-11-25 00:26:21 +1100179 if (options->strict_modes == -1)
180 options->strict_modes = 1;
Damien Miller12c150e2003-12-17 16:31:10 +1100181 if (options->tcp_keep_alive == -1)
182 options->tcp_keep_alive = 1;
Damien Millerfcd93202002-02-05 12:26:34 +1100183 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
Damien Miller95def091999-11-25 00:26:21 +1100184 options->log_facility = SYSLOG_FACILITY_AUTH;
Damien Millerfcd93202002-02-05 12:26:34 +1100185 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000186 options->log_level = SYSLOG_LEVEL_INFO;
Damien Miller95def091999-11-25 00:26:21 +1100187 if (options->rhosts_rsa_authentication == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100188 options->rhosts_rsa_authentication = 0;
Ben Lindstrom5eabda32001-04-12 23:34:34 +0000189 if (options->hostbased_authentication == -1)
190 options->hostbased_authentication = 0;
191 if (options->hostbased_uses_name_from_packet_only == -1)
192 options->hostbased_uses_name_from_packet_only = 0;
Damien Miller95def091999-11-25 00:26:21 +1100193 if (options->rsa_authentication == -1)
194 options->rsa_authentication = 1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100195 if (options->pubkey_authentication == -1)
196 options->pubkey_authentication = 1;
Damien Miller95def091999-11-25 00:26:21 +1100197 if (options->kerberos_authentication == -1)
Damien Millerd7de14b2002-04-23 21:04:51 +1000198 options->kerberos_authentication = 0;
Damien Miller95def091999-11-25 00:26:21 +1100199 if (options->kerberos_or_local_passwd == -1)
200 options->kerberos_or_local_passwd = 1;
201 if (options->kerberos_ticket_cleanup == -1)
202 options->kerberos_ticket_cleanup = 1;
Darren Tucker22ef5082003-12-31 11:37:34 +1100203 if (options->kerberos_get_afs_token == -1)
204 options->kerberos_get_afs_token = 0;
Darren Tucker0efd1552003-08-26 11:49:55 +1000205 if (options->gss_authentication == -1)
206 options->gss_authentication = 0;
207 if (options->gss_cleanup_creds == -1)
208 options->gss_cleanup_creds = 1;
Damien Miller95def091999-11-25 00:26:21 +1100209 if (options->password_authentication == -1)
210 options->password_authentication = 1;
Damien Miller874d77b2000-10-14 16:23:11 +1100211 if (options->kbd_interactive_authentication == -1)
212 options->kbd_interactive_authentication = 0;
Ben Lindstrom551ea372001-06-05 18:56:16 +0000213 if (options->challenge_response_authentication == -1)
214 options->challenge_response_authentication = 1;
Damien Miller95def091999-11-25 00:26:21 +1100215 if (options->permit_empty_passwd == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100216 options->permit_empty_passwd = 0;
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000217 if (options->permit_user_env == -1)
218 options->permit_user_env = 0;
Damien Miller95def091999-11-25 00:26:21 +1100219 if (options->use_login == -1)
220 options->use_login = 0;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000221 if (options->compression == -1)
Damien Miller9786e6e2005-07-26 21:54:56 +1000222 options->compression = COMP_DELAYED;
Damien Miller50a41ed2000-10-16 12:14:42 +1100223 if (options->allow_tcp_forwarding == -1)
224 options->allow_tcp_forwarding = 1;
Damien Millere247cc42000-05-07 12:03:14 +1000225 if (options->gateway_ports == -1)
226 options->gateway_ports = 0;
Damien Miller37023962000-07-11 17:31:38 +1000227 if (options->max_startups == -1)
228 options->max_startups = 10;
Damien Miller942da032000-08-18 13:59:06 +1000229 if (options->max_startups_rate == -1)
230 options->max_startups_rate = 100; /* 100% */
231 if (options->max_startups_begin == -1)
232 options->max_startups_begin = options->max_startups;
Darren Tucker89413db2004-05-24 10:36:23 +1000233 if (options->max_authtries == -1)
234 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
Damien Miller3a961dc2003-06-03 10:25:48 +1000235 if (options->use_dns == -1)
236 options->use_dns = 1;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000237 if (options->client_alive_interval == -1)
Damien Miller9f0f5c62001-12-21 14:45:46 +1100238 options->client_alive_interval = 0;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000239 if (options->client_alive_count_max == -1)
240 options->client_alive_count_max = 3;
Damien Miller75413ac2001-11-12 11:14:35 +1100241 if (options->authorized_keys_file2 == NULL) {
242 /* authorized_keys_file2 falls back to authorized_keys_file */
243 if (options->authorized_keys_file != NULL)
244 options->authorized_keys_file2 = options->authorized_keys_file;
245 else
246 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
247 }
248 if (options->authorized_keys_file == NULL)
249 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
Damien Millerd27b9472005-12-13 19:29:02 +1100250 if (options->permit_tun == -1)
Damien Miller7b58e802005-12-13 19:33:19 +1100251 options->permit_tun = SSH_TUNMODE_NO;
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000252
Ben Lindstromfb62a692002-06-06 19:47:11 +0000253 /* Turn privilege separation on by default */
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000254 if (use_privsep == -1)
Ben Lindstromfb62a692002-06-06 19:47:11 +0000255 use_privsep = 1;
Damien Miller4903eb42002-06-21 16:20:44 +1000256
Tim Rice40017b02002-07-14 13:36:49 -0700257#ifndef HAVE_MMAP
Damien Miller4903eb42002-06-21 16:20:44 +1000258 if (use_privsep && options->compression == 1) {
259 error("This platform does not support both privilege "
260 "separation and compression");
261 error("Compression disabled");
262 options->compression = 0;
263 }
264#endif
265
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000266}
267
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000268/* Keyword tokens. */
Damien Miller95def091999-11-25 00:26:21 +1100269typedef enum {
270 sBadOption, /* == unknown option */
Damien Miller726273e2001-11-12 11:40:11 +1100271 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000272 sUsePAM,
Damien Miller726273e2001-11-12 11:40:11 +1100273 /* Standard Options */
Damien Miller95def091999-11-25 00:26:21 +1100274 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
275 sPermitRootLogin, sLogFacility, sLogLevel,
Darren Tuckerec960f22003-08-13 20:37:05 +1000276 sRhostsRSAAuthentication, sRSAAuthentication,
Damien Miller95def091999-11-25 00:26:21 +1100277 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
Darren Tucker22ef5082003-12-31 11:37:34 +1100278 sKerberosGetAFSToken,
Darren Tucker6aaa58c2003-08-02 22:24:49 +1000279 sKerberosTgtPassing, sChallengeResponseAuthentication,
Darren Tucker0f383232005-01-20 10:57:56 +1100280 sPasswordAuthentication, sKbdInteractiveAuthentication,
281 sListenAddress, sAddressFamily,
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000282 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
Damien Miller95c249f2002-02-05 12:11:34 +1100283 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
Damien Miller12c150e2003-12-17 16:31:10 +1100284 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000285 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
Damien Miller50a41ed2000-10-16 12:14:42 +1100286 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000287 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
Darren Tucker89413db2004-05-24 10:36:23 +1000288 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
289 sMaxStartups, sMaxAuthTries,
Damien Miller3a961dc2003-06-03 10:25:48 +1000290 sBanner, sUseDNS, sHostbasedAuthentication,
Damien Miller9f0f5c62001-12-21 14:45:46 +1100291 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000292 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
Damien Millerd27b9472005-12-13 19:29:02 +1100293 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
Damien Millere2754432006-07-24 14:06:47 +1000294 sMatch, sPermitOpen, sForceCommand,
Ben Lindstromc7431342002-03-22 03:11:49 +0000295 sUsePrivilegeSeparation,
Damien Millerf9b3feb2003-05-16 11:38:32 +1000296 sDeprecated, sUnsupported
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000297} ServerOpCodes;
298
Darren Tucker45150472006-07-12 22:34:17 +1000299#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
300#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
301#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
302
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000303/* Textual representation of the tokens. */
Damien Miller95def091999-11-25 00:26:21 +1100304static struct {
305 const char *name;
306 ServerOpCodes opcode;
Darren Tucker45150472006-07-12 22:34:17 +1000307 u_int flags;
Damien Miller95def091999-11-25 00:26:21 +1100308} keywords[] = {
Damien Miller726273e2001-11-12 11:40:11 +1100309 /* Portable-specific options */
Damien Miller6ac2c482003-05-16 11:42:35 +1000310#ifdef USE_PAM
Darren Tucker45150472006-07-12 22:34:17 +1000311 { "usepam", sUsePAM, SSHCFG_GLOBAL },
Damien Miller6ac2c482003-05-16 11:42:35 +1000312#else
Darren Tucker45150472006-07-12 22:34:17 +1000313 { "usepam", sUnsupported, SSHCFG_GLOBAL },
Damien Miller6ac2c482003-05-16 11:42:35 +1000314#endif
Darren Tucker45150472006-07-12 22:34:17 +1000315 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
Damien Miller726273e2001-11-12 11:40:11 +1100316 /* Standard Options */
Darren Tucker45150472006-07-12 22:34:17 +1000317 { "port", sPort, SSHCFG_GLOBAL },
318 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
319 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
320 { "pidfile", sPidFile, SSHCFG_GLOBAL },
321 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
322 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
323 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
324 { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
325 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
326 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
327 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
Darren Tucker1629c072007-02-19 22:25:37 +1100328 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
329 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000330 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
Darren Tucker1629c072007-02-19 22:25:37 +1100331 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
332 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000333 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
Darren Tucker6aaa58c2003-08-02 22:24:49 +1000334#ifdef KRB5
Darren Tucker1629c072007-02-19 22:25:37 +1100335 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000336 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
337 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
Darren Tucker3c78c5e2004-01-23 22:03:10 +1100338#ifdef USE_AFS
Darren Tucker45150472006-07-12 22:34:17 +1000339 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000340#else
Darren Tucker45150472006-07-12 22:34:17 +1000341 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker409cb322004-01-05 22:36:51 +1100342#endif
343#else
Darren Tucker1629c072007-02-19 22:25:37 +1100344 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000345 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
346 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
347 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000348#endif
Darren Tucker45150472006-07-12 22:34:17 +1000349 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
350 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker0efd1552003-08-26 11:49:55 +1000351#ifdef GSSAPI
Darren Tucker1629c072007-02-19 22:25:37 +1100352 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000353 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
Darren Tucker0efd1552003-08-26 11:49:55 +1000354#else
Darren Tucker1629c072007-02-19 22:25:37 +1100355 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000356 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
Darren Tucker0efd1552003-08-26 11:49:55 +1000357#endif
Darren Tucker1629c072007-02-19 22:25:37 +1100358 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
359 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
Darren Tucker1d75f222007-03-01 21:31:28 +1100360 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
Darren Tucker45150472006-07-12 22:34:17 +1000361 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
362 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
363 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
364 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
365 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
366 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
367 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
368 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
Damien Millerd1de9952006-07-24 14:05:48 +1000369 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
370 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
371 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000372 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
373 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
374 { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
375 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
376 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
377 { "compression", sCompression, SSHCFG_GLOBAL },
378 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
379 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
380 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
381 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
382 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
383 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
384 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
385 { "ciphers", sCiphers, SSHCFG_GLOBAL },
386 { "macs", sMacs, SSHCFG_GLOBAL },
387 { "protocol", sProtocol, SSHCFG_GLOBAL },
388 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
389 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
390 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
391 { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
Darren Tucker1629c072007-02-19 22:25:37 +1100392 { "banner", sBanner, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000393 { "usedns", sUseDNS, SSHCFG_GLOBAL },
394 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
395 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
396 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
397 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
398 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
399 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
400 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
401 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
402 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
Damien Miller9b439df2006-07-24 14:04:00 +1000403 { "match", sMatch, SSHCFG_ALL },
404 { "permitopen", sPermitOpen, SSHCFG_ALL },
Damien Millere2754432006-07-24 14:06:47 +1000405 { "forcecommand", sForceCommand, SSHCFG_ALL },
Darren Tucker45150472006-07-12 22:34:17 +1000406 { NULL, sBadOption, 0 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000407};
408
Damien Miller5428f641999-11-25 11:54:57 +1100409/*
Ben Lindstrom3704c262001-04-02 18:20:03 +0000410 * Returns the number of the token pointed to by cp or sBadOption.
Damien Miller5428f641999-11-25 11:54:57 +1100411 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000412
Damien Miller4af51302000-04-16 11:18:38 +1000413static ServerOpCodes
Damien Miller95def091999-11-25 00:26:21 +1100414parse_token(const char *cp, const char *filename,
Darren Tucker45150472006-07-12 22:34:17 +1000415 int linenum, u_int *flags)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000416{
Ben Lindstrom46c16222000-12-22 01:43:59 +0000417 u_int i;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000418
Damien Miller95def091999-11-25 00:26:21 +1100419 for (i = 0; keywords[i].name; i++)
Darren Tucker45150472006-07-12 22:34:17 +1000420 if (strcasecmp(cp, keywords[i].name) == 0) {
421 *flags = keywords[i].flags;
Damien Miller95def091999-11-25 00:26:21 +1100422 return keywords[i].opcode;
Darren Tucker45150472006-07-12 22:34:17 +1000423 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000424
Ben Lindstromb5cdc662001-04-16 02:13:26 +0000425 error("%s: line %d: Bad configuration option: %s",
426 filename, linenum, cp);
Damien Miller95def091999-11-25 00:26:21 +1100427 return sBadOption;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000428}
429
Ben Lindstrombba81212001-06-25 05:01:22 +0000430static void
Ben Lindstrom19066a12001-04-12 23:39:26 +0000431add_listen_addr(ServerOptions *options, char *addr, u_short port)
Damien Miller34132e52000-01-14 15:45:46 +1100432{
Damien Millereccb9de2005-06-17 12:59:34 +1000433 u_int i;
Damien Miller34132e52000-01-14 15:45:46 +1100434
435 if (options->num_ports == 0)
436 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
Darren Tucker0f383232005-01-20 10:57:56 +1100437 if (options->address_family == -1)
438 options->address_family = AF_UNSPEC;
Ben Lindstrom19066a12001-04-12 23:39:26 +0000439 if (port == 0)
Ben Lindstromc510af42001-04-07 17:25:48 +0000440 for (i = 0; i < options->num_ports; i++)
441 add_one_listen_addr(options, addr, options->ports[i]);
442 else
Ben Lindstrom19066a12001-04-12 23:39:26 +0000443 add_one_listen_addr(options, addr, port);
Ben Lindstromc510af42001-04-07 17:25:48 +0000444}
445
Ben Lindstrombba81212001-06-25 05:01:22 +0000446static void
Ben Lindstromc510af42001-04-07 17:25:48 +0000447add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
448{
449 struct addrinfo hints, *ai, *aitop;
450 char strport[NI_MAXSERV];
451 int gaierr;
452
453 memset(&hints, 0, sizeof(hints));
Darren Tucker0f383232005-01-20 10:57:56 +1100454 hints.ai_family = options->address_family;
Ben Lindstromc510af42001-04-07 17:25:48 +0000455 hints.ai_socktype = SOCK_STREAM;
456 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
Ben Lindstrome1353632002-06-23 21:29:23 +0000457 snprintf(strport, sizeof strport, "%u", port);
Ben Lindstromc510af42001-04-07 17:25:48 +0000458 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
459 fatal("bad addr or host: %s (%s)",
460 addr ? addr : "<NULL>",
461 gai_strerror(gaierr));
462 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
463 ;
464 ai->ai_next = options->listen_addrs;
465 options->listen_addrs = aitop;
Damien Miller34132e52000-01-14 15:45:46 +1100466}
467
Darren Tucker45150472006-07-12 22:34:17 +1000468/*
469 * The strategy for the Match blocks is that the config file is parsed twice.
470 *
471 * The first time is at startup. activep is initialized to 1 and the
472 * directives in the global context are processed and acted on. Hitting a
473 * Match directive unsets activep and the directives inside the block are
474 * checked for syntax only.
475 *
476 * The second time is after a connection has been established but before
477 * authentication. activep is initialized to 2 and global config directives
478 * are ignored since they have already been processed. If the criteria in a
479 * Match block is met, activep is set and the subsequent directives
480 * processed and actioned until EOF or another Match block unsets it. Any
481 * options set are copied into the main server config.
482 *
483 * Potential additions/improvements:
484 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
485 *
486 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
487 * Match Address 192.168.0.*
488 * Tag trusted
489 * Match Group wheel
490 * Tag trusted
491 * Match Tag trusted
492 * AllowTcpForwarding yes
493 * GatewayPorts clientspecified
494 * [...]
495 *
496 * - Add a PermittedChannelRequests directive
497 * Match Group shell
498 * PermittedChannelRequests session,forwarded-tcpip
499 */
500
501static int
Damien Miller565ca3f2006-08-19 00:23:15 +1000502match_cfg_line_group(const char *grps, int line, const char *user)
503{
504 int result = 0;
505 u_int ngrps = 0;
506 char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
507 struct passwd *pw;
508
509 /*
510 * Even if we do not have a user yet, we still need to check for
511 * valid syntax.
512 */
513 arg = cp = xstrdup(grps);
514 while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
515 if (ngrps >= MAX_MATCH_GROUPS) {
516 error("line %d: too many groups in Match Group", line);
517 result = -1;
518 goto out;
519 }
520 grplist[ngrps++] = p;
521 }
522
523 if (user == NULL)
524 goto out;
525
526 if ((pw = getpwnam(user)) == NULL) {
527 debug("Can't match group at line %d because user %.100s does "
528 "not exist", line, user);
529 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
530 debug("Can't Match group because user %.100s not in any group "
531 "at line %d", user, line);
532 } else if (ga_match(grplist, ngrps) != 1) {
533 debug("user %.100s does not match group %.100s at line %d",
534 user, arg, line);
535 } else {
536 debug("user %.100s matched group %.100s at line %d", user,
537 arg, line);
538 result = 1;
539 }
540out:
541 ga_free();
542 xfree(arg);
543 return result;
544}
545
546static int
Darren Tucker45150472006-07-12 22:34:17 +1000547match_cfg_line(char **condition, int line, const char *user, const char *host,
548 const char *address)
549{
550 int result = 1;
551 char *arg, *attrib, *cp = *condition;
552 size_t len;
553
554 if (user == NULL)
555 debug3("checking syntax for 'Match %s'", cp);
556 else
557 debug3("checking match for '%s' user %s host %s addr %s", cp,
558 user ? user : "(null)", host ? host : "(null)",
559 address ? address : "(null)");
560
561 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
562 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
563 error("Missing Match criteria for %s", attrib);
564 return -1;
565 }
566 len = strlen(arg);
567 if (strcasecmp(attrib, "user") == 0) {
568 if (!user) {
569 result = 0;
570 continue;
571 }
572 if (match_pattern_list(user, arg, len, 0) != 1)
573 result = 0;
574 else
575 debug("user %.100s matched 'User %.100s' at "
576 "line %d", user, arg, line);
Damien Miller565ca3f2006-08-19 00:23:15 +1000577 } else if (strcasecmp(attrib, "group") == 0) {
578 switch (match_cfg_line_group(arg, line, user)) {
579 case -1:
580 return -1;
581 case 0:
582 result = 0;
583 }
Darren Tucker45150472006-07-12 22:34:17 +1000584 } else if (strcasecmp(attrib, "host") == 0) {
585 if (!host) {
586 result = 0;
587 continue;
588 }
589 if (match_hostname(host, arg, len) != 1)
590 result = 0;
591 else
592 debug("connection from %.100s matched 'Host "
593 "%.100s' at line %d", host, arg, line);
594 } else if (strcasecmp(attrib, "address") == 0) {
Darren Tucker45150472006-07-12 22:34:17 +1000595 if (!address) {
596 result = 0;
597 continue;
598 }
599 if (match_hostname(address, arg, len) != 1)
600 result = 0;
601 else
602 debug("connection from %.100s matched 'Address "
603 "%.100s' at line %d", address, arg, line);
604 } else {
605 error("Unsupported Match attribute %s", attrib);
606 return -1;
607 }
608 }
609 if (user != NULL)
610 debug3("match %sfound", result ? "" : "not ");
611 *condition = cp;
612 return result;
613}
614
Damien Millere2754432006-07-24 14:06:47 +1000615#define WHITESPACE " \t\r\n"
616
Ben Lindstromade03f62001-12-06 18:22:17 +0000617int
618process_server_config_line(ServerOptions *options, char *line,
Darren Tucker45150472006-07-12 22:34:17 +1000619 const char *filename, int linenum, int *activep, const char *user,
620 const char *host, const char *address)
Ben Lindstromade03f62001-12-06 18:22:17 +0000621{
622 char *cp, **charptr, *arg, *p;
Darren Tucker45150472006-07-12 22:34:17 +1000623 int cmdline = 0, *intptr, value, n;
Ben Lindstromade03f62001-12-06 18:22:17 +0000624 ServerOpCodes opcode;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100625 u_short port;
Darren Tucker45150472006-07-12 22:34:17 +1000626 u_int i, flags = 0;
Damien Miller917f9b62006-07-10 20:36:47 +1000627 size_t len;
Ben Lindstromade03f62001-12-06 18:22:17 +0000628
629 cp = line;
Damien Miller78f16cb2006-03-26 13:54:37 +1100630 if ((arg = strdelim(&cp)) == NULL)
Damien Miller928b2362006-03-26 13:53:32 +1100631 return 0;
Ben Lindstromade03f62001-12-06 18:22:17 +0000632 /* Ignore leading whitespace */
633 if (*arg == '\0')
634 arg = strdelim(&cp);
635 if (!arg || !*arg || *arg == '#')
636 return 0;
637 intptr = NULL;
638 charptr = NULL;
Darren Tucker45150472006-07-12 22:34:17 +1000639 opcode = parse_token(arg, filename, linenum, &flags);
640
641 if (activep == NULL) { /* We are processing a command line directive */
642 cmdline = 1;
643 activep = &cmdline;
644 }
645 if (*activep && opcode != sMatch)
646 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
647 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
648 if (user == NULL) {
649 fatal("%s line %d: Directive '%s' is not allowed "
650 "within a Match block", filename, linenum, arg);
651 } else { /* this is a directive we have already processed */
652 while (arg)
653 arg = strdelim(&cp);
654 return 0;
655 }
656 }
657
Ben Lindstromade03f62001-12-06 18:22:17 +0000658 switch (opcode) {
659 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000660 case sUsePAM:
661 intptr = &options->use_pam;
Ben Lindstromade03f62001-12-06 18:22:17 +0000662 goto parse_flag;
663
664 /* Standard Options */
665 case sBadOption:
666 return -1;
667 case sPort:
668 /* ignore ports from configfile if cmdline specifies ports */
669 if (options->ports_from_cmdline)
670 return 0;
671 if (options->listen_addrs != NULL)
672 fatal("%s line %d: ports must be specified before "
Damien Miller4fbf08a2002-01-22 23:35:09 +1100673 "ListenAddress.", filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000674 if (options->num_ports >= MAX_PORTS)
675 fatal("%s line %d: too many ports.",
676 filename, linenum);
677 arg = strdelim(&cp);
678 if (!arg || *arg == '\0')
679 fatal("%s line %d: missing port number.",
680 filename, linenum);
681 options->ports[options->num_ports++] = a2port(arg);
682 if (options->ports[options->num_ports-1] == 0)
683 fatal("%s line %d: Badly formatted port number.",
684 filename, linenum);
685 break;
686
687 case sServerKeyBits:
688 intptr = &options->server_key_bits;
689parse_int:
690 arg = strdelim(&cp);
691 if (!arg || *arg == '\0')
692 fatal("%s line %d: missing integer value.",
693 filename, linenum);
694 value = atoi(arg);
Darren Tucker45150472006-07-12 22:34:17 +1000695 if (*activep && *intptr == -1)
Ben Lindstromade03f62001-12-06 18:22:17 +0000696 *intptr = value;
697 break;
698
699 case sLoginGraceTime:
700 intptr = &options->login_grace_time;
701parse_time:
702 arg = strdelim(&cp);
703 if (!arg || *arg == '\0')
704 fatal("%s line %d: missing time value.",
705 filename, linenum);
706 if ((value = convtime(arg)) == -1)
707 fatal("%s line %d: invalid time value.",
708 filename, linenum);
709 if (*intptr == -1)
710 *intptr = value;
711 break;
712
713 case sKeyRegenerationTime:
714 intptr = &options->key_regeneration_time;
715 goto parse_time;
716
717 case sListenAddress:
718 arg = strdelim(&cp);
Damien Millerf91ee4c2005-03-01 21:24:33 +1100719 if (arg == NULL || *arg == '\0')
720 fatal("%s line %d: missing address",
Ben Lindstromade03f62001-12-06 18:22:17 +0000721 filename, linenum);
Damien Miller203c7052005-08-12 22:11:37 +1000722 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
723 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
724 && strchr(p+1, ':') != NULL) {
725 add_listen_addr(options, arg, 0);
726 break;
727 }
Damien Millerf91ee4c2005-03-01 21:24:33 +1100728 p = hpdelim(&arg);
729 if (p == NULL)
730 fatal("%s line %d: bad address:port usage",
731 filename, linenum);
732 p = cleanhostname(p);
733 if (arg == NULL)
734 port = 0;
735 else if ((port = a2port(arg)) == 0)
736 fatal("%s line %d: bad port number", filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000737
Damien Millerf91ee4c2005-03-01 21:24:33 +1100738 add_listen_addr(options, p, port);
739
Ben Lindstromade03f62001-12-06 18:22:17 +0000740 break;
741
Darren Tucker0f383232005-01-20 10:57:56 +1100742 case sAddressFamily:
743 arg = strdelim(&cp);
Damien Miller17b23d82005-05-26 12:11:56 +1000744 if (!arg || *arg == '\0')
745 fatal("%s line %d: missing address family.",
746 filename, linenum);
Darren Tucker0f383232005-01-20 10:57:56 +1100747 intptr = &options->address_family;
748 if (options->listen_addrs != NULL)
749 fatal("%s line %d: address family must be specified before "
750 "ListenAddress.", filename, linenum);
751 if (strcasecmp(arg, "inet") == 0)
752 value = AF_INET;
753 else if (strcasecmp(arg, "inet6") == 0)
754 value = AF_INET6;
755 else if (strcasecmp(arg, "any") == 0)
756 value = AF_UNSPEC;
757 else
758 fatal("%s line %d: unsupported address family \"%s\".",
759 filename, linenum, arg);
760 if (*intptr == -1)
761 *intptr = value;
762 break;
763
Ben Lindstromade03f62001-12-06 18:22:17 +0000764 case sHostKeyFile:
765 intptr = &options->num_host_key_files;
766 if (*intptr >= MAX_HOSTKEYS)
767 fatal("%s line %d: too many host keys specified (max %d).",
768 filename, linenum, MAX_HOSTKEYS);
769 charptr = &options->host_key_files[*intptr];
770parse_filename:
771 arg = strdelim(&cp);
772 if (!arg || *arg == '\0')
773 fatal("%s line %d: missing file name.",
774 filename, linenum);
Darren Tucker45150472006-07-12 22:34:17 +1000775 if (*activep && *charptr == NULL) {
Ben Lindstromade03f62001-12-06 18:22:17 +0000776 *charptr = tilde_expand_filename(arg, getuid());
777 /* increase optional counter */
778 if (intptr != NULL)
779 *intptr = *intptr + 1;
780 }
781 break;
782
783 case sPidFile:
784 charptr = &options->pid_file;
785 goto parse_filename;
786
787 case sPermitRootLogin:
788 intptr = &options->permit_root_login;
789 arg = strdelim(&cp);
790 if (!arg || *arg == '\0')
791 fatal("%s line %d: missing yes/"
792 "without-password/forced-commands-only/no "
793 "argument.", filename, linenum);
794 value = 0; /* silence compiler */
795 if (strcmp(arg, "without-password") == 0)
796 value = PERMIT_NO_PASSWD;
797 else if (strcmp(arg, "forced-commands-only") == 0)
798 value = PERMIT_FORCED_ONLY;
799 else if (strcmp(arg, "yes") == 0)
800 value = PERMIT_YES;
801 else if (strcmp(arg, "no") == 0)
802 value = PERMIT_NO;
803 else
804 fatal("%s line %d: Bad yes/"
805 "without-password/forced-commands-only/no "
806 "argument: %s", filename, linenum, arg);
807 if (*intptr == -1)
808 *intptr = value;
809 break;
810
811 case sIgnoreRhosts:
812 intptr = &options->ignore_rhosts;
813parse_flag:
814 arg = strdelim(&cp);
815 if (!arg || *arg == '\0')
816 fatal("%s line %d: missing yes/no argument.",
817 filename, linenum);
818 value = 0; /* silence compiler */
819 if (strcmp(arg, "yes") == 0)
820 value = 1;
821 else if (strcmp(arg, "no") == 0)
822 value = 0;
823 else
824 fatal("%s line %d: Bad yes/no argument: %s",
825 filename, linenum, arg);
Darren Tucker45150472006-07-12 22:34:17 +1000826 if (*activep && *intptr == -1)
Ben Lindstromade03f62001-12-06 18:22:17 +0000827 *intptr = value;
828 break;
829
830 case sIgnoreUserKnownHosts:
831 intptr = &options->ignore_user_known_hosts;
832 goto parse_flag;
833
Ben Lindstromade03f62001-12-06 18:22:17 +0000834 case sRhostsRSAAuthentication:
835 intptr = &options->rhosts_rsa_authentication;
836 goto parse_flag;
837
838 case sHostbasedAuthentication:
839 intptr = &options->hostbased_authentication;
840 goto parse_flag;
841
842 case sHostbasedUsesNameFromPacketOnly:
843 intptr = &options->hostbased_uses_name_from_packet_only;
844 goto parse_flag;
845
846 case sRSAAuthentication:
847 intptr = &options->rsa_authentication;
848 goto parse_flag;
849
850 case sPubkeyAuthentication:
851 intptr = &options->pubkey_authentication;
852 goto parse_flag;
Damien Miller2aa0ab42003-05-15 12:05:28 +1000853
Ben Lindstromade03f62001-12-06 18:22:17 +0000854 case sKerberosAuthentication:
855 intptr = &options->kerberos_authentication;
856 goto parse_flag;
857
858 case sKerberosOrLocalPasswd:
859 intptr = &options->kerberos_or_local_passwd;
860 goto parse_flag;
861
862 case sKerberosTicketCleanup:
863 intptr = &options->kerberos_ticket_cleanup;
864 goto parse_flag;
Damien Miller2aa0ab42003-05-15 12:05:28 +1000865
Darren Tucker22ef5082003-12-31 11:37:34 +1100866 case sKerberosGetAFSToken:
867 intptr = &options->kerberos_get_afs_token;
868 goto parse_flag;
869
Darren Tucker0efd1552003-08-26 11:49:55 +1000870 case sGssAuthentication:
871 intptr = &options->gss_authentication;
872 goto parse_flag;
873
874 case sGssCleanupCreds:
875 intptr = &options->gss_cleanup_creds;
876 goto parse_flag;
877
Ben Lindstromade03f62001-12-06 18:22:17 +0000878 case sPasswordAuthentication:
879 intptr = &options->password_authentication;
880 goto parse_flag;
881
882 case sKbdInteractiveAuthentication:
883 intptr = &options->kbd_interactive_authentication;
884 goto parse_flag;
885
886 case sChallengeResponseAuthentication:
887 intptr = &options->challenge_response_authentication;
888 goto parse_flag;
889
890 case sPrintMotd:
891 intptr = &options->print_motd;
892 goto parse_flag;
893
894 case sPrintLastLog:
895 intptr = &options->print_lastlog;
896 goto parse_flag;
897
898 case sX11Forwarding:
899 intptr = &options->x11_forwarding;
900 goto parse_flag;
901
902 case sX11DisplayOffset:
903 intptr = &options->x11_display_offset;
904 goto parse_int;
905
Damien Miller95c249f2002-02-05 12:11:34 +1100906 case sX11UseLocalhost:
907 intptr = &options->x11_use_localhost;
908 goto parse_flag;
909
Ben Lindstromade03f62001-12-06 18:22:17 +0000910 case sXAuthLocation:
911 charptr = &options->xauth_location;
912 goto parse_filename;
913
914 case sStrictModes:
915 intptr = &options->strict_modes;
916 goto parse_flag;
917
Damien Miller12c150e2003-12-17 16:31:10 +1100918 case sTCPKeepAlive:
919 intptr = &options->tcp_keep_alive;
Ben Lindstromade03f62001-12-06 18:22:17 +0000920 goto parse_flag;
921
922 case sEmptyPasswd:
923 intptr = &options->permit_empty_passwd;
924 goto parse_flag;
925
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000926 case sPermitUserEnvironment:
927 intptr = &options->permit_user_env;
928 goto parse_flag;
929
Ben Lindstromade03f62001-12-06 18:22:17 +0000930 case sUseLogin:
931 intptr = &options->use_login;
932 goto parse_flag;
933
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000934 case sCompression:
935 intptr = &options->compression;
Damien Miller9786e6e2005-07-26 21:54:56 +1000936 arg = strdelim(&cp);
937 if (!arg || *arg == '\0')
938 fatal("%s line %d: missing yes/no/delayed "
939 "argument.", filename, linenum);
940 value = 0; /* silence compiler */
941 if (strcmp(arg, "delayed") == 0)
942 value = COMP_DELAYED;
943 else if (strcmp(arg, "yes") == 0)
944 value = COMP_ZLIB;
945 else if (strcmp(arg, "no") == 0)
946 value = COMP_NONE;
947 else
948 fatal("%s line %d: Bad yes/no/delayed "
949 "argument: %s", filename, linenum, arg);
950 if (*intptr == -1)
951 *intptr = value;
952 break;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000953
Ben Lindstromade03f62001-12-06 18:22:17 +0000954 case sGatewayPorts:
955 intptr = &options->gateway_ports;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100956 arg = strdelim(&cp);
957 if (!arg || *arg == '\0')
958 fatal("%s line %d: missing yes/no/clientspecified "
959 "argument.", filename, linenum);
960 value = 0; /* silence compiler */
961 if (strcmp(arg, "clientspecified") == 0)
962 value = 2;
963 else if (strcmp(arg, "yes") == 0)
964 value = 1;
965 else if (strcmp(arg, "no") == 0)
966 value = 0;
967 else
968 fatal("%s line %d: Bad yes/no/clientspecified "
969 "argument: %s", filename, linenum, arg);
Darren Tucker82347a82007-02-25 20:37:52 +1100970 if (*activep && *intptr == -1)
Damien Millerf91ee4c2005-03-01 21:24:33 +1100971 *intptr = value;
972 break;
Ben Lindstromade03f62001-12-06 18:22:17 +0000973
Damien Miller3a961dc2003-06-03 10:25:48 +1000974 case sUseDNS:
975 intptr = &options->use_dns;
Ben Lindstromade03f62001-12-06 18:22:17 +0000976 goto parse_flag;
977
978 case sLogFacility:
979 intptr = (int *) &options->log_facility;
980 arg = strdelim(&cp);
981 value = log_facility_number(arg);
Damien Millerfcd93202002-02-05 12:26:34 +1100982 if (value == SYSLOG_FACILITY_NOT_SET)
Ben Lindstromade03f62001-12-06 18:22:17 +0000983 fatal("%.200s line %d: unsupported log facility '%s'",
984 filename, linenum, arg ? arg : "<NONE>");
985 if (*intptr == -1)
986 *intptr = (SyslogFacility) value;
987 break;
988
989 case sLogLevel:
990 intptr = (int *) &options->log_level;
991 arg = strdelim(&cp);
992 value = log_level_number(arg);
Damien Millerfcd93202002-02-05 12:26:34 +1100993 if (value == SYSLOG_LEVEL_NOT_SET)
Ben Lindstromade03f62001-12-06 18:22:17 +0000994 fatal("%.200s line %d: unsupported log level '%s'",
995 filename, linenum, arg ? arg : "<NONE>");
996 if (*intptr == -1)
997 *intptr = (LogLevel) value;
998 break;
999
1000 case sAllowTcpForwarding:
1001 intptr = &options->allow_tcp_forwarding;
1002 goto parse_flag;
1003
Ben Lindstrom7a2073c2002-03-22 02:30:41 +00001004 case sUsePrivilegeSeparation:
1005 intptr = &use_privsep;
1006 goto parse_flag;
1007
Ben Lindstromade03f62001-12-06 18:22:17 +00001008 case sAllowUsers:
1009 while ((arg = strdelim(&cp)) && *arg != '\0') {
1010 if (options->num_allow_users >= MAX_ALLOW_USERS)
1011 fatal("%s line %d: too many allow users.",
1012 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +00001013 options->allow_users[options->num_allow_users++] =
1014 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001015 }
1016 break;
1017
1018 case sDenyUsers:
1019 while ((arg = strdelim(&cp)) && *arg != '\0') {
1020 if (options->num_deny_users >= MAX_DENY_USERS)
Damien Miller4dec5d72006-08-05 11:38:40 +10001021 fatal("%s line %d: too many deny users.",
Ben Lindstromade03f62001-12-06 18:22:17 +00001022 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +00001023 options->deny_users[options->num_deny_users++] =
1024 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001025 }
1026 break;
1027
1028 case sAllowGroups:
1029 while ((arg = strdelim(&cp)) && *arg != '\0') {
1030 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1031 fatal("%s line %d: too many allow groups.",
1032 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +00001033 options->allow_groups[options->num_allow_groups++] =
1034 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001035 }
1036 break;
1037
1038 case sDenyGroups:
1039 while ((arg = strdelim(&cp)) && *arg != '\0') {
1040 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1041 fatal("%s line %d: too many deny groups.",
1042 filename, linenum);
1043 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1044 }
1045 break;
1046
1047 case sCiphers:
1048 arg = strdelim(&cp);
1049 if (!arg || *arg == '\0')
1050 fatal("%s line %d: Missing argument.", filename, linenum);
1051 if (!ciphers_valid(arg))
1052 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1053 filename, linenum, arg ? arg : "<NONE>");
1054 if (options->ciphers == NULL)
1055 options->ciphers = xstrdup(arg);
1056 break;
1057
1058 case sMacs:
1059 arg = strdelim(&cp);
1060 if (!arg || *arg == '\0')
1061 fatal("%s line %d: Missing argument.", filename, linenum);
1062 if (!mac_valid(arg))
1063 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1064 filename, linenum, arg ? arg : "<NONE>");
1065 if (options->macs == NULL)
1066 options->macs = xstrdup(arg);
1067 break;
1068
1069 case sProtocol:
1070 intptr = &options->protocol;
1071 arg = strdelim(&cp);
1072 if (!arg || *arg == '\0')
1073 fatal("%s line %d: Missing argument.", filename, linenum);
1074 value = proto_spec(arg);
1075 if (value == SSH_PROTO_UNKNOWN)
1076 fatal("%s line %d: Bad protocol spec '%s'.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001077 filename, linenum, arg ? arg : "<NONE>");
Ben Lindstromade03f62001-12-06 18:22:17 +00001078 if (*intptr == SSH_PROTO_UNKNOWN)
1079 *intptr = value;
1080 break;
1081
1082 case sSubsystem:
1083 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1084 fatal("%s line %d: too many subsystems defined.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001085 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +00001086 }
1087 arg = strdelim(&cp);
1088 if (!arg || *arg == '\0')
1089 fatal("%s line %d: Missing subsystem name.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001090 filename, linenum);
Darren Tucker45150472006-07-12 22:34:17 +10001091 if (!*activep) {
1092 arg = strdelim(&cp);
1093 break;
1094 }
Ben Lindstromade03f62001-12-06 18:22:17 +00001095 for (i = 0; i < options->num_subsystems; i++)
1096 if (strcmp(arg, options->subsystem_name[i]) == 0)
1097 fatal("%s line %d: Subsystem '%s' already defined.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001098 filename, linenum, arg);
Ben Lindstromade03f62001-12-06 18:22:17 +00001099 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1100 arg = strdelim(&cp);
1101 if (!arg || *arg == '\0')
1102 fatal("%s line %d: Missing subsystem command.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001103 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +00001104 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
Damien Miller917f9b62006-07-10 20:36:47 +10001105
1106 /* Collect arguments (separate to executable) */
1107 p = xstrdup(arg);
1108 len = strlen(p) + 1;
1109 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1110 len += 1 + strlen(arg);
1111 p = xrealloc(p, 1, len);
1112 strlcat(p, " ", len);
1113 strlcat(p, arg, len);
1114 }
1115 options->subsystem_args[options->num_subsystems] = p;
Ben Lindstromade03f62001-12-06 18:22:17 +00001116 options->num_subsystems++;
1117 break;
1118
1119 case sMaxStartups:
1120 arg = strdelim(&cp);
1121 if (!arg || *arg == '\0')
1122 fatal("%s line %d: Missing MaxStartups spec.",
Damien Miller9f0f5c62001-12-21 14:45:46 +11001123 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +00001124 if ((n = sscanf(arg, "%d:%d:%d",
1125 &options->max_startups_begin,
1126 &options->max_startups_rate,
1127 &options->max_startups)) == 3) {
1128 if (options->max_startups_begin >
1129 options->max_startups ||
1130 options->max_startups_rate > 100 ||
1131 options->max_startups_rate < 1)
1132 fatal("%s line %d: Illegal MaxStartups spec.",
1133 filename, linenum);
1134 } else if (n != 1)
1135 fatal("%s line %d: Illegal MaxStartups spec.",
1136 filename, linenum);
1137 else
1138 options->max_startups = options->max_startups_begin;
1139 break;
1140
Darren Tucker89413db2004-05-24 10:36:23 +10001141 case sMaxAuthTries:
1142 intptr = &options->max_authtries;
1143 goto parse_int;
1144
Ben Lindstromade03f62001-12-06 18:22:17 +00001145 case sBanner:
1146 charptr = &options->banner;
1147 goto parse_filename;
1148 /*
1149 * These options can contain %X options expanded at
1150 * connect time, so that you can specify paths like:
1151 *
1152 * AuthorizedKeysFile /etc/ssh_keys/%u
1153 */
1154 case sAuthorizedKeysFile:
1155 case sAuthorizedKeysFile2:
Damien Miller4dec5d72006-08-05 11:38:40 +10001156 charptr = (opcode == sAuthorizedKeysFile) ?
Ben Lindstromade03f62001-12-06 18:22:17 +00001157 &options->authorized_keys_file :
1158 &options->authorized_keys_file2;
1159 goto parse_filename;
1160
1161 case sClientAliveInterval:
1162 intptr = &options->client_alive_interval;
1163 goto parse_time;
1164
1165 case sClientAliveCountMax:
1166 intptr = &options->client_alive_count_max;
1167 goto parse_int;
1168
Darren Tucker46bc0752004-05-02 22:11:30 +10001169 case sAcceptEnv:
1170 while ((arg = strdelim(&cp)) && *arg != '\0') {
1171 if (strchr(arg, '=') != NULL)
1172 fatal("%s line %d: Invalid environment name.",
1173 filename, linenum);
1174 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1175 fatal("%s line %d: too many allow env.",
1176 filename, linenum);
Darren Tucker45150472006-07-12 22:34:17 +10001177 if (!*activep)
1178 break;
Darren Tucker46bc0752004-05-02 22:11:30 +10001179 options->accept_env[options->num_accept_env++] =
1180 xstrdup(arg);
1181 }
1182 break;
1183
Damien Millerd27b9472005-12-13 19:29:02 +11001184 case sPermitTunnel:
1185 intptr = &options->permit_tun;
Damien Miller7b58e802005-12-13 19:33:19 +11001186 arg = strdelim(&cp);
1187 if (!arg || *arg == '\0')
1188 fatal("%s line %d: Missing yes/point-to-point/"
1189 "ethernet/no argument.", filename, linenum);
1190 value = 0; /* silence compiler */
1191 if (strcasecmp(arg, "ethernet") == 0)
1192 value = SSH_TUNMODE_ETHERNET;
1193 else if (strcasecmp(arg, "point-to-point") == 0)
1194 value = SSH_TUNMODE_POINTOPOINT;
1195 else if (strcasecmp(arg, "yes") == 0)
1196 value = SSH_TUNMODE_YES;
1197 else if (strcasecmp(arg, "no") == 0)
1198 value = SSH_TUNMODE_NO;
1199 else
1200 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1201 "no argument: %s", filename, linenum, arg);
1202 if (*intptr == -1)
1203 *intptr = value;
1204 break;
Damien Millerd27b9472005-12-13 19:29:02 +11001205
Darren Tucker45150472006-07-12 22:34:17 +10001206 case sMatch:
1207 if (cmdline)
1208 fatal("Match directive not supported as a command-line "
1209 "option");
1210 value = match_cfg_line(&cp, linenum, user, host, address);
1211 if (value < 0)
1212 fatal("%s line %d: Bad Match condition", filename,
1213 linenum);
1214 *activep = value;
1215 break;
1216
Damien Miller9b439df2006-07-24 14:04:00 +10001217 case sPermitOpen:
1218 arg = strdelim(&cp);
1219 if (!arg || *arg == '\0')
1220 fatal("%s line %d: missing PermitOpen specification",
1221 filename, linenum);
Damien Miller9fc6a562007-01-05 16:29:02 +11001222 n = options->num_permitted_opens; /* modified later */
Damien Miller9b439df2006-07-24 14:04:00 +10001223 if (strcmp(arg, "any") == 0) {
Damien Miller9fc6a562007-01-05 16:29:02 +11001224 if (*activep && n == -1) {
Damien Miller9b439df2006-07-24 14:04:00 +10001225 channel_clear_adm_permitted_opens();
Damien Millera765cf42006-07-24 14:08:13 +10001226 options->num_permitted_opens = 0;
1227 }
Damien Miller9b439df2006-07-24 14:04:00 +10001228 break;
1229 }
Damien Millera29b95e2007-01-05 16:28:36 +11001230 if (*activep && n == -1)
1231 channel_clear_adm_permitted_opens();
Damien Millera765cf42006-07-24 14:08:13 +10001232 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1233 p = hpdelim(&arg);
1234 if (p == NULL)
1235 fatal("%s line %d: missing host in PermitOpen",
1236 filename, linenum);
1237 p = cleanhostname(p);
1238 if (arg == NULL || (port = a2port(arg)) == 0)
1239 fatal("%s line %d: bad port number in "
1240 "PermitOpen", filename, linenum);
Damien Millera29b95e2007-01-05 16:28:36 +11001241 if (*activep && n == -1)
Damien Millera765cf42006-07-24 14:08:13 +10001242 options->num_permitted_opens =
1243 channel_add_adm_permitted_opens(p, port);
Damien Millera765cf42006-07-24 14:08:13 +10001244 }
Damien Miller9b439df2006-07-24 14:04:00 +10001245 break;
1246
Damien Millere2754432006-07-24 14:06:47 +10001247 case sForceCommand:
1248 if (cp == NULL)
1249 fatal("%.200s line %d: Missing argument.", filename,
1250 linenum);
1251 len = strspn(cp, WHITESPACE);
1252 if (*activep && options->adm_forced_command == NULL)
1253 options->adm_forced_command = xstrdup(cp + len);
1254 return 0;
1255
Ben Lindstromade03f62001-12-06 18:22:17 +00001256 case sDeprecated:
Damien Miller996acd22003-04-09 20:59:48 +10001257 logit("%s line %d: Deprecated option %s",
Ben Lindstromade03f62001-12-06 18:22:17 +00001258 filename, linenum, arg);
1259 while (arg)
1260 arg = strdelim(&cp);
1261 break;
1262
Damien Millerf9b3feb2003-05-16 11:38:32 +10001263 case sUnsupported:
1264 logit("%s line %d: Unsupported option %s",
1265 filename, linenum, arg);
1266 while (arg)
1267 arg = strdelim(&cp);
1268 break;
1269
Ben Lindstromade03f62001-12-06 18:22:17 +00001270 default:
1271 fatal("%s line %d: Missing handler for opcode %s (%d)",
1272 filename, linenum, arg, opcode);
1273 }
1274 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1275 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1276 filename, linenum, arg);
1277 return 0;
1278}
1279
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001280/* Reads the server configuration file. */
1281
Damien Miller4af51302000-04-16 11:18:38 +10001282void
Darren Tucker645ab752004-06-25 13:33:20 +10001283load_server_config(const char *filename, Buffer *conf)
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001284{
Darren Tucker645ab752004-06-25 13:33:20 +10001285 char line[1024], *cp;
Ben Lindstrome1353632002-06-23 21:29:23 +00001286 FILE *f;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001287
Darren Tucker645ab752004-06-25 13:33:20 +10001288 debug2("%s: filename %s", __func__, filename);
1289 if ((f = fopen(filename, "r")) == NULL) {
Damien Miller95def091999-11-25 00:26:21 +11001290 perror(filename);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001291 exit(1);
Damien Miller95def091999-11-25 00:26:21 +11001292 }
Darren Tucker645ab752004-06-25 13:33:20 +10001293 buffer_clear(conf);
Damien Miller95def091999-11-25 00:26:21 +11001294 while (fgets(line, sizeof(line), f)) {
Darren Tucker645ab752004-06-25 13:33:20 +10001295 /*
1296 * Trim out comments and strip whitespace
Darren Tuckerfc959702004-07-17 16:12:08 +10001297 * NB - preserve newlines, they are needed to reproduce
Darren Tucker645ab752004-06-25 13:33:20 +10001298 * line numbers later for error messages
1299 */
1300 if ((cp = strchr(line, '#')) != NULL)
1301 memcpy(cp, "\n", 2);
1302 cp = line + strspn(line, " \t\r");
1303
1304 buffer_append(conf, cp, strlen(cp));
1305 }
1306 buffer_append(conf, "\0", 1);
1307 fclose(f);
1308 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1309}
1310
1311void
Darren Tucker45150472006-07-12 22:34:17 +10001312parse_server_match_config(ServerOptions *options, const char *user,
1313 const char *host, const char *address)
Darren Tucker645ab752004-06-25 13:33:20 +10001314{
Darren Tucker45150472006-07-12 22:34:17 +10001315 ServerOptions mo;
1316
1317 initialize_server_options(&mo);
1318 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
Darren Tucker1629c072007-02-19 22:25:37 +11001319 copy_set_server_options(options, &mo, 0);
Darren Tucker45150472006-07-12 22:34:17 +10001320}
1321
Darren Tucker1629c072007-02-19 22:25:37 +11001322/* Helper macros */
1323#define M_CP_INTOPT(n) do {\
1324 if (src->n != -1) \
1325 dst->n = src->n; \
1326} while (0)
1327#define M_CP_STROPT(n) do {\
1328 if (src->n != NULL) { \
1329 if (dst->n != NULL) \
1330 xfree(dst->n); \
1331 dst->n = src->n; \
1332 } \
1333} while(0)
1334
1335/*
1336 * Copy any supported values that are set.
1337 *
1338 * If the preauth flag is set, we do not bother copying the the string or
1339 * array values that are not used pre-authentication, because any that we
1340 * do use must be explictly sent in mm_getpwnamallow().
1341 */
Darren Tucker45150472006-07-12 22:34:17 +10001342void
Darren Tucker1629c072007-02-19 22:25:37 +11001343copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
Darren Tucker45150472006-07-12 22:34:17 +10001344{
Darren Tucker1629c072007-02-19 22:25:37 +11001345 M_CP_INTOPT(password_authentication);
1346 M_CP_INTOPT(gss_authentication);
1347 M_CP_INTOPT(rsa_authentication);
1348 M_CP_INTOPT(pubkey_authentication);
1349 M_CP_INTOPT(kerberos_authentication);
1350 M_CP_INTOPT(hostbased_authentication);
1351 M_CP_INTOPT(kbd_interactive_authentication);
Darren Tucker1629c072007-02-19 22:25:37 +11001352
1353 M_CP_INTOPT(allow_tcp_forwarding);
1354 M_CP_INTOPT(gateway_ports);
1355 M_CP_INTOPT(x11_display_offset);
1356 M_CP_INTOPT(x11_forwarding);
1357 M_CP_INTOPT(x11_use_localhost);
1358
1359 M_CP_STROPT(banner);
1360 if (preauth)
1361 return;
1362 M_CP_STROPT(adm_forced_command);
Darren Tucker45150472006-07-12 22:34:17 +10001363}
1364
Darren Tucker1629c072007-02-19 22:25:37 +11001365#undef M_CP_INTOPT
1366#undef M_CP_STROPT
1367
Darren Tucker45150472006-07-12 22:34:17 +10001368void
1369parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1370 const char *user, const char *host, const char *address)
1371{
1372 int active, linenum, bad_options = 0;
Darren Tucker9fbac712004-08-12 22:41:44 +10001373 char *cp, *obuf, *cbuf;
Darren Tucker645ab752004-06-25 13:33:20 +10001374
1375 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1376
Darren Tucker9fbac712004-08-12 22:41:44 +10001377 obuf = cbuf = xstrdup(buffer_ptr(conf));
Darren Tucker45150472006-07-12 22:34:17 +10001378 active = user ? 0 : 1;
Darren Tucker137e9c92004-08-13 21:30:24 +10001379 linenum = 1;
Darren Tucker47eede72005-03-14 23:08:12 +11001380 while ((cp = strsep(&cbuf, "\n")) != NULL) {
Darren Tucker645ab752004-06-25 13:33:20 +10001381 if (process_server_config_line(options, cp, filename,
Darren Tucker45150472006-07-12 22:34:17 +10001382 linenum++, &active, user, host, address) != 0)
Damien Miller95def091999-11-25 00:26:21 +11001383 bad_options++;
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001384 }
Darren Tucker9fbac712004-08-12 22:41:44 +10001385 xfree(obuf);
Ben Lindstromb5cdc662001-04-16 02:13:26 +00001386 if (bad_options > 0)
1387 fatal("%s: terminating, %d bad configuration options",
1388 filename, bad_options);
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001389}