Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 917f9b6b6eb560e205a787bd8f38d4b9741c9a9f / . / servconf.c
blob: af0ad1a3556c92644c5340dbe4db3ad28fe21548 [file] [log] [blame]
Damien Miller917f9b62006-07-10 20:36:47 +1000[diff] [blame^]1/* $OpenBSD: servconf.c,v 1.151 2006/07/06 10:47:05 djm Exp $ */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]2/*
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]5 *
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]11 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]12
13#include "includes.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]14
15#include "ssh.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]16#include "log.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]17#include "servconf.h"
18#include "xmalloc.h"
Damien Miller78928792000-04-12 20:17:38 +1000[diff] [blame]19#include "compat.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]20#include "pathnames.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]21#include "misc.h"
22#include "cipher.h"
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]23#include "kex.h"
24#include "mac.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]25
Ben Lindstrombba81212001-06-25 05:01:22 +0000[diff] [blame]26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]28
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]29/* Use of privilege separation or not */
30extern int use_privsep;
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]31
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]32/* Initializes the server options to their default values. */
33
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]34void
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]35initialize_server_options(ServerOptions *options)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]36{
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]37 memset(options, 0, sizeof(*options));
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]38
39 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000[diff] [blame]40 options->use_pam = -1;
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]41
42 /* Standard Options */
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]46 options->address_family = -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]47 options->num_host_key_files = 0;
Damien Miller6f83b8e2000-05-02 09:23:45 +1000[diff] [blame]48 options->pid_file = NULL;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
Ben Lindstromd8a90212001-02-15 03:08:27 +0000[diff] [blame]52 options->permit_root_login = PERMIT_NOT_SET;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000[diff] [blame]56 options->print_lastlog = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
Damien Miller95c249f2002-02-05 12:11:34 +1100[diff] [blame]59 options->x11_use_localhost = -1;
Damien Millerd3a18572000-06-07 19:55:44 +1000[diff] [blame]60 options->xauth_location = NULL;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]61 options->strict_modes = -1;
Damien Miller12c150e2003-12-17 16:31:10 +1100[diff] [blame]62 options->tcp_keep_alive = -1;
Damien Millerfcd93202002-02-05 12:26:34 +1100[diff] [blame]63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]65 options->rhosts_rsa_authentication = -1;
Ben Lindstrom5eabda32001-04-12 23:34:34 +0000[diff] [blame]66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]68 options->rsa_authentication = -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]69 options->pubkey_authentication = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]73 options->kerberos_get_afs_token = -1;
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]76 options->password_authentication = -1;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]77 options->kbd_interactive_authentication = -1;
Ben Lindstrom551ea372001-06-05 18:56:16 +0000[diff] [blame]78 options->challenge_response_authentication = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]79 options->permit_empty_passwd = -1;
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]80 options->permit_user_env = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]81 options->use_login = -1;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000[diff] [blame]82 options->compression = -1;
Damien Miller50a41ed2000-10-16 12:14:42 +1100[diff] [blame]83 options->allow_tcp_forwarding = -1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
Damien Miller78928792000-04-12 20:17:38 +1000[diff] [blame]88 options->ciphers = NULL;
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]89 options->macs = NULL;
Damien Miller78928792000-04-12 20:17:38 +1000[diff] [blame]90 options->protocol = SSH_PROTO_UNKNOWN;
Damien Millere247cc42000-05-07 12:03:14 +1000[diff] [blame]91 options->gateway_ports = -1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]92 options->num_subsystems = 0;
Damien Miller942da032000-08-18 13:59:06 +1000[diff] [blame]93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
Damien Miller37023962000-07-11 17:31:38 +1000[diff] [blame]95 options->max_startups = -1;
Darren Tucker89413db2004-05-24 10:36:23 +1000[diff] [blame]96 options->max_authtries = -1;
Ben Lindstrom48bd7c12001-01-09 00:35:42 +0000[diff] [blame]97 options->banner = NULL;
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]98 options->use_dns = -1;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000[diff] [blame]99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000[diff] [blame]101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
Darren Tucker46bc0752004-05-02 22:11:30 +1000[diff] [blame]103 options->num_accept_env = 0;
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]104 options->permit_tun = -1;
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]105
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]106 /* Needs to be accessable in many places */
107 use_privsep = -1;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]108}
109
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]110void
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]111fill_default_server_options(ServerOptions *options)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]112{
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]113 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000[diff] [blame]114 if (options->use_pam == -1)
Damien Miller5c3a5582003-09-23 22:12:38 +1000[diff] [blame]115 options->use_pam = 0;
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]116
117 /* Standard Options */
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
Damien Miller7fc23732002-01-22 23:19:11 +1100[diff] [blame]123 options->host_key_files[options->num_host_key_files++] =
124 _PATH_HOST_KEY_FILE;
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_RSA_KEY_FILE;
128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_DSA_KEY_FILE;
130 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]131 }
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]132 if (options->num_ports == 0)
133 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
134 if (options->listen_addrs == NULL)
Ben Lindstrom19066a12001-04-12 23:39:26 +0000[diff] [blame]135 add_listen_addr(options, NULL, 0);
Damien Miller6f83b8e2000-05-02 09:23:45 +1000[diff] [blame]136 if (options->pid_file == NULL)
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]137 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]138 if (options->server_key_bits == -1)
139 options->server_key_bits = 768;
140 if (options->login_grace_time == -1)
Damien Millerc1348632002-09-05 14:35:14 +1000[diff] [blame]141 options->login_grace_time = 120;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]142 if (options->key_regeneration_time == -1)
143 options->key_regeneration_time = 3600;
Ben Lindstromd8a90212001-02-15 03:08:27 +0000[diff] [blame]144 if (options->permit_root_login == PERMIT_NOT_SET)
145 options->permit_root_login = PERMIT_YES;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]146 if (options->ignore_rhosts == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100[diff] [blame]147 options->ignore_rhosts = 1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]148 if (options->ignore_user_known_hosts == -1)
149 options->ignore_user_known_hosts = 0;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]150 if (options->print_motd == -1)
151 options->print_motd = 1;
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000[diff] [blame]152 if (options->print_lastlog == -1)
153 options->print_lastlog = 1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]154 if (options->x11_forwarding == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100[diff] [blame]155 options->x11_forwarding = 0;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]156 if (options->x11_display_offset == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100[diff] [blame]157 options->x11_display_offset = 10;
Damien Miller95c249f2002-02-05 12:11:34 +1100[diff] [blame]158 if (options->x11_use_localhost == -1)
159 options->x11_use_localhost = 1;
Damien Millerd3a18572000-06-07 19:55:44 +1000[diff] [blame]160 if (options->xauth_location == NULL)
Ben Lindstrom1bf11f62001-06-09 01:48:01 +0000[diff] [blame]161 options->xauth_location = _PATH_XAUTH;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]162 if (options->strict_modes == -1)
163 options->strict_modes = 1;
Damien Miller12c150e2003-12-17 16:31:10 +1100[diff] [blame]164 if (options->tcp_keep_alive == -1)
165 options->tcp_keep_alive = 1;
Damien Millerfcd93202002-02-05 12:26:34 +1100[diff] [blame]166 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]167 options->log_facility = SYSLOG_FACILITY_AUTH;
Damien Millerfcd93202002-02-05 12:26:34 +1100[diff] [blame]168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000[diff] [blame]169 options->log_level = SYSLOG_LEVEL_INFO;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]170 if (options->rhosts_rsa_authentication == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100[diff] [blame]171 options->rhosts_rsa_authentication = 0;
Ben Lindstrom5eabda32001-04-12 23:34:34 +0000[diff] [blame]172 if (options->hostbased_authentication == -1)
173 options->hostbased_authentication = 0;
174 if (options->hostbased_uses_name_from_packet_only == -1)
175 options->hostbased_uses_name_from_packet_only = 0;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]176 if (options->rsa_authentication == -1)
177 options->rsa_authentication = 1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]178 if (options->pubkey_authentication == -1)
179 options->pubkey_authentication = 1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]180 if (options->kerberos_authentication == -1)
Damien Millerd7de14b2002-04-23 21:04:51 +1000[diff] [blame]181 options->kerberos_authentication = 0;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]182 if (options->kerberos_or_local_passwd == -1)
183 options->kerberos_or_local_passwd = 1;
184 if (options->kerberos_ticket_cleanup == -1)
185 options->kerberos_ticket_cleanup = 1;
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]186 if (options->kerberos_get_afs_token == -1)
187 options->kerberos_get_afs_token = 0;
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]188 if (options->gss_authentication == -1)
189 options->gss_authentication = 0;
190 if (options->gss_cleanup_creds == -1)
191 options->gss_cleanup_creds = 1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]192 if (options->password_authentication == -1)
193 options->password_authentication = 1;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]194 if (options->kbd_interactive_authentication == -1)
195 options->kbd_interactive_authentication = 0;
Ben Lindstrom551ea372001-06-05 18:56:16 +0000[diff] [blame]196 if (options->challenge_response_authentication == -1)
197 options->challenge_response_authentication = 1;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]198 if (options->permit_empty_passwd == -1)
Damien Miller98c7ad62000-03-09 21:27:49 +1100[diff] [blame]199 options->permit_empty_passwd = 0;
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]200 if (options->permit_user_env == -1)
201 options->permit_user_env = 0;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]202 if (options->use_login == -1)
203 options->use_login = 0;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000[diff] [blame]204 if (options->compression == -1)
Damien Miller9786e6e2005-07-26 21:54:56 +1000[diff] [blame]205 options->compression = COMP_DELAYED;
Damien Miller50a41ed2000-10-16 12:14:42 +1100[diff] [blame]206 if (options->allow_tcp_forwarding == -1)
207 options->allow_tcp_forwarding = 1;
Damien Millere247cc42000-05-07 12:03:14 +1000[diff] [blame]208 if (options->gateway_ports == -1)
209 options->gateway_ports = 0;
Damien Miller37023962000-07-11 17:31:38 +1000[diff] [blame]210 if (options->max_startups == -1)
211 options->max_startups = 10;
Damien Miller942da032000-08-18 13:59:06 +1000[diff] [blame]212 if (options->max_startups_rate == -1)
213 options->max_startups_rate = 100; /* 100% */
214 if (options->max_startups_begin == -1)
215 options->max_startups_begin = options->max_startups;
Darren Tucker89413db2004-05-24 10:36:23 +1000[diff] [blame]216 if (options->max_authtries == -1)
217 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]218 if (options->use_dns == -1)
219 options->use_dns = 1;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000[diff] [blame]220 if (options->client_alive_interval == -1)
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]221 options->client_alive_interval = 0;
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000[diff] [blame]222 if (options->client_alive_count_max == -1)
223 options->client_alive_count_max = 3;
Damien Miller75413ac2001-11-12 11:14:35 +1100[diff] [blame]224 if (options->authorized_keys_file2 == NULL) {
225 /* authorized_keys_file2 falls back to authorized_keys_file */
226 if (options->authorized_keys_file != NULL)
227 options->authorized_keys_file2 = options->authorized_keys_file;
228 else
229 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 }
231 if (options->authorized_keys_file == NULL)
232 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]233 if (options->permit_tun == -1)
Damien Miller7b58e802005-12-13 19:33:19 +1100[diff] [blame]234 options->permit_tun = SSH_TUNMODE_NO;
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]235
Ben Lindstromfb62a692002-06-06 19:47:11 +0000[diff] [blame]236 /* Turn privilege separation on by default */
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]237 if (use_privsep == -1)
Ben Lindstromfb62a692002-06-06 19:47:11 +0000[diff] [blame]238 use_privsep = 1;
Damien Miller4903eb42002-06-21 16:20:44 +1000[diff] [blame]239
Tim Rice40017b02002-07-14 13:36:49 -0700[diff] [blame]240#ifndef HAVE_MMAP
Damien Miller4903eb42002-06-21 16:20:44 +1000[diff] [blame]241 if (use_privsep && options->compression == 1) {
242 error("This platform does not support both privilege "
243 "separation and compression");
244 error("Compression disabled");
245 options->compression = 0;
246 }
247#endif
248
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]249}
250
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]251/* Keyword tokens. */
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]252typedef enum {
253 sBadOption, /* == unknown option */
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]254 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000[diff] [blame]255 sUsePAM,
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]256 /* Standard Options */
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]257 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
258 sPermitRootLogin, sLogFacility, sLogLevel,
Darren Tuckerec960f22003-08-13 20:37:05 +1000[diff] [blame]259 sRhostsRSAAuthentication, sRSAAuthentication,
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]260 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]261 sKerberosGetAFSToken,
Darren Tucker6aaa58c2003-08-02 22:24:49 +1000[diff] [blame]262 sKerberosTgtPassing, sChallengeResponseAuthentication,
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]263 sPasswordAuthentication, sKbdInteractiveAuthentication,
264 sListenAddress, sAddressFamily,
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000[diff] [blame]265 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
Damien Miller95c249f2002-02-05 12:11:34 +1100[diff] [blame]266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
Damien Miller12c150e2003-12-17 16:31:10 +1100[diff] [blame]267 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
Damien Miller50a41ed2000-10-16 12:14:42 +1100[diff] [blame]269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
Darren Tucker89413db2004-05-24 10:36:23 +1000[diff] [blame]271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
272 sMaxStartups, sMaxAuthTries,
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]273 sBanner, sUseDNS, sHostbasedAuthentication,
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000[diff] [blame]275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
Ben Lindstromc7431342002-03-22 03:11:49 +0000[diff] [blame]277 sUsePrivilegeSeparation,
Damien Millerf9b3feb2003-05-16 11:38:32 +1000[diff] [blame]278 sDeprecated, sUnsupported
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]279} ServerOpCodes;
280
281/* Textual representation of the tokens. */
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]282static struct {
283 const char *name;
284 ServerOpCodes opcode;
285} keywords[] = {
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]286 /* Portable-specific options */
Damien Miller6ac2c482003-05-16 11:42:35 +1000[diff] [blame]287#ifdef USE_PAM
Damien Miller30912f72003-08-26 10:48:14 +1000[diff] [blame]288 { "usepam", sUsePAM },
Damien Miller6ac2c482003-05-16 11:42:35 +1000[diff] [blame]289#else
Damien Miller30912f72003-08-26 10:48:14 +1000[diff] [blame]290 { "usepam", sUnsupported },
Damien Miller6ac2c482003-05-16 11:42:35 +1000[diff] [blame]291#endif
Damien Miller30912f72003-08-26 10:48:14 +1000[diff] [blame]292 { "pamauthenticationviakbdint", sDeprecated },
Damien Miller726273e2001-11-12 11:40:11 +1100[diff] [blame]293 /* Standard Options */
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]294 { "port", sPort },
295 { "hostkey", sHostKeyFile },
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]296 { "hostdsakey", sHostKeyFile }, /* alias */
Kevin Stevesef4eea92001-02-05 12:42:17 +0000[diff] [blame]297 { "pidfile", sPidFile },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]298 { "serverkeybits", sServerKeyBits },
299 { "logingracetime", sLoginGraceTime },
300 { "keyregenerationinterval", sKeyRegenerationTime },
301 { "permitrootlogin", sPermitRootLogin },
302 { "syslogfacility", sLogFacility },
303 { "loglevel", sLogLevel },
Darren Tuckerec960f22003-08-13 20:37:05 +1000[diff] [blame]304 { "rhostsauthentication", sDeprecated },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]305 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
Ben Lindstrom5eabda32001-04-12 23:34:34 +0000[diff] [blame]306 { "hostbasedauthentication", sHostbasedAuthentication },
307 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]308 { "rsaauthentication", sRSAAuthentication },
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]309 { "pubkeyauthentication", sPubkeyAuthentication },
310 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
Darren Tucker6aaa58c2003-08-02 22:24:49 +1000[diff] [blame]311#ifdef KRB5
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]312 { "kerberosauthentication", sKerberosAuthentication },
313 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
314 { "kerberosticketcleanup", sKerberosTicketCleanup },
Darren Tucker3c78c5e2004-01-23 22:03:10 +1100[diff] [blame]315#ifdef USE_AFS
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]316 { "kerberosgetafstoken", sKerberosGetAFSToken },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000[diff] [blame]317#else
Darren Tucker409cb322004-01-05 22:36:51 +1100[diff] [blame]318 { "kerberosgetafstoken", sUnsupported },
319#endif
320#else
Damien Millerf9b3feb2003-05-16 11:38:32 +1000[diff] [blame]321 { "kerberosauthentication", sUnsupported },
322 { "kerberosorlocalpasswd", sUnsupported },
323 { "kerberosticketcleanup", sUnsupported },
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]324 { "kerberosgetafstoken", sUnsupported },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000[diff] [blame]325#endif
Damien Miller1a0c0b92003-09-02 22:51:17 +1000[diff] [blame]326 { "kerberostgtpassing", sUnsupported },
Damien Millerf9b3feb2003-05-16 11:38:32 +1000[diff] [blame]327 { "afstokenpassing", sUnsupported },
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]328#ifdef GSSAPI
329 { "gssapiauthentication", sGssAuthentication },
Darren Tuckera49d36e2003-10-02 16:20:54 +1000[diff] [blame]330 { "gssapicleanupcredentials", sGssCleanupCreds },
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]331#else
332 { "gssapiauthentication", sUnsupported },
Darren Tuckera49d36e2003-10-02 16:20:54 +1000[diff] [blame]333 { "gssapicleanupcredentials", sUnsupported },
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]334#endif
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]335 { "passwordauthentication", sPasswordAuthentication },
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]336 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
Ben Lindstrom95fb2dd2001-01-23 03:12:10 +0000[diff] [blame]337 { "challengeresponseauthentication", sChallengeResponseAuthentication },
338 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
Ben Lindstrom91e98682001-09-12 16:32:14 +0000[diff] [blame]339 { "checkmail", sDeprecated },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]340 { "listenaddress", sListenAddress },
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]341 { "addressfamily", sAddressFamily },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]342 { "printmotd", sPrintMotd },
Ben Lindstrom7bfff362001-03-26 05:45:53 +0000[diff] [blame]343 { "printlastlog", sPrintLastLog },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]344 { "ignorerhosts", sIgnoreRhosts },
345 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
346 { "x11forwarding", sX11Forwarding },
347 { "x11displayoffset", sX11DisplayOffset },
Damien Miller95c249f2002-02-05 12:11:34 +1100[diff] [blame]348 { "x11uselocalhost", sX11UseLocalhost },
Damien Millerd3a18572000-06-07 19:55:44 +1000[diff] [blame]349 { "xauthlocation", sXAuthLocation },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]350 { "strictmodes", sStrictModes },
351 { "permitemptypasswords", sEmptyPasswd },
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]352 { "permituserenvironment", sPermitUserEnvironment },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]353 { "uselogin", sUseLogin },
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000[diff] [blame]354 { "compression", sCompression },
Damien Miller12c150e2003-12-17 16:31:10 +1100[diff] [blame]355 { "tcpkeepalive", sTCPKeepAlive },
356 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
Damien Miller50a41ed2000-10-16 12:14:42 +1100[diff] [blame]357 { "allowtcpforwarding", sAllowTcpForwarding },
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]358 { "allowusers", sAllowUsers },
359 { "denyusers", sDenyUsers },
360 { "allowgroups", sAllowGroups },
361 { "denygroups", sDenyGroups },
Damien Miller78928792000-04-12 20:17:38 +1000[diff] [blame]362 { "ciphers", sCiphers },
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]363 { "macs", sMacs },
Damien Miller78928792000-04-12 20:17:38 +1000[diff] [blame]364 { "protocol", sProtocol },
Damien Millere247cc42000-05-07 12:03:14 +1000[diff] [blame]365 { "gatewayports", sGatewayPorts },
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]366 { "subsystem", sSubsystem },
Damien Miller37023962000-07-11 17:31:38 +1000[diff] [blame]367 { "maxstartups", sMaxStartups },
Darren Tucker89413db2004-05-24 10:36:23 +1000[diff] [blame]368 { "maxauthtries", sMaxAuthTries },
Ben Lindstrom48bd7c12001-01-09 00:35:42 +0000[diff] [blame]369 { "banner", sBanner },
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]370 { "usedns", sUseDNS },
371 { "verifyreversemapping", sDeprecated },
372 { "reversemappingcheck", sDeprecated },
Ben Lindstrom5744dc42001-04-13 23:28:01 +0000[diff] [blame]373 { "clientaliveinterval", sClientAliveInterval },
374 { "clientalivecountmax", sClientAliveCountMax },
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000[diff] [blame]375 { "authorizedkeysfile", sAuthorizedKeysFile },
376 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]377 { "useprivilegeseparation", sUsePrivilegeSeparation},
Darren Tucker46bc0752004-05-02 22:11:30 +1000[diff] [blame]378 { "acceptenv", sAcceptEnv },
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]379 { "permittunnel", sPermitTunnel },
Ben Lindstrom65366a82001-12-06 16:32:47 +0000[diff] [blame]380 { NULL, sBadOption }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]381};
382
Damien Miller5428f641999-11-25 11:54:57 +1100[diff] [blame]383/*
Ben Lindstrom3704c262001-04-02 18:20:03 +0000[diff] [blame]384 * Returns the number of the token pointed to by cp or sBadOption.
Damien Miller5428f641999-11-25 11:54:57 +1100[diff] [blame]385 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]386
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]387static ServerOpCodes
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]388parse_token(const char *cp, const char *filename,
389 int linenum)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]390{
Ben Lindstrom46c16222000-12-22 01:43:59 +0000[diff] [blame]391 u_int i;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]392
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]393 for (i = 0; keywords[i].name; i++)
Damien Miller5428f641999-11-25 11:54:57 +1100[diff] [blame]394 if (strcasecmp(cp, keywords[i].name) == 0)
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]395 return keywords[i].opcode;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]396
Ben Lindstromb5cdc662001-04-16 02:13:26 +0000[diff] [blame]397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]399 return sBadOption;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]400}
401
Ben Lindstrombba81212001-06-25 05:01:22 +0000[diff] [blame]402static void
Ben Lindstrom19066a12001-04-12 23:39:26 +0000[diff] [blame]403add_listen_addr(ServerOptions *options, char *addr, u_short port)
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]404{
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]405 u_int i;
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]406
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]409 if (options->address_family == -1)
410 options->address_family = AF_UNSPEC;
Ben Lindstrom19066a12001-04-12 23:39:26 +0000[diff] [blame]411 if (port == 0)
Ben Lindstromc510af42001-04-07 17:25:48 +0000[diff] [blame]412 for (i = 0; i < options->num_ports; i++)
413 add_one_listen_addr(options, addr, options->ports[i]);
414 else
Ben Lindstrom19066a12001-04-12 23:39:26 +0000[diff] [blame]415 add_one_listen_addr(options, addr, port);
Ben Lindstromc510af42001-04-07 17:25:48 +0000[diff] [blame]416}
417
Ben Lindstrombba81212001-06-25 05:01:22 +0000[diff] [blame]418static void
Ben Lindstromc510af42001-04-07 17:25:48 +0000[diff] [blame]419add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
420{
421 struct addrinfo hints, *ai, *aitop;
422 char strport[NI_MAXSERV];
423 int gaierr;
424
425 memset(&hints, 0, sizeof(hints));
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]426 hints.ai_family = options->address_family;
Ben Lindstromc510af42001-04-07 17:25:48 +0000[diff] [blame]427 hints.ai_socktype = SOCK_STREAM;
428 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
Ben Lindstrome1353632002-06-23 21:29:23 +0000[diff] [blame]429 snprintf(strport, sizeof strport, "%u", port);
Ben Lindstromc510af42001-04-07 17:25:48 +0000[diff] [blame]430 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
431 fatal("bad addr or host: %s (%s)",
432 addr ? addr : "<NULL>",
433 gai_strerror(gaierr));
434 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
435 ;
436 ai->ai_next = options->listen_addrs;
437 options->listen_addrs = aitop;
Damien Miller34132e52000-01-14 15:45:46 +1100[diff] [blame]438}
439
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]440int
441process_server_config_line(ServerOptions *options, char *line,
442 const char *filename, int linenum)
443{
444 char *cp, **charptr, *arg, *p;
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]445 int *intptr, value, n;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]446 ServerOpCodes opcode;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]447 u_short port;
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]448 u_int i;
Damien Miller917f9b62006-07-10 20:36:47 +1000[diff] [blame^]449 size_t len;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]450
451 cp = line;
Damien Miller78f16cb2006-03-26 13:54:37 +1100[diff] [blame]452 if ((arg = strdelim(&cp)) == NULL)
Damien Miller928b2362006-03-26 13:53:32 +1100[diff] [blame]453 return 0;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]454 /* Ignore leading whitespace */
455 if (*arg == '\0')
456 arg = strdelim(&cp);
457 if (!arg || !*arg || *arg == '#')
458 return 0;
459 intptr = NULL;
460 charptr = NULL;
461 opcode = parse_token(arg, filename, linenum);
462 switch (opcode) {
463 /* Portable-specific options */
Damien Miller4e448a32003-05-14 15:11:48 +1000[diff] [blame]464 case sUsePAM:
465 intptr = &options->use_pam;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]466 goto parse_flag;
467
468 /* Standard Options */
469 case sBadOption:
470 return -1;
471 case sPort:
472 /* ignore ports from configfile if cmdline specifies ports */
473 if (options->ports_from_cmdline)
474 return 0;
475 if (options->listen_addrs != NULL)
476 fatal("%s line %d: ports must be specified before "
Damien Miller4fbf08a2002-01-22 23:35:09 +1100[diff] [blame]477 "ListenAddress.", filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]478 if (options->num_ports >= MAX_PORTS)
479 fatal("%s line %d: too many ports.",
480 filename, linenum);
481 arg = strdelim(&cp);
482 if (!arg || *arg == '\0')
483 fatal("%s line %d: missing port number.",
484 filename, linenum);
485 options->ports[options->num_ports++] = a2port(arg);
486 if (options->ports[options->num_ports-1] == 0)
487 fatal("%s line %d: Badly formatted port number.",
488 filename, linenum);
489 break;
490
491 case sServerKeyBits:
492 intptr = &options->server_key_bits;
493parse_int:
494 arg = strdelim(&cp);
495 if (!arg || *arg == '\0')
496 fatal("%s line %d: missing integer value.",
497 filename, linenum);
498 value = atoi(arg);
499 if (*intptr == -1)
500 *intptr = value;
501 break;
502
503 case sLoginGraceTime:
504 intptr = &options->login_grace_time;
505parse_time:
506 arg = strdelim(&cp);
507 if (!arg || *arg == '\0')
508 fatal("%s line %d: missing time value.",
509 filename, linenum);
510 if ((value = convtime(arg)) == -1)
511 fatal("%s line %d: invalid time value.",
512 filename, linenum);
513 if (*intptr == -1)
514 *intptr = value;
515 break;
516
517 case sKeyRegenerationTime:
518 intptr = &options->key_regeneration_time;
519 goto parse_time;
520
521 case sListenAddress:
522 arg = strdelim(&cp);
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]523 if (arg == NULL || *arg == '\0')
524 fatal("%s line %d: missing address",
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]525 filename, linenum);
Damien Miller203c7052005-08-12 22:11:37 +1000[diff] [blame]526 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
527 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
528 && strchr(p+1, ':') != NULL) {
529 add_listen_addr(options, arg, 0);
530 break;
531 }
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]532 p = hpdelim(&arg);
533 if (p == NULL)
534 fatal("%s line %d: bad address:port usage",
535 filename, linenum);
536 p = cleanhostname(p);
537 if (arg == NULL)
538 port = 0;
539 else if ((port = a2port(arg)) == 0)
540 fatal("%s line %d: bad port number", filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]541
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]542 add_listen_addr(options, p, port);
543
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]544 break;
545
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]546 case sAddressFamily:
547 arg = strdelim(&cp);
Damien Miller17b23d82005-05-26 12:11:56 +1000[diff] [blame]548 if (!arg || *arg == '\0')
549 fatal("%s line %d: missing address family.",
550 filename, linenum);
Darren Tucker0f383232005-01-20 10:57:56 +1100[diff] [blame]551 intptr = &options->address_family;
552 if (options->listen_addrs != NULL)
553 fatal("%s line %d: address family must be specified before "
554 "ListenAddress.", filename, linenum);
555 if (strcasecmp(arg, "inet") == 0)
556 value = AF_INET;
557 else if (strcasecmp(arg, "inet6") == 0)
558 value = AF_INET6;
559 else if (strcasecmp(arg, "any") == 0)
560 value = AF_UNSPEC;
561 else
562 fatal("%s line %d: unsupported address family \"%s\".",
563 filename, linenum, arg);
564 if (*intptr == -1)
565 *intptr = value;
566 break;
567
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]568 case sHostKeyFile:
569 intptr = &options->num_host_key_files;
570 if (*intptr >= MAX_HOSTKEYS)
571 fatal("%s line %d: too many host keys specified (max %d).",
572 filename, linenum, MAX_HOSTKEYS);
573 charptr = &options->host_key_files[*intptr];
574parse_filename:
575 arg = strdelim(&cp);
576 if (!arg || *arg == '\0')
577 fatal("%s line %d: missing file name.",
578 filename, linenum);
579 if (*charptr == NULL) {
580 *charptr = tilde_expand_filename(arg, getuid());
581 /* increase optional counter */
582 if (intptr != NULL)
583 *intptr = *intptr + 1;
584 }
585 break;
586
587 case sPidFile:
588 charptr = &options->pid_file;
589 goto parse_filename;
590
591 case sPermitRootLogin:
592 intptr = &options->permit_root_login;
593 arg = strdelim(&cp);
594 if (!arg || *arg == '\0')
595 fatal("%s line %d: missing yes/"
596 "without-password/forced-commands-only/no "
597 "argument.", filename, linenum);
598 value = 0; /* silence compiler */
599 if (strcmp(arg, "without-password") == 0)
600 value = PERMIT_NO_PASSWD;
601 else if (strcmp(arg, "forced-commands-only") == 0)
602 value = PERMIT_FORCED_ONLY;
603 else if (strcmp(arg, "yes") == 0)
604 value = PERMIT_YES;
605 else if (strcmp(arg, "no") == 0)
606 value = PERMIT_NO;
607 else
608 fatal("%s line %d: Bad yes/"
609 "without-password/forced-commands-only/no "
610 "argument: %s", filename, linenum, arg);
611 if (*intptr == -1)
612 *intptr = value;
613 break;
614
615 case sIgnoreRhosts:
616 intptr = &options->ignore_rhosts;
617parse_flag:
618 arg = strdelim(&cp);
619 if (!arg || *arg == '\0')
620 fatal("%s line %d: missing yes/no argument.",
621 filename, linenum);
622 value = 0; /* silence compiler */
623 if (strcmp(arg, "yes") == 0)
624 value = 1;
625 else if (strcmp(arg, "no") == 0)
626 value = 0;
627 else
628 fatal("%s line %d: Bad yes/no argument: %s",
629 filename, linenum, arg);
630 if (*intptr == -1)
631 *intptr = value;
632 break;
633
634 case sIgnoreUserKnownHosts:
635 intptr = &options->ignore_user_known_hosts;
636 goto parse_flag;
637
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]638 case sRhostsRSAAuthentication:
639 intptr = &options->rhosts_rsa_authentication;
640 goto parse_flag;
641
642 case sHostbasedAuthentication:
643 intptr = &options->hostbased_authentication;
644 goto parse_flag;
645
646 case sHostbasedUsesNameFromPacketOnly:
647 intptr = &options->hostbased_uses_name_from_packet_only;
648 goto parse_flag;
649
650 case sRSAAuthentication:
651 intptr = &options->rsa_authentication;
652 goto parse_flag;
653
654 case sPubkeyAuthentication:
655 intptr = &options->pubkey_authentication;
656 goto parse_flag;
Damien Miller2aa0ab42003-05-15 12:05:28 +1000[diff] [blame]657
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]658 case sKerberosAuthentication:
659 intptr = &options->kerberos_authentication;
660 goto parse_flag;
661
662 case sKerberosOrLocalPasswd:
663 intptr = &options->kerberos_or_local_passwd;
664 goto parse_flag;
665
666 case sKerberosTicketCleanup:
667 intptr = &options->kerberos_ticket_cleanup;
668 goto parse_flag;
Damien Miller2aa0ab42003-05-15 12:05:28 +1000[diff] [blame]669
Darren Tucker22ef5082003-12-31 11:37:34 +1100[diff] [blame]670 case sKerberosGetAFSToken:
671 intptr = &options->kerberos_get_afs_token;
672 goto parse_flag;
673
Darren Tucker0efd1552003-08-26 11:49:55 +1000[diff] [blame]674 case sGssAuthentication:
675 intptr = &options->gss_authentication;
676 goto parse_flag;
677
678 case sGssCleanupCreds:
679 intptr = &options->gss_cleanup_creds;
680 goto parse_flag;
681
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]682 case sPasswordAuthentication:
683 intptr = &options->password_authentication;
684 goto parse_flag;
685
686 case sKbdInteractiveAuthentication:
687 intptr = &options->kbd_interactive_authentication;
688 goto parse_flag;
689
690 case sChallengeResponseAuthentication:
691 intptr = &options->challenge_response_authentication;
692 goto parse_flag;
693
694 case sPrintMotd:
695 intptr = &options->print_motd;
696 goto parse_flag;
697
698 case sPrintLastLog:
699 intptr = &options->print_lastlog;
700 goto parse_flag;
701
702 case sX11Forwarding:
703 intptr = &options->x11_forwarding;
704 goto parse_flag;
705
706 case sX11DisplayOffset:
707 intptr = &options->x11_display_offset;
708 goto parse_int;
709
Damien Miller95c249f2002-02-05 12:11:34 +1100[diff] [blame]710 case sX11UseLocalhost:
711 intptr = &options->x11_use_localhost;
712 goto parse_flag;
713
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]714 case sXAuthLocation:
715 charptr = &options->xauth_location;
716 goto parse_filename;
717
718 case sStrictModes:
719 intptr = &options->strict_modes;
720 goto parse_flag;
721
Damien Miller12c150e2003-12-17 16:31:10 +1100[diff] [blame]722 case sTCPKeepAlive:
723 intptr = &options->tcp_keep_alive;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]724 goto parse_flag;
725
726 case sEmptyPasswd:
727 intptr = &options->permit_empty_passwd;
728 goto parse_flag;
729
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]730 case sPermitUserEnvironment:
731 intptr = &options->permit_user_env;
732 goto parse_flag;
733
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]734 case sUseLogin:
735 intptr = &options->use_login;
736 goto parse_flag;
737
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000[diff] [blame]738 case sCompression:
739 intptr = &options->compression;
Damien Miller9786e6e2005-07-26 21:54:56 +1000[diff] [blame]740 arg = strdelim(&cp);
741 if (!arg || *arg == '\0')
742 fatal("%s line %d: missing yes/no/delayed "
743 "argument.", filename, linenum);
744 value = 0; /* silence compiler */
745 if (strcmp(arg, "delayed") == 0)
746 value = COMP_DELAYED;
747 else if (strcmp(arg, "yes") == 0)
748 value = COMP_ZLIB;
749 else if (strcmp(arg, "no") == 0)
750 value = COMP_NONE;
751 else
752 fatal("%s line %d: Bad yes/no/delayed "
753 "argument: %s", filename, linenum, arg);
754 if (*intptr == -1)
755 *intptr = value;
756 break;
Ben Lindstrom23e0f662002-06-21 01:09:47 +0000[diff] [blame]757
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]758 case sGatewayPorts:
759 intptr = &options->gateway_ports;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]760 arg = strdelim(&cp);
761 if (!arg || *arg == '\0')
762 fatal("%s line %d: missing yes/no/clientspecified "
763 "argument.", filename, linenum);
764 value = 0; /* silence compiler */
765 if (strcmp(arg, "clientspecified") == 0)
766 value = 2;
767 else if (strcmp(arg, "yes") == 0)
768 value = 1;
769 else if (strcmp(arg, "no") == 0)
770 value = 0;
771 else
772 fatal("%s line %d: Bad yes/no/clientspecified "
773 "argument: %s", filename, linenum, arg);
774 if (*intptr == -1)
775 *intptr = value;
776 break;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]777
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]778 case sUseDNS:
779 intptr = &options->use_dns;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]780 goto parse_flag;
781
782 case sLogFacility:
783 intptr = (int *) &options->log_facility;
784 arg = strdelim(&cp);
785 value = log_facility_number(arg);
Damien Millerfcd93202002-02-05 12:26:34 +1100[diff] [blame]786 if (value == SYSLOG_FACILITY_NOT_SET)
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]787 fatal("%.200s line %d: unsupported log facility '%s'",
788 filename, linenum, arg ? arg : "<NONE>");
789 if (*intptr == -1)
790 *intptr = (SyslogFacility) value;
791 break;
792
793 case sLogLevel:
794 intptr = (int *) &options->log_level;
795 arg = strdelim(&cp);
796 value = log_level_number(arg);
Damien Millerfcd93202002-02-05 12:26:34 +1100[diff] [blame]797 if (value == SYSLOG_LEVEL_NOT_SET)
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]798 fatal("%.200s line %d: unsupported log level '%s'",
799 filename, linenum, arg ? arg : "<NONE>");
800 if (*intptr == -1)
801 *intptr = (LogLevel) value;
802 break;
803
804 case sAllowTcpForwarding:
805 intptr = &options->allow_tcp_forwarding;
806 goto parse_flag;
807
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]808 case sUsePrivilegeSeparation:
809 intptr = &use_privsep;
810 goto parse_flag;
811
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]812 case sAllowUsers:
813 while ((arg = strdelim(&cp)) && *arg != '\0') {
814 if (options->num_allow_users >= MAX_ALLOW_USERS)
815 fatal("%s line %d: too many allow users.",
816 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +0000[diff] [blame]817 options->allow_users[options->num_allow_users++] =
818 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]819 }
820 break;
821
822 case sDenyUsers:
823 while ((arg = strdelim(&cp)) && *arg != '\0') {
824 if (options->num_deny_users >= MAX_DENY_USERS)
825 fatal( "%s line %d: too many deny users.",
826 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +0000[diff] [blame]827 options->deny_users[options->num_deny_users++] =
828 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]829 }
830 break;
831
832 case sAllowGroups:
833 while ((arg = strdelim(&cp)) && *arg != '\0') {
834 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
835 fatal("%s line %d: too many allow groups.",
836 filename, linenum);
Ben Lindstrome1353632002-06-23 21:29:23 +0000[diff] [blame]837 options->allow_groups[options->num_allow_groups++] =
838 xstrdup(arg);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]839 }
840 break;
841
842 case sDenyGroups:
843 while ((arg = strdelim(&cp)) && *arg != '\0') {
844 if (options->num_deny_groups >= MAX_DENY_GROUPS)
845 fatal("%s line %d: too many deny groups.",
846 filename, linenum);
847 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
848 }
849 break;
850
851 case sCiphers:
852 arg = strdelim(&cp);
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: Missing argument.", filename, linenum);
855 if (!ciphers_valid(arg))
856 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
857 filename, linenum, arg ? arg : "<NONE>");
858 if (options->ciphers == NULL)
859 options->ciphers = xstrdup(arg);
860 break;
861
862 case sMacs:
863 arg = strdelim(&cp);
864 if (!arg || *arg == '\0')
865 fatal("%s line %d: Missing argument.", filename, linenum);
866 if (!mac_valid(arg))
867 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
868 filename, linenum, arg ? arg : "<NONE>");
869 if (options->macs == NULL)
870 options->macs = xstrdup(arg);
871 break;
872
873 case sProtocol:
874 intptr = &options->protocol;
875 arg = strdelim(&cp);
876 if (!arg || *arg == '\0')
877 fatal("%s line %d: Missing argument.", filename, linenum);
878 value = proto_spec(arg);
879 if (value == SSH_PROTO_UNKNOWN)
880 fatal("%s line %d: Bad protocol spec '%s'.",
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]881 filename, linenum, arg ? arg : "<NONE>");
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]882 if (*intptr == SSH_PROTO_UNKNOWN)
883 *intptr = value;
884 break;
885
886 case sSubsystem:
887 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
888 fatal("%s line %d: too many subsystems defined.",
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]889 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]890 }
891 arg = strdelim(&cp);
892 if (!arg || *arg == '\0')
893 fatal("%s line %d: Missing subsystem name.",
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]894 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]895 for (i = 0; i < options->num_subsystems; i++)
896 if (strcmp(arg, options->subsystem_name[i]) == 0)
897 fatal("%s line %d: Subsystem '%s' already defined.",
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]898 filename, linenum, arg);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]899 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
900 arg = strdelim(&cp);
901 if (!arg || *arg == '\0')
902 fatal("%s line %d: Missing subsystem command.",
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]903 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]904 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
Damien Miller917f9b62006-07-10 20:36:47 +1000[diff] [blame^]905
906 /* Collect arguments (separate to executable) */
907 p = xstrdup(arg);
908 len = strlen(p) + 1;
909 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
910 len += 1 + strlen(arg);
911 p = xrealloc(p, 1, len);
912 strlcat(p, " ", len);
913 strlcat(p, arg, len);
914 }
915 options->subsystem_args[options->num_subsystems] = p;
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]916 options->num_subsystems++;
917 break;
918
919 case sMaxStartups:
920 arg = strdelim(&cp);
921 if (!arg || *arg == '\0')
922 fatal("%s line %d: Missing MaxStartups spec.",
Damien Miller9f0f5c62001-12-21 14:45:46 +1100[diff] [blame]923 filename, linenum);
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]924 if ((n = sscanf(arg, "%d:%d:%d",
925 &options->max_startups_begin,
926 &options->max_startups_rate,
927 &options->max_startups)) == 3) {
928 if (options->max_startups_begin >
929 options->max_startups ||
930 options->max_startups_rate > 100 ||
931 options->max_startups_rate < 1)
932 fatal("%s line %d: Illegal MaxStartups spec.",
933 filename, linenum);
934 } else if (n != 1)
935 fatal("%s line %d: Illegal MaxStartups spec.",
936 filename, linenum);
937 else
938 options->max_startups = options->max_startups_begin;
939 break;
940
Darren Tucker89413db2004-05-24 10:36:23 +1000[diff] [blame]941 case sMaxAuthTries:
942 intptr = &options->max_authtries;
943 goto parse_int;
944
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]945 case sBanner:
946 charptr = &options->banner;
947 goto parse_filename;
948 /*
949 * These options can contain %X options expanded at
950 * connect time, so that you can specify paths like:
951 *
952 * AuthorizedKeysFile /etc/ssh_keys/%u
953 */
954 case sAuthorizedKeysFile:
955 case sAuthorizedKeysFile2:
956 charptr = (opcode == sAuthorizedKeysFile ) ?
957 &options->authorized_keys_file :
958 &options->authorized_keys_file2;
959 goto parse_filename;
960
961 case sClientAliveInterval:
962 intptr = &options->client_alive_interval;
963 goto parse_time;
964
965 case sClientAliveCountMax:
966 intptr = &options->client_alive_count_max;
967 goto parse_int;
968
Darren Tucker46bc0752004-05-02 22:11:30 +1000[diff] [blame]969 case sAcceptEnv:
970 while ((arg = strdelim(&cp)) && *arg != '\0') {
971 if (strchr(arg, '=') != NULL)
972 fatal("%s line %d: Invalid environment name.",
973 filename, linenum);
974 if (options->num_accept_env >= MAX_ACCEPT_ENV)
975 fatal("%s line %d: too many allow env.",
976 filename, linenum);
977 options->accept_env[options->num_accept_env++] =
978 xstrdup(arg);
979 }
980 break;
981
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]982 case sPermitTunnel:
983 intptr = &options->permit_tun;
Damien Miller7b58e802005-12-13 19:33:19 +1100[diff] [blame]984 arg = strdelim(&cp);
985 if (!arg || *arg == '\0')
986 fatal("%s line %d: Missing yes/point-to-point/"
987 "ethernet/no argument.", filename, linenum);
988 value = 0; /* silence compiler */
989 if (strcasecmp(arg, "ethernet") == 0)
990 value = SSH_TUNMODE_ETHERNET;
991 else if (strcasecmp(arg, "point-to-point") == 0)
992 value = SSH_TUNMODE_POINTOPOINT;
993 else if (strcasecmp(arg, "yes") == 0)
994 value = SSH_TUNMODE_YES;
995 else if (strcasecmp(arg, "no") == 0)
996 value = SSH_TUNMODE_NO;
997 else
998 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
999 "no argument: %s", filename, linenum, arg);
1000 if (*intptr == -1)
1001 *intptr = value;
1002 break;
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]1003
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]1004 case sDeprecated:
Damien Miller996acd22003-04-09 20:59:48 +1000[diff] [blame]1005 logit("%s line %d: Deprecated option %s",
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]1006 filename, linenum, arg);
1007 while (arg)
1008 arg = strdelim(&cp);
1009 break;
1010
Damien Millerf9b3feb2003-05-16 11:38:32 +1000[diff] [blame]1011 case sUnsupported:
1012 logit("%s line %d: Unsupported option %s",
1013 filename, linenum, arg);
1014 while (arg)
1015 arg = strdelim(&cp);
1016 break;
1017
Ben Lindstromade03f62001-12-06 18:22:17 +0000[diff] [blame]1018 default:
1019 fatal("%s line %d: Missing handler for opcode %s (%d)",
1020 filename, linenum, arg, opcode);
1021 }
1022 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1023 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1024 filename, linenum, arg);
1025 return 0;
1026}
1027
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1028/* Reads the server configuration file. */
1029
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]1030void
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1031load_server_config(const char *filename, Buffer *conf)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1032{
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1033 char line[1024], *cp;
Ben Lindstrome1353632002-06-23 21:29:23 +0000[diff] [blame]1034 FILE *f;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1035
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1036 debug2("%s: filename %s", __func__, filename);
1037 if ((f = fopen(filename, "r")) == NULL) {
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]1038 perror(filename);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1039 exit(1);
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]1040 }
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1041 buffer_clear(conf);
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]1042 while (fgets(line, sizeof(line), f)) {
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1043 /*
1044 * Trim out comments and strip whitespace
Darren Tuckerfc959702004-07-17 16:12:08 +1000[diff] [blame]1045 * NB - preserve newlines, they are needed to reproduce
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1046 * line numbers later for error messages
1047 */
1048 if ((cp = strchr(line, '#')) != NULL)
1049 memcpy(cp, "\n", 2);
1050 cp = line + strspn(line, " \t\r");
1051
1052 buffer_append(conf, cp, strlen(cp));
1053 }
1054 buffer_append(conf, "\0", 1);
1055 fclose(f);
1056 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1057}
1058
1059void
1060parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1061{
1062 int linenum, bad_options = 0;
Darren Tucker9fbac712004-08-12 22:41:44 +1000[diff] [blame]1063 char *cp, *obuf, *cbuf;
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1064
1065 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1066
Darren Tucker9fbac712004-08-12 22:41:44 +1000[diff] [blame]1067 obuf = cbuf = xstrdup(buffer_ptr(conf));
Darren Tucker137e9c92004-08-13 21:30:24 +1000[diff] [blame]1068 linenum = 1;
Darren Tucker47eede72005-03-14 23:08:12 +1100[diff] [blame]1069 while ((cp = strsep(&cbuf, "\n")) != NULL) {
Darren Tucker645ab752004-06-25 13:33:20 +1000[diff] [blame]1070 if (process_server_config_line(options, cp, filename,
1071 linenum++) != 0)
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]1072 bad_options++;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1073 }
Darren Tucker9fbac712004-08-12 22:41:44 +1000[diff] [blame]1074 xfree(obuf);
Ben Lindstromb5cdc662001-04-16 02:13:26 +0000[diff] [blame]1075 if (bad_options > 0)
1076 fatal("%s: terminating, %d bad configuration options",
1077 filename, bad_options);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1078}