Damien Miller | d4a8b7e | 1999-10-27 13:42:43 +1000 | [diff] [blame^] | 1 | /* |
| 2 | |
| 3 | servconf.c |
| 4 | |
| 5 | Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 6 | |
| 7 | Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 8 | All rights reserved |
| 9 | |
| 10 | Created: Mon Aug 21 15:48:58 1995 ylo |
| 11 | |
| 12 | */ |
| 13 | |
| 14 | #include "includes.h" |
| 15 | RCSID("$Id: servconf.c,v 1.1 1999/10/27 03:42:45 damien Exp $"); |
| 16 | |
| 17 | #include "ssh.h" |
| 18 | #include "servconf.h" |
| 19 | #include "xmalloc.h" |
| 20 | |
| 21 | /* Initializes the server options to their default values. */ |
| 22 | |
| 23 | void initialize_server_options(ServerOptions *options) |
| 24 | { |
| 25 | memset(options, 0, sizeof(*options)); |
| 26 | options->port = -1; |
| 27 | options->listen_addr.s_addr = htonl(INADDR_ANY); |
| 28 | options->host_key_file = NULL; |
| 29 | options->server_key_bits = -1; |
| 30 | options->login_grace_time = -1; |
| 31 | options->key_regeneration_time = -1; |
| 32 | options->permit_root_login = -1; |
| 33 | options->ignore_rhosts = -1; |
| 34 | options->quiet_mode = -1; |
| 35 | options->fascist_logging = -1; |
| 36 | options->print_motd = -1; |
| 37 | options->check_mail = -1; |
| 38 | options->x11_forwarding = -1; |
| 39 | options->x11_display_offset = -1; |
| 40 | options->strict_modes = -1; |
| 41 | options->keepalives = -1; |
| 42 | options->log_facility = (SyslogFacility)-1; |
| 43 | options->rhosts_authentication = -1; |
| 44 | options->rhosts_rsa_authentication = -1; |
| 45 | options->rsa_authentication = -1; |
| 46 | #ifdef KRB4 |
| 47 | options->kerberos_authentication = -1; |
| 48 | options->kerberos_or_local_passwd = -1; |
| 49 | options->kerberos_ticket_cleanup = -1; |
| 50 | #endif |
| 51 | #ifdef AFS |
| 52 | options->kerberos_tgt_passing = -1; |
| 53 | options->afs_token_passing = -1; |
| 54 | #endif |
| 55 | options->password_authentication = -1; |
| 56 | #ifdef SKEY |
| 57 | options->skey_authentication = -1; |
| 58 | #endif |
| 59 | options->permit_empty_passwd = -1; |
| 60 | options->use_login = -1; |
| 61 | options->num_allow_users = 0; |
| 62 | options->num_deny_users = 0; |
| 63 | options->num_allow_groups = 0; |
| 64 | options->num_deny_groups = 0; |
| 65 | } |
| 66 | |
| 67 | void fill_default_server_options(ServerOptions *options) |
| 68 | { |
| 69 | if (options->port == -1) |
| 70 | { |
| 71 | struct servent *sp; |
| 72 | |
| 73 | sp = getservbyname(SSH_SERVICE_NAME, "tcp"); |
| 74 | if (sp) |
| 75 | options->port = ntohs(sp->s_port); |
| 76 | else |
| 77 | options->port = SSH_DEFAULT_PORT; |
| 78 | endservent(); |
| 79 | } |
| 80 | if (options->host_key_file == NULL) |
| 81 | options->host_key_file = HOST_KEY_FILE; |
| 82 | if (options->server_key_bits == -1) |
| 83 | options->server_key_bits = 768; |
| 84 | if (options->login_grace_time == -1) |
| 85 | options->login_grace_time = 600; |
| 86 | if (options->key_regeneration_time == -1) |
| 87 | options->key_regeneration_time = 3600; |
| 88 | if (options->permit_root_login == -1) |
| 89 | options->permit_root_login = 1; /* yes */ |
| 90 | if (options->ignore_rhosts == -1) |
| 91 | options->ignore_rhosts = 0; |
| 92 | if (options->quiet_mode == -1) |
| 93 | options->quiet_mode = 0; |
| 94 | if (options->check_mail == -1) |
| 95 | options->check_mail = 0; |
| 96 | if (options->fascist_logging == -1) |
| 97 | options->fascist_logging = 1; |
| 98 | if (options->print_motd == -1) |
| 99 | options->print_motd = 1; |
| 100 | if (options->x11_forwarding == -1) |
| 101 | options->x11_forwarding = 1; |
| 102 | if (options->x11_display_offset == -1) |
| 103 | options->x11_display_offset = 1; |
| 104 | if (options->strict_modes == -1) |
| 105 | options->strict_modes = 1; |
| 106 | if (options->keepalives == -1) |
| 107 | options->keepalives = 1; |
| 108 | if (options->log_facility == (SyslogFacility)(-1)) |
| 109 | options->log_facility = SYSLOG_FACILITY_AUTH; |
| 110 | if (options->rhosts_authentication == -1) |
| 111 | options->rhosts_authentication = 0; |
| 112 | if (options->rhosts_rsa_authentication == -1) |
| 113 | options->rhosts_rsa_authentication = 1; |
| 114 | if (options->rsa_authentication == -1) |
| 115 | options->rsa_authentication = 1; |
| 116 | #ifdef KRB4 |
| 117 | if (options->kerberos_authentication == -1) |
| 118 | options->kerberos_authentication = (access(KEYFILE, R_OK) == 0); |
| 119 | if (options->kerberos_or_local_passwd == -1) |
| 120 | options->kerberos_or_local_passwd = 1; |
| 121 | if (options->kerberos_ticket_cleanup == -1) |
| 122 | options->kerberos_ticket_cleanup = 1; |
| 123 | #endif /* KRB4 */ |
| 124 | #ifdef AFS |
| 125 | if (options->kerberos_tgt_passing == -1) |
| 126 | options->kerberos_tgt_passing = 0; |
| 127 | if (options->afs_token_passing == -1) |
| 128 | options->afs_token_passing = k_hasafs(); |
| 129 | #endif /* AFS */ |
| 130 | if (options->password_authentication == -1) |
| 131 | options->password_authentication = 1; |
| 132 | #ifdef SKEY |
| 133 | if (options->skey_authentication == -1) |
| 134 | options->skey_authentication = 1; |
| 135 | #endif |
| 136 | if (options->permit_empty_passwd == -1) |
| 137 | options->permit_empty_passwd = 1; |
| 138 | if (options->use_login == -1) |
| 139 | options->use_login = 0; |
| 140 | } |
| 141 | |
| 142 | #define WHITESPACE " \t\r\n" |
| 143 | |
| 144 | /* Keyword tokens. */ |
| 145 | typedef enum |
| 146 | { |
| 147 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
| 148 | sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility, |
| 149 | sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, |
| 150 | #ifdef KRB4 |
| 151 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
| 152 | #endif |
| 153 | #ifdef AFS |
| 154 | sKerberosTgtPassing, sAFSTokenPassing, |
| 155 | #endif |
| 156 | #ifdef SKEY |
| 157 | sSkeyAuthentication, |
| 158 | #endif |
| 159 | sPasswordAuthentication, sListenAddress, |
| 160 | sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, |
| 161 | sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, |
| 162 | sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups |
| 163 | |
| 164 | } ServerOpCodes; |
| 165 | |
| 166 | /* Textual representation of the tokens. */ |
| 167 | static struct |
| 168 | { |
| 169 | const char *name; |
| 170 | ServerOpCodes opcode; |
| 171 | } keywords[] = |
| 172 | { |
| 173 | { "port", sPort }, |
| 174 | { "hostkey", sHostKeyFile }, |
| 175 | { "serverkeybits", sServerKeyBits }, |
| 176 | { "logingracetime", sLoginGraceTime }, |
| 177 | { "keyregenerationinterval", sKeyRegenerationTime }, |
| 178 | { "permitrootlogin", sPermitRootLogin }, |
| 179 | { "quietmode", sQuietMode }, |
| 180 | { "fascistlogging", sFascistLogging }, |
| 181 | { "syslogfacility", sLogFacility }, |
| 182 | { "rhostsauthentication", sRhostsAuthentication }, |
| 183 | { "rhostsrsaauthentication", sRhostsRSAAuthentication }, |
| 184 | { "rsaauthentication", sRSAAuthentication }, |
| 185 | #ifdef KRB4 |
| 186 | { "kerberosauthentication", sKerberosAuthentication }, |
| 187 | { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
| 188 | { "kerberosticketcleanup", sKerberosTicketCleanup }, |
| 189 | #endif |
| 190 | #ifdef AFS |
| 191 | { "kerberostgtpassing", sKerberosTgtPassing }, |
| 192 | { "afstokenpassing", sAFSTokenPassing }, |
| 193 | #endif |
| 194 | { "passwordauthentication", sPasswordAuthentication }, |
| 195 | #ifdef SKEY |
| 196 | { "skeyauthentication", sSkeyAuthentication }, |
| 197 | #endif |
| 198 | { "checkmail", sCheckMail }, |
| 199 | { "listenaddress", sListenAddress }, |
| 200 | { "printmotd", sPrintMotd }, |
| 201 | { "ignorerhosts", sIgnoreRhosts }, |
| 202 | { "x11forwarding", sX11Forwarding }, |
| 203 | { "x11displayoffset", sX11DisplayOffset }, |
| 204 | { "strictmodes", sStrictModes }, |
| 205 | { "permitemptypasswords", sEmptyPasswd }, |
| 206 | { "uselogin", sUseLogin }, |
| 207 | { "randomseed", sRandomSeedFile }, |
| 208 | { "keepalive", sKeepAlives }, |
| 209 | { "allowusers", sAllowUsers }, |
| 210 | { "denyusers", sDenyUsers }, |
| 211 | { "allowgroups", sAllowGroups }, |
| 212 | { "denygroups", sDenyGroups }, |
| 213 | { NULL, 0 } |
| 214 | }; |
| 215 | |
| 216 | static struct |
| 217 | { |
| 218 | const char *name; |
| 219 | SyslogFacility facility; |
| 220 | } log_facilities[] = |
| 221 | { |
| 222 | { "DAEMON", SYSLOG_FACILITY_DAEMON }, |
| 223 | { "USER", SYSLOG_FACILITY_USER }, |
| 224 | { "AUTH", SYSLOG_FACILITY_AUTH }, |
| 225 | { "LOCAL0", SYSLOG_FACILITY_LOCAL0 }, |
| 226 | { "LOCAL1", SYSLOG_FACILITY_LOCAL1 }, |
| 227 | { "LOCAL2", SYSLOG_FACILITY_LOCAL2 }, |
| 228 | { "LOCAL3", SYSLOG_FACILITY_LOCAL3 }, |
| 229 | { "LOCAL4", SYSLOG_FACILITY_LOCAL4 }, |
| 230 | { "LOCAL5", SYSLOG_FACILITY_LOCAL5 }, |
| 231 | { "LOCAL6", SYSLOG_FACILITY_LOCAL6 }, |
| 232 | { "LOCAL7", SYSLOG_FACILITY_LOCAL7 }, |
| 233 | { NULL, 0 } |
| 234 | }; |
| 235 | |
| 236 | /* Returns the number of the token pointed to by cp of length len. |
| 237 | Never returns if the token is not known. */ |
| 238 | |
| 239 | static ServerOpCodes parse_token(const char *cp, const char *filename, |
| 240 | int linenum) |
| 241 | { |
| 242 | unsigned int i; |
| 243 | |
| 244 | for (i = 0; keywords[i].name; i++) |
| 245 | if (strcmp(cp, keywords[i].name) == 0) |
| 246 | return keywords[i].opcode; |
| 247 | |
| 248 | fprintf(stderr, "%s line %d: Bad configuration option: %s\n", |
| 249 | filename, linenum, cp); |
| 250 | exit(1); |
| 251 | } |
| 252 | |
| 253 | /* Reads the server configuration file. */ |
| 254 | |
| 255 | void read_server_config(ServerOptions *options, const char *filename) |
| 256 | { |
| 257 | FILE *f; |
| 258 | char line[1024]; |
| 259 | char *cp, **charptr; |
| 260 | int linenum, *intptr, i, value; |
| 261 | ServerOpCodes opcode; |
| 262 | |
| 263 | f = fopen(filename, "r"); |
| 264 | if (!f) |
| 265 | { |
| 266 | perror(filename); |
| 267 | exit(1); |
| 268 | } |
| 269 | |
| 270 | linenum = 0; |
| 271 | while (fgets(line, sizeof(line), f)) |
| 272 | { |
| 273 | linenum++; |
| 274 | cp = line + strspn(line, WHITESPACE); |
| 275 | if (!*cp || *cp == '#') |
| 276 | continue; |
| 277 | cp = strtok(cp, WHITESPACE); |
| 278 | { |
| 279 | char *t = cp; |
| 280 | for (; *t != 0; t++) |
| 281 | if ('A' <= *t && *t <= 'Z') |
| 282 | *t = *t - 'A' + 'a'; /* tolower */ |
| 283 | |
| 284 | } |
| 285 | opcode = parse_token(cp, filename, linenum); |
| 286 | switch (opcode) |
| 287 | { |
| 288 | case sPort: |
| 289 | intptr = &options->port; |
| 290 | parse_int: |
| 291 | cp = strtok(NULL, WHITESPACE); |
| 292 | if (!cp) |
| 293 | { |
| 294 | fprintf(stderr, "%s line %d: missing integer value.\n", |
| 295 | filename, linenum); |
| 296 | exit(1); |
| 297 | } |
| 298 | value = atoi(cp); |
| 299 | if (*intptr == -1) |
| 300 | *intptr = value; |
| 301 | break; |
| 302 | |
| 303 | case sServerKeyBits: |
| 304 | intptr = &options->server_key_bits; |
| 305 | goto parse_int; |
| 306 | |
| 307 | case sLoginGraceTime: |
| 308 | intptr = &options->login_grace_time; |
| 309 | goto parse_int; |
| 310 | |
| 311 | case sKeyRegenerationTime: |
| 312 | intptr = &options->key_regeneration_time; |
| 313 | goto parse_int; |
| 314 | |
| 315 | case sListenAddress: |
| 316 | cp = strtok(NULL, WHITESPACE); |
| 317 | if (!cp) |
| 318 | { |
| 319 | fprintf(stderr, "%s line %d: missing inet addr.\n", |
| 320 | filename, linenum); |
| 321 | exit(1); |
| 322 | } |
| 323 | options->listen_addr.s_addr = inet_addr(cp); |
| 324 | break; |
| 325 | |
| 326 | case sHostKeyFile: |
| 327 | charptr = &options->host_key_file; |
| 328 | cp = strtok(NULL, WHITESPACE); |
| 329 | if (!cp) |
| 330 | { |
| 331 | fprintf(stderr, "%s line %d: missing file name.\n", |
| 332 | filename, linenum); |
| 333 | exit(1); |
| 334 | } |
| 335 | if (*charptr == NULL) |
| 336 | *charptr = tilde_expand_filename(cp, getuid()); |
| 337 | break; |
| 338 | |
| 339 | case sRandomSeedFile: |
| 340 | fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n", |
| 341 | filename, linenum); |
| 342 | cp = strtok(NULL, WHITESPACE); |
| 343 | break; |
| 344 | |
| 345 | case sPermitRootLogin: |
| 346 | intptr = &options->permit_root_login; |
| 347 | cp = strtok(NULL, WHITESPACE); |
| 348 | if (!cp) |
| 349 | { |
| 350 | fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n", |
| 351 | filename, linenum); |
| 352 | exit(1); |
| 353 | } |
| 354 | if (strcmp(cp, "without-password") == 0) |
| 355 | value = 2; |
| 356 | else if (strcmp(cp, "yes") == 0) |
| 357 | value = 1; |
| 358 | else if (strcmp(cp, "no") == 0) |
| 359 | value = 0; |
| 360 | else |
| 361 | { |
| 362 | fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n", |
| 363 | filename, linenum, cp); |
| 364 | exit(1); |
| 365 | } |
| 366 | if (*intptr == -1) |
| 367 | *intptr = value; |
| 368 | break; |
| 369 | |
| 370 | case sIgnoreRhosts: |
| 371 | intptr = &options->ignore_rhosts; |
| 372 | parse_flag: |
| 373 | cp = strtok(NULL, WHITESPACE); |
| 374 | if (!cp) |
| 375 | { |
| 376 | fprintf(stderr, "%s line %d: missing yes/no argument.\n", |
| 377 | filename, linenum); |
| 378 | exit(1); |
| 379 | } |
| 380 | if (strcmp(cp, "yes") == 0) |
| 381 | value = 1; |
| 382 | else |
| 383 | if (strcmp(cp, "no") == 0) |
| 384 | value = 0; |
| 385 | else |
| 386 | { |
| 387 | fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n", |
| 388 | filename, linenum, cp); |
| 389 | exit(1); |
| 390 | } |
| 391 | if (*intptr == -1) |
| 392 | *intptr = value; |
| 393 | break; |
| 394 | |
| 395 | case sQuietMode: |
| 396 | intptr = &options->quiet_mode; |
| 397 | goto parse_flag; |
| 398 | |
| 399 | case sFascistLogging: |
| 400 | intptr = &options->fascist_logging; |
| 401 | goto parse_flag; |
| 402 | |
| 403 | case sRhostsAuthentication: |
| 404 | intptr = &options->rhosts_authentication; |
| 405 | goto parse_flag; |
| 406 | |
| 407 | case sRhostsRSAAuthentication: |
| 408 | intptr = &options->rhosts_rsa_authentication; |
| 409 | goto parse_flag; |
| 410 | |
| 411 | case sRSAAuthentication: |
| 412 | intptr = &options->rsa_authentication; |
| 413 | goto parse_flag; |
| 414 | |
| 415 | #ifdef KRB4 |
| 416 | case sKerberosAuthentication: |
| 417 | intptr = &options->kerberos_authentication; |
| 418 | goto parse_flag; |
| 419 | |
| 420 | case sKerberosOrLocalPasswd: |
| 421 | intptr = &options->kerberos_or_local_passwd; |
| 422 | goto parse_flag; |
| 423 | |
| 424 | case sKerberosTicketCleanup: |
| 425 | intptr = &options->kerberos_ticket_cleanup; |
| 426 | goto parse_flag; |
| 427 | #endif |
| 428 | |
| 429 | #ifdef AFS |
| 430 | case sKerberosTgtPassing: |
| 431 | intptr = &options->kerberos_tgt_passing; |
| 432 | goto parse_flag; |
| 433 | |
| 434 | case sAFSTokenPassing: |
| 435 | intptr = &options->afs_token_passing; |
| 436 | goto parse_flag; |
| 437 | #endif |
| 438 | |
| 439 | case sPasswordAuthentication: |
| 440 | intptr = &options->password_authentication; |
| 441 | goto parse_flag; |
| 442 | |
| 443 | case sCheckMail: |
| 444 | intptr = &options->check_mail; |
| 445 | goto parse_flag; |
| 446 | |
| 447 | #ifdef SKEY |
| 448 | case sSkeyAuthentication: |
| 449 | intptr = &options->skey_authentication; |
| 450 | goto parse_flag; |
| 451 | #endif |
| 452 | |
| 453 | case sPrintMotd: |
| 454 | intptr = &options->print_motd; |
| 455 | goto parse_flag; |
| 456 | |
| 457 | case sX11Forwarding: |
| 458 | intptr = &options->x11_forwarding; |
| 459 | goto parse_flag; |
| 460 | |
| 461 | case sX11DisplayOffset: |
| 462 | intptr = &options->x11_display_offset; |
| 463 | goto parse_int; |
| 464 | |
| 465 | case sStrictModes: |
| 466 | intptr = &options->strict_modes; |
| 467 | goto parse_flag; |
| 468 | |
| 469 | case sKeepAlives: |
| 470 | intptr = &options->keepalives; |
| 471 | goto parse_flag; |
| 472 | |
| 473 | case sEmptyPasswd: |
| 474 | intptr = &options->permit_empty_passwd; |
| 475 | goto parse_flag; |
| 476 | |
| 477 | case sUseLogin: |
| 478 | intptr = &options->use_login; |
| 479 | goto parse_flag; |
| 480 | |
| 481 | case sLogFacility: |
| 482 | cp = strtok(NULL, WHITESPACE); |
| 483 | if (!cp) |
| 484 | { |
| 485 | fprintf(stderr, "%s line %d: missing facility name.\n", |
| 486 | filename, linenum); |
| 487 | exit(1); |
| 488 | } |
| 489 | for (i = 0; log_facilities[i].name; i++) |
| 490 | if (strcmp(log_facilities[i].name, cp) == 0) |
| 491 | break; |
| 492 | if (!log_facilities[i].name) |
| 493 | { |
| 494 | fprintf(stderr, "%s line %d: unsupported log facility %s\n", |
| 495 | filename, linenum, cp); |
| 496 | exit(1); |
| 497 | } |
| 498 | if (options->log_facility == (SyslogFacility)(-1)) |
| 499 | options->log_facility = log_facilities[i].facility; |
| 500 | break; |
| 501 | |
| 502 | case sAllowUsers: |
| 503 | while ((cp = strtok(NULL, WHITESPACE))) |
| 504 | { |
| 505 | if (options->num_allow_users >= MAX_ALLOW_USERS) |
| 506 | { |
| 507 | fprintf(stderr, "%s line %d: too many allow users.\n", |
| 508 | filename, linenum); |
| 509 | exit(1); |
| 510 | } |
| 511 | options->allow_users[options->num_allow_users++] = xstrdup(cp); |
| 512 | } |
| 513 | break; |
| 514 | |
| 515 | case sDenyUsers: |
| 516 | while ((cp = strtok(NULL, WHITESPACE))) |
| 517 | { |
| 518 | if (options->num_deny_users >= MAX_DENY_USERS) |
| 519 | { |
| 520 | fprintf(stderr, "%s line %d: too many deny users.\n", |
| 521 | filename, linenum); |
| 522 | exit(1); |
| 523 | } |
| 524 | options->deny_users[options->num_deny_users++] = xstrdup(cp); |
| 525 | } |
| 526 | break; |
| 527 | |
| 528 | case sAllowGroups: |
| 529 | while ((cp = strtok(NULL, WHITESPACE))) |
| 530 | { |
| 531 | if (options->num_allow_groups >= MAX_ALLOW_GROUPS) |
| 532 | { |
| 533 | fprintf(stderr, "%s line %d: too many allow groups.\n", |
| 534 | filename, linenum); |
| 535 | exit(1); |
| 536 | } |
| 537 | options->allow_groups[options->num_allow_groups++] = xstrdup(cp); |
| 538 | } |
| 539 | break; |
| 540 | |
| 541 | case sDenyGroups: |
| 542 | while ((cp = strtok(NULL, WHITESPACE))) |
| 543 | { |
| 544 | if (options->num_deny_groups >= MAX_DENY_GROUPS) |
| 545 | { |
| 546 | fprintf(stderr, "%s line %d: too many deny groups.\n", |
| 547 | filename, linenum); |
| 548 | exit(1); |
| 549 | } |
| 550 | options->deny_groups[options->num_deny_groups++] = xstrdup(cp); |
| 551 | } |
| 552 | break; |
| 553 | |
| 554 | default: |
| 555 | fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", |
| 556 | filename, linenum, cp, opcode); |
| 557 | exit(1); |
| 558 | } |
| 559 | if (strtok(NULL, WHITESPACE) != NULL) |
| 560 | { |
| 561 | fprintf(stderr, "%s line %d: garbage at end of line.\n", |
| 562 | filename, linenum); |
| 563 | exit(1); |
| 564 | } |
| 565 | } |
| 566 | fclose(f); |
| 567 | } |