1/* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 12#include "includes.h"
| 1/* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 12#include "includes.h"
|
13RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $"); 14RCSID("$FreeBSD: head/crypto/openssh/servconf.c 126277 2004-02-26 10:52:33Z des $");
| 13RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $"); 14RCSID("$FreeBSD: head/crypto/openssh/servconf.c 137019 2004-10-28 16:11:31Z des $");
|
15 16#include "ssh.h" 17#include "log.h" 18#include "servconf.h" 19#include "xmalloc.h" 20#include "compat.h" 21#include "pathnames.h"
| 15 16#include "ssh.h" 17#include "log.h" 18#include "servconf.h" 19#include "xmalloc.h" 20#include "compat.h" 21#include "pathnames.h"
|
22#include "tildexpand.h"
| |
23#include "misc.h" 24#include "cipher.h" 25#include "kex.h" 26#include "mac.h" 27 28static void add_listen_addr(ServerOptions *, char *, u_short); 29static void add_one_listen_addr(ServerOptions *, char *, u_short); 30 31/* AF_UNSPEC or AF_INET or AF_INET6 */ 32extern int IPv4or6; 33/* Use of privilege separation or not */ 34extern int use_privsep; 35 36/* Initializes the server options to their default values. */ 37 38void 39initialize_server_options(ServerOptions *options) 40{ 41 memset(options, 0, sizeof(*options)); 42 43 /* Portable-specific options */ 44 options->use_pam = -1; 45 46 /* Standard Options */ 47 options->num_ports = 0; 48 options->ports_from_cmdline = 0; 49 options->listen_addrs = NULL; 50 options->num_host_key_files = 0; 51 options->pid_file = NULL; 52 options->server_key_bits = -1; 53 options->login_grace_time = -1; 54 options->key_regeneration_time = -1; 55 options->permit_root_login = PERMIT_NOT_SET; 56 options->ignore_rhosts = -1; 57 options->ignore_user_known_hosts = -1; 58 options->print_motd = -1; 59 options->print_lastlog = -1; 60 options->x11_forwarding = -1; 61 options->x11_display_offset = -1; 62 options->x11_use_localhost = -1; 63 options->xauth_location = NULL; 64 options->strict_modes = -1; 65 options->tcp_keep_alive = -1; 66 options->log_facility = SYSLOG_FACILITY_NOT_SET; 67 options->log_level = SYSLOG_LEVEL_NOT_SET; 68 options->rhosts_rsa_authentication = -1; 69 options->hostbased_authentication = -1; 70 options->hostbased_uses_name_from_packet_only = -1; 71 options->rsa_authentication = -1; 72 options->pubkey_authentication = -1; 73 options->kerberos_authentication = -1; 74 options->kerberos_or_local_passwd = -1; 75 options->kerberos_ticket_cleanup = -1; 76 options->kerberos_get_afs_token = -1; 77 options->gss_authentication=-1; 78 options->gss_cleanup_creds = -1; 79 options->password_authentication = -1; 80 options->kbd_interactive_authentication = -1; 81 options->challenge_response_authentication = -1; 82 options->permit_empty_passwd = -1; 83 options->permit_user_env = -1; 84 options->use_login = -1; 85 options->compression = -1; 86 options->allow_tcp_forwarding = -1; 87 options->num_allow_users = 0; 88 options->num_deny_users = 0; 89 options->num_allow_groups = 0; 90 options->num_deny_groups = 0; 91 options->ciphers = NULL; 92 options->macs = NULL; 93 options->protocol = SSH_PROTO_UNKNOWN; 94 options->gateway_ports = -1; 95 options->num_subsystems = 0; 96 options->max_startups_begin = -1; 97 options->max_startups_rate = -1; 98 options->max_startups = -1;
| 22#include "misc.h" 23#include "cipher.h" 24#include "kex.h" 25#include "mac.h" 26 27static void add_listen_addr(ServerOptions *, char *, u_short); 28static void add_one_listen_addr(ServerOptions *, char *, u_short); 29 30/* AF_UNSPEC or AF_INET or AF_INET6 */ 31extern int IPv4or6; 32/* Use of privilege separation or not */ 33extern int use_privsep; 34 35/* Initializes the server options to their default values. */ 36 37void 38initialize_server_options(ServerOptions *options) 39{ 40 memset(options, 0, sizeof(*options)); 41 42 /* Portable-specific options */ 43 options->use_pam = -1; 44 45 /* Standard Options */ 46 options->num_ports = 0; 47 options->ports_from_cmdline = 0; 48 options->listen_addrs = NULL; 49 options->num_host_key_files = 0; 50 options->pid_file = NULL; 51 options->server_key_bits = -1; 52 options->login_grace_time = -1; 53 options->key_regeneration_time = -1; 54 options->permit_root_login = PERMIT_NOT_SET; 55 options->ignore_rhosts = -1; 56 options->ignore_user_known_hosts = -1; 57 options->print_motd = -1; 58 options->print_lastlog = -1; 59 options->x11_forwarding = -1; 60 options->x11_display_offset = -1; 61 options->x11_use_localhost = -1; 62 options->xauth_location = NULL; 63 options->strict_modes = -1; 64 options->tcp_keep_alive = -1; 65 options->log_facility = SYSLOG_FACILITY_NOT_SET; 66 options->log_level = SYSLOG_LEVEL_NOT_SET; 67 options->rhosts_rsa_authentication = -1; 68 options->hostbased_authentication = -1; 69 options->hostbased_uses_name_from_packet_only = -1; 70 options->rsa_authentication = -1; 71 options->pubkey_authentication = -1; 72 options->kerberos_authentication = -1; 73 options->kerberos_or_local_passwd = -1; 74 options->kerberos_ticket_cleanup = -1; 75 options->kerberos_get_afs_token = -1; 76 options->gss_authentication=-1; 77 options->gss_cleanup_creds = -1; 78 options->password_authentication = -1; 79 options->kbd_interactive_authentication = -1; 80 options->challenge_response_authentication = -1; 81 options->permit_empty_passwd = -1; 82 options->permit_user_env = -1; 83 options->use_login = -1; 84 options->compression = -1; 85 options->allow_tcp_forwarding = -1; 86 options->num_allow_users = 0; 87 options->num_deny_users = 0; 88 options->num_allow_groups = 0; 89 options->num_deny_groups = 0; 90 options->ciphers = NULL; 91 options->macs = NULL; 92 options->protocol = SSH_PROTO_UNKNOWN; 93 options->gateway_ports = -1; 94 options->num_subsystems = 0; 95 options->max_startups_begin = -1; 96 options->max_startups_rate = -1; 97 options->max_startups = -1;
|
| 98 options->max_authtries = -1;
|
99 options->banner = NULL; 100 options->use_dns = -1; 101 options->client_alive_interval = -1; 102 options->client_alive_count_max = -1; 103 options->authorized_keys_file = NULL; 104 options->authorized_keys_file2 = NULL;
| 99 options->banner = NULL; 100 options->use_dns = -1; 101 options->client_alive_interval = -1; 102 options->client_alive_count_max = -1; 103 options->authorized_keys_file = NULL; 104 options->authorized_keys_file2 = NULL;
|
| 105 options->num_accept_env = 0;
|
105 106 /* Needs to be accessable in many places */ 107 use_privsep = -1; 108} 109 110void 111fill_default_server_options(ServerOptions *options) 112{ 113 /* Portable-specific options */ 114 if (options->use_pam == -1) 115 options->use_pam = 1; 116 117 /* Standard Options */ 118 if (options->protocol == SSH_PROTO_UNKNOWN) 119 options->protocol = SSH_PROTO_2; 120 if (options->num_host_key_files == 0) { 121 /* fill default hostkeys for protocols */ 122 if (options->protocol & SSH_PROTO_1) 123 options->host_key_files[options->num_host_key_files++] = 124 _PATH_HOST_KEY_FILE; 125 if (options->protocol & SSH_PROTO_2) { 126 options->host_key_files[options->num_host_key_files++] = 127 _PATH_HOST_DSA_KEY_FILE; 128 } 129 } 130 if (options->num_ports == 0) 131 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 132 if (options->listen_addrs == NULL) 133 add_listen_addr(options, NULL, 0); 134 if (options->pid_file == NULL) 135 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 136 if (options->server_key_bits == -1) 137 options->server_key_bits = 768; 138 if (options->login_grace_time == -1) 139 options->login_grace_time = 120; 140 if (options->key_regeneration_time == -1) 141 options->key_regeneration_time = 3600; 142 if (options->permit_root_login == PERMIT_NOT_SET) 143 options->permit_root_login = PERMIT_NO; 144 if (options->ignore_rhosts == -1) 145 options->ignore_rhosts = 1; 146 if (options->ignore_user_known_hosts == -1) 147 options->ignore_user_known_hosts = 0; 148 if (options->print_motd == -1) 149 options->print_motd = 1; 150 if (options->print_lastlog == -1) 151 options->print_lastlog = 1; 152 if (options->x11_forwarding == -1) 153 options->x11_forwarding = 1; 154 if (options->x11_display_offset == -1) 155 options->x11_display_offset = 10; 156 if (options->x11_use_localhost == -1) 157 options->x11_use_localhost = 1; 158 if (options->xauth_location == NULL) 159 options->xauth_location = _PATH_XAUTH; 160 if (options->strict_modes == -1) 161 options->strict_modes = 1; 162 if (options->tcp_keep_alive == -1) 163 options->tcp_keep_alive = 1; 164 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 165 options->log_facility = SYSLOG_FACILITY_AUTH; 166 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 167 options->log_level = SYSLOG_LEVEL_INFO; 168 if (options->rhosts_rsa_authentication == -1) 169 options->rhosts_rsa_authentication = 0; 170 if (options->hostbased_authentication == -1) 171 options->hostbased_authentication = 0; 172 if (options->hostbased_uses_name_from_packet_only == -1) 173 options->hostbased_uses_name_from_packet_only = 0; 174 if (options->rsa_authentication == -1) 175 options->rsa_authentication = 1; 176 if (options->pubkey_authentication == -1) 177 options->pubkey_authentication = 1; 178 if (options->kerberos_authentication == -1) 179 options->kerberos_authentication = 0; 180 if (options->kerberos_or_local_passwd == -1) 181 options->kerberos_or_local_passwd = 1; 182 if (options->kerberos_ticket_cleanup == -1) 183 options->kerberos_ticket_cleanup = 1; 184 if (options->kerberos_get_afs_token == -1) 185 options->kerberos_get_afs_token = 0; 186 if (options->gss_authentication == -1) 187 options->gss_authentication = 0; 188 if (options->gss_cleanup_creds == -1) 189 options->gss_cleanup_creds = 1; 190 if (options->password_authentication == -1) 191#ifdef USE_PAM 192 options->password_authentication = 0; 193#else 194 options->password_authentication = 1; 195#endif 196 if (options->kbd_interactive_authentication == -1) 197 options->kbd_interactive_authentication = 0; 198 if (options->challenge_response_authentication == -1) 199 options->challenge_response_authentication = 1; 200 if (options->permit_empty_passwd == -1) 201 options->permit_empty_passwd = 0; 202 if (options->permit_user_env == -1) 203 options->permit_user_env = 0; 204 if (options->use_login == -1) 205 options->use_login = 0; 206 if (options->compression == -1) 207 options->compression = 1; 208 if (options->allow_tcp_forwarding == -1) 209 options->allow_tcp_forwarding = 1; 210 if (options->gateway_ports == -1) 211 options->gateway_ports = 0; 212 if (options->max_startups == -1) 213 options->max_startups = 10; 214 if (options->max_startups_rate == -1) 215 options->max_startups_rate = 100; /* 100% */ 216 if (options->max_startups_begin == -1) 217 options->max_startups_begin = options->max_startups;
| 106 107 /* Needs to be accessable in many places */ 108 use_privsep = -1; 109} 110 111void 112fill_default_server_options(ServerOptions *options) 113{ 114 /* Portable-specific options */ 115 if (options->use_pam == -1) 116 options->use_pam = 1; 117 118 /* Standard Options */ 119 if (options->protocol == SSH_PROTO_UNKNOWN) 120 options->protocol = SSH_PROTO_2; 121 if (options->num_host_key_files == 0) { 122 /* fill default hostkeys for protocols */ 123 if (options->protocol & SSH_PROTO_1) 124 options->host_key_files[options->num_host_key_files++] = 125 _PATH_HOST_KEY_FILE; 126 if (options->protocol & SSH_PROTO_2) { 127 options->host_key_files[options->num_host_key_files++] = 128 _PATH_HOST_DSA_KEY_FILE; 129 } 130 } 131 if (options->num_ports == 0) 132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 133 if (options->listen_addrs == NULL) 134 add_listen_addr(options, NULL, 0); 135 if (options->pid_file == NULL) 136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 137 if (options->server_key_bits == -1) 138 options->server_key_bits = 768; 139 if (options->login_grace_time == -1) 140 options->login_grace_time = 120; 141 if (options->key_regeneration_time == -1) 142 options->key_regeneration_time = 3600; 143 if (options->permit_root_login == PERMIT_NOT_SET) 144 options->permit_root_login = PERMIT_NO; 145 if (options->ignore_rhosts == -1) 146 options->ignore_rhosts = 1; 147 if (options->ignore_user_known_hosts == -1) 148 options->ignore_user_known_hosts = 0; 149 if (options->print_motd == -1) 150 options->print_motd = 1; 151 if (options->print_lastlog == -1) 152 options->print_lastlog = 1; 153 if (options->x11_forwarding == -1) 154 options->x11_forwarding = 1; 155 if (options->x11_display_offset == -1) 156 options->x11_display_offset = 10; 157 if (options->x11_use_localhost == -1) 158 options->x11_use_localhost = 1; 159 if (options->xauth_location == NULL) 160 options->xauth_location = _PATH_XAUTH; 161 if (options->strict_modes == -1) 162 options->strict_modes = 1; 163 if (options->tcp_keep_alive == -1) 164 options->tcp_keep_alive = 1; 165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 166 options->log_facility = SYSLOG_FACILITY_AUTH; 167 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 168 options->log_level = SYSLOG_LEVEL_INFO; 169 if (options->rhosts_rsa_authentication == -1) 170 options->rhosts_rsa_authentication = 0; 171 if (options->hostbased_authentication == -1) 172 options->hostbased_authentication = 0; 173 if (options->hostbased_uses_name_from_packet_only == -1) 174 options->hostbased_uses_name_from_packet_only = 0; 175 if (options->rsa_authentication == -1) 176 options->rsa_authentication = 1; 177 if (options->pubkey_authentication == -1) 178 options->pubkey_authentication = 1; 179 if (options->kerberos_authentication == -1) 180 options->kerberos_authentication = 0; 181 if (options->kerberos_or_local_passwd == -1) 182 options->kerberos_or_local_passwd = 1; 183 if (options->kerberos_ticket_cleanup == -1) 184 options->kerberos_ticket_cleanup = 1; 185 if (options->kerberos_get_afs_token == -1) 186 options->kerberos_get_afs_token = 0; 187 if (options->gss_authentication == -1) 188 options->gss_authentication = 0; 189 if (options->gss_cleanup_creds == -1) 190 options->gss_cleanup_creds = 1; 191 if (options->password_authentication == -1) 192#ifdef USE_PAM 193 options->password_authentication = 0; 194#else 195 options->password_authentication = 1; 196#endif 197 if (options->kbd_interactive_authentication == -1) 198 options->kbd_interactive_authentication = 0; 199 if (options->challenge_response_authentication == -1) 200 options->challenge_response_authentication = 1; 201 if (options->permit_empty_passwd == -1) 202 options->permit_empty_passwd = 0; 203 if (options->permit_user_env == -1) 204 options->permit_user_env = 0; 205 if (options->use_login == -1) 206 options->use_login = 0; 207 if (options->compression == -1) 208 options->compression = 1; 209 if (options->allow_tcp_forwarding == -1) 210 options->allow_tcp_forwarding = 1; 211 if (options->gateway_ports == -1) 212 options->gateway_ports = 0; 213 if (options->max_startups == -1) 214 options->max_startups = 10; 215 if (options->max_startups_rate == -1) 216 options->max_startups_rate = 100; /* 100% */ 217 if (options->max_startups_begin == -1) 218 options->max_startups_begin = options->max_startups;
|
| 219 if (options->max_authtries == -1) 220 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
|
218 if (options->use_dns == -1) 219 options->use_dns = 1; 220 if (options->client_alive_interval == -1) 221 options->client_alive_interval = 0; 222 if (options->client_alive_count_max == -1) 223 options->client_alive_count_max = 3; 224 if (options->authorized_keys_file2 == NULL) { 225 /* authorized_keys_file2 falls back to authorized_keys_file */ 226 if (options->authorized_keys_file != NULL) 227 options->authorized_keys_file2 = options->authorized_keys_file; 228 else 229 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 230 } 231 if (options->authorized_keys_file == NULL) 232 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 233 234 /* Turn privilege separation on by default */ 235 if (use_privsep == -1) 236 use_privsep = 1; 237 238#ifndef HAVE_MMAP 239 if (use_privsep && options->compression == 1) { 240 error("This platform does not support both privilege " 241 "separation and compression"); 242 error("Compression disabled"); 243 options->compression = 0; 244 } 245#endif 246 247} 248 249/* Keyword tokens. */ 250typedef enum { 251 sBadOption, /* == unknown option */ 252 /* Portable-specific options */ 253 sUsePAM, 254 /* Standard Options */ 255 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 256 sPermitRootLogin, sLogFacility, sLogLevel, 257 sRhostsRSAAuthentication, sRSAAuthentication, 258 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 259 sKerberosGetAFSToken, 260 sKerberosTgtPassing, sChallengeResponseAuthentication, 261 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 262 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 264 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
| 221 if (options->use_dns == -1) 222 options->use_dns = 1; 223 if (options->client_alive_interval == -1) 224 options->client_alive_interval = 0; 225 if (options->client_alive_count_max == -1) 226 options->client_alive_count_max = 3; 227 if (options->authorized_keys_file2 == NULL) { 228 /* authorized_keys_file2 falls back to authorized_keys_file */ 229 if (options->authorized_keys_file != NULL) 230 options->authorized_keys_file2 = options->authorized_keys_file; 231 else 232 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 233 } 234 if (options->authorized_keys_file == NULL) 235 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 236 237 /* Turn privilege separation on by default */ 238 if (use_privsep == -1) 239 use_privsep = 1; 240 241#ifndef HAVE_MMAP 242 if (use_privsep && options->compression == 1) { 243 error("This platform does not support both privilege " 244 "separation and compression"); 245 error("Compression disabled"); 246 options->compression = 0; 247 } 248#endif 249 250} 251 252/* Keyword tokens. */ 253typedef enum { 254 sBadOption, /* == unknown option */ 255 /* Portable-specific options */ 256 sUsePAM, 257 /* Standard Options */ 258 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 259 sPermitRootLogin, sLogFacility, sLogLevel, 260 sRhostsRSAAuthentication, sRSAAuthentication, 261 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 262 sKerberosGetAFSToken, 263 sKerberosTgtPassing, sChallengeResponseAuthentication, 264 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 265 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 267 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
| 271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 272 sMaxStartups, sMaxAuthTries,
|
269 sBanner, sUseDNS, sHostbasedAuthentication, 270 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 271 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
| 273 sBanner, sUseDNS, sHostbasedAuthentication, 274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
272 sGssAuthentication, sGssCleanupCreds,
| 276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
|
273 sUsePrivilegeSeparation, 274 sVersionAddendum, 275 sDeprecated, sUnsupported 276} ServerOpCodes; 277 278/* Textual representation of the tokens. */ 279static struct { 280 const char *name; 281 ServerOpCodes opcode; 282} keywords[] = { 283 /* Portable-specific options */ 284#ifdef USE_PAM 285 { "usepam", sUsePAM }, 286#else 287 { "usepam", sUnsupported }, 288#endif 289 { "pamauthenticationviakbdint", sDeprecated }, 290 /* Standard Options */ 291 { "port", sPort }, 292 { "hostkey", sHostKeyFile }, 293 { "hostdsakey", sHostKeyFile }, /* alias */ 294 { "pidfile", sPidFile }, 295 { "serverkeybits", sServerKeyBits }, 296 { "logingracetime", sLoginGraceTime }, 297 { "keyregenerationinterval", sKeyRegenerationTime }, 298 { "permitrootlogin", sPermitRootLogin }, 299 { "syslogfacility", sLogFacility }, 300 { "loglevel", sLogLevel }, 301 { "rhostsauthentication", sDeprecated }, 302 { "rhostsrsaauthentication", sRhostsRSAAuthentication }, 303 { "hostbasedauthentication", sHostbasedAuthentication }, 304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 305 { "rsaauthentication", sRSAAuthentication }, 306 { "pubkeyauthentication", sPubkeyAuthentication }, 307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */ 308#ifdef KRB5 309 { "kerberosauthentication", sKerberosAuthentication }, 310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 311 { "kerberosticketcleanup", sKerberosTicketCleanup }, 312#ifdef USE_AFS 313 { "kerberosgetafstoken", sKerberosGetAFSToken }, 314#else 315 { "kerberosgetafstoken", sUnsupported }, 316#endif 317#else 318 { "kerberosauthentication", sUnsupported }, 319 { "kerberosorlocalpasswd", sUnsupported }, 320 { "kerberosticketcleanup", sUnsupported }, 321 { "kerberosgetafstoken", sUnsupported }, 322#endif 323 { "kerberostgtpassing", sUnsupported }, 324 { "afstokenpassing", sUnsupported }, 325#ifdef GSSAPI 326 { "gssapiauthentication", sGssAuthentication }, 327 { "gssapicleanupcredentials", sGssCleanupCreds }, 328#else 329 { "gssapiauthentication", sUnsupported }, 330 { "gssapicleanupcredentials", sUnsupported }, 331#endif 332 { "passwordauthentication", sPasswordAuthentication }, 333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, 334 { "challengeresponseauthentication", sChallengeResponseAuthentication }, 335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ 336 { "checkmail", sDeprecated }, 337 { "listenaddress", sListenAddress }, 338 { "printmotd", sPrintMotd }, 339 { "printlastlog", sPrintLastLog }, 340 { "ignorerhosts", sIgnoreRhosts }, 341 { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, 342 { "x11forwarding", sX11Forwarding }, 343 { "x11displayoffset", sX11DisplayOffset }, 344 { "x11uselocalhost", sX11UseLocalhost }, 345 { "xauthlocation", sXAuthLocation }, 346 { "strictmodes", sStrictModes }, 347 { "permitemptypasswords", sEmptyPasswd }, 348 { "permituserenvironment", sPermitUserEnvironment }, 349 { "uselogin", sUseLogin }, 350 { "compression", sCompression }, 351 { "tcpkeepalive", sTCPKeepAlive }, 352 { "keepalive", sTCPKeepAlive }, /* obsolete alias */ 353 { "allowtcpforwarding", sAllowTcpForwarding }, 354 { "allowusers", sAllowUsers }, 355 { "denyusers", sDenyUsers }, 356 { "allowgroups", sAllowGroups }, 357 { "denygroups", sDenyGroups }, 358 { "ciphers", sCiphers }, 359 { "macs", sMacs }, 360 { "protocol", sProtocol }, 361 { "gatewayports", sGatewayPorts }, 362 { "subsystem", sSubsystem }, 363 { "maxstartups", sMaxStartups },
| 277 sUsePrivilegeSeparation, 278 sVersionAddendum, 279 sDeprecated, sUnsupported 280} ServerOpCodes; 281 282/* Textual representation of the tokens. */ 283static struct { 284 const char *name; 285 ServerOpCodes opcode; 286} keywords[] = { 287 /* Portable-specific options */ 288#ifdef USE_PAM 289 { "usepam", sUsePAM }, 290#else 291 { "usepam", sUnsupported }, 292#endif 293 { "pamauthenticationviakbdint", sDeprecated }, 294 /* Standard Options */ 295 { "port", sPort }, 296 { "hostkey", sHostKeyFile }, 297 { "hostdsakey", sHostKeyFile }, /* alias */ 298 { "pidfile", sPidFile }, 299 { "serverkeybits", sServerKeyBits }, 300 { "logingracetime", sLoginGraceTime }, 301 { "keyregenerationinterval", sKeyRegenerationTime }, 302 { "permitrootlogin", sPermitRootLogin }, 303 { "syslogfacility", sLogFacility }, 304 { "loglevel", sLogLevel }, 305 { "rhostsauthentication", sDeprecated }, 306 { "rhostsrsaauthentication", sRhostsRSAAuthentication }, 307 { "hostbasedauthentication", sHostbasedAuthentication }, 308 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 309 { "rsaauthentication", sRSAAuthentication }, 310 { "pubkeyauthentication", sPubkeyAuthentication }, 311 { "dsaauthentication", sPubkeyAuthentication }, /* alias */ 312#ifdef KRB5 313 { "kerberosauthentication", sKerberosAuthentication }, 314 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 315 { "kerberosticketcleanup", sKerberosTicketCleanup }, 316#ifdef USE_AFS 317 { "kerberosgetafstoken", sKerberosGetAFSToken }, 318#else 319 { "kerberosgetafstoken", sUnsupported }, 320#endif 321#else 322 { "kerberosauthentication", sUnsupported }, 323 { "kerberosorlocalpasswd", sUnsupported }, 324 { "kerberosticketcleanup", sUnsupported }, 325 { "kerberosgetafstoken", sUnsupported }, 326#endif 327 { "kerberostgtpassing", sUnsupported }, 328 { "afstokenpassing", sUnsupported }, 329#ifdef GSSAPI 330 { "gssapiauthentication", sGssAuthentication }, 331 { "gssapicleanupcredentials", sGssCleanupCreds }, 332#else 333 { "gssapiauthentication", sUnsupported }, 334 { "gssapicleanupcredentials", sUnsupported }, 335#endif 336 { "passwordauthentication", sPasswordAuthentication }, 337 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, 338 { "challengeresponseauthentication", sChallengeResponseAuthentication }, 339 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ 340 { "checkmail", sDeprecated }, 341 { "listenaddress", sListenAddress }, 342 { "printmotd", sPrintMotd }, 343 { "printlastlog", sPrintLastLog }, 344 { "ignorerhosts", sIgnoreRhosts }, 345 { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, 346 { "x11forwarding", sX11Forwarding }, 347 { "x11displayoffset", sX11DisplayOffset }, 348 { "x11uselocalhost", sX11UseLocalhost }, 349 { "xauthlocation", sXAuthLocation }, 350 { "strictmodes", sStrictModes }, 351 { "permitemptypasswords", sEmptyPasswd }, 352 { "permituserenvironment", sPermitUserEnvironment }, 353 { "uselogin", sUseLogin }, 354 { "compression", sCompression }, 355 { "tcpkeepalive", sTCPKeepAlive }, 356 { "keepalive", sTCPKeepAlive }, /* obsolete alias */ 357 { "allowtcpforwarding", sAllowTcpForwarding }, 358 { "allowusers", sAllowUsers }, 359 { "denyusers", sDenyUsers }, 360 { "allowgroups", sAllowGroups }, 361 { "denygroups", sDenyGroups }, 362 { "ciphers", sCiphers }, 363 { "macs", sMacs }, 364 { "protocol", sProtocol }, 365 { "gatewayports", sGatewayPorts }, 366 { "subsystem", sSubsystem }, 367 { "maxstartups", sMaxStartups },
|
| 368 { "maxauthtries", sMaxAuthTries },
|
364 { "banner", sBanner }, 365 { "usedns", sUseDNS }, 366 { "verifyreversemapping", sDeprecated }, 367 { "reversemappingcheck", sDeprecated }, 368 { "clientaliveinterval", sClientAliveInterval }, 369 { "clientalivecountmax", sClientAliveCountMax }, 370 { "authorizedkeysfile", sAuthorizedKeysFile }, 371 { "authorizedkeysfile2", sAuthorizedKeysFile2 }, 372 { "useprivilegeseparation", sUsePrivilegeSeparation},
| 369 { "banner", sBanner }, 370 { "usedns", sUseDNS }, 371 { "verifyreversemapping", sDeprecated }, 372 { "reversemappingcheck", sDeprecated }, 373 { "clientaliveinterval", sClientAliveInterval }, 374 { "clientalivecountmax", sClientAliveCountMax }, 375 { "authorizedkeysfile", sAuthorizedKeysFile }, 376 { "authorizedkeysfile2", sAuthorizedKeysFile2 }, 377 { "useprivilegeseparation", sUsePrivilegeSeparation},
|
| 378 { "acceptenv", sAcceptEnv },
|
373 { "versionaddendum", sVersionAddendum }, 374 { NULL, sBadOption } 375}; 376 377/* 378 * Returns the number of the token pointed to by cp or sBadOption. 379 */ 380 381static ServerOpCodes 382parse_token(const char *cp, const char *filename, 383 int linenum) 384{ 385 u_int i; 386 387 for (i = 0; keywords[i].name; i++) 388 if (strcasecmp(cp, keywords[i].name) == 0) 389 return keywords[i].opcode; 390 391 error("%s: line %d: Bad configuration option: %s", 392 filename, linenum, cp); 393 return sBadOption; 394} 395 396static void 397add_listen_addr(ServerOptions *options, char *addr, u_short port) 398{ 399 int i; 400 401 if (options->num_ports == 0) 402 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 403 if (port == 0) 404 for (i = 0; i < options->num_ports; i++) 405 add_one_listen_addr(options, addr, options->ports[i]); 406 else 407 add_one_listen_addr(options, addr, port); 408} 409 410static void 411add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 412{ 413 struct addrinfo hints, *ai, *aitop; 414 char strport[NI_MAXSERV]; 415 int gaierr; 416 417 memset(&hints, 0, sizeof(hints)); 418 hints.ai_family = IPv4or6; 419 hints.ai_socktype = SOCK_STREAM; 420 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 421 snprintf(strport, sizeof strport, "%u", port); 422 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 423 fatal("bad addr or host: %s (%s)", 424 addr ? addr : "<NULL>", 425 gai_strerror(gaierr)); 426 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 427 ; 428 ai->ai_next = options->listen_addrs; 429 options->listen_addrs = aitop; 430} 431 432int 433process_server_config_line(ServerOptions *options, char *line, 434 const char *filename, int linenum) 435{ 436 char *cp, **charptr, *arg, *p; 437 int *intptr, value, i, n; 438 ServerOpCodes opcode; 439 440 cp = line; 441 arg = strdelim(&cp); 442 /* Ignore leading whitespace */ 443 if (*arg == '\0') 444 arg = strdelim(&cp); 445 if (!arg || !*arg || *arg == '#') 446 return 0; 447 intptr = NULL; 448 charptr = NULL; 449 opcode = parse_token(arg, filename, linenum); 450 switch (opcode) { 451 /* Portable-specific options */ 452 case sUsePAM: 453 intptr = &options->use_pam; 454 goto parse_flag; 455 456 /* Standard Options */ 457 case sBadOption: 458 return -1; 459 case sPort: 460 /* ignore ports from configfile if cmdline specifies ports */ 461 if (options->ports_from_cmdline) 462 return 0; 463 if (options->listen_addrs != NULL) 464 fatal("%s line %d: ports must be specified before " 465 "ListenAddress.", filename, linenum); 466 if (options->num_ports >= MAX_PORTS) 467 fatal("%s line %d: too many ports.", 468 filename, linenum); 469 arg = strdelim(&cp); 470 if (!arg || *arg == '\0') 471 fatal("%s line %d: missing port number.", 472 filename, linenum); 473 options->ports[options->num_ports++] = a2port(arg); 474 if (options->ports[options->num_ports-1] == 0) 475 fatal("%s line %d: Badly formatted port number.", 476 filename, linenum); 477 break; 478 479 case sServerKeyBits: 480 intptr = &options->server_key_bits; 481parse_int: 482 arg = strdelim(&cp); 483 if (!arg || *arg == '\0') 484 fatal("%s line %d: missing integer value.", 485 filename, linenum); 486 value = atoi(arg); 487 if (*intptr == -1) 488 *intptr = value; 489 break; 490 491 case sLoginGraceTime: 492 intptr = &options->login_grace_time; 493parse_time: 494 arg = strdelim(&cp); 495 if (!arg || *arg == '\0') 496 fatal("%s line %d: missing time value.", 497 filename, linenum); 498 if ((value = convtime(arg)) == -1) 499 fatal("%s line %d: invalid time value.", 500 filename, linenum); 501 if (*intptr == -1) 502 *intptr = value; 503 break; 504 505 case sKeyRegenerationTime: 506 intptr = &options->key_regeneration_time; 507 goto parse_time; 508 509 case sListenAddress: 510 arg = strdelim(&cp); 511 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 512 fatal("%s line %d: missing inet addr.", 513 filename, linenum); 514 if (*arg == '[') { 515 if ((p = strchr(arg, ']')) == NULL) 516 fatal("%s line %d: bad ipv6 inet addr usage.", 517 filename, linenum); 518 arg++; 519 memmove(p, p+1, strlen(p+1)+1); 520 } else if (((p = strchr(arg, ':')) == NULL) || 521 (strchr(p+1, ':') != NULL)) { 522 add_listen_addr(options, arg, 0); 523 break; 524 } 525 if (*p == ':') { 526 u_short port; 527 528 p++; 529 if (*p == '\0') 530 fatal("%s line %d: bad inet addr:port usage.", 531 filename, linenum); 532 else { 533 *(p-1) = '\0'; 534 if ((port = a2port(p)) == 0) 535 fatal("%s line %d: bad port number.", 536 filename, linenum); 537 add_listen_addr(options, arg, port); 538 } 539 } else if (*p == '\0') 540 add_listen_addr(options, arg, 0); 541 else 542 fatal("%s line %d: bad inet addr usage.", 543 filename, linenum); 544 break; 545 546 case sHostKeyFile: 547 intptr = &options->num_host_key_files; 548 if (*intptr >= MAX_HOSTKEYS) 549 fatal("%s line %d: too many host keys specified (max %d).", 550 filename, linenum, MAX_HOSTKEYS); 551 charptr = &options->host_key_files[*intptr]; 552parse_filename: 553 arg = strdelim(&cp); 554 if (!arg || *arg == '\0') 555 fatal("%s line %d: missing file name.", 556 filename, linenum); 557 if (*charptr == NULL) { 558 *charptr = tilde_expand_filename(arg, getuid()); 559 /* increase optional counter */ 560 if (intptr != NULL) 561 *intptr = *intptr + 1; 562 } 563 break; 564 565 case sPidFile: 566 charptr = &options->pid_file; 567 goto parse_filename; 568 569 case sPermitRootLogin: 570 intptr = &options->permit_root_login; 571 arg = strdelim(&cp); 572 if (!arg || *arg == '\0') 573 fatal("%s line %d: missing yes/" 574 "without-password/forced-commands-only/no " 575 "argument.", filename, linenum); 576 value = 0; /* silence compiler */ 577 if (strcmp(arg, "without-password") == 0) 578 value = PERMIT_NO_PASSWD; 579 else if (strcmp(arg, "forced-commands-only") == 0) 580 value = PERMIT_FORCED_ONLY; 581 else if (strcmp(arg, "yes") == 0) 582 value = PERMIT_YES; 583 else if (strcmp(arg, "no") == 0) 584 value = PERMIT_NO; 585 else 586 fatal("%s line %d: Bad yes/" 587 "without-password/forced-commands-only/no " 588 "argument: %s", filename, linenum, arg); 589 if (*intptr == -1) 590 *intptr = value; 591 break; 592 593 case sIgnoreRhosts: 594 intptr = &options->ignore_rhosts; 595parse_flag: 596 arg = strdelim(&cp); 597 if (!arg || *arg == '\0') 598 fatal("%s line %d: missing yes/no argument.", 599 filename, linenum); 600 value = 0; /* silence compiler */ 601 if (strcmp(arg, "yes") == 0) 602 value = 1; 603 else if (strcmp(arg, "no") == 0) 604 value = 0; 605 else 606 fatal("%s line %d: Bad yes/no argument: %s", 607 filename, linenum, arg); 608 if (*intptr == -1) 609 *intptr = value; 610 break; 611 612 case sIgnoreUserKnownHosts: 613 intptr = &options->ignore_user_known_hosts; 614 goto parse_flag; 615 616 case sRhostsRSAAuthentication: 617 intptr = &options->rhosts_rsa_authentication; 618 goto parse_flag; 619 620 case sHostbasedAuthentication: 621 intptr = &options->hostbased_authentication; 622 goto parse_flag; 623 624 case sHostbasedUsesNameFromPacketOnly: 625 intptr = &options->hostbased_uses_name_from_packet_only; 626 goto parse_flag; 627 628 case sRSAAuthentication: 629 intptr = &options->rsa_authentication; 630 goto parse_flag; 631 632 case sPubkeyAuthentication: 633 intptr = &options->pubkey_authentication; 634 goto parse_flag; 635 636 case sKerberosAuthentication: 637 intptr = &options->kerberos_authentication; 638 goto parse_flag; 639 640 case sKerberosOrLocalPasswd: 641 intptr = &options->kerberos_or_local_passwd; 642 goto parse_flag; 643 644 case sKerberosTicketCleanup: 645 intptr = &options->kerberos_ticket_cleanup; 646 goto parse_flag; 647 648 case sKerberosGetAFSToken: 649 intptr = &options->kerberos_get_afs_token; 650 goto parse_flag; 651 652 case sGssAuthentication: 653 intptr = &options->gss_authentication; 654 goto parse_flag; 655 656 case sGssCleanupCreds: 657 intptr = &options->gss_cleanup_creds; 658 goto parse_flag; 659 660 case sPasswordAuthentication: 661 intptr = &options->password_authentication; 662 goto parse_flag; 663 664 case sKbdInteractiveAuthentication: 665 intptr = &options->kbd_interactive_authentication; 666 goto parse_flag; 667 668 case sChallengeResponseAuthentication: 669 intptr = &options->challenge_response_authentication; 670 goto parse_flag; 671 672 case sPrintMotd: 673 intptr = &options->print_motd; 674 goto parse_flag; 675 676 case sPrintLastLog: 677 intptr = &options->print_lastlog; 678 goto parse_flag; 679 680 case sX11Forwarding: 681 intptr = &options->x11_forwarding; 682 goto parse_flag; 683 684 case sX11DisplayOffset: 685 intptr = &options->x11_display_offset; 686 goto parse_int; 687 688 case sX11UseLocalhost: 689 intptr = &options->x11_use_localhost; 690 goto parse_flag; 691 692 case sXAuthLocation: 693 charptr = &options->xauth_location; 694 goto parse_filename; 695 696 case sStrictModes: 697 intptr = &options->strict_modes; 698 goto parse_flag; 699 700 case sTCPKeepAlive: 701 intptr = &options->tcp_keep_alive; 702 goto parse_flag; 703 704 case sEmptyPasswd: 705 intptr = &options->permit_empty_passwd; 706 goto parse_flag; 707 708 case sPermitUserEnvironment: 709 intptr = &options->permit_user_env; 710 goto parse_flag; 711 712 case sUseLogin: 713 intptr = &options->use_login; 714 goto parse_flag; 715 716 case sCompression: 717 intptr = &options->compression; 718 goto parse_flag; 719 720 case sGatewayPorts: 721 intptr = &options->gateway_ports; 722 goto parse_flag; 723 724 case sUseDNS: 725 intptr = &options->use_dns; 726 goto parse_flag; 727 728 case sLogFacility: 729 intptr = (int *) &options->log_facility; 730 arg = strdelim(&cp); 731 value = log_facility_number(arg); 732 if (value == SYSLOG_FACILITY_NOT_SET) 733 fatal("%.200s line %d: unsupported log facility '%s'", 734 filename, linenum, arg ? arg : "<NONE>"); 735 if (*intptr == -1) 736 *intptr = (SyslogFacility) value; 737 break; 738 739 case sLogLevel: 740 intptr = (int *) &options->log_level; 741 arg = strdelim(&cp); 742 value = log_level_number(arg); 743 if (value == SYSLOG_LEVEL_NOT_SET) 744 fatal("%.200s line %d: unsupported log level '%s'", 745 filename, linenum, arg ? arg : "<NONE>"); 746 if (*intptr == -1) 747 *intptr = (LogLevel) value; 748 break; 749 750 case sAllowTcpForwarding: 751 intptr = &options->allow_tcp_forwarding; 752 goto parse_flag; 753 754 case sUsePrivilegeSeparation: 755 intptr = &use_privsep; 756 goto parse_flag; 757 758 case sAllowUsers: 759 while ((arg = strdelim(&cp)) && *arg != '\0') { 760 if (options->num_allow_users >= MAX_ALLOW_USERS) 761 fatal("%s line %d: too many allow users.", 762 filename, linenum); 763 options->allow_users[options->num_allow_users++] = 764 xstrdup(arg); 765 } 766 break; 767 768 case sDenyUsers: 769 while ((arg = strdelim(&cp)) && *arg != '\0') { 770 if (options->num_deny_users >= MAX_DENY_USERS) 771 fatal( "%s line %d: too many deny users.", 772 filename, linenum); 773 options->deny_users[options->num_deny_users++] = 774 xstrdup(arg); 775 } 776 break; 777 778 case sAllowGroups: 779 while ((arg = strdelim(&cp)) && *arg != '\0') { 780 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 781 fatal("%s line %d: too many allow groups.", 782 filename, linenum); 783 options->allow_groups[options->num_allow_groups++] = 784 xstrdup(arg); 785 } 786 break; 787 788 case sDenyGroups: 789 while ((arg = strdelim(&cp)) && *arg != '\0') { 790 if (options->num_deny_groups >= MAX_DENY_GROUPS) 791 fatal("%s line %d: too many deny groups.", 792 filename, linenum); 793 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 794 } 795 break; 796 797 case sCiphers: 798 arg = strdelim(&cp); 799 if (!arg || *arg == '\0') 800 fatal("%s line %d: Missing argument.", filename, linenum); 801 if (!ciphers_valid(arg)) 802 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 803 filename, linenum, arg ? arg : "<NONE>"); 804 if (options->ciphers == NULL) 805 options->ciphers = xstrdup(arg); 806 break; 807 808 case sMacs: 809 arg = strdelim(&cp); 810 if (!arg || *arg == '\0') 811 fatal("%s line %d: Missing argument.", filename, linenum); 812 if (!mac_valid(arg)) 813 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 814 filename, linenum, arg ? arg : "<NONE>"); 815 if (options->macs == NULL) 816 options->macs = xstrdup(arg); 817 break; 818 819 case sProtocol: 820 intptr = &options->protocol; 821 arg = strdelim(&cp); 822 if (!arg || *arg == '\0') 823 fatal("%s line %d: Missing argument.", filename, linenum); 824 value = proto_spec(arg); 825 if (value == SSH_PROTO_UNKNOWN) 826 fatal("%s line %d: Bad protocol spec '%s'.", 827 filename, linenum, arg ? arg : "<NONE>"); 828 if (*intptr == SSH_PROTO_UNKNOWN) 829 *intptr = value; 830 break; 831 832 case sSubsystem: 833 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 834 fatal("%s line %d: too many subsystems defined.", 835 filename, linenum); 836 } 837 arg = strdelim(&cp); 838 if (!arg || *arg == '\0') 839 fatal("%s line %d: Missing subsystem name.", 840 filename, linenum); 841 for (i = 0; i < options->num_subsystems; i++) 842 if (strcmp(arg, options->subsystem_name[i]) == 0) 843 fatal("%s line %d: Subsystem '%s' already defined.", 844 filename, linenum, arg); 845 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 846 arg = strdelim(&cp); 847 if (!arg || *arg == '\0') 848 fatal("%s line %d: Missing subsystem command.", 849 filename, linenum); 850 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 851 options->num_subsystems++; 852 break; 853 854 case sMaxStartups: 855 arg = strdelim(&cp); 856 if (!arg || *arg == '\0') 857 fatal("%s line %d: Missing MaxStartups spec.", 858 filename, linenum); 859 if ((n = sscanf(arg, "%d:%d:%d", 860 &options->max_startups_begin, 861 &options->max_startups_rate, 862 &options->max_startups)) == 3) { 863 if (options->max_startups_begin > 864 options->max_startups || 865 options->max_startups_rate > 100 || 866 options->max_startups_rate < 1) 867 fatal("%s line %d: Illegal MaxStartups spec.", 868 filename, linenum); 869 } else if (n != 1) 870 fatal("%s line %d: Illegal MaxStartups spec.", 871 filename, linenum); 872 else 873 options->max_startups = options->max_startups_begin; 874 break; 875
| 379 { "versionaddendum", sVersionAddendum }, 380 { NULL, sBadOption } 381}; 382 383/* 384 * Returns the number of the token pointed to by cp or sBadOption. 385 */ 386 387static ServerOpCodes 388parse_token(const char *cp, const char *filename, 389 int linenum) 390{ 391 u_int i; 392 393 for (i = 0; keywords[i].name; i++) 394 if (strcasecmp(cp, keywords[i].name) == 0) 395 return keywords[i].opcode; 396 397 error("%s: line %d: Bad configuration option: %s", 398 filename, linenum, cp); 399 return sBadOption; 400} 401 402static void 403add_listen_addr(ServerOptions *options, char *addr, u_short port) 404{ 405 int i; 406 407 if (options->num_ports == 0) 408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 409 if (port == 0) 410 for (i = 0; i < options->num_ports; i++) 411 add_one_listen_addr(options, addr, options->ports[i]); 412 else 413 add_one_listen_addr(options, addr, port); 414} 415 416static void 417add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 418{ 419 struct addrinfo hints, *ai, *aitop; 420 char strport[NI_MAXSERV]; 421 int gaierr; 422 423 memset(&hints, 0, sizeof(hints)); 424 hints.ai_family = IPv4or6; 425 hints.ai_socktype = SOCK_STREAM; 426 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 427 snprintf(strport, sizeof strport, "%u", port); 428 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 429 fatal("bad addr or host: %s (%s)", 430 addr ? addr : "<NULL>", 431 gai_strerror(gaierr)); 432 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 433 ; 434 ai->ai_next = options->listen_addrs; 435 options->listen_addrs = aitop; 436} 437 438int 439process_server_config_line(ServerOptions *options, char *line, 440 const char *filename, int linenum) 441{ 442 char *cp, **charptr, *arg, *p; 443 int *intptr, value, i, n; 444 ServerOpCodes opcode; 445 446 cp = line; 447 arg = strdelim(&cp); 448 /* Ignore leading whitespace */ 449 if (*arg == '\0') 450 arg = strdelim(&cp); 451 if (!arg || !*arg || *arg == '#') 452 return 0; 453 intptr = NULL; 454 charptr = NULL; 455 opcode = parse_token(arg, filename, linenum); 456 switch (opcode) { 457 /* Portable-specific options */ 458 case sUsePAM: 459 intptr = &options->use_pam; 460 goto parse_flag; 461 462 /* Standard Options */ 463 case sBadOption: 464 return -1; 465 case sPort: 466 /* ignore ports from configfile if cmdline specifies ports */ 467 if (options->ports_from_cmdline) 468 return 0; 469 if (options->listen_addrs != NULL) 470 fatal("%s line %d: ports must be specified before " 471 "ListenAddress.", filename, linenum); 472 if (options->num_ports >= MAX_PORTS) 473 fatal("%s line %d: too many ports.", 474 filename, linenum); 475 arg = strdelim(&cp); 476 if (!arg || *arg == '\0') 477 fatal("%s line %d: missing port number.", 478 filename, linenum); 479 options->ports[options->num_ports++] = a2port(arg); 480 if (options->ports[options->num_ports-1] == 0) 481 fatal("%s line %d: Badly formatted port number.", 482 filename, linenum); 483 break; 484 485 case sServerKeyBits: 486 intptr = &options->server_key_bits; 487parse_int: 488 arg = strdelim(&cp); 489 if (!arg || *arg == '\0') 490 fatal("%s line %d: missing integer value.", 491 filename, linenum); 492 value = atoi(arg); 493 if (*intptr == -1) 494 *intptr = value; 495 break; 496 497 case sLoginGraceTime: 498 intptr = &options->login_grace_time; 499parse_time: 500 arg = strdelim(&cp); 501 if (!arg || *arg == '\0') 502 fatal("%s line %d: missing time value.", 503 filename, linenum); 504 if ((value = convtime(arg)) == -1) 505 fatal("%s line %d: invalid time value.", 506 filename, linenum); 507 if (*intptr == -1) 508 *intptr = value; 509 break; 510 511 case sKeyRegenerationTime: 512 intptr = &options->key_regeneration_time; 513 goto parse_time; 514 515 case sListenAddress: 516 arg = strdelim(&cp); 517 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 518 fatal("%s line %d: missing inet addr.", 519 filename, linenum); 520 if (*arg == '[') { 521 if ((p = strchr(arg, ']')) == NULL) 522 fatal("%s line %d: bad ipv6 inet addr usage.", 523 filename, linenum); 524 arg++; 525 memmove(p, p+1, strlen(p+1)+1); 526 } else if (((p = strchr(arg, ':')) == NULL) || 527 (strchr(p+1, ':') != NULL)) { 528 add_listen_addr(options, arg, 0); 529 break; 530 } 531 if (*p == ':') { 532 u_short port; 533 534 p++; 535 if (*p == '\0') 536 fatal("%s line %d: bad inet addr:port usage.", 537 filename, linenum); 538 else { 539 *(p-1) = '\0'; 540 if ((port = a2port(p)) == 0) 541 fatal("%s line %d: bad port number.", 542 filename, linenum); 543 add_listen_addr(options, arg, port); 544 } 545 } else if (*p == '\0') 546 add_listen_addr(options, arg, 0); 547 else 548 fatal("%s line %d: bad inet addr usage.", 549 filename, linenum); 550 break; 551 552 case sHostKeyFile: 553 intptr = &options->num_host_key_files; 554 if (*intptr >= MAX_HOSTKEYS) 555 fatal("%s line %d: too many host keys specified (max %d).", 556 filename, linenum, MAX_HOSTKEYS); 557 charptr = &options->host_key_files[*intptr]; 558parse_filename: 559 arg = strdelim(&cp); 560 if (!arg || *arg == '\0') 561 fatal("%s line %d: missing file name.", 562 filename, linenum); 563 if (*charptr == NULL) { 564 *charptr = tilde_expand_filename(arg, getuid()); 565 /* increase optional counter */ 566 if (intptr != NULL) 567 *intptr = *intptr + 1; 568 } 569 break; 570 571 case sPidFile: 572 charptr = &options->pid_file; 573 goto parse_filename; 574 575 case sPermitRootLogin: 576 intptr = &options->permit_root_login; 577 arg = strdelim(&cp); 578 if (!arg || *arg == '\0') 579 fatal("%s line %d: missing yes/" 580 "without-password/forced-commands-only/no " 581 "argument.", filename, linenum); 582 value = 0; /* silence compiler */ 583 if (strcmp(arg, "without-password") == 0) 584 value = PERMIT_NO_PASSWD; 585 else if (strcmp(arg, "forced-commands-only") == 0) 586 value = PERMIT_FORCED_ONLY; 587 else if (strcmp(arg, "yes") == 0) 588 value = PERMIT_YES; 589 else if (strcmp(arg, "no") == 0) 590 value = PERMIT_NO; 591 else 592 fatal("%s line %d: Bad yes/" 593 "without-password/forced-commands-only/no " 594 "argument: %s", filename, linenum, arg); 595 if (*intptr == -1) 596 *intptr = value; 597 break; 598 599 case sIgnoreRhosts: 600 intptr = &options->ignore_rhosts; 601parse_flag: 602 arg = strdelim(&cp); 603 if (!arg || *arg == '\0') 604 fatal("%s line %d: missing yes/no argument.", 605 filename, linenum); 606 value = 0; /* silence compiler */ 607 if (strcmp(arg, "yes") == 0) 608 value = 1; 609 else if (strcmp(arg, "no") == 0) 610 value = 0; 611 else 612 fatal("%s line %d: Bad yes/no argument: %s", 613 filename, linenum, arg); 614 if (*intptr == -1) 615 *intptr = value; 616 break; 617 618 case sIgnoreUserKnownHosts: 619 intptr = &options->ignore_user_known_hosts; 620 goto parse_flag; 621 622 case sRhostsRSAAuthentication: 623 intptr = &options->rhosts_rsa_authentication; 624 goto parse_flag; 625 626 case sHostbasedAuthentication: 627 intptr = &options->hostbased_authentication; 628 goto parse_flag; 629 630 case sHostbasedUsesNameFromPacketOnly: 631 intptr = &options->hostbased_uses_name_from_packet_only; 632 goto parse_flag; 633 634 case sRSAAuthentication: 635 intptr = &options->rsa_authentication; 636 goto parse_flag; 637 638 case sPubkeyAuthentication: 639 intptr = &options->pubkey_authentication; 640 goto parse_flag; 641 642 case sKerberosAuthentication: 643 intptr = &options->kerberos_authentication; 644 goto parse_flag; 645 646 case sKerberosOrLocalPasswd: 647 intptr = &options->kerberos_or_local_passwd; 648 goto parse_flag; 649 650 case sKerberosTicketCleanup: 651 intptr = &options->kerberos_ticket_cleanup; 652 goto parse_flag; 653 654 case sKerberosGetAFSToken: 655 intptr = &options->kerberos_get_afs_token; 656 goto parse_flag; 657 658 case sGssAuthentication: 659 intptr = &options->gss_authentication; 660 goto parse_flag; 661 662 case sGssCleanupCreds: 663 intptr = &options->gss_cleanup_creds; 664 goto parse_flag; 665 666 case sPasswordAuthentication: 667 intptr = &options->password_authentication; 668 goto parse_flag; 669 670 case sKbdInteractiveAuthentication: 671 intptr = &options->kbd_interactive_authentication; 672 goto parse_flag; 673 674 case sChallengeResponseAuthentication: 675 intptr = &options->challenge_response_authentication; 676 goto parse_flag; 677 678 case sPrintMotd: 679 intptr = &options->print_motd; 680 goto parse_flag; 681 682 case sPrintLastLog: 683 intptr = &options->print_lastlog; 684 goto parse_flag; 685 686 case sX11Forwarding: 687 intptr = &options->x11_forwarding; 688 goto parse_flag; 689 690 case sX11DisplayOffset: 691 intptr = &options->x11_display_offset; 692 goto parse_int; 693 694 case sX11UseLocalhost: 695 intptr = &options->x11_use_localhost; 696 goto parse_flag; 697 698 case sXAuthLocation: 699 charptr = &options->xauth_location; 700 goto parse_filename; 701 702 case sStrictModes: 703 intptr = &options->strict_modes; 704 goto parse_flag; 705 706 case sTCPKeepAlive: 707 intptr = &options->tcp_keep_alive; 708 goto parse_flag; 709 710 case sEmptyPasswd: 711 intptr = &options->permit_empty_passwd; 712 goto parse_flag; 713 714 case sPermitUserEnvironment: 715 intptr = &options->permit_user_env; 716 goto parse_flag; 717 718 case sUseLogin: 719 intptr = &options->use_login; 720 goto parse_flag; 721 722 case sCompression: 723 intptr = &options->compression; 724 goto parse_flag; 725 726 case sGatewayPorts: 727 intptr = &options->gateway_ports; 728 goto parse_flag; 729 730 case sUseDNS: 731 intptr = &options->use_dns; 732 goto parse_flag; 733 734 case sLogFacility: 735 intptr = (int *) &options->log_facility; 736 arg = strdelim(&cp); 737 value = log_facility_number(arg); 738 if (value == SYSLOG_FACILITY_NOT_SET) 739 fatal("%.200s line %d: unsupported log facility '%s'", 740 filename, linenum, arg ? arg : "<NONE>"); 741 if (*intptr == -1) 742 *intptr = (SyslogFacility) value; 743 break; 744 745 case sLogLevel: 746 intptr = (int *) &options->log_level; 747 arg = strdelim(&cp); 748 value = log_level_number(arg); 749 if (value == SYSLOG_LEVEL_NOT_SET) 750 fatal("%.200s line %d: unsupported log level '%s'", 751 filename, linenum, arg ? arg : "<NONE>"); 752 if (*intptr == -1) 753 *intptr = (LogLevel) value; 754 break; 755 756 case sAllowTcpForwarding: 757 intptr = &options->allow_tcp_forwarding; 758 goto parse_flag; 759 760 case sUsePrivilegeSeparation: 761 intptr = &use_privsep; 762 goto parse_flag; 763 764 case sAllowUsers: 765 while ((arg = strdelim(&cp)) && *arg != '\0') { 766 if (options->num_allow_users >= MAX_ALLOW_USERS) 767 fatal("%s line %d: too many allow users.", 768 filename, linenum); 769 options->allow_users[options->num_allow_users++] = 770 xstrdup(arg); 771 } 772 break; 773 774 case sDenyUsers: 775 while ((arg = strdelim(&cp)) && *arg != '\0') { 776 if (options->num_deny_users >= MAX_DENY_USERS) 777 fatal( "%s line %d: too many deny users.", 778 filename, linenum); 779 options->deny_users[options->num_deny_users++] = 780 xstrdup(arg); 781 } 782 break; 783 784 case sAllowGroups: 785 while ((arg = strdelim(&cp)) && *arg != '\0') { 786 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 787 fatal("%s line %d: too many allow groups.", 788 filename, linenum); 789 options->allow_groups[options->num_allow_groups++] = 790 xstrdup(arg); 791 } 792 break; 793 794 case sDenyGroups: 795 while ((arg = strdelim(&cp)) && *arg != '\0') { 796 if (options->num_deny_groups >= MAX_DENY_GROUPS) 797 fatal("%s line %d: too many deny groups.", 798 filename, linenum); 799 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 800 } 801 break; 802 803 case sCiphers: 804 arg = strdelim(&cp); 805 if (!arg || *arg == '\0') 806 fatal("%s line %d: Missing argument.", filename, linenum); 807 if (!ciphers_valid(arg)) 808 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 809 filename, linenum, arg ? arg : "<NONE>"); 810 if (options->ciphers == NULL) 811 options->ciphers = xstrdup(arg); 812 break; 813 814 case sMacs: 815 arg = strdelim(&cp); 816 if (!arg || *arg == '\0') 817 fatal("%s line %d: Missing argument.", filename, linenum); 818 if (!mac_valid(arg)) 819 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 820 filename, linenum, arg ? arg : "<NONE>"); 821 if (options->macs == NULL) 822 options->macs = xstrdup(arg); 823 break; 824 825 case sProtocol: 826 intptr = &options->protocol; 827 arg = strdelim(&cp); 828 if (!arg || *arg == '\0') 829 fatal("%s line %d: Missing argument.", filename, linenum); 830 value = proto_spec(arg); 831 if (value == SSH_PROTO_UNKNOWN) 832 fatal("%s line %d: Bad protocol spec '%s'.", 833 filename, linenum, arg ? arg : "<NONE>"); 834 if (*intptr == SSH_PROTO_UNKNOWN) 835 *intptr = value; 836 break; 837 838 case sSubsystem: 839 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 840 fatal("%s line %d: too many subsystems defined.", 841 filename, linenum); 842 } 843 arg = strdelim(&cp); 844 if (!arg || *arg == '\0') 845 fatal("%s line %d: Missing subsystem name.", 846 filename, linenum); 847 for (i = 0; i < options->num_subsystems; i++) 848 if (strcmp(arg, options->subsystem_name[i]) == 0) 849 fatal("%s line %d: Subsystem '%s' already defined.", 850 filename, linenum, arg); 851 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 852 arg = strdelim(&cp); 853 if (!arg || *arg == '\0') 854 fatal("%s line %d: Missing subsystem command.", 855 filename, linenum); 856 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 857 options->num_subsystems++; 858 break; 859 860 case sMaxStartups: 861 arg = strdelim(&cp); 862 if (!arg || *arg == '\0') 863 fatal("%s line %d: Missing MaxStartups spec.", 864 filename, linenum); 865 if ((n = sscanf(arg, "%d:%d:%d", 866 &options->max_startups_begin, 867 &options->max_startups_rate, 868 &options->max_startups)) == 3) { 869 if (options->max_startups_begin > 870 options->max_startups || 871 options->max_startups_rate > 100 || 872 options->max_startups_rate < 1) 873 fatal("%s line %d: Illegal MaxStartups spec.", 874 filename, linenum); 875 } else if (n != 1) 876 fatal("%s line %d: Illegal MaxStartups spec.", 877 filename, linenum); 878 else 879 options->max_startups = options->max_startups_begin; 880 break; 881
|
| 882 case sMaxAuthTries: 883 intptr = &options->max_authtries; 884 goto parse_int; 885
|
876 case sBanner: 877 charptr = &options->banner; 878 goto parse_filename; 879 /* 880 * These options can contain %X options expanded at 881 * connect time, so that you can specify paths like: 882 * 883 * AuthorizedKeysFile /etc/ssh_keys/%u 884 */ 885 case sAuthorizedKeysFile: 886 case sAuthorizedKeysFile2: 887 charptr = (opcode == sAuthorizedKeysFile ) ? 888 &options->authorized_keys_file : 889 &options->authorized_keys_file2; 890 goto parse_filename; 891 892 case sClientAliveInterval: 893 intptr = &options->client_alive_interval; 894 goto parse_time; 895 896 case sClientAliveCountMax: 897 intptr = &options->client_alive_count_max; 898 goto parse_int; 899
| 886 case sBanner: 887 charptr = &options->banner; 888 goto parse_filename; 889 /* 890 * These options can contain %X options expanded at 891 * connect time, so that you can specify paths like: 892 * 893 * AuthorizedKeysFile /etc/ssh_keys/%u 894 */ 895 case sAuthorizedKeysFile: 896 case sAuthorizedKeysFile2: 897 charptr = (opcode == sAuthorizedKeysFile ) ? 898 &options->authorized_keys_file : 899 &options->authorized_keys_file2; 900 goto parse_filename; 901 902 case sClientAliveInterval: 903 intptr = &options->client_alive_interval; 904 goto parse_time; 905 906 case sClientAliveCountMax: 907 intptr = &options->client_alive_count_max; 908 goto parse_int; 909
|
| 910 case sAcceptEnv: 911 while ((arg = strdelim(&cp)) && *arg != '\0') { 912 if (strchr(arg, '=') != NULL) 913 fatal("%s line %d: Invalid environment name.", 914 filename, linenum); 915 if (options->num_accept_env >= MAX_ACCEPT_ENV) 916 fatal("%s line %d: too many allow env.", 917 filename, linenum); 918 options->accept_env[options->num_accept_env++] = 919 xstrdup(arg); 920 } 921 break; 922
|
900 case sVersionAddendum: 901 ssh_version_set_addendum(strtok(cp, "\n")); 902 do { 903 arg = strdelim(&cp); 904 } while (arg != NULL && *arg != '\0'); 905 break; 906 907 case sDeprecated: 908 logit("%s line %d: Deprecated option %s", 909 filename, linenum, arg); 910 while (arg) 911 arg = strdelim(&cp); 912 break; 913 914 case sUnsupported: 915 logit("%s line %d: Unsupported option %s", 916 filename, linenum, arg); 917 while (arg) 918 arg = strdelim(&cp); 919 break; 920 921 default: 922 fatal("%s line %d: Missing handler for opcode %s (%d)", 923 filename, linenum, arg, opcode); 924 } 925 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 926 fatal("%s line %d: garbage at end of line; \"%.200s\".", 927 filename, linenum, arg); 928 return 0; 929} 930 931/* Reads the server configuration file. */ 932 933void
| 923 case sVersionAddendum: 924 ssh_version_set_addendum(strtok(cp, "\n")); 925 do { 926 arg = strdelim(&cp); 927 } while (arg != NULL && *arg != '\0'); 928 break; 929 930 case sDeprecated: 931 logit("%s line %d: Deprecated option %s", 932 filename, linenum, arg); 933 while (arg) 934 arg = strdelim(&cp); 935 break; 936 937 case sUnsupported: 938 logit("%s line %d: Unsupported option %s", 939 filename, linenum, arg); 940 while (arg) 941 arg = strdelim(&cp); 942 break; 943 944 default: 945 fatal("%s line %d: Missing handler for opcode %s (%d)", 946 filename, linenum, arg, opcode); 947 } 948 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 949 fatal("%s line %d: garbage at end of line; \"%.200s\".", 950 filename, linenum, arg); 951 return 0; 952} 953 954/* Reads the server configuration file. */ 955 956void
|
934read_server_config(ServerOptions *options, const char *filename)
| 957load_server_config(const char *filename, Buffer *conf)
|
935{
| 958{
|
936 int linenum, bad_options = 0; 937 char line[1024];
| 959 char line[1024], *cp;
|
938 FILE *f; 939
| 960 FILE *f; 961
|
940 debug2("read_server_config: filename %s", filename); 941 f = fopen(filename, "r"); 942 if (!f) {
| 962 debug2("%s: filename %s", __func__, filename); 963 if ((f = fopen(filename, "r")) == NULL) {
|
943 perror(filename); 944 exit(1); 945 }
| 964 perror(filename); 965 exit(1); 966 }
|
946 linenum = 0;
| 967 buffer_clear(conf);
|
947 while (fgets(line, sizeof(line), f)) {
| 968 while (fgets(line, sizeof(line), f)) {
|
948 /* Update line number counter. */ 949 linenum++; 950 if (process_server_config_line(options, line, filename, linenum) != 0) 951 bad_options++;
| 969 /* 970 * Trim out comments and strip whitespace 971 * NB - preserve newlines, they are needed to reproduce 972 * line numbers later for error messages 973 */ 974 if ((cp = strchr(line, '#')) != NULL) 975 memcpy(cp, "\n", 2); 976 cp = line + strspn(line, " \t\r"); 977 978 buffer_append(conf, cp, strlen(cp));
|
952 }
| 979 }
|
| 980 buffer_append(conf, "\0", 1);
|
953 fclose(f);
| 981 fclose(f);
|
| 982 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 983} 984 985void 986parse_server_config(ServerOptions *options, const char *filename, Buffer *conf) 987{ 988 int linenum, bad_options = 0; 989 char *cp, *obuf, *cbuf; 990 991 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 992 993 obuf = cbuf = xstrdup(buffer_ptr(conf)); 994 linenum = 1; 995 while((cp = strsep(&cbuf, "\n")) != NULL) { 996 if (process_server_config_line(options, cp, filename, 997 linenum++) != 0) 998 bad_options++; 999 } 1000 xfree(obuf);
|
954 if (bad_options > 0) 955 fatal("%s: terminating, %d bad configuration options", 956 filename, bad_options); 957}
| 1001 if (bad_options > 0) 1002 fatal("%s: terminating, %d bad configuration options", 1003 filename, bad_options); 1004}
|