servconf.c (126277) servconf.c (137019)
1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
14RCSID("$FreeBSD: head/crypto/openssh/servconf.c 126277 2004-02-26 10:52:33Z des $");
13RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
14RCSID("$FreeBSD: head/crypto/openssh/servconf.c 137019 2004-10-28 16:11:31Z des $");
15
16#include "ssh.h"
17#include "log.h"
18#include "servconf.h"
19#include "xmalloc.h"
20#include "compat.h"
21#include "pathnames.h"
15
16#include "ssh.h"
17#include "log.h"
18#include "servconf.h"
19#include "xmalloc.h"
20#include "compat.h"
21#include "pathnames.h"
22#include "tildexpand.h"
23#include "misc.h"
24#include "cipher.h"
25#include "kex.h"
26#include "mac.h"
27
28static void add_listen_addr(ServerOptions *, char *, u_short);
29static void add_one_listen_addr(ServerOptions *, char *, u_short);
30
31/* AF_UNSPEC or AF_INET or AF_INET6 */
32extern int IPv4or6;
33/* Use of privilege separation or not */
34extern int use_privsep;
35
36/* Initializes the server options to their default values. */
37
38void
39initialize_server_options(ServerOptions *options)
40{
41 memset(options, 0, sizeof(*options));
42
43 /* Portable-specific options */
44 options->use_pam = -1;
45
46 /* Standard Options */
47 options->num_ports = 0;
48 options->ports_from_cmdline = 0;
49 options->listen_addrs = NULL;
50 options->num_host_key_files = 0;
51 options->pid_file = NULL;
52 options->server_key_bits = -1;
53 options->login_grace_time = -1;
54 options->key_regeneration_time = -1;
55 options->permit_root_login = PERMIT_NOT_SET;
56 options->ignore_rhosts = -1;
57 options->ignore_user_known_hosts = -1;
58 options->print_motd = -1;
59 options->print_lastlog = -1;
60 options->x11_forwarding = -1;
61 options->x11_display_offset = -1;
62 options->x11_use_localhost = -1;
63 options->xauth_location = NULL;
64 options->strict_modes = -1;
65 options->tcp_keep_alive = -1;
66 options->log_facility = SYSLOG_FACILITY_NOT_SET;
67 options->log_level = SYSLOG_LEVEL_NOT_SET;
68 options->rhosts_rsa_authentication = -1;
69 options->hostbased_authentication = -1;
70 options->hostbased_uses_name_from_packet_only = -1;
71 options->rsa_authentication = -1;
72 options->pubkey_authentication = -1;
73 options->kerberos_authentication = -1;
74 options->kerberos_or_local_passwd = -1;
75 options->kerberos_ticket_cleanup = -1;
76 options->kerberos_get_afs_token = -1;
77 options->gss_authentication=-1;
78 options->gss_cleanup_creds = -1;
79 options->password_authentication = -1;
80 options->kbd_interactive_authentication = -1;
81 options->challenge_response_authentication = -1;
82 options->permit_empty_passwd = -1;
83 options->permit_user_env = -1;
84 options->use_login = -1;
85 options->compression = -1;
86 options->allow_tcp_forwarding = -1;
87 options->num_allow_users = 0;
88 options->num_deny_users = 0;
89 options->num_allow_groups = 0;
90 options->num_deny_groups = 0;
91 options->ciphers = NULL;
92 options->macs = NULL;
93 options->protocol = SSH_PROTO_UNKNOWN;
94 options->gateway_ports = -1;
95 options->num_subsystems = 0;
96 options->max_startups_begin = -1;
97 options->max_startups_rate = -1;
98 options->max_startups = -1;
22#include "misc.h"
23#include "cipher.h"
24#include "kex.h"
25#include "mac.h"
26
27static void add_listen_addr(ServerOptions *, char *, u_short);
28static void add_one_listen_addr(ServerOptions *, char *, u_short);
29
30/* AF_UNSPEC or AF_INET or AF_INET6 */
31extern int IPv4or6;
32/* Use of privilege separation or not */
33extern int use_privsep;
34
35/* Initializes the server options to their default values. */
36
37void
38initialize_server_options(ServerOptions *options)
39{
40 memset(options, 0, sizeof(*options));
41
42 /* Portable-specific options */
43 options->use_pam = -1;
44
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
61 options->x11_use_localhost = -1;
62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->tcp_keep_alive = -1;
65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
75 options->kerberos_get_afs_token = -1;
76 options->gss_authentication=-1;
77 options->gss_cleanup_creds = -1;
78 options->password_authentication = -1;
79 options->kbd_interactive_authentication = -1;
80 options->challenge_response_authentication = -1;
81 options->permit_empty_passwd = -1;
82 options->permit_user_env = -1;
83 options->use_login = -1;
84 options->compression = -1;
85 options->allow_tcp_forwarding = -1;
86 options->num_allow_users = 0;
87 options->num_deny_users = 0;
88 options->num_allow_groups = 0;
89 options->num_deny_groups = 0;
90 options->ciphers = NULL;
91 options->macs = NULL;
92 options->protocol = SSH_PROTO_UNKNOWN;
93 options->gateway_ports = -1;
94 options->num_subsystems = 0;
95 options->max_startups_begin = -1;
96 options->max_startups_rate = -1;
97 options->max_startups = -1;
98 options->max_authtries = -1;
99 options->banner = NULL;
100 options->use_dns = -1;
101 options->client_alive_interval = -1;
102 options->client_alive_count_max = -1;
103 options->authorized_keys_file = NULL;
104 options->authorized_keys_file2 = NULL;
99 options->banner = NULL;
100 options->use_dns = -1;
101 options->client_alive_interval = -1;
102 options->client_alive_count_max = -1;
103 options->authorized_keys_file = NULL;
104 options->authorized_keys_file2 = NULL;
105 options->num_accept_env = 0;
105
106 /* Needs to be accessable in many places */
107 use_privsep = -1;
108}
109
110void
111fill_default_server_options(ServerOptions *options)
112{
113 /* Portable-specific options */
114 if (options->use_pam == -1)
115 options->use_pam = 1;
116
117 /* Standard Options */
118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
123 options->host_key_files[options->num_host_key_files++] =
124 _PATH_HOST_KEY_FILE;
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_DSA_KEY_FILE;
128 }
129 }
130 if (options->num_ports == 0)
131 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
132 if (options->listen_addrs == NULL)
133 add_listen_addr(options, NULL, 0);
134 if (options->pid_file == NULL)
135 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
136 if (options->server_key_bits == -1)
137 options->server_key_bits = 768;
138 if (options->login_grace_time == -1)
139 options->login_grace_time = 120;
140 if (options->key_regeneration_time == -1)
141 options->key_regeneration_time = 3600;
142 if (options->permit_root_login == PERMIT_NOT_SET)
143 options->permit_root_login = PERMIT_NO;
144 if (options->ignore_rhosts == -1)
145 options->ignore_rhosts = 1;
146 if (options->ignore_user_known_hosts == -1)
147 options->ignore_user_known_hosts = 0;
148 if (options->print_motd == -1)
149 options->print_motd = 1;
150 if (options->print_lastlog == -1)
151 options->print_lastlog = 1;
152 if (options->x11_forwarding == -1)
153 options->x11_forwarding = 1;
154 if (options->x11_display_offset == -1)
155 options->x11_display_offset = 10;
156 if (options->x11_use_localhost == -1)
157 options->x11_use_localhost = 1;
158 if (options->xauth_location == NULL)
159 options->xauth_location = _PATH_XAUTH;
160 if (options->strict_modes == -1)
161 options->strict_modes = 1;
162 if (options->tcp_keep_alive == -1)
163 options->tcp_keep_alive = 1;
164 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
165 options->log_facility = SYSLOG_FACILITY_AUTH;
166 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
167 options->log_level = SYSLOG_LEVEL_INFO;
168 if (options->rhosts_rsa_authentication == -1)
169 options->rhosts_rsa_authentication = 0;
170 if (options->hostbased_authentication == -1)
171 options->hostbased_authentication = 0;
172 if (options->hostbased_uses_name_from_packet_only == -1)
173 options->hostbased_uses_name_from_packet_only = 0;
174 if (options->rsa_authentication == -1)
175 options->rsa_authentication = 1;
176 if (options->pubkey_authentication == -1)
177 options->pubkey_authentication = 1;
178 if (options->kerberos_authentication == -1)
179 options->kerberos_authentication = 0;
180 if (options->kerberos_or_local_passwd == -1)
181 options->kerberos_or_local_passwd = 1;
182 if (options->kerberos_ticket_cleanup == -1)
183 options->kerberos_ticket_cleanup = 1;
184 if (options->kerberos_get_afs_token == -1)
185 options->kerberos_get_afs_token = 0;
186 if (options->gss_authentication == -1)
187 options->gss_authentication = 0;
188 if (options->gss_cleanup_creds == -1)
189 options->gss_cleanup_creds = 1;
190 if (options->password_authentication == -1)
191#ifdef USE_PAM
192 options->password_authentication = 0;
193#else
194 options->password_authentication = 1;
195#endif
196 if (options->kbd_interactive_authentication == -1)
197 options->kbd_interactive_authentication = 0;
198 if (options->challenge_response_authentication == -1)
199 options->challenge_response_authentication = 1;
200 if (options->permit_empty_passwd == -1)
201 options->permit_empty_passwd = 0;
202 if (options->permit_user_env == -1)
203 options->permit_user_env = 0;
204 if (options->use_login == -1)
205 options->use_login = 0;
206 if (options->compression == -1)
207 options->compression = 1;
208 if (options->allow_tcp_forwarding == -1)
209 options->allow_tcp_forwarding = 1;
210 if (options->gateway_ports == -1)
211 options->gateway_ports = 0;
212 if (options->max_startups == -1)
213 options->max_startups = 10;
214 if (options->max_startups_rate == -1)
215 options->max_startups_rate = 100; /* 100% */
216 if (options->max_startups_begin == -1)
217 options->max_startups_begin = options->max_startups;
106
107 /* Needs to be accessable in many places */
108 use_privsep = -1;
109}
110
111void
112fill_default_server_options(ServerOptions *options)
113{
114 /* Portable-specific options */
115 if (options->use_pam == -1)
116 options->use_pam = 1;
117
118 /* Standard Options */
119 if (options->protocol == SSH_PROTO_UNKNOWN)
120 options->protocol = SSH_PROTO_2;
121 if (options->num_host_key_files == 0) {
122 /* fill default hostkeys for protocols */
123 if (options->protocol & SSH_PROTO_1)
124 options->host_key_files[options->num_host_key_files++] =
125 _PATH_HOST_KEY_FILE;
126 if (options->protocol & SSH_PROTO_2) {
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
129 }
130 }
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_NO;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 1;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192#ifdef USE_PAM
193 options->password_authentication = 0;
194#else
195 options->password_authentication = 1;
196#endif
197 if (options->kbd_interactive_authentication == -1)
198 options->kbd_interactive_authentication = 0;
199 if (options->challenge_response_authentication == -1)
200 options->challenge_response_authentication = 1;
201 if (options->permit_empty_passwd == -1)
202 options->permit_empty_passwd = 0;
203 if (options->permit_user_env == -1)
204 options->permit_user_env = 0;
205 if (options->use_login == -1)
206 options->use_login = 0;
207 if (options->compression == -1)
208 options->compression = 1;
209 if (options->allow_tcp_forwarding == -1)
210 options->allow_tcp_forwarding = 1;
211 if (options->gateway_ports == -1)
212 options->gateway_ports = 0;
213 if (options->max_startups == -1)
214 options->max_startups = 10;
215 if (options->max_startups_rate == -1)
216 options->max_startups_rate = 100; /* 100% */
217 if (options->max_startups_begin == -1)
218 options->max_startups_begin = options->max_startups;
219 if (options->max_authtries == -1)
220 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
218 if (options->use_dns == -1)
219 options->use_dns = 1;
220 if (options->client_alive_interval == -1)
221 options->client_alive_interval = 0;
222 if (options->client_alive_count_max == -1)
223 options->client_alive_count_max = 3;
224 if (options->authorized_keys_file2 == NULL) {
225 /* authorized_keys_file2 falls back to authorized_keys_file */
226 if (options->authorized_keys_file != NULL)
227 options->authorized_keys_file2 = options->authorized_keys_file;
228 else
229 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 }
231 if (options->authorized_keys_file == NULL)
232 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
233
234 /* Turn privilege separation on by default */
235 if (use_privsep == -1)
236 use_privsep = 1;
237
238#ifndef HAVE_MMAP
239 if (use_privsep && options->compression == 1) {
240 error("This platform does not support both privilege "
241 "separation and compression");
242 error("Compression disabled");
243 options->compression = 0;
244 }
245#endif
246
247}
248
249/* Keyword tokens. */
250typedef enum {
251 sBadOption, /* == unknown option */
252 /* Portable-specific options */
253 sUsePAM,
254 /* Standard Options */
255 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
256 sPermitRootLogin, sLogFacility, sLogLevel,
257 sRhostsRSAAuthentication, sRSAAuthentication,
258 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
259 sKerberosGetAFSToken,
260 sKerberosTgtPassing, sChallengeResponseAuthentication,
261 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
262 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
264 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
221 if (options->use_dns == -1)
222 options->use_dns = 1;
223 if (options->client_alive_interval == -1)
224 options->client_alive_interval = 0;
225 if (options->client_alive_count_max == -1)
226 options->client_alive_count_max = 3;
227 if (options->authorized_keys_file2 == NULL) {
228 /* authorized_keys_file2 falls back to authorized_keys_file */
229 if (options->authorized_keys_file != NULL)
230 options->authorized_keys_file2 = options->authorized_keys_file;
231 else
232 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
233 }
234 if (options->authorized_keys_file == NULL)
235 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
236
237 /* Turn privilege separation on by default */
238 if (use_privsep == -1)
239 use_privsep = 1;
240
241#ifndef HAVE_MMAP
242 if (use_privsep && options->compression == 1) {
243 error("This platform does not support both privilege "
244 "separation and compression");
245 error("Compression disabled");
246 options->compression = 0;
247 }
248#endif
249
250}
251
252/* Keyword tokens. */
253typedef enum {
254 sBadOption, /* == unknown option */
255 /* Portable-specific options */
256 sUsePAM,
257 /* Standard Options */
258 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
259 sPermitRootLogin, sLogFacility, sLogLevel,
260 sRhostsRSAAuthentication, sRSAAuthentication,
261 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
262 sKerberosGetAFSToken,
263 sKerberosTgtPassing, sChallengeResponseAuthentication,
264 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
265 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
267 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
272 sMaxStartups, sMaxAuthTries,
269 sBanner, sUseDNS, sHostbasedAuthentication,
270 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
271 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
273 sBanner, sUseDNS, sHostbasedAuthentication,
274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
272 sGssAuthentication, sGssCleanupCreds,
276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
273 sUsePrivilegeSeparation,
274 sVersionAddendum,
275 sDeprecated, sUnsupported
276} ServerOpCodes;
277
278/* Textual representation of the tokens. */
279static struct {
280 const char *name;
281 ServerOpCodes opcode;
282} keywords[] = {
283 /* Portable-specific options */
284#ifdef USE_PAM
285 { "usepam", sUsePAM },
286#else
287 { "usepam", sUnsupported },
288#endif
289 { "pamauthenticationviakbdint", sDeprecated },
290 /* Standard Options */
291 { "port", sPort },
292 { "hostkey", sHostKeyFile },
293 { "hostdsakey", sHostKeyFile }, /* alias */
294 { "pidfile", sPidFile },
295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
301 { "rhostsauthentication", sDeprecated },
302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
305 { "rsaauthentication", sRSAAuthentication },
306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
308#ifdef KRB5
309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
312#ifdef USE_AFS
313 { "kerberosgetafstoken", sKerberosGetAFSToken },
314#else
315 { "kerberosgetafstoken", sUnsupported },
316#endif
317#else
318 { "kerberosauthentication", sUnsupported },
319 { "kerberosorlocalpasswd", sUnsupported },
320 { "kerberosticketcleanup", sUnsupported },
321 { "kerberosgetafstoken", sUnsupported },
322#endif
323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
325#ifdef GSSAPI
326 { "gssapiauthentication", sGssAuthentication },
327 { "gssapicleanupcredentials", sGssCleanupCreds },
328#else
329 { "gssapiauthentication", sUnsupported },
330 { "gssapicleanupcredentials", sUnsupported },
331#endif
332 { "passwordauthentication", sPasswordAuthentication },
333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
334 { "challengeresponseauthentication", sChallengeResponseAuthentication },
335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
336 { "checkmail", sDeprecated },
337 { "listenaddress", sListenAddress },
338 { "printmotd", sPrintMotd },
339 { "printlastlog", sPrintLastLog },
340 { "ignorerhosts", sIgnoreRhosts },
341 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
342 { "x11forwarding", sX11Forwarding },
343 { "x11displayoffset", sX11DisplayOffset },
344 { "x11uselocalhost", sX11UseLocalhost },
345 { "xauthlocation", sXAuthLocation },
346 { "strictmodes", sStrictModes },
347 { "permitemptypasswords", sEmptyPasswd },
348 { "permituserenvironment", sPermitUserEnvironment },
349 { "uselogin", sUseLogin },
350 { "compression", sCompression },
351 { "tcpkeepalive", sTCPKeepAlive },
352 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
353 { "allowtcpforwarding", sAllowTcpForwarding },
354 { "allowusers", sAllowUsers },
355 { "denyusers", sDenyUsers },
356 { "allowgroups", sAllowGroups },
357 { "denygroups", sDenyGroups },
358 { "ciphers", sCiphers },
359 { "macs", sMacs },
360 { "protocol", sProtocol },
361 { "gatewayports", sGatewayPorts },
362 { "subsystem", sSubsystem },
363 { "maxstartups", sMaxStartups },
277 sUsePrivilegeSeparation,
278 sVersionAddendum,
279 sDeprecated, sUnsupported
280} ServerOpCodes;
281
282/* Textual representation of the tokens. */
283static struct {
284 const char *name;
285 ServerOpCodes opcode;
286} keywords[] = {
287 /* Portable-specific options */
288#ifdef USE_PAM
289 { "usepam", sUsePAM },
290#else
291 { "usepam", sUnsupported },
292#endif
293 { "pamauthenticationviakbdint", sDeprecated },
294 /* Standard Options */
295 { "port", sPort },
296 { "hostkey", sHostKeyFile },
297 { "hostdsakey", sHostKeyFile }, /* alias */
298 { "pidfile", sPidFile },
299 { "serverkeybits", sServerKeyBits },
300 { "logingracetime", sLoginGraceTime },
301 { "keyregenerationinterval", sKeyRegenerationTime },
302 { "permitrootlogin", sPermitRootLogin },
303 { "syslogfacility", sLogFacility },
304 { "loglevel", sLogLevel },
305 { "rhostsauthentication", sDeprecated },
306 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
307 { "hostbasedauthentication", sHostbasedAuthentication },
308 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
309 { "rsaauthentication", sRSAAuthentication },
310 { "pubkeyauthentication", sPubkeyAuthentication },
311 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
312#ifdef KRB5
313 { "kerberosauthentication", sKerberosAuthentication },
314 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
315 { "kerberosticketcleanup", sKerberosTicketCleanup },
316#ifdef USE_AFS
317 { "kerberosgetafstoken", sKerberosGetAFSToken },
318#else
319 { "kerberosgetafstoken", sUnsupported },
320#endif
321#else
322 { "kerberosauthentication", sUnsupported },
323 { "kerberosorlocalpasswd", sUnsupported },
324 { "kerberosticketcleanup", sUnsupported },
325 { "kerberosgetafstoken", sUnsupported },
326#endif
327 { "kerberostgtpassing", sUnsupported },
328 { "afstokenpassing", sUnsupported },
329#ifdef GSSAPI
330 { "gssapiauthentication", sGssAuthentication },
331 { "gssapicleanupcredentials", sGssCleanupCreds },
332#else
333 { "gssapiauthentication", sUnsupported },
334 { "gssapicleanupcredentials", sUnsupported },
335#endif
336 { "passwordauthentication", sPasswordAuthentication },
337 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
338 { "challengeresponseauthentication", sChallengeResponseAuthentication },
339 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
340 { "checkmail", sDeprecated },
341 { "listenaddress", sListenAddress },
342 { "printmotd", sPrintMotd },
343 { "printlastlog", sPrintLastLog },
344 { "ignorerhosts", sIgnoreRhosts },
345 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
346 { "x11forwarding", sX11Forwarding },
347 { "x11displayoffset", sX11DisplayOffset },
348 { "x11uselocalhost", sX11UseLocalhost },
349 { "xauthlocation", sXAuthLocation },
350 { "strictmodes", sStrictModes },
351 { "permitemptypasswords", sEmptyPasswd },
352 { "permituserenvironment", sPermitUserEnvironment },
353 { "uselogin", sUseLogin },
354 { "compression", sCompression },
355 { "tcpkeepalive", sTCPKeepAlive },
356 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
357 { "allowtcpforwarding", sAllowTcpForwarding },
358 { "allowusers", sAllowUsers },
359 { "denyusers", sDenyUsers },
360 { "allowgroups", sAllowGroups },
361 { "denygroups", sDenyGroups },
362 { "ciphers", sCiphers },
363 { "macs", sMacs },
364 { "protocol", sProtocol },
365 { "gatewayports", sGatewayPorts },
366 { "subsystem", sSubsystem },
367 { "maxstartups", sMaxStartups },
368 { "maxauthtries", sMaxAuthTries },
364 { "banner", sBanner },
365 { "usedns", sUseDNS },
366 { "verifyreversemapping", sDeprecated },
367 { "reversemappingcheck", sDeprecated },
368 { "clientaliveinterval", sClientAliveInterval },
369 { "clientalivecountmax", sClientAliveCountMax },
370 { "authorizedkeysfile", sAuthorizedKeysFile },
371 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
372 { "useprivilegeseparation", sUsePrivilegeSeparation},
369 { "banner", sBanner },
370 { "usedns", sUseDNS },
371 { "verifyreversemapping", sDeprecated },
372 { "reversemappingcheck", sDeprecated },
373 { "clientaliveinterval", sClientAliveInterval },
374 { "clientalivecountmax", sClientAliveCountMax },
375 { "authorizedkeysfile", sAuthorizedKeysFile },
376 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
377 { "useprivilegeseparation", sUsePrivilegeSeparation},
378 { "acceptenv", sAcceptEnv },
373 { "versionaddendum", sVersionAddendum },
374 { NULL, sBadOption }
375};
376
377/*
378 * Returns the number of the token pointed to by cp or sBadOption.
379 */
380
381static ServerOpCodes
382parse_token(const char *cp, const char *filename,
383 int linenum)
384{
385 u_int i;
386
387 for (i = 0; keywords[i].name; i++)
388 if (strcasecmp(cp, keywords[i].name) == 0)
389 return keywords[i].opcode;
390
391 error("%s: line %d: Bad configuration option: %s",
392 filename, linenum, cp);
393 return sBadOption;
394}
395
396static void
397add_listen_addr(ServerOptions *options, char *addr, u_short port)
398{
399 int i;
400
401 if (options->num_ports == 0)
402 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
403 if (port == 0)
404 for (i = 0; i < options->num_ports; i++)
405 add_one_listen_addr(options, addr, options->ports[i]);
406 else
407 add_one_listen_addr(options, addr, port);
408}
409
410static void
411add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
412{
413 struct addrinfo hints, *ai, *aitop;
414 char strport[NI_MAXSERV];
415 int gaierr;
416
417 memset(&hints, 0, sizeof(hints));
418 hints.ai_family = IPv4or6;
419 hints.ai_socktype = SOCK_STREAM;
420 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
421 snprintf(strport, sizeof strport, "%u", port);
422 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
423 fatal("bad addr or host: %s (%s)",
424 addr ? addr : "<NULL>",
425 gai_strerror(gaierr));
426 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
427 ;
428 ai->ai_next = options->listen_addrs;
429 options->listen_addrs = aitop;
430}
431
432int
433process_server_config_line(ServerOptions *options, char *line,
434 const char *filename, int linenum)
435{
436 char *cp, **charptr, *arg, *p;
437 int *intptr, value, i, n;
438 ServerOpCodes opcode;
439
440 cp = line;
441 arg = strdelim(&cp);
442 /* Ignore leading whitespace */
443 if (*arg == '\0')
444 arg = strdelim(&cp);
445 if (!arg || !*arg || *arg == '#')
446 return 0;
447 intptr = NULL;
448 charptr = NULL;
449 opcode = parse_token(arg, filename, linenum);
450 switch (opcode) {
451 /* Portable-specific options */
452 case sUsePAM:
453 intptr = &options->use_pam;
454 goto parse_flag;
455
456 /* Standard Options */
457 case sBadOption:
458 return -1;
459 case sPort:
460 /* ignore ports from configfile if cmdline specifies ports */
461 if (options->ports_from_cmdline)
462 return 0;
463 if (options->listen_addrs != NULL)
464 fatal("%s line %d: ports must be specified before "
465 "ListenAddress.", filename, linenum);
466 if (options->num_ports >= MAX_PORTS)
467 fatal("%s line %d: too many ports.",
468 filename, linenum);
469 arg = strdelim(&cp);
470 if (!arg || *arg == '\0')
471 fatal("%s line %d: missing port number.",
472 filename, linenum);
473 options->ports[options->num_ports++] = a2port(arg);
474 if (options->ports[options->num_ports-1] == 0)
475 fatal("%s line %d: Badly formatted port number.",
476 filename, linenum);
477 break;
478
479 case sServerKeyBits:
480 intptr = &options->server_key_bits;
481parse_int:
482 arg = strdelim(&cp);
483 if (!arg || *arg == '\0')
484 fatal("%s line %d: missing integer value.",
485 filename, linenum);
486 value = atoi(arg);
487 if (*intptr == -1)
488 *intptr = value;
489 break;
490
491 case sLoginGraceTime:
492 intptr = &options->login_grace_time;
493parse_time:
494 arg = strdelim(&cp);
495 if (!arg || *arg == '\0')
496 fatal("%s line %d: missing time value.",
497 filename, linenum);
498 if ((value = convtime(arg)) == -1)
499 fatal("%s line %d: invalid time value.",
500 filename, linenum);
501 if (*intptr == -1)
502 *intptr = value;
503 break;
504
505 case sKeyRegenerationTime:
506 intptr = &options->key_regeneration_time;
507 goto parse_time;
508
509 case sListenAddress:
510 arg = strdelim(&cp);
511 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
512 fatal("%s line %d: missing inet addr.",
513 filename, linenum);
514 if (*arg == '[') {
515 if ((p = strchr(arg, ']')) == NULL)
516 fatal("%s line %d: bad ipv6 inet addr usage.",
517 filename, linenum);
518 arg++;
519 memmove(p, p+1, strlen(p+1)+1);
520 } else if (((p = strchr(arg, ':')) == NULL) ||
521 (strchr(p+1, ':') != NULL)) {
522 add_listen_addr(options, arg, 0);
523 break;
524 }
525 if (*p == ':') {
526 u_short port;
527
528 p++;
529 if (*p == '\0')
530 fatal("%s line %d: bad inet addr:port usage.",
531 filename, linenum);
532 else {
533 *(p-1) = '\0';
534 if ((port = a2port(p)) == 0)
535 fatal("%s line %d: bad port number.",
536 filename, linenum);
537 add_listen_addr(options, arg, port);
538 }
539 } else if (*p == '\0')
540 add_listen_addr(options, arg, 0);
541 else
542 fatal("%s line %d: bad inet addr usage.",
543 filename, linenum);
544 break;
545
546 case sHostKeyFile:
547 intptr = &options->num_host_key_files;
548 if (*intptr >= MAX_HOSTKEYS)
549 fatal("%s line %d: too many host keys specified (max %d).",
550 filename, linenum, MAX_HOSTKEYS);
551 charptr = &options->host_key_files[*intptr];
552parse_filename:
553 arg = strdelim(&cp);
554 if (!arg || *arg == '\0')
555 fatal("%s line %d: missing file name.",
556 filename, linenum);
557 if (*charptr == NULL) {
558 *charptr = tilde_expand_filename(arg, getuid());
559 /* increase optional counter */
560 if (intptr != NULL)
561 *intptr = *intptr + 1;
562 }
563 break;
564
565 case sPidFile:
566 charptr = &options->pid_file;
567 goto parse_filename;
568
569 case sPermitRootLogin:
570 intptr = &options->permit_root_login;
571 arg = strdelim(&cp);
572 if (!arg || *arg == '\0')
573 fatal("%s line %d: missing yes/"
574 "without-password/forced-commands-only/no "
575 "argument.", filename, linenum);
576 value = 0; /* silence compiler */
577 if (strcmp(arg, "without-password") == 0)
578 value = PERMIT_NO_PASSWD;
579 else if (strcmp(arg, "forced-commands-only") == 0)
580 value = PERMIT_FORCED_ONLY;
581 else if (strcmp(arg, "yes") == 0)
582 value = PERMIT_YES;
583 else if (strcmp(arg, "no") == 0)
584 value = PERMIT_NO;
585 else
586 fatal("%s line %d: Bad yes/"
587 "without-password/forced-commands-only/no "
588 "argument: %s", filename, linenum, arg);
589 if (*intptr == -1)
590 *intptr = value;
591 break;
592
593 case sIgnoreRhosts:
594 intptr = &options->ignore_rhosts;
595parse_flag:
596 arg = strdelim(&cp);
597 if (!arg || *arg == '\0')
598 fatal("%s line %d: missing yes/no argument.",
599 filename, linenum);
600 value = 0; /* silence compiler */
601 if (strcmp(arg, "yes") == 0)
602 value = 1;
603 else if (strcmp(arg, "no") == 0)
604 value = 0;
605 else
606 fatal("%s line %d: Bad yes/no argument: %s",
607 filename, linenum, arg);
608 if (*intptr == -1)
609 *intptr = value;
610 break;
611
612 case sIgnoreUserKnownHosts:
613 intptr = &options->ignore_user_known_hosts;
614 goto parse_flag;
615
616 case sRhostsRSAAuthentication:
617 intptr = &options->rhosts_rsa_authentication;
618 goto parse_flag;
619
620 case sHostbasedAuthentication:
621 intptr = &options->hostbased_authentication;
622 goto parse_flag;
623
624 case sHostbasedUsesNameFromPacketOnly:
625 intptr = &options->hostbased_uses_name_from_packet_only;
626 goto parse_flag;
627
628 case sRSAAuthentication:
629 intptr = &options->rsa_authentication;
630 goto parse_flag;
631
632 case sPubkeyAuthentication:
633 intptr = &options->pubkey_authentication;
634 goto parse_flag;
635
636 case sKerberosAuthentication:
637 intptr = &options->kerberos_authentication;
638 goto parse_flag;
639
640 case sKerberosOrLocalPasswd:
641 intptr = &options->kerberos_or_local_passwd;
642 goto parse_flag;
643
644 case sKerberosTicketCleanup:
645 intptr = &options->kerberos_ticket_cleanup;
646 goto parse_flag;
647
648 case sKerberosGetAFSToken:
649 intptr = &options->kerberos_get_afs_token;
650 goto parse_flag;
651
652 case sGssAuthentication:
653 intptr = &options->gss_authentication;
654 goto parse_flag;
655
656 case sGssCleanupCreds:
657 intptr = &options->gss_cleanup_creds;
658 goto parse_flag;
659
660 case sPasswordAuthentication:
661 intptr = &options->password_authentication;
662 goto parse_flag;
663
664 case sKbdInteractiveAuthentication:
665 intptr = &options->kbd_interactive_authentication;
666 goto parse_flag;
667
668 case sChallengeResponseAuthentication:
669 intptr = &options->challenge_response_authentication;
670 goto parse_flag;
671
672 case sPrintMotd:
673 intptr = &options->print_motd;
674 goto parse_flag;
675
676 case sPrintLastLog:
677 intptr = &options->print_lastlog;
678 goto parse_flag;
679
680 case sX11Forwarding:
681 intptr = &options->x11_forwarding;
682 goto parse_flag;
683
684 case sX11DisplayOffset:
685 intptr = &options->x11_display_offset;
686 goto parse_int;
687
688 case sX11UseLocalhost:
689 intptr = &options->x11_use_localhost;
690 goto parse_flag;
691
692 case sXAuthLocation:
693 charptr = &options->xauth_location;
694 goto parse_filename;
695
696 case sStrictModes:
697 intptr = &options->strict_modes;
698 goto parse_flag;
699
700 case sTCPKeepAlive:
701 intptr = &options->tcp_keep_alive;
702 goto parse_flag;
703
704 case sEmptyPasswd:
705 intptr = &options->permit_empty_passwd;
706 goto parse_flag;
707
708 case sPermitUserEnvironment:
709 intptr = &options->permit_user_env;
710 goto parse_flag;
711
712 case sUseLogin:
713 intptr = &options->use_login;
714 goto parse_flag;
715
716 case sCompression:
717 intptr = &options->compression;
718 goto parse_flag;
719
720 case sGatewayPorts:
721 intptr = &options->gateway_ports;
722 goto parse_flag;
723
724 case sUseDNS:
725 intptr = &options->use_dns;
726 goto parse_flag;
727
728 case sLogFacility:
729 intptr = (int *) &options->log_facility;
730 arg = strdelim(&cp);
731 value = log_facility_number(arg);
732 if (value == SYSLOG_FACILITY_NOT_SET)
733 fatal("%.200s line %d: unsupported log facility '%s'",
734 filename, linenum, arg ? arg : "<NONE>");
735 if (*intptr == -1)
736 *intptr = (SyslogFacility) value;
737 break;
738
739 case sLogLevel:
740 intptr = (int *) &options->log_level;
741 arg = strdelim(&cp);
742 value = log_level_number(arg);
743 if (value == SYSLOG_LEVEL_NOT_SET)
744 fatal("%.200s line %d: unsupported log level '%s'",
745 filename, linenum, arg ? arg : "<NONE>");
746 if (*intptr == -1)
747 *intptr = (LogLevel) value;
748 break;
749
750 case sAllowTcpForwarding:
751 intptr = &options->allow_tcp_forwarding;
752 goto parse_flag;
753
754 case sUsePrivilegeSeparation:
755 intptr = &use_privsep;
756 goto parse_flag;
757
758 case sAllowUsers:
759 while ((arg = strdelim(&cp)) && *arg != '\0') {
760 if (options->num_allow_users >= MAX_ALLOW_USERS)
761 fatal("%s line %d: too many allow users.",
762 filename, linenum);
763 options->allow_users[options->num_allow_users++] =
764 xstrdup(arg);
765 }
766 break;
767
768 case sDenyUsers:
769 while ((arg = strdelim(&cp)) && *arg != '\0') {
770 if (options->num_deny_users >= MAX_DENY_USERS)
771 fatal( "%s line %d: too many deny users.",
772 filename, linenum);
773 options->deny_users[options->num_deny_users++] =
774 xstrdup(arg);
775 }
776 break;
777
778 case sAllowGroups:
779 while ((arg = strdelim(&cp)) && *arg != '\0') {
780 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
781 fatal("%s line %d: too many allow groups.",
782 filename, linenum);
783 options->allow_groups[options->num_allow_groups++] =
784 xstrdup(arg);
785 }
786 break;
787
788 case sDenyGroups:
789 while ((arg = strdelim(&cp)) && *arg != '\0') {
790 if (options->num_deny_groups >= MAX_DENY_GROUPS)
791 fatal("%s line %d: too many deny groups.",
792 filename, linenum);
793 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
794 }
795 break;
796
797 case sCiphers:
798 arg = strdelim(&cp);
799 if (!arg || *arg == '\0')
800 fatal("%s line %d: Missing argument.", filename, linenum);
801 if (!ciphers_valid(arg))
802 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
803 filename, linenum, arg ? arg : "<NONE>");
804 if (options->ciphers == NULL)
805 options->ciphers = xstrdup(arg);
806 break;
807
808 case sMacs:
809 arg = strdelim(&cp);
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: Missing argument.", filename, linenum);
812 if (!mac_valid(arg))
813 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
814 filename, linenum, arg ? arg : "<NONE>");
815 if (options->macs == NULL)
816 options->macs = xstrdup(arg);
817 break;
818
819 case sProtocol:
820 intptr = &options->protocol;
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing argument.", filename, linenum);
824 value = proto_spec(arg);
825 if (value == SSH_PROTO_UNKNOWN)
826 fatal("%s line %d: Bad protocol spec '%s'.",
827 filename, linenum, arg ? arg : "<NONE>");
828 if (*intptr == SSH_PROTO_UNKNOWN)
829 *intptr = value;
830 break;
831
832 case sSubsystem:
833 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
834 fatal("%s line %d: too many subsystems defined.",
835 filename, linenum);
836 }
837 arg = strdelim(&cp);
838 if (!arg || *arg == '\0')
839 fatal("%s line %d: Missing subsystem name.",
840 filename, linenum);
841 for (i = 0; i < options->num_subsystems; i++)
842 if (strcmp(arg, options->subsystem_name[i]) == 0)
843 fatal("%s line %d: Subsystem '%s' already defined.",
844 filename, linenum, arg);
845 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
846 arg = strdelim(&cp);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing subsystem command.",
849 filename, linenum);
850 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
851 options->num_subsystems++;
852 break;
853
854 case sMaxStartups:
855 arg = strdelim(&cp);
856 if (!arg || *arg == '\0')
857 fatal("%s line %d: Missing MaxStartups spec.",
858 filename, linenum);
859 if ((n = sscanf(arg, "%d:%d:%d",
860 &options->max_startups_begin,
861 &options->max_startups_rate,
862 &options->max_startups)) == 3) {
863 if (options->max_startups_begin >
864 options->max_startups ||
865 options->max_startups_rate > 100 ||
866 options->max_startups_rate < 1)
867 fatal("%s line %d: Illegal MaxStartups spec.",
868 filename, linenum);
869 } else if (n != 1)
870 fatal("%s line %d: Illegal MaxStartups spec.",
871 filename, linenum);
872 else
873 options->max_startups = options->max_startups_begin;
874 break;
875
379 { "versionaddendum", sVersionAddendum },
380 { NULL, sBadOption }
381};
382
383/*
384 * Returns the number of the token pointed to by cp or sBadOption.
385 */
386
387static ServerOpCodes
388parse_token(const char *cp, const char *filename,
389 int linenum)
390{
391 u_int i;
392
393 for (i = 0; keywords[i].name; i++)
394 if (strcasecmp(cp, keywords[i].name) == 0)
395 return keywords[i].opcode;
396
397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
399 return sBadOption;
400}
401
402static void
403add_listen_addr(ServerOptions *options, char *addr, u_short port)
404{
405 int i;
406
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
409 if (port == 0)
410 for (i = 0; i < options->num_ports; i++)
411 add_one_listen_addr(options, addr, options->ports[i]);
412 else
413 add_one_listen_addr(options, addr, port);
414}
415
416static void
417add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
418{
419 struct addrinfo hints, *ai, *aitop;
420 char strport[NI_MAXSERV];
421 int gaierr;
422
423 memset(&hints, 0, sizeof(hints));
424 hints.ai_family = IPv4or6;
425 hints.ai_socktype = SOCK_STREAM;
426 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
427 snprintf(strport, sizeof strport, "%u", port);
428 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
429 fatal("bad addr or host: %s (%s)",
430 addr ? addr : "<NULL>",
431 gai_strerror(gaierr));
432 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
433 ;
434 ai->ai_next = options->listen_addrs;
435 options->listen_addrs = aitop;
436}
437
438int
439process_server_config_line(ServerOptions *options, char *line,
440 const char *filename, int linenum)
441{
442 char *cp, **charptr, *arg, *p;
443 int *intptr, value, i, n;
444 ServerOpCodes opcode;
445
446 cp = line;
447 arg = strdelim(&cp);
448 /* Ignore leading whitespace */
449 if (*arg == '\0')
450 arg = strdelim(&cp);
451 if (!arg || !*arg || *arg == '#')
452 return 0;
453 intptr = NULL;
454 charptr = NULL;
455 opcode = parse_token(arg, filename, linenum);
456 switch (opcode) {
457 /* Portable-specific options */
458 case sUsePAM:
459 intptr = &options->use_pam;
460 goto parse_flag;
461
462 /* Standard Options */
463 case sBadOption:
464 return -1;
465 case sPort:
466 /* ignore ports from configfile if cmdline specifies ports */
467 if (options->ports_from_cmdline)
468 return 0;
469 if (options->listen_addrs != NULL)
470 fatal("%s line %d: ports must be specified before "
471 "ListenAddress.", filename, linenum);
472 if (options->num_ports >= MAX_PORTS)
473 fatal("%s line %d: too many ports.",
474 filename, linenum);
475 arg = strdelim(&cp);
476 if (!arg || *arg == '\0')
477 fatal("%s line %d: missing port number.",
478 filename, linenum);
479 options->ports[options->num_ports++] = a2port(arg);
480 if (options->ports[options->num_ports-1] == 0)
481 fatal("%s line %d: Badly formatted port number.",
482 filename, linenum);
483 break;
484
485 case sServerKeyBits:
486 intptr = &options->server_key_bits;
487parse_int:
488 arg = strdelim(&cp);
489 if (!arg || *arg == '\0')
490 fatal("%s line %d: missing integer value.",
491 filename, linenum);
492 value = atoi(arg);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sLoginGraceTime:
498 intptr = &options->login_grace_time;
499parse_time:
500 arg = strdelim(&cp);
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing time value.",
503 filename, linenum);
504 if ((value = convtime(arg)) == -1)
505 fatal("%s line %d: invalid time value.",
506 filename, linenum);
507 if (*intptr == -1)
508 *intptr = value;
509 break;
510
511 case sKeyRegenerationTime:
512 intptr = &options->key_regeneration_time;
513 goto parse_time;
514
515 case sListenAddress:
516 arg = strdelim(&cp);
517 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
518 fatal("%s line %d: missing inet addr.",
519 filename, linenum);
520 if (*arg == '[') {
521 if ((p = strchr(arg, ']')) == NULL)
522 fatal("%s line %d: bad ipv6 inet addr usage.",
523 filename, linenum);
524 arg++;
525 memmove(p, p+1, strlen(p+1)+1);
526 } else if (((p = strchr(arg, ':')) == NULL) ||
527 (strchr(p+1, ':') != NULL)) {
528 add_listen_addr(options, arg, 0);
529 break;
530 }
531 if (*p == ':') {
532 u_short port;
533
534 p++;
535 if (*p == '\0')
536 fatal("%s line %d: bad inet addr:port usage.",
537 filename, linenum);
538 else {
539 *(p-1) = '\0';
540 if ((port = a2port(p)) == 0)
541 fatal("%s line %d: bad port number.",
542 filename, linenum);
543 add_listen_addr(options, arg, port);
544 }
545 } else if (*p == '\0')
546 add_listen_addr(options, arg, 0);
547 else
548 fatal("%s line %d: bad inet addr usage.",
549 filename, linenum);
550 break;
551
552 case sHostKeyFile:
553 intptr = &options->num_host_key_files;
554 if (*intptr >= MAX_HOSTKEYS)
555 fatal("%s line %d: too many host keys specified (max %d).",
556 filename, linenum, MAX_HOSTKEYS);
557 charptr = &options->host_key_files[*intptr];
558parse_filename:
559 arg = strdelim(&cp);
560 if (!arg || *arg == '\0')
561 fatal("%s line %d: missing file name.",
562 filename, linenum);
563 if (*charptr == NULL) {
564 *charptr = tilde_expand_filename(arg, getuid());
565 /* increase optional counter */
566 if (intptr != NULL)
567 *intptr = *intptr + 1;
568 }
569 break;
570
571 case sPidFile:
572 charptr = &options->pid_file;
573 goto parse_filename;
574
575 case sPermitRootLogin:
576 intptr = &options->permit_root_login;
577 arg = strdelim(&cp);
578 if (!arg || *arg == '\0')
579 fatal("%s line %d: missing yes/"
580 "without-password/forced-commands-only/no "
581 "argument.", filename, linenum);
582 value = 0; /* silence compiler */
583 if (strcmp(arg, "without-password") == 0)
584 value = PERMIT_NO_PASSWD;
585 else if (strcmp(arg, "forced-commands-only") == 0)
586 value = PERMIT_FORCED_ONLY;
587 else if (strcmp(arg, "yes") == 0)
588 value = PERMIT_YES;
589 else if (strcmp(arg, "no") == 0)
590 value = PERMIT_NO;
591 else
592 fatal("%s line %d: Bad yes/"
593 "without-password/forced-commands-only/no "
594 "argument: %s", filename, linenum, arg);
595 if (*intptr == -1)
596 *intptr = value;
597 break;
598
599 case sIgnoreRhosts:
600 intptr = &options->ignore_rhosts;
601parse_flag:
602 arg = strdelim(&cp);
603 if (!arg || *arg == '\0')
604 fatal("%s line %d: missing yes/no argument.",
605 filename, linenum);
606 value = 0; /* silence compiler */
607 if (strcmp(arg, "yes") == 0)
608 value = 1;
609 else if (strcmp(arg, "no") == 0)
610 value = 0;
611 else
612 fatal("%s line %d: Bad yes/no argument: %s",
613 filename, linenum, arg);
614 if (*intptr == -1)
615 *intptr = value;
616 break;
617
618 case sIgnoreUserKnownHosts:
619 intptr = &options->ignore_user_known_hosts;
620 goto parse_flag;
621
622 case sRhostsRSAAuthentication:
623 intptr = &options->rhosts_rsa_authentication;
624 goto parse_flag;
625
626 case sHostbasedAuthentication:
627 intptr = &options->hostbased_authentication;
628 goto parse_flag;
629
630 case sHostbasedUsesNameFromPacketOnly:
631 intptr = &options->hostbased_uses_name_from_packet_only;
632 goto parse_flag;
633
634 case sRSAAuthentication:
635 intptr = &options->rsa_authentication;
636 goto parse_flag;
637
638 case sPubkeyAuthentication:
639 intptr = &options->pubkey_authentication;
640 goto parse_flag;
641
642 case sKerberosAuthentication:
643 intptr = &options->kerberos_authentication;
644 goto parse_flag;
645
646 case sKerberosOrLocalPasswd:
647 intptr = &options->kerberos_or_local_passwd;
648 goto parse_flag;
649
650 case sKerberosTicketCleanup:
651 intptr = &options->kerberos_ticket_cleanup;
652 goto parse_flag;
653
654 case sKerberosGetAFSToken:
655 intptr = &options->kerberos_get_afs_token;
656 goto parse_flag;
657
658 case sGssAuthentication:
659 intptr = &options->gss_authentication;
660 goto parse_flag;
661
662 case sGssCleanupCreds:
663 intptr = &options->gss_cleanup_creds;
664 goto parse_flag;
665
666 case sPasswordAuthentication:
667 intptr = &options->password_authentication;
668 goto parse_flag;
669
670 case sKbdInteractiveAuthentication:
671 intptr = &options->kbd_interactive_authentication;
672 goto parse_flag;
673
674 case sChallengeResponseAuthentication:
675 intptr = &options->challenge_response_authentication;
676 goto parse_flag;
677
678 case sPrintMotd:
679 intptr = &options->print_motd;
680 goto parse_flag;
681
682 case sPrintLastLog:
683 intptr = &options->print_lastlog;
684 goto parse_flag;
685
686 case sX11Forwarding:
687 intptr = &options->x11_forwarding;
688 goto parse_flag;
689
690 case sX11DisplayOffset:
691 intptr = &options->x11_display_offset;
692 goto parse_int;
693
694 case sX11UseLocalhost:
695 intptr = &options->x11_use_localhost;
696 goto parse_flag;
697
698 case sXAuthLocation:
699 charptr = &options->xauth_location;
700 goto parse_filename;
701
702 case sStrictModes:
703 intptr = &options->strict_modes;
704 goto parse_flag;
705
706 case sTCPKeepAlive:
707 intptr = &options->tcp_keep_alive;
708 goto parse_flag;
709
710 case sEmptyPasswd:
711 intptr = &options->permit_empty_passwd;
712 goto parse_flag;
713
714 case sPermitUserEnvironment:
715 intptr = &options->permit_user_env;
716 goto parse_flag;
717
718 case sUseLogin:
719 intptr = &options->use_login;
720 goto parse_flag;
721
722 case sCompression:
723 intptr = &options->compression;
724 goto parse_flag;
725
726 case sGatewayPorts:
727 intptr = &options->gateway_ports;
728 goto parse_flag;
729
730 case sUseDNS:
731 intptr = &options->use_dns;
732 goto parse_flag;
733
734 case sLogFacility:
735 intptr = (int *) &options->log_facility;
736 arg = strdelim(&cp);
737 value = log_facility_number(arg);
738 if (value == SYSLOG_FACILITY_NOT_SET)
739 fatal("%.200s line %d: unsupported log facility '%s'",
740 filename, linenum, arg ? arg : "<NONE>");
741 if (*intptr == -1)
742 *intptr = (SyslogFacility) value;
743 break;
744
745 case sLogLevel:
746 intptr = (int *) &options->log_level;
747 arg = strdelim(&cp);
748 value = log_level_number(arg);
749 if (value == SYSLOG_LEVEL_NOT_SET)
750 fatal("%.200s line %d: unsupported log level '%s'",
751 filename, linenum, arg ? arg : "<NONE>");
752 if (*intptr == -1)
753 *intptr = (LogLevel) value;
754 break;
755
756 case sAllowTcpForwarding:
757 intptr = &options->allow_tcp_forwarding;
758 goto parse_flag;
759
760 case sUsePrivilegeSeparation:
761 intptr = &use_privsep;
762 goto parse_flag;
763
764 case sAllowUsers:
765 while ((arg = strdelim(&cp)) && *arg != '\0') {
766 if (options->num_allow_users >= MAX_ALLOW_USERS)
767 fatal("%s line %d: too many allow users.",
768 filename, linenum);
769 options->allow_users[options->num_allow_users++] =
770 xstrdup(arg);
771 }
772 break;
773
774 case sDenyUsers:
775 while ((arg = strdelim(&cp)) && *arg != '\0') {
776 if (options->num_deny_users >= MAX_DENY_USERS)
777 fatal( "%s line %d: too many deny users.",
778 filename, linenum);
779 options->deny_users[options->num_deny_users++] =
780 xstrdup(arg);
781 }
782 break;
783
784 case sAllowGroups:
785 while ((arg = strdelim(&cp)) && *arg != '\0') {
786 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
787 fatal("%s line %d: too many allow groups.",
788 filename, linenum);
789 options->allow_groups[options->num_allow_groups++] =
790 xstrdup(arg);
791 }
792 break;
793
794 case sDenyGroups:
795 while ((arg = strdelim(&cp)) && *arg != '\0') {
796 if (options->num_deny_groups >= MAX_DENY_GROUPS)
797 fatal("%s line %d: too many deny groups.",
798 filename, linenum);
799 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
800 }
801 break;
802
803 case sCiphers:
804 arg = strdelim(&cp);
805 if (!arg || *arg == '\0')
806 fatal("%s line %d: Missing argument.", filename, linenum);
807 if (!ciphers_valid(arg))
808 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
809 filename, linenum, arg ? arg : "<NONE>");
810 if (options->ciphers == NULL)
811 options->ciphers = xstrdup(arg);
812 break;
813
814 case sMacs:
815 arg = strdelim(&cp);
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: Missing argument.", filename, linenum);
818 if (!mac_valid(arg))
819 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
820 filename, linenum, arg ? arg : "<NONE>");
821 if (options->macs == NULL)
822 options->macs = xstrdup(arg);
823 break;
824
825 case sProtocol:
826 intptr = &options->protocol;
827 arg = strdelim(&cp);
828 if (!arg || *arg == '\0')
829 fatal("%s line %d: Missing argument.", filename, linenum);
830 value = proto_spec(arg);
831 if (value == SSH_PROTO_UNKNOWN)
832 fatal("%s line %d: Bad protocol spec '%s'.",
833 filename, linenum, arg ? arg : "<NONE>");
834 if (*intptr == SSH_PROTO_UNKNOWN)
835 *intptr = value;
836 break;
837
838 case sSubsystem:
839 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
840 fatal("%s line %d: too many subsystems defined.",
841 filename, linenum);
842 }
843 arg = strdelim(&cp);
844 if (!arg || *arg == '\0')
845 fatal("%s line %d: Missing subsystem name.",
846 filename, linenum);
847 for (i = 0; i < options->num_subsystems; i++)
848 if (strcmp(arg, options->subsystem_name[i]) == 0)
849 fatal("%s line %d: Subsystem '%s' already defined.",
850 filename, linenum, arg);
851 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
852 arg = strdelim(&cp);
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: Missing subsystem command.",
855 filename, linenum);
856 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
857 options->num_subsystems++;
858 break;
859
860 case sMaxStartups:
861 arg = strdelim(&cp);
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing MaxStartups spec.",
864 filename, linenum);
865 if ((n = sscanf(arg, "%d:%d:%d",
866 &options->max_startups_begin,
867 &options->max_startups_rate,
868 &options->max_startups)) == 3) {
869 if (options->max_startups_begin >
870 options->max_startups ||
871 options->max_startups_rate > 100 ||
872 options->max_startups_rate < 1)
873 fatal("%s line %d: Illegal MaxStartups spec.",
874 filename, linenum);
875 } else if (n != 1)
876 fatal("%s line %d: Illegal MaxStartups spec.",
877 filename, linenum);
878 else
879 options->max_startups = options->max_startups_begin;
880 break;
881
882 case sMaxAuthTries:
883 intptr = &options->max_authtries;
884 goto parse_int;
885
876 case sBanner:
877 charptr = &options->banner;
878 goto parse_filename;
879 /*
880 * These options can contain %X options expanded at
881 * connect time, so that you can specify paths like:
882 *
883 * AuthorizedKeysFile /etc/ssh_keys/%u
884 */
885 case sAuthorizedKeysFile:
886 case sAuthorizedKeysFile2:
887 charptr = (opcode == sAuthorizedKeysFile ) ?
888 &options->authorized_keys_file :
889 &options->authorized_keys_file2;
890 goto parse_filename;
891
892 case sClientAliveInterval:
893 intptr = &options->client_alive_interval;
894 goto parse_time;
895
896 case sClientAliveCountMax:
897 intptr = &options->client_alive_count_max;
898 goto parse_int;
899
886 case sBanner:
887 charptr = &options->banner;
888 goto parse_filename;
889 /*
890 * These options can contain %X options expanded at
891 * connect time, so that you can specify paths like:
892 *
893 * AuthorizedKeysFile /etc/ssh_keys/%u
894 */
895 case sAuthorizedKeysFile:
896 case sAuthorizedKeysFile2:
897 charptr = (opcode == sAuthorizedKeysFile ) ?
898 &options->authorized_keys_file :
899 &options->authorized_keys_file2;
900 goto parse_filename;
901
902 case sClientAliveInterval:
903 intptr = &options->client_alive_interval;
904 goto parse_time;
905
906 case sClientAliveCountMax:
907 intptr = &options->client_alive_count_max;
908 goto parse_int;
909
910 case sAcceptEnv:
911 while ((arg = strdelim(&cp)) && *arg != '\0') {
912 if (strchr(arg, '=') != NULL)
913 fatal("%s line %d: Invalid environment name.",
914 filename, linenum);
915 if (options->num_accept_env >= MAX_ACCEPT_ENV)
916 fatal("%s line %d: too many allow env.",
917 filename, linenum);
918 options->accept_env[options->num_accept_env++] =
919 xstrdup(arg);
920 }
921 break;
922
900 case sVersionAddendum:
901 ssh_version_set_addendum(strtok(cp, "\n"));
902 do {
903 arg = strdelim(&cp);
904 } while (arg != NULL && *arg != '\0');
905 break;
906
907 case sDeprecated:
908 logit("%s line %d: Deprecated option %s",
909 filename, linenum, arg);
910 while (arg)
911 arg = strdelim(&cp);
912 break;
913
914 case sUnsupported:
915 logit("%s line %d: Unsupported option %s",
916 filename, linenum, arg);
917 while (arg)
918 arg = strdelim(&cp);
919 break;
920
921 default:
922 fatal("%s line %d: Missing handler for opcode %s (%d)",
923 filename, linenum, arg, opcode);
924 }
925 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
926 fatal("%s line %d: garbage at end of line; \"%.200s\".",
927 filename, linenum, arg);
928 return 0;
929}
930
931/* Reads the server configuration file. */
932
933void
923 case sVersionAddendum:
924 ssh_version_set_addendum(strtok(cp, "\n"));
925 do {
926 arg = strdelim(&cp);
927 } while (arg != NULL && *arg != '\0');
928 break;
929
930 case sDeprecated:
931 logit("%s line %d: Deprecated option %s",
932 filename, linenum, arg);
933 while (arg)
934 arg = strdelim(&cp);
935 break;
936
937 case sUnsupported:
938 logit("%s line %d: Unsupported option %s",
939 filename, linenum, arg);
940 while (arg)
941 arg = strdelim(&cp);
942 break;
943
944 default:
945 fatal("%s line %d: Missing handler for opcode %s (%d)",
946 filename, linenum, arg, opcode);
947 }
948 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
949 fatal("%s line %d: garbage at end of line; \"%.200s\".",
950 filename, linenum, arg);
951 return 0;
952}
953
954/* Reads the server configuration file. */
955
956void
934read_server_config(ServerOptions *options, const char *filename)
957load_server_config(const char *filename, Buffer *conf)
935{
958{
936 int linenum, bad_options = 0;
937 char line[1024];
959 char line[1024], *cp;
938 FILE *f;
939
960 FILE *f;
961
940 debug2("read_server_config: filename %s", filename);
941 f = fopen(filename, "r");
942 if (!f) {
962 debug2("%s: filename %s", __func__, filename);
963 if ((f = fopen(filename, "r")) == NULL) {
943 perror(filename);
944 exit(1);
945 }
964 perror(filename);
965 exit(1);
966 }
946 linenum = 0;
967 buffer_clear(conf);
947 while (fgets(line, sizeof(line), f)) {
968 while (fgets(line, sizeof(line), f)) {
948 /* Update line number counter. */
949 linenum++;
950 if (process_server_config_line(options, line, filename, linenum) != 0)
951 bad_options++;
969 /*
970 * Trim out comments and strip whitespace
971 * NB - preserve newlines, they are needed to reproduce
972 * line numbers later for error messages
973 */
974 if ((cp = strchr(line, '#')) != NULL)
975 memcpy(cp, "\n", 2);
976 cp = line + strspn(line, " \t\r");
977
978 buffer_append(conf, cp, strlen(cp));
952 }
979 }
980 buffer_append(conf, "\0", 1);
953 fclose(f);
981 fclose(f);
982 debug2("%s: done config len = %d", __func__, buffer_len(conf));
983}
984
985void
986parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
987{
988 int linenum, bad_options = 0;
989 char *cp, *obuf, *cbuf;
990
991 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
992
993 obuf = cbuf = xstrdup(buffer_ptr(conf));
994 linenum = 1;
995 while((cp = strsep(&cbuf, "\n")) != NULL) {
996 if (process_server_config_line(options, cp, filename,
997 linenum++) != 0)
998 bad_options++;
999 }
1000 xfree(obuf);
954 if (bad_options > 0)
955 fatal("%s: terminating, %d bad configuration options",
956 filename, bad_options);
957}
1001 if (bad_options > 0)
1002 fatal("%s: terminating, %d bad configuration options",
1003 filename, bad_options);
1004}