servconf.h revision 248619
190075Sobrien/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ 2132718Skan/* $FreeBSD: head/crypto/openssh/servconf.h 248619 2013-03-22 17:55:38Z des $ */ 390075Sobrien 490075Sobrien/* 590075Sobrien * Author: Tatu Ylonen <ylo@cs.hut.fi> 690075Sobrien * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 790075Sobrien * All rights reserved 890075Sobrien * Definitions for server configuration data and for the functions reading it. 990075Sobrien * 1090075Sobrien * As far as I am concerned, the code I have written for this software 1190075Sobrien * can be used freely for any purpose. Any derived versions of this 1290075Sobrien * software must be clearly marked as such, and if the derived work is 1390075Sobrien * incompatible with the protocol description in the RFC file, it must be 1490075Sobrien * called by a name other than "ssh" or "Secure Shell". 1590075Sobrien */ 1690075Sobrien 1790075Sobrien#ifndef SERVCONF_H 1890075Sobrien#define SERVCONF_H 1990075Sobrien 2090075Sobrien#define MAX_PORTS 256 /* Max # ports. */ 2190075Sobrien 2290075Sobrien#define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ 2390075Sobrien#define MAX_DENY_USERS 256 /* Max # users on deny list. */ 2490075Sobrien#define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */ 2590075Sobrien#define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ 2690075Sobrien#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ 2790075Sobrien#define MAX_HOSTKEYS 256 /* Max # hostkeys. */ 2890075Sobrien#define MAX_HOSTCERTS 256 /* Max # host certificates. */ 2990075Sobrien#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ 3090075Sobrien#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ 3190075Sobrien#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ 3290075Sobrien#define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */ 3390075Sobrien 3490075Sobrien/* permit_root_login */ 3590075Sobrien#define PERMIT_NOT_SET -1 3690075Sobrien#define PERMIT_NO 0 3790075Sobrien#define PERMIT_FORCED_ONLY 1 3890075Sobrien#define PERMIT_NO_PASSWD 2 3990075Sobrien#define PERMIT_YES 3 4090075Sobrien 4190075Sobrien/* use_privsep */ 4290075Sobrien#define PRIVSEP_OFF 0 43132718Skan#define PRIVSEP_ON 1 4490075Sobrien#define PRIVSEP_NOSANDBOX 2 4590075Sobrien 4690075Sobrien/* AllowTCPForwarding */ 4790075Sobrien#define FORWARD_DENY 0 4890075Sobrien#define FORWARD_REMOTE (1) 4990075Sobrien#define FORWARD_LOCAL (1<<1) 5090075Sobrien#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL) 5190075Sobrien 5290075Sobrien#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ 53132718Skan#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ 5490075Sobrien 5590075Sobrien/* Magic name for internal sftp-server */ 5690075Sobrien#define INTERNAL_SFTP_NAME "internal-sftp" 57117395Skan 58117395Skantypedef struct { 59117395Skan u_int num_ports; 60132718Skan u_int ports_from_cmdline; 61132718Skan int ports[MAX_PORTS]; /* Port number to listen on. */ 62132718Skan char *listen_addr; /* Address on which the server listens. */ 63117395Skan struct addrinfo *listen_addrs; /* Addresses on which the server listens. */ 64117395Skan int address_family; /* Address family used by the server. */ 65117395Skan char *host_key_files[MAX_HOSTKEYS]; /* Files containing host keys. */ 66117395Skan int num_host_key_files; /* Number of files for host keys. */ 67117395Skan char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */ 6890075Sobrien int num_host_cert_files; /* Number of files for host certs. */ 6990075Sobrien char *pid_file; /* Where to put our pid */ 7090075Sobrien int server_key_bits;/* Size of the server key. */ 7190075Sobrien int login_grace_time; /* Disconnect if no auth in this time 7290075Sobrien * (sec). */ 73117395Skan int key_regeneration_time; /* Server key lifetime (seconds). */ 74117395Skan int permit_root_login; /* PERMIT_*, see above */ 75117395Skan int ignore_rhosts; /* Ignore .rhosts and .shosts. */ 76117395Skan int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts 77117395Skan * for RhostsRsaAuth */ 78117395Skan int print_motd; /* If true, print /etc/motd. */ 79117395Skan int print_lastlog; /* If true, print lastlog */ 80117395Skan int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ 81117395Skan int x11_display_offset; /* What DISPLAY number to start 82117395Skan * searching at */ 83117395Skan int x11_use_localhost; /* If true, use localhost for fake X11 server. */ 84117395Skan char *xauth_location; /* Location of xauth program */ 8590075Sobrien int strict_modes; /* If true, require string home dir modes. */ 8690075Sobrien int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ 8790075Sobrien int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ 8890075Sobrien int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ 8990075Sobrien char *ciphers; /* Supported SSH2 ciphers. */ 9090075Sobrien char *macs; /* Supported SSH2 macs. */ 9190075Sobrien char *kex_algorithms; /* SSH2 kex methods in order of preference. */ 9290075Sobrien int protocol; /* Supported protocol versions. */ 9390075Sobrien int gateway_ports; /* If true, allow remote connects to forwarded ports. */ 9490075Sobrien SyslogFacility log_facility; /* Facility for system logging. */ 9590075Sobrien LogLevel log_level; /* Level for system logging. */ 9690075Sobrien int rhosts_rsa_authentication; /* If true, permit rhosts RSA 9790075Sobrien * authentication. */ 9890075Sobrien int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ 9990075Sobrien int hostbased_uses_name_from_packet_only; /* experimental */ 10090075Sobrien int rsa_authentication; /* If true, permit RSA authentication. */ 10190075Sobrien int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ 10290075Sobrien int kerberos_authentication; /* If true, permit Kerberos 10390075Sobrien * authentication. */ 10490075Sobrien int kerberos_or_local_passwd; /* If true, permit kerberos 10590075Sobrien * and any other password 10690075Sobrien * authentication mechanism, 10790075Sobrien * such as SecurID or 10890075Sobrien * /etc/passwd */ 109117395Skan int kerberos_ticket_cleanup; /* If true, destroy ticket 110117395Skan * file on logout. */ 111117395Skan int kerberos_get_afs_token; /* If true, try to get AFS token if 11290075Sobrien * authenticated with Kerberos. */ 11390075Sobrien int gss_authentication; /* If true, permit GSSAPI authentication */ 11490075Sobrien int gss_cleanup_creds; /* If true, destroy cred cache on logout */ 11590075Sobrien int password_authentication; /* If true, permit password 11690075Sobrien * authentication. */ 11790075Sobrien int kbd_interactive_authentication; /* If true, permit */ 11890075Sobrien int challenge_response_authentication; 11990075Sobrien int zero_knowledge_password_authentication; 12090075Sobrien /* If true, permit jpake auth */ 12190075Sobrien int permit_empty_passwd; /* If false, do not permit empty 12290075Sobrien * passwords. */ 12390075Sobrien int permit_user_env; /* If true, read ~/.ssh/environment */ 12490075Sobrien int use_login; /* If true, login(1) is used */ 12590075Sobrien int compression; /* If true, compression is allowed */ 12690075Sobrien int allow_tcp_forwarding; /* One of FORWARD_* */ 127117395Skan int allow_agent_forwarding; 128117395Skan u_int num_allow_users; 129117395Skan char *allow_users[MAX_ALLOW_USERS]; 130117395Skan u_int num_deny_users; 131117395Skan char *deny_users[MAX_DENY_USERS]; 132117395Skan u_int num_allow_groups; 133117395Skan char *allow_groups[MAX_ALLOW_GROUPS]; 134117395Skan u_int num_deny_groups; 135117395Skan char *deny_groups[MAX_DENY_GROUPS]; 136117395Skan 137117395Skan u_int num_subsystems; 138117395Skan char *subsystem_name[MAX_SUBSYSTEMS]; 139117395Skan char *subsystem_command[MAX_SUBSYSTEMS]; 140117395Skan char *subsystem_args[MAX_SUBSYSTEMS]; 141117395Skan 142117395Skan u_int num_accept_env; 143132718Skan char *accept_env[MAX_ACCEPT_ENV]; 144132718Skan 14590075Sobrien int max_startups_begin; 14690075Sobrien int max_startups_rate; 14790075Sobrien int max_startups; 14890075Sobrien int max_authtries; 14990075Sobrien int max_sessions; 15090075Sobrien char *banner; /* SSH-2 banner message */ 15190075Sobrien int use_dns; 15290075Sobrien int client_alive_interval; /* 153132718Skan * poke the client this often to 154132718Skan * see if it's still there 155132718Skan */ 156132718Skan int client_alive_count_max; /* 157132718Skan * If the client is unresponsive 158132718Skan * for this many intervals above, 159132718Skan * disconnect the session 160132718Skan */ 161132718Skan 162132718Skan u_int num_authkeys_files; /* Files containing public keys */ 163132718Skan char *authorized_keys_files[MAX_AUTHKEYS_FILES]; 164132718Skan 165132718Skan char *adm_forced_command; 166132718Skan 167132718Skan int use_pam; /* Enable auth via PAM */ 168132718Skan 169132718Skan int permit_tun; 170132718Skan 171132718Skan int num_permitted_opens; 172132718Skan 17390075Sobrien char *chroot_directory; 17490075Sobrien char *revoked_keys_file; 17590075Sobrien char *trusted_user_ca_keys; 17690075Sobrien char *authorized_principals_file; 17790075Sobrien char *authorized_keys_command; 17890075Sobrien char *authorized_keys_command_user; 17990075Sobrien 18090075Sobrien char *version_addendum; /* Appended to SSH banner */ 18190075Sobrien 18290075Sobrien int hpn_disabled; /* Disable HPN functionality. */ 18390075Sobrien int hpn_buffer_size; /* Set HPN buffer size - default 2MB.*/ 18490075Sobrien int tcp_rcv_buf_poll; /* Poll TCP rcv window in autotuning 18590075Sobrien * kernels. */ 18690075Sobrien u_int num_auth_methods; 18790075Sobrien char *auth_methods[MAX_AUTH_METHODS]; 18890075Sobrien 18990075Sobrien#ifdef NONE_CIPHER_ENABLED 19090075Sobrien int none_enabled; /* Enable NONE cipher switch. */ 191117395Skan#endif 192132718Skan} ServerOptions; 193117395Skan 19490075Sobrien/* Information about the incoming connection as used by Match */ 19590075Sobrienstruct connection_info { 19690075Sobrien const char *user; 19790075Sobrien const char *host; /* possibly resolved hostname */ 19890075Sobrien const char *address; /* remote address */ 19990075Sobrien const char *laddress; /* local address */ 20090075Sobrien int lport; /* local port */ 201117395Skan}; 202117395Skan 203117395Skan 20490075Sobrien/* 205117395Skan * These are string config options that must be copied between the 206117395Skan * Match sub-config and the main config, and must be sent from the 207132718Skan * privsep slave to the privsep master. We use a macro to ensure all 208132718Skan * the options are copied and the copies are done in the correct order. 209132718Skan */ 210132718Skan#define COPY_MATCH_STRING_OPTS() do { \ 21190075Sobrien M_CP_STROPT(banner); \ 21290075Sobrien M_CP_STROPT(trusted_user_ca_keys); \ 21390075Sobrien M_CP_STROPT(revoked_keys_file); \ 21490075Sobrien M_CP_STROPT(authorized_principals_file); \ 21590075Sobrien M_CP_STROPT(authorized_keys_command); \ 21690075Sobrien M_CP_STROPT(authorized_keys_command_user); \ 21790075Sobrien M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ 21890075Sobrien M_CP_STRARRAYOPT(allow_users, num_allow_users); \ 21990075Sobrien M_CP_STRARRAYOPT(deny_users, num_deny_users); \ 22090075Sobrien M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ 22190075Sobrien M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ 222132718Skan M_CP_STRARRAYOPT(accept_env, num_accept_env); \ 223117395Skan M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ 224117395Skan } while (0) 225117395Skan 226117395Skanstruct connection_info *get_connection_info(int, int); 227117395Skanvoid initialize_server_options(ServerOptions *); 228117395Skanvoid fill_default_server_options(ServerOptions *); 229132718Skanint process_server_config_line(ServerOptions *, char *, const char *, int, 230132718Skan int *, struct connection_info *); 231117395Skanvoid load_server_config(const char *, Buffer *); 232117395Skanvoid parse_server_config(ServerOptions *, const char *, Buffer *, 233132718Skan struct connection_info *); 23490075Sobrienvoid parse_server_match_config(ServerOptions *, struct connection_info *); 235117395Skanint parse_server_match_testspec(struct connection_info *, char *); 236117395Skanint server_match_spec_complete(struct connection_info *); 237117395Skanvoid copy_set_server_options(ServerOptions *, ServerOptions *, int); 238117395Skanvoid dump_config(ServerOptions *); 239117395Skanchar *derelativise_path(const char *); 240117395Skan 241117395Skan#endif /* SERVCONF_H */ 242117395Skan