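/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */
/* $FreeBSD: stable/10/crypto/openssh/servconf.h 255767 2013-09-21 21:36:09Z des $ */

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 * Definitions for server configuration data and for the functions reading it.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */

#ifndef SERVCONF_H
#define SERVCONF_H

/*
 * Upper bounds for the fixed-size option arrays in ServerOptions below.
 * The parser must check the matching num_* counter against these before
 * storing another entry.
 */
#define MAX_PORTS		256	/* Max # ports. */

#define MAX_ALLOW_USERS		256	/* Max # users on allow list. */
#define MAX_DENY_USERS		256	/* Max # users on deny list. */
#define MAX_ALLOW_GROUPS	256	/* Max # groups on allow list. */
#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
#define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
#define MAX_HOSTKEYS		256	/* Max # hostkeys. */
#define MAX_HOSTCERTS		256	/* Max # host certificates. */
#define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
#define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
#define MAX_AUTHKEYS_FILES	256	/* Max # of authorized_keys files. */
#define MAX_AUTH_METHODS	256	/* Max # of AuthenticationMethods. */

/*
 * permit_root_login
 * PERMIT_NOT_SET is the "option not seen in the config" sentinel; it is
 * parenthesized so the negative literal survives use inside larger
 * expressions.
 */
#define	PERMIT_NOT_SET		(-1)
#define	PERMIT_NO		0
#define	PERMIT_FORCED_ONLY	1
#define	PERMIT_NO_PASSWD	2
#define	PERMIT_YES		3

/* use_privsep */
#define	PRIVSEP_OFF		0
#define	PRIVSEP_ON		1
#define	PRIVSEP_NOSANDBOX	2

/* AllowTCPForwarding: bit flags, FORWARD_ALLOW is the union of both. */
#define FORWARD_DENY		0
#define FORWARD_REMOTE		(1)
#define FORWARD_LOCAL		(1<<1)
#define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)

#define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */

/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME	"internal-sftp"

/*
 * Parsed server configuration.  Every option the config file can set has
 * a field here; string fields are heap-allocated, pointer fields are NULL
 * when unset, and fixed-size arrays are paired with a num_* counter that
 * gives the number of valid entries.
 */
typedef struct {
	u_int	num_ports;
	u_int	ports_from_cmdline;
	int	ports[MAX_PORTS];	/* Port number to listen on. */
	char   *listen_addr;		/* Address on which the server listens. */
	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
	int	address_family;		/* Address family used by the server. */
	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
	int	num_host_key_files;	/* Number of files for host keys. */
	char   *host_cert_files[MAX_HOSTCERTS];	/* Files containing host certs. */
	int	num_host_cert_files;	/* Number of files for host certs. */
	char   *host_key_agent;		/* ssh-agent socket for host keys. */
	char   *pid_file;		/* Where to put our pid */
	int	server_key_bits;	/* Size of the server key (bits). */
	int	login_grace_time;	/* Disconnect if no auth in this time
					 * (sec). */
	int	key_regeneration_time;	/* Server key lifetime (seconds). */
	int	permit_root_login;	/* PERMIT_*, see above */
	int	ignore_rhosts;		/* Ignore .rhosts and .shosts. */
	int	ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
					 * for RhostsRsaAuth */
	int	print_motd;		/* If true, print /etc/motd. */
	int	print_lastlog;		/* If true, print lastlog */
	int	x11_forwarding;		/* If true, permit inet (spoofing) X11 fwd. */
	int	x11_display_offset;	/* What DISPLAY number to start
					 * searching at */
	int	x11_use_localhost;	/* If true, use localhost for fake X11 server. */
	char   *xauth_location;		/* Location of xauth program */
	int	strict_modes;		/* If true, require strict home dir modes. */
	int	tcp_keep_alive;		/* If true, set SO_KEEPALIVE. */
	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
	char   *ciphers;		/* Supported SSH2 ciphers. */
	char   *macs;			/* Supported SSH2 macs. */
	char   *kex_algorithms;		/* SSH2 kex methods in order of preference. */
	int	protocol;		/* Supported protocol versions. */
	int	gateway_ports;		/* If true, allow remote connects to forwarded ports. */
	SyslogFacility log_facility;	/* Facility for system logging. */
	LogLevel log_level;		/* Level for system logging. */
	int	rhosts_rsa_authentication;	/* If true, permit rhosts RSA
						 * authentication. */
	int	hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
	int	hostbased_uses_name_from_packet_only; /* experimental: trust the
						 * client-supplied name only */
	int	rsa_authentication;	/* If true, permit RSA authentication. */
	int	pubkey_authentication;	/* If true, permit ssh2 pubkey authentication. */
	int	kerberos_authentication;	/* If true, permit Kerberos
						 * authentication. */
	int	kerberos_or_local_passwd;	/* If true, permit kerberos
						 * and any other password
						 * authentication mechanism,
						 * such as SecurID or
						 * /etc/passwd */
	int	kerberos_ticket_cleanup;	/* If true, destroy ticket
						 * file on logout. */
	int	kerberos_get_afs_token;		/* If true, try to get AFS token if
						 * authenticated with Kerberos. */
	int	gss_authentication;	/* If true, permit GSSAPI authentication */
	int	gss_cleanup_creds;	/* If true, destroy cred cache on logout */
	int	password_authentication;	/* If true, permit password
						 * authentication. */
	int	kbd_interactive_authentication;	/* If true, permit
						 * keyboard-interactive
						 * authentication. */
	int	challenge_response_authentication;	/* If true, permit
						 * challenge-response auth */
	int	zero_knowledge_password_authentication;
					/* If true, permit jpake auth */
	int	permit_empty_passwd;	/* If false, do not permit empty
					 * passwords. */
	int	permit_user_env;	/* If true, read ~/.ssh/environment */
	int	use_login;		/* If true, login(1) is used */
	int	compression;		/* If true, compression is allowed */
	int	allow_tcp_forwarding;	/* One of FORWARD_* */
	int	allow_agent_forwarding;	/* If true, permit agent forwarding */
	u_int	num_allow_users;
	char   *allow_users[MAX_ALLOW_USERS];
	u_int	num_deny_users;
	char   *deny_users[MAX_DENY_USERS];
	u_int	num_allow_groups;
	char   *allow_groups[MAX_ALLOW_GROUPS];
	u_int	num_deny_groups;
	char   *deny_groups[MAX_DENY_GROUPS];

	u_int	num_subsystems;
	char   *subsystem_name[MAX_SUBSYSTEMS];
	char   *subsystem_command[MAX_SUBSYSTEMS];
	char   *subsystem_args[MAX_SUBSYSTEMS];

	u_int	num_accept_env;
	char   *accept_env[MAX_ACCEPT_ENV];

	int	max_startups_begin;
	int	max_startups_rate;
	int	max_startups;
	int	max_authtries;		/* MaxAuthTries; see DEFAULT_AUTH_FAIL_MAX */
	int	max_sessions;		/* MaxSessions; see DEFAULT_SESSIONS_MAX */
	char   *banner;			/* SSH-2 banner message */
	int	use_dns;
	int	client_alive_interval;	/*
					 * poke the client this often to
					 * see if it's still there
					 */
	int	client_alive_count_max;	/*
					 * If the client is unresponsive
					 * for this many intervals above,
					 * disconnect the session
					 */

	u_int	num_authkeys_files;	/* Files containing public keys */
	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];

	char   *adm_forced_command;

	int	use_pam;		/* Enable auth via PAM */

	int	permit_tun;

	int	num_permitted_opens;

	char   *chroot_directory;
	char   *revoked_keys_file;
	char   *trusted_user_ca_keys;
	char   *authorized_principals_file;
	char   *authorized_keys_command;
	char   *authorized_keys_command_user;

	int64_t	rekey_limit;
	int	rekey_interval;

	char   *version_addendum;	/* Appended to SSH banner */

	int	hpn_disabled;		/* Disable HPN functionality. */
	int	hpn_buffer_size;	/* Set HPN buffer size - default 2MB.*/
	int	tcp_rcv_buf_poll;	/* Poll TCP rcv window in autotuning
					 * kernels. */
	u_int	num_auth_methods;
	char   *auth_methods[MAX_AUTH_METHODS];

#ifdef NONE_CIPHER_ENABLED
	int	none_enabled;		/* Enable NONE cipher switch. */
#endif
}       ServerOptions;

/* Information about the incoming connection as used by Match */
struct connection_info {
	const char *user;
	const char *host;	/* possibly resolved hostname */
	const char *address; 	/* remote address */
	const char *laddress;	/* local address */
	int lport;		/* local port */
};


/*
 * These are string config options that must be copied between the
 * Match sub-config and the main config, and must be sent from the
 * privsep slave to the privsep master. We use a macro to ensure all
 * the options are copied and the copies are done in the correct order.
 *
 * Any new string option that a Match block may set has to be added to
 * this list; otherwise its Match value is neither merged into the main
 * config nor delivered to the privsep master.
 */
#define COPY_MATCH_STRING_OPTS() do { \
		M_CP_STROPT(banner); \
		M_CP_STROPT(trusted_user_ca_keys); \
		M_CP_STROPT(revoked_keys_file); \
		M_CP_STROPT(authorized_principals_file); \
		M_CP_STROPT(authorized_keys_command); \
		M_CP_STROPT(authorized_keys_command_user); \
		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
		M_CP_STRARRAYOPT(allow_users, num_allow_users); \
		M_CP_STRARRAYOPT(deny_users, num_deny_users); \
		M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
		M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
		M_CP_STRARRAYOPT(accept_env, num_accept_env); \
		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
	} while (0)

/* Configuration readers and Match helpers; see their definitions for
 * argument semantics. */
struct connection_info *get_connection_info(int, int);
void	 initialize_server_options(ServerOptions *);
void	 fill_default_server_options(ServerOptions *);
int	 process_server_config_line(ServerOptions *, char *, const char *, int,
	     int *, struct connection_info *);
void	 load_server_config(const char *, Buffer *);
void	 parse_server_config(ServerOptions *, const char *, Buffer *,
	     struct connection_info *);
void	 parse_server_match_config(ServerOptions *, struct connection_info *);
int	 parse_server_match_testspec(struct connection_info *, char *);
int	 server_match_spec_complete(struct connection_info *);
void	 copy_set_server_options(ServerOptions *, ServerOptions *, int);
void	 dump_config(ServerOptions *);
char	*derelativise_path(const char *);

#endif				/* SERVCONF_H */
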