servconf.c revision 323129
1 2/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */ 3/* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14#include "includes.h" 15__RCSID("$FreeBSD: stable/11/crypto/openssh/servconf.c 323129 2017-09-02 14:25:20Z des $"); 16 17#include <sys/types.h> 18#include <sys/socket.h> 19 20#include <netinet/in.h> 21#include <netinet/in_systm.h> 22#include <netinet/ip.h> 23 24#include <ctype.h> 25#include <fcntl.h> 26#include <netdb.h> 27#include <pwd.h> 28#include <stdio.h> 29#include <stdlib.h> 30#include <string.h> 31#include <signal.h> 32#include <unistd.h> 33#include <limits.h> 34#include <stdarg.h> 35#include <errno.h> 36#ifdef HAVE_UTIL_H 37#include <util.h> 38#endif 39 40#include "openbsd-compat/sys-queue.h" 41#include "xmalloc.h" 42#include "ssh.h" 43#include "log.h" 44#include "buffer.h" 45#include "misc.h" 46#include "servconf.h" 47#include "compat.h" 48#include "pathnames.h" 49#include "cipher.h" 50#include "key.h" 51#include "kex.h" 52#include "mac.h" 53#include "match.h" 54#include "channels.h" 55#include "groupaccess.h" 56#include "canohost.h" 57#include "packet.h" 58#include "hostfile.h" 59#include "auth.h" 60#include "myproposal.h" 61#include "digest.h" 62#include "version.h" 63 64static void add_listen_addr(ServerOptions *, char *, int); 65static void add_one_listen_addr(ServerOptions *, char *, int); 66 67/* Use of privilege separation or not */ 68extern int use_privsep; 69extern Buffer cfg; 70 71/* Initializes the server options to their default values. */ 72 73void 74initialize_server_options(ServerOptions *options) 75{ 76 memset(options, 0, sizeof(*options)); 77 78 /* Portable-specific options */ 79 options->use_pam = -1; 80 81 /* Standard Options */ 82 options->num_ports = 0; 83 options->ports_from_cmdline = 0; 84 options->queued_listen_addrs = NULL; 85 options->num_queued_listens = 0; 86 options->listen_addrs = NULL; 87 options->address_family = -1; 88 options->num_host_key_files = 0; 89 options->num_host_cert_files = 0; 90 options->host_key_agent = NULL; 91 options->pid_file = NULL; 92 options->server_key_bits = -1; 93 options->login_grace_time = -1; 94 options->key_regeneration_time = -1; 95 options->permit_root_login = PERMIT_NOT_SET; 96 options->ignore_rhosts = -1; 97 options->ignore_user_known_hosts = -1; 98 options->print_motd = -1; 99 options->print_lastlog = -1; 100 options->x11_forwarding = -1; 101 options->x11_display_offset = -1; 102 options->x11_use_localhost = -1; 103 options->permit_tty = -1; 104 options->permit_user_rc = -1; 105 options->xauth_location = NULL; 106 options->strict_modes = -1; 107 options->tcp_keep_alive = -1; 108 options->log_facility = SYSLOG_FACILITY_NOT_SET; 109 options->log_level = SYSLOG_LEVEL_NOT_SET; 110 options->rhosts_rsa_authentication = -1; 111 options->hostbased_authentication = -1; 112 options->hostbased_uses_name_from_packet_only = -1; 113 options->hostbased_key_types = NULL; 114 options->hostkeyalgorithms = NULL; 115 options->rsa_authentication = -1; 116 options->pubkey_authentication = -1; 117 options->pubkey_key_types = NULL; 118 options->kerberos_authentication = -1; 119 options->kerberos_or_local_passwd = -1; 120 options->kerberos_ticket_cleanup = -1; 121 options->kerberos_get_afs_token = -1; 122 options->gss_authentication=-1; 123 options->gss_cleanup_creds = -1; 124 options->gss_strict_acceptor = -1; 125 options->password_authentication = -1; 126 options->kbd_interactive_authentication = -1; 127 options->challenge_response_authentication = -1; 128 options->permit_empty_passwd = -1; 129 options->permit_user_env = -1; 130 options->use_login = -1; 131 options->compression = -1; 132 options->rekey_limit = -1; 133 options->rekey_interval = -1; 134 options->allow_tcp_forwarding = -1; 135 options->allow_streamlocal_forwarding = -1; 136 options->allow_agent_forwarding = -1; 137 options->num_allow_users = 0; 138 options->num_deny_users = 0; 139 options->num_allow_groups = 0; 140 options->num_deny_groups = 0; 141 options->ciphers = NULL; 142 options->macs = NULL; 143 options->kex_algorithms = NULL; 144 options->protocol = SSH_PROTO_UNKNOWN; 145 options->fwd_opts.gateway_ports = -1; 146 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; 147 options->fwd_opts.streamlocal_bind_unlink = -1; 148 options->num_subsystems = 0; 149 options->max_startups_begin = -1; 150 options->max_startups_rate = -1; 151 options->max_startups = -1; 152 options->max_authtries = -1; 153 options->max_sessions = -1; 154 options->banner = NULL; 155 options->use_dns = -1; 156 options->client_alive_interval = -1; 157 options->client_alive_count_max = -1; 158 options->num_authkeys_files = 0; 159 options->num_accept_env = 0; 160 options->permit_tun = -1; 161 options->num_permitted_opens = -1; 162 options->adm_forced_command = NULL; 163 options->chroot_directory = NULL; 164 options->authorized_keys_command = NULL; 165 options->authorized_keys_command_user = NULL; 166 options->revoked_keys_file = NULL; 167 options->trusted_user_ca_keys = NULL; 168 options->authorized_principals_file = NULL; 169 options->authorized_principals_command = NULL; 170 options->authorized_principals_command_user = NULL; 171 options->ip_qos_interactive = -1; 172 options->ip_qos_bulk = -1; 173 options->version_addendum = NULL; 174 options->fingerprint_hash = -1; 175 options->use_blacklist = -1; 176} 177 178/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 179static int 180option_clear_or_none(const char *o) 181{ 182 return o == NULL || strcasecmp(o, "none") == 0; 183} 184 185static void 186assemble_algorithms(ServerOptions *o) 187{ 188 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || 189 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || 190 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || 191 kex_assemble_names(KEX_DEFAULT_PK_ALG, 192 &o->hostkeyalgorithms) != 0 || 193 kex_assemble_names(KEX_DEFAULT_PK_ALG, 194 &o->hostbased_key_types) != 0 || 195 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) 196 fatal("kex_assemble_names failed"); 197} 198 199void 200fill_default_server_options(ServerOptions *options) 201{ 202 int i; 203 204 /* Portable-specific options */ 205 if (options->use_pam == -1) 206 options->use_pam = 1; 207 208 /* Standard Options */ 209 if (options->protocol == SSH_PROTO_UNKNOWN) 210 options->protocol = SSH_PROTO_2; 211#define add_host_key_file(path) \ 212 do { \ 213 if (access((path), O_RDONLY) == 0) \ 214 options->host_key_files \ 215 [options->num_host_key_files++] = (path); \ 216 } while (0) 217 if (options->num_host_key_files == 0) { 218 /* fill default hostkeys for protocols */ 219 if (options->protocol & SSH_PROTO_1) 220 add_host_key_file(_PATH_HOST_KEY_FILE); 221 if (options->protocol & SSH_PROTO_2) { 222 add_host_key_file(_PATH_HOST_RSA_KEY_FILE); 223 add_host_key_file(_PATH_HOST_DSA_KEY_FILE); 224#ifdef OPENSSL_HAS_ECC 225 add_host_key_file(_PATH_HOST_ECDSA_KEY_FILE); 226#endif 227 add_host_key_file(_PATH_HOST_ED25519_KEY_FILE); 228 } 229 } 230#undef add_host_key_file 231 if (options->num_host_key_files == 0) 232 fatal("No host key files found"); 233 /* No certificates by default */ 234 if (options->num_ports == 0) 235 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 236 if (options->address_family == -1) 237 options->address_family = AF_UNSPEC; 238 if (options->listen_addrs == NULL) 239 add_listen_addr(options, NULL, 0); 240 if (options->pid_file == NULL) 241 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); 242 if (options->server_key_bits == -1) 243 options->server_key_bits = 1024; 244 if (options->login_grace_time == -1) 245 options->login_grace_time = 120; 246 if (options->key_regeneration_time == -1) 247 options->key_regeneration_time = 3600; 248 if (options->permit_root_login == PERMIT_NOT_SET) 249 options->permit_root_login = PERMIT_NO; 250 if (options->ignore_rhosts == -1) 251 options->ignore_rhosts = 1; 252 if (options->ignore_user_known_hosts == -1) 253 options->ignore_user_known_hosts = 0; 254 if (options->print_motd == -1) 255 options->print_motd = 1; 256 if (options->print_lastlog == -1) 257 options->print_lastlog = 1; 258 if (options->x11_forwarding == -1) 259 options->x11_forwarding = 1; 260 if (options->x11_display_offset == -1) 261 options->x11_display_offset = 10; 262 if (options->x11_use_localhost == -1) 263 options->x11_use_localhost = 1; 264 if (options->xauth_location == NULL) 265 options->xauth_location = xstrdup(_PATH_XAUTH); 266 if (options->permit_tty == -1) 267 options->permit_tty = 1; 268 if (options->permit_user_rc == -1) 269 options->permit_user_rc = 1; 270 if (options->strict_modes == -1) 271 options->strict_modes = 1; 272 if (options->tcp_keep_alive == -1) 273 options->tcp_keep_alive = 1; 274 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 275 options->log_facility = SYSLOG_FACILITY_AUTH; 276 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 277 options->log_level = SYSLOG_LEVEL_INFO; 278 if (options->rhosts_rsa_authentication == -1) 279 options->rhosts_rsa_authentication = 0; 280 if (options->hostbased_authentication == -1) 281 options->hostbased_authentication = 0; 282 if (options->hostbased_uses_name_from_packet_only == -1) 283 options->hostbased_uses_name_from_packet_only = 0; 284 if (options->rsa_authentication == -1) 285 options->rsa_authentication = 1; 286 if (options->pubkey_authentication == -1) 287 options->pubkey_authentication = 1; 288 if (options->kerberos_authentication == -1) 289 options->kerberos_authentication = 0; 290 if (options->kerberos_or_local_passwd == -1) 291 options->kerberos_or_local_passwd = 1; 292 if (options->kerberos_ticket_cleanup == -1) 293 options->kerberos_ticket_cleanup = 1; 294 if (options->kerberos_get_afs_token == -1) 295 options->kerberos_get_afs_token = 0; 296 if (options->gss_authentication == -1) 297 options->gss_authentication = 0; 298 if (options->gss_cleanup_creds == -1) 299 options->gss_cleanup_creds = 1; 300 if (options->gss_strict_acceptor == -1) 301 options->gss_strict_acceptor = 0; 302 if (options->password_authentication == -1) 303 options->password_authentication = 0; 304 if (options->kbd_interactive_authentication == -1) 305 options->kbd_interactive_authentication = 0; 306 if (options->challenge_response_authentication == -1) 307 options->challenge_response_authentication = 1; 308 if (options->permit_empty_passwd == -1) 309 options->permit_empty_passwd = 0; 310 if (options->permit_user_env == -1) 311 options->permit_user_env = 0; 312 if (options->use_login == -1) 313 options->use_login = 0; 314 if (options->compression == -1) 315 options->compression = COMP_DELAYED; 316 if (options->rekey_limit == -1) 317 options->rekey_limit = 0; 318 if (options->rekey_interval == -1) 319 options->rekey_interval = 0; 320 if (options->allow_tcp_forwarding == -1) 321 options->allow_tcp_forwarding = FORWARD_ALLOW; 322 if (options->allow_streamlocal_forwarding == -1) 323 options->allow_streamlocal_forwarding = FORWARD_ALLOW; 324 if (options->allow_agent_forwarding == -1) 325 options->allow_agent_forwarding = 1; 326 if (options->fwd_opts.gateway_ports == -1) 327 options->fwd_opts.gateway_ports = 0; 328 if (options->max_startups == -1) 329 options->max_startups = 100; 330 if (options->max_startups_rate == -1) 331 options->max_startups_rate = 30; /* 30% */ 332 if (options->max_startups_begin == -1) 333 options->max_startups_begin = 10; 334 if (options->max_authtries == -1) 335 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 336 if (options->max_sessions == -1) 337 options->max_sessions = DEFAULT_SESSIONS_MAX; 338 if (options->use_dns == -1) 339 options->use_dns = 1; 340 if (options->client_alive_interval == -1) 341 options->client_alive_interval = 0; 342 if (options->client_alive_count_max == -1) 343 options->client_alive_count_max = 3; 344 if (options->num_authkeys_files == 0) { 345 options->authorized_keys_files[options->num_authkeys_files++] = 346 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 347 options->authorized_keys_files[options->num_authkeys_files++] = 348 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 349 } 350 if (options->permit_tun == -1) 351 options->permit_tun = SSH_TUNMODE_NO; 352 if (options->ip_qos_interactive == -1) 353 options->ip_qos_interactive = IPTOS_LOWDELAY; 354 if (options->ip_qos_bulk == -1) 355 options->ip_qos_bulk = IPTOS_THROUGHPUT; 356 if (options->version_addendum == NULL) 357 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD); 358 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 359 options->fwd_opts.streamlocal_bind_mask = 0177; 360 if (options->fwd_opts.streamlocal_bind_unlink == -1) 361 options->fwd_opts.streamlocal_bind_unlink = 0; 362 if (options->fingerprint_hash == -1) 363 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 364 if (options->use_blacklist == -1) 365 options->use_blacklist = 0; 366 367 assemble_algorithms(options); 368 369 /* Turn privilege separation and sandboxing on by default */ 370 if (use_privsep == -1) 371 use_privsep = PRIVSEP_ON; 372 373#define CLEAR_ON_NONE(v) \ 374 do { \ 375 if (option_clear_or_none(v)) { \ 376 free(v); \ 377 v = NULL; \ 378 } \ 379 } while(0) 380 CLEAR_ON_NONE(options->pid_file); 381 CLEAR_ON_NONE(options->xauth_location); 382 CLEAR_ON_NONE(options->banner); 383 CLEAR_ON_NONE(options->trusted_user_ca_keys); 384 CLEAR_ON_NONE(options->revoked_keys_file); 385 CLEAR_ON_NONE(options->authorized_principals_file); 386 CLEAR_ON_NONE(options->adm_forced_command); 387 CLEAR_ON_NONE(options->chroot_directory); 388 for (i = 0; i < options->num_host_key_files; i++) 389 CLEAR_ON_NONE(options->host_key_files[i]); 390 for (i = 0; i < options->num_host_cert_files; i++) 391 CLEAR_ON_NONE(options->host_cert_files[i]); 392#undef CLEAR_ON_NONE 393 394 /* Similar handling for AuthenticationMethods=any */ 395 if (options->num_auth_methods == 1 && 396 strcmp(options->auth_methods[0], "any") == 0) { 397 free(options->auth_methods[0]); 398 options->auth_methods[0] = NULL; 399 options->num_auth_methods = 0; 400 } 401 402#ifndef HAVE_MMAP 403 if (use_privsep && options->compression == 1) { 404 error("This platform does not support both privilege " 405 "separation and compression"); 406 error("Compression disabled"); 407 options->compression = 0; 408 } 409#endif 410 411} 412 413/* Keyword tokens. */ 414typedef enum { 415 sBadOption, /* == unknown option */ 416 /* Portable-specific options */ 417 sUsePAM, 418 /* Standard Options */ 419 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, 420 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, 421 sRhostsRSAAuthentication, sRSAAuthentication, 422 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 423 sKerberosGetAFSToken, 424 sKerberosTgtPassing, sChallengeResponseAuthentication, 425 sPasswordAuthentication, sKbdInteractiveAuthentication, 426 sListenAddress, sAddressFamily, 427 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 428 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 429 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, 430 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 431 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 432 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 433 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, 434 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, 435 sBanner, sUseDNS, sHostbasedAuthentication, 436 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, 437 sHostKeyAlgorithms, 438 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 439 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 440 sAcceptEnv, sPermitTunnel, 441 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 442 sUsePrivilegeSeparation, sAllowAgentForwarding, 443 sHostCertificate, 444 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 445 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, 446 sKexAlgorithms, sIPQoS, sVersionAddendum, 447 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 448 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 449 sStreamLocalBindMask, sStreamLocalBindUnlink, 450 sAllowStreamLocalForwarding, sFingerprintHash, 451 sUseBlacklist, 452 sDeprecated, sUnsupported 453} ServerOpCodes; 454 455#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 456#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 457#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 458 459/* Textual representation of the tokens. */ 460static struct { 461 const char *name; 462 ServerOpCodes opcode; 463 u_int flags; 464} keywords[] = { 465 /* Portable-specific options */ 466#ifdef USE_PAM 467 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 468#else 469 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 470#endif 471 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 472 /* Standard Options */ 473 { "port", sPort, SSHCFG_GLOBAL }, 474 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 475 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 476 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, 477 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 478 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 479 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 480 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 481 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 482 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 483 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 484 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 485 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 486 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 487 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 488 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, 489 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, 490 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 491 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 492 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, 493 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 494#ifdef KRB5 495 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 496 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 497 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 498#ifdef USE_AFS 499 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 500#else 501 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 502#endif 503#else 504 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 505 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 506 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 507 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 508#endif 509 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 510 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 511#ifdef GSSAPI 512 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 513 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 514 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 515#else 516 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 517 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 518 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 519#endif 520 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 521 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 522 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 523 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 524 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 525 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 526 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 527 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 528#ifdef DISABLE_LASTLOG 529 { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, 530#else 531 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 532#endif 533 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 534 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 535 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 536 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 537 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 538 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 539 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 540 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 541 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 542 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 543 { "compression", sCompression, SSHCFG_GLOBAL }, 544 { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 545 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 546 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 547 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 548 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 549 { "allowusers", sAllowUsers, SSHCFG_ALL }, 550 { "denyusers", sDenyUsers, SSHCFG_ALL }, 551 { "allowgroups", sAllowGroups, SSHCFG_ALL }, 552 { "denygroups", sDenyGroups, SSHCFG_ALL }, 553 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 554 { "macs", sMacs, SSHCFG_GLOBAL }, 555 { "protocol", sProtocol, SSHCFG_GLOBAL }, 556 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 557 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 558 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 559 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 560 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 561 { "banner", sBanner, SSHCFG_ALL }, 562 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 563 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 564 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 565 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 566 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 567 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 568 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 569 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 570 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 571 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 572 { "permittty", sPermitTTY, SSHCFG_ALL }, 573 { "permituserrc", sPermitUserRC, SSHCFG_ALL }, 574 { "match", sMatch, SSHCFG_ALL }, 575 { "permitopen", sPermitOpen, SSHCFG_ALL }, 576 { "forcecommand", sForceCommand, SSHCFG_ALL }, 577 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 578 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 579 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 580 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 581 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 582 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 583 { "ipqos", sIPQoS, SSHCFG_ALL }, 584 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 585 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 586 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL }, 587 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL }, 588 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 589 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 590 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, 591 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 592 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 593 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 594 { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, 595 { "noneenabled", sUnsupported, SSHCFG_ALL }, 596 { "hpndisabled", sDeprecated, SSHCFG_ALL }, 597 { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, 598 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, 599 { NULL, sBadOption, 0 } 600}; 601 602static struct { 603 int val; 604 char *text; 605} tunmode_desc[] = { 606 { SSH_TUNMODE_NO, "no" }, 607 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 608 { SSH_TUNMODE_ETHERNET, "ethernet" }, 609 { SSH_TUNMODE_YES, "yes" }, 610 { -1, NULL } 611}; 612 613/* 614 * Returns the number of the token pointed to by cp or sBadOption. 615 */ 616 617static ServerOpCodes 618parse_token(const char *cp, const char *filename, 619 int linenum, u_int *flags) 620{ 621 u_int i; 622 623 for (i = 0; keywords[i].name; i++) 624 if (strcasecmp(cp, keywords[i].name) == 0) { 625 *flags = keywords[i].flags; 626 return keywords[i].opcode; 627 } 628 629 error("%s: line %d: Bad configuration option: %s", 630 filename, linenum, cp); 631 return sBadOption; 632} 633 634char * 635derelativise_path(const char *path) 636{ 637 char *expanded, *ret, cwd[PATH_MAX]; 638 639 if (strcasecmp(path, "none") == 0) 640 return xstrdup("none"); 641 expanded = tilde_expand_filename(path, getuid()); 642 if (*expanded == '/') 643 return expanded; 644 if (getcwd(cwd, sizeof(cwd)) == NULL) 645 fatal("%s: getcwd: %s", __func__, strerror(errno)); 646 xasprintf(&ret, "%s/%s", cwd, expanded); 647 free(expanded); 648 return ret; 649} 650 651static void 652add_listen_addr(ServerOptions *options, char *addr, int port) 653{ 654 u_int i; 655 656 if (port == 0) 657 for (i = 0; i < options->num_ports; i++) 658 add_one_listen_addr(options, addr, options->ports[i]); 659 else 660 add_one_listen_addr(options, addr, port); 661} 662 663static void 664add_one_listen_addr(ServerOptions *options, char *addr, int port) 665{ 666 struct addrinfo hints, *ai, *aitop; 667 char strport[NI_MAXSERV]; 668 int gaierr; 669 670 memset(&hints, 0, sizeof(hints)); 671 hints.ai_family = options->address_family; 672 hints.ai_socktype = SOCK_STREAM; 673 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 674 snprintf(strport, sizeof strport, "%d", port); 675 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 676 fatal("bad addr or host: %s (%s)", 677 addr ? addr : "<NULL>", 678 ssh_gai_strerror(gaierr)); 679 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 680 ; 681 ai->ai_next = options->listen_addrs; 682 options->listen_addrs = aitop; 683} 684 685/* 686 * Queue a ListenAddress to be processed once we have all of the Ports 687 * and AddressFamily options. 688 */ 689static void 690queue_listen_addr(ServerOptions *options, char *addr, int port) 691{ 692 options->queued_listen_addrs = xreallocarray( 693 options->queued_listen_addrs, options->num_queued_listens + 1, 694 sizeof(addr)); 695 options->queued_listen_ports = xreallocarray( 696 options->queued_listen_ports, options->num_queued_listens + 1, 697 sizeof(port)); 698 options->queued_listen_addrs[options->num_queued_listens] = 699 xstrdup(addr); 700 options->queued_listen_ports[options->num_queued_listens] = port; 701 options->num_queued_listens++; 702} 703 704/* 705 * Process queued (text) ListenAddress entries. 706 */ 707static void 708process_queued_listen_addrs(ServerOptions *options) 709{ 710 u_int i; 711 712 if (options->num_ports == 0) 713 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 714 if (options->address_family == -1) 715 options->address_family = AF_UNSPEC; 716 717 for (i = 0; i < options->num_queued_listens; i++) { 718 add_listen_addr(options, options->queued_listen_addrs[i], 719 options->queued_listen_ports[i]); 720 free(options->queued_listen_addrs[i]); 721 options->queued_listen_addrs[i] = NULL; 722 } 723 free(options->queued_listen_addrs); 724 options->queued_listen_addrs = NULL; 725 free(options->queued_listen_ports); 726 options->queued_listen_ports = NULL; 727 options->num_queued_listens = 0; 728} 729 730struct connection_info * 731get_connection_info(int populate, int use_dns) 732{ 733 struct ssh *ssh = active_state; /* XXX */ 734 static struct connection_info ci; 735 736 if (!populate) 737 return &ci; 738 ci.host = auth_get_canonical_hostname(ssh, use_dns); 739 ci.address = ssh_remote_ipaddr(ssh); 740 ci.laddress = ssh_local_ipaddr(ssh); 741 ci.lport = ssh_local_port(ssh); 742 return &ci; 743} 744 745/* 746 * The strategy for the Match blocks is that the config file is parsed twice. 747 * 748 * The first time is at startup. activep is initialized to 1 and the 749 * directives in the global context are processed and acted on. Hitting a 750 * Match directive unsets activep and the directives inside the block are 751 * checked for syntax only. 752 * 753 * The second time is after a connection has been established but before 754 * authentication. activep is initialized to 2 and global config directives 755 * are ignored since they have already been processed. If the criteria in a 756 * Match block is met, activep is set and the subsequent directives 757 * processed and actioned until EOF or another Match block unsets it. Any 758 * options set are copied into the main server config. 759 * 760 * Potential additions/improvements: 761 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 762 * 763 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 764 * Match Address 192.168.0.* 765 * Tag trusted 766 * Match Group wheel 767 * Tag trusted 768 * Match Tag trusted 769 * AllowTcpForwarding yes 770 * GatewayPorts clientspecified 771 * [...] 772 * 773 * - Add a PermittedChannelRequests directive 774 * Match Group shell 775 * PermittedChannelRequests session,forwarded-tcpip 776 */ 777 778static int 779match_cfg_line_group(const char *grps, int line, const char *user) 780{ 781 int result = 0; 782 struct passwd *pw; 783 784 if (user == NULL) 785 goto out; 786 787 if ((pw = getpwnam(user)) == NULL) { 788 debug("Can't match group at line %d because user %.100s does " 789 "not exist", line, user); 790 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 791 debug("Can't Match group because user %.100s not in any group " 792 "at line %d", user, line); 793 } else if (ga_match_pattern_list(grps) != 1) { 794 debug("user %.100s does not match group list %.100s at line %d", 795 user, grps, line); 796 } else { 797 debug("user %.100s matched group list %.100s at line %d", user, 798 grps, line); 799 result = 1; 800 } 801out: 802 ga_free(); 803 return result; 804} 805 806/* 807 * All of the attributes on a single Match line are ANDed together, so we need 808 * to check every attribute and set the result to zero if any attribute does 809 * not match. 810 */ 811static int 812match_cfg_line(char **condition, int line, struct connection_info *ci) 813{ 814 int result = 1, attributes = 0, port; 815 char *arg, *attrib, *cp = *condition; 816 817 if (ci == NULL) 818 debug3("checking syntax for 'Match %s'", cp); 819 else 820 debug3("checking match for '%s' user %s host %s addr %s " 821 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", 822 ci->host ? ci->host : "(null)", 823 ci->address ? ci->address : "(null)", 824 ci->laddress ? ci->laddress : "(null)", ci->lport); 825 826 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 827 attributes++; 828 if (strcasecmp(attrib, "all") == 0) { 829 if (attributes != 1 || 830 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { 831 error("'all' cannot be combined with other " 832 "Match attributes"); 833 return -1; 834 } 835 *condition = cp; 836 return 1; 837 } 838 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 839 error("Missing Match criteria for %s", attrib); 840 return -1; 841 } 842 if (strcasecmp(attrib, "user") == 0) { 843 if (ci == NULL || ci->user == NULL) { 844 result = 0; 845 continue; 846 } 847 if (match_pattern_list(ci->user, arg, 0) != 1) 848 result = 0; 849 else 850 debug("user %.100s matched 'User %.100s' at " 851 "line %d", ci->user, arg, line); 852 } else if (strcasecmp(attrib, "group") == 0) { 853 if (ci == NULL || ci->user == NULL) { 854 result = 0; 855 continue; 856 } 857 switch (match_cfg_line_group(arg, line, ci->user)) { 858 case -1: 859 return -1; 860 case 0: 861 result = 0; 862 } 863 } else if (strcasecmp(attrib, "host") == 0) { 864 if (ci == NULL || ci->host == NULL) { 865 result = 0; 866 continue; 867 } 868 if (match_hostname(ci->host, arg) != 1) 869 result = 0; 870 else 871 debug("connection from %.100s matched 'Host " 872 "%.100s' at line %d", ci->host, arg, line); 873 } else if (strcasecmp(attrib, "address") == 0) { 874 if (ci == NULL || ci->address == NULL) { 875 result = 0; 876 continue; 877 } 878 switch (addr_match_list(ci->address, arg)) { 879 case 1: 880 debug("connection from %.100s matched 'Address " 881 "%.100s' at line %d", ci->address, arg, line); 882 break; 883 case 0: 884 case -1: 885 result = 0; 886 break; 887 case -2: 888 return -1; 889 } 890 } else if (strcasecmp(attrib, "localaddress") == 0){ 891 if (ci == NULL || ci->laddress == NULL) { 892 result = 0; 893 continue; 894 } 895 switch (addr_match_list(ci->laddress, arg)) { 896 case 1: 897 debug("connection from %.100s matched " 898 "'LocalAddress %.100s' at line %d", 899 ci->laddress, arg, line); 900 break; 901 case 0: 902 case -1: 903 result = 0; 904 break; 905 case -2: 906 return -1; 907 } 908 } else if (strcasecmp(attrib, "localport") == 0) { 909 if ((port = a2port(arg)) == -1) { 910 error("Invalid LocalPort '%s' on Match line", 911 arg); 912 return -1; 913 } 914 if (ci == NULL || ci->lport == 0) { 915 result = 0; 916 continue; 917 } 918 /* TODO support port lists */ 919 if (port == ci->lport) 920 debug("connection from %.100s matched " 921 "'LocalPort %d' at line %d", 922 ci->laddress, port, line); 923 else 924 result = 0; 925 } else { 926 error("Unsupported Match attribute %s", attrib); 927 return -1; 928 } 929 } 930 if (attributes == 0) { 931 error("One or more attributes required for Match"); 932 return -1; 933 } 934 if (ci != NULL) 935 debug3("match %sfound", result ? "" : "not "); 936 *condition = cp; 937 return result; 938} 939 940#define WHITESPACE " \t\r\n" 941 942/* Multistate option parsing */ 943struct multistate { 944 char *key; 945 int value; 946}; 947static const struct multistate multistate_addressfamily[] = { 948 { "inet", AF_INET }, 949 { "inet6", AF_INET6 }, 950 { "any", AF_UNSPEC }, 951 { NULL, -1 } 952}; 953static const struct multistate multistate_permitrootlogin[] = { 954 { "without-password", PERMIT_NO_PASSWD }, 955 { "prohibit-password", PERMIT_NO_PASSWD }, 956 { "forced-commands-only", PERMIT_FORCED_ONLY }, 957 { "yes", PERMIT_YES }, 958 { "no", PERMIT_NO }, 959 { NULL, -1 } 960}; 961static const struct multistate multistate_compression[] = { 962 { "delayed", COMP_DELAYED }, 963 { "yes", COMP_ZLIB }, 964 { "no", COMP_NONE }, 965 { NULL, -1 } 966}; 967static const struct multistate multistate_gatewayports[] = { 968 { "clientspecified", 2 }, 969 { "yes", 1 }, 970 { "no", 0 }, 971 { NULL, -1 } 972}; 973static const struct multistate multistate_privsep[] = { 974 { "yes", PRIVSEP_NOSANDBOX }, 975 { "sandbox", PRIVSEP_ON }, 976 { "nosandbox", PRIVSEP_NOSANDBOX }, 977 { "no", PRIVSEP_OFF }, 978 { NULL, -1 } 979}; 980static const struct multistate multistate_tcpfwd[] = { 981 { "yes", FORWARD_ALLOW }, 982 { "all", FORWARD_ALLOW }, 983 { "no", FORWARD_DENY }, 984 { "remote", FORWARD_REMOTE }, 985 { "local", FORWARD_LOCAL }, 986 { NULL, -1 } 987}; 988 989int 990process_server_config_line(ServerOptions *options, char *line, 991 const char *filename, int linenum, int *activep, 992 struct connection_info *connectinfo) 993{ 994 char *cp, **charptr, *arg, *p; 995 int cmdline = 0, *intptr, value, value2, n, port; 996 SyslogFacility *log_facility_ptr; 997 LogLevel *log_level_ptr; 998 ServerOpCodes opcode; 999 u_int i, flags = 0; 1000 size_t len; 1001 long long val64; 1002 const struct multistate *multistate_ptr; 1003 1004 cp = line; 1005 if ((arg = strdelim(&cp)) == NULL) 1006 return 0; 1007 /* Ignore leading whitespace */ 1008 if (*arg == '\0') 1009 arg = strdelim(&cp); 1010 if (!arg || !*arg || *arg == '#') 1011 return 0; 1012 intptr = NULL; 1013 charptr = NULL; 1014 opcode = parse_token(arg, filename, linenum, &flags); 1015 1016 if (activep == NULL) { /* We are processing a command line directive */ 1017 cmdline = 1; 1018 activep = &cmdline; 1019 } 1020 if (*activep && opcode != sMatch) 1021 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 1022 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 1023 if (connectinfo == NULL) { 1024 fatal("%s line %d: Directive '%s' is not allowed " 1025 "within a Match block", filename, linenum, arg); 1026 } else { /* this is a directive we have already processed */ 1027 while (arg) 1028 arg = strdelim(&cp); 1029 return 0; 1030 } 1031 } 1032 1033 switch (opcode) { 1034 /* Portable-specific options */ 1035 case sUsePAM: 1036 intptr = &options->use_pam; 1037 goto parse_flag; 1038 1039 /* Standard Options */ 1040 case sBadOption: 1041 return -1; 1042 case sPort: 1043 /* ignore ports from configfile if cmdline specifies ports */ 1044 if (options->ports_from_cmdline) 1045 return 0; 1046 if (options->num_ports >= MAX_PORTS) 1047 fatal("%s line %d: too many ports.", 1048 filename, linenum); 1049 arg = strdelim(&cp); 1050 if (!arg || *arg == '\0') 1051 fatal("%s line %d: missing port number.", 1052 filename, linenum); 1053 options->ports[options->num_ports++] = a2port(arg); 1054 if (options->ports[options->num_ports-1] <= 0) 1055 fatal("%s line %d: Badly formatted port number.", 1056 filename, linenum); 1057 break; 1058 1059 case sServerKeyBits: 1060 intptr = &options->server_key_bits; 1061 parse_int: 1062 arg = strdelim(&cp); 1063 if (!arg || *arg == '\0') 1064 fatal("%s line %d: missing integer value.", 1065 filename, linenum); 1066 value = atoi(arg); 1067 if (*activep && *intptr == -1) 1068 *intptr = value; 1069 break; 1070 1071 case sLoginGraceTime: 1072 intptr = &options->login_grace_time; 1073 parse_time: 1074 arg = strdelim(&cp); 1075 if (!arg || *arg == '\0') 1076 fatal("%s line %d: missing time value.", 1077 filename, linenum); 1078 if ((value = convtime(arg)) == -1) 1079 fatal("%s line %d: invalid time value.", 1080 filename, linenum); 1081 if (*activep && *intptr == -1) 1082 *intptr = value; 1083 break; 1084 1085 case sKeyRegenerationTime: 1086 intptr = &options->key_regeneration_time; 1087 goto parse_time; 1088 1089 case sListenAddress: 1090 arg = strdelim(&cp); 1091 if (arg == NULL || *arg == '\0') 1092 fatal("%s line %d: missing address", 1093 filename, linenum); 1094 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 1095 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 1096 && strchr(p+1, ':') != NULL) { 1097 queue_listen_addr(options, arg, 0); 1098 break; 1099 } 1100 p = hpdelim(&arg); 1101 if (p == NULL) 1102 fatal("%s line %d: bad address:port usage", 1103 filename, linenum); 1104 p = cleanhostname(p); 1105 if (arg == NULL) 1106 port = 0; 1107 else if ((port = a2port(arg)) <= 0) 1108 fatal("%s line %d: bad port number", filename, linenum); 1109 1110 queue_listen_addr(options, p, port); 1111 1112 break; 1113 1114 case sAddressFamily: 1115 intptr = &options->address_family; 1116 multistate_ptr = multistate_addressfamily; 1117 parse_multistate: 1118 arg = strdelim(&cp); 1119 if (!arg || *arg == '\0') 1120 fatal("%s line %d: missing argument.", 1121 filename, linenum); 1122 value = -1; 1123 for (i = 0; multistate_ptr[i].key != NULL; i++) { 1124 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 1125 value = multistate_ptr[i].value; 1126 break; 1127 } 1128 } 1129 if (value == -1) 1130 fatal("%s line %d: unsupported option \"%s\".", 1131 filename, linenum, arg); 1132 if (*activep && *intptr == -1) 1133 *intptr = value; 1134 break; 1135 1136 case sHostKeyFile: 1137 intptr = &options->num_host_key_files; 1138 if (*intptr >= MAX_HOSTKEYS) 1139 fatal("%s line %d: too many host keys specified (max %d).", 1140 filename, linenum, MAX_HOSTKEYS); 1141 charptr = &options->host_key_files[*intptr]; 1142 parse_filename: 1143 arg = strdelim(&cp); 1144 if (!arg || *arg == '\0') 1145 fatal("%s line %d: missing file name.", 1146 filename, linenum); 1147 if (*activep && *charptr == NULL) { 1148 *charptr = derelativise_path(arg); 1149 /* increase optional counter */ 1150 if (intptr != NULL) 1151 *intptr = *intptr + 1; 1152 } 1153 break; 1154 1155 case sHostKeyAgent: 1156 charptr = &options->host_key_agent; 1157 arg = strdelim(&cp); 1158 if (!arg || *arg == '\0') 1159 fatal("%s line %d: missing socket name.", 1160 filename, linenum); 1161 if (*activep && *charptr == NULL) 1162 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? 1163 xstrdup(arg) : derelativise_path(arg); 1164 break; 1165 1166 case sHostCertificate: 1167 intptr = &options->num_host_cert_files; 1168 if (*intptr >= MAX_HOSTKEYS) 1169 fatal("%s line %d: too many host certificates " 1170 "specified (max %d).", filename, linenum, 1171 MAX_HOSTCERTS); 1172 charptr = &options->host_cert_files[*intptr]; 1173 goto parse_filename; 1174 break; 1175 1176 case sPidFile: 1177 charptr = &options->pid_file; 1178 goto parse_filename; 1179 1180 case sPermitRootLogin: 1181 intptr = &options->permit_root_login; 1182 multistate_ptr = multistate_permitrootlogin; 1183 goto parse_multistate; 1184 1185 case sIgnoreRhosts: 1186 intptr = &options->ignore_rhosts; 1187 parse_flag: 1188 arg = strdelim(&cp); 1189 if (!arg || *arg == '\0') 1190 fatal("%s line %d: missing yes/no argument.", 1191 filename, linenum); 1192 value = 0; /* silence compiler */ 1193 if (strcmp(arg, "yes") == 0) 1194 value = 1; 1195 else if (strcmp(arg, "no") == 0) 1196 value = 0; 1197 else 1198 fatal("%s line %d: Bad yes/no argument: %s", 1199 filename, linenum, arg); 1200 if (*activep && *intptr == -1) 1201 *intptr = value; 1202 break; 1203 1204 case sIgnoreUserKnownHosts: 1205 intptr = &options->ignore_user_known_hosts; 1206 goto parse_flag; 1207 1208 case sRhostsRSAAuthentication: 1209 intptr = &options->rhosts_rsa_authentication; 1210 goto parse_flag; 1211 1212 case sHostbasedAuthentication: 1213 intptr = &options->hostbased_authentication; 1214 goto parse_flag; 1215 1216 case sHostbasedUsesNameFromPacketOnly: 1217 intptr = &options->hostbased_uses_name_from_packet_only; 1218 goto parse_flag; 1219 1220 case sHostbasedAcceptedKeyTypes: 1221 charptr = &options->hostbased_key_types; 1222 parse_keytypes: 1223 arg = strdelim(&cp); 1224 if (!arg || *arg == '\0') 1225 fatal("%s line %d: Missing argument.", 1226 filename, linenum); 1227 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 1228 fatal("%s line %d: Bad key types '%s'.", 1229 filename, linenum, arg ? arg : "<NONE>"); 1230 if (*activep && *charptr == NULL) 1231 *charptr = xstrdup(arg); 1232 break; 1233 1234 case sHostKeyAlgorithms: 1235 charptr = &options->hostkeyalgorithms; 1236 goto parse_keytypes; 1237 1238 case sRSAAuthentication: 1239 intptr = &options->rsa_authentication; 1240 goto parse_flag; 1241 1242 case sPubkeyAuthentication: 1243 intptr = &options->pubkey_authentication; 1244 goto parse_flag; 1245 1246 case sPubkeyAcceptedKeyTypes: 1247 charptr = &options->pubkey_key_types; 1248 goto parse_keytypes; 1249 1250 case sKerberosAuthentication: 1251 intptr = &options->kerberos_authentication; 1252 goto parse_flag; 1253 1254 case sKerberosOrLocalPasswd: 1255 intptr = &options->kerberos_or_local_passwd; 1256 goto parse_flag; 1257 1258 case sKerberosTicketCleanup: 1259 intptr = &options->kerberos_ticket_cleanup; 1260 goto parse_flag; 1261 1262 case sKerberosGetAFSToken: 1263 intptr = &options->kerberos_get_afs_token; 1264 goto parse_flag; 1265 1266 case sGssAuthentication: 1267 intptr = &options->gss_authentication; 1268 goto parse_flag; 1269 1270 case sGssCleanupCreds: 1271 intptr = &options->gss_cleanup_creds; 1272 goto parse_flag; 1273 1274 case sGssStrictAcceptor: 1275 intptr = &options->gss_strict_acceptor; 1276 goto parse_flag; 1277 1278 case sPasswordAuthentication: 1279 intptr = &options->password_authentication; 1280 goto parse_flag; 1281 1282 case sKbdInteractiveAuthentication: 1283 intptr = &options->kbd_interactive_authentication; 1284 goto parse_flag; 1285 1286 case sChallengeResponseAuthentication: 1287 intptr = &options->challenge_response_authentication; 1288 goto parse_flag; 1289 1290 case sPrintMotd: 1291 intptr = &options->print_motd; 1292 goto parse_flag; 1293 1294 case sPrintLastLog: 1295 intptr = &options->print_lastlog; 1296 goto parse_flag; 1297 1298 case sX11Forwarding: 1299 intptr = &options->x11_forwarding; 1300 goto parse_flag; 1301 1302 case sX11DisplayOffset: 1303 intptr = &options->x11_display_offset; 1304 goto parse_int; 1305 1306 case sX11UseLocalhost: 1307 intptr = &options->x11_use_localhost; 1308 goto parse_flag; 1309 1310 case sXAuthLocation: 1311 charptr = &options->xauth_location; 1312 goto parse_filename; 1313 1314 case sPermitTTY: 1315 intptr = &options->permit_tty; 1316 goto parse_flag; 1317 1318 case sPermitUserRC: 1319 intptr = &options->permit_user_rc; 1320 goto parse_flag; 1321 1322 case sStrictModes: 1323 intptr = &options->strict_modes; 1324 goto parse_flag; 1325 1326 case sTCPKeepAlive: 1327 intptr = &options->tcp_keep_alive; 1328 goto parse_flag; 1329 1330 case sEmptyPasswd: 1331 intptr = &options->permit_empty_passwd; 1332 goto parse_flag; 1333 1334 case sPermitUserEnvironment: 1335 intptr = &options->permit_user_env; 1336 goto parse_flag; 1337 1338 case sUseLogin: 1339 intptr = &options->use_login; 1340 goto parse_flag; 1341 1342 case sCompression: 1343 intptr = &options->compression; 1344 multistate_ptr = multistate_compression; 1345 goto parse_multistate; 1346 1347 case sRekeyLimit: 1348 arg = strdelim(&cp); 1349 if (!arg || *arg == '\0') 1350 fatal("%.200s line %d: Missing argument.", filename, 1351 linenum); 1352 if (strcmp(arg, "default") == 0) { 1353 val64 = 0; 1354 } else { 1355 if (scan_scaled(arg, &val64) == -1) 1356 fatal("%.200s line %d: Bad number '%s': %s", 1357 filename, linenum, arg, strerror(errno)); 1358 if (val64 != 0 && val64 < 16) 1359 fatal("%.200s line %d: RekeyLimit too small", 1360 filename, linenum); 1361 } 1362 if (*activep && options->rekey_limit == -1) 1363 options->rekey_limit = val64; 1364 if (cp != NULL) { /* optional rekey interval present */ 1365 if (strcmp(cp, "none") == 0) { 1366 (void)strdelim(&cp); /* discard */ 1367 break; 1368 } 1369 intptr = &options->rekey_interval; 1370 goto parse_time; 1371 } 1372 break; 1373 1374 case sGatewayPorts: 1375 intptr = &options->fwd_opts.gateway_ports; 1376 multistate_ptr = multistate_gatewayports; 1377 goto parse_multistate; 1378 1379 case sUseDNS: 1380 intptr = &options->use_dns; 1381 goto parse_flag; 1382 1383 case sLogFacility: 1384 log_facility_ptr = &options->log_facility; 1385 arg = strdelim(&cp); 1386 value = log_facility_number(arg); 1387 if (value == SYSLOG_FACILITY_NOT_SET) 1388 fatal("%.200s line %d: unsupported log facility '%s'", 1389 filename, linenum, arg ? arg : "<NONE>"); 1390 if (*log_facility_ptr == -1) 1391 *log_facility_ptr = (SyslogFacility) value; 1392 break; 1393 1394 case sLogLevel: 1395 log_level_ptr = &options->log_level; 1396 arg = strdelim(&cp); 1397 value = log_level_number(arg); 1398 if (value == SYSLOG_LEVEL_NOT_SET) 1399 fatal("%.200s line %d: unsupported log level '%s'", 1400 filename, linenum, arg ? arg : "<NONE>"); 1401 if (*log_level_ptr == -1) 1402 *log_level_ptr = (LogLevel) value; 1403 break; 1404 1405 case sAllowTcpForwarding: 1406 intptr = &options->allow_tcp_forwarding; 1407 multistate_ptr = multistate_tcpfwd; 1408 goto parse_multistate; 1409 1410 case sAllowStreamLocalForwarding: 1411 intptr = &options->allow_streamlocal_forwarding; 1412 multistate_ptr = multistate_tcpfwd; 1413 goto parse_multistate; 1414 1415 case sAllowAgentForwarding: 1416 intptr = &options->allow_agent_forwarding; 1417 goto parse_flag; 1418 1419 case sUsePrivilegeSeparation: 1420 intptr = &use_privsep; 1421 multistate_ptr = multistate_privsep; 1422 goto parse_multistate; 1423 1424 case sAllowUsers: 1425 while ((arg = strdelim(&cp)) && *arg != '\0') { 1426 if (options->num_allow_users >= MAX_ALLOW_USERS) 1427 fatal("%s line %d: too many allow users.", 1428 filename, linenum); 1429 if (!*activep) 1430 continue; 1431 options->allow_users[options->num_allow_users++] = 1432 xstrdup(arg); 1433 } 1434 break; 1435 1436 case sDenyUsers: 1437 while ((arg = strdelim(&cp)) && *arg != '\0') { 1438 if (options->num_deny_users >= MAX_DENY_USERS) 1439 fatal("%s line %d: too many deny users.", 1440 filename, linenum); 1441 if (!*activep) 1442 continue; 1443 options->deny_users[options->num_deny_users++] = 1444 xstrdup(arg); 1445 } 1446 break; 1447 1448 case sAllowGroups: 1449 while ((arg = strdelim(&cp)) && *arg != '\0') { 1450 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1451 fatal("%s line %d: too many allow groups.", 1452 filename, linenum); 1453 if (!*activep) 1454 continue; 1455 options->allow_groups[options->num_allow_groups++] = 1456 xstrdup(arg); 1457 } 1458 break; 1459 1460 case sDenyGroups: 1461 while ((arg = strdelim(&cp)) && *arg != '\0') { 1462 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1463 fatal("%s line %d: too many deny groups.", 1464 filename, linenum); 1465 if (!*activep) 1466 continue; 1467 options->deny_groups[options->num_deny_groups++] = 1468 xstrdup(arg); 1469 } 1470 break; 1471 1472 case sCiphers: 1473 arg = strdelim(&cp); 1474 if (!arg || *arg == '\0') 1475 fatal("%s line %d: Missing argument.", filename, linenum); 1476 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) 1477 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1478 filename, linenum, arg ? arg : "<NONE>"); 1479 if (options->ciphers == NULL) 1480 options->ciphers = xstrdup(arg); 1481 break; 1482 1483 case sMacs: 1484 arg = strdelim(&cp); 1485 if (!arg || *arg == '\0') 1486 fatal("%s line %d: Missing argument.", filename, linenum); 1487 if (!mac_valid(*arg == '+' ? arg + 1 : arg)) 1488 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1489 filename, linenum, arg ? arg : "<NONE>"); 1490 if (options->macs == NULL) 1491 options->macs = xstrdup(arg); 1492 break; 1493 1494 case sKexAlgorithms: 1495 arg = strdelim(&cp); 1496 if (!arg || *arg == '\0') 1497 fatal("%s line %d: Missing argument.", 1498 filename, linenum); 1499 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) 1500 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1501 filename, linenum, arg ? arg : "<NONE>"); 1502 if (options->kex_algorithms == NULL) 1503 options->kex_algorithms = xstrdup(arg); 1504 break; 1505 1506 case sProtocol: 1507 intptr = &options->protocol; 1508 arg = strdelim(&cp); 1509 if (!arg || *arg == '\0') 1510 fatal("%s line %d: Missing argument.", filename, linenum); 1511 value = proto_spec(arg); 1512 if (value == SSH_PROTO_UNKNOWN) 1513 fatal("%s line %d: Bad protocol spec '%s'.", 1514 filename, linenum, arg ? arg : "<NONE>"); 1515 if (*intptr == SSH_PROTO_UNKNOWN) 1516 *intptr = value; 1517 break; 1518 1519 case sSubsystem: 1520 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1521 fatal("%s line %d: too many subsystems defined.", 1522 filename, linenum); 1523 } 1524 arg = strdelim(&cp); 1525 if (!arg || *arg == '\0') 1526 fatal("%s line %d: Missing subsystem name.", 1527 filename, linenum); 1528 if (!*activep) { 1529 arg = strdelim(&cp); 1530 break; 1531 } 1532 for (i = 0; i < options->num_subsystems; i++) 1533 if (strcmp(arg, options->subsystem_name[i]) == 0) 1534 fatal("%s line %d: Subsystem '%s' already defined.", 1535 filename, linenum, arg); 1536 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1537 arg = strdelim(&cp); 1538 if (!arg || *arg == '\0') 1539 fatal("%s line %d: Missing subsystem command.", 1540 filename, linenum); 1541 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1542 1543 /* Collect arguments (separate to executable) */ 1544 p = xstrdup(arg); 1545 len = strlen(p) + 1; 1546 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1547 len += 1 + strlen(arg); 1548 p = xreallocarray(p, 1, len); 1549 strlcat(p, " ", len); 1550 strlcat(p, arg, len); 1551 } 1552 options->subsystem_args[options->num_subsystems] = p; 1553 options->num_subsystems++; 1554 break; 1555 1556 case sMaxStartups: 1557 arg = strdelim(&cp); 1558 if (!arg || *arg == '\0') 1559 fatal("%s line %d: Missing MaxStartups spec.", 1560 filename, linenum); 1561 if ((n = sscanf(arg, "%d:%d:%d", 1562 &options->max_startups_begin, 1563 &options->max_startups_rate, 1564 &options->max_startups)) == 3) { 1565 if (options->max_startups_begin > 1566 options->max_startups || 1567 options->max_startups_rate > 100 || 1568 options->max_startups_rate < 1) 1569 fatal("%s line %d: Illegal MaxStartups spec.", 1570 filename, linenum); 1571 } else if (n != 1) 1572 fatal("%s line %d: Illegal MaxStartups spec.", 1573 filename, linenum); 1574 else 1575 options->max_startups = options->max_startups_begin; 1576 break; 1577 1578 case sMaxAuthTries: 1579 intptr = &options->max_authtries; 1580 goto parse_int; 1581 1582 case sMaxSessions: 1583 intptr = &options->max_sessions; 1584 goto parse_int; 1585 1586 case sBanner: 1587 charptr = &options->banner; 1588 goto parse_filename; 1589 1590 /* 1591 * These options can contain %X options expanded at 1592 * connect time, so that you can specify paths like: 1593 * 1594 * AuthorizedKeysFile /etc/ssh_keys/%u 1595 */ 1596 case sAuthorizedKeysFile: 1597 if (*activep && options->num_authkeys_files == 0) { 1598 while ((arg = strdelim(&cp)) && *arg != '\0') { 1599 if (options->num_authkeys_files >= 1600 MAX_AUTHKEYS_FILES) 1601 fatal("%s line %d: " 1602 "too many authorized keys files.", 1603 filename, linenum); 1604 options->authorized_keys_files[ 1605 options->num_authkeys_files++] = 1606 tilde_expand_filename(arg, getuid()); 1607 } 1608 } 1609 return 0; 1610 1611 case sAuthorizedPrincipalsFile: 1612 charptr = &options->authorized_principals_file; 1613 arg = strdelim(&cp); 1614 if (!arg || *arg == '\0') 1615 fatal("%s line %d: missing file name.", 1616 filename, linenum); 1617 if (*activep && *charptr == NULL) { 1618 *charptr = tilde_expand_filename(arg, getuid()); 1619 /* increase optional counter */ 1620 if (intptr != NULL) 1621 *intptr = *intptr + 1; 1622 } 1623 break; 1624 1625 case sClientAliveInterval: 1626 intptr = &options->client_alive_interval; 1627 goto parse_time; 1628 1629 case sClientAliveCountMax: 1630 intptr = &options->client_alive_count_max; 1631 goto parse_int; 1632 1633 case sAcceptEnv: 1634 while ((arg = strdelim(&cp)) && *arg != '\0') { 1635 if (strchr(arg, '=') != NULL) 1636 fatal("%s line %d: Invalid environment name.", 1637 filename, linenum); 1638 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1639 fatal("%s line %d: too many allow env.", 1640 filename, linenum); 1641 if (!*activep) 1642 continue; 1643 options->accept_env[options->num_accept_env++] = 1644 xstrdup(arg); 1645 } 1646 break; 1647 1648 case sPermitTunnel: 1649 intptr = &options->permit_tun; 1650 arg = strdelim(&cp); 1651 if (!arg || *arg == '\0') 1652 fatal("%s line %d: Missing yes/point-to-point/" 1653 "ethernet/no argument.", filename, linenum); 1654 value = -1; 1655 for (i = 0; tunmode_desc[i].val != -1; i++) 1656 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1657 value = tunmode_desc[i].val; 1658 break; 1659 } 1660 if (value == -1) 1661 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1662 "no argument: %s", filename, linenum, arg); 1663 if (*activep && *intptr == -1) 1664 *intptr = value; 1665 break; 1666 1667 case sMatch: 1668 if (cmdline) 1669 fatal("Match directive not supported as a command-line " 1670 "option"); 1671 value = match_cfg_line(&cp, linenum, connectinfo); 1672 if (value < 0) 1673 fatal("%s line %d: Bad Match condition", filename, 1674 linenum); 1675 *activep = value; 1676 break; 1677 1678 case sPermitOpen: 1679 arg = strdelim(&cp); 1680 if (!arg || *arg == '\0') 1681 fatal("%s line %d: missing PermitOpen specification", 1682 filename, linenum); 1683 n = options->num_permitted_opens; /* modified later */ 1684 if (strcmp(arg, "any") == 0) { 1685 if (*activep && n == -1) { 1686 channel_clear_adm_permitted_opens(); 1687 options->num_permitted_opens = 0; 1688 } 1689 break; 1690 } 1691 if (strcmp(arg, "none") == 0) { 1692 if (*activep && n == -1) { 1693 options->num_permitted_opens = 1; 1694 channel_disable_adm_local_opens(); 1695 } 1696 break; 1697 } 1698 if (*activep && n == -1) 1699 channel_clear_adm_permitted_opens(); 1700 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1701 p = hpdelim(&arg); 1702 if (p == NULL) 1703 fatal("%s line %d: missing host in PermitOpen", 1704 filename, linenum); 1705 p = cleanhostname(p); 1706 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1707 fatal("%s line %d: bad port number in " 1708 "PermitOpen", filename, linenum); 1709 if (*activep && n == -1) 1710 options->num_permitted_opens = 1711 channel_add_adm_permitted_opens(p, port); 1712 } 1713 break; 1714 1715 case sForceCommand: 1716 if (cp == NULL || *cp == '\0') 1717 fatal("%.200s line %d: Missing argument.", filename, 1718 linenum); 1719 len = strspn(cp, WHITESPACE); 1720 if (*activep && options->adm_forced_command == NULL) 1721 options->adm_forced_command = xstrdup(cp + len); 1722 return 0; 1723 1724 case sChrootDirectory: 1725 charptr = &options->chroot_directory; 1726 1727 arg = strdelim(&cp); 1728 if (!arg || *arg == '\0') 1729 fatal("%s line %d: missing file name.", 1730 filename, linenum); 1731 if (*activep && *charptr == NULL) 1732 *charptr = xstrdup(arg); 1733 break; 1734 1735 case sTrustedUserCAKeys: 1736 charptr = &options->trusted_user_ca_keys; 1737 goto parse_filename; 1738 1739 case sRevokedKeys: 1740 charptr = &options->revoked_keys_file; 1741 goto parse_filename; 1742 1743 case sIPQoS: 1744 arg = strdelim(&cp); 1745 if ((value = parse_ipqos(arg)) == -1) 1746 fatal("%s line %d: Bad IPQoS value: %s", 1747 filename, linenum, arg); 1748 arg = strdelim(&cp); 1749 if (arg == NULL) 1750 value2 = value; 1751 else if ((value2 = parse_ipqos(arg)) == -1) 1752 fatal("%s line %d: Bad IPQoS value: %s", 1753 filename, linenum, arg); 1754 if (*activep) { 1755 options->ip_qos_interactive = value; 1756 options->ip_qos_bulk = value2; 1757 } 1758 break; 1759 1760 case sVersionAddendum: 1761 if (cp == NULL || *cp == '\0') 1762 fatal("%.200s line %d: Missing argument.", filename, 1763 linenum); 1764 len = strspn(cp, WHITESPACE); 1765 if (*activep && options->version_addendum == NULL) { 1766 if (strcasecmp(cp + len, "none") == 0) 1767 options->version_addendum = xstrdup(""); 1768 else if (strchr(cp + len, '\r') != NULL) 1769 fatal("%.200s line %d: Invalid argument", 1770 filename, linenum); 1771 else 1772 options->version_addendum = xstrdup(cp + len); 1773 } 1774 return 0; 1775 1776 case sAuthorizedKeysCommand: 1777 if (cp == NULL) 1778 fatal("%.200s line %d: Missing argument.", filename, 1779 linenum); 1780 len = strspn(cp, WHITESPACE); 1781 if (*activep && options->authorized_keys_command == NULL) { 1782 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1783 fatal("%.200s line %d: AuthorizedKeysCommand " 1784 "must be an absolute path", 1785 filename, linenum); 1786 options->authorized_keys_command = xstrdup(cp + len); 1787 } 1788 return 0; 1789 1790 case sAuthorizedKeysCommandUser: 1791 charptr = &options->authorized_keys_command_user; 1792 1793 arg = strdelim(&cp); 1794 if (!arg || *arg == '\0') 1795 fatal("%s line %d: missing AuthorizedKeysCommandUser " 1796 "argument.", filename, linenum); 1797 if (*activep && *charptr == NULL) 1798 *charptr = xstrdup(arg); 1799 break; 1800 1801 case sAuthorizedPrincipalsCommand: 1802 if (cp == NULL) 1803 fatal("%.200s line %d: Missing argument.", filename, 1804 linenum); 1805 len = strspn(cp, WHITESPACE); 1806 if (*activep && 1807 options->authorized_principals_command == NULL) { 1808 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1809 fatal("%.200s line %d: " 1810 "AuthorizedPrincipalsCommand must be " 1811 "an absolute path", filename, linenum); 1812 options->authorized_principals_command = 1813 xstrdup(cp + len); 1814 } 1815 return 0; 1816 1817 case sAuthorizedPrincipalsCommandUser: 1818 charptr = &options->authorized_principals_command_user; 1819 1820 arg = strdelim(&cp); 1821 if (!arg || *arg == '\0') 1822 fatal("%s line %d: missing " 1823 "AuthorizedPrincipalsCommandUser argument.", 1824 filename, linenum); 1825 if (*activep && *charptr == NULL) 1826 *charptr = xstrdup(arg); 1827 break; 1828 1829 case sAuthenticationMethods: 1830 if (options->num_auth_methods == 0) { 1831 value = 0; /* seen "any" pseudo-method */ 1832 value2 = 0; /* sucessfully parsed any method */ 1833 while ((arg = strdelim(&cp)) && *arg != '\0') { 1834 if (options->num_auth_methods >= 1835 MAX_AUTH_METHODS) 1836 fatal("%s line %d: " 1837 "too many authentication methods.", 1838 filename, linenum); 1839 if (strcmp(arg, "any") == 0) { 1840 if (options->num_auth_methods > 0) { 1841 fatal("%s line %d: \"any\" " 1842 "must appear alone in " 1843 "AuthenticationMethods", 1844 filename, linenum); 1845 } 1846 value = 1; 1847 } else if (value) { 1848 fatal("%s line %d: \"any\" must appear " 1849 "alone in AuthenticationMethods", 1850 filename, linenum); 1851 } else if (auth2_methods_valid(arg, 0) != 0) { 1852 fatal("%s line %d: invalid " 1853 "authentication method list.", 1854 filename, linenum); 1855 } 1856 value2 = 1; 1857 if (!*activep) 1858 continue; 1859 options->auth_methods[ 1860 options->num_auth_methods++] = xstrdup(arg); 1861 } 1862 if (value2 == 0) { 1863 fatal("%s line %d: no AuthenticationMethods " 1864 "specified", filename, linenum); 1865 } 1866 } 1867 return 0; 1868 1869 case sStreamLocalBindMask: 1870 arg = strdelim(&cp); 1871 if (!arg || *arg == '\0') 1872 fatal("%s line %d: missing StreamLocalBindMask " 1873 "argument.", filename, linenum); 1874 /* Parse mode in octal format */ 1875 value = strtol(arg, &p, 8); 1876 if (arg == p || value < 0 || value > 0777) 1877 fatal("%s line %d: Bad mask.", filename, linenum); 1878 if (*activep) 1879 options->fwd_opts.streamlocal_bind_mask = (mode_t)value; 1880 break; 1881 1882 case sStreamLocalBindUnlink: 1883 intptr = &options->fwd_opts.streamlocal_bind_unlink; 1884 goto parse_flag; 1885 1886 case sFingerprintHash: 1887 arg = strdelim(&cp); 1888 if (!arg || *arg == '\0') 1889 fatal("%.200s line %d: Missing argument.", 1890 filename, linenum); 1891 if ((value = ssh_digest_alg_by_name(arg)) == -1) 1892 fatal("%.200s line %d: Invalid hash algorithm \"%s\".", 1893 filename, linenum, arg); 1894 if (*activep) 1895 options->fingerprint_hash = value; 1896 break; 1897 1898 case sUseBlacklist: 1899 intptr = &options->use_blacklist; 1900 goto parse_flag; 1901 1902 case sDeprecated: 1903 logit("%s line %d: Deprecated option %s", 1904 filename, linenum, arg); 1905 while (arg) 1906 arg = strdelim(&cp); 1907 break; 1908 1909 case sUnsupported: 1910 logit("%s line %d: Unsupported option %s", 1911 filename, linenum, arg); 1912 while (arg) 1913 arg = strdelim(&cp); 1914 break; 1915 1916 default: 1917 fatal("%s line %d: Missing handler for opcode %s (%d)", 1918 filename, linenum, arg, opcode); 1919 } 1920 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1921 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1922 filename, linenum, arg); 1923 return 0; 1924} 1925 1926/* Reads the server configuration file. */ 1927 1928void 1929load_server_config(const char *filename, Buffer *conf) 1930{ 1931 char line[4096], *cp; 1932 FILE *f; 1933 int lineno = 0; 1934 1935 debug2("%s: filename %s", __func__, filename); 1936 if ((f = fopen(filename, "r")) == NULL) { 1937 perror(filename); 1938 exit(1); 1939 } 1940 buffer_clear(conf); 1941 while (fgets(line, sizeof(line), f)) { 1942 lineno++; 1943 if (strlen(line) == sizeof(line) - 1) 1944 fatal("%s line %d too long", filename, lineno); 1945 /* 1946 * Trim out comments and strip whitespace 1947 * NB - preserve newlines, they are needed to reproduce 1948 * line numbers later for error messages 1949 */ 1950 if ((cp = strchr(line, '#')) != NULL) 1951 memcpy(cp, "\n", 2); 1952 cp = line + strspn(line, " \t\r"); 1953 1954 buffer_append(conf, cp, strlen(cp)); 1955 } 1956 buffer_append(conf, "\0", 1); 1957 fclose(f); 1958 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1959} 1960 1961void 1962parse_server_match_config(ServerOptions *options, 1963 struct connection_info *connectinfo) 1964{ 1965 ServerOptions mo; 1966 1967 initialize_server_options(&mo); 1968 parse_server_config(&mo, "reprocess config", &cfg, connectinfo); 1969 copy_set_server_options(options, &mo, 0); 1970} 1971 1972int parse_server_match_testspec(struct connection_info *ci, char *spec) 1973{ 1974 char *p; 1975 1976 while ((p = strsep(&spec, ",")) && *p != '\0') { 1977 if (strncmp(p, "addr=", 5) == 0) { 1978 ci->address = xstrdup(p + 5); 1979 } else if (strncmp(p, "host=", 5) == 0) { 1980 ci->host = xstrdup(p + 5); 1981 } else if (strncmp(p, "user=", 5) == 0) { 1982 ci->user = xstrdup(p + 5); 1983 } else if (strncmp(p, "laddr=", 6) == 0) { 1984 ci->laddress = xstrdup(p + 6); 1985 } else if (strncmp(p, "lport=", 6) == 0) { 1986 ci->lport = a2port(p + 6); 1987 if (ci->lport == -1) { 1988 fprintf(stderr, "Invalid port '%s' in test mode" 1989 " specification %s\n", p+6, p); 1990 return -1; 1991 } 1992 } else { 1993 fprintf(stderr, "Invalid test mode specification %s\n", 1994 p); 1995 return -1; 1996 } 1997 } 1998 return 0; 1999} 2000 2001/* 2002 * returns 1 for a complete spec, 0 for partial spec and -1 for an 2003 * empty spec. 2004 */ 2005int server_match_spec_complete(struct connection_info *ci) 2006{ 2007 if (ci->user && ci->host && ci->address) 2008 return 1; /* complete */ 2009 if (!ci->user && !ci->host && !ci->address) 2010 return -1; /* empty */ 2011 return 0; /* partial */ 2012} 2013 2014/* 2015 * Copy any supported values that are set. 2016 * 2017 * If the preauth flag is set, we do not bother copying the string or 2018 * array values that are not used pre-authentication, because any that we 2019 * do use must be explictly sent in mm_getpwnamallow(). 2020 */ 2021void 2022copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 2023{ 2024#define M_CP_INTOPT(n) do {\ 2025 if (src->n != -1) \ 2026 dst->n = src->n; \ 2027} while (0) 2028 2029 M_CP_INTOPT(password_authentication); 2030 M_CP_INTOPT(gss_authentication); 2031 M_CP_INTOPT(rsa_authentication); 2032 M_CP_INTOPT(pubkey_authentication); 2033 M_CP_INTOPT(kerberos_authentication); 2034 M_CP_INTOPT(hostbased_authentication); 2035 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 2036 M_CP_INTOPT(kbd_interactive_authentication); 2037 M_CP_INTOPT(permit_root_login); 2038 M_CP_INTOPT(permit_empty_passwd); 2039 2040 M_CP_INTOPT(allow_tcp_forwarding); 2041 M_CP_INTOPT(allow_streamlocal_forwarding); 2042 M_CP_INTOPT(allow_agent_forwarding); 2043 M_CP_INTOPT(permit_tun); 2044 M_CP_INTOPT(fwd_opts.gateway_ports); 2045 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); 2046 M_CP_INTOPT(x11_display_offset); 2047 M_CP_INTOPT(x11_forwarding); 2048 M_CP_INTOPT(x11_use_localhost); 2049 M_CP_INTOPT(permit_tty); 2050 M_CP_INTOPT(permit_user_rc); 2051 M_CP_INTOPT(max_sessions); 2052 M_CP_INTOPT(max_authtries); 2053 M_CP_INTOPT(ip_qos_interactive); 2054 M_CP_INTOPT(ip_qos_bulk); 2055 M_CP_INTOPT(rekey_limit); 2056 M_CP_INTOPT(rekey_interval); 2057 2058 /* 2059 * The bind_mask is a mode_t that may be unsigned, so we can't use 2060 * M_CP_INTOPT - it does a signed comparison that causes compiler 2061 * warnings. 2062 */ 2063 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) { 2064 dst->fwd_opts.streamlocal_bind_mask = 2065 src->fwd_opts.streamlocal_bind_mask; 2066 } 2067 2068 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ 2069#define M_CP_STROPT(n) do {\ 2070 if (src->n != NULL && dst->n != src->n) { \ 2071 free(dst->n); \ 2072 dst->n = src->n; \ 2073 } \ 2074} while(0) 2075#define M_CP_STRARRAYOPT(n, num_n) do {\ 2076 if (src->num_n != 0) { \ 2077 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 2078 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 2079 } \ 2080} while(0) 2081 2082 /* See comment in servconf.h */ 2083 COPY_MATCH_STRING_OPTS(); 2084 2085 /* Arguments that accept '+...' need to be expanded */ 2086 assemble_algorithms(dst); 2087 2088 /* 2089 * The only things that should be below this point are string options 2090 * which are only used after authentication. 2091 */ 2092 if (preauth) 2093 return; 2094 2095 /* These options may be "none" to clear a global setting */ 2096 M_CP_STROPT(adm_forced_command); 2097 if (option_clear_or_none(dst->adm_forced_command)) { 2098 free(dst->adm_forced_command); 2099 dst->adm_forced_command = NULL; 2100 } 2101 M_CP_STROPT(chroot_directory); 2102 if (option_clear_or_none(dst->chroot_directory)) { 2103 free(dst->chroot_directory); 2104 dst->chroot_directory = NULL; 2105 } 2106} 2107 2108#undef M_CP_INTOPT 2109#undef M_CP_STROPT 2110#undef M_CP_STRARRAYOPT 2111 2112void 2113parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 2114 struct connection_info *connectinfo) 2115{ 2116 int active, linenum, bad_options = 0; 2117 char *cp, *obuf, *cbuf; 2118 2119 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 2120 2121 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) 2122 fatal("%s: sshbuf_dup_string failed", __func__); 2123 active = connectinfo ? 0 : 1; 2124 linenum = 1; 2125 while ((cp = strsep(&cbuf, "\n")) != NULL) { 2126 if (process_server_config_line(options, cp, filename, 2127 linenum++, &active, connectinfo) != 0) 2128 bad_options++; 2129 } 2130 free(obuf); 2131 if (bad_options > 0) 2132 fatal("%s: terminating, %d bad configuration options", 2133 filename, bad_options); 2134 process_queued_listen_addrs(options); 2135} 2136 2137static const char * 2138fmt_multistate_int(int val, const struct multistate *m) 2139{ 2140 u_int i; 2141 2142 for (i = 0; m[i].key != NULL; i++) { 2143 if (m[i].value == val) 2144 return m[i].key; 2145 } 2146 return "UNKNOWN"; 2147} 2148 2149static const char * 2150fmt_intarg(ServerOpCodes code, int val) 2151{ 2152 if (val == -1) 2153 return "unset"; 2154 switch (code) { 2155 case sAddressFamily: 2156 return fmt_multistate_int(val, multistate_addressfamily); 2157 case sPermitRootLogin: 2158 return fmt_multistate_int(val, multistate_permitrootlogin); 2159 case sGatewayPorts: 2160 return fmt_multistate_int(val, multistate_gatewayports); 2161 case sCompression: 2162 return fmt_multistate_int(val, multistate_compression); 2163 case sUsePrivilegeSeparation: 2164 return fmt_multistate_int(val, multistate_privsep); 2165 case sAllowTcpForwarding: 2166 return fmt_multistate_int(val, multistate_tcpfwd); 2167 case sAllowStreamLocalForwarding: 2168 return fmt_multistate_int(val, multistate_tcpfwd); 2169 case sFingerprintHash: 2170 return ssh_digest_alg_name(val); 2171 case sProtocol: 2172 switch (val) { 2173 case SSH_PROTO_1: 2174 return "1"; 2175 case SSH_PROTO_2: 2176 return "2"; 2177 case (SSH_PROTO_1|SSH_PROTO_2): 2178 return "2,1"; 2179 default: 2180 return "UNKNOWN"; 2181 } 2182 default: 2183 switch (val) { 2184 case 0: 2185 return "no"; 2186 case 1: 2187 return "yes"; 2188 default: 2189 return "UNKNOWN"; 2190 } 2191 } 2192} 2193 2194static const char * 2195lookup_opcode_name(ServerOpCodes code) 2196{ 2197 u_int i; 2198 2199 for (i = 0; keywords[i].name != NULL; i++) 2200 if (keywords[i].opcode == code) 2201 return(keywords[i].name); 2202 return "UNKNOWN"; 2203} 2204 2205static void 2206dump_cfg_int(ServerOpCodes code, int val) 2207{ 2208 printf("%s %d\n", lookup_opcode_name(code), val); 2209} 2210 2211static void 2212dump_cfg_oct(ServerOpCodes code, int val) 2213{ 2214 printf("%s 0%o\n", lookup_opcode_name(code), val); 2215} 2216 2217static void 2218dump_cfg_fmtint(ServerOpCodes code, int val) 2219{ 2220 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 2221} 2222 2223static void 2224dump_cfg_string(ServerOpCodes code, const char *val) 2225{ 2226 if (val == NULL) 2227 return; 2228 printf("%s %s\n", lookup_opcode_name(code), 2229 val == NULL ? "none" : val); 2230} 2231 2232static void 2233dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 2234{ 2235 u_int i; 2236 2237 for (i = 0; i < count; i++) 2238 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 2239} 2240 2241static void 2242dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 2243{ 2244 u_int i; 2245 2246 if (count <= 0 && code != sAuthenticationMethods) 2247 return; 2248 printf("%s", lookup_opcode_name(code)); 2249 for (i = 0; i < count; i++) 2250 printf(" %s", vals[i]); 2251 if (code == sAuthenticationMethods && count == 0) 2252 printf(" any"); 2253 printf("\n"); 2254} 2255 2256void 2257dump_config(ServerOptions *o) 2258{ 2259 u_int i; 2260 int ret; 2261 struct addrinfo *ai; 2262 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 2263 char *laddr1 = xstrdup(""), *laddr2 = NULL; 2264 2265 /* these are usually at the top of the config */ 2266 for (i = 0; i < o->num_ports; i++) 2267 printf("port %d\n", o->ports[i]); 2268 dump_cfg_fmtint(sProtocol, o->protocol); 2269 dump_cfg_fmtint(sAddressFamily, o->address_family); 2270 2271 /* 2272 * ListenAddress must be after Port. add_one_listen_addr pushes 2273 * addresses onto a stack, so to maintain ordering we need to 2274 * print these in reverse order. 2275 */ 2276 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 2277 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 2278 sizeof(addr), port, sizeof(port), 2279 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 2280 error("getnameinfo failed: %.100s", 2281 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 2282 strerror(errno)); 2283 } else { 2284 laddr2 = laddr1; 2285 if (ai->ai_family == AF_INET6) 2286 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s", 2287 addr, port, laddr2); 2288 else 2289 xasprintf(&laddr1, "listenaddress %s:%s\n%s", 2290 addr, port, laddr2); 2291 free(laddr2); 2292 } 2293 } 2294 printf("%s", laddr1); 2295 free(laddr1); 2296 2297 /* integer arguments */ 2298#ifdef USE_PAM 2299 dump_cfg_fmtint(sUsePAM, o->use_pam); 2300#endif 2301 dump_cfg_int(sServerKeyBits, o->server_key_bits); 2302 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 2303 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 2304 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 2305 dump_cfg_int(sMaxAuthTries, o->max_authtries); 2306 dump_cfg_int(sMaxSessions, o->max_sessions); 2307 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 2308 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 2309 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); 2310 2311 /* formatted integer arguments */ 2312 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 2313 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 2314 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 2315 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); 2316 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 2317 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 2318 o->hostbased_uses_name_from_packet_only); 2319 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 2320 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 2321#ifdef KRB5 2322 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 2323 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 2324 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 2325# ifdef USE_AFS 2326 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 2327# endif 2328#endif 2329#ifdef GSSAPI 2330 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2331 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 2332#endif 2333 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2334 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2335 o->kbd_interactive_authentication); 2336 dump_cfg_fmtint(sChallengeResponseAuthentication, 2337 o->challenge_response_authentication); 2338 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2339#ifndef DISABLE_LASTLOG 2340 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2341#endif 2342 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2343 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2344 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2345 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); 2346 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2347 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2348 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2349 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2350 dump_cfg_fmtint(sUseLogin, o->use_login); 2351 dump_cfg_fmtint(sCompression, o->compression); 2352 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 2353 dump_cfg_fmtint(sUseDNS, o->use_dns); 2354 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 2355 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); 2356 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); 2357 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); 2358 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 2359 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); 2360 dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); 2361 2362 /* string arguments */ 2363 dump_cfg_string(sPidFile, o->pid_file); 2364 dump_cfg_string(sXAuthLocation, o->xauth_location); 2365 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); 2366 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); 2367 dump_cfg_string(sBanner, o->banner); 2368 dump_cfg_string(sForceCommand, o->adm_forced_command); 2369 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2370 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 2371 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 2372 dump_cfg_string(sAuthorizedPrincipalsFile, 2373 o->authorized_principals_file); 2374 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' 2375 ? "none" : o->version_addendum); 2376 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2377 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2378 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); 2379 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); 2380 dump_cfg_string(sHostKeyAgent, o->host_key_agent); 2381 dump_cfg_string(sKexAlgorithms, 2382 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); 2383 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? 2384 o->hostbased_key_types : KEX_DEFAULT_PK_ALG); 2385 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? 2386 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); 2387 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? 2388 o->pubkey_key_types : KEX_DEFAULT_PK_ALG); 2389 2390 /* string arguments requiring a lookup */ 2391 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2392 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 2393 2394 /* string array arguments */ 2395 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 2396 o->authorized_keys_files); 2397 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 2398 o->host_key_files); 2399 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, 2400 o->host_cert_files); 2401 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 2402 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 2403 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2404 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2405 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2406 dump_cfg_strarray_oneline(sAuthenticationMethods, 2407 o->num_auth_methods, o->auth_methods); 2408 2409 /* other arguments */ 2410 for (i = 0; i < o->num_subsystems; i++) 2411 printf("subsystem %s %s\n", o->subsystem_name[i], 2412 o->subsystem_args[i]); 2413 2414 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 2415 o->max_startups_rate, o->max_startups); 2416 2417 for (i = 0; tunmode_desc[i].val != -1; i++) 2418 if (tunmode_desc[i].val == o->permit_tun) { 2419 s = tunmode_desc[i].text; 2420 break; 2421 } 2422 dump_cfg_string(sPermitTunnel, s); 2423 2424 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2425 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2426 2427 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, 2428 o->rekey_interval); 2429 2430 channel_print_adm_permitted_opens(); 2431} 2432