servconf.c revision 98941
1/* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 12#include "includes.h" 13RCSID("$OpenBSD: servconf.c,v 1.111 2002/06/20 23:05:55 markus Exp $"); 14 15#if defined(KRB4) 16#include <krb.h> 17#endif 18#if defined(KRB5) 19#ifdef HEIMDAL 20#include <krb.h> 21#else 22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 23 * keytab */ 24#define KEYFILE "/etc/krb5.keytab" 25#endif 26#endif 27#ifdef AFS 28#include <kafs.h> 29#endif 30 31#include "ssh.h" 32#include "log.h" 33#include "servconf.h" 34#include "xmalloc.h" 35#include "compat.h" 36#include "pathnames.h" 37#include "tildexpand.h" 38#include "misc.h" 39#include "cipher.h" 40#include "kex.h" 41#include "mac.h" 42 43static void add_listen_addr(ServerOptions *, char *, u_short); 44static void add_one_listen_addr(ServerOptions *, char *, u_short); 45 46/* AF_UNSPEC or AF_INET or AF_INET6 */ 47extern int IPv4or6; 48/* Use of privilege separation or not */ 49extern int use_privsep; 50 51/* Initializes the server options to their default values. */ 52 53void 54initialize_server_options(ServerOptions *options) 55{ 56 memset(options, 0, sizeof(*options)); 57 58 /* Portable-specific options */ 59 options->pam_authentication_via_kbd_int = -1; 60 61 /* Standard Options */ 62 options->num_ports = 0; 63 options->ports_from_cmdline = 0; 64 options->listen_addrs = NULL; 65 options->num_host_key_files = 0; 66 options->pid_file = NULL; 67 options->server_key_bits = -1; 68 options->login_grace_time = -1; 69 options->key_regeneration_time = -1; 70 options->permit_root_login = PERMIT_NOT_SET; 71 options->ignore_rhosts = -1; 72 options->ignore_user_known_hosts = -1; 73 options->print_motd = -1; 74 options->print_lastlog = -1; 75 options->x11_forwarding = -1; 76 options->x11_display_offset = -1; 77 options->x11_use_localhost = -1; 78 options->xauth_location = NULL; 79 options->strict_modes = -1; 80 options->keepalives = -1; 81 options->log_facility = SYSLOG_FACILITY_NOT_SET; 82 options->log_level = SYSLOG_LEVEL_NOT_SET; 83 options->rhosts_authentication = -1; 84 options->rhosts_rsa_authentication = -1; 85 options->hostbased_authentication = -1; 86 options->hostbased_uses_name_from_packet_only = -1; 87 options->rsa_authentication = -1; 88 options->pubkey_authentication = -1; 89#if defined(KRB4) || defined(KRB5) 90 options->kerberos_authentication = -1; 91 options->kerberos_or_local_passwd = -1; 92 options->kerberos_ticket_cleanup = -1; 93#endif 94#if defined(AFS) || defined(KRB5) 95 options->kerberos_tgt_passing = -1; 96#endif 97#ifdef AFS 98 options->afs_token_passing = -1; 99#endif 100 options->password_authentication = -1; 101 options->kbd_interactive_authentication = -1; 102 options->challenge_response_authentication = -1; 103 options->permit_empty_passwd = -1; 104 options->use_login = -1; 105 options->compression = -1; 106 options->allow_tcp_forwarding = -1; 107 options->num_allow_users = 0; 108 options->num_deny_users = 0; 109 options->num_allow_groups = 0; 110 options->num_deny_groups = 0; 111 options->ciphers = NULL; 112 options->macs = NULL; 113 options->protocol = SSH_PROTO_UNKNOWN; 114 options->gateway_ports = -1; 115 options->num_subsystems = 0; 116 options->max_startups_begin = -1; 117 options->max_startups_rate = -1; 118 options->max_startups = -1; 119 options->banner = NULL; 120 options->verify_reverse_mapping = -1; 121 options->client_alive_interval = -1; 122 options->client_alive_count_max = -1; 123 options->authorized_keys_file = NULL; 124 options->authorized_keys_file2 = NULL; 125 126 /* Needs to be accessable in many places */ 127 use_privsep = -1; 128} 129 130void 131fill_default_server_options(ServerOptions *options) 132{ 133 /* Portable-specific options */ 134 if (options->pam_authentication_via_kbd_int == -1) 135 options->pam_authentication_via_kbd_int = 0; 136 137 /* Standard Options */ 138 if (options->protocol == SSH_PROTO_UNKNOWN) 139 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 140 if (options->num_host_key_files == 0) { 141 /* fill default hostkeys for protocols */ 142 if (options->protocol & SSH_PROTO_1) 143 options->host_key_files[options->num_host_key_files++] = 144 _PATH_HOST_KEY_FILE; 145 if (options->protocol & SSH_PROTO_2) { 146 options->host_key_files[options->num_host_key_files++] = 147 _PATH_HOST_RSA_KEY_FILE; 148 options->host_key_files[options->num_host_key_files++] = 149 _PATH_HOST_DSA_KEY_FILE; 150 } 151 } 152 if (options->num_ports == 0) 153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 154 if (options->listen_addrs == NULL) 155 add_listen_addr(options, NULL, 0); 156 if (options->pid_file == NULL) 157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 158 if (options->server_key_bits == -1) 159 options->server_key_bits = 768; 160 if (options->login_grace_time == -1) 161 options->login_grace_time = 600; 162 if (options->key_regeneration_time == -1) 163 options->key_regeneration_time = 3600; 164 if (options->permit_root_login == PERMIT_NOT_SET) 165 options->permit_root_login = PERMIT_YES; 166 if (options->ignore_rhosts == -1) 167 options->ignore_rhosts = 1; 168 if (options->ignore_user_known_hosts == -1) 169 options->ignore_user_known_hosts = 0; 170 if (options->print_motd == -1) 171 options->print_motd = 1; 172 if (options->print_lastlog == -1) 173 options->print_lastlog = 1; 174 if (options->x11_forwarding == -1) 175 options->x11_forwarding = 0; 176 if (options->x11_display_offset == -1) 177 options->x11_display_offset = 10; 178 if (options->x11_use_localhost == -1) 179 options->x11_use_localhost = 1; 180 if (options->xauth_location == NULL) 181 options->xauth_location = _PATH_XAUTH; 182 if (options->strict_modes == -1) 183 options->strict_modes = 1; 184 if (options->keepalives == -1) 185 options->keepalives = 1; 186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 187 options->log_facility = SYSLOG_FACILITY_AUTH; 188 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 189 options->log_level = SYSLOG_LEVEL_INFO; 190 if (options->rhosts_authentication == -1) 191 options->rhosts_authentication = 0; 192 if (options->rhosts_rsa_authentication == -1) 193 options->rhosts_rsa_authentication = 0; 194 if (options->hostbased_authentication == -1) 195 options->hostbased_authentication = 0; 196 if (options->hostbased_uses_name_from_packet_only == -1) 197 options->hostbased_uses_name_from_packet_only = 0; 198 if (options->rsa_authentication == -1) 199 options->rsa_authentication = 1; 200 if (options->pubkey_authentication == -1) 201 options->pubkey_authentication = 1; 202#if defined(KRB4) || defined(KRB5) 203 if (options->kerberos_authentication == -1) 204 options->kerberos_authentication = 0; 205 if (options->kerberos_or_local_passwd == -1) 206 options->kerberos_or_local_passwd = 1; 207 if (options->kerberos_ticket_cleanup == -1) 208 options->kerberos_ticket_cleanup = 1; 209#endif 210#if defined(AFS) || defined(KRB5) 211 if (options->kerberos_tgt_passing == -1) 212 options->kerberos_tgt_passing = 0; 213#endif 214#ifdef AFS 215 if (options->afs_token_passing == -1) 216 options->afs_token_passing = 0; 217#endif 218 if (options->password_authentication == -1) 219 options->password_authentication = 1; 220 if (options->kbd_interactive_authentication == -1) 221 options->kbd_interactive_authentication = 0; 222 if (options->challenge_response_authentication == -1) 223 options->challenge_response_authentication = 1; 224 if (options->permit_empty_passwd == -1) 225 options->permit_empty_passwd = 0; 226 if (options->use_login == -1) 227 options->use_login = 0; 228 if (options->compression == -1) 229 options->compression = 1; 230 if (options->allow_tcp_forwarding == -1) 231 options->allow_tcp_forwarding = 1; 232 if (options->gateway_ports == -1) 233 options->gateway_ports = 0; 234 if (options->max_startups == -1) 235 options->max_startups = 10; 236 if (options->max_startups_rate == -1) 237 options->max_startups_rate = 100; /* 100% */ 238 if (options->max_startups_begin == -1) 239 options->max_startups_begin = options->max_startups; 240 if (options->verify_reverse_mapping == -1) 241 options->verify_reverse_mapping = 0; 242 if (options->client_alive_interval == -1) 243 options->client_alive_interval = 0; 244 if (options->client_alive_count_max == -1) 245 options->client_alive_count_max = 3; 246 if (options->authorized_keys_file2 == NULL) { 247 /* authorized_keys_file2 falls back to authorized_keys_file */ 248 if (options->authorized_keys_file != NULL) 249 options->authorized_keys_file2 = options->authorized_keys_file; 250 else 251 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 252 } 253 if (options->authorized_keys_file == NULL) 254 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 255 256 /* Turn privilege separation on by default */ 257 if (use_privsep == -1) 258 use_privsep = 1; 259 260#if !defined(HAVE_MMAP) || !defined(MAP_ANON) 261 if (use_privsep && options->compression == 1) { 262 error("This platform does not support both privilege " 263 "separation and compression"); 264 error("Compression disabled"); 265 options->compression = 0; 266 } 267#endif 268 269} 270 271/* Keyword tokens. */ 272typedef enum { 273 sBadOption, /* == unknown option */ 274 /* Portable-specific options */ 275 sPAMAuthenticationViaKbdInt, 276 /* Standard Options */ 277 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 278 sPermitRootLogin, sLogFacility, sLogLevel, 279 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 280#if defined(KRB4) || defined(KRB5) 281 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 282#endif 283#if defined(AFS) || defined(KRB5) 284 sKerberosTgtPassing, 285#endif 286#ifdef AFS 287 sAFSTokenPassing, 288#endif 289 sChallengeResponseAuthentication, 290 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 291 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 292 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 293 sStrictModes, sEmptyPasswd, sKeepAlives, 294 sUseLogin, sAllowTcpForwarding, sCompression, 295 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 296 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 297 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 298 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 299 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 300 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 301 sUsePrivilegeSeparation, 302 sDeprecated 303} ServerOpCodes; 304 305/* Textual representation of the tokens. */ 306static struct { 307 const char *name; 308 ServerOpCodes opcode; 309} keywords[] = { 310 /* Portable-specific options */ 311 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, 312 /* Standard Options */ 313 { "port", sPort }, 314 { "hostkey", sHostKeyFile }, 315 { "hostdsakey", sHostKeyFile }, /* alias */ 316 { "pidfile", sPidFile }, 317 { "serverkeybits", sServerKeyBits }, 318 { "logingracetime", sLoginGraceTime }, 319 { "keyregenerationinterval", sKeyRegenerationTime }, 320 { "permitrootlogin", sPermitRootLogin }, 321 { "syslogfacility", sLogFacility }, 322 { "loglevel", sLogLevel }, 323 { "rhostsauthentication", sRhostsAuthentication }, 324 { "rhostsrsaauthentication", sRhostsRSAAuthentication }, 325 { "hostbasedauthentication", sHostbasedAuthentication }, 326 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 327 { "rsaauthentication", sRSAAuthentication }, 328 { "pubkeyauthentication", sPubkeyAuthentication }, 329 { "dsaauthentication", sPubkeyAuthentication }, /* alias */ 330#if defined(KRB4) || defined(KRB5) 331 { "kerberosauthentication", sKerberosAuthentication }, 332 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 333 { "kerberosticketcleanup", sKerberosTicketCleanup }, 334#endif 335#if defined(AFS) || defined(KRB5) 336 { "kerberostgtpassing", sKerberosTgtPassing }, 337#endif 338#ifdef AFS 339 { "afstokenpassing", sAFSTokenPassing }, 340#endif 341 { "passwordauthentication", sPasswordAuthentication }, 342 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, 343 { "challengeresponseauthentication", sChallengeResponseAuthentication }, 344 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ 345 { "checkmail", sDeprecated }, 346 { "listenaddress", sListenAddress }, 347 { "printmotd", sPrintMotd }, 348 { "printlastlog", sPrintLastLog }, 349 { "ignorerhosts", sIgnoreRhosts }, 350 { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, 351 { "x11forwarding", sX11Forwarding }, 352 { "x11displayoffset", sX11DisplayOffset }, 353 { "x11uselocalhost", sX11UseLocalhost }, 354 { "xauthlocation", sXAuthLocation }, 355 { "strictmodes", sStrictModes }, 356 { "permitemptypasswords", sEmptyPasswd }, 357 { "uselogin", sUseLogin }, 358 { "compression", sCompression }, 359 { "keepalive", sKeepAlives }, 360 { "allowtcpforwarding", sAllowTcpForwarding }, 361 { "allowusers", sAllowUsers }, 362 { "denyusers", sDenyUsers }, 363 { "allowgroups", sAllowGroups }, 364 { "denygroups", sDenyGroups }, 365 { "ciphers", sCiphers }, 366 { "macs", sMacs }, 367 { "protocol", sProtocol }, 368 { "gatewayports", sGatewayPorts }, 369 { "subsystem", sSubsystem }, 370 { "maxstartups", sMaxStartups }, 371 { "banner", sBanner }, 372 { "verifyreversemapping", sVerifyReverseMapping }, 373 { "reversemappingcheck", sVerifyReverseMapping }, 374 { "clientaliveinterval", sClientAliveInterval }, 375 { "clientalivecountmax", sClientAliveCountMax }, 376 { "authorizedkeysfile", sAuthorizedKeysFile }, 377 { "authorizedkeysfile2", sAuthorizedKeysFile2 }, 378 { "useprivilegeseparation", sUsePrivilegeSeparation}, 379 { NULL, sBadOption } 380}; 381 382/* 383 * Returns the number of the token pointed to by cp or sBadOption. 384 */ 385 386static ServerOpCodes 387parse_token(const char *cp, const char *filename, 388 int linenum) 389{ 390 u_int i; 391 392 for (i = 0; keywords[i].name; i++) 393 if (strcasecmp(cp, keywords[i].name) == 0) 394 return keywords[i].opcode; 395 396 error("%s: line %d: Bad configuration option: %s", 397 filename, linenum, cp); 398 return sBadOption; 399} 400 401static void 402add_listen_addr(ServerOptions *options, char *addr, u_short port) 403{ 404 int i; 405 406 if (options->num_ports == 0) 407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 408 if (port == 0) 409 for (i = 0; i < options->num_ports; i++) 410 add_one_listen_addr(options, addr, options->ports[i]); 411 else 412 add_one_listen_addr(options, addr, port); 413} 414 415static void 416add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 417{ 418 struct addrinfo hints, *ai, *aitop; 419 char strport[NI_MAXSERV]; 420 int gaierr; 421 422 memset(&hints, 0, sizeof(hints)); 423 hints.ai_family = IPv4or6; 424 hints.ai_socktype = SOCK_STREAM; 425 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 426 snprintf(strport, sizeof strport, "%d", port); 427 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 428 fatal("bad addr or host: %s (%s)", 429 addr ? addr : "<NULL>", 430 gai_strerror(gaierr)); 431 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 432 ; 433 ai->ai_next = options->listen_addrs; 434 options->listen_addrs = aitop; 435} 436 437int 438process_server_config_line(ServerOptions *options, char *line, 439 const char *filename, int linenum) 440{ 441 char *cp, **charptr, *arg, *p; 442 int *intptr, value; 443 ServerOpCodes opcode; 444 int i, n; 445 446 cp = line; 447 arg = strdelim(&cp); 448 /* Ignore leading whitespace */ 449 if (*arg == '\0') 450 arg = strdelim(&cp); 451 if (!arg || !*arg || *arg == '#') 452 return 0; 453 intptr = NULL; 454 charptr = NULL; 455 opcode = parse_token(arg, filename, linenum); 456 switch (opcode) { 457 /* Portable-specific options */ 458 case sPAMAuthenticationViaKbdInt: 459 intptr = &options->pam_authentication_via_kbd_int; 460 goto parse_flag; 461 462 /* Standard Options */ 463 case sBadOption: 464 return -1; 465 case sPort: 466 /* ignore ports from configfile if cmdline specifies ports */ 467 if (options->ports_from_cmdline) 468 return 0; 469 if (options->listen_addrs != NULL) 470 fatal("%s line %d: ports must be specified before " 471 "ListenAddress.", filename, linenum); 472 if (options->num_ports >= MAX_PORTS) 473 fatal("%s line %d: too many ports.", 474 filename, linenum); 475 arg = strdelim(&cp); 476 if (!arg || *arg == '\0') 477 fatal("%s line %d: missing port number.", 478 filename, linenum); 479 options->ports[options->num_ports++] = a2port(arg); 480 if (options->ports[options->num_ports-1] == 0) 481 fatal("%s line %d: Badly formatted port number.", 482 filename, linenum); 483 break; 484 485 case sServerKeyBits: 486 intptr = &options->server_key_bits; 487parse_int: 488 arg = strdelim(&cp); 489 if (!arg || *arg == '\0') 490 fatal("%s line %d: missing integer value.", 491 filename, linenum); 492 value = atoi(arg); 493 if (*intptr == -1) 494 *intptr = value; 495 break; 496 497 case sLoginGraceTime: 498 intptr = &options->login_grace_time; 499parse_time: 500 arg = strdelim(&cp); 501 if (!arg || *arg == '\0') 502 fatal("%s line %d: missing time value.", 503 filename, linenum); 504 if ((value = convtime(arg)) == -1) 505 fatal("%s line %d: invalid time value.", 506 filename, linenum); 507 if (*intptr == -1) 508 *intptr = value; 509 break; 510 511 case sKeyRegenerationTime: 512 intptr = &options->key_regeneration_time; 513 goto parse_time; 514 515 case sListenAddress: 516 arg = strdelim(&cp); 517 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 518 fatal("%s line %d: missing inet addr.", 519 filename, linenum); 520 if (*arg == '[') { 521 if ((p = strchr(arg, ']')) == NULL) 522 fatal("%s line %d: bad ipv6 inet addr usage.", 523 filename, linenum); 524 arg++; 525 memmove(p, p+1, strlen(p+1)+1); 526 } else if (((p = strchr(arg, ':')) == NULL) || 527 (strchr(p+1, ':') != NULL)) { 528 add_listen_addr(options, arg, 0); 529 break; 530 } 531 if (*p == ':') { 532 u_short port; 533 534 p++; 535 if (*p == '\0') 536 fatal("%s line %d: bad inet addr:port usage.", 537 filename, linenum); 538 else { 539 *(p-1) = '\0'; 540 if ((port = a2port(p)) == 0) 541 fatal("%s line %d: bad port number.", 542 filename, linenum); 543 add_listen_addr(options, arg, port); 544 } 545 } else if (*p == '\0') 546 add_listen_addr(options, arg, 0); 547 else 548 fatal("%s line %d: bad inet addr usage.", 549 filename, linenum); 550 break; 551 552 case sHostKeyFile: 553 intptr = &options->num_host_key_files; 554 if (*intptr >= MAX_HOSTKEYS) 555 fatal("%s line %d: too many host keys specified (max %d).", 556 filename, linenum, MAX_HOSTKEYS); 557 charptr = &options->host_key_files[*intptr]; 558parse_filename: 559 arg = strdelim(&cp); 560 if (!arg || *arg == '\0') 561 fatal("%s line %d: missing file name.", 562 filename, linenum); 563 if (*charptr == NULL) { 564 *charptr = tilde_expand_filename(arg, getuid()); 565 /* increase optional counter */ 566 if (intptr != NULL) 567 *intptr = *intptr + 1; 568 } 569 break; 570 571 case sPidFile: 572 charptr = &options->pid_file; 573 goto parse_filename; 574 575 case sPermitRootLogin: 576 intptr = &options->permit_root_login; 577 arg = strdelim(&cp); 578 if (!arg || *arg == '\0') 579 fatal("%s line %d: missing yes/" 580 "without-password/forced-commands-only/no " 581 "argument.", filename, linenum); 582 value = 0; /* silence compiler */ 583 if (strcmp(arg, "without-password") == 0) 584 value = PERMIT_NO_PASSWD; 585 else if (strcmp(arg, "forced-commands-only") == 0) 586 value = PERMIT_FORCED_ONLY; 587 else if (strcmp(arg, "yes") == 0) 588 value = PERMIT_YES; 589 else if (strcmp(arg, "no") == 0) 590 value = PERMIT_NO; 591 else 592 fatal("%s line %d: Bad yes/" 593 "without-password/forced-commands-only/no " 594 "argument: %s", filename, linenum, arg); 595 if (*intptr == -1) 596 *intptr = value; 597 break; 598 599 case sIgnoreRhosts: 600 intptr = &options->ignore_rhosts; 601parse_flag: 602 arg = strdelim(&cp); 603 if (!arg || *arg == '\0') 604 fatal("%s line %d: missing yes/no argument.", 605 filename, linenum); 606 value = 0; /* silence compiler */ 607 if (strcmp(arg, "yes") == 0) 608 value = 1; 609 else if (strcmp(arg, "no") == 0) 610 value = 0; 611 else 612 fatal("%s line %d: Bad yes/no argument: %s", 613 filename, linenum, arg); 614 if (*intptr == -1) 615 *intptr = value; 616 break; 617 618 case sIgnoreUserKnownHosts: 619 intptr = &options->ignore_user_known_hosts; 620 goto parse_flag; 621 622 case sRhostsAuthentication: 623 intptr = &options->rhosts_authentication; 624 goto parse_flag; 625 626 case sRhostsRSAAuthentication: 627 intptr = &options->rhosts_rsa_authentication; 628 goto parse_flag; 629 630 case sHostbasedAuthentication: 631 intptr = &options->hostbased_authentication; 632 goto parse_flag; 633 634 case sHostbasedUsesNameFromPacketOnly: 635 intptr = &options->hostbased_uses_name_from_packet_only; 636 goto parse_flag; 637 638 case sRSAAuthentication: 639 intptr = &options->rsa_authentication; 640 goto parse_flag; 641 642 case sPubkeyAuthentication: 643 intptr = &options->pubkey_authentication; 644 goto parse_flag; 645#if defined(KRB4) || defined(KRB5) 646 case sKerberosAuthentication: 647 intptr = &options->kerberos_authentication; 648 goto parse_flag; 649 650 case sKerberosOrLocalPasswd: 651 intptr = &options->kerberos_or_local_passwd; 652 goto parse_flag; 653 654 case sKerberosTicketCleanup: 655 intptr = &options->kerberos_ticket_cleanup; 656 goto parse_flag; 657#endif 658#if defined(AFS) || defined(KRB5) 659 case sKerberosTgtPassing: 660 intptr = &options->kerberos_tgt_passing; 661 goto parse_flag; 662#endif 663#ifdef AFS 664 case sAFSTokenPassing: 665 intptr = &options->afs_token_passing; 666 goto parse_flag; 667#endif 668 669 case sPasswordAuthentication: 670 intptr = &options->password_authentication; 671 goto parse_flag; 672 673 case sKbdInteractiveAuthentication: 674 intptr = &options->kbd_interactive_authentication; 675 goto parse_flag; 676 677 case sChallengeResponseAuthentication: 678 intptr = &options->challenge_response_authentication; 679 goto parse_flag; 680 681 case sPrintMotd: 682 intptr = &options->print_motd; 683 goto parse_flag; 684 685 case sPrintLastLog: 686 intptr = &options->print_lastlog; 687 goto parse_flag; 688 689 case sX11Forwarding: 690 intptr = &options->x11_forwarding; 691 goto parse_flag; 692 693 case sX11DisplayOffset: 694 intptr = &options->x11_display_offset; 695 goto parse_int; 696 697 case sX11UseLocalhost: 698 intptr = &options->x11_use_localhost; 699 goto parse_flag; 700 701 case sXAuthLocation: 702 charptr = &options->xauth_location; 703 goto parse_filename; 704 705 case sStrictModes: 706 intptr = &options->strict_modes; 707 goto parse_flag; 708 709 case sKeepAlives: 710 intptr = &options->keepalives; 711 goto parse_flag; 712 713 case sEmptyPasswd: 714 intptr = &options->permit_empty_passwd; 715 goto parse_flag; 716 717 case sUseLogin: 718 intptr = &options->use_login; 719 goto parse_flag; 720 721 case sCompression: 722 intptr = &options->compression; 723 goto parse_flag; 724 725 case sGatewayPorts: 726 intptr = &options->gateway_ports; 727 goto parse_flag; 728 729 case sVerifyReverseMapping: 730 intptr = &options->verify_reverse_mapping; 731 goto parse_flag; 732 733 case sLogFacility: 734 intptr = (int *) &options->log_facility; 735 arg = strdelim(&cp); 736 value = log_facility_number(arg); 737 if (value == SYSLOG_FACILITY_NOT_SET) 738 fatal("%.200s line %d: unsupported log facility '%s'", 739 filename, linenum, arg ? arg : "<NONE>"); 740 if (*intptr == -1) 741 *intptr = (SyslogFacility) value; 742 break; 743 744 case sLogLevel: 745 intptr = (int *) &options->log_level; 746 arg = strdelim(&cp); 747 value = log_level_number(arg); 748 if (value == SYSLOG_LEVEL_NOT_SET) 749 fatal("%.200s line %d: unsupported log level '%s'", 750 filename, linenum, arg ? arg : "<NONE>"); 751 if (*intptr == -1) 752 *intptr = (LogLevel) value; 753 break; 754 755 case sAllowTcpForwarding: 756 intptr = &options->allow_tcp_forwarding; 757 goto parse_flag; 758 759 case sUsePrivilegeSeparation: 760 intptr = &use_privsep; 761 goto parse_flag; 762 763 case sAllowUsers: 764 while ((arg = strdelim(&cp)) && *arg != '\0') { 765 if (options->num_allow_users >= MAX_ALLOW_USERS) 766 fatal("%s line %d: too many allow users.", 767 filename, linenum); 768 options->allow_users[options->num_allow_users++] = xstrdup(arg); 769 } 770 break; 771 772 case sDenyUsers: 773 while ((arg = strdelim(&cp)) && *arg != '\0') { 774 if (options->num_deny_users >= MAX_DENY_USERS) 775 fatal( "%s line %d: too many deny users.", 776 filename, linenum); 777 options->deny_users[options->num_deny_users++] = xstrdup(arg); 778 } 779 break; 780 781 case sAllowGroups: 782 while ((arg = strdelim(&cp)) && *arg != '\0') { 783 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 784 fatal("%s line %d: too many allow groups.", 785 filename, linenum); 786 options->allow_groups[options->num_allow_groups++] = xstrdup(arg); 787 } 788 break; 789 790 case sDenyGroups: 791 while ((arg = strdelim(&cp)) && *arg != '\0') { 792 if (options->num_deny_groups >= MAX_DENY_GROUPS) 793 fatal("%s line %d: too many deny groups.", 794 filename, linenum); 795 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 796 } 797 break; 798 799 case sCiphers: 800 arg = strdelim(&cp); 801 if (!arg || *arg == '\0') 802 fatal("%s line %d: Missing argument.", filename, linenum); 803 if (!ciphers_valid(arg)) 804 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 805 filename, linenum, arg ? arg : "<NONE>"); 806 if (options->ciphers == NULL) 807 options->ciphers = xstrdup(arg); 808 break; 809 810 case sMacs: 811 arg = strdelim(&cp); 812 if (!arg || *arg == '\0') 813 fatal("%s line %d: Missing argument.", filename, linenum); 814 if (!mac_valid(arg)) 815 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 816 filename, linenum, arg ? arg : "<NONE>"); 817 if (options->macs == NULL) 818 options->macs = xstrdup(arg); 819 break; 820 821 case sProtocol: 822 intptr = &options->protocol; 823 arg = strdelim(&cp); 824 if (!arg || *arg == '\0') 825 fatal("%s line %d: Missing argument.", filename, linenum); 826 value = proto_spec(arg); 827 if (value == SSH_PROTO_UNKNOWN) 828 fatal("%s line %d: Bad protocol spec '%s'.", 829 filename, linenum, arg ? arg : "<NONE>"); 830 if (*intptr == SSH_PROTO_UNKNOWN) 831 *intptr = value; 832 break; 833 834 case sSubsystem: 835 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 836 fatal("%s line %d: too many subsystems defined.", 837 filename, linenum); 838 } 839 arg = strdelim(&cp); 840 if (!arg || *arg == '\0') 841 fatal("%s line %d: Missing subsystem name.", 842 filename, linenum); 843 for (i = 0; i < options->num_subsystems; i++) 844 if (strcmp(arg, options->subsystem_name[i]) == 0) 845 fatal("%s line %d: Subsystem '%s' already defined.", 846 filename, linenum, arg); 847 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 848 arg = strdelim(&cp); 849 if (!arg || *arg == '\0') 850 fatal("%s line %d: Missing subsystem command.", 851 filename, linenum); 852 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 853 options->num_subsystems++; 854 break; 855 856 case sMaxStartups: 857 arg = strdelim(&cp); 858 if (!arg || *arg == '\0') 859 fatal("%s line %d: Missing MaxStartups spec.", 860 filename, linenum); 861 if ((n = sscanf(arg, "%d:%d:%d", 862 &options->max_startups_begin, 863 &options->max_startups_rate, 864 &options->max_startups)) == 3) { 865 if (options->max_startups_begin > 866 options->max_startups || 867 options->max_startups_rate > 100 || 868 options->max_startups_rate < 1) 869 fatal("%s line %d: Illegal MaxStartups spec.", 870 filename, linenum); 871 } else if (n != 1) 872 fatal("%s line %d: Illegal MaxStartups spec.", 873 filename, linenum); 874 else 875 options->max_startups = options->max_startups_begin; 876 break; 877 878 case sBanner: 879 charptr = &options->banner; 880 goto parse_filename; 881 /* 882 * These options can contain %X options expanded at 883 * connect time, so that you can specify paths like: 884 * 885 * AuthorizedKeysFile /etc/ssh_keys/%u 886 */ 887 case sAuthorizedKeysFile: 888 case sAuthorizedKeysFile2: 889 charptr = (opcode == sAuthorizedKeysFile ) ? 890 &options->authorized_keys_file : 891 &options->authorized_keys_file2; 892 goto parse_filename; 893 894 case sClientAliveInterval: 895 intptr = &options->client_alive_interval; 896 goto parse_time; 897 898 case sClientAliveCountMax: 899 intptr = &options->client_alive_count_max; 900 goto parse_int; 901 902 case sDeprecated: 903 log("%s line %d: Deprecated option %s", 904 filename, linenum, arg); 905 while (arg) 906 arg = strdelim(&cp); 907 break; 908 909 default: 910 fatal("%s line %d: Missing handler for opcode %s (%d)", 911 filename, linenum, arg, opcode); 912 } 913 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 914 fatal("%s line %d: garbage at end of line; \"%.200s\".", 915 filename, linenum, arg); 916 return 0; 917} 918 919/* Reads the server configuration file. */ 920 921void 922read_server_config(ServerOptions *options, const char *filename) 923{ 924 FILE *f; 925 char line[1024]; 926 int linenum; 927 int bad_options = 0; 928 929 f = fopen(filename, "r"); 930 if (!f) { 931 perror(filename); 932 exit(1); 933 } 934 linenum = 0; 935 while (fgets(line, sizeof(line), f)) { 936 /* Update line number counter. */ 937 linenum++; 938 if (process_server_config_line(options, line, filename, linenum) != 0) 939 bad_options++; 940 } 941 fclose(f); 942 if (bad_options > 0) 943 fatal("%s: terminating, %d bad configuration options", 944 filename, bad_options); 945} 946