1 /* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
38 #include "pathnames.h"
51 /* Format of the configuration file:
53 # Configuration data is parsed as follows:
54 # 1. command line options
55 # 2. user-specific file
57 # Any configuration value is only changed the first time it is set.
58 # Thus, host-specific definitions should be at the beginning of the
59 # configuration file, and defaults at the end.
61 # Host-specific declarations. These may override anything above. A single
62 # host may match multiple declarations; these are processed in the order
63 # that they are given in.
69 HostName another.host.name.real.org
76 RemoteForward 9999 shadows.cs.hut.fi:9999
82 PasswordAuthentication no
86 ProxyCommand ssh-proxy %h %p
89 PublicKeyAuthentication no
93 PasswordAuthentication no
99 # Defaults for various options
103 PasswordAuthentication yes
104 RSAAuthentication yes
105 RhostsRSAAuthentication yes
106 StrictHostKeyChecking yes
108 IdentityFile ~/.ssh/identity
114 /* Keyword tokens. */
118 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
119 oGatewayPorts, oExitOnForwardFailure,
120 oPasswordAuthentication, oRSAAuthentication,
121 oChallengeResponseAuthentication, oXAuthLocation,
122 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
123 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
124 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
125 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
126 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
127 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
128 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
129 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
130 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
131 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
132 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
133 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
134 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
135 oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
136 oGssServerIdentity, oGssPasswordPrompt, oGssMechanismOid,
137 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
138 oSendEnv, oControlPath, oControlMaster, oControlPersist,
140 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
141 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
142 oKexAlgorithms, oIPQoS, oRequestTTY,
143 oDeprecated, oUnsupported
146 /* Textual representations of the tokens. */
152 { "forwardagent", oForwardAgent },
153 { "forwardx11", oForwardX11 },
154 { "forwardx11trusted", oForwardX11Trusted },
155 { "forwardx11timeout", oForwardX11Timeout },
156 { "exitonforwardfailure", oExitOnForwardFailure },
157 { "xauthlocation", oXAuthLocation },
158 { "gatewayports", oGatewayPorts },
159 { "useprivilegedport", oUsePrivilegedPort },
160 { "rhostsauthentication", oDeprecated },
161 { "passwordauthentication", oPasswordAuthentication },
162 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
163 { "kbdinteractivedevices", oKbdInteractiveDevices },
164 { "rsaauthentication", oRSAAuthentication },
165 { "pubkeyauthentication", oPubkeyAuthentication },
166 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
167 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
168 { "hostbasedauthentication", oHostbasedAuthentication },
169 { "challengeresponseauthentication", oChallengeResponseAuthentication },
170 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
171 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
172 { "kerberosauthentication", oUnsupported },
173 { "kerberostgtpassing", oUnsupported },
174 { "afstokenpassing", oUnsupported },
176 { "gssapiauthentication", oGssAuthentication },
177 { "gssapikeyexchange", oGssKeyEx },
178 { "gssapidelegatecredentials", oGssDelegateCreds },
179 { "gssapitrustdns", oGssTrustDns },
180 { "gssapiclientidentity", oGssClientIdentity },
181 { "gssapiserveridentity", oGssServerIdentity },
182 { "gssapirenewalforcesrekey", oGssRenewalRekey },
183 { "gssapipasswordprompt", oGssPasswordPrompt },
184 { "gssapimechanismoid", oGssMechanismOid },
186 { "gssapiauthentication", oUnsupported },
187 { "gssapikeyexchange", oUnsupported },
188 { "gssapidelegatecredentials", oUnsupported },
189 { "gssapitrustdns", oUnsupported },
190 { "gssapiclientidentity", oUnsupported },
191 { "gssapirenewalforcesrekey", oUnsupported },
192 { "gssapipasswordprompt", oUnsupported },
193 { "gssapimechanismoid", oUnsupported },
195 { "fallbacktorsh", oDeprecated },
196 { "usersh", oDeprecated },
197 { "identityfile", oIdentityFile },
198 { "identityfile2", oIdentityFile }, /* obsolete */
199 { "identitiesonly", oIdentitiesOnly },
200 { "hostname", oHostName },
201 { "hostkeyalias", oHostKeyAlias },
202 { "proxycommand", oProxyCommand },
204 { "cipher", oCipher },
205 { "ciphers", oCiphers },
207 { "protocol", oProtocol },
208 { "remoteforward", oRemoteForward },
209 { "localforward", oLocalForward },
212 { "escapechar", oEscapeChar },
213 { "globalknownhostsfile", oGlobalKnownHostsFile },
214 { "globalknownhostsfile2", oDeprecated },
215 { "userknownhostsfile", oUserKnownHostsFile },
216 { "userknownhostsfile2", oDeprecated },
217 { "connectionattempts", oConnectionAttempts },
218 { "batchmode", oBatchMode },
219 { "checkhostip", oCheckHostIP },
220 { "stricthostkeychecking", oStrictHostKeyChecking },
221 { "compression", oCompression },
222 { "compressionlevel", oCompressionLevel },
223 { "tcpkeepalive", oTCPKeepAlive },
224 { "keepalive", oTCPKeepAlive }, /* obsolete */
225 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
226 { "loglevel", oLogLevel },
227 { "dynamicforward", oDynamicForward },
228 { "preferredauthentications", oPreferredAuthentications },
229 { "hostkeyalgorithms", oHostKeyAlgorithms },
230 { "bindaddress", oBindAddress },
232 { "smartcarddevice", oPKCS11Provider },
233 { "pkcs11provider", oPKCS11Provider },
235 { "smartcarddevice", oUnsupported },
236 { "pkcs11provider", oUnsupported },
238 { "clearallforwardings", oClearAllForwardings },
239 { "enablesshkeysign", oEnableSSHKeysign },
240 { "verifyhostkeydns", oVerifyHostKeyDNS },
241 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
242 { "rekeylimit", oRekeyLimit },
243 { "connecttimeout", oConnectTimeout },
244 { "addressfamily", oAddressFamily },
245 { "serveraliveinterval", oServerAliveInterval },
246 { "serveralivecountmax", oServerAliveCountMax },
247 { "sendenv", oSendEnv },
248 { "controlpath", oControlPath },
249 { "controlmaster", oControlMaster },
250 { "controlpersist", oControlPersist },
251 { "hashknownhosts", oHashKnownHosts },
252 { "tunnel", oTunnel },
253 { "tunneldevice", oTunnelDevice },
254 { "localcommand", oLocalCommand },
255 { "permitlocalcommand", oPermitLocalCommand },
256 { "visualhostkey", oVisualHostKey },
257 { "useroaming", oUseRoaming },
259 { "zeroknowledgepasswordauthentication",
260 oZeroKnowledgePasswordAuthentication },
262 { "zeroknowledgepasswordauthentication", oUnsupported },
264 { "kexalgorithms", oKexAlgorithms },
266 { "requesttty", oRequestTTY },
273 mechanism_oid(const char *arg);
277 * Adds a local TCP/IP port forward to options. Never returns if there is an
282 add_local_forward(Options *options, const Forward *newfwd)
/*
 * Appends a copy of *newfwd to options->local_forwards, growing the array by
 * one element with xrealloc.  The host strings are taken over by pointer
 * copy (not duplicated); clear_forwardings() later frees them, so the caller
 * must not free them itself.  Calls fatal() rather than returning on error.
 */
285 #ifndef NO_IPPORT_RESERVED_CONCEPT
286 extern uid_t original_real_uid;
/*
 * Refuse to listen on a privileged port unless the process was started by
 * root.  The comparison is against the saved original_real_uid, not the
 * current effective uid, so a setuid ssh binary does not widen this check.
 */
287 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
288 fatal("Privileged ports can only be forwarded by root.");
290 options->local_forwards = xrealloc(options->local_forwards,
291 options->num_local_forwards + 1,
292 sizeof(*options->local_forwards));
293 fwd = &options->local_forwards[options->num_local_forwards++];
/* Shallow copy: listen_host/connect_host now alias newfwd's buffers. */
295 fwd->listen_host = newfwd->listen_host;
296 fwd->listen_port = newfwd->listen_port;
297 fwd->connect_host = newfwd->connect_host;
298 fwd->connect_port = newfwd->connect_port;
302 * Adds a remote TCP/IP port forward to options. Never returns if there is
307 add_remote_forward(Options *options, const Forward *newfwd)
/*
 * Appends a copy of *newfwd to options->remote_forwards, growing the array by
 * one element with xrealloc.  As in add_local_forward, the host strings are
 * aliased rather than duplicated and are released by clear_forwardings().
 * There is no IPPORT_RESERVED check on this path: the listening side is the
 * remote server, so the local uid is not what governs the bind.
 */
311 options->remote_forwards = xrealloc(options->remote_forwards,
312 options->num_remote_forwards + 1,
313 sizeof(*options->remote_forwards));
314 fwd = &options->remote_forwards[options->num_remote_forwards++];
316 fwd->listen_host = newfwd->listen_host;
317 fwd->listen_port = newfwd->listen_port;
318 fwd->connect_host = newfwd->connect_host;
319 fwd->connect_port = newfwd->connect_port;
/*
 * Cleared here; presumably filled in later from the server's reply when the
 * requested listen_port was 0 -- not set anywhere in this function.
 */
320 fwd->allocated_port = 0;
324 clear_forwardings(Options *options)
/*
 * Releases every local and remote forwarding recorded so far (the host
 * strings owned by each Forward plus the arrays themselves), resets the
 * counters to zero and disables tunnelling.  Triggered by the
 * ClearAllForwardings option so that command-line or earlier Host-block
 * forwardings can be discarded by a later configuration source.
 */
328 for (i = 0; i < options->num_local_forwards; i++) {
/* listen_host may legitimately be NULL (bind to all/default); connect_host
 * is always expected to be set and is freed unconditionally. */
329 if (options->local_forwards[i].listen_host != NULL)
330 xfree(options->local_forwards[i].listen_host);
331 xfree(options->local_forwards[i].connect_host);
/* Only free the array when something was ever added; the pointer is
 * NULLed so a later xrealloc starts from scratch. */
333 if (options->num_local_forwards > 0) {
334 xfree(options->local_forwards);
335 options->local_forwards = NULL;
337 options->num_local_forwards = 0;
338 for (i = 0; i < options->num_remote_forwards; i++) {
339 if (options->remote_forwards[i].listen_host != NULL)
340 xfree(options->remote_forwards[i].listen_host);
341 xfree(options->remote_forwards[i].connect_host);
343 if (options->num_remote_forwards > 0) {
344 xfree(options->remote_forwards);
345 options->remote_forwards = NULL;
347 options->num_remote_forwards = 0;
/* Tunnel requests count as forwardings too and are cleared with them. */
348 options->tun_open = SSH_TUNMODE_NO;
352 * Returns the number of the token pointed to by cp or oBadOption.
356 parse_token(const char *cp, const char *filename, int linenum)
/*
 * Maps a keyword string to its opcode by a linear, case-insensitive scan of
 * the keywords[] table, which is terminated by an entry with a NULL name.
 * The first matching entry wins; the table contains duplicate names
 * (e.g. the gssapi* and pkcs11provider rows), presumably selected by
 * preprocessor conditionals that are not shown in this listing.
 * filename/linenum are used only for the diagnostic on an unknown keyword,
 * which is logged with error() and reported to the caller as oBadOption.
 */
360 for (i = 0; keywords[i].name; i++)
361 if (strcasecmp(cp, keywords[i].name) == 0)
362 return keywords[i].opcode;
364 error("%s: line %d: Bad configuration option: %s",
365 filename, linenum, cp);
370 * Processes a single option line as used in the configuration files. This
371 * only sets those values that have not already been set.
373 #define WHITESPACE " \t\r\n"
376 process_config_line(Options *options, const char *host,
377 char *line, const char *filename, int linenum,
/*
 * Parses one configuration line (from a config file or a command-line -o
 * option) and stores the value in *options if it is still unset.
 *
 * options   - option set being filled; fields start at the sentinels set by
 *             initialize_options (-1 / NULL / 0 / *_UNKNOWN / *_NOT_SET).
 * host      - the host being connected to, matched against Host patterns.
 * line      - the line to parse; it is modified in place by strdelim().
 * filename, linenum - used only for diagnostics.
 * activep   - points to the "inside a matching Host block" flag.  Values are
 *             validated (fatal() on a malformed argument) regardless of the
 *             flag, but they are only stored when *activep is non-zero and
 *             the target field still holds its sentinel, so the first
 *             definition of an option wins.
 *
 * Returns 0 on success; a non-zero return is counted by read_config_file as
 * a bad option.  Most argument errors do not return at all but call fatal().
 */
380 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
381 char **cpptr, fwdarg[256];
382 u_int *uintptr, max_entries = 0;
383 int negated, opcode, *intptr, value, value2, scale;
384 LogLevel *log_level_ptr;
385 long long orig, val64;
389 /* Strip trailing whitespace */
/*
 * NOTE(review): strlen(line) - 1 wraps to a huge value when line is ""
 * if len is an unsigned type (its declaration is not shown here), and the
 * loop would then index far past the buffer.  fgets() never yields an empty
 * string, but a caller passing an empty -o argument could.  Safer form:
 * check the length first and only loop when it is non-zero.
 */
390 for (len = strlen(line) - 1; len > 0; len--) {
391 if (strchr(WHITESPACE, line[len]) == NULL)
397 /* Get the keyword. (Each line is supposed to begin with a keyword). */
398 if ((keyword = strdelim(&s)) == NULL)
400 /* Ignore leading whitespace. */
401 if (*keyword == '\0')
402 keyword = strdelim(&s);
/* Blank lines and '#' comment lines are silently skipped. */
403 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
406 opcode = parse_token(keyword, filename, linenum);
410 /* don't panic, but count bad options */
413 case oConnectTimeout:
414 intptr = &options->connection_timeout;
417 if (!arg || *arg == '\0')
418 fatal("%s line %d: missing time value.",
420 if ((value = convtime(arg)) == -1)
421 fatal("%s line %d: invalid time value.",
/* First-set-wins: -1 is the initialize_options sentinel for this field. */
423 if (*activep && *intptr == -1)
428 intptr = &options->forward_agent;
/*
 * Shared yes/no parser: the boolean options below set intptr and jump here
 * (the gotos are not shown in this listing).  Only the exact lowercase
 * spellings yes/true/no/false are accepted.
 */
431 if (!arg || *arg == '\0')
432 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
433 value = 0; /* To avoid compiler warning... */
434 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
436 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
439 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
440 if (*activep && *intptr == -1)
445 intptr = &options->forward_x11;
448 case oForwardX11Trusted:
449 intptr = &options->forward_x11_trusted;
452 case oForwardX11Timeout:
453 intptr = &options->forward_x11_timeout;
457 intptr = &options->gateway_ports;
460 case oExitOnForwardFailure:
461 intptr = &options->exit_on_forward_failure;
464 case oUsePrivilegedPort:
465 intptr = &options->use_privileged_port;
468 case oPasswordAuthentication:
469 intptr = &options->password_authentication;
472 case oZeroKnowledgePasswordAuthentication:
473 intptr = &options->zero_knowledge_password_authentication;
476 case oKbdInteractiveAuthentication:
477 intptr = &options->kbd_interactive_authentication;
480 case oKbdInteractiveDevices:
481 charptr = &options->kbd_interactive_devices;
484 case oPubkeyAuthentication:
485 intptr = &options->pubkey_authentication;
488 case oRSAAuthentication:
489 intptr = &options->rsa_authentication;
492 case oRhostsRSAAuthentication:
493 intptr = &options->rhosts_rsa_authentication;
496 case oHostbasedAuthentication:
497 intptr = &options->hostbased_authentication;
500 case oChallengeResponseAuthentication:
501 intptr = &options->challenge_response_authentication;
504 case oGssAuthentication:
505 intptr = &options->gss_authentication;
509 intptr = &options->gss_keyex;
512 case oGssDelegateCreds:
513 intptr = &options->gss_deleg_creds;
517 intptr = &options->gss_trust_dns;
520 case oGssClientIdentity:
521 charptr = &options->gss_client_identity;
524 case oGssServerIdentity:
525 charptr = &options->gss_server_identity;
528 case oGssRenewalRekey:
529 intptr = &options->gss_renewal_rekey;
532 case oGssPasswordPrompt:
533 intptr = &options->gss_password_prompt;
537 case oGssMechanismOid: {
/*
 * The OID string is converted and validated before the active check, so a
 * bad OID is fatal even inside a non-matching Host block.  The converted
 * object is only kept when it is stored; otherwise it is released below.
 */
542 if (!arg || *arg == '\0')
543 fatal("%.200s line %d: Missing argument.", filename, linenum);
544 oid = mechanism_oid(arg);
545 if (oid == GSS_C_NO_OID)
546 fatal("%.200s line %d: Bad GSS mechanism OID '%s'.",
547 filename, linenum, arg ? arg : "<NONE>");
548 if (*activep && options->gss_mechanism_oid == GSS_C_NO_OID)
549 options->gss_mechanism_oid = oid;
551 gss_release_oid(&minor, &oid);
557 intptr = &options->batch_mode;
561 intptr = &options->check_host_ip;
564 case oVerifyHostKeyDNS:
565 intptr = &options->verify_host_key_dns;
568 case oStrictHostKeyChecking:
569 intptr = &options->strict_host_key_checking;
/*
 * Tri-state variant of the yes/no parser; "ask" is the third value and is
 * also what fill_default_options falls back to (see the "2 is default"
 * comment there).  Shared with oVerifyHostKeyDNS via a goto not shown here.
 */
572 if (!arg || *arg == '\0')
573 fatal("%.200s line %d: Missing yes/no/ask argument.",
575 value = 0; /* To avoid compiler warning... */
576 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
578 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
580 else if (strcmp(arg, "ask") == 0)
583 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
584 if (*activep && *intptr == -1)
589 intptr = &options->compression;
593 intptr = &options->tcp_keep_alive;
596 case oNoHostAuthenticationForLocalhost:
597 intptr = &options->no_host_authentication_for_localhost;
600 case oNumberOfPasswordPrompts:
601 intptr = &options->number_of_password_prompts;
604 case oCompressionLevel:
605 intptr = &options->compression_level;
/*
 * RekeyLimit: a decimal count with an optional K/M/G suffix.  The leading
 * digit check rejects signs and whitespace that strtoll would otherwise
 * accept, so the value is non-negative before the suffix is applied.
 */
610 if (!arg || *arg == '\0')
611 fatal("%.200s line %d: Missing argument.", filename, linenum);
612 if (arg[0] < '0' || arg[0] > '9')
613 fatal("%.200s line %d: Bad number.", filename, linenum);
614 orig = val64 = strtoll(arg, &endofnumber, 10);
615 if (arg == endofnumber)
616 fatal("%.200s line %d: Bad number.", filename, linenum);
617 switch (toupper(*endofnumber)) {
631 fatal("%.200s line %d: Invalid RekeyLimit suffix",
635 /* detect integer wrap and too-large limits */
/*
 * val64 has been multiplied by scale at this point; dividing back and
 * comparing with the original detects a wrapped product, and the UINT_MAX
 * bound keeps the later (u_int32_t) cast lossless.
 */
636 if ((val64 / scale) != orig || val64 > UINT_MAX)
637 fatal("%.200s line %d: RekeyLimit too large",
640 fatal("%.200s line %d: RekeyLimit too small",
642 if (*activep && options->rekey_limit == -1)
643 options->rekey_limit = (u_int32_t)val64;
648 if (!arg || *arg == '\0')
649 fatal("%.200s line %d: Missing argument.", filename, linenum);
/*
 * IdentityFile accumulates rather than first-set-wins: each occurrence
 * appends, bounded by SSH_MAX_IDENTITY_FILES.  The enclosing *activep test
 * for this case is not visible in this listing.
 */
651 intptr = &options->num_identity_files;
652 if (*intptr >= SSH_MAX_IDENTITY_FILES)
653 fatal("%.200s line %d: Too many identity files specified (max %d).",
654 filename, linenum, SSH_MAX_IDENTITY_FILES);
655 charptr = &options->identity_files[*intptr];
656 *charptr = xstrdup(arg);
657 *intptr = *intptr + 1;
662 charptr=&options->xauth_location;
666 charptr = &options->user;
/*
 * Shared single-string parser: the string options set charptr and jump
 * here.  The value is duplicated, and only stored while the field is NULL.
 */
669 if (!arg || *arg == '\0')
670 fatal("%.200s line %d: Missing argument.",
672 if (*activep && *charptr == NULL)
673 *charptr = xstrdup(arg);
676 case oGlobalKnownHostsFile:
677 cpptr = (char **)&options->system_hostfiles;
678 uintptr = &options->num_system_hostfiles;
679 max_entries = SSH_MAX_HOSTS_FILES;
/*
 * parse_char_array: reads every remaining token on the line into the fixed
 * array at cpptr, bounded by max_entries.  Because the whole list is
 * consumed here, an earlier non-empty list blocks later ones (*uintptr == 0
 * is the "unset" test) and the end-of-line garbage check below is moot.
 */
681 if (*activep && *uintptr == 0) {
682 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
683 if ((*uintptr) >= max_entries)
685 "too many authorized keys files.",
687 cpptr[(*uintptr)++] = xstrdup(arg);
692 case oUserKnownHostsFile:
693 cpptr = (char **)&options->user_hostfiles;
694 uintptr = &options->num_user_hostfiles;
695 max_entries = SSH_MAX_HOSTS_FILES;
696 goto parse_char_array;
699 charptr = &options->hostname;
703 charptr = &options->host_key_alias;
706 case oPreferredAuthentications:
707 charptr = &options->preferred_authentications;
711 charptr = &options->bind_address;
714 case oPKCS11Provider:
715 charptr = &options->pkcs11_provider;
719 charptr = &options->proxy_command;
/*
 * ProxyCommand keeps the rest of the line verbatim (spaces included) after
 * skipping whitespace and an optional '=' -- it is not tokenised.  The
 * string is later handed to a shell, so only trusted configuration sources
 * should be able to set it; read_config_file's owner/mode check is what
 * enforces that for files.
 */
722 fatal("%.200s line %d: Missing argument.", filename, linenum);
723 len = strspn(s, WHITESPACE "=");
724 if (*activep && *charptr == NULL)
725 *charptr = xstrdup(s + len);
729 intptr = &options->port;
/*
 * Shared integer parser for Port and the other numeric options (they set
 * intptr and jump here; the gotos are not shown).  Base 0 means a leading
 * "0" selects octal and "0x" hex, which can surprise users writing
 * zero-padded numbers.  NOTE(review): no range check is visible here --
 * out-of-range or strtol-overflowed (ERANGE) values are stored as parsed
 * unless validated by the consumer; confirm where the port range is
 * enforced.
 */
732 if (!arg || *arg == '\0')
733 fatal("%.200s line %d: Missing argument.", filename, linenum);
734 if (arg[0] < '0' || arg[0] > '9')
735 fatal("%.200s line %d: Bad number.", filename, linenum);
737 /* Octal, decimal, or hex format? */
738 value = strtol(arg, &endofnumber, 0);
739 if (arg == endofnumber)
740 fatal("%.200s line %d: Bad number.", filename, linenum);
741 if (*activep && *intptr == -1)
745 case oConnectionAttempts:
746 intptr = &options->connection_attempts;
750 intptr = &options->cipher;
/* Protocol 1 single cipher: the name must be known to cipher_number(). */
752 if (!arg || *arg == '\0')
753 fatal("%.200s line %d: Missing argument.", filename, linenum);
754 value = cipher_number(arg);
756 fatal("%.200s line %d: Bad cipher '%s'.",
757 filename, linenum, arg ? arg : "<NONE>");
758 if (*activep && *intptr == -1)
/*
 * Ciphers / MACs / KexAlgorithms / HostKeyAlgorithms: each list is checked
 * against the set the binary supports before it is stored, so a typo or an
 * unsupported algorithm is fatal at parse time rather than at connect time.
 */
764 if (!arg || *arg == '\0')
765 fatal("%.200s line %d: Missing argument.", filename, linenum);
766 if (!ciphers_valid(arg))
767 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
768 filename, linenum, arg ? arg : "<NONE>");
769 if (*activep && options->ciphers == NULL)
770 options->ciphers = xstrdup(arg);
775 if (!arg || *arg == '\0')
776 fatal("%.200s line %d: Missing argument.", filename, linenum);
778 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
779 filename, linenum, arg ? arg : "<NONE>");
780 if (*activep && options->macs == NULL)
781 options->macs = xstrdup(arg);
786 if (!arg || *arg == '\0')
787 fatal("%.200s line %d: Missing argument.",
789 if (!kex_names_valid(arg))
790 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
791 filename, linenum, arg ? arg : "<NONE>");
792 if (*activep && options->kex_algorithms == NULL)
793 options->kex_algorithms = xstrdup(arg);
796 case oHostKeyAlgorithms:
798 if (!arg || *arg == '\0')
799 fatal("%.200s line %d: Missing argument.", filename, linenum);
800 if (!key_names_valid2(arg))
801 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
802 filename, linenum, arg ? arg : "<NONE>");
803 if (*activep && options->hostkeyalgorithms == NULL)
804 options->hostkeyalgorithms = xstrdup(arg);
808 intptr = &options->protocol;
/* Protocol uses SSH_PROTO_UNKNOWN as its sentinel instead of -1. */
810 if (!arg || *arg == '\0')
811 fatal("%.200s line %d: Missing argument.", filename, linenum);
812 value = proto_spec(arg);
813 if (value == SSH_PROTO_UNKNOWN)
814 fatal("%.200s line %d: Bad protocol spec '%s'.",
815 filename, linenum, arg ? arg : "<NONE>");
816 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
821 log_level_ptr = &options->log_level;
/* LogLevel uses SYSLOG_LEVEL_NOT_SET as its sentinel. */
823 value = log_level_number(arg);
824 if (value == SYSLOG_LEVEL_NOT_SET)
825 fatal("%.200s line %d: unsupported log level '%s'",
826 filename, linenum, arg ? arg : "<NONE>");
827 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
828 *log_level_ptr = (LogLevel) value;
833 case oDynamicForward:
/*
 * LocalForward / RemoteForward take "[bind:]port target:port" as two
 * tokens; DynamicForward takes a single "[bind:]port" token.  Both are
 * normalised into fwdarg for parse_forward().
 */
835 if (arg == NULL || *arg == '\0')
836 fatal("%.200s line %d: Missing port argument.",
839 if (opcode == oLocalForward ||
840 opcode == oRemoteForward) {
842 if (arg2 == NULL || *arg2 == '\0')
843 fatal("%.200s line %d: Missing target argument.",
846 /* construct a string for parse_forward */
/*
 * NOTE(review): fwdarg is 256 bytes and the snprintf/strlcpy results are
 * not checked, so an over-long specification is silently truncated before
 * parse_forward() sees it rather than rejected outright.  Checking the
 * return value against sizeof(fwdarg) would make the failure explicit.
 */
847 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
848 } else if (opcode == oDynamicForward) {
849 strlcpy(fwdarg, arg, sizeof(fwdarg));
852 if (parse_forward(&fwd, fwdarg,
853 opcode == oDynamicForward ? 1 : 0,
854 opcode == oRemoteForward ? 1 : 0) == 0)
855 fatal("%.200s line %d: Bad forwarding specification.",
/* Dynamic forwards are local listeners, so they go through the same
 * privileged-port check as LocalForward in add_local_forward(). */
859 if (opcode == oLocalForward ||
860 opcode == oDynamicForward)
861 add_local_forward(options, &fwd);
862 else if (opcode == oRemoteForward)
863 add_remote_forward(options, &fwd);
867 case oClearAllForwardings:
868 intptr = &options->clear_forwardings;
/*
 * Host: every remaining token is a pattern; a leading '!' negates it.  A
 * match on a negated pattern disables the whole block, otherwise any
 * positive match enables it.  The result is written to *activep (not shown)
 * and governs all following lines until the next Host keyword.
 */
874 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
875 negated = *arg == '!';
878 if (match_pattern(host, arg)) {
880 debug("%.200s line %d: Skipping Host "
881 "block because of negated match "
882 "for %.100s", filename, linenum,
888 arg2 = arg; /* logged below */
893 debug("%.200s line %d: Applying options for %.100s",
894 filename, linenum, arg2);
895 /* Avoid garbage check below, as strdelim is done. */
899 intptr = &options->escape_char;
/*
 * EscapeChar accepts "^X" (control character), a single character, or
 * "none".  NOTE(review): arg[2] is read before arg[1] has been checked, so
 * for the two-byte input "^" the test peeks one byte past the terminating
 * NUL.  Testing arg[1] first (the >= 64 check already excludes NUL) and
 * arg[2] last keeps every read inside the string.
 */
901 if (!arg || *arg == '\0')
902 fatal("%.200s line %d: Missing argument.", filename, linenum);
903 if (arg[0] == '^' && arg[2] == 0 &&
904 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
905 value = (u_char) arg[1] & 31;
906 else if (strlen(arg) == 1)
907 value = (u_char) arg[0];
908 else if (strcmp(arg, "none") == 0)
909 value = SSH_ESCAPECHAR_NONE;
911 fatal("%.200s line %d: Bad escape character.",
914 value = 0; /* Avoid compiler warning. */
916 if (*activep && *intptr == -1)
/* AddressFamily: inet / inet6 / any, matched case-insensitively. */
922 if (!arg || *arg == '\0')
923 fatal("%s line %d: missing address family.",
925 intptr = &options->address_family;
926 if (strcasecmp(arg, "inet") == 0)
928 else if (strcasecmp(arg, "inet6") == 0)
930 else if (strcasecmp(arg, "any") == 0)
933 fatal("Unsupported AddressFamily \"%s\"", arg);
934 if (*activep && *intptr == -1)
938 case oEnableSSHKeysign:
939 intptr = &options->enable_ssh_keysign;
942 case oIdentitiesOnly:
943 intptr = &options->identities_only;
946 case oServerAliveInterval:
947 intptr = &options->server_alive_interval;
950 case oServerAliveCountMax:
951 intptr = &options->server_alive_count_max;
/*
 * SendEnv: accumulates variable-name patterns (not NAME=VALUE pairs -- an
 * '=' is rejected), bounded by MAX_SEND_ENV.  Like IdentityFile this
 * appends on every occurrence instead of first-set-wins.
 */
955 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
956 if (strchr(arg, '=') != NULL)
957 fatal("%s line %d: Invalid environment name.",
961 if (options->num_send_env >= MAX_SEND_ENV)
962 fatal("%s line %d: too many send env.",
964 options->send_env[options->num_send_env++] =
970 charptr = &options->control_path;
974 intptr = &options->control_master;
/* ControlMaster: yes/no/auto/ask/autoask, mapped to SSHCTL_MASTER_*. */
976 if (!arg || *arg == '\0')
977 fatal("%.200s line %d: Missing ControlMaster argument.",
979 value = 0; /* To avoid compiler warning... */
980 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
981 value = SSHCTL_MASTER_YES;
982 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
983 value = SSHCTL_MASTER_NO;
984 else if (strcmp(arg, "auto") == 0)
985 value = SSHCTL_MASTER_AUTO;
986 else if (strcmp(arg, "ask") == 0)
987 value = SSHCTL_MASTER_ASK;
988 else if (strcmp(arg, "autoask") == 0)
989 value = SSHCTL_MASTER_AUTO_ASK;
991 fatal("%.200s line %d: Bad ControlMaster argument.",
993 if (*activep && *intptr == -1)
997 case oControlPersist:
998 /* no/false/yes/true, or a time spec */
999 intptr = &options->control_persist;
1001 if (!arg || *arg == '\0')
1002 fatal("%.200s line %d: Missing ControlPersist"
1003 " argument.", filename, linenum);
/* A bare yes keeps the timeout at 0; a time spec sets both the flag and
 * control_persist_timeout together under one first-set-wins test. */
1005 value2 = 0; /* timeout */
1006 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
1008 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
1010 else if ((value2 = convtime(arg)) >= 0)
1013 fatal("%.200s line %d: Bad ControlPersist argument.",
1015 if (*activep && *intptr == -1) {
1017 options->control_persist_timeout = value2;
1021 case oHashKnownHosts:
1022 intptr = &options->hash_known_hosts;
1026 intptr = &options->tun_open;
/* Tunnel: ethernet / point-to-point / yes / no -> SSH_TUNMODE_*. */
1028 if (!arg || *arg == '\0')
1029 fatal("%s line %d: Missing yes/point-to-point/"
1030 "ethernet/no argument.", filename, linenum);
1031 value = 0; /* silence compiler */
1032 if (strcasecmp(arg, "ethernet") == 0)
1033 value = SSH_TUNMODE_ETHERNET;
1034 else if (strcasecmp(arg, "point-to-point") == 0)
1035 value = SSH_TUNMODE_POINTOPOINT;
1036 else if (strcasecmp(arg, "yes") == 0)
1037 value = SSH_TUNMODE_DEFAULT;
1038 else if (strcasecmp(arg, "no") == 0)
1039 value = SSH_TUNMODE_NO;
1041 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1042 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: "local[:remote]" parsed by a2tun into two ids. */
1049 if (!arg || *arg == '\0')
1050 fatal("%.200s line %d: Missing argument.", filename, linenum);
1051 value = a2tun(arg, &value2);
1052 if (value == SSH_TUNID_ERR)
1053 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1055 options->tun_local = value;
1056 options->tun_remote = value2;
1061 charptr = &options->local_command;
1064 case oPermitLocalCommand:
1065 intptr = &options->permit_local_command;
1068 case oVisualHostKey:
1069 intptr = &options->visual_host_key;
/* IPQoS: one value applies to both classes, two values set interactive
 * then bulk; each is validated by parse_ipqos before being stored. */
1074 if ((value = parse_ipqos(arg)) == -1)
1075 fatal("%s line %d: Bad IPQoS value: %s",
1076 filename, linenum, arg);
1080 else if ((value2 = parse_ipqos(arg)) == -1)
1081 fatal("%s line %d: Bad IPQoS value: %s",
1082 filename, linenum, arg);
1084 options->ip_qos_interactive = value;
1085 options->ip_qos_bulk = value2;
1090 intptr = &options->use_roaming;
/* RequestTTY: yes / no / force / auto -> REQUEST_TTY_*. */
1095 if (!arg || *arg == '\0')
1096 fatal("%s line %d: missing argument.",
1098 intptr = &options->request_tty;
1099 if (strcasecmp(arg, "yes") == 0)
1100 value = REQUEST_TTY_YES;
1101 else if (strcasecmp(arg, "no") == 0)
1102 value = REQUEST_TTY_NO;
1103 else if (strcasecmp(arg, "force") == 0)
1104 value = REQUEST_TTY_FORCE;
1105 else if (strcasecmp(arg, "auto") == 0)
1106 value = REQUEST_TTY_AUTO;
1108 fatal("Unsupported RequestTTY \"%s\"", arg);
1109 if (*activep && *intptr == -1)
/* Deprecated keywords are accepted and ignored with a debug message;
 * unsupported ones (compiled-out features) are logged at error level. */
1114 debug("%s line %d: Deprecated option \"%s\"",
1115 filename, linenum, keyword);
1119 error("%s line %d: Unsupported option \"%s\"",
1120 filename, linenum, keyword);
/* Every opcode in the enum must be handled above; reaching this default
 * is a programming error, not a configuration error. */
1124 fatal("process_config_line: Unimplemented opcode %d", opcode);
1127 /* Check that there is no garbage at end of line. */
/* Cases that consume the whole line (Host, ProxyCommand, the list
 * options) return or jump past this check. */
1128 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1129 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1130 filename, linenum, arg);
1137 * Reads the config file and modifies the options accordingly. Options
1138 * should already be initialized before this call. This never returns if
1139 * there is an error. If the file does not exist, this returns 0.
1143 read_config_file(const char *filename, const char *host, Options *options,
/*
 * Reads filename line by line and feeds each line to process_config_line.
 * Per the comment above, a file that cannot be opened yields 0 and is not
 * an error; every other failure is fatal().  The remaining parameters and
 * the local declarations (f, sb, line) are not shown in this listing.
 */
1148 int active, linenum;
1149 int bad_options = 0;
1151 if ((f = fopen(filename, "r")) == NULL)
/*
 * Owner/permission check on the file actually opened: fstat() on the
 * descriptor, not stat() on the path, so there is no window in which a
 * different file could be substituted between the check and the read.
 * Whether this check is conditional on a caller-supplied flag is not
 * visible here.
 */
1157 if (fstat(fileno(f), &sb) == -1)
1158 fatal("fstat %s: %s", filename, strerror(errno));
/*
 * The file must be owned by root or by the invoking real user (getuid, not
 * geteuid) and must not be group- or world-writable.  This is what stops
 * another local user from injecting options such as ProxyCommand or
 * LocalCommand that are later executed.
 */
1159 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1160 (sb.st_mode & 022) != 0))
1161 fatal("Bad owner or permissions on %s", filename);
1164 debug("Reading configuration data %.200s", filename);
1167 * Mark that we are now processing the options. This flag is turned
1168 * on/off by Host specifications.
/*
 * fgets bounds each read to sizeof(line); a physical line longer than the
 * buffer therefore arrives as several fragments, each handed to
 * process_config_line as if it were a line of its own.
 */
1172 while (fgets(line, sizeof(line), f)) {
1173 /* Update line number counter. */
/* A non-zero return means an unknown keyword; these are counted (the
 * increment is not shown) and reported together after the whole file has
 * been read, so one typo does not hide the others. */
1175 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1179 if (bad_options > 0)
1180 fatal("%s: terminating, %d bad configuration options",
1181 filename, bad_options);
1186 * Initializes options to special values that indicate that they have not yet
1187 * been set. Read_config_file will only set options with this value. Options
1188 * are processed in the following order: command line, user config file,
1189 * system config file. Last, fill_default_options is called.
1193 initialize_options(Options * options)
/*
 * Sentinel conventions used throughout: -1 for integer/boolean options,
 * NULL for strings, 0 for array counts, and SSH_PROTO_UNKNOWN /
 * SYSLOG_LEVEL_NOT_SET for the two enum-valued fields.  process_config_line
 * only stores into a field while it still holds its sentinel, and
 * fill_default_options replaces whatever is still a sentinel at the end.
 */
/*
 * Poison the whole struct with 'X' bytes first: any field that is not
 * explicitly reset below ends up as conspicuous garbage rather than a
 * plausible-looking zero, which makes a forgotten initialiser show up in
 * testing instead of silently acting as a default.
 */
1195 memset(options, 'X', sizeof(*options));
1196 options->forward_agent = -1;
1197 options->forward_x11 = -1;
1198 options->forward_x11_trusted = -1;
1199 options->forward_x11_timeout = -1;
1200 options->exit_on_forward_failure = -1;
1201 options->xauth_location = NULL;
1202 options->gateway_ports = -1;
1203 options->use_privileged_port = -1;
1204 options->rsa_authentication = -1;
1205 options->pubkey_authentication = -1;
1206 options->challenge_response_authentication = -1;
1207 options->gss_authentication = -1;
1208 options->gss_keyex = -1;
1209 options->gss_deleg_creds = -1;
1210 options->gss_trust_dns = -1;
1211 options->gss_renewal_rekey = -1;
1212 options->gss_client_identity = NULL;
1213 options->gss_server_identity = NULL;
1214 options->gss_password_prompt = -1;
/* NULL here; process_config_line tests this field against GSS_C_NO_OID. */
1215 options->gss_mechanism_oid = NULL;
1216 options->password_authentication = -1;
1217 options->kbd_interactive_authentication = -1;
1218 options->kbd_interactive_devices = NULL;
1219 options->rhosts_rsa_authentication = -1;
1220 options->hostbased_authentication = -1;
1221 options->batch_mode = -1;
1222 options->check_host_ip = -1;
1223 options->strict_host_key_checking = -1;
1224 options->compression = -1;
1225 options->tcp_keep_alive = -1;
1226 options->compression_level = -1;
1228 options->address_family = -1;
1229 options->connection_attempts = -1;
1230 options->connection_timeout = -1;
1231 options->number_of_password_prompts = -1;
1232 options->cipher = -1;
1233 options->ciphers = NULL;
1234 options->macs = NULL;
1235 options->kex_algorithms = NULL;
1236 options->hostkeyalgorithms = NULL;
1237 options->protocol = SSH_PROTO_UNKNOWN;
/* The identity_files[] entries themselves are left poisoned; only the
 * first num_identity_files of them are ever read. */
1238 options->num_identity_files = 0;
1239 options->hostname = NULL;
1240 options->host_key_alias = NULL;
1241 options->proxy_command = NULL;
1242 options->user = NULL;
1243 options->escape_char = -1;
1244 options->num_system_hostfiles = 0;
1245 options->num_user_hostfiles = 0;
1246 options->local_forwards = NULL;
1247 options->num_local_forwards = 0;
1248 options->remote_forwards = NULL;
1249 options->num_remote_forwards = 0;
1250 options->clear_forwardings = -1;
1251 options->log_level = SYSLOG_LEVEL_NOT_SET;
1252 options->preferred_authentications = NULL;
1253 options->bind_address = NULL;
1254 options->pkcs11_provider = NULL;
1255 options->enable_ssh_keysign = - 1;
1256 options->no_host_authentication_for_localhost = - 1;
1257 options->identities_only = - 1;
/* Compared with == -1 in process_config_line and stored as (u_int32_t);
 * the field's declared type is not visible in this listing. */
1258 options->rekey_limit = - 1;
1259 options->verify_host_key_dns = -1;
1260 options->server_alive_interval = -1;
1261 options->server_alive_count_max = -1;
1262 options->num_send_env = 0;
1263 options->control_path = NULL;
1264 options->control_master = -1;
1265 options->control_persist = -1;
/* Not a sentinel: 0 is the real default and it is only overwritten
 * together with control_persist. */
1266 options->control_persist_timeout = 0;
1267 options->hash_known_hosts = -1;
1268 options->tun_open = -1;
1269 options->tun_local = -1;
1270 options->tun_remote = -1;
1271 options->local_command = NULL;
1272 options->permit_local_command = -1;
1273 options->use_roaming = -1;
1274 options->visual_host_key = -1;
1275 options->zero_knowledge_password_authentication = -1;
1276 options->ip_qos_interactive = -1;
1277 options->ip_qos_bulk = -1;
1278 options->request_tty = -1;
1282 * Called after processing other sources of option data, this fills those
1283 * options for which no value has been specified with their default values.
/*
 * fill_default_options(): give every option that is still at its "unset"
 * sentinel (-1, NULL, 0 or a *_NOT_SET value, as left by initialize_options)
 * its compiled-in default. The return type, opening brace and the `len`
 * local used for the identity-file paths are on lines not shown in this
 * listing. No return value; errors are not reported from here.
 */
1287 fill_default_options(Options * options)
/* Agent and X11 forwarding default to OFF, so the remote side gets no
 * access to the local agent socket or display unless explicitly enabled. */
1291 if (options->forward_agent == -1)
1292 options->forward_agent = 0;
1293 if (options->forward_x11 == -1)
1294 options->forward_x11 = 0;
1295 if (options->forward_x11_trusted == -1)
1296 options->forward_x11_trusted = 0;
/* 1200 is the untrusted X11 forwarding timeout; presumably seconds —
 * confirm against the ForwardX11Timeout parser. */
1297 if (options->forward_x11_timeout == -1)
1298 options->forward_x11_timeout = 1200;
1299 if (options->exit_on_forward_failure == -1)
1300 options->exit_on_forward_failure = 0;
1301 if (options->xauth_location == NULL)
1302 options->xauth_location = _PATH_XAUTH;
/* gateway_ports 0: presumably keeps forwarded listeners on loopback only
 * (GatewayPorts semantics are implemented elsewhere, not in this file). */
1303 if (options->gateway_ports == -1)
1304 options->gateway_ports = 0;
1305 if (options->use_privileged_port == -1)
1306 options->use_privileged_port = 0;
/* Authentication methods: RSA, public-key, challenge-response, password and
 * keyboard-interactive are enabled (1); all GSSAPI variants, rhosts-RSA and
 * host-based are disabled (0) unless configured. */
1307 if (options->rsa_authentication == -1)
1308 options->rsa_authentication = 1;
1309 if (options->pubkey_authentication == -1)
1310 options->pubkey_authentication = 1;
1311 if (options->challenge_response_authentication == -1)
1312 options->challenge_response_authentication = 1;
1313 if (options->gss_authentication == -1)
1314 options->gss_authentication = 0;
1315 if (options->gss_keyex == -1)
1316 options->gss_keyex = 0;
/* Credential delegation stays off by default: a server should not receive
 * the client's GSSAPI credentials unless the user opted in. */
1317 if (options->gss_deleg_creds == -1)
1318 options->gss_deleg_creds = 0;
1319 if (options->gss_trust_dns == -1)
1320 options->gss_trust_dns = 0;
1321 if (options->gss_renewal_rekey == -1)
1322 options->gss_renewal_rekey = 0;
1323 if (options->gss_password_prompt == -1)
1324 options->gss_password_prompt = 0;
1325 if (options->password_authentication == -1)
1326 options->password_authentication = 1;
1327 if (options->kbd_interactive_authentication == -1)
1328 options->kbd_interactive_authentication = 1;
1329 if (options->rhosts_rsa_authentication == -1)
1330 options->rhosts_rsa_authentication = 0;
1331 if (options->hostbased_authentication == -1)
1332 options->hostbased_authentication = 0;
1333 if (options->batch_mode == -1)
1334 options->batch_mode = 0;
/* Host key handling: the host's IP is also checked against known_hosts
 * (check_host_ip 1), and unknown keys take the value 2 — presumably the
 * "ask" mode of StrictHostKeyChecking; confirm in the option parser. */
1335 if (options->check_host_ip == -1)
1336 options->check_host_ip = 1;
1337 if (options->strict_host_key_checking == -1)
1338 options->strict_host_key_checking = 2; /* 2 is default */
1339 if (options->compression == -1)
1340 options->compression = 0;
1341 if (options->tcp_keep_alive == -1)
1342 options->tcp_keep_alive = 1;
1343 if (options->compression_level == -1)
1344 options->compression_level = 6;
1345 if (options->port == -1)
1346 options->port = 0; /* Filled in ssh_connect. */
1347 if (options->address_family == -1)
1348 options->address_family = AF_UNSPEC;
1349 if (options->connection_attempts == -1)
1350 options->connection_attempts = 1;
1351 if (options->number_of_password_prompts == -1)
1352 options->number_of_password_prompts = 3;
1353 /* Selected in ssh_login(). */
1354 if (options->cipher == -1)
1355 options->cipher = SSH_CIPHER_NOT_SET;
1356 /* options->ciphers, default set in myproposals.h */
1357 /* options->macs, default set in myproposals.h */
1358 /* options->kex_algorithms, default set in myproposals.h */
1359 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Protocol 2 only unless the user configured otherwise; the SSH_PROTO_1
 * identity below is only added when protocol 1 was explicitly enabled. */
1360 if (options->protocol == SSH_PROTO_UNKNOWN)
1361 options->protocol = SSH_PROTO_2;
/* Default identity files. Each buffer is sized for "~/" + path + NUL
 * (len = 2 + strlen + 1); the "%.100s" precision additionally caps the
 * copied path at 100 bytes, so snprintf cannot overrun. The allocation
 * that fills identity_files[...] sits on a line not shown in this listing. */
1362 if (options->num_identity_files == 0) {
1363 if (options->protocol & SSH_PROTO_1) {
1364 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1365 options->identity_files[options->num_identity_files] =
1367 snprintf(options->identity_files[options->num_identity_files++],
1368 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1370 if (options->protocol & SSH_PROTO_2) {
1371 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1372 options->identity_files[options->num_identity_files] =
1374 snprintf(options->identity_files[options->num_identity_files++],
1375 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1377 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1378 options->identity_files[options->num_identity_files] =
1380 snprintf(options->identity_files[options->num_identity_files++],
1381 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1382 #ifdef OPENSSL_HAS_ECC
1383 len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1;
1384 options->identity_files[options->num_identity_files] =
1386 snprintf(options->identity_files[options->num_identity_files++],
1387 len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA);
1391 if (options->escape_char == -1)
1392 options->escape_char = '~';
/* Two system-wide and two per-user known_hosts files; the strings are
 * heap copies (xstrdup) owned by the Options structure. */
1393 if (options->num_system_hostfiles == 0) {
1394 options->system_hostfiles[options->num_system_hostfiles++] =
1395 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1396 options->system_hostfiles[options->num_system_hostfiles++] =
1397 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1399 if (options->num_user_hostfiles == 0) {
1400 options->user_hostfiles[options->num_user_hostfiles++] =
1401 xstrdup(_PATH_SSH_USER_HOSTFILE);
1402 options->user_hostfiles[options->num_user_hostfiles++] =
1403 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1405 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1406 options->log_level = SYSLOG_LEVEL_INFO;
/* Forwardings are dropped only when ClearAllForwardings was set to 1
 * explicitly; the -1 sentinel is left untouched here. */
1407 if (options->clear_forwardings == 1)
1408 clear_forwardings(options);
/* localhost still gets normal host key verification by default. */
1409 if (options->no_host_authentication_for_localhost == - 1)
1410 options->no_host_authentication_for_localhost = 0;
1411 if (options->identities_only == -1)
1412 options->identities_only = 0;
1413 if (options->enable_ssh_keysign == -1)
1414 options->enable_ssh_keysign = 0;
/* rekey_limit 0: presumably "leave it to the cipher's default" — confirm
 * where the limit is consumed. */
1415 if (options->rekey_limit == -1)
1416 options->rekey_limit = 0;
/* DNS (SSHFP) host key verification is off unless enabled. */
1417 if (options->verify_host_key_dns == -1)
1418 options->verify_host_key_dns = 0;
1419 if (options->server_alive_interval == -1)
1420 options->server_alive_interval = 0;
1421 if (options->server_alive_count_max == -1)
1422 options->server_alive_count_max = 3;
1423 if (options->control_master == -1)
1424 options->control_master = 0;
1425 if (options->control_persist == -1) {
1426 options->control_persist = 0;
1427 options->control_persist_timeout = 0;
/* known_hosts entries are written in plain form unless HashKnownHosts
 * is turned on. */
1429 if (options->hash_known_hosts == -1)
1430 options->hash_known_hosts = 0;
1431 if (options->tun_open == -1)
1432 options->tun_open = SSH_TUNMODE_NO;
1433 if (options->tun_local == -1)
1434 options->tun_local = SSH_TUNID_ANY;
1435 if (options->tun_remote == -1)
1436 options->tun_remote = SSH_TUNID_ANY;
1437 if (options->permit_local_command == -1)
1438 options->permit_local_command = 0;
/* Client roaming support is ON by default here; deployments that do not
 * use it can switch it off in the configuration. */
1439 if (options->use_roaming == -1)
1440 options->use_roaming = 1;
1441 if (options->visual_host_key == -1)
1442 options->visual_host_key = 0;
1443 if (options->zero_knowledge_password_authentication == -1)
1444 options->zero_knowledge_password_authentication = 0;
1445 if (options->ip_qos_interactive == -1)
1446 options->ip_qos_interactive = IPTOS_LOWDELAY;
1447 if (options->ip_qos_bulk == -1)
1448 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1449 if (options->request_tty == -1)
1450 options->request_tty = REQUEST_TTY_AUTO;
1451 /* options->local_command should not be set by default */
1452 /* options->proxy_command should not be set by default */
1453 /* options->user will be set in the main program if appropriate */
1454 /* options->hostname will be set in the main program if appropriate */
1455 /* options->host_key_alias should not be set by default */
1456 /* options->preferred_authentications will be set in ssh */
1461 * parses a string containing a port forwarding specification of the form:
1463 * [listenhost:]listenport:connecthost:connectport
1465 * [listenhost:]listenport
1466 * returns number of arguments parsed or zero on error
/*
 * parse_forward(): split a forwarding specification into *fwd.
 *
 * fwd        - output; zeroed first, so fields not assigned (e.g. connect_port
 *              in the dynamic case) read as 0/NULL.
 * fwdspec    - the user-supplied text; not modified (a private copy is made).
 * dynamicfwd - non-zero when a dynamic (SOCKS) forward is being parsed.
 * remotefwd  - non-zero for a remote forward, which is allowed listen port 0.
 *
 * Returns the number of arguments parsed (1..4) or 0 on failure, in which
 * case any host strings already allocated into *fwd are released again.
 * The declaration of `i`, the switch that dispatches on the argument count,
 * and the release of the private copy `p` are on lines not shown in this
 * listing.
 */
1469 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1472 char *p, *cp, *fwdarg[4];
1474 memset(fwd, '\0', sizeof(*fwd));
/* p keeps the start of the heap copy for freeing; cp is the scan cursor. */
1476 cp = p = xstrdup(fwdspec);
1478 /* skip leading spaces */
/* NOTE(review): isspace() is passed a plain char; where char is signed a
 * byte >= 0x80 is undefined for <ctype.h> — cast to unsigned char. */
1479 while (isspace(*cp))
/* hpdelim() presumably returns the next host/port token and advances cp,
 * NULL when the input is exhausted — confirm against its definition. */
1482 for (i = 0; i < 4; ++i)
1483 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1486 /* Check for trailing garbage */
1488 i = 0; /* failure */
/* Dynamic forward with no listen host: connect_host is the "socks" marker
 * and connect_port stays 0 from the memset above. */
1492 fwd->listen_host = NULL;
1493 fwd->listen_port = a2port(fwdarg[0]);
1494 fwd->connect_host = xstrdup("socks");
/* Dynamic forward with an explicit listen host. */
1498 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1499 fwd->listen_port = a2port(fwdarg[1]);
1500 fwd->connect_host = xstrdup("socks");
/* Plain forward without listen host: listenport:connecthost:connectport. */
1504 fwd->listen_host = NULL;
1505 fwd->listen_port = a2port(fwdarg[0]);
1506 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1507 fwd->connect_port = a2port(fwdarg[2]);
/* Full form: listenhost:listenport:connecthost:connectport. */
1511 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1512 fwd->listen_port = a2port(fwdarg[1]);
1513 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1514 fwd->connect_port = a2port(fwdarg[3]);
1517 i = 0; /* failure */
/* Argument-count sanity: a dynamic forward must have 1 or 2 parts, any
 * other forward 3 or 4. The if/else selecting between these two checks is
 * not visible in this listing. */
1523 if (!(i == 1 || i == 2))
1526 if (!(i == 3 || i == 4))
/* Port validation. a2port() presumably yields a negative value for an
 * unparsable port — confirm; connect_port must be strictly positive, and
 * listen_port 0 ("let the server choose") is accepted only for remote
 * forwards. */
1528 if (fwd->connect_port <= 0)
1532 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
/* Bound both host names below NI_MAXHOST before they reach name resolution
 * or fixed-size buffers elsewhere. */
1535 if (fwd->connect_host != NULL &&
1536 strlen(fwd->connect_host) >= NI_MAXHOST)
1538 if (fwd->listen_host != NULL &&
1539 strlen(fwd->listen_host) >= NI_MAXHOST)
/* Failure path: release whatever host strings were allocated and NULL the
 * pointers so the caller cannot double-free them. */
1546 if (fwd->connect_host != NULL) {
1547 xfree(fwd->connect_host);
1548 fwd->connect_host = NULL;
1550 if (fwd->listen_host != NULL) {
1551 xfree(fwd->listen_host);
1552 fwd->listen_host = NULL;
1559 mechanism_oid(const char *oidstr)
1562 gss_buffer_desc oidBuf;
1563 size_t oidstrLen, i;
1565 gss_OID ret = GSS_C_NO_OID;
1567 oidstrLen = strlen(oidstr);
1569 oidBuf.length = 2 + oidstrLen + 2;
1570 oidBuf.value = xmalloc(oidBuf.length + 1);
1571 if (oidBuf.value == NULL)
1574 p = (char *)oidBuf.value;
1577 for (i = 0; i < oidstrLen; i++)
1578 *p++ = oidstr[i] == '.' ? ' ' : oidstr[i];
1583 gss_str_to_oid(&minor, &oidBuf, &ret);
1585 xfree(oidBuf.value);