1 /* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
40 #include "pathnames.h"
50 /* Format of the configuration file:
52 # Configuration data is parsed as follows:
53 # 1. command line options
54 # 2. user-specific file
56 # Any configuration value is only changed the first time it is set.
57 # Thus, host-specific definitions should be at the beginning of the
58 # configuration file, and defaults at the end.
60 # Host-specific declarations. These may override anything above. A single
61 # host may match multiple declarations; these are processed in the order
62 # that they are given in.
68 HostName another.host.name.real.org
75 RemoteForward 9999 shadows.cs.hut.fi:9999
81 PasswordAuthentication no
85 ProxyCommand ssh-proxy %h %p
88 PubkeyAuthentication no
92 PasswordAuthentication no
98 # Defaults for various options
102 PasswordAuthentication yes
103 RSAAuthentication yes
104 RhostsRSAAuthentication yes
105 StrictHostKeyChecking yes
107 IdentityFile ~/.ssh/identity
113 /* Keyword tokens. */
/*
 * One opcode per recognised configuration keyword.  The enum's opening
 * line and its first member are not on the lines shown here.  keywords[]
 * below maps each lowercase keyword to one of these values, and
 * process_config_line() switches on the opcode to decide how the
 * argument is parsed.
 */
117 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
118 oGatewayPorts, oExitOnForwardFailure,
119 oPasswordAuthentication, oRSAAuthentication,
120 oChallengeResponseAuthentication, oXAuthLocation,
121 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
122 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
123 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
124 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
125 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
126 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
127 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
128 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
129 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
131 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
132 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
133 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
134 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
135 oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
137 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
138 oSendEnv, oControlPath, oControlMaster, oControlPersist,
140 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
141 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
142 oKexAlgorithms, oIPQoS, oRequestTTY,
143 oProtocolKeepAlives, oSetupTimeOut,
/*
 * oDeprecated: keyword still accepted but ignored (process_config_line()
 * logs it at debug level).  oUnsupported: keyword known but compiled out
 * (logged with error()).  Several members referenced by keywords[] below
 * (oUseBlacklistedKeys, oGssServerIdentity, oHashKnownHosts) sit on lines
 * not shown here.
 */
144 oDeprecated, oUnsupported
147 /* Textual representations of the tokens. */
/*
 * keyword text -> opcode table.  The declaration line and the terminating
 * { NULL, oBadOption } entry are not on the lines shown.  parse_token()
 * walks this table linearly with strcasecmp(), so matching is
 * case-insensitive and the FIRST matching entry wins; where a keyword
 * appears twice below, only the earlier entry is ever reached in a given
 * build.
 */
153 { "forwardagent", oForwardAgent },
154 { "forwardx11", oForwardX11 },
155 { "forwardx11trusted", oForwardX11Trusted },
156 { "forwardx11timeout", oForwardX11Timeout },
157 { "exitonforwardfailure", oExitOnForwardFailure },
158 { "xauthlocation", oXAuthLocation },
159 { "gatewayports", oGatewayPorts },
160 { "useprivilegedport", oUsePrivilegedPort },
/* Accepted for backward compatibility only; see the oDeprecated case. */
161 { "rhostsauthentication", oDeprecated },
162 { "passwordauthentication", oPasswordAuthentication },
163 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
164 { "kbdinteractivedevices", oKbdInteractiveDevices },
165 { "useblacklistedkeys", oUseBlacklistedKeys },
166 { "rsaauthentication", oRSAAuthentication },
167 { "pubkeyauthentication", oPubkeyAuthentication },
168 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
169 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
170 { "hostbasedauthentication", oHostbasedAuthentication },
171 { "challengeresponseauthentication", oChallengeResponseAuthentication },
172 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
173 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
174 { "kerberosauthentication", oUnsupported },
175 { "kerberostgtpassing", oUnsupported },
176 { "afstokenpassing", oUnsupported },
/*
 * NOTE(review): the gssapi* keywords appear twice, first with real opcodes
 * and then with oUnsupported.  Presumably the two groups sit on either side
 * of a build-time conditional whose directive lines are not shown; confirm
 * before relying on the first-match rule to pick the right one.
 */
178 { "gssapiauthentication", oGssAuthentication },
179 { "gssapikeyexchange", oGssKeyEx },
180 { "gssapidelegatecredentials", oGssDelegateCreds },
181 { "gssapitrustdns", oGssTrustDns },
182 { "gssapiclientidentity", oGssClientIdentity },
183 { "gssapiserveridentity", oGssServerIdentity },
184 { "gssapirenewalforcesrekey", oGssRenewalRekey },
186 { "gssapiauthentication", oUnsupported },
187 { "gssapikeyexchange", oUnsupported },
188 { "gssapidelegatecredentials", oUnsupported },
189 { "gssapitrustdns", oUnsupported },
190 { "gssapiclientidentity", oUnsupported },
191 { "gssapirenewalforcesrekey", oUnsupported },
193 { "fallbacktorsh", oDeprecated },
194 { "usersh", oDeprecated },
195 { "identityfile", oIdentityFile },
196 { "identityfile2", oIdentityFile }, /* obsolete */
197 { "identitiesonly", oIdentitiesOnly },
198 { "hostname", oHostName },
199 { "hostkeyalias", oHostKeyAlias },
200 { "proxycommand", oProxyCommand },
202 { "cipher", oCipher },
203 { "ciphers", oCiphers },
205 { "protocol", oProtocol },
206 { "remoteforward", oRemoteForward },
207 { "localforward", oLocalForward },
210 { "escapechar", oEscapeChar },
211 { "globalknownhostsfile", oGlobalKnownHostsFile },
212 { "globalknownhostsfile2", oDeprecated },
213 { "userknownhostsfile", oUserKnownHostsFile },
214 { "userknownhostsfile2", oDeprecated },
215 { "connectionattempts", oConnectionAttempts },
216 { "batchmode", oBatchMode },
217 { "checkhostip", oCheckHostIP },
218 { "stricthostkeychecking", oStrictHostKeyChecking },
219 { "compression", oCompression },
220 { "compressionlevel", oCompressionLevel },
221 { "tcpkeepalive", oTCPKeepAlive },
222 { "keepalive", oTCPKeepAlive }, /* obsolete */
223 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
224 { "loglevel", oLogLevel },
225 { "dynamicforward", oDynamicForward },
226 { "preferredauthentications", oPreferredAuthentications },
227 { "hostkeyalgorithms", oHostKeyAlgorithms },
228 { "bindaddress", oBindAddress },
/*
 * NOTE(review): same duplicate pattern as the gssapi* group above — the
 * oUnsupported pair presumably belongs to a not-shown #else branch.
 */
230 { "smartcarddevice", oPKCS11Provider },
231 { "pkcs11provider", oPKCS11Provider },
233 { "smartcarddevice", oUnsupported },
234 { "pkcs11provider", oUnsupported },
236 { "clearallforwardings", oClearAllForwardings },
237 { "enablesshkeysign", oEnableSSHKeysign },
238 { "verifyhostkeydns", oVerifyHostKeyDNS },
239 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
240 { "rekeylimit", oRekeyLimit },
241 { "connecttimeout", oConnectTimeout },
242 { "addressfamily", oAddressFamily },
243 { "serveraliveinterval", oServerAliveInterval },
244 { "serveralivecountmax", oServerAliveCountMax },
245 { "sendenv", oSendEnv },
246 { "controlpath", oControlPath },
247 { "controlmaster", oControlMaster },
248 { "controlpersist", oControlPersist },
249 { "hashknownhosts", oHashKnownHosts },
250 { "tunnel", oTunnel },
251 { "tunneldevice", oTunnelDevice },
252 { "localcommand", oLocalCommand },
253 { "permitlocalcommand", oPermitLocalCommand },
254 { "visualhostkey", oVisualHostKey },
255 { "useroaming", oUseRoaming },
/* Duplicate pair again; see the gssapi* note above. */
257 { "zeroknowledgepasswordauthentication",
258 oZeroKnowledgePasswordAuthentication },
260 { "zeroknowledgepasswordauthentication", oUnsupported },
262 { "kexalgorithms", oKexAlgorithms },
264 { "requesttty", oRequestTTY },
/* Both map onto server_alive_interval in process_config_line(). */
265 { "protocolkeepalives", oProtocolKeepAlives },
266 { "setuptimeout", oSetupTimeOut },
272 * Adds a local TCP/IP port forward to options. Never returns if there is an
277 add_local_forward(Options *options, const Forward *newfwd)
/*
 * Append a copy of *newfwd to options->local_forwards.  The return type,
 * opening brace, the local `fwd' declaration, the #endif and the closing
 * brace are on lines not shown here.  fatal() does not return (see the
 * comment above).
 *
 * Only the struct fields are copied: the listen_host/connect_host string
 * pointers are shared with *newfwd, not duplicated, so ownership of those
 * strings passes to `options' (clear_forwardings() frees them).
 */
280 #ifndef NO_IPPORT_RESERVED_CONCEPT
281 extern uid_t original_real_uid;
/*
 * Refuse to listen on a privileged port unless the invoking user is root.
 * original_real_uid is defined elsewhere; presumably it is the real uid
 * captured at program start, so a setuid binary still checks the caller.
 */
282 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
283 fatal("Privileged ports can only be forwarded by root.");
/*
 * Grow the array by one.  Three-argument xrealloc (count, element size)
 * is the project's wrapper; presumably it aborts on allocation failure and
 * on count*size overflow — its definition is not shown.
 */
285 options->local_forwards = xrealloc(options->local_forwards,
286 options->num_local_forwards + 1,
287 sizeof(*options->local_forwards));
288 fwd = &options->local_forwards[options->num_local_forwards++];
290 fwd->listen_host = newfwd->listen_host;
291 fwd->listen_port = newfwd->listen_port;
292 fwd->connect_host = newfwd->connect_host;
293 fwd->connect_port = newfwd->connect_port;
297 * Adds a remote TCP/IP port forward to options. Never returns if there is
302 add_remote_forward(Options *options, const Forward *newfwd)
/*
 * Append a copy of *newfwd to options->remote_forwards.  Return type,
 * braces and the local `fwd' declaration are on lines not shown.
 *
 * As with add_local_forward(), the host string pointers are copied rather
 * than duplicated, so `options' takes ownership of them.  There is no
 * privileged-port check here: the listening side of a remote forward is
 * opened by the server, not by this process (presumably — the binding code
 * is elsewhere).
 */
306 options->remote_forwards = xrealloc(options->remote_forwards,
307 options->num_remote_forwards + 1,
308 sizeof(*options->remote_forwards));
309 fwd = &options->remote_forwards[options->num_remote_forwards++];
311 fwd->listen_host = newfwd->listen_host;
312 fwd->listen_port = newfwd->listen_port;
313 fwd->connect_host = newfwd->connect_host;
314 fwd->connect_port = newfwd->connect_port;
/* Cleared here; the field is filled in later, outside this file. */
315 fwd->allocated_port = 0;
319 clear_forwardings(Options *options)
/*
 * Release every local and remote forward recorded in `options' and reset
 * the counts, then mark the tunnel as not requested.  Used by the
 * ClearAllForwardings option path (see process_config_line()).  Return
 * type, braces and the loop index declaration are on lines not shown.
 *
 * listen_host is optional (may be NULL) and is only freed when present;
 * connect_host is always freed, so every stored forward must have one.
 */
323 for (i = 0; i < options->num_local_forwards; i++) {
324 if (options->local_forwards[i].listen_host != NULL)
325 xfree(options->local_forwards[i].listen_host);
326 xfree(options->local_forwards[i].connect_host);
/* Free the array itself only if one was ever allocated. */
328 if (options->num_local_forwards > 0) {
329 xfree(options->local_forwards);
330 options->local_forwards = NULL;
332 options->num_local_forwards = 0;
333 for (i = 0; i < options->num_remote_forwards; i++) {
334 if (options->remote_forwards[i].listen_host != NULL)
335 xfree(options->remote_forwards[i].listen_host);
336 xfree(options->remote_forwards[i].connect_host);
338 if (options->num_remote_forwards > 0) {
339 xfree(options->remote_forwards);
340 options->remote_forwards = NULL;
342 options->num_remote_forwards = 0;
/* Tunnel devices count as forwardings for the purpose of "clear all". */
343 options->tun_open = SSH_TUNMODE_NO;
347 * Returns the number of the token pointed to by cp or oBadOption.
351 parse_token(const char *cp, const char *filename, int linenum)
/*
 * Map keyword text `cp' to its opcode by a linear, case-insensitive scan
 * of keywords[]; the first match wins.  On no match an error naming
 * filename/linenum is logged and oBadOption is returned (per the comment
 * above; that return line, like the return type, braces and the index
 * declaration, is not shown here).
 */
355 for (i = 0; keywords[i].name; i++)
356 if (strcasecmp(cp, keywords[i].name) == 0)
357 return keywords[i].opcode;
/* Unknown keyword: logged, not fatal — the caller counts bad options. */
359 error("%s: line %d: Bad configuration option: %s",
360 filename, linenum, cp);
365 * Processes a single option line as used in the configuration files. This
366 * only sets those values that have not already been set.
/*
 * Delimiter set used by process_config_line(): to strip trailing
 * whitespace from a line, and (with "=" appended) to skip the gap before
 * a ProxyCommand argument.
 */
368 #define WHITESPACE " \t\r\n"
/*
 * Parse one configuration line.  `host' is the host being connected to and
 * is matched against Host patterns; `line' is modified in place (strdelim
 * tokenises it); filename/linenum are for diagnostics only.  The final
 * parameter (referenced below as `activep') is on a line not shown: it is
 * the "inside a matching Host block" flag, and every option is only stored
 * when *activep is set AND the field still holds its "unset" sentinel, so
 * the first source to set an option wins (see initialize_options()).
 *
 * Returns 0 on success; read_config_file() treats any non-zero return as
 * one bad option.  Malformed arguments are fatal().  The declarations of
 * `len' and `fwd', the `s = line' assignment, the switch header, the
 * break/goto lines and the closing braces are not on the lines shown.
 */
371 process_config_line(Options *options, const char *host,
372 char *line, const char *filename, int linenum,
375 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
/* fwdarg: fixed scratch buffer in which a forwarding spec is assembled. */
376 char **cpptr, fwdarg[256];
377 u_int *uintptr, max_entries = 0;
378 int negated, opcode, *intptr, value, value2, scale;
379 LogLevel *log_level_ptr;
380 long long orig, val64;
384 /* Strip trailing whitespace */
/*
 * NOTE(review): `len' is declared on a line not shown.  If it is an
 * unsigned type, an empty `line' makes strlen(line) - 1 wrap to the
 * maximum value and line[len] is read far out of bounds; confirm its
 * type and that no caller passes an empty string (e.g. an empty
 * command-line option), or guard with an early return when strlen(line)
 * is 0.
 */
385 for (len = strlen(line) - 1; len > 0; len--) {
386 if (strchr(WHITESPACE, line[len]) == NULL)
392 /* Get the keyword. (Each line is supposed to begin with a keyword). */
393 if ((keyword = strdelim(&s)) == NULL)
395 /* Ignore leading whitespace. */
396 if (*keyword == '\0')
397 keyword = strdelim(&s);
/* Blank line or comment: nothing to do (the return is not shown). */
398 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
401 opcode = parse_token(keyword, filename, linenum);
/*
 * The oBadOption case follows (not shown); it evidently returns non-zero,
 * which read_config_file() counts and reports after the whole file.
 */
405 /* don't panic, but count bad options */
408 case oConnectTimeout:
409 intptr = &options->connection_timeout;
412 if (!arg || *arg == '\0')
413 fatal("%s line %d: missing time value.",
/* convtime() accepts a duration with unit suffixes; -1 means unparsable. */
415 if ((value = convtime(arg)) == -1)
416 fatal("%s line %d: invalid time value.",
418 if (*activep && *intptr == -1)
/*
 * oForwardAgent / parse_flag (labels not shown): the shared yes/no parser.
 * Each of the intptr-only cases below sets intptr and jumps here.
 */
423 intptr = &options->forward_agent;
426 if (!arg || *arg == '\0')
427 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
428 value = 0; /* To avoid compiler warning... */
429 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
431 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
434 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
435 if (*activep && *intptr == -1)
440 intptr = &options->forward_x11;
443 case oForwardX11Trusted:
444 intptr = &options->forward_x11_trusted;
447 case oForwardX11Timeout:
448 intptr = &options->forward_x11_timeout;
452 intptr = &options->gateway_ports;
455 case oExitOnForwardFailure:
456 intptr = &options->exit_on_forward_failure;
459 case oUsePrivilegedPort:
460 intptr = &options->use_privileged_port;
463 case oPasswordAuthentication:
464 intptr = &options->password_authentication;
467 case oZeroKnowledgePasswordAuthentication:
468 intptr = &options->zero_knowledge_password_authentication;
471 case oKbdInteractiveAuthentication:
472 intptr = &options->kbd_interactive_authentication;
475 case oKbdInteractiveDevices:
476 charptr = &options->kbd_interactive_devices;
479 case oPubkeyAuthentication:
480 intptr = &options->pubkey_authentication;
483 case oRSAAuthentication:
484 intptr = &options->rsa_authentication;
487 case oRhostsRSAAuthentication:
488 intptr = &options->rhosts_rsa_authentication;
491 case oHostbasedAuthentication:
492 intptr = &options->hostbased_authentication;
495 case oChallengeResponseAuthentication:
496 intptr = &options->challenge_response_authentication;
499 case oUseBlacklistedKeys:
500 intptr = &options->use_blacklisted_keys;
503 case oGssAuthentication:
504 intptr = &options->gss_authentication;
508 intptr = &options->gss_keyex;
511 case oGssDelegateCreds:
512 intptr = &options->gss_deleg_creds;
516 intptr = &options->gss_trust_dns;
519 case oGssClientIdentity:
520 charptr = &options->gss_client_identity;
523 case oGssServerIdentity:
524 charptr = &options->gss_server_identity;
527 case oGssRenewalRekey:
528 intptr = &options->gss_renewal_rekey;
532 intptr = &options->batch_mode;
536 intptr = &options->check_host_ip;
539 case oVerifyHostKeyDNS:
540 intptr = &options->verify_host_key_dns;
/*
 * StrictHostKeyChecking takes a third value, "ask", so it has its own
 * parser rather than sharing parse_flag.  The value assignments for
 * yes/no/ask are on lines not shown.
 */
543 case oStrictHostKeyChecking:
544 intptr = &options->strict_host_key_checking;
547 if (!arg || *arg == '\0')
548 fatal("%.200s line %d: Missing yes/no/ask argument.",
550 value = 0; /* To avoid compiler warning... */
551 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
553 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
555 else if (strcmp(arg, "ask") == 0)
558 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
559 if (*activep && *intptr == -1)
564 intptr = &options->compression;
568 intptr = &options->tcp_keep_alive;
571 case oNoHostAuthenticationForLocalhost:
572 intptr = &options->no_host_authentication_for_localhost;
575 case oNumberOfPasswordPrompts:
576 intptr = &options->number_of_password_prompts;
579 case oCompressionLevel:
580 intptr = &options->compression_level;
/*
 * oRekeyLimit (label not shown): a byte count with an optional K/M/G
 * suffix.  The leading-digit test rejects signs and whitespace before
 * strtoll() sees them.
 */
585 if (!arg || *arg == '\0')
586 fatal("%.200s line %d: Missing argument.", filename, linenum);
587 if (arg[0] < '0' || arg[0] > '9')
588 fatal("%.200s line %d: Bad number.", filename, linenum);
589 orig = val64 = strtoll(arg, &endofnumber, 10);
590 if (arg == endofnumber)
591 fatal("%.200s line %d: Bad number.", filename, linenum);
/*
 * NOTE(review): toupper() on a plain char is only well-defined for values
 * representable as unsigned char or EOF; casting `(unsigned char)
 * *endofnumber' is the portable form.  The suffix cases that set `scale'
 * and multiply val64 are on lines not shown.
 */
592 switch (toupper(*endofnumber)) {
606 fatal("%.200s line %d: Invalid RekeyLimit suffix",
/*
 * Dividing back by the scale and comparing with the original catches a
 * multiplication that wrapped; the second test keeps the value within the
 * u_int32_t field it is stored in.
 */
610 /* detect integer wrap and too-large limits */
611 if ((val64 / scale) != orig || val64 > UINT_MAX)
612 fatal("%.200s line %d: RekeyLimit too large",
615 fatal("%.200s line %d: RekeyLimit too small",
617 if (*activep && options->rekey_limit == -1)
618 options->rekey_limit = (u_int32_t)val64;
/*
 * oIdentityFile (label not shown): identity files accumulate rather than
 * "first one wins", bounded by SSH_MAX_IDENTITY_FILES.  Whether the append
 * is gated on *activep is decided on a line not shown.
 */
623 if (!arg || *arg == '\0')
624 fatal("%.200s line %d: Missing argument.", filename, linenum);
626 intptr = &options->num_identity_files;
627 if (*intptr >= SSH_MAX_IDENTITY_FILES)
628 fatal("%.200s line %d: Too many identity files specified (max %d).",
629 filename, linenum, SSH_MAX_IDENTITY_FILES);
630 charptr = &options->identity_files[*intptr];
631 *charptr = xstrdup(arg);
632 *intptr = *intptr + 1;
637 charptr=&options->xauth_location;
641 charptr = &options->user;
/* parse_string (label not shown): single-word string options. */
644 if (!arg || *arg == '\0')
645 fatal("%.200s line %d: Missing argument.",
647 if (*activep && *charptr == NULL)
648 *charptr = xstrdup(arg);
/*
 * Known-hosts file lists: several whitespace-separated paths, stored into
 * a fixed array of max_entries slots.  The cast assumes the struct field
 * is a char *[] whose first element is at the field's address.
 */
651 case oGlobalKnownHostsFile:
652 cpptr = (char **)&options->system_hostfiles;
653 uintptr = &options->num_system_hostfiles;
654 max_entries = SSH_MAX_HOSTS_FILES;
/* parse_char_array (label not shown): only the first non-empty list is kept. */
656 if (*activep && *uintptr == 0) {
657 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
658 if ((*uintptr) >= max_entries)
/*
 * NOTE(review): the message text says "authorized keys files" but this
 * path only handles known-hosts file lists; the wording is misleading in
 * a diagnostic.
 */
660 "too many authorized keys files.",
662 cpptr[(*uintptr)++] = xstrdup(arg);
667 case oUserKnownHostsFile:
668 cpptr = (char **)&options->user_hostfiles;
669 uintptr = &options->num_user_hostfiles;
670 max_entries = SSH_MAX_HOSTS_FILES;
671 goto parse_char_array;
674 charptr = &options->hostname;
678 charptr = &options->host_key_alias;
681 case oPreferredAuthentications:
682 charptr = &options->preferred_authentications;
686 charptr = &options->bind_address;
689 case oPKCS11Provider:
690 charptr = &options->pkcs11_provider;
/*
 * ProxyCommand (label not shown) keeps the REST of the line verbatim
 * after skipping whitespace and '=', because the command may contain
 * spaces.  The value is stored unvalidated here; how it is later executed
 * is not visible in this file.  Because `s' is consumed, the
 * garbage-at-end check at the bottom does not apply (the early return
 * is on a line not shown).
 */
694 charptr = &options->proxy_command;
697 fatal("%.200s line %d: Missing argument.", filename, linenum);
698 len = strspn(s, WHITESPACE "=");
699 if (*activep && *charptr == NULL)
700 *charptr = xstrdup(s + len);
/*
 * Port: strtol with base 0, so "0x16" and "026" are accepted.  No range
 * check against 1..65535 is visible here — presumably enforced where the
 * connection is made; confirm.
 */
704 intptr = &options->port;
707 if (!arg || *arg == '\0')
708 fatal("%.200s line %d: Missing argument.", filename, linenum);
709 if (arg[0] < '0' || arg[0] > '9')
710 fatal("%.200s line %d: Bad number.", filename, linenum);
712 /* Octal, decimal, or hex format? */
713 value = strtol(arg, &endofnumber, 0);
714 if (arg == endofnumber)
715 fatal("%.200s line %d: Bad number.", filename, linenum);
716 if (*activep && *intptr == -1)
720 case oConnectionAttempts:
721 intptr = &options->connection_attempts;
/* Protocol-1 cipher by name; cipher_number() maps it to an index. */
725 intptr = &options->cipher;
727 if (!arg || *arg == '\0')
728 fatal("%.200s line %d: Missing argument.", filename, linenum);
729 value = cipher_number(arg);
/* `arg' cannot be NULL here (checked above); the ternary is defensive only. */
731 fatal("%.200s line %d: Bad cipher '%s'.",
732 filename, linenum, arg ? arg : "<NONE>");
733 if (*activep && *intptr == -1)
/*
 * Algorithm lists for protocol 2 are validated against the compiled-in
 * set before being stored, so a typo fails loudly at parse time rather
 * than at negotiation.
 */
739 if (!arg || *arg == '\0')
740 fatal("%.200s line %d: Missing argument.", filename, linenum);
741 if (!ciphers_valid(arg))
742 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
743 filename, linenum, arg ? arg : "<NONE>");
744 if (*activep && options->ciphers == NULL)
745 options->ciphers = xstrdup(arg);
750 if (!arg || *arg == '\0')
751 fatal("%.200s line %d: Missing argument.", filename, linenum);
753 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
754 filename, linenum, arg ? arg : "<NONE>");
755 if (*activep && options->macs == NULL)
756 options->macs = xstrdup(arg);
761 if (!arg || *arg == '\0')
762 fatal("%.200s line %d: Missing argument.",
764 if (!kex_names_valid(arg))
765 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
766 filename, linenum, arg ? arg : "<NONE>");
767 if (*activep && options->kex_algorithms == NULL)
768 options->kex_algorithms = xstrdup(arg);
771 case oHostKeyAlgorithms:
773 if (!arg || *arg == '\0')
774 fatal("%.200s line %d: Missing argument.", filename, linenum);
775 if (!key_names_valid2(arg))
776 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
777 filename, linenum, arg ? arg : "<NONE>");
778 if (*activep && options->hostkeyalgorithms == NULL)
779 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol uses SSH_PROTO_UNKNOWN, not -1, as its "unset" sentinel. */
783 intptr = &options->protocol;
785 if (!arg || *arg == '\0')
786 fatal("%.200s line %d: Missing argument.", filename, linenum);
787 value = proto_spec(arg);
788 if (value == SSH_PROTO_UNKNOWN)
789 fatal("%.200s line %d: Bad protocol spec '%s'.",
790 filename, linenum, arg ? arg : "<NONE>");
791 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
/* LogLevel: sentinel is SYSLOG_LEVEL_NOT_SET. */
796 log_level_ptr = &options->log_level;
798 value = log_level_number(arg);
799 if (value == SYSLOG_LEVEL_NOT_SET)
800 fatal("%.200s line %d: unsupported log level '%s'",
801 filename, linenum, arg ? arg : "<NONE>");
802 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
803 *log_level_ptr = (LogLevel) value;
/*
 * LocalForward / RemoteForward / DynamicForward share one path: the
 * "[bind:]port" and "host:port" words are joined with ':' into fwdarg
 * and handed to parse_forward(), which splits them again.
 */
808 case oDynamicForward:
810 if (arg == NULL || *arg == '\0')
811 fatal("%.200s line %d: Missing port argument.",
814 if (opcode == oLocalForward ||
815 opcode == oRemoteForward) {
817 if (arg2 == NULL || *arg2 == '\0')
818 fatal("%.200s line %d: Missing target argument.",
/*
 * NOTE(review): the snprintf/strlcpy results are not checked, so a spec
 * longer than sizeof(fwdarg) - 1 is silently truncated before
 * parse_forward() sees it.  Confirm parse_forward() rejects a truncated
 * spec, or compare the returned length against sizeof(fwdarg) here.
 */
821 /* construct a string for parse_forward */
822 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
823 } else if (opcode == oDynamicForward) {
824 strlcpy(fwdarg, arg, sizeof(fwdarg));
/* Third and fourth arguments: is-dynamic, is-remote. */
827 if (parse_forward(&fwd, fwdarg,
828 opcode == oDynamicForward ? 1 : 0,
829 opcode == oRemoteForward ? 1 : 0) == 0)
830 fatal("%.200s line %d: Bad forwarding specification.",
/*
 * Forwards are appended unconditionally of the "already set" rule; the
 * *activep gate (if any) is on a line not shown.
 */
834 if (opcode == oLocalForward ||
835 opcode == oDynamicForward)
836 add_local_forward(options, &fwd);
837 else if (opcode == oRemoteForward)
838 add_remote_forward(options, &fwd);
842 case oClearAllForwardings:
843 intptr = &options->clear_forwardings;
/*
 * oHost (label not shown): every word is a pattern, optionally negated
 * with a leading '!'.  A negated pattern that matches ends the block
 * immediately; otherwise any positive match activates it.  The
 * assignments to *activep, and the pointer bump past '!', are on lines
 * not shown.
 */
849 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
850 negated = *arg == '!';
853 if (match_pattern(host, arg)) {
855 debug("%.200s line %d: Skipping Host "
856 "block because of negated match "
857 "for %.100s", filename, linenum,
863 arg2 = arg; /* logged below */
868 debug("%.200s line %d: Applying options for %.100s",
869 filename, linenum, arg2);
870 /* Avoid garbage check below, as strdelim is done. */
/*
 * EscapeChar: "^X" control notation, a single literal character, or
 * "none".
 * NOTE(review): for an argument that is exactly "^", arg[2] is read one
 * byte past the terminator before arg[1] has been checked; testing
 * `arg[1] != '\0'' first (or the single-character case first) avoids the
 * over-read.
 */
874 intptr = &options->escape_char;
876 if (!arg || *arg == '\0')
877 fatal("%.200s line %d: Missing argument.", filename, linenum);
878 if (arg[0] == '^' && arg[2] == 0 &&
879 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
880 value = (u_char) arg[1] & 31;
881 else if (strlen(arg) == 1)
882 value = (u_char) arg[0];
883 else if (strcmp(arg, "none") == 0)
884 value = SSH_ESCAPECHAR_NONE;
886 fatal("%.200s line %d: Bad escape character.",
889 value = 0; /* Avoid compiler warning. */
891 if (*activep && *intptr == -1)
/*
 * AddressFamily: inet / inet6 / any (the value assignments are not shown).
 * Unlike the other diagnostics, the "Unsupported" message omits
 * filename/linenum.
 */
897 if (!arg || *arg == '\0')
898 fatal("%s line %d: missing address family.",
900 intptr = &options->address_family;
901 if (strcasecmp(arg, "inet") == 0)
903 else if (strcasecmp(arg, "inet6") == 0)
905 else if (strcasecmp(arg, "any") == 0)
908 fatal("Unsupported AddressFamily \"%s\"", arg);
909 if (*activep && *intptr == -1)
913 case oEnableSSHKeysign:
914 intptr = &options->enable_ssh_keysign;
917 case oIdentitiesOnly:
918 intptr = &options->identities_only;
921 case oServerAliveInterval:
922 case oProtocolKeepAlives: /* Debian-specific compatibility alias */
923 case oSetupTimeOut: /* Debian-specific compatibility alias */
924 intptr = &options->server_alive_interval;
927 case oServerAliveCountMax:
928 intptr = &options->server_alive_count_max;
/*
 * SendEnv: names only — a '=' is rejected so a value cannot be smuggled
 * into the list.  The array is bounded by MAX_SEND_ENV; the right-hand
 * side of the store is on a line not shown.
 */
932 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
933 if (strchr(arg, '=') != NULL)
934 fatal("%s line %d: Invalid environment name.",
938 if (options->num_send_env >= MAX_SEND_ENV)
939 fatal("%s line %d: too many send env.",
941 options->send_env[options->num_send_env++] =
947 charptr = &options->control_path;
/* ControlMaster: five keyword values mapped to SSHCTL_MASTER_* constants. */
951 intptr = &options->control_master;
953 if (!arg || *arg == '\0')
954 fatal("%.200s line %d: Missing ControlMaster argument.",
956 value = 0; /* To avoid compiler warning... */
957 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
958 value = SSHCTL_MASTER_YES;
959 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
960 value = SSHCTL_MASTER_NO;
961 else if (strcmp(arg, "auto") == 0)
962 value = SSHCTL_MASTER_AUTO;
963 else if (strcmp(arg, "ask") == 0)
964 value = SSHCTL_MASTER_ASK;
965 else if (strcmp(arg, "autoask") == 0)
966 value = SSHCTL_MASTER_AUTO_ASK;
968 fatal("%.200s line %d: Bad ControlMaster argument.",
970 if (*activep && *intptr == -1)
974 case oControlPersist:
975 /* no/false/yes/true, or a time spec */
976 intptr = &options->control_persist;
978 if (!arg || *arg == '\0')
979 fatal("%.200s line %d: Missing ControlPersist"
980 " argument.", filename, linenum);
/* value2 carries the timeout; a bare yes/no leaves it at 0. */
982 value2 = 0; /* timeout */
983 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
985 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
987 else if ((value2 = convtime(arg)) >= 0)
990 fatal("%.200s line %d: Bad ControlPersist argument.",
992 if (*activep && *intptr == -1) {
994 options->control_persist_timeout = value2;
998 case oHashKnownHosts:
999 intptr = &options->hash_known_hosts;
/* Tunnel: mode keyword mapped to an SSH_TUNMODE_* constant. */
1003 intptr = &options->tun_open;
1005 if (!arg || *arg == '\0')
1006 fatal("%s line %d: Missing yes/point-to-point/"
1007 "ethernet/no argument.", filename, linenum);
1008 value = 0; /* silence compiler */
1009 if (strcasecmp(arg, "ethernet") == 0)
1010 value = SSH_TUNMODE_ETHERNET;
1011 else if (strcasecmp(arg, "point-to-point") == 0)
1012 value = SSH_TUNMODE_POINTOPOINT;
1013 else if (strcasecmp(arg, "yes") == 0)
1014 value = SSH_TUNMODE_DEFAULT;
1015 else if (strcasecmp(arg, "no") == 0)
1016 value = SSH_TUNMODE_NO;
1018 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1019 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun() parses "local[:remote]" into two unit numbers. */
1026 if (!arg || *arg == '\0')
1027 fatal("%.200s line %d: Missing argument.", filename, linenum);
1028 value = a2tun(arg, &value2);
1029 if (value == SSH_TUNID_ERR)
1030 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1032 options->tun_local = value;
1033 options->tun_remote = value2;
1038 charptr = &options->local_command;
1041 case oPermitLocalCommand:
1042 intptr = &options->permit_local_command;
1045 case oVisualHostKey:
1046 intptr = &options->visual_host_key;
/*
 * IPQoS: first value is the interactive class; the lines that read an
 * optional second (bulk) value are not shown.
 */
1051 if ((value = parse_ipqos(arg)) == -1)
1052 fatal("%s line %d: Bad IPQoS value: %s",
1053 filename, linenum, arg);
1057 else if ((value2 = parse_ipqos(arg)) == -1)
1058 fatal("%s line %d: Bad IPQoS value: %s",
1059 filename, linenum, arg);
1061 options->ip_qos_interactive = value;
1062 options->ip_qos_bulk = value2;
1067 intptr = &options->use_roaming;
/* RequestTTY: yes / no / force / auto (case-insensitive). */
1072 if (!arg || *arg == '\0')
1073 fatal("%s line %d: missing argument.",
1075 intptr = &options->request_tty;
1076 if (strcasecmp(arg, "yes") == 0)
1077 value = REQUEST_TTY_YES;
1078 else if (strcasecmp(arg, "no") == 0)
1079 value = REQUEST_TTY_NO;
1080 else if (strcasecmp(arg, "force") == 0)
1081 value = REQUEST_TTY_FORCE;
1082 else if (strcasecmp(arg, "auto") == 0)
1083 value = REQUEST_TTY_AUTO;
1085 fatal("Unsupported RequestTTY \"%s\"", arg);
1086 if (*activep && *intptr == -1)
/* oDeprecated: accepted silently except at debug level. */
1091 debug("%s line %d: Deprecated option \"%s\"",
1092 filename, linenum, keyword);
/* oUnsupported: logged as an error but does not stop parsing. */
1096 error("%s line %d: Unsupported option \"%s\"",
1097 filename, linenum, keyword);
/* default: an opcode in the enum with no case above — a programming error. */
1101 fatal("process_config_line: Unimplemented opcode %d", opcode);
/*
 * Any remaining token means extra arguments the option did not consume;
 * cases that deliberately consume the whole line return before reaching
 * this.
 */
1104 /* Check that there is no garbage at end of line. */
1105 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1106 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1107 filename, linenum, arg);
1114 * Reads the config file and modifies the options accordingly. Options
1115 * should already be initialized before this call. This never returns if
1116 * there is an error. If the file does not exist, this returns 0.
1120 read_config_file(const char *filename, const char *host, Options *options,
/*
 * Open `filename', verify it is safe to trust, and feed it line by line to
 * process_config_line().  The remaining parameter(s), the declarations of
 * `f', `sb' and the `line' buffer, and the control flow around the checks
 * below are on lines not shown.  Per the comment above: returns 0 when the
 * file does not exist; any parse error is fatal().
 */
1125 int active, linenum;
1126 int bad_options = 0;
1128 if ((f = fopen(filename, "r")) == NULL)
/*
 * Ownership/permission check is done with fstat() on the handle that will
 * actually be read, not stat() on the path, so there is no window between
 * check and use.  secure_permissions() is defined elsewhere; it is passed
 * the real uid.  Whether this check is conditional on a caller flag is
 * decided on lines not shown.
 */
1134 if (fstat(fileno(f), &sb) == -1)
1135 fatal("fstat %s: %s", filename, strerror(errno));
1136 if (!secure_permissions(&sb, getuid()))
1137 fatal("Bad owner or permissions on %s", filename);
1140 debug("Reading configuration data %.200s", filename);
1143 * Mark that we are now processing the options. This flag is turned
1144 * on/off by Host specifications.
/*
 * NOTE(review): fgets() returns an over-long physical line in pieces,
 * each of which is then parsed as a line of its own; the size of `line'
 * (declared on a line not shown) bounds this.  Confirm that a truncated
 * tail cannot be mistaken for a valid keyword.
 */
1148 while (fgets(line, sizeof(line), f)) {
1149 /* Update line number counter. */
/* Non-zero means an unrecognised keyword; keep going and report them all. */
1151 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1155 if (bad_options > 0)
1156 fatal("%s: terminating, %d bad configuration options",
1157 filename, bad_options);
1162 * Initializes options to special values that indicate that they have not yet
1163 * been set. Read_config_file will only set options with this value. Options
1164 * are processed in the following order: command line, user config file,
1165 * system config file. Last, fill_default_options is called.
1169 initialize_options(Options * options)
/*
 * Set every option to its "not yet set" sentinel: -1 for integers, NULL
 * for strings, 0 for counters, and a type-specific value where -1 is not
 * usable (protocol, log_level).  process_config_line() only stores into a
 * field that still holds its sentinel, so the first source wins.
 *
 * The initial memset() with 'X' is deliberate: any field added to Options
 * but forgotten here shows up as obvious garbage instead of a silent 0.
 * Fields assigned on lines not shown (e.g. port, whose sentinel
 * fill_default_options() tests) are not listed below.
 */
1171 memset(options, 'X', sizeof(*options));
1172 options->forward_agent = -1;
1173 options->forward_x11 = -1;
1174 options->forward_x11_trusted = -1;
1175 options->forward_x11_timeout = -1;
1176 options->exit_on_forward_failure = -1;
1177 options->xauth_location = NULL;
1178 options->gateway_ports = -1;
1179 options->use_privileged_port = -1;
/* Authentication method switches. */
1180 options->rsa_authentication = -1;
1181 options->pubkey_authentication = -1;
1182 options->challenge_response_authentication = -1;
1183 options->gss_authentication = -1;
1184 options->gss_keyex = -1;
1185 options->gss_deleg_creds = -1;
1186 options->gss_trust_dns = -1;
1187 options->gss_renewal_rekey = -1;
1188 options->gss_client_identity = NULL;
1189 options->gss_server_identity = NULL;
1190 options->password_authentication = -1;
1191 options->kbd_interactive_authentication = -1;
1192 options->kbd_interactive_devices = NULL;
1193 options->rhosts_rsa_authentication = -1;
1194 options->hostbased_authentication = -1;
1195 options->use_blacklisted_keys = -1;
/* Host key verification and connection behaviour. */
1196 options->batch_mode = -1;
1197 options->check_host_ip = -1;
1198 options->strict_host_key_checking = -1;
1199 options->compression = -1;
1200 options->tcp_keep_alive = -1;
1201 options->compression_level = -1;
1203 options->address_family = -1;
1204 options->connection_attempts = -1;
1205 options->connection_timeout = -1;
1206 options->number_of_password_prompts = -1;
/* Algorithm selections; the lists stay NULL until set or defaulted. */
1207 options->cipher = -1;
1208 options->ciphers = NULL;
1209 options->macs = NULL;
1210 options->kex_algorithms = NULL;
1211 options->hostkeyalgorithms = NULL;
/* Sentinels that are not -1. */
1212 options->protocol = SSH_PROTO_UNKNOWN;
1213 options->num_identity_files = 0;
1214 options->hostname = NULL;
1215 options->host_key_alias = NULL;
1216 options->proxy_command = NULL;
1217 options->user = NULL;
1218 options->escape_char = -1;
/* Counters for list-valued options start empty. */
1219 options->num_system_hostfiles = 0;
1220 options->num_user_hostfiles = 0;
1221 options->local_forwards = NULL;
1222 options->num_local_forwards = 0;
1223 options->remote_forwards = NULL;
1224 options->num_remote_forwards = 0;
1225 options->clear_forwardings = -1;
1226 options->log_level = SYSLOG_LEVEL_NOT_SET;
1227 options->preferred_authentications = NULL;
1228 options->bind_address = NULL;
1229 options->pkcs11_provider = NULL;
1230 options->enable_ssh_keysign = - 1;
1231 options->no_host_authentication_for_localhost = - 1;
1232 options->identities_only = - 1;
/* rekey_limit is tested against -1 in process_config_line() even though it is stored as u_int32_t. */
1233 options->rekey_limit = - 1;
1234 options->verify_host_key_dns = -1;
1235 options->server_alive_interval = -1;
1236 options->server_alive_count_max = -1;
1237 options->num_send_env = 0;
/* Connection multiplexing. */
1238 options->control_path = NULL;
1239 options->control_master = -1;
1240 options->control_persist = -1;
1241 options->control_persist_timeout = 0;
1242 options->hash_known_hosts = -1;
/* Tunnel devices. */
1243 options->tun_open = -1;
1244 options->tun_local = -1;
1245 options->tun_remote = -1;
1246 options->local_command = NULL;
1247 options->permit_local_command = -1;
1248 options->use_roaming = -1;
1249 options->visual_host_key = -1;
1250 options->zero_knowledge_password_authentication = -1;
1251 options->ip_qos_interactive = -1;
1252 options->ip_qos_bulk = -1;
1253 options->request_tty = -1;
1257 * Called after processing other sources of option data, this fills those
1258 * options for which no value has been specified with their default values.
 *
 * initialize_options() leaves every field at an "unset" sentinel (-1 or NULL,
 * 0 for the list counters, SSH_PROTO_UNKNOWN, SYSLOG_LEVEL_NOT_SET) and the
 * parser records only the first value seen for a keyword, so nothing here can
 * override a value that came from the command line or a configuration file.
 * The security posture of an unconfigured client is therefore defined by the
 * table below: forwarding, GSSAPI, host-based and rhosts authentication are
 * off, host keys are verified interactively ("ask"), and DNS is not trusted
 * for host-key or GSSAPI decisions.  Heap-allocated defaults (identity file
 * paths, known_hosts paths) are owned by *options and released by the
 * caller's option teardown.  Fields deliberately left unset are listed at the
 * end of the function.
1262 fill_default_options(Options * options)
 /* Agent and X11 forwarding stay off unless the user enables them. */
1266 if (options->forward_agent == -1)
1267 options->forward_agent = 0;
1268 if (options->forward_x11 == -1)
1269 options->forward_x11 = 0;
 /*
  * NOTE(review): when X11 forwarding *is* enabled it defaults to the
  * trusted variant here (1); the 1200 s timeout only governs untrusted
  * forwarding per ssh_config(5).  Upstream OpenBSD ships ForwardX11Trusted
  * off by default -- confirm this tree's intended policy.
  */
1270 if (options->forward_x11_trusted == -1)
1271 options->forward_x11_trusted = 1;
1272 if (options->forward_x11_timeout == -1)
1273 options->forward_x11_timeout = 1200;
1274 if (options->exit_on_forward_failure == -1)
1275 options->exit_on_forward_failure = 0;
1276 if (options->xauth_location == NULL)
1277 options->xauth_location = _PATH_XAUTH;
 /* Forwarded listeners bind to loopback only (GatewayPorts no). */
1278 if (options->gateway_ports == -1)
1279 options->gateway_ports = 0;
1280 if (options->use_privileged_port == -1)
1281 options->use_privileged_port = 0;
 /*
  * Authentication methods.  Public key (protocol 1 RSA and protocol 2),
  * challenge-response, password and keyboard-interactive are enabled.
  * GSSAPI, GSSAPI key exchange, credential delegation and renewal-driven
  * rekeying are disabled, and GSSAPITrustDNS is off so DNS is not used to
  * canonicalise the host name that selects the service principal.
  */
1282 if (options->rsa_authentication == -1)
1283 options->rsa_authentication = 1;
1284 if (options->pubkey_authentication == -1)
1285 options->pubkey_authentication = 1;
1286 if (options->challenge_response_authentication == -1)
1287 options->challenge_response_authentication = 1;
1288 if (options->gss_authentication == -1)
1289 options->gss_authentication = 0;
1290 if (options->gss_keyex == -1)
1291 options->gss_keyex = 0;
1292 if (options->gss_deleg_creds == -1)
1293 options->gss_deleg_creds = 0;
1294 if (options->gss_trust_dns == -1)
1295 options->gss_trust_dns = 0;
1296 if (options->gss_renewal_rekey == -1)
1297 options->gss_renewal_rekey = 0;
1298 if (options->password_authentication == -1)
1299 options->password_authentication = 1;
1300 if (options->kbd_interactive_authentication == -1)
1301 options->kbd_interactive_authentication = 1;
 /* Trust-the-client-host methods are off: rhosts-RSA and host-based. */
1302 if (options->rhosts_rsa_authentication == -1)
1303 options->rhosts_rsa_authentication = 0;
1304 if (options->hostbased_authentication == -1)
1305 options->hostbased_authentication = 0;
 /* Keys found in the key blacklist are presumably refused unless this is
  * set; the actual check lives elsewhere. */
1306 if (options->use_blacklisted_keys == -1)
1307 options->use_blacklisted_keys = 0;
1308 if (options->batch_mode == -1)
1309 options->batch_mode = 0;
 /*
  * Host key verification: match the address as well as the name against
  * known_hosts, and prompt on an unknown key rather than accepting (0) or
  * refusing (1) it silently.
  */
1310 if (options->check_host_ip == -1)
1311 options->check_host_ip = 1;
1312 if (options->strict_host_key_checking == -1)
1313 options->strict_host_key_checking = 2; /* 2 == "ask": prompt on an unknown key */
1314 if (options->compression == -1)
1315 options->compression = 0;
1316 if (options->tcp_keep_alive == -1)
1317 options->tcp_keep_alive = 1;
1318 if (options->compression_level == -1)
1319 options->compression_level = 6;
1320 if (options->port == -1)
1321 options->port = 0; /* Filled in ssh_connect. */
1322 if (options->address_family == -1)
1323 options->address_family = AF_UNSPEC;
1324 if (options->connection_attempts == -1)
1325 options->connection_attempts = 1;
 /* Bounds the interactive password retries before the client gives up. */
1326 if (options->number_of_password_prompts == -1)
1327 options->number_of_password_prompts = 3;
1328 /* Selected in ssh_login(). */
1329 if (options->cipher == -1)
1330 options->cipher = SSH_CIPHER_NOT_SET;
1331 /* options->ciphers, default set in myproposals.h */
1332 /* options->macs, default set in myproposals.h */
1333 /* options->kex_algorithms, default set in myproposals.h */
1334 /* options->hostkeyalgorithms, default set in myproposals.h */
 /* Protocol 2 only unless the user explicitly enables protocol 1. */
1335 if (options->protocol == SSH_PROTO_UNKNOWN)
1336 options->protocol = SSH_PROTO_2;
 /*
  * Default identity files, one per key type the selected protocol(s)
  * support.  Each entry is a freshly allocated buffer of exactly len bytes
  * ("~/" + path + NUL; the allocation is elided in this listing) and the
  * %.100s precision additionally bounds the copied path.  The outer
  * num_identity_files == 0 check is what keeps these appends from
  * overrunning the fixed-size identity_files array.
  */
1337 if (options->num_identity_files == 0) {
1338 if (options->protocol & SSH_PROTO_1) {
1339 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1340 options->identity_files[options->num_identity_files] =
1342 snprintf(options->identity_files[options->num_identity_files++],
1343 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1345 if (options->protocol & SSH_PROTO_2) {
1346 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1347 options->identity_files[options->num_identity_files] =
1349 snprintf(options->identity_files[options->num_identity_files++],
1350 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1352 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1353 options->identity_files[options->num_identity_files] =
1355 snprintf(options->identity_files[options->num_identity_files++],
1356 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
 /* ECDSA identity only when the linked OpenSSL provides EC support. */
1357 #ifdef OPENSSL_HAS_ECC
1358 len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1;
1359 options->identity_files[options->num_identity_files] =
1361 snprintf(options->identity_files[options->num_identity_files++],
1362 len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA);
1366 if (options->escape_char == -1)
1367 options->escape_char = '~';
 /*
  * known_hosts search paths: the two system-wide files, then the two
  * per-user files.  Strings are xstrdup()'d so the arrays uniformly hold
  * heap pointers whether the path came from here or from a config file.
  */
1368 if (options->num_system_hostfiles == 0) {
1369 options->system_hostfiles[options->num_system_hostfiles++] =
1370 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1371 options->system_hostfiles[options->num_system_hostfiles++] =
1372 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1374 if (options->num_user_hostfiles == 0) {
1375 options->user_hostfiles[options->num_user_hostfiles++] =
1376 xstrdup(_PATH_SSH_USER_HOSTFILE);
1377 options->user_hostfiles[options->num_user_hostfiles++] =
1378 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1380 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1381 options->log_level = SYSLOG_LEVEL_INFO;
 /* ClearAllForwardings: drop every forwarding collected so far. */
1382 if (options->clear_forwardings == 1)
1383 clear_forwardings(options);
 /* Host key checks apply to localhost too unless explicitly disabled. */
1384 if (options->no_host_authentication_for_localhost == - 1)
1385 options->no_host_authentication_for_localhost = 0;
 /* Agent keys are offered in addition to the configured identity files. */
1386 if (options->identities_only == -1)
1387 options->identities_only = 0;
 /* The setuid ssh-keysign helper is not used unless enabled. */
1388 if (options->enable_ssh_keysign == -1)
1389 options->enable_ssh_keysign = 0;
 /* 0 leaves the rekey threshold to the cipher's default (ssh_config(5)). */
1390 if (options->rekey_limit == -1)
1391 options->rekey_limit = 0;
 /* SSHFP records in DNS are not consulted for host key verification. */
1392 if (options->verify_host_key_dns == -1)
1393 options->verify_host_key_dns = 0;
1394 if (options->server_alive_interval == -1) {
1395 /* in batch mode, default is 5mins; otherwise (else branch) keepalives are off */
1396 if (options->batch_mode == 1)
1397 options->server_alive_interval = 300;
1399 options->server_alive_interval = 0;
1401 if (options->server_alive_count_max == -1)
1402 options->server_alive_count_max = 3;
 /* Connection sharing is off; an unset ControlPersist also zeroes its timeout. */
1403 if (options->control_master == -1)
1404 options->control_master = 0;
1405 if (options->control_persist == -1) {
1406 options->control_persist = 0;
1407 options->control_persist_timeout = 0;
 /* Host names are written to known_hosts in the clear unless hashing is enabled. */
1409 if (options->hash_known_hosts == -1)
1410 options->hash_known_hosts = 0;
 /* No tunnel device is requested; tun ids are left for the kernel to pick. */
1411 if (options->tun_open == -1)
1412 options->tun_open = SSH_TUNMODE_NO;
1413 if (options->tun_local == -1)
1414 options->tun_local = SSH_TUNID_ANY;
1415 if (options->tun_remote == -1)
1416 options->tun_remote = SSH_TUNID_ANY;
 /* LocalCommand execution is disabled even if a command is configured. */
1417 if (options->permit_local_command == -1)
1418 options->permit_local_command = 0;
 /*
  * NOTE(review): the roaming extension is enabled by default here; later
  * OpenSSH releases disabled it by default in the client.  Confirm the
  * intended default for this build.
  */
1419 if (options->use_roaming == -1)
1420 options->use_roaming = 1;
1421 if (options->visual_host_key == -1)
1422 options->visual_host_key = 0;
1423 if (options->zero_knowledge_password_authentication == -1)
1424 options->zero_knowledge_password_authentication = 0;
 /* IP TOS values from <netinet/ip.h>: low delay for interactive sessions,
  * throughput for bulk transfers. */
1425 if (options->ip_qos_interactive == -1)
1426 options->ip_qos_interactive = IPTOS_LOWDELAY;
1427 if (options->ip_qos_bulk == -1)
1428 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1429 if (options->request_tty == -1)
1430 options->request_tty = REQUEST_TTY_AUTO;
1431 /* options->local_command should not be set by default */
1432 /* options->proxy_command should not be set by default */
1433 /* options->user will be set in the main program if appropriate */
1434 /* options->hostname will be set in the main program if appropriate */
1435 /* options->host_key_alias should not be set by default */
1436 /* options->preferred_authentications will be set in ssh */
1441 * parses a string containing a port forwarding specification of the form:
1443 * [listenhost:]listenport:connecthost:connectport
1445 * [listenhost:]listenport
1446 * returns number of arguments parsed or zero on error
1449 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1452 char *p, *cp, *fwdarg[4];
1454 memset(fwd, '\0', sizeof(*fwd));
1456 cp = p = xstrdup(fwdspec);
1458 /* skip leading spaces */
1459 while (isspace(*cp))
1462 for (i = 0; i < 4; ++i)
1463 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1466 /* Check for trailing garbage */
1468 i = 0; /* failure */
1472 fwd->listen_host = NULL;
1473 fwd->listen_port = a2port(fwdarg[0]);
1474 fwd->connect_host = xstrdup("socks");
1478 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1479 fwd->listen_port = a2port(fwdarg[1]);
1480 fwd->connect_host = xstrdup("socks");
1484 fwd->listen_host = NULL;
1485 fwd->listen_port = a2port(fwdarg[0]);
1486 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1487 fwd->connect_port = a2port(fwdarg[2]);
1491 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1492 fwd->listen_port = a2port(fwdarg[1]);
1493 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1494 fwd->connect_port = a2port(fwdarg[3]);
1497 i = 0; /* failure */
1503 if (!(i == 1 || i == 2))
1506 if (!(i == 3 || i == 4))
1508 if (fwd->connect_port <= 0)
1512 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1515 if (fwd->connect_host != NULL &&
1516 strlen(fwd->connect_host) >= NI_MAXHOST)
1518 if (fwd->listen_host != NULL &&
1519 strlen(fwd->listen_host) >= NI_MAXHOST)
1526 if (fwd->connect_host != NULL) {
1527 xfree(fwd->connect_host);
1528 fwd->connect_host = NULL;
1530 if (fwd->listen_host != NULL) {
1531 xfree(fwd->listen_host);
1532 fwd->listen_host = NULL;