1 /* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <netinet/in_systm.h>
20 #include <netinet/ip.h>
32 #include "openbsd-compat/sys-queue.h"
39 #include "pathnames.h"
47 #include "groupaccess.h"
49 static void add_listen_addr(ServerOptions *, char *, int);
50 static void add_one_listen_addr(ServerOptions *, char *, int);
52 /* Use of privilege separation or not */
53 extern int use_privsep;
56 /* Initializes the server options to their default values. */
59 initialize_server_options(ServerOptions *options)
61 memset(options, 0, sizeof(*options));
63 /* Portable-specific options */
64 options->use_pam = -1;
66 /* Standard Options */
67 options->num_ports = 0;
68 options->ports_from_cmdline = 0;
69 options->listen_addrs = NULL;
70 options->address_family = -1;
71 options->num_host_key_files = 0;
72 options->num_host_cert_files = 0;
73 options->pid_file = NULL;
74 options->server_key_bits = -1;
75 options->login_grace_time = -1;
76 options->key_regeneration_time = -1;
77 options->permit_root_login = PERMIT_NOT_SET;
78 options->ignore_rhosts = -1;
79 options->ignore_user_known_hosts = -1;
80 options->print_motd = -1;
81 options->print_lastlog = -1;
82 options->x11_forwarding = -1;
83 options->x11_display_offset = -1;
84 options->x11_use_localhost = -1;
85 options->xauth_location = NULL;
86 options->strict_modes = -1;
87 options->tcp_keep_alive = -1;
88 options->log_facility = SYSLOG_FACILITY_NOT_SET;
89 options->log_level = SYSLOG_LEVEL_NOT_SET;
90 options->rhosts_rsa_authentication = -1;
91 options->hostbased_authentication = -1;
92 options->hostbased_uses_name_from_packet_only = -1;
93 options->rsa_authentication = -1;
94 options->pubkey_authentication = -1;
95 options->kerberos_authentication = -1;
96 options->kerberos_or_local_passwd = -1;
97 options->kerberos_ticket_cleanup = -1;
98 options->kerberos_get_afs_token = -1;
99 options->gss_authentication=-1;
100 options->gss_keyex = -1;
101 options->gss_cleanup_creds = -1;
102 options->gss_strict_acceptor = -1;
103 options->gss_store_rekey = -1;
104 options->password_authentication = -1;
105 options->kbd_interactive_authentication = -1;
106 options->challenge_response_authentication = -1;
107 options->permit_blacklisted_keys = -1;
108 options->permit_empty_passwd = -1;
109 options->permit_user_env = -1;
110 options->use_login = -1;
111 options->compression = -1;
112 options->allow_tcp_forwarding = -1;
113 options->allow_agent_forwarding = -1;
114 options->num_allow_users = 0;
115 options->num_deny_users = 0;
116 options->num_allow_groups = 0;
117 options->num_deny_groups = 0;
118 options->ciphers = NULL;
119 options->macs = NULL;
120 options->kex_algorithms = NULL;
121 options->protocol = SSH_PROTO_UNKNOWN;
122 options->gateway_ports = -1;
123 options->num_subsystems = 0;
124 options->max_startups_begin = -1;
125 options->max_startups_rate = -1;
126 options->max_startups = -1;
127 options->max_authtries = -1;
128 options->max_sessions = -1;
129 options->banner = NULL;
130 options->use_dns = -1;
131 options->client_alive_interval = -1;
132 options->client_alive_count_max = -1;
133 options->num_authkeys_files = 0;
134 options->num_accept_env = 0;
135 options->permit_tun = -1;
136 options->num_permitted_opens = -1;
137 options->adm_forced_command = NULL;
138 options->chroot_directory = NULL;
139 options->zero_knowledge_password_authentication = -1;
140 options->revoked_keys_file = NULL;
141 options->trusted_user_ca_keys = NULL;
142 options->authorized_principals_file = NULL;
143 options->ip_qos_interactive = -1;
144 options->ip_qos_bulk = -1;
145 options->debian_banner = -1;
149 fill_default_server_options(ServerOptions *options)
151 /* Portable-specific options */
152 if (options->use_pam == -1)
153 options->use_pam = 0;
155 /* Standard Options */
156 if (options->protocol == SSH_PROTO_UNKNOWN)
157 options->protocol = SSH_PROTO_2;
158 if (options->num_host_key_files == 0) {
159 /* fill default hostkeys for protocols */
160 if (options->protocol & SSH_PROTO_1)
161 options->host_key_files[options->num_host_key_files++] =
163 if (options->protocol & SSH_PROTO_2) {
164 options->host_key_files[options->num_host_key_files++] =
165 _PATH_HOST_RSA_KEY_FILE;
166 options->host_key_files[options->num_host_key_files++] =
167 _PATH_HOST_DSA_KEY_FILE;
168 #ifdef OPENSSL_HAS_ECC
169 options->host_key_files[options->num_host_key_files++] =
170 _PATH_HOST_ECDSA_KEY_FILE;
174 /* No certificates by default */
175 if (options->num_ports == 0)
176 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
177 if (options->listen_addrs == NULL)
178 add_listen_addr(options, NULL, 0);
179 if (options->pid_file == NULL)
180 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
181 if (options->server_key_bits == -1)
182 options->server_key_bits = 1024;
183 if (options->login_grace_time == -1)
184 options->login_grace_time = 120;
185 if (options->key_regeneration_time == -1)
186 options->key_regeneration_time = 3600;
187 if (options->permit_root_login == PERMIT_NOT_SET)
188 options->permit_root_login = PERMIT_YES;
189 if (options->ignore_rhosts == -1)
190 options->ignore_rhosts = 1;
191 if (options->ignore_user_known_hosts == -1)
192 options->ignore_user_known_hosts = 0;
193 if (options->print_motd == -1)
194 options->print_motd = 1;
195 if (options->print_lastlog == -1)
196 options->print_lastlog = 1;
197 if (options->x11_forwarding == -1)
198 options->x11_forwarding = 0;
199 if (options->x11_display_offset == -1)
200 options->x11_display_offset = 10;
201 if (options->x11_use_localhost == -1)
202 options->x11_use_localhost = 1;
203 if (options->xauth_location == NULL)
204 options->xauth_location = _PATH_XAUTH;
205 if (options->strict_modes == -1)
206 options->strict_modes = 1;
207 if (options->tcp_keep_alive == -1)
208 options->tcp_keep_alive = 1;
209 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
210 options->log_facility = SYSLOG_FACILITY_AUTH;
211 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
212 options->log_level = SYSLOG_LEVEL_INFO;
213 if (options->rhosts_rsa_authentication == -1)
214 options->rhosts_rsa_authentication = 0;
215 if (options->hostbased_authentication == -1)
216 options->hostbased_authentication = 0;
217 if (options->hostbased_uses_name_from_packet_only == -1)
218 options->hostbased_uses_name_from_packet_only = 0;
219 if (options->rsa_authentication == -1)
220 options->rsa_authentication = 1;
221 if (options->pubkey_authentication == -1)
222 options->pubkey_authentication = 1;
223 if (options->kerberos_authentication == -1)
224 options->kerberos_authentication = 0;
225 if (options->kerberos_or_local_passwd == -1)
226 options->kerberos_or_local_passwd = 1;
227 if (options->kerberos_ticket_cleanup == -1)
228 options->kerberos_ticket_cleanup = 1;
229 if (options->kerberos_get_afs_token == -1)
230 options->kerberos_get_afs_token = 0;
231 if (options->gss_authentication == -1)
232 options->gss_authentication = 0;
233 if (options->gss_keyex == -1)
234 options->gss_keyex = 0;
235 if (options->gss_cleanup_creds == -1)
236 options->gss_cleanup_creds = 1;
237 if (options->gss_strict_acceptor == -1)
238 options->gss_strict_acceptor = 1;
239 if (options->gss_store_rekey == -1)
240 options->gss_store_rekey = 0;
241 if (options->password_authentication == -1)
242 options->password_authentication = 1;
243 if (options->kbd_interactive_authentication == -1)
244 options->kbd_interactive_authentication = 0;
245 if (options->challenge_response_authentication == -1)
246 options->challenge_response_authentication = 1;
247 if (options->permit_blacklisted_keys == -1)
248 options->permit_blacklisted_keys = 0;
249 if (options->permit_empty_passwd == -1)
250 options->permit_empty_passwd = 0;
251 if (options->permit_user_env == -1)
252 options->permit_user_env = 0;
253 if (options->use_login == -1)
254 options->use_login = 0;
255 if (options->compression == -1)
256 options->compression = COMP_DELAYED;
257 if (options->allow_tcp_forwarding == -1)
258 options->allow_tcp_forwarding = 1;
259 if (options->allow_agent_forwarding == -1)
260 options->allow_agent_forwarding = 1;
261 if (options->gateway_ports == -1)
262 options->gateway_ports = 0;
263 if (options->max_startups == -1)
264 options->max_startups = 10;
265 if (options->max_startups_rate == -1)
266 options->max_startups_rate = 100; /* 100% */
267 if (options->max_startups_begin == -1)
268 options->max_startups_begin = options->max_startups;
269 if (options->max_authtries == -1)
270 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
271 if (options->max_sessions == -1)
272 options->max_sessions = DEFAULT_SESSIONS_MAX;
273 if (options->use_dns == -1)
274 options->use_dns = 1;
275 if (options->client_alive_interval == -1)
276 options->client_alive_interval = 0;
277 if (options->client_alive_count_max == -1)
278 options->client_alive_count_max = 3;
279 if (options->num_authkeys_files == 0) {
280 options->authorized_keys_files[options->num_authkeys_files++] =
281 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
282 options->authorized_keys_files[options->num_authkeys_files++] =
283 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
285 if (options->permit_tun == -1)
286 options->permit_tun = SSH_TUNMODE_NO;
287 if (options->zero_knowledge_password_authentication == -1)
288 options->zero_knowledge_password_authentication = 0;
289 if (options->ip_qos_interactive == -1)
290 options->ip_qos_interactive = IPTOS_LOWDELAY;
291 if (options->ip_qos_bulk == -1)
292 options->ip_qos_bulk = IPTOS_THROUGHPUT;
293 if (options->debian_banner == -1)
294 options->debian_banner = 1;
296 /* Turn privilege separation on by default */
297 if (use_privsep == -1)
298 use_privsep = PRIVSEP_ON;
301 if (use_privsep && options->compression == 1) {
302 error("This platform does not support both privilege "
303 "separation and compression");
304 error("Compression disabled");
305 options->compression = 0;
311 /* Keyword tokens. */
313 sBadOption, /* == unknown option */
314 /* Portable-specific options */
316 /* Standard Options */
317 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
318 sPermitRootLogin, sLogFacility, sLogLevel,
319 sRhostsRSAAuthentication, sRSAAuthentication,
320 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
321 sKerberosGetAFSToken,
322 sKerberosTgtPassing, sChallengeResponseAuthentication,
323 sPasswordAuthentication, sKbdInteractiveAuthentication,
324 sListenAddress, sAddressFamily,
325 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
326 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
327 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
328 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
329 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
330 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
331 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
332 sMaxStartups, sMaxAuthTries, sMaxSessions,
333 sBanner, sUseDNS, sHostbasedAuthentication,
334 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
335 sClientAliveCountMax, sAuthorizedKeysFile,
336 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
337 sGssKeyEx, sGssStoreRekey,
338 sAcceptEnv, sPermitTunnel,
339 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
340 sUsePrivilegeSeparation, sAllowAgentForwarding,
341 sZeroKnowledgePasswordAuthentication, sHostCertificate,
342 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
343 sKexAlgorithms, sIPQoS,
345 sDeprecated, sUnsupported
348 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
349 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
350 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
352 /* Textual representation of the tokens. */
355 ServerOpCodes opcode;
358 /* Portable-specific options */
360 { "usepam", sUsePAM, SSHCFG_GLOBAL },
362 { "usepam", sUnsupported, SSHCFG_GLOBAL },
364 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
365 /* Standard Options */
366 { "port", sPort, SSHCFG_GLOBAL },
367 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
368 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
369 { "pidfile", sPidFile, SSHCFG_GLOBAL },
370 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
371 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
372 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
373 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
374 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
375 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
376 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
377 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
378 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
379 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
380 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
381 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
382 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
384 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
385 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
386 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
388 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
390 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
393 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
394 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
395 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
396 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
398 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
399 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
401 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
402 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
403 { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
404 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
405 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
406 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
408 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
409 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
410 { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
411 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
412 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
413 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
415 { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
416 { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
417 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
418 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
419 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
420 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
422 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
424 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
426 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
427 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
428 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
429 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
430 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
431 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
432 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
433 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
434 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
435 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
436 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
437 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
438 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
439 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
440 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
441 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
442 { "compression", sCompression, SSHCFG_GLOBAL },
443 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
444 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
445 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
446 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
447 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
448 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
449 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
450 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
451 { "ciphers", sCiphers, SSHCFG_GLOBAL },
452 { "macs", sMacs, SSHCFG_GLOBAL },
453 { "protocol", sProtocol, SSHCFG_GLOBAL },
454 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
455 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
456 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
457 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
458 { "maxsessions", sMaxSessions, SSHCFG_ALL },
459 { "banner", sBanner, SSHCFG_ALL },
460 { "usedns", sUseDNS, SSHCFG_GLOBAL },
461 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
462 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
463 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
464 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
465 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
466 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
467 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
468 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
469 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
470 { "match", sMatch, SSHCFG_ALL },
471 { "permitopen", sPermitOpen, SSHCFG_ALL },
472 { "forcecommand", sForceCommand, SSHCFG_ALL },
473 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
474 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
475 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
476 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
477 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
478 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
479 { "ipqos", sIPQoS, SSHCFG_ALL },
480 { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
481 { NULL, sBadOption, 0 }
488 { SSH_TUNMODE_NO, "no" },
489 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
490 { SSH_TUNMODE_ETHERNET, "ethernet" },
491 { SSH_TUNMODE_YES, "yes" },
496 * Returns the number of the token pointed to by cp or sBadOption.
500 parse_token(const char *cp, const char *filename,
501 int linenum, u_int *flags)
505 for (i = 0; keywords[i].name; i++)
506 if (strcasecmp(cp, keywords[i].name) == 0) {
507 *flags = keywords[i].flags;
508 return keywords[i].opcode;
511 error("%s: line %d: Bad configuration option: %s",
512 filename, linenum, cp);
517 derelativise_path(const char *path)
519 char *expanded, *ret, cwd[MAXPATHLEN];
521 expanded = tilde_expand_filename(path, getuid());
522 if (*expanded == '/')
524 if (getcwd(cwd, sizeof(cwd)) == NULL)
525 fatal("%s: getcwd: %s", __func__, strerror(errno));
526 xasprintf(&ret, "%s/%s", cwd, expanded);
532 add_listen_addr(ServerOptions *options, char *addr, int port)
536 if (options->num_ports == 0)
537 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
538 if (options->address_family == -1)
539 options->address_family = AF_UNSPEC;
541 for (i = 0; i < options->num_ports; i++)
542 add_one_listen_addr(options, addr, options->ports[i]);
544 add_one_listen_addr(options, addr, port);
548 add_one_listen_addr(ServerOptions *options, char *addr, int port)
550 struct addrinfo hints, *ai, *aitop;
551 char strport[NI_MAXSERV];
554 memset(&hints, 0, sizeof(hints));
555 hints.ai_family = options->address_family;
556 hints.ai_socktype = SOCK_STREAM;
557 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
558 snprintf(strport, sizeof strport, "%d", port);
559 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
560 fatal("bad addr or host: %s (%s)",
561 addr ? addr : "<NULL>",
562 ssh_gai_strerror(gaierr));
563 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
565 ai->ai_next = options->listen_addrs;
566 options->listen_addrs = aitop;
570 * The strategy for the Match blocks is that the config file is parsed twice.
572 * The first time is at startup. activep is initialized to 1 and the
573 * directives in the global context are processed and acted on. Hitting a
574 * Match directive unsets activep and the directives inside the block are
575 * checked for syntax only.
577 * The second time is after a connection has been established but before
578 * authentication. activep is initialized to 2 and global config directives
579 * are ignored since they have already been processed. If the criteria in a
580 * Match block is met, activep is set and the subsequent directives
581 * processed and actioned until EOF or another Match block unsets it. Any
582 * options set are copied into the main server config.
584 * Potential additions/improvements:
585 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
587 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
588 * Match Address 192.168.0.*
593 * AllowTcpForwarding yes
594 * GatewayPorts clientspecified
597 * - Add a PermittedChannelRequests directive
599 * PermittedChannelRequests session,forwarded-tcpip
603 match_cfg_line_group(const char *grps, int line, const char *user)
611 if ((pw = getpwnam(user)) == NULL) {
612 debug("Can't match group at line %d because user %.100s does "
613 "not exist", line, user);
614 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
615 debug("Can't Match group because user %.100s not in any group "
616 "at line %d", user, line);
617 } else if (ga_match_pattern_list(grps) != 1) {
618 debug("user %.100s does not match group list %.100s at line %d",
621 debug("user %.100s matched group list %.100s at line %d", user,
631 match_cfg_line(char **condition, int line, const char *user, const char *host,
635 char *arg, *attrib, *cp = *condition;
639 debug3("checking syntax for 'Match %s'", cp);
641 debug3("checking match for '%s' user %s host %s addr %s", cp,
642 user ? user : "(null)", host ? host : "(null)",
643 address ? address : "(null)");
645 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
646 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
647 error("Missing Match criteria for %s", attrib);
651 if (strcasecmp(attrib, "user") == 0) {
656 if (match_pattern_list(user, arg, len, 0) != 1)
659 debug("user %.100s matched 'User %.100s' at "
660 "line %d", user, arg, line);
661 } else if (strcasecmp(attrib, "group") == 0) {
662 switch (match_cfg_line_group(arg, line, user)) {
668 } else if (strcasecmp(attrib, "host") == 0) {
673 if (match_hostname(host, arg, len) != 1)
676 debug("connection from %.100s matched 'Host "
677 "%.100s' at line %d", host, arg, line);
678 } else if (strcasecmp(attrib, "address") == 0) {
679 switch (addr_match_list(address, arg)) {
681 debug("connection from %.100s matched 'Address "
682 "%.100s' at line %d", address, arg, line);
692 error("Unsupported Match attribute %s", attrib);
697 debug3("match %sfound", result ? "" : "not ");
702 #define WHITESPACE " \t\r\n"
704 /* Multistate option parsing */
709 static const struct multistate multistate_addressfamily[] = {
711 { "inet6", AF_INET6 },
712 { "any", AF_UNSPEC },
715 static const struct multistate multistate_permitrootlogin[] = {
716 { "without-password", PERMIT_NO_PASSWD },
717 { "forced-commands-only", PERMIT_FORCED_ONLY },
718 { "yes", PERMIT_YES },
722 static const struct multistate multistate_compression[] = {
723 { "delayed", COMP_DELAYED },
724 { "yes", COMP_ZLIB },
728 static const struct multistate multistate_gatewayports[] = {
729 { "clientspecified", 2 },
734 static const struct multistate multistate_privsep[] = {
735 { "sandbox", PRIVSEP_SANDBOX },
736 { "yes", PRIVSEP_ON },
737 { "no", PRIVSEP_OFF },
742 process_server_config_line(ServerOptions *options, char *line,
743 const char *filename, int linenum, int *activep, const char *user,
744 const char *host, const char *address)
746 char *cp, **charptr, *arg, *p;
747 int cmdline = 0, *intptr, value, value2, n;
748 SyslogFacility *log_facility_ptr;
749 LogLevel *log_level_ptr;
750 ServerOpCodes opcode;
754 const struct multistate *multistate_ptr;
757 if ((arg = strdelim(&cp)) == NULL)
759 /* Ignore leading whitespace */
762 if (!arg || !*arg || *arg == '#')
766 opcode = parse_token(arg, filename, linenum, &flags);
768 if (activep == NULL) { /* We are processing a command line directive */
772 if (*activep && opcode != sMatch)
773 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
774 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
776 fatal("%s line %d: Directive '%s' is not allowed "
777 "within a Match block", filename, linenum, arg);
778 } else { /* this is a directive we have already processed */
786 /* Portable-specific options */
788 intptr = &options->use_pam;
791 /* Standard Options */
795 /* ignore ports from configfile if cmdline specifies ports */
796 if (options->ports_from_cmdline)
798 if (options->listen_addrs != NULL)
799 fatal("%s line %d: ports must be specified before "
800 "ListenAddress.", filename, linenum);
801 if (options->num_ports >= MAX_PORTS)
802 fatal("%s line %d: too many ports.",
805 if (!arg || *arg == '\0')
806 fatal("%s line %d: missing port number.",
808 options->ports[options->num_ports++] = a2port(arg);
809 if (options->ports[options->num_ports-1] <= 0)
810 fatal("%s line %d: Badly formatted port number.",
815 intptr = &options->server_key_bits;
818 if (!arg || *arg == '\0')
819 fatal("%s line %d: missing integer value.",
822 if (*activep && *intptr == -1)
826 case sLoginGraceTime:
827 intptr = &options->login_grace_time;
830 if (!arg || *arg == '\0')
831 fatal("%s line %d: missing time value.",
833 if ((value = convtime(arg)) == -1)
834 fatal("%s line %d: invalid time value.",
840 case sKeyRegenerationTime:
841 intptr = &options->key_regeneration_time;
846 if (arg == NULL || *arg == '\0')
847 fatal("%s line %d: missing address",
849 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
850 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
851 && strchr(p+1, ':') != NULL) {
852 add_listen_addr(options, arg, 0);
857 fatal("%s line %d: bad address:port usage",
859 p = cleanhostname(p);
862 else if ((port = a2port(arg)) <= 0)
863 fatal("%s line %d: bad port number", filename, linenum);
865 add_listen_addr(options, p, port);
870 intptr = &options->address_family;
871 multistate_ptr = multistate_addressfamily;
872 if (options->listen_addrs != NULL)
873 fatal("%s line %d: address family must be specified "
874 "before ListenAddress.", filename, linenum);
877 if (!arg || *arg == '\0')
878 fatal("%s line %d: missing argument.",
881 for (i = 0; multistate_ptr[i].key != NULL; i++) {
882 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
883 value = multistate_ptr[i].value;
888 fatal("%s line %d: unsupported option \"%s\".",
889 filename, linenum, arg);
890 if (*activep && *intptr == -1)
895 intptr = &options->num_host_key_files;
896 if (*intptr >= MAX_HOSTKEYS)
897 fatal("%s line %d: too many host keys specified (max %d).",
898 filename, linenum, MAX_HOSTKEYS);
899 charptr = &options->host_key_files[*intptr];
902 if (!arg || *arg == '\0')
903 fatal("%s line %d: missing file name.",
905 if (*activep && *charptr == NULL) {
906 *charptr = derelativise_path(arg);
907 /* increase optional counter */
909 *intptr = *intptr + 1;
913 case sHostCertificate:
914 intptr = &options->num_host_cert_files;
915 if (*intptr >= MAX_HOSTKEYS)
916 fatal("%s line %d: too many host certificates "
917 "specified (max %d).", filename, linenum,
919 charptr = &options->host_cert_files[*intptr];
924 charptr = &options->pid_file;
927 case sPermitRootLogin:
928 intptr = &options->permit_root_login;
929 multistate_ptr = multistate_permitrootlogin;
930 goto parse_multistate;
933 intptr = &options->ignore_rhosts;
936 if (!arg || *arg == '\0')
937 fatal("%s line %d: missing yes/no argument.",
939 value = 0; /* silence compiler */
940 if (strcmp(arg, "yes") == 0)
942 else if (strcmp(arg, "no") == 0)
945 fatal("%s line %d: Bad yes/no argument: %s",
946 filename, linenum, arg);
947 if (*activep && *intptr == -1)
951 case sIgnoreUserKnownHosts:
952 intptr = &options->ignore_user_known_hosts;
955 case sRhostsRSAAuthentication:
956 intptr = &options->rhosts_rsa_authentication;
959 case sHostbasedAuthentication:
960 intptr = &options->hostbased_authentication;
963 case sHostbasedUsesNameFromPacketOnly:
964 intptr = &options->hostbased_uses_name_from_packet_only;
967 case sRSAAuthentication:
968 intptr = &options->rsa_authentication;
971 case sPubkeyAuthentication:
972 intptr = &options->pubkey_authentication;
975 case sKerberosAuthentication:
976 intptr = &options->kerberos_authentication;
979 case sKerberosOrLocalPasswd:
980 intptr = &options->kerberos_or_local_passwd;
983 case sKerberosTicketCleanup:
984 intptr = &options->kerberos_ticket_cleanup;
987 case sKerberosGetAFSToken:
988 intptr = &options->kerberos_get_afs_token;
991 case sGssAuthentication:
992 intptr = &options->gss_authentication;
996 intptr = &options->gss_keyex;
999 case sGssCleanupCreds:
1000 intptr = &options->gss_cleanup_creds;
1003 case sGssStrictAcceptor:
1004 intptr = &options->gss_strict_acceptor;
1007 case sGssStoreRekey:
1008 intptr = &options->gss_store_rekey;
1011 case sPasswordAuthentication:
1012 intptr = &options->password_authentication;
1015 case sZeroKnowledgePasswordAuthentication:
1016 intptr = &options->zero_knowledge_password_authentication;
1019 case sKbdInteractiveAuthentication:
1020 intptr = &options->kbd_interactive_authentication;
1023 case sChallengeResponseAuthentication:
1024 intptr = &options->challenge_response_authentication;
1028 intptr = &options->print_motd;
1032 intptr = &options->print_lastlog;
1035 case sX11Forwarding:
1036 intptr = &options->x11_forwarding;
1039 case sX11DisplayOffset:
1040 intptr = &options->x11_display_offset;
1043 case sX11UseLocalhost:
1044 intptr = &options->x11_use_localhost;
1047 case sXAuthLocation:
1048 charptr = &options->xauth_location;
1049 goto parse_filename;
1052 intptr = &options->strict_modes;
1056 intptr = &options->tcp_keep_alive;
1059 case sPermitBlacklistedKeys:
1060 intptr = &options->permit_blacklisted_keys;
1064 intptr = &options->permit_empty_passwd;
1067 case sPermitUserEnvironment:
1068 intptr = &options->permit_user_env;
1072 intptr = &options->use_login;
1076 intptr = &options->compression;
1077 multistate_ptr = multistate_compression;
1078 goto parse_multistate;
1081 intptr = &options->gateway_ports;
1082 multistate_ptr = multistate_gatewayports;
1083 goto parse_multistate;
1086 intptr = &options->use_dns;
1090 log_facility_ptr = &options->log_facility;
1091 arg = strdelim(&cp);
1092 value = log_facility_number(arg);
1093 if (value == SYSLOG_FACILITY_NOT_SET)
1094 fatal("%.200s line %d: unsupported log facility '%s'",
1095 filename, linenum, arg ? arg : "<NONE>");
1096 if (*log_facility_ptr == -1)
1097 *log_facility_ptr = (SyslogFacility) value;
1101 log_level_ptr = &options->log_level;
1102 arg = strdelim(&cp);
1103 value = log_level_number(arg);
1104 if (value == SYSLOG_LEVEL_NOT_SET)
1105 fatal("%.200s line %d: unsupported log level '%s'",
1106 filename, linenum, arg ? arg : "<NONE>");
1107 if (*log_level_ptr == -1)
1108 *log_level_ptr = (LogLevel) value;
1111 case sAllowTcpForwarding:
1112 intptr = &options->allow_tcp_forwarding;
1115 case sAllowAgentForwarding:
1116 intptr = &options->allow_agent_forwarding;
1119 case sUsePrivilegeSeparation:
1120 intptr = &use_privsep;
1121 multistate_ptr = multistate_privsep;
1122 goto parse_multistate;
1125 while ((arg = strdelim(&cp)) && *arg != '\0') {
1126 if (options->num_allow_users >= MAX_ALLOW_USERS)
1127 fatal("%s line %d: too many allow users.",
1129 options->allow_users[options->num_allow_users++] =
1135 while ((arg = strdelim(&cp)) && *arg != '\0') {
1136 if (options->num_deny_users >= MAX_DENY_USERS)
1137 fatal("%s line %d: too many deny users.",
1139 options->deny_users[options->num_deny_users++] =
1145 while ((arg = strdelim(&cp)) && *arg != '\0') {
1146 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1147 fatal("%s line %d: too many allow groups.",
1149 options->allow_groups[options->num_allow_groups++] =
1155 while ((arg = strdelim(&cp)) && *arg != '\0') {
1156 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1157 fatal("%s line %d: too many deny groups.",
1159 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1164 arg = strdelim(&cp);
1165 if (!arg || *arg == '\0')
1166 fatal("%s line %d: Missing argument.", filename, linenum);
1167 if (!ciphers_valid(arg))
1168 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1169 filename, linenum, arg ? arg : "<NONE>");
1170 if (options->ciphers == NULL)
1171 options->ciphers = xstrdup(arg);
1175 arg = strdelim(&cp);
1176 if (!arg || *arg == '\0')
1177 fatal("%s line %d: Missing argument.", filename, linenum);
1178 if (!mac_valid(arg))
1179 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1180 filename, linenum, arg ? arg : "<NONE>");
1181 if (options->macs == NULL)
1182 options->macs = xstrdup(arg);
1185 case sKexAlgorithms:
1186 arg = strdelim(&cp);
1187 if (!arg || *arg == '\0')
1188 fatal("%s line %d: Missing argument.",
1190 if (!kex_names_valid(arg))
1191 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1192 filename, linenum, arg ? arg : "<NONE>");
1193 if (options->kex_algorithms == NULL)
1194 options->kex_algorithms = xstrdup(arg);
1198 intptr = &options->protocol;
1199 arg = strdelim(&cp);
1200 if (!arg || *arg == '\0')
1201 fatal("%s line %d: Missing argument.", filename, linenum);
1202 value = proto_spec(arg);
1203 if (value == SSH_PROTO_UNKNOWN)
1204 fatal("%s line %d: Bad protocol spec '%s'.",
1205 filename, linenum, arg ? arg : "<NONE>");
1206 if (*intptr == SSH_PROTO_UNKNOWN)
1211 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1212 fatal("%s line %d: too many subsystems defined.",
1215 arg = strdelim(&cp);
1216 if (!arg || *arg == '\0')
1217 fatal("%s line %d: Missing subsystem name.",
1220 arg = strdelim(&cp);
1223 for (i = 0; i < options->num_subsystems; i++)
1224 if (strcmp(arg, options->subsystem_name[i]) == 0)
1225 fatal("%s line %d: Subsystem '%s' already defined.",
1226 filename, linenum, arg);
1227 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1228 arg = strdelim(&cp);
1229 if (!arg || *arg == '\0')
1230 fatal("%s line %d: Missing subsystem command.",
1232 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1234 /* Collect arguments (separate to executable) */
1236 len = strlen(p) + 1;
1237 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1238 len += 1 + strlen(arg);
1239 p = xrealloc(p, 1, len);
1240 strlcat(p, " ", len);
1241 strlcat(p, arg, len);
1243 options->subsystem_args[options->num_subsystems] = p;
1244 options->num_subsystems++;
1248 arg = strdelim(&cp);
1249 if (!arg || *arg == '\0')
1250 fatal("%s line %d: Missing MaxStartups spec.",
1252 if ((n = sscanf(arg, "%d:%d:%d",
1253 &options->max_startups_begin,
1254 &options->max_startups_rate,
1255 &options->max_startups)) == 3) {
1256 if (options->max_startups_begin >
1257 options->max_startups ||
1258 options->max_startups_rate > 100 ||
1259 options->max_startups_rate < 1)
1260 fatal("%s line %d: Illegal MaxStartups spec.",
1263 fatal("%s line %d: Illegal MaxStartups spec.",
1266 options->max_startups = options->max_startups_begin;
1270 intptr = &options->max_authtries;
1274 intptr = &options->max_sessions;
1278 charptr = &options->banner;
1279 goto parse_filename;
1282 * These options can contain %X options expanded at
1283 * connect time, so that you can specify paths like:
1285 * AuthorizedKeysFile /etc/ssh_keys/%u
1287 case sAuthorizedKeysFile:
1288 if (*activep && options->num_authkeys_files == 0) {
1289 while ((arg = strdelim(&cp)) && *arg != '\0') {
1290 if (options->num_authkeys_files >=
1292 fatal("%s line %d: "
1293 "too many authorized keys files.",
1295 options->authorized_keys_files[
1296 options->num_authkeys_files++] =
1297 tilde_expand_filename(arg, getuid());
1302 case sAuthorizedPrincipalsFile:
1303 charptr = &options->authorized_principals_file;
1304 arg = strdelim(&cp);
1305 if (!arg || *arg == '\0')
1306 fatal("%s line %d: missing file name.",
1308 if (*activep && *charptr == NULL) {
1309 *charptr = tilde_expand_filename(arg, getuid());
1310 /* increase optional counter */
1312 *intptr = *intptr + 1;
1316 case sClientAliveInterval:
1317 intptr = &options->client_alive_interval;
1320 case sClientAliveCountMax:
1321 intptr = &options->client_alive_count_max;
1325 while ((arg = strdelim(&cp)) && *arg != '\0') {
1326 if (strchr(arg, '=') != NULL)
1327 fatal("%s line %d: Invalid environment name.",
1329 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1330 fatal("%s line %d: too many allow env.",
1334 options->accept_env[options->num_accept_env++] =
1340 intptr = &options->permit_tun;
1341 arg = strdelim(&cp);
1342 if (!arg || *arg == '\0')
1343 fatal("%s line %d: Missing yes/point-to-point/"
1344 "ethernet/no argument.", filename, linenum);
1346 for (i = 0; tunmode_desc[i].val != -1; i++)
1347 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1348 value = tunmode_desc[i].val;
1352 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1353 "no argument: %s", filename, linenum, arg);
1360 fatal("Match directive not supported as a command-line "
1362 value = match_cfg_line(&cp, linenum, user, host, address);
1364 fatal("%s line %d: Bad Match condition", filename,
1370 arg = strdelim(&cp);
1371 if (!arg || *arg == '\0')
1372 fatal("%s line %d: missing PermitOpen specification",
1374 n = options->num_permitted_opens; /* modified later */
1375 if (strcmp(arg, "any") == 0) {
1376 if (*activep && n == -1) {
1377 channel_clear_adm_permitted_opens();
1378 options->num_permitted_opens = 0;
1382 if (*activep && n == -1)
1383 channel_clear_adm_permitted_opens();
1384 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1387 fatal("%s line %d: missing host in PermitOpen",
1389 p = cleanhostname(p);
1390 if (arg == NULL || (port = a2port(arg)) <= 0)
1391 fatal("%s line %d: bad port number in "
1392 "PermitOpen", filename, linenum);
1393 if (*activep && n == -1)
1394 options->num_permitted_opens =
1395 channel_add_adm_permitted_opens(p, port);
1401 fatal("%.200s line %d: Missing argument.", filename,
1403 len = strspn(cp, WHITESPACE);
1404 if (*activep && options->adm_forced_command == NULL)
1405 options->adm_forced_command = xstrdup(cp + len);
1408 case sChrootDirectory:
1409 charptr = &options->chroot_directory;
1411 arg = strdelim(&cp);
1412 if (!arg || *arg == '\0')
1413 fatal("%s line %d: missing file name.",
1415 if (*activep && *charptr == NULL)
1416 *charptr = xstrdup(arg);
1419 case sTrustedUserCAKeys:
1420 charptr = &options->trusted_user_ca_keys;
1421 goto parse_filename;
1424 charptr = &options->revoked_keys_file;
1425 goto parse_filename;
1428 arg = strdelim(&cp);
1429 if ((value = parse_ipqos(arg)) == -1)
1430 fatal("%s line %d: Bad IPQoS value: %s",
1431 filename, linenum, arg);
1432 arg = strdelim(&cp);
1435 else if ((value2 = parse_ipqos(arg)) == -1)
1436 fatal("%s line %d: Bad IPQoS value: %s",
1437 filename, linenum, arg);
1439 options->ip_qos_interactive = value;
1440 options->ip_qos_bulk = value2;
1445 intptr = &options->debian_banner;
1449 logit("%s line %d: Deprecated option %s",
1450 filename, linenum, arg);
1452 arg = strdelim(&cp);
1456 logit("%s line %d: Unsupported option %s",
1457 filename, linenum, arg);
1459 arg = strdelim(&cp);
1463 fatal("%s line %d: Missing handler for opcode %s (%d)",
1464 filename, linenum, arg, opcode);
1466 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1467 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1468 filename, linenum, arg);
1472 /* Reads the server configuration file. */
1475 load_server_config(const char *filename, Buffer *conf)
1477 char line[1024], *cp;
1480 debug2("%s: filename %s", __func__, filename);
1481 if ((f = fopen(filename, "r")) == NULL) {
1486 while (fgets(line, sizeof(line), f)) {
1488 * Trim out comments and strip whitespace
1489 * NB - preserve newlines, they are needed to reproduce
1490 * line numbers later for error messages
1492 if ((cp = strchr(line, '#')) != NULL)
1493 memcpy(cp, "\n", 2);
1494 cp = line + strspn(line, " \t\r");
1496 buffer_append(conf, cp, strlen(cp));
1498 buffer_append(conf, "\0", 1);
1500 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1504 parse_server_match_config(ServerOptions *options, const char *user,
1505 const char *host, const char *address)
1509 initialize_server_options(&mo);
1510 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1511 copy_set_server_options(options, &mo, 0);
1515 #define M_CP_INTOPT(n) do {\
1519 #define M_CP_STROPT(n) do {\
1520 if (src->n != NULL) { \
1521 if (dst->n != NULL) \
1526 #define M_CP_STRARRAYOPT(n, num_n) do {\
1527 if (src->num_n != 0) { \
1528 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1529 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1534 * Copy any supported values that are set.
1536 * If the preauth flag is set, we do not bother copying the string or
1537 * array values that are not used pre-authentication, because any that we
1538 * do use must be explictly sent in mm_getpwnamallow().
1541 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1543 M_CP_INTOPT(password_authentication);
1544 M_CP_INTOPT(gss_authentication);
1545 M_CP_INTOPT(rsa_authentication);
1546 M_CP_INTOPT(pubkey_authentication);
1547 M_CP_INTOPT(kerberos_authentication);
1548 M_CP_INTOPT(hostbased_authentication);
1549 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1550 M_CP_INTOPT(kbd_interactive_authentication);
1551 M_CP_INTOPT(zero_knowledge_password_authentication);
1552 M_CP_INTOPT(permit_root_login);
1553 M_CP_INTOPT(permit_empty_passwd);
1555 M_CP_INTOPT(allow_tcp_forwarding);
1556 M_CP_INTOPT(allow_agent_forwarding);
1557 M_CP_INTOPT(permit_tun);
1558 M_CP_INTOPT(gateway_ports);
1559 M_CP_INTOPT(x11_display_offset);
1560 M_CP_INTOPT(x11_forwarding);
1561 M_CP_INTOPT(x11_use_localhost);
1562 M_CP_INTOPT(max_sessions);
1563 M_CP_INTOPT(max_authtries);
1564 M_CP_INTOPT(ip_qos_interactive);
1565 M_CP_INTOPT(ip_qos_bulk);
1567 /* See comment in servconf.h */
1568 COPY_MATCH_STRING_OPTS();
1571 * The only things that should be below this point are string options
1572 * which are only used after authentication.
1577 M_CP_STROPT(adm_forced_command);
1578 M_CP_STROPT(chroot_directory);
1583 #undef M_CP_STRARRAYOPT
1586 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1587 const char *user, const char *host, const char *address)
1589 int active, linenum, bad_options = 0;
1590 char *cp, *obuf, *cbuf;
1592 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1594 obuf = cbuf = xstrdup(buffer_ptr(conf));
1595 active = user ? 0 : 1;
1597 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1598 if (process_server_config_line(options, cp, filename,
1599 linenum++, &active, user, host, address) != 0)
1603 if (bad_options > 0)
1604 fatal("%s: terminating, %d bad configuration options",
1605 filename, bad_options);
1609 fmt_multistate_int(int val, const struct multistate *m)
1613 for (i = 0; m[i].key != NULL; i++) {
1614 if (m[i].value == val)
1621 fmt_intarg(ServerOpCodes code, int val)
1626 case sAddressFamily:
1627 return fmt_multistate_int(val, multistate_addressfamily);
1628 case sPermitRootLogin:
1629 return fmt_multistate_int(val, multistate_permitrootlogin);
1631 return fmt_multistate_int(val, multistate_gatewayports);
1633 return fmt_multistate_int(val, multistate_compression);
1634 case sUsePrivilegeSeparation:
1635 return fmt_multistate_int(val, multistate_privsep);
1642 case (SSH_PROTO_1|SSH_PROTO_2):
1660 lookup_opcode_name(ServerOpCodes code)
1664 for (i = 0; keywords[i].name != NULL; i++)
1665 if (keywords[i].opcode == code)
1666 return(keywords[i].name);
1671 dump_cfg_int(ServerOpCodes code, int val)
1673 printf("%s %d\n", lookup_opcode_name(code), val);
1677 dump_cfg_fmtint(ServerOpCodes code, int val)
1679 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1683 dump_cfg_string(ServerOpCodes code, const char *val)
1687 printf("%s %s\n", lookup_opcode_name(code), val);
1691 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1695 for (i = 0; i < count; i++)
1696 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1700 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1704 printf("%s", lookup_opcode_name(code));
1705 for (i = 0; i < count; i++)
1706 printf(" %s", vals[i]);
1711 dump_config(ServerOptions *o)
1715 struct addrinfo *ai;
1716 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1718 /* these are usually at the top of the config */
1719 for (i = 0; i < o->num_ports; i++)
1720 printf("port %d\n", o->ports[i]);
1721 dump_cfg_fmtint(sProtocol, o->protocol);
1722 dump_cfg_fmtint(sAddressFamily, o->address_family);
1724 /* ListenAddress must be after Port */
1725 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1726 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1727 sizeof(addr), port, sizeof(port),
1728 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1729 error("getnameinfo failed: %.100s",
1730 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1733 if (ai->ai_family == AF_INET6)
1734 printf("listenaddress [%s]:%s\n", addr, port);
1736 printf("listenaddress %s:%s\n", addr, port);
1740 /* integer arguments */
1742 dump_cfg_int(sUsePAM, o->use_pam);
1744 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1745 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1746 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1747 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1748 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1749 dump_cfg_int(sMaxSessions, o->max_sessions);
1750 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1751 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1753 /* formatted integer arguments */
1754 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1755 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1756 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1757 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1758 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1759 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1760 o->hostbased_uses_name_from_packet_only);
1761 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1762 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1764 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1765 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1766 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1768 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1772 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1773 dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
1774 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1775 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
1776 dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
1779 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1780 o->zero_knowledge_password_authentication);
1782 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1783 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1784 o->kbd_interactive_authentication);
1785 dump_cfg_fmtint(sChallengeResponseAuthentication,
1786 o->challenge_response_authentication);
1787 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1788 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1789 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1790 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1791 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1792 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1793 dump_cfg_fmtint(sPermitBlacklistedKeys, o->permit_blacklisted_keys);
1794 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1795 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1796 dump_cfg_fmtint(sUseLogin, o->use_login);
1797 dump_cfg_fmtint(sCompression, o->compression);
1798 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1799 dump_cfg_fmtint(sUseDNS, o->use_dns);
1800 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1801 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1803 /* string arguments */
1804 dump_cfg_string(sPidFile, o->pid_file);
1805 dump_cfg_string(sXAuthLocation, o->xauth_location);
1806 dump_cfg_string(sCiphers, o->ciphers);
1807 dump_cfg_string(sMacs, o->macs);
1808 dump_cfg_string(sBanner, o->banner);
1809 dump_cfg_string(sForceCommand, o->adm_forced_command);
1810 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1811 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1812 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1813 dump_cfg_string(sAuthorizedPrincipalsFile,
1814 o->authorized_principals_file);
1816 /* string arguments requiring a lookup */
1817 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1818 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1820 /* string array arguments */
1821 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
1822 o->authorized_keys_files);
1823 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1825 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1826 o->host_cert_files);
1827 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1828 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1829 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1830 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1831 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1833 /* other arguments */
1834 for (i = 0; i < o->num_subsystems; i++)
1835 printf("subsystem %s %s\n", o->subsystem_name[i],
1836 o->subsystem_args[i]);
1838 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1839 o->max_startups_rate, o->max_startups);
1841 for (i = 0; tunmode_desc[i].val != -1; i++)
1842 if (tunmode_desc[i].val == o->permit_tun) {
1843 s = tunmode_desc[i].text;
1846 dump_cfg_string(sPermitTunnel, s);
1848 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
1849 printf("%s\n", iptos2str(o->ip_qos_bulk));
1851 channel_print_adm_permitted_opens();