1 /* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <netinet/in_systm.h>
20 #include <netinet/ip.h>
32 #include "openbsd-compat/sys-queue.h"
39 #include "pathnames.h"
47 #include "groupaccess.h"
49 static void add_listen_addr(ServerOptions *, char *, int);
50 static void add_one_listen_addr(ServerOptions *, char *, int);
52 /* Use of privilege separation or not */
53 extern int use_privsep;
56 /* Initializes the server options to their default values. */
59 initialize_server_options(ServerOptions *options)
61 memset(options, 0, sizeof(*options));
63 /* Portable-specific options */
64 options->use_pam = -1;
66 /* Standard Options */
67 options->num_ports = 0;
68 options->ports_from_cmdline = 0;
69 options->listen_addrs = NULL;
70 options->address_family = -1;
71 options->num_host_key_files = 0;
72 options->num_host_cert_files = 0;
73 options->pid_file = NULL;
74 options->server_key_bits = -1;
75 options->login_grace_time = -1;
76 options->key_regeneration_time = -1;
77 options->permit_root_login = PERMIT_NOT_SET;
78 options->ignore_rhosts = -1;
79 options->ignore_user_known_hosts = -1;
80 options->print_motd = -1;
81 options->print_lastlog = -1;
82 options->x11_forwarding = -1;
83 options->x11_display_offset = -1;
84 options->x11_use_localhost = -1;
85 options->xauth_location = NULL;
86 options->strict_modes = -1;
87 options->tcp_keep_alive = -1;
88 options->log_facility = SYSLOG_FACILITY_NOT_SET;
89 options->log_level = SYSLOG_LEVEL_NOT_SET;
90 options->rhosts_rsa_authentication = -1;
91 options->hostbased_authentication = -1;
92 options->hostbased_uses_name_from_packet_only = -1;
93 options->rsa_authentication = -1;
94 options->pubkey_authentication = -1;
95 options->kerberos_authentication = -1;
96 options->kerberos_or_local_passwd = -1;
97 options->kerberos_ticket_cleanup = -1;
98 options->kerberos_get_afs_token = -1;
99 options->gss_authentication=-1;
100 options->gss_keyex = -1;
101 options->gss_require_mic = -1;
102 options->gss_cleanup_creds = -1;
103 options->gss_strict_acceptor = -1;
104 options->gss_store_rekey = -1;
105 options->password_authentication = -1;
106 options->kbd_interactive_authentication = -1;
107 options->challenge_response_authentication = -1;
108 options->permit_blacklisted_keys = -1;
109 options->permit_empty_passwd = -1;
110 options->permit_user_env = -1;
111 options->use_login = -1;
112 options->compression = -1;
113 options->allow_tcp_forwarding = -1;
114 options->allow_agent_forwarding = -1;
115 options->num_allow_users = 0;
116 options->num_deny_users = 0;
117 options->num_allow_groups = 0;
118 options->num_deny_groups = 0;
119 options->ciphers = NULL;
120 options->macs = NULL;
121 options->kex_algorithms = NULL;
122 options->protocol = SSH_PROTO_UNKNOWN;
123 options->gateway_ports = -1;
124 options->num_subsystems = 0;
125 options->max_startups_begin = -1;
126 options->max_startups_rate = -1;
127 options->max_startups = -1;
128 options->max_authtries = -1;
129 options->max_sessions = -1;
130 options->banner = NULL;
131 options->use_dns = -1;
132 options->client_alive_interval = -1;
133 options->client_alive_count_max = -1;
134 options->num_authkeys_files = 0;
135 options->num_accept_env = 0;
136 options->permit_tun = -1;
137 options->num_permitted_opens = -1;
138 options->adm_forced_command = NULL;
139 options->chroot_directory = NULL;
140 options->zero_knowledge_password_authentication = -1;
141 options->revoked_keys_file = NULL;
142 options->trusted_user_ca_keys = NULL;
143 options->authorized_principals_file = NULL;
144 options->ip_qos_interactive = -1;
145 options->ip_qos_bulk = -1;
146 options->debian_banner = -1;
150 fill_default_server_options(ServerOptions *options)
152 /* Portable-specific options */
153 if (options->use_pam == -1)
154 options->use_pam = 0;
156 /* Standard Options */
157 if (options->protocol == SSH_PROTO_UNKNOWN)
158 options->protocol = SSH_PROTO_2;
159 if (options->num_host_key_files == 0) {
160 /* fill default hostkeys for protocols */
161 if (options->protocol & SSH_PROTO_1)
162 options->host_key_files[options->num_host_key_files++] =
164 if (options->protocol & SSH_PROTO_2) {
165 options->host_key_files[options->num_host_key_files++] =
166 _PATH_HOST_RSA_KEY_FILE;
167 options->host_key_files[options->num_host_key_files++] =
168 _PATH_HOST_DSA_KEY_FILE;
169 #ifdef OPENSSL_HAS_ECC
170 options->host_key_files[options->num_host_key_files++] =
171 _PATH_HOST_ECDSA_KEY_FILE;
175 /* No certificates by default */
176 if (options->num_ports == 0)
177 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
178 if (options->listen_addrs == NULL)
179 add_listen_addr(options, NULL, 0);
180 if (options->pid_file == NULL)
181 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
182 if (options->server_key_bits == -1)
183 options->server_key_bits = 1024;
184 if (options->login_grace_time == -1)
185 options->login_grace_time = 120;
186 if (options->key_regeneration_time == -1)
187 options->key_regeneration_time = 3600;
188 if (options->permit_root_login == PERMIT_NOT_SET)
189 options->permit_root_login = PERMIT_YES;
190 if (options->ignore_rhosts == -1)
191 options->ignore_rhosts = 1;
192 if (options->ignore_user_known_hosts == -1)
193 options->ignore_user_known_hosts = 0;
194 if (options->print_motd == -1)
195 options->print_motd = 1;
196 if (options->print_lastlog == -1)
197 options->print_lastlog = 1;
198 if (options->x11_forwarding == -1)
199 options->x11_forwarding = 0;
200 if (options->x11_display_offset == -1)
201 options->x11_display_offset = 10;
202 if (options->x11_use_localhost == -1)
203 options->x11_use_localhost = 1;
204 if (options->xauth_location == NULL)
205 options->xauth_location = _PATH_XAUTH;
206 if (options->strict_modes == -1)
207 options->strict_modes = 1;
208 if (options->tcp_keep_alive == -1)
209 options->tcp_keep_alive = 1;
210 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
211 options->log_facility = SYSLOG_FACILITY_AUTH;
212 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
213 options->log_level = SYSLOG_LEVEL_INFO;
214 if (options->rhosts_rsa_authentication == -1)
215 options->rhosts_rsa_authentication = 0;
216 if (options->hostbased_authentication == -1)
217 options->hostbased_authentication = 0;
218 if (options->hostbased_uses_name_from_packet_only == -1)
219 options->hostbased_uses_name_from_packet_only = 0;
220 if (options->rsa_authentication == -1)
221 options->rsa_authentication = 1;
222 if (options->pubkey_authentication == -1)
223 options->pubkey_authentication = 1;
224 if (options->kerberos_authentication == -1)
225 options->kerberos_authentication = 0;
226 if (options->kerberos_or_local_passwd == -1)
227 options->kerberos_or_local_passwd = 1;
228 if (options->kerberos_ticket_cleanup == -1)
229 options->kerberos_ticket_cleanup = 1;
230 if (options->kerberos_get_afs_token == -1)
231 options->kerberos_get_afs_token = 0;
232 if (options->gss_authentication == -1)
233 options->gss_authentication = 0;
234 if (options->gss_keyex == -1)
235 options->gss_keyex = 0;
236 if (options->gss_require_mic == -1)
237 options->gss_require_mic = 1;
238 if (options->gss_cleanup_creds == -1)
239 options->gss_cleanup_creds = 1;
240 if (options->gss_strict_acceptor == -1)
241 options->gss_strict_acceptor = 1;
242 if (options->gss_store_rekey == -1)
243 options->gss_store_rekey = 0;
244 if (options->password_authentication == -1)
245 options->password_authentication = 1;
246 if (options->kbd_interactive_authentication == -1)
247 options->kbd_interactive_authentication = 0;
248 if (options->challenge_response_authentication == -1)
249 options->challenge_response_authentication = 1;
250 if (options->permit_blacklisted_keys == -1)
251 options->permit_blacklisted_keys = 0;
252 if (options->permit_empty_passwd == -1)
253 options->permit_empty_passwd = 0;
254 if (options->permit_user_env == -1)
255 options->permit_user_env = 0;
256 if (options->use_login == -1)
257 options->use_login = 0;
258 if (options->compression == -1)
259 options->compression = COMP_DELAYED;
260 if (options->allow_tcp_forwarding == -1)
261 options->allow_tcp_forwarding = 1;
262 if (options->allow_agent_forwarding == -1)
263 options->allow_agent_forwarding = 1;
264 if (options->gateway_ports == -1)
265 options->gateway_ports = 0;
266 if (options->max_startups == -1)
267 options->max_startups = 10;
268 if (options->max_startups_rate == -1)
269 options->max_startups_rate = 100; /* 100% */
270 if (options->max_startups_begin == -1)
271 options->max_startups_begin = options->max_startups;
272 if (options->max_authtries == -1)
273 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
274 if (options->max_sessions == -1)
275 options->max_sessions = DEFAULT_SESSIONS_MAX;
276 if (options->use_dns == -1)
277 options->use_dns = 1;
278 if (options->client_alive_interval == -1)
279 options->client_alive_interval = 0;
280 if (options->client_alive_count_max == -1)
281 options->client_alive_count_max = 3;
282 if (options->num_authkeys_files == 0) {
283 options->authorized_keys_files[options->num_authkeys_files++] =
284 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
285 options->authorized_keys_files[options->num_authkeys_files++] =
286 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
288 if (options->permit_tun == -1)
289 options->permit_tun = SSH_TUNMODE_NO;
290 if (options->zero_knowledge_password_authentication == -1)
291 options->zero_knowledge_password_authentication = 0;
292 if (options->ip_qos_interactive == -1)
293 options->ip_qos_interactive = IPTOS_LOWDELAY;
294 if (options->ip_qos_bulk == -1)
295 options->ip_qos_bulk = IPTOS_THROUGHPUT;
296 if (options->debian_banner == -1)
297 options->debian_banner = 1;
299 /* Turn privilege separation on by default */
300 if (use_privsep == -1)
301 use_privsep = PRIVSEP_ON;
304 if (use_privsep && options->compression == 1) {
305 error("This platform does not support both privilege "
306 "separation and compression");
307 error("Compression disabled");
308 options->compression = 0;
314 /* Keyword tokens. */
316 sBadOption, /* == unknown option */
317 /* Portable-specific options */
319 /* Standard Options */
320 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
321 sPermitRootLogin, sLogFacility, sLogLevel,
322 sRhostsRSAAuthentication, sRSAAuthentication,
323 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
324 sKerberosGetAFSToken,
325 sKerberosTgtPassing, sChallengeResponseAuthentication,
326 sPasswordAuthentication, sKbdInteractiveAuthentication,
327 sListenAddress, sAddressFamily,
328 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
329 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
330 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
331 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
332 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
333 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
334 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
335 sMaxStartups, sMaxAuthTries, sMaxSessions,
336 sBanner, sUseDNS, sHostbasedAuthentication,
337 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
338 sClientAliveCountMax, sAuthorizedKeysFile,
339 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
340 sGssKeyEx, sGssStoreRekey,
342 sAcceptEnv, sPermitTunnel,
343 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
344 sUsePrivilegeSeparation, sAllowAgentForwarding,
345 sZeroKnowledgePasswordAuthentication, sHostCertificate,
346 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
347 sKexAlgorithms, sIPQoS,
349 sDeprecated, sUnsupported
352 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
353 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
354 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
356 /* Textual representation of the tokens. */
359 ServerOpCodes opcode;
362 /* Portable-specific options */
364 { "usepam", sUsePAM, SSHCFG_GLOBAL },
366 { "usepam", sUnsupported, SSHCFG_GLOBAL },
368 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
369 /* Standard Options */
370 { "port", sPort, SSHCFG_GLOBAL },
371 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
372 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
373 { "pidfile", sPidFile, SSHCFG_GLOBAL },
374 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
375 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
376 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
377 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
378 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
379 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
380 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
381 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
382 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
383 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
384 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
385 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
386 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
388 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
389 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
390 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
392 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
394 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
397 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
398 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
399 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
400 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
402 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
403 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
405 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
406 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
407 { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
408 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
409 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
410 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
411 { "gssapirequiremic", sGssReqMIC, SSHCFG_GLOBAL },
413 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
414 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
415 { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
416 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
417 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
418 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
419 { "gssapirequiremic", sUnsupported, SSHCFG_GLOBAL },
421 { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
422 { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
423 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
424 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
425 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
426 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
428 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
430 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
432 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
433 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
434 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
435 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
436 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
437 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
438 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
439 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
440 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
441 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
442 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
443 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
444 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
445 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
446 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
447 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
448 { "compression", sCompression, SSHCFG_GLOBAL },
449 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
450 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
451 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
452 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
453 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
454 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
455 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
456 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
457 { "ciphers", sCiphers, SSHCFG_GLOBAL },
458 { "macs", sMacs, SSHCFG_GLOBAL },
459 { "protocol", sProtocol, SSHCFG_GLOBAL },
460 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
461 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
462 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
463 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
464 { "maxsessions", sMaxSessions, SSHCFG_ALL },
465 { "banner", sBanner, SSHCFG_ALL },
466 { "usedns", sUseDNS, SSHCFG_GLOBAL },
467 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
468 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
469 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
470 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
471 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
472 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
473 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
474 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
475 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
476 { "match", sMatch, SSHCFG_ALL },
477 { "permitopen", sPermitOpen, SSHCFG_ALL },
478 { "forcecommand", sForceCommand, SSHCFG_ALL },
479 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
480 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
481 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
482 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
483 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
484 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
485 { "ipqos", sIPQoS, SSHCFG_ALL },
486 { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
487 { NULL, sBadOption, 0 }
494 { SSH_TUNMODE_NO, "no" },
495 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
496 { SSH_TUNMODE_ETHERNET, "ethernet" },
497 { SSH_TUNMODE_YES, "yes" },
502 * Returns the number of the token pointed to by cp or sBadOption.
506 parse_token(const char *cp, const char *filename,
507 int linenum, u_int *flags)
511 for (i = 0; keywords[i].name; i++)
512 if (strcasecmp(cp, keywords[i].name) == 0) {
513 *flags = keywords[i].flags;
514 return keywords[i].opcode;
517 error("%s: line %d: Bad configuration option: %s",
518 filename, linenum, cp);
523 derelativise_path(const char *path)
525 char *expanded, *ret, cwd[MAXPATHLEN];
527 expanded = tilde_expand_filename(path, getuid());
528 if (*expanded == '/')
530 if (getcwd(cwd, sizeof(cwd)) == NULL)
531 fatal("%s: getcwd: %s", __func__, strerror(errno));
532 xasprintf(&ret, "%s/%s", cwd, expanded);
538 add_listen_addr(ServerOptions *options, char *addr, int port)
542 if (options->num_ports == 0)
543 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
544 if (options->address_family == -1)
545 options->address_family = AF_UNSPEC;
547 for (i = 0; i < options->num_ports; i++)
548 add_one_listen_addr(options, addr, options->ports[i]);
550 add_one_listen_addr(options, addr, port);
554 add_one_listen_addr(ServerOptions *options, char *addr, int port)
556 struct addrinfo hints, *ai, *aitop;
557 char strport[NI_MAXSERV];
560 memset(&hints, 0, sizeof(hints));
561 hints.ai_family = options->address_family;
562 hints.ai_socktype = SOCK_STREAM;
563 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
564 snprintf(strport, sizeof strport, "%d", port);
565 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
566 fatal("bad addr or host: %s (%s)",
567 addr ? addr : "<NULL>",
568 ssh_gai_strerror(gaierr));
569 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
571 ai->ai_next = options->listen_addrs;
572 options->listen_addrs = aitop;
576 * The strategy for the Match blocks is that the config file is parsed twice.
578 * The first time is at startup. activep is initialized to 1 and the
579 * directives in the global context are processed and acted on. Hitting a
580 * Match directive unsets activep and the directives inside the block are
581 * checked for syntax only.
583 * The second time is after a connection has been established but before
584 * authentication. activep is initialized to 2 and global config directives
585 * are ignored since they have already been processed. If the criteria in a
586 * Match block is met, activep is set and the subsequent directives
587 * processed and actioned until EOF or another Match block unsets it. Any
588 * options set are copied into the main server config.
590 * Potential additions/improvements:
591 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
593 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
594 * Match Address 192.168.0.*
599 * AllowTcpForwarding yes
600 * GatewayPorts clientspecified
603 * - Add a PermittedChannelRequests directive
605 * PermittedChannelRequests session,forwarded-tcpip
609 match_cfg_line_group(const char *grps, int line, const char *user)
617 if ((pw = getpwnam(user)) == NULL) {
618 debug("Can't match group at line %d because user %.100s does "
619 "not exist", line, user);
620 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
621 debug("Can't Match group because user %.100s not in any group "
622 "at line %d", user, line);
623 } else if (ga_match_pattern_list(grps) != 1) {
624 debug("user %.100s does not match group list %.100s at line %d",
627 debug("user %.100s matched group list %.100s at line %d", user,
637 match_cfg_line(char **condition, int line, const char *user, const char *host,
641 char *arg, *attrib, *cp = *condition;
645 debug3("checking syntax for 'Match %s'", cp);
647 debug3("checking match for '%s' user %s host %s addr %s", cp,
648 user ? user : "(null)", host ? host : "(null)",
649 address ? address : "(null)");
651 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
652 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
653 error("Missing Match criteria for %s", attrib);
657 if (strcasecmp(attrib, "user") == 0) {
662 if (match_pattern_list(user, arg, len, 0) != 1)
665 debug("user %.100s matched 'User %.100s' at "
666 "line %d", user, arg, line);
667 } else if (strcasecmp(attrib, "group") == 0) {
668 switch (match_cfg_line_group(arg, line, user)) {
674 } else if (strcasecmp(attrib, "host") == 0) {
679 if (match_hostname(host, arg, len) != 1)
682 debug("connection from %.100s matched 'Host "
683 "%.100s' at line %d", host, arg, line);
684 } else if (strcasecmp(attrib, "address") == 0) {
685 switch (addr_match_list(address, arg)) {
687 debug("connection from %.100s matched 'Address "
688 "%.100s' at line %d", address, arg, line);
698 error("Unsupported Match attribute %s", attrib);
703 debug3("match %sfound", result ? "" : "not ");
708 #define WHITESPACE " \t\r\n"
710 /* Multistate option parsing */
715 static const struct multistate multistate_addressfamily[] = {
717 { "inet6", AF_INET6 },
718 { "any", AF_UNSPEC },
721 static const struct multistate multistate_permitrootlogin[] = {
722 { "without-password", PERMIT_NO_PASSWD },
723 { "forced-commands-only", PERMIT_FORCED_ONLY },
724 { "yes", PERMIT_YES },
728 static const struct multistate multistate_compression[] = {
729 { "delayed", COMP_DELAYED },
730 { "yes", COMP_ZLIB },
734 static const struct multistate multistate_gatewayports[] = {
735 { "clientspecified", 2 },
740 static const struct multistate multistate_privsep[] = {
741 { "sandbox", PRIVSEP_SANDBOX },
742 { "yes", PRIVSEP_ON },
743 { "no", PRIVSEP_OFF },
748 process_server_config_line(ServerOptions *options, char *line,
749 const char *filename, int linenum, int *activep, const char *user,
750 const char *host, const char *address)
752 char *cp, **charptr, *arg, *p;
753 int cmdline = 0, *intptr, value, value2, n;
754 SyslogFacility *log_facility_ptr;
755 LogLevel *log_level_ptr;
756 ServerOpCodes opcode;
760 const struct multistate *multistate_ptr;
763 if ((arg = strdelim(&cp)) == NULL)
765 /* Ignore leading whitespace */
768 if (!arg || !*arg || *arg == '#')
772 opcode = parse_token(arg, filename, linenum, &flags);
774 if (activep == NULL) { /* We are processing a command line directive */
778 if (*activep && opcode != sMatch)
779 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
780 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
782 fatal("%s line %d: Directive '%s' is not allowed "
783 "within a Match block", filename, linenum, arg);
784 } else { /* this is a directive we have already processed */
792 /* Portable-specific options */
794 intptr = &options->use_pam;
797 /* Standard Options */
801 /* ignore ports from configfile if cmdline specifies ports */
802 if (options->ports_from_cmdline)
804 if (options->listen_addrs != NULL)
805 fatal("%s line %d: ports must be specified before "
806 "ListenAddress.", filename, linenum);
807 if (options->num_ports >= MAX_PORTS)
808 fatal("%s line %d: too many ports.",
811 if (!arg || *arg == '\0')
812 fatal("%s line %d: missing port number.",
814 options->ports[options->num_ports++] = a2port(arg);
815 if (options->ports[options->num_ports-1] <= 0)
816 fatal("%s line %d: Badly formatted port number.",
821 intptr = &options->server_key_bits;
824 if (!arg || *arg == '\0')
825 fatal("%s line %d: missing integer value.",
828 if (*activep && *intptr == -1)
832 case sLoginGraceTime:
833 intptr = &options->login_grace_time;
836 if (!arg || *arg == '\0')
837 fatal("%s line %d: missing time value.",
839 if ((value = convtime(arg)) == -1)
840 fatal("%s line %d: invalid time value.",
846 case sKeyRegenerationTime:
847 intptr = &options->key_regeneration_time;
852 if (arg == NULL || *arg == '\0')
853 fatal("%s line %d: missing address",
855 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
856 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
857 && strchr(p+1, ':') != NULL) {
858 add_listen_addr(options, arg, 0);
863 fatal("%s line %d: bad address:port usage",
865 p = cleanhostname(p);
868 else if ((port = a2port(arg)) <= 0)
869 fatal("%s line %d: bad port number", filename, linenum);
871 add_listen_addr(options, p, port);
876 intptr = &options->address_family;
877 multistate_ptr = multistate_addressfamily;
878 if (options->listen_addrs != NULL)
879 fatal("%s line %d: address family must be specified "
880 "before ListenAddress.", filename, linenum);
883 if (!arg || *arg == '\0')
884 fatal("%s line %d: missing argument.",
887 for (i = 0; multistate_ptr[i].key != NULL; i++) {
888 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
889 value = multistate_ptr[i].value;
894 fatal("%s line %d: unsupported option \"%s\".",
895 filename, linenum, arg);
896 if (*activep && *intptr == -1)
901 intptr = &options->num_host_key_files;
902 if (*intptr >= MAX_HOSTKEYS)
903 fatal("%s line %d: too many host keys specified (max %d).",
904 filename, linenum, MAX_HOSTKEYS);
905 charptr = &options->host_key_files[*intptr];
908 if (!arg || *arg == '\0')
909 fatal("%s line %d: missing file name.",
911 if (*activep && *charptr == NULL) {
912 *charptr = derelativise_path(arg);
913 /* increase optional counter */
915 *intptr = *intptr + 1;
919 case sHostCertificate:
920 intptr = &options->num_host_cert_files;
921 if (*intptr >= MAX_HOSTKEYS)
922 fatal("%s line %d: too many host certificates "
923 "specified (max %d).", filename, linenum,
925 charptr = &options->host_cert_files[*intptr];
930 charptr = &options->pid_file;
933 case sPermitRootLogin:
934 intptr = &options->permit_root_login;
935 multistate_ptr = multistate_permitrootlogin;
936 goto parse_multistate;
939 intptr = &options->ignore_rhosts;
942 if (!arg || *arg == '\0')
943 fatal("%s line %d: missing yes/no argument.",
945 value = 0; /* silence compiler */
946 if (strcmp(arg, "yes") == 0)
948 else if (strcmp(arg, "no") == 0)
951 fatal("%s line %d: Bad yes/no argument: %s",
952 filename, linenum, arg);
953 if (*activep && *intptr == -1)
957 case sIgnoreUserKnownHosts:
958 intptr = &options->ignore_user_known_hosts;
961 case sRhostsRSAAuthentication:
962 intptr = &options->rhosts_rsa_authentication;
965 case sHostbasedAuthentication:
966 intptr = &options->hostbased_authentication;
969 case sHostbasedUsesNameFromPacketOnly:
970 intptr = &options->hostbased_uses_name_from_packet_only;
973 case sRSAAuthentication:
974 intptr = &options->rsa_authentication;
977 case sPubkeyAuthentication:
978 intptr = &options->pubkey_authentication;
981 case sKerberosAuthentication:
982 intptr = &options->kerberos_authentication;
985 case sKerberosOrLocalPasswd:
986 intptr = &options->kerberos_or_local_passwd;
989 case sKerberosTicketCleanup:
990 intptr = &options->kerberos_ticket_cleanup;
993 case sKerberosGetAFSToken:
994 intptr = &options->kerberos_get_afs_token;
997 case sGssAuthentication:
998 intptr = &options->gss_authentication;
1002 intptr = &options->gss_keyex;
1006 intptr = &options->gss_require_mic;
1009 case sGssCleanupCreds:
1010 intptr = &options->gss_cleanup_creds;
1013 case sGssStrictAcceptor:
1014 intptr = &options->gss_strict_acceptor;
1017 case sGssStoreRekey:
1018 intptr = &options->gss_store_rekey;
1021 case sPasswordAuthentication:
1022 intptr = &options->password_authentication;
1025 case sZeroKnowledgePasswordAuthentication:
1026 intptr = &options->zero_knowledge_password_authentication;
1029 case sKbdInteractiveAuthentication:
1030 intptr = &options->kbd_interactive_authentication;
1033 case sChallengeResponseAuthentication:
1034 intptr = &options->challenge_response_authentication;
1038 intptr = &options->print_motd;
1042 intptr = &options->print_lastlog;
1045 case sX11Forwarding:
1046 intptr = &options->x11_forwarding;
1049 case sX11DisplayOffset:
1050 intptr = &options->x11_display_offset;
1053 case sX11UseLocalhost:
1054 intptr = &options->x11_use_localhost;
1057 case sXAuthLocation:
1058 charptr = &options->xauth_location;
1059 goto parse_filename;
1062 intptr = &options->strict_modes;
1066 intptr = &options->tcp_keep_alive;
1069 case sPermitBlacklistedKeys:
1070 intptr = &options->permit_blacklisted_keys;
1074 intptr = &options->permit_empty_passwd;
1077 case sPermitUserEnvironment:
1078 intptr = &options->permit_user_env;
1082 intptr = &options->use_login;
1086 intptr = &options->compression;
1087 multistate_ptr = multistate_compression;
1088 goto parse_multistate;
1091 intptr = &options->gateway_ports;
1092 multistate_ptr = multistate_gatewayports;
1093 goto parse_multistate;
1096 intptr = &options->use_dns;
1100 log_facility_ptr = &options->log_facility;
1101 arg = strdelim(&cp);
1102 value = log_facility_number(arg);
1103 if (value == SYSLOG_FACILITY_NOT_SET)
1104 fatal("%.200s line %d: unsupported log facility '%s'",
1105 filename, linenum, arg ? arg : "<NONE>");
1106 if (*log_facility_ptr == -1)
1107 *log_facility_ptr = (SyslogFacility) value;
1111 log_level_ptr = &options->log_level;
1112 arg = strdelim(&cp);
1113 value = log_level_number(arg);
1114 if (value == SYSLOG_LEVEL_NOT_SET)
1115 fatal("%.200s line %d: unsupported log level '%s'",
1116 filename, linenum, arg ? arg : "<NONE>");
1117 if (*log_level_ptr == -1)
1118 *log_level_ptr = (LogLevel) value;
1121 case sAllowTcpForwarding:
1122 intptr = &options->allow_tcp_forwarding;
1125 case sAllowAgentForwarding:
1126 intptr = &options->allow_agent_forwarding;
1129 case sUsePrivilegeSeparation:
1130 intptr = &use_privsep;
1131 multistate_ptr = multistate_privsep;
1132 goto parse_multistate;
1135 while ((arg = strdelim(&cp)) && *arg != '\0') {
1136 if (options->num_allow_users >= MAX_ALLOW_USERS)
1137 fatal("%s line %d: too many allow users.",
1139 options->allow_users[options->num_allow_users++] =
1145 while ((arg = strdelim(&cp)) && *arg != '\0') {
1146 if (options->num_deny_users >= MAX_DENY_USERS)
1147 fatal("%s line %d: too many deny users.",
1149 options->deny_users[options->num_deny_users++] =
1155 while ((arg = strdelim(&cp)) && *arg != '\0') {
1156 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1157 fatal("%s line %d: too many allow groups.",
1159 options->allow_groups[options->num_allow_groups++] =
1165 while ((arg = strdelim(&cp)) && *arg != '\0') {
1166 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1167 fatal("%s line %d: too many deny groups.",
1169 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1174 arg = strdelim(&cp);
1175 if (!arg || *arg == '\0')
1176 fatal("%s line %d: Missing argument.", filename, linenum);
1177 if (!ciphers_valid(arg))
1178 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1179 filename, linenum, arg ? arg : "<NONE>");
1180 if (options->ciphers == NULL)
1181 options->ciphers = xstrdup(arg);
1185 arg = strdelim(&cp);
1186 if (!arg || *arg == '\0')
1187 fatal("%s line %d: Missing argument.", filename, linenum);
1188 if (!mac_valid(arg))
1189 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1190 filename, linenum, arg ? arg : "<NONE>");
1191 if (options->macs == NULL)
1192 options->macs = xstrdup(arg);
1195 case sKexAlgorithms:
1196 arg = strdelim(&cp);
1197 if (!arg || *arg == '\0')
1198 fatal("%s line %d: Missing argument.",
1200 if (!kex_names_valid(arg))
1201 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1202 filename, linenum, arg ? arg : "<NONE>");
1203 if (options->kex_algorithms == NULL)
1204 options->kex_algorithms = xstrdup(arg);
1208 intptr = &options->protocol;
1209 arg = strdelim(&cp);
1210 if (!arg || *arg == '\0')
1211 fatal("%s line %d: Missing argument.", filename, linenum);
1212 value = proto_spec(arg);
1213 if (value == SSH_PROTO_UNKNOWN)
1214 fatal("%s line %d: Bad protocol spec '%s'.",
1215 filename, linenum, arg ? arg : "<NONE>");
1216 if (*intptr == SSH_PROTO_UNKNOWN)
1221 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1222 fatal("%s line %d: too many subsystems defined.",
1225 arg = strdelim(&cp);
1226 if (!arg || *arg == '\0')
1227 fatal("%s line %d: Missing subsystem name.",
1230 arg = strdelim(&cp);
1233 for (i = 0; i < options->num_subsystems; i++)
1234 if (strcmp(arg, options->subsystem_name[i]) == 0)
1235 fatal("%s line %d: Subsystem '%s' already defined.",
1236 filename, linenum, arg);
1237 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1238 arg = strdelim(&cp);
1239 if (!arg || *arg == '\0')
1240 fatal("%s line %d: Missing subsystem command.",
1242 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1244 /* Collect arguments (separate to executable) */
1246 len = strlen(p) + 1;
1247 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1248 len += 1 + strlen(arg);
1249 p = xrealloc(p, 1, len);
1250 strlcat(p, " ", len);
1251 strlcat(p, arg, len);
1253 options->subsystem_args[options->num_subsystems] = p;
1254 options->num_subsystems++;
1258 arg = strdelim(&cp);
1259 if (!arg || *arg == '\0')
1260 fatal("%s line %d: Missing MaxStartups spec.",
1262 if ((n = sscanf(arg, "%d:%d:%d",
1263 &options->max_startups_begin,
1264 &options->max_startups_rate,
1265 &options->max_startups)) == 3) {
1266 if (options->max_startups_begin >
1267 options->max_startups ||
1268 options->max_startups_rate > 100 ||
1269 options->max_startups_rate < 1)
1270 fatal("%s line %d: Illegal MaxStartups spec.",
1273 fatal("%s line %d: Illegal MaxStartups spec.",
1276 options->max_startups = options->max_startups_begin;
1280 intptr = &options->max_authtries;
1284 intptr = &options->max_sessions;
1288 charptr = &options->banner;
1289 goto parse_filename;
1292 * These options can contain %X options expanded at
1293 * connect time, so that you can specify paths like:
1295 * AuthorizedKeysFile /etc/ssh_keys/%u
1297 case sAuthorizedKeysFile:
1298 if (*activep && options->num_authkeys_files == 0) {
1299 while ((arg = strdelim(&cp)) && *arg != '\0') {
1300 if (options->num_authkeys_files >=
1302 fatal("%s line %d: "
1303 "too many authorized keys files.",
1305 options->authorized_keys_files[
1306 options->num_authkeys_files++] =
1307 tilde_expand_filename(arg, getuid());
1312 case sAuthorizedPrincipalsFile:
1313 charptr = &options->authorized_principals_file;
1314 arg = strdelim(&cp);
1315 if (!arg || *arg == '\0')
1316 fatal("%s line %d: missing file name.",
1318 if (*activep && *charptr == NULL) {
1319 *charptr = tilde_expand_filename(arg, getuid());
1320 /* increase optional counter */
1322 *intptr = *intptr + 1;
1326 case sClientAliveInterval:
1327 intptr = &options->client_alive_interval;
1330 case sClientAliveCountMax:
1331 intptr = &options->client_alive_count_max;
1335 while ((arg = strdelim(&cp)) && *arg != '\0') {
1336 if (strchr(arg, '=') != NULL)
1337 fatal("%s line %d: Invalid environment name.",
1339 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1340 fatal("%s line %d: too many allow env.",
1344 options->accept_env[options->num_accept_env++] =
1350 intptr = &options->permit_tun;
1351 arg = strdelim(&cp);
1352 if (!arg || *arg == '\0')
1353 fatal("%s line %d: Missing yes/point-to-point/"
1354 "ethernet/no argument.", filename, linenum);
1356 for (i = 0; tunmode_desc[i].val != -1; i++)
1357 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1358 value = tunmode_desc[i].val;
1362 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1363 "no argument: %s", filename, linenum, arg);
1370 fatal("Match directive not supported as a command-line "
1372 value = match_cfg_line(&cp, linenum, user, host, address);
1374 fatal("%s line %d: Bad Match condition", filename,
1380 arg = strdelim(&cp);
1381 if (!arg || *arg == '\0')
1382 fatal("%s line %d: missing PermitOpen specification",
1384 n = options->num_permitted_opens; /* modified later */
1385 if (strcmp(arg, "any") == 0) {
1386 if (*activep && n == -1) {
1387 channel_clear_adm_permitted_opens();
1388 options->num_permitted_opens = 0;
1392 if (*activep && n == -1)
1393 channel_clear_adm_permitted_opens();
1394 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1397 fatal("%s line %d: missing host in PermitOpen",
1399 p = cleanhostname(p);
1400 if (arg == NULL || (port = a2port(arg)) <= 0)
1401 fatal("%s line %d: bad port number in "
1402 "PermitOpen", filename, linenum);
1403 if (*activep && n == -1)
1404 options->num_permitted_opens =
1405 channel_add_adm_permitted_opens(p, port);
1411 fatal("%.200s line %d: Missing argument.", filename,
1413 len = strspn(cp, WHITESPACE);
1414 if (*activep && options->adm_forced_command == NULL)
1415 options->adm_forced_command = xstrdup(cp + len);
1418 case sChrootDirectory:
1419 charptr = &options->chroot_directory;
1421 arg = strdelim(&cp);
1422 if (!arg || *arg == '\0')
1423 fatal("%s line %d: missing file name.",
1425 if (*activep && *charptr == NULL)
1426 *charptr = xstrdup(arg);
1429 case sTrustedUserCAKeys:
1430 charptr = &options->trusted_user_ca_keys;
1431 goto parse_filename;
1434 charptr = &options->revoked_keys_file;
1435 goto parse_filename;
1438 arg = strdelim(&cp);
1439 if ((value = parse_ipqos(arg)) == -1)
1440 fatal("%s line %d: Bad IPQoS value: %s",
1441 filename, linenum, arg);
1442 arg = strdelim(&cp);
1445 else if ((value2 = parse_ipqos(arg)) == -1)
1446 fatal("%s line %d: Bad IPQoS value: %s",
1447 filename, linenum, arg);
1449 options->ip_qos_interactive = value;
1450 options->ip_qos_bulk = value2;
1455 intptr = &options->debian_banner;
1459 logit("%s line %d: Deprecated option %s",
1460 filename, linenum, arg);
1462 arg = strdelim(&cp);
1466 logit("%s line %d: Unsupported option %s",
1467 filename, linenum, arg);
1469 arg = strdelim(&cp);
1473 fatal("%s line %d: Missing handler for opcode %s (%d)",
1474 filename, linenum, arg, opcode);
1476 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1477 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1478 filename, linenum, arg);
1482 /* Reads the server configuration file. */
1485 load_server_config(const char *filename, Buffer *conf)
1487 char line[1024], *cp;
1490 debug2("%s: filename %s", __func__, filename);
1491 if ((f = fopen(filename, "r")) == NULL) {
1496 while (fgets(line, sizeof(line), f)) {
1498 * Trim out comments and strip whitespace
1499 * NB - preserve newlines, they are needed to reproduce
1500 * line numbers later for error messages
1502 if ((cp = strchr(line, '#')) != NULL)
1503 memcpy(cp, "\n", 2);
1504 cp = line + strspn(line, " \t\r");
1506 buffer_append(conf, cp, strlen(cp));
1508 buffer_append(conf, "\0", 1);
1510 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1514 parse_server_match_config(ServerOptions *options, const char *user,
1515 const char *host, const char *address)
1519 initialize_server_options(&mo);
1520 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1521 copy_set_server_options(options, &mo, 0);
1525 #define M_CP_INTOPT(n) do {\
1529 #define M_CP_STROPT(n) do {\
1530 if (src->n != NULL) { \
1531 if (dst->n != NULL) \
1536 #define M_CP_STRARRAYOPT(n, num_n) do {\
1537 if (src->num_n != 0) { \
1538 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1539 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1544 * Copy any supported values that are set.
1546 * If the preauth flag is set, we do not bother copying the string or
1547 * array values that are not used pre-authentication, because any that we
1548 * do use must be explictly sent in mm_getpwnamallow().
1551 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1553 M_CP_INTOPT(password_authentication);
1554 M_CP_INTOPT(gss_authentication);
1555 M_CP_INTOPT(rsa_authentication);
1556 M_CP_INTOPT(pubkey_authentication);
1557 M_CP_INTOPT(kerberos_authentication);
1558 M_CP_INTOPT(hostbased_authentication);
1559 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1560 M_CP_INTOPT(kbd_interactive_authentication);
1561 M_CP_INTOPT(zero_knowledge_password_authentication);
1562 M_CP_INTOPT(permit_root_login);
1563 M_CP_INTOPT(permit_empty_passwd);
1565 M_CP_INTOPT(allow_tcp_forwarding);
1566 M_CP_INTOPT(allow_agent_forwarding);
1567 M_CP_INTOPT(permit_tun);
1568 M_CP_INTOPT(gateway_ports);
1569 M_CP_INTOPT(x11_display_offset);
1570 M_CP_INTOPT(x11_forwarding);
1571 M_CP_INTOPT(x11_use_localhost);
1572 M_CP_INTOPT(max_sessions);
1573 M_CP_INTOPT(max_authtries);
1574 M_CP_INTOPT(ip_qos_interactive);
1575 M_CP_INTOPT(ip_qos_bulk);
1577 /* See comment in servconf.h */
1578 COPY_MATCH_STRING_OPTS();
1581 * The only things that should be below this point are string options
1582 * which are only used after authentication.
1587 M_CP_STROPT(adm_forced_command);
1588 M_CP_STROPT(chroot_directory);
1593 #undef M_CP_STRARRAYOPT
1596 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1597 const char *user, const char *host, const char *address)
1599 int active, linenum, bad_options = 0;
1600 char *cp, *obuf, *cbuf;
1602 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1604 obuf = cbuf = xstrdup(buffer_ptr(conf));
1605 active = user ? 0 : 1;
1607 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1608 if (process_server_config_line(options, cp, filename,
1609 linenum++, &active, user, host, address) != 0)
1613 if (bad_options > 0)
1614 fatal("%s: terminating, %d bad configuration options",
1615 filename, bad_options);
1619 fmt_multistate_int(int val, const struct multistate *m)
1623 for (i = 0; m[i].key != NULL; i++) {
1624 if (m[i].value == val)
1631 fmt_intarg(ServerOpCodes code, int val)
1636 case sAddressFamily:
1637 return fmt_multistate_int(val, multistate_addressfamily);
1638 case sPermitRootLogin:
1639 return fmt_multistate_int(val, multistate_permitrootlogin);
1641 return fmt_multistate_int(val, multistate_gatewayports);
1643 return fmt_multistate_int(val, multistate_compression);
1644 case sUsePrivilegeSeparation:
1645 return fmt_multistate_int(val, multistate_privsep);
1652 case (SSH_PROTO_1|SSH_PROTO_2):
1670 lookup_opcode_name(ServerOpCodes code)
1674 for (i = 0; keywords[i].name != NULL; i++)
1675 if (keywords[i].opcode == code)
1676 return(keywords[i].name);
1681 dump_cfg_int(ServerOpCodes code, int val)
1683 printf("%s %d\n", lookup_opcode_name(code), val);
1687 dump_cfg_fmtint(ServerOpCodes code, int val)
1689 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1693 dump_cfg_string(ServerOpCodes code, const char *val)
1697 printf("%s %s\n", lookup_opcode_name(code), val);
1701 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1705 for (i = 0; i < count; i++)
1706 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1710 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1714 printf("%s", lookup_opcode_name(code));
1715 for (i = 0; i < count; i++)
1716 printf(" %s", vals[i]);
1721 dump_config(ServerOptions *o)
1725 struct addrinfo *ai;
1726 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1728 /* these are usually at the top of the config */
1729 for (i = 0; i < o->num_ports; i++)
1730 printf("port %d\n", o->ports[i]);
1731 dump_cfg_fmtint(sProtocol, o->protocol);
1732 dump_cfg_fmtint(sAddressFamily, o->address_family);
1734 /* ListenAddress must be after Port */
1735 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1736 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1737 sizeof(addr), port, sizeof(port),
1738 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1739 error("getnameinfo failed: %.100s",
1740 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1743 if (ai->ai_family == AF_INET6)
1744 printf("listenaddress [%s]:%s\n", addr, port);
1746 printf("listenaddress %s:%s\n", addr, port);
1750 /* integer arguments */
1752 dump_cfg_int(sUsePAM, o->use_pam);
1754 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1755 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1756 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1757 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1758 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1759 dump_cfg_int(sMaxSessions, o->max_sessions);
1760 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1761 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1763 /* formatted integer arguments */
1764 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1765 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1766 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1767 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1768 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1769 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1770 o->hostbased_uses_name_from_packet_only);
1771 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1772 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1774 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1775 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1776 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1778 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1782 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1783 dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
1784 dump_cfg_fmtint(sGssReqMIC, o->gss_require_mic);
1785 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1786 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
1787 dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
1790 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1791 o->zero_knowledge_password_authentication);
1793 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1794 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1795 o->kbd_interactive_authentication);
1796 dump_cfg_fmtint(sChallengeResponseAuthentication,
1797 o->challenge_response_authentication);
1798 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1799 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1800 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1801 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1802 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1803 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1804 dump_cfg_fmtint(sPermitBlacklistedKeys, o->permit_blacklisted_keys);
1805 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1806 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1807 dump_cfg_fmtint(sUseLogin, o->use_login);
1808 dump_cfg_fmtint(sCompression, o->compression);
1809 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1810 dump_cfg_fmtint(sUseDNS, o->use_dns);
1811 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1812 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1814 /* string arguments */
1815 dump_cfg_string(sPidFile, o->pid_file);
1816 dump_cfg_string(sXAuthLocation, o->xauth_location);
1817 dump_cfg_string(sCiphers, o->ciphers);
1818 dump_cfg_string(sMacs, o->macs);
1819 dump_cfg_string(sBanner, o->banner);
1820 dump_cfg_string(sForceCommand, o->adm_forced_command);
1821 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1822 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1823 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1824 dump_cfg_string(sAuthorizedPrincipalsFile,
1825 o->authorized_principals_file);
1827 /* string arguments requiring a lookup */
1828 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1829 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1831 /* string array arguments */
1832 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
1833 o->authorized_keys_files);
1834 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1836 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1837 o->host_cert_files);
1838 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1839 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1840 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1841 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1842 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1844 /* other arguments */
1845 for (i = 0; i < o->num_subsystems; i++)
1846 printf("subsystem %s %s\n", o->subsystem_name[i],
1847 o->subsystem_args[i]);
1849 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1850 o->max_startups_rate, o->max_startups);
1852 for (i = 0; tunmode_desc[i].val != -1; i++)
1853 if (tunmode_desc[i].val == o->permit_tun) {
1854 s = tunmode_desc[i].text;
1857 dump_cfg_string(sPermitTunnel, s);
1859 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
1860 printf("%s\n", iptos2str(o->ip_qos_bulk));
1862 channel_print_adm_permitted_opens();