1 /* $OpenBSD: servconf.c,v 1.213 2010/11/13 23:27:50 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <netinet/in_systm.h>
20 #include <netinet/ip.h>
32 #include "openbsd-compat/sys-queue.h"
39 #include "pathnames.h"
47 #include "groupaccess.h"
49 static void add_listen_addr(ServerOptions *, char *, int);
50 static void add_one_listen_addr(ServerOptions *, char *, int);
52 /* Use of privilege separation or not */
53 extern int use_privsep;
56 /* Initializes the server options to their default values. */
59 initialize_server_options(ServerOptions *options)
61 memset(options, 0, sizeof(*options));
63 /* Portable-specific options */
64 options->use_pam = -1;
66 /* Standard Options */
67 options->num_ports = 0;
68 options->ports_from_cmdline = 0;
69 options->listen_addrs = NULL;
70 options->address_family = -1;
71 options->num_host_key_files = 0;
72 options->num_host_cert_files = 0;
73 options->pid_file = NULL;
74 options->server_key_bits = -1;
75 options->login_grace_time = -1;
76 options->key_regeneration_time = -1;
77 options->permit_root_login = PERMIT_NOT_SET;
78 options->ignore_rhosts = -1;
79 options->ignore_user_known_hosts = -1;
80 options->print_motd = -1;
81 options->print_lastlog = -1;
82 options->x11_forwarding = -1;
83 options->x11_display_offset = -1;
84 options->x11_use_localhost = -1;
85 options->xauth_location = NULL;
86 options->strict_modes = -1;
87 options->tcp_keep_alive = -1;
88 options->log_facility = SYSLOG_FACILITY_NOT_SET;
89 options->log_level = SYSLOG_LEVEL_NOT_SET;
90 options->rhosts_rsa_authentication = -1;
91 options->hostbased_authentication = -1;
92 options->hostbased_uses_name_from_packet_only = -1;
93 options->rsa_authentication = -1;
94 options->pubkey_authentication = -1;
95 options->kerberos_authentication = -1;
96 options->kerberos_or_local_passwd = -1;
97 options->kerberos_ticket_cleanup = -1;
98 options->kerberos_get_afs_token = -1;
99 options->gss_authentication=-1;
100 options->gss_keyex = -1;
101 options->gss_cleanup_creds = -1;
102 options->gss_strict_acceptor = -1;
103 options->password_authentication = -1;
104 options->kbd_interactive_authentication = -1;
105 options->challenge_response_authentication = -1;
106 options->permit_empty_passwd = -1;
107 options->permit_user_env = -1;
108 options->use_login = -1;
109 options->compression = -1;
110 options->allow_tcp_forwarding = -1;
111 options->allow_agent_forwarding = -1;
112 options->num_allow_users = 0;
113 options->num_deny_users = 0;
114 options->num_allow_groups = 0;
115 options->num_deny_groups = 0;
116 options->ciphers = NULL;
117 options->macs = NULL;
118 options->kex_algorithms = NULL;
119 options->protocol = SSH_PROTO_UNKNOWN;
120 options->gateway_ports = -1;
121 options->num_subsystems = 0;
122 options->max_startups_begin = -1;
123 options->max_startups_rate = -1;
124 options->max_startups = -1;
125 options->max_authtries = -1;
126 options->max_sessions = -1;
127 options->banner = NULL;
128 options->use_dns = -1;
129 options->client_alive_interval = -1;
130 options->client_alive_count_max = -1;
131 options->authorized_keys_file = NULL;
132 options->authorized_keys_file2 = NULL;
133 options->num_accept_env = 0;
134 options->permit_tun = -1;
135 options->num_permitted_opens = -1;
136 options->adm_forced_command = NULL;
137 options->chroot_directory = NULL;
138 options->zero_knowledge_password_authentication = -1;
139 options->revoked_keys_file = NULL;
140 options->trusted_user_ca_keys = NULL;
141 options->authorized_principals_file = NULL;
142 options->ip_qos_interactive = -1;
143 options->ip_qos_bulk = -1;
147 fill_default_server_options(ServerOptions *options)
149 /* Portable-specific options */
150 if (options->use_pam == -1)
151 options->use_pam = 0;
153 /* Standard Options */
154 if (options->protocol == SSH_PROTO_UNKNOWN)
155 options->protocol = SSH_PROTO_2;
156 if (options->num_host_key_files == 0) {
157 /* fill default hostkeys for protocols */
158 if (options->protocol & SSH_PROTO_1)
159 options->host_key_files[options->num_host_key_files++] =
161 if (options->protocol & SSH_PROTO_2) {
162 options->host_key_files[options->num_host_key_files++] =
163 _PATH_HOST_RSA_KEY_FILE;
164 options->host_key_files[options->num_host_key_files++] =
165 _PATH_HOST_DSA_KEY_FILE;
166 #ifdef OPENSSL_HAS_ECC
167 options->host_key_files[options->num_host_key_files++] =
168 _PATH_HOST_ECDSA_KEY_FILE;
172 /* No certificates by default */
173 if (options->num_ports == 0)
174 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
175 if (options->listen_addrs == NULL)
176 add_listen_addr(options, NULL, 0);
177 if (options->pid_file == NULL)
178 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
179 if (options->server_key_bits == -1)
180 options->server_key_bits = 1024;
181 if (options->login_grace_time == -1)
182 options->login_grace_time = 120;
183 if (options->key_regeneration_time == -1)
184 options->key_regeneration_time = 3600;
185 if (options->permit_root_login == PERMIT_NOT_SET)
186 options->permit_root_login = PERMIT_YES;
187 if (options->ignore_rhosts == -1)
188 options->ignore_rhosts = 1;
189 if (options->ignore_user_known_hosts == -1)
190 options->ignore_user_known_hosts = 0;
191 if (options->print_motd == -1)
192 options->print_motd = 1;
193 if (options->print_lastlog == -1)
194 options->print_lastlog = 1;
195 if (options->x11_forwarding == -1)
196 options->x11_forwarding = 0;
197 if (options->x11_display_offset == -1)
198 options->x11_display_offset = 10;
199 if (options->x11_use_localhost == -1)
200 options->x11_use_localhost = 1;
201 if (options->xauth_location == NULL)
202 options->xauth_location = _PATH_XAUTH;
203 if (options->strict_modes == -1)
204 options->strict_modes = 1;
205 if (options->tcp_keep_alive == -1)
206 options->tcp_keep_alive = 1;
207 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
208 options->log_facility = SYSLOG_FACILITY_AUTH;
209 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
210 options->log_level = SYSLOG_LEVEL_INFO;
211 if (options->rhosts_rsa_authentication == -1)
212 options->rhosts_rsa_authentication = 0;
213 if (options->hostbased_authentication == -1)
214 options->hostbased_authentication = 0;
215 if (options->hostbased_uses_name_from_packet_only == -1)
216 options->hostbased_uses_name_from_packet_only = 0;
217 if (options->rsa_authentication == -1)
218 options->rsa_authentication = 1;
219 if (options->pubkey_authentication == -1)
220 options->pubkey_authentication = 1;
221 if (options->kerberos_authentication == -1)
222 options->kerberos_authentication = 0;
223 if (options->kerberos_or_local_passwd == -1)
224 options->kerberos_or_local_passwd = 1;
225 if (options->kerberos_ticket_cleanup == -1)
226 options->kerberos_ticket_cleanup = 1;
227 if (options->kerberos_get_afs_token == -1)
228 options->kerberos_get_afs_token = 0;
229 if (options->gss_authentication == -1)
230 options->gss_authentication = 0;
231 if (options->gss_keyex == -1)
232 options->gss_keyex = 0;
233 if (options->gss_cleanup_creds == -1)
234 options->gss_cleanup_creds = 1;
235 if (options->gss_strict_acceptor == -1)
236 options->gss_strict_acceptor = 1;
237 if (options->password_authentication == -1)
238 options->password_authentication = 1;
239 if (options->kbd_interactive_authentication == -1)
240 options->kbd_interactive_authentication = 0;
241 if (options->challenge_response_authentication == -1)
242 options->challenge_response_authentication = 1;
243 if (options->permit_empty_passwd == -1)
244 options->permit_empty_passwd = 0;
245 if (options->permit_user_env == -1)
246 options->permit_user_env = 0;
247 if (options->use_login == -1)
248 options->use_login = 0;
249 if (options->compression == -1)
250 options->compression = COMP_DELAYED;
251 if (options->allow_tcp_forwarding == -1)
252 options->allow_tcp_forwarding = 1;
253 if (options->allow_agent_forwarding == -1)
254 options->allow_agent_forwarding = 1;
255 if (options->gateway_ports == -1)
256 options->gateway_ports = 0;
257 if (options->max_startups == -1)
258 options->max_startups = 10;
259 if (options->max_startups_rate == -1)
260 options->max_startups_rate = 100; /* 100% */
261 if (options->max_startups_begin == -1)
262 options->max_startups_begin = options->max_startups;
263 if (options->max_authtries == -1)
264 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
265 if (options->max_sessions == -1)
266 options->max_sessions = DEFAULT_SESSIONS_MAX;
267 if (options->use_dns == -1)
268 options->use_dns = 1;
269 if (options->client_alive_interval == -1)
270 options->client_alive_interval = 0;
271 if (options->client_alive_count_max == -1)
272 options->client_alive_count_max = 3;
273 if (options->authorized_keys_file2 == NULL) {
274 /* authorized_keys_file2 falls back to authorized_keys_file */
275 if (options->authorized_keys_file != NULL)
276 options->authorized_keys_file2 = xstrdup(options->authorized_keys_file);
278 options->authorized_keys_file2 = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
280 if (options->authorized_keys_file == NULL)
281 options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
282 if (options->permit_tun == -1)
283 options->permit_tun = SSH_TUNMODE_NO;
284 if (options->zero_knowledge_password_authentication == -1)
285 options->zero_knowledge_password_authentication = 0;
286 if (options->ip_qos_interactive == -1)
287 options->ip_qos_interactive = IPTOS_LOWDELAY;
288 if (options->ip_qos_bulk == -1)
289 options->ip_qos_bulk = IPTOS_THROUGHPUT;
291 /* Turn privilege separation on by default */
292 if (use_privsep == -1)
296 if (use_privsep && options->compression == 1) {
297 error("This platform does not support both privilege "
298 "separation and compression");
299 error("Compression disabled");
300 options->compression = 0;
306 /* Keyword tokens. */
308 sBadOption, /* == unknown option */
309 /* Portable-specific options */
311 /* Standard Options */
312 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
313 sPermitRootLogin, sLogFacility, sLogLevel,
314 sRhostsRSAAuthentication, sRSAAuthentication,
315 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
316 sKerberosGetAFSToken,
317 sKerberosTgtPassing, sChallengeResponseAuthentication,
318 sPasswordAuthentication, sKbdInteractiveAuthentication,
319 sListenAddress, sAddressFamily,
320 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
321 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
322 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
323 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
324 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
325 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
326 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
327 sMaxStartups, sMaxAuthTries, sMaxSessions,
328 sBanner, sUseDNS, sHostbasedAuthentication,
329 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
330 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
331 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
333 sAcceptEnv, sPermitTunnel,
334 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
335 sUsePrivilegeSeparation, sAllowAgentForwarding,
336 sZeroKnowledgePasswordAuthentication, sHostCertificate,
337 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
338 sKexAlgorithms, sIPQoS,
339 sDeprecated, sUnsupported
342 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
343 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
344 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
346 /* Textual representation of the tokens. */
349 ServerOpCodes opcode;
352 /* Portable-specific options */
354 { "usepam", sUsePAM, SSHCFG_GLOBAL },
356 { "usepam", sUnsupported, SSHCFG_GLOBAL },
358 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
359 /* Standard Options */
360 { "port", sPort, SSHCFG_GLOBAL },
361 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
362 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
363 { "pidfile", sPidFile, SSHCFG_GLOBAL },
364 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
365 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
366 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
367 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
368 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
369 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
370 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
371 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
372 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
373 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
374 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
375 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
376 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
378 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
379 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
380 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
382 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
384 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
387 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
388 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
389 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
390 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
392 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
393 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
395 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
396 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
397 { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
398 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
399 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
401 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
402 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
403 { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
404 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
405 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
407 { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
408 { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
409 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
410 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
411 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
412 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
414 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
416 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
418 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
419 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
420 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
421 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
422 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
423 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
424 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
425 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
426 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
427 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
428 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
429 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
430 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
431 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
432 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
433 { "compression", sCompression, SSHCFG_GLOBAL },
434 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
435 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
436 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
437 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
438 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
439 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
440 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
441 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
442 { "ciphers", sCiphers, SSHCFG_GLOBAL },
443 { "macs", sMacs, SSHCFG_GLOBAL },
444 { "protocol", sProtocol, SSHCFG_GLOBAL },
445 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
446 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
447 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
448 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
449 { "maxsessions", sMaxSessions, SSHCFG_ALL },
450 { "banner", sBanner, SSHCFG_ALL },
451 { "usedns", sUseDNS, SSHCFG_GLOBAL },
452 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
453 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
454 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
455 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
456 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
457 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
458 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
459 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
460 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
461 { "match", sMatch, SSHCFG_ALL },
462 { "permitopen", sPermitOpen, SSHCFG_ALL },
463 { "forcecommand", sForceCommand, SSHCFG_ALL },
464 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
465 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
466 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
467 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
468 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
469 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
470 { "ipqos", sIPQoS, SSHCFG_ALL },
471 { NULL, sBadOption, 0 }
478 { SSH_TUNMODE_NO, "no" },
479 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
480 { SSH_TUNMODE_ETHERNET, "ethernet" },
481 { SSH_TUNMODE_YES, "yes" },
486 * Returns the number of the token pointed to by cp or sBadOption.
490 parse_token(const char *cp, const char *filename,
491 int linenum, u_int *flags)
495 for (i = 0; keywords[i].name; i++)
496 if (strcasecmp(cp, keywords[i].name) == 0) {
497 *flags = keywords[i].flags;
498 return keywords[i].opcode;
501 error("%s: line %d: Bad configuration option: %s",
502 filename, linenum, cp);
507 derelativise_path(const char *path)
509 char *expanded, *ret, cwd[MAXPATHLEN];
511 expanded = tilde_expand_filename(path, getuid());
512 if (*expanded == '/')
514 if (getcwd(cwd, sizeof(cwd)) == NULL)
515 fatal("%s: getcwd: %s", __func__, strerror(errno));
516 xasprintf(&ret, "%s/%s", cwd, expanded);
522 add_listen_addr(ServerOptions *options, char *addr, int port)
526 if (options->num_ports == 0)
527 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
528 if (options->address_family == -1)
529 options->address_family = AF_UNSPEC;
531 for (i = 0; i < options->num_ports; i++)
532 add_one_listen_addr(options, addr, options->ports[i]);
534 add_one_listen_addr(options, addr, port);
538 add_one_listen_addr(ServerOptions *options, char *addr, int port)
540 struct addrinfo hints, *ai, *aitop;
541 char strport[NI_MAXSERV];
544 memset(&hints, 0, sizeof(hints));
545 hints.ai_family = options->address_family;
546 hints.ai_socktype = SOCK_STREAM;
547 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
548 snprintf(strport, sizeof strport, "%d", port);
549 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
550 fatal("bad addr or host: %s (%s)",
551 addr ? addr : "<NULL>",
552 ssh_gai_strerror(gaierr));
553 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
555 ai->ai_next = options->listen_addrs;
556 options->listen_addrs = aitop;
560 * The strategy for the Match blocks is that the config file is parsed twice.
562 * The first time is at startup. activep is initialized to 1 and the
563 * directives in the global context are processed and acted on. Hitting a
564 * Match directive unsets activep and the directives inside the block are
565 * checked for syntax only.
567 * The second time is after a connection has been established but before
568 * authentication. activep is initialized to 2 and global config directives
569 * are ignored since they have already been processed. If the criteria in a
570 * Match block is met, activep is set and the subsequent directives
571 * processed and actioned until EOF or another Match block unsets it. Any
572 * options set are copied into the main server config.
574 * Potential additions/improvements:
575 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
577 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
578 * Match Address 192.168.0.*
583 * AllowTcpForwarding yes
584 * GatewayPorts clientspecified
587 * - Add a PermittedChannelRequests directive
589 * PermittedChannelRequests session,forwarded-tcpip
593 match_cfg_line_group(const char *grps, int line, const char *user)
601 if ((pw = getpwnam(user)) == NULL) {
602 debug("Can't match group at line %d because user %.100s does "
603 "not exist", line, user);
604 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
605 debug("Can't Match group because user %.100s not in any group "
606 "at line %d", user, line);
607 } else if (ga_match_pattern_list(grps) != 1) {
608 debug("user %.100s does not match group list %.100s at line %d",
611 debug("user %.100s matched group list %.100s at line %d", user,
621 match_cfg_line(char **condition, int line, const char *user, const char *host,
625 char *arg, *attrib, *cp = *condition;
629 debug3("checking syntax for 'Match %s'", cp);
631 debug3("checking match for '%s' user %s host %s addr %s", cp,
632 user ? user : "(null)", host ? host : "(null)",
633 address ? address : "(null)");
635 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
636 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
637 error("Missing Match criteria for %s", attrib);
641 if (strcasecmp(attrib, "user") == 0) {
646 if (match_pattern_list(user, arg, len, 0) != 1)
649 debug("user %.100s matched 'User %.100s' at "
650 "line %d", user, arg, line);
651 } else if (strcasecmp(attrib, "group") == 0) {
652 switch (match_cfg_line_group(arg, line, user)) {
658 } else if (strcasecmp(attrib, "host") == 0) {
663 if (match_hostname(host, arg, len) != 1)
666 debug("connection from %.100s matched 'Host "
667 "%.100s' at line %d", host, arg, line);
668 } else if (strcasecmp(attrib, "address") == 0) {
669 switch (addr_match_list(address, arg)) {
671 debug("connection from %.100s matched 'Address "
672 "%.100s' at line %d", address, arg, line);
682 error("Unsupported Match attribute %s", attrib);
687 debug3("match %sfound", result ? "" : "not ");
692 #define WHITESPACE " \t\r\n"
695 process_server_config_line(ServerOptions *options, char *line,
696 const char *filename, int linenum, int *activep, const char *user,
697 const char *host, const char *address)
699 char *cp, **charptr, *arg, *p;
700 int cmdline = 0, *intptr, value, value2, n;
701 SyslogFacility *log_facility_ptr;
702 LogLevel *log_level_ptr;
703 ServerOpCodes opcode;
709 if ((arg = strdelim(&cp)) == NULL)
711 /* Ignore leading whitespace */
714 if (!arg || !*arg || *arg == '#')
718 opcode = parse_token(arg, filename, linenum, &flags);
720 if (activep == NULL) { /* We are processing a command line directive */
724 if (*activep && opcode != sMatch)
725 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
726 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
728 fatal("%s line %d: Directive '%s' is not allowed "
729 "within a Match block", filename, linenum, arg);
730 } else { /* this is a directive we have already processed */
738 /* Portable-specific options */
740 intptr = &options->use_pam;
743 /* Standard Options */
747 /* ignore ports from configfile if cmdline specifies ports */
748 if (options->ports_from_cmdline)
750 if (options->listen_addrs != NULL)
751 fatal("%s line %d: ports must be specified before "
752 "ListenAddress.", filename, linenum);
753 if (options->num_ports >= MAX_PORTS)
754 fatal("%s line %d: too many ports.",
757 if (!arg || *arg == '\0')
758 fatal("%s line %d: missing port number.",
760 options->ports[options->num_ports++] = a2port(arg);
761 if (options->ports[options->num_ports-1] <= 0)
762 fatal("%s line %d: Badly formatted port number.",
767 intptr = &options->server_key_bits;
770 if (!arg || *arg == '\0')
771 fatal("%s line %d: missing integer value.",
774 if (*activep && *intptr == -1)
778 case sLoginGraceTime:
779 intptr = &options->login_grace_time;
782 if (!arg || *arg == '\0')
783 fatal("%s line %d: missing time value.",
785 if ((value = convtime(arg)) == -1)
786 fatal("%s line %d: invalid time value.",
792 case sKeyRegenerationTime:
793 intptr = &options->key_regeneration_time;
798 if (arg == NULL || *arg == '\0')
799 fatal("%s line %d: missing address",
801 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
802 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
803 && strchr(p+1, ':') != NULL) {
804 add_listen_addr(options, arg, 0);
809 fatal("%s line %d: bad address:port usage",
811 p = cleanhostname(p);
814 else if ((port = a2port(arg)) <= 0)
815 fatal("%s line %d: bad port number", filename, linenum);
817 add_listen_addr(options, p, port);
823 if (!arg || *arg == '\0')
824 fatal("%s line %d: missing address family.",
826 intptr = &options->address_family;
827 if (options->listen_addrs != NULL)
828 fatal("%s line %d: address family must be specified before "
829 "ListenAddress.", filename, linenum);
830 if (strcasecmp(arg, "inet") == 0)
832 else if (strcasecmp(arg, "inet6") == 0)
834 else if (strcasecmp(arg, "any") == 0)
837 fatal("%s line %d: unsupported address family \"%s\".",
838 filename, linenum, arg);
844 intptr = &options->num_host_key_files;
845 if (*intptr >= MAX_HOSTKEYS)
846 fatal("%s line %d: too many host keys specified (max %d).",
847 filename, linenum, MAX_HOSTKEYS);
848 charptr = &options->host_key_files[*intptr];
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: missing file name.",
854 if (*activep && *charptr == NULL) {
855 *charptr = derelativise_path(arg);
856 /* increase optional counter */
858 *intptr = *intptr + 1;
862 case sHostCertificate:
863 intptr = &options->num_host_cert_files;
864 if (*intptr >= MAX_HOSTKEYS)
865 fatal("%s line %d: too many host certificates "
866 "specified (max %d).", filename, linenum,
868 charptr = &options->host_cert_files[*intptr];
873 charptr = &options->pid_file;
876 case sPermitRootLogin:
877 intptr = &options->permit_root_login;
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: missing yes/"
881 "without-password/forced-commands-only/no "
882 "argument.", filename, linenum);
883 value = 0; /* silence compiler */
884 if (strcmp(arg, "without-password") == 0)
885 value = PERMIT_NO_PASSWD;
886 else if (strcmp(arg, "forced-commands-only") == 0)
887 value = PERMIT_FORCED_ONLY;
888 else if (strcmp(arg, "yes") == 0)
890 else if (strcmp(arg, "no") == 0)
893 fatal("%s line %d: Bad yes/"
894 "without-password/forced-commands-only/no "
895 "argument: %s", filename, linenum, arg);
896 if (*activep && *intptr == -1)
901 intptr = &options->ignore_rhosts;
904 if (!arg || *arg == '\0')
905 fatal("%s line %d: missing yes/no argument.",
907 value = 0; /* silence compiler */
908 if (strcmp(arg, "yes") == 0)
910 else if (strcmp(arg, "no") == 0)
913 fatal("%s line %d: Bad yes/no argument: %s",
914 filename, linenum, arg);
915 if (*activep && *intptr == -1)
919 case sIgnoreUserKnownHosts:
920 intptr = &options->ignore_user_known_hosts;
923 case sRhostsRSAAuthentication:
924 intptr = &options->rhosts_rsa_authentication;
927 case sHostbasedAuthentication:
928 intptr = &options->hostbased_authentication;
931 case sHostbasedUsesNameFromPacketOnly:
932 intptr = &options->hostbased_uses_name_from_packet_only;
935 case sRSAAuthentication:
936 intptr = &options->rsa_authentication;
939 case sPubkeyAuthentication:
940 intptr = &options->pubkey_authentication;
943 case sKerberosAuthentication:
944 intptr = &options->kerberos_authentication;
947 case sKerberosOrLocalPasswd:
948 intptr = &options->kerberos_or_local_passwd;
951 case sKerberosTicketCleanup:
952 intptr = &options->kerberos_ticket_cleanup;
955 case sKerberosGetAFSToken:
956 intptr = &options->kerberos_get_afs_token;
959 case sGssAuthentication:
960 intptr = &options->gss_authentication;
964 intptr = &options->gss_keyex;
967 case sGssCleanupCreds:
968 intptr = &options->gss_cleanup_creds;
971 case sGssStrictAcceptor:
972 intptr = &options->gss_strict_acceptor;
975 case sPasswordAuthentication:
976 intptr = &options->password_authentication;
979 case sZeroKnowledgePasswordAuthentication:
980 intptr = &options->zero_knowledge_password_authentication;
983 case sKbdInteractiveAuthentication:
984 intptr = &options->kbd_interactive_authentication;
987 case sChallengeResponseAuthentication:
988 intptr = &options->challenge_response_authentication;
992 intptr = &options->print_motd;
996 intptr = &options->print_lastlog;
1000 intptr = &options->x11_forwarding;
1003 case sX11DisplayOffset:
1004 intptr = &options->x11_display_offset;
1007 case sX11UseLocalhost:
1008 intptr = &options->x11_use_localhost;
1011 case sXAuthLocation:
1012 charptr = &options->xauth_location;
1013 goto parse_filename;
1016 intptr = &options->strict_modes;
1020 intptr = &options->tcp_keep_alive;
1024 intptr = &options->permit_empty_passwd;
1027 case sPermitUserEnvironment:
1028 intptr = &options->permit_user_env;
1032 intptr = &options->use_login;
1036 intptr = &options->compression;
1037 arg = strdelim(&cp);
1038 if (!arg || *arg == '\0')
1039 fatal("%s line %d: missing yes/no/delayed "
1040 "argument.", filename, linenum);
1041 value = 0; /* silence compiler */
1042 if (strcmp(arg, "delayed") == 0)
1043 value = COMP_DELAYED;
1044 else if (strcmp(arg, "yes") == 0)
1046 else if (strcmp(arg, "no") == 0)
1049 fatal("%s line %d: Bad yes/no/delayed "
1050 "argument: %s", filename, linenum, arg);
1056 intptr = &options->gateway_ports;
1057 arg = strdelim(&cp);
1058 if (!arg || *arg == '\0')
1059 fatal("%s line %d: missing yes/no/clientspecified "
1060 "argument.", filename, linenum);
1061 value = 0; /* silence compiler */
1062 if (strcmp(arg, "clientspecified") == 0)
1064 else if (strcmp(arg, "yes") == 0)
1066 else if (strcmp(arg, "no") == 0)
1069 fatal("%s line %d: Bad yes/no/clientspecified "
1070 "argument: %s", filename, linenum, arg);
1071 if (*activep && *intptr == -1)
1076 intptr = &options->use_dns;
1080 log_facility_ptr = &options->log_facility;
1081 arg = strdelim(&cp);
1082 value = log_facility_number(arg);
1083 if (value == SYSLOG_FACILITY_NOT_SET)
1084 fatal("%.200s line %d: unsupported log facility '%s'",
1085 filename, linenum, arg ? arg : "<NONE>");
1086 if (*log_facility_ptr == -1)
1087 *log_facility_ptr = (SyslogFacility) value;
1091 log_level_ptr = &options->log_level;
1092 arg = strdelim(&cp);
1093 value = log_level_number(arg);
1094 if (value == SYSLOG_LEVEL_NOT_SET)
1095 fatal("%.200s line %d: unsupported log level '%s'",
1096 filename, linenum, arg ? arg : "<NONE>");
1097 if (*log_level_ptr == -1)
1098 *log_level_ptr = (LogLevel) value;
1101 case sAllowTcpForwarding:
1102 intptr = &options->allow_tcp_forwarding;
1105 case sAllowAgentForwarding:
1106 intptr = &options->allow_agent_forwarding;
1109 case sUsePrivilegeSeparation:
1110 intptr = &use_privsep;
1114 while ((arg = strdelim(&cp)) && *arg != '\0') {
1115 if (options->num_allow_users >= MAX_ALLOW_USERS)
1116 fatal("%s line %d: too many allow users.",
1118 options->allow_users[options->num_allow_users++] =
1124 while ((arg = strdelim(&cp)) && *arg != '\0') {
1125 if (options->num_deny_users >= MAX_DENY_USERS)
1126 fatal("%s line %d: too many deny users.",
1128 options->deny_users[options->num_deny_users++] =
1134 while ((arg = strdelim(&cp)) && *arg != '\0') {
1135 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1136 fatal("%s line %d: too many allow groups.",
1138 options->allow_groups[options->num_allow_groups++] =
1144 while ((arg = strdelim(&cp)) && *arg != '\0') {
1145 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1146 fatal("%s line %d: too many deny groups.",
1148 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1153 arg = strdelim(&cp);
1154 if (!arg || *arg == '\0')
1155 fatal("%s line %d: Missing argument.", filename, linenum);
1156 if (!ciphers_valid(arg))
1157 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1158 filename, linenum, arg ? arg : "<NONE>");
1159 if (options->ciphers == NULL)
1160 options->ciphers = xstrdup(arg);
1164 arg = strdelim(&cp);
1165 if (!arg || *arg == '\0')
1166 fatal("%s line %d: Missing argument.", filename, linenum);
1167 if (!mac_valid(arg))
1168 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1169 filename, linenum, arg ? arg : "<NONE>");
1170 if (options->macs == NULL)
1171 options->macs = xstrdup(arg);
1174 case sKexAlgorithms:
1175 arg = strdelim(&cp);
1176 if (!arg || *arg == '\0')
1177 fatal("%s line %d: Missing argument.",
1179 if (!kex_names_valid(arg))
1180 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1181 filename, linenum, arg ? arg : "<NONE>");
1182 if (options->kex_algorithms == NULL)
1183 options->kex_algorithms = xstrdup(arg);
1187 intptr = &options->protocol;
1188 arg = strdelim(&cp);
1189 if (!arg || *arg == '\0')
1190 fatal("%s line %d: Missing argument.", filename, linenum);
1191 value = proto_spec(arg);
1192 if (value == SSH_PROTO_UNKNOWN)
1193 fatal("%s line %d: Bad protocol spec '%s'.",
1194 filename, linenum, arg ? arg : "<NONE>");
1195 if (*intptr == SSH_PROTO_UNKNOWN)
1200 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1201 fatal("%s line %d: too many subsystems defined.",
1204 arg = strdelim(&cp);
1205 if (!arg || *arg == '\0')
1206 fatal("%s line %d: Missing subsystem name.",
1209 arg = strdelim(&cp);
1212 for (i = 0; i < options->num_subsystems; i++)
1213 if (strcmp(arg, options->subsystem_name[i]) == 0)
1214 fatal("%s line %d: Subsystem '%s' already defined.",
1215 filename, linenum, arg);
1216 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1217 arg = strdelim(&cp);
1218 if (!arg || *arg == '\0')
1219 fatal("%s line %d: Missing subsystem command.",
1221 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1223 /* Collect arguments (separate to executable) */
1225 len = strlen(p) + 1;
1226 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1227 len += 1 + strlen(arg);
1228 p = xrealloc(p, 1, len);
1229 strlcat(p, " ", len);
1230 strlcat(p, arg, len);
1232 options->subsystem_args[options->num_subsystems] = p;
1233 options->num_subsystems++;
1237 arg = strdelim(&cp);
1238 if (!arg || *arg == '\0')
1239 fatal("%s line %d: Missing MaxStartups spec.",
1241 if ((n = sscanf(arg, "%d:%d:%d",
1242 &options->max_startups_begin,
1243 &options->max_startups_rate,
1244 &options->max_startups)) == 3) {
1245 if (options->max_startups_begin >
1246 options->max_startups ||
1247 options->max_startups_rate > 100 ||
1248 options->max_startups_rate < 1)
1249 fatal("%s line %d: Illegal MaxStartups spec.",
1252 fatal("%s line %d: Illegal MaxStartups spec.",
1255 options->max_startups = options->max_startups_begin;
1259 intptr = &options->max_authtries;
1263 intptr = &options->max_sessions;
1267 charptr = &options->banner;
1268 goto parse_filename;
1271 * These options can contain %X options expanded at
1272 * connect time, so that you can specify paths like:
1274 * AuthorizedKeysFile /etc/ssh_keys/%u
1276 case sAuthorizedKeysFile:
1277 charptr = &options->authorized_keys_file;
1278 goto parse_tilde_filename;
1279 case sAuthorizedKeysFile2:
1280 charptr = &options->authorized_keys_file2;
1281 goto parse_tilde_filename;
1282 case sAuthorizedPrincipalsFile:
1283 charptr = &options->authorized_principals_file;
1284 parse_tilde_filename:
1285 arg = strdelim(&cp);
1286 if (!arg || *arg == '\0')
1287 fatal("%s line %d: missing file name.",
1289 if (*activep && *charptr == NULL) {
1290 *charptr = tilde_expand_filename(arg, getuid());
1291 /* increase optional counter */
1293 *intptr = *intptr + 1;
1297 case sClientAliveInterval:
1298 intptr = &options->client_alive_interval;
1301 case sClientAliveCountMax:
1302 intptr = &options->client_alive_count_max;
1306 while ((arg = strdelim(&cp)) && *arg != '\0') {
1307 if (strchr(arg, '=') != NULL)
1308 fatal("%s line %d: Invalid environment name.",
1310 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1311 fatal("%s line %d: too many allow env.",
1315 options->accept_env[options->num_accept_env++] =
1321 intptr = &options->permit_tun;
1322 arg = strdelim(&cp);
1323 if (!arg || *arg == '\0')
1324 fatal("%s line %d: Missing yes/point-to-point/"
1325 "ethernet/no argument.", filename, linenum);
1327 for (i = 0; tunmode_desc[i].val != -1; i++)
1328 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1329 value = tunmode_desc[i].val;
1333 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1334 "no argument: %s", filename, linenum, arg);
1341 fatal("Match directive not supported as a command-line "
1343 value = match_cfg_line(&cp, linenum, user, host, address);
1345 fatal("%s line %d: Bad Match condition", filename,
1351 arg = strdelim(&cp);
1352 if (!arg || *arg == '\0')
1353 fatal("%s line %d: missing PermitOpen specification",
1355 n = options->num_permitted_opens; /* modified later */
1356 if (strcmp(arg, "any") == 0) {
1357 if (*activep && n == -1) {
1358 channel_clear_adm_permitted_opens();
1359 options->num_permitted_opens = 0;
1363 if (*activep && n == -1)
1364 channel_clear_adm_permitted_opens();
1365 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1368 fatal("%s line %d: missing host in PermitOpen",
1370 p = cleanhostname(p);
1371 if (arg == NULL || (port = a2port(arg)) <= 0)
1372 fatal("%s line %d: bad port number in "
1373 "PermitOpen", filename, linenum);
1374 if (*activep && n == -1)
1375 options->num_permitted_opens =
1376 channel_add_adm_permitted_opens(p, port);
1382 fatal("%.200s line %d: Missing argument.", filename,
1384 len = strspn(cp, WHITESPACE);
1385 if (*activep && options->adm_forced_command == NULL)
1386 options->adm_forced_command = xstrdup(cp + len);
1389 case sChrootDirectory:
1390 charptr = &options->chroot_directory;
1392 arg = strdelim(&cp);
1393 if (!arg || *arg == '\0')
1394 fatal("%s line %d: missing file name.",
1396 if (*activep && *charptr == NULL)
1397 *charptr = xstrdup(arg);
1400 case sTrustedUserCAKeys:
1401 charptr = &options->trusted_user_ca_keys;
1402 goto parse_filename;
1405 charptr = &options->revoked_keys_file;
1406 goto parse_filename;
1409 arg = strdelim(&cp);
1410 if ((value = parse_ipqos(arg)) == -1)
1411 fatal("%s line %d: Bad IPQoS value: %s",
1412 filename, linenum, arg);
1413 arg = strdelim(&cp);
1416 else if ((value2 = parse_ipqos(arg)) == -1)
1417 fatal("%s line %d: Bad IPQoS value: %s",
1418 filename, linenum, arg);
1420 options->ip_qos_interactive = value;
1421 options->ip_qos_bulk = value2;
1426 logit("%s line %d: Deprecated option %s",
1427 filename, linenum, arg);
1429 arg = strdelim(&cp);
1433 logit("%s line %d: Unsupported option %s",
1434 filename, linenum, arg);
1436 arg = strdelim(&cp);
1440 fatal("%s line %d: Missing handler for opcode %s (%d)",
1441 filename, linenum, arg, opcode);
1443 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1444 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1445 filename, linenum, arg);
1449 /* Reads the server configuration file. */
/*
 * load_server_config: read the configuration file named by `filename` and
 * append its trimmed text to `conf`.
 *
 * Each physical line is read with fgets() into a 1024-byte buffer, so a line
 * longer than 1023 bytes arrives in several pieces and the trimming below is
 * applied to each piece on its own.  Everything from the first '#' to the end
 * of the line is discarded -- a '#' inside an option value therefore also
 * truncates that line -- and leading blanks, tabs and CRs are skipped.  The
 * newline is deliberately kept so that the parser can reproduce line numbers
 * in its error messages.  The collected text is terminated with a NUL so it
 * can be handled as a C string later.
 *
 * The fopen() failure branch and the matching fclose() are not visible in
 * this listing -- TODO confirm both are present.
 */
1452 load_server_config(const char *filename, Buffer *conf)
1454 char line[1024], *cp;
1457 debug2("%s: filename %s", __func__, filename);
1458 if ((f = fopen(filename, "r")) == NULL) {
1463 while (fgets(line, sizeof(line), f)) {
1465 * Trim out comments and strip whitespace
1466 * NB - preserve newlines, they are needed to reproduce
1467 * line numbers later for error messages
/* Replace the '#' with "\n\0": drops the comment but keeps the line break. */
1469 if ((cp = strchr(line, '#')) != NULL)
1470 memcpy(cp, "\n", 2);
1471 cp = line + strspn(line, " \t\r");
/* strlen() stops at the first NUL, so an embedded NUL would truncate the line. */
1473 buffer_append(conf, cp, strlen(cp));
1475 buffer_append(conf, "\0", 1);
1477 debug2("%s: done config len = %d", __func__, buffer_len(conf));
/*
 * parse_server_match_config: re-run the Match-aware parse for one specific
 * connection (user/host/address) and merge the options that a Match block may
 * override into `options`.
 *
 * `mo` and `cfg` are not declared within this listing: `mo` is presumably a
 * local ServerOptions that receives the re-parse result and `cfg` the saved
 * configuration buffer -- verify.  The final argument 0 to
 * copy_set_server_options() requests the full (non-preauth) copy; see that
 * function's header comment for what the preauth flag omits.
 */
1481 parse_server_match_config(ServerOptions *options, const char *user,
1482 const char *host, const char *address)
1486 initialize_server_options(&mo);
1487 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1488 copy_set_server_options(options, &mo, 0);
/*
 * Field-copy helpers for copy_set_server_options(): M_CP_INTOPT(n) copies the
 * integer member n and M_CP_STROPT(n) the string member n from src to dst.
 * Only part of each macro body is visible in this listing.  From what is
 * shown, M_CP_STROPT acts only when src->n is set, and does something with an
 * existing dst->n before overwriting it -- presumably releasing it; confirm
 * against the full definition.
 */
1492 #define M_CP_INTOPT(n) do {\
1496 #define M_CP_STROPT(n) do {\
1497 if (src->n != NULL) { \
1498 if (dst->n != NULL) \
1505 * Copy any supported values that are set.
1507 * If the preauth flag is set, we do not bother copying the string or
1508 * array values that are not used pre-authentication, because any that we
1509 * do use must be explicitly sent in mm_getpwnamallow().
/*
 * copy_set_server_options: apply the values that a Match block set in `src`
 * on top of `dst`.  The members listed here are therefore exactly the options
 * a Match block is able to override; anything not in this list is ignored
 * even if the Match block names it.
 *
 * Integer options go through M_CP_INTOPT and string options through
 * M_CP_STROPT, which (per the partial macro text above) copies only when
 * src->n is non-NULL.  The integer group is copied first; the preauth early
 * return described in the comment above is not visible in this listing --
 * presumably it sits between `banner` and `adm_forced_command`, verify.
 *
 * dst:     the connection's effective options, updated in place.
 * src:     options produced by re-parsing the config with Match conditions.
 * preauth: nonzero when called before authentication (see comment above).
 */
1512 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
/* Authentication-method switches: these decide which auth paths are offered. */
1514 M_CP_INTOPT(password_authentication);
1515 M_CP_INTOPT(gss_authentication);
1516 M_CP_INTOPT(rsa_authentication);
1517 M_CP_INTOPT(pubkey_authentication);
1518 M_CP_INTOPT(kerberos_authentication);
1519 M_CP_INTOPT(hostbased_authentication);
1520 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1521 M_CP_INTOPT(kbd_interactive_authentication);
1522 M_CP_INTOPT(zero_knowledge_password_authentication);
1523 M_CP_INTOPT(permit_root_login);
1524 M_CP_INTOPT(permit_empty_passwd);
/* Post-auth session policy: forwarding, tunnels, X11 and session limits. */
1526 M_CP_INTOPT(allow_tcp_forwarding);
1527 M_CP_INTOPT(allow_agent_forwarding);
1528 M_CP_INTOPT(permit_tun);
1529 M_CP_INTOPT(gateway_ports);
1530 M_CP_INTOPT(x11_display_offset);
1531 M_CP_INTOPT(x11_forwarding);
1532 M_CP_INTOPT(x11_use_localhost);
1533 M_CP_INTOPT(max_sessions);
1534 M_CP_INTOPT(max_authtries);
1535 M_CP_INTOPT(ip_qos_interactive);
1536 M_CP_INTOPT(ip_qos_bulk);
/* String options.  Per the header comment, only banner is needed preauth. */
1538 M_CP_STROPT(banner);
1541 M_CP_STROPT(adm_forced_command);
1542 M_CP_STROPT(chroot_directory);
1543 M_CP_STROPT(trusted_user_ca_keys);
1544 M_CP_STROPT(revoked_keys_file);
1545 M_CP_STROPT(authorized_keys_file);
1546 M_CP_STROPT(authorized_keys_file2);
1547 M_CP_STROPT(authorized_principals_file);
/*
 * parse_server_config: parse the configuration text held in `conf`, one line
 * at a time, into `options`.
 *
 * user/host/address describe the connecting client and are handed to the
 * per-line processor for Match evaluation.  `active` is passed by address so
 * that the line processor can update it: it starts at 1 for the initial load
 * (user == NULL, every line applies) and at 0 for a per-connection re-parse,
 * where presumably only lines inside a matching Match block take effect.
 *
 * The text is duplicated because strsep() writes into its argument; `obuf`
 * keeps the original pointer for release (the free and the bad_options
 * increment in the loop body are not visible in this listing -- verify).
 * linenum's initial value is likewise not visible -- confirm it is set before
 * the loop.  Any failing line is counted rather than skipped, and the
 * function aborts through fatal() after the whole buffer has been read, so a
 * bad option is never silently ignored.
 */
1554 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1555 const char *user, const char *host, const char *address)
1557 int active, linenum, bad_options = 0;
1558 char *cp, *obuf, *cbuf;
1560 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1562 obuf = cbuf = xstrdup(buffer_ptr(conf));
/* Initial load (no user yet): everything is active.  Re-parse: nothing is. */
1563 active = user ? 0 : 1;
1565 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1566 if (process_server_config_line(options, cp, filename,
1567 linenum++, &active, user, host, address) != 0)
/* Report the total once rather than stopping at the first bad line. */
1571 if (bad_options > 0)
1572 fatal("%s: terminating, %d bad configuration options",
1573 filename, bad_options);
/*
 * fmt_intarg: render the integer value of option `code` as the keyword text
 * the parser accepts for it, for use by the config dump.
 *
 * Handles the opcodes whose values are not plain yes/no: AddressFamily,
 * PermitRootLogin ("without-password", "forced-commands-only"), the Protocol
 * bitmask, GatewayPorts value 2 ("clientspecified") and Compression's
 * COMP_DELAYED.  Several branches, and the fallback used for ordinary
 * yes/no values, are not visible in this listing.
 */
1577 fmt_intarg(ServerOpCodes code, int val)
1579 if (code == sAddressFamily) {
1591 if (code == sPermitRootLogin) {
1593 case PERMIT_NO_PASSWD:
1594 return "without-password";
1595 case PERMIT_FORCED_ONLY:
1596 return "forced-commands-only";
1601 if (code == sProtocol) {
/* Both protocol bits set: the combined form, not a single version. */
1607 case (SSH_PROTO_1|SSH_PROTO_2):
1613 if (code == sGatewayPorts && val == 2)
1614 return "clientspecified";
1615 if (code == sCompression && val == COMP_DELAYED)
/*
 * lookup_opcode_name: linear search of the NULL-terminated keywords table for
 * the configuration keyword whose opcode is `code`.
 *
 * The value returned when no entry matches is not visible in this listing --
 * verify it is a non-NULL string, since the dump_cfg_* callers pass the
 * result straight to printf("%s").
 */
1629 lookup_opcode_name(ServerOpCodes code)
1633 for (i = 0; keywords[i].name != NULL; i++)
1634 if (keywords[i].opcode == code)
1635 return(keywords[i].name);
/* dump_cfg_int: print "<keyword> <val>" for an integer-valued option. */
1640 dump_cfg_int(ServerOpCodes code, int val)
1642 printf("%s %d\n", lookup_opcode_name(code), val);
/*
 * dump_cfg_fmtint: print "<keyword> <text>" for an integer option whose
 * value has a keyword spelling, as rendered by fmt_intarg().
 */
1646 dump_cfg_fmtint(ServerOpCodes code, int val)
1648 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
/*
 * dump_cfg_string: print "<keyword> <val>" for a string-valued option.
 *
 * NOTE(review): the start of the body is not visible in this listing.
 * Callers can pass NULL (dump_config's PermitTunnel lookup leaves `s` NULL
 * when no table entry matches), and printf("%s") with a NULL argument is
 * undefined behaviour -- confirm the hidden lines return early on val == NULL.
 */
1652 dump_cfg_string(ServerOpCodes code, const char *val)
1656 printf("%s %s\n", lookup_opcode_name(code), val);
/*
 * dump_cfg_strarray: print one "<keyword> <value>" line for each of the
 * `count` strings in `vals`.  Prints nothing when count is 0.
 */
1660 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1664 for (i = 0; i < count; i++)
1665 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
/*
 * dump_config: print the effective server configuration `o` to stdout, one
 * "<keyword> <value>" line per option, in an order that (per the comments
 * below) is meant to be re-readable by the parser: Port before ListenAddress,
 * then integer, formatted-integer, string, string-array and finally the
 * options with their own syntax (subsystem, maxstartups, permittunnel, ipqos,
 * permitopen).
 *
 * Some lines of the original (local declarations, preprocessor guards around
 * PAM/Kerberos/GSSAPI entries, the getnameinfo error path) are not visible in
 * this listing.
 */
1669 dump_config(ServerOptions *o)
1673 struct addrinfo *ai;
/* s stays NULL unless the PermitTunnel lookup below finds a match. */
1674 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1676 /* these are usually at the top of the config */
1677 for (i = 0; i < o->num_ports; i++)
1678 printf("port %d\n", o->ports[i]);
1679 dump_cfg_fmtint(sProtocol, o->protocol);
1680 dump_cfg_fmtint(sAddressFamily, o->address_family);
1682 /* ListenAddress must be after Port */
1683 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
/*
 * NI_NUMERICHOST|NI_NUMERICSERV: render the stored address as-is, so no
 * name resolution is performed while dumping.
 */
1684 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1685 sizeof(addr), port, sizeof(port),
1686 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1687 error("getnameinfo failed: %.100s",
1688 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
/* IPv6 literals are bracketed so the ":port" suffix stays unambiguous. */
1691 if (ai->ai_family == AF_INET6)
1692 printf("listenaddress [%s]:%s\n", addr, port);
1694 printf("listenaddress %s:%s\n", addr, port);
1698 /* integer arguments */
1700 dump_cfg_int(sUsePAM, o->use_pam);
1702 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1703 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1704 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1705 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1706 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1707 dump_cfg_int(sMaxSessions, o->max_sessions);
1708 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1709 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1711 /* formatted integer arguments */
1712 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1713 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1714 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1715 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1716 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1717 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1718 o->hostbased_uses_name_from_packet_only);
1719 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1720 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1722 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1723 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1724 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1726 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1730 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1731 dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
1732 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1733 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
1736 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1737 o->zero_knowledge_password_authentication);
1739 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1740 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1741 o->kbd_interactive_authentication);
1742 dump_cfg_fmtint(sChallengeResponseAuthentication,
1743 o->challenge_response_authentication);
1744 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1745 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1746 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1747 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1748 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1749 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1750 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1751 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1752 dump_cfg_fmtint(sUseLogin, o->use_login);
1753 dump_cfg_fmtint(sCompression, o->compression);
1754 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1755 dump_cfg_fmtint(sUseDNS, o->use_dns);
1756 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
/* use_privsep is a file-external global, not a member of o. */
1757 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1759 /* string arguments */
1760 dump_cfg_string(sPidFile, o->pid_file);
1761 dump_cfg_string(sXAuthLocation, o->xauth_location);
1762 dump_cfg_string(sCiphers, o->ciphers);
1763 dump_cfg_string(sMacs, o->macs);
1764 dump_cfg_string(sBanner, o->banner);
1765 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1766 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1767 dump_cfg_string(sForceCommand, o->adm_forced_command);
1768 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1769 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1770 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1771 dump_cfg_string(sAuthorizedPrincipalsFile,
1772 o->authorized_principals_file);
1774 /* string arguments requiring a lookup */
1775 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1776 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1778 /* string array arguments */
1779 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
/*
 * NOTE(review): the host certificates below are printed under the HostKey
 * keyword (sHostKeyFile), so a dump fed back into the parser would be read
 * as additional HostKey entries rather than certificates; presumably the
 * HostCertificate opcode (sHostCertificate) was intended here.
 */
1781 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1782 o->host_cert_files);
1783 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1784 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1785 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1786 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1787 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1789 /* other arguments */
/* subsystem_args already contains the command plus its arguments. */
1790 for (i = 0; i < o->num_subsystems; i++)
1791 printf("subsystem %s %s\n", o->subsystem_name[i],
1792 o->subsystem_args[i]);
1794 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1795 o->max_startups_rate, o->max_startups);
/* Map permit_tun back to its keyword; s remains NULL if nothing matches. */
1797 for (i = 0; tunmode_desc[i].val != -1; i++)
1798 if (tunmode_desc[i].val == o->permit_tun) {
1799 s = tunmode_desc[i].text;
1802 dump_cfg_string(sPermitTunnel, s);
1804 printf("ipqos 0x%02x 0x%02x\n", o->ip_qos_interactive, o->ip_qos_bulk);
/* PermitOpen entries live in the channel layer, which prints them itself. */
1806 channel_print_adm_permitted_opens();