1 /* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <netinet/in_systm.h>
20 #include <netinet/ip.h>
32 #include "openbsd-compat/sys-queue.h"
39 #include "pathnames.h"
47 #include "groupaccess.h"
49 static void add_listen_addr(ServerOptions *, char *, int);
50 static void add_one_listen_addr(ServerOptions *, char *, int);
52 /* Use of privilege separation or not */
53 extern int use_privsep;
56 /* Initializes the server options to their default values. */
59 initialize_server_options(ServerOptions *options)
61 memset(options, 0, sizeof(*options));
63 /* Portable-specific options */
64 options->use_pam = -1;
66 /* Standard Options */
67 options->num_ports = 0;
68 options->ports_from_cmdline = 0;
69 options->listen_addrs = NULL;
70 options->address_family = -1;
71 options->num_host_key_files = 0;
72 options->num_host_cert_files = 0;
73 options->pid_file = NULL;
74 options->server_key_bits = -1;
75 options->login_grace_time = -1;
76 options->key_regeneration_time = -1;
77 options->permit_root_login = PERMIT_NOT_SET;
78 options->ignore_rhosts = -1;
79 options->ignore_user_known_hosts = -1;
80 options->print_motd = -1;
81 options->print_lastlog = -1;
82 options->x11_forwarding = -1;
83 options->x11_display_offset = -1;
84 options->x11_use_localhost = -1;
85 options->xauth_location = NULL;
86 options->strict_modes = -1;
87 options->tcp_keep_alive = -1;
88 options->log_facility = SYSLOG_FACILITY_NOT_SET;
89 options->log_level = SYSLOG_LEVEL_NOT_SET;
90 options->rhosts_rsa_authentication = -1;
91 options->hostbased_authentication = -1;
92 options->hostbased_uses_name_from_packet_only = -1;
93 options->rsa_authentication = -1;
94 options->pubkey_authentication = -1;
95 options->kerberos_authentication = -1;
96 options->kerberos_or_local_passwd = -1;
97 options->kerberos_ticket_cleanup = -1;
98 options->kerberos_get_afs_token = -1;
99 options->gss_authentication=-1;
100 options->gss_cleanup_creds = -1;
101 options->password_authentication = -1;
102 options->kbd_interactive_authentication = -1;
103 options->challenge_response_authentication = -1;
104 options->permit_empty_passwd = -1;
105 options->permit_user_env = -1;
106 options->use_login = -1;
107 options->compression = -1;
108 options->allow_tcp_forwarding = -1;
109 options->allow_agent_forwarding = -1;
110 options->num_allow_users = 0;
111 options->num_deny_users = 0;
112 options->num_allow_groups = 0;
113 options->num_deny_groups = 0;
114 options->ciphers = NULL;
115 options->macs = NULL;
116 options->kex_algorithms = NULL;
117 options->protocol = SSH_PROTO_UNKNOWN;
118 options->gateway_ports = -1;
119 options->num_subsystems = 0;
120 options->max_startups_begin = -1;
121 options->max_startups_rate = -1;
122 options->max_startups = -1;
123 options->max_authtries = -1;
124 options->max_sessions = -1;
125 options->banner = NULL;
126 options->use_dns = -1;
127 options->client_alive_interval = -1;
128 options->client_alive_count_max = -1;
129 options->num_authkeys_files = 0;
130 options->num_accept_env = 0;
131 options->permit_tun = -1;
132 options->num_permitted_opens = -1;
133 options->adm_forced_command = NULL;
134 options->chroot_directory = NULL;
135 options->zero_knowledge_password_authentication = -1;
136 options->revoked_keys_file = NULL;
137 options->trusted_user_ca_keys = NULL;
138 options->authorized_principals_file = NULL;
139 options->ip_qos_interactive = -1;
140 options->ip_qos_bulk = -1;
144 fill_default_server_options(ServerOptions *options)
146 /* Portable-specific options */
147 if (options->use_pam == -1)
148 options->use_pam = 0;
150 /* Standard Options */
151 if (options->protocol == SSH_PROTO_UNKNOWN)
152 options->protocol = SSH_PROTO_2;
153 if (options->num_host_key_files == 0) {
154 /* fill default hostkeys for protocols */
155 if (options->protocol & SSH_PROTO_1)
156 options->host_key_files[options->num_host_key_files++] =
158 if (options->protocol & SSH_PROTO_2) {
159 options->host_key_files[options->num_host_key_files++] =
160 _PATH_HOST_RSA_KEY_FILE;
161 options->host_key_files[options->num_host_key_files++] =
162 _PATH_HOST_DSA_KEY_FILE;
163 #ifdef OPENSSL_HAS_ECC
164 options->host_key_files[options->num_host_key_files++] =
165 _PATH_HOST_ECDSA_KEY_FILE;
169 /* No certificates by default */
170 if (options->num_ports == 0)
171 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
172 if (options->listen_addrs == NULL)
173 add_listen_addr(options, NULL, 0);
174 if (options->pid_file == NULL)
175 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
176 if (options->server_key_bits == -1)
177 options->server_key_bits = 1024;
178 if (options->login_grace_time == -1)
179 options->login_grace_time = 120;
180 if (options->key_regeneration_time == -1)
181 options->key_regeneration_time = 3600;
182 if (options->permit_root_login == PERMIT_NOT_SET)
183 options->permit_root_login = PERMIT_YES;
184 if (options->ignore_rhosts == -1)
185 options->ignore_rhosts = 1;
186 if (options->ignore_user_known_hosts == -1)
187 options->ignore_user_known_hosts = 0;
188 if (options->print_motd == -1)
189 options->print_motd = 1;
190 if (options->print_lastlog == -1)
191 options->print_lastlog = 1;
192 if (options->x11_forwarding == -1)
193 options->x11_forwarding = 0;
194 if (options->x11_display_offset == -1)
195 options->x11_display_offset = 10;
196 if (options->x11_use_localhost == -1)
197 options->x11_use_localhost = 1;
198 if (options->xauth_location == NULL)
199 options->xauth_location = _PATH_XAUTH;
200 if (options->strict_modes == -1)
201 options->strict_modes = 1;
202 if (options->tcp_keep_alive == -1)
203 options->tcp_keep_alive = 1;
204 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
205 options->log_facility = SYSLOG_FACILITY_AUTH;
206 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
207 options->log_level = SYSLOG_LEVEL_INFO;
208 if (options->rhosts_rsa_authentication == -1)
209 options->rhosts_rsa_authentication = 0;
210 if (options->hostbased_authentication == -1)
211 options->hostbased_authentication = 0;
212 if (options->hostbased_uses_name_from_packet_only == -1)
213 options->hostbased_uses_name_from_packet_only = 0;
214 if (options->rsa_authentication == -1)
215 options->rsa_authentication = 1;
216 if (options->pubkey_authentication == -1)
217 options->pubkey_authentication = 1;
218 if (options->kerberos_authentication == -1)
219 options->kerberos_authentication = 0;
220 if (options->kerberos_or_local_passwd == -1)
221 options->kerberos_or_local_passwd = 1;
222 if (options->kerberos_ticket_cleanup == -1)
223 options->kerberos_ticket_cleanup = 1;
224 if (options->kerberos_get_afs_token == -1)
225 options->kerberos_get_afs_token = 0;
226 if (options->gss_authentication == -1)
227 options->gss_authentication = 0;
228 if (options->gss_cleanup_creds == -1)
229 options->gss_cleanup_creds = 1;
230 if (options->password_authentication == -1)
231 options->password_authentication = 1;
232 if (options->kbd_interactive_authentication == -1)
233 options->kbd_interactive_authentication = 0;
234 if (options->challenge_response_authentication == -1)
235 options->challenge_response_authentication = 1;
236 if (options->permit_empty_passwd == -1)
237 options->permit_empty_passwd = 0;
238 if (options->permit_user_env == -1)
239 options->permit_user_env = 0;
240 if (options->use_login == -1)
241 options->use_login = 0;
242 if (options->compression == -1)
243 options->compression = COMP_DELAYED;
244 if (options->allow_tcp_forwarding == -1)
245 options->allow_tcp_forwarding = 1;
246 if (options->allow_agent_forwarding == -1)
247 options->allow_agent_forwarding = 1;
248 if (options->gateway_ports == -1)
249 options->gateway_ports = 0;
250 if (options->max_startups == -1)
251 options->max_startups = 10;
252 if (options->max_startups_rate == -1)
253 options->max_startups_rate = 100; /* 100% */
254 if (options->max_startups_begin == -1)
255 options->max_startups_begin = options->max_startups;
256 if (options->max_authtries == -1)
257 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
258 if (options->max_sessions == -1)
259 options->max_sessions = DEFAULT_SESSIONS_MAX;
260 if (options->use_dns == -1)
261 options->use_dns = 1;
262 if (options->client_alive_interval == -1)
263 options->client_alive_interval = 0;
264 if (options->client_alive_count_max == -1)
265 options->client_alive_count_max = 3;
266 if (options->num_authkeys_files == 0) {
267 options->authorized_keys_files[options->num_authkeys_files++] =
268 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
269 options->authorized_keys_files[options->num_authkeys_files++] =
270 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
272 if (options->permit_tun == -1)
273 options->permit_tun = SSH_TUNMODE_NO;
274 if (options->zero_knowledge_password_authentication == -1)
275 options->zero_knowledge_password_authentication = 0;
276 if (options->ip_qos_interactive == -1)
277 options->ip_qos_interactive = IPTOS_LOWDELAY;
278 if (options->ip_qos_bulk == -1)
279 options->ip_qos_bulk = IPTOS_THROUGHPUT;
281 /* Turn privilege separation on by default */
282 if (use_privsep == -1)
283 use_privsep = PRIVSEP_ON;
286 if (use_privsep && options->compression == 1) {
287 error("This platform does not support both privilege "
288 "separation and compression");
289 error("Compression disabled");
290 options->compression = 0;
296 /* Keyword tokens. */
298 sBadOption, /* == unknown option */
299 /* Portable-specific options */
301 /* Standard Options */
302 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
303 sPermitRootLogin, sLogFacility, sLogLevel,
304 sRhostsRSAAuthentication, sRSAAuthentication,
305 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
306 sKerberosGetAFSToken,
307 sKerberosTgtPassing, sChallengeResponseAuthentication,
308 sPasswordAuthentication, sKbdInteractiveAuthentication,
309 sListenAddress, sAddressFamily,
310 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
311 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
312 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
313 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
314 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
315 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
316 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
317 sMaxStartups, sMaxAuthTries, sMaxSessions,
318 sBanner, sUseDNS, sHostbasedAuthentication,
319 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
320 sClientAliveCountMax, sAuthorizedKeysFile,
321 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
322 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
323 sUsePrivilegeSeparation, sAllowAgentForwarding,
324 sZeroKnowledgePasswordAuthentication, sHostCertificate,
325 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
326 sKexAlgorithms, sIPQoS,
327 sDeprecated, sUnsupported
330 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
331 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
332 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
334 /* Textual representation of the tokens. */
337 ServerOpCodes opcode;
340 /* Portable-specific options */
342 { "usepam", sUsePAM, SSHCFG_GLOBAL },
344 { "usepam", sUnsupported, SSHCFG_GLOBAL },
346 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
347 /* Standard Options */
348 { "port", sPort, SSHCFG_GLOBAL },
349 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
350 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
351 { "pidfile", sPidFile, SSHCFG_GLOBAL },
352 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
353 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
354 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
355 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
356 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
357 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
358 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
359 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
360 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
361 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
362 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
363 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
364 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
366 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
367 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
368 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
370 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
372 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
375 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
376 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
377 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
378 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
380 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
381 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
383 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
384 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
386 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
387 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
389 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
390 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
391 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
392 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
394 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
396 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
398 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
399 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
400 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
401 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
402 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
403 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
404 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
405 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
406 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
407 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
408 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
409 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
410 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
411 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
412 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
413 { "compression", sCompression, SSHCFG_GLOBAL },
414 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
415 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
416 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
417 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
418 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
419 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
420 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
421 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
422 { "ciphers", sCiphers, SSHCFG_GLOBAL },
423 { "macs", sMacs, SSHCFG_GLOBAL },
424 { "protocol", sProtocol, SSHCFG_GLOBAL },
425 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
426 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
427 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
428 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
429 { "maxsessions", sMaxSessions, SSHCFG_ALL },
430 { "banner", sBanner, SSHCFG_ALL },
431 { "usedns", sUseDNS, SSHCFG_GLOBAL },
432 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
433 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
434 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
435 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
436 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
437 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
438 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
439 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
440 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
441 { "match", sMatch, SSHCFG_ALL },
442 { "permitopen", sPermitOpen, SSHCFG_ALL },
443 { "forcecommand", sForceCommand, SSHCFG_ALL },
444 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
445 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
446 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
447 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
448 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
449 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
450 { "ipqos", sIPQoS, SSHCFG_ALL },
451 { NULL, sBadOption, 0 }
458 { SSH_TUNMODE_NO, "no" },
459 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
460 { SSH_TUNMODE_ETHERNET, "ethernet" },
461 { SSH_TUNMODE_YES, "yes" },
466 * Returns the number of the token pointed to by cp or sBadOption.
470 parse_token(const char *cp, const char *filename,
471 int linenum, u_int *flags)
475 for (i = 0; keywords[i].name; i++)
476 if (strcasecmp(cp, keywords[i].name) == 0) {
477 *flags = keywords[i].flags;
478 return keywords[i].opcode;
481 error("%s: line %d: Bad configuration option: %s",
482 filename, linenum, cp);
487 derelativise_path(const char *path)
489 char *expanded, *ret, cwd[MAXPATHLEN];
491 expanded = tilde_expand_filename(path, getuid());
492 if (*expanded == '/')
494 if (getcwd(cwd, sizeof(cwd)) == NULL)
495 fatal("%s: getcwd: %s", __func__, strerror(errno));
496 xasprintf(&ret, "%s/%s", cwd, expanded);
502 add_listen_addr(ServerOptions *options, char *addr, int port)
506 if (options->num_ports == 0)
507 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
508 if (options->address_family == -1)
509 options->address_family = AF_UNSPEC;
511 for (i = 0; i < options->num_ports; i++)
512 add_one_listen_addr(options, addr, options->ports[i]);
514 add_one_listen_addr(options, addr, port);
518 add_one_listen_addr(ServerOptions *options, char *addr, int port)
520 struct addrinfo hints, *ai, *aitop;
521 char strport[NI_MAXSERV];
524 memset(&hints, 0, sizeof(hints));
525 hints.ai_family = options->address_family;
526 hints.ai_socktype = SOCK_STREAM;
527 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
528 snprintf(strport, sizeof strport, "%d", port);
529 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
530 fatal("bad addr or host: %s (%s)",
531 addr ? addr : "<NULL>",
532 ssh_gai_strerror(gaierr));
533 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
535 ai->ai_next = options->listen_addrs;
536 options->listen_addrs = aitop;
540 * The strategy for the Match blocks is that the config file is parsed twice.
542 * The first time is at startup. activep is initialized to 1 and the
543 * directives in the global context are processed and acted on. Hitting a
544 * Match directive unsets activep and the directives inside the block are
545 * checked for syntax only.
547 * The second time is after a connection has been established but before
548 * authentication. activep is initialized to 2 and global config directives
549 * are ignored since they have already been processed. If the criteria in a
550 * Match block is met, activep is set and the subsequent directives
551 * processed and actioned until EOF or another Match block unsets it. Any
552 * options set are copied into the main server config.
554 * Potential additions/improvements:
555 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
557 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
558 * Match Address 192.168.0.*
563 * AllowTcpForwarding yes
564 * GatewayPorts clientspecified
567 * - Add a PermittedChannelRequests directive
569 * PermittedChannelRequests session,forwarded-tcpip
573 match_cfg_line_group(const char *grps, int line, const char *user)
581 if ((pw = getpwnam(user)) == NULL) {
582 debug("Can't match group at line %d because user %.100s does "
583 "not exist", line, user);
584 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
585 debug("Can't Match group because user %.100s not in any group "
586 "at line %d", user, line);
587 } else if (ga_match_pattern_list(grps) != 1) {
588 debug("user %.100s does not match group list %.100s at line %d",
591 debug("user %.100s matched group list %.100s at line %d", user,
601 match_cfg_line(char **condition, int line, const char *user, const char *host,
605 char *arg, *attrib, *cp = *condition;
609 debug3("checking syntax for 'Match %s'", cp);
611 debug3("checking match for '%s' user %s host %s addr %s", cp,
612 user ? user : "(null)", host ? host : "(null)",
613 address ? address : "(null)");
615 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
616 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
617 error("Missing Match criteria for %s", attrib);
621 if (strcasecmp(attrib, "user") == 0) {
626 if (match_pattern_list(user, arg, len, 0) != 1)
629 debug("user %.100s matched 'User %.100s' at "
630 "line %d", user, arg, line);
631 } else if (strcasecmp(attrib, "group") == 0) {
632 switch (match_cfg_line_group(arg, line, user)) {
638 } else if (strcasecmp(attrib, "host") == 0) {
643 if (match_hostname(host, arg, len) != 1)
646 debug("connection from %.100s matched 'Host "
647 "%.100s' at line %d", host, arg, line);
648 } else if (strcasecmp(attrib, "address") == 0) {
649 switch (addr_match_list(address, arg)) {
651 debug("connection from %.100s matched 'Address "
652 "%.100s' at line %d", address, arg, line);
662 error("Unsupported Match attribute %s", attrib);
667 debug3("match %sfound", result ? "" : "not ");
672 #define WHITESPACE " \t\r\n"
674 /* Multistate option parsing */
679 static const struct multistate multistate_addressfamily[] = {
681 { "inet6", AF_INET6 },
682 { "any", AF_UNSPEC },
685 static const struct multistate multistate_permitrootlogin[] = {
686 { "without-password", PERMIT_NO_PASSWD },
687 { "forced-commands-only", PERMIT_FORCED_ONLY },
688 { "yes", PERMIT_YES },
692 static const struct multistate multistate_compression[] = {
693 { "delayed", COMP_DELAYED },
694 { "yes", COMP_ZLIB },
698 static const struct multistate multistate_gatewayports[] = {
699 { "clientspecified", 2 },
704 static const struct multistate multistate_privsep[] = {
705 { "sandbox", PRIVSEP_SANDBOX },
706 { "yes", PRIVSEP_ON },
707 { "no", PRIVSEP_OFF },
712 process_server_config_line(ServerOptions *options, char *line,
713 const char *filename, int linenum, int *activep, const char *user,
714 const char *host, const char *address)
716 char *cp, **charptr, *arg, *p;
717 int cmdline = 0, *intptr, value, value2, n;
718 SyslogFacility *log_facility_ptr;
719 LogLevel *log_level_ptr;
720 ServerOpCodes opcode;
724 const struct multistate *multistate_ptr;
727 if ((arg = strdelim(&cp)) == NULL)
729 /* Ignore leading whitespace */
732 if (!arg || !*arg || *arg == '#')
736 opcode = parse_token(arg, filename, linenum, &flags);
738 if (activep == NULL) { /* We are processing a command line directive */
742 if (*activep && opcode != sMatch)
743 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
744 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
746 fatal("%s line %d: Directive '%s' is not allowed "
747 "within a Match block", filename, linenum, arg);
748 } else { /* this is a directive we have already processed */
756 /* Portable-specific options */
758 intptr = &options->use_pam;
761 /* Standard Options */
765 /* ignore ports from configfile if cmdline specifies ports */
766 if (options->ports_from_cmdline)
768 if (options->listen_addrs != NULL)
769 fatal("%s line %d: ports must be specified before "
770 "ListenAddress.", filename, linenum);
771 if (options->num_ports >= MAX_PORTS)
772 fatal("%s line %d: too many ports.",
775 if (!arg || *arg == '\0')
776 fatal("%s line %d: missing port number.",
778 options->ports[options->num_ports++] = a2port(arg);
779 if (options->ports[options->num_ports-1] <= 0)
780 fatal("%s line %d: Badly formatted port number.",
785 intptr = &options->server_key_bits;
788 if (!arg || *arg == '\0')
789 fatal("%s line %d: missing integer value.",
792 if (*activep && *intptr == -1)
796 case sLoginGraceTime:
797 intptr = &options->login_grace_time;
800 if (!arg || *arg == '\0')
801 fatal("%s line %d: missing time value.",
803 if ((value = convtime(arg)) == -1)
804 fatal("%s line %d: invalid time value.",
810 case sKeyRegenerationTime:
811 intptr = &options->key_regeneration_time;
816 if (arg == NULL || *arg == '\0')
817 fatal("%s line %d: missing address",
819 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
820 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
821 && strchr(p+1, ':') != NULL) {
822 add_listen_addr(options, arg, 0);
827 fatal("%s line %d: bad address:port usage",
829 p = cleanhostname(p);
832 else if ((port = a2port(arg)) <= 0)
833 fatal("%s line %d: bad port number", filename, linenum);
835 add_listen_addr(options, p, port);
840 intptr = &options->address_family;
841 multistate_ptr = multistate_addressfamily;
842 if (options->listen_addrs != NULL)
843 fatal("%s line %d: address family must be specified "
844 "before ListenAddress.", filename, linenum);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: missing argument.",
851 for (i = 0; multistate_ptr[i].key != NULL; i++) {
852 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
853 value = multistate_ptr[i].value;
858 fatal("%s line %d: unsupported option \"%s\".",
859 filename, linenum, arg);
860 if (*activep && *intptr == -1)
865 intptr = &options->num_host_key_files;
866 if (*intptr >= MAX_HOSTKEYS)
867 fatal("%s line %d: too many host keys specified (max %d).",
868 filename, linenum, MAX_HOSTKEYS);
869 charptr = &options->host_key_files[*intptr];
872 if (!arg || *arg == '\0')
873 fatal("%s line %d: missing file name.",
875 if (*activep && *charptr == NULL) {
876 *charptr = derelativise_path(arg);
877 /* increase optional counter */
879 *intptr = *intptr + 1;
883 case sHostCertificate:
884 intptr = &options->num_host_cert_files;
885 if (*intptr >= MAX_HOSTKEYS)
886 fatal("%s line %d: too many host certificates "
887 "specified (max %d).", filename, linenum,
889 charptr = &options->host_cert_files[*intptr];
894 charptr = &options->pid_file;
897 case sPermitRootLogin:
898 intptr = &options->permit_root_login;
899 multistate_ptr = multistate_permitrootlogin;
900 goto parse_multistate;
903 intptr = &options->ignore_rhosts;
906 if (!arg || *arg == '\0')
907 fatal("%s line %d: missing yes/no argument.",
909 value = 0; /* silence compiler */
910 if (strcmp(arg, "yes") == 0)
912 else if (strcmp(arg, "no") == 0)
915 fatal("%s line %d: Bad yes/no argument: %s",
916 filename, linenum, arg);
917 if (*activep && *intptr == -1)
921 case sIgnoreUserKnownHosts:
922 intptr = &options->ignore_user_known_hosts;
925 case sRhostsRSAAuthentication:
926 intptr = &options->rhosts_rsa_authentication;
929 case sHostbasedAuthentication:
930 intptr = &options->hostbased_authentication;
933 case sHostbasedUsesNameFromPacketOnly:
934 intptr = &options->hostbased_uses_name_from_packet_only;
937 case sRSAAuthentication:
938 intptr = &options->rsa_authentication;
941 case sPubkeyAuthentication:
942 intptr = &options->pubkey_authentication;
945 case sKerberosAuthentication:
946 intptr = &options->kerberos_authentication;
949 case sKerberosOrLocalPasswd:
950 intptr = &options->kerberos_or_local_passwd;
953 case sKerberosTicketCleanup:
954 intptr = &options->kerberos_ticket_cleanup;
957 case sKerberosGetAFSToken:
958 intptr = &options->kerberos_get_afs_token;
961 case sGssAuthentication:
962 intptr = &options->gss_authentication;
965 case sGssCleanupCreds:
966 intptr = &options->gss_cleanup_creds;
969 case sPasswordAuthentication:
970 intptr = &options->password_authentication;
973 case sZeroKnowledgePasswordAuthentication:
974 intptr = &options->zero_knowledge_password_authentication;
977 case sKbdInteractiveAuthentication:
978 intptr = &options->kbd_interactive_authentication;
981 case sChallengeResponseAuthentication:
982 intptr = &options->challenge_response_authentication;
986 intptr = &options->print_motd;
990 intptr = &options->print_lastlog;
994 intptr = &options->x11_forwarding;
997 case sX11DisplayOffset:
998 intptr = &options->x11_display_offset;
1001 case sX11UseLocalhost:
1002 intptr = &options->x11_use_localhost;
1005 case sXAuthLocation:
1006 charptr = &options->xauth_location;
1007 goto parse_filename;
1010 intptr = &options->strict_modes;
1014 intptr = &options->tcp_keep_alive;
1018 intptr = &options->permit_empty_passwd;
1021 case sPermitUserEnvironment:
1022 intptr = &options->permit_user_env;
1026 intptr = &options->use_login;
1030 intptr = &options->compression;
1031 multistate_ptr = multistate_compression;
1032 goto parse_multistate;
1035 intptr = &options->gateway_ports;
1036 multistate_ptr = multistate_gatewayports;
1037 goto parse_multistate;
1040 intptr = &options->use_dns;
1044 log_facility_ptr = &options->log_facility;
1045 arg = strdelim(&cp);
1046 value = log_facility_number(arg);
1047 if (value == SYSLOG_FACILITY_NOT_SET)
1048 fatal("%.200s line %d: unsupported log facility '%s'",
1049 filename, linenum, arg ? arg : "<NONE>");
1050 if (*log_facility_ptr == -1)
1051 *log_facility_ptr = (SyslogFacility) value;
1055 log_level_ptr = &options->log_level;
1056 arg = strdelim(&cp);
1057 value = log_level_number(arg);
1058 if (value == SYSLOG_LEVEL_NOT_SET)
1059 fatal("%.200s line %d: unsupported log level '%s'",
1060 filename, linenum, arg ? arg : "<NONE>");
1061 if (*log_level_ptr == -1)
1062 *log_level_ptr = (LogLevel) value;
1065 case sAllowTcpForwarding:
1066 intptr = &options->allow_tcp_forwarding;
1069 case sAllowAgentForwarding:
1070 intptr = &options->allow_agent_forwarding;
1073 case sUsePrivilegeSeparation:
1074 intptr = &use_privsep;
1075 multistate_ptr = multistate_privsep;
1076 goto parse_multistate;
1079 while ((arg = strdelim(&cp)) && *arg != '\0') {
1080 if (options->num_allow_users >= MAX_ALLOW_USERS)
1081 fatal("%s line %d: too many allow users.",
1083 options->allow_users[options->num_allow_users++] =
1089 while ((arg = strdelim(&cp)) && *arg != '\0') {
1090 if (options->num_deny_users >= MAX_DENY_USERS)
1091 fatal("%s line %d: too many deny users.",
1093 options->deny_users[options->num_deny_users++] =
1099 while ((arg = strdelim(&cp)) && *arg != '\0') {
1100 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1101 fatal("%s line %d: too many allow groups.",
1103 options->allow_groups[options->num_allow_groups++] =
1109 while ((arg = strdelim(&cp)) && *arg != '\0') {
1110 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1111 fatal("%s line %d: too many deny groups.",
1113 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1118 arg = strdelim(&cp);
1119 if (!arg || *arg == '\0')
1120 fatal("%s line %d: Missing argument.", filename, linenum);
1121 if (!ciphers_valid(arg))
1122 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1123 filename, linenum, arg ? arg : "<NONE>");
1124 if (options->ciphers == NULL)
1125 options->ciphers = xstrdup(arg);
1129 arg = strdelim(&cp);
1130 if (!arg || *arg == '\0')
1131 fatal("%s line %d: Missing argument.", filename, linenum);
1132 if (!mac_valid(arg))
1133 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1134 filename, linenum, arg ? arg : "<NONE>");
1135 if (options->macs == NULL)
1136 options->macs = xstrdup(arg);
1139 case sKexAlgorithms:
1140 arg = strdelim(&cp);
1141 if (!arg || *arg == '\0')
1142 fatal("%s line %d: Missing argument.",
1144 if (!kex_names_valid(arg))
1145 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1146 filename, linenum, arg ? arg : "<NONE>");
1147 if (options->kex_algorithms == NULL)
1148 options->kex_algorithms = xstrdup(arg);
1152 intptr = &options->protocol;
1153 arg = strdelim(&cp);
1154 if (!arg || *arg == '\0')
1155 fatal("%s line %d: Missing argument.", filename, linenum);
1156 value = proto_spec(arg);
1157 if (value == SSH_PROTO_UNKNOWN)
1158 fatal("%s line %d: Bad protocol spec '%s'.",
1159 filename, linenum, arg ? arg : "<NONE>");
1160 if (*intptr == SSH_PROTO_UNKNOWN)
1165 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1166 fatal("%s line %d: too many subsystems defined.",
1169 arg = strdelim(&cp);
1170 if (!arg || *arg == '\0')
1171 fatal("%s line %d: Missing subsystem name.",
1174 arg = strdelim(&cp);
1177 for (i = 0; i < options->num_subsystems; i++)
1178 if (strcmp(arg, options->subsystem_name[i]) == 0)
1179 fatal("%s line %d: Subsystem '%s' already defined.",
1180 filename, linenum, arg);
1181 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1182 arg = strdelim(&cp);
1183 if (!arg || *arg == '\0')
1184 fatal("%s line %d: Missing subsystem command.",
1186 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1188 /* Collect arguments (separate to executable) */
1190 len = strlen(p) + 1;
1191 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1192 len += 1 + strlen(arg);
1193 p = xrealloc(p, 1, len);
1194 strlcat(p, " ", len);
1195 strlcat(p, arg, len);
1197 options->subsystem_args[options->num_subsystems] = p;
1198 options->num_subsystems++;
1202 arg = strdelim(&cp);
1203 if (!arg || *arg == '\0')
1204 fatal("%s line %d: Missing MaxStartups spec.",
1206 if ((n = sscanf(arg, "%d:%d:%d",
1207 &options->max_startups_begin,
1208 &options->max_startups_rate,
1209 &options->max_startups)) == 3) {
1210 if (options->max_startups_begin >
1211 options->max_startups ||
1212 options->max_startups_rate > 100 ||
1213 options->max_startups_rate < 1)
1214 fatal("%s line %d: Illegal MaxStartups spec.",
1217 fatal("%s line %d: Illegal MaxStartups spec.",
1220 options->max_startups = options->max_startups_begin;
1224 intptr = &options->max_authtries;
1228 intptr = &options->max_sessions;
1232 charptr = &options->banner;
1233 goto parse_filename;
1236 * These options can contain %X options expanded at
1237 * connect time, so that you can specify paths like:
1239 * AuthorizedKeysFile /etc/ssh_keys/%u
1241 case sAuthorizedKeysFile:
1242 if (*activep && options->num_authkeys_files == 0) {
1243 while ((arg = strdelim(&cp)) && *arg != '\0') {
1244 if (options->num_authkeys_files >=
1246 fatal("%s line %d: "
1247 "too many authorized keys files.",
1249 options->authorized_keys_files[
1250 options->num_authkeys_files++] =
1251 tilde_expand_filename(arg, getuid());
1256 case sAuthorizedPrincipalsFile:
1257 charptr = &options->authorized_principals_file;
1258 arg = strdelim(&cp);
1259 if (!arg || *arg == '\0')
1260 fatal("%s line %d: missing file name.",
1262 if (*activep && *charptr == NULL) {
1263 *charptr = tilde_expand_filename(arg, getuid());
1264 /* increase optional counter */
1266 *intptr = *intptr + 1;
1270 case sClientAliveInterval:
1271 intptr = &options->client_alive_interval;
1274 case sClientAliveCountMax:
1275 intptr = &options->client_alive_count_max;
1279 while ((arg = strdelim(&cp)) && *arg != '\0') {
1280 if (strchr(arg, '=') != NULL)
1281 fatal("%s line %d: Invalid environment name.",
1283 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1284 fatal("%s line %d: too many allow env.",
1288 options->accept_env[options->num_accept_env++] =
1294 intptr = &options->permit_tun;
1295 arg = strdelim(&cp);
1296 if (!arg || *arg == '\0')
1297 fatal("%s line %d: Missing yes/point-to-point/"
1298 "ethernet/no argument.", filename, linenum);
1300 for (i = 0; tunmode_desc[i].val != -1; i++)
1301 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1302 value = tunmode_desc[i].val;
1306 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1307 "no argument: %s", filename, linenum, arg);
1314 fatal("Match directive not supported as a command-line "
1316 value = match_cfg_line(&cp, linenum, user, host, address);
1318 fatal("%s line %d: Bad Match condition", filename,
1324 arg = strdelim(&cp);
1325 if (!arg || *arg == '\0')
1326 fatal("%s line %d: missing PermitOpen specification",
1328 n = options->num_permitted_opens; /* modified later */
1329 if (strcmp(arg, "any") == 0) {
1330 if (*activep && n == -1) {
1331 channel_clear_adm_permitted_opens();
1332 options->num_permitted_opens = 0;
1336 if (*activep && n == -1)
1337 channel_clear_adm_permitted_opens();
1338 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1341 fatal("%s line %d: missing host in PermitOpen",
1343 p = cleanhostname(p);
1344 if (arg == NULL || (port = a2port(arg)) <= 0)
1345 fatal("%s line %d: bad port number in "
1346 "PermitOpen", filename, linenum);
1347 if (*activep && n == -1)
1348 options->num_permitted_opens =
1349 channel_add_adm_permitted_opens(p, port);
1355 fatal("%.200s line %d: Missing argument.", filename,
1357 len = strspn(cp, WHITESPACE);
1358 if (*activep && options->adm_forced_command == NULL)
1359 options->adm_forced_command = xstrdup(cp + len);
1362 case sChrootDirectory:
1363 charptr = &options->chroot_directory;
1365 arg = strdelim(&cp);
1366 if (!arg || *arg == '\0')
1367 fatal("%s line %d: missing file name.",
1369 if (*activep && *charptr == NULL)
1370 *charptr = xstrdup(arg);
1373 case sTrustedUserCAKeys:
1374 charptr = &options->trusted_user_ca_keys;
1375 goto parse_filename;
1378 charptr = &options->revoked_keys_file;
1379 goto parse_filename;
1382 arg = strdelim(&cp);
1383 if ((value = parse_ipqos(arg)) == -1)
1384 fatal("%s line %d: Bad IPQoS value: %s",
1385 filename, linenum, arg);
1386 arg = strdelim(&cp);
1389 else if ((value2 = parse_ipqos(arg)) == -1)
1390 fatal("%s line %d: Bad IPQoS value: %s",
1391 filename, linenum, arg);
1393 options->ip_qos_interactive = value;
1394 options->ip_qos_bulk = value2;
1399 logit("%s line %d: Deprecated option %s",
1400 filename, linenum, arg);
1402 arg = strdelim(&cp);
1406 logit("%s line %d: Unsupported option %s",
1407 filename, linenum, arg);
1409 arg = strdelim(&cp);
1413 fatal("%s line %d: Missing handler for opcode %s (%d)",
1414 filename, linenum, arg, opcode);
1416 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1417 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1418 filename, linenum, arg);
1422 /* Reads the server configuration file. */
1425 load_server_config(const char *filename, Buffer *conf)
1427 char line[1024], *cp;
1430 debug2("%s: filename %s", __func__, filename);
1431 if ((f = fopen(filename, "r")) == NULL) {
1436 while (fgets(line, sizeof(line), f)) {
1438 * Trim out comments and strip whitespace
1439 * NB - preserve newlines, they are needed to reproduce
1440 * line numbers later for error messages
1442 if ((cp = strchr(line, '#')) != NULL)
1443 memcpy(cp, "\n", 2);
1444 cp = line + strspn(line, " \t\r");
1446 buffer_append(conf, cp, strlen(cp));
1448 buffer_append(conf, "\0", 1);
1450 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1454 parse_server_match_config(ServerOptions *options, const char *user,
1455 const char *host, const char *address)
1459 initialize_server_options(&mo);
1460 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1461 copy_set_server_options(options, &mo, 0);
1465 #define M_CP_INTOPT(n) do {\
1469 #define M_CP_STROPT(n) do {\
1470 if (src->n != NULL) { \
1471 if (dst->n != NULL) \
1476 #define M_CP_STRARRAYOPT(n, num_n) do {\
1477 if (src->num_n != 0) { \
1478 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1479 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1484 * Copy any supported values that are set.
1486 * If the preauth flag is set, we do not bother copying the string or
1487 * array values that are not used pre-authentication, because any that we
1488 * do use must be explictly sent in mm_getpwnamallow().
1491 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1493 M_CP_INTOPT(password_authentication);
1494 M_CP_INTOPT(gss_authentication);
1495 M_CP_INTOPT(rsa_authentication);
1496 M_CP_INTOPT(pubkey_authentication);
1497 M_CP_INTOPT(kerberos_authentication);
1498 M_CP_INTOPT(hostbased_authentication);
1499 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1500 M_CP_INTOPT(kbd_interactive_authentication);
1501 M_CP_INTOPT(zero_knowledge_password_authentication);
1502 M_CP_INTOPT(permit_root_login);
1503 M_CP_INTOPT(permit_empty_passwd);
1505 M_CP_INTOPT(allow_tcp_forwarding);
1506 M_CP_INTOPT(allow_agent_forwarding);
1507 M_CP_INTOPT(permit_tun);
1508 M_CP_INTOPT(gateway_ports);
1509 M_CP_INTOPT(x11_display_offset);
1510 M_CP_INTOPT(x11_forwarding);
1511 M_CP_INTOPT(x11_use_localhost);
1512 M_CP_INTOPT(max_sessions);
1513 M_CP_INTOPT(max_authtries);
1514 M_CP_INTOPT(ip_qos_interactive);
1515 M_CP_INTOPT(ip_qos_bulk);
1517 /* See comment in servconf.h */
1518 COPY_MATCH_STRING_OPTS();
1521 * The only things that should be below this point are string options
1522 * which are only used after authentication.
1527 M_CP_STROPT(adm_forced_command);
1528 M_CP_STROPT(chroot_directory);
1533 #undef M_CP_STRARRAYOPT
1536 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1537 const char *user, const char *host, const char *address)
1539 int active, linenum, bad_options = 0;
1540 char *cp, *obuf, *cbuf;
1542 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1544 obuf = cbuf = xstrdup(buffer_ptr(conf));
1545 active = user ? 0 : 1;
1547 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1548 if (process_server_config_line(options, cp, filename,
1549 linenum++, &active, user, host, address) != 0)
1553 if (bad_options > 0)
1554 fatal("%s: terminating, %d bad configuration options",
1555 filename, bad_options);
1559 fmt_multistate_int(int val, const struct multistate *m)
1563 for (i = 0; m[i].key != NULL; i++) {
1564 if (m[i].value == val)
1571 fmt_intarg(ServerOpCodes code, int val)
1576 case sAddressFamily:
1577 return fmt_multistate_int(val, multistate_addressfamily);
1578 case sPermitRootLogin:
1579 return fmt_multistate_int(val, multistate_permitrootlogin);
1581 return fmt_multistate_int(val, multistate_gatewayports);
1583 return fmt_multistate_int(val, multistate_compression);
1584 case sUsePrivilegeSeparation:
1585 return fmt_multistate_int(val, multistate_privsep);
1592 case (SSH_PROTO_1|SSH_PROTO_2):
1610 lookup_opcode_name(ServerOpCodes code)
1614 for (i = 0; keywords[i].name != NULL; i++)
1615 if (keywords[i].opcode == code)
1616 return(keywords[i].name);
1621 dump_cfg_int(ServerOpCodes code, int val)
1623 printf("%s %d\n", lookup_opcode_name(code), val);
1627 dump_cfg_fmtint(ServerOpCodes code, int val)
1629 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1633 dump_cfg_string(ServerOpCodes code, const char *val)
1637 printf("%s %s\n", lookup_opcode_name(code), val);
1641 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1645 for (i = 0; i < count; i++)
1646 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1650 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1654 printf("%s", lookup_opcode_name(code));
1655 for (i = 0; i < count; i++)
1656 printf(" %s", vals[i]);
1661 dump_config(ServerOptions *o)
1665 struct addrinfo *ai;
1666 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1668 /* these are usually at the top of the config */
1669 for (i = 0; i < o->num_ports; i++)
1670 printf("port %d\n", o->ports[i]);
1671 dump_cfg_fmtint(sProtocol, o->protocol);
1672 dump_cfg_fmtint(sAddressFamily, o->address_family);
1674 /* ListenAddress must be after Port */
1675 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1676 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1677 sizeof(addr), port, sizeof(port),
1678 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1679 error("getnameinfo failed: %.100s",
1680 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1683 if (ai->ai_family == AF_INET6)
1684 printf("listenaddress [%s]:%s\n", addr, port);
1686 printf("listenaddress %s:%s\n", addr, port);
1690 /* integer arguments */
1692 dump_cfg_int(sUsePAM, o->use_pam);
1694 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1695 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1696 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1697 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1698 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1699 dump_cfg_int(sMaxSessions, o->max_sessions);
1700 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1701 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1703 /* formatted integer arguments */
1704 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1705 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1706 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1707 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1708 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1709 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1710 o->hostbased_uses_name_from_packet_only);
1711 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1712 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1714 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1715 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1716 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1718 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1722 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1723 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1726 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1727 o->zero_knowledge_password_authentication);
1729 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1730 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1731 o->kbd_interactive_authentication);
1732 dump_cfg_fmtint(sChallengeResponseAuthentication,
1733 o->challenge_response_authentication);
1734 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1735 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1736 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1737 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1738 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1739 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1740 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1741 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1742 dump_cfg_fmtint(sUseLogin, o->use_login);
1743 dump_cfg_fmtint(sCompression, o->compression);
1744 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1745 dump_cfg_fmtint(sUseDNS, o->use_dns);
1746 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1747 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1749 /* string arguments */
1750 dump_cfg_string(sPidFile, o->pid_file);
1751 dump_cfg_string(sXAuthLocation, o->xauth_location);
1752 dump_cfg_string(sCiphers, o->ciphers);
1753 dump_cfg_string(sMacs, o->macs);
1754 dump_cfg_string(sBanner, o->banner);
1755 dump_cfg_string(sForceCommand, o->adm_forced_command);
1756 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1757 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1758 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1759 dump_cfg_string(sAuthorizedPrincipalsFile,
1760 o->authorized_principals_file);
1762 /* string arguments requiring a lookup */
1763 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1764 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1766 /* string array arguments */
1767 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
1768 o->authorized_keys_files);
1769 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1771 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1772 o->host_cert_files);
1773 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1774 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1775 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1776 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1777 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1779 /* other arguments */
1780 for (i = 0; i < o->num_subsystems; i++)
1781 printf("subsystem %s %s\n", o->subsystem_name[i],
1782 o->subsystem_args[i]);
1784 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1785 o->max_startups_rate, o->max_startups);
1787 for (i = 0; tunmode_desc[i].val != -1; i++)
1788 if (tunmode_desc[i].val == o->permit_tun) {
1789 s = tunmode_desc[i].text;
1792 dump_cfg_string(sPermitTunnel, s);
1794 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
1795 printf("%s\n", iptos2str(o->ip_qos_bulk));
1797 channel_print_adm_permitted_opens();