1 /* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
38 #include "pathnames.h"
50 /* Format of the configuration file:
52 # Configuration data is parsed as follows:
53 # 1. command line options
54 # 2. user-specific file
56 # Any configuration value is only changed the first time it is set.
57 # Thus, host-specific definitions should be at the beginning of the
58 # configuration file, and defaults at the end.
60 # Host-specific declarations. These may override anything above. A single
61 # host may match multiple declarations; these are processed in the order
62 # that they are given in.
68 HostName another.host.name.real.org
75 RemoteForward 9999 shadows.cs.hut.fi:9999
81 PasswordAuthentication no
85 ProxyCommand ssh-proxy %h %p
88 PublicKeyAuthentication no
92 PasswordAuthentication no
98 # Defaults for various options
102 PasswordAuthentication yes
103 RSAAuthentication yes
104 RhostsRSAAuthentication yes
105 StrictHostKeyChecking yes
107 IdentityFile ~/.ssh/identity
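/*
 * Keyword tokens.
 *
 * One opcode per configuration keyword; the keywords[] table below maps the
 * textual (lower-case) names onto these values and process_config_line()
 * dispatches on them.  oBadOption comes first so that it is the zero value
 * returned by parse_token() for an unrecognised keyword.  oDeprecated and
 * oUnsupported are catch-alls for keywords that are accepted but ignored
 * (logged at debug/error level respectively).
 *
 * oVersionAddendum, oHashKnownHosts and oHPNBufferSize are referenced by the
 * keyword table and by process_config_line() and therefore belong here.
 */

typedef enum {
	oBadOption,
	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
	oGatewayPorts, oExitOnForwardFailure,
	oPasswordAuthentication, oRSAAuthentication,
	oChallengeResponseAuthentication, oXAuthLocation,
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
	oVersionAddendum,
	oSendEnv, oControlPath, oControlMaster, oControlPersist,
	oHashKnownHosts,
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
	oKexAlgorithms, oIPQoS, oRequestTTY,
	oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
	oHPNBufferSize,
	oDeprecated, oUnsupported
} OpCodes;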
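/*
 * Textual representations of the tokens.
 *
 * Names are stored in lower case and matched case-insensitively by
 * parse_token(), so "HostName" and "hostname" are the same keyword.  Several
 * names are aliases for one opcode, a few are kept only so old files keep
 * parsing (oDeprecated), and keywords whose feature was compiled out map to
 * oUnsupported rather than being rejected as typos.  The table ends with a
 * NULL name, which is the loop terminator parse_token() relies on.
 *
 * Restored here relative to the fragment above: the entries for "port",
 * "macs", "user", "host" and "ipqos" (all handled by process_config_line()),
 * the feature #ifdef groups and the terminating sentinel.
 */

static struct {
	const char *name;
	OpCodes opcode;
} keywords[] = {
	{ "forwardagent", oForwardAgent },
	{ "forwardx11", oForwardX11 },
	{ "forwardx11trusted", oForwardX11Trusted },
	{ "forwardx11timeout", oForwardX11Timeout },
	{ "exitonforwardfailure", oExitOnForwardFailure },
	{ "xauthlocation", oXAuthLocation },
	{ "gatewayports", oGatewayPorts },
	{ "useprivilegedport", oUsePrivilegedPort },
	{ "rhostsauthentication", oDeprecated },
	{ "passwordauthentication", oPasswordAuthentication },
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
	{ "kbdinteractivedevices", oKbdInteractiveDevices },
	{ "rsaauthentication", oRSAAuthentication },
	{ "pubkeyauthentication", oPubkeyAuthentication },
	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
	{ "hostbasedauthentication", oHostbasedAuthentication },
	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
	{ "kerberosauthentication", oUnsupported },
	{ "kerberostgtpassing", oUnsupported },
	{ "afstokenpassing", oUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", oGssAuthentication },
	{ "gssapidelegatecredentials", oGssDelegateCreds },
#else
	/* Accepted but ignored when GSSAPI support is compiled out. */
	{ "gssapiauthentication", oUnsupported },
	{ "gssapidelegatecredentials", oUnsupported },
#endif
	{ "fallbacktorsh", oDeprecated },
	{ "usersh", oDeprecated },
	{ "identityfile", oIdentityFile },
	{ "identityfile2", oIdentityFile },			/* obsolete */
	{ "identitiesonly", oIdentitiesOnly },
	{ "hostname", oHostName },
	{ "hostkeyalias", oHostKeyAlias },
	{ "proxycommand", oProxyCommand },
	{ "port", oPort },
	{ "cipher", oCipher },
	{ "ciphers", oCiphers },
	{ "macs", oMacs },
	{ "protocol", oProtocol },
	{ "remoteforward", oRemoteForward },
	{ "localforward", oLocalForward },
	{ "user", oUser },
	{ "host", oHost },
	{ "escapechar", oEscapeChar },
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
	{ "globalknownhostsfile2", oDeprecated },
	{ "userknownhostsfile", oUserKnownHostsFile },
	{ "userknownhostsfile2", oDeprecated },
	{ "connectionattempts", oConnectionAttempts },
	{ "batchmode", oBatchMode },
	{ "checkhostip", oCheckHostIP },
	{ "stricthostkeychecking", oStrictHostKeyChecking },
	{ "compression", oCompression },
	{ "compressionlevel", oCompressionLevel },
	{ "tcpkeepalive", oTCPKeepAlive },
	{ "keepalive", oTCPKeepAlive },				/* obsolete */
	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
	{ "loglevel", oLogLevel },
	{ "dynamicforward", oDynamicForward },
	{ "preferredauthentications", oPreferredAuthentications },
	{ "hostkeyalgorithms", oHostKeyAlgorithms },
	{ "bindaddress", oBindAddress },
#ifdef ENABLE_PKCS11
	{ "smartcarddevice", oPKCS11Provider },
	{ "pkcs11provider", oPKCS11Provider },
#else
	{ "smartcarddevice", oUnsupported },
	{ "pkcs11provider", oUnsupported },
#endif
	{ "clearallforwardings", oClearAllForwardings },
	{ "enablesshkeysign", oEnableSSHKeysign },
	{ "verifyhostkeydns", oVerifyHostKeyDNS },
	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
	{ "rekeylimit", oRekeyLimit },
	{ "connecttimeout", oConnectTimeout },
	{ "addressfamily", oAddressFamily },
	{ "serveraliveinterval", oServerAliveInterval },
	{ "serveralivecountmax", oServerAliveCountMax },
	{ "versionaddendum", oVersionAddendum },
	{ "sendenv", oSendEnv },
	{ "controlpath", oControlPath },
	{ "controlmaster", oControlMaster },
	{ "controlpersist", oControlPersist },
	{ "hashknownhosts", oHashKnownHosts },
	{ "tunnel", oTunnel },
	{ "tunneldevice", oTunnelDevice },
	{ "localcommand", oLocalCommand },
	{ "permitlocalcommand", oPermitLocalCommand },
	{ "visualhostkey", oVisualHostKey },
	{ "useroaming", oUseRoaming },
#ifdef JPAKE
	{ "zeroknowledgepasswordauthentication",
	    oZeroKnowledgePasswordAuthentication },
#else
	{ "zeroknowledgepasswordauthentication", oUnsupported },
#endif
	{ "kexalgorithms", oKexAlgorithms },
	{ "ipqos", oIPQoS },
	{ "requesttty", oRequestTTY },
	{ "noneenabled", oNoneEnabled },
	{ "tcprcvbufpoll", oTcpRcvBufPoll },
	{ "tcprcvbuf", oTcpRcvBuf },
	{ "noneswitch", oNoneSwitch },
	{ "hpndisabled", oHPNDisabled },
	{ "hpnbuffersize", oHPNBufferSize },
	{ NULL, oBadOption }	/* sentinel: parse_token() stops here */
};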
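/*
 * Adds a local TCP/IP port forward to options.  Never returns if there is an
 * error: a listen port below IPPORT_RESERVED is refused unless the invoking
 * user is root, and xrealloc() aborts on allocation failure.
 *
 * options: option set whose local_forwards array is grown by one entry.
 * newfwd:  forwarding to record.  Its host strings are taken over by
 *          reference (shallow copy), not duplicated; clear_forwardings()
 *          frees them later.
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *fwd;
#ifndef NO_IPPORT_RESERVED_CONCEPT
	/*
	 * Presumably the real uid recorded at startup rather than the
	 * effective one, so privilege gained through set-id does not allow
	 * binding a privileged local port -- confirm against the definition.
	 */
	extern uid_t original_real_uid;
	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");
#endif
	options->local_forwards = xrealloc(options->local_forwards,
	    options->num_local_forwards + 1,
	    sizeof(*options->local_forwards));
	fwd = &options->local_forwards[options->num_local_forwards++];

	fwd->listen_host = newfwd->listen_host;
	fwd->listen_port = newfwd->listen_port;
	fwd->connect_host = newfwd->connect_host;
	fwd->connect_port = newfwd->connect_port;
	/*
	 * xrealloc() leaves the new slot indeterminate; clear the one field
	 * not copied above so every entry is fully initialised, matching
	 * add_remote_forward().
	 */
	fwd->allocated_port = 0;
}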
/*
 * Adds a remote TCP/IP port forward to options.  Never returns if there is
 * an error (xrealloc() aborts rather than returning NULL).
 *
 * The new entry is a shallow copy of newfwd: the listen/connect host strings
 * are shared, not duplicated, and are released by clear_forwardings().  The
 * allocated_port field always starts at 0 for a freshly added entry.
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

	options->remote_forwards = xrealloc(options->remote_forwards,
	    options->num_remote_forwards + 1,
	    sizeof(*options->remote_forwards));
	slot = &options->remote_forwards[options->num_remote_forwards];
	options->num_remote_forwards++;

	*slot = *newfwd;		/* listen_host/port, connect_host/port */
	slot->allocated_port = 0;	/* fresh entry: nothing allocated yet */
}
/*
 * Frees every entry of one forwarding list and empties it.
 *
 * list:  address of the Forward array pointer; set to NULL once freed.
 * count: address of the entry counter; reset to 0.
 *
 * listen_host may be NULL and is therefore guarded; connect_host is always
 * released.  The array itself is only freed when it holds entries.
 */
static void
release_forward_list(Forward **list, int *count)
{
	int idx;

	for (idx = 0; idx < *count; idx++) {
		Forward *entry = &(*list)[idx];

		if (entry->listen_host != NULL)
			xfree(entry->listen_host);
		xfree(entry->connect_host);
	}
	if (*count > 0) {
		xfree(*list);
		*list = NULL;
	}
	*count = 0;
}

/*
 * Drops all local and remote port forwardings recorded in options and turns
 * tunnel forwarding off (tun_open = SSH_TUNMODE_NO).  Used when a
 * ClearAllForwardings directive or equivalent is in effect.
 */
void
clear_forwardings(Options *options)
{
	release_forward_list(&options->local_forwards,
	    &options->num_local_forwards);
	release_forward_list(&options->remote_forwards,
	    &options->num_remote_forwards);
	options->tun_open = SSH_TUNMODE_NO;
}
/*
 * Returns the opcode of the keyword at cp, or oBadOption if it is not a
 * known keyword.  Matching is case-insensitive against the keywords[] table,
 * which is terminated by a NULL name.  On failure the offending keyword is
 * logged with filename and linenum so the caller can count bad options
 * without aborting immediately.
 */
static OpCodes
parse_token(const char *cp, const char *filename, int linenum)
{
	size_t idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return oBadOption;
}
/*
 * Processes a single option line as used in the configuration files. This
 * only sets those values that have not already been set.
 *
 * options:  option set being filled.  A field is written only while *activep
 *           is non-zero (inside a matching Host block) and the field still
 *           holds its "unset" marker (-1, NULL, 0 or SSH_PROTO_UNKNOWN), so
 *           the first setting of an option wins.
 * host:     host name matched against Host patterns.
 * line:     raw input line; trailing whitespace is stripped and the line is
 *           tokenised in place with strdelim().
 * filename, linenum: used for diagnostics -- with one exception: the literal
 *           filename "command-line" is what unlocks NoneSwitch below.
 * activep:  in/out flag that Host lines switch on and off.
 *
 * Argument errors are fatal.  An unknown keyword is logged and reported
 * through a non-zero return so the caller can count bad options.
 *
 * NOTE(review): this listing omits a number of the function's lines (return
 * type, several case labels, blank/brace lines); comments below are keyed to
 * the statements that are present.
 */
#define WHITESPACE " \t\r\n"

process_config_line(Options *options, const char *host,
    char *line, const char *filename, int linenum,
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
	char **cpptr, fwdarg[256];
	u_int *uintptr, max_entries = 0;
	int negated, opcode, *intptr, value, value2, scale;
	LogLevel *log_level_ptr;
	long long orig, val64;

	/* Strip trailing whitespace */
	for (len = strlen(line) - 1; len > 0; len--) {
		if (strchr(WHITESPACE, line[len]) == NULL)

	/* Get the keyword. (Each line is supposed to begin with a keyword). */
	if ((keyword = strdelim(&s)) == NULL)
	/* Ignore leading whitespace. */
	if (*keyword == '\0')
		keyword = strdelim(&s);
	/* Blank lines and '#' comments are accepted silently. */
	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')

	opcode = parse_token(keyword, filename, linenum);
		/* don't panic, but count bad options */

	case oConnectTimeout:
		intptr = &options->connection_timeout;
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
		/* convtime() parses e.g. "30" or "1m"; -1 means unparsable. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
		if (*activep && *intptr == -1)

		intptr = &options->forward_agent;
		/* Shared yes/no parser: the boolean options above fall through here. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
		if (*activep && *intptr == -1)

		intptr = &options->forward_x11;
	case oForwardX11Trusted:
		intptr = &options->forward_x11_trusted;
	case oForwardX11Timeout:
		intptr = &options->forward_x11_timeout;
		intptr = &options->gateway_ports;
	case oExitOnForwardFailure:
		intptr = &options->exit_on_forward_failure;
	case oUsePrivilegedPort:
		intptr = &options->use_privileged_port;
	case oPasswordAuthentication:
		intptr = &options->password_authentication;
	case oZeroKnowledgePasswordAuthentication:
		intptr = &options->zero_knowledge_password_authentication;
	case oKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
	case oKbdInteractiveDevices:
		charptr = &options->kbd_interactive_devices;
	case oPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
	case oRSAAuthentication:
		intptr = &options->rsa_authentication;
	case oRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
	case oHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
	case oChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
	case oGssAuthentication:
		intptr = &options->gss_authentication;
	case oGssDelegateCreds:
		intptr = &options->gss_deleg_creds;
		intptr = &options->batch_mode;
		intptr = &options->check_host_ip;

		/* NoneEnabled (HPN): allow the "none" cipher to be negotiated. */
		intptr = &options->none_enabled;

		/* we check to see if the command comes from the */
		/* command line or not. If it does then enable it */
		/* otherwise fail. NONE should never be a default configuration */
		/*
		 * The trust decision rests entirely on the filename string the
		 * caller passes; a config file cannot switch the cipher off.
		 */
		if(strcmp(filename,"command-line")==0)
			intptr = &options->none_switch;
			error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
			error("Continuing...");
			debug("NoneSwitch directive found in %.200s.", filename);

		intptr = &options->hpn_disabled;
		intptr = &options->hpn_buffer_size;
		intptr = &options->tcp_rcv_buf_poll;

	case oVerifyHostKeyDNS:
		intptr = &options->verify_host_key_dns;

	case oStrictHostKeyChecking:
		intptr = &options->strict_host_key_checking;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no/ask argument.",
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
		else if (strcmp(arg, "ask") == 0)
			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
		if (*activep && *intptr == -1)

		intptr = &options->compression;
		intptr = &options->tcp_keep_alive;
	case oNoHostAuthenticationForLocalhost:
		intptr = &options->no_host_authentication_for_localhost;
	case oNumberOfPasswordPrompts:
		intptr = &options->number_of_password_prompts;
	case oCompressionLevel:
		intptr = &options->compression_level;

		/* RekeyLimit: decimal byte count with optional K/M/G-style suffix. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		/* Reject a leading sign or junk before handing to strtoll(). */
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);
		orig = val64 = strtoll(arg, &endofnumber, 10);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		/* The suffix character selects the multiplier stored in scale. */
		switch (toupper(*endofnumber)) {
			fatal("%.200s line %d: Invalid RekeyLimit suffix",
		/* detect integer wrap and too-large limits */
		if ((val64 / scale) != orig || val64 > UINT_MAX)
			fatal("%.200s line %d: RekeyLimit too large",
			fatal("%.200s line %d: RekeyLimit too small",
		if (*activep && options->rekey_limit == -1)
			options->rekey_limit = (u_int32_t)val64;

		/* IdentityFile: appended regardless of *activep, up to the fixed maximum. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			intptr = &options->num_identity_files;
			if (*intptr >= SSH_MAX_IDENTITY_FILES)
				fatal("%.200s line %d: Too many identity files specified (max %d).",
				    filename, linenum, SSH_MAX_IDENTITY_FILES);
			charptr = &options->identity_files[*intptr];
			*charptr = xstrdup(arg);
			*intptr = *intptr + 1;

		charptr=&options->xauth_location;

		charptr = &options->user;
		/* Shared single-string parser: first value wins. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.",
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);

	case oGlobalKnownHostsFile:
		cpptr = (char **)&options->system_hostfiles;
		uintptr = &options->num_system_hostfiles;
		max_entries = SSH_MAX_HOSTS_FILES;
		/* Shared list parser (parse_char_array): consume the rest of the line. */
		if (*activep && *uintptr == 0) {
			while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
				if ((*uintptr) >= max_entries)
					    "too many authorized keys files.",
				cpptr[(*uintptr)++] = xstrdup(arg);

	case oUserKnownHostsFile:
		cpptr = (char **)&options->user_hostfiles;
		uintptr = &options->num_user_hostfiles;
		max_entries = SSH_MAX_HOSTS_FILES;
		goto parse_char_array;

		charptr = &options->hostname;
		charptr = &options->host_key_alias;
	case oPreferredAuthentications:
		charptr = &options->preferred_authentications;
		charptr = &options->bind_address;
	case oPKCS11Provider:
		charptr = &options->pkcs11_provider;

		/*
		 * ProxyCommand: the remainder of the line, verbatim, after
		 * skipping whitespace and an optional '='.  This string is
		 * later executed, which is why read_config_file() checks
		 * the file's owner and permissions.
		 */
		charptr = &options->proxy_command;
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		len = strspn(s, WHITESPACE "=");
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(s + len);

		intptr = &options->port;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);

		/* Octal, decimal, or hex format? */
		value = strtol(arg, &endofnumber, 0);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		if (*activep && *intptr == -1)

	case oConnectionAttempts:
		intptr = &options->connection_attempts;
		intptr = &options->tcp_rcv_buf;

		/* Cipher (protocol 1): single cipher by name. */
		intptr = &options->cipher;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = cipher_number(arg);
			fatal("%.200s line %d: Bad cipher '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == -1)

		/* Ciphers (protocol 2): comma-separated list, validated as a whole. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->ciphers == NULL)
			options->ciphers = xstrdup(arg);

		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->macs == NULL)
			options->macs = xstrdup(arg);

		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.",
		if (!kex_names_valid(arg))
			fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->kex_algorithms == NULL)
			options->kex_algorithms = xstrdup(arg);

	case oHostKeyAlgorithms:
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!key_names_valid2(arg))
			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->hostkeyalgorithms == NULL)
			options->hostkeyalgorithms = xstrdup(arg);

		intptr = &options->protocol;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%.200s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		/* SSH_PROTO_UNKNOWN is this option's "unset" marker. */
		if (*activep && *intptr == SSH_PROTO_UNKNOWN)

		log_level_ptr = &options->log_level;
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
			*log_level_ptr = (LogLevel) value;

	case oDynamicForward:
		if (arg == NULL || *arg == '\0')
			fatal("%.200s line %d: Missing port argument.",

		if (opcode == oLocalForward ||
		    opcode == oRemoteForward) {
			if (arg2 == NULL || *arg2 == '\0')
				fatal("%.200s line %d: Missing target argument.",

			/* construct a string for parse_forward */
			/*
			 * NOTE(review): fwdarg is 256 bytes and neither
			 * snprintf() nor strlcpy() below has its return value
			 * checked, so a longer specification reaches
			 * parse_forward() silently truncated.
			 */
			snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
		} else if (opcode == oDynamicForward) {
			strlcpy(fwdarg, arg, sizeof(fwdarg));

		/* Third/fourth args: dynamic (no target) and remote (listen on server). */
		if (parse_forward(&fwd, fwdarg,
		    opcode == oDynamicForward ? 1 : 0,
		    opcode == oRemoteForward ? 1 : 0) == 0)
			fatal("%.200s line %d: Bad forwarding specification.",

		/* Forwards are recorded unconditionally (see add_*_forward). */
		if (opcode == oLocalForward ||
		    opcode == oDynamicForward)
			add_local_forward(options, &fwd);
		else if (opcode == oRemoteForward)
			add_remote_forward(options, &fwd);

	case oClearAllForwardings:
		intptr = &options->clear_forwardings;

		/*
		 * Host: a list of patterns; a leading '!' negates.  A negated
		 * match disables the block outright, otherwise the block is
		 * active when any pattern matches.
		 */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
			negated = *arg == '!';
			if (match_pattern(host, arg)) {
					debug("%.200s line %d: Skipping Host "
					    "block because of negated match "
					    "for %.100s", filename, linenum,
				arg2 = arg; /* logged below */
			debug("%.200s line %d: Applying options for %.100s",
			    filename, linenum, arg2);
		/* Avoid garbage check below, as strdelim is done. */

		/*
		 * EscapeChar: "^X" (X in '@'..DEL) becomes the control
		 * character, a single character is taken literally, and
		 * "none" disables escapes.
		 */
		intptr = &options->escape_char;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] == '^' && arg[2] == 0 &&
		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
			value = (u_char) arg[1] & 31;
		else if (strlen(arg) == 1)
			value = (u_char) arg[0];
		else if (strcmp(arg, "none") == 0)
			value = SSH_ESCAPECHAR_NONE;
			fatal("%.200s line %d: Bad escape character.",
			value = 0;	/* Avoid compiler warning. */
		if (*activep && *intptr == -1)

		if (!arg || *arg == '\0')
			fatal("%s line %d: missing address family.",
		intptr = &options->address_family;
		if (strcasecmp(arg, "inet") == 0)
		else if (strcasecmp(arg, "inet6") == 0)
		else if (strcasecmp(arg, "any") == 0)
			fatal("Unsupported AddressFamily \"%s\"", arg);
		if (*activep && *intptr == -1)

	case oEnableSSHKeysign:
		intptr = &options->enable_ssh_keysign;
	case oIdentitiesOnly:
		intptr = &options->identities_only;
	case oServerAliveInterval:
		intptr = &options->server_alive_interval;
	case oServerAliveCountMax:
		intptr = &options->server_alive_count_max;

	case oVersionAddendum:
		/*
		 * Rest of the line up to the first newline.  strtok() writes
		 * into s and keeps static state, so nothing here may rely on
		 * a concurrent strtok() sequence.
		 */
		ssh_version_set_addendum(strtok(s, "\n"));
		} while (arg != NULL && *arg != '\0');

		/* SendEnv: names only -- a '=' would smuggle a value. */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
			if (strchr(arg, '=') != NULL)
				fatal("%s line %d: Invalid environment name.",
			if (options->num_send_env >= MAX_SEND_ENV)
				fatal("%s line %d: too many send env.",
			options->send_env[options->num_send_env++] =

		charptr = &options->control_path;

		intptr = &options->control_master;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing ControlMaster argument.",
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
			value = SSHCTL_MASTER_YES;
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			value = SSHCTL_MASTER_NO;
		else if (strcmp(arg, "auto") == 0)
			value = SSHCTL_MASTER_AUTO;
		else if (strcmp(arg, "ask") == 0)
			value = SSHCTL_MASTER_ASK;
		else if (strcmp(arg, "autoask") == 0)
			value = SSHCTL_MASTER_AUTO_ASK;
			fatal("%.200s line %d: Bad ControlMaster argument.",
		if (*activep && *intptr == -1)

	case oControlPersist:
		/* no/false/yes/true, or a time spec */
		intptr = &options->control_persist;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing ControlPersist"
			    " argument.", filename, linenum);
		value2 = 0;	/* timeout */
		if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
		else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		/* Any parsable duration means "yes, with this idle timeout". */
		else if ((value2 = convtime(arg)) >= 0)
			fatal("%.200s line %d: Bad ControlPersist argument.",
		if (*activep && *intptr == -1) {
			options->control_persist_timeout = value2;

	case oHashKnownHosts:
		intptr = &options->hash_known_hosts;

		/* Tunnel: yes/no plus the two layer-2/layer-3 device modes. */
		intptr = &options->tun_open;
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing yes/point-to-point/"
			    "ethernet/no argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcasecmp(arg, "ethernet") == 0)
			value = SSH_TUNMODE_ETHERNET;
		else if (strcasecmp(arg, "point-to-point") == 0)
			value = SSH_TUNMODE_POINTOPOINT;
		else if (strcasecmp(arg, "yes") == 0)
			value = SSH_TUNMODE_DEFAULT;
		else if (strcasecmp(arg, "no") == 0)
			value = SSH_TUNMODE_NO;
			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
			    "no argument: %s", filename, linenum, arg);

		/* TunnelDevice: "local[:remote]" unit numbers via a2tun(). */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = a2tun(arg, &value2);
		if (value == SSH_TUNID_ERR)
			fatal("%.200s line %d: Bad tun device.", filename, linenum);
			options->tun_local = value;
			options->tun_remote = value2;

		/* LocalCommand is run locally after connecting (see PermitLocalCommand). */
		charptr = &options->local_command;
	case oPermitLocalCommand:
		intptr = &options->permit_local_command;
	case oVisualHostKey:
		intptr = &options->visual_host_key;

		/* IPQoS: one value for both classes, or interactive then bulk. */
		if ((value = parse_ipqos(arg)) == -1)
			fatal("%s line %d: Bad IPQoS value: %s",
			    filename, linenum, arg);
		else if ((value2 = parse_ipqos(arg)) == -1)
			fatal("%s line %d: Bad IPQoS value: %s",
			    filename, linenum, arg);
			options->ip_qos_interactive = value;
			options->ip_qos_bulk = value2;

		intptr = &options->use_roaming;

		if (!arg || *arg == '\0')
			fatal("%s line %d: missing argument.",
		intptr = &options->request_tty;
		if (strcasecmp(arg, "yes") == 0)
			value = REQUEST_TTY_YES;
		else if (strcasecmp(arg, "no") == 0)
			value = REQUEST_TTY_NO;
		else if (strcasecmp(arg, "force") == 0)
			value = REQUEST_TTY_FORCE;
		else if (strcasecmp(arg, "auto") == 0)
			value = REQUEST_TTY_AUTO;
			fatal("Unsupported RequestTTY \"%s\"", arg);
		if (*activep && *intptr == -1)

		/* oDeprecated: quietly ignored (debug level only). */
		debug("%s line %d: Deprecated option \"%s\"",
		    filename, linenum, keyword);
		/* oUnsupported: feature compiled out; reported but not fatal. */
		error("%s line %d: Unsupported option \"%s\"",
		    filename, linenum, keyword);
		/* Every opcode in the enum must be handled above. */
		fatal("process_config_line: Unimplemented opcode %d", opcode);

	/* Check that there is no garbage at end of line. */
	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
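/*
 * Reads the config file and modifies the options accordingly. Options
 * should already be initialized before this call. This never returns if
 * there is an error. If the file cannot be opened, this returns 0 -- the
 * caller cannot tell "missing" from "unreadable" -- and on success it
 * returns 1.
 *
 * filename:  path of the configuration file.
 * host:      host name used to match Host blocks.
 * options:   option set to fill; only still-unset values are changed.
 * checkperm: when non-zero, refuse a file owned by anyone but root or the
 *            current user, or writable by group/other.  The file can name
 *            commands to execute (ProxyCommand, LocalCommand), so a file
 *            someone else can write is a code-execution risk.
 */
int
read_config_file(const char *filename, const char *host, Options *options,
    int checkperm)
{
	FILE *f;
	struct stat sb;
	char line[1024];
	int active, linenum;
	int bad_options = 0;

	if ((f = fopen(filename, "r")) == NULL)
		return 0;

	if (checkperm) {
		/*
		 * fstat() the open descriptor rather than stat() the path so
		 * the file that is checked is the file that is read.
		 */
		if (fstat(fileno(f), &sb) == -1)
			fatal("fstat %s: %s", filename, strerror(errno));
		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
		    (sb.st_mode & 022) != 0))
			fatal("Bad owner or permissions on %s", filename);
	}

	debug("Reading configuration data %.200s", filename);

	/*
	 * Mark that we are now processing the options. This flag is turned
	 * on/off by Host specifications.
	 */
	active = 1;
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() splits a line longer than the buffer in two, and the
		 * tail would be parsed as a directive of its own (or a value
		 * such as a ProxyCommand silently truncated).  If no newline
		 * was read and the file continues, refuse the line.
		 */
		if (strchr(line, '\n') == NULL && fgetc(f) != EOF)
			fatal("%s line %d: line too long", filename, linenum);
		if (process_config_line(options, host, line, filename, linenum,
		    &active) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
	return 1;
}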
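/*
 * Initializes options to special values that indicate that they have not yet
 * been set. Read_config_file will only set options with this value. Options
 * are processed in the following order: command line, user config file,
 * system config file. Last, fill_default_options is called.
 *
 * The "unset" markers are -1 for integers, NULL for strings, 0 for the
 * counters of the fixed-size lists and SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET
 * for the enumerated fields; process_config_line() and
 * fill_default_options() test for exactly these values.
 *
 * port is set to -1 here because the oPort handler (`*intptr == -1`) and
 * fill_default_options() (`port == -1`) both treat -1 as "not configured";
 * without it the field would keep the 'X' poison and never receive a value.
 */
void
initialize_options(Options * options)
{
	/*
	 * Poison every byte first so that a field this function forgets shows
	 * up as 0x58 garbage rather than a plausible zero (presumably the
	 * intent of using 'X' rather than 0).
	 */
	memset(options, 'X', sizeof(*options));

	/* Forwarding and X11. */
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->forward_x11_trusted = -1;
	options->forward_x11_timeout = -1;
	options->exit_on_forward_failure = -1;
	options->xauth_location = NULL;
	options->gateway_ports = -1;
	options->use_privileged_port = -1;

	/* Authentication methods. */
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->challenge_response_authentication = -1;
	options->gss_authentication = -1;
	options->gss_deleg_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;

	/* Connection behaviour. */
	options->batch_mode = -1;
	options->check_host_ip = -1;
	options->strict_host_key_checking = -1;
	options->compression = -1;
	options->tcp_keep_alive = -1;
	options->compression_level = -1;
	options->port = -1;
	options->address_family = -1;
	options->connection_attempts = -1;
	options->connection_timeout = -1;
	options->number_of_password_prompts = -1;

	/* Algorithms and protocol selection. */
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->kex_algorithms = NULL;
	options->hostkeyalgorithms = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;

	/* Identity, host naming and host key handling. */
	options->num_identity_files = 0;
	options->hostname = NULL;
	options->host_key_alias = NULL;
	options->proxy_command = NULL;
	options->user = NULL;
	options->escape_char = -1;
	options->num_system_hostfiles = 0;
	options->num_user_hostfiles = 0;

	/* Port forwardings (grown dynamically by add_*_forward). */
	options->local_forwards = NULL;
	options->num_local_forwards = 0;
	options->remote_forwards = NULL;
	options->num_remote_forwards = 0;
	options->clear_forwardings = -1;

	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->preferred_authentications = NULL;
	options->bind_address = NULL;
	options->pkcs11_provider = NULL;
	options->enable_ssh_keysign = -1;
	options->no_host_authentication_for_localhost = -1;
	options->identities_only = -1;
	options->rekey_limit = -1;
	options->verify_host_key_dns = -1;
	options->server_alive_interval = -1;
	options->server_alive_count_max = -1;
	options->num_send_env = 0;

	/* Connection sharing. */
	options->control_path = NULL;
	options->control_master = -1;
	options->control_persist = -1;
	options->control_persist_timeout = 0;

	options->hash_known_hosts = -1;

	/* Tunnel devices. */
	options->tun_open = -1;
	options->tun_local = -1;
	options->tun_remote = -1;

	options->local_command = NULL;
	options->permit_local_command = -1;
	options->use_roaming = -1;
	options->visual_host_key = -1;
	options->zero_knowledge_password_authentication = -1;
	options->ip_qos_interactive = -1;
	options->ip_qos_bulk = -1;
	options->request_tty = -1;

	/* HPN extensions. */
	options->none_switch = -1;
	options->none_enabled = -1;
	options->hpn_disabled = -1;
	options->hpn_buffer_size = -1;
	options->tcp_rcv_buf_poll = -1;
	options->tcp_rcv_buf = -1;
}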
1268 * Called after processing other sources of option data, this fills those
1269 * options for which no value has been specified with their default values.
/*
 * fill_default_options - apply client defaults to every Options field that is
 * still at its "unset" sentinel.
 *
 * @param options  Options struct previously initialised by initialize_options()
 *                 and then updated from the command line and configuration
 *                 files; modified in place.
 *
 * Conventions: integer fields use -1 for "not set" (initialize_options stores
 * -1 above), pointer fields use NULL, and protocol / log_level use their own
 * SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET sentinels.  A field the user set
 * explicitly is left alone, with three exceptions noted inline: the
 * hpn_buffer_size and tcp_rcv_buf post-processing, and clear_forwardings.
 */
1273 fill_default_options(Options * options)
/*
 * Forwarding defaults: agent and X11 forwarding off, untrusted X11 by default,
 * X11 timeout 1200 (presumably seconds - confirm in the X11 forwarding code),
 * and a failed forwarding does not abort the session.
 */
1277 if (options->forward_agent == -1)
1278 options->forward_agent = 0;
1279 if (options->forward_x11 == -1)
1280 options->forward_x11 = 0;
1281 if (options->forward_x11_trusted == -1)
1282 options->forward_x11_trusted = 0;
1283 if (options->forward_x11_timeout == -1)
1284 options->forward_x11_timeout = 1200;
1285 if (options->exit_on_forward_failure == -1)
1286 options->exit_on_forward_failure = 0;
1287 if (options->xauth_location == NULL)
1288 options->xauth_location = _PATH_XAUTH;
/* Listening forwardings bind loopback only, and no privileged source port. */
1289 if (options->gateway_ports == -1)
1290 options->gateway_ports = 0;
1291 if (options->use_privileged_port == -1)
1292 options->use_privileged_port = 0;
/*
 * Authentication defaults: RSA, public-key, challenge-response, password and
 * keyboard-interactive are offered; GSSAPI (and credential delegation),
 * rhosts-RSA and host-based authentication stay off unless requested.
 */
1293 if (options->rsa_authentication == -1)
1294 options->rsa_authentication = 1;
1295 if (options->pubkey_authentication == -1)
1296 options->pubkey_authentication = 1;
1297 if (options->challenge_response_authentication == -1)
1298 options->challenge_response_authentication = 1;
1299 if (options->gss_authentication == -1)
1300 options->gss_authentication = 0;
1301 if (options->gss_deleg_creds == -1)
1302 options->gss_deleg_creds = 0;
1303 if (options->password_authentication == -1)
1304 options->password_authentication = 1;
1305 if (options->kbd_interactive_authentication == -1)
1306 options->kbd_interactive_authentication = 1;
1307 if (options->rhosts_rsa_authentication == -1)
1308 options->rhosts_rsa_authentication = 0;
1309 if (options->hostbased_authentication == -1)
1310 options->hostbased_authentication = 0;
1311 if (options->batch_mode == -1)
1312 options->batch_mode = 0;
1313 if (options->check_host_ip == -1)
1314 options->check_host_ip = 0;
/* NOTE(review): 2 presumably selects the "ask" behaviour - confirm in the option parser. */
1315 if (options->strict_host_key_checking == -1)
1316 options->strict_host_key_checking = 2; /* 2 is default */
1317 if (options->compression == -1)
1318 options->compression = 0;
1319 if (options->tcp_keep_alive == -1)
1320 options->tcp_keep_alive = 1;
1321 if (options->compression_level == -1)
1322 options->compression_level = 6;
1323 if (options->port == -1)
1324 options->port = 0; /* Filled in ssh_connect. */
1325 if (options->address_family == -1)
1326 options->address_family = AF_UNSPEC;
1327 if (options->connection_attempts == -1)
1328 options->connection_attempts = 1;
1329 if (options->number_of_password_prompts == -1)
1330 options->number_of_password_prompts = 3;
1331 /* Selected in ssh_login(). */
1332 if (options->cipher == -1)
1333 options->cipher = SSH_CIPHER_NOT_SET;
1334 /* options->ciphers, default set in myproposals.h */
1335 /* options->macs, default set in myproposals.h */
1336 /* options->kex_algorithms, default set in myproposals.h */
1337 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Protocol 2 only unless the user asked for something else. */
1338 if (options->protocol == SSH_PROTO_UNKNOWN)
1339 options->protocol = SSH_PROTO_2;
/*
 * Default identity files are supplied only when the user configured none at
 * all, and only for the protocol versions actually enabled.  Each default is
 * written as "~/<path>"; snprintf bounds the write to len bytes and %.100s
 * additionally caps the copied pathname at 100 characters, so an unusually
 * long _PATH_SSH_CLIENT_* value is truncated rather than overflowing.
 */
1340 if (options->num_identity_files == 0) {
1341 if (options->protocol & SSH_PROTO_1) {
1342 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1343 options->identity_files[options->num_identity_files] =
1345 snprintf(options->identity_files[options->num_identity_files++],
1346 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1348 if (options->protocol & SSH_PROTO_2) {
1349 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1350 options->identity_files[options->num_identity_files] =
1352 snprintf(options->identity_files[options->num_identity_files++],
1353 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1355 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1356 options->identity_files[options->num_identity_files] =
1358 snprintf(options->identity_files[options->num_identity_files++],
1359 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
/* The ECDSA identity is only offered when OPENSSL_HAS_ECC is defined. */
1360 #ifdef OPENSSL_HAS_ECC
1361 len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1;
1362 options->identity_files[options->num_identity_files] =
1364 snprintf(options->identity_files[options->num_identity_files++],
1365 len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA);
1369 if (options->escape_char == -1)
1370 options->escape_char = '~';
/* Two system-wide and two per-user known_hosts files unless overridden. */
1371 if (options->num_system_hostfiles == 0) {
1372 options->system_hostfiles[options->num_system_hostfiles++] =
1373 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1374 options->system_hostfiles[options->num_system_hostfiles++] =
1375 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1377 if (options->num_user_hostfiles == 0) {
1378 options->user_hostfiles[options->num_user_hostfiles++] =
1379 xstrdup(_PATH_SSH_USER_HOSTFILE);
1380 options->user_hostfiles[options->num_user_hostfiles++] =
1381 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1383 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1384 options->log_level = SYSLOG_LEVEL_INFO;
/* Not a default: when the clear flag was requested, drop every forwarding collected so far. */
1385 if (options->clear_forwardings == 1)
1386 clear_forwardings(options);
/* Host-key verification stays enabled for localhost unless explicitly disabled. */
1387 if (options->no_host_authentication_for_localhost == - 1)
1388 options->no_host_authentication_for_localhost = 0;
1389 if (options->identities_only == -1)
1390 options->identities_only = 0;
1391 if (options->enable_ssh_keysign == -1)
1392 options->enable_ssh_keysign = 0;
/* 0 here; what 0 means (presumably "use the cipher's own limit") is decided where rekey_limit is consumed - confirm. */
1393 if (options->rekey_limit == -1)
1394 options->rekey_limit = 0;
/* DNS-based host-key verification is off unless enabled. */
1395 if (options->verify_host_key_dns == -1)
1396 options->verify_host_key_dns = 0;
/* Keepalive probes: interval 0 (presumably disabled - confirm in the client loop), up to 3 unanswered. */
1397 if (options->server_alive_interval == -1)
1398 options->server_alive_interval = 0;
1399 if (options->server_alive_count_max == -1)
1400 options->server_alive_count_max = 3;
/* HPN extensions: the "none" cipher switch is off and HPN itself is enabled. */
1401 if (options->none_switch == -1)
1402 options->none_switch = 0;
1403 if (options->hpn_disabled == -1)
1404 options->hpn_disabled = 0;
/*
 * HPN: post-process an explicitly set hpn_buffer_size (-1 = unset is left
 * alone).  NOTE(review): 0 becomes 1024 and anything above 65536 becomes
 * 65536*1024, but a value in 1..65536 is neither scaled nor clamped here, so
 * the field holds mixed units unless the option parser already scaled it -
 * confirm against the parser's hpn_buffer_size handling before relying on it.
 */
1405 if (options->hpn_buffer_size > -1)
1407 /* if a user tries to set the size to 0 set it to 1KB */
1408 if (options->hpn_buffer_size == 0)
1409 options->hpn_buffer_size = 1024;
1410 /*limit the buffer to 64MB*/
1411 if (options->hpn_buffer_size > 65536)
1413 options->hpn_buffer_size = 65536*1024;
1414 debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1416 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
/* tcp_rcv_buf: 0 is bumped to 1, then every explicitly set (>= 0) value is scaled by 1024; -1 (unset) passes through untouched. */
1418 if (options->tcp_rcv_buf == 0)
1419 options->tcp_rcv_buf = 1;
1420 if (options->tcp_rcv_buf > -1)
1421 options->tcp_rcv_buf *=1024;
1422 if (options->tcp_rcv_buf_poll == -1)
1423 options->tcp_rcv_buf_poll = 1;
/* Connection sharing off; an unset control_persist also resets its timeout. */
1424 if (options->control_master == -1)
1425 options->control_master = 0;
1426 if (options->control_persist == -1) {
1427 options->control_persist = 0;
1428 options->control_persist_timeout = 0;
/* Host names are written to known_hosts unhashed unless hashing is enabled. */
1430 if (options->hash_known_hosts == -1)
1431 options->hash_known_hosts = 0;
/* No tunnel device by default; tunnel ids are left for the peer to choose. */
1432 if (options->tun_open == -1)
1433 options->tun_open = SSH_TUNMODE_NO;
1434 if (options->tun_local == -1)
1435 options->tun_local = SSH_TUNID_ANY;
1436 if (options->tun_remote == -1)
1437 options->tun_remote = SSH_TUNID_ANY;
/* Execution of a configured local_command stays disabled unless explicitly permitted. */
1438 if (options->permit_local_command == -1)
1439 options->permit_local_command = 0;
/* NOTE(review): roaming is enabled by default here; to the reviewer's knowledge upstream later changed this default to off - consider whether this build should as well. */
1440 if (options->use_roaming == -1)
1441 options->use_roaming = 1;
1442 if (options->visual_host_key == -1)
1443 options->visual_host_key = 0;
1444 if (options->zero_knowledge_password_authentication == -1)
1445 options->zero_knowledge_password_authentication = 0;
/* Default TOS marking: interactive traffic IPTOS_LOWDELAY, bulk transfers IPTOS_THROUGHPUT. */
1446 if (options->ip_qos_interactive == -1)
1447 options->ip_qos_interactive = IPTOS_LOWDELAY;
1448 if (options->ip_qos_bulk == -1)
1449 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1450 if (options->request_tty == -1)
1451 options->request_tty = REQUEST_TTY_AUTO;
1452 /* options->local_command should not be set by default */
1453 /* options->proxy_command should not be set by default */
1454 /* options->user will be set in the main program if appropriate */
1455 /* options->hostname will be set in the main program if appropriate */
1456 /* options->host_key_alias should not be set by default */
1457 /* options->preferred_authentications will be set in ssh */
1462 * parses a string containing a port forwarding specification of the form:
1464 * [listenhost:]listenport:connecthost:connectport
1466 * [listenhost:]listenport
1467 * returns number of arguments parsed or zero on error
1470 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1473 char *p, *cp, *fwdarg[4];
1475 memset(fwd, '\0', sizeof(*fwd));
1477 cp = p = xstrdup(fwdspec);
1479 /* skip leading spaces */
1480 while (isspace(*cp))
1483 for (i = 0; i < 4; ++i)
1484 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1487 /* Check for trailing garbage */
1489 i = 0; /* failure */
1493 fwd->listen_host = NULL;
1494 fwd->listen_port = a2port(fwdarg[0]);
1495 fwd->connect_host = xstrdup("socks");
1499 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1500 fwd->listen_port = a2port(fwdarg[1]);
1501 fwd->connect_host = xstrdup("socks");
1505 fwd->listen_host = NULL;
1506 fwd->listen_port = a2port(fwdarg[0]);
1507 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1508 fwd->connect_port = a2port(fwdarg[2]);
1512 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1513 fwd->listen_port = a2port(fwdarg[1]);
1514 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1515 fwd->connect_port = a2port(fwdarg[3]);
1518 i = 0; /* failure */
1524 if (!(i == 1 || i == 2))
1527 if (!(i == 3 || i == 4))
1529 if (fwd->connect_port <= 0)
1533 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1536 if (fwd->connect_host != NULL &&
1537 strlen(fwd->connect_host) >= NI_MAXHOST)
1539 if (fwd->listen_host != NULL &&
1540 strlen(fwd->listen_host) >= NI_MAXHOST)
1547 if (fwd->connect_host != NULL) {
1548 xfree(fwd->connect_host);
1549 fwd->connect_host = NULL;
1551 if (fwd->listen_host != NULL) {
1552 xfree(fwd->listen_host);
1553 fwd->listen_host = NULL;