2 /* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
38 #include "openbsd-compat/sys-queue.h"
46 #include "pathnames.h"
53 #include "groupaccess.h"
58 #include "myproposal.h"
61 static void add_listen_addr(ServerOptions *, char *, int);
62 static void add_one_listen_addr(ServerOptions *, char *, int);
64 /* Use of privilege separation or not */
65 extern int use_privsep;
68 /* Initializes the server options to their default values. */
71 initialize_server_options(ServerOptions *options)
73 memset(options, 0, sizeof(*options));
75 /* Portable-specific options */
76 options->use_pam = -1;
78 /* Standard Options */
79 options->num_ports = 0;
80 options->ports_from_cmdline = 0;
81 options->queued_listen_addrs = NULL;
82 options->num_queued_listens = 0;
83 options->listen_addrs = NULL;
84 options->address_family = -1;
85 options->num_host_key_files = 0;
86 options->num_host_cert_files = 0;
87 options->host_key_agent = NULL;
88 options->pid_file = NULL;
89 options->login_grace_time = -1;
90 options->permit_root_login = PERMIT_NOT_SET;
91 options->ignore_rhosts = -1;
92 options->ignore_user_known_hosts = -1;
93 options->print_motd = -1;
94 options->print_lastlog = -1;
95 options->x11_forwarding = -1;
96 options->x11_display_offset = -1;
97 options->x11_use_localhost = -1;
98 options->permit_tty = -1;
99 options->permit_user_rc = -1;
100 options->xauth_location = NULL;
101 options->strict_modes = -1;
102 options->tcp_keep_alive = -1;
103 options->log_facility = SYSLOG_FACILITY_NOT_SET;
104 options->log_level = SYSLOG_LEVEL_NOT_SET;
105 options->hostbased_authentication = -1;
106 options->hostbased_uses_name_from_packet_only = -1;
107 options->hostbased_key_types = NULL;
108 options->hostkeyalgorithms = NULL;
109 options->pubkey_authentication = -1;
110 options->pubkey_key_types = NULL;
111 options->kerberos_authentication = -1;
112 options->kerberos_or_local_passwd = -1;
113 options->kerberos_ticket_cleanup = -1;
114 options->kerberos_get_afs_token = -1;
115 options->gss_authentication=-1;
116 options->gss_cleanup_creds = -1;
117 options->gss_strict_acceptor = -1;
118 options->password_authentication = -1;
119 options->kbd_interactive_authentication = -1;
120 options->challenge_response_authentication = -1;
121 options->permit_empty_passwd = -1;
122 options->permit_user_env = -1;
123 options->compression = -1;
124 options->rekey_limit = -1;
125 options->rekey_interval = -1;
126 options->allow_tcp_forwarding = -1;
127 options->allow_streamlocal_forwarding = -1;
128 options->allow_agent_forwarding = -1;
129 options->num_allow_users = 0;
130 options->num_deny_users = 0;
131 options->num_allow_groups = 0;
132 options->num_deny_groups = 0;
133 options->ciphers = NULL;
134 options->macs = NULL;
135 options->kex_algorithms = NULL;
136 options->fwd_opts.gateway_ports = -1;
137 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
138 options->fwd_opts.streamlocal_bind_unlink = -1;
139 options->num_subsystems = 0;
140 options->max_startups_begin = -1;
141 options->max_startups_rate = -1;
142 options->max_startups = -1;
143 options->max_authtries = -1;
144 options->max_sessions = -1;
145 options->banner = NULL;
146 options->use_dns = -1;
147 options->client_alive_interval = -1;
148 options->client_alive_count_max = -1;
149 options->num_authkeys_files = 0;
150 options->num_accept_env = 0;
151 options->permit_tun = -1;
152 options->permitted_opens = NULL;
153 options->adm_forced_command = NULL;
154 options->chroot_directory = NULL;
155 options->authorized_keys_command = NULL;
156 options->authorized_keys_command_user = NULL;
157 options->revoked_keys_file = NULL;
158 options->trusted_user_ca_keys = NULL;
159 options->authorized_principals_file = NULL;
160 options->authorized_principals_command = NULL;
161 options->authorized_principals_command_user = NULL;
162 options->ip_qos_interactive = -1;
163 options->ip_qos_bulk = -1;
164 options->version_addendum = NULL;
165 options->fingerprint_hash = -1;
166 options->disable_forwarding = -1;
167 options->expose_userauth_info = -1;
170 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
172 option_clear_or_none(const char *o)
174 return o == NULL || strcasecmp(o, "none") == 0;
178 assemble_algorithms(ServerOptions *o)
180 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
181 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
182 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
183 kex_assemble_names(KEX_DEFAULT_PK_ALG,
184 &o->hostkeyalgorithms) != 0 ||
185 kex_assemble_names(KEX_DEFAULT_PK_ALG,
186 &o->hostbased_key_types) != 0 ||
187 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
188 fatal("kex_assemble_names failed");
192 fill_default_server_options(ServerOptions *options)
196 /* Portable-specific options */
197 if (options->use_pam == -1)
198 options->use_pam = 0;
200 /* Standard Options */
201 if (options->num_host_key_files == 0) {
202 /* fill default hostkeys for protocols */
203 options->host_key_files[options->num_host_key_files++] =
204 _PATH_HOST_RSA_KEY_FILE;
205 options->host_key_files[options->num_host_key_files++] =
206 _PATH_HOST_DSA_KEY_FILE;
207 #ifdef OPENSSL_HAS_ECC
208 options->host_key_files[options->num_host_key_files++] =
209 _PATH_HOST_ECDSA_KEY_FILE;
211 options->host_key_files[options->num_host_key_files++] =
212 _PATH_HOST_ED25519_KEY_FILE;
214 /* No certificates by default */
215 if (options->num_ports == 0)
216 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
217 if (options->address_family == -1)
218 options->address_family = AF_UNSPEC;
219 if (options->listen_addrs == NULL)
220 add_listen_addr(options, NULL, 0);
221 if (options->pid_file == NULL)
222 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
223 if (options->login_grace_time == -1)
224 options->login_grace_time = 120;
225 if (options->permit_root_login == PERMIT_NOT_SET)
226 options->permit_root_login = PERMIT_NO_PASSWD;
227 if (options->ignore_rhosts == -1)
228 options->ignore_rhosts = 1;
229 if (options->ignore_user_known_hosts == -1)
230 options->ignore_user_known_hosts = 0;
231 if (options->print_motd == -1)
232 options->print_motd = 1;
233 if (options->print_lastlog == -1)
234 options->print_lastlog = 1;
235 if (options->x11_forwarding == -1)
236 options->x11_forwarding = 0;
237 if (options->x11_display_offset == -1)
238 options->x11_display_offset = 10;
239 if (options->x11_use_localhost == -1)
240 options->x11_use_localhost = 1;
241 if (options->xauth_location == NULL)
242 options->xauth_location = xstrdup(_PATH_XAUTH);
243 if (options->permit_tty == -1)
244 options->permit_tty = 1;
245 if (options->permit_user_rc == -1)
246 options->permit_user_rc = 1;
247 if (options->strict_modes == -1)
248 options->strict_modes = 1;
249 if (options->tcp_keep_alive == -1)
250 options->tcp_keep_alive = 1;
251 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
252 options->log_facility = SYSLOG_FACILITY_AUTH;
253 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
254 options->log_level = SYSLOG_LEVEL_INFO;
255 if (options->hostbased_authentication == -1)
256 options->hostbased_authentication = 0;
257 if (options->hostbased_uses_name_from_packet_only == -1)
258 options->hostbased_uses_name_from_packet_only = 0;
259 if (options->pubkey_authentication == -1)
260 options->pubkey_authentication = 1;
261 if (options->kerberos_authentication == -1)
262 options->kerberos_authentication = 0;
263 if (options->kerberos_or_local_passwd == -1)
264 options->kerberos_or_local_passwd = 1;
265 if (options->kerberos_ticket_cleanup == -1)
266 options->kerberos_ticket_cleanup = 1;
267 if (options->kerberos_get_afs_token == -1)
268 options->kerberos_get_afs_token = 0;
269 if (options->gss_authentication == -1)
270 options->gss_authentication = 0;
271 if (options->gss_cleanup_creds == -1)
272 options->gss_cleanup_creds = 1;
273 if (options->gss_strict_acceptor == -1)
274 options->gss_strict_acceptor = 1;
275 if (options->password_authentication == -1)
276 options->password_authentication = 1;
277 if (options->kbd_interactive_authentication == -1)
278 options->kbd_interactive_authentication = 0;
279 if (options->challenge_response_authentication == -1)
280 options->challenge_response_authentication = 1;
281 if (options->permit_empty_passwd == -1)
282 options->permit_empty_passwd = 0;
283 if (options->permit_user_env == -1)
284 options->permit_user_env = 0;
285 if (options->compression == -1)
286 options->compression = COMP_DELAYED;
287 if (options->rekey_limit == -1)
288 options->rekey_limit = 0;
289 if (options->rekey_interval == -1)
290 options->rekey_interval = 0;
291 if (options->allow_tcp_forwarding == -1)
292 options->allow_tcp_forwarding = FORWARD_ALLOW;
293 if (options->allow_streamlocal_forwarding == -1)
294 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
295 if (options->allow_agent_forwarding == -1)
296 options->allow_agent_forwarding = 1;
297 if (options->fwd_opts.gateway_ports == -1)
298 options->fwd_opts.gateway_ports = 0;
299 if (options->max_startups == -1)
300 options->max_startups = 100;
301 if (options->max_startups_rate == -1)
302 options->max_startups_rate = 30; /* 30% */
303 if (options->max_startups_begin == -1)
304 options->max_startups_begin = 10;
305 if (options->max_authtries == -1)
306 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
307 if (options->max_sessions == -1)
308 options->max_sessions = DEFAULT_SESSIONS_MAX;
309 if (options->use_dns == -1)
310 options->use_dns = 0;
311 if (options->client_alive_interval == -1)
312 options->client_alive_interval = 0;
313 if (options->client_alive_count_max == -1)
314 options->client_alive_count_max = 3;
315 if (options->num_authkeys_files == 0) {
316 options->authorized_keys_files[options->num_authkeys_files++] =
317 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
318 options->authorized_keys_files[options->num_authkeys_files++] =
319 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
321 if (options->permit_tun == -1)
322 options->permit_tun = SSH_TUNMODE_NO;
323 if (options->ip_qos_interactive == -1)
324 options->ip_qos_interactive = IPTOS_LOWDELAY;
325 if (options->ip_qos_bulk == -1)
326 options->ip_qos_bulk = IPTOS_THROUGHPUT;
327 if (options->version_addendum == NULL)
328 options->version_addendum = xstrdup("");
329 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
330 options->fwd_opts.streamlocal_bind_mask = 0177;
331 if (options->fwd_opts.streamlocal_bind_unlink == -1)
332 options->fwd_opts.streamlocal_bind_unlink = 0;
333 if (options->fingerprint_hash == -1)
334 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
335 if (options->disable_forwarding == -1)
336 options->disable_forwarding = 0;
337 if (options->expose_userauth_info == -1)
338 options->expose_userauth_info = 0;
340 assemble_algorithms(options);
342 /* Turn privilege separation and sandboxing on by default */
343 if (use_privsep == -1)
344 use_privsep = PRIVSEP_ON;
346 #define CLEAR_ON_NONE(v) \
348 if (option_clear_or_none(v)) { \
353 CLEAR_ON_NONE(options->pid_file);
354 CLEAR_ON_NONE(options->xauth_location);
355 CLEAR_ON_NONE(options->banner);
356 CLEAR_ON_NONE(options->trusted_user_ca_keys);
357 CLEAR_ON_NONE(options->revoked_keys_file);
358 CLEAR_ON_NONE(options->authorized_principals_file);
359 CLEAR_ON_NONE(options->adm_forced_command);
360 CLEAR_ON_NONE(options->chroot_directory);
361 for (i = 0; i < options->num_host_key_files; i++)
362 CLEAR_ON_NONE(options->host_key_files[i]);
363 for (i = 0; i < options->num_host_cert_files; i++)
364 CLEAR_ON_NONE(options->host_cert_files[i]);
367 /* Similar handling for AuthenticationMethods=any */
368 if (options->num_auth_methods == 1 &&
369 strcmp(options->auth_methods[0], "any") == 0) {
370 free(options->auth_methods[0]);
371 options->auth_methods[0] = NULL;
372 options->num_auth_methods = 0;
376 if (use_privsep && options->compression == 1) {
377 error("This platform does not support both privilege "
378 "separation and compression");
379 error("Compression disabled");
380 options->compression = 0;
386 /* Keyword tokens. */
388 sBadOption, /* == unknown option */
389 /* Portable-specific options */
391 /* Standard Options */
392 sPort, sHostKeyFile, sLoginGraceTime,
393 sPermitRootLogin, sLogFacility, sLogLevel,
394 sRhostsRSAAuthentication, sRSAAuthentication,
395 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
396 sKerberosGetAFSToken,
397 sKerberosTgtPassing, sChallengeResponseAuthentication,
398 sPasswordAuthentication, sKbdInteractiveAuthentication,
399 sListenAddress, sAddressFamily,
400 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
401 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
402 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
403 sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
404 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
405 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
406 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
407 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
408 sBanner, sUseDNS, sHostbasedAuthentication,
409 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
411 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
412 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
413 sAcceptEnv, sPermitTunnel,
414 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
415 sUsePrivilegeSeparation, sAllowAgentForwarding,
417 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
418 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
419 sKexAlgorithms, sIPQoS, sVersionAddendum,
420 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
421 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
422 sStreamLocalBindMask, sStreamLocalBindUnlink,
423 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
425 sDeprecated, sIgnore, sUnsupported
428 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
429 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
430 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
432 /* Textual representation of the tokens. */
435 ServerOpCodes opcode;
438 /* Portable-specific options */
440 { "usepam", sUsePAM, SSHCFG_GLOBAL },
442 { "usepam", sUnsupported, SSHCFG_GLOBAL },
444 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
445 /* Standard Options */
446 { "port", sPort, SSHCFG_GLOBAL },
447 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
448 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
449 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
450 { "pidfile", sPidFile, SSHCFG_GLOBAL },
451 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
452 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
453 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
454 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
455 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
456 { "loglevel", sLogLevel, SSHCFG_ALL },
457 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
458 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
459 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
460 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
461 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
462 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
463 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
464 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
465 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
466 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
468 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
469 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
470 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
472 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
474 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
477 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
478 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
479 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
480 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
482 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
483 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
485 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
486 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
487 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
489 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
490 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
491 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
493 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
494 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
495 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
496 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
497 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
498 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
499 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
500 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
501 #ifdef DISABLE_LASTLOG
502 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
504 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
506 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
507 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
508 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
509 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
510 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
511 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
512 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
513 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
514 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
515 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
516 { "compression", sCompression, SSHCFG_GLOBAL },
517 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
518 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
519 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
520 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
521 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
522 { "allowusers", sAllowUsers, SSHCFG_ALL },
523 { "denyusers", sDenyUsers, SSHCFG_ALL },
524 { "allowgroups", sAllowGroups, SSHCFG_ALL },
525 { "denygroups", sDenyGroups, SSHCFG_ALL },
526 { "ciphers", sCiphers, SSHCFG_GLOBAL },
527 { "macs", sMacs, SSHCFG_GLOBAL },
528 { "protocol", sIgnore, SSHCFG_GLOBAL },
529 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
530 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
531 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
532 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
533 { "maxsessions", sMaxSessions, SSHCFG_ALL },
534 { "banner", sBanner, SSHCFG_ALL },
535 { "usedns", sUseDNS, SSHCFG_GLOBAL },
536 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
537 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
538 { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
539 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
540 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
541 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
542 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
543 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
544 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
545 { "permittty", sPermitTTY, SSHCFG_ALL },
546 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
547 { "match", sMatch, SSHCFG_ALL },
548 { "permitopen", sPermitOpen, SSHCFG_ALL },
549 { "forcecommand", sForceCommand, SSHCFG_ALL },
550 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
551 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
552 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
553 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
554 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
555 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
556 { "ipqos", sIPQoS, SSHCFG_ALL },
557 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
558 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
559 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
560 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
561 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
562 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
563 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
564 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
565 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
566 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
567 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
568 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
569 { NULL, sBadOption, 0 }
576 { SSH_TUNMODE_NO, "no" },
577 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
578 { SSH_TUNMODE_ETHERNET, "ethernet" },
579 { SSH_TUNMODE_YES, "yes" },
584 * Returns the number of the token pointed to by cp or sBadOption.
588 parse_token(const char *cp, const char *filename,
589 int linenum, u_int *flags)
593 for (i = 0; keywords[i].name; i++)
594 if (strcasecmp(cp, keywords[i].name) == 0) {
595 *flags = keywords[i].flags;
596 return keywords[i].opcode;
599 error("%s: line %d: Bad configuration option: %s",
600 filename, linenum, cp);
605 derelativise_path(const char *path)
607 char *expanded, *ret, cwd[PATH_MAX];
609 if (strcasecmp(path, "none") == 0)
610 return xstrdup("none");
611 expanded = tilde_expand_filename(path, getuid());
612 if (*expanded == '/')
614 if (getcwd(cwd, sizeof(cwd)) == NULL)
615 fatal("%s: getcwd: %s", __func__, strerror(errno));
616 xasprintf(&ret, "%s/%s", cwd, expanded);
622 add_listen_addr(ServerOptions *options, char *addr, int port)
627 for (i = 0; i < options->num_ports; i++)
628 add_one_listen_addr(options, addr, options->ports[i]);
630 add_one_listen_addr(options, addr, port);
634 add_one_listen_addr(ServerOptions *options, char *addr, int port)
636 struct addrinfo hints, *ai, *aitop;
637 char strport[NI_MAXSERV];
640 memset(&hints, 0, sizeof(hints));
641 hints.ai_family = options->address_family;
642 hints.ai_socktype = SOCK_STREAM;
643 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
644 snprintf(strport, sizeof strport, "%d", port);
645 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
646 fatal("bad addr or host: %s (%s)",
647 addr ? addr : "<NULL>",
648 ssh_gai_strerror(gaierr));
649 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
651 ai->ai_next = options->listen_addrs;
652 options->listen_addrs = aitop;
656 * Queue a ListenAddress to be processed once we have all of the Ports
657 * and AddressFamily options.
660 queue_listen_addr(ServerOptions *options, char *addr, int port)
662 options->queued_listen_addrs = xreallocarray(
663 options->queued_listen_addrs, options->num_queued_listens + 1,
665 options->queued_listen_ports = xreallocarray(
666 options->queued_listen_ports, options->num_queued_listens + 1,
668 options->queued_listen_addrs[options->num_queued_listens] =
670 options->queued_listen_ports[options->num_queued_listens] = port;
671 options->num_queued_listens++;
675 * Process queued (text) ListenAddress entries.
678 process_queued_listen_addrs(ServerOptions *options)
682 if (options->num_ports == 0)
683 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
684 if (options->address_family == -1)
685 options->address_family = AF_UNSPEC;
687 for (i = 0; i < options->num_queued_listens; i++) {
688 add_listen_addr(options, options->queued_listen_addrs[i],
689 options->queued_listen_ports[i]);
690 free(options->queued_listen_addrs[i]);
691 options->queued_listen_addrs[i] = NULL;
693 free(options->queued_listen_addrs);
694 options->queued_listen_addrs = NULL;
695 free(options->queued_listen_ports);
696 options->queued_listen_ports = NULL;
697 options->num_queued_listens = 0;
701 * Inform channels layer of permitopen options from configuration.
704 process_permitopen(struct ssh *ssh, ServerOptions *options)
708 char *host, *arg, *oarg;
710 channel_clear_adm_permitted_opens(ssh);
711 if (options->num_permitted_opens == 0)
712 return; /* permit any */
714 /* handle keywords: "any" / "none" */
715 if (options->num_permitted_opens == 1 &&
716 strcmp(options->permitted_opens[0], "any") == 0)
718 if (options->num_permitted_opens == 1 &&
719 strcmp(options->permitted_opens[0], "none") == 0) {
720 channel_disable_adm_local_opens(ssh);
723 /* Otherwise treat it as a list of permitted host:port */
724 for (i = 0; i < options->num_permitted_opens; i++) {
725 oarg = arg = xstrdup(options->permitted_opens[i]);
726 host = hpdelim(&arg);
728 fatal("%s: missing host in PermitOpen", __func__);
729 host = cleanhostname(host);
730 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
731 fatal("%s: bad port number in PermitOpen", __func__);
732 /* Send it to channels layer */
733 channel_add_adm_permitted_opens(ssh, host, port);
738 struct connection_info *
739 get_connection_info(int populate, int use_dns)
741 struct ssh *ssh = active_state; /* XXX */
742 static struct connection_info ci;
746 ci.host = auth_get_canonical_hostname(ssh, use_dns);
747 ci.address = ssh_remote_ipaddr(ssh);
748 ci.laddress = ssh_local_ipaddr(ssh);
749 ci.lport = ssh_local_port(ssh);
754 * The strategy for the Match blocks is that the config file is parsed twice.
756 * The first time is at startup. activep is initialized to 1 and the
757 * directives in the global context are processed and acted on. Hitting a
758 * Match directive unsets activep and the directives inside the block are
759 * checked for syntax only.
761 * The second time is after a connection has been established but before
762 * authentication. activep is initialized to 2 and global config directives
763 * are ignored since they have already been processed. If the criteria in a
764 * Match block is met, activep is set and the subsequent directives
765 * processed and actioned until EOF or another Match block unsets it. Any
766 * options set are copied into the main server config.
768 * Potential additions/improvements:
769 * - Add Match support for pre-kex directives, eg. Ciphers.
771 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
772 * Match Address 192.168.0.*
777 * AllowTcpForwarding yes
778 * GatewayPorts clientspecified
781 * - Add a PermittedChannelRequests directive
783 * PermittedChannelRequests session,forwarded-tcpip
787 match_cfg_line_group(const char *grps, int line, const char *user)
795 if ((pw = getpwnam(user)) == NULL) {
796 debug("Can't match group at line %d because user %.100s does "
797 "not exist", line, user);
798 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
799 debug("Can't Match group because user %.100s not in any group "
800 "at line %d", user, line);
801 } else if (ga_match_pattern_list(grps) != 1) {
802 debug("user %.100s does not match group list %.100s at line %d",
805 debug("user %.100s matched group list %.100s at line %d", user,
815 * All of the attributes on a single Match line are ANDed together, so we need
816 * to check every attribute and set the result to zero if any attribute does
820 match_cfg_line(char **condition, int line, struct connection_info *ci)
822 int result = 1, attributes = 0, port;
823 char *arg, *attrib, *cp = *condition;
826 debug3("checking syntax for 'Match %s'", cp);
828 debug3("checking match for '%s' user %s host %s addr %s "
829 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
830 ci->host ? ci->host : "(null)",
831 ci->address ? ci->address : "(null)",
832 ci->laddress ? ci->laddress : "(null)", ci->lport);
834 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
836 if (strcasecmp(attrib, "all") == 0) {
837 if (attributes != 1 ||
838 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
839 error("'all' cannot be combined with other "
846 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
847 error("Missing Match criteria for %s", attrib);
850 if (strcasecmp(attrib, "user") == 0) {
851 if (ci == NULL || ci->user == NULL) {
855 if (match_pattern_list(ci->user, arg, 0) != 1)
858 debug("user %.100s matched 'User %.100s' at "
859 "line %d", ci->user, arg, line);
860 } else if (strcasecmp(attrib, "group") == 0) {
861 if (ci == NULL || ci->user == NULL) {
865 switch (match_cfg_line_group(arg, line, ci->user)) {
871 } else if (strcasecmp(attrib, "host") == 0) {
872 if (ci == NULL || ci->host == NULL) {
876 if (match_hostname(ci->host, arg) != 1)
879 debug("connection from %.100s matched 'Host "
880 "%.100s' at line %d", ci->host, arg, line);
881 } else if (strcasecmp(attrib, "address") == 0) {
882 if (ci == NULL || ci->address == NULL) {
886 switch (addr_match_list(ci->address, arg)) {
888 debug("connection from %.100s matched 'Address "
889 "%.100s' at line %d", ci->address, arg, line);
898 } else if (strcasecmp(attrib, "localaddress") == 0){
899 if (ci == NULL || ci->laddress == NULL) {
903 switch (addr_match_list(ci->laddress, arg)) {
905 debug("connection from %.100s matched "
906 "'LocalAddress %.100s' at line %d",
907 ci->laddress, arg, line);
916 } else if (strcasecmp(attrib, "localport") == 0) {
917 if ((port = a2port(arg)) == -1) {
918 error("Invalid LocalPort '%s' on Match line",
922 if (ci == NULL || ci->lport == 0) {
926 /* TODO support port lists */
927 if (port == ci->lport)
928 debug("connection from %.100s matched "
929 "'LocalPort %d' at line %d",
930 ci->laddress, port, line);
934 error("Unsupported Match attribute %s", attrib);
938 if (attributes == 0) {
939 error("One or more attributes required for Match");
943 debug3("match %sfound", result ? "" : "not ");
948 #define WHITESPACE " \t\r\n"
950 /* Multistate option parsing */
955 static const struct multistate multistate_addressfamily[] = {
957 { "inet6", AF_INET6 },
958 { "any", AF_UNSPEC },
961 static const struct multistate multistate_permitrootlogin[] = {
962 { "without-password", PERMIT_NO_PASSWD },
963 { "prohibit-password", PERMIT_NO_PASSWD },
964 { "forced-commands-only", PERMIT_FORCED_ONLY },
965 { "yes", PERMIT_YES },
969 static const struct multistate multistate_compression[] = {
970 { "yes", COMP_DELAYED },
971 { "delayed", COMP_DELAYED },
975 static const struct multistate multistate_gatewayports[] = {
976 { "clientspecified", 2 },
981 static const struct multistate multistate_tcpfwd[] = {
982 { "yes", FORWARD_ALLOW },
983 { "all", FORWARD_ALLOW },
984 { "no", FORWARD_DENY },
985 { "remote", FORWARD_REMOTE },
986 { "local", FORWARD_LOCAL },
991 process_server_config_line(ServerOptions *options, char *line,
992 const char *filename, int linenum, int *activep,
993 struct connection_info *connectinfo)
995 char *cp, **charptr, *arg, *arg2, *p;
996 int cmdline = 0, *intptr, value, value2, n, port;
997 SyslogFacility *log_facility_ptr;
998 LogLevel *log_level_ptr;
999 ServerOpCodes opcode;
1003 const struct multistate *multistate_ptr;
1005 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1006 if ((len = strlen(line)) == 0)
1008 for (len--; len > 0; len--) {
1009 if (strchr(WHITESPACE "\f", line[len]) == NULL)
1015 if ((arg = strdelim(&cp)) == NULL)
1017 /* Ignore leading whitespace */
1019 arg = strdelim(&cp);
1020 if (!arg || !*arg || *arg == '#')
1024 opcode = parse_token(arg, filename, linenum, &flags);
1026 if (activep == NULL) { /* We are processing a command line directive */
1030 if (*activep && opcode != sMatch)
1031 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1032 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1033 if (connectinfo == NULL) {
1034 fatal("%s line %d: Directive '%s' is not allowed "
1035 "within a Match block", filename, linenum, arg);
1036 } else { /* this is a directive we have already processed */
1038 arg = strdelim(&cp);
1044 /* Portable-specific options */
1046 intptr = &options->use_pam;
1049 /* Standard Options */
1053 /* ignore ports from configfile if cmdline specifies ports */
1054 if (options->ports_from_cmdline)
1056 if (options->num_ports >= MAX_PORTS)
1057 fatal("%s line %d: too many ports.",
1059 arg = strdelim(&cp);
1060 if (!arg || *arg == '\0')
1061 fatal("%s line %d: missing port number.",
1063 options->ports[options->num_ports++] = a2port(arg);
1064 if (options->ports[options->num_ports-1] <= 0)
1065 fatal("%s line %d: Badly formatted port number.",
1069 case sLoginGraceTime:
1070 intptr = &options->login_grace_time;
1072 arg = strdelim(&cp);
1073 if (!arg || *arg == '\0')
1074 fatal("%s line %d: missing time value.",
1076 if ((value = convtime(arg)) == -1)
1077 fatal("%s line %d: invalid time value.",
1079 if (*activep && *intptr == -1)
1083 case sListenAddress:
1084 arg = strdelim(&cp);
1085 if (arg == NULL || *arg == '\0')
1086 fatal("%s line %d: missing address",
1088 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1089 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1090 && strchr(p+1, ':') != NULL) {
1091 queue_listen_addr(options, arg, 0);
1096 fatal("%s line %d: bad address:port usage",
1098 p = cleanhostname(p);
1101 else if ((port = a2port(arg)) <= 0)
1102 fatal("%s line %d: bad port number", filename, linenum);
1104 queue_listen_addr(options, p, port);
1108 case sAddressFamily:
1109 intptr = &options->address_family;
1110 multistate_ptr = multistate_addressfamily;
1112 arg = strdelim(&cp);
1113 if (!arg || *arg == '\0')
1114 fatal("%s line %d: missing argument.",
1117 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1118 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1119 value = multistate_ptr[i].value;
1124 fatal("%s line %d: unsupported option \"%s\".",
1125 filename, linenum, arg);
1126 if (*activep && *intptr == -1)
1131 intptr = &options->num_host_key_files;
1132 if (*intptr >= MAX_HOSTKEYS)
1133 fatal("%s line %d: too many host keys specified (max %d).",
1134 filename, linenum, MAX_HOSTKEYS);
1135 charptr = &options->host_key_files[*intptr];
1137 arg = strdelim(&cp);
1138 if (!arg || *arg == '\0')
1139 fatal("%s line %d: missing file name.",
1141 if (*activep && *charptr == NULL) {
1142 *charptr = derelativise_path(arg);
1143 /* increase optional counter */
1145 *intptr = *intptr + 1;
1150 charptr = &options->host_key_agent;
1151 arg = strdelim(&cp);
1152 if (!arg || *arg == '\0')
1153 fatal("%s line %d: missing socket name.",
1155 if (*activep && *charptr == NULL)
1156 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1157 xstrdup(arg) : derelativise_path(arg);
1160 case sHostCertificate:
1161 intptr = &options->num_host_cert_files;
1162 if (*intptr >= MAX_HOSTKEYS)
1163 fatal("%s line %d: too many host certificates "
1164 "specified (max %d).", filename, linenum,
1166 charptr = &options->host_cert_files[*intptr];
1167 goto parse_filename;
1170 charptr = &options->pid_file;
1171 goto parse_filename;
1173 case sPermitRootLogin:
1174 intptr = &options->permit_root_login;
1175 multistate_ptr = multistate_permitrootlogin;
1176 goto parse_multistate;
1179 intptr = &options->ignore_rhosts;
1181 arg = strdelim(&cp);
1182 if (!arg || *arg == '\0')
1183 fatal("%s line %d: missing yes/no argument.",
1185 value = 0; /* silence compiler */
1186 if (strcmp(arg, "yes") == 0)
1188 else if (strcmp(arg, "no") == 0)
1191 fatal("%s line %d: Bad yes/no argument: %s",
1192 filename, linenum, arg);
1193 if (*activep && *intptr == -1)
1197 case sIgnoreUserKnownHosts:
1198 intptr = &options->ignore_user_known_hosts;
1201 case sHostbasedAuthentication:
1202 intptr = &options->hostbased_authentication;
1205 case sHostbasedUsesNameFromPacketOnly:
1206 intptr = &options->hostbased_uses_name_from_packet_only;
1209 case sHostbasedAcceptedKeyTypes:
1210 charptr = &options->hostbased_key_types;
1212 arg = strdelim(&cp);
1213 if (!arg || *arg == '\0')
1214 fatal("%s line %d: Missing argument.",
1217 !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1218 fatal("%s line %d: Bad key types '%s'.",
1219 filename, linenum, arg ? arg : "<NONE>");
1220 if (*activep && *charptr == NULL)
1221 *charptr = xstrdup(arg);
1224 case sHostKeyAlgorithms:
1225 charptr = &options->hostkeyalgorithms;
1226 goto parse_keytypes;
1228 case sPubkeyAuthentication:
1229 intptr = &options->pubkey_authentication;
1232 case sPubkeyAcceptedKeyTypes:
1233 charptr = &options->pubkey_key_types;
1234 goto parse_keytypes;
1236 case sKerberosAuthentication:
1237 intptr = &options->kerberos_authentication;
1240 case sKerberosOrLocalPasswd:
1241 intptr = &options->kerberos_or_local_passwd;
1244 case sKerberosTicketCleanup:
1245 intptr = &options->kerberos_ticket_cleanup;
1248 case sKerberosGetAFSToken:
1249 intptr = &options->kerberos_get_afs_token;
1252 case sGssAuthentication:
1253 intptr = &options->gss_authentication;
1256 case sGssCleanupCreds:
1257 intptr = &options->gss_cleanup_creds;
1260 case sGssStrictAcceptor:
1261 intptr = &options->gss_strict_acceptor;
1264 case sPasswordAuthentication:
1265 intptr = &options->password_authentication;
1268 case sKbdInteractiveAuthentication:
1269 intptr = &options->kbd_interactive_authentication;
1272 case sChallengeResponseAuthentication:
1273 intptr = &options->challenge_response_authentication;
1277 intptr = &options->print_motd;
1281 intptr = &options->print_lastlog;
1284 case sX11Forwarding:
1285 intptr = &options->x11_forwarding;
1288 case sX11DisplayOffset:
1289 intptr = &options->x11_display_offset;
1291 arg = strdelim(&cp);
1292 if (!arg || *arg == '\0')
1293 fatal("%s line %d: missing integer value.",
1296 if (*activep && *intptr == -1)
1300 case sX11UseLocalhost:
1301 intptr = &options->x11_use_localhost;
1304 case sXAuthLocation:
1305 charptr = &options->xauth_location;
1306 goto parse_filename;
1309 intptr = &options->permit_tty;
1313 intptr = &options->permit_user_rc;
1317 intptr = &options->strict_modes;
1321 intptr = &options->tcp_keep_alive;
1325 intptr = &options->permit_empty_passwd;
1328 case sPermitUserEnvironment:
1329 intptr = &options->permit_user_env;
1333 intptr = &options->compression;
1334 multistate_ptr = multistate_compression;
1335 goto parse_multistate;
1338 arg = strdelim(&cp);
1339 if (!arg || *arg == '\0')
1340 fatal("%.200s line %d: Missing argument.", filename,
1342 if (strcmp(arg, "default") == 0) {
1345 if (scan_scaled(arg, &val64) == -1)
1346 fatal("%.200s line %d: Bad number '%s': %s",
1347 filename, linenum, arg, strerror(errno));
1348 if (val64 != 0 && val64 < 16)
1349 fatal("%.200s line %d: RekeyLimit too small",
1352 if (*activep && options->rekey_limit == -1)
1353 options->rekey_limit = val64;
1354 if (cp != NULL) { /* optional rekey interval present */
1355 if (strcmp(cp, "none") == 0) {
1356 (void)strdelim(&cp); /* discard */
1359 intptr = &options->rekey_interval;
1365 intptr = &options->fwd_opts.gateway_ports;
1366 multistate_ptr = multistate_gatewayports;
1367 goto parse_multistate;
1370 intptr = &options->use_dns;
1374 log_facility_ptr = &options->log_facility;
1375 arg = strdelim(&cp);
1376 value = log_facility_number(arg);
1377 if (value == SYSLOG_FACILITY_NOT_SET)
1378 fatal("%.200s line %d: unsupported log facility '%s'",
1379 filename, linenum, arg ? arg : "<NONE>");
1380 if (*log_facility_ptr == -1)
1381 *log_facility_ptr = (SyslogFacility) value;
1385 log_level_ptr = &options->log_level;
1386 arg = strdelim(&cp);
1387 value = log_level_number(arg);
1388 if (value == SYSLOG_LEVEL_NOT_SET)
1389 fatal("%.200s line %d: unsupported log level '%s'",
1390 filename, linenum, arg ? arg : "<NONE>");
1391 if (*activep && *log_level_ptr == -1)
1392 *log_level_ptr = (LogLevel) value;
1395 case sAllowTcpForwarding:
1396 intptr = &options->allow_tcp_forwarding;
1397 multistate_ptr = multistate_tcpfwd;
1398 goto parse_multistate;
1400 case sAllowStreamLocalForwarding:
1401 intptr = &options->allow_streamlocal_forwarding;
1402 multistate_ptr = multistate_tcpfwd;
1403 goto parse_multistate;
1405 case sAllowAgentForwarding:
1406 intptr = &options->allow_agent_forwarding;
1409 case sDisableForwarding:
1410 intptr = &options->disable_forwarding;
1414 while ((arg = strdelim(&cp)) && *arg != '\0') {
1415 if (options->num_allow_users >= MAX_ALLOW_USERS)
1416 fatal("%s line %d: too many allow users.",
1418 if (match_user(NULL, NULL, NULL, arg) == -1)
1419 fatal("%s line %d: invalid AllowUsers pattern: "
1420 "\"%.100s\"", filename, linenum, arg);
1423 options->allow_users[options->num_allow_users++] =
1429 while ((arg = strdelim(&cp)) && *arg != '\0') {
1430 if (options->num_deny_users >= MAX_DENY_USERS)
1431 fatal("%s line %d: too many deny users.",
1433 if (match_user(NULL, NULL, NULL, arg) == -1)
1434 fatal("%s line %d: invalid DenyUsers pattern: "
1435 "\"%.100s\"", filename, linenum, arg);
1438 options->deny_users[options->num_deny_users++] =
1444 while ((arg = strdelim(&cp)) && *arg != '\0') {
1445 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1446 fatal("%s line %d: too many allow groups.",
1450 options->allow_groups[options->num_allow_groups++] =
1456 while ((arg = strdelim(&cp)) && *arg != '\0') {
1457 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1458 fatal("%s line %d: too many deny groups.",
1462 options->deny_groups[options->num_deny_groups++] =
1468 arg = strdelim(&cp);
1469 if (!arg || *arg == '\0')
1470 fatal("%s line %d: Missing argument.", filename, linenum);
1471 if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
1472 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1473 filename, linenum, arg ? arg : "<NONE>");
1474 if (options->ciphers == NULL)
1475 options->ciphers = xstrdup(arg);
1479 arg = strdelim(&cp);
1480 if (!arg || *arg == '\0')
1481 fatal("%s line %d: Missing argument.", filename, linenum);
1482 if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
1483 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1484 filename, linenum, arg ? arg : "<NONE>");
1485 if (options->macs == NULL)
1486 options->macs = xstrdup(arg);
1489 case sKexAlgorithms:
1490 arg = strdelim(&cp);
1491 if (!arg || *arg == '\0')
1492 fatal("%s line %d: Missing argument.",
1495 !kex_names_valid(*arg == '+' ? arg + 1 : arg))
1496 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1497 filename, linenum, arg ? arg : "<NONE>");
1498 if (options->kex_algorithms == NULL)
1499 options->kex_algorithms = xstrdup(arg);
1503 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1504 fatal("%s line %d: too many subsystems defined.",
1507 arg = strdelim(&cp);
1508 if (!arg || *arg == '\0')
1509 fatal("%s line %d: Missing subsystem name.",
1512 arg = strdelim(&cp);
1515 for (i = 0; i < options->num_subsystems; i++)
1516 if (strcmp(arg, options->subsystem_name[i]) == 0)
1517 fatal("%s line %d: Subsystem '%s' already defined.",
1518 filename, linenum, arg);
1519 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1520 arg = strdelim(&cp);
1521 if (!arg || *arg == '\0')
1522 fatal("%s line %d: Missing subsystem command.",
1524 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1526 /* Collect arguments (separate to executable) */
1528 len = strlen(p) + 1;
1529 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1530 len += 1 + strlen(arg);
1531 p = xreallocarray(p, 1, len);
1532 strlcat(p, " ", len);
1533 strlcat(p, arg, len);
1535 options->subsystem_args[options->num_subsystems] = p;
1536 options->num_subsystems++;
1540 arg = strdelim(&cp);
1541 if (!arg || *arg == '\0')
1542 fatal("%s line %d: Missing MaxStartups spec.",
1544 if ((n = sscanf(arg, "%d:%d:%d",
1545 &options->max_startups_begin,
1546 &options->max_startups_rate,
1547 &options->max_startups)) == 3) {
1548 if (options->max_startups_begin >
1549 options->max_startups ||
1550 options->max_startups_rate > 100 ||
1551 options->max_startups_rate < 1)
1552 fatal("%s line %d: Illegal MaxStartups spec.",
1555 fatal("%s line %d: Illegal MaxStartups spec.",
1558 options->max_startups = options->max_startups_begin;
1562 intptr = &options->max_authtries;
1566 intptr = &options->max_sessions;
1570 charptr = &options->banner;
1571 goto parse_filename;
1574 * These options can contain %X options expanded at
1575 * connect time, so that you can specify paths like:
1577 * AuthorizedKeysFile /etc/ssh_keys/%u
1579 case sAuthorizedKeysFile:
1580 if (*activep && options->num_authkeys_files == 0) {
1581 while ((arg = strdelim(&cp)) && *arg != '\0') {
1582 if (options->num_authkeys_files >=
1584 fatal("%s line %d: "
1585 "too many authorized keys files.",
1587 options->authorized_keys_files[
1588 options->num_authkeys_files++] =
1589 tilde_expand_filename(arg, getuid());
1594 case sAuthorizedPrincipalsFile:
1595 charptr = &options->authorized_principals_file;
1596 arg = strdelim(&cp);
1597 if (!arg || *arg == '\0')
1598 fatal("%s line %d: missing file name.",
1600 if (*activep && *charptr == NULL) {
1601 *charptr = tilde_expand_filename(arg, getuid());
1602 /* increase optional counter */
1604 *intptr = *intptr + 1;
1608 case sClientAliveInterval:
1609 intptr = &options->client_alive_interval;
1612 case sClientAliveCountMax:
1613 intptr = &options->client_alive_count_max;
1617 while ((arg = strdelim(&cp)) && *arg != '\0') {
1618 if (strchr(arg, '=') != NULL)
1619 fatal("%s line %d: Invalid environment name.",
1621 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1622 fatal("%s line %d: too many allow env.",
1626 options->accept_env[options->num_accept_env++] =
1632 intptr = &options->permit_tun;
1633 arg = strdelim(&cp);
1634 if (!arg || *arg == '\0')
1635 fatal("%s line %d: Missing yes/point-to-point/"
1636 "ethernet/no argument.", filename, linenum);
1638 for (i = 0; tunmode_desc[i].val != -1; i++)
1639 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1640 value = tunmode_desc[i].val;
1644 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1645 "no argument: %s", filename, linenum, arg);
1646 if (*activep && *intptr == -1)
1652 fatal("Match directive not supported as a command-line "
1654 value = match_cfg_line(&cp, linenum, connectinfo);
1656 fatal("%s line %d: Bad Match condition", filename,
1662 arg = strdelim(&cp);
1663 if (!arg || *arg == '\0')
1664 fatal("%s line %d: missing PermitOpen specification",
1666 value = options->num_permitted_opens; /* modified later */
1667 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
1668 if (*activep && value == 0) {
1669 options->num_permitted_opens = 1;
1670 options->permitted_opens = xcalloc(1,
1671 sizeof(*options->permitted_opens));
1672 options->permitted_opens[0] = xstrdup(arg);
1676 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1677 arg2 = xstrdup(arg);
1680 fatal("%s line %d: missing host in PermitOpen",
1682 p = cleanhostname(p);
1683 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1684 fatal("%s line %d: bad port number in "
1685 "PermitOpen", filename, linenum);
1686 if (*activep && value == 0) {
1687 options->permitted_opens = xrecallocarray(
1688 options->permitted_opens,
1689 options->num_permitted_opens,
1690 options->num_permitted_opens + 1,
1691 sizeof(*options->permitted_opens));
1692 i = options->num_permitted_opens++;
1693 options->permitted_opens[i] = arg2;
1700 if (cp == NULL || *cp == '\0')
1701 fatal("%.200s line %d: Missing argument.", filename,
1703 len = strspn(cp, WHITESPACE);
1704 if (*activep && options->adm_forced_command == NULL)
1705 options->adm_forced_command = xstrdup(cp + len);
1708 case sChrootDirectory:
1709 charptr = &options->chroot_directory;
1711 arg = strdelim(&cp);
1712 if (!arg || *arg == '\0')
1713 fatal("%s line %d: missing file name.",
1715 if (*activep && *charptr == NULL)
1716 *charptr = xstrdup(arg);
1719 case sTrustedUserCAKeys:
1720 charptr = &options->trusted_user_ca_keys;
1721 goto parse_filename;
1724 charptr = &options->revoked_keys_file;
1725 goto parse_filename;
1728 arg = strdelim(&cp);
1729 if ((value = parse_ipqos(arg)) == -1)
1730 fatal("%s line %d: Bad IPQoS value: %s",
1731 filename, linenum, arg);
1732 arg = strdelim(&cp);
1735 else if ((value2 = parse_ipqos(arg)) == -1)
1736 fatal("%s line %d: Bad IPQoS value: %s",
1737 filename, linenum, arg);
1739 options->ip_qos_interactive = value;
1740 options->ip_qos_bulk = value2;
1744 case sVersionAddendum:
1745 if (cp == NULL || *cp == '\0')
1746 fatal("%.200s line %d: Missing argument.", filename,
1748 len = strspn(cp, WHITESPACE);
1749 if (*activep && options->version_addendum == NULL) {
1750 if (strcasecmp(cp + len, "none") == 0)
1751 options->version_addendum = xstrdup("");
1752 else if (strchr(cp + len, '\r') != NULL)
1753 fatal("%.200s line %d: Invalid argument",
1756 options->version_addendum = xstrdup(cp + len);
1760 case sAuthorizedKeysCommand:
1762 fatal("%.200s line %d: Missing argument.", filename,
1764 len = strspn(cp, WHITESPACE);
1765 if (*activep && options->authorized_keys_command == NULL) {
1766 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1767 fatal("%.200s line %d: AuthorizedKeysCommand "
1768 "must be an absolute path",
1770 options->authorized_keys_command = xstrdup(cp + len);
1774 case sAuthorizedKeysCommandUser:
1775 charptr = &options->authorized_keys_command_user;
1777 arg = strdelim(&cp);
1778 if (!arg || *arg == '\0')
1779 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1780 "argument.", filename, linenum);
1781 if (*activep && *charptr == NULL)
1782 *charptr = xstrdup(arg);
1785 case sAuthorizedPrincipalsCommand:
1787 fatal("%.200s line %d: Missing argument.", filename,
1789 len = strspn(cp, WHITESPACE);
1791 options->authorized_principals_command == NULL) {
1792 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1793 fatal("%.200s line %d: "
1794 "AuthorizedPrincipalsCommand must be "
1795 "an absolute path", filename, linenum);
1796 options->authorized_principals_command =
1801 case sAuthorizedPrincipalsCommandUser:
1802 charptr = &options->authorized_principals_command_user;
1804 arg = strdelim(&cp);
1805 if (!arg || *arg == '\0')
1806 fatal("%s line %d: missing "
1807 "AuthorizedPrincipalsCommandUser argument.",
1809 if (*activep && *charptr == NULL)
1810 *charptr = xstrdup(arg);
1813 case sAuthenticationMethods:
1814 if (options->num_auth_methods == 0) {
1815 value = 0; /* seen "any" pseudo-method */
1816 value2 = 0; /* sucessfully parsed any method */
1817 while ((arg = strdelim(&cp)) && *arg != '\0') {
1818 if (options->num_auth_methods >=
1820 fatal("%s line %d: "
1821 "too many authentication methods.",
1823 if (strcmp(arg, "any") == 0) {
1824 if (options->num_auth_methods > 0) {
1825 fatal("%s line %d: \"any\" "
1826 "must appear alone in "
1827 "AuthenticationMethods",
1832 fatal("%s line %d: \"any\" must appear "
1833 "alone in AuthenticationMethods",
1835 } else if (auth2_methods_valid(arg, 0) != 0) {
1836 fatal("%s line %d: invalid "
1837 "authentication method list.",
1843 options->auth_methods[
1844 options->num_auth_methods++] = xstrdup(arg);
1847 fatal("%s line %d: no AuthenticationMethods "
1848 "specified", filename, linenum);
1853 case sStreamLocalBindMask:
1854 arg = strdelim(&cp);
1855 if (!arg || *arg == '\0')
1856 fatal("%s line %d: missing StreamLocalBindMask "
1857 "argument.", filename, linenum);
1858 /* Parse mode in octal format */
1859 value = strtol(arg, &p, 8);
1860 if (arg == p || value < 0 || value > 0777)
1861 fatal("%s line %d: Bad mask.", filename, linenum);
1863 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1866 case sStreamLocalBindUnlink:
1867 intptr = &options->fwd_opts.streamlocal_bind_unlink;
1870 case sFingerprintHash:
1871 arg = strdelim(&cp);
1872 if (!arg || *arg == '\0')
1873 fatal("%.200s line %d: Missing argument.",
1875 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1876 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1877 filename, linenum, arg);
1879 options->fingerprint_hash = value;
1882 case sExposeAuthInfo:
1883 intptr = &options->expose_userauth_info;
1889 do_log2(opcode == sIgnore ?
1890 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
1891 "%s line %d: %s option %s", filename, linenum,
1892 opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
1894 arg = strdelim(&cp);
1898 fatal("%s line %d: Missing handler for opcode %s (%d)",
1899 filename, linenum, arg, opcode);
1901 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1902 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1903 filename, linenum, arg);
1907 /* Reads the server configuration file. */
1910 load_server_config(const char *filename, Buffer *conf)
1912 char line[4096], *cp;
1916 debug2("%s: filename %s", __func__, filename);
1917 if ((f = fopen(filename, "r")) == NULL) {
1922 while (fgets(line, sizeof(line), f)) {
1924 if (strlen(line) == sizeof(line) - 1)
1925 fatal("%s line %d too long", filename, lineno);
1927 * Trim out comments and strip whitespace
1928 * NB - preserve newlines, they are needed to reproduce
1929 * line numbers later for error messages
1931 if ((cp = strchr(line, '#')) != NULL)
1932 memcpy(cp, "\n", 2);
1933 cp = line + strspn(line, " \t\r");
1935 buffer_append(conf, cp, strlen(cp));
1937 buffer_append(conf, "\0", 1);
1939 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1943 parse_server_match_config(ServerOptions *options,
1944 struct connection_info *connectinfo)
1948 initialize_server_options(&mo);
1949 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1950 copy_set_server_options(options, &mo, 0);
1953 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1957 while ((p = strsep(&spec, ",")) && *p != '\0') {
1958 if (strncmp(p, "addr=", 5) == 0) {
1959 ci->address = xstrdup(p + 5);
1960 } else if (strncmp(p, "host=", 5) == 0) {
1961 ci->host = xstrdup(p + 5);
1962 } else if (strncmp(p, "user=", 5) == 0) {
1963 ci->user = xstrdup(p + 5);
1964 } else if (strncmp(p, "laddr=", 6) == 0) {
1965 ci->laddress = xstrdup(p + 6);
1966 } else if (strncmp(p, "lport=", 6) == 0) {
1967 ci->lport = a2port(p + 6);
1968 if (ci->lport == -1) {
1969 fprintf(stderr, "Invalid port '%s' in test mode"
1970 " specification %s\n", p+6, p);
1974 fprintf(stderr, "Invalid test mode specification %s\n",
1983 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1986 int server_match_spec_complete(struct connection_info *ci)
1988 if (ci->user && ci->host && ci->address)
1989 return 1; /* complete */
1990 if (!ci->user && !ci->host && !ci->address)
1991 return -1; /* empty */
1992 return 0; /* partial */
1996 * Copy any supported values that are set.
1998 * If the preauth flag is set, we do not bother copying the string or
1999 * array values that are not used pre-authentication, because any that we
2000 * do use must be explictly sent in mm_getpwnamallow().
2003 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2005 #define M_CP_INTOPT(n) do {\
2010 M_CP_INTOPT(password_authentication);
2011 M_CP_INTOPT(gss_authentication);
2012 M_CP_INTOPT(pubkey_authentication);
2013 M_CP_INTOPT(kerberos_authentication);
2014 M_CP_INTOPT(hostbased_authentication);
2015 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2016 M_CP_INTOPT(kbd_interactive_authentication);
2017 M_CP_INTOPT(permit_root_login);
2018 M_CP_INTOPT(permit_empty_passwd);
2020 M_CP_INTOPT(allow_tcp_forwarding);
2021 M_CP_INTOPT(allow_streamlocal_forwarding);
2022 M_CP_INTOPT(allow_agent_forwarding);
2023 M_CP_INTOPT(disable_forwarding);
2024 M_CP_INTOPT(expose_userauth_info);
2025 M_CP_INTOPT(permit_tun);
2026 M_CP_INTOPT(fwd_opts.gateway_ports);
2027 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2028 M_CP_INTOPT(x11_display_offset);
2029 M_CP_INTOPT(x11_forwarding);
2030 M_CP_INTOPT(x11_use_localhost);
2031 M_CP_INTOPT(permit_tty);
2032 M_CP_INTOPT(permit_user_rc);
2033 M_CP_INTOPT(max_sessions);
2034 M_CP_INTOPT(max_authtries);
2035 M_CP_INTOPT(client_alive_count_max);
2036 M_CP_INTOPT(client_alive_interval);
2037 M_CP_INTOPT(ip_qos_interactive);
2038 M_CP_INTOPT(ip_qos_bulk);
2039 M_CP_INTOPT(rekey_limit);
2040 M_CP_INTOPT(rekey_interval);
2041 M_CP_INTOPT(log_level);
2044 * The bind_mask is a mode_t that may be unsigned, so we can't use
2045 * M_CP_INTOPT - it does a signed comparison that causes compiler
2048 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2049 dst->fwd_opts.streamlocal_bind_mask =
2050 src->fwd_opts.streamlocal_bind_mask;
2053 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2054 #define M_CP_STROPT(n) do {\
2055 if (src->n != NULL && dst->n != src->n) { \
2060 #define M_CP_STRARRAYOPT(n, num_n) do {\
2061 if (src->num_n != 0) { \
2062 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2063 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2066 #define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \
2067 if (src->num_n != 0) { \
2068 dst->n = xcalloc(src->num_n, sizeof(*dst->n)); \
2069 M_CP_STRARRAYOPT(n, num_n); \
2070 dst->num_n = src->num_n; \
2074 /* See comment in servconf.h */
2075 COPY_MATCH_STRING_OPTS();
2077 /* Arguments that accept '+...' need to be expanded */
2078 assemble_algorithms(dst);
2081 * The only things that should be below this point are string options
2082 * which are only used after authentication.
2087 /* These options may be "none" to clear a global setting */
2088 M_CP_STROPT(adm_forced_command);
2089 if (option_clear_or_none(dst->adm_forced_command)) {
2090 free(dst->adm_forced_command);
2091 dst->adm_forced_command = NULL;
2093 M_CP_STROPT(chroot_directory);
2094 if (option_clear_or_none(dst->chroot_directory)) {
2095 free(dst->chroot_directory);
2096 dst->chroot_directory = NULL;
2102 #undef M_CP_STRARRAYOPT
2103 #undef M_CP_STRARRAYOPT_ALLOC
2106 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2107 struct connection_info *connectinfo)
2109 int active, linenum, bad_options = 0;
2110 char *cp, *obuf, *cbuf;
2112 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2114 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2115 fatal("%s: sshbuf_dup_string failed", __func__);
2116 active = connectinfo ? 0 : 1;
2118 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2119 if (process_server_config_line(options, cp, filename,
2120 linenum++, &active, connectinfo) != 0)
2124 if (bad_options > 0)
2125 fatal("%s: terminating, %d bad configuration options",
2126 filename, bad_options);
2127 process_queued_listen_addrs(options);
2131 fmt_multistate_int(int val, const struct multistate *m)
2135 for (i = 0; m[i].key != NULL; i++) {
2136 if (m[i].value == val)
2143 fmt_intarg(ServerOpCodes code, int val)
2148 case sAddressFamily:
2149 return fmt_multistate_int(val, multistate_addressfamily);
2150 case sPermitRootLogin:
2151 return fmt_multistate_int(val, multistate_permitrootlogin);
2153 return fmt_multistate_int(val, multistate_gatewayports);
2155 return fmt_multistate_int(val, multistate_compression);
2156 case sAllowTcpForwarding:
2157 return fmt_multistate_int(val, multistate_tcpfwd);
2158 case sAllowStreamLocalForwarding:
2159 return fmt_multistate_int(val, multistate_tcpfwd);
2160 case sFingerprintHash:
2161 return ssh_digest_alg_name(val);
2175 lookup_opcode_name(ServerOpCodes code)
2179 for (i = 0; keywords[i].name != NULL; i++)
2180 if (keywords[i].opcode == code)
2181 return(keywords[i].name);
2186 dump_cfg_int(ServerOpCodes code, int val)
2188 printf("%s %d\n", lookup_opcode_name(code), val);
2192 dump_cfg_oct(ServerOpCodes code, int val)
2194 printf("%s 0%o\n", lookup_opcode_name(code), val);
2198 dump_cfg_fmtint(ServerOpCodes code, int val)
2200 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2204 dump_cfg_string(ServerOpCodes code, const char *val)
2206 printf("%s %s\n", lookup_opcode_name(code),
2207 val == NULL ? "none" : val);
2211 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2215 for (i = 0; i < count; i++)
2216 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2220 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2224 if (count <= 0 && code != sAuthenticationMethods)
2226 printf("%s", lookup_opcode_name(code));
2227 for (i = 0; i < count; i++)
2228 printf(" %s", vals[i]);
2229 if (code == sAuthenticationMethods && count == 0)
2235 dump_config(ServerOptions *o)
2239 struct addrinfo *ai;
2240 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2241 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2243 /* these are usually at the top of the config */
2244 for (i = 0; i < o->num_ports; i++)
2245 printf("port %d\n", o->ports[i]);
2246 dump_cfg_fmtint(sAddressFamily, o->address_family);
2249 * ListenAddress must be after Port. add_one_listen_addr pushes
2250 * addresses onto a stack, so to maintain ordering we need to
2251 * print these in reverse order.
2253 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2254 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2255 sizeof(addr), port, sizeof(port),
2256 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2257 error("getnameinfo failed: %.100s",
2258 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2262 if (ai->ai_family == AF_INET6)
2263 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2264 addr, port, laddr2);
2266 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2267 addr, port, laddr2);
2271 printf("%s", laddr1);
2274 /* integer arguments */
2276 dump_cfg_fmtint(sUsePAM, o->use_pam);
2278 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2279 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2280 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2281 dump_cfg_int(sMaxSessions, o->max_sessions);
2282 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2283 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2284 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2286 /* formatted integer arguments */
2287 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2288 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2289 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2290 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2291 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2292 o->hostbased_uses_name_from_packet_only);
2293 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2295 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2296 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2297 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2299 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2303 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2304 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2306 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2307 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2308 o->kbd_interactive_authentication);
2309 dump_cfg_fmtint(sChallengeResponseAuthentication,
2310 o->challenge_response_authentication);
2311 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2312 #ifndef DISABLE_LASTLOG
2313 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2315 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2316 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2317 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2318 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2319 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2320 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2321 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2322 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2323 dump_cfg_fmtint(sCompression, o->compression);
2324 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2325 dump_cfg_fmtint(sUseDNS, o->use_dns);
2326 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2327 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2328 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2329 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2330 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2331 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2332 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2334 /* string arguments */
2335 dump_cfg_string(sPidFile, o->pid_file);
2336 dump_cfg_string(sXAuthLocation, o->xauth_location);
2337 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2338 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2339 dump_cfg_string(sBanner, o->banner);
2340 dump_cfg_string(sForceCommand, o->adm_forced_command);
2341 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2342 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2343 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2344 dump_cfg_string(sAuthorizedPrincipalsFile,
2345 o->authorized_principals_file);
2346 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2347 ? "none" : o->version_addendum);
2348 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2349 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2350 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2351 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2352 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2353 dump_cfg_string(sKexAlgorithms,
2354 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2355 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2356 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2357 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2358 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2359 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2360 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2362 /* string arguments requiring a lookup */
2363 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2364 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2366 /* string array arguments */
2367 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2368 o->authorized_keys_files);
2369 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2371 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2372 o->host_cert_files);
2373 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2374 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2375 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2376 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2377 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2378 dump_cfg_strarray_oneline(sAuthenticationMethods,
2379 o->num_auth_methods, o->auth_methods);
2381 /* other arguments */
2382 for (i = 0; i < o->num_subsystems; i++)
2383 printf("subsystem %s %s\n", o->subsystem_name[i],
2384 o->subsystem_args[i]);
2386 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2387 o->max_startups_rate, o->max_startups);
2389 for (i = 0; tunmode_desc[i].val != -1; i++)
2390 if (tunmode_desc[i].val == o->permit_tun) {
2391 s = tunmode_desc[i].text;
2394 dump_cfg_string(sPermitTunnel, s);
2396 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2397 printf("%s\n", iptos2str(o->ip_qos_bulk));
2399 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2402 printf("permitopen");
2403 if (o->num_permitted_opens == 0)
2406 for (i = 0; i < o->num_permitted_opens; i++)
2407 printf(" %s", o->permitted_opens[i]);