1 /* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
131 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
132 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
133 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
134 oDeprecated, oUnsupported
137 /* Textual representations of the tokens. */
143 { "forwardagent", oForwardAgent },
144 { "forwardx11", oForwardX11 },
145 { "forwardx11trusted", oForwardX11Trusted },
146 { "exitonforwardfailure", oExitOnForwardFailure },
147 { "xauthlocation", oXAuthLocation },
148 { "gatewayports", oGatewayPorts },
149 { "useprivilegedport", oUsePrivilegedPort },
150 { "rhostsauthentication", oDeprecated },
151 { "passwordauthentication", oPasswordAuthentication },
152 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
153 { "kbdinteractivedevices", oKbdInteractiveDevices },
154 { "rsaauthentication", oRSAAuthentication },
155 { "pubkeyauthentication", oPubkeyAuthentication },
156 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
157 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
158 { "hostbasedauthentication", oHostbasedAuthentication },
159 { "challengeresponseauthentication", oChallengeResponseAuthentication },
160 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
161 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
162 { "kerberosauthentication", oUnsupported },
163 { "kerberostgtpassing", oUnsupported },
164 { "afstokenpassing", oUnsupported },
166 { "gssapiauthentication", oGssAuthentication },
167 { "gssapidelegatecredentials", oGssDelegateCreds },
169 { "gssapiauthentication", oUnsupported },
170 { "gssapidelegatecredentials", oUnsupported },
172 { "fallbacktorsh", oDeprecated },
173 { "usersh", oDeprecated },
174 { "identityfile", oIdentityFile },
175 { "identityfile2", oIdentityFile }, /* obsolete */
176 { "identitiesonly", oIdentitiesOnly },
177 { "hostname", oHostName },
178 { "hostkeyalias", oHostKeyAlias },
179 { "proxycommand", oProxyCommand },
181 { "cipher", oCipher },
182 { "ciphers", oCiphers },
184 { "protocol", oProtocol },
185 { "remoteforward", oRemoteForward },
186 { "localforward", oLocalForward },
189 { "escapechar", oEscapeChar },
190 { "globalknownhostsfile", oGlobalKnownHostsFile },
191 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
192 { "userknownhostsfile", oUserKnownHostsFile },
193 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
194 { "connectionattempts", oConnectionAttempts },
195 { "batchmode", oBatchMode },
196 { "checkhostip", oCheckHostIP },
197 { "stricthostkeychecking", oStrictHostKeyChecking },
198 { "compression", oCompression },
199 { "compressionlevel", oCompressionLevel },
200 { "tcpkeepalive", oTCPKeepAlive },
201 { "keepalive", oTCPKeepAlive }, /* obsolete */
202 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
203 { "loglevel", oLogLevel },
204 { "dynamicforward", oDynamicForward },
205 { "preferredauthentications", oPreferredAuthentications },
206 { "hostkeyalgorithms", oHostKeyAlgorithms },
207 { "bindaddress", oBindAddress },
209 { "smartcarddevice", oSmartcardDevice },
211 { "smartcarddevice", oUnsupported },
213 { "clearallforwardings", oClearAllForwardings },
214 { "enablesshkeysign", oEnableSSHKeysign },
215 { "verifyhostkeydns", oVerifyHostKeyDNS },
216 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
217 { "rekeylimit", oRekeyLimit },
218 { "connecttimeout", oConnectTimeout },
219 { "addressfamily", oAddressFamily },
220 { "serveraliveinterval", oServerAliveInterval },
221 { "serveralivecountmax", oServerAliveCountMax },
222 { "sendenv", oSendEnv },
223 { "controlpath", oControlPath },
224 { "controlmaster", oControlMaster },
225 { "hashknownhosts", oHashKnownHosts },
226 { "tunnel", oTunnel },
227 { "tunneldevice", oTunnelDevice },
228 { "localcommand", oLocalCommand },
229 { "permitlocalcommand", oPermitLocalCommand },
230 { "visualhostkey", oVisualHostKey },
232 { "zeroknowledgepasswordauthentication",
233 oZeroKnowledgePasswordAuthentication },
235 { "zeroknowledgepasswordauthentication", oUnsupported },
242 * Adds a local TCP/IP port forward to options. Never returns if there is an
247 add_local_forward(Options *options, const Forward *newfwd)
250 #ifndef NO_IPPORT_RESERVED_CONCEPT
251 extern uid_t original_real_uid;
252 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
253 fatal("Privileged ports can only be forwarded by root.");
255 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
256 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
257 fwd = &options->local_forwards[options->num_local_forwards++];
259 fwd->listen_host = newfwd->listen_host;
260 fwd->listen_port = newfwd->listen_port;
261 fwd->connect_host = newfwd->connect_host;
262 fwd->connect_port = newfwd->connect_port;
266 * Adds a remote TCP/IP port forward to options. Never returns if there is
271 add_remote_forward(Options *options, const Forward *newfwd)
274 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
275 fatal("Too many remote forwards (max %d).",
276 SSH_MAX_FORWARDS_PER_DIRECTION);
277 fwd = &options->remote_forwards[options->num_remote_forwards++];
279 fwd->listen_host = newfwd->listen_host;
280 fwd->listen_port = newfwd->listen_port;
281 fwd->connect_host = newfwd->connect_host;
282 fwd->connect_port = newfwd->connect_port;
286 clear_forwardings(Options *options)
290 for (i = 0; i < options->num_local_forwards; i++) {
291 if (options->local_forwards[i].listen_host != NULL)
292 xfree(options->local_forwards[i].listen_host);
293 xfree(options->local_forwards[i].connect_host);
295 options->num_local_forwards = 0;
296 for (i = 0; i < options->num_remote_forwards; i++) {
297 if (options->remote_forwards[i].listen_host != NULL)
298 xfree(options->remote_forwards[i].listen_host);
299 xfree(options->remote_forwards[i].connect_host);
301 options->num_remote_forwards = 0;
302 options->tun_open = SSH_TUNMODE_NO;
306 * Returns the number of the token pointed to by cp or oBadOption.
310 parse_token(const char *cp, const char *filename, int linenum)
314 for (i = 0; keywords[i].name; i++)
315 if (strcasecmp(cp, keywords[i].name) == 0)
316 return keywords[i].opcode;
318 error("%s: line %d: Bad configuration option: %s",
319 filename, linenum, cp);
324 * Processes a single option line as used in the configuration files. This
325 * only sets those values that have not already been set.
327 #define WHITESPACE " \t\r\n"
330 process_config_line(Options *options, const char *host,
331 char *line, const char *filename, int linenum,
334 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
335 int opcode, *intptr, value, value2, scale;
336 LogLevel *log_level_ptr;
337 long long orig, val64;
341 /* Strip trailing whitespace */
342 for (len = strlen(line) - 1; len > 0; len--) {
343 if (strchr(WHITESPACE, line[len]) == NULL)
349 /* Get the keyword. (Each line is supposed to begin with a keyword). */
350 if ((keyword = strdelim(&s)) == NULL)
352 /* Ignore leading whitespace. */
353 if (*keyword == '\0')
354 keyword = strdelim(&s);
355 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
358 opcode = parse_token(keyword, filename, linenum);
362 /* don't panic, but count bad options */
365 case oConnectTimeout:
366 intptr = &options->connection_timeout;
369 if (!arg || *arg == '\0')
370 fatal("%s line %d: missing time value.",
372 if ((value = convtime(arg)) == -1)
373 fatal("%s line %d: invalid time value.",
375 if (*activep && *intptr == -1)
380 intptr = &options->forward_agent;
383 if (!arg || *arg == '\0')
384 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
385 value = 0; /* To avoid compiler warning... */
386 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
388 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
391 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
392 if (*activep && *intptr == -1)
397 intptr = &options->forward_x11;
400 case oForwardX11Trusted:
401 intptr = &options->forward_x11_trusted;
405 intptr = &options->gateway_ports;
408 case oExitOnForwardFailure:
409 intptr = &options->exit_on_forward_failure;
412 case oUsePrivilegedPort:
413 intptr = &options->use_privileged_port;
416 case oPasswordAuthentication:
417 intptr = &options->password_authentication;
420 case oZeroKnowledgePasswordAuthentication:
421 intptr = &options->zero_knowledge_password_authentication;
424 case oKbdInteractiveAuthentication:
425 intptr = &options->kbd_interactive_authentication;
428 case oKbdInteractiveDevices:
429 charptr = &options->kbd_interactive_devices;
432 case oPubkeyAuthentication:
433 intptr = &options->pubkey_authentication;
436 case oRSAAuthentication:
437 intptr = &options->rsa_authentication;
440 case oRhostsRSAAuthentication:
441 intptr = &options->rhosts_rsa_authentication;
444 case oHostbasedAuthentication:
445 intptr = &options->hostbased_authentication;
448 case oChallengeResponseAuthentication:
449 intptr = &options->challenge_response_authentication;
452 case oGssAuthentication:
453 intptr = &options->gss_authentication;
456 case oGssDelegateCreds:
457 intptr = &options->gss_deleg_creds;
461 intptr = &options->batch_mode;
465 intptr = &options->check_host_ip;
468 case oVerifyHostKeyDNS:
469 intptr = &options->verify_host_key_dns;
472 case oStrictHostKeyChecking:
473 intptr = &options->strict_host_key_checking;
476 if (!arg || *arg == '\0')
477 fatal("%.200s line %d: Missing yes/no/ask argument.",
479 value = 0; /* To avoid compiler warning... */
480 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
482 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
484 else if (strcmp(arg, "ask") == 0)
487 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
488 if (*activep && *intptr == -1)
493 intptr = &options->compression;
497 intptr = &options->tcp_keep_alive;
500 case oNoHostAuthenticationForLocalhost:
501 intptr = &options->no_host_authentication_for_localhost;
504 case oNumberOfPasswordPrompts:
505 intptr = &options->number_of_password_prompts;
508 case oCompressionLevel:
509 intptr = &options->compression_level;
514 if (!arg || *arg == '\0')
515 fatal("%.200s line %d: Missing argument.", filename, linenum);
516 if (arg[0] < '0' || arg[0] > '9')
517 fatal("%.200s line %d: Bad number.", filename, linenum);
518 orig = val64 = strtoll(arg, &endofnumber, 10);
519 if (arg == endofnumber)
520 fatal("%.200s line %d: Bad number.", filename, linenum);
521 switch (toupper(*endofnumber)) {
535 fatal("%.200s line %d: Invalid RekeyLimit suffix",
539 /* detect integer wrap and too-large limits */
540 if ((val64 / scale) != orig || val64 > UINT_MAX)
541 fatal("%.200s line %d: RekeyLimit too large",
544 fatal("%.200s line %d: RekeyLimit too small",
546 if (*activep && options->rekey_limit == -1)
547 options->rekey_limit = (u_int32_t)val64;
552 if (!arg || *arg == '\0')
553 fatal("%.200s line %d: Missing argument.", filename, linenum);
555 intptr = &options->num_identity_files;
556 if (*intptr >= SSH_MAX_IDENTITY_FILES)
557 fatal("%.200s line %d: Too many identity files specified (max %d).",
558 filename, linenum, SSH_MAX_IDENTITY_FILES);
559 charptr = &options->identity_files[*intptr];
560 *charptr = xstrdup(arg);
561 *intptr = *intptr + 1;
566 charptr=&options->xauth_location;
570 charptr = &options->user;
573 if (!arg || *arg == '\0')
574 fatal("%.200s line %d: Missing argument.", filename, linenum);
575 if (*activep && *charptr == NULL)
576 *charptr = xstrdup(arg);
579 case oGlobalKnownHostsFile:
580 charptr = &options->system_hostfile;
583 case oUserKnownHostsFile:
584 charptr = &options->user_hostfile;
587 case oGlobalKnownHostsFile2:
588 charptr = &options->system_hostfile2;
591 case oUserKnownHostsFile2:
592 charptr = &options->user_hostfile2;
596 charptr = &options->hostname;
600 charptr = &options->host_key_alias;
603 case oPreferredAuthentications:
604 charptr = &options->preferred_authentications;
608 charptr = &options->bind_address;
611 case oSmartcardDevice:
612 charptr = &options->smartcard_device;
616 charptr = &options->proxy_command;
619 fatal("%.200s line %d: Missing argument.", filename, linenum);
620 len = strspn(s, WHITESPACE "=");
621 if (*activep && *charptr == NULL)
622 *charptr = xstrdup(s + len);
626 intptr = &options->port;
629 if (!arg || *arg == '\0')
630 fatal("%.200s line %d: Missing argument.", filename, linenum);
631 if (arg[0] < '0' || arg[0] > '9')
632 fatal("%.200s line %d: Bad number.", filename, linenum);
634 /* Octal, decimal, or hex format? */
635 value = strtol(arg, &endofnumber, 0);
636 if (arg == endofnumber)
637 fatal("%.200s line %d: Bad number.", filename, linenum);
638 if (*activep && *intptr == -1)
642 case oConnectionAttempts:
643 intptr = &options->connection_attempts;
647 intptr = &options->cipher;
649 if (!arg || *arg == '\0')
650 fatal("%.200s line %d: Missing argument.", filename, linenum);
651 value = cipher_number(arg);
653 fatal("%.200s line %d: Bad cipher '%s'.",
654 filename, linenum, arg ? arg : "<NONE>");
655 if (*activep && *intptr == -1)
661 if (!arg || *arg == '\0')
662 fatal("%.200s line %d: Missing argument.", filename, linenum);
663 if (!ciphers_valid(arg))
664 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
665 filename, linenum, arg ? arg : "<NONE>");
666 if (*activep && options->ciphers == NULL)
667 options->ciphers = xstrdup(arg);
672 if (!arg || *arg == '\0')
673 fatal("%.200s line %d: Missing argument.", filename, linenum);
675 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
676 filename, linenum, arg ? arg : "<NONE>");
677 if (*activep && options->macs == NULL)
678 options->macs = xstrdup(arg);
681 case oHostKeyAlgorithms:
683 if (!arg || *arg == '\0')
684 fatal("%.200s line %d: Missing argument.", filename, linenum);
685 if (!key_names_valid2(arg))
686 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
687 filename, linenum, arg ? arg : "<NONE>");
688 if (*activep && options->hostkeyalgorithms == NULL)
689 options->hostkeyalgorithms = xstrdup(arg);
693 intptr = &options->protocol;
695 if (!arg || *arg == '\0')
696 fatal("%.200s line %d: Missing argument.", filename, linenum);
697 value = proto_spec(arg);
698 if (value == SSH_PROTO_UNKNOWN)
699 fatal("%.200s line %d: Bad protocol spec '%s'.",
700 filename, linenum, arg ? arg : "<NONE>");
701 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
706 log_level_ptr = &options->log_level;
708 value = log_level_number(arg);
709 if (value == SYSLOG_LEVEL_NOT_SET)
710 fatal("%.200s line %d: unsupported log level '%s'",
711 filename, linenum, arg ? arg : "<NONE>");
712 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
713 *log_level_ptr = (LogLevel) value;
718 case oDynamicForward:
720 if (arg == NULL || *arg == '\0')
721 fatal("%.200s line %d: Missing port argument.",
724 if (opcode == oLocalForward ||
725 opcode == oRemoteForward) {
727 if (arg2 == NULL || *arg2 == '\0')
728 fatal("%.200s line %d: Missing target argument.",
731 /* construct a string for parse_forward */
732 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
733 } else if (opcode == oDynamicForward) {
734 strlcpy(fwdarg, arg, sizeof(fwdarg));
737 if (parse_forward(&fwd, fwdarg,
738 opcode == oDynamicForward ? 1 : 0,
739 opcode == oRemoteForward ? 1 : 0) == 0)
740 fatal("%.200s line %d: Bad forwarding specification.",
744 if (opcode == oLocalForward ||
745 opcode == oDynamicForward)
746 add_local_forward(options, &fwd);
747 else if (opcode == oRemoteForward)
748 add_remote_forward(options, &fwd);
752 case oClearAllForwardings:
753 intptr = &options->clear_forwardings;
758 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
759 if (match_pattern(host, arg)) {
760 debug("Applying options for %.100s", arg);
764 /* Avoid garbage check below, as strdelim is done. */
768 intptr = &options->escape_char;
770 if (!arg || *arg == '\0')
771 fatal("%.200s line %d: Missing argument.", filename, linenum);
772 if (arg[0] == '^' && arg[2] == 0 &&
773 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
774 value = (u_char) arg[1] & 31;
775 else if (strlen(arg) == 1)
776 value = (u_char) arg[0];
777 else if (strcmp(arg, "none") == 0)
778 value = SSH_ESCAPECHAR_NONE;
780 fatal("%.200s line %d: Bad escape character.",
783 value = 0; /* Avoid compiler warning. */
785 if (*activep && *intptr == -1)
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: missing address family.",
794 intptr = &options->address_family;
795 if (strcasecmp(arg, "inet") == 0)
797 else if (strcasecmp(arg, "inet6") == 0)
799 else if (strcasecmp(arg, "any") == 0)
802 fatal("Unsupported AddressFamily \"%s\"", arg);
803 if (*activep && *intptr == -1)
807 case oEnableSSHKeysign:
808 intptr = &options->enable_ssh_keysign;
811 case oIdentitiesOnly:
812 intptr = &options->identities_only;
815 case oServerAliveInterval:
816 intptr = &options->server_alive_interval;
819 case oServerAliveCountMax:
820 intptr = &options->server_alive_count_max;
824 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
825 if (strchr(arg, '=') != NULL)
826 fatal("%s line %d: Invalid environment name.",
830 if (options->num_send_env >= MAX_SEND_ENV)
831 fatal("%s line %d: too many send env.",
833 options->send_env[options->num_send_env++] =
839 charptr = &options->control_path;
843 intptr = &options->control_master;
845 if (!arg || *arg == '\0')
846 fatal("%.200s line %d: Missing ControlMaster argument.",
848 value = 0; /* To avoid compiler warning... */
849 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
850 value = SSHCTL_MASTER_YES;
851 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
852 value = SSHCTL_MASTER_NO;
853 else if (strcmp(arg, "auto") == 0)
854 value = SSHCTL_MASTER_AUTO;
855 else if (strcmp(arg, "ask") == 0)
856 value = SSHCTL_MASTER_ASK;
857 else if (strcmp(arg, "autoask") == 0)
858 value = SSHCTL_MASTER_AUTO_ASK;
860 fatal("%.200s line %d: Bad ControlMaster argument.",
862 if (*activep && *intptr == -1)
866 case oHashKnownHosts:
867 intptr = &options->hash_known_hosts;
871 intptr = &options->tun_open;
873 if (!arg || *arg == '\0')
874 fatal("%s line %d: Missing yes/point-to-point/"
875 "ethernet/no argument.", filename, linenum);
876 value = 0; /* silence compiler */
877 if (strcasecmp(arg, "ethernet") == 0)
878 value = SSH_TUNMODE_ETHERNET;
879 else if (strcasecmp(arg, "point-to-point") == 0)
880 value = SSH_TUNMODE_POINTOPOINT;
881 else if (strcasecmp(arg, "yes") == 0)
882 value = SSH_TUNMODE_DEFAULT;
883 else if (strcasecmp(arg, "no") == 0)
884 value = SSH_TUNMODE_NO;
886 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
887 "no argument: %s", filename, linenum, arg);
894 if (!arg || *arg == '\0')
895 fatal("%.200s line %d: Missing argument.", filename, linenum);
896 value = a2tun(arg, &value2);
897 if (value == SSH_TUNID_ERR)
898 fatal("%.200s line %d: Bad tun device.", filename, linenum);
900 options->tun_local = value;
901 options->tun_remote = value2;
906 charptr = &options->local_command;
909 case oPermitLocalCommand:
910 intptr = &options->permit_local_command;
914 intptr = &options->visual_host_key;
918 debug("%s line %d: Deprecated option \"%s\"",
919 filename, linenum, keyword);
923 error("%s line %d: Unsupported option \"%s\"",
924 filename, linenum, keyword);
928 fatal("process_config_line: Unimplemented opcode %d", opcode);
931 /* Check that there is no garbage at end of line. */
932 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
933 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
934 filename, linenum, arg);
941 * Reads the config file and modifies the options accordingly. Options
942 * should already be initialized before this call. This never returns if
943 * there is an error. If the file does not exist, this returns 0.
947 read_config_file(const char *filename, const char *host, Options *options,
955 if ((f = fopen(filename, "r")) == NULL)
961 if (fstat(fileno(f), &sb) == -1)
962 fatal("fstat %s: %s", filename, strerror(errno));
963 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
964 (sb.st_mode & 022) != 0))
965 fatal("Bad owner or permissions on %s", filename);
968 debug("Reading configuration data %.200s", filename);
971 * Mark that we are now processing the options. This flag is turned
972 * on/off by Host specifications.
976 while (fgets(line, sizeof(line), f)) {
977 /* Update line number counter. */
979 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
984 fatal("%s: terminating, %d bad configuration options",
985 filename, bad_options);
990 * Initializes options to special values that indicate that they have not yet
991 * been set. Read_config_file will only set options with this value. Options
992 * are processed in the following order: command line, user config file,
993 * system config file. Last, fill_default_options is called.
997 initialize_options(Options * options)
999 memset(options, 'X', sizeof(*options));
1000 options->forward_agent = -1;
1001 options->forward_x11 = -1;
1002 options->forward_x11_trusted = -1;
1003 options->exit_on_forward_failure = -1;
1004 options->xauth_location = NULL;
1005 options->gateway_ports = -1;
1006 options->use_privileged_port = -1;
1007 options->rsa_authentication = -1;
1008 options->pubkey_authentication = -1;
1009 options->challenge_response_authentication = -1;
1010 options->gss_authentication = -1;
1011 options->gss_deleg_creds = -1;
1012 options->password_authentication = -1;
1013 options->kbd_interactive_authentication = -1;
1014 options->kbd_interactive_devices = NULL;
1015 options->rhosts_rsa_authentication = -1;
1016 options->hostbased_authentication = -1;
1017 options->batch_mode = -1;
1018 options->check_host_ip = -1;
1019 options->strict_host_key_checking = -1;
1020 options->compression = -1;
1021 options->tcp_keep_alive = -1;
1022 options->compression_level = -1;
1024 options->address_family = -1;
1025 options->connection_attempts = -1;
1026 options->connection_timeout = -1;
1027 options->number_of_password_prompts = -1;
1028 options->cipher = -1;
1029 options->ciphers = NULL;
1030 options->macs = NULL;
1031 options->hostkeyalgorithms = NULL;
1032 options->protocol = SSH_PROTO_UNKNOWN;
1033 options->num_identity_files = 0;
1034 options->hostname = NULL;
1035 options->host_key_alias = NULL;
1036 options->proxy_command = NULL;
1037 options->user = NULL;
1038 options->escape_char = -1;
1039 options->system_hostfile = NULL;
1040 options->user_hostfile = NULL;
1041 options->system_hostfile2 = NULL;
1042 options->user_hostfile2 = NULL;
1043 options->num_local_forwards = 0;
1044 options->num_remote_forwards = 0;
1045 options->clear_forwardings = -1;
1046 options->log_level = SYSLOG_LEVEL_NOT_SET;
1047 options->preferred_authentications = NULL;
1048 options->bind_address = NULL;
1049 options->smartcard_device = NULL;
1050 options->enable_ssh_keysign = - 1;
1051 options->no_host_authentication_for_localhost = - 1;
1052 options->identities_only = - 1;
1053 options->rekey_limit = - 1;
1054 options->verify_host_key_dns = -1;
1055 options->server_alive_interval = -1;
1056 options->server_alive_count_max = -1;
1057 options->num_send_env = 0;
1058 options->control_path = NULL;
1059 options->control_master = -1;
1060 options->hash_known_hosts = -1;
1061 options->tun_open = -1;
1062 options->tun_local = -1;
1063 options->tun_remote = -1;
1064 options->local_command = NULL;
1065 options->permit_local_command = -1;
1066 options->visual_host_key = -1;
1067 options->zero_knowledge_password_authentication = -1;
1071 * Called after processing other sources of option data, this fills those
1072 * options for which no value has been specified with their default values.
1076 fill_default_options(Options * options)
1080 if (options->forward_agent == -1)
1081 options->forward_agent = 0;
1082 if (options->forward_x11 == -1)
1083 options->forward_x11 = 0;
1084 if (options->forward_x11_trusted == -1)
1085 options->forward_x11_trusted = 0;
1086 if (options->exit_on_forward_failure == -1)
1087 options->exit_on_forward_failure = 0;
1088 if (options->xauth_location == NULL)
1089 options->xauth_location = _PATH_XAUTH;
1090 if (options->gateway_ports == -1)
1091 options->gateway_ports = 0;
1092 if (options->use_privileged_port == -1)
1093 options->use_privileged_port = 0;
1094 if (options->rsa_authentication == -1)
1095 options->rsa_authentication = 1;
1096 if (options->pubkey_authentication == -1)
1097 options->pubkey_authentication = 1;
1098 if (options->challenge_response_authentication == -1)
1099 options->challenge_response_authentication = 1;
1100 if (options->gss_authentication == -1)
1101 options->gss_authentication = 0;
1102 if (options->gss_deleg_creds == -1)
1103 options->gss_deleg_creds = 0;
1104 if (options->password_authentication == -1)
1105 options->password_authentication = 1;
1106 if (options->kbd_interactive_authentication == -1)
1107 options->kbd_interactive_authentication = 1;
1108 if (options->rhosts_rsa_authentication == -1)
1109 options->rhosts_rsa_authentication = 0;
1110 if (options->hostbased_authentication == -1)
1111 options->hostbased_authentication = 0;
1112 if (options->batch_mode == -1)
1113 options->batch_mode = 0;
1114 if (options->check_host_ip == -1)
1115 options->check_host_ip = 1;
1116 if (options->strict_host_key_checking == -1)
1117 options->strict_host_key_checking = 2; /* 2 is default */
1118 if (options->compression == -1)
1119 options->compression = 0;
1120 if (options->tcp_keep_alive == -1)
1121 options->tcp_keep_alive = 1;
1122 if (options->compression_level == -1)
1123 options->compression_level = 6;
1124 if (options->port == -1)
1125 options->port = 0; /* Filled in ssh_connect. */
1126 if (options->address_family == -1)
1127 options->address_family = AF_UNSPEC;
1128 if (options->connection_attempts == -1)
1129 options->connection_attempts = 1;
1130 if (options->number_of_password_prompts == -1)
1131 options->number_of_password_prompts = 3;
1132 /* Selected in ssh_login(). */
1133 if (options->cipher == -1)
1134 options->cipher = SSH_CIPHER_NOT_SET;
1135 /* options->ciphers, default set in myproposals.h */
1136 /* options->macs, default set in myproposals.h */
1137 /* options->hostkeyalgorithms, default set in myproposals.h */
1138 if (options->protocol == SSH_PROTO_UNKNOWN)
1139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1140 if (options->num_identity_files == 0) {
1141 if (options->protocol & SSH_PROTO_1) {
1142 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1143 options->identity_files[options->num_identity_files] =
1145 snprintf(options->identity_files[options->num_identity_files++],
1146 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1148 if (options->protocol & SSH_PROTO_2) {
1149 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1150 options->identity_files[options->num_identity_files] =
1152 snprintf(options->identity_files[options->num_identity_files++],
1153 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1155 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1156 options->identity_files[options->num_identity_files] =
1158 snprintf(options->identity_files[options->num_identity_files++],
1159 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1162 if (options->escape_char == -1)
1163 options->escape_char = '~';
1164 if (options->system_hostfile == NULL)
1165 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1166 if (options->user_hostfile == NULL)
1167 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1168 if (options->system_hostfile2 == NULL)
1169 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1170 if (options->user_hostfile2 == NULL)
1171 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1172 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1173 options->log_level = SYSLOG_LEVEL_INFO;
1174 if (options->clear_forwardings == 1)
1175 clear_forwardings(options);
1176 if (options->no_host_authentication_for_localhost == - 1)
1177 options->no_host_authentication_for_localhost = 0;
1178 if (options->identities_only == -1)
1179 options->identities_only = 0;
1180 if (options->enable_ssh_keysign == -1)
1181 options->enable_ssh_keysign = 0;
1182 if (options->rekey_limit == -1)
1183 options->rekey_limit = 0;
1184 if (options->verify_host_key_dns == -1)
1185 options->verify_host_key_dns = 0;
1186 if (options->server_alive_interval == -1)
1187 options->server_alive_interval = 0;
1188 if (options->server_alive_count_max == -1)
1189 options->server_alive_count_max = 3;
1190 if (options->control_master == -1)
1191 options->control_master = 0;
1192 if (options->hash_known_hosts == -1)
1193 options->hash_known_hosts = 0;
1194 if (options->tun_open == -1)
1195 options->tun_open = SSH_TUNMODE_NO;
1196 if (options->tun_local == -1)
1197 options->tun_local = SSH_TUNID_ANY;
1198 if (options->tun_remote == -1)
1199 options->tun_remote = SSH_TUNID_ANY;
1200 if (options->permit_local_command == -1)
1201 options->permit_local_command = 0;
1202 if (options->visual_host_key == -1)
1203 options->visual_host_key = 0;
1204 if (options->zero_knowledge_password_authentication == -1)
1205 options->zero_knowledge_password_authentication = 0;
1206 /* options->local_command should not be set by default */
1207 /* options->proxy_command should not be set by default */
1208 /* options->user will be set in the main program if appropriate */
1209 /* options->hostname will be set in the main program if appropriate */
1210 /* options->host_key_alias should not be set by default */
1211 /* options->preferred_authentications will be set in ssh */
1216 * parses a string containing a port forwarding specification of the form:
1218 * [listenhost:]listenport:connecthost:connectport
1220 * [listenhost:]listenport
1221 * returns number of arguments parsed or zero on error
1224 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1227 char *p, *cp, *fwdarg[4];
1229 memset(fwd, '\0', sizeof(*fwd));
1231 cp = p = xstrdup(fwdspec);
1233 /* skip leading spaces */
1234 while (isspace(*cp))
1237 for (i = 0; i < 4; ++i)
1238 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1241 /* Check for trailing garbage */
1243 i = 0; /* failure */
1247 fwd->listen_host = NULL;
1248 fwd->listen_port = a2port(fwdarg[0]);
1249 fwd->connect_host = xstrdup("socks");
1253 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1254 fwd->listen_port = a2port(fwdarg[1]);
1255 fwd->connect_host = xstrdup("socks");
1259 fwd->listen_host = NULL;
1260 fwd->listen_port = a2port(fwdarg[0]);
1261 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1262 fwd->connect_port = a2port(fwdarg[2]);
1266 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1267 fwd->listen_port = a2port(fwdarg[1]);
1268 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1269 fwd->connect_port = a2port(fwdarg[3]);
1272 i = 0; /* failure */
1278 if (!(i == 1 || i == 2))
1281 if (!(i == 3 || i == 4))
1283 if (fwd->connect_port <= 0)
1287 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1290 if (fwd->connect_host != NULL &&
1291 strlen(fwd->connect_host) >= NI_MAXHOST)
1293 if (fwd->listen_host != NULL &&
1294 strlen(fwd->listen_host) >= NI_MAXHOST)
1301 if (fwd->connect_host != NULL) {
1302 xfree(fwd->connect_host);
1303 fwd->connect_host = NULL;
1305 if (fwd->listen_host != NULL) {
1306 xfree(fwd->listen_host);
1307 fwd->listen_host = NULL;
projects / dragonfly.git / blob