36e94dc5 | 1 | /* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */ |
2 | |
3 | /* | |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
5 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
6 | * All rights reserved | |
7 | * Definitions for server configuration data and for the functions reading it. | |
8 | * | |
9 | * As far as I am concerned, the code I have written for this software | |
10 | * can be used freely for any purpose. Any derived versions of this | |
11 | * software must be clearly marked as such, and if the derived work is | |
12 | * incompatible with the protocol description in the RFC file, it must be | |
13 | * called by a name other than "ssh" or "Secure Shell". | |
14 | */ | |
15 | ||
16 | #ifndef SERVCONF_H | |
17 | #define SERVCONF_H | |
18 | ||
/*
 * Upper bounds for the fixed-size option arrays in ServerOptions below.
 * Each array is paired with a count field; because the arrays cannot grow,
 * the parser that fills them (servconf.c, not in this header) must refuse
 * a further entry once the count reaches the bound.
 */
#define MAX_PORTS		256	/* Max # ports. */

#define MAX_ALLOW_USERS		256	/* Max # users on allow list. */
#define MAX_DENY_USERS		256	/* Max # users on deny list. */
#define MAX_ALLOW_GROUPS	256	/* Max # groups on allow list. */
#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
#define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
#define MAX_HOSTKEYS		256	/* Max # hostkeys. */
#define MAX_HOSTCERTS		256	/* Max # host certificates. */
#define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
#define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
#define MAX_AUTHKEYS_FILES	256	/* Max # of authorized_keys files. */
#define MAX_AUTH_METHODS	256	/* Max # of AuthenticationMethods. */

/*
 * Values for ServerOptions.permit_root_login (the PermitRootLogin setting).
 * PERMIT_NOT_SET is the "not configured yet" sentinel, expected to be
 * replaced by fill_default_server_options().
 */
#define	PERMIT_NOT_SET		-1
#define	PERMIT_NO		0	/* "no" */
#define	PERMIT_FORCED_ONLY	1	/* "forced-commands-only" */
#define	PERMIT_NO_PASSWD	2	/* "without-password": any method except password auth */
#define	PERMIT_YES		3	/* "yes" */

/*
 * Values for use_privsep (UsePrivilegeSeparation).  PRIVSEP_NOSANDBOX
 * presumably means separation is on but the unprivileged child is not
 * additionally sandboxed -- confirm against sshd.c.
 */
#define	PRIVSEP_OFF		0
#define	PRIVSEP_ON		1
#define	PRIVSEP_NOSANDBOX	2

/*
 * Bit flags for ServerOptions.allow_tcp_forwarding and
 * allow_streamlocal_forwarding.  REMOTE and LOCAL are independent bits
 * (test with e.g. (x & FORWARD_LOCAL)); FORWARD_ALLOW sets both,
 * FORWARD_DENY sets neither.
 */
#define FORWARD_DENY		0
#define FORWARD_REMOTE		(1)
#define FORWARD_LOCAL		(1<<1)
#define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)

#define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */

/* Magic Subsystem command name that selects the in-process sftp-server. */
#define INTERNAL_SFTP_NAME	"internal-sftp"
56 | ||
/*
 * All sshd configuration state as produced by the config parser.
 *
 * Every fixed-size array is paired with a count field holding the number
 * of valid leading entries; the count must never exceed the matching
 * MAX_* bound.  Note that some counts are u_int and some are int, so be
 * careful with signed/unsigned comparisons when iterating.  String
 * members are pointers whose storage is managed by servconf.c (confirm
 * ownership there before freeing or retaining one).
 */
typedef struct {
	u_int	num_ports;		/* Number of valid entries in ports[]. */
	u_int	ports_from_cmdline;	/* How many ports[] entries came from the
					 * command line rather than the config
					 * (presumably; confirm in sshd.c). */
	int	ports[MAX_PORTS];	/* Port number to listen on. */
	char   *listen_addr;		/* Address on which the server listens. */
	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
	int	address_family;		/* Address family used by the server. */
	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
	int	num_host_key_files;	/* Number of files for host keys
					 * (int, unlike the u_int counts). */
	char   *host_cert_files[MAX_HOSTCERTS];	/* Files containing host certs. */
	int	num_host_cert_files;	/* Number of files for host certs. */
	char   *host_key_agent;		/* ssh-agent socket for host keys. */
	char   *pid_file;		/* Where to put our pid */
	int	server_key_bits;	/* Size of the server key. */
	int	login_grace_time;	/* Disconnect if no auth in this time
					 * (sec). */
	int	key_regeneration_time;	/* Server key lifetime (seconds). */
	int	permit_root_login;	/* PERMIT_*, see above */
	int	ignore_rhosts;		/* Ignore .rhosts and .shosts. */
	int	ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
					 * for RhostsRsaAuth */
	int	print_motd;		/* If true, print /etc/motd. */
	int     print_lastlog;		/* If true, print lastlog */
	int	x11_forwarding;		/* If true, permit inet (spoofing) X11 fwd. */
	int	x11_display_offset;	/* What DISPLAY number to start
					 * searching at */
	int	x11_use_localhost;	/* If true, use localhost for fake X11 server. */
	char   *xauth_location;		/* Location of xauth program */
	int	permit_tty;		/* If false, deny pty allocation */
	int	permit_user_rc;		/* If false, deny ~/.ssh/rc execution */
	int	strict_modes;		/* If true, require strict home dir modes
					 * (ownership/permission checks on the
					 * files sshd reads from the home dir). */
	int	tcp_keep_alive;		/* If true, set SO_KEEPALIVE. */
	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
	char   *ciphers;		/* Supported SSH2 ciphers. */
	char   *macs;			/* Supported SSH2 macs. */
	char   *kex_algorithms;		/* SSH2 kex methods in order of preference. */
	int	protocol;		/* Supported protocol versions. */
	struct ForwardOptions fwd_opts;	/* forwarding options */
	SyslogFacility log_facility;	/* Facility for system logging. */
	LogLevel log_level;		/* Level for system logging. */
	int	rhosts_rsa_authentication;	/* If true, permit rhosts RSA
					 * authentication. */
	int	hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
	int	hostbased_uses_name_from_packet_only; /* experimental: trust the
					 * client-supplied name without a
					 * reverse lookup */
	int	rsa_authentication;	/* If true, permit RSA authentication. */
	int	pubkey_authentication;	/* If true, permit ssh2 pubkey authentication. */
	int	kerberos_authentication;	/* If true, permit Kerberos
					 * authentication. */
	int	kerberos_or_local_passwd;	/* If true, permit kerberos
					 * and any other password
					 * authentication mechanism,
					 * such as SecurID or
					 * /etc/passwd */
	int	kerberos_ticket_cleanup;	/* If true, destroy ticket
					 * file on logout. */
	int	kerberos_get_afs_token;		/* If true, try to get AFS token if
					 * authenticated with Kerberos. */
	int	gss_authentication;	/* If true, permit GSSAPI authentication */
	int	gss_cleanup_creds;	/* If true, destroy cred cache on logout */
	int	password_authentication;	/* If true, permit password
					 * authentication. */
	int	kbd_interactive_authentication;	/* If true, permit
					 * keyboard-interactive authentication */
	int	challenge_response_authentication;	/* If true, permit
					 * challenge-response authentication */
	int	permit_blacklisted_keys;	/* If true, permit keys that appear
					 * in the key blacklist (non-upstream
					 * option; confirm where the check is
					 * made before relying on it) */
	int	permit_empty_passwd;	/* If false, do not permit empty
					 * passwords. */
	int	permit_user_env;	/* If true, read ~/.ssh/environment */
	int	use_login;		/* If true, login(1) is used */
	int	compression;		/* If true, compression is allowed */
	int	allow_tcp_forwarding;	/* One of FORWARD_* */
	int	allow_streamlocal_forwarding;	/* One of FORWARD_* */
	int	allow_agent_forwarding;	/* If true, permit ssh-agent forwarding */
	u_int	num_allow_users;	/* Valid entries in allow_users[] */
	char   *allow_users[MAX_ALLOW_USERS];
	u_int	num_deny_users;		/* Valid entries in deny_users[] */
	char   *deny_users[MAX_DENY_USERS];
	u_int	num_allow_groups;	/* Valid entries in allow_groups[] */
	char   *allow_groups[MAX_ALLOW_GROUPS];
	u_int	num_deny_groups;	/* Valid entries in deny_groups[] */
	char   *deny_groups[MAX_DENY_GROUPS];

	/* Parallel arrays: entry i of each describes the same subsystem. */
	u_int	num_subsystems;
	char   *subsystem_name[MAX_SUBSYSTEMS];
	char   *subsystem_command[MAX_SUBSYSTEMS];
	char   *subsystem_args[MAX_SUBSYSTEMS];

	u_int	num_accept_env;		/* Valid entries in accept_env[] */
	char   *accept_env[MAX_ACCEPT_ENV];	/* Client env var names/patterns
					 * that may be accepted */

	/* MaxStartups "start:rate:full" limits on unauthenticated connections. */
	int	max_startups_begin;
	int	max_startups_rate;
	int	max_startups;
	int	max_authtries;		/* MaxAuthTries (DEFAULT_AUTH_FAIL_MAX) */
	int	max_sessions;		/* MaxSessions (DEFAULT_SESSIONS_MAX) */
	char   *banner;			/* SSH-2 banner message */
	int	use_dns;		/* If true, resolve/verify client names via DNS */
	int	client_alive_interval;	/*
					 * poke the client this often to
					 * see if it's still there
					 */
	int	client_alive_count_max;	/*
					 * If the client is unresponsive
					 * for this many intervals above,
					 * disconnect the session
					 */

	u_int	num_authkeys_files;	/* Files containing public keys */
	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];

	char   *adm_forced_command;	/* ForceCommand: run this instead of
					 * whatever the client requested */

	int	use_pam;		/* Enable auth via PAM */
	/* HPN patch options (not upstream OpenSSH). */
	int	none_enabled;		/* enable NONE cipher switch -- NONE
					 * gives no confidentiality for the
					 * session payload */
	int	tcp_rcv_buf_poll;	/* poll tcp rcv window in autotuning kernels*/
	int	hpn_disabled;		/* disable hpn functionality. false by default */
	int	hpn_buffer_size;	/* set the hpn buffer size - default 3MB */

	int	permit_tun;		/* PermitTunnel setting */

	int	num_permitted_opens;	/* Count of PermitOpen entries; the
					 * entries themselves are not stored
					 * in this struct */

	char   *chroot_directory;	/* ChrootDirectory */
	char   *revoked_keys_file;	/* RevokedKeys */
	char   *trusted_user_ca_keys;	/* TrustedUserCAKeys */
	char   *authorized_principals_file;	/* AuthorizedPrincipalsFile */
	char   *authorized_keys_command;	/* AuthorizedKeysCommand */
	char   *authorized_keys_command_user;	/* AuthorizedKeysCommandUser: the
					 * account the command runs as */

	int64_t	rekey_limit;		/* RekeyLimit: bytes before re-keying */
	int	rekey_interval;		/* RekeyLimit: seconds before re-keying */

	char   *version_addendum;	/* Appended to SSH banner */

	u_int	num_auth_methods;	/* Valid entries in auth_methods[] */
	char   *auth_methods[MAX_AUTH_METHODS];	/* AuthenticationMethods entries */
} ServerOptions;
194 | ||
/*
 * Information about the incoming connection as used by Match.
 *
 * All pointers are borrowed; the struct does not own the strings.
 * NOTE(review): `host` is "possibly resolved", i.e. it can come from a
 * reverse DNS lookup that the server does not control, whereas `address`
 * is what the peer actually connected from -- Match rules keyed on the
 * address are the more reliable form.  Whether a missing field is NULL
 * or a sentinel is decided in servconf.c; see
 * server_match_spec_complete() below.
 */
struct connection_info {
	const char *user;		/* target user name */
	const char *host;		/* possibly resolved hostname */
	const char *address;		/* remote address */
	const char *laddress;		/* local address */
	int lport;			/* local port */
};
203 | ||
204 | ||
/*
 * These are string config options that must be copied between the
 * Match sub-config and the main config, and must be sent from the
 * privsep slave to the privsep master. We use a macro to ensure all
 * the options are copied and the copies are done in the correct order.
 *
 * M_CP_STROPT() and M_CP_STRARRAYOPT() are deliberately NOT defined in
 * this header: each including file defines them (copy, send, receive)
 * immediately before expanding this macro.  Keep the order below stable,
 * since the sending and receiving expansions must agree on it.
 *
 * NB. an option must appear in servconf.c:copy_set_server_options() or
 * COPY_MATCH_STRING_OPTS here but never both.
 */
#define COPY_MATCH_STRING_OPTS() do { \
		M_CP_STROPT(banner); \
		M_CP_STROPT(trusted_user_ca_keys); \
		M_CP_STROPT(revoked_keys_file); \
		M_CP_STROPT(authorized_principals_file); \
		M_CP_STROPT(authorized_keys_command); \
		M_CP_STROPT(authorized_keys_command_user); \
		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
		M_CP_STRARRAYOPT(allow_users, num_allow_users); \
		M_CP_STRARRAYOPT(deny_users, num_deny_users); \
		M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
		M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
		M_CP_STRARRAYOPT(accept_env, num_accept_env); \
		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
	} while (0)
229 | ||
/*
 * Prototypes implemented in servconf.c.  Parameter names are omitted in
 * these declarations; the meaning of the int/int* arguments below is
 * fixed by the definitions, so check there before calling.
 */
struct connection_info *get_connection_info(int, int);
/* Presumably resets every option to its "unset" sentinel (cf. PERMIT_NOT_SET). */
void	 initialize_server_options(ServerOptions *);
/* Presumably replaces still-unset options with defaults (cf. DEFAULT_AUTH_FAIL_MAX). */
void	 fill_default_server_options(ServerOptions *);
/*
 * Parse one config line into the options.  The line is passed as a
 * non-const char *, so the parser is free to modify it in place; pass a
 * copy if the caller still needs the text.  Returns int (error
 * convention not visible here -- confirm in servconf.c).
 */
int	 process_server_config_line(ServerOptions *, char *, const char *, int,
	     int *, struct connection_info *);
/* Read the config file into the Buffer; parsing happens separately below. */
void	 load_server_config(const char *, Buffer *);
void	 parse_server_config(ServerOptions *, const char *, Buffer *,
	     struct connection_info *);
/* Apply Match blocks for the given connection on top of the main config. */
void	 parse_server_match_config(ServerOptions *, struct connection_info *);
int	 parse_server_match_testspec(struct connection_info *, char *);
/* Presumably reports whether every field a Match spec needs is populated. */
int	 server_match_spec_complete(struct connection_info *);
/* Copy the non-string (and non-COPY_MATCH_STRING_OPTS) options between configs. */
void	 copy_set_server_options(ServerOptions *, ServerOptions *, int);
void	 dump_config(ServerOptions *);
/* Returns a newly allocated absolute form of the path; caller frees (presumably). */
char	*derelativise_path(const char *);
244 | |
245 | #endif /* SERVCONF_H */ |