1 /* $OpenBSD: servconf.c,v 1.209 2010/06/22 04:22:59 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions *options)
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->use_pam = -1;
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->address_family = -1;
67 options->num_host_key_files = 0;
68 options->num_host_cert_files = 0;
69 options->pid_file = NULL;
70 options->server_key_bits = -1;
71 options->login_grace_time = -1;
72 options->key_regeneration_time = -1;
73 options->permit_root_login = PERMIT_NOT_SET;
74 options->ignore_rhosts = -1;
75 options->ignore_user_known_hosts = -1;
76 options->print_motd = -1;
77 options->print_lastlog = -1;
78 options->x11_forwarding = -1;
79 options->x11_display_offset = -1;
80 options->x11_use_localhost = -1;
81 options->xauth_location = NULL;
82 options->strict_modes = -1;
83 options->tcp_keep_alive = -1;
84 options->log_facility = SYSLOG_FACILITY_NOT_SET;
85 options->log_level = SYSLOG_LEVEL_NOT_SET;
86 options->rhosts_rsa_authentication = -1;
87 options->hostbased_authentication = -1;
88 options->hostbased_uses_name_from_packet_only = -1;
89 options->rsa_authentication = -1;
90 options->pubkey_authentication = -1;
91 options->kerberos_authentication = -1;
92 options->kerberos_or_local_passwd = -1;
93 options->kerberos_ticket_cleanup = -1;
94 options->kerberos_get_afs_token = -1;
95 options->gss_authentication=-1;
96 options->gss_cleanup_creds = -1;
97 options->password_authentication = -1;
98 options->kbd_interactive_authentication = -1;
99 options->challenge_response_authentication = -1;
100 options->permit_empty_passwd = -1;
101 options->permit_user_env = -1;
102 options->use_login = -1;
103 options->compression = -1;
104 options->allow_tcp_forwarding = -1;
105 options->allow_agent_forwarding = -1;
106 options->num_allow_users = 0;
107 options->num_deny_users = 0;
108 options->num_allow_groups = 0;
109 options->num_deny_groups = 0;
110 options->ciphers = NULL;
111 options->macs = NULL;
112 options->protocol = SSH_PROTO_UNKNOWN;
113 options->gateway_ports = -1;
114 options->num_subsystems = 0;
115 options->max_startups_begin = -1;
116 options->max_startups_rate = -1;
117 options->max_startups = -1;
118 options->max_authtries = -1;
119 options->max_sessions = -1;
120 options->banner = NULL;
121 options->use_dns = -1;
122 options->client_alive_interval = -1;
123 options->client_alive_count_max = -1;
124 options->authorized_keys_file = NULL;
125 options->authorized_keys_file2 = NULL;
126 options->num_accept_env = 0;
127 options->permit_tun = -1;
128 options->num_permitted_opens = -1;
129 options->adm_forced_command = NULL;
130 options->chroot_directory = NULL;
131 options->zero_knowledge_password_authentication = -1;
132 options->revoked_keys_file = NULL;
133 options->trusted_user_ca_keys = NULL;
134 options->authorized_principals_file = NULL;
138 fill_default_server_options(ServerOptions *options)
140 /* Portable-specific options */
141 if (options->use_pam == -1)
142 options->use_pam = 0;
144 /* Standard Options */
145 if (options->protocol == SSH_PROTO_UNKNOWN)
146 options->protocol = SSH_PROTO_2;
147 if (options->num_host_key_files == 0) {
148 /* fill default hostkeys for protocols */
149 if (options->protocol & SSH_PROTO_1)
150 options->host_key_files[options->num_host_key_files++] =
152 if (options->protocol & SSH_PROTO_2) {
153 options->host_key_files[options->num_host_key_files++] =
154 _PATH_HOST_RSA_KEY_FILE;
155 options->host_key_files[options->num_host_key_files++] =
156 _PATH_HOST_DSA_KEY_FILE;
159 /* No certificates by default */
160 if (options->num_ports == 0)
161 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
162 if (options->listen_addrs == NULL)
163 add_listen_addr(options, NULL, 0);
164 if (options->pid_file == NULL)
165 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
166 if (options->server_key_bits == -1)
167 options->server_key_bits = 1024;
168 if (options->login_grace_time == -1)
169 options->login_grace_time = 120;
170 if (options->key_regeneration_time == -1)
171 options->key_regeneration_time = 3600;
172 if (options->permit_root_login == PERMIT_NOT_SET)
173 options->permit_root_login = PERMIT_YES;
174 if (options->ignore_rhosts == -1)
175 options->ignore_rhosts = 1;
176 if (options->ignore_user_known_hosts == -1)
177 options->ignore_user_known_hosts = 0;
178 if (options->print_motd == -1)
179 options->print_motd = 1;
180 if (options->print_lastlog == -1)
181 options->print_lastlog = 1;
182 if (options->x11_forwarding == -1)
183 options->x11_forwarding = 0;
184 if (options->x11_display_offset == -1)
185 options->x11_display_offset = 10;
186 if (options->x11_use_localhost == -1)
187 options->x11_use_localhost = 1;
188 if (options->xauth_location == NULL)
189 options->xauth_location = _PATH_XAUTH;
190 if (options->strict_modes == -1)
191 options->strict_modes = 1;
192 if (options->tcp_keep_alive == -1)
193 options->tcp_keep_alive = 1;
194 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
195 options->log_facility = SYSLOG_FACILITY_AUTH;
196 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
197 options->log_level = SYSLOG_LEVEL_INFO;
198 if (options->rhosts_rsa_authentication == -1)
199 options->rhosts_rsa_authentication = 0;
200 if (options->hostbased_authentication == -1)
201 options->hostbased_authentication = 0;
202 if (options->hostbased_uses_name_from_packet_only == -1)
203 options->hostbased_uses_name_from_packet_only = 0;
204 if (options->rsa_authentication == -1)
205 options->rsa_authentication = 1;
206 if (options->pubkey_authentication == -1)
207 options->pubkey_authentication = 1;
208 if (options->kerberos_authentication == -1)
209 options->kerberos_authentication = 0;
210 if (options->kerberos_or_local_passwd == -1)
211 options->kerberos_or_local_passwd = 1;
212 if (options->kerberos_ticket_cleanup == -1)
213 options->kerberos_ticket_cleanup = 1;
214 if (options->kerberos_get_afs_token == -1)
215 options->kerberos_get_afs_token = 0;
216 if (options->gss_authentication == -1)
217 options->gss_authentication = 0;
218 if (options->gss_cleanup_creds == -1)
219 options->gss_cleanup_creds = 1;
220 if (options->password_authentication == -1)
221 options->password_authentication = 1;
222 if (options->kbd_interactive_authentication == -1)
223 options->kbd_interactive_authentication = 0;
224 if (options->challenge_response_authentication == -1)
225 options->challenge_response_authentication = 1;
226 if (options->permit_empty_passwd == -1)
227 options->permit_empty_passwd = 0;
228 if (options->permit_user_env == -1)
229 options->permit_user_env = 0;
230 if (options->use_login == -1)
231 options->use_login = 0;
232 if (options->compression == -1)
233 options->compression = COMP_DELAYED;
234 if (options->allow_tcp_forwarding == -1)
235 options->allow_tcp_forwarding = 1;
236 if (options->allow_agent_forwarding == -1)
237 options->allow_agent_forwarding = 1;
238 if (options->gateway_ports == -1)
239 options->gateway_ports = 0;
240 if (options->max_startups == -1)
241 options->max_startups = 10;
242 if (options->max_startups_rate == -1)
243 options->max_startups_rate = 100; /* 100% */
244 if (options->max_startups_begin == -1)
245 options->max_startups_begin = options->max_startups;
246 if (options->max_authtries == -1)
247 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
248 if (options->max_sessions == -1)
249 options->max_sessions = DEFAULT_SESSIONS_MAX;
250 if (options->use_dns == -1)
251 options->use_dns = 1;
252 if (options->client_alive_interval == -1)
253 options->client_alive_interval = 0;
254 if (options->client_alive_count_max == -1)
255 options->client_alive_count_max = 3;
256 if (options->authorized_keys_file2 == NULL) {
257 /* authorized_keys_file2 falls back to authorized_keys_file */
258 if (options->authorized_keys_file != NULL)
259 options->authorized_keys_file2 = options->authorized_keys_file;
261 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
263 if (options->authorized_keys_file == NULL)
264 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
265 if (options->permit_tun == -1)
266 options->permit_tun = SSH_TUNMODE_NO;
267 if (options->zero_knowledge_password_authentication == -1)
268 options->zero_knowledge_password_authentication = 0;
270 /* Turn privilege separation on by default */
271 if (use_privsep == -1)
275 if (use_privsep && options->compression == 1) {
276 error("This platform does not support both privilege "
277 "separation and compression");
278 error("Compression disabled");
279 options->compression = 0;
285 /* Keyword tokens. */
287 sBadOption, /* == unknown option */
288 /* Portable-specific options */
290 /* Standard Options */
291 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
292 sPermitRootLogin, sLogFacility, sLogLevel,
293 sRhostsRSAAuthentication, sRSAAuthentication,
294 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
295 sKerberosGetAFSToken,
296 sKerberosTgtPassing, sChallengeResponseAuthentication,
297 sPasswordAuthentication, sKbdInteractiveAuthentication,
298 sListenAddress, sAddressFamily,
299 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
300 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
301 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
302 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
303 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
304 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
305 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
306 sMaxStartups, sMaxAuthTries, sMaxSessions,
307 sBanner, sUseDNS, sHostbasedAuthentication,
308 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
309 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
310 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
311 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
312 sUsePrivilegeSeparation, sAllowAgentForwarding,
313 sZeroKnowledgePasswordAuthentication, sHostCertificate,
314 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
315 sDeprecated, sUnsupported
318 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
319 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
320 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
322 /* Textual representation of the tokens. */
325 ServerOpCodes opcode;
328 /* Portable-specific options */
330 { "usepam", sUsePAM, SSHCFG_GLOBAL },
332 { "usepam", sUnsupported, SSHCFG_GLOBAL },
334 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
335 /* Standard Options */
336 { "port", sPort, SSHCFG_GLOBAL },
337 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
338 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
339 { "pidfile", sPidFile, SSHCFG_GLOBAL },
340 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
341 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
342 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
343 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
344 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
345 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
346 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
347 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
348 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
349 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
350 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
351 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
352 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
354 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
355 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
356 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
358 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
360 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
363 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
364 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
365 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
366 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
368 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
369 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
371 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
372 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
374 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
375 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
377 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
378 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
379 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
380 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
382 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
384 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
386 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
387 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
388 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
389 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
390 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
391 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
392 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
393 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
394 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
395 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
396 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
397 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
398 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
399 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
400 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
401 { "compression", sCompression, SSHCFG_GLOBAL },
402 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
403 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
404 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
405 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
406 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
407 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
408 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
409 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
410 { "ciphers", sCiphers, SSHCFG_GLOBAL },
411 { "macs", sMacs, SSHCFG_GLOBAL },
412 { "protocol", sProtocol, SSHCFG_GLOBAL },
413 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
414 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
415 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
416 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
417 { "maxsessions", sMaxSessions, SSHCFG_ALL },
418 { "banner", sBanner, SSHCFG_ALL },
419 { "usedns", sUseDNS, SSHCFG_GLOBAL },
420 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
421 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
422 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
423 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
424 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
425 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
426 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
427 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
428 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
429 { "match", sMatch, SSHCFG_ALL },
430 { "permitopen", sPermitOpen, SSHCFG_ALL },
431 { "forcecommand", sForceCommand, SSHCFG_ALL },
432 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
433 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
434 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
435 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
436 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
437 { NULL, sBadOption, 0 }
444 { SSH_TUNMODE_NO, "no" },
445 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
446 { SSH_TUNMODE_ETHERNET, "ethernet" },
447 { SSH_TUNMODE_YES, "yes" },
452 * Returns the number of the token pointed to by cp or sBadOption.
456 parse_token(const char *cp, const char *filename,
457 int linenum, u_int *flags)
461 for (i = 0; keywords[i].name; i++)
462 if (strcasecmp(cp, keywords[i].name) == 0) {
463 *flags = keywords[i].flags;
464 return keywords[i].opcode;
467 error("%s: line %d: Bad configuration option: %s",
468 filename, linenum, cp);
473 derelativise_path(const char *path)
475 char *expanded, *ret, cwd[MAXPATHLEN];
477 expanded = tilde_expand_filename(path, getuid());
478 if (*expanded == '/')
480 if (getcwd(cwd, sizeof(cwd)) == NULL)
481 fatal("%s: getcwd: %s", __func__, strerror(errno));
482 xasprintf(&ret, "%s/%s", cwd, expanded);
488 add_listen_addr(ServerOptions *options, char *addr, int port)
492 if (options->num_ports == 0)
493 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
494 if (options->address_family == -1)
495 options->address_family = AF_UNSPEC;
497 for (i = 0; i < options->num_ports; i++)
498 add_one_listen_addr(options, addr, options->ports[i]);
500 add_one_listen_addr(options, addr, port);
504 add_one_listen_addr(ServerOptions *options, char *addr, int port)
506 struct addrinfo hints, *ai, *aitop;
507 char strport[NI_MAXSERV];
510 memset(&hints, 0, sizeof(hints));
511 hints.ai_family = options->address_family;
512 hints.ai_socktype = SOCK_STREAM;
513 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
514 snprintf(strport, sizeof strport, "%d", port);
515 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
516 fatal("bad addr or host: %s (%s)",
517 addr ? addr : "<NULL>",
518 ssh_gai_strerror(gaierr));
519 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
521 ai->ai_next = options->listen_addrs;
522 options->listen_addrs = aitop;
526 * The strategy for the Match blocks is that the config file is parsed twice.
528 * The first time is at startup. activep is initialized to 1 and the
529 * directives in the global context are processed and acted on. Hitting a
530 * Match directive unsets activep and the directives inside the block are
531 * checked for syntax only.
533 * The second time is after a connection has been established but before
534 * authentication. activep is initialized to 2 and global config directives
535 * are ignored since they have already been processed. If the criteria in a
536 * Match block is met, activep is set and the subsequent directives
537 * processed and actioned until EOF or another Match block unsets it. Any
538 * options set are copied into the main server config.
540 * Potential additions/improvements:
541 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
543 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
544 * Match Address 192.168.0.*
549 * AllowTcpForwarding yes
550 * GatewayPorts clientspecified
553 * - Add a PermittedChannelRequests directive
555 * PermittedChannelRequests session,forwarded-tcpip
559 match_cfg_line_group(const char *grps, int line, const char *user)
567 if ((pw = getpwnam(user)) == NULL) {
568 debug("Can't match group at line %d because user %.100s does "
569 "not exist", line, user);
570 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
571 debug("Can't Match group because user %.100s not in any group "
572 "at line %d", user, line);
573 } else if (ga_match_pattern_list(grps) != 1) {
574 debug("user %.100s does not match group list %.100s at line %d",
577 debug("user %.100s matched group list %.100s at line %d", user,
587 match_cfg_line(char **condition, int line, const char *user, const char *host,
591 char *arg, *attrib, *cp = *condition;
595 debug3("checking syntax for 'Match %s'", cp);
597 debug3("checking match for '%s' user %s host %s addr %s", cp,
598 user ? user : "(null)", host ? host : "(null)",
599 address ? address : "(null)");
601 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
602 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
603 error("Missing Match criteria for %s", attrib);
607 if (strcasecmp(attrib, "user") == 0) {
612 if (match_pattern_list(user, arg, len, 0) != 1)
615 debug("user %.100s matched 'User %.100s' at "
616 "line %d", user, arg, line);
617 } else if (strcasecmp(attrib, "group") == 0) {
618 switch (match_cfg_line_group(arg, line, user)) {
624 } else if (strcasecmp(attrib, "host") == 0) {
629 if (match_hostname(host, arg, len) != 1)
632 debug("connection from %.100s matched 'Host "
633 "%.100s' at line %d", host, arg, line);
634 } else if (strcasecmp(attrib, "address") == 0) {
635 switch (addr_match_list(address, arg)) {
637 debug("connection from %.100s matched 'Address "
638 "%.100s' at line %d", address, arg, line);
648 error("Unsupported Match attribute %s", attrib);
653 debug3("match %sfound", result ? "" : "not ");
658 #define WHITESPACE " \t\r\n"
661 process_server_config_line(ServerOptions *options, char *line,
662 const char *filename, int linenum, int *activep, const char *user,
663 const char *host, const char *address)
665 char *cp, **charptr, *arg, *p;
666 int cmdline = 0, *intptr, value, n;
667 SyslogFacility *log_facility_ptr;
668 LogLevel *log_level_ptr;
669 ServerOpCodes opcode;
675 if ((arg = strdelim(&cp)) == NULL)
677 /* Ignore leading whitespace */
680 if (!arg || !*arg || *arg == '#')
684 opcode = parse_token(arg, filename, linenum, &flags);
686 if (activep == NULL) { /* We are processing a command line directive */
690 if (*activep && opcode != sMatch)
691 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
692 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
694 fatal("%s line %d: Directive '%s' is not allowed "
695 "within a Match block", filename, linenum, arg);
696 } else { /* this is a directive we have already processed */
704 /* Portable-specific options */
706 intptr = &options->use_pam;
709 /* Standard Options */
713 /* ignore ports from configfile if cmdline specifies ports */
714 if (options->ports_from_cmdline)
716 if (options->listen_addrs != NULL)
717 fatal("%s line %d: ports must be specified before "
718 "ListenAddress.", filename, linenum);
719 if (options->num_ports >= MAX_PORTS)
720 fatal("%s line %d: too many ports.",
723 if (!arg || *arg == '\0')
724 fatal("%s line %d: missing port number.",
726 options->ports[options->num_ports++] = a2port(arg);
727 if (options->ports[options->num_ports-1] <= 0)
728 fatal("%s line %d: Badly formatted port number.",
733 intptr = &options->server_key_bits;
736 if (!arg || *arg == '\0')
737 fatal("%s line %d: missing integer value.",
740 if (*activep && *intptr == -1)
744 case sLoginGraceTime:
745 intptr = &options->login_grace_time;
748 if (!arg || *arg == '\0')
749 fatal("%s line %d: missing time value.",
751 if ((value = convtime(arg)) == -1)
752 fatal("%s line %d: invalid time value.",
758 case sKeyRegenerationTime:
759 intptr = &options->key_regeneration_time;
764 if (arg == NULL || *arg == '\0')
765 fatal("%s line %d: missing address",
767 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
768 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
769 && strchr(p+1, ':') != NULL) {
770 add_listen_addr(options, arg, 0);
775 fatal("%s line %d: bad address:port usage",
777 p = cleanhostname(p);
780 else if ((port = a2port(arg)) <= 0)
781 fatal("%s line %d: bad port number", filename, linenum);
783 add_listen_addr(options, p, port);
789 if (!arg || *arg == '\0')
790 fatal("%s line %d: missing address family.",
792 intptr = &options->address_family;
793 if (options->listen_addrs != NULL)
794 fatal("%s line %d: address family must be specified before "
795 "ListenAddress.", filename, linenum);
796 if (strcasecmp(arg, "inet") == 0)
798 else if (strcasecmp(arg, "inet6") == 0)
800 else if (strcasecmp(arg, "any") == 0)
803 fatal("%s line %d: unsupported address family \"%s\".",
804 filename, linenum, arg);
810 intptr = &options->num_host_key_files;
811 if (*intptr >= MAX_HOSTKEYS)
812 fatal("%s line %d: too many host keys specified (max %d).",
813 filename, linenum, MAX_HOSTKEYS);
814 charptr = &options->host_key_files[*intptr];
817 if (!arg || *arg == '\0')
818 fatal("%s line %d: missing file name.",
820 if (*activep && *charptr == NULL) {
821 *charptr = derelativise_path(arg);
822 /* increase optional counter */
824 *intptr = *intptr + 1;
828 case sHostCertificate:
829 intptr = &options->num_host_cert_files;
830 if (*intptr >= MAX_HOSTKEYS)
831 fatal("%s line %d: too many host certificates "
832 "specified (max %d).", filename, linenum,
834 charptr = &options->host_cert_files[*intptr];
839 charptr = &options->pid_file;
842 case sPermitRootLogin:
843 intptr = &options->permit_root_login;
845 if (!arg || *arg == '\0')
846 fatal("%s line %d: missing yes/"
847 "without-password/forced-commands-only/no "
848 "argument.", filename, linenum);
849 value = 0; /* silence compiler */
850 if (strcmp(arg, "without-password") == 0)
851 value = PERMIT_NO_PASSWD;
852 else if (strcmp(arg, "forced-commands-only") == 0)
853 value = PERMIT_FORCED_ONLY;
854 else if (strcmp(arg, "yes") == 0)
856 else if (strcmp(arg, "no") == 0)
859 fatal("%s line %d: Bad yes/"
860 "without-password/forced-commands-only/no "
861 "argument: %s", filename, linenum, arg);
862 if (*activep && *intptr == -1)
867 intptr = &options->ignore_rhosts;
870 if (!arg || *arg == '\0')
871 fatal("%s line %d: missing yes/no argument.",
873 value = 0; /* silence compiler */
874 if (strcmp(arg, "yes") == 0)
876 else if (strcmp(arg, "no") == 0)
879 fatal("%s line %d: Bad yes/no argument: %s",
880 filename, linenum, arg);
881 if (*activep && *intptr == -1)
885 case sIgnoreUserKnownHosts:
886 intptr = &options->ignore_user_known_hosts;
889 case sRhostsRSAAuthentication:
890 intptr = &options->rhosts_rsa_authentication;
893 case sHostbasedAuthentication:
894 intptr = &options->hostbased_authentication;
897 case sHostbasedUsesNameFromPacketOnly:
898 intptr = &options->hostbased_uses_name_from_packet_only;
901 case sRSAAuthentication:
902 intptr = &options->rsa_authentication;
905 case sPubkeyAuthentication:
906 intptr = &options->pubkey_authentication;
909 case sKerberosAuthentication:
910 intptr = &options->kerberos_authentication;
913 case sKerberosOrLocalPasswd:
914 intptr = &options->kerberos_or_local_passwd;
917 case sKerberosTicketCleanup:
918 intptr = &options->kerberos_ticket_cleanup;
921 case sKerberosGetAFSToken:
922 intptr = &options->kerberos_get_afs_token;
925 case sGssAuthentication:
926 intptr = &options->gss_authentication;
929 case sGssCleanupCreds:
930 intptr = &options->gss_cleanup_creds;
933 case sPasswordAuthentication:
934 intptr = &options->password_authentication;
937 case sZeroKnowledgePasswordAuthentication:
938 intptr = &options->zero_knowledge_password_authentication;
941 case sKbdInteractiveAuthentication:
942 intptr = &options->kbd_interactive_authentication;
945 case sChallengeResponseAuthentication:
946 intptr = &options->challenge_response_authentication;
950 intptr = &options->print_motd;
954 intptr = &options->print_lastlog;
958 intptr = &options->x11_forwarding;
961 case sX11DisplayOffset:
962 intptr = &options->x11_display_offset;
965 case sX11UseLocalhost:
966 intptr = &options->x11_use_localhost;
970 charptr = &options->xauth_location;
974 intptr = &options->strict_modes;
978 intptr = &options->tcp_keep_alive;
982 intptr = &options->permit_empty_passwd;
985 case sPermitUserEnvironment:
986 intptr = &options->permit_user_env;
990 intptr = &options->use_login;
994 intptr = &options->compression;
996 if (!arg || *arg == '\0')
997 fatal("%s line %d: missing yes/no/delayed "
998 "argument.", filename, linenum);
999 value = 0; /* silence compiler */
1000 if (strcmp(arg, "delayed") == 0)
1001 value = COMP_DELAYED;
1002 else if (strcmp(arg, "yes") == 0)
1004 else if (strcmp(arg, "no") == 0)
1007 fatal("%s line %d: Bad yes/no/delayed "
1008 "argument: %s", filename, linenum, arg);
1014 intptr = &options->gateway_ports;
1015 arg = strdelim(&cp);
1016 if (!arg || *arg == '\0')
1017 fatal("%s line %d: missing yes/no/clientspecified "
1018 "argument.", filename, linenum);
1019 value = 0; /* silence compiler */
1020 if (strcmp(arg, "clientspecified") == 0)
1022 else if (strcmp(arg, "yes") == 0)
1024 else if (strcmp(arg, "no") == 0)
1027 fatal("%s line %d: Bad yes/no/clientspecified "
1028 "argument: %s", filename, linenum, arg);
1029 if (*activep && *intptr == -1)
1034 intptr = &options->use_dns;
1038 log_facility_ptr = &options->log_facility;
1039 arg = strdelim(&cp);
1040 value = log_facility_number(arg);
1041 if (value == SYSLOG_FACILITY_NOT_SET)
1042 fatal("%.200s line %d: unsupported log facility '%s'",
1043 filename, linenum, arg ? arg : "<NONE>");
1044 if (*log_facility_ptr == -1)
1045 *log_facility_ptr = (SyslogFacility) value;
1049 log_level_ptr = &options->log_level;
1050 arg = strdelim(&cp);
1051 value = log_level_number(arg);
1052 if (value == SYSLOG_LEVEL_NOT_SET)
1053 fatal("%.200s line %d: unsupported log level '%s'",
1054 filename, linenum, arg ? arg : "<NONE>");
1055 if (*log_level_ptr == -1)
1056 *log_level_ptr = (LogLevel) value;
1059 case sAllowTcpForwarding:
1060 intptr = &options->allow_tcp_forwarding;
1063 case sAllowAgentForwarding:
1064 intptr = &options->allow_agent_forwarding;
1067 case sUsePrivilegeSeparation:
1068 intptr = &use_privsep;
1072 while ((arg = strdelim(&cp)) && *arg != '\0') {
1073 if (options->num_allow_users >= MAX_ALLOW_USERS)
1074 fatal("%s line %d: too many allow users.",
1076 options->allow_users[options->num_allow_users++] =
1082 while ((arg = strdelim(&cp)) && *arg != '\0') {
1083 if (options->num_deny_users >= MAX_DENY_USERS)
1084 fatal("%s line %d: too many deny users.",
1086 options->deny_users[options->num_deny_users++] =
1092 while ((arg = strdelim(&cp)) && *arg != '\0') {
1093 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1094 fatal("%s line %d: too many allow groups.",
1096 options->allow_groups[options->num_allow_groups++] =
1102 while ((arg = strdelim(&cp)) && *arg != '\0') {
1103 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1104 fatal("%s line %d: too many deny groups.",
1106 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1111 arg = strdelim(&cp);
1112 if (!arg || *arg == '\0')
1113 fatal("%s line %d: Missing argument.", filename, linenum);
1114 if (!ciphers_valid(arg))
1115 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1116 filename, linenum, arg ? arg : "<NONE>");
1117 if (options->ciphers == NULL)
1118 options->ciphers = xstrdup(arg);
1122 arg = strdelim(&cp);
1123 if (!arg || *arg == '\0')
1124 fatal("%s line %d: Missing argument.", filename, linenum);
1125 if (!mac_valid(arg))
1126 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1127 filename, linenum, arg ? arg : "<NONE>");
1128 if (options->macs == NULL)
1129 options->macs = xstrdup(arg);
1133 intptr = &options->protocol;
1134 arg = strdelim(&cp);
1135 if (!arg || *arg == '\0')
1136 fatal("%s line %d: Missing argument.", filename, linenum);
1137 value = proto_spec(arg);
1138 if (value == SSH_PROTO_UNKNOWN)
1139 fatal("%s line %d: Bad protocol spec '%s'.",
1140 filename, linenum, arg ? arg : "<NONE>");
1141 if (*intptr == SSH_PROTO_UNKNOWN)
1146 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1147 fatal("%s line %d: too many subsystems defined.",
1150 arg = strdelim(&cp);
1151 if (!arg || *arg == '\0')
1152 fatal("%s line %d: Missing subsystem name.",
1155 arg = strdelim(&cp);
1158 for (i = 0; i < options->num_subsystems; i++)
1159 if (strcmp(arg, options->subsystem_name[i]) == 0)
1160 fatal("%s line %d: Subsystem '%s' already defined.",
1161 filename, linenum, arg);
1162 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1163 arg = strdelim(&cp);
1164 if (!arg || *arg == '\0')
1165 fatal("%s line %d: Missing subsystem command.",
1167 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1169 /* Collect arguments (separate to executable) */
1171 len = strlen(p) + 1;
1172 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1173 len += 1 + strlen(arg);
1174 p = xrealloc(p, 1, len);
1175 strlcat(p, " ", len);
1176 strlcat(p, arg, len);
1178 options->subsystem_args[options->num_subsystems] = p;
1179 options->num_subsystems++;
1183 arg = strdelim(&cp);
1184 if (!arg || *arg == '\0')
1185 fatal("%s line %d: Missing MaxStartups spec.",
1187 if ((n = sscanf(arg, "%d:%d:%d",
1188 &options->max_startups_begin,
1189 &options->max_startups_rate,
1190 &options->max_startups)) == 3) {
1191 if (options->max_startups_begin >
1192 options->max_startups ||
1193 options->max_startups_rate > 100 ||
1194 options->max_startups_rate < 1)
1195 fatal("%s line %d: Illegal MaxStartups spec.",
1198 fatal("%s line %d: Illegal MaxStartups spec.",
1201 options->max_startups = options->max_startups_begin;
1205 intptr = &options->max_authtries;
1209 intptr = &options->max_sessions;
1213 charptr = &options->banner;
1214 goto parse_filename;
1217 * These options can contain %X options expanded at
1218 * connect time, so that you can specify paths like:
1220 * AuthorizedKeysFile /etc/ssh_keys/%u
1222 case sAuthorizedKeysFile:
1223 charptr = &options->authorized_keys_file;
1224 goto parse_tilde_filename;
1225 case sAuthorizedKeysFile2:
1226 charptr = &options->authorized_keys_file2;
1227 goto parse_tilde_filename;
1228 case sAuthorizedPrincipalsFile:
1229 charptr = &options->authorized_principals_file;
1230 parse_tilde_filename:
1231 arg = strdelim(&cp);
1232 if (!arg || *arg == '\0')
1233 fatal("%s line %d: missing file name.",
1235 if (*activep && *charptr == NULL) {
1236 *charptr = tilde_expand_filename(arg, getuid());
1237 /* increase optional counter */
1239 *intptr = *intptr + 1;
1243 case sClientAliveInterval:
1244 intptr = &options->client_alive_interval;
1247 case sClientAliveCountMax:
1248 intptr = &options->client_alive_count_max;
1252 while ((arg = strdelim(&cp)) && *arg != '\0') {
1253 if (strchr(arg, '=') != NULL)
1254 fatal("%s line %d: Invalid environment name.",
1256 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1257 fatal("%s line %d: too many allow env.",
1261 options->accept_env[options->num_accept_env++] =
1267 intptr = &options->permit_tun;
1268 arg = strdelim(&cp);
1269 if (!arg || *arg == '\0')
1270 fatal("%s line %d: Missing yes/point-to-point/"
1271 "ethernet/no argument.", filename, linenum);
1273 for (i = 0; tunmode_desc[i].val != -1; i++)
1274 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1275 value = tunmode_desc[i].val;
1279 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1280 "no argument: %s", filename, linenum, arg);
1287 fatal("Match directive not supported as a command-line "
1289 value = match_cfg_line(&cp, linenum, user, host, address);
1291 fatal("%s line %d: Bad Match condition", filename,
1297 arg = strdelim(&cp);
1298 if (!arg || *arg == '\0')
1299 fatal("%s line %d: missing PermitOpen specification",
1301 n = options->num_permitted_opens; /* modified later */
1302 if (strcmp(arg, "any") == 0) {
1303 if (*activep && n == -1) {
1304 channel_clear_adm_permitted_opens();
1305 options->num_permitted_opens = 0;
1309 if (*activep && n == -1)
1310 channel_clear_adm_permitted_opens();
1311 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1314 fatal("%s line %d: missing host in PermitOpen",
1316 p = cleanhostname(p);
1317 if (arg == NULL || (port = a2port(arg)) <= 0)
1318 fatal("%s line %d: bad port number in "
1319 "PermitOpen", filename, linenum);
1320 if (*activep && n == -1)
1321 options->num_permitted_opens =
1322 channel_add_adm_permitted_opens(p, port);
1328 fatal("%.200s line %d: Missing argument.", filename,
1330 len = strspn(cp, WHITESPACE);
1331 if (*activep && options->adm_forced_command == NULL)
1332 options->adm_forced_command = xstrdup(cp + len);
1335 case sChrootDirectory:
1336 charptr = &options->chroot_directory;
1338 arg = strdelim(&cp);
1339 if (!arg || *arg == '\0')
1340 fatal("%s line %d: missing file name.",
1342 if (*activep && *charptr == NULL)
1343 *charptr = xstrdup(arg);
1346 case sTrustedUserCAKeys:
1347 charptr = &options->trusted_user_ca_keys;
1348 goto parse_filename;
1351 charptr = &options->revoked_keys_file;
1352 goto parse_filename;
1355 logit("%s line %d: Deprecated option %s",
1356 filename, linenum, arg);
1358 arg = strdelim(&cp);
1362 logit("%s line %d: Unsupported option %s",
1363 filename, linenum, arg);
1365 arg = strdelim(&cp);
1369 fatal("%s line %d: Missing handler for opcode %s (%d)",
1370 filename, linenum, arg, opcode);
1372 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1373 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1374 filename, linenum, arg);
1378 /* Reads the server configuration file. */
1381 load_server_config(const char *filename, Buffer *conf)
1383 char line[1024], *cp;
1386 debug2("%s: filename %s", __func__, filename);
1387 if ((f = fopen(filename, "r")) == NULL) {
1392 while (fgets(line, sizeof(line), f)) {
1394 * Trim out comments and strip whitespace
1395 * NB - preserve newlines, they are needed to reproduce
1396 * line numbers later for error messages
1398 if ((cp = strchr(line, '#')) != NULL)
1399 memcpy(cp, "\n", 2);
1400 cp = line + strspn(line, " \t\r");
1402 buffer_append(conf, cp, strlen(cp));
1404 buffer_append(conf, "\0", 1);
1406 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1410 parse_server_match_config(ServerOptions *options, const char *user,
1411 const char *host, const char *address)
1415 initialize_server_options(&mo);
1416 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1417 copy_set_server_options(options, &mo, 0);
1421 #define M_CP_INTOPT(n) do {\
1425 #define M_CP_STROPT(n) do {\
1426 if (src->n != NULL) { \
1427 if (dst->n != NULL) \
1434 * Copy any supported values that are set.
1436 * If the preauth flag is set, we do not bother copying the string or
1437 * array values that are not used pre-authentication, because any that we
1438 * do use must be explictly sent in mm_getpwnamallow().
1441 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1443 M_CP_INTOPT(password_authentication);
1444 M_CP_INTOPT(gss_authentication);
1445 M_CP_INTOPT(rsa_authentication);
1446 M_CP_INTOPT(pubkey_authentication);
1447 M_CP_INTOPT(kerberos_authentication);
1448 M_CP_INTOPT(hostbased_authentication);
1449 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1450 M_CP_INTOPT(kbd_interactive_authentication);
1451 M_CP_INTOPT(zero_knowledge_password_authentication);
1452 M_CP_INTOPT(permit_root_login);
1453 M_CP_INTOPT(permit_empty_passwd);
1455 M_CP_INTOPT(allow_tcp_forwarding);
1456 M_CP_INTOPT(allow_agent_forwarding);
1457 M_CP_INTOPT(permit_tun);
1458 M_CP_INTOPT(gateway_ports);
1459 M_CP_INTOPT(x11_display_offset);
1460 M_CP_INTOPT(x11_forwarding);
1461 M_CP_INTOPT(x11_use_localhost);
1462 M_CP_INTOPT(max_sessions);
1463 M_CP_INTOPT(max_authtries);
1465 M_CP_STROPT(banner);
1468 M_CP_STROPT(adm_forced_command);
1469 M_CP_STROPT(chroot_directory);
1470 M_CP_STROPT(trusted_user_ca_keys);
1471 M_CP_STROPT(revoked_keys_file);
1472 M_CP_STROPT(authorized_keys_file);
1473 M_CP_STROPT(authorized_keys_file2);
1474 M_CP_STROPT(authorized_principals_file);
1481 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1482 const char *user, const char *host, const char *address)
1484 int active, linenum, bad_options = 0;
1485 char *cp, *obuf, *cbuf;
1487 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1489 obuf = cbuf = xstrdup(buffer_ptr(conf));
1490 active = user ? 0 : 1;
1492 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1493 if (process_server_config_line(options, cp, filename,
1494 linenum++, &active, user, host, address) != 0)
1498 if (bad_options > 0)
1499 fatal("%s: terminating, %d bad configuration options",
1500 filename, bad_options);
1504 fmt_intarg(ServerOpCodes code, int val)
1506 if (code == sAddressFamily) {
1518 if (code == sPermitRootLogin) {
1520 case PERMIT_NO_PASSWD:
1521 return "without-password";
1522 case PERMIT_FORCED_ONLY:
1523 return "forced-commands-only";
1528 if (code == sProtocol) {
1534 case (SSH_PROTO_1|SSH_PROTO_2):
1540 if (code == sGatewayPorts && val == 2)
1541 return "clientspecified";
1542 if (code == sCompression && val == COMP_DELAYED)
1556 lookup_opcode_name(ServerOpCodes code)
1560 for (i = 0; keywords[i].name != NULL; i++)
1561 if (keywords[i].opcode == code)
1562 return(keywords[i].name);
1567 dump_cfg_int(ServerOpCodes code, int val)
1569 printf("%s %d\n", lookup_opcode_name(code), val);
1573 dump_cfg_fmtint(ServerOpCodes code, int val)
1575 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1579 dump_cfg_string(ServerOpCodes code, const char *val)
1583 printf("%s %s\n", lookup_opcode_name(code), val);
1587 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1591 for (i = 0; i < count; i++)
1592 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1596 dump_config(ServerOptions *o)
1600 struct addrinfo *ai;
1601 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1603 /* these are usually at the top of the config */
1604 for (i = 0; i < o->num_ports; i++)
1605 printf("port %d\n", o->ports[i]);
1606 dump_cfg_fmtint(sProtocol, o->protocol);
1607 dump_cfg_fmtint(sAddressFamily, o->address_family);
1609 /* ListenAddress must be after Port */
1610 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1611 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1612 sizeof(addr), port, sizeof(port),
1613 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1614 error("getnameinfo failed: %.100s",
1615 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1618 if (ai->ai_family == AF_INET6)
1619 printf("listenaddress [%s]:%s\n", addr, port);
1621 printf("listenaddress %s:%s\n", addr, port);
1625 /* integer arguments */
1627 dump_cfg_int(sUsePAM, o->use_pam);
1629 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1630 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1631 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1632 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1633 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1634 dump_cfg_int(sMaxSessions, o->max_sessions);
1635 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1636 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1638 /* formatted integer arguments */
1639 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1640 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1641 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1642 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1643 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1644 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1645 o->hostbased_uses_name_from_packet_only);
1646 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1647 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1649 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1650 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1651 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1653 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1657 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1658 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1661 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1662 o->zero_knowledge_password_authentication);
1664 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1665 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1666 o->kbd_interactive_authentication);
1667 dump_cfg_fmtint(sChallengeResponseAuthentication,
1668 o->challenge_response_authentication);
1669 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1670 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1671 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1672 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1673 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1674 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1675 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1676 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1677 dump_cfg_fmtint(sUseLogin, o->use_login);
1678 dump_cfg_fmtint(sCompression, o->compression);
1679 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1680 dump_cfg_fmtint(sUseDNS, o->use_dns);
1681 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1682 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1684 /* string arguments */
1685 dump_cfg_string(sPidFile, o->pid_file);
1686 dump_cfg_string(sXAuthLocation, o->xauth_location);
1687 dump_cfg_string(sCiphers, o->ciphers);
1688 dump_cfg_string(sMacs, o->macs);
1689 dump_cfg_string(sBanner, o->banner);
1690 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1691 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1692 dump_cfg_string(sForceCommand, o->adm_forced_command);
1693 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1694 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1695 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1696 dump_cfg_string(sAuthorizedPrincipalsFile,
1697 o->authorized_principals_file);
1699 /* string arguments requiring a lookup */
1700 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1701 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1703 /* string array arguments */
1704 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1706 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1707 o->host_cert_files);
1708 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1709 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1710 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1711 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1712 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1714 /* other arguments */
1715 for (i = 0; i < o->num_subsystems; i++)
1716 printf("subsystem %s %s\n", o->subsystem_name[i],
1717 o->subsystem_args[i]);
1719 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1720 o->max_startups_rate, o->max_startups);
1722 for (i = 0; tunmode_desc[i].val != -1; i++)
1723 if (tunmode_desc[i].val == o->permit_tun) {
1724 s = tunmode_desc[i].text;
1727 dump_cfg_string(sPermitTunnel, s);
1729 channel_print_adm_permitted_opens();