2 /* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
33 #include "openbsd-compat/sys-queue.h"
40 #include "pathnames.h"
48 #include "groupaccess.h"
52 static void add_listen_addr(ServerOptions *, char *, int);
53 static void add_one_listen_addr(ServerOptions *, char *, int);
55 /* Use of privilege separation or not */
56 extern int use_privsep;
59 /* Initializes the server options to their default values. */
62 initialize_server_options(ServerOptions *options)
64 memset(options, 0, sizeof(*options));
66 /* Portable-specific options */
67 options->use_pam = -1;
69 /* Standard Options */
70 options->num_ports = 0;
71 options->ports_from_cmdline = 0;
72 options->listen_addrs = NULL;
73 options->address_family = -1;
74 options->num_host_key_files = 0;
75 options->num_host_cert_files = 0;
76 options->pid_file = NULL;
77 options->server_key_bits = -1;
78 options->login_grace_time = -1;
79 options->key_regeneration_time = -1;
80 options->permit_root_login = PERMIT_NOT_SET;
81 options->ignore_rhosts = -1;
82 options->ignore_user_known_hosts = -1;
83 options->print_motd = -1;
84 options->print_lastlog = -1;
85 options->x11_forwarding = -1;
86 options->x11_display_offset = -1;
87 options->x11_use_localhost = -1;
88 options->xauth_location = NULL;
89 options->strict_modes = -1;
90 options->tcp_keep_alive = -1;
91 options->log_facility = SYSLOG_FACILITY_NOT_SET;
92 options->log_level = SYSLOG_LEVEL_NOT_SET;
93 options->rhosts_rsa_authentication = -1;
94 options->hostbased_authentication = -1;
95 options->hostbased_uses_name_from_packet_only = -1;
96 options->rsa_authentication = -1;
97 options->pubkey_authentication = -1;
98 options->kerberos_authentication = -1;
99 options->kerberos_or_local_passwd = -1;
100 options->kerberos_ticket_cleanup = -1;
101 options->kerberos_get_afs_token = -1;
102 options->gss_authentication=-1;
103 options->gss_cleanup_creds = -1;
104 options->password_authentication = -1;
105 options->kbd_interactive_authentication = -1;
106 options->challenge_response_authentication = -1;
107 options->permit_empty_passwd = -1;
108 options->permit_user_env = -1;
109 options->use_login = -1;
110 options->compression = -1;
111 options->allow_tcp_forwarding = -1;
112 options->allow_agent_forwarding = -1;
113 options->num_allow_users = 0;
114 options->num_deny_users = 0;
115 options->num_allow_groups = 0;
116 options->num_deny_groups = 0;
117 options->ciphers = NULL;
118 options->macs = NULL;
119 options->kex_algorithms = NULL;
120 options->protocol = SSH_PROTO_UNKNOWN;
121 options->gateway_ports = -1;
122 options->num_subsystems = 0;
123 options->max_startups_begin = -1;
124 options->max_startups_rate = -1;
125 options->max_startups = -1;
126 options->max_authtries = -1;
127 options->max_sessions = -1;
128 options->banner = NULL;
129 options->use_dns = -1;
130 options->client_alive_interval = -1;
131 options->client_alive_count_max = -1;
132 options->num_authkeys_files = 0;
133 options->num_accept_env = 0;
134 options->permit_tun = -1;
135 options->num_permitted_opens = -1;
136 options->adm_forced_command = NULL;
137 options->chroot_directory = NULL;
138 options->zero_knowledge_password_authentication = -1;
139 options->revoked_keys_file = NULL;
140 options->trusted_user_ca_keys = NULL;
141 options->authorized_principals_file = NULL;
142 options->ip_qos_interactive = -1;
143 options->ip_qos_bulk = -1;
144 options->version_addendum = NULL;
148 fill_default_server_options(ServerOptions *options)
150 /* Portable-specific options */
151 if (options->use_pam == -1)
152 options->use_pam = 0;
154 /* Standard Options */
155 if (options->protocol == SSH_PROTO_UNKNOWN)
156 options->protocol = SSH_PROTO_2;
157 if (options->num_host_key_files == 0) {
158 /* fill default hostkeys for protocols */
159 if (options->protocol & SSH_PROTO_1)
160 options->host_key_files[options->num_host_key_files++] =
162 if (options->protocol & SSH_PROTO_2) {
163 options->host_key_files[options->num_host_key_files++] =
164 _PATH_HOST_RSA_KEY_FILE;
165 options->host_key_files[options->num_host_key_files++] =
166 _PATH_HOST_DSA_KEY_FILE;
167 #ifdef OPENSSL_HAS_ECC
168 options->host_key_files[options->num_host_key_files++] =
169 _PATH_HOST_ECDSA_KEY_FILE;
173 /* No certificates by default */
174 if (options->num_ports == 0)
175 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
176 if (options->listen_addrs == NULL)
177 add_listen_addr(options, NULL, 0);
178 if (options->pid_file == NULL)
179 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
180 if (options->server_key_bits == -1)
181 options->server_key_bits = 1024;
182 if (options->login_grace_time == -1)
183 options->login_grace_time = 120;
184 if (options->key_regeneration_time == -1)
185 options->key_regeneration_time = 3600;
186 if (options->permit_root_login == PERMIT_NOT_SET)
187 options->permit_root_login = PERMIT_YES;
188 if (options->ignore_rhosts == -1)
189 options->ignore_rhosts = 1;
190 if (options->ignore_user_known_hosts == -1)
191 options->ignore_user_known_hosts = 0;
192 if (options->print_motd == -1)
193 options->print_motd = 1;
194 if (options->print_lastlog == -1)
195 options->print_lastlog = 1;
196 if (options->x11_forwarding == -1)
197 options->x11_forwarding = 0;
198 if (options->x11_display_offset == -1)
199 options->x11_display_offset = 10;
200 if (options->x11_use_localhost == -1)
201 options->x11_use_localhost = 1;
202 if (options->xauth_location == NULL)
203 options->xauth_location = _PATH_XAUTH;
204 if (options->strict_modes == -1)
205 options->strict_modes = 1;
206 if (options->tcp_keep_alive == -1)
207 options->tcp_keep_alive = 1;
208 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
209 options->log_facility = SYSLOG_FACILITY_AUTH;
210 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
211 options->log_level = SYSLOG_LEVEL_INFO;
212 if (options->rhosts_rsa_authentication == -1)
213 options->rhosts_rsa_authentication = 0;
214 if (options->hostbased_authentication == -1)
215 options->hostbased_authentication = 0;
216 if (options->hostbased_uses_name_from_packet_only == -1)
217 options->hostbased_uses_name_from_packet_only = 0;
218 if (options->rsa_authentication == -1)
219 options->rsa_authentication = 1;
220 if (options->pubkey_authentication == -1)
221 options->pubkey_authentication = 1;
222 if (options->kerberos_authentication == -1)
223 options->kerberos_authentication = 0;
224 if (options->kerberos_or_local_passwd == -1)
225 options->kerberos_or_local_passwd = 1;
226 if (options->kerberos_ticket_cleanup == -1)
227 options->kerberos_ticket_cleanup = 1;
228 if (options->kerberos_get_afs_token == -1)
229 options->kerberos_get_afs_token = 0;
230 if (options->gss_authentication == -1)
231 options->gss_authentication = 0;
232 if (options->gss_cleanup_creds == -1)
233 options->gss_cleanup_creds = 1;
234 if (options->password_authentication == -1)
235 options->password_authentication = 1;
236 if (options->kbd_interactive_authentication == -1)
237 options->kbd_interactive_authentication = 0;
238 if (options->challenge_response_authentication == -1)
239 options->challenge_response_authentication = 1;
240 if (options->permit_empty_passwd == -1)
241 options->permit_empty_passwd = 0;
242 if (options->permit_user_env == -1)
243 options->permit_user_env = 0;
244 if (options->use_login == -1)
245 options->use_login = 0;
246 if (options->compression == -1)
247 options->compression = COMP_DELAYED;
248 if (options->allow_tcp_forwarding == -1)
249 options->allow_tcp_forwarding = 1;
250 if (options->allow_agent_forwarding == -1)
251 options->allow_agent_forwarding = 1;
252 if (options->gateway_ports == -1)
253 options->gateway_ports = 0;
254 if (options->max_startups == -1)
255 options->max_startups = 10;
256 if (options->max_startups_rate == -1)
257 options->max_startups_rate = 100; /* 100% */
258 if (options->max_startups_begin == -1)
259 options->max_startups_begin = options->max_startups;
260 if (options->max_authtries == -1)
261 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
262 if (options->max_sessions == -1)
263 options->max_sessions = DEFAULT_SESSIONS_MAX;
264 if (options->use_dns == -1)
265 options->use_dns = 1;
266 if (options->client_alive_interval == -1)
267 options->client_alive_interval = 0;
268 if (options->client_alive_count_max == -1)
269 options->client_alive_count_max = 3;
270 if (options->num_authkeys_files == 0) {
271 options->authorized_keys_files[options->num_authkeys_files++] =
272 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
273 options->authorized_keys_files[options->num_authkeys_files++] =
274 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
276 if (options->permit_tun == -1)
277 options->permit_tun = SSH_TUNMODE_NO;
278 if (options->zero_knowledge_password_authentication == -1)
279 options->zero_knowledge_password_authentication = 0;
280 if (options->ip_qos_interactive == -1)
281 options->ip_qos_interactive = IPTOS_LOWDELAY;
282 if (options->ip_qos_bulk == -1)
283 options->ip_qos_bulk = IPTOS_THROUGHPUT;
284 if (options->version_addendum == NULL)
285 options->version_addendum = xstrdup("");
286 /* Turn privilege separation on by default */
287 if (use_privsep == -1)
288 use_privsep = PRIVSEP_NOSANDBOX;
291 if (use_privsep && options->compression == 1) {
292 error("This platform does not support both privilege "
293 "separation and compression");
294 error("Compression disabled");
295 options->compression = 0;
301 /* Keyword tokens. */
303 sBadOption, /* == unknown option */
304 /* Portable-specific options */
306 /* Standard Options */
307 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
308 sPermitRootLogin, sLogFacility, sLogLevel,
309 sRhostsRSAAuthentication, sRSAAuthentication,
310 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
311 sKerberosGetAFSToken,
312 sKerberosTgtPassing, sChallengeResponseAuthentication,
313 sPasswordAuthentication, sKbdInteractiveAuthentication,
314 sListenAddress, sAddressFamily,
315 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
316 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
317 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
318 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
319 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
320 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
321 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
322 sMaxStartups, sMaxAuthTries, sMaxSessions,
323 sBanner, sUseDNS, sHostbasedAuthentication,
324 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
325 sClientAliveCountMax, sAuthorizedKeysFile,
326 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
327 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
328 sUsePrivilegeSeparation, sAllowAgentForwarding,
329 sZeroKnowledgePasswordAuthentication, sHostCertificate,
330 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
331 sKexAlgorithms, sIPQoS, sVersionAddendum,
332 sDeprecated, sUnsupported
335 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
336 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
337 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
339 /* Textual representation of the tokens. */
342 ServerOpCodes opcode;
345 /* Portable-specific options */
347 { "usepam", sUsePAM, SSHCFG_GLOBAL },
349 { "usepam", sUnsupported, SSHCFG_GLOBAL },
351 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
352 /* Standard Options */
353 { "port", sPort, SSHCFG_GLOBAL },
354 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
355 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
356 { "pidfile", sPidFile, SSHCFG_GLOBAL },
357 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
358 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
359 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
360 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
361 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
362 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
363 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
364 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
365 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
366 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
367 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
368 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
369 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
371 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
372 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
373 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
375 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
377 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
380 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
381 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
382 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
383 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
385 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
386 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
388 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
389 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
391 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
392 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
394 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
395 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
396 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
397 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
399 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
401 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
403 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
404 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
405 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
406 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
407 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
408 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
409 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
410 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
411 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
412 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
413 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
414 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
415 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
416 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
417 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
418 { "compression", sCompression, SSHCFG_GLOBAL },
419 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
420 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
421 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
422 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
423 { "allowusers", sAllowUsers, SSHCFG_ALL },
424 { "denyusers", sDenyUsers, SSHCFG_ALL },
425 { "allowgroups", sAllowGroups, SSHCFG_ALL },
426 { "denygroups", sDenyGroups, SSHCFG_ALL },
427 { "ciphers", sCiphers, SSHCFG_GLOBAL },
428 { "macs", sMacs, SSHCFG_GLOBAL },
429 { "protocol", sProtocol, SSHCFG_GLOBAL },
430 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
431 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
432 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
433 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
434 { "maxsessions", sMaxSessions, SSHCFG_ALL },
435 { "banner", sBanner, SSHCFG_ALL },
436 { "usedns", sUseDNS, SSHCFG_GLOBAL },
437 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
438 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
439 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
440 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
441 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
442 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
443 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
444 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
445 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
446 { "match", sMatch, SSHCFG_ALL },
447 { "permitopen", sPermitOpen, SSHCFG_ALL },
448 { "forcecommand", sForceCommand, SSHCFG_ALL },
449 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
450 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
451 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
452 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
453 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
454 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
455 { "ipqos", sIPQoS, SSHCFG_ALL },
456 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
457 { NULL, sBadOption, 0 }
464 { SSH_TUNMODE_NO, "no" },
465 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
466 { SSH_TUNMODE_ETHERNET, "ethernet" },
467 { SSH_TUNMODE_YES, "yes" },
472 * Returns the number of the token pointed to by cp or sBadOption.
476 parse_token(const char *cp, const char *filename,
477 int linenum, u_int *flags)
481 for (i = 0; keywords[i].name; i++)
482 if (strcasecmp(cp, keywords[i].name) == 0) {
483 *flags = keywords[i].flags;
484 return keywords[i].opcode;
487 error("%s: line %d: Bad configuration option: %s",
488 filename, linenum, cp);
493 derelativise_path(const char *path)
495 char *expanded, *ret, cwd[MAXPATHLEN];
497 expanded = tilde_expand_filename(path, getuid());
498 if (*expanded == '/')
500 if (getcwd(cwd, sizeof(cwd)) == NULL)
501 fatal("%s: getcwd: %s", __func__, strerror(errno));
502 xasprintf(&ret, "%s/%s", cwd, expanded);
508 add_listen_addr(ServerOptions *options, char *addr, int port)
512 if (options->num_ports == 0)
513 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
514 if (options->address_family == -1)
515 options->address_family = AF_UNSPEC;
517 for (i = 0; i < options->num_ports; i++)
518 add_one_listen_addr(options, addr, options->ports[i]);
520 add_one_listen_addr(options, addr, port);
524 add_one_listen_addr(ServerOptions *options, char *addr, int port)
526 struct addrinfo hints, *ai, *aitop;
527 char strport[NI_MAXSERV];
530 memset(&hints, 0, sizeof(hints));
531 hints.ai_family = options->address_family;
532 hints.ai_socktype = SOCK_STREAM;
533 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
534 snprintf(strport, sizeof strport, "%d", port);
535 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
536 fatal("bad addr or host: %s (%s)",
537 addr ? addr : "<NULL>",
538 ssh_gai_strerror(gaierr));
539 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
541 ai->ai_next = options->listen_addrs;
542 options->listen_addrs = aitop;
545 struct connection_info *
546 get_connection_info(int populate, int use_dns)
548 static struct connection_info ci;
552 ci.host = get_canonical_hostname(use_dns);
553 ci.address = get_remote_ipaddr();
554 ci.laddress = get_local_ipaddr(packet_get_connection_in());
555 ci.lport = get_local_port();
560 * The strategy for the Match blocks is that the config file is parsed twice.
562 * The first time is at startup. activep is initialized to 1 and the
563 * directives in the global context are processed and acted on. Hitting a
564 * Match directive unsets activep and the directives inside the block are
565 * checked for syntax only.
567 * The second time is after a connection has been established but before
568 * authentication. activep is initialized to 2 and global config directives
569 * are ignored since they have already been processed. If the criteria in a
570 * Match block is met, activep is set and the subsequent directives
571 * processed and actioned until EOF or another Match block unsets it. Any
572 * options set are copied into the main server config.
574 * Potential additions/improvements:
575 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
577 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
578 * Match Address 192.168.0.*
583 * AllowTcpForwarding yes
584 * GatewayPorts clientspecified
587 * - Add a PermittedChannelRequests directive
589 * PermittedChannelRequests session,forwarded-tcpip
593 match_cfg_line_group(const char *grps, int line, const char *user)
601 if ((pw = getpwnam(user)) == NULL) {
602 debug("Can't match group at line %d because user %.100s does "
603 "not exist", line, user);
604 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
605 debug("Can't Match group because user %.100s not in any group "
606 "at line %d", user, line);
607 } else if (ga_match_pattern_list(grps) != 1) {
608 debug("user %.100s does not match group list %.100s at line %d",
611 debug("user %.100s matched group list %.100s at line %d", user,
621 * All of the attributes on a single Match line are ANDed together, so we need to check every
622 * attribute and set the result to zero if any attribute does not match.
625 match_cfg_line(char **condition, int line, struct connection_info *ci)
627 int result = 1, port;
628 char *arg, *attrib, *cp = *condition;
632 debug3("checking syntax for 'Match %s'", cp);
634 debug3("checking match for '%s' user %s host %s addr %s "
635 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
636 ci->host ? ci->host : "(null)",
637 ci->address ? ci->address : "(null)",
638 ci->laddress ? ci->laddress : "(null)", ci->lport);
640 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
641 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
642 error("Missing Match criteria for %s", attrib);
646 if (strcasecmp(attrib, "user") == 0) {
647 if (ci == NULL || ci->user == NULL) {
651 if (match_pattern_list(ci->user, arg, len, 0) != 1)
654 debug("user %.100s matched 'User %.100s' at "
655 "line %d", ci->user, arg, line);
656 } else if (strcasecmp(attrib, "group") == 0) {
657 if (ci == NULL || ci->user == NULL) {
661 switch (match_cfg_line_group(arg, line, ci->user)) {
667 } else if (strcasecmp(attrib, "host") == 0) {
668 if (ci == NULL || ci->host == NULL) {
672 if (match_hostname(ci->host, arg, len) != 1)
675 debug("connection from %.100s matched 'Host "
676 "%.100s' at line %d", ci->host, arg, line);
677 } else if (strcasecmp(attrib, "address") == 0) {
678 if (ci == NULL || ci->address == NULL) {
682 switch (addr_match_list(ci->address, arg)) {
684 debug("connection from %.100s matched 'Address "
685 "%.100s' at line %d", ci->address, arg, line);
694 } else if (strcasecmp(attrib, "localaddress") == 0){
695 if (ci == NULL || ci->laddress == NULL) {
699 switch (addr_match_list(ci->laddress, arg)) {
701 debug("connection from %.100s matched "
702 "'LocalAddress %.100s' at line %d",
703 ci->laddress, arg, line);
712 } else if (strcasecmp(attrib, "localport") == 0) {
713 if ((port = a2port(arg)) == -1) {
714 error("Invalid LocalPort '%s' on Match line",
718 if (ci == NULL || ci->lport == 0) {
722 /* TODO support port lists */
723 if (port == ci->lport)
724 debug("connection from %.100s matched "
725 "'LocalPort %d' at line %d",
726 ci->laddress, port, line);
730 error("Unsupported Match attribute %s", attrib);
735 debug3("match %sfound", result ? "" : "not ");
740 #define WHITESPACE " \t\r\n"
742 /* Multistate option parsing */
747 static const struct multistate multistate_addressfamily[] = {
749 { "inet6", AF_INET6 },
750 { "any", AF_UNSPEC },
753 static const struct multistate multistate_permitrootlogin[] = {
754 { "without-password", PERMIT_NO_PASSWD },
755 { "forced-commands-only", PERMIT_FORCED_ONLY },
756 { "yes", PERMIT_YES },
760 static const struct multistate multistate_compression[] = {
761 { "delayed", COMP_DELAYED },
762 { "yes", COMP_ZLIB },
766 static const struct multistate multistate_gatewayports[] = {
767 { "clientspecified", 2 },
772 static const struct multistate multistate_privsep[] = {
773 { "yes", PRIVSEP_NOSANDBOX },
774 { "sandbox", PRIVSEP_ON },
775 { "nosandbox", PRIVSEP_NOSANDBOX },
776 { "no", PRIVSEP_OFF },
781 process_server_config_line(ServerOptions *options, char *line,
782 const char *filename, int linenum, int *activep,
783 struct connection_info *connectinfo)
785 char *cp, **charptr, *arg, *p;
786 int cmdline = 0, *intptr, value, value2, n;
787 SyslogFacility *log_facility_ptr;
788 LogLevel *log_level_ptr;
789 ServerOpCodes opcode;
793 const struct multistate *multistate_ptr;
796 if ((arg = strdelim(&cp)) == NULL)
798 /* Ignore leading whitespace */
801 if (!arg || !*arg || *arg == '#')
805 opcode = parse_token(arg, filename, linenum, &flags);
807 if (activep == NULL) { /* We are processing a command line directive */
811 if (*activep && opcode != sMatch)
812 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
813 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
814 if (connectinfo == NULL) {
815 fatal("%s line %d: Directive '%s' is not allowed "
816 "within a Match block", filename, linenum, arg);
817 } else { /* this is a directive we have already processed */
825 /* Portable-specific options */
827 intptr = &options->use_pam;
830 /* Standard Options */
834 /* ignore ports from configfile if cmdline specifies ports */
835 if (options->ports_from_cmdline)
837 if (options->listen_addrs != NULL)
838 fatal("%s line %d: ports must be specified before "
839 "ListenAddress.", filename, linenum);
840 if (options->num_ports >= MAX_PORTS)
841 fatal("%s line %d: too many ports.",
844 if (!arg || *arg == '\0')
845 fatal("%s line %d: missing port number.",
847 options->ports[options->num_ports++] = a2port(arg);
848 if (options->ports[options->num_ports-1] <= 0)
849 fatal("%s line %d: Badly formatted port number.",
854 intptr = &options->server_key_bits;
857 if (!arg || *arg == '\0')
858 fatal("%s line %d: missing integer value.",
861 if (*activep && *intptr == -1)
865 case sLoginGraceTime:
866 intptr = &options->login_grace_time;
869 if (!arg || *arg == '\0')
870 fatal("%s line %d: missing time value.",
872 if ((value = convtime(arg)) == -1)
873 fatal("%s line %d: invalid time value.",
879 case sKeyRegenerationTime:
880 intptr = &options->key_regeneration_time;
885 if (arg == NULL || *arg == '\0')
886 fatal("%s line %d: missing address",
888 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
889 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
890 && strchr(p+1, ':') != NULL) {
891 add_listen_addr(options, arg, 0);
896 fatal("%s line %d: bad address:port usage",
898 p = cleanhostname(p);
901 else if ((port = a2port(arg)) <= 0)
902 fatal("%s line %d: bad port number", filename, linenum);
904 add_listen_addr(options, p, port);
909 intptr = &options->address_family;
910 multistate_ptr = multistate_addressfamily;
911 if (options->listen_addrs != NULL)
912 fatal("%s line %d: address family must be specified "
913 "before ListenAddress.", filename, linenum);
916 if (!arg || *arg == '\0')
917 fatal("%s line %d: missing argument.",
920 for (i = 0; multistate_ptr[i].key != NULL; i++) {
921 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
922 value = multistate_ptr[i].value;
927 fatal("%s line %d: unsupported option \"%s\".",
928 filename, linenum, arg);
929 if (*activep && *intptr == -1)
934 intptr = &options->num_host_key_files;
935 if (*intptr >= MAX_HOSTKEYS)
936 fatal("%s line %d: too many host keys specified (max %d).",
937 filename, linenum, MAX_HOSTKEYS);
938 charptr = &options->host_key_files[*intptr];
941 if (!arg || *arg == '\0')
942 fatal("%s line %d: missing file name.",
944 if (*activep && *charptr == NULL) {
945 *charptr = derelativise_path(arg);
946 /* increase optional counter */
948 *intptr = *intptr + 1;
952 case sHostCertificate:
953 intptr = &options->num_host_cert_files;
954 if (*intptr >= MAX_HOSTKEYS)
955 fatal("%s line %d: too many host certificates "
956 "specified (max %d).", filename, linenum,
958 charptr = &options->host_cert_files[*intptr];
963 charptr = &options->pid_file;
966 case sPermitRootLogin:
967 intptr = &options->permit_root_login;
968 multistate_ptr = multistate_permitrootlogin;
969 goto parse_multistate;
972 intptr = &options->ignore_rhosts;
975 if (!arg || *arg == '\0')
976 fatal("%s line %d: missing yes/no argument.",
978 value = 0; /* silence compiler */
979 if (strcmp(arg, "yes") == 0)
981 else if (strcmp(arg, "no") == 0)
984 fatal("%s line %d: Bad yes/no argument: %s",
985 filename, linenum, arg);
986 if (*activep && *intptr == -1)
990 case sIgnoreUserKnownHosts:
991 intptr = &options->ignore_user_known_hosts;
994 case sRhostsRSAAuthentication:
995 intptr = &options->rhosts_rsa_authentication;
998 case sHostbasedAuthentication:
999 intptr = &options->hostbased_authentication;
1002 case sHostbasedUsesNameFromPacketOnly:
1003 intptr = &options->hostbased_uses_name_from_packet_only;
1006 case sRSAAuthentication:
1007 intptr = &options->rsa_authentication;
1010 case sPubkeyAuthentication:
1011 intptr = &options->pubkey_authentication;
1014 case sKerberosAuthentication:
1015 intptr = &options->kerberos_authentication;
1018 case sKerberosOrLocalPasswd:
1019 intptr = &options->kerberos_or_local_passwd;
1022 case sKerberosTicketCleanup:
1023 intptr = &options->kerberos_ticket_cleanup;
1026 case sKerberosGetAFSToken:
1027 intptr = &options->kerberos_get_afs_token;
1030 case sGssAuthentication:
1031 intptr = &options->gss_authentication;
1034 case sGssCleanupCreds:
1035 intptr = &options->gss_cleanup_creds;
1038 case sPasswordAuthentication:
1039 intptr = &options->password_authentication;
1042 case sZeroKnowledgePasswordAuthentication:
1043 intptr = &options->zero_knowledge_password_authentication;
1046 case sKbdInteractiveAuthentication:
1047 intptr = &options->kbd_interactive_authentication;
1050 case sChallengeResponseAuthentication:
1051 intptr = &options->challenge_response_authentication;
1055 intptr = &options->print_motd;
1059 intptr = &options->print_lastlog;
1062 case sX11Forwarding:
1063 intptr = &options->x11_forwarding;
1066 case sX11DisplayOffset:
1067 intptr = &options->x11_display_offset;
1070 case sX11UseLocalhost:
1071 intptr = &options->x11_use_localhost;
1074 case sXAuthLocation:
1075 charptr = &options->xauth_location;
1076 goto parse_filename;
1079 intptr = &options->strict_modes;
1083 intptr = &options->tcp_keep_alive;
1087 intptr = &options->permit_empty_passwd;
1090 case sPermitUserEnvironment:
1091 intptr = &options->permit_user_env;
1095 intptr = &options->use_login;
1099 intptr = &options->compression;
1100 multistate_ptr = multistate_compression;
1101 goto parse_multistate;
1104 intptr = &options->gateway_ports;
1105 multistate_ptr = multistate_gatewayports;
1106 goto parse_multistate;
1109 intptr = &options->use_dns;
1113 log_facility_ptr = &options->log_facility;
1114 arg = strdelim(&cp);
1115 value = log_facility_number(arg);
1116 if (value == SYSLOG_FACILITY_NOT_SET)
1117 fatal("%.200s line %d: unsupported log facility '%s'",
1118 filename, linenum, arg ? arg : "<NONE>");
1119 if (*log_facility_ptr == -1)
1120 *log_facility_ptr = (SyslogFacility) value;
1124 log_level_ptr = &options->log_level;
1125 arg = strdelim(&cp);
1126 value = log_level_number(arg);
1127 if (value == SYSLOG_LEVEL_NOT_SET)
1128 fatal("%.200s line %d: unsupported log level '%s'",
1129 filename, linenum, arg ? arg : "<NONE>");
1130 if (*log_level_ptr == -1)
1131 *log_level_ptr = (LogLevel) value;
1134 case sAllowTcpForwarding:
1135 intptr = &options->allow_tcp_forwarding;
1138 case sAllowAgentForwarding:
1139 intptr = &options->allow_agent_forwarding;
1142 case sUsePrivilegeSeparation:
1143 intptr = &use_privsep;
1144 multistate_ptr = multistate_privsep;
1145 goto parse_multistate;
1148 while ((arg = strdelim(&cp)) && *arg != '\0') {
1149 if (options->num_allow_users >= MAX_ALLOW_USERS)
1150 fatal("%s line %d: too many allow users.",
1154 options->allow_users[options->num_allow_users++] =
1160 while ((arg = strdelim(&cp)) && *arg != '\0') {
1161 if (options->num_deny_users >= MAX_DENY_USERS)
1162 fatal("%s line %d: too many deny users.",
1166 options->deny_users[options->num_deny_users++] =
1172 while ((arg = strdelim(&cp)) && *arg != '\0') {
1173 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1174 fatal("%s line %d: too many allow groups.",
1178 options->allow_groups[options->num_allow_groups++] =
1184 while ((arg = strdelim(&cp)) && *arg != '\0') {
1185 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1186 fatal("%s line %d: too many deny groups.",
1190 options->deny_groups[options->num_deny_groups++] =
1196 arg = strdelim(&cp);
1197 if (!arg || *arg == '\0')
1198 fatal("%s line %d: Missing argument.", filename, linenum);
1199 if (!ciphers_valid(arg))
1200 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1201 filename, linenum, arg ? arg : "<NONE>");
1202 if (options->ciphers == NULL)
1203 options->ciphers = xstrdup(arg);
1207 arg = strdelim(&cp);
1208 if (!arg || *arg == '\0')
1209 fatal("%s line %d: Missing argument.", filename, linenum);
1210 if (!mac_valid(arg))
1211 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1212 filename, linenum, arg ? arg : "<NONE>");
1213 if (options->macs == NULL)
1214 options->macs = xstrdup(arg);
1217 case sKexAlgorithms:
1218 arg = strdelim(&cp);
1219 if (!arg || *arg == '\0')
1220 fatal("%s line %d: Missing argument.",
1222 if (!kex_names_valid(arg))
1223 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1224 filename, linenum, arg ? arg : "<NONE>");
1225 if (options->kex_algorithms == NULL)
1226 options->kex_algorithms = xstrdup(arg);
1230 intptr = &options->protocol;
1231 arg = strdelim(&cp);
1232 if (!arg || *arg == '\0')
1233 fatal("%s line %d: Missing argument.", filename, linenum);
1234 value = proto_spec(arg);
1235 if (value == SSH_PROTO_UNKNOWN)
1236 fatal("%s line %d: Bad protocol spec '%s'.",
1237 filename, linenum, arg ? arg : "<NONE>");
1238 if (*intptr == SSH_PROTO_UNKNOWN)
1243 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1244 fatal("%s line %d: too many subsystems defined.",
1247 arg = strdelim(&cp);
1248 if (!arg || *arg == '\0')
1249 fatal("%s line %d: Missing subsystem name.",
1252 arg = strdelim(&cp);
1255 for (i = 0; i < options->num_subsystems; i++)
1256 if (strcmp(arg, options->subsystem_name[i]) == 0)
1257 fatal("%s line %d: Subsystem '%s' already defined.",
1258 filename, linenum, arg);
1259 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1260 arg = strdelim(&cp);
1261 if (!arg || *arg == '\0')
1262 fatal("%s line %d: Missing subsystem command.",
1264 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1266 /* Collect arguments (separate to executable) */
1268 len = strlen(p) + 1;
1269 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1270 len += 1 + strlen(arg);
1271 p = xrealloc(p, 1, len);
1272 strlcat(p, " ", len);
1273 strlcat(p, arg, len);
1275 options->subsystem_args[options->num_subsystems] = p;
1276 options->num_subsystems++;
1280 arg = strdelim(&cp);
1281 if (!arg || *arg == '\0')
1282 fatal("%s line %d: Missing MaxStartups spec.",
1284 if ((n = sscanf(arg, "%d:%d:%d",
1285 &options->max_startups_begin,
1286 &options->max_startups_rate,
1287 &options->max_startups)) == 3) {
1288 if (options->max_startups_begin >
1289 options->max_startups ||
1290 options->max_startups_rate > 100 ||
1291 options->max_startups_rate < 1)
1292 fatal("%s line %d: Illegal MaxStartups spec.",
1295 fatal("%s line %d: Illegal MaxStartups spec.",
1298 options->max_startups = options->max_startups_begin;
1302 intptr = &options->max_authtries;
1306 intptr = &options->max_sessions;
1310 charptr = &options->banner;
1311 goto parse_filename;
1314 * These options can contain %X options expanded at
1315 * connect time, so that you can specify paths like:
1317 * AuthorizedKeysFile /etc/ssh_keys/%u
1319 case sAuthorizedKeysFile:
1320 if (*activep && options->num_authkeys_files == 0) {
1321 while ((arg = strdelim(&cp)) && *arg != '\0') {
1322 if (options->num_authkeys_files >=
1324 fatal("%s line %d: "
1325 "too many authorized keys files.",
1327 options->authorized_keys_files[
1328 options->num_authkeys_files++] =
1329 tilde_expand_filename(arg, getuid());
1334 case sAuthorizedPrincipalsFile:
1335 charptr = &options->authorized_principals_file;
1336 arg = strdelim(&cp);
1337 if (!arg || *arg == '\0')
1338 fatal("%s line %d: missing file name.",
1340 if (*activep && *charptr == NULL) {
1341 *charptr = tilde_expand_filename(arg, getuid());
1342 /* increase optional counter */
1344 *intptr = *intptr + 1;
1348 case sClientAliveInterval:
1349 intptr = &options->client_alive_interval;
1352 case sClientAliveCountMax:
1353 intptr = &options->client_alive_count_max;
1357 while ((arg = strdelim(&cp)) && *arg != '\0') {
1358 if (strchr(arg, '=') != NULL)
1359 fatal("%s line %d: Invalid environment name.",
1361 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1362 fatal("%s line %d: too many allow env.",
1366 options->accept_env[options->num_accept_env++] =
1372 intptr = &options->permit_tun;
1373 arg = strdelim(&cp);
1374 if (!arg || *arg == '\0')
1375 fatal("%s line %d: Missing yes/point-to-point/"
1376 "ethernet/no argument.", filename, linenum);
1378 for (i = 0; tunmode_desc[i].val != -1; i++)
1379 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1380 value = tunmode_desc[i].val;
1384 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1385 "no argument: %s", filename, linenum, arg);
1392 fatal("Match directive not supported as a command-line "
1394 value = match_cfg_line(&cp, linenum, connectinfo);
1396 fatal("%s line %d: Bad Match condition", filename,
1402 arg = strdelim(&cp);
1403 if (!arg || *arg == '\0')
1404 fatal("%s line %d: missing PermitOpen specification",
1406 n = options->num_permitted_opens; /* modified later */
1407 if (strcmp(arg, "any") == 0) {
1408 if (*activep && n == -1) {
1409 channel_clear_adm_permitted_opens();
1410 options->num_permitted_opens = 0;
1414 if (strcmp(arg, "none") == 0) {
1415 if (*activep && n == -1) {
1416 channel_clear_adm_permitted_opens();
1417 options->num_permitted_opens = 1;
1418 channel_disable_adm_local_opens();
1422 if (*activep && n == -1)
1423 channel_clear_adm_permitted_opens();
1424 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1427 fatal("%s line %d: missing host in PermitOpen",
1429 p = cleanhostname(p);
1430 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1431 fatal("%s line %d: bad port number in "
1432 "PermitOpen", filename, linenum);
1433 if (*activep && n == -1)
1434 options->num_permitted_opens =
1435 channel_add_adm_permitted_opens(p, port);
1441 fatal("%.200s line %d: Missing argument.", filename,
1443 len = strspn(cp, WHITESPACE);
1444 if (*activep && options->adm_forced_command == NULL)
1445 options->adm_forced_command = xstrdup(cp + len);
1448 case sChrootDirectory:
1449 charptr = &options->chroot_directory;
1451 arg = strdelim(&cp);
1452 if (!arg || *arg == '\0')
1453 fatal("%s line %d: missing file name.",
1455 if (*activep && *charptr == NULL)
1456 *charptr = xstrdup(arg);
1459 case sTrustedUserCAKeys:
1460 charptr = &options->trusted_user_ca_keys;
1461 goto parse_filename;
1464 charptr = &options->revoked_keys_file;
1465 goto parse_filename;
1468 arg = strdelim(&cp);
1469 if ((value = parse_ipqos(arg)) == -1)
1470 fatal("%s line %d: Bad IPQoS value: %s",
1471 filename, linenum, arg);
1472 arg = strdelim(&cp);
1475 else if ((value2 = parse_ipqos(arg)) == -1)
1476 fatal("%s line %d: Bad IPQoS value: %s",
1477 filename, linenum, arg);
1479 options->ip_qos_interactive = value;
1480 options->ip_qos_bulk = value2;
1484 case sVersionAddendum:
1486 fatal("%.200s line %d: Missing argument.", filename,
1488 len = strspn(cp, WHITESPACE);
1489 if (*activep && options->version_addendum == NULL) {
1490 if (strcasecmp(cp + len, "none") == 0)
1491 options->version_addendum = xstrdup("");
1492 else if (strchr(cp + len, '\r') != NULL)
1493 fatal("%.200s line %d: Invalid argument",
1496 options->version_addendum = xstrdup(cp + len);
1501 logit("%s line %d: Deprecated option %s",
1502 filename, linenum, arg);
1504 arg = strdelim(&cp);
1508 logit("%s line %d: Unsupported option %s",
1509 filename, linenum, arg);
1511 arg = strdelim(&cp);
1515 fatal("%s line %d: Missing handler for opcode %s (%d)",
1516 filename, linenum, arg, opcode);
1518 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1519 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1520 filename, linenum, arg);
1524 /* Reads the server configuration file. */
1527 load_server_config(const char *filename, Buffer *conf)
1529 char line[4096], *cp;
1533 debug2("%s: filename %s", __func__, filename);
1534 if ((f = fopen(filename, "r")) == NULL) {
1539 while (fgets(line, sizeof(line), f)) {
1541 if (strlen(line) == sizeof(line) - 1)
1542 fatal("%s line %d too long", filename, lineno);
1544 * Trim out comments and strip whitespace
1545 * NB - preserve newlines, they are needed to reproduce
1546 * line numbers later for error messages
1548 if ((cp = strchr(line, '#')) != NULL)
1549 memcpy(cp, "\n", 2);
1550 cp = line + strspn(line, " \t\r");
1552 buffer_append(conf, cp, strlen(cp));
1554 buffer_append(conf, "\0", 1);
1556 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1560 parse_server_match_config(ServerOptions *options,
1561 struct connection_info *connectinfo)
1565 initialize_server_options(&mo);
1566 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1567 copy_set_server_options(options, &mo, 0);
1570 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1574 while ((p = strsep(&spec, ",")) && *p != '\0') {
1575 if (strncmp(p, "addr=", 5) == 0) {
1576 ci->address = xstrdup(p + 5);
1577 } else if (strncmp(p, "host=", 5) == 0) {
1578 ci->host = xstrdup(p + 5);
1579 } else if (strncmp(p, "user=", 5) == 0) {
1580 ci->user = xstrdup(p + 5);
1581 } else if (strncmp(p, "laddr=", 6) == 0) {
1582 ci->laddress = xstrdup(p + 6);
1583 } else if (strncmp(p, "lport=", 6) == 0) {
1584 ci->lport = a2port(p + 6);
1585 if (ci->lport == -1) {
1586 fprintf(stderr, "Invalid port '%s' in test mode"
1587 " specification %s\n", p+6, p);
1591 fprintf(stderr, "Invalid test mode specification %s\n",
1600 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1603 int server_match_spec_complete(struct connection_info *ci)
1605 if (ci->user && ci->host && ci->address)
1606 return 1; /* complete */
1607 if (!ci->user && !ci->host && !ci->address)
1608 return -1; /* empty */
1609 return 0; /* partial */
1613 #define M_CP_INTOPT(n) do {\
1617 #define M_CP_STROPT(n) do {\
1618 if (src->n != NULL) { \
1619 if (dst->n != NULL) \
1624 #define M_CP_STRARRAYOPT(n, num_n) do {\
1625 if (src->num_n != 0) { \
1626 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1627 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1632 * Copy any supported values that are set.
1634 * If the preauth flag is set, we do not bother copying the string or
1635 * array values that are not used pre-authentication, because any that we
1636 * do use must be explictly sent in mm_getpwnamallow().
1639 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1641 M_CP_INTOPT(password_authentication);
1642 M_CP_INTOPT(gss_authentication);
1643 M_CP_INTOPT(rsa_authentication);
1644 M_CP_INTOPT(pubkey_authentication);
1645 M_CP_INTOPT(kerberos_authentication);
1646 M_CP_INTOPT(hostbased_authentication);
1647 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1648 M_CP_INTOPT(kbd_interactive_authentication);
1649 M_CP_INTOPT(zero_knowledge_password_authentication);
1650 M_CP_INTOPT(permit_root_login);
1651 M_CP_INTOPT(permit_empty_passwd);
1653 M_CP_INTOPT(allow_tcp_forwarding);
1654 M_CP_INTOPT(allow_agent_forwarding);
1655 M_CP_INTOPT(permit_tun);
1656 M_CP_INTOPT(gateway_ports);
1657 M_CP_INTOPT(x11_display_offset);
1658 M_CP_INTOPT(x11_forwarding);
1659 M_CP_INTOPT(x11_use_localhost);
1660 M_CP_INTOPT(max_sessions);
1661 M_CP_INTOPT(max_authtries);
1662 M_CP_INTOPT(ip_qos_interactive);
1663 M_CP_INTOPT(ip_qos_bulk);
1665 /* See comment in servconf.h */
1666 COPY_MATCH_STRING_OPTS();
1669 * The only things that should be below this point are string options
1670 * which are only used after authentication.
1675 M_CP_STROPT(adm_forced_command);
1676 M_CP_STROPT(chroot_directory);
1681 #undef M_CP_STRARRAYOPT
1684 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1685 struct connection_info *connectinfo)
1687 int active, linenum, bad_options = 0;
1688 char *cp, *obuf, *cbuf;
1690 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1692 obuf = cbuf = xstrdup(buffer_ptr(conf));
1693 active = connectinfo ? 0 : 1;
1695 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1696 if (process_server_config_line(options, cp, filename,
1697 linenum++, &active, connectinfo) != 0)
1701 if (bad_options > 0)
1702 fatal("%s: terminating, %d bad configuration options",
1703 filename, bad_options);
1707 fmt_multistate_int(int val, const struct multistate *m)
1711 for (i = 0; m[i].key != NULL; i++) {
1712 if (m[i].value == val)
1719 fmt_intarg(ServerOpCodes code, int val)
1724 case sAddressFamily:
1725 return fmt_multistate_int(val, multistate_addressfamily);
1726 case sPermitRootLogin:
1727 return fmt_multistate_int(val, multistate_permitrootlogin);
1729 return fmt_multistate_int(val, multistate_gatewayports);
1731 return fmt_multistate_int(val, multistate_compression);
1732 case sUsePrivilegeSeparation:
1733 return fmt_multistate_int(val, multistate_privsep);
1740 case (SSH_PROTO_1|SSH_PROTO_2):
1758 lookup_opcode_name(ServerOpCodes code)
1762 for (i = 0; keywords[i].name != NULL; i++)
1763 if (keywords[i].opcode == code)
1764 return(keywords[i].name);
1769 dump_cfg_int(ServerOpCodes code, int val)
1771 printf("%s %d\n", lookup_opcode_name(code), val);
1775 dump_cfg_fmtint(ServerOpCodes code, int val)
1777 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1781 dump_cfg_string(ServerOpCodes code, const char *val)
1785 printf("%s %s\n", lookup_opcode_name(code), val);
1789 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1793 for (i = 0; i < count; i++)
1794 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1798 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1802 printf("%s", lookup_opcode_name(code));
1803 for (i = 0; i < count; i++)
1804 printf(" %s", vals[i]);
1809 dump_config(ServerOptions *o)
1813 struct addrinfo *ai;
1814 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1816 /* these are usually at the top of the config */
1817 for (i = 0; i < o->num_ports; i++)
1818 printf("port %d\n", o->ports[i]);
1819 dump_cfg_fmtint(sProtocol, o->protocol);
1820 dump_cfg_fmtint(sAddressFamily, o->address_family);
1822 /* ListenAddress must be after Port */
1823 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1824 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1825 sizeof(addr), port, sizeof(port),
1826 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1827 error("getnameinfo failed: %.100s",
1828 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1831 if (ai->ai_family == AF_INET6)
1832 printf("listenaddress [%s]:%s\n", addr, port);
1834 printf("listenaddress %s:%s\n", addr, port);
1838 /* integer arguments */
1840 dump_cfg_int(sUsePAM, o->use_pam);
1842 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1843 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1844 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1845 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1846 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1847 dump_cfg_int(sMaxSessions, o->max_sessions);
1848 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1849 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1851 /* formatted integer arguments */
1852 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1853 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1854 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1855 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1856 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1857 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1858 o->hostbased_uses_name_from_packet_only);
1859 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1860 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1862 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1863 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1864 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1866 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1870 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1871 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1874 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1875 o->zero_knowledge_password_authentication);
1877 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1878 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1879 o->kbd_interactive_authentication);
1880 dump_cfg_fmtint(sChallengeResponseAuthentication,
1881 o->challenge_response_authentication);
1882 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1883 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1884 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1885 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1886 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1887 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1888 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1889 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1890 dump_cfg_fmtint(sUseLogin, o->use_login);
1891 dump_cfg_fmtint(sCompression, o->compression);
1892 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1893 dump_cfg_fmtint(sUseDNS, o->use_dns);
1894 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1895 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1897 /* string arguments */
1898 dump_cfg_string(sPidFile, o->pid_file);
1899 dump_cfg_string(sXAuthLocation, o->xauth_location);
1900 dump_cfg_string(sCiphers, o->ciphers);
1901 dump_cfg_string(sMacs, o->macs);
1902 dump_cfg_string(sBanner, o->banner);
1903 dump_cfg_string(sForceCommand, o->adm_forced_command);
1904 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1905 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1906 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1907 dump_cfg_string(sAuthorizedPrincipalsFile,
1908 o->authorized_principals_file);
1909 dump_cfg_string(sVersionAddendum, o->version_addendum);
1911 /* string arguments requiring a lookup */
1912 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1913 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1915 /* string array arguments */
1916 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
1917 o->authorized_keys_files);
1918 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1920 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1921 o->host_cert_files);
1922 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1923 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1924 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1925 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1926 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1928 /* other arguments */
1929 for (i = 0; i < o->num_subsystems; i++)
1930 printf("subsystem %s %s\n", o->subsystem_name[i],
1931 o->subsystem_args[i]);
1933 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1934 o->max_startups_rate, o->max_startups);
1936 for (i = 0; tunmode_desc[i].val != -1; i++)
1937 if (tunmode_desc[i].val == o->permit_tun) {
1938 s = tunmode_desc[i].text;
1941 dump_cfg_string(sPermitTunnel, s);
1943 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
1944 printf("%s\n", iptos2str(o->ip_qos_bulk));
1946 channel_print_adm_permitted_opens();