Upgrade openssh. 1/2
[dragonfly.git] / crypto / openssh / servconf.c
1
2 /* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13
14 #include "includes.h"
15
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #ifdef __OpenBSD__
19 #include <sys/sysctl.h>
20 #endif
21
22 #include <netinet/in.h>
23 #include <netinet/in_systm.h>
24 #include <netinet/ip.h>
25 #ifdef HAVE_NET_ROUTE_H
26 #include <net/route.h>
27 #endif
28
29 #include <ctype.h>
30 #include <netdb.h>
31 #include <pwd.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <signal.h>
36 #include <unistd.h>
37 #include <limits.h>
38 #include <stdarg.h>
39 #include <errno.h>
40 #ifdef HAVE_UTIL_H
41 #include <util.h>
42 #endif
43 #ifdef USE_SYSTEM_GLOB
44 # include <glob.h>
45 #else
46 # include "openbsd-compat/glob.h"
47 #endif
48
49 #include "openbsd-compat/sys-queue.h"
50 #include "xmalloc.h"
51 #include "ssh.h"
52 #include "log.h"
53 #include "sshbuf.h"
54 #include "misc.h"
55 #include "servconf.h"
56 #include "compat.h"
57 #include "pathnames.h"
58 #include "cipher.h"
59 #include "sshkey.h"
60 #include "kex.h"
61 #include "mac.h"
62 #include "match.h"
63 #include "channels.h"
64 #include "groupaccess.h"
65 #include "canohost.h"
66 #include "packet.h"
67 #include "ssherr.h"
68 #include "hostfile.h"
69 #include "auth.h"
70 #include "myproposal.h"
71 #include "digest.h"
72
73 static void add_listen_addr(ServerOptions *, const char *,
74     const char *, int);
75 static void add_one_listen_addr(ServerOptions *, const char *,
76     const char *, int);
77 void parse_server_config_depth(ServerOptions *options, const char *filename,
78     struct sshbuf *conf, struct include_list *includes,
79     struct connection_info *connectinfo, int flags, int *activep, int depth);
80
81 /* Use of privilege separation or not */
82 extern int use_privsep;
83 extern struct sshbuf *cfg;
84
85 /* Initializes the server options to their default values. */
86
87 void
88 initialize_server_options(ServerOptions *options)
89 {
90         memset(options, 0, sizeof(*options));
91
92         /* Portable-specific options */
93         options->use_pam = -1;
94
95         /* Standard Options */
96         options->num_ports = 0;
97         options->ports_from_cmdline = 0;
98         options->queued_listen_addrs = NULL;
99         options->num_queued_listens = 0;
100         options->listen_addrs = NULL;
101         options->num_listen_addrs = 0;
102         options->address_family = -1;
103         options->routing_domain = NULL;
104         options->num_host_key_files = 0;
105         options->num_host_cert_files = 0;
106         options->host_key_agent = NULL;
107         options->pid_file = NULL;
108         options->login_grace_time = -1;
109         options->permit_root_login = PERMIT_NOT_SET;
110         options->ignore_rhosts = -1;
111         options->ignore_user_known_hosts = -1;
112         options->print_motd = -1;
113         options->print_lastlog = -1;
114         options->x11_forwarding = -1;
115         options->x11_display_offset = -1;
116         options->x11_use_localhost = -1;
117         options->permit_tty = -1;
118         options->permit_user_rc = -1;
119         options->xauth_location = NULL;
120         options->strict_modes = -1;
121         options->tcp_keep_alive = -1;
122         options->log_facility = SYSLOG_FACILITY_NOT_SET;
123         options->log_level = SYSLOG_LEVEL_NOT_SET;
124         options->hostbased_authentication = -1;
125         options->hostbased_uses_name_from_packet_only = -1;
126         options->hostbased_key_types = NULL;
127         options->hostkeyalgorithms = NULL;
128         options->pubkey_authentication = -1;
129         options->pubkey_auth_options = -1;
130         options->pubkey_key_types = NULL;
131         options->kerberos_authentication = -1;
132         options->kerberos_or_local_passwd = -1;
133         options->kerberos_ticket_cleanup = -1;
134         options->kerberos_get_afs_token = -1;
135         options->gss_authentication=-1;
136         options->gss_cleanup_creds = -1;
137         options->gss_strict_acceptor = -1;
138         options->password_authentication = -1;
139         options->kbd_interactive_authentication = -1;
140         options->challenge_response_authentication = -1;
141         options->permit_empty_passwd = -1;
142         options->permit_user_env = -1;
143         options->permit_user_env_whitelist = NULL;
144         options->compression = -1;
145         options->rekey_limit = -1;
146         options->rekey_interval = -1;
147         options->allow_tcp_forwarding = -1;
148         options->allow_streamlocal_forwarding = -1;
149         options->allow_agent_forwarding = -1;
150         options->num_allow_users = 0;
151         options->num_deny_users = 0;
152         options->num_allow_groups = 0;
153         options->num_deny_groups = 0;
154         options->ciphers = NULL;
155         options->macs = NULL;
156         options->kex_algorithms = NULL;
157         options->ca_sign_algorithms = NULL;
158         options->fwd_opts.gateway_ports = -1;
159         options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
160         options->fwd_opts.streamlocal_bind_unlink = -1;
161         options->num_subsystems = 0;
162         options->max_startups_begin = -1;
163         options->max_startups_rate = -1;
164         options->max_startups = -1;
165         options->max_authtries = -1;
166         options->max_sessions = -1;
167         options->banner = NULL;
168         options->use_dns = -1;
169         options->client_alive_interval = -1;
170         options->client_alive_count_max = -1;
171         options->num_authkeys_files = 0;
172         options->num_accept_env = 0;
173         options->num_setenv = 0;
174         options->permit_tun = -1;
175         options->permitted_opens = NULL;
176         options->permitted_listens = NULL;
177         options->adm_forced_command = NULL;
178         options->chroot_directory = NULL;
179         options->authorized_keys_command = NULL;
180         options->authorized_keys_command_user = NULL;
181         options->revoked_keys_file = NULL;
182         options->sk_provider = NULL;
183         options->trusted_user_ca_keys = NULL;
184         options->authorized_principals_file = NULL;
185         options->authorized_principals_command = NULL;
186         options->authorized_principals_command_user = NULL;
187         options->ip_qos_interactive = -1;
188         options->ip_qos_bulk = -1;
189         options->version_addendum = NULL;
190         options->fingerprint_hash = -1;
191         options->disable_forwarding = -1;
192         options->expose_userauth_info = -1;
193 }
194
195 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
196 static int
197 option_clear_or_none(const char *o)
198 {
199         return o == NULL || strcasecmp(o, "none") == 0;
200 }
201
202 static void
203 assemble_algorithms(ServerOptions *o)
204 {
205         char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
206         char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
207         int r;
208
209         all_cipher = cipher_alg_list(',', 0);
210         all_mac = mac_alg_list(',');
211         all_kex = kex_alg_list(',');
212         all_key = sshkey_alg_list(0, 0, 1, ',');
213         all_sig = sshkey_alg_list(0, 1, 1, ',');
214         /* remove unsupported algos from default lists */
215         def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
216         def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
217         def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
218         def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
219         def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
220 #define ASSEMBLE(what, defaults, all) \
221         do { \
222                 if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
223                         fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
224         } while (0)
225         ASSEMBLE(ciphers, def_cipher, all_cipher);
226         ASSEMBLE(macs, def_mac, all_mac);
227         ASSEMBLE(kex_algorithms, def_kex, all_kex);
228         ASSEMBLE(hostkeyalgorithms, def_key, all_key);
229         ASSEMBLE(hostbased_key_types, def_key, all_key);
230         ASSEMBLE(pubkey_key_types, def_key, all_key);
231         ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
232 #undef ASSEMBLE
233         free(all_cipher);
234         free(all_mac);
235         free(all_kex);
236         free(all_key);
237         free(all_sig);
238         free(def_cipher);
239         free(def_mac);
240         free(def_kex);
241         free(def_key);
242         free(def_sig);
243 }
244
245 static void
246 array_append2(const char *file, const int line, const char *directive,
247     char ***array, int **iarray, u_int *lp, const char *s, int i)
248 {
249
250         if (*lp >= INT_MAX)
251                 fatal("%s line %d: Too many %s entries", file, line, directive);
252
253         if (iarray != NULL) {
254                 *iarray = xrecallocarray(*iarray, *lp, *lp + 1,
255                     sizeof(**iarray));
256                 (*iarray)[*lp] = i;
257         }
258
259         *array = xrecallocarray(*array, *lp, *lp + 1, sizeof(**array));
260         (*array)[*lp] = xstrdup(s);
261         (*lp)++;
262 }
263
264 static void
265 array_append(const char *file, const int line, const char *directive,
266     char ***array, u_int *lp, const char *s)
267 {
268         array_append2(file, line, directive, array, NULL, lp, s, 0);
269 }
270
271 void
272 servconf_add_hostkey(const char *file, const int line,
273     ServerOptions *options, const char *path, int userprovided)
274 {
275         char *apath = derelativise_path(path);
276
277         array_append2(file, line, "HostKey",
278             &options->host_key_files, &options->host_key_file_userprovided,
279             &options->num_host_key_files, apath, userprovided);
280         free(apath);
281 }
282
283 void
284 servconf_add_hostcert(const char *file, const int line,
285     ServerOptions *options, const char *path)
286 {
287         char *apath = derelativise_path(path);
288
289         array_append(file, line, "HostCertificate",
290             &options->host_cert_files, &options->num_host_cert_files, apath);
291         free(apath);
292 }
293
294 void
295 fill_default_server_options(ServerOptions *options)
296 {
297         u_int i;
298
299         /*
300          * Portable-specific options.
301          *
302          * Please do NOT under any circumstances change the default to 1,
303          * for any reason.  The use of PAM is not considered to be secure
304          * by default.
305          */
306         if (options->use_pam == -1)
307                 options->use_pam = 0;
308
309         /* Standard Options */
310         if (options->num_host_key_files == 0) {
311                 /* fill default hostkeys for protocols */
312                 servconf_add_hostkey("[default]", 0, options,
313                     _PATH_HOST_RSA_KEY_FILE, 0);
314 #ifdef OPENSSL_HAS_ECC
315                 servconf_add_hostkey("[default]", 0, options,
316                     _PATH_HOST_ECDSA_KEY_FILE, 0);
317 #endif
318                 servconf_add_hostkey("[default]", 0, options,
319                     _PATH_HOST_ED25519_KEY_FILE, 0);
320 #ifdef WITH_XMSS
321                 servconf_add_hostkey("[default]", 0, options,
322                     _PATH_HOST_XMSS_KEY_FILE, 0);
323 #endif /* WITH_XMSS */
324         }
325         /* No certificates by default */
326         if (options->num_ports == 0)
327                 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
328         if (options->address_family == -1)
329                 options->address_family = AF_UNSPEC;
330         if (options->listen_addrs == NULL)
331                 add_listen_addr(options, NULL, NULL, 0);
332         if (options->pid_file == NULL)
333                 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
334         if (options->login_grace_time == -1)
335                 options->login_grace_time = 120;
336         if (options->permit_root_login == PERMIT_NOT_SET)
337                 options->permit_root_login = PERMIT_NO_PASSWD;
338         if (options->ignore_rhosts == -1)
339                 options->ignore_rhosts = 1;
340         if (options->ignore_user_known_hosts == -1)
341                 options->ignore_user_known_hosts = 0;
342         if (options->print_motd == -1)
343                 options->print_motd = 1;
344         if (options->print_lastlog == -1)
345                 options->print_lastlog = 1;
346         if (options->x11_forwarding == -1)
347                 options->x11_forwarding = 0;
348         if (options->x11_display_offset == -1)
349                 options->x11_display_offset = 10;
350         if (options->x11_use_localhost == -1)
351                 options->x11_use_localhost = 1;
352         if (options->xauth_location == NULL)
353                 options->xauth_location = xstrdup(_PATH_XAUTH);
354         if (options->permit_tty == -1)
355                 options->permit_tty = 1;
356         if (options->permit_user_rc == -1)
357                 options->permit_user_rc = 1;
358         if (options->strict_modes == -1)
359                 options->strict_modes = 1;
360         if (options->tcp_keep_alive == -1)
361                 options->tcp_keep_alive = 1;
362         if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
363                 options->log_facility = SYSLOG_FACILITY_AUTH;
364         if (options->log_level == SYSLOG_LEVEL_NOT_SET)
365                 options->log_level = SYSLOG_LEVEL_INFO;
366         if (options->hostbased_authentication == -1)
367                 options->hostbased_authentication = 0;
368         if (options->hostbased_uses_name_from_packet_only == -1)
369                 options->hostbased_uses_name_from_packet_only = 0;
370         if (options->pubkey_authentication == -1)
371                 options->pubkey_authentication = 1;
372         if (options->pubkey_auth_options == -1)
373                 options->pubkey_auth_options = 0;
374         if (options->kerberos_authentication == -1)
375                 options->kerberos_authentication = 0;
376         if (options->kerberos_or_local_passwd == -1)
377                 options->kerberos_or_local_passwd = 1;
378         if (options->kerberos_ticket_cleanup == -1)
379                 options->kerberos_ticket_cleanup = 1;
380         if (options->kerberos_get_afs_token == -1)
381                 options->kerberos_get_afs_token = 0;
382         if (options->gss_authentication == -1)
383                 options->gss_authentication = 0;
384         if (options->gss_cleanup_creds == -1)
385                 options->gss_cleanup_creds = 1;
386         if (options->gss_strict_acceptor == -1)
387                 options->gss_strict_acceptor = 1;
388         /*
389          * Please do NOT under any circumstances change the default to 1,
390          * for any reason.  The use of plaintext passwords are not considered
391          * secure by default.
392          */
393         if (options->password_authentication == -1)
394                 options->password_authentication = 0;
395         if (options->kbd_interactive_authentication == -1)
396                 options->kbd_interactive_authentication = 0;
397         if (options->challenge_response_authentication == -1)
398                 options->challenge_response_authentication = 1;
399         if (options->permit_empty_passwd == -1)
400                 options->permit_empty_passwd = 0;
401         if (options->permit_user_env == -1) {
402                 options->permit_user_env = 0;
403                 options->permit_user_env_whitelist = NULL;
404         }
405         if (options->compression == -1)
406 #ifdef WITH_ZLIB
407                 options->compression = COMP_DELAYED;
408 #else
409                 options->compression = COMP_NONE;
410 #endif
411
412         if (options->rekey_limit == -1)
413                 options->rekey_limit = 0;
414         if (options->rekey_interval == -1)
415                 options->rekey_interval = 0;
416         if (options->allow_tcp_forwarding == -1)
417                 options->allow_tcp_forwarding = FORWARD_ALLOW;
418         if (options->allow_streamlocal_forwarding == -1)
419                 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
420         if (options->allow_agent_forwarding == -1)
421                 options->allow_agent_forwarding = 1;
422         if (options->fwd_opts.gateway_ports == -1)
423                 options->fwd_opts.gateway_ports = 0;
424         if (options->max_startups == -1)
425                 options->max_startups = 100;
426         if (options->max_startups_rate == -1)
427                 options->max_startups_rate = 30;                /* 30% */
428         if (options->max_startups_begin == -1)
429                 options->max_startups_begin = 10;
430         if (options->max_authtries == -1)
431                 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
432         if (options->max_sessions == -1)
433                 options->max_sessions = DEFAULT_SESSIONS_MAX;
434         if (options->use_dns == -1)
435                 options->use_dns = 0;
436         if (options->client_alive_interval == -1)
437                 options->client_alive_interval = 0;
438         if (options->client_alive_count_max == -1)
439                 options->client_alive_count_max = 3;
440         if (options->num_authkeys_files == 0) {
441                 array_append("[default]", 0, "AuthorizedKeysFiles",
442                     &options->authorized_keys_files,
443                     &options->num_authkeys_files,
444                     _PATH_SSH_USER_PERMITTED_KEYS);
445                 array_append("[default]", 0, "AuthorizedKeysFiles",
446                     &options->authorized_keys_files,
447                     &options->num_authkeys_files,
448                     _PATH_SSH_USER_PERMITTED_KEYS2);
449         }
450         if (options->permit_tun == -1)
451                 options->permit_tun = SSH_TUNMODE_NO;
452         if (options->ip_qos_interactive == -1)
453                 options->ip_qos_interactive = IPTOS_DSCP_AF21;
454         if (options->ip_qos_bulk == -1)
455                 options->ip_qos_bulk = IPTOS_DSCP_CS1;
456         if (options->version_addendum == NULL)
457                 options->version_addendum = xstrdup("");
458         if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
459                 options->fwd_opts.streamlocal_bind_mask = 0177;
460         if (options->fwd_opts.streamlocal_bind_unlink == -1)
461                 options->fwd_opts.streamlocal_bind_unlink = 0;
462         if (options->fingerprint_hash == -1)
463                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
464         if (options->disable_forwarding == -1)
465                 options->disable_forwarding = 0;
466         if (options->expose_userauth_info == -1)
467                 options->expose_userauth_info = 0;
468         if (options->sk_provider == NULL)
469                 options->sk_provider = xstrdup("internal");
470
471         assemble_algorithms(options);
472
473         /* Turn privilege separation and sandboxing on by default */
474         if (use_privsep == -1)
475                 use_privsep = PRIVSEP_ON;
476
477 #define CLEAR_ON_NONE(v) \
478         do { \
479                 if (option_clear_or_none(v)) { \
480                         free(v); \
481                         v = NULL; \
482                 } \
483         } while(0)
484         CLEAR_ON_NONE(options->pid_file);
485         CLEAR_ON_NONE(options->xauth_location);
486         CLEAR_ON_NONE(options->banner);
487         CLEAR_ON_NONE(options->trusted_user_ca_keys);
488         CLEAR_ON_NONE(options->revoked_keys_file);
489         CLEAR_ON_NONE(options->sk_provider);
490         CLEAR_ON_NONE(options->authorized_principals_file);
491         CLEAR_ON_NONE(options->adm_forced_command);
492         CLEAR_ON_NONE(options->chroot_directory);
493         CLEAR_ON_NONE(options->routing_domain);
494         CLEAR_ON_NONE(options->host_key_agent);
495         for (i = 0; i < options->num_host_key_files; i++)
496                 CLEAR_ON_NONE(options->host_key_files[i]);
497         for (i = 0; i < options->num_host_cert_files; i++)
498                 CLEAR_ON_NONE(options->host_cert_files[i]);
499 #undef CLEAR_ON_NONE
500
501         /* Similar handling for AuthenticationMethods=any */
502         if (options->num_auth_methods == 1 &&
503             strcmp(options->auth_methods[0], "any") == 0) {
504                 free(options->auth_methods[0]);
505                 options->auth_methods[0] = NULL;
506                 options->num_auth_methods = 0;
507         }
508
509 #ifndef HAVE_MMAP
510         if (use_privsep && options->compression == 1) {
511                 error("This platform does not support both privilege "
512                     "separation and compression");
513                 error("Compression disabled");
514                 options->compression = 0;
515         }
516 #endif
517 }
518
519 /* Keyword tokens. */
520 typedef enum {
521         sBadOption,             /* == unknown option */
522         /* Portable-specific options */
523         sUsePAM,
524         /* Standard Options */
525         sPort, sHostKeyFile, sLoginGraceTime,
526         sPermitRootLogin, sLogFacility, sLogLevel,
527         sRhostsRSAAuthentication, sRSAAuthentication,
528         sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
529         sKerberosGetAFSToken, sChallengeResponseAuthentication,
530         sPasswordAuthentication, sKbdInteractiveAuthentication,
531         sListenAddress, sAddressFamily,
532         sPrintMotd, sPrintLastLog, sIgnoreRhosts,
533         sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
534         sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
535         sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
536         sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
537         sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
538         sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
539         sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
540         sBanner, sUseDNS, sHostbasedAuthentication,
541         sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
542         sHostKeyAlgorithms,
543         sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
544         sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
545         sAcceptEnv, sSetEnv, sPermitTunnel,
546         sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
547         sUsePrivilegeSeparation, sAllowAgentForwarding,
548         sHostCertificate, sInclude,
549         sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
550         sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
551         sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
552         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
553         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
554         sStreamLocalBindMask, sStreamLocalBindUnlink,
555         sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
556         sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
557         sDeprecated, sIgnore, sUnsupported
558 } ServerOpCodes;
559
560 #define SSHCFG_GLOBAL           0x01    /* allowed in main section of config */
561 #define SSHCFG_MATCH            0x02    /* allowed inside a Match section */
562 #define SSHCFG_ALL              (SSHCFG_GLOBAL|SSHCFG_MATCH)
563 #define SSHCFG_NEVERMATCH       0x04  /* Match never matches; internal only */
564
565 /* Textual representation of the tokens. */
566 static struct {
567         const char *name;
568         ServerOpCodes opcode;
569         u_int flags;
570 } keywords[] = {
571         /* Portable-specific options */
572 #ifdef USE_PAM
573         { "usepam", sUsePAM, SSHCFG_GLOBAL },
574 #else
575         { "usepam", sUnsupported, SSHCFG_GLOBAL },
576 #endif
577         { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
578         /* Standard Options */
579         { "port", sPort, SSHCFG_GLOBAL },
580         { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
581         { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },          /* alias */
582         { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
583         { "pidfile", sPidFile, SSHCFG_GLOBAL },
584         { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
585         { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
586         { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
587         { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
588         { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
589         { "loglevel", sLogLevel, SSHCFG_ALL },
590         { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
591         { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
592         { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
593         { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
594         { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
595         { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
596         { "rsaauthentication", sDeprecated, SSHCFG_ALL },
597         { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
598         { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
599         { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
600         { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
601 #ifdef KRB5
602         { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
603         { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
604         { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
605 #ifdef USE_AFS
606         { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
607 #else
608         { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
609 #endif
610 #else
611         { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
612         { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
613         { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
614         { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
615 #endif
616         { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
617         { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
618 #ifdef GSSAPI
619         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
620         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
621         { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
622 #else
623         { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
624         { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
625         { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
626 #endif
627         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
628         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
629         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
630         { "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
631         { "checkmail", sDeprecated, SSHCFG_GLOBAL },
632         { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
633         { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
634         { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
635 #ifdef DISABLE_LASTLOG
636         { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
637 #else
638         { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
639 #endif
640         { "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
641         { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
642         { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
643         { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
644         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
645         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
646         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
647         { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
648         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
649         { "uselogin", sDeprecated, SSHCFG_GLOBAL },
650         { "compression", sCompression, SSHCFG_GLOBAL },
651         { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
652         { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
653         { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },  /* obsolete alias */
654         { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
655         { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
656         { "allowusers", sAllowUsers, SSHCFG_ALL },
657         { "denyusers", sDenyUsers, SSHCFG_ALL },
658         { "allowgroups", sAllowGroups, SSHCFG_ALL },
659         { "denygroups", sDenyGroups, SSHCFG_ALL },
660         { "ciphers", sCiphers, SSHCFG_GLOBAL },
661         { "macs", sMacs, SSHCFG_GLOBAL },
662         { "protocol", sIgnore, SSHCFG_GLOBAL },
663         { "gatewayports", sGatewayPorts, SSHCFG_ALL },
664         { "subsystem", sSubsystem, SSHCFG_GLOBAL },
665         { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
666         { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
667         { "maxsessions", sMaxSessions, SSHCFG_ALL },
668         { "banner", sBanner, SSHCFG_ALL },
669         { "usedns", sUseDNS, SSHCFG_GLOBAL },
670         { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
671         { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
672         { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
673         { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
674         { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
675         { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
676         { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
677         { "acceptenv", sAcceptEnv, SSHCFG_ALL },
678         { "setenv", sSetEnv, SSHCFG_ALL },
679         { "permittunnel", sPermitTunnel, SSHCFG_ALL },
680         { "permittty", sPermitTTY, SSHCFG_ALL },
681         { "permituserrc", sPermitUserRC, SSHCFG_ALL },
682         { "match", sMatch, SSHCFG_ALL },
683         { "permitopen", sPermitOpen, SSHCFG_ALL },
684         { "permitlisten", sPermitListen, SSHCFG_ALL },
685         { "forcecommand", sForceCommand, SSHCFG_ALL },
686         { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
687         { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
688         { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
689         { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
690         { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
691         { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
692         { "include", sInclude, SSHCFG_ALL },
693         { "ipqos", sIPQoS, SSHCFG_ALL },
694         { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
695         { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
696         { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
697         { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
698         { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
699         { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
700         { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
701         { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
702         { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
703         { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
704         { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
705         { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
706         { "rdomain", sRDomain, SSHCFG_ALL },
707         { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
708         { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
709         { NULL, sBadOption, 0 }
710 };
711
712 static struct {
713         int val;
714         char *text;
715 } tunmode_desc[] = {
716         { SSH_TUNMODE_NO, "no" },
717         { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
718         { SSH_TUNMODE_ETHERNET, "ethernet" },
719         { SSH_TUNMODE_YES, "yes" },
720         { -1, NULL }
721 };
722
723 /* Returns an opcode name from its number */
724
725 static const char *
726 lookup_opcode_name(ServerOpCodes code)
727 {
728         u_int i;
729
730         for (i = 0; keywords[i].name != NULL; i++)
731                 if (keywords[i].opcode == code)
732                         return(keywords[i].name);
733         return "UNKNOWN";
734 }
735
736
737 /*
738  * Returns the number of the token pointed to by cp or sBadOption.
739  */
740
741 static ServerOpCodes
742 parse_token(const char *cp, const char *filename,
743             int linenum, u_int *flags)
744 {
745         u_int i;
746
747         for (i = 0; keywords[i].name; i++)
748                 if (strcasecmp(cp, keywords[i].name) == 0) {
749                         *flags = keywords[i].flags;
750                         return keywords[i].opcode;
751                 }
752
753         error("%s: line %d: Bad configuration option: %s",
754             filename, linenum, cp);
755         return sBadOption;
756 }
757
758 char *
759 derelativise_path(const char *path)
760 {
761         char *expanded, *ret, cwd[PATH_MAX];
762
763         if (strcasecmp(path, "none") == 0)
764                 return xstrdup("none");
765         expanded = tilde_expand_filename(path, getuid());
766         if (path_absolute(expanded))
767                 return expanded;
768         if (getcwd(cwd, sizeof(cwd)) == NULL)
769                 fatal("%s: getcwd: %s", __func__, strerror(errno));
770         xasprintf(&ret, "%s/%s", cwd, expanded);
771         free(expanded);
772         return ret;
773 }
774
775 static void
776 add_listen_addr(ServerOptions *options, const char *addr,
777     const char *rdomain, int port)
778 {
779         u_int i;
780
781         if (port > 0)
782                 add_one_listen_addr(options, addr, rdomain, port);
783         else {
784                 for (i = 0; i < options->num_ports; i++) {
785                         add_one_listen_addr(options, addr, rdomain,
786                             options->ports[i]);
787                 }
788         }
789 }
790
791 static void
792 add_one_listen_addr(ServerOptions *options, const char *addr,
793     const char *rdomain, int port)
794 {
795         struct addrinfo hints, *ai, *aitop;
796         char strport[NI_MAXSERV];
797         int gaierr;
798         u_int i;
799
800         /* Find listen_addrs entry for this rdomain */
801         for (i = 0; i < options->num_listen_addrs; i++) {
802                 if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
803                         break;
804                 if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
805                         continue;
806                 if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
807                         break;
808         }
809         if (i >= options->num_listen_addrs) {
810                 /* No entry for this rdomain; allocate one */
811                 if (i >= INT_MAX)
812                         fatal("%s: too many listen addresses", __func__);
813                 options->listen_addrs = xrecallocarray(options->listen_addrs,
814                     options->num_listen_addrs, options->num_listen_addrs + 1,
815                     sizeof(*options->listen_addrs));
816                 i = options->num_listen_addrs++;
817                 if (rdomain != NULL)
818                         options->listen_addrs[i].rdomain = xstrdup(rdomain);
819         }
820         /* options->listen_addrs[i] points to the addresses for this rdomain */
821
822         memset(&hints, 0, sizeof(hints));
823         hints.ai_family = options->address_family;
824         hints.ai_socktype = SOCK_STREAM;
825         hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
826         snprintf(strport, sizeof strport, "%d", port);
827         if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
828                 fatal("bad addr or host: %s (%s)",
829                     addr ? addr : "<NULL>",
830                     ssh_gai_strerror(gaierr));
831         for (ai = aitop; ai->ai_next; ai = ai->ai_next)
832                 ;
833         ai->ai_next = options->listen_addrs[i].addrs;
834         options->listen_addrs[i].addrs = aitop;
835 }
836
837 /* Returns nonzero if the routing domain name is valid */
838 static int
839 valid_rdomain(const char *name)
840 {
841 #if defined(HAVE_SYS_VALID_RDOMAIN)
842         return sys_valid_rdomain(name);
843 #elif defined(__OpenBSD__)
844         const char *errstr;
845         long long num;
846         struct rt_tableinfo info;
847         int mib[6];
848         size_t miblen = sizeof(mib);
849
850         if (name == NULL)
851                 return 1;
852
853         num = strtonum(name, 0, 255, &errstr);
854         if (errstr != NULL)
855                 return 0;
856
857         /* Check whether the table actually exists */
858         memset(mib, 0, sizeof(mib));
859         mib[0] = CTL_NET;
860         mib[1] = PF_ROUTE;
861         mib[4] = NET_RT_TABLE;
862         mib[5] = (int)num;
863         if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
864                 return 0;
865
866         return 1;
867 #else /* defined(__OpenBSD__) */
868         error("Routing domains are not supported on this platform");
869         return 0;
870 #endif
871 }
872
873 /*
874  * Queue a ListenAddress to be processed once we have all of the Ports
875  * and AddressFamily options.
876  */
877 static void
878 queue_listen_addr(ServerOptions *options, const char *addr,
879     const char *rdomain, int port)
880 {
881         struct queued_listenaddr *qla;
882
883         options->queued_listen_addrs = xrecallocarray(
884             options->queued_listen_addrs,
885             options->num_queued_listens, options->num_queued_listens + 1,
886             sizeof(*options->queued_listen_addrs));
887         qla = &options->queued_listen_addrs[options->num_queued_listens++];
888         qla->addr = xstrdup(addr);
889         qla->port = port;
890         qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
891 }
892
893 /*
894  * Process queued (text) ListenAddress entries.
895  */
896 static void
897 process_queued_listen_addrs(ServerOptions *options)
898 {
899         u_int i;
900         struct queued_listenaddr *qla;
901
902         if (options->num_ports == 0)
903                 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
904         if (options->address_family == -1)
905                 options->address_family = AF_UNSPEC;
906
907         for (i = 0; i < options->num_queued_listens; i++) {
908                 qla = &options->queued_listen_addrs[i];
909                 add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
910                 free(qla->addr);
911                 free(qla->rdomain);
912         }
913         free(options->queued_listen_addrs);
914         options->queued_listen_addrs = NULL;
915         options->num_queued_listens = 0;
916 }
917
918 /*
919  * Inform channels layer of permitopen options for a single forwarding
920  * direction (local/remote).
921  */
922 static void
923 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
924     char **opens, u_int num_opens)
925 {
926         u_int i;
927         int port;
928         char *host, *arg, *oarg, ch;
929         int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
930         const char *what = lookup_opcode_name(opcode);
931
932         channel_clear_permission(ssh, FORWARD_ADM, where);
933         if (num_opens == 0)
934                 return; /* permit any */
935
936         /* handle keywords: "any" / "none" */
937         if (num_opens == 1 && strcmp(opens[0], "any") == 0)
938                 return;
939         if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
940                 channel_disable_admin(ssh, where);
941                 return;
942         }
943         /* Otherwise treat it as a list of permitted host:port */
944         for (i = 0; i < num_opens; i++) {
945                 oarg = arg = xstrdup(opens[i]);
946                 ch = '\0';
947                 host = hpdelim2(&arg, &ch);
948                 if (host == NULL || ch == '/')
949                         fatal("%s: missing host in %s", __func__, what);
950                 host = cleanhostname(host);
951                 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
952                         fatal("%s: bad port number in %s", __func__, what);
953                 /* Send it to channels layer */
954                 channel_add_permission(ssh, FORWARD_ADM,
955                     where, host, port);
956                 free(oarg);
957         }
958 }
959
960 /*
961  * Inform channels layer of permitopen options from configuration.
962  */
963 void
964 process_permitopen(struct ssh *ssh, ServerOptions *options)
965 {
966         process_permitopen_list(ssh, sPermitOpen,
967             options->permitted_opens, options->num_permitted_opens);
968         process_permitopen_list(ssh, sPermitListen,
969             options->permitted_listens,
970             options->num_permitted_listens);
971 }
972
973 struct connection_info *
974 get_connection_info(struct ssh *ssh, int populate, int use_dns)
975 {
976         static struct connection_info ci;
977
978         if (ssh == NULL || !populate)
979                 return &ci;
980         ci.host = auth_get_canonical_hostname(ssh, use_dns);
981         ci.address = ssh_remote_ipaddr(ssh);
982         ci.laddress = ssh_local_ipaddr(ssh);
983         ci.lport = ssh_local_port(ssh);
984         ci.rdomain = ssh_packet_rdomain_in(ssh);
985         return &ci;
986 }
987
988 /*
989  * The strategy for the Match blocks is that the config file is parsed twice.
990  *
991  * The first time is at startup.  activep is initialized to 1 and the
992  * directives in the global context are processed and acted on.  Hitting a
993  * Match directive unsets activep and the directives inside the block are
994  * checked for syntax only.
995  *
996  * The second time is after a connection has been established but before
997  * authentication.  activep is initialized to 2 and global config directives
998  * are ignored since they have already been processed.  If the criteria in a
999  * Match block is met, activep is set and the subsequent directives
1000  * processed and actioned until EOF or another Match block unsets it.  Any
1001  * options set are copied into the main server config.
1002  *
1003  * Potential additions/improvements:
1004  *  - Add Match support for pre-kex directives, eg. Ciphers.
1005  *
1006  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
1007  *      Match Address 192.168.0.*
1008  *              Tag trusted
1009  *      Match Group wheel
1010  *              Tag trusted
1011  *      Match Tag trusted
1012  *              AllowTcpForwarding yes
1013  *              GatewayPorts clientspecified
1014  *              [...]
1015  *
1016  *  - Add a PermittedChannelRequests directive
1017  *      Match Group shell
1018  *              PermittedChannelRequests session,forwarded-tcpip
1019  */
1020
1021 static int
1022 match_cfg_line_group(const char *grps, int line, const char *user)
1023 {
1024         int result = 0;
1025         struct passwd *pw;
1026
1027         if (user == NULL)
1028                 goto out;
1029
1030         if ((pw = getpwnam(user)) == NULL) {
1031                 debug("Can't match group at line %d because user %.100s does "
1032                     "not exist", line, user);
1033         } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1034                 debug("Can't Match group because user %.100s not in any group "
1035                     "at line %d", user, line);
1036         } else if (ga_match_pattern_list(grps) != 1) {
1037                 debug("user %.100s does not match group list %.100s at line %d",
1038                     user, grps, line);
1039         } else {
1040                 debug("user %.100s matched group list %.100s at line %d", user,
1041                     grps, line);
1042                 result = 1;
1043         }
1044 out:
1045         ga_free();
1046         return result;
1047 }
1048
1049 static void
1050 match_test_missing_fatal(const char *criteria, const char *attrib)
1051 {
1052         fatal("'Match %s' in configuration but '%s' not in connection "
1053             "test specification.", criteria, attrib);
1054 }
1055
1056 /*
1057  * All of the attributes on a single Match line are ANDed together, so we need
1058  * to check every attribute and set the result to zero if any attribute does
1059  * not match.
1060  */
1061 static int
1062 match_cfg_line(char **condition, int line, struct connection_info *ci)
1063 {
1064         int result = 1, attributes = 0, port;
1065         char *arg, *attrib, *cp = *condition;
1066
1067         if (ci == NULL)
1068                 debug3("checking syntax for 'Match %s'", cp);
1069         else
1070                 debug3("checking match for '%s' user %s host %s addr %s "
1071                     "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1072                     ci->host ? ci->host : "(null)",
1073                     ci->address ? ci->address : "(null)",
1074                     ci->laddress ? ci->laddress : "(null)", ci->lport);
1075
1076         while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1077                 attributes++;
1078                 if (strcasecmp(attrib, "all") == 0) {
1079                         if (attributes != 1 ||
1080                             ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
1081                                 error("'all' cannot be combined with other "
1082                                     "Match attributes");
1083                                 return -1;
1084                         }
1085                         *condition = cp;
1086                         return 1;
1087                 }
1088                 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
1089                         error("Missing Match criteria for %s", attrib);
1090                         return -1;
1091                 }
1092                 if (strcasecmp(attrib, "user") == 0) {
1093                         if (ci == NULL || (ci->test && ci->user == NULL)) {
1094                                 result = 0;
1095                                 continue;
1096                         }
1097                         if (ci->user == NULL)
1098                                 match_test_missing_fatal("User", "user");
1099                         if (match_usergroup_pattern_list(ci->user, arg) != 1)
1100                                 result = 0;
1101                         else
1102                                 debug("user %.100s matched 'User %.100s' at "
1103                                     "line %d", ci->user, arg, line);
1104                 } else if (strcasecmp(attrib, "group") == 0) {
1105                         if (ci == NULL || (ci->test && ci->user == NULL)) {
1106                                 result = 0;
1107                                 continue;
1108                         }
1109                         if (ci->user == NULL)
1110                                 match_test_missing_fatal("Group", "user");
1111                         switch (match_cfg_line_group(arg, line, ci->user)) {
1112                         case -1:
1113                                 return -1;
1114                         case 0:
1115                                 result = 0;
1116                         }
1117                 } else if (strcasecmp(attrib, "host") == 0) {
1118                         if (ci == NULL || (ci->test && ci->host == NULL)) {
1119                                 result = 0;
1120                                 continue;
1121                         }
1122                         if (ci->host == NULL)
1123                                 match_test_missing_fatal("Host", "host");
1124                         if (match_hostname(ci->host, arg) != 1)
1125                                 result = 0;
1126                         else
1127                                 debug("connection from %.100s matched 'Host "
1128                                     "%.100s' at line %d", ci->host, arg, line);
1129                 } else if (strcasecmp(attrib, "address") == 0) {
1130                         if (ci == NULL || (ci->test && ci->address == NULL)) {
1131                                 result = 0;
1132                                 continue;
1133                         }
1134                         if (ci->address == NULL)
1135                                 match_test_missing_fatal("Address", "addr");
1136                         switch (addr_match_list(ci->address, arg)) {
1137                         case 1:
1138                                 debug("connection from %.100s matched 'Address "
1139                                     "%.100s' at line %d", ci->address, arg, line);
1140                                 break;
1141                         case 0:
1142                         case -1:
1143                                 result = 0;
1144                                 break;
1145                         case -2:
1146                                 return -1;
1147                         }
1148                 } else if (strcasecmp(attrib, "localaddress") == 0){
1149                         if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1150                                 result = 0;
1151                                 continue;
1152                         }
1153                         if (ci->laddress == NULL)
1154                                 match_test_missing_fatal("LocalAddress",
1155                                     "laddr");
1156                         switch (addr_match_list(ci->laddress, arg)) {
1157                         case 1:
1158                                 debug("connection from %.100s matched "
1159                                     "'LocalAddress %.100s' at line %d",
1160                                     ci->laddress, arg, line);
1161                                 break;
1162                         case 0:
1163                         case -1:
1164                                 result = 0;
1165                                 break;
1166                         case -2:
1167                                 return -1;
1168                         }
1169                 } else if (strcasecmp(attrib, "localport") == 0) {
1170                         if ((port = a2port(arg)) == -1) {
1171                                 error("Invalid LocalPort '%s' on Match line",
1172                                     arg);
1173                                 return -1;
1174                         }
1175                         if (ci == NULL || (ci->test && ci->lport == -1)) {
1176                                 result = 0;
1177                                 continue;
1178                         }
1179                         if (ci->lport == 0)
1180                                 match_test_missing_fatal("LocalPort", "lport");
1181                         /* TODO support port lists */
1182                         if (port == ci->lport)
1183                                 debug("connection from %.100s matched "
1184                                     "'LocalPort %d' at line %d",
1185                                     ci->laddress, port, line);
1186                         else
1187                                 result = 0;
1188                 } else if (strcasecmp(attrib, "rdomain") == 0) {
1189                         if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1190                                 result = 0;
1191                                 continue;
1192                         }
1193                         if (ci->rdomain == NULL)
1194                                 match_test_missing_fatal("RDomain", "rdomain");
1195                         if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1196                                 result = 0;
1197                         else
1198                                 debug("user %.100s matched 'RDomain %.100s' at "
1199                                     "line %d", ci->rdomain, arg, line);
1200                 } else {
1201                         error("Unsupported Match attribute %s", attrib);
1202                         return -1;
1203                 }
1204         }
1205         if (attributes == 0) {
1206                 error("One or more attributes required for Match");
1207                 return -1;
1208         }
1209         if (ci != NULL)
1210                 debug3("match %sfound", result ? "" : "not ");
1211         *condition = cp;
1212         return result;
1213 }
1214
1215 #define WHITESPACE " \t\r\n"
1216
1217 /* Multistate option parsing */
1218 struct multistate {
1219         char *key;
1220         int value;
1221 };
1222 static const struct multistate multistate_flag[] = {
1223         { "yes",                        1 },
1224         { "no",                         0 },
1225         { NULL, -1 }
1226 };
1227 static const struct multistate multistate_ignore_rhosts[] = {
1228         { "yes",                        IGNORE_RHOSTS_YES },
1229         { "no",                         IGNORE_RHOSTS_NO },
1230         { "shosts-only",                IGNORE_RHOSTS_SHOSTS },
1231         { NULL, -1 }
1232 };
1233 static const struct multistate multistate_addressfamily[] = {
1234         { "inet",                       AF_INET },
1235         { "inet6",                      AF_INET6 },
1236         { "any",                        AF_UNSPEC },
1237         { NULL, -1 }
1238 };
1239 static const struct multistate multistate_permitrootlogin[] = {
1240         { "without-password",           PERMIT_NO_PASSWD },
1241         { "prohibit-password",          PERMIT_NO_PASSWD },
1242         { "forced-commands-only",       PERMIT_FORCED_ONLY },
1243         { "yes",                        PERMIT_YES },
1244         { "no",                         PERMIT_NO },
1245         { NULL, -1 }
1246 };
1247 static const struct multistate multistate_compression[] = {
1248 #ifdef WITH_ZLIB
1249         { "yes",                        COMP_DELAYED },
1250         { "delayed",                    COMP_DELAYED },
1251 #endif
1252         { "no",                         COMP_NONE },
1253         { NULL, -1 }
1254 };
1255 static const struct multistate multistate_gatewayports[] = {
1256         { "clientspecified",            2 },
1257         { "yes",                        1 },
1258         { "no",                         0 },
1259         { NULL, -1 }
1260 };
1261 static const struct multistate multistate_tcpfwd[] = {
1262         { "yes",                        FORWARD_ALLOW },
1263         { "all",                        FORWARD_ALLOW },
1264         { "no",                         FORWARD_DENY },
1265         { "remote",                     FORWARD_REMOTE },
1266         { "local",                      FORWARD_LOCAL },
1267         { NULL, -1 }
1268 };
1269
1270 static int
1271 process_server_config_line_depth(ServerOptions *options, char *line,
1272     const char *filename, int linenum, int *activep,
1273     struct connection_info *connectinfo, int inc_flags, int depth,
1274     struct include_list *includes)
1275 {
1276         char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
1277         int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1278         SyslogFacility *log_facility_ptr;
1279         LogLevel *log_level_ptr;
1280         ServerOpCodes opcode;
1281         u_int i, *uintptr, uvalue, flags = 0;
1282         size_t len;
1283         long long val64;
1284         const struct multistate *multistate_ptr;
1285         const char *errstr;
1286         struct include_item *item;
1287         glob_t gbuf;
1288
1289         /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1290         if ((len = strlen(line)) == 0)
1291                 return 0;
1292         for (len--; len > 0; len--) {
1293                 if (strchr(WHITESPACE "\f", line[len]) == NULL)
1294                         break;
1295                 line[len] = '\0';
1296         }
1297
1298         cp = line;
1299         if ((arg = strdelim(&cp)) == NULL)
1300                 return 0;
1301         /* Ignore leading whitespace */
1302         if (*arg == '\0')
1303                 arg = strdelim(&cp);
1304         if (!arg || !*arg || *arg == '#')
1305                 return 0;
1306         intptr = NULL;
1307         charptr = NULL;
1308         opcode = parse_token(arg, filename, linenum, &flags);
1309
1310         if (activep == NULL) { /* We are processing a command line directive */
1311                 cmdline = 1;
1312                 activep = &cmdline;
1313         }
1314         if (*activep && opcode != sMatch && opcode != sInclude)
1315                 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1316         if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1317                 if (connectinfo == NULL) {
1318                         fatal("%s line %d: Directive '%s' is not allowed "
1319                             "within a Match block", filename, linenum, arg);
1320                 } else { /* this is a directive we have already processed */
1321                         while (arg)
1322                                 arg = strdelim(&cp);
1323                         return 0;
1324                 }
1325         }
1326
1327         switch (opcode) {
1328         /* Portable-specific options */
1329         case sUsePAM:
1330                 intptr = &options->use_pam;
1331                 goto parse_flag;
1332
1333         /* Standard Options */
1334         case sBadOption:
1335                 return -1;
1336         case sPort:
1337                 /* ignore ports from configfile if cmdline specifies ports */
1338                 if (options->ports_from_cmdline)
1339                         return 0;
1340                 if (options->num_ports >= MAX_PORTS)
1341                         fatal("%s line %d: too many ports.",
1342                             filename, linenum);
1343                 arg = strdelim(&cp);
1344                 if (!arg || *arg == '\0')
1345                         fatal("%s line %d: missing port number.",
1346                             filename, linenum);
1347                 options->ports[options->num_ports++] = a2port(arg);
1348                 if (options->ports[options->num_ports-1] <= 0)
1349                         fatal("%s line %d: Badly formatted port number.",
1350                             filename, linenum);
1351                 break;
1352
1353         case sLoginGraceTime:
1354                 intptr = &options->login_grace_time;
1355  parse_time:
1356                 arg = strdelim(&cp);
1357                 if (!arg || *arg == '\0')
1358                         fatal("%s line %d: missing time value.",
1359                             filename, linenum);
1360                 if ((value = convtime(arg)) == -1)
1361                         fatal("%s line %d: invalid time value.",
1362                             filename, linenum);
1363                 if (*activep && *intptr == -1)
1364                         *intptr = value;
1365                 break;
1366
1367         case sListenAddress:
1368                 arg = strdelim(&cp);
1369                 if (arg == NULL || *arg == '\0')
1370                         fatal("%s line %d: missing address",
1371                             filename, linenum);
1372                 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1373                 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1374                     && strchr(p+1, ':') != NULL) {
1375                         port = 0;
1376                         p = arg;
1377                 } else {
1378                         arg2 = NULL;
1379                         ch = '\0';
1380                         p = hpdelim2(&arg, &ch);
1381                         if (p == NULL || ch == '/')
1382                                 fatal("%s line %d: bad address:port usage",
1383                                     filename, linenum);
1384                         p = cleanhostname(p);
1385                         if (arg == NULL)
1386                                 port = 0;
1387                         else if ((port = a2port(arg)) <= 0)
1388                                 fatal("%s line %d: bad port number",
1389                                     filename, linenum);
1390                 }
1391                 /* Optional routing table */
1392                 arg2 = NULL;
1393                 if ((arg = strdelim(&cp)) != NULL) {
1394                         if (strcmp(arg, "rdomain") != 0 ||
1395                             (arg2 = strdelim(&cp)) == NULL)
1396                                 fatal("%s line %d: bad ListenAddress syntax",
1397                                     filename, linenum);
1398                         if (!valid_rdomain(arg2))
1399                                 fatal("%s line %d: bad routing domain",
1400                                     filename, linenum);
1401                 }
1402
1403                 queue_listen_addr(options, p, arg2, port);
1404
1405                 break;
1406
1407         case sAddressFamily:
1408                 intptr = &options->address_family;
1409                 multistate_ptr = multistate_addressfamily;
1410  parse_multistate:
1411                 arg = strdelim(&cp);
1412                 if (!arg || *arg == '\0')
1413                         fatal("%s line %d: missing argument.",
1414                             filename, linenum);
1415                 value = -1;
1416                 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1417                         if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1418                                 value = multistate_ptr[i].value;
1419                                 break;
1420                         }
1421                 }
1422                 if (value == -1)
1423                         fatal("%s line %d: unsupported option \"%s\".",
1424                             filename, linenum, arg);
1425                 if (*activep && *intptr == -1)
1426                         *intptr = value;
1427                 break;
1428
1429         case sHostKeyFile:
1430                 arg = strdelim(&cp);
1431                 if (!arg || *arg == '\0')
1432                         fatal("%s line %d: missing file name.",
1433                             filename, linenum);
1434                 if (*activep) {
1435                         servconf_add_hostkey(filename, linenum,
1436                             options, arg, 1);
1437                 }
1438                 break;
1439
1440         case sHostKeyAgent:
1441                 charptr = &options->host_key_agent;
1442                 arg = strdelim(&cp);
1443                 if (!arg || *arg == '\0')
1444                         fatal("%s line %d: missing socket name.",
1445                             filename, linenum);
1446                 if (*activep && *charptr == NULL)
1447                         *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1448                             xstrdup(arg) : derelativise_path(arg);
1449                 break;
1450
1451         case sHostCertificate:
1452                 arg = strdelim(&cp);
1453                 if (!arg || *arg == '\0')
1454                         fatal("%s line %d: missing file name.",
1455                             filename, linenum);
1456                 if (*activep)
1457                         servconf_add_hostcert(filename, linenum, options, arg);
1458                 break;
1459
1460         case sPidFile:
1461                 charptr = &options->pid_file;
1462  parse_filename:
1463                 arg = strdelim(&cp);
1464                 if (!arg || *arg == '\0')
1465                         fatal("%s line %d: missing file name.",
1466                             filename, linenum);
1467                 if (*activep && *charptr == NULL) {
1468                         *charptr = derelativise_path(arg);
1469                         /* increase optional counter */
1470                         if (intptr != NULL)
1471                                 *intptr = *intptr + 1;
1472                 }
1473                 break;
1474
1475         case sPermitRootLogin:
1476                 intptr = &options->permit_root_login;
1477                 multistate_ptr = multistate_permitrootlogin;
1478                 goto parse_multistate;
1479
1480         case sIgnoreRhosts:
1481                 intptr = &options->ignore_rhosts;
1482                 multistate_ptr = multistate_ignore_rhosts;
1483                 goto parse_multistate;
1484
1485         case sIgnoreUserKnownHosts:
1486                 intptr = &options->ignore_user_known_hosts;
1487  parse_flag:
1488                 multistate_ptr = multistate_flag;
1489                 goto parse_multistate;
1490
1491         case sHostbasedAuthentication:
1492                 intptr = &options->hostbased_authentication;
1493                 goto parse_flag;
1494
1495         case sHostbasedUsesNameFromPacketOnly:
1496                 intptr = &options->hostbased_uses_name_from_packet_only;
1497                 goto parse_flag;
1498
1499         case sHostbasedAcceptedKeyTypes:
1500                 charptr = &options->hostbased_key_types;
1501  parse_keytypes:
1502                 arg = strdelim(&cp);
1503                 if (!arg || *arg == '\0')
1504                         fatal("%s line %d: Missing argument.",
1505                             filename, linenum);
1506                 if (*arg != '-' &&
1507                     !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1508                     arg + 1 : arg, 1))
1509                         fatal("%s line %d: Bad key types '%s'.",
1510                             filename, linenum, arg ? arg : "<NONE>");
1511                 if (*activep && *charptr == NULL)
1512                         *charptr = xstrdup(arg);
1513                 break;
1514
1515         case sHostKeyAlgorithms:
1516                 charptr = &options->hostkeyalgorithms;
1517                 goto parse_keytypes;
1518
1519         case sCASignatureAlgorithms:
1520                 charptr = &options->ca_sign_algorithms;
1521                 goto parse_keytypes;
1522
1523         case sPubkeyAuthentication:
1524                 intptr = &options->pubkey_authentication;
1525                 goto parse_flag;
1526
1527         case sPubkeyAcceptedKeyTypes:
1528                 charptr = &options->pubkey_key_types;
1529                 goto parse_keytypes;
1530
1531         case sPubkeyAuthOptions:
1532                 intptr = &options->pubkey_auth_options;
1533                 value = 0;
1534                 while ((arg = strdelim(&cp)) && *arg != '\0') {
1535                         if (strcasecmp(arg, "none") == 0)
1536                                 continue;
1537                         if (strcasecmp(arg, "touch-required") == 0)
1538                                 value |= PUBKEYAUTH_TOUCH_REQUIRED;
1539                         else {
1540                                 fatal("%s line %d: unsupported "
1541                                     "PubkeyAuthOptions option %s",
1542                                     filename, linenum, arg);
1543                         }
1544                 }
1545                 if (*activep && *intptr == -1)
1546                         *intptr = value;
1547                 break;
1548
1549         case sKerberosAuthentication:
1550                 intptr = &options->kerberos_authentication;
1551                 goto parse_flag;
1552
1553         case sKerberosOrLocalPasswd:
1554                 intptr = &options->kerberos_or_local_passwd;
1555                 goto parse_flag;
1556
1557         case sKerberosTicketCleanup:
1558                 intptr = &options->kerberos_ticket_cleanup;
1559                 goto parse_flag;
1560
1561         case sKerberosGetAFSToken:
1562                 intptr = &options->kerberos_get_afs_token;
1563                 goto parse_flag;
1564
1565         case sGssAuthentication:
1566                 intptr = &options->gss_authentication;
1567                 goto parse_flag;
1568
1569         case sGssCleanupCreds:
1570                 intptr = &options->gss_cleanup_creds;
1571                 goto parse_flag;
1572
1573         case sGssStrictAcceptor:
1574                 intptr = &options->gss_strict_acceptor;
1575                 goto parse_flag;
1576
1577         case sPasswordAuthentication:
1578                 intptr = &options->password_authentication;
1579                 goto parse_flag;
1580
1581         case sKbdInteractiveAuthentication:
1582                 intptr = &options->kbd_interactive_authentication;
1583                 goto parse_flag;
1584
1585         case sChallengeResponseAuthentication:
1586                 intptr = &options->challenge_response_authentication;
1587                 goto parse_flag;
1588
1589         case sPrintMotd:
1590                 intptr = &options->print_motd;
1591                 goto parse_flag;
1592
1593         case sPrintLastLog:
1594                 intptr = &options->print_lastlog;
1595                 goto parse_flag;
1596
1597         case sX11Forwarding:
1598                 intptr = &options->x11_forwarding;
1599                 goto parse_flag;
1600
1601         case sX11DisplayOffset:
1602                 intptr = &options->x11_display_offset;
1603  parse_int:
1604                 arg = strdelim(&cp);
1605                 if ((errstr = atoi_err(arg, &value)) != NULL)
1606                         fatal("%s line %d: integer value %s.",
1607                             filename, linenum, errstr);
1608                 if (*activep && *intptr == -1)
1609                         *intptr = value;
1610                 break;
1611
1612         case sX11UseLocalhost:
1613                 intptr = &options->x11_use_localhost;
1614                 goto parse_flag;
1615
1616         case sXAuthLocation:
1617                 charptr = &options->xauth_location;
1618                 goto parse_filename;
1619
1620         case sPermitTTY:
1621                 intptr = &options->permit_tty;
1622                 goto parse_flag;
1623
1624         case sPermitUserRC:
1625                 intptr = &options->permit_user_rc;
1626                 goto parse_flag;
1627
1628         case sStrictModes:
1629                 intptr = &options->strict_modes;
1630                 goto parse_flag;
1631
1632         case sTCPKeepAlive:
1633                 intptr = &options->tcp_keep_alive;
1634                 goto parse_flag;
1635
1636         case sEmptyPasswd:
1637                 intptr = &options->permit_empty_passwd;
1638                 goto parse_flag;
1639
1640         case sPermitUserEnvironment:
1641                 intptr = &options->permit_user_env;
1642                 charptr = &options->permit_user_env_whitelist;
1643                 arg = strdelim(&cp);
1644                 if (!arg || *arg == '\0')
1645                         fatal("%s line %d: missing argument.",
1646                             filename, linenum);
1647                 value = 0;
1648                 p = NULL;
1649                 if (strcmp(arg, "yes") == 0)
1650                         value = 1;
1651                 else if (strcmp(arg, "no") == 0)
1652                         value = 0;
1653                 else {
1654                         /* Pattern-list specified */
1655                         value = 1;
1656                         p = xstrdup(arg);
1657                 }
1658                 if (*activep && *intptr == -1) {
1659                         *intptr = value;
1660                         *charptr = p;
1661                         p = NULL;
1662                 }
1663                 free(p);
1664                 break;
1665
1666         case sCompression:
1667                 intptr = &options->compression;
1668                 multistate_ptr = multistate_compression;
1669                 goto parse_multistate;
1670
1671         case sRekeyLimit:
1672                 arg = strdelim(&cp);
1673                 if (!arg || *arg == '\0')
1674                         fatal("%.200s line %d: Missing argument.", filename,
1675                             linenum);
1676                 if (strcmp(arg, "default") == 0) {
1677                         val64 = 0;
1678                 } else {
1679                         if (scan_scaled(arg, &val64) == -1)
1680                                 fatal("%.200s line %d: Bad number '%s': %s",
1681                                     filename, linenum, arg, strerror(errno));
1682                         if (val64 != 0 && val64 < 16)
1683                                 fatal("%.200s line %d: RekeyLimit too small",
1684                                     filename, linenum);
1685                 }
1686                 if (*activep && options->rekey_limit == -1)
1687                         options->rekey_limit = val64;
1688                 if (cp != NULL) { /* optional rekey interval present */
1689                         if (strcmp(cp, "none") == 0) {
1690                                 (void)strdelim(&cp);    /* discard */
1691                                 break;
1692                         }
1693                         intptr = &options->rekey_interval;
1694                         goto parse_time;
1695                 }
1696                 break;
1697
1698         case sGatewayPorts:
1699                 intptr = &options->fwd_opts.gateway_ports;
1700                 multistate_ptr = multistate_gatewayports;
1701                 goto parse_multistate;
1702
1703         case sUseDNS:
1704                 intptr = &options->use_dns;
1705                 goto parse_flag;
1706
1707         case sLogFacility:
1708                 log_facility_ptr = &options->log_facility;
1709                 arg = strdelim(&cp);
1710                 value = log_facility_number(arg);
1711                 if (value == SYSLOG_FACILITY_NOT_SET)
1712                         fatal("%.200s line %d: unsupported log facility '%s'",
1713                             filename, linenum, arg ? arg : "<NONE>");
1714                 if (*log_facility_ptr == -1)
1715                         *log_facility_ptr = (SyslogFacility) value;
1716                 break;
1717
1718         case sLogLevel:
1719                 log_level_ptr = &options->log_level;
1720                 arg = strdelim(&cp);
1721                 value = log_level_number(arg);
1722                 if (value == SYSLOG_LEVEL_NOT_SET)
1723                         fatal("%.200s line %d: unsupported log level '%s'",
1724                             filename, linenum, arg ? arg : "<NONE>");
1725                 if (*activep && *log_level_ptr == -1)
1726                         *log_level_ptr = (LogLevel) value;
1727                 break;
1728
1729         case sAllowTcpForwarding:
1730                 intptr = &options->allow_tcp_forwarding;
1731                 multistate_ptr = multistate_tcpfwd;
1732                 goto parse_multistate;
1733
1734         case sAllowStreamLocalForwarding:
1735                 intptr = &options->allow_streamlocal_forwarding;
1736                 multistate_ptr = multistate_tcpfwd;
1737                 goto parse_multistate;
1738
1739         case sAllowAgentForwarding:
1740                 intptr = &options->allow_agent_forwarding;
1741                 goto parse_flag;
1742
1743         case sDisableForwarding:
1744                 intptr = &options->disable_forwarding;
1745                 goto parse_flag;
1746
1747         case sAllowUsers:
1748                 while ((arg = strdelim(&cp)) && *arg != '\0') {
1749                         if (match_user(NULL, NULL, NULL, arg) == -1)
1750                                 fatal("%s line %d: invalid AllowUsers pattern: "
1751                                     "\"%.100s\"", filename, linenum, arg);
1752                         if (!*activep)
1753                                 continue;
1754                         array_append(filename, linenum, "AllowUsers",
1755                             &options->allow_users, &options->num_allow_users,
1756                             arg);
1757                 }
1758                 break;
1759
1760         case sDenyUsers:
1761                 while ((arg = strdelim(&cp)) && *arg != '\0') {
1762                         if (match_user(NULL, NULL, NULL, arg) == -1)
1763                                 fatal("%s line %d: invalid DenyUsers pattern: "
1764                                     "\"%.100s\"", filename, linenum, arg);
1765                         if (!*activep)
1766                                 continue;
1767                         array_append(filename, linenum, "DenyUsers",
1768                             &options->deny_users, &options->num_deny_users,
1769                             arg);
1770                 }
1771                 break;
1772
1773         case sAllowGroups:
1774                 while ((arg = strdelim(&cp)) && *arg != '\0') {
1775                         if (!*activep)
1776                                 continue;
1777                         array_append(filename, linenum, "AllowGroups",
1778                             &options->allow_groups, &options->num_allow_groups,
1779                             arg);
1780                 }
1781                 break;
1782
1783         case sDenyGroups:
1784                 while ((arg = strdelim(&cp)) && *arg != '\0') {
1785                         if (!*activep)
1786                                 continue;
1787                         array_append(filename, linenum, "DenyGroups",
1788                             &options->deny_groups, &options->num_deny_groups,
1789                             arg);
1790                 }
1791                 break;
1792
1793         case sCiphers:
1794                 arg = strdelim(&cp);
1795                 if (!arg || *arg == '\0')
1796                         fatal("%s line %d: Missing argument.", filename, linenum);
1797                 if (*arg != '-' &&
1798                     !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1799                         fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1800                             filename, linenum, arg ? arg : "<NONE>");
1801                 if (options->ciphers == NULL)
1802                         options->ciphers = xstrdup(arg);
1803                 break;
1804
1805         case sMacs:
1806                 arg = strdelim(&cp);
1807                 if (!arg || *arg == '\0')
1808                         fatal("%s line %d: Missing argument.", filename, linenum);
1809                 if (*arg != '-' &&
1810                     !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1811                         fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1812                             filename, linenum, arg ? arg : "<NONE>");
1813                 if (options->macs == NULL)
1814                         options->macs = xstrdup(arg);
1815                 break;
1816
1817         case sKexAlgorithms:
1818                 arg = strdelim(&cp);
1819                 if (!arg || *arg == '\0')
1820                         fatal("%s line %d: Missing argument.",
1821                             filename, linenum);
1822                 if (*arg != '-' &&
1823                     !kex_names_valid(*arg == '+' || *arg == '^' ?
1824                     arg + 1 : arg))
1825                         fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1826                             filename, linenum, arg ? arg : "<NONE>");
1827                 if (options->kex_algorithms == NULL)
1828                         options->kex_algorithms = xstrdup(arg);
1829                 break;
1830
1831         case sSubsystem:
1832                 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1833                         fatal("%s line %d: too many subsystems defined.",
1834                             filename, linenum);
1835                 }
1836                 arg = strdelim(&cp);
1837                 if (!arg || *arg == '\0')
1838                         fatal("%s line %d: Missing subsystem name.",
1839                             filename, linenum);
1840                 if (!*activep) {
1841                         arg = strdelim(&cp);
1842                         break;
1843                 }
1844                 for (i = 0; i < options->num_subsystems; i++)
1845                         if (strcmp(arg, options->subsystem_name[i]) == 0)
1846                                 fatal("%s line %d: Subsystem '%s' already defined.",
1847                                     filename, linenum, arg);
1848                 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1849                 arg = strdelim(&cp);
1850                 if (!arg || *arg == '\0')
1851                         fatal("%s line %d: Missing subsystem command.",
1852                             filename, linenum);
1853                 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1854
1855                 /* Collect arguments (separate to executable) */
1856                 p = xstrdup(arg);
1857                 len = strlen(p) + 1;
1858                 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1859                         len += 1 + strlen(arg);
1860                         p = xreallocarray(p, 1, len);
1861                         strlcat(p, " ", len);
1862                         strlcat(p, arg, len);
1863                 }
1864                 options->subsystem_args[options->num_subsystems] = p;
1865                 options->num_subsystems++;
1866                 break;
1867
1868         case sMaxStartups:
1869                 arg = strdelim(&cp);
1870                 if (!arg || *arg == '\0')
1871                         fatal("%s line %d: Missing MaxStartups spec.",
1872                             filename, linenum);
1873                 if ((n = sscanf(arg, "%d:%d:%d",
1874                     &options->max_startups_begin,
1875                     &options->max_startups_rate,
1876                     &options->max_startups)) == 3) {
1877                         if (options->max_startups_begin >
1878                             options->max_startups ||
1879                             options->max_startups_rate > 100 ||
1880                             options->max_startups_rate < 1)
1881                                 fatal("%s line %d: Illegal MaxStartups spec.",
1882                                     filename, linenum);
1883                 } else if (n != 1)
1884                         fatal("%s line %d: Illegal MaxStartups spec.",
1885                             filename, linenum);
1886                 else
1887                         options->max_startups = options->max_startups_begin;
1888                 break;
1889
1890         case sMaxAuthTries:
1891                 intptr = &options->max_authtries;
1892                 goto parse_int;
1893
1894         case sMaxSessions:
1895                 intptr = &options->max_sessions;
1896                 goto parse_int;
1897
1898         case sBanner:
1899                 charptr = &options->banner;
1900                 goto parse_filename;
1901
1902         /*
1903          * These options can contain %X options expanded at
1904          * connect time, so that you can specify paths like:
1905          *
1906          * AuthorizedKeysFile   /etc/ssh_keys/%u
1907          */
1908         case sAuthorizedKeysFile:
1909                 if (*activep && options->num_authkeys_files == 0) {
1910                         while ((arg = strdelim(&cp)) && *arg != '\0') {
1911                                 arg = tilde_expand_filename(arg, getuid());
1912                                 array_append(filename, linenum,
1913                                     "AuthorizedKeysFile",
1914                                     &options->authorized_keys_files,
1915                                     &options->num_authkeys_files, arg);
1916                                 free(arg);
1917                         }
1918                 }
1919                 return 0;
1920
1921         case sAuthorizedPrincipalsFile:
1922                 charptr = &options->authorized_principals_file;
1923                 arg = strdelim(&cp);
1924                 if (!arg || *arg == '\0')
1925                         fatal("%s line %d: missing file name.",
1926                             filename, linenum);
1927                 if (*activep && *charptr == NULL) {
1928                         *charptr = tilde_expand_filename(arg, getuid());
1929                         /* increase optional counter */
1930                         if (intptr != NULL)
1931                                 *intptr = *intptr + 1;
1932                 }
1933                 break;
1934
1935         case sClientAliveInterval:
1936                 intptr = &options->client_alive_interval;
1937                 goto parse_time;
1938
1939         case sClientAliveCountMax:
1940                 intptr = &options->client_alive_count_max;
1941                 goto parse_int;
1942
1943         case sAcceptEnv:
1944                 while ((arg = strdelim(&cp)) && *arg != '\0') {
1945                         if (strchr(arg, '=') != NULL)
1946                                 fatal("%s line %d: Invalid environment name.",
1947                                     filename, linenum);
1948                         if (!*activep)
1949                                 continue;
1950                         array_append(filename, linenum, "AcceptEnv",
1951                             &options->accept_env, &options->num_accept_env,
1952                             arg);
1953                 }
1954                 break;
1955
1956         case sSetEnv:
1957                 uvalue = options->num_setenv;
1958                 while ((arg = strdelimw(&cp)) && *arg != '\0') {
1959                         if (strchr(arg, '=') == NULL)
1960                                 fatal("%s line %d: Invalid environment.",
1961                                     filename, linenum);
1962                         if (!*activep || uvalue != 0)
1963                                 continue;
1964                         array_append(filename, linenum, "SetEnv",
1965                             &options->setenv, &options->num_setenv, arg);
1966                 }
1967                 break;
1968
1969         case sPermitTunnel:
1970                 intptr = &options->permit_tun;
1971                 arg = strdelim(&cp);
1972                 if (!arg || *arg == '\0')
1973                         fatal("%s line %d: Missing yes/point-to-point/"
1974                             "ethernet/no argument.", filename, linenum);
1975                 value = -1;
1976                 for (i = 0; tunmode_desc[i].val != -1; i++)
1977                         if (strcmp(tunmode_desc[i].text, arg) == 0) {
1978                                 value = tunmode_desc[i].val;
1979                                 break;
1980                         }
1981                 if (value == -1)
1982                         fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1983                             "no argument: %s", filename, linenum, arg);
1984                 if (*activep && *intptr == -1)
1985                         *intptr = value;
1986                 break;
1987
1988         case sInclude:
1989                 if (cmdline) {
1990                         fatal("Include directive not supported as a "
1991                             "command-line option");
1992                 }
1993                 value = 0;
1994                 while ((arg2 = strdelim(&cp)) != NULL && *arg2 != '\0') {
1995                         value++;
1996                         found = 0;
1997                         if (*arg2 != '/' && *arg2 != '~') {
1998                                 xasprintf(&arg, "%s/%s", SSHDIR, arg2);
1999                         } else
2000                                 arg = xstrdup(arg2);
2001
2002                         /*
2003                          * Don't let included files clobber the containing
2004                          * file's Match state.
2005                          */
2006                         oactive = *activep;
2007
2008                         /* consult cache of include files */
2009                         TAILQ_FOREACH(item, includes, entry) {
2010                                 if (strcmp(item->selector, arg) != 0)
2011                                         continue;
2012                                 if (item->filename != NULL) {
2013                                         parse_server_config_depth(options,
2014                                             item->filename, item->contents,
2015                                             includes, connectinfo,
2016                                             (oactive ? 0 : SSHCFG_NEVERMATCH),
2017                                             activep, depth + 1);
2018                                 }
2019                                 found = 1;
2020                                 *activep = oactive;
2021                         }
2022                         if (found != 0) {
2023                                 free(arg);
2024                                 continue;
2025                         }
2026
2027                         /* requested glob was not in cache */
2028                         debug2("%s line %d: new include %s",
2029                             filename, linenum, arg);
2030                         if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2031                                 if (r != GLOB_NOMATCH) {
2032                                         fatal("%s line %d: include \"%s\" "
2033                                             "glob failed", filename,
2034                                             linenum, arg);
2035                                 }
2036                                 /*
2037                                  * If no entry matched then record a
2038                                  * placeholder to skip later glob calls.
2039                                  */
2040                                 debug2("%s line %d: no match for %s",
2041                                     filename, linenum, arg);
2042                                 item = xcalloc(1, sizeof(*item));
2043                                 item->selector = strdup(arg);
2044                                 TAILQ_INSERT_TAIL(includes,
2045                                     item, entry);
2046                         }
2047                         if (gbuf.gl_pathc > INT_MAX)
2048                                 fatal("%s: too many glob results", __func__);
2049                         for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2050                                 debug2("%s line %d: including %s",
2051                                     filename, linenum, gbuf.gl_pathv[n]);
2052                                 item = xcalloc(1, sizeof(*item));
2053                                 item->selector = strdup(arg);
2054                                 item->filename = strdup(gbuf.gl_pathv[n]);
2055                                 if ((item->contents = sshbuf_new()) == NULL) {
2056                                         fatal("%s: sshbuf_new failed",
2057                                             __func__);
2058                                 }
2059                                 load_server_config(item->filename,
2060                                     item->contents);
2061                                 parse_server_config_depth(options,
2062                                     item->filename, item->contents,
2063                                     includes, connectinfo,
2064                                     (oactive ? 0 : SSHCFG_NEVERMATCH),
2065                                     activep, depth + 1);
2066                                 *activep = oactive;
2067                                 TAILQ_INSERT_TAIL(includes, item, entry);
2068                         }
2069                         globfree(&gbuf);
2070                         free(arg);
2071                 }
2072                 if (value == 0) {
2073                         fatal("%s line %d: Include missing filename argument",
2074                             filename, linenum);
2075                 }
2076                 break;
2077
2078         case sMatch:
2079                 if (cmdline)
2080                         fatal("Match directive not supported as a command-line "
2081                            "option");
2082                 value = match_cfg_line(&cp, linenum, connectinfo);
2083                 if (value < 0)
2084                         fatal("%s line %d: Bad Match condition", filename,
2085                             linenum);
2086                 *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2087                 break;
2088
2089         case sPermitListen:
2090         case sPermitOpen:
2091                 if (opcode == sPermitListen) {
2092                         uintptr = &options->num_permitted_listens;
2093                         chararrayptr = &options->permitted_listens;
2094                 } else {
2095                         uintptr = &options->num_permitted_opens;
2096                         chararrayptr = &options->permitted_opens;
2097                 }
2098                 arg = strdelim(&cp);
2099                 if (!arg || *arg == '\0')
2100                         fatal("%s line %d: missing %s specification",
2101                             filename, linenum, lookup_opcode_name(opcode));
2102                 uvalue = *uintptr;      /* modified later */
2103                 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2104                         if (*activep && uvalue == 0) {
2105                                 *uintptr = 1;
2106                                 *chararrayptr = xcalloc(1,
2107                                     sizeof(**chararrayptr));
2108                                 (*chararrayptr)[0] = xstrdup(arg);
2109                         }
2110                         break;
2111                 }
2112                 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
2113                         if (opcode == sPermitListen &&
2114                             strchr(arg, ':') == NULL) {
2115                                 /*
2116                                  * Allow bare port number for PermitListen
2117                                  * to indicate a wildcard listen host.
2118                                  */
2119                                 xasprintf(&arg2, "*:%s", arg);
2120                         } else {
2121                                 arg2 = xstrdup(arg);
2122                                 ch = '\0';
2123                                 p = hpdelim2(&arg, &ch);
2124                                 if (p == NULL || ch == '/') {
2125                                         fatal("%s line %d: missing host in %s",
2126                                             filename, linenum,
2127                                             lookup_opcode_name(opcode));
2128                                 }
2129                                 p = cleanhostname(p);
2130                         }
2131                         if (arg == NULL ||
2132                             ((port = permitopen_port(arg)) < 0)) {
2133                                 fatal("%s line %d: bad port number in %s",
2134                                     filename, linenum,
2135                                     lookup_opcode_name(opcode));
2136                         }
2137                         if (*activep && uvalue == 0) {
2138                                 array_append(filename, linenum,
2139                                     lookup_opcode_name(opcode),
2140                                     chararrayptr, uintptr, arg2);
2141                         }
2142                         free(arg2);
2143                 }
2144                 break;
2145
2146         case sForceCommand:
2147                 if (cp == NULL || *cp == '\0')
2148                         fatal("%.200s line %d: Missing argument.", filename,
2149                             linenum);
2150                 len = strspn(cp, WHITESPACE);
2151                 if (*activep && options->adm_forced_command == NULL)
2152                         options->adm_forced_command = xstrdup(cp + len);
2153                 return 0;
2154
2155         case sChrootDirectory:
2156                 charptr = &options->chroot_directory;
2157
2158                 arg = strdelim(&cp);
2159                 if (!arg || *arg == '\0')
2160                         fatal("%s line %d: missing file name.",
2161                             filename, linenum);
2162                 if (*activep && *charptr == NULL)
2163                         *charptr = xstrdup(arg);
2164                 break;
2165
2166         case sTrustedUserCAKeys:
2167                 charptr = &options->trusted_user_ca_keys;
2168                 goto parse_filename;
2169
2170         case sRevokedKeys:
2171                 charptr = &options->revoked_keys_file;
2172                 goto parse_filename;
2173
2174         case sSecurityKeyProvider:
2175                 charptr = &options->sk_provider;
2176                 arg = strdelim(&cp);
2177                 if (!arg || *arg == '\0')
2178                         fatal("%s line %d: missing file name.",
2179                             filename, linenum);
2180                 if (*activep && *charptr == NULL) {
2181                         *charptr = strcasecmp(arg, "internal") == 0 ?
2182                             xstrdup(arg) : derelativise_path(arg);
2183                         /* increase optional counter */
2184                         if (intptr != NULL)
2185                                 *intptr = *intptr + 1;
2186                 }
2187                 break;
2188
2189         case sIPQoS:
2190                 arg = strdelim(&cp);
2191                 if ((value = parse_ipqos(arg)) == -1)
2192                         fatal("%s line %d: Bad IPQoS value: %s",
2193                             filename, linenum, arg);
2194                 arg = strdelim(&cp);
2195                 if (arg == NULL)
2196                         value2 = value;
2197                 else if ((value2 = parse_ipqos(arg)) == -1)
2198                         fatal("%s line %d: Bad IPQoS value: %s",
2199                             filename, linenum, arg);
2200                 if (*activep) {
2201                         options->ip_qos_interactive = value;
2202                         options->ip_qos_bulk = value2;
2203                 }
2204                 break;
2205
2206         case sVersionAddendum:
2207                 if (cp == NULL || *cp == '\0')
2208                         fatal("%.200s line %d: Missing argument.", filename,
2209                             linenum);
2210                 len = strspn(cp, WHITESPACE);
2211                 if (*activep && options->version_addendum == NULL) {
2212                         if (strcasecmp(cp + len, "none") == 0)
2213                                 options->version_addendum = xstrdup("");
2214                         else if (strchr(cp + len, '\r') != NULL)
2215                                 fatal("%.200s line %d: Invalid argument",
2216                                     filename, linenum);
2217                         else
2218                                 options->version_addendum = xstrdup(cp + len);
2219                 }
2220                 return 0;
2221
2222         case sAuthorizedKeysCommand:
2223                 if (cp == NULL)
2224                         fatal("%.200s line %d: Missing argument.", filename,
2225                             linenum);
2226                 len = strspn(cp, WHITESPACE);
2227                 if (*activep && options->authorized_keys_command == NULL) {
2228                         if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
2229                                 fatal("%.200s line %d: AuthorizedKeysCommand "
2230                                     "must be an absolute path",
2231                                     filename, linenum);
2232                         options->authorized_keys_command = xstrdup(cp + len);
2233                 }
2234                 return 0;
2235
2236         case sAuthorizedKeysCommandUser:
2237                 charptr = &options->authorized_keys_command_user;
2238
2239                 arg = strdelim(&cp);
2240                 if (!arg || *arg == '\0')
2241                         fatal("%s line %d: missing AuthorizedKeysCommandUser "
2242                             "argument.", filename, linenum);
2243                 if (*activep && *charptr == NULL)
2244                         *charptr = xstrdup(arg);
2245                 break;
2246
2247         case sAuthorizedPrincipalsCommand:
2248                 if (cp == NULL)
2249                         fatal("%.200s line %d: Missing argument.", filename,
2250                             linenum);
2251                 len = strspn(cp, WHITESPACE);
2252                 if (*activep &&
2253                     options->authorized_principals_command == NULL) {
2254                         if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
2255                                 fatal("%.200s line %d: "
2256                                     "AuthorizedPrincipalsCommand must be "
2257                                     "an absolute path", filename, linenum);
2258                         options->authorized_principals_command =
2259                             xstrdup(cp + len);
2260                 }
2261                 return 0;
2262
2263         case sAuthorizedPrincipalsCommandUser:
2264                 charptr = &options->authorized_principals_command_user;
2265
2266                 arg = strdelim(&cp);
2267                 if (!arg || *arg == '\0')
2268                         fatal("%s line %d: missing "
2269                             "AuthorizedPrincipalsCommandUser argument.",
2270                             filename, linenum);
2271                 if (*activep && *charptr == NULL)
2272                         *charptr = xstrdup(arg);
2273                 break;
2274
2275         case sAuthenticationMethods:
2276                 if (options->num_auth_methods == 0) {
2277                         value = 0; /* seen "any" pseudo-method */
2278                         value2 = 0; /* successfully parsed any method */
2279                         while ((arg = strdelim(&cp)) && *arg != '\0') {
2280                                 if (strcmp(arg, "any") == 0) {
2281                                         if (options->num_auth_methods > 0) {
2282                                                 fatal("%s line %d: \"any\" "
2283                                                     "must appear alone in "
2284                                                     "AuthenticationMethods",
2285                                                     filename, linenum);
2286                                         }
2287                                         value = 1;
2288                                 } else if (value) {
2289                                         fatal("%s line %d: \"any\" must appear "
2290                                             "alone in AuthenticationMethods",
2291                                             filename, linenum);
2292                                 } else if (auth2_methods_valid(arg, 0) != 0) {
2293                                         fatal("%s line %d: invalid "
2294                                             "authentication method list.",
2295                                             filename, linenum);
2296                                 }
2297                                 value2 = 1;
2298                                 if (!*activep)
2299                                         continue;
2300                                 array_append(filename, linenum,
2301                                     "AuthenticationMethods",
2302                                     &options->auth_methods,
2303                                     &options->num_auth_methods, arg);
2304                         }
2305                         if (value2 == 0) {
2306                                 fatal("%s line %d: no AuthenticationMethods "
2307                                     "specified", filename, linenum);
2308                         }
2309                 }
2310                 return 0;
2311
2312         case sStreamLocalBindMask:
2313                 arg = strdelim(&cp);
2314                 if (!arg || *arg == '\0')
2315                         fatal("%s line %d: missing StreamLocalBindMask "
2316                             "argument.", filename, linenum);
2317                 /* Parse mode in octal format */
2318                 value = strtol(arg, &p, 8);
2319                 if (arg == p || value < 0 || value > 0777)
2320                         fatal("%s line %d: Bad mask.", filename, linenum);
2321                 if (*activep)
2322                         options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2323                 break;
2324
2325         case sStreamLocalBindUnlink:
2326                 intptr = &options->fwd_opts.streamlocal_bind_unlink;
2327                 goto parse_flag;
2328
2329         case sFingerprintHash:
2330                 arg = strdelim(&cp);
2331                 if (!arg || *arg == '\0')
2332                         fatal("%.200s line %d: Missing argument.",
2333                             filename, linenum);
2334                 if ((value = ssh_digest_alg_by_name(arg)) == -1)
2335                         fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
2336                             filename, linenum, arg);
2337                 if (*activep)
2338                         options->fingerprint_hash = value;
2339                 break;
2340
2341         case sExposeAuthInfo:
2342                 intptr = &options->expose_userauth_info;
2343                 goto parse_flag;
2344
2345         case sRDomain:
2346 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2347                 fatal("%s line %d: setting RDomain not supported on this "
2348                     "platform.", filename, linenum);
2349 #endif
2350                 charptr = &options->routing_domain;
2351                 arg = strdelim(&cp);
2352                 if (!arg || *arg == '\0')
2353                         fatal("%.200s line %d: Missing argument.",
2354                             filename, linenum);
2355                 if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2356                     !valid_rdomain(arg))
2357                         fatal("%s line %d: bad routing domain",
2358                             filename, linenum);
2359                 if (*activep && *charptr == NULL)
2360                         *charptr = xstrdup(arg);
2361                 break;
2362
2363         case sDeprecated:
2364         case sIgnore:
2365         case sUnsupported:
2366                 do_log2(opcode == sIgnore ?
2367                     SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2368                     "%s line %d: %s option %s", filename, linenum,
2369                     opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
2370                 while (arg)
2371                     arg = strdelim(&cp);
2372                 break;
2373
2374         default:
2375                 fatal("%s line %d: Missing handler for opcode %s (%d)",
2376                     filename, linenum, arg, opcode);
2377         }
2378         if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
2379                 fatal("%s line %d: garbage at end of line; \"%.200s\".",
2380                     filename, linenum, arg);
2381         return 0;
2382 }
2383
2384 int
2385 process_server_config_line(ServerOptions *options, char *line,
2386     const char *filename, int linenum, int *activep,
2387     struct connection_info *connectinfo, struct include_list *includes)
2388 {
2389         return process_server_config_line_depth(options, line, filename,
2390             linenum, activep, connectinfo, 0, 0, includes);
2391 }
2392
2393
2394 /* Reads the server configuration file. */
2395
2396 void
2397 load_server_config(const char *filename, struct sshbuf *conf)
2398 {
2399         char *line = NULL, *cp;
2400         size_t linesize = 0;
2401         FILE *f;
2402         int r, lineno = 0;
2403
2404         debug2("%s: filename %s", __func__, filename);
2405         if ((f = fopen(filename, "r")) == NULL) {
2406                 perror(filename);
2407                 exit(1);
2408         }
2409         sshbuf_reset(conf);
2410         while (getline(&line, &linesize, f) != -1) {
2411                 lineno++;
2412                 /*
2413                  * Trim out comments and strip whitespace
2414                  * NB - preserve newlines, they are needed to reproduce
2415                  * line numbers later for error messages
2416                  */
2417                 if ((cp = strchr(line, '#')) != NULL)
2418                         memcpy(cp, "\n", 2);
2419                 cp = line + strspn(line, " \t\r");
2420                 if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2421                         fatal("%s: buffer error: %s", __func__, ssh_err(r));
2422         }
2423         free(line);
2424         if ((r = sshbuf_put_u8(conf, 0)) != 0)
2425                 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2426         fclose(f);
2427         debug2("%s: done config len = %zu", __func__, sshbuf_len(conf));
2428 }
2429
2430 void
2431 parse_server_match_config(ServerOptions *options,
2432    struct include_list *includes, struct connection_info *connectinfo)
2433 {
2434         ServerOptions mo;
2435
2436         initialize_server_options(&mo);
2437         parse_server_config(&mo, "reprocess config", cfg, includes,
2438             connectinfo);
2439         copy_set_server_options(options, &mo, 0);
2440 }
2441
2442 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2443 {
2444         char *p;
2445
2446         while ((p = strsep(&spec, ",")) && *p != '\0') {
2447                 if (strncmp(p, "addr=", 5) == 0) {
2448                         ci->address = xstrdup(p + 5);
2449                 } else if (strncmp(p, "host=", 5) == 0) {
2450                         ci->host = xstrdup(p + 5);
2451                 } else if (strncmp(p, "user=", 5) == 0) {
2452                         ci->user = xstrdup(p + 5);
2453                 } else if (strncmp(p, "laddr=", 6) == 0) {
2454                         ci->laddress = xstrdup(p + 6);
2455                 } else if (strncmp(p, "rdomain=", 8) == 0) {
2456                         ci->rdomain = xstrdup(p + 8);
2457                 } else if (strncmp(p, "lport=", 6) == 0) {
2458                         ci->lport = a2port(p + 6);
2459                         if (ci->lport == -1) {
2460                                 fprintf(stderr, "Invalid port '%s' in test mode"
2461                                    " specification %s\n", p+6, p);
2462                                 return -1;
2463                         }
2464                 } else {
2465                         fprintf(stderr, "Invalid test mode specification %s\n",
2466                            p);
2467                         return -1;
2468                 }
2469         }
2470         return 0;
2471 }
2472
2473 /*
2474  * Copy any supported values that are set.
2475  *
2476  * If the preauth flag is set, we do not bother copying the string or
2477  * array values that are not used pre-authentication, because any that we
2478  * do use must be explicitly sent in mm_getpwnamallow().
2479  */
2480 void
2481 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2482 {
2483 #define M_CP_INTOPT(n) do {\
2484         if (src->n != -1) \
2485                 dst->n = src->n; \
2486 } while (0)
2487
2488         M_CP_INTOPT(password_authentication);
2489         M_CP_INTOPT(gss_authentication);
2490         M_CP_INTOPT(pubkey_authentication);
2491         M_CP_INTOPT(pubkey_auth_options);
2492         M_CP_INTOPT(kerberos_authentication);
2493         M_CP_INTOPT(hostbased_authentication);
2494         M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2495         M_CP_INTOPT(kbd_interactive_authentication);
2496         M_CP_INTOPT(permit_root_login);
2497         M_CP_INTOPT(permit_empty_passwd);
2498         M_CP_INTOPT(ignore_rhosts);
2499
2500         M_CP_INTOPT(allow_tcp_forwarding);
2501         M_CP_INTOPT(allow_streamlocal_forwarding);
2502         M_CP_INTOPT(allow_agent_forwarding);
2503         M_CP_INTOPT(disable_forwarding);
2504         M_CP_INTOPT(expose_userauth_info);
2505         M_CP_INTOPT(permit_tun);
2506         M_CP_INTOPT(fwd_opts.gateway_ports);
2507         M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2508         M_CP_INTOPT(x11_display_offset);
2509         M_CP_INTOPT(x11_forwarding);
2510         M_CP_INTOPT(x11_use_localhost);
2511         M_CP_INTOPT(permit_tty);
2512         M_CP_INTOPT(permit_user_rc);
2513         M_CP_INTOPT(max_sessions);
2514         M_CP_INTOPT(max_authtries);
2515         M_CP_INTOPT(client_alive_count_max);
2516         M_CP_INTOPT(client_alive_interval);
2517         M_CP_INTOPT(ip_qos_interactive);
2518         M_CP_INTOPT(ip_qos_bulk);
2519         M_CP_INTOPT(rekey_limit);
2520         M_CP_INTOPT(rekey_interval);
2521         M_CP_INTOPT(log_level);
2522
2523         /*
2524          * The bind_mask is a mode_t that may be unsigned, so we can't use
2525          * M_CP_INTOPT - it does a signed comparison that causes compiler
2526          * warnings.
2527          */
2528         if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2529                 dst->fwd_opts.streamlocal_bind_mask =
2530                     src->fwd_opts.streamlocal_bind_mask;
2531         }
2532
2533         /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2534 #define M_CP_STROPT(n) do {\
2535         if (src->n != NULL && dst->n != src->n) { \
2536                 free(dst->n); \
2537                 dst->n = src->n; \
2538         } \
2539 } while(0)
2540 #define M_CP_STRARRAYOPT(s, num_s) do {\
2541         u_int i; \
2542         if (src->num_s != 0) { \
2543                 for (i = 0; i < dst->num_s; i++) \
2544                         free(dst->s[i]); \
2545                 free(dst->s); \
2546                 dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2547                 for (i = 0; i < src->num_s; i++) \
2548                         dst->s[i] = xstrdup(src->s[i]); \
2549                 dst->num_s = src->num_s; \
2550         } \
2551 } while(0)
2552
2553         /* See comment in servconf.h */
2554         COPY_MATCH_STRING_OPTS();
2555
2556         /* Arguments that accept '+...' need to be expanded */
2557         assemble_algorithms(dst);
2558
2559         /*
2560          * The only things that should be below this point are string options
2561          * which are only used after authentication.
2562          */
2563         if (preauth)
2564                 return;
2565
2566         /* These options may be "none" to clear a global setting */
2567         M_CP_STROPT(adm_forced_command);
2568         if (option_clear_or_none(dst->adm_forced_command)) {
2569                 free(dst->adm_forced_command);
2570                 dst->adm_forced_command = NULL;
2571         }
2572         M_CP_STROPT(chroot_directory);
2573         if (option_clear_or_none(dst->chroot_directory)) {
2574                 free(dst->chroot_directory);
2575                 dst->chroot_directory = NULL;
2576         }
2577 }
2578
2579 #undef M_CP_INTOPT
2580 #undef M_CP_STROPT
2581 #undef M_CP_STRARRAYOPT
2582
2583 #define SERVCONF_MAX_DEPTH      16
2584 void
2585 parse_server_config_depth(ServerOptions *options, const char *filename,
2586     struct sshbuf *conf, struct include_list *includes,
2587     struct connection_info *connectinfo, int flags, int *activep, int depth)
2588 {
2589         int linenum, bad_options = 0;
2590         char *cp, *obuf, *cbuf;
2591
2592         if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2593                 fatal("Too many recursive configuration includes");
2594
2595         debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
2596
2597         if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2598                 fatal("%s: sshbuf_dup_string failed", __func__);
2599         linenum = 1;
2600         while ((cp = strsep(&cbuf, "\n")) != NULL) {
2601                 if (process_server_config_line_depth(options, cp,
2602                     filename, linenum++, activep, connectinfo, flags,
2603                     depth, includes) != 0)
2604                         bad_options++;
2605         }
2606         free(obuf);
2607         if (bad_options > 0)
2608                 fatal("%s: terminating, %d bad configuration options",
2609                     filename, bad_options);
2610         process_queued_listen_addrs(options);
2611 }
2612
2613 void
2614 parse_server_config(ServerOptions *options, const char *filename,
2615     struct sshbuf *conf, struct include_list *includes,
2616     struct connection_info *connectinfo)
2617 {
2618         int active = connectinfo ? 0 : 1;
2619         parse_server_config_depth(options, filename, conf, includes,
2620             connectinfo, 0, &active, 0);
2621 }
2622
2623 static const char *
2624 fmt_multistate_int(int val, const struct multistate *m)
2625 {
2626         u_int i;
2627
2628         for (i = 0; m[i].key != NULL; i++) {
2629                 if (m[i].value == val)
2630                         return m[i].key;
2631         }
2632         return "UNKNOWN";
2633 }
2634
2635 static const char *
2636 fmt_intarg(ServerOpCodes code, int val)
2637 {
2638         if (val == -1)
2639                 return "unset";
2640         switch (code) {
2641         case sAddressFamily:
2642                 return fmt_multistate_int(val, multistate_addressfamily);
2643         case sPermitRootLogin:
2644                 return fmt_multistate_int(val, multistate_permitrootlogin);
2645         case sGatewayPorts:
2646                 return fmt_multistate_int(val, multistate_gatewayports);
2647         case sCompression:
2648                 return fmt_multistate_int(val, multistate_compression);
2649         case sAllowTcpForwarding:
2650                 return fmt_multistate_int(val, multistate_tcpfwd);
2651         case sAllowStreamLocalForwarding:
2652                 return fmt_multistate_int(val, multistate_tcpfwd);
2653         case sIgnoreRhosts:
2654                 return fmt_multistate_int(val, multistate_ignore_rhosts);
2655         case sFingerprintHash:
2656                 return ssh_digest_alg_name(val);
2657         default:
2658                 switch (val) {
2659                 case 0:
2660                         return "no";
2661                 case 1:
2662                         return "yes";
2663                 default:
2664                         return "UNKNOWN";
2665                 }
2666         }
2667 }
2668
2669 static void
2670 dump_cfg_int(ServerOpCodes code, int val)
2671 {
2672         printf("%s %d\n", lookup_opcode_name(code), val);
2673 }
2674
2675 static void
2676 dump_cfg_oct(ServerOpCodes code, int val)
2677 {
2678         printf("%s 0%o\n", lookup_opcode_name(code), val);
2679 }
2680
2681 static void
2682 dump_cfg_fmtint(ServerOpCodes code, int val)
2683 {
2684         printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2685 }
2686
2687 static void
2688 dump_cfg_string(ServerOpCodes code, const char *val)
2689 {
2690         printf("%s %s\n", lookup_opcode_name(code),
2691             val == NULL ? "none" : val);
2692 }
2693
2694 static void
2695 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2696 {
2697         u_int i;
2698
2699         for (i = 0; i < count; i++)
2700                 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2701 }
2702
2703 static void
2704 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2705 {
2706         u_int i;
2707
2708         if (count <= 0 && code != sAuthenticationMethods)
2709                 return;
2710         printf("%s", lookup_opcode_name(code));
2711         for (i = 0; i < count; i++)
2712                 printf(" %s",  vals[i]);
2713         if (code == sAuthenticationMethods && count == 0)
2714                 printf(" any");
2715         printf("\n");
2716 }
2717
2718 static char *
2719 format_listen_addrs(struct listenaddr *la)
2720 {
2721         int r;
2722         struct addrinfo *ai;
2723         char addr[NI_MAXHOST], port[NI_MAXSERV];
2724         char *laddr1 = xstrdup(""), *laddr2 = NULL;
2725
2726         /*
2727          * ListenAddress must be after Port.  add_one_listen_addr pushes
2728          * addresses onto a stack, so to maintain ordering we need to
2729          * print these in reverse order.
2730          */
2731         for (ai = la->addrs; ai; ai = ai->ai_next) {
2732                 if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2733                     sizeof(addr), port, sizeof(port),
2734                     NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2735                         error("getnameinfo: %.100s", ssh_gai_strerror(r));
2736                         continue;
2737                 }
2738                 laddr2 = laddr1;
2739                 if (ai->ai_family == AF_INET6) {
2740                         xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2741                             addr, port,
2742                             la->rdomain == NULL ? "" : " rdomain ",
2743                             la->rdomain == NULL ? "" : la->rdomain,
2744                             laddr2);
2745                 } else {
2746                         xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2747                             addr, port,
2748                             la->rdomain == NULL ? "" : " rdomain ",
2749                             la->rdomain == NULL ? "" : la->rdomain,
2750                             laddr2);
2751                 }
2752                 free(laddr2);
2753         }
2754         return laddr1;
2755 }
2756
2757 void
2758 dump_config(ServerOptions *o)
2759 {
2760         char *s;
2761         u_int i;
2762
2763         /* these are usually at the top of the config */
2764         for (i = 0; i < o->num_ports; i++)
2765                 printf("port %d\n", o->ports[i]);
2766         dump_cfg_fmtint(sAddressFamily, o->address_family);
2767
2768         for (i = 0; i < o->num_listen_addrs; i++) {
2769                 s = format_listen_addrs(&o->listen_addrs[i]);
2770                 printf("%s", s);
2771                 free(s);
2772         }
2773
2774         /* integer arguments */
2775 #ifdef USE_PAM
2776         dump_cfg_fmtint(sUsePAM, o->use_pam);
2777 #endif
2778         dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2779         dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2780         dump_cfg_int(sMaxAuthTries, o->max_authtries);
2781         dump_cfg_int(sMaxSessions, o->max_sessions);
2782         dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2783         dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2784         dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2785
2786         /* formatted integer arguments */
2787         dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2788         dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2789         dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2790         dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2791         dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2792             o->hostbased_uses_name_from_packet_only);
2793         dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2794 #ifdef KRB5
2795         dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2796         dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2797         dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2798 # ifdef USE_AFS
2799         dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2800 # endif
2801 #endif
2802 #ifdef GSSAPI
2803         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2804         dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2805 #endif
2806         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2807         dump_cfg_fmtint(sKbdInteractiveAuthentication,
2808             o->kbd_interactive_authentication);
2809         dump_cfg_fmtint(sChallengeResponseAuthentication,
2810             o->challenge_response_authentication);
2811         dump_cfg_fmtint(sPrintMotd, o->print_motd);
2812 #ifndef DISABLE_LASTLOG
2813         dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2814 #endif
2815         dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2816         dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2817         dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2818         dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2819         dump_cfg_fmtint(sStrictModes, o->strict_modes);
2820         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2821         dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2822         dump_cfg_fmtint(sCompression, o->compression);
2823         dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2824         dump_cfg_fmtint(sUseDNS, o->use_dns);
2825         dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2826         dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2827         dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2828         dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2829         dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2830         dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2831         dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2832
2833         /* string arguments */
2834         dump_cfg_string(sPidFile, o->pid_file);
2835         dump_cfg_string(sXAuthLocation, o->xauth_location);
2836         dump_cfg_string(sCiphers, o->ciphers);
2837         dump_cfg_string(sMacs, o->macs);
2838         dump_cfg_string(sBanner, o->banner);
2839         dump_cfg_string(sForceCommand, o->adm_forced_command);
2840         dump_cfg_string(sChrootDirectory, o->chroot_directory);
2841         dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2842         dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2843         dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
2844         dump_cfg_string(sAuthorizedPrincipalsFile,
2845             o->authorized_principals_file);
2846         dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2847             ? "none" : o->version_addendum);
2848         dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2849         dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2850         dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2851         dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2852         dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2853         dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
2854         dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
2855         dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
2856         dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
2857         dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
2858 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2859         dump_cfg_string(sRDomain, o->routing_domain);
2860 #endif
2861
2862         /* string arguments requiring a lookup */
2863         dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2864         dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2865
2866         /* string array arguments */
2867         dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2868             o->authorized_keys_files);
2869         dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2870              o->host_key_files);
2871         dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2872              o->host_cert_files);
2873         dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2874         dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2875         dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2876         dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2877         dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2878         dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
2879         dump_cfg_strarray_oneline(sAuthenticationMethods,
2880             o->num_auth_methods, o->auth_methods);
2881
2882         /* other arguments */
2883         for (i = 0; i < o->num_subsystems; i++)
2884                 printf("subsystem %s %s\n", o->subsystem_name[i],
2885                     o->subsystem_args[i]);
2886
2887         printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2888             o->max_startups_rate, o->max_startups);
2889
2890         s = NULL;
2891         for (i = 0; tunmode_desc[i].val != -1; i++) {
2892                 if (tunmode_desc[i].val == o->permit_tun) {
2893                         s = tunmode_desc[i].text;
2894                         break;
2895                 }
2896         }
2897         dump_cfg_string(sPermitTunnel, s);
2898
2899         printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2900         printf("%s\n", iptos2str(o->ip_qos_bulk));
2901
2902         printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2903             o->rekey_interval);
2904
2905         printf("permitopen");
2906         if (o->num_permitted_opens == 0)
2907                 printf(" any");
2908         else {
2909                 for (i = 0; i < o->num_permitted_opens; i++)
2910                         printf(" %s", o->permitted_opens[i]);
2911         }
2912         printf("\n");
2913         printf("permitlisten");
2914         if (o->num_permitted_listens == 0)
2915                 printf(" any");
2916         else {
2917                 for (i = 0; i < o->num_permitted_listens; i++)
2918                         printf(" %s", o->permitted_listens[i]);
2919         }
2920         printf("\n");
2921
2922         if (o->permit_user_env_whitelist == NULL) {
2923                 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2924         } else {
2925                 printf("permituserenvironment %s\n",
2926                     o->permit_user_env_whitelist);
2927         }
2928
2929         printf("pubkeyauthoptions");
2930         if (o->pubkey_auth_options == 0)
2931                 printf(" none");
2932         if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
2933                 printf(" touch-required");
2934         printf("\n");
2935 }