1 /* $OpenBSD: servconf.c,v 1.213 2010/11/13 23:27:50 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <netinet/in_systm.h>
20 #include <netinet/ip.h>
32 #include "openbsd-compat/sys-queue.h"
39 #include "pathnames.h"
47 #include "groupaccess.h"
50 static void add_listen_addr(ServerOptions *, char *, int);
51 static void add_one_listen_addr(ServerOptions *, char *, int);
53 /* Use of privilege separation or not */
54 extern int use_privsep;
57 /* Initializes the server options to their default values. */
60 initialize_server_options(ServerOptions *options)
62 memset(options, 0, sizeof(*options));
64 /* Portable-specific options */
65 options->use_pam = -1;
67 /* Standard Options */
68 options->num_ports = 0;
69 options->ports_from_cmdline = 0;
70 options->listen_addrs = NULL;
71 options->address_family = -1;
72 options->num_host_key_files = 0;
73 options->num_host_cert_files = 0;
74 options->pid_file = NULL;
75 options->server_key_bits = -1;
76 options->login_grace_time = -1;
77 options->key_regeneration_time = -1;
78 options->permit_root_login = PERMIT_NOT_SET;
79 options->ignore_rhosts = -1;
80 options->ignore_user_known_hosts = -1;
81 options->print_motd = -1;
82 options->print_lastlog = -1;
83 options->x11_forwarding = -1;
84 options->x11_display_offset = -1;
85 options->x11_use_localhost = -1;
86 options->xauth_location = NULL;
87 options->strict_modes = -1;
88 options->tcp_keep_alive = -1;
89 options->log_facility = SYSLOG_FACILITY_NOT_SET;
90 options->log_level = SYSLOG_LEVEL_NOT_SET;
91 options->rhosts_rsa_authentication = -1;
92 options->hostbased_authentication = -1;
93 options->hostbased_uses_name_from_packet_only = -1;
94 options->rsa_authentication = -1;
95 options->pubkey_authentication = -1;
96 options->kerberos_authentication = -1;
97 options->kerberos_or_local_passwd = -1;
98 options->kerberos_ticket_cleanup = -1;
99 options->kerberos_get_afs_token = -1;
100 options->gss_authentication=-1;
101 options->gss_cleanup_creds = -1;
102 options->password_authentication = -1;
103 options->kbd_interactive_authentication = -1;
104 options->challenge_response_authentication = -1;
105 options->permit_blacklisted_keys = -1;
106 options->permit_empty_passwd = -1;
107 options->permit_user_env = -1;
108 options->use_login = -1;
109 options->compression = -1;
110 options->allow_tcp_forwarding = -1;
111 options->allow_agent_forwarding = -1;
112 options->num_allow_users = 0;
113 options->num_deny_users = 0;
114 options->num_allow_groups = 0;
115 options->num_deny_groups = 0;
116 options->ciphers = NULL;
117 options->macs = NULL;
118 options->kex_algorithms = NULL;
119 options->protocol = SSH_PROTO_UNKNOWN;
120 options->gateway_ports = -1;
121 options->num_subsystems = 0;
122 options->max_startups_begin = -1;
123 options->max_startups_rate = -1;
124 options->max_startups = -1;
125 options->max_authtries = -1;
126 options->max_sessions = -1;
127 options->banner = NULL;
128 options->use_dns = -1;
129 options->client_alive_interval = -1;
130 options->client_alive_count_max = -1;
131 options->authorized_keys_file = NULL;
132 options->authorized_keys_file2 = NULL;
133 options->num_accept_env = 0;
134 options->permit_tun = -1;
135 options->num_permitted_opens = -1;
136 options->adm_forced_command = NULL;
137 options->chroot_directory = NULL;
138 options->zero_knowledge_password_authentication = -1;
139 options->none_enabled = -1;
140 options->tcp_rcv_buf_poll = -1;
141 options->hpn_disabled = -1;
142 options->hpn_buffer_size = -1;
143 options->revoked_keys_file = NULL;
144 options->trusted_user_ca_keys = NULL;
145 options->authorized_principals_file = NULL;
146 options->ip_qos_interactive = -1;
147 options->ip_qos_bulk = -1;
151 fill_default_server_options(ServerOptions *options)
153 /* needed for hpn socket tests */
156 int socksizelen = sizeof(int);
158 /* Portable-specific options */
159 if (options->use_pam == -1)
160 options->use_pam = 0;
162 /* Standard Options */
163 if (options->protocol == SSH_PROTO_UNKNOWN)
164 options->protocol = SSH_PROTO_2;
165 if (options->num_host_key_files == 0) {
166 /* fill default hostkeys for protocols */
167 if (options->protocol & SSH_PROTO_1)
168 options->host_key_files[options->num_host_key_files++] =
170 if (options->protocol & SSH_PROTO_2) {
171 options->host_key_files[options->num_host_key_files++] =
172 _PATH_HOST_RSA_KEY_FILE;
173 options->host_key_files[options->num_host_key_files++] =
174 _PATH_HOST_DSA_KEY_FILE;
175 #ifdef OPENSSL_HAS_ECC
176 options->host_key_files[options->num_host_key_files++] =
177 _PATH_HOST_ECDSA_KEY_FILE;
181 /* No certificates by default */
182 if (options->num_ports == 0)
183 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
184 if (options->listen_addrs == NULL)
185 add_listen_addr(options, NULL, 0);
186 if (options->pid_file == NULL)
187 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
188 if (options->server_key_bits == -1)
189 options->server_key_bits = 1024;
190 if (options->login_grace_time == -1)
191 options->login_grace_time = 120;
192 if (options->key_regeneration_time == -1)
193 options->key_regeneration_time = 3600;
194 if (options->permit_root_login == PERMIT_NOT_SET)
195 options->permit_root_login = PERMIT_NO;
196 if (options->ignore_rhosts == -1)
197 options->ignore_rhosts = 1;
198 if (options->ignore_user_known_hosts == -1)
199 options->ignore_user_known_hosts = 0;
200 if (options->print_motd == -1)
201 options->print_motd = 1;
202 if (options->print_lastlog == -1)
203 options->print_lastlog = 1;
204 if (options->x11_forwarding == -1)
205 options->x11_forwarding = 1;
206 if (options->x11_display_offset == -1)
207 options->x11_display_offset = 10;
208 if (options->x11_use_localhost == -1)
209 options->x11_use_localhost = 1;
210 if (options->xauth_location == NULL)
211 options->xauth_location = _PATH_XAUTH;
212 if (options->strict_modes == -1)
213 options->strict_modes = 1;
214 if (options->tcp_keep_alive == -1)
215 options->tcp_keep_alive = 1;
216 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
217 options->log_facility = SYSLOG_FACILITY_AUTH;
218 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
219 options->log_level = SYSLOG_LEVEL_INFO;
220 if (options->rhosts_rsa_authentication == -1)
221 options->rhosts_rsa_authentication = 0;
222 if (options->hostbased_authentication == -1)
223 options->hostbased_authentication = 0;
224 if (options->hostbased_uses_name_from_packet_only == -1)
225 options->hostbased_uses_name_from_packet_only = 0;
226 if (options->rsa_authentication == -1)
227 options->rsa_authentication = 1;
228 if (options->pubkey_authentication == -1)
229 options->pubkey_authentication = 1;
230 if (options->kerberos_authentication == -1)
231 options->kerberos_authentication = 0;
232 if (options->kerberos_or_local_passwd == -1)
233 options->kerberos_or_local_passwd = 1;
234 if (options->kerberos_ticket_cleanup == -1)
235 options->kerberos_ticket_cleanup = 1;
236 if (options->kerberos_get_afs_token == -1)
237 options->kerberos_get_afs_token = 0;
238 if (options->gss_authentication == -1)
239 options->gss_authentication = 0;
240 if (options->gss_cleanup_creds == -1)
241 options->gss_cleanup_creds = 1;
242 if (options->password_authentication == -1)
243 options->password_authentication = 1;
244 if (options->kbd_interactive_authentication == -1)
245 options->kbd_interactive_authentication = 0;
246 if (options->challenge_response_authentication == -1)
247 options->challenge_response_authentication = 1;
248 if (options->permit_blacklisted_keys == -1)
249 options->permit_blacklisted_keys = 0;
250 if (options->permit_empty_passwd == -1)
251 options->permit_empty_passwd = 0;
252 if (options->permit_user_env == -1)
253 options->permit_user_env = 0;
254 if (options->use_login == -1)
255 options->use_login = 0;
256 if (options->compression == -1)
257 options->compression = COMP_DELAYED;
258 if (options->allow_tcp_forwarding == -1)
259 options->allow_tcp_forwarding = 1;
260 if (options->allow_agent_forwarding == -1)
261 options->allow_agent_forwarding = 1;
262 if (options->gateway_ports == -1)
263 options->gateway_ports = 0;
264 if (options->max_startups == -1)
265 options->max_startups = 10;
266 if (options->max_startups_rate == -1)
267 options->max_startups_rate = 100; /* 100% */
268 if (options->max_startups_begin == -1)
269 options->max_startups_begin = options->max_startups;
270 if (options->max_authtries == -1)
271 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
272 if (options->max_sessions == -1)
273 options->max_sessions = DEFAULT_SESSIONS_MAX;
274 if (options->use_dns == -1)
275 options->use_dns = 1;
276 if (options->client_alive_interval == -1)
277 options->client_alive_interval = 0;
278 if (options->client_alive_count_max == -1)
279 options->client_alive_count_max = 3;
280 if (options->authorized_keys_file2 == NULL) {
281 /* authorized_keys_file2 falls back to authorized_keys_file */
282 if (options->authorized_keys_file != NULL)
283 options->authorized_keys_file2 = xstrdup(options->authorized_keys_file);
285 options->authorized_keys_file2 = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
287 if (options->authorized_keys_file == NULL)
288 options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
289 if (options->permit_tun == -1)
290 options->permit_tun = SSH_TUNMODE_NO;
291 if (options->zero_knowledge_password_authentication == -1)
292 options->zero_knowledge_password_authentication = 0;
293 if (options->ip_qos_interactive == -1)
294 options->ip_qos_interactive = IPTOS_LOWDELAY;
295 if (options->ip_qos_bulk == -1)
296 options->ip_qos_bulk = IPTOS_THROUGHPUT;
298 if (options->hpn_disabled == -1)
299 options->hpn_disabled = 0;
301 if (options->hpn_buffer_size == -1) {
302 /* option not explicitly set. Now we have to figure out */
303 /* what value to use */
304 if (options->hpn_disabled == 1) {
305 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
307 /* get the current RCV size and set it to that */
308 /*create a socket but don't connect it */
309 /* we use that the get the rcv socket size */
310 sock = socket(AF_INET, SOCK_STREAM, 0);
311 getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
312 &socksize, &socksizelen);
314 options->hpn_buffer_size = socksize;
315 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
319 /* we have to do this incase the user sets both values in a contradictory */
320 /* manner. hpn_disabled overrrides hpn_buffer_size*/
321 if (options->hpn_disabled <= 0) {
322 if (options->hpn_buffer_size == 0)
323 options->hpn_buffer_size = 1;
324 /* limit the maximum buffer to 64MB */
325 if (options->hpn_buffer_size > 64*1024) {
326 options->hpn_buffer_size = 64*1024*1024;
328 options->hpn_buffer_size *= 1024;
331 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
334 /* Turn privilege separation on by default */
335 if (use_privsep == -1)
339 if (use_privsep && options->compression == 1) {
340 error("This platform does not support both privilege "
341 "separation and compression");
342 error("Compression disabled");
343 options->compression = 0;
349 /* Keyword tokens. */
351 sBadOption, /* == unknown option */
352 /* Portable-specific options */
354 /* Standard Options */
355 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
356 sPermitRootLogin, sLogFacility, sLogLevel,
357 sRhostsRSAAuthentication, sRSAAuthentication,
358 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
359 sKerberosGetAFSToken,
360 sKerberosTgtPassing, sChallengeResponseAuthentication,
361 sPasswordAuthentication, sKbdInteractiveAuthentication,
362 sListenAddress, sAddressFamily,
363 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
364 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
365 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
366 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
367 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
368 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
369 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
370 sMaxStartups, sMaxAuthTries, sMaxSessions,
371 sBanner, sUseDNS, sHostbasedAuthentication,
372 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
373 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
374 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
375 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
376 sUsePrivilegeSeparation, sAllowAgentForwarding,
377 sZeroKnowledgePasswordAuthentication, sHostCertificate,
378 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
379 sKexAlgorithms, sIPQoS,
380 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
382 sDeprecated, sUnsupported
385 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
386 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
387 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
389 /* Textual representation of the tokens. */
392 ServerOpCodes opcode;
395 /* Portable-specific options */
397 { "usepam", sUsePAM, SSHCFG_GLOBAL },
399 { "usepam", sUnsupported, SSHCFG_GLOBAL },
401 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
402 /* Standard Options */
403 { "port", sPort, SSHCFG_GLOBAL },
404 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
405 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
406 { "pidfile", sPidFile, SSHCFG_GLOBAL },
407 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
408 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
409 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
410 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
411 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
412 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
413 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
414 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
415 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
416 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
417 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
418 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
419 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
421 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
422 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
423 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
425 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
427 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
430 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
431 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
432 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
433 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
435 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
436 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
438 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
439 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
441 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
442 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
444 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
445 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
446 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
447 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
449 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
451 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
453 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
454 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
455 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
456 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
457 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
458 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
459 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
460 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
461 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
462 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
463 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
464 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
465 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
466 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
467 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
468 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
469 { "compression", sCompression, SSHCFG_GLOBAL },
470 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
471 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
472 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
473 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
474 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
475 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
476 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
477 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
478 { "ciphers", sCiphers, SSHCFG_GLOBAL },
479 { "macs", sMacs, SSHCFG_GLOBAL },
480 { "protocol", sProtocol, SSHCFG_GLOBAL },
481 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
482 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
483 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
484 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
485 { "maxsessions", sMaxSessions, SSHCFG_ALL },
486 { "banner", sBanner, SSHCFG_ALL },
487 { "usedns", sUseDNS, SSHCFG_GLOBAL },
488 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
489 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
490 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
491 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
492 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
493 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
494 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
495 { "versionaddendum", sVersionAddendum , SSHCFG_GLOBAL },
496 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
497 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
498 { "match", sMatch, SSHCFG_ALL },
499 { "permitopen", sPermitOpen, SSHCFG_ALL },
500 { "forcecommand", sForceCommand, SSHCFG_ALL },
501 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
502 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
503 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
504 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
505 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
506 { "noneenabled", sNoneEnabled },
507 { "hpndisabled", sHPNDisabled },
508 { "hpnbuffersize", sHPNBufferSize },
509 { "tcprcvbufpoll", sTcpRcvBufPoll },
510 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
511 { "ipqos", sIPQoS, SSHCFG_ALL },
512 { NULL, sBadOption, 0 }
519 { SSH_TUNMODE_NO, "no" },
520 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
521 { SSH_TUNMODE_ETHERNET, "ethernet" },
522 { SSH_TUNMODE_YES, "yes" },
527 * Returns the number of the token pointed to by cp or sBadOption.
531 parse_token(const char *cp, const char *filename,
532 int linenum, u_int *flags)
536 for (i = 0; keywords[i].name; i++)
537 if (strcasecmp(cp, keywords[i].name) == 0) {
538 debug ("Config token is %s", keywords[i].name);
539 *flags = keywords[i].flags;
540 return keywords[i].opcode;
543 error("%s: line %d: Bad configuration option: %s",
544 filename, linenum, cp);
549 derelativise_path(const char *path)
551 char *expanded, *ret, cwd[MAXPATHLEN];
553 expanded = tilde_expand_filename(path, getuid());
554 if (*expanded == '/')
556 if (getcwd(cwd, sizeof(cwd)) == NULL)
557 fatal("%s: getcwd: %s", __func__, strerror(errno));
558 xasprintf(&ret, "%s/%s", cwd, expanded);
564 add_listen_addr(ServerOptions *options, char *addr, int port)
568 if (options->num_ports == 0)
569 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
570 if (options->address_family == -1)
571 options->address_family = AF_UNSPEC;
573 for (i = 0; i < options->num_ports; i++)
574 add_one_listen_addr(options, addr, options->ports[i]);
576 add_one_listen_addr(options, addr, port);
580 add_one_listen_addr(ServerOptions *options, char *addr, int port)
582 struct addrinfo hints, *ai, *aitop;
583 char strport[NI_MAXSERV];
586 memset(&hints, 0, sizeof(hints));
587 hints.ai_family = options->address_family;
588 hints.ai_socktype = SOCK_STREAM;
589 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
590 snprintf(strport, sizeof strport, "%d", port);
591 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
592 fatal("bad addr or host: %s (%s)",
593 addr ? addr : "<NULL>",
594 ssh_gai_strerror(gaierr));
595 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
597 ai->ai_next = options->listen_addrs;
598 options->listen_addrs = aitop;
602 * The strategy for the Match blocks is that the config file is parsed twice.
604 * The first time is at startup. activep is initialized to 1 and the
605 * directives in the global context are processed and acted on. Hitting a
606 * Match directive unsets activep and the directives inside the block are
607 * checked for syntax only.
609 * The second time is after a connection has been established but before
610 * authentication. activep is initialized to 2 and global config directives
611 * are ignored since they have already been processed. If the criteria in a
612 * Match block is met, activep is set and the subsequent directives
613 * processed and actioned until EOF or another Match block unsets it. Any
614 * options set are copied into the main server config.
616 * Potential additions/improvements:
617 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
619 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
620 * Match Address 192.168.0.*
625 * AllowTcpForwarding yes
626 * GatewayPorts clientspecified
629 * - Add a PermittedChannelRequests directive
631 * PermittedChannelRequests session,forwarded-tcpip
635 match_cfg_line_group(const char *grps, int line, const char *user)
643 if ((pw = getpwnam(user)) == NULL) {
644 debug("Can't match group at line %d because user %.100s does "
645 "not exist", line, user);
646 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
647 debug("Can't Match group because user %.100s not in any group "
648 "at line %d", user, line);
649 } else if (ga_match_pattern_list(grps) != 1) {
650 debug("user %.100s does not match group list %.100s at line %d",
653 debug("user %.100s matched group list %.100s at line %d", user,
663 match_cfg_line(char **condition, int line, const char *user, const char *host,
667 char *arg, *attrib, *cp = *condition;
671 debug3("checking syntax for 'Match %s'", cp);
673 debug3("checking match for '%s' user %s host %s addr %s", cp,
674 user ? user : "(null)", host ? host : "(null)",
675 address ? address : "(null)");
677 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
678 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
679 error("Missing Match criteria for %s", attrib);
683 if (strcasecmp(attrib, "user") == 0) {
688 if (match_pattern_list(user, arg, len, 0) != 1)
691 debug("user %.100s matched 'User %.100s' at "
692 "line %d", user, arg, line);
693 } else if (strcasecmp(attrib, "group") == 0) {
694 switch (match_cfg_line_group(arg, line, user)) {
700 } else if (strcasecmp(attrib, "host") == 0) {
705 if (match_hostname(host, arg, len) != 1)
708 debug("connection from %.100s matched 'Host "
709 "%.100s' at line %d", host, arg, line);
710 } else if (strcasecmp(attrib, "address") == 0) {
711 switch (addr_match_list(address, arg)) {
713 debug("connection from %.100s matched 'Address "
714 "%.100s' at line %d", address, arg, line);
724 error("Unsupported Match attribute %s", attrib);
729 debug3("match %sfound", result ? "" : "not ");
734 #define WHITESPACE " \t\r\n"
737 process_server_config_line(ServerOptions *options, char *line,
738 const char *filename, int linenum, int *activep, const char *user,
739 const char *host, const char *address)
741 char *cp, **charptr, *arg, *p;
742 int cmdline = 0, *intptr, value, value2, n;
743 SyslogFacility *log_facility_ptr;
744 LogLevel *log_level_ptr;
745 ServerOpCodes opcode;
751 if ((arg = strdelim(&cp)) == NULL)
753 /* Ignore leading whitespace */
756 if (!arg || !*arg || *arg == '#')
760 opcode = parse_token(arg, filename, linenum, &flags);
762 if (activep == NULL) { /* We are processing a command line directive */
766 if (*activep && opcode != sMatch)
767 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
768 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
770 fatal("%s line %d: Directive '%s' is not allowed "
771 "within a Match block", filename, linenum, arg);
772 } else { /* this is a directive we have already processed */
780 /* Portable-specific options */
782 intptr = &options->use_pam;
785 /* Standard Options */
789 /* ignore ports from configfile if cmdline specifies ports */
790 if (options->ports_from_cmdline)
792 if (options->listen_addrs != NULL)
793 fatal("%s line %d: ports must be specified before "
794 "ListenAddress.", filename, linenum);
795 if (options->num_ports >= MAX_PORTS)
796 fatal("%s line %d: too many ports.",
799 if (!arg || *arg == '\0')
800 fatal("%s line %d: missing port number.",
802 options->ports[options->num_ports++] = a2port(arg);
803 if (options->ports[options->num_ports-1] <= 0)
804 fatal("%s line %d: Badly formatted port number.",
809 intptr = &options->server_key_bits;
812 if (!arg || *arg == '\0')
813 fatal("%s line %d: missing integer value.",
816 if (*activep && *intptr == -1)
820 case sLoginGraceTime:
821 intptr = &options->login_grace_time;
824 if (!arg || *arg == '\0')
825 fatal("%s line %d: missing time value.",
827 if ((value = convtime(arg)) == -1)
828 fatal("%s line %d: invalid time value.",
834 case sKeyRegenerationTime:
835 intptr = &options->key_regeneration_time;
840 if (arg == NULL || *arg == '\0')
841 fatal("%s line %d: missing address",
843 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
844 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
845 && strchr(p+1, ':') != NULL) {
846 add_listen_addr(options, arg, 0);
851 fatal("%s line %d: bad address:port usage",
853 p = cleanhostname(p);
856 else if ((port = a2port(arg)) <= 0)
857 fatal("%s line %d: bad port number", filename, linenum);
859 add_listen_addr(options, p, port);
865 if (!arg || *arg == '\0')
866 fatal("%s line %d: missing address family.",
868 intptr = &options->address_family;
869 if (options->listen_addrs != NULL)
870 fatal("%s line %d: address family must be specified before "
871 "ListenAddress.", filename, linenum);
872 if (strcasecmp(arg, "inet") == 0)
874 else if (strcasecmp(arg, "inet6") == 0)
876 else if (strcasecmp(arg, "any") == 0)
879 fatal("%s line %d: unsupported address family \"%s\".",
880 filename, linenum, arg);
886 intptr = &options->num_host_key_files;
887 if (*intptr >= MAX_HOSTKEYS)
888 fatal("%s line %d: too many host keys specified (max %d).",
889 filename, linenum, MAX_HOSTKEYS);
890 charptr = &options->host_key_files[*intptr];
893 if (!arg || *arg == '\0')
894 fatal("%s line %d: missing file name.",
896 if (*activep && *charptr == NULL) {
897 *charptr = derelativise_path(arg);
898 /* increase optional counter */
900 *intptr = *intptr + 1;
904 case sHostCertificate:
905 intptr = &options->num_host_cert_files;
906 if (*intptr >= MAX_HOSTKEYS)
907 fatal("%s line %d: too many host certificates "
908 "specified (max %d).", filename, linenum,
910 charptr = &options->host_cert_files[*intptr];
915 charptr = &options->pid_file;
918 case sPermitRootLogin:
919 intptr = &options->permit_root_login;
921 if (!arg || *arg == '\0')
922 fatal("%s line %d: missing yes/"
923 "without-password/forced-commands-only/no "
924 "argument.", filename, linenum);
925 value = 0; /* silence compiler */
926 if (strcmp(arg, "without-password") == 0)
927 value = PERMIT_NO_PASSWD;
928 else if (strcmp(arg, "forced-commands-only") == 0)
929 value = PERMIT_FORCED_ONLY;
930 else if (strcmp(arg, "yes") == 0)
932 else if (strcmp(arg, "no") == 0)
935 fatal("%s line %d: Bad yes/"
936 "without-password/forced-commands-only/no "
937 "argument: %s", filename, linenum, arg);
938 if (*activep && *intptr == -1)
943 intptr = &options->ignore_rhosts;
946 if (!arg || *arg == '\0')
947 fatal("%s line %d: missing yes/no argument.",
949 value = 0; /* silence compiler */
950 if (strcmp(arg, "yes") == 0)
952 else if (strcmp(arg, "no") == 0)
955 fatal("%s line %d: Bad yes/no argument: %s",
956 filename, linenum, arg);
957 if (*activep && *intptr == -1)
962 intptr = &options->none_enabled;
966 intptr = &options->tcp_rcv_buf_poll;
970 intptr = &options->hpn_disabled;
974 intptr = &options->hpn_buffer_size;
977 case sIgnoreUserKnownHosts:
978 intptr = &options->ignore_user_known_hosts;
981 case sRhostsRSAAuthentication:
982 intptr = &options->rhosts_rsa_authentication;
985 case sHostbasedAuthentication:
986 intptr = &options->hostbased_authentication;
989 case sHostbasedUsesNameFromPacketOnly:
990 intptr = &options->hostbased_uses_name_from_packet_only;
993 case sRSAAuthentication:
994 intptr = &options->rsa_authentication;
997 case sPubkeyAuthentication:
998 intptr = &options->pubkey_authentication;
1001 case sKerberosAuthentication:
1002 intptr = &options->kerberos_authentication;
1005 case sKerberosOrLocalPasswd:
1006 intptr = &options->kerberos_or_local_passwd;
1009 case sKerberosTicketCleanup:
1010 intptr = &options->kerberos_ticket_cleanup;
1013 case sKerberosGetAFSToken:
1014 intptr = &options->kerberos_get_afs_token;
1017 case sGssAuthentication:
1018 intptr = &options->gss_authentication;
1021 case sGssCleanupCreds:
1022 intptr = &options->gss_cleanup_creds;
1025 case sPasswordAuthentication:
1026 intptr = &options->password_authentication;
1029 case sZeroKnowledgePasswordAuthentication:
1030 intptr = &options->zero_knowledge_password_authentication;
1033 case sKbdInteractiveAuthentication:
1034 intptr = &options->kbd_interactive_authentication;
1037 case sChallengeResponseAuthentication:
1038 intptr = &options->challenge_response_authentication;
1042 intptr = &options->print_motd;
1046 intptr = &options->print_lastlog;
1049 case sX11Forwarding:
1050 intptr = &options->x11_forwarding;
1053 case sX11DisplayOffset:
1054 intptr = &options->x11_display_offset;
1057 case sX11UseLocalhost:
1058 intptr = &options->x11_use_localhost;
1061 case sXAuthLocation:
1062 charptr = &options->xauth_location;
1063 goto parse_filename;
1066 intptr = &options->strict_modes;
1070 intptr = &options->tcp_keep_alive;
1073 case sPermitBlacklistedKeys:
1074 intptr = &options->permit_blacklisted_keys;
1078 intptr = &options->permit_empty_passwd;
1081 case sPermitUserEnvironment:
1082 intptr = &options->permit_user_env;
1086 intptr = &options->use_login;
1090 intptr = &options->compression;
1091 arg = strdelim(&cp);
1092 if (!arg || *arg == '\0')
1093 fatal("%s line %d: missing yes/no/delayed "
1094 "argument.", filename, linenum);
1095 value = 0; /* silence compiler */
1096 if (strcmp(arg, "delayed") == 0)
1097 value = COMP_DELAYED;
1098 else if (strcmp(arg, "yes") == 0)
1100 else if (strcmp(arg, "no") == 0)
1103 fatal("%s line %d: Bad yes/no/delayed "
1104 "argument: %s", filename, linenum, arg);
1110 intptr = &options->gateway_ports;
1111 arg = strdelim(&cp);
1112 if (!arg || *arg == '\0')
1113 fatal("%s line %d: missing yes/no/clientspecified "
1114 "argument.", filename, linenum);
1115 value = 0; /* silence compiler */
1116 if (strcmp(arg, "clientspecified") == 0)
1118 else if (strcmp(arg, "yes") == 0)
1120 else if (strcmp(arg, "no") == 0)
1123 fatal("%s line %d: Bad yes/no/clientspecified "
1124 "argument: %s", filename, linenum, arg);
1125 if (*activep && *intptr == -1)
1130 intptr = &options->use_dns;
1134 log_facility_ptr = &options->log_facility;
1135 arg = strdelim(&cp);
1136 value = log_facility_number(arg);
1137 if (value == SYSLOG_FACILITY_NOT_SET)
1138 fatal("%.200s line %d: unsupported log facility '%s'",
1139 filename, linenum, arg ? arg : "<NONE>");
1140 if (*log_facility_ptr == -1)
1141 *log_facility_ptr = (SyslogFacility) value;
1145 log_level_ptr = &options->log_level;
1146 arg = strdelim(&cp);
1147 value = log_level_number(arg);
1148 if (value == SYSLOG_LEVEL_NOT_SET)
1149 fatal("%.200s line %d: unsupported log level '%s'",
1150 filename, linenum, arg ? arg : "<NONE>");
1151 if (*log_level_ptr == -1)
1152 *log_level_ptr = (LogLevel) value;
1155 case sAllowTcpForwarding:
1156 intptr = &options->allow_tcp_forwarding;
1159 case sAllowAgentForwarding:
1160 intptr = &options->allow_agent_forwarding;
1163 case sUsePrivilegeSeparation:
1164 intptr = &use_privsep;
1168 while ((arg = strdelim(&cp)) && *arg != '\0') {
1169 if (options->num_allow_users >= MAX_ALLOW_USERS)
1170 fatal("%s line %d: too many allow users.",
1172 options->allow_users[options->num_allow_users++] =
1178 while ((arg = strdelim(&cp)) && *arg != '\0') {
1179 if (options->num_deny_users >= MAX_DENY_USERS)
1180 fatal("%s line %d: too many deny users.",
1182 options->deny_users[options->num_deny_users++] =
1188 while ((arg = strdelim(&cp)) && *arg != '\0') {
1189 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1190 fatal("%s line %d: too many allow groups.",
1192 options->allow_groups[options->num_allow_groups++] =
1198 while ((arg = strdelim(&cp)) && *arg != '\0') {
1199 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1200 fatal("%s line %d: too many deny groups.",
1202 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1207 arg = strdelim(&cp);
1208 if (!arg || *arg == '\0')
1209 fatal("%s line %d: Missing argument.", filename, linenum);
1210 if (!ciphers_valid(arg))
1211 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1212 filename, linenum, arg ? arg : "<NONE>");
1213 if (options->ciphers == NULL)
1214 options->ciphers = xstrdup(arg);
1218 arg = strdelim(&cp);
1219 if (!arg || *arg == '\0')
1220 fatal("%s line %d: Missing argument.", filename, linenum);
1221 if (!mac_valid(arg))
1222 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1223 filename, linenum, arg ? arg : "<NONE>");
1224 if (options->macs == NULL)
1225 options->macs = xstrdup(arg);
1228 case sKexAlgorithms:
1229 arg = strdelim(&cp);
1230 if (!arg || *arg == '\0')
1231 fatal("%s line %d: Missing argument.",
1233 if (!kex_names_valid(arg))
1234 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1235 filename, linenum, arg ? arg : "<NONE>");
1236 if (options->kex_algorithms == NULL)
1237 options->kex_algorithms = xstrdup(arg);
1241 intptr = &options->protocol;
1242 arg = strdelim(&cp);
1243 if (!arg || *arg == '\0')
1244 fatal("%s line %d: Missing argument.", filename, linenum);
1245 value = proto_spec(arg);
1246 if (value == SSH_PROTO_UNKNOWN)
1247 fatal("%s line %d: Bad protocol spec '%s'.",
1248 filename, linenum, arg ? arg : "<NONE>");
1249 if (*intptr == SSH_PROTO_UNKNOWN)
1254 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1255 fatal("%s line %d: too many subsystems defined.",
1258 arg = strdelim(&cp);
1259 if (!arg || *arg == '\0')
1260 fatal("%s line %d: Missing subsystem name.",
1263 arg = strdelim(&cp);
1266 for (i = 0; i < options->num_subsystems; i++)
1267 if (strcmp(arg, options->subsystem_name[i]) == 0)
1268 fatal("%s line %d: Subsystem '%s' already defined.",
1269 filename, linenum, arg);
1270 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1271 arg = strdelim(&cp);
1272 if (!arg || *arg == '\0')
1273 fatal("%s line %d: Missing subsystem command.",
1275 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1277 /* Collect arguments (separate to executable) */
1279 len = strlen(p) + 1;
1280 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1281 len += 1 + strlen(arg);
1282 p = xrealloc(p, 1, len);
1283 strlcat(p, " ", len);
1284 strlcat(p, arg, len);
1286 options->subsystem_args[options->num_subsystems] = p;
1287 options->num_subsystems++;
1291 arg = strdelim(&cp);
1292 if (!arg || *arg == '\0')
1293 fatal("%s line %d: Missing MaxStartups spec.",
1295 if ((n = sscanf(arg, "%d:%d:%d",
1296 &options->max_startups_begin,
1297 &options->max_startups_rate,
1298 &options->max_startups)) == 3) {
1299 if (options->max_startups_begin >
1300 options->max_startups ||
1301 options->max_startups_rate > 100 ||
1302 options->max_startups_rate < 1)
1303 fatal("%s line %d: Illegal MaxStartups spec.",
1306 fatal("%s line %d: Illegal MaxStartups spec.",
1309 options->max_startups = options->max_startups_begin;
1313 intptr = &options->max_authtries;
1317 intptr = &options->max_sessions;
1321 charptr = &options->banner;
1322 goto parse_filename;
1325 * These options can contain %X options expanded at
1326 * connect time, so that you can specify paths like:
1328 * AuthorizedKeysFile /etc/ssh_keys/%u
1330 case sAuthorizedKeysFile:
1331 charptr = &options->authorized_keys_file;
1332 goto parse_tilde_filename;
1333 case sAuthorizedKeysFile2:
1334 charptr = &options->authorized_keys_file2;
1335 goto parse_tilde_filename;
1336 case sAuthorizedPrincipalsFile:
1337 charptr = &options->authorized_principals_file;
1338 parse_tilde_filename:
1339 arg = strdelim(&cp);
1340 if (!arg || *arg == '\0')
1341 fatal("%s line %d: missing file name.",
1343 if (*activep && *charptr == NULL) {
1344 *charptr = tilde_expand_filename(arg, getuid());
1345 /* increase optional counter */
1347 *intptr = *intptr + 1;
1351 case sClientAliveInterval:
1352 intptr = &options->client_alive_interval;
1355 case sClientAliveCountMax:
1356 intptr = &options->client_alive_count_max;
1360 while ((arg = strdelim(&cp)) && *arg != '\0') {
1361 if (strchr(arg, '=') != NULL)
1362 fatal("%s line %d: Invalid environment name.",
1364 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1365 fatal("%s line %d: too many allow env.",
1369 options->accept_env[options->num_accept_env++] =
1375 intptr = &options->permit_tun;
1376 arg = strdelim(&cp);
1377 if (!arg || *arg == '\0')
1378 fatal("%s line %d: Missing yes/point-to-point/"
1379 "ethernet/no argument.", filename, linenum);
1381 for (i = 0; tunmode_desc[i].val != -1; i++)
1382 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1383 value = tunmode_desc[i].val;
1387 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1388 "no argument: %s", filename, linenum, arg);
1395 fatal("Match directive not supported as a command-line "
1397 value = match_cfg_line(&cp, linenum, user, host, address);
1399 fatal("%s line %d: Bad Match condition", filename,
1405 arg = strdelim(&cp);
1406 if (!arg || *arg == '\0')
1407 fatal("%s line %d: missing PermitOpen specification",
1409 n = options->num_permitted_opens; /* modified later */
1410 if (strcmp(arg, "any") == 0) {
1411 if (*activep && n == -1) {
1412 channel_clear_adm_permitted_opens();
1413 options->num_permitted_opens = 0;
1417 if (*activep && n == -1)
1418 channel_clear_adm_permitted_opens();
1419 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1422 fatal("%s line %d: missing host in PermitOpen",
1424 p = cleanhostname(p);
1425 if (arg == NULL || (port = a2port(arg)) <= 0)
1426 fatal("%s line %d: bad port number in "
1427 "PermitOpen", filename, linenum);
1428 if (*activep && n == -1)
1429 options->num_permitted_opens =
1430 channel_add_adm_permitted_opens(p, port);
1436 fatal("%.200s line %d: Missing argument.", filename,
1438 len = strspn(cp, WHITESPACE);
1439 if (*activep && options->adm_forced_command == NULL)
1440 options->adm_forced_command = xstrdup(cp + len);
1443 case sChrootDirectory:
1444 charptr = &options->chroot_directory;
1446 arg = strdelim(&cp);
1447 if (!arg || *arg == '\0')
1448 fatal("%s line %d: missing file name.",
1450 if (*activep && *charptr == NULL)
1451 *charptr = xstrdup(arg);
1454 case sVersionAddendum:
1455 ssh_version_set_addendum(strtok(cp, "\n"));
1457 arg = strdelim(&cp);
1458 } while (arg != NULL && *arg != '\0');
1460 case sTrustedUserCAKeys:
1461 charptr = &options->trusted_user_ca_keys;
1462 goto parse_filename;
1465 charptr = &options->revoked_keys_file;
1466 goto parse_filename;
1469 arg = strdelim(&cp);
1470 if ((value = parse_ipqos(arg)) == -1)
1471 fatal("%s line %d: Bad IPQoS value: %s",
1472 filename, linenum, arg);
1473 arg = strdelim(&cp);
1476 else if ((value2 = parse_ipqos(arg)) == -1)
1477 fatal("%s line %d: Bad IPQoS value: %s",
1478 filename, linenum, arg);
1480 options->ip_qos_interactive = value;
1481 options->ip_qos_bulk = value2;
1486 logit("%s line %d: Deprecated option %s",
1487 filename, linenum, arg);
1489 arg = strdelim(&cp);
1493 logit("%s line %d: Unsupported option %s",
1494 filename, linenum, arg);
1496 arg = strdelim(&cp);
1500 fatal("%s line %d: Missing handler for opcode %s (%d)",
1501 filename, linenum, arg, opcode);
1503 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1504 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1505 filename, linenum, arg);
1509 /* Reads the server configuration file. */
1512 load_server_config(const char *filename, Buffer *conf)
1514 char line[1024], *cp;
1517 debug2("%s: filename %s", __func__, filename);
1518 if ((f = fopen(filename, "r")) == NULL) {
1523 while (fgets(line, sizeof(line), f)) {
1525 * Trim out comments and strip whitespace
1526 * NB - preserve newlines, they are needed to reproduce
1527 * line numbers later for error messages
1529 if ((cp = strchr(line, '#')) != NULL)
1530 memcpy(cp, "\n", 2);
1531 cp = line + strspn(line, " \t\r");
1533 buffer_append(conf, cp, strlen(cp));
1535 buffer_append(conf, "\0", 1);
1537 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1541 parse_server_match_config(ServerOptions *options, const char *user,
1542 const char *host, const char *address)
1546 initialize_server_options(&mo);
1547 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1548 copy_set_server_options(options, &mo, 0);
1552 #define M_CP_INTOPT(n) do {\
1556 #define M_CP_STROPT(n) do {\
1557 if (src->n != NULL) { \
1558 if (dst->n != NULL) \
1565 * Copy any supported values that are set.
1567 * If the preauth flag is set, we do not bother copying the string or
1568 * array values that are not used pre-authentication, because any that we
1569 * do use must be explictly sent in mm_getpwnamallow().
1572 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1574 M_CP_INTOPT(password_authentication);
1575 M_CP_INTOPT(gss_authentication);
1576 M_CP_INTOPT(rsa_authentication);
1577 M_CP_INTOPT(pubkey_authentication);
1578 M_CP_INTOPT(kerberos_authentication);
1579 M_CP_INTOPT(hostbased_authentication);
1580 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1581 M_CP_INTOPT(kbd_interactive_authentication);
1582 M_CP_INTOPT(zero_knowledge_password_authentication);
1583 M_CP_INTOPT(permit_root_login);
1584 M_CP_INTOPT(permit_empty_passwd);
1586 M_CP_INTOPT(allow_tcp_forwarding);
1587 M_CP_INTOPT(allow_agent_forwarding);
1588 M_CP_INTOPT(permit_tun);
1589 M_CP_INTOPT(gateway_ports);
1590 M_CP_INTOPT(x11_display_offset);
1591 M_CP_INTOPT(x11_forwarding);
1592 M_CP_INTOPT(x11_use_localhost);
1593 M_CP_INTOPT(max_sessions);
1594 M_CP_INTOPT(max_authtries);
1595 M_CP_INTOPT(ip_qos_interactive);
1596 M_CP_INTOPT(ip_qos_bulk);
1598 M_CP_STROPT(banner);
1601 M_CP_STROPT(adm_forced_command);
1602 M_CP_STROPT(chroot_directory);
1603 M_CP_STROPT(trusted_user_ca_keys);
1604 M_CP_STROPT(revoked_keys_file);
1605 M_CP_STROPT(authorized_keys_file);
1606 M_CP_STROPT(authorized_keys_file2);
1607 M_CP_STROPT(authorized_principals_file);
1614 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1615 const char *user, const char *host, const char *address)
1617 int active, linenum, bad_options = 0;
1618 char *cp, *obuf, *cbuf;
1620 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1622 obuf = cbuf = xstrdup(buffer_ptr(conf));
1623 active = user ? 0 : 1;
1625 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1626 if (process_server_config_line(options, cp, filename,
1627 linenum++, &active, user, host, address) != 0)
1631 if (bad_options > 0)
1632 fatal("%s: terminating, %d bad configuration options",
1633 filename, bad_options);
1637 fmt_intarg(ServerOpCodes code, int val)
1639 if (code == sAddressFamily) {
1651 if (code == sPermitRootLogin) {
1653 case PERMIT_NO_PASSWD:
1654 return "without-password";
1655 case PERMIT_FORCED_ONLY:
1656 return "forced-commands-only";
1661 if (code == sProtocol) {
1667 case (SSH_PROTO_1|SSH_PROTO_2):
1673 if (code == sGatewayPorts && val == 2)
1674 return "clientspecified";
1675 if (code == sCompression && val == COMP_DELAYED)
1689 lookup_opcode_name(ServerOpCodes code)
1693 for (i = 0; keywords[i].name != NULL; i++)
1694 if (keywords[i].opcode == code)
1695 return(keywords[i].name);
1700 dump_cfg_int(ServerOpCodes code, int val)
1702 printf("%s %d\n", lookup_opcode_name(code), val);
1706 dump_cfg_fmtint(ServerOpCodes code, int val)
1708 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1712 dump_cfg_string(ServerOpCodes code, const char *val)
1716 printf("%s %s\n", lookup_opcode_name(code), val);
1720 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1724 for (i = 0; i < count; i++)
1725 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1729 dump_config(ServerOptions *o)
1733 struct addrinfo *ai;
1734 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1736 /* these are usually at the top of the config */
1737 for (i = 0; i < o->num_ports; i++)
1738 printf("port %d\n", o->ports[i]);
1739 dump_cfg_fmtint(sProtocol, o->protocol);
1740 dump_cfg_fmtint(sAddressFamily, o->address_family);
1742 /* ListenAddress must be after Port */
1743 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1744 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1745 sizeof(addr), port, sizeof(port),
1746 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1747 error("getnameinfo failed: %.100s",
1748 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1751 if (ai->ai_family == AF_INET6)
1752 printf("listenaddress [%s]:%s\n", addr, port);
1754 printf("listenaddress %s:%s\n", addr, port);
1758 /* integer arguments */
1760 dump_cfg_int(sUsePAM, o->use_pam);
1762 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1763 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1764 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1765 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1766 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1767 dump_cfg_int(sMaxSessions, o->max_sessions);
1768 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1769 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1771 /* formatted integer arguments */
1772 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1773 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1774 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1775 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1776 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1777 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1778 o->hostbased_uses_name_from_packet_only);
1779 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1780 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1782 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1783 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1784 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1786 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1790 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1791 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1794 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1795 o->zero_knowledge_password_authentication);
1797 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1798 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1799 o->kbd_interactive_authentication);
1800 dump_cfg_fmtint(sChallengeResponseAuthentication,
1801 o->challenge_response_authentication);
1802 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1803 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1804 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1805 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1806 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1807 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1808 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1809 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1810 dump_cfg_fmtint(sUseLogin, o->use_login);
1811 dump_cfg_fmtint(sCompression, o->compression);
1812 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1813 dump_cfg_fmtint(sUseDNS, o->use_dns);
1814 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1815 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1817 /* string arguments */
1818 dump_cfg_string(sPidFile, o->pid_file);
1819 dump_cfg_string(sXAuthLocation, o->xauth_location);
1820 dump_cfg_string(sCiphers, o->ciphers);
1821 dump_cfg_string(sMacs, o->macs);
1822 dump_cfg_string(sBanner, o->banner);
1823 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1824 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1825 dump_cfg_string(sForceCommand, o->adm_forced_command);
1826 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1827 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1828 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1829 dump_cfg_string(sAuthorizedPrincipalsFile,
1830 o->authorized_principals_file);
1832 /* string arguments requiring a lookup */
1833 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1834 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1836 /* string array arguments */
1837 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1839 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1840 o->host_cert_files);
1841 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1842 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1843 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1844 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1845 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1847 /* other arguments */
1848 for (i = 0; i < o->num_subsystems; i++)
1849 printf("subsystem %s %s\n", o->subsystem_name[i],
1850 o->subsystem_args[i]);
1852 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1853 o->max_startups_rate, o->max_startups);
1855 for (i = 0; tunmode_desc[i].val != -1; i++)
1856 if (tunmode_desc[i].val == o->permit_tun) {
1857 s = tunmode_desc[i].text;
1860 dump_cfg_string(sPermitTunnel, s);
1862 printf("ipqos 0x%02x 0x%02x\n", o->ip_qos_interactive, o->ip_qos_bulk);
1864 channel_print_adm_permitted_opens();