1 /* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep;
/*
 * Initializes the server options to their "not yet configured" markers.
 *
 * Every integer a config directive may set is left at -1, every list
 * counter at 0, every pointer at NULL, and the enumerated settings at
 * their *_NOT_SET / *_UNKNOWN value.  fill_default_server_options()
 * relies on these markers to tell configured values from unset ones.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Zero everything, including any field not listed explicitly below. */
	memset(options, 0, sizeof(*options));

	/* Pointer-valued options: NULL means "not set". */
	options->listen_addrs = NULL;
	options->pid_file = NULL;
	options->xauth_location = NULL;
	options->ciphers = NULL;
	options->macs = NULL;
	options->banner = NULL;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;
	options->adm_forced_command = NULL;
	options->chroot_directory = NULL;

	/* List counters: nothing has been parsed yet. */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->num_host_key_files = 0;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->num_subsystems = 0;
	options->num_accept_env = 0;

	/* Enumerated settings with a dedicated "unset" value. */
	options->permit_root_login = PERMIT_NOT_SET;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->protocol = SSH_PROTO_UNKNOWN;

	/* Portable-specific tri-state option. */
	options->use_pam = -1;

	/* Networking, keys and connection limits: -1 means "not set". */
	options->address_family = -1;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->tcp_keep_alive = -1;
	options->gateway_ports = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->max_authtries = -1;
	options->max_sessions = -1;
	options->use_dns = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->permit_tun = -1;
	/* Unlike the num_* counters above, this one starts at -1. */
	options->num_permitted_opens = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->allow_agent_forwarding = -1;

	/* Authentication methods and related policy: -1 means "not set". */
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication = -1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->zero_knowledge_password_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;

	/* Session environment: -1 means "not set". */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->strict_modes = -1;
}
/*
 * Store dflt into *slot if the configuration left it at the -1
 * "not set" marker written by initialize_server_options().
 */
static void
default_if_unset(int *slot, int dflt)
{
	if (*slot == -1)
		*slot = dflt;
}

/*
 * Fill in the compiled-in default for every option that neither the
 * command line nor the config file set.
 *
 * Order matters in two places: the protocol default decides which host
 * key files are added, and the MaxStartups "begin" value copies the
 * already-defaulted max_startups.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_if_unset(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* No HostKey directive: use the stock key file(s) of each enabled protocol. */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);	/* wildcard, every port */
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	default_if_unset(&options->server_key_bits, 1024);
	default_if_unset(&options->login_grace_time, 120);
	default_if_unset(&options->key_regeneration_time, 3600);
	/*
	 * The compiled-in default permits root login; a deployment that
	 * wants otherwise has to set PermitRootLogin explicitly.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_if_unset(&options->ignore_rhosts, 1);
	default_if_unset(&options->ignore_user_known_hosts, 0);
	default_if_unset(&options->print_motd, 1);
	default_if_unset(&options->print_lastlog, 1);
	default_if_unset(&options->x11_forwarding, 0);
	default_if_unset(&options->x11_display_offset, 10);
	default_if_unset(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	default_if_unset(&options->strict_modes, 1);
	default_if_unset(&options->tcp_keep_alive, 1);
	/* These two are typed enums, so they keep their explicit checks. */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/*
	 * Authentication methods.  Only RSA, public-key, password and
	 * challenge-response are enabled unless the config says otherwise.
	 */
	default_if_unset(&options->rhosts_rsa_authentication, 0);
	default_if_unset(&options->hostbased_authentication, 0);
	default_if_unset(&options->hostbased_uses_name_from_packet_only, 0);
	default_if_unset(&options->rsa_authentication, 1);
	default_if_unset(&options->pubkey_authentication, 1);
	default_if_unset(&options->kerberos_authentication, 0);
	default_if_unset(&options->kerberos_or_local_passwd, 1);
	default_if_unset(&options->kerberos_ticket_cleanup, 1);
	default_if_unset(&options->kerberos_get_afs_token, 0);
	default_if_unset(&options->gss_authentication, 0);
	default_if_unset(&options->gss_cleanup_creds, 1);
	default_if_unset(&options->password_authentication, 1);
	default_if_unset(&options->kbd_interactive_authentication, 0);
	default_if_unset(&options->challenge_response_authentication, 1);
	default_if_unset(&options->permit_empty_passwd, 0);
	default_if_unset(&options->permit_user_env, 0);
	default_if_unset(&options->use_login, 0);
	default_if_unset(&options->compression, COMP_DELAYED);
	default_if_unset(&options->allow_tcp_forwarding, 1);
	default_if_unset(&options->allow_agent_forwarding, 1);
	default_if_unset(&options->gateway_ports, 0);
	default_if_unset(&options->max_startups, 10);
	default_if_unset(&options->max_startups_rate, 100);	/* 100% */
	/* Depends on max_startups having been defaulted just above. */
	default_if_unset(&options->max_startups_begin, options->max_startups);
	default_if_unset(&options->max_authtries, DEFAULT_AUTH_FAIL_MAX);
	default_if_unset(&options->max_sessions, DEFAULT_SESSIONS_MAX);
	default_if_unset(&options->use_dns, 1);
	default_if_unset(&options->client_alive_interval, 0);
	default_if_unset(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
	default_if_unset(&options->permit_tun, SSH_TUNMODE_NO);
	default_if_unset(&options->zero_knowledge_password_authentication, 0);

	/* Turn privilege separation on by default */
	default_if_unset(&use_privsep, 1);

#ifndef HAVE_MMAP
	/*
	 * Privilege separation and Compression=yes cannot coexist on this
	 * platform; privsep wins and compression is switched off with a
	 * logged error rather than a fatal one.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
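/*
 * Keyword tokens.
 *
 * One opcode per recognised sshd_config keyword, as returned by
 * parse_token().  sBadOption is the "unknown keyword" result; keywords
 * that are recognised but no longer or not-on-this-build configurable
 * map to sDeprecated / sUnsupported and are dealt with by the opcode
 * switch in process_server_config_line().
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries, sMaxSessions,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
	sUsePrivilegeSeparation, sAllowAgentForwarding,
	sZeroKnowledgePasswordAuthentication,
	sDeprecated, sUnsupported
} ServerOpCodes;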
312 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
313 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
314 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
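/*
 * Textual representation of the tokens.
 *
 * Keyword names are matched case-insensitively by parse_token().  The
 * flags column says where a directive may appear: SSHCFG_GLOBAL only in
 * the main section, SSHCFG_MATCH only inside a Match block, SSHCFG_ALL
 * in both -- SSHCFG_ALL entries are the settings that a Match block can
 * override per connection, so that column is the place to check when
 * deciding whether a new option should be overridable.  Keywords whose
 * feature is compiled out stay in the table as sUnsupported so that a
 * config mentioning them is still recognised rather than reported as a
 * bad option.  The NULL entry terminates the scan.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
#else
	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
#else
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
#else
	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
#else
	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef JPAKE
	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
#endif
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },		/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
	{ "match", sMatch, SSHCFG_ALL },
	{ "permitopen", sPermitOpen, SSHCFG_ALL },
	{ "forcecommand", sForceCommand, SSHCFG_ALL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ NULL, sBadOption, 0 }
};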
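/*
 * PermitTunnel keyword values.  The sPermitTunnel handler compares the
 * argument against .text with strcmp() (exact, case-sensitive) and stops
 * at the { -1, NULL } sentinel, so .val == -1 must never be a real mode.
 */
static struct {
	int val;
	const char *text;
} tunmode_desc[] = {
	{ SSH_TUNMODE_NO, "no" },
	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
	{ SSH_TUNMODE_ETHERNET, "ethernet" },
	{ SSH_TUNMODE_YES, "yes" },
	{ -1, NULL }
};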
/*
 * Returns the opcode of the keyword cp, or sBadOption.
 *
 * The lookup is case-insensitive and stops at the first match in
 * keywords[], so an earlier entry shadows a later one with the same
 * name.  On a hit the keyword's SSHCFG_* scope bits are stored in
 * *flags; on a miss *flags is left untouched and an error naming
 * filename and linenum is logged.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum, u_int *flags)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(cp, keywords[idx].name) != 0) {
			idx++;
			continue;
		}
		*flags = keywords[idx].flags;
		return keywords[idx].opcode;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
/*
 * Queue addr (NULL = wildcard address) for listening.
 *
 * port 0 means "every port configured so far", which is why a missing
 * Port directive is filled with SSH_DEFAULT_PORT here before the loop;
 * a non-zero port binds only that one.  Also pins address_family to
 * AF_UNSPEC if AddressFamily was never set, since getaddrinfo() in
 * add_one_listen_addr() needs a real family value.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, int port)
{
	u_int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
/*
 * Resolve addr:port (addr NULL = passive wildcard) for the configured
 * address family and push every resulting addrinfo onto the front of
 * options->listen_addrs.
 *
 * Resolution failure is fatal: a ListenAddress that cannot be resolved
 * stops sshd instead of being silently skipped.  The addrinfo chain is
 * kept as-is and linked in front of the existing list, so the caller's
 * list order is newest-first.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, int port)
{
	struct addrinfo hints, *last, *resolved;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	snprintf(strport, sizeof strport, "%d", port);

	gaierr = getaddrinfo(addr, strport, &hints, &resolved);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    ssh_gai_strerror(gaierr));

	/* Splice the existing list behind the tail of the new chain. */
	last = resolved;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = resolved;
}
501 * The strategy for the Match blocks is that the config file is parsed twice.
503 * The first time is at startup. activep is initialized to 1 and the
504 * directives in the global context are processed and acted on. Hitting a
505 * Match directive unsets activep and the directives inside the block are
506 * checked for syntax only.
508 * The second time is after a connection has been established but before
509 * authentication. activep is initialized to 2 and global config directives
510 * are ignored since they have already been processed. If the criteria in a
511 * Match block is met, activep is set and the subsequent directives
512 * processed and actioned until EOF or another Match block unsets it. Any
513 * options set are copied into the main server config.
515 * Potential additions/improvements:
516 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
518 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
519 * Match Address 192.168.0.*
524 * AllowTcpForwarding yes
525 * GatewayPorts clientspecified
528 * - Add a PermittedChannelRequests directive
530 * PermittedChannelRequests session,forwarded-tcpip
/*
 * Evaluate a "Match Group" pattern list for user.
 *
 * Returns 1 when the user exists, belongs to at least one group and
 * that group set matches grps; 0 otherwise, including when no user is
 * known yet (user == NULL).  Each failure is logged at debug level with
 * the config line number.  The group-access state set up by ga_init()
 * is always released before returning.
 */
static int
match_cfg_line_group(const char *grps, int line, const char *user)
{
	struct passwd *pw = NULL;
	int matched = 0;

	if (user != NULL) {
		if ((pw = getpwnam(user)) == NULL) {
			debug("Can't match group at line %d because user %.100s does "
			    "not exist", line, user);
		} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
			debug("Can't Match group because user %.100s not in any group "
			    "at line %d", user, line);
		} else if (ga_match_pattern_list(grps) != 1) {
			debug("user %.100s does not match group list %.100s at line %d",
			    user, grps, line);
		} else {
			debug("user %.100s matched group list %.100s at line %d", user,
			    grps, line);
			matched = 1;
		}
	}
	ga_free();
	return matched;
}
/*
 * Evaluate the criteria of a "Match" line against the current connection.
 *
 * *condition points at the text after the Match keyword and is consumed
 * as "attribute value" pairs via strdelim(); the supported attributes are
 * user, group, host and address, and anything else is reported as an
 * error.  user/host/address may be NULL during the pre-connection pass,
 * which only checks syntax.  The result flag and the pattern length
 * variable used below are declared on lines not shown in this listing.
 */
562 match_cfg_line(char **condition, int line, const char *user, const char *host,
566 char *arg, *attrib, *cp = *condition;
/* Syntax-only pass: no connection details are available yet. */
570 debug3("checking syntax for 'Match %s'", cp);
/* Per-connection pass: log what the criteria are being matched against. */
572 debug3("checking match for '%s' user %s host %s addr %s", cp,
573 user ? user : "(null)", host ? host : "(null)",
574 address ? address : "(null)");
/* Each attribute must be followed by a value on the same line. */
576 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
577 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
578 error("Missing Match criteria for %s", attrib);
/* User: wildcard pattern list against the (already parsed) user name. */
582 if (strcasecmp(attrib, "user") == 0) {
587 if (match_pattern_list(user, arg, len, 0) != 1)
590 debug("user %.100s matched 'User %.100s' at "
591 "line %d", user, arg, line);
/* Group: delegated to match_cfg_line_group(), which looks the user up. */
592 } else if (strcasecmp(attrib, "group") == 0) {
593 switch (match_cfg_line_group(arg, line, user)) {
/* Host: pattern list against the client's resolved host name. */
599 } else if (strcasecmp(attrib, "host") == 0) {
604 if (match_hostname(host, arg, len) != 1)
607 debug("connection from %.100s matched 'Host "
608 "%.100s' at line %d", host, arg, line);
/* Address: CIDR/address list against the client's IP address. */
609 } else if (strcasecmp(attrib, "address") == 0) {
610 switch (addr_match_list(address, arg)) {
612 debug("connection from %.100s matched 'Address "
613 "%.100s' at line %d", address, arg, line);
/* Unknown attribute names are a hard error, not a silent non-match. */
623 error("Unsupported Match attribute %s", attrib);
628 debug3("match %sfound", result ? "" : "not ");
633 #define WHITESPACE " \t\r\n"
636 process_server_config_line(ServerOptions *options, char *line,
637 const char *filename, int linenum, int *activep, const char *user,
638 const char *host, const char *address)
640 char *cp, **charptr, *arg, *p;
641 int cmdline = 0, *intptr, value, n;
642 SyslogFacility *log_facility_ptr;
643 LogLevel *log_level_ptr;
644 ServerOpCodes opcode;
650 if ((arg = strdelim(&cp)) == NULL)
652 /* Ignore leading whitespace */
655 if (!arg || !*arg || *arg == '#')
659 opcode = parse_token(arg, filename, linenum, &flags);
661 if (activep == NULL) { /* We are processing a command line directive */
665 if (*activep && opcode != sMatch)
666 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
667 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
669 fatal("%s line %d: Directive '%s' is not allowed "
670 "within a Match block", filename, linenum, arg);
671 } else { /* this is a directive we have already processed */
679 /* Portable-specific options */
681 intptr = &options->use_pam;
684 /* Standard Options */
688 /* ignore ports from configfile if cmdline specifies ports */
689 if (options->ports_from_cmdline)
691 if (options->listen_addrs != NULL)
692 fatal("%s line %d: ports must be specified before "
693 "ListenAddress.", filename, linenum);
694 if (options->num_ports >= MAX_PORTS)
695 fatal("%s line %d: too many ports.",
698 if (!arg || *arg == '\0')
699 fatal("%s line %d: missing port number.",
701 options->ports[options->num_ports++] = a2port(arg);
702 if (options->ports[options->num_ports-1] <= 0)
703 fatal("%s line %d: Badly formatted port number.",
708 intptr = &options->server_key_bits;
711 if (!arg || *arg == '\0')
712 fatal("%s line %d: missing integer value.",
715 if (*activep && *intptr == -1)
719 case sLoginGraceTime:
720 intptr = &options->login_grace_time;
723 if (!arg || *arg == '\0')
724 fatal("%s line %d: missing time value.",
726 if ((value = convtime(arg)) == -1)
727 fatal("%s line %d: invalid time value.",
733 case sKeyRegenerationTime:
734 intptr = &options->key_regeneration_time;
739 if (arg == NULL || *arg == '\0')
740 fatal("%s line %d: missing address",
742 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
743 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
744 && strchr(p+1, ':') != NULL) {
745 add_listen_addr(options, arg, 0);
750 fatal("%s line %d: bad address:port usage",
752 p = cleanhostname(p);
755 else if ((port = a2port(arg)) <= 0)
756 fatal("%s line %d: bad port number", filename, linenum);
758 add_listen_addr(options, p, port);
764 if (!arg || *arg == '\0')
765 fatal("%s line %d: missing address family.",
767 intptr = &options->address_family;
768 if (options->listen_addrs != NULL)
769 fatal("%s line %d: address family must be specified before "
770 "ListenAddress.", filename, linenum);
771 if (strcasecmp(arg, "inet") == 0)
773 else if (strcasecmp(arg, "inet6") == 0)
775 else if (strcasecmp(arg, "any") == 0)
778 fatal("%s line %d: unsupported address family \"%s\".",
779 filename, linenum, arg);
785 intptr = &options->num_host_key_files;
786 if (*intptr >= MAX_HOSTKEYS)
787 fatal("%s line %d: too many host keys specified (max %d).",
788 filename, linenum, MAX_HOSTKEYS);
789 charptr = &options->host_key_files[*intptr];
792 if (!arg || *arg == '\0')
793 fatal("%s line %d: missing file name.",
795 if (*activep && *charptr == NULL) {
796 *charptr = tilde_expand_filename(arg, getuid());
797 /* increase optional counter */
799 *intptr = *intptr + 1;
804 charptr = &options->pid_file;
807 case sPermitRootLogin:
808 intptr = &options->permit_root_login;
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: missing yes/"
812 "without-password/forced-commands-only/no "
813 "argument.", filename, linenum);
814 value = 0; /* silence compiler */
815 if (strcmp(arg, "without-password") == 0)
816 value = PERMIT_NO_PASSWD;
817 else if (strcmp(arg, "forced-commands-only") == 0)
818 value = PERMIT_FORCED_ONLY;
819 else if (strcmp(arg, "yes") == 0)
821 else if (strcmp(arg, "no") == 0)
824 fatal("%s line %d: Bad yes/"
825 "without-password/forced-commands-only/no "
826 "argument: %s", filename, linenum, arg);
827 if (*activep && *intptr == -1)
832 intptr = &options->ignore_rhosts;
835 if (!arg || *arg == '\0')
836 fatal("%s line %d: missing yes/no argument.",
838 value = 0; /* silence compiler */
839 if (strcmp(arg, "yes") == 0)
841 else if (strcmp(arg, "no") == 0)
844 fatal("%s line %d: Bad yes/no argument: %s",
845 filename, linenum, arg);
846 if (*activep && *intptr == -1)
850 case sIgnoreUserKnownHosts:
851 intptr = &options->ignore_user_known_hosts;
854 case sRhostsRSAAuthentication:
855 intptr = &options->rhosts_rsa_authentication;
858 case sHostbasedAuthentication:
859 intptr = &options->hostbased_authentication;
862 case sHostbasedUsesNameFromPacketOnly:
863 intptr = &options->hostbased_uses_name_from_packet_only;
866 case sRSAAuthentication:
867 intptr = &options->rsa_authentication;
870 case sPubkeyAuthentication:
871 intptr = &options->pubkey_authentication;
874 case sKerberosAuthentication:
875 intptr = &options->kerberos_authentication;
878 case sKerberosOrLocalPasswd:
879 intptr = &options->kerberos_or_local_passwd;
882 case sKerberosTicketCleanup:
883 intptr = &options->kerberos_ticket_cleanup;
886 case sKerberosGetAFSToken:
887 intptr = &options->kerberos_get_afs_token;
890 case sGssAuthentication:
891 intptr = &options->gss_authentication;
894 case sGssCleanupCreds:
895 intptr = &options->gss_cleanup_creds;
898 case sPasswordAuthentication:
899 intptr = &options->password_authentication;
902 case sZeroKnowledgePasswordAuthentication:
903 intptr = &options->zero_knowledge_password_authentication;
906 case sKbdInteractiveAuthentication:
907 intptr = &options->kbd_interactive_authentication;
910 case sChallengeResponseAuthentication:
911 intptr = &options->challenge_response_authentication;
915 intptr = &options->print_motd;
919 intptr = &options->print_lastlog;
923 intptr = &options->x11_forwarding;
926 case sX11DisplayOffset:
927 intptr = &options->x11_display_offset;
930 case sX11UseLocalhost:
931 intptr = &options->x11_use_localhost;
935 charptr = &options->xauth_location;
939 intptr = &options->strict_modes;
943 intptr = &options->tcp_keep_alive;
947 intptr = &options->permit_empty_passwd;
950 case sPermitUserEnvironment:
951 intptr = &options->permit_user_env;
955 intptr = &options->use_login;
959 intptr = &options->compression;
961 if (!arg || *arg == '\0')
962 fatal("%s line %d: missing yes/no/delayed "
963 "argument.", filename, linenum);
964 value = 0; /* silence compiler */
965 if (strcmp(arg, "delayed") == 0)
966 value = COMP_DELAYED;
967 else if (strcmp(arg, "yes") == 0)
969 else if (strcmp(arg, "no") == 0)
972 fatal("%s line %d: Bad yes/no/delayed "
973 "argument: %s", filename, linenum, arg);
979 intptr = &options->gateway_ports;
981 if (!arg || *arg == '\0')
982 fatal("%s line %d: missing yes/no/clientspecified "
983 "argument.", filename, linenum);
984 value = 0; /* silence compiler */
985 if (strcmp(arg, "clientspecified") == 0)
987 else if (strcmp(arg, "yes") == 0)
989 else if (strcmp(arg, "no") == 0)
992 fatal("%s line %d: Bad yes/no/clientspecified "
993 "argument: %s", filename, linenum, arg);
994 if (*activep && *intptr == -1)
999 intptr = &options->use_dns;
1003 log_facility_ptr = &options->log_facility;
1004 arg = strdelim(&cp);
1005 value = log_facility_number(arg);
1006 if (value == SYSLOG_FACILITY_NOT_SET)
1007 fatal("%.200s line %d: unsupported log facility '%s'",
1008 filename, linenum, arg ? arg : "<NONE>");
1009 if (*log_facility_ptr == -1)
1010 *log_facility_ptr = (SyslogFacility) value;
1014 log_level_ptr = &options->log_level;
1015 arg = strdelim(&cp);
1016 value = log_level_number(arg);
1017 if (value == SYSLOG_LEVEL_NOT_SET)
1018 fatal("%.200s line %d: unsupported log level '%s'",
1019 filename, linenum, arg ? arg : "<NONE>");
1020 if (*log_level_ptr == -1)
1021 *log_level_ptr = (LogLevel) value;
1024 case sAllowTcpForwarding:
1025 intptr = &options->allow_tcp_forwarding;
1028 case sAllowAgentForwarding:
1029 intptr = &options->allow_agent_forwarding;
1032 case sUsePrivilegeSeparation:
1033 intptr = &use_privsep;
1037 while ((arg = strdelim(&cp)) && *arg != '\0') {
1038 if (options->num_allow_users >= MAX_ALLOW_USERS)
1039 fatal("%s line %d: too many allow users.",
1041 options->allow_users[options->num_allow_users++] =
1047 while ((arg = strdelim(&cp)) && *arg != '\0') {
1048 if (options->num_deny_users >= MAX_DENY_USERS)
1049 fatal("%s line %d: too many deny users.",
1051 options->deny_users[options->num_deny_users++] =
1057 while ((arg = strdelim(&cp)) && *arg != '\0') {
1058 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1059 fatal("%s line %d: too many allow groups.",
1061 options->allow_groups[options->num_allow_groups++] =
1067 while ((arg = strdelim(&cp)) && *arg != '\0') {
1068 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1069 fatal("%s line %d: too many deny groups.",
1071 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1076 arg = strdelim(&cp);
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: Missing argument.", filename, linenum);
1079 if (!ciphers_valid(arg))
1080 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1081 filename, linenum, arg ? arg : "<NONE>");
1082 if (options->ciphers == NULL)
1083 options->ciphers = xstrdup(arg);
1087 arg = strdelim(&cp);
1088 if (!arg || *arg == '\0')
1089 fatal("%s line %d: Missing argument.", filename, linenum);
1090 if (!mac_valid(arg))
1091 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1092 filename, linenum, arg ? arg : "<NONE>");
1093 if (options->macs == NULL)
1094 options->macs = xstrdup(arg);
1098 intptr = &options->protocol;
1099 arg = strdelim(&cp);
1100 if (!arg || *arg == '\0')
1101 fatal("%s line %d: Missing argument.", filename, linenum);
1102 value = proto_spec(arg);
1103 if (value == SSH_PROTO_UNKNOWN)
1104 fatal("%s line %d: Bad protocol spec '%s'.",
1105 filename, linenum, arg ? arg : "<NONE>");
1106 if (*intptr == SSH_PROTO_UNKNOWN)
1111 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1112 fatal("%s line %d: too many subsystems defined.",
1115 arg = strdelim(&cp);
1116 if (!arg || *arg == '\0')
1117 fatal("%s line %d: Missing subsystem name.",
1120 arg = strdelim(&cp);
1123 for (i = 0; i < options->num_subsystems; i++)
1124 if (strcmp(arg, options->subsystem_name[i]) == 0)
1125 fatal("%s line %d: Subsystem '%s' already defined.",
1126 filename, linenum, arg);
1127 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1128 arg = strdelim(&cp);
1129 if (!arg || *arg == '\0')
1130 fatal("%s line %d: Missing subsystem command.",
1132 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1134 /* Collect arguments (separate to executable) */
1136 len = strlen(p) + 1;
1137 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1138 len += 1 + strlen(arg);
1139 p = xrealloc(p, 1, len);
1140 strlcat(p, " ", len);
1141 strlcat(p, arg, len);
1143 options->subsystem_args[options->num_subsystems] = p;
1144 options->num_subsystems++;
1148 arg = strdelim(&cp);
1149 if (!arg || *arg == '\0')
1150 fatal("%s line %d: Missing MaxStartups spec.",
1152 if ((n = sscanf(arg, "%d:%d:%d",
1153 &options->max_startups_begin,
1154 &options->max_startups_rate,
1155 &options->max_startups)) == 3) {
1156 if (options->max_startups_begin >
1157 options->max_startups ||
1158 options->max_startups_rate > 100 ||
1159 options->max_startups_rate < 1)
1160 fatal("%s line %d: Illegal MaxStartups spec.",
1163 fatal("%s line %d: Illegal MaxStartups spec.",
1166 options->max_startups = options->max_startups_begin;
1170 intptr = &options->max_authtries;
1174 intptr = &options->max_sessions;
1178 charptr = &options->banner;
1179 goto parse_filename;
1182 * These options can contain %X options expanded at
1183 * connect time, so that you can specify paths like:
1185 * AuthorizedKeysFile /etc/ssh_keys/%u
1187 case sAuthorizedKeysFile:
1188 case sAuthorizedKeysFile2:
1189 charptr = (opcode == sAuthorizedKeysFile) ?
1190 &options->authorized_keys_file :
1191 &options->authorized_keys_file2;
1192 goto parse_filename;
1194 case sClientAliveInterval:
1195 intptr = &options->client_alive_interval;
1198 case sClientAliveCountMax:
1199 intptr = &options->client_alive_count_max;
1203 while ((arg = strdelim(&cp)) && *arg != '\0') {
1204 if (strchr(arg, '=') != NULL)
1205 fatal("%s line %d: Invalid environment name.",
1207 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1208 fatal("%s line %d: too many allow env.",
1212 options->accept_env[options->num_accept_env++] =
1218 intptr = &options->permit_tun;
1219 arg = strdelim(&cp);
1220 if (!arg || *arg == '\0')
1221 fatal("%s line %d: Missing yes/point-to-point/"
1222 "ethernet/no argument.", filename, linenum);
1224 for (i = 0; tunmode_desc[i].val != -1; i++)
1225 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1226 value = tunmode_desc[i].val;
1230 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1231 "no argument: %s", filename, linenum, arg);
1238 fatal("Match directive not supported as a command-line "
1240 value = match_cfg_line(&cp, linenum, user, host, address);
1242 fatal("%s line %d: Bad Match condition", filename,
1248 arg = strdelim(&cp);
1249 if (!arg || *arg == '\0')
1250 fatal("%s line %d: missing PermitOpen specification",
1252 n = options->num_permitted_opens; /* modified later */
1253 if (strcmp(arg, "any") == 0) {
1254 if (*activep && n == -1) {
1255 channel_clear_adm_permitted_opens();
1256 options->num_permitted_opens = 0;
1260 if (*activep && n == -1)
1261 channel_clear_adm_permitted_opens();
1262 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1265 fatal("%s line %d: missing host in PermitOpen",
1267 p = cleanhostname(p);
1268 if (arg == NULL || (port = a2port(arg)) <= 0)
1269 fatal("%s line %d: bad port number in "
1270 "PermitOpen", filename, linenum);
1271 if (*activep && n == -1)
1272 options->num_permitted_opens =
1273 channel_add_adm_permitted_opens(p, port);
1279 fatal("%.200s line %d: Missing argument.", filename,
1281 len = strspn(cp, WHITESPACE);
1282 if (*activep && options->adm_forced_command == NULL)
1283 options->adm_forced_command = xstrdup(cp + len);
1286 case sChrootDirectory:
1287 charptr = &options->chroot_directory;
1289 arg = strdelim(&cp);
1290 if (!arg || *arg == '\0')
1291 fatal("%s line %d: missing file name.",
1293 if (*activep && *charptr == NULL)
1294 *charptr = xstrdup(arg);
1298 logit("%s line %d: Deprecated option %s",
1299 filename, linenum, arg);
1301 arg = strdelim(&cp);
1305 logit("%s line %d: Unsupported option %s",
1306 filename, linenum, arg);
1308 arg = strdelim(&cp);
1312 fatal("%s line %d: Missing handler for opcode %s (%d)",
1313 filename, linenum, arg, opcode);
1315 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1316 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1317 filename, linenum, arg);
1321 /* Reads the server configuration file. */
/*
 * Read the server configuration file `filename` into `conf`, pre-stripped
 * of comments and leading whitespace, for later parsing by
 * parse_server_config().  Newlines are kept so the parser can still
 * report meaningful line numbers.
 *
 * NOTE(review): the first '#' on a line ends the line, so '#' cannot
 * appear inside any directive argument.
 * NOTE(review): a physical line longer than the fixed read buffer is
 * delivered by fgets() in pieces and each piece is trimmed independently,
 * so such a line is not re-assembled exactly -- confirm this is an
 * accepted limitation.
 */
1324 load_server_config(const char *filename, Buffer *conf)
/* Fixed-size read buffer; see the long-line note above. */
1326 char line[1024], *cp;
1329 debug2("%s: filename %s", __func__, filename);
/* How an unreadable file is reported is in lines not shown in this excerpt. */
1330 if ((f = fopen(filename, "r")) == NULL) {
1335 while (fgets(line, sizeof(line), f)) {
1337 * Trim out comments and strip whitespace
1338 * NB - preserve newlines, they are needed to reproduce
1339 * line numbers later for error messages
/* Overwrite the first '#' with "\n" plus NUL (memcpy of 2 bytes), dropping the rest of the line. */
1341 if ((cp = strchr(line, '#')) != NULL)
1342 memcpy(cp, "\n", 2);
/* Skip leading blanks; a leading '\r' is skipped too, a trailing one is left for the tokenizer (presumably strdelim()). */
1343 cp = line + strspn(line, " \t\r");
1345 buffer_append(conf, cp, strlen(cp));
/* NUL-terminate so parse_server_config() can xstrdup() the buffer as a C string. */
1347 buffer_append(conf, "\0", 1);
1349 debug2("%s: done config len = %d", __func__, buffer_len(conf));
/*
 * Re-run the saved configuration for one connection so that Match blocks
 * take effect.  The text is parsed into a scratch ServerOptions (`mo`) and
 * the values a matching block set are then copied into `options`
 * (preauth == 0, so string options are copied as well).
 *
 * NOTE(review): `cfg` is presumably the file-scope Buffer filled by
 * load_server_config(); its declaration is not in this excerpt.
 */
1353 parse_server_match_config(ServerOptions *options, const char *user,
1354 const char *host, const char *address)
/* Start from all-unset defaults so only Match-set values are copied below. */
1358 initialize_server_options(&mo);
/* A non-NULL user puts parse_server_config() into "inactive until a Match hits" mode. */
1359 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1360 copy_set_server_options(options, &mo, 0);
1364 #define M_CP_INTOPT(n) do {\
1368 #define M_CP_STROPT(n) do {\
1369 if (src->n != NULL) { \
1370 if (dst->n != NULL) \
1377 * Copy any supported values that are set.
1379 * If the preauth flag is set, we do not bother copying the string or
1380 * array values that are not used pre-authentication, because any that we
1381 * do use must be explicitly sent in mm_getpwnamallow().
1384 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
/*
 * NOTE(review): this list defines which keywords a Match block can
 * override.  A keyword that process_server_config_line() accepts inside
 * a Match block but that is missing here is silently ignored for the
 * matched connection, so extend this list whenever a Match-able option
 * is added.  M_CP_INTOPT/M_CP_STROPT are expected to copy only values
 * that are set in src (their bodies are only partly visible here).
 */
/* Authentication methods a Match block may enable or disable. */
1386 M_CP_INTOPT(password_authentication);
1387 M_CP_INTOPT(gss_authentication);
1388 M_CP_INTOPT(rsa_authentication);
1389 M_CP_INTOPT(pubkey_authentication);
1390 M_CP_INTOPT(kerberos_authentication);
1391 M_CP_INTOPT(hostbased_authentication);
1392 M_CP_INTOPT(kbd_interactive_authentication);
1393 M_CP_INTOPT(zero_knowledge_password_authentication);
/* Login policy. */
1394 M_CP_INTOPT(permit_root_login);
1395 M_CP_INTOPT(permit_empty_passwd);
/* Forwarding, X11 and per-connection limits. */
1397 M_CP_INTOPT(allow_tcp_forwarding);
1398 M_CP_INTOPT(allow_agent_forwarding);
1399 M_CP_INTOPT(gateway_ports);
1400 M_CP_INTOPT(x11_display_offset);
1401 M_CP_INTOPT(x11_forwarding);
1402 M_CP_INTOPT(x11_use_localhost);
1403 M_CP_INTOPT(max_sessions);
1404 M_CP_INTOPT(max_authtries);
/* String options.  The preauth early-return described in the header comment presumably sits in the elided lines between banner and the two below -- confirm. */
1406 M_CP_STROPT(banner);
1409 M_CP_STROPT(adm_forced_command);
1410 M_CP_STROPT(chroot_directory);
/*
 * Parse the pre-loaded configuration text in `conf` into `options`.
 * `user`, `host` and `address` describe the connection being matched and
 * are NULL for the initial, pre-connection parse.  Lines that
 * process_server_config_line() rejects without fatal()ing are counted,
 * and the daemon terminates after the loop if there were any, so a
 * broken configuration is never partially honoured.
 */
1417 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1418 const char *user, const char *host, const char *address)
1420 int active, linenum, bad_options = 0;
1421 char *cp, *obuf, *cbuf;
1423 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
/* Work on a private copy: strsep() writes NULs into it.  obuf keeps the head so the copy can be released afterwards (release not shown in this excerpt). */
1425 obuf = cbuf = xstrdup(buffer_ptr(conf));
/*
 * Initial parse (user == NULL): every line applies until a Match keyword
 * is seen.  Match reprocessing (user set): nothing applies until a Match
 * block whose conditions hold.  process_server_config_line() presumably
 * updates `active` on each Match line via the pointer passed below.
 */
1426 active = user ? 0 : 1;
/* linenum is initialised in an elided line. */
1428 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1429 if (process_server_config_line(options, cp, filename,
1430 linenum++, &active, user, host, address) != 0)
/* Nonzero return: presumably bad_options++ (statement not shown). */
1434 if (bad_options > 0)
1435 fatal("%s: terminating, %d bad configuration options",
1436 filename, bad_options);
/*
 * Translate an integer option value back into the keyword spelling that
 * sshd_config accepts, for dump_config().  Only the special-case
 * mappings are visible in this excerpt; the generic yes/no and fallback
 * returns are elided.
 */
1440 fmt_intarg(ServerOpCodes code, int val)
1442 if (code == sAddressFamily) {
/* PermitRootLogin has two non-boolean settings. */
1454 if (code == sPermitRootLogin) {
1456 case PERMIT_NO_PASSWD:
1457 return "without-password";
1458 case PERMIT_FORCED_ONLY:
1459 return "forced-commands-only";
1464 if (code == sProtocol) {
1470 case (SSH_PROTO_1|SSH_PROTO_2):
/* GatewayPorts value 2 is the "clientspecified" setting. */
1476 if (code == sGatewayPorts && val == 2)
1477 return "clientspecified";
1478 if (code == sCompression && val == COMP_DELAYED)
/*
 * Map an opcode back to its configuration keyword by scanning the
 * keywords[] table (declared earlier in the file).  What is returned when
 * no entry matches is in an elided line after the loop.
 */
1492 lookup_opcode_name(ServerOpCodes code)
1496 for (i = 0; keywords[i].name != NULL; i++)
1497 if (keywords[i].opcode == code)
1498 return(keywords[i].name);
/* Print an integer option as "keyword value" for the configuration dump. */
1503 dump_cfg_int(ServerOpCodes code, int val)
1505 printf("%s %d\n", lookup_opcode_name(code), val);
/* Like dump_cfg_int(), but spells the value the way sshd_config accepts it. */
1509 dump_cfg_fmtint(ServerOpCodes code, int val)
1511 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
/*
 * Print a string option as "keyword value".
 * NOTE(review): the lines between the signature and the printf are not
 * shown; they presumably return early when val == NULL, since callers
 * pass options that may be unset and printf("%s", NULL) is undefined
 * behaviour -- confirm.
 */
1515 dump_cfg_string(ServerOpCodes code, const char *val)
1519 printf("%s %s\n", lookup_opcode_name(code), val);
/* Print each element of a string-array option on its own "keyword value" line. */
1523 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1527 for (i = 0; i < count; i++)
1528 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1532 dump_config(ServerOptions *o)
1536 struct addrinfo *ai;
1537 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1539 /* these are usually at the top of the config */
1540 for (i = 0; i < o->num_ports; i++)
1541 printf("port %d\n", o->ports[i]);
1542 dump_cfg_fmtint(sProtocol, o->protocol);
1543 dump_cfg_fmtint(sAddressFamily, o->address_family);
1545 /* ListenAddress must be after Port */
1546 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1547 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1548 sizeof(addr), port, sizeof(port),
1549 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1550 error("getnameinfo failed: %.100s",
1551 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1554 if (ai->ai_family == AF_INET6)
1555 printf("listenaddress [%s]:%s\n", addr, port);
1557 printf("listenaddress %s:%s\n", addr, port);
1561 /* integer arguments */
1563 dump_cfg_int(sUsePAM, o->use_pam);
1565 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1566 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1567 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1568 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1569 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1570 dump_cfg_int(sMaxSessions, o->max_sessions);
1571 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1572 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1574 /* formatted integer arguments */
1575 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1576 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1577 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1578 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1579 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1580 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1581 o->hostbased_uses_name_from_packet_only);
1582 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1583 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1585 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1586 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1587 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1589 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1593 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1594 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1597 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1598 o->zero_knowledge_password_authentication);
1600 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1601 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1602 o->kbd_interactive_authentication);
1603 dump_cfg_fmtint(sChallengeResponseAuthentication,
1604 o->challenge_response_authentication);
1605 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1606 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1607 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1608 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1609 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1610 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1611 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1612 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1613 dump_cfg_fmtint(sUseLogin, o->use_login);
1614 dump_cfg_fmtint(sCompression, o->compression);
1615 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1616 dump_cfg_fmtint(sUseDNS, o->use_dns);
1617 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1618 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1620 /* string arguments */
1621 dump_cfg_string(sPidFile, o->pid_file);
1622 dump_cfg_string(sXAuthLocation, o->xauth_location);
1623 dump_cfg_string(sCiphers, o->ciphers);
1624 dump_cfg_string(sMacs, o->macs);
1625 dump_cfg_string(sBanner, o->banner);
1626 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1627 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1628 dump_cfg_string(sForceCommand, o->adm_forced_command);
1630 /* string arguments requiring a lookup */
1631 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1632 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1634 /* string array arguments */
1635 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1637 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1638 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1639 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1640 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1641 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1643 /* other arguments */
1644 for (i = 0; i < o->num_subsystems; i++)
1645 printf("subsystem %s %s\n", o->subsystem_name[i],
1646 o->subsystem_args[i]);
1648 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1649 o->max_startups_rate, o->max_startups);
1651 for (i = 0; tunmode_desc[i].val != -1; i++)
1652 if (tunmode_desc[i].val == o->permit_tun) {
1653 s = tunmode_desc[i].text;
1656 dump_cfg_string(sPermitTunnel, s);
1658 channel_print_adm_permitted_opens();