1 /* $OpenBSD: servconf.c,v 1.213 2010/11/13 23:27:50 djm Exp $ */ 2 /* 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 */ 12 13 #include "includes.h" 14 15 #include <sys/types.h> 16 #include <sys/socket.h> 17 18 #include <netinet/in.h> 19 #include <netinet/in_systm.h> 20 #include <netinet/ip.h> 21 22 #include <netdb.h> 23 #include <pwd.h> 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <string.h> 27 #include <signal.h> 28 #include <unistd.h> 29 #include <stdarg.h> 30 #include <errno.h> 31 32 #include "openbsd-compat/sys-queue.h" 33 #include "xmalloc.h" 34 #include "ssh.h" 35 #include "log.h" 36 #include "buffer.h" 37 #include "servconf.h" 38 #include "compat.h" 39 #include "pathnames.h" 40 #include "misc.h" 41 #include "cipher.h" 42 #include "key.h" 43 #include "kex.h" 44 #include "mac.h" 45 #include "match.h" 46 #include "channels.h" 47 #include "groupaccess.h" 48 #include "version.h" 49 50 static void add_listen_addr(ServerOptions *, char *, int); 51 static void add_one_listen_addr(ServerOptions *, char *, int); 52 53 /* Use of privilege separation or not */ 54 extern int use_privsep; 55 extern Buffer cfg; 56 57 /* Initializes the server options to their default values. */ 58 59 void 60 initialize_server_options(ServerOptions *options) 61 { 62 memset(options, 0, sizeof(*options)); 63 64 /* Portable-specific options */ 65 options->use_pam = -1; 66 67 /* Standard Options */ 68 options->num_ports = 0; 69 options->ports_from_cmdline = 0; 70 options->listen_addrs = NULL; 71 options->address_family = -1; 72 options->num_host_key_files = 0; 73 options->num_host_cert_files = 0; 74 options->pid_file = NULL; 75 options->server_key_bits = -1; 76 options->login_grace_time = -1; 77 options->key_regeneration_time = -1; 78 options->permit_root_login = PERMIT_NOT_SET; 79 options->ignore_rhosts = -1; 80 options->ignore_user_known_hosts = -1; 81 options->print_motd = -1; 82 options->print_lastlog = -1; 83 options->x11_forwarding = -1; 84 options->x11_display_offset = -1; 85 options->x11_use_localhost = -1; 86 options->xauth_location = NULL; 87 options->strict_modes = -1; 88 options->tcp_keep_alive = -1; 89 options->log_facility = SYSLOG_FACILITY_NOT_SET; 90 options->log_level = SYSLOG_LEVEL_NOT_SET; 91 options->rhosts_rsa_authentication = -1; 92 options->hostbased_authentication = -1; 93 options->hostbased_uses_name_from_packet_only = -1; 94 options->rsa_authentication = -1; 95 options->pubkey_authentication = -1; 96 options->kerberos_authentication = -1; 97 options->kerberos_or_local_passwd = -1; 98 options->kerberos_ticket_cleanup = -1; 99 options->kerberos_get_afs_token = -1; 100 options->gss_authentication=-1; 101 options->gss_cleanup_creds = -1; 102 options->password_authentication = -1; 103 options->kbd_interactive_authentication = -1; 104 options->challenge_response_authentication = -1; 105 options->permit_blacklisted_keys = -1; 106 options->permit_empty_passwd = -1; 107 options->permit_user_env = -1; 108 options->use_login = -1; 109 options->compression = -1; 110 options->allow_tcp_forwarding = -1; 111 options->allow_agent_forwarding = -1; 112 options->num_allow_users = 0; 113 options->num_deny_users = 0; 114 options->num_allow_groups = 0; 115 options->num_deny_groups = 0; 116 options->ciphers = NULL; 117 options->macs = NULL; 118 options->kex_algorithms = NULL; 119 options->protocol = SSH_PROTO_UNKNOWN; 120 options->gateway_ports = -1; 121 options->num_subsystems = 0; 122 options->max_startups_begin = -1; 123 options->max_startups_rate = -1; 124 options->max_startups = -1; 125 options->max_authtries = -1; 126 options->max_sessions = -1; 127 options->banner = NULL; 128 options->use_dns = -1; 129 options->client_alive_interval = -1; 130 options->client_alive_count_max = -1; 131 options->authorized_keys_file = NULL; 132 options->authorized_keys_file2 = NULL; 133 options->num_accept_env = 0; 134 options->permit_tun = -1; 135 options->num_permitted_opens = -1; 136 options->adm_forced_command = NULL; 137 options->chroot_directory = NULL; 138 options->zero_knowledge_password_authentication = -1; 139 options->none_enabled = -1; 140 options->tcp_rcv_buf_poll = -1; 141 options->hpn_disabled = -1; 142 options->hpn_buffer_size = -1; 143 options->revoked_keys_file = NULL; 144 options->trusted_user_ca_keys = NULL; 145 options->authorized_principals_file = NULL; 146 options->ip_qos_interactive = -1; 147 options->ip_qos_bulk = -1; 148 } 149 150 void 151 fill_default_server_options(ServerOptions *options) 152 { 153 /* needed for hpn socket tests */ 154 int sock; 155 int socksize; 156 int socksizelen = sizeof(int); 157 158 /* Portable-specific options */ 159 if (options->use_pam == -1) 160 options->use_pam = 0; 161 162 /* Standard Options */ 163 if (options->protocol == SSH_PROTO_UNKNOWN) 164 options->protocol = SSH_PROTO_2; 165 if (options->num_host_key_files == 0) { 166 /* fill default hostkeys for protocols */ 167 if (options->protocol & SSH_PROTO_1) 168 options->host_key_files[options->num_host_key_files++] = 169 _PATH_HOST_KEY_FILE; 170 if (options->protocol & SSH_PROTO_2) { 171 options->host_key_files[options->num_host_key_files++] = 172 _PATH_HOST_RSA_KEY_FILE; 173 options->host_key_files[options->num_host_key_files++] = 174 _PATH_HOST_DSA_KEY_FILE; 175 #ifdef OPENSSL_HAS_ECC 176 options->host_key_files[options->num_host_key_files++] = 177 _PATH_HOST_ECDSA_KEY_FILE; 178 #endif 179 } 180 } 181 /* No certificates by default */ 182 if (options->num_ports == 0) 183 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 184 if (options->listen_addrs == NULL) 185 add_listen_addr(options, NULL, 0); 186 if (options->pid_file == NULL) 187 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 188 if (options->server_key_bits == -1) 189 options->server_key_bits = 1024; 190 if (options->login_grace_time == -1) 191 options->login_grace_time = 120; 192 if (options->key_regeneration_time == -1) 193 options->key_regeneration_time = 3600; 194 if (options->permit_root_login == PERMIT_NOT_SET) 195 options->permit_root_login = PERMIT_NO; 196 if (options->ignore_rhosts == -1) 197 options->ignore_rhosts = 1; 198 if (options->ignore_user_known_hosts == -1) 199 options->ignore_user_known_hosts = 0; 200 if (options->print_motd == -1) 201 options->print_motd = 1; 202 if (options->print_lastlog == -1) 203 options->print_lastlog = 1; 204 if (options->x11_forwarding == -1) 205 options->x11_forwarding = 1; 206 if (options->x11_display_offset == -1) 207 options->x11_display_offset = 10; 208 if (options->x11_use_localhost == -1) 209 options->x11_use_localhost = 1; 210 if (options->xauth_location == NULL) 211 options->xauth_location = _PATH_XAUTH; 212 if (options->strict_modes == -1) 213 options->strict_modes = 1; 214 if (options->tcp_keep_alive == -1) 215 options->tcp_keep_alive = 1; 216 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 217 options->log_facility = SYSLOG_FACILITY_AUTH; 218 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 219 options->log_level = SYSLOG_LEVEL_INFO; 220 if (options->rhosts_rsa_authentication == -1) 221 options->rhosts_rsa_authentication = 0; 222 if (options->hostbased_authentication == -1) 223 options->hostbased_authentication = 0; 224 if (options->hostbased_uses_name_from_packet_only == -1) 225 options->hostbased_uses_name_from_packet_only = 0; 226 if (options->rsa_authentication == -1) 227 options->rsa_authentication = 1; 228 if (options->pubkey_authentication == -1) 229 options->pubkey_authentication = 1; 230 if (options->kerberos_authentication == -1) 231 options->kerberos_authentication = 0; 232 if (options->kerberos_or_local_passwd == -1) 233 options->kerberos_or_local_passwd = 1; 234 if (options->kerberos_ticket_cleanup == -1) 235 options->kerberos_ticket_cleanup = 1; 236 if (options->kerberos_get_afs_token == -1) 237 options->kerberos_get_afs_token = 0; 238 if (options->gss_authentication == -1) 239 options->gss_authentication = 0; 240 if (options->gss_cleanup_creds == -1) 241 options->gss_cleanup_creds = 1; 242 if (options->password_authentication == -1) 243 options->password_authentication = 1; 244 if (options->kbd_interactive_authentication == -1) 245 options->kbd_interactive_authentication = 0; 246 if (options->challenge_response_authentication == -1) 247 options->challenge_response_authentication = 1; 248 if (options->permit_blacklisted_keys == -1) 249 options->permit_blacklisted_keys = 0; 250 if (options->permit_empty_passwd == -1) 251 options->permit_empty_passwd = 0; 252 if (options->permit_user_env == -1) 253 options->permit_user_env = 0; 254 if (options->use_login == -1) 255 options->use_login = 0; 256 if (options->compression == -1) 257 options->compression = COMP_DELAYED; 258 if (options->allow_tcp_forwarding == -1) 259 options->allow_tcp_forwarding = 1; 260 if (options->allow_agent_forwarding == -1) 261 options->allow_agent_forwarding = 1; 262 if (options->gateway_ports == -1) 263 options->gateway_ports = 0; 264 if (options->max_startups == -1) 265 options->max_startups = 10; 266 if (options->max_startups_rate == -1) 267 options->max_startups_rate = 100; /* 100% */ 268 if (options->max_startups_begin == -1) 269 options->max_startups_begin = options->max_startups; 270 if (options->max_authtries == -1) 271 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 272 if (options->max_sessions == -1) 273 options->max_sessions = DEFAULT_SESSIONS_MAX; 274 if (options->use_dns == -1) 275 options->use_dns = 1; 276 if (options->client_alive_interval == -1) 277 options->client_alive_interval = 0; 278 if (options->client_alive_count_max == -1) 279 options->client_alive_count_max = 3; 280 if (options->authorized_keys_file2 == NULL) { 281 /* authorized_keys_file2 falls back to authorized_keys_file */ 282 if (options->authorized_keys_file != NULL) 283 options->authorized_keys_file2 = xstrdup(options->authorized_keys_file); 284 else 285 options->authorized_keys_file2 = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 286 } 287 if (options->authorized_keys_file == NULL) 288 options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 289 if (options->permit_tun == -1) 290 options->permit_tun = SSH_TUNMODE_NO; 291 if (options->zero_knowledge_password_authentication == -1) 292 options->zero_knowledge_password_authentication = 0; 293 if (options->ip_qos_interactive == -1) 294 options->ip_qos_interactive = IPTOS_LOWDELAY; 295 if (options->ip_qos_bulk == -1) 296 options->ip_qos_bulk = IPTOS_THROUGHPUT; 297 298 if (options->hpn_disabled == -1) 299 options->hpn_disabled = 0; 300 301 if (options->hpn_buffer_size == -1) { 302 /* option not explicitly set. Now we have to figure out */ 303 /* what value to use */ 304 if (options->hpn_disabled == 1) { 305 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; 306 } else { 307 /* get the current RCV size and set it to that */ 308 /*create a socket but don't connect it */ 309 /* we use that the get the rcv socket size */ 310 sock = socket(AF_INET, SOCK_STREAM, 0); 311 getsockopt(sock, SOL_SOCKET, SO_RCVBUF, 312 &socksize, &socksizelen); 313 close(sock); 314 options->hpn_buffer_size = socksize; 315 debug ("HPN Buffer Size: %d", options->hpn_buffer_size); 316 317 } 318 } else { 319 /* we have to do this incase the user sets both values in a contradictory */ 320 /* manner. hpn_disabled overrrides hpn_buffer_size*/ 321 if (options->hpn_disabled <= 0) { 322 if (options->hpn_buffer_size == 0) 323 options->hpn_buffer_size = 1; 324 /* limit the maximum buffer to 64MB */ 325 if (options->hpn_buffer_size > 64*1024) { 326 options->hpn_buffer_size = 64*1024*1024; 327 } else { 328 options->hpn_buffer_size *= 1024; 329 } 330 } else 331 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; 332 } 333 334 /* Turn privilege separation on by default */ 335 if (use_privsep == -1) 336 use_privsep = 1; 337 338 #ifndef HAVE_MMAP 339 if (use_privsep && options->compression == 1) { 340 error("This platform does not support both privilege " 341 "separation and compression"); 342 error("Compression disabled"); 343 options->compression = 0; 344 } 345 #endif 346 347 } 348 349 /* Keyword tokens. */ 350 typedef enum { 351 sBadOption, /* == unknown option */ 352 /* Portable-specific options */ 353 sUsePAM, 354 /* Standard Options */ 355 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 356 sPermitRootLogin, sLogFacility, sLogLevel, 357 sRhostsRSAAuthentication, sRSAAuthentication, 358 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 359 sKerberosGetAFSToken, 360 sKerberosTgtPassing, sChallengeResponseAuthentication, 361 sPasswordAuthentication, sKbdInteractiveAuthentication, 362 sListenAddress, sAddressFamily, 363 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 364 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 365 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 366 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 367 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 368 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 369 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 370 sMaxStartups, sMaxAuthTries, sMaxSessions, 371 sBanner, sUseDNS, sHostbasedAuthentication, 372 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 373 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 374 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 375 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 376 sUsePrivilegeSeparation, sAllowAgentForwarding, 377 sZeroKnowledgePasswordAuthentication, sHostCertificate, 378 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 379 sKexAlgorithms, sIPQoS, 380 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, 381 sVersionAddendum, 382 sDeprecated, sUnsupported 383 } ServerOpCodes; 384 385 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 386 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 387 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 388 389 /* Textual representation of the tokens. */ 390 static struct { 391 const char *name; 392 ServerOpCodes opcode; 393 u_int flags; 394 } keywords[] = { 395 /* Portable-specific options */ 396 #ifdef USE_PAM 397 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 398 #else 399 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 400 #endif 401 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 402 /* Standard Options */ 403 { "port", sPort, SSHCFG_GLOBAL }, 404 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 405 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 406 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 407 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 408 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 409 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 410 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 411 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 412 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 413 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 414 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 415 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 416 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 417 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 418 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 419 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 420 #ifdef KRB5 421 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 422 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 423 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 424 #ifdef USE_AFS 425 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 426 #else 427 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 428 #endif 429 #else 430 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 431 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 432 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 433 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 434 #endif 435 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 436 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 437 #ifdef GSSAPI 438 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 439 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 440 #else 441 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 442 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 443 #endif 444 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 445 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 446 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 447 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 448 #ifdef JPAKE 449 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, 450 #else 451 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, 452 #endif 453 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 454 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 455 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 456 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 457 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 458 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 459 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 460 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 461 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 462 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 463 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 464 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 465 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }, 466 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 467 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 468 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 469 { "compression", sCompression, SSHCFG_GLOBAL }, 470 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 471 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 472 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 473 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 474 { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, 475 { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, 476 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, 477 { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, 478 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 479 { "macs", sMacs, SSHCFG_GLOBAL }, 480 { "protocol", sProtocol, SSHCFG_GLOBAL }, 481 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 482 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 483 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 484 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 485 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 486 { "banner", sBanner, SSHCFG_ALL }, 487 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 488 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 489 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 490 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 491 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 492 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 493 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL }, 494 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 495 { "versionaddendum", sVersionAddendum , SSHCFG_GLOBAL }, 496 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, 497 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 498 { "match", sMatch, SSHCFG_ALL }, 499 { "permitopen", sPermitOpen, SSHCFG_ALL }, 500 { "forcecommand", sForceCommand, SSHCFG_ALL }, 501 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 502 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 503 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 504 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 505 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 506 { "noneenabled", sNoneEnabled }, 507 { "hpndisabled", sHPNDisabled }, 508 { "hpnbuffersize", sHPNBufferSize }, 509 { "tcprcvbufpoll", sTcpRcvBufPoll }, 510 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 511 { "ipqos", sIPQoS, SSHCFG_ALL }, 512 { NULL, sBadOption, 0 } 513 }; 514 515 static struct { 516 int val; 517 char *text; 518 } tunmode_desc[] = { 519 { SSH_TUNMODE_NO, "no" }, 520 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 521 { SSH_TUNMODE_ETHERNET, "ethernet" }, 522 { SSH_TUNMODE_YES, "yes" }, 523 { -1, NULL } 524 }; 525 526 /* 527 * Returns the number of the token pointed to by cp or sBadOption. 528 */ 529 530 static ServerOpCodes 531 parse_token(const char *cp, const char *filename, 532 int linenum, u_int *flags) 533 { 534 u_int i; 535 536 for (i = 0; keywords[i].name; i++) 537 if (strcasecmp(cp, keywords[i].name) == 0) { 538 debug ("Config token is %s", keywords[i].name); 539 *flags = keywords[i].flags; 540 return keywords[i].opcode; 541 } 542 543 error("%s: line %d: Bad configuration option: %s", 544 filename, linenum, cp); 545 return sBadOption; 546 } 547 548 char * 549 derelativise_path(const char *path) 550 { 551 char *expanded, *ret, cwd[MAXPATHLEN]; 552 553 expanded = tilde_expand_filename(path, getuid()); 554 if (*expanded == '/') 555 return expanded; 556 if (getcwd(cwd, sizeof(cwd)) == NULL) 557 fatal("%s: getcwd: %s", __func__, strerror(errno)); 558 xasprintf(&ret, "%s/%s", cwd, expanded); 559 xfree(expanded); 560 return ret; 561 } 562 563 static void 564 add_listen_addr(ServerOptions *options, char *addr, int port) 565 { 566 u_int i; 567 568 if (options->num_ports == 0) 569 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 570 if (options->address_family == -1) 571 options->address_family = AF_UNSPEC; 572 if (port == 0) 573 for (i = 0; i < options->num_ports; i++) 574 add_one_listen_addr(options, addr, options->ports[i]); 575 else 576 add_one_listen_addr(options, addr, port); 577 } 578 579 static void 580 add_one_listen_addr(ServerOptions *options, char *addr, int port) 581 { 582 struct addrinfo hints, *ai, *aitop; 583 char strport[NI_MAXSERV]; 584 int gaierr; 585 586 memset(&hints, 0, sizeof(hints)); 587 hints.ai_family = options->address_family; 588 hints.ai_socktype = SOCK_STREAM; 589 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 590 snprintf(strport, sizeof strport, "%d", port); 591 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 592 fatal("bad addr or host: %s (%s)", 593 addr ? addr : "<NULL>", 594 ssh_gai_strerror(gaierr)); 595 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 596 ; 597 ai->ai_next = options->listen_addrs; 598 options->listen_addrs = aitop; 599 } 600 601 /* 602 * The strategy for the Match blocks is that the config file is parsed twice. 603 * 604 * The first time is at startup. activep is initialized to 1 and the 605 * directives in the global context are processed and acted on. Hitting a 606 * Match directive unsets activep and the directives inside the block are 607 * checked for syntax only. 608 * 609 * The second time is after a connection has been established but before 610 * authentication. activep is initialized to 2 and global config directives 611 * are ignored since they have already been processed. If the criteria in a 612 * Match block is met, activep is set and the subsequent directives 613 * processed and actioned until EOF or another Match block unsets it. Any 614 * options set are copied into the main server config. 615 * 616 * Potential additions/improvements: 617 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 618 * 619 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 620 * Match Address 192.168.0.* 621 * Tag trusted 622 * Match Group wheel 623 * Tag trusted 624 * Match Tag trusted 625 * AllowTcpForwarding yes 626 * GatewayPorts clientspecified 627 * [...] 628 * 629 * - Add a PermittedChannelRequests directive 630 * Match Group shell 631 * PermittedChannelRequests session,forwarded-tcpip 632 */ 633 634 static int 635 match_cfg_line_group(const char *grps, int line, const char *user) 636 { 637 int result = 0; 638 struct passwd *pw; 639 640 if (user == NULL) 641 goto out; 642 643 if ((pw = getpwnam(user)) == NULL) { 644 debug("Can't match group at line %d because user %.100s does " 645 "not exist", line, user); 646 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 647 debug("Can't Match group because user %.100s not in any group " 648 "at line %d", user, line); 649 } else if (ga_match_pattern_list(grps) != 1) { 650 debug("user %.100s does not match group list %.100s at line %d", 651 user, grps, line); 652 } else { 653 debug("user %.100s matched group list %.100s at line %d", user, 654 grps, line); 655 result = 1; 656 } 657 out: 658 ga_free(); 659 return result; 660 } 661 662 static int 663 match_cfg_line(char **condition, int line, const char *user, const char *host, 664 const char *address) 665 { 666 int result = 1; 667 char *arg, *attrib, *cp = *condition; 668 size_t len; 669 670 if (user == NULL) 671 debug3("checking syntax for 'Match %s'", cp); 672 else 673 debug3("checking match for '%s' user %s host %s addr %s", cp, 674 user ? user : "(null)", host ? host : "(null)", 675 address ? address : "(null)"); 676 677 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 678 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 679 error("Missing Match criteria for %s", attrib); 680 return -1; 681 } 682 len = strlen(arg); 683 if (strcasecmp(attrib, "user") == 0) { 684 if (!user) { 685 result = 0; 686 continue; 687 } 688 if (match_pattern_list(user, arg, len, 0) != 1) 689 result = 0; 690 else 691 debug("user %.100s matched 'User %.100s' at " 692 "line %d", user, arg, line); 693 } else if (strcasecmp(attrib, "group") == 0) { 694 switch (match_cfg_line_group(arg, line, user)) { 695 case -1: 696 return -1; 697 case 0: 698 result = 0; 699 } 700 } else if (strcasecmp(attrib, "host") == 0) { 701 if (!host) { 702 result = 0; 703 continue; 704 } 705 if (match_hostname(host, arg, len) != 1) 706 result = 0; 707 else 708 debug("connection from %.100s matched 'Host " 709 "%.100s' at line %d", host, arg, line); 710 } else if (strcasecmp(attrib, "address") == 0) { 711 switch (addr_match_list(address, arg)) { 712 case 1: 713 debug("connection from %.100s matched 'Address " 714 "%.100s' at line %d", address, arg, line); 715 break; 716 case 0: 717 case -1: 718 result = 0; 719 break; 720 case -2: 721 return -1; 722 } 723 } else { 724 error("Unsupported Match attribute %s", attrib); 725 return -1; 726 } 727 } 728 if (user != NULL) 729 debug3("match %sfound", result ? "" : "not "); 730 *condition = cp; 731 return result; 732 } 733 734 #define WHITESPACE " \t\r\n" 735 736 int 737 process_server_config_line(ServerOptions *options, char *line, 738 const char *filename, int linenum, int *activep, const char *user, 739 const char *host, const char *address) 740 { 741 char *cp, **charptr, *arg, *p; 742 int cmdline = 0, *intptr, value, value2, n; 743 SyslogFacility *log_facility_ptr; 744 LogLevel *log_level_ptr; 745 ServerOpCodes opcode; 746 int port; 747 u_int i, flags = 0; 748 size_t len; 749 750 cp = line; 751 if ((arg = strdelim(&cp)) == NULL) 752 return 0; 753 /* Ignore leading whitespace */ 754 if (*arg == '\0') 755 arg = strdelim(&cp); 756 if (!arg || !*arg || *arg == '#') 757 return 0; 758 intptr = NULL; 759 charptr = NULL; 760 opcode = parse_token(arg, filename, linenum, &flags); 761 762 if (activep == NULL) { /* We are processing a command line directive */ 763 cmdline = 1; 764 activep = &cmdline; 765 } 766 if (*activep && opcode != sMatch) 767 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 768 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 769 if (user == NULL) { 770 fatal("%s line %d: Directive '%s' is not allowed " 771 "within a Match block", filename, linenum, arg); 772 } else { /* this is a directive we have already processed */ 773 while (arg) 774 arg = strdelim(&cp); 775 return 0; 776 } 777 } 778 779 switch (opcode) { 780 /* Portable-specific options */ 781 case sUsePAM: 782 intptr = &options->use_pam; 783 goto parse_flag; 784 785 /* Standard Options */ 786 case sBadOption: 787 return -1; 788 case sPort: 789 /* ignore ports from configfile if cmdline specifies ports */ 790 if (options->ports_from_cmdline) 791 return 0; 792 if (options->listen_addrs != NULL) 793 fatal("%s line %d: ports must be specified before " 794 "ListenAddress.", filename, linenum); 795 if (options->num_ports >= MAX_PORTS) 796 fatal("%s line %d: too many ports.", 797 filename, linenum); 798 arg = strdelim(&cp); 799 if (!arg || *arg == '\0') 800 fatal("%s line %d: missing port number.", 801 filename, linenum); 802 options->ports[options->num_ports++] = a2port(arg); 803 if (options->ports[options->num_ports-1] <= 0) 804 fatal("%s line %d: Badly formatted port number.", 805 filename, linenum); 806 break; 807 808 case sServerKeyBits: 809 intptr = &options->server_key_bits; 810 parse_int: 811 arg = strdelim(&cp); 812 if (!arg || *arg == '\0') 813 fatal("%s line %d: missing integer value.", 814 filename, linenum); 815 value = atoi(arg); 816 if (*activep && *intptr == -1) 817 *intptr = value; 818 break; 819 820 case sLoginGraceTime: 821 intptr = &options->login_grace_time; 822 parse_time: 823 arg = strdelim(&cp); 824 if (!arg || *arg == '\0') 825 fatal("%s line %d: missing time value.", 826 filename, linenum); 827 if ((value = convtime(arg)) == -1) 828 fatal("%s line %d: invalid time value.", 829 filename, linenum); 830 if (*intptr == -1) 831 *intptr = value; 832 break; 833 834 case sKeyRegenerationTime: 835 intptr = &options->key_regeneration_time; 836 goto parse_time; 837 838 case sListenAddress: 839 arg = strdelim(&cp); 840 if (arg == NULL || *arg == '\0') 841 fatal("%s line %d: missing address", 842 filename, linenum); 843 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 844 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 845 && strchr(p+1, ':') != NULL) { 846 add_listen_addr(options, arg, 0); 847 break; 848 } 849 p = hpdelim(&arg); 850 if (p == NULL) 851 fatal("%s line %d: bad address:port usage", 852 filename, linenum); 853 p = cleanhostname(p); 854 if (arg == NULL) 855 port = 0; 856 else if ((port = a2port(arg)) <= 0) 857 fatal("%s line %d: bad port number", filename, linenum); 858 859 add_listen_addr(options, p, port); 860 861 break; 862 863 case sAddressFamily: 864 arg = strdelim(&cp); 865 if (!arg || *arg == '\0') 866 fatal("%s line %d: missing address family.", 867 filename, linenum); 868 intptr = &options->address_family; 869 if (options->listen_addrs != NULL) 870 fatal("%s line %d: address family must be specified before " 871 "ListenAddress.", filename, linenum); 872 if (strcasecmp(arg, "inet") == 0) 873 value = AF_INET; 874 else if (strcasecmp(arg, "inet6") == 0) 875 value = AF_INET6; 876 else if (strcasecmp(arg, "any") == 0) 877 value = AF_UNSPEC; 878 else 879 fatal("%s line %d: unsupported address family \"%s\".", 880 filename, linenum, arg); 881 if (*intptr == -1) 882 *intptr = value; 883 break; 884 885 case sHostKeyFile: 886 intptr = &options->num_host_key_files; 887 if (*intptr >= MAX_HOSTKEYS) 888 fatal("%s line %d: too many host keys specified (max %d).", 889 filename, linenum, MAX_HOSTKEYS); 890 charptr = &options->host_key_files[*intptr]; 891 parse_filename: 892 arg = strdelim(&cp); 893 if (!arg || *arg == '\0') 894 fatal("%s line %d: missing file name.", 895 filename, linenum); 896 if (*activep && *charptr == NULL) { 897 *charptr = derelativise_path(arg); 898 /* increase optional counter */ 899 if (intptr != NULL) 900 *intptr = *intptr + 1; 901 } 902 break; 903 904 case sHostCertificate: 905 intptr = &options->num_host_cert_files; 906 if (*intptr >= MAX_HOSTKEYS) 907 fatal("%s line %d: too many host certificates " 908 "specified (max %d).", filename, linenum, 909 MAX_HOSTCERTS); 910 charptr = &options->host_cert_files[*intptr]; 911 goto parse_filename; 912 break; 913 914 case sPidFile: 915 charptr = &options->pid_file; 916 goto parse_filename; 917 918 case sPermitRootLogin: 919 intptr = &options->permit_root_login; 920 arg = strdelim(&cp); 921 if (!arg || *arg == '\0') 922 fatal("%s line %d: missing yes/" 923 "without-password/forced-commands-only/no " 924 "argument.", filename, linenum); 925 value = 0; /* silence compiler */ 926 if (strcmp(arg, "without-password") == 0) 927 value = PERMIT_NO_PASSWD; 928 else if (strcmp(arg, "forced-commands-only") == 0) 929 value = PERMIT_FORCED_ONLY; 930 else if (strcmp(arg, "yes") == 0) 931 value = PERMIT_YES; 932 else if (strcmp(arg, "no") == 0) 933 value = PERMIT_NO; 934 else 935 fatal("%s line %d: Bad yes/" 936 "without-password/forced-commands-only/no " 937 "argument: %s", filename, linenum, arg); 938 if (*activep && *intptr == -1) 939 *intptr = value; 940 break; 941 942 case sIgnoreRhosts: 943 intptr = &options->ignore_rhosts; 944 parse_flag: 945 arg = strdelim(&cp); 946 if (!arg || *arg == '\0') 947 fatal("%s line %d: missing yes/no argument.", 948 filename, linenum); 949 value = 0; /* silence compiler */ 950 if (strcmp(arg, "yes") == 0) 951 value = 1; 952 else if (strcmp(arg, "no") == 0) 953 value = 0; 954 else 955 fatal("%s line %d: Bad yes/no argument: %s", 956 filename, linenum, arg); 957 if (*activep && *intptr == -1) 958 *intptr = value; 959 break; 960 961 case sNoneEnabled: 962 intptr = &options->none_enabled; 963 goto parse_flag; 964 965 case sTcpRcvBufPoll: 966 intptr = &options->tcp_rcv_buf_poll; 967 goto parse_flag; 968 969 case sHPNDisabled: 970 intptr = &options->hpn_disabled; 971 goto parse_flag; 972 973 case sHPNBufferSize: 974 intptr = &options->hpn_buffer_size; 975 goto parse_int; 976 977 case sIgnoreUserKnownHosts: 978 intptr = &options->ignore_user_known_hosts; 979 goto parse_flag; 980 981 case sRhostsRSAAuthentication: 982 intptr = &options->rhosts_rsa_authentication; 983 goto parse_flag; 984 985 case sHostbasedAuthentication: 986 intptr = &options->hostbased_authentication; 987 goto parse_flag; 988 989 case sHostbasedUsesNameFromPacketOnly: 990 intptr = &options->hostbased_uses_name_from_packet_only; 991 goto parse_flag; 992 993 case sRSAAuthentication: 994 intptr = &options->rsa_authentication; 995 goto parse_flag; 996 997 case sPubkeyAuthentication: 998 intptr = &options->pubkey_authentication; 999 goto parse_flag; 1000 1001 case sKerberosAuthentication: 1002 intptr = &options->kerberos_authentication; 1003 goto parse_flag; 1004 1005 case sKerberosOrLocalPasswd: 1006 intptr = &options->kerberos_or_local_passwd; 1007 goto parse_flag; 1008 1009 case sKerberosTicketCleanup: 1010 intptr = &options->kerberos_ticket_cleanup; 1011 goto parse_flag; 1012 1013 case sKerberosGetAFSToken: 1014 intptr = &options->kerberos_get_afs_token; 1015 goto parse_flag; 1016 1017 case sGssAuthentication: 1018 intptr = &options->gss_authentication; 1019 goto parse_flag; 1020 1021 case sGssCleanupCreds: 1022 intptr = &options->gss_cleanup_creds; 1023 goto parse_flag; 1024 1025 case sPasswordAuthentication: 1026 intptr = &options->password_authentication; 1027 goto parse_flag; 1028 1029 case sZeroKnowledgePasswordAuthentication: 1030 intptr = &options->zero_knowledge_password_authentication; 1031 goto parse_flag; 1032 1033 case sKbdInteractiveAuthentication: 1034 intptr = &options->kbd_interactive_authentication; 1035 goto parse_flag; 1036 1037 case sChallengeResponseAuthentication: 1038 intptr = &options->challenge_response_authentication; 1039 goto parse_flag; 1040 1041 case sPrintMotd: 1042 intptr = &options->print_motd; 1043 goto parse_flag; 1044 1045 case sPrintLastLog: 1046 intptr = &options->print_lastlog; 1047 goto parse_flag; 1048 1049 case sX11Forwarding: 1050 intptr = &options->x11_forwarding; 1051 goto parse_flag; 1052 1053 case sX11DisplayOffset: 1054 intptr = &options->x11_display_offset; 1055 goto parse_int; 1056 1057 case sX11UseLocalhost: 1058 intptr = &options->x11_use_localhost; 1059 goto parse_flag; 1060 1061 case sXAuthLocation: 1062 charptr = &options->xauth_location; 1063 goto parse_filename; 1064 1065 case sStrictModes: 1066 intptr = &options->strict_modes; 1067 goto parse_flag; 1068 1069 case sTCPKeepAlive: 1070 intptr = &options->tcp_keep_alive; 1071 goto parse_flag; 1072 1073 case sPermitBlacklistedKeys: 1074 intptr = &options->permit_blacklisted_keys; 1075 goto parse_flag; 1076 1077 case sEmptyPasswd: 1078 intptr = &options->permit_empty_passwd; 1079 goto parse_flag; 1080 1081 case sPermitUserEnvironment: 1082 intptr = &options->permit_user_env; 1083 goto parse_flag; 1084 1085 case sUseLogin: 1086 intptr = &options->use_login; 1087 goto parse_flag; 1088 1089 case sCompression: 1090 intptr = &options->compression; 1091 arg = strdelim(&cp); 1092 if (!arg || *arg == '\0') 1093 fatal("%s line %d: missing yes/no/delayed " 1094 "argument.", filename, linenum); 1095 value = 0; /* silence compiler */ 1096 if (strcmp(arg, "delayed") == 0) 1097 value = COMP_DELAYED; 1098 else if (strcmp(arg, "yes") == 0) 1099 value = COMP_ZLIB; 1100 else if (strcmp(arg, "no") == 0) 1101 value = COMP_NONE; 1102 else 1103 fatal("%s line %d: Bad yes/no/delayed " 1104 "argument: %s", filename, linenum, arg); 1105 if (*intptr == -1) 1106 *intptr = value; 1107 break; 1108 1109 case sGatewayPorts: 1110 intptr = &options->gateway_ports; 1111 arg = strdelim(&cp); 1112 if (!arg || *arg == '\0') 1113 fatal("%s line %d: missing yes/no/clientspecified " 1114 "argument.", filename, linenum); 1115 value = 0; /* silence compiler */ 1116 if (strcmp(arg, "clientspecified") == 0) 1117 value = 2; 1118 else if (strcmp(arg, "yes") == 0) 1119 value = 1; 1120 else if (strcmp(arg, "no") == 0) 1121 value = 0; 1122 else 1123 fatal("%s line %d: Bad yes/no/clientspecified " 1124 "argument: %s", filename, linenum, arg); 1125 if (*activep && *intptr == -1) 1126 *intptr = value; 1127 break; 1128 1129 case sUseDNS: 1130 intptr = &options->use_dns; 1131 goto parse_flag; 1132 1133 case sLogFacility: 1134 log_facility_ptr = &options->log_facility; 1135 arg = strdelim(&cp); 1136 value = log_facility_number(arg); 1137 if (value == SYSLOG_FACILITY_NOT_SET) 1138 fatal("%.200s line %d: unsupported log facility '%s'", 1139 filename, linenum, arg ? arg : "<NONE>"); 1140 if (*log_facility_ptr == -1) 1141 *log_facility_ptr = (SyslogFacility) value; 1142 break; 1143 1144 case sLogLevel: 1145 log_level_ptr = &options->log_level; 1146 arg = strdelim(&cp); 1147 value = log_level_number(arg); 1148 if (value == SYSLOG_LEVEL_NOT_SET) 1149 fatal("%.200s line %d: unsupported log level '%s'", 1150 filename, linenum, arg ? arg : "<NONE>"); 1151 if (*log_level_ptr == -1) 1152 *log_level_ptr = (LogLevel) value; 1153 break; 1154 1155 case sAllowTcpForwarding: 1156 intptr = &options->allow_tcp_forwarding; 1157 goto parse_flag; 1158 1159 case sAllowAgentForwarding: 1160 intptr = &options->allow_agent_forwarding; 1161 goto parse_flag; 1162 1163 case sUsePrivilegeSeparation: 1164 intptr = &use_privsep; 1165 goto parse_flag; 1166 1167 case sAllowUsers: 1168 while ((arg = strdelim(&cp)) && *arg != '\0') { 1169 if (options->num_allow_users >= MAX_ALLOW_USERS) 1170 fatal("%s line %d: too many allow users.", 1171 filename, linenum); 1172 options->allow_users[options->num_allow_users++] = 1173 xstrdup(arg); 1174 } 1175 break; 1176 1177 case sDenyUsers: 1178 while ((arg = strdelim(&cp)) && *arg != '\0') { 1179 if (options->num_deny_users >= MAX_DENY_USERS) 1180 fatal("%s line %d: too many deny users.", 1181 filename, linenum); 1182 options->deny_users[options->num_deny_users++] = 1183 xstrdup(arg); 1184 } 1185 break; 1186 1187 case sAllowGroups: 1188 while ((arg = strdelim(&cp)) && *arg != '\0') { 1189 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1190 fatal("%s line %d: too many allow groups.", 1191 filename, linenum); 1192 options->allow_groups[options->num_allow_groups++] = 1193 xstrdup(arg); 1194 } 1195 break; 1196 1197 case sDenyGroups: 1198 while ((arg = strdelim(&cp)) && *arg != '\0') { 1199 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1200 fatal("%s line %d: too many deny groups.", 1201 filename, linenum); 1202 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1203 } 1204 break; 1205 1206 case sCiphers: 1207 arg = strdelim(&cp); 1208 if (!arg || *arg == '\0') 1209 fatal("%s line %d: Missing argument.", filename, linenum); 1210 if (!ciphers_valid(arg)) 1211 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1212 filename, linenum, arg ? arg : "<NONE>"); 1213 if (options->ciphers == NULL) 1214 options->ciphers = xstrdup(arg); 1215 break; 1216 1217 case sMacs: 1218 arg = strdelim(&cp); 1219 if (!arg || *arg == '\0') 1220 fatal("%s line %d: Missing argument.", filename, linenum); 1221 if (!mac_valid(arg)) 1222 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1223 filename, linenum, arg ? arg : "<NONE>"); 1224 if (options->macs == NULL) 1225 options->macs = xstrdup(arg); 1226 break; 1227 1228 case sKexAlgorithms: 1229 arg = strdelim(&cp); 1230 if (!arg || *arg == '\0') 1231 fatal("%s line %d: Missing argument.", 1232 filename, linenum); 1233 if (!kex_names_valid(arg)) 1234 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1235 filename, linenum, arg ? arg : "<NONE>"); 1236 if (options->kex_algorithms == NULL) 1237 options->kex_algorithms = xstrdup(arg); 1238 break; 1239 1240 case sProtocol: 1241 intptr = &options->protocol; 1242 arg = strdelim(&cp); 1243 if (!arg || *arg == '\0') 1244 fatal("%s line %d: Missing argument.", filename, linenum); 1245 value = proto_spec(arg); 1246 if (value == SSH_PROTO_UNKNOWN) 1247 fatal("%s line %d: Bad protocol spec '%s'.", 1248 filename, linenum, arg ? arg : "<NONE>"); 1249 if (*intptr == SSH_PROTO_UNKNOWN) 1250 *intptr = value; 1251 break; 1252 1253 case sSubsystem: 1254 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1255 fatal("%s line %d: too many subsystems defined.", 1256 filename, linenum); 1257 } 1258 arg = strdelim(&cp); 1259 if (!arg || *arg == '\0') 1260 fatal("%s line %d: Missing subsystem name.", 1261 filename, linenum); 1262 if (!*activep) { 1263 arg = strdelim(&cp); 1264 break; 1265 } 1266 for (i = 0; i < options->num_subsystems; i++) 1267 if (strcmp(arg, options->subsystem_name[i]) == 0) 1268 fatal("%s line %d: Subsystem '%s' already defined.", 1269 filename, linenum, arg); 1270 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1271 arg = strdelim(&cp); 1272 if (!arg || *arg == '\0') 1273 fatal("%s line %d: Missing subsystem command.", 1274 filename, linenum); 1275 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1276 1277 /* Collect arguments (separate to executable) */ 1278 p = xstrdup(arg); 1279 len = strlen(p) + 1; 1280 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1281 len += 1 + strlen(arg); 1282 p = xrealloc(p, 1, len); 1283 strlcat(p, " ", len); 1284 strlcat(p, arg, len); 1285 } 1286 options->subsystem_args[options->num_subsystems] = p; 1287 options->num_subsystems++; 1288 break; 1289 1290 case sMaxStartups: 1291 arg = strdelim(&cp); 1292 if (!arg || *arg == '\0') 1293 fatal("%s line %d: Missing MaxStartups spec.", 1294 filename, linenum); 1295 if ((n = sscanf(arg, "%d:%d:%d", 1296 &options->max_startups_begin, 1297 &options->max_startups_rate, 1298 &options->max_startups)) == 3) { 1299 if (options->max_startups_begin > 1300 options->max_startups || 1301 options->max_startups_rate > 100 || 1302 options->max_startups_rate < 1) 1303 fatal("%s line %d: Illegal MaxStartups spec.", 1304 filename, linenum); 1305 } else if (n != 1) 1306 fatal("%s line %d: Illegal MaxStartups spec.", 1307 filename, linenum); 1308 else 1309 options->max_startups = options->max_startups_begin; 1310 break; 1311 1312 case sMaxAuthTries: 1313 intptr = &options->max_authtries; 1314 goto parse_int; 1315 1316 case sMaxSessions: 1317 intptr = &options->max_sessions; 1318 goto parse_int; 1319 1320 case sBanner: 1321 charptr = &options->banner; 1322 goto parse_filename; 1323 1324 /* 1325 * These options can contain %X options expanded at 1326 * connect time, so that you can specify paths like: 1327 * 1328 * AuthorizedKeysFile /etc/ssh_keys/%u 1329 */ 1330 case sAuthorizedKeysFile: 1331 charptr = &options->authorized_keys_file; 1332 goto parse_tilde_filename; 1333 case sAuthorizedKeysFile2: 1334 charptr = &options->authorized_keys_file2; 1335 goto parse_tilde_filename; 1336 case sAuthorizedPrincipalsFile: 1337 charptr = &options->authorized_principals_file; 1338 parse_tilde_filename: 1339 arg = strdelim(&cp); 1340 if (!arg || *arg == '\0') 1341 fatal("%s line %d: missing file name.", 1342 filename, linenum); 1343 if (*activep && *charptr == NULL) { 1344 *charptr = tilde_expand_filename(arg, getuid()); 1345 /* increase optional counter */ 1346 if (intptr != NULL) 1347 *intptr = *intptr + 1; 1348 } 1349 break; 1350 1351 case sClientAliveInterval: 1352 intptr = &options->client_alive_interval; 1353 goto parse_time; 1354 1355 case sClientAliveCountMax: 1356 intptr = &options->client_alive_count_max; 1357 goto parse_int; 1358 1359 case sAcceptEnv: 1360 while ((arg = strdelim(&cp)) && *arg != '\0') { 1361 if (strchr(arg, '=') != NULL) 1362 fatal("%s line %d: Invalid environment name.", 1363 filename, linenum); 1364 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1365 fatal("%s line %d: too many allow env.", 1366 filename, linenum); 1367 if (!*activep) 1368 break; 1369 options->accept_env[options->num_accept_env++] = 1370 xstrdup(arg); 1371 } 1372 break; 1373 1374 case sPermitTunnel: 1375 intptr = &options->permit_tun; 1376 arg = strdelim(&cp); 1377 if (!arg || *arg == '\0') 1378 fatal("%s line %d: Missing yes/point-to-point/" 1379 "ethernet/no argument.", filename, linenum); 1380 value = -1; 1381 for (i = 0; tunmode_desc[i].val != -1; i++) 1382 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1383 value = tunmode_desc[i].val; 1384 break; 1385 } 1386 if (value == -1) 1387 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1388 "no argument: %s", filename, linenum, arg); 1389 if (*intptr == -1) 1390 *intptr = value; 1391 break; 1392 1393 case sMatch: 1394 if (cmdline) 1395 fatal("Match directive not supported as a command-line " 1396 "option"); 1397 value = match_cfg_line(&cp, linenum, user, host, address); 1398 if (value < 0) 1399 fatal("%s line %d: Bad Match condition", filename, 1400 linenum); 1401 *activep = value; 1402 break; 1403 1404 case sPermitOpen: 1405 arg = strdelim(&cp); 1406 if (!arg || *arg == '\0') 1407 fatal("%s line %d: missing PermitOpen specification", 1408 filename, linenum); 1409 n = options->num_permitted_opens; /* modified later */ 1410 if (strcmp(arg, "any") == 0) { 1411 if (*activep && n == -1) { 1412 channel_clear_adm_permitted_opens(); 1413 options->num_permitted_opens = 0; 1414 } 1415 break; 1416 } 1417 if (*activep && n == -1) 1418 channel_clear_adm_permitted_opens(); 1419 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1420 p = hpdelim(&arg); 1421 if (p == NULL) 1422 fatal("%s line %d: missing host in PermitOpen", 1423 filename, linenum); 1424 p = cleanhostname(p); 1425 if (arg == NULL || (port = a2port(arg)) <= 0) 1426 fatal("%s line %d: bad port number in " 1427 "PermitOpen", filename, linenum); 1428 if (*activep && n == -1) 1429 options->num_permitted_opens = 1430 channel_add_adm_permitted_opens(p, port); 1431 } 1432 break; 1433 1434 case sForceCommand: 1435 if (cp == NULL) 1436 fatal("%.200s line %d: Missing argument.", filename, 1437 linenum); 1438 len = strspn(cp, WHITESPACE); 1439 if (*activep && options->adm_forced_command == NULL) 1440 options->adm_forced_command = xstrdup(cp + len); 1441 return 0; 1442 1443 case sChrootDirectory: 1444 charptr = &options->chroot_directory; 1445 1446 arg = strdelim(&cp); 1447 if (!arg || *arg == '\0') 1448 fatal("%s line %d: missing file name.", 1449 filename, linenum); 1450 if (*activep && *charptr == NULL) 1451 *charptr = xstrdup(arg); 1452 break; 1453 1454 case sVersionAddendum: 1455 ssh_version_set_addendum(strtok(cp, "\n")); 1456 do { 1457 arg = strdelim(&cp); 1458 } while (arg != NULL && *arg != '\0'); 1459 break; 1460 case sTrustedUserCAKeys: 1461 charptr = &options->trusted_user_ca_keys; 1462 goto parse_filename; 1463 1464 case sRevokedKeys: 1465 charptr = &options->revoked_keys_file; 1466 goto parse_filename; 1467 1468 case sIPQoS: 1469 arg = strdelim(&cp); 1470 if ((value = parse_ipqos(arg)) == -1) 1471 fatal("%s line %d: Bad IPQoS value: %s", 1472 filename, linenum, arg); 1473 arg = strdelim(&cp); 1474 if (arg == NULL) 1475 value2 = value; 1476 else if ((value2 = parse_ipqos(arg)) == -1) 1477 fatal("%s line %d: Bad IPQoS value: %s", 1478 filename, linenum, arg); 1479 if (*activep) { 1480 options->ip_qos_interactive = value; 1481 options->ip_qos_bulk = value2; 1482 } 1483 break; 1484 1485 case sDeprecated: 1486 logit("%s line %d: Deprecated option %s", 1487 filename, linenum, arg); 1488 while (arg) 1489 arg = strdelim(&cp); 1490 break; 1491 1492 case sUnsupported: 1493 logit("%s line %d: Unsupported option %s", 1494 filename, linenum, arg); 1495 while (arg) 1496 arg = strdelim(&cp); 1497 break; 1498 1499 default: 1500 fatal("%s line %d: Missing handler for opcode %s (%d)", 1501 filename, linenum, arg, opcode); 1502 } 1503 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1504 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1505 filename, linenum, arg); 1506 return 0; 1507 } 1508 1509 /* Reads the server configuration file. */ 1510 1511 void 1512 load_server_config(const char *filename, Buffer *conf) 1513 { 1514 char line[1024], *cp; 1515 FILE *f; 1516 1517 debug2("%s: filename %s", __func__, filename); 1518 if ((f = fopen(filename, "r")) == NULL) { 1519 perror(filename); 1520 exit(1); 1521 } 1522 buffer_clear(conf); 1523 while (fgets(line, sizeof(line), f)) { 1524 /* 1525 * Trim out comments and strip whitespace 1526 * NB - preserve newlines, they are needed to reproduce 1527 * line numbers later for error messages 1528 */ 1529 if ((cp = strchr(line, '#')) != NULL) 1530 memcpy(cp, "\n", 2); 1531 cp = line + strspn(line, " \t\r"); 1532 1533 buffer_append(conf, cp, strlen(cp)); 1534 } 1535 buffer_append(conf, "\0", 1); 1536 fclose(f); 1537 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1538 } 1539 1540 void 1541 parse_server_match_config(ServerOptions *options, const char *user, 1542 const char *host, const char *address) 1543 { 1544 ServerOptions mo; 1545 1546 initialize_server_options(&mo); 1547 parse_server_config(&mo, "reprocess config", &cfg, user, host, address); 1548 copy_set_server_options(options, &mo, 0); 1549 } 1550 1551 /* Helper macros */ 1552 #define M_CP_INTOPT(n) do {\ 1553 if (src->n != -1) \ 1554 dst->n = src->n; \ 1555 } while (0) 1556 #define M_CP_STROPT(n) do {\ 1557 if (src->n != NULL) { \ 1558 if (dst->n != NULL) \ 1559 xfree(dst->n); \ 1560 dst->n = src->n; \ 1561 } \ 1562 } while(0) 1563 1564 /* 1565 * Copy any supported values that are set. 1566 * 1567 * If the preauth flag is set, we do not bother copying the string or 1568 * array values that are not used pre-authentication, because any that we 1569 * do use must be explictly sent in mm_getpwnamallow(). 1570 */ 1571 void 1572 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1573 { 1574 M_CP_INTOPT(password_authentication); 1575 M_CP_INTOPT(gss_authentication); 1576 M_CP_INTOPT(rsa_authentication); 1577 M_CP_INTOPT(pubkey_authentication); 1578 M_CP_INTOPT(kerberos_authentication); 1579 M_CP_INTOPT(hostbased_authentication); 1580 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1581 M_CP_INTOPT(kbd_interactive_authentication); 1582 M_CP_INTOPT(zero_knowledge_password_authentication); 1583 M_CP_INTOPT(permit_root_login); 1584 M_CP_INTOPT(permit_empty_passwd); 1585 1586 M_CP_INTOPT(allow_tcp_forwarding); 1587 M_CP_INTOPT(allow_agent_forwarding); 1588 M_CP_INTOPT(permit_tun); 1589 M_CP_INTOPT(gateway_ports); 1590 M_CP_INTOPT(x11_display_offset); 1591 M_CP_INTOPT(x11_forwarding); 1592 M_CP_INTOPT(x11_use_localhost); 1593 M_CP_INTOPT(max_sessions); 1594 M_CP_INTOPT(max_authtries); 1595 M_CP_INTOPT(ip_qos_interactive); 1596 M_CP_INTOPT(ip_qos_bulk); 1597 1598 M_CP_STROPT(banner); 1599 if (preauth) 1600 return; 1601 M_CP_STROPT(adm_forced_command); 1602 M_CP_STROPT(chroot_directory); 1603 M_CP_STROPT(trusted_user_ca_keys); 1604 M_CP_STROPT(revoked_keys_file); 1605 M_CP_STROPT(authorized_keys_file); 1606 M_CP_STROPT(authorized_keys_file2); 1607 M_CP_STROPT(authorized_principals_file); 1608 } 1609 1610 #undef M_CP_INTOPT 1611 #undef M_CP_STROPT 1612 1613 void 1614 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1615 const char *user, const char *host, const char *address) 1616 { 1617 int active, linenum, bad_options = 0; 1618 char *cp, *obuf, *cbuf; 1619 1620 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1621 1622 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1623 active = user ? 0 : 1; 1624 linenum = 1; 1625 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1626 if (process_server_config_line(options, cp, filename, 1627 linenum++, &active, user, host, address) != 0) 1628 bad_options++; 1629 } 1630 xfree(obuf); 1631 if (bad_options > 0) 1632 fatal("%s: terminating, %d bad configuration options", 1633 filename, bad_options); 1634 } 1635 1636 static const char * 1637 fmt_intarg(ServerOpCodes code, int val) 1638 { 1639 if (code == sAddressFamily) { 1640 switch (val) { 1641 case AF_INET: 1642 return "inet"; 1643 case AF_INET6: 1644 return "inet6"; 1645 case AF_UNSPEC: 1646 return "any"; 1647 default: 1648 return "UNKNOWN"; 1649 } 1650 } 1651 if (code == sPermitRootLogin) { 1652 switch (val) { 1653 case PERMIT_NO_PASSWD: 1654 return "without-password"; 1655 case PERMIT_FORCED_ONLY: 1656 return "forced-commands-only"; 1657 case PERMIT_YES: 1658 return "yes"; 1659 } 1660 } 1661 if (code == sProtocol) { 1662 switch (val) { 1663 case SSH_PROTO_1: 1664 return "1"; 1665 case SSH_PROTO_2: 1666 return "2"; 1667 case (SSH_PROTO_1|SSH_PROTO_2): 1668 return "2,1"; 1669 default: 1670 return "UNKNOWN"; 1671 } 1672 } 1673 if (code == sGatewayPorts && val == 2) 1674 return "clientspecified"; 1675 if (code == sCompression && val == COMP_DELAYED) 1676 return "delayed"; 1677 switch (val) { 1678 case -1: 1679 return "unset"; 1680 case 0: 1681 return "no"; 1682 case 1: 1683 return "yes"; 1684 } 1685 return "UNKNOWN"; 1686 } 1687 1688 static const char * 1689 lookup_opcode_name(ServerOpCodes code) 1690 { 1691 u_int i; 1692 1693 for (i = 0; keywords[i].name != NULL; i++) 1694 if (keywords[i].opcode == code) 1695 return(keywords[i].name); 1696 return "UNKNOWN"; 1697 } 1698 1699 static void 1700 dump_cfg_int(ServerOpCodes code, int val) 1701 { 1702 printf("%s %d\n", lookup_opcode_name(code), val); 1703 } 1704 1705 static void 1706 dump_cfg_fmtint(ServerOpCodes code, int val) 1707 { 1708 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 1709 } 1710 1711 static void 1712 dump_cfg_string(ServerOpCodes code, const char *val) 1713 { 1714 if (val == NULL) 1715 return; 1716 printf("%s %s\n", lookup_opcode_name(code), val); 1717 } 1718 1719 static void 1720 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 1721 { 1722 u_int i; 1723 1724 for (i = 0; i < count; i++) 1725 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 1726 } 1727 1728 void 1729 dump_config(ServerOptions *o) 1730 { 1731 u_int i; 1732 int ret; 1733 struct addrinfo *ai; 1734 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 1735 1736 /* these are usually at the top of the config */ 1737 for (i = 0; i < o->num_ports; i++) 1738 printf("port %d\n", o->ports[i]); 1739 dump_cfg_fmtint(sProtocol, o->protocol); 1740 dump_cfg_fmtint(sAddressFamily, o->address_family); 1741 1742 /* ListenAddress must be after Port */ 1743 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 1744 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 1745 sizeof(addr), port, sizeof(port), 1746 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 1747 error("getnameinfo failed: %.100s", 1748 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 1749 strerror(errno)); 1750 } else { 1751 if (ai->ai_family == AF_INET6) 1752 printf("listenaddress [%s]:%s\n", addr, port); 1753 else 1754 printf("listenaddress %s:%s\n", addr, port); 1755 } 1756 } 1757 1758 /* integer arguments */ 1759 #ifdef USE_PAM 1760 dump_cfg_int(sUsePAM, o->use_pam); 1761 #endif 1762 dump_cfg_int(sServerKeyBits, o->server_key_bits); 1763 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 1764 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 1765 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 1766 dump_cfg_int(sMaxAuthTries, o->max_authtries); 1767 dump_cfg_int(sMaxSessions, o->max_sessions); 1768 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 1769 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 1770 1771 /* formatted integer arguments */ 1772 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 1773 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 1774 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 1775 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); 1776 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 1777 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 1778 o->hostbased_uses_name_from_packet_only); 1779 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 1780 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 1781 #ifdef KRB5 1782 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 1783 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 1784 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 1785 # ifdef USE_AFS 1786 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 1787 # endif 1788 #endif 1789 #ifdef GSSAPI 1790 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 1791 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 1792 #endif 1793 #ifdef JPAKE 1794 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 1795 o->zero_knowledge_password_authentication); 1796 #endif 1797 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 1798 dump_cfg_fmtint(sKbdInteractiveAuthentication, 1799 o->kbd_interactive_authentication); 1800 dump_cfg_fmtint(sChallengeResponseAuthentication, 1801 o->challenge_response_authentication); 1802 dump_cfg_fmtint(sPrintMotd, o->print_motd); 1803 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 1804 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 1805 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 1806 dump_cfg_fmtint(sStrictModes, o->strict_modes); 1807 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 1808 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 1809 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 1810 dump_cfg_fmtint(sUseLogin, o->use_login); 1811 dump_cfg_fmtint(sCompression, o->compression); 1812 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); 1813 dump_cfg_fmtint(sUseDNS, o->use_dns); 1814 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 1815 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 1816 1817 /* string arguments */ 1818 dump_cfg_string(sPidFile, o->pid_file); 1819 dump_cfg_string(sXAuthLocation, o->xauth_location); 1820 dump_cfg_string(sCiphers, o->ciphers); 1821 dump_cfg_string(sMacs, o->macs); 1822 dump_cfg_string(sBanner, o->banner); 1823 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); 1824 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); 1825 dump_cfg_string(sForceCommand, o->adm_forced_command); 1826 dump_cfg_string(sChrootDirectory, o->chroot_directory); 1827 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 1828 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 1829 dump_cfg_string(sAuthorizedPrincipalsFile, 1830 o->authorized_principals_file); 1831 1832 /* string arguments requiring a lookup */ 1833 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 1834 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 1835 1836 /* string array arguments */ 1837 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 1838 o->host_key_files); 1839 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files, 1840 o->host_cert_files); 1841 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 1842 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 1843 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 1844 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 1845 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 1846 1847 /* other arguments */ 1848 for (i = 0; i < o->num_subsystems; i++) 1849 printf("subsystem %s %s\n", o->subsystem_name[i], 1850 o->subsystem_args[i]); 1851 1852 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 1853 o->max_startups_rate, o->max_startups); 1854 1855 for (i = 0; tunmode_desc[i].val != -1; i++) 1856 if (tunmode_desc[i].val == o->permit_tun) { 1857 s = tunmode_desc[i].text; 1858 break; 1859 } 1860 dump_cfg_string(sPermitTunnel, s); 1861 1862 printf("ipqos 0x%02x 0x%02x\n", o->ip_qos_interactive, o->ip_qos_bulk); 1863 1864 channel_print_adm_permitted_opens(); 1865 } 1866