1 /* $NetBSD: readconf.c,v 1.11 2013/11/08 19:18:25 christos Exp $ */ 2 /* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */ 3 /* 4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6 * All rights reserved 7 * Functions for reading the configuration files. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 */ 15 16 #include "includes.h" 17 __RCSID("$NetBSD: readconf.c,v 1.11 2013/11/08 19:18:25 christos Exp $"); 18 #include <sys/types.h> 19 #include <sys/stat.h> 20 #include <sys/socket.h> 21 22 #include <netinet/in.h> 23 #include <netinet/in_systm.h> 24 #include <netinet/ip.h> 25 26 #include <ctype.h> 27 #include <errno.h> 28 #include <netdb.h> 29 #include <signal.h> 30 #include <stdio.h> 31 #include <string.h> 32 #include <unistd.h> 33 #include <limits.h> 34 #include <util.h> 35 36 #include "xmalloc.h" 37 #include "ssh.h" 38 #include "compat.h" 39 #include "cipher.h" 40 #include "pathnames.h" 41 #include "log.h" 42 #include "key.h" 43 #include "readconf.h" 44 #include "match.h" 45 #include "misc.h" 46 #include "buffer.h" 47 #include "kex.h" 48 #include "mac.h" 49 #include "fmt_scaled.h" 50 51 /* Format of the configuration file: 52 53 # Configuration data is parsed as follows: 54 # 1. command line options 55 # 2. user-specific file 56 # 3. system-wide file 57 # Any configuration value is only changed the first time it is set. 58 # Thus, host-specific definitions should be at the beginning of the 59 # configuration file, and defaults at the end. 60 61 # Host-specific declarations. These may override anything above. A single 62 # host may match multiple declarations; these are processed in the order 63 # that they are given in. 64 65 Host *.ngs.fi ngs.fi 66 User foo 67 68 Host fake.com 69 HostName another.host.name.real.org 70 User blaah 71 Port 34289 72 ForwardX11 no 73 ForwardAgent no 74 75 Host books.com 76 RemoteForward 9999 shadows.cs.hut.fi:9999 77 Cipher 3des 78 79 Host fascist.blob.com 80 Port 23123 81 User tylonen 82 PasswordAuthentication no 83 84 Host puukko.hut.fi 85 User t35124p 86 ProxyCommand ssh-proxy %h %p 87 88 Host *.fr 89 PublicKeyAuthentication no 90 91 Host *.su 92 Cipher none 93 PasswordAuthentication no 94 95 Host vpn.fake.com 96 Tunnel yes 97 TunnelDevice 3 98 99 # Defaults for various options 100 Host * 101 ForwardAgent no 102 ForwardX11 no 103 PasswordAuthentication yes 104 RSAAuthentication yes 105 RhostsRSAAuthentication yes 106 StrictHostKeyChecking yes 107 TcpKeepAlive no 108 IdentityFile ~/.ssh/identity 109 Port 22 110 EscapeChar ~ 111 112 */ 113 114 /* Keyword tokens. */ 115 116 typedef enum { 117 oBadOption, 118 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, 119 oGatewayPorts, oExitOnForwardFailure, 120 oPasswordAuthentication, oRSAAuthentication, 121 oChallengeResponseAuthentication, oXAuthLocation, 122 #if defined(KRB4) || defined(KRB5) 123 oKerberosAuthentication, 124 #endif 125 #if defined(AFS) || defined(KRB5) 126 oKerberosTgtPassing, 127 #endif 128 #ifdef AFS 129 oAFSTokenPassing, 130 #endif 131 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, 132 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, 133 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, 134 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, 135 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, 136 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, 137 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 138 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 139 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 140 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 141 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 142 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 143 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 144 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 145 oSendEnv, oControlPath, oControlMaster, oControlPersist, 146 oHashKnownHosts, 147 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 148 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 149 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, 150 oIgnoredUnknownOption, 151 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled, 152 oHPNBufferSize, 153 oSendVersionFirst, 154 oDeprecated, oUnsupported 155 } OpCodes; 156 157 /* Textual representations of the tokens. */ 158 159 static struct { 160 const char *name; 161 OpCodes opcode; 162 } keywords[] = { 163 { "forwardagent", oForwardAgent }, 164 { "forwardx11", oForwardX11 }, 165 { "forwardx11trusted", oForwardX11Trusted }, 166 { "forwardx11timeout", oForwardX11Timeout }, 167 { "exitonforwardfailure", oExitOnForwardFailure }, 168 { "xauthlocation", oXAuthLocation }, 169 { "gatewayports", oGatewayPorts }, 170 { "useprivilegedport", oUsePrivilegedPort }, 171 { "rhostsauthentication", oDeprecated }, 172 { "passwordauthentication", oPasswordAuthentication }, 173 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 174 { "kbdinteractivedevices", oKbdInteractiveDevices }, 175 { "rsaauthentication", oRSAAuthentication }, 176 { "pubkeyauthentication", oPubkeyAuthentication }, 177 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 178 { "rhostsrsaauthentication", oRhostsRSAAuthentication }, 179 { "hostbasedauthentication", oHostbasedAuthentication }, 180 { "challengeresponseauthentication", oChallengeResponseAuthentication }, 181 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ 182 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ 183 #if defined(KRB4) || defined(KRB5) 184 { "kerberosauthentication", oKerberosAuthentication }, 185 #endif 186 #if defined(AFS) || defined(KRB5) 187 { "kerberostgtpassing", oKerberosTgtPassing }, 188 { "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */ 189 { "kerberos4tgtpassing", oKerberosTgtPassing }, /* alias */ 190 #endif 191 #ifdef AFS 192 { "afstokenpassing", oAFSTokenPassing }, 193 #endif 194 #if defined(GSSAPI) 195 { "gssapiauthentication", oGssAuthentication }, 196 { "gssapidelegatecredentials", oGssDelegateCreds }, 197 #else 198 { "gssapiauthentication", oUnsupported }, 199 { "gssapidelegatecredentials", oUnsupported }, 200 #endif 201 { "fallbacktorsh", oDeprecated }, 202 { "usersh", oDeprecated }, 203 { "identityfile", oIdentityFile }, 204 { "identityfile2", oIdentityFile }, /* obsolete */ 205 { "identitiesonly", oIdentitiesOnly }, 206 { "hostname", oHostName }, 207 { "hostkeyalias", oHostKeyAlias }, 208 { "proxycommand", oProxyCommand }, 209 { "port", oPort }, 210 { "cipher", oCipher }, 211 { "ciphers", oCiphers }, 212 { "macs", oMacs }, 213 { "protocol", oProtocol }, 214 { "remoteforward", oRemoteForward }, 215 { "localforward", oLocalForward }, 216 { "user", oUser }, 217 { "host", oHost }, 218 { "escapechar", oEscapeChar }, 219 { "globalknownhostsfile", oGlobalKnownHostsFile }, 220 { "globalknownhostsfile2", oDeprecated }, 221 { "userknownhostsfile", oUserKnownHostsFile }, 222 { "userknownhostsfile2", oDeprecated }, 223 { "connectionattempts", oConnectionAttempts }, 224 { "batchmode", oBatchMode }, 225 { "checkhostip", oCheckHostIP }, 226 { "stricthostkeychecking", oStrictHostKeyChecking }, 227 { "compression", oCompression }, 228 { "compressionlevel", oCompressionLevel }, 229 { "tcpkeepalive", oTCPKeepAlive }, 230 { "keepalive", oTCPKeepAlive }, /* obsolete */ 231 { "numberofpasswordprompts", oNumberOfPasswordPrompts }, 232 { "loglevel", oLogLevel }, 233 { "dynamicforward", oDynamicForward }, 234 { "preferredauthentications", oPreferredAuthentications }, 235 { "hostkeyalgorithms", oHostKeyAlgorithms }, 236 { "bindaddress", oBindAddress }, 237 #ifdef ENABLE_PKCS11 238 { "smartcarddevice", oPKCS11Provider }, 239 { "pkcs11provider", oPKCS11Provider }, 240 #else 241 { "smartcarddevice", oUnsupported }, 242 { "pkcs11provider", oUnsupported }, 243 #endif 244 { "clearallforwardings", oClearAllForwardings }, 245 { "enablesshkeysign", oEnableSSHKeysign }, 246 { "verifyhostkeydns", oVerifyHostKeyDNS }, 247 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, 248 { "rekeylimit", oRekeyLimit }, 249 { "connecttimeout", oConnectTimeout }, 250 { "addressfamily", oAddressFamily }, 251 { "serveraliveinterval", oServerAliveInterval }, 252 { "serveralivecountmax", oServerAliveCountMax }, 253 { "sendenv", oSendEnv }, 254 { "controlpath", oControlPath }, 255 { "controlmaster", oControlMaster }, 256 { "controlpersist", oControlPersist }, 257 { "hashknownhosts", oHashKnownHosts }, 258 { "tunnel", oTunnel }, 259 { "tunneldevice", oTunnelDevice }, 260 { "localcommand", oLocalCommand }, 261 { "permitlocalcommand", oPermitLocalCommand }, 262 { "visualhostkey", oVisualHostKey }, 263 { "useroaming", oUseRoaming }, 264 #ifdef JPAKE 265 { "zeroknowledgepasswordauthentication", 266 oZeroKnowledgePasswordAuthentication }, 267 #else 268 { "zeroknowledgepasswordauthentication", oUnsupported }, 269 #endif 270 { "kexalgorithms", oKexAlgorithms }, 271 { "ipqos", oIPQoS }, 272 { "requesttty", oRequestTTY }, 273 { "ignoreunknown", oIgnoreUnknown }, 274 { "noneenabled", oNoneEnabled }, 275 { "tcprcvbufpoll", oTcpRcvBufPoll }, 276 { "tcprcvbuf", oTcpRcvBuf }, 277 { "noneswitch", oNoneSwitch }, 278 { "hpndisabled", oHPNDisabled }, 279 { "hpnbuffersize", oHPNBufferSize }, 280 { "sendversionfirst", oSendVersionFirst }, 281 { NULL, oBadOption } 282 }; 283 284 /* 285 * Adds a local TCP/IP port forward to options. Never returns if there is an 286 * error. 287 */ 288 289 void 290 add_local_forward(Options *options, const Forward *newfwd) 291 { 292 Forward *fwd; 293 extern uid_t original_real_uid; 294 295 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) 296 fatal("Privileged ports can only be forwarded by root."); 297 options->local_forwards = xrealloc(options->local_forwards, 298 options->num_local_forwards + 1, 299 sizeof(*options->local_forwards)); 300 fwd = &options->local_forwards[options->num_local_forwards++]; 301 302 fwd->listen_host = newfwd->listen_host; 303 fwd->listen_port = newfwd->listen_port; 304 fwd->connect_host = newfwd->connect_host; 305 fwd->connect_port = newfwd->connect_port; 306 } 307 308 /* 309 * Adds a remote TCP/IP port forward to options. Never returns if there is 310 * an error. 311 */ 312 313 void 314 add_remote_forward(Options *options, const Forward *newfwd) 315 { 316 Forward *fwd; 317 318 options->remote_forwards = xrealloc(options->remote_forwards, 319 options->num_remote_forwards + 1, 320 sizeof(*options->remote_forwards)); 321 fwd = &options->remote_forwards[options->num_remote_forwards++]; 322 323 fwd->listen_host = newfwd->listen_host; 324 fwd->listen_port = newfwd->listen_port; 325 fwd->connect_host = newfwd->connect_host; 326 fwd->connect_port = newfwd->connect_port; 327 fwd->handle = newfwd->handle; 328 fwd->allocated_port = 0; 329 } 330 331 static void 332 clear_forwardings(Options *options) 333 { 334 int i; 335 336 for (i = 0; i < options->num_local_forwards; i++) { 337 free(options->local_forwards[i].listen_host); 338 free(options->local_forwards[i].connect_host); 339 } 340 if (options->num_local_forwards > 0) { 341 free(options->local_forwards); 342 options->local_forwards = NULL; 343 } 344 options->num_local_forwards = 0; 345 for (i = 0; i < options->num_remote_forwards; i++) { 346 free(options->remote_forwards[i].listen_host); 347 free(options->remote_forwards[i].connect_host); 348 } 349 if (options->num_remote_forwards > 0) { 350 free(options->remote_forwards); 351 options->remote_forwards = NULL; 352 } 353 options->num_remote_forwards = 0; 354 options->tun_open = SSH_TUNMODE_NO; 355 } 356 357 void 358 add_identity_file(Options *options, const char *dir, const char *filename, 359 int userprovided) 360 { 361 char *path; 362 363 if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES) 364 fatal("Too many identity files specified (max %d)", 365 SSH_MAX_IDENTITY_FILES); 366 367 if (dir == NULL) /* no dir, filename is absolute */ 368 path = xstrdup(filename); 369 else 370 (void)xasprintf(&path, "%.100s%.100s", dir, filename); 371 372 options->identity_file_userprovided[options->num_identity_files] = 373 userprovided; 374 options->identity_files[options->num_identity_files++] = path; 375 } 376 377 /* 378 * Returns the number of the token pointed to by cp or oBadOption. 379 */ 380 381 static OpCodes 382 parse_token(const char *cp, const char *filename, int linenum, 383 const char *ignored_unknown) 384 { 385 int i; 386 387 for (i = 0; keywords[i].name; i++) 388 if (strcmp(cp, keywords[i].name) == 0) 389 return keywords[i].opcode; 390 if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown, 391 strlen(ignored_unknown), 1) == 1) 392 return oIgnoredUnknownOption; 393 error("%s: line %d: Bad configuration option: %s", 394 filename, linenum, cp); 395 return oBadOption; 396 } 397 398 /* 399 * Processes a single option line as used in the configuration files. This 400 * only sets those values that have not already been set. 401 */ 402 #define WHITESPACE " \t\r\n" 403 404 int 405 process_config_line(Options *options, const char *host, 406 char *line, const char *filename, int linenum, 407 int *activep, int userconfig) 408 { 409 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; 410 char **cpptr, fwdarg[256]; 411 u_int i, *uintptr, max_entries = 0; 412 int negated, opcode, *intptr, value, value2; 413 LogLevel *log_level_ptr; 414 long long val64; 415 size_t len; 416 Forward fwd; 417 418 /* Strip trailing whitespace */ 419 for (len = strlen(line) - 1; len > 0; len--) { 420 if (strchr(WHITESPACE, line[len]) == NULL) 421 break; 422 line[len] = '\0'; 423 } 424 425 s = line; 426 /* Get the keyword. (Each line is supposed to begin with a keyword). */ 427 if ((keyword = strdelim(&s)) == NULL) 428 return 0; 429 /* Ignore leading whitespace. */ 430 if (*keyword == '\0') 431 keyword = strdelim(&s); 432 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') 433 return 0; 434 /* Match lowercase keyword */ 435 for (i = 0; i < strlen(keyword); i++) 436 keyword[i] = tolower((unsigned char)keyword[i]); 437 438 opcode = parse_token(keyword, filename, linenum, 439 options->ignored_unknown); 440 441 switch (opcode) { 442 case oBadOption: 443 /* don't panic, but count bad options */ 444 return -1; 445 /* NOTREACHED */ 446 case oIgnoredUnknownOption: 447 debug("%s line %d: Ignored unknown option \"%s\"", 448 filename, linenum, keyword); 449 return 0; 450 case oConnectTimeout: 451 intptr = &options->connection_timeout; 452 parse_time: 453 arg = strdelim(&s); 454 if (!arg || *arg == '\0') 455 fatal("%s line %d: missing time value.", 456 filename, linenum); 457 if ((value = convtime(arg)) == -1) 458 fatal("%s line %d: invalid time value.", 459 filename, linenum); 460 if (*activep && *intptr == -1) 461 *intptr = value; 462 break; 463 464 case oForwardAgent: 465 intptr = &options->forward_agent; 466 parse_flag: 467 arg = strdelim(&s); 468 if (!arg || *arg == '\0') 469 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); 470 value = 0; /* To avoid compiler warning... */ 471 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 472 value = 1; 473 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 474 value = 0; 475 else 476 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum); 477 if (*activep && *intptr == -1) 478 *intptr = value; 479 break; 480 481 case oForwardX11: 482 intptr = &options->forward_x11; 483 goto parse_flag; 484 485 case oForwardX11Trusted: 486 intptr = &options->forward_x11_trusted; 487 goto parse_flag; 488 489 case oForwardX11Timeout: 490 intptr = &options->forward_x11_timeout; 491 goto parse_time; 492 493 case oGatewayPorts: 494 intptr = &options->gateway_ports; 495 goto parse_flag; 496 497 case oExitOnForwardFailure: 498 intptr = &options->exit_on_forward_failure; 499 goto parse_flag; 500 501 case oUsePrivilegedPort: 502 intptr = &options->use_privileged_port; 503 goto parse_flag; 504 505 case oPasswordAuthentication: 506 intptr = &options->password_authentication; 507 goto parse_flag; 508 509 case oZeroKnowledgePasswordAuthentication: 510 intptr = &options->zero_knowledge_password_authentication; 511 goto parse_flag; 512 513 case oKbdInteractiveAuthentication: 514 intptr = &options->kbd_interactive_authentication; 515 goto parse_flag; 516 517 case oKbdInteractiveDevices: 518 charptr = &options->kbd_interactive_devices; 519 goto parse_string; 520 521 case oPubkeyAuthentication: 522 intptr = &options->pubkey_authentication; 523 goto parse_flag; 524 525 case oRSAAuthentication: 526 intptr = &options->rsa_authentication; 527 goto parse_flag; 528 529 case oRhostsRSAAuthentication: 530 intptr = &options->rhosts_rsa_authentication; 531 goto parse_flag; 532 533 case oHostbasedAuthentication: 534 intptr = &options->hostbased_authentication; 535 goto parse_flag; 536 537 case oChallengeResponseAuthentication: 538 intptr = &options->challenge_response_authentication; 539 goto parse_flag; 540 541 #if defined(KRB4) || defined(KRB5) 542 case oKerberosAuthentication: 543 intptr = &options->kerberos_authentication; 544 goto parse_flag; 545 #endif 546 #if defined(AFS) || defined(KRB5) 547 case oKerberosTgtPassing: 548 intptr = &options->kerberos_tgt_passing; 549 goto parse_flag; 550 #endif 551 552 case oGssAuthentication: 553 intptr = &options->gss_authentication; 554 goto parse_flag; 555 556 #ifdef AFS 557 case oAFSTokenPassing: 558 intptr = &options->afs_token_passing; 559 goto parse_flag; 560 #endif 561 562 case oGssDelegateCreds: 563 intptr = &options->gss_deleg_creds; 564 goto parse_flag; 565 566 case oBatchMode: 567 intptr = &options->batch_mode; 568 goto parse_flag; 569 570 case oCheckHostIP: 571 intptr = &options->check_host_ip; 572 goto parse_flag; 573 574 case oNoneEnabled: 575 intptr = &options->none_enabled; 576 goto parse_flag; 577 578 /* we check to see if the command comes from the */ 579 /* command line or not. If it does then enable it */ 580 /* otherwise fail. NONE should never be a default configuration */ 581 case oNoneSwitch: 582 if(strcmp(filename,"command-line")==0) 583 { 584 intptr = &options->none_switch; 585 goto parse_flag; 586 } else { 587 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); 588 error("Continuing..."); 589 debug("NoneSwitch directive found in %.200s.", filename); 590 return 0; 591 } 592 593 case oHPNDisabled: 594 intptr = &options->hpn_disabled; 595 goto parse_flag; 596 597 case oHPNBufferSize: 598 intptr = &options->hpn_buffer_size; 599 goto parse_int; 600 601 case oTcpRcvBufPoll: 602 intptr = &options->tcp_rcv_buf_poll; 603 goto parse_flag; 604 605 case oVerifyHostKeyDNS: 606 intptr = &options->verify_host_key_dns; 607 goto parse_yesnoask; 608 609 case oStrictHostKeyChecking: 610 intptr = &options->strict_host_key_checking; 611 parse_yesnoask: 612 arg = strdelim(&s); 613 if (!arg || *arg == '\0') 614 fatal("%.200s line %d: Missing yes/no/ask argument.", 615 filename, linenum); 616 value = 0; /* To avoid compiler warning... */ 617 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 618 value = 1; 619 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 620 value = 0; 621 else if (strcmp(arg, "ask") == 0) 622 value = 2; 623 else 624 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum); 625 if (*activep && *intptr == -1) 626 *intptr = value; 627 break; 628 629 case oCompression: 630 intptr = &options->compression; 631 goto parse_flag; 632 633 case oTCPKeepAlive: 634 intptr = &options->tcp_keep_alive; 635 goto parse_flag; 636 637 case oNoHostAuthenticationForLocalhost: 638 intptr = &options->no_host_authentication_for_localhost; 639 goto parse_flag; 640 641 case oNumberOfPasswordPrompts: 642 intptr = &options->number_of_password_prompts; 643 goto parse_int; 644 645 case oCompressionLevel: 646 intptr = &options->compression_level; 647 goto parse_int; 648 649 case oRekeyLimit: 650 arg = strdelim(&s); 651 if (!arg || *arg == '\0') 652 fatal("%.200s line %d: Missing argument.", filename, 653 linenum); 654 if (strcmp(arg, "default") == 0) { 655 val64 = 0; 656 } else { 657 if (scan_scaled(arg, &val64) == -1) 658 fatal("%.200s line %d: Bad number '%s': %s", 659 filename, linenum, arg, strerror(errno)); 660 /* check for too-large or too-small limits */ 661 if (val64 > UINT_MAX) 662 fatal("%.200s line %d: RekeyLimit too large", 663 filename, linenum); 664 if (val64 != 0 && val64 < 16) 665 fatal("%.200s line %d: RekeyLimit too small", 666 filename, linenum); 667 } 668 if (*activep && options->rekey_limit == -1) 669 options->rekey_limit = (u_int32_t)val64; 670 if (s != NULL) { /* optional rekey interval present */ 671 if (strcmp(s, "none") == 0) { 672 (void)strdelim(&s); /* discard */ 673 break; 674 } 675 intptr = &options->rekey_interval; 676 goto parse_time; 677 } 678 break; 679 680 case oIdentityFile: 681 arg = strdelim(&s); 682 if (!arg || *arg == '\0') 683 fatal("%.200s line %d: Missing argument.", filename, linenum); 684 if (*activep) { 685 intptr = &options->num_identity_files; 686 if (*intptr >= SSH_MAX_IDENTITY_FILES) 687 fatal("%.200s line %d: Too many identity files specified (max %d).", 688 filename, linenum, SSH_MAX_IDENTITY_FILES); 689 add_identity_file(options, NULL, arg, userconfig); 690 } 691 break; 692 693 case oXAuthLocation: 694 charptr=&options->xauth_location; 695 goto parse_string; 696 697 case oUser: 698 charptr = &options->user; 699 parse_string: 700 arg = strdelim(&s); 701 if (!arg || *arg == '\0') 702 fatal("%.200s line %d: Missing argument.", 703 filename, linenum); 704 if (*activep && *charptr == NULL) 705 *charptr = xstrdup(arg); 706 break; 707 708 case oGlobalKnownHostsFile: 709 cpptr = (char **)&options->system_hostfiles; 710 uintptr = &options->num_system_hostfiles; 711 max_entries = SSH_MAX_HOSTS_FILES; 712 parse_char_array: 713 if (*activep && *uintptr == 0) { 714 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 715 if ((*uintptr) >= max_entries) 716 fatal("%s line %d: " 717 "too many authorized keys files.", 718 filename, linenum); 719 cpptr[(*uintptr)++] = xstrdup(arg); 720 } 721 } 722 return 0; 723 724 case oUserKnownHostsFile: 725 cpptr = (char **)&options->user_hostfiles; 726 uintptr = &options->num_user_hostfiles; 727 max_entries = SSH_MAX_HOSTS_FILES; 728 goto parse_char_array; 729 730 case oHostName: 731 charptr = &options->hostname; 732 goto parse_string; 733 734 case oHostKeyAlias: 735 charptr = &options->host_key_alias; 736 goto parse_string; 737 738 case oPreferredAuthentications: 739 charptr = &options->preferred_authentications; 740 goto parse_string; 741 742 case oBindAddress: 743 charptr = &options->bind_address; 744 goto parse_string; 745 746 case oPKCS11Provider: 747 charptr = &options->pkcs11_provider; 748 goto parse_string; 749 750 case oProxyCommand: 751 charptr = &options->proxy_command; 752 parse_command: 753 if (s == NULL) 754 fatal("%.200s line %d: Missing argument.", filename, linenum); 755 len = strspn(s, WHITESPACE "="); 756 if (*activep && *charptr == NULL) 757 *charptr = xstrdup(s + len); 758 return 0; 759 760 case oPort: 761 intptr = &options->port; 762 parse_int: 763 arg = strdelim(&s); 764 if (!arg || *arg == '\0') 765 fatal("%.200s line %d: Missing argument.", filename, linenum); 766 if (arg[0] < '0' || arg[0] > '9') 767 fatal("%.200s line %d: Bad number.", filename, linenum); 768 769 /* Octal, decimal, or hex format? */ 770 value = strtol(arg, &endofnumber, 0); 771 if (arg == endofnumber) 772 fatal("%.200s line %d: Bad number.", filename, linenum); 773 if (*activep && *intptr == -1) 774 *intptr = value; 775 break; 776 777 case oConnectionAttempts: 778 intptr = &options->connection_attempts; 779 goto parse_int; 780 781 case oTcpRcvBuf: 782 intptr = &options->tcp_rcv_buf; 783 goto parse_int; 784 785 case oCipher: 786 intptr = &options->cipher; 787 arg = strdelim(&s); 788 if (!arg || *arg == '\0') 789 fatal("%.200s line %d: Missing argument.", filename, linenum); 790 value = cipher_number(arg); 791 if (value == -1) 792 fatal("%.200s line %d: Bad cipher '%s'.", 793 filename, linenum, arg ? arg : "<NONE>"); 794 if (*activep && *intptr == -1) 795 *intptr = value; 796 break; 797 798 case oCiphers: 799 arg = strdelim(&s); 800 if (!arg || *arg == '\0') 801 fatal("%.200s line %d: Missing argument.", filename, linenum); 802 if (!ciphers_valid(arg)) 803 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", 804 filename, linenum, arg ? arg : "<NONE>"); 805 if (*activep && options->ciphers == NULL) 806 options->ciphers = xstrdup(arg); 807 break; 808 809 case oMacs: 810 arg = strdelim(&s); 811 if (!arg || *arg == '\0') 812 fatal("%.200s line %d: Missing argument.", filename, linenum); 813 if (!mac_valid(arg)) 814 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", 815 filename, linenum, arg ? arg : "<NONE>"); 816 if (*activep && options->macs == NULL) 817 options->macs = xstrdup(arg); 818 break; 819 820 case oKexAlgorithms: 821 arg = strdelim(&s); 822 if (!arg || *arg == '\0') 823 fatal("%.200s line %d: Missing argument.", 824 filename, linenum); 825 if (!kex_names_valid(arg)) 826 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", 827 filename, linenum, arg ? arg : "<NONE>"); 828 if (*activep && options->kex_algorithms == NULL) 829 options->kex_algorithms = xstrdup(arg); 830 break; 831 832 case oHostKeyAlgorithms: 833 arg = strdelim(&s); 834 if (!arg || *arg == '\0') 835 fatal("%.200s line %d: Missing argument.", filename, linenum); 836 if (!key_names_valid2(arg)) 837 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", 838 filename, linenum, arg ? arg : "<NONE>"); 839 if (*activep && options->hostkeyalgorithms == NULL) 840 options->hostkeyalgorithms = xstrdup(arg); 841 break; 842 843 case oProtocol: 844 intptr = &options->protocol; 845 arg = strdelim(&s); 846 if (!arg || *arg == '\0') 847 fatal("%.200s line %d: Missing argument.", filename, linenum); 848 value = proto_spec(arg); 849 if (value == SSH_PROTO_UNKNOWN) 850 fatal("%.200s line %d: Bad protocol spec '%s'.", 851 filename, linenum, arg ? arg : "<NONE>"); 852 if (*activep && *intptr == SSH_PROTO_UNKNOWN) 853 *intptr = value; 854 break; 855 856 case oLogLevel: 857 log_level_ptr = &options->log_level; 858 arg = strdelim(&s); 859 value = log_level_number(arg); 860 if (value == SYSLOG_LEVEL_NOT_SET) 861 fatal("%.200s line %d: unsupported log level '%s'", 862 filename, linenum, arg ? arg : "<NONE>"); 863 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET) 864 *log_level_ptr = (LogLevel) value; 865 break; 866 867 case oLocalForward: 868 case oRemoteForward: 869 case oDynamicForward: 870 arg = strdelim(&s); 871 if (arg == NULL || *arg == '\0') 872 fatal("%.200s line %d: Missing port argument.", 873 filename, linenum); 874 875 if (opcode == oLocalForward || 876 opcode == oRemoteForward) { 877 arg2 = strdelim(&s); 878 if (arg2 == NULL || *arg2 == '\0') 879 fatal("%.200s line %d: Missing target argument.", 880 filename, linenum); 881 882 /* construct a string for parse_forward */ 883 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2); 884 } else if (opcode == oDynamicForward) { 885 strlcpy(fwdarg, arg, sizeof(fwdarg)); 886 } 887 888 if (parse_forward(&fwd, fwdarg, 889 opcode == oDynamicForward ? 1 : 0, 890 opcode == oRemoteForward ? 1 : 0) == 0) 891 fatal("%.200s line %d: Bad forwarding specification.", 892 filename, linenum); 893 894 if (*activep) { 895 if (opcode == oLocalForward || 896 opcode == oDynamicForward) 897 add_local_forward(options, &fwd); 898 else if (opcode == oRemoteForward) 899 add_remote_forward(options, &fwd); 900 } 901 break; 902 903 case oClearAllForwardings: 904 intptr = &options->clear_forwardings; 905 goto parse_flag; 906 907 case oHost: 908 *activep = 0; 909 arg2 = NULL; 910 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 911 negated = *arg == '!'; 912 if (negated) 913 arg++; 914 if (match_pattern(host, arg)) { 915 if (negated) { 916 debug("%.200s line %d: Skipping Host " 917 "block because of negated match " 918 "for %.100s", filename, linenum, 919 arg); 920 *activep = 0; 921 break; 922 } 923 if (!*activep) 924 arg2 = arg; /* logged below */ 925 *activep = 1; 926 } 927 } 928 if (*activep) 929 debug("%.200s line %d: Applying options for %.100s", 930 filename, linenum, arg2); 931 /* Avoid garbage check below, as strdelim is done. */ 932 return 0; 933 934 case oEscapeChar: 935 intptr = &options->escape_char; 936 arg = strdelim(&s); 937 if (!arg || *arg == '\0') 938 fatal("%.200s line %d: Missing argument.", filename, linenum); 939 value = 0; /* To avoid compiler warning... */ 940 if (arg[0] == '^' && arg[2] == 0 && 941 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) 942 value = (u_char) arg[1] & 31; 943 else if (strlen(arg) == 1) 944 value = (u_char) arg[0]; 945 else if (strcmp(arg, "none") == 0) 946 value = SSH_ESCAPECHAR_NONE; 947 else { 948 fatal("%.200s line %d: Bad escape character.", 949 filename, linenum); 950 /* NOTREACHED */ 951 value = 0; /* Avoid compiler warning. */ 952 } 953 if (*activep && *intptr == -1) 954 *intptr = value; 955 break; 956 957 case oAddressFamily: 958 arg = strdelim(&s); 959 if (!arg || *arg == '\0') 960 fatal("%s line %d: missing address family.", 961 filename, linenum); 962 intptr = &options->address_family; 963 value = 0; /* To avoid compiler warning... */ 964 if (strcasecmp(arg, "inet") == 0) 965 value = AF_INET; 966 else if (strcasecmp(arg, "inet6") == 0) 967 value = AF_INET6; 968 else if (strcasecmp(arg, "any") == 0) 969 value = AF_UNSPEC; 970 else 971 fatal("Unsupported AddressFamily \"%s\"", arg); 972 if (*activep && *intptr == -1) 973 *intptr = value; 974 break; 975 976 case oEnableSSHKeysign: 977 intptr = &options->enable_ssh_keysign; 978 goto parse_flag; 979 980 case oIdentitiesOnly: 981 intptr = &options->identities_only; 982 goto parse_flag; 983 984 case oServerAliveInterval: 985 intptr = &options->server_alive_interval; 986 goto parse_time; 987 988 case oServerAliveCountMax: 989 intptr = &options->server_alive_count_max; 990 goto parse_int; 991 992 case oSendEnv: 993 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 994 if (strchr(arg, '=') != NULL) 995 fatal("%s line %d: Invalid environment name.", 996 filename, linenum); 997 if (!*activep) 998 continue; 999 if (options->num_send_env >= MAX_SEND_ENV) 1000 fatal("%s line %d: too many send env.", 1001 filename, linenum); 1002 options->send_env[options->num_send_env++] = 1003 xstrdup(arg); 1004 } 1005 break; 1006 1007 case oControlPath: 1008 charptr = &options->control_path; 1009 goto parse_string; 1010 1011 case oControlMaster: 1012 intptr = &options->control_master; 1013 arg = strdelim(&s); 1014 if (!arg || *arg == '\0') 1015 fatal("%.200s line %d: Missing ControlMaster argument.", 1016 filename, linenum); 1017 value = 0; /* To avoid compiler warning... */ 1018 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 1019 value = SSHCTL_MASTER_YES; 1020 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 1021 value = SSHCTL_MASTER_NO; 1022 else if (strcmp(arg, "auto") == 0) 1023 value = SSHCTL_MASTER_AUTO; 1024 else if (strcmp(arg, "ask") == 0) 1025 value = SSHCTL_MASTER_ASK; 1026 else if (strcmp(arg, "autoask") == 0) 1027 value = SSHCTL_MASTER_AUTO_ASK; 1028 else 1029 fatal("%.200s line %d: Bad ControlMaster argument.", 1030 filename, linenum); 1031 if (*activep && *intptr == -1) 1032 *intptr = value; 1033 break; 1034 1035 case oControlPersist: 1036 /* no/false/yes/true, or a time spec */ 1037 intptr = &options->control_persist; 1038 arg = strdelim(&s); 1039 if (!arg || *arg == '\0') 1040 fatal("%.200s line %d: Missing ControlPersist" 1041 " argument.", filename, linenum); 1042 value = 0; 1043 value2 = 0; /* timeout */ 1044 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 1045 value = 0; 1046 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 1047 value = 1; 1048 else if ((value2 = convtime(arg)) >= 0) 1049 value = 1; 1050 else 1051 fatal("%.200s line %d: Bad ControlPersist argument.", 1052 filename, linenum); 1053 if (*activep && *intptr == -1) { 1054 *intptr = value; 1055 options->control_persist_timeout = value2; 1056 } 1057 break; 1058 1059 case oHashKnownHosts: 1060 intptr = &options->hash_known_hosts; 1061 goto parse_flag; 1062 1063 case oTunnel: 1064 intptr = &options->tun_open; 1065 arg = strdelim(&s); 1066 if (!arg || *arg == '\0') 1067 fatal("%s line %d: Missing yes/point-to-point/" 1068 "ethernet/no argument.", filename, linenum); 1069 value = 0; /* silence compiler */ 1070 if (strcasecmp(arg, "ethernet") == 0) 1071 value = SSH_TUNMODE_ETHERNET; 1072 else if (strcasecmp(arg, "point-to-point") == 0) 1073 value = SSH_TUNMODE_POINTOPOINT; 1074 else if (strcasecmp(arg, "yes") == 0) 1075 value = SSH_TUNMODE_DEFAULT; 1076 else if (strcasecmp(arg, "no") == 0) 1077 value = SSH_TUNMODE_NO; 1078 else 1079 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1080 "no argument: %s", filename, linenum, arg); 1081 if (*activep) 1082 *intptr = value; 1083 break; 1084 1085 case oTunnelDevice: 1086 arg = strdelim(&s); 1087 if (!arg || *arg == '\0') 1088 fatal("%.200s line %d: Missing argument.", filename, linenum); 1089 value = a2tun(arg, &value2); 1090 if (value == SSH_TUNID_ERR) 1091 fatal("%.200s line %d: Bad tun device.", filename, linenum); 1092 if (*activep) { 1093 options->tun_local = value; 1094 options->tun_remote = value2; 1095 } 1096 break; 1097 1098 case oLocalCommand: 1099 charptr = &options->local_command; 1100 goto parse_command; 1101 1102 case oPermitLocalCommand: 1103 intptr = &options->permit_local_command; 1104 goto parse_flag; 1105 1106 case oVisualHostKey: 1107 intptr = &options->visual_host_key; 1108 goto parse_flag; 1109 1110 case oIPQoS: 1111 arg = strdelim(&s); 1112 if ((value = parse_ipqos(arg)) == -1) 1113 fatal("%s line %d: Bad IPQoS value: %s", 1114 filename, linenum, arg); 1115 arg = strdelim(&s); 1116 if (arg == NULL) 1117 value2 = value; 1118 else if ((value2 = parse_ipqos(arg)) == -1) 1119 fatal("%s line %d: Bad IPQoS value: %s", 1120 filename, linenum, arg); 1121 if (*activep) { 1122 options->ip_qos_interactive = value; 1123 options->ip_qos_bulk = value2; 1124 } 1125 break; 1126 1127 case oUseRoaming: 1128 intptr = &options->use_roaming; 1129 goto parse_flag; 1130 1131 case oRequestTTY: 1132 arg = strdelim(&s); 1133 if (!arg || *arg == '\0') 1134 fatal("%s line %d: missing argument.", 1135 filename, linenum); 1136 intptr = &options->request_tty; 1137 if (strcasecmp(arg, "yes") == 0) 1138 value = REQUEST_TTY_YES; 1139 else if (strcasecmp(arg, "no") == 0) 1140 value = REQUEST_TTY_NO; 1141 else if (strcasecmp(arg, "force") == 0) 1142 value = REQUEST_TTY_FORCE; 1143 else if (strcasecmp(arg, "auto") == 0) 1144 value = REQUEST_TTY_AUTO; 1145 else 1146 fatal("Unsupported RequestTTY \"%s\"", arg); 1147 if (*activep && *intptr == -1) 1148 *intptr = value; 1149 break; 1150 1151 case oSendVersionFirst: 1152 intptr = &options->send_version_first; 1153 goto parse_flag; 1154 1155 case oIgnoreUnknown: 1156 charptr = &options->ignored_unknown; 1157 goto parse_string; 1158 1159 case oDeprecated: 1160 debug("%s line %d: Deprecated option \"%s\"", 1161 filename, linenum, keyword); 1162 return 0; 1163 1164 case oUnsupported: 1165 error("%s line %d: Unsupported option \"%s\"", 1166 filename, linenum, keyword); 1167 return 0; 1168 1169 default: 1170 fatal("process_config_line: Unimplemented opcode %d", opcode); 1171 } 1172 1173 /* Check that there is no garbage at end of line. */ 1174 if ((arg = strdelim(&s)) != NULL && *arg != '\0') { 1175 fatal("%.200s line %d: garbage at end of line; \"%.200s\".", 1176 filename, linenum, arg); 1177 } 1178 return 0; 1179 } 1180 1181 1182 /* 1183 * Reads the config file and modifies the options accordingly. Options 1184 * should already be initialized before this call. This never returns if 1185 * there is an error. If the file does not exist, this returns 0. 1186 */ 1187 1188 int 1189 read_config_file(const char *filename, const char *host, Options *options, 1190 int flags) 1191 { 1192 FILE *f; 1193 char line[1024]; 1194 int active, linenum; 1195 int bad_options = 0; 1196 1197 if ((f = fopen(filename, "r")) == NULL) 1198 return 0; 1199 1200 if (flags & SSHCONF_CHECKPERM) { 1201 struct stat sb; 1202 1203 if (fstat(fileno(f), &sb) == -1) 1204 fatal("fstat %s: %s", filename, strerror(errno)); 1205 if (((sb.st_uid != 0 && sb.st_uid != getuid()) || 1206 (sb.st_mode & 022) != 0)) 1207 fatal("Bad owner or permissions on %s", filename); 1208 } 1209 1210 debug("Reading configuration data %.200s", filename); 1211 1212 /* 1213 * Mark that we are now processing the options. This flag is turned 1214 * on/off by Host specifications. 1215 */ 1216 active = 1; 1217 linenum = 0; 1218 while (fgets(line, sizeof(line), f)) { 1219 /* Update line number counter. */ 1220 linenum++; 1221 if (process_config_line(options, host, line, filename, linenum, 1222 &active, flags & SSHCONF_USERCONF) != 0) 1223 bad_options++; 1224 } 1225 fclose(f); 1226 if (bad_options > 0) 1227 fatal("%s: terminating, %d bad configuration options", 1228 filename, bad_options); 1229 return 1; 1230 } 1231 1232 /* 1233 * Initializes options to special values that indicate that they have not yet 1234 * been set. Read_config_file will only set options with this value. Options 1235 * are processed in the following order: command line, user config file, 1236 * system config file. Last, fill_default_options is called. 1237 */ 1238 1239 void 1240 initialize_options(Options * options) 1241 { 1242 memset(options, 'X', sizeof(*options)); 1243 options->forward_agent = -1; 1244 options->forward_x11 = -1; 1245 options->forward_x11_trusted = -1; 1246 options->forward_x11_timeout = -1; 1247 options->exit_on_forward_failure = -1; 1248 options->xauth_location = NULL; 1249 options->gateway_ports = -1; 1250 options->use_privileged_port = -1; 1251 options->rsa_authentication = -1; 1252 options->pubkey_authentication = -1; 1253 options->challenge_response_authentication = -1; 1254 #if defined(KRB4) || defined(KRB5) 1255 options->kerberos_authentication = -1; 1256 #endif 1257 #if defined(AFS) || defined(KRB5) 1258 options->kerberos_tgt_passing = -1; 1259 #endif 1260 #ifdef AFS 1261 options->afs_token_passing = -1; 1262 #endif 1263 options->gss_authentication = -1; 1264 options->gss_deleg_creds = -1; 1265 options->password_authentication = -1; 1266 options->kbd_interactive_authentication = -1; 1267 options->kbd_interactive_devices = NULL; 1268 options->rhosts_rsa_authentication = -1; 1269 options->hostbased_authentication = -1; 1270 options->batch_mode = -1; 1271 options->check_host_ip = -1; 1272 options->strict_host_key_checking = -1; 1273 options->compression = -1; 1274 options->tcp_keep_alive = -1; 1275 options->compression_level = -1; 1276 options->port = -1; 1277 options->address_family = -1; 1278 options->connection_attempts = -1; 1279 options->connection_timeout = -1; 1280 options->number_of_password_prompts = -1; 1281 options->cipher = -1; 1282 options->ciphers = NULL; 1283 options->macs = NULL; 1284 options->kex_algorithms = NULL; 1285 options->hostkeyalgorithms = NULL; 1286 options->protocol = SSH_PROTO_UNKNOWN; 1287 options->num_identity_files = 0; 1288 options->hostname = NULL; 1289 options->host_key_alias = NULL; 1290 options->proxy_command = NULL; 1291 options->user = NULL; 1292 options->escape_char = -1; 1293 options->num_system_hostfiles = 0; 1294 options->num_user_hostfiles = 0; 1295 options->local_forwards = NULL; 1296 options->num_local_forwards = 0; 1297 options->remote_forwards = NULL; 1298 options->num_remote_forwards = 0; 1299 options->clear_forwardings = -1; 1300 options->log_level = SYSLOG_LEVEL_NOT_SET; 1301 options->preferred_authentications = NULL; 1302 options->bind_address = NULL; 1303 options->pkcs11_provider = NULL; 1304 options->enable_ssh_keysign = - 1; 1305 options->no_host_authentication_for_localhost = - 1; 1306 options->identities_only = - 1; 1307 options->rekey_limit = - 1; 1308 options->rekey_interval = -1; 1309 options->verify_host_key_dns = -1; 1310 options->server_alive_interval = -1; 1311 options->server_alive_count_max = -1; 1312 options->num_send_env = 0; 1313 options->control_path = NULL; 1314 options->control_master = -1; 1315 options->control_persist = -1; 1316 options->control_persist_timeout = 0; 1317 options->hash_known_hosts = -1; 1318 options->tun_open = -1; 1319 options->tun_local = -1; 1320 options->tun_remote = -1; 1321 options->local_command = NULL; 1322 options->permit_local_command = -1; 1323 options->use_roaming = -1; 1324 options->visual_host_key = -1; 1325 options->zero_knowledge_password_authentication = -1; 1326 options->ip_qos_interactive = -1; 1327 options->ip_qos_bulk = -1; 1328 options->request_tty = -1; 1329 options->ignored_unknown = NULL; 1330 options->none_switch = -1; 1331 options->none_enabled = -1; 1332 options->hpn_disabled = -1; 1333 options->hpn_buffer_size = -1; 1334 options->tcp_rcv_buf_poll = -1; 1335 options->tcp_rcv_buf = -1; 1336 options->send_version_first = -1; 1337 } 1338 1339 /* 1340 * Called after processing other sources of option data, this fills those 1341 * options for which no value has been specified with their default values. 1342 */ 1343 1344 void 1345 fill_default_options(Options * options) 1346 { 1347 if (options->forward_agent == -1) 1348 options->forward_agent = 0; 1349 if (options->forward_x11 == -1) 1350 options->forward_x11 = 0; 1351 if (options->forward_x11_trusted == -1) 1352 options->forward_x11_trusted = 0; 1353 if (options->forward_x11_timeout == -1) 1354 options->forward_x11_timeout = 1200; 1355 if (options->exit_on_forward_failure == -1) 1356 options->exit_on_forward_failure = 0; 1357 if (options->xauth_location == NULL) 1358 options->xauth_location = __UNCONST(_PATH_XAUTH); 1359 if (options->gateway_ports == -1) 1360 options->gateway_ports = 0; 1361 if (options->use_privileged_port == -1) 1362 options->use_privileged_port = 0; 1363 if (options->rsa_authentication == -1) 1364 options->rsa_authentication = 1; 1365 if (options->pubkey_authentication == -1) 1366 options->pubkey_authentication = 1; 1367 if (options->challenge_response_authentication == -1) 1368 options->challenge_response_authentication = 1; 1369 #if defined(KRB4) || defined(KRB5) 1370 if (options->kerberos_authentication == -1) 1371 options->kerberos_authentication = 1; 1372 #endif 1373 #if defined(AFS) || defined(KRB5) 1374 if (options->kerberos_tgt_passing == -1) 1375 options->kerberos_tgt_passing = 1; 1376 #endif 1377 #ifdef AFS 1378 if (options->afs_token_passing == -1) 1379 options->afs_token_passing = 1; 1380 #endif 1381 if (options->gss_authentication == -1) 1382 options->gss_authentication = 0; 1383 if (options->gss_deleg_creds == -1) 1384 options->gss_deleg_creds = 0; 1385 if (options->password_authentication == -1) 1386 options->password_authentication = 1; 1387 if (options->kbd_interactive_authentication == -1) 1388 options->kbd_interactive_authentication = 1; 1389 if (options->rhosts_rsa_authentication == -1) 1390 options->rhosts_rsa_authentication = 0; 1391 if (options->hostbased_authentication == -1) 1392 options->hostbased_authentication = 0; 1393 if (options->batch_mode == -1) 1394 options->batch_mode = 0; 1395 if (options->check_host_ip == -1) 1396 options->check_host_ip = 1; 1397 if (options->strict_host_key_checking == -1) 1398 options->strict_host_key_checking = 2; /* 2 is default */ 1399 if (options->compression == -1) 1400 options->compression = 0; 1401 if (options->tcp_keep_alive == -1) 1402 options->tcp_keep_alive = 1; 1403 if (options->compression_level == -1) 1404 options->compression_level = 6; 1405 if (options->port == -1) 1406 options->port = 0; /* Filled in ssh_connect. */ 1407 if (options->address_family == -1) 1408 options->address_family = AF_UNSPEC; 1409 if (options->connection_attempts == -1) 1410 options->connection_attempts = 1; 1411 if (options->number_of_password_prompts == -1) 1412 options->number_of_password_prompts = 3; 1413 /* Selected in ssh_login(). */ 1414 if (options->cipher == -1) 1415 options->cipher = SSH_CIPHER_NOT_SET; 1416 /* options->ciphers, default set in myproposals.h */ 1417 /* options->macs, default set in myproposals.h */ 1418 /* options->kex_algorithms, default set in myproposals.h */ 1419 /* options->hostkeyalgorithms, default set in myproposals.h */ 1420 if (options->protocol == SSH_PROTO_UNKNOWN) 1421 options->protocol = SSH_PROTO_2; 1422 if (options->num_identity_files == 0) { 1423 if (options->protocol & SSH_PROTO_1) { 1424 add_identity_file(options, "~/", 1425 _PATH_SSH_CLIENT_IDENTITY, 0); 1426 } 1427 if (options->protocol & SSH_PROTO_2) { 1428 add_identity_file(options, "~/", 1429 _PATH_SSH_CLIENT_ID_RSA, 0); 1430 add_identity_file(options, "~/", 1431 _PATH_SSH_CLIENT_ID_DSA, 0); 1432 add_identity_file(options, "~/", 1433 _PATH_SSH_CLIENT_ID_ECDSA, 0); 1434 } 1435 } 1436 if (options->escape_char == -1) 1437 options->escape_char = '~'; 1438 if (options->num_system_hostfiles == 0) { 1439 options->system_hostfiles[options->num_system_hostfiles++] = 1440 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE); 1441 options->system_hostfiles[options->num_system_hostfiles++] = 1442 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); 1443 } 1444 if (options->num_user_hostfiles == 0) { 1445 options->user_hostfiles[options->num_user_hostfiles++] = 1446 xstrdup(_PATH_SSH_USER_HOSTFILE); 1447 options->user_hostfiles[options->num_user_hostfiles++] = 1448 xstrdup(_PATH_SSH_USER_HOSTFILE2); 1449 } 1450 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 1451 options->log_level = SYSLOG_LEVEL_INFO; 1452 if (options->clear_forwardings == 1) 1453 clear_forwardings(options); 1454 if (options->no_host_authentication_for_localhost == - 1) 1455 options->no_host_authentication_for_localhost = 0; 1456 if (options->identities_only == -1) 1457 options->identities_only = 0; 1458 if (options->enable_ssh_keysign == -1) 1459 options->enable_ssh_keysign = 0; 1460 if (options->rekey_limit == -1) 1461 options->rekey_limit = 0; 1462 if (options->rekey_interval == -1) 1463 options->rekey_interval = 0; 1464 if (options->verify_host_key_dns == -1) 1465 options->verify_host_key_dns = 0; 1466 if (options->server_alive_interval == -1) 1467 options->server_alive_interval = 0; 1468 if (options->server_alive_count_max == -1) 1469 options->server_alive_count_max = 3; 1470 if (options->none_switch == -1) 1471 options->none_switch = 0; 1472 if (options->hpn_disabled == -1) 1473 options->hpn_disabled = 0; 1474 if (options->hpn_buffer_size > -1) 1475 { 1476 /* if a user tries to set the size to 0 set it to 1KB */ 1477 if (options->hpn_buffer_size == 0) 1478 options->hpn_buffer_size = 1024; 1479 /*limit the buffer to 64MB*/ 1480 if (options->hpn_buffer_size > 65536) 1481 { 1482 options->hpn_buffer_size = 65536*1024; 1483 debug("User requested buffer larger than 64MB. Request reverted to 64MB"); 1484 } 1485 debug("hpn_buffer_size set to %d", options->hpn_buffer_size); 1486 } 1487 if (options->tcp_rcv_buf == 0) 1488 options->tcp_rcv_buf = 1; 1489 if (options->tcp_rcv_buf > -1) 1490 options->tcp_rcv_buf *=1024; 1491 if (options->tcp_rcv_buf_poll == -1) 1492 options->tcp_rcv_buf_poll = 1; 1493 if (options->control_master == -1) 1494 options->control_master = 0; 1495 if (options->control_persist == -1) { 1496 options->control_persist = 0; 1497 options->control_persist_timeout = 0; 1498 } 1499 if (options->hash_known_hosts == -1) 1500 options->hash_known_hosts = 0; 1501 if (options->tun_open == -1) 1502 options->tun_open = SSH_TUNMODE_NO; 1503 if (options->tun_local == -1) 1504 options->tun_local = SSH_TUNID_ANY; 1505 if (options->tun_remote == -1) 1506 options->tun_remote = SSH_TUNID_ANY; 1507 if (options->permit_local_command == -1) 1508 options->permit_local_command = 0; 1509 if (options->use_roaming == -1) 1510 options->use_roaming = 1; 1511 if (options->visual_host_key == -1) 1512 options->visual_host_key = 0; 1513 if (options->zero_knowledge_password_authentication == -1) 1514 options->zero_knowledge_password_authentication = 0; 1515 if (options->ip_qos_interactive == -1) 1516 options->ip_qos_interactive = IPTOS_LOWDELAY; 1517 if (options->ip_qos_bulk == -1) 1518 options->ip_qos_bulk = IPTOS_THROUGHPUT; 1519 if (options->request_tty == -1) 1520 options->request_tty = REQUEST_TTY_AUTO; 1521 if (options->send_version_first == -1) 1522 options->send_version_first = 1; 1523 /* options->local_command should not be set by default */ 1524 /* options->proxy_command should not be set by default */ 1525 /* options->user will be set in the main program if appropriate */ 1526 /* options->hostname will be set in the main program if appropriate */ 1527 /* options->host_key_alias should not be set by default */ 1528 /* options->preferred_authentications will be set in ssh */ 1529 } 1530 1531 /* 1532 * parse_forward 1533 * parses a string containing a port forwarding specification of the form: 1534 * dynamicfwd == 0 1535 * [listenhost:]listenport:connecthost:connectport 1536 * dynamicfwd == 1 1537 * [listenhost:]listenport 1538 * returns number of arguments parsed or zero on error 1539 */ 1540 int 1541 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) 1542 { 1543 int i; 1544 char *p, *cp, *fwdarg[4]; 1545 1546 memset(fwd, '\0', sizeof(*fwd)); 1547 1548 cp = p = xstrdup(fwdspec); 1549 1550 /* skip leading spaces */ 1551 while (isspace((unsigned char)*cp)) 1552 cp++; 1553 1554 for (i = 0; i < 4; ++i) 1555 if ((fwdarg[i] = hpdelim(&cp)) == NULL) 1556 break; 1557 1558 /* Check for trailing garbage */ 1559 if (cp != NULL) 1560 i = 0; /* failure */ 1561 1562 switch (i) { 1563 case 1: 1564 fwd->listen_host = NULL; 1565 fwd->listen_port = a2port(fwdarg[0]); 1566 fwd->connect_host = xstrdup("socks"); 1567 break; 1568 1569 case 2: 1570 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0])); 1571 fwd->listen_port = a2port(fwdarg[1]); 1572 fwd->connect_host = xstrdup("socks"); 1573 break; 1574 1575 case 3: 1576 fwd->listen_host = NULL; 1577 fwd->listen_port = a2port(fwdarg[0]); 1578 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1])); 1579 fwd->connect_port = a2port(fwdarg[2]); 1580 break; 1581 1582 case 4: 1583 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0])); 1584 fwd->listen_port = a2port(fwdarg[1]); 1585 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2])); 1586 fwd->connect_port = a2port(fwdarg[3]); 1587 break; 1588 default: 1589 i = 0; /* failure */ 1590 } 1591 1592 free(p); 1593 1594 if (dynamicfwd) { 1595 if (!(i == 1 || i == 2)) 1596 goto fail_free; 1597 } else { 1598 if (!(i == 3 || i == 4)) 1599 goto fail_free; 1600 if (fwd->connect_port <= 0) 1601 goto fail_free; 1602 } 1603 1604 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0)) 1605 goto fail_free; 1606 1607 if (fwd->connect_host != NULL && 1608 strlen(fwd->connect_host) >= NI_MAXHOST) 1609 goto fail_free; 1610 if (fwd->listen_host != NULL && 1611 strlen(fwd->listen_host) >= NI_MAXHOST) 1612 goto fail_free; 1613 1614 1615 return (i); 1616 1617 fail_free: 1618 free(fwd->connect_host); 1619 fwd->connect_host = NULL; 1620 free(fwd->listen_host); 1621 fwd->listen_host = NULL; 1622 return (0); 1623 } 1624