1 /* $NetBSD: readconf.c,v 1.4 2010/11/21 18:29:49 adam Exp $ */ 2 /* $OpenBSD: readconf.c,v 1.187 2010/07/19 09:15:12 djm Exp $ */ 3 /* 4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6 * All rights reserved 7 * Functions for reading the configuration files. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 */ 15 16 #include "includes.h" 17 __RCSID("$NetBSD: readconf.c,v 1.4 2010/11/21 18:29:49 adam Exp $"); 18 #include <sys/types.h> 19 #include <sys/stat.h> 20 #include <sys/socket.h> 21 22 #include <netinet/in.h> 23 24 #include <ctype.h> 25 #include <errno.h> 26 #include <netdb.h> 27 #include <signal.h> 28 #include <stdio.h> 29 #include <string.h> 30 #include <unistd.h> 31 #include <limits.h> 32 33 #include "xmalloc.h" 34 #include "ssh.h" 35 #include "compat.h" 36 #include "cipher.h" 37 #include "pathnames.h" 38 #include "log.h" 39 #include "key.h" 40 #include "readconf.h" 41 #include "match.h" 42 #include "misc.h" 43 #include "buffer.h" 44 #include "kex.h" 45 #include "mac.h" 46 47 /* Format of the configuration file: 48 49 # Configuration data is parsed as follows: 50 # 1. command line options 51 # 2. user-specific file 52 # 3. system-wide file 53 # Any configuration value is only changed the first time it is set. 54 # Thus, host-specific definitions should be at the beginning of the 55 # configuration file, and defaults at the end. 56 57 # Host-specific declarations. These may override anything above. A single 58 # host may match multiple declarations; these are processed in the order 59 # that they are given in. 
60 61 Host *.ngs.fi ngs.fi 62 User foo 63 64 Host fake.com 65 HostName another.host.name.real.org 66 User blaah 67 Port 34289 68 ForwardX11 no 69 ForwardAgent no 70 71 Host books.com 72 RemoteForward 9999 shadows.cs.hut.fi:9999 73 Cipher 3des 74 75 Host fascist.blob.com 76 Port 23123 77 User tylonen 78 PasswordAuthentication no 79 80 Host puukko.hut.fi 81 User t35124p 82 ProxyCommand ssh-proxy %h %p 83 84 Host *.fr 85 PublicKeyAuthentication no 86 87 Host *.su 88 Cipher none 89 PasswordAuthentication no 90 91 Host vpn.fake.com 92 Tunnel yes 93 TunnelDevice 3 94 95 # Defaults for various options 96 Host * 97 ForwardAgent no 98 ForwardX11 no 99 PasswordAuthentication yes 100 RSAAuthentication yes 101 RhostsRSAAuthentication yes 102 StrictHostKeyChecking yes 103 TcpKeepAlive no 104 IdentityFile ~/.ssh/identity 105 Port 22 106 EscapeChar ~ 107 108 */ 109 110 /* Keyword tokens. */ 111 112 typedef enum { 113 oBadOption, 114 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, 115 oGatewayPorts, oExitOnForwardFailure, 116 oPasswordAuthentication, oRSAAuthentication, 117 oChallengeResponseAuthentication, oXAuthLocation, 118 #if defined(KRB4) || defined(KRB5) 119 oKerberosAuthentication, 120 #endif 121 #if defined(AFS) || defined(KRB5) 122 oKerberosTgtPassing, 123 #endif 124 #ifdef AFS 125 oAFSTokenPassing, 126 #endif 127 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, 128 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, 129 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, 130 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, 131 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, 132 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, 133 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 134 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 135 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 136 
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 137 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 138 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 139 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 140 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 141 oSendEnv, oControlPath, oControlMaster, oControlPersist, 142 oHashKnownHosts, 143 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 144 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 145 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled, 146 oHPNBufferSize, 147 oDeprecated, oUnsupported 148 } OpCodes; 149 150 /* Textual representations of the tokens. */ 151 152 static struct { 153 const char *name; 154 OpCodes opcode; 155 } keywords[] = { 156 { "forwardagent", oForwardAgent }, 157 { "forwardx11", oForwardX11 }, 158 { "forwardx11trusted", oForwardX11Trusted }, 159 { "forwardx11timeout", oForwardX11Timeout }, 160 { "exitonforwardfailure", oExitOnForwardFailure }, 161 { "xauthlocation", oXAuthLocation }, 162 { "gatewayports", oGatewayPorts }, 163 { "useprivilegedport", oUsePrivilegedPort }, 164 { "rhostsauthentication", oDeprecated }, 165 { "passwordauthentication", oPasswordAuthentication }, 166 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 167 { "kbdinteractivedevices", oKbdInteractiveDevices }, 168 { "rsaauthentication", oRSAAuthentication }, 169 { "pubkeyauthentication", oPubkeyAuthentication }, 170 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 171 { "rhostsrsaauthentication", oRhostsRSAAuthentication }, 172 { "hostbasedauthentication", oHostbasedAuthentication }, 173 { "challengeresponseauthentication", oChallengeResponseAuthentication }, 174 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ 175 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ 176 #if defined(KRB4) || defined(KRB5) 177 { "kerberosauthentication", 
oKerberosAuthentication }, 178 #endif 179 #if defined(AFS) || defined(KRB5) 180 { "kerberostgtpassing", oKerberosTgtPassing }, 181 { "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */ 182 { "kerberos4tgtpassing", oKerberosTgtPassing }, /* alias */ 183 #endif 184 #ifdef AFS 185 { "afstokenpassing", oAFSTokenPassing }, 186 #endif 187 #if defined(GSSAPI) 188 { "gssapiauthentication", oGssAuthentication }, 189 { "gssapidelegatecredentials", oGssDelegateCreds }, 190 #else 191 { "gssapiauthentication", oUnsupported }, 192 { "gssapidelegatecredentials", oUnsupported }, 193 #endif 194 { "fallbacktorsh", oDeprecated }, 195 { "usersh", oDeprecated }, 196 { "identityfile", oIdentityFile }, 197 { "identityfile2", oIdentityFile }, /* obsolete */ 198 { "identitiesonly", oIdentitiesOnly }, 199 { "hostname", oHostName }, 200 { "hostkeyalias", oHostKeyAlias }, 201 { "proxycommand", oProxyCommand }, 202 { "port", oPort }, 203 { "cipher", oCipher }, 204 { "ciphers", oCiphers }, 205 { "macs", oMacs }, 206 { "protocol", oProtocol }, 207 { "remoteforward", oRemoteForward }, 208 { "localforward", oLocalForward }, 209 { "user", oUser }, 210 { "host", oHost }, 211 { "escapechar", oEscapeChar }, 212 { "globalknownhostsfile", oGlobalKnownHostsFile }, 213 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */ 214 { "userknownhostsfile", oUserKnownHostsFile }, 215 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */ 216 { "connectionattempts", oConnectionAttempts }, 217 { "batchmode", oBatchMode }, 218 { "checkhostip", oCheckHostIP }, 219 { "stricthostkeychecking", oStrictHostKeyChecking }, 220 { "compression", oCompression }, 221 { "compressionlevel", oCompressionLevel }, 222 { "tcpkeepalive", oTCPKeepAlive }, 223 { "keepalive", oTCPKeepAlive }, /* obsolete */ 224 { "numberofpasswordprompts", oNumberOfPasswordPrompts }, 225 { "loglevel", oLogLevel }, 226 { "dynamicforward", oDynamicForward }, 227 { "preferredauthentications", oPreferredAuthentications }, 228 { 
"hostkeyalgorithms", oHostKeyAlgorithms }, 229 { "bindaddress", oBindAddress }, 230 #ifdef ENABLE_PKCS11 231 { "smartcarddevice", oPKCS11Provider }, 232 { "pkcs11provider", oPKCS11Provider }, 233 #else 234 { "smartcarddevice", oUnsupported }, 235 { "pkcs11provider", oUnsupported }, 236 #endif 237 { "clearallforwardings", oClearAllForwardings }, 238 { "enablesshkeysign", oEnableSSHKeysign }, 239 { "verifyhostkeydns", oVerifyHostKeyDNS }, 240 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, 241 { "rekeylimit", oRekeyLimit }, 242 { "connecttimeout", oConnectTimeout }, 243 { "addressfamily", oAddressFamily }, 244 { "serveraliveinterval", oServerAliveInterval }, 245 { "serveralivecountmax", oServerAliveCountMax }, 246 { "sendenv", oSendEnv }, 247 { "controlpath", oControlPath }, 248 { "controlmaster", oControlMaster }, 249 { "controlpersist", oControlPersist }, 250 { "hashknownhosts", oHashKnownHosts }, 251 { "tunnel", oTunnel }, 252 { "tunneldevice", oTunnelDevice }, 253 { "localcommand", oLocalCommand }, 254 { "permitlocalcommand", oPermitLocalCommand }, 255 { "visualhostkey", oVisualHostKey }, 256 { "useroaming", oUseRoaming }, 257 #ifdef JPAKE 258 { "zeroknowledgepasswordauthentication", 259 oZeroKnowledgePasswordAuthentication }, 260 #else 261 { "zeroknowledgepasswordauthentication", oUnsupported }, 262 #endif 263 { "noneenabled", oNoneEnabled }, 264 { "tcprcvbufpoll", oTcpRcvBufPoll }, 265 { "tcprcvbuf", oTcpRcvBuf }, 266 { "noneswitch", oNoneSwitch }, 267 { "hpndisabled", oHPNDisabled }, 268 { "hpnbuffersize", oHPNBufferSize }, 269 { NULL, oBadOption } 270 }; 271 272 /* 273 * Adds a local TCP/IP port forward to options. Never returns if there is an 274 * error. 
275 */ 276 277 void 278 add_local_forward(Options *options, const Forward *newfwd) 279 { 280 Forward *fwd; 281 extern uid_t original_real_uid; 282 283 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) 284 fatal("Privileged ports can only be forwarded by root."); 285 options->local_forwards = xrealloc(options->local_forwards, 286 options->num_local_forwards + 1, 287 sizeof(*options->local_forwards)); 288 fwd = &options->local_forwards[options->num_local_forwards++]; 289 290 fwd->listen_host = newfwd->listen_host; 291 fwd->listen_port = newfwd->listen_port; 292 fwd->connect_host = newfwd->connect_host; 293 fwd->connect_port = newfwd->connect_port; 294 } 295 296 /* 297 * Adds a remote TCP/IP port forward to options. Never returns if there is 298 * an error. 299 */ 300 301 void 302 add_remote_forward(Options *options, const Forward *newfwd) 303 { 304 Forward *fwd; 305 306 options->remote_forwards = xrealloc(options->remote_forwards, 307 options->num_remote_forwards + 1, 308 sizeof(*options->remote_forwards)); 309 fwd = &options->remote_forwards[options->num_remote_forwards++]; 310 311 fwd->listen_host = newfwd->listen_host; 312 fwd->listen_port = newfwd->listen_port; 313 fwd->connect_host = newfwd->connect_host; 314 fwd->connect_port = newfwd->connect_port; 315 fwd->allocated_port = 0; 316 } 317 318 static void 319 clear_forwardings(Options *options) 320 { 321 int i; 322 323 for (i = 0; i < options->num_local_forwards; i++) { 324 if (options->local_forwards[i].listen_host != NULL) 325 xfree(options->local_forwards[i].listen_host); 326 xfree(options->local_forwards[i].connect_host); 327 } 328 if (options->num_local_forwards > 0) { 329 xfree(options->local_forwards); 330 options->local_forwards = NULL; 331 } 332 options->num_local_forwards = 0; 333 for (i = 0; i < options->num_remote_forwards; i++) { 334 if (options->remote_forwards[i].listen_host != NULL) 335 xfree(options->remote_forwards[i].listen_host); 336 
xfree(options->remote_forwards[i].connect_host); 337 } 338 if (options->num_remote_forwards > 0) { 339 xfree(options->remote_forwards); 340 options->remote_forwards = NULL; 341 } 342 options->num_remote_forwards = 0; 343 options->tun_open = SSH_TUNMODE_NO; 344 } 345 346 /* 347 * Returns the number of the token pointed to by cp or oBadOption. 348 */ 349 350 static OpCodes 351 parse_token(const char *cp, const char *filename, int linenum) 352 { 353 u_int i; 354 355 for (i = 0; keywords[i].name; i++) 356 if (strcasecmp(cp, keywords[i].name) == 0) 357 return keywords[i].opcode; 358 359 error("%s: line %d: Bad configuration option: %s", 360 filename, linenum, cp); 361 return oBadOption; 362 } 363 364 /* 365 * Processes a single option line as used in the configuration files. This 366 * only sets those values that have not already been set. 367 */ 368 #define WHITESPACE " \t\r\n" 369 370 int 371 process_config_line(Options *options, const char *host, 372 char *line, const char *filename, int linenum, 373 int *activep) 374 { 375 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; 376 int opcode, *intptr, value, value2, scale; 377 LogLevel *log_level_ptr; 378 long long orig, val64; 379 size_t len; 380 Forward fwd; 381 382 /* Strip trailing whitespace */ 383 for (len = strlen(line) - 1; len > 0; len--) { 384 if (strchr(WHITESPACE, line[len]) == NULL) 385 break; 386 line[len] = '\0'; 387 } 388 389 s = line; 390 /* Get the keyword. (Each line is supposed to begin with a keyword). */ 391 if ((keyword = strdelim(&s)) == NULL) 392 return 0; 393 /* Ignore leading whitespace. 
*/ 394 if (*keyword == '\0') 395 keyword = strdelim(&s); 396 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') 397 return 0; 398 399 opcode = parse_token(keyword, filename, linenum); 400 401 switch (opcode) { 402 case oBadOption: 403 /* don't panic, but count bad options */ 404 return -1; 405 /* NOTREACHED */ 406 case oConnectTimeout: 407 intptr = &options->connection_timeout; 408 parse_time: 409 arg = strdelim(&s); 410 if (!arg || *arg == '\0') 411 fatal("%s line %d: missing time value.", 412 filename, linenum); 413 if ((value = convtime(arg)) == -1) 414 fatal("%s line %d: invalid time value.", 415 filename, linenum); 416 if (*activep && *intptr == -1) 417 *intptr = value; 418 break; 419 420 case oForwardAgent: 421 intptr = &options->forward_agent; 422 parse_flag: 423 arg = strdelim(&s); 424 if (!arg || *arg == '\0') 425 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); 426 value = 0; /* To avoid compiler warning... */ 427 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 428 value = 1; 429 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 430 value = 0; 431 else 432 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum); 433 if (*activep && *intptr == -1) 434 *intptr = value; 435 break; 436 437 case oForwardX11: 438 intptr = &options->forward_x11; 439 goto parse_flag; 440 441 case oForwardX11Trusted: 442 intptr = &options->forward_x11_trusted; 443 goto parse_flag; 444 445 case oForwardX11Timeout: 446 intptr = &options->forward_x11_timeout; 447 goto parse_time; 448 449 case oGatewayPorts: 450 intptr = &options->gateway_ports; 451 goto parse_flag; 452 453 case oExitOnForwardFailure: 454 intptr = &options->exit_on_forward_failure; 455 goto parse_flag; 456 457 case oUsePrivilegedPort: 458 intptr = &options->use_privileged_port; 459 goto parse_flag; 460 461 case oPasswordAuthentication: 462 intptr = &options->password_authentication; 463 goto parse_flag; 464 465 case 
oZeroKnowledgePasswordAuthentication: 466 intptr = &options->zero_knowledge_password_authentication; 467 goto parse_flag; 468 469 case oKbdInteractiveAuthentication: 470 intptr = &options->kbd_interactive_authentication; 471 goto parse_flag; 472 473 case oKbdInteractiveDevices: 474 charptr = &options->kbd_interactive_devices; 475 goto parse_string; 476 477 case oPubkeyAuthentication: 478 intptr = &options->pubkey_authentication; 479 goto parse_flag; 480 481 case oRSAAuthentication: 482 intptr = &options->rsa_authentication; 483 goto parse_flag; 484 485 case oRhostsRSAAuthentication: 486 intptr = &options->rhosts_rsa_authentication; 487 goto parse_flag; 488 489 case oHostbasedAuthentication: 490 intptr = &options->hostbased_authentication; 491 goto parse_flag; 492 493 case oChallengeResponseAuthentication: 494 intptr = &options->challenge_response_authentication; 495 goto parse_flag; 496 497 #if defined(KRB4) || defined(KRB5) 498 case oKerberosAuthentication: 499 intptr = &options->kerberos_authentication; 500 goto parse_flag; 501 #endif 502 #if defined(AFS) || defined(KRB5) 503 case oKerberosTgtPassing: 504 intptr = &options->kerberos_tgt_passing; 505 goto parse_flag; 506 #endif 507 508 case oGssAuthentication: 509 intptr = &options->gss_authentication; 510 goto parse_flag; 511 512 #ifdef AFS 513 case oAFSTokenPassing: 514 intptr = &options->afs_token_passing; 515 goto parse_flag; 516 #endif 517 518 case oGssDelegateCreds: 519 intptr = &options->gss_deleg_creds; 520 goto parse_flag; 521 522 case oBatchMode: 523 intptr = &options->batch_mode; 524 goto parse_flag; 525 526 case oCheckHostIP: 527 intptr = &options->check_host_ip; 528 goto parse_flag; 529 530 case oNoneEnabled: 531 intptr = &options->none_enabled; 532 goto parse_flag; 533 534 /* we check to see if the command comes from the */ 535 /* command line or not. If it does then enable it */ 536 /* otherwise fail. 
NONE should never be a default configuration */ 537 case oNoneSwitch: 538 if(strcmp(filename,"command-line")==0) 539 { 540 intptr = &options->none_switch; 541 goto parse_flag; 542 } else { 543 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); 544 error("Continuing..."); 545 debug("NoneSwitch directive found in %.200s.", filename); 546 return 0; 547 } 548 549 case oHPNDisabled: 550 intptr = &options->hpn_disabled; 551 goto parse_flag; 552 553 case oHPNBufferSize: 554 intptr = &options->hpn_buffer_size; 555 goto parse_int; 556 557 case oTcpRcvBufPoll: 558 intptr = &options->tcp_rcv_buf_poll; 559 goto parse_flag; 560 561 case oVerifyHostKeyDNS: 562 intptr = &options->verify_host_key_dns; 563 goto parse_yesnoask; 564 565 case oStrictHostKeyChecking: 566 intptr = &options->strict_host_key_checking; 567 parse_yesnoask: 568 arg = strdelim(&s); 569 if (!arg || *arg == '\0') 570 fatal("%.200s line %d: Missing yes/no/ask argument.", 571 filename, linenum); 572 value = 0; /* To avoid compiler warning... 
*/ 573 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 574 value = 1; 575 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 576 value = 0; 577 else if (strcmp(arg, "ask") == 0) 578 value = 2; 579 else 580 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum); 581 if (*activep && *intptr == -1) 582 *intptr = value; 583 break; 584 585 case oCompression: 586 intptr = &options->compression; 587 goto parse_flag; 588 589 case oTCPKeepAlive: 590 intptr = &options->tcp_keep_alive; 591 goto parse_flag; 592 593 case oNoHostAuthenticationForLocalhost: 594 intptr = &options->no_host_authentication_for_localhost; 595 goto parse_flag; 596 597 case oNumberOfPasswordPrompts: 598 intptr = &options->number_of_password_prompts; 599 goto parse_int; 600 601 case oCompressionLevel: 602 intptr = &options->compression_level; 603 goto parse_int; 604 605 case oRekeyLimit: 606 arg = strdelim(&s); 607 if (!arg || *arg == '\0') 608 fatal("%.200s line %d: Missing argument.", filename, linenum); 609 if (arg[0] < '0' || arg[0] > '9') 610 fatal("%.200s line %d: Bad number.", filename, linenum); 611 orig = val64 = strtoll(arg, &endofnumber, 10); 612 if (arg == endofnumber) 613 fatal("%.200s line %d: Bad number.", filename, linenum); 614 switch (toupper((unsigned char)*endofnumber)) { 615 case '\0': 616 scale = 1; 617 break; 618 case 'K': 619 scale = 1<<10; 620 break; 621 case 'M': 622 scale = 1<<20; 623 break; 624 case 'G': 625 scale = 1<<30; 626 break; 627 default: 628 scale = 0; 629 fatal("%.200s line %d: Invalid RekeyLimit suffix", 630 filename, linenum); 631 } 632 val64 *= scale; 633 /* detect integer wrap and too-large limits */ 634 if ((val64 / scale) != orig || val64 > UINT_MAX) 635 fatal("%.200s line %d: RekeyLimit too large", 636 filename, linenum); 637 if (val64 < 16) 638 fatal("%.200s line %d: RekeyLimit too small", 639 filename, linenum); 640 if (*activep && options->rekey_limit == -1) 641 options->rekey_limit = (u_int32_t)val64; 642 break; 643 644 
case oIdentityFile: 645 arg = strdelim(&s); 646 if (!arg || *arg == '\0') 647 fatal("%.200s line %d: Missing argument.", filename, linenum); 648 if (*activep) { 649 intptr = &options->num_identity_files; 650 if (*intptr >= SSH_MAX_IDENTITY_FILES) 651 fatal("%.200s line %d: Too many identity files specified (max %d).", 652 filename, linenum, SSH_MAX_IDENTITY_FILES); 653 charptr = &options->identity_files[*intptr]; 654 *charptr = xstrdup(arg); 655 *intptr = *intptr + 1; 656 } 657 break; 658 659 case oXAuthLocation: 660 charptr=&options->xauth_location; 661 goto parse_string; 662 663 case oUser: 664 charptr = &options->user; 665 parse_string: 666 arg = strdelim(&s); 667 if (!arg || *arg == '\0') 668 fatal("%.200s line %d: Missing argument.", filename, linenum); 669 if (*activep && *charptr == NULL) 670 *charptr = xstrdup(arg); 671 break; 672 673 case oGlobalKnownHostsFile: 674 charptr = &options->system_hostfile; 675 goto parse_string; 676 677 case oUserKnownHostsFile: 678 charptr = &options->user_hostfile; 679 goto parse_string; 680 681 case oGlobalKnownHostsFile2: 682 charptr = &options->system_hostfile2; 683 goto parse_string; 684 685 case oUserKnownHostsFile2: 686 charptr = &options->user_hostfile2; 687 goto parse_string; 688 689 case oHostName: 690 charptr = &options->hostname; 691 goto parse_string; 692 693 case oHostKeyAlias: 694 charptr = &options->host_key_alias; 695 goto parse_string; 696 697 case oPreferredAuthentications: 698 charptr = &options->preferred_authentications; 699 goto parse_string; 700 701 case oBindAddress: 702 charptr = &options->bind_address; 703 goto parse_string; 704 705 case oPKCS11Provider: 706 charptr = &options->pkcs11_provider; 707 goto parse_string; 708 709 case oProxyCommand: 710 charptr = &options->proxy_command; 711 parse_command: 712 if (s == NULL) 713 fatal("%.200s line %d: Missing argument.", filename, linenum); 714 len = strspn(s, WHITESPACE "="); 715 if (*activep && *charptr == NULL) 716 *charptr = xstrdup(s + len); 717 
return 0; 718 719 case oPort: 720 intptr = &options->port; 721 parse_int: 722 arg = strdelim(&s); 723 if (!arg || *arg == '\0') 724 fatal("%.200s line %d: Missing argument.", filename, linenum); 725 if (arg[0] < '0' || arg[0] > '9') 726 fatal("%.200s line %d: Bad number.", filename, linenum); 727 728 /* Octal, decimal, or hex format? */ 729 value = strtol(arg, &endofnumber, 0); 730 if (arg == endofnumber) 731 fatal("%.200s line %d: Bad number.", filename, linenum); 732 if (*activep && *intptr == -1) 733 *intptr = value; 734 break; 735 736 case oConnectionAttempts: 737 intptr = &options->connection_attempts; 738 goto parse_int; 739 740 case oTcpRcvBuf: 741 intptr = &options->tcp_rcv_buf; 742 goto parse_int; 743 744 case oCipher: 745 intptr = &options->cipher; 746 arg = strdelim(&s); 747 if (!arg || *arg == '\0') 748 fatal("%.200s line %d: Missing argument.", filename, linenum); 749 value = cipher_number(arg); 750 if (value == -1) 751 fatal("%.200s line %d: Bad cipher '%s'.", 752 filename, linenum, arg ? arg : "<NONE>"); 753 if (*activep && *intptr == -1) 754 *intptr = value; 755 break; 756 757 case oCiphers: 758 arg = strdelim(&s); 759 if (!arg || *arg == '\0') 760 fatal("%.200s line %d: Missing argument.", filename, linenum); 761 if (!ciphers_valid(arg)) 762 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", 763 filename, linenum, arg ? arg : "<NONE>"); 764 if (*activep && options->ciphers == NULL) 765 options->ciphers = xstrdup(arg); 766 break; 767 768 case oMacs: 769 arg = strdelim(&s); 770 if (!arg || *arg == '\0') 771 fatal("%.200s line %d: Missing argument.", filename, linenum); 772 if (!mac_valid(arg)) 773 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", 774 filename, linenum, arg ? 
arg : "<NONE>"); 775 if (*activep && options->macs == NULL) 776 options->macs = xstrdup(arg); 777 break; 778 779 case oHostKeyAlgorithms: 780 arg = strdelim(&s); 781 if (!arg || *arg == '\0') 782 fatal("%.200s line %d: Missing argument.", filename, linenum); 783 if (!key_names_valid2(arg)) 784 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", 785 filename, linenum, arg ? arg : "<NONE>"); 786 if (*activep && options->hostkeyalgorithms == NULL) 787 options->hostkeyalgorithms = xstrdup(arg); 788 break; 789 790 case oProtocol: 791 intptr = &options->protocol; 792 arg = strdelim(&s); 793 if (!arg || *arg == '\0') 794 fatal("%.200s line %d: Missing argument.", filename, linenum); 795 value = proto_spec(arg); 796 if (value == SSH_PROTO_UNKNOWN) 797 fatal("%.200s line %d: Bad protocol spec '%s'.", 798 filename, linenum, arg ? arg : "<NONE>"); 799 if (*activep && *intptr == SSH_PROTO_UNKNOWN) 800 *intptr = value; 801 break; 802 803 case oLogLevel: 804 log_level_ptr = &options->log_level; 805 arg = strdelim(&s); 806 value = log_level_number(arg); 807 if (value == SYSLOG_LEVEL_NOT_SET) 808 fatal("%.200s line %d: unsupported log level '%s'", 809 filename, linenum, arg ? 
arg : "<NONE>"); 810 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET) 811 *log_level_ptr = (LogLevel) value; 812 break; 813 814 case oLocalForward: 815 case oRemoteForward: 816 case oDynamicForward: 817 arg = strdelim(&s); 818 if (arg == NULL || *arg == '\0') 819 fatal("%.200s line %d: Missing port argument.", 820 filename, linenum); 821 822 if (opcode == oLocalForward || 823 opcode == oRemoteForward) { 824 arg2 = strdelim(&s); 825 if (arg2 == NULL || *arg2 == '\0') 826 fatal("%.200s line %d: Missing target argument.", 827 filename, linenum); 828 829 /* construct a string for parse_forward */ 830 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2); 831 } else if (opcode == oDynamicForward) { 832 strlcpy(fwdarg, arg, sizeof(fwdarg)); 833 } 834 835 if (parse_forward(&fwd, fwdarg, 836 opcode == oDynamicForward ? 1 : 0, 837 opcode == oRemoteForward ? 1 : 0) == 0) 838 fatal("%.200s line %d: Bad forwarding specification.", 839 filename, linenum); 840 841 if (*activep) { 842 if (opcode == oLocalForward || 843 opcode == oDynamicForward) 844 add_local_forward(options, &fwd); 845 else if (opcode == oRemoteForward) 846 add_remote_forward(options, &fwd); 847 } 848 break; 849 850 case oClearAllForwardings: 851 intptr = &options->clear_forwardings; 852 goto parse_flag; 853 854 case oHost: 855 *activep = 0; 856 while ((arg = strdelim(&s)) != NULL && *arg != '\0') 857 if (match_pattern(host, arg)) { 858 debug("Applying options for %.100s", arg); 859 *activep = 1; 860 break; 861 } 862 /* Avoid garbage check below, as strdelim is done. */ 863 return 0; 864 865 case oEscapeChar: 866 intptr = &options->escape_char; 867 arg = strdelim(&s); 868 if (!arg || *arg == '\0') 869 fatal("%.200s line %d: Missing argument.", filename, linenum); 870 value = 0; /* To avoid compiler warning... 
*/ 871 if (arg[0] == '^' && arg[2] == 0 && 872 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) 873 value = (u_char) arg[1] & 31; 874 else if (strlen(arg) == 1) 875 value = (u_char) arg[0]; 876 else if (strcmp(arg, "none") == 0) 877 value = SSH_ESCAPECHAR_NONE; 878 else { 879 fatal("%.200s line %d: Bad escape character.", 880 filename, linenum); 881 /* NOTREACHED */ 882 value = 0; /* Avoid compiler warning. */ 883 } 884 if (*activep && *intptr == -1) 885 *intptr = value; 886 break; 887 888 case oAddressFamily: 889 arg = strdelim(&s); 890 if (!arg || *arg == '\0') 891 fatal("%s line %d: missing address family.", 892 filename, linenum); 893 intptr = &options->address_family; 894 value = 0; /* To avoid compiler warning... */ 895 if (strcasecmp(arg, "inet") == 0) 896 value = AF_INET; 897 else if (strcasecmp(arg, "inet6") == 0) 898 value = AF_INET6; 899 else if (strcasecmp(arg, "any") == 0) 900 value = AF_UNSPEC; 901 else 902 fatal("Unsupported AddressFamily \"%s\"", arg); 903 if (*activep && *intptr == -1) 904 *intptr = value; 905 break; 906 907 case oEnableSSHKeysign: 908 intptr = &options->enable_ssh_keysign; 909 goto parse_flag; 910 911 case oIdentitiesOnly: 912 intptr = &options->identities_only; 913 goto parse_flag; 914 915 case oServerAliveInterval: 916 intptr = &options->server_alive_interval; 917 goto parse_time; 918 919 case oServerAliveCountMax: 920 intptr = &options->server_alive_count_max; 921 goto parse_int; 922 923 case oSendEnv: 924 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 925 if (strchr(arg, '=') != NULL) 926 fatal("%s line %d: Invalid environment name.", 927 filename, linenum); 928 if (!*activep) 929 continue; 930 if (options->num_send_env >= MAX_SEND_ENV) 931 fatal("%s line %d: too many send env.", 932 filename, linenum); 933 options->send_env[options->num_send_env++] = 934 xstrdup(arg); 935 } 936 break; 937 938 case oControlPath: 939 charptr = &options->control_path; 940 goto parse_string; 941 942 case oControlMaster: 943 intptr = 
&options->control_master; 944 arg = strdelim(&s); 945 if (!arg || *arg == '\0') 946 fatal("%.200s line %d: Missing ControlMaster argument.", 947 filename, linenum); 948 value = 0; /* To avoid compiler warning... */ 949 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 950 value = SSHCTL_MASTER_YES; 951 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 952 value = SSHCTL_MASTER_NO; 953 else if (strcmp(arg, "auto") == 0) 954 value = SSHCTL_MASTER_AUTO; 955 else if (strcmp(arg, "ask") == 0) 956 value = SSHCTL_MASTER_ASK; 957 else if (strcmp(arg, "autoask") == 0) 958 value = SSHCTL_MASTER_AUTO_ASK; 959 else 960 fatal("%.200s line %d: Bad ControlMaster argument.", 961 filename, linenum); 962 if (*activep && *intptr == -1) 963 *intptr = value; 964 break; 965 966 case oControlPersist: 967 /* no/false/yes/true, or a time spec */ 968 intptr = &options->control_persist; 969 arg = strdelim(&s); 970 if (!arg || *arg == '\0') 971 fatal("%.200s line %d: Missing ControlPersist" 972 " argument.", filename, linenum); 973 value = 0; 974 value2 = 0; /* timeout */ 975 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 976 value = 0; 977 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 978 value = 1; 979 else if ((value2 = convtime(arg)) >= 0) 980 value = 1; 981 else 982 fatal("%.200s line %d: Bad ControlPersist argument.", 983 filename, linenum); 984 if (*activep && *intptr == -1) { 985 *intptr = value; 986 options->control_persist_timeout = value2; 987 } 988 break; 989 990 case oHashKnownHosts: 991 intptr = &options->hash_known_hosts; 992 goto parse_flag; 993 994 case oTunnel: 995 intptr = &options->tun_open; 996 arg = strdelim(&s); 997 if (!arg || *arg == '\0') 998 fatal("%s line %d: Missing yes/point-to-point/" 999 "ethernet/no argument.", filename, linenum); 1000 value = 0; /* silence compiler */ 1001 if (strcasecmp(arg, "ethernet") == 0) 1002 value = SSH_TUNMODE_ETHERNET; 1003 else if (strcasecmp(arg, "point-to-point") == 0) 1004 value = 
SSH_TUNMODE_POINTOPOINT; 1005 else if (strcasecmp(arg, "yes") == 0) 1006 value = SSH_TUNMODE_DEFAULT; 1007 else if (strcasecmp(arg, "no") == 0) 1008 value = SSH_TUNMODE_NO; 1009 else 1010 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1011 "no argument: %s", filename, linenum, arg); 1012 if (*activep) 1013 *intptr = value; 1014 break; 1015 1016 case oTunnelDevice: 1017 arg = strdelim(&s); 1018 if (!arg || *arg == '\0') 1019 fatal("%.200s line %d: Missing argument.", filename, linenum); 1020 value = a2tun(arg, &value2); 1021 if (value == SSH_TUNID_ERR) 1022 fatal("%.200s line %d: Bad tun device.", filename, linenum); 1023 if (*activep) { 1024 options->tun_local = value; 1025 options->tun_remote = value2; 1026 } 1027 break; 1028 1029 case oLocalCommand: 1030 charptr = &options->local_command; 1031 goto parse_command; 1032 1033 case oPermitLocalCommand: 1034 intptr = &options->permit_local_command; 1035 goto parse_flag; 1036 1037 case oVisualHostKey: 1038 intptr = &options->visual_host_key; 1039 goto parse_flag; 1040 1041 case oUseRoaming: 1042 intptr = &options->use_roaming; 1043 goto parse_flag; 1044 1045 case oDeprecated: 1046 debug("%s line %d: Deprecated option \"%s\"", 1047 filename, linenum, keyword); 1048 return 0; 1049 1050 case oUnsupported: 1051 error("%s line %d: Unsupported option \"%s\"", 1052 filename, linenum, keyword); 1053 return 0; 1054 1055 default: 1056 fatal("process_config_line: Unimplemented opcode %d", opcode); 1057 } 1058 1059 /* Check that there is no garbage at end of line. */ 1060 if ((arg = strdelim(&s)) != NULL && *arg != '\0') { 1061 fatal("%.200s line %d: garbage at end of line; \"%.200s\".", 1062 filename, linenum, arg); 1063 } 1064 return 0; 1065 } 1066 1067 1068 /* 1069 * Reads the config file and modifies the options accordingly. Options 1070 * should already be initialized before this call. This never returns if 1071 * there is an error. If the file does not exist, this returns 0. 
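 *
 * filename  - path of the configuration file to read.
 * host      - host name used to match "Host" blocks; handed unchanged to
 *             process_config_line().
 * options   - Options to fill in; must already have been initialized.
 * checkperm - if non-zero, refuse the file unless it is owned by root or
 *             by the calling user and is not group/other writable.
 * Returns 1 if the file was read, 0 if it could not be opened (for any
 * reason, not only because it does not exist).  Any malformed line is
 * fatal.
 */

int
read_config_file(const char *filename, const char *host, Options *options,
    int checkperm)
{
	FILE *f;
	char line[1024];
	int active, linenum;
	int bad_options = 0;
	size_t len;

	if ((f = fopen(filename, "r")) == NULL)
		return 0;

	if (checkperm) {
		struct stat sb;

		/*
		 * Check the descriptor we actually opened (fstat), not the
		 * path (stat), so the check cannot be raced by swapping the
		 * file between the check and the read.
		 */
		if (fstat(fileno(f), &sb) == -1)
			fatal("fstat %s: %s", filename, strerror(errno));
		/*
		 * Root-owned files are accepted so the system-wide config
		 * passes; anything else must belong to the calling user.
		 * Group- or world-writable files are rejected outright: a
		 * config file can run arbitrary commands (ProxyCommand,
		 * LocalCommand), so a writer of it controls this process.
		 */
		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
		    (sb.st_mode & 022) != 0))
			fatal("Bad owner or permissions on %s", filename);
	}

	debug("Reading configuration data %.200s", filename);

	/*
	 * Mark that we are now processing the options. This flag is turned
	 * on/off by Host specifications.
	 */
	active = 1;
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() silently splits a line longer than the buffer
		 * across several calls; the tail would then be parsed as a
		 * separate directive under a wrong line number.  A line
		 * without a trailing newline is only acceptable as the very
		 * last line of the file, so peek for more data and treat
		 * an over-long line like any other malformed one.
		 */
		len = strlen(line);
		if ((len == 0 || line[len - 1] != '\n') && getc(f) != EOF)
			fatal("%.200s line %d: line too long.",
			    filename, linenum);
		if (process_config_line(options, host, line, filename,
		    linenum, &active) != 0)
			bad_options++;
	}
	fclose(f);
	/* Unknown keywords are counted, not fatal per line; fail once here. */
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
	return 1;
}

/*
 * Initializes options to special values that indicate that they have not yet
 * been set. Read_config_file will only set options with this value. Options
 * are processed in the following order: command line, user config file,
 * system config file. Last, fill_default_options is called.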
 * The "not yet set" sentinel is -1 for integer options (SYSLOG_LEVEL_NOT_SET
 * for log_level, SSH_PROTO_UNKNOWN for protocol), NULL for strings and
 * lists, and 0 for the list counters.  The struct is poisoned with 'X'
 * first so that a field missing from this list shows up as obvious garbage
 * instead of as a silently-valid zero.
 */

void
initialize_options(Options * options)
{
	/* Poison everything; any field not reset below is a bug here. */
	memset(options, 'X', sizeof(*options));

	/* Connection: where and how to connect. */
	options->hostname = NULL;
	options->host_key_alias = NULL;
	options->port = -1;
	options->address_family = -1;
	options->bind_address = NULL;
	options->connection_attempts = -1;
	options->connection_timeout = -1;
	options->proxy_command = NULL;
	options->user = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->use_privileged_port = -1;
	options->tcp_keep_alive = -1;
	options->server_alive_interval = -1;
	options->server_alive_count_max = -1;
	options->rekey_limit = - 1;
	options->use_roaming = -1;
	options->batch_mode = -1;
	options->escape_char = -1;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Transport algorithms and compression. */
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->hostkeyalgorithms = NULL;
	options->compression = -1;
	options->compression_level = -1;

	/* Host key verification. */
	options->strict_host_key_checking = -1;
	options->check_host_ip = -1;
	options->system_hostfile = NULL;
	options->user_hostfile = NULL;
	options->system_hostfile2 = NULL;
	options->user_hostfile2 = NULL;
	options->hash_known_hosts = -1;
	options->verify_host_key_dns = -1;
	options->no_host_authentication_for_localhost = - 1;
	options->visual_host_key = -1;

	/* Authentication methods and credentials. */
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->challenge_response_authentication = -1;
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->gss_authentication = -1;
	options->gss_deleg_creds = -1;
	options->password_authentication = -1;
	options->number_of_password_prompts = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->enable_ssh_keysign = - 1;
	options->preferred_authentications = NULL;
	options->num_identity_files = 0;
	options->identities_only = - 1;
	options->pkcs11_provider = NULL;
	options->zero_knowledge_password_authentication = -1;

	/* Forwarding: agent, X11, ports, tunnels, environment. */
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->forward_x11_trusted = -1;
	options->forward_x11_timeout = -1;
	options->xauth_location = NULL;
	options->gateway_ports = -1;
	options->exit_on_forward_failure = -1;
	options->local_forwards = NULL;
	options->num_local_forwards = 0;
	options->remote_forwards = NULL;
	options->num_remote_forwards = 0;
	options->clear_forwardings = -1;
	options->tun_open = -1;
	options->tun_local = -1;
	options->tun_remote = -1;
	options->num_send_env = 0;

	/* Connection multiplexing. */
	options->control_path = NULL;
	options->control_master = -1;
	options->control_persist = -1;
	options->control_persist_timeout = 0;

	/* Local command execution. */
	options->local_command = NULL;
	options->permit_local_command = -1;

	/* HPN extensions (NONE cipher switch, buffer tuning). */
	options->none_switch = -1;
	options->none_enabled = -1;
	options->hpn_disabled = -1;
	options->hpn_buffer_size = -1;
	options->tcp_rcv_buf_poll = -1;
	options->tcp_rcv_buf = -1;
}

/*
 * Called after processing other sources of option data, this fills those
 * options for which no value has been specified with their default values.
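 * Anything still holding the sentinel written by initialize_options()
 * (-1, NULL, SSH_PROTO_UNKNOWN, SYSLOG_LEVEL_NOT_SET) receives its default
 * here; values already set by the command line or a config file are left
 * untouched.  Call once, after every configuration source has been read.
 */

void
fill_default_options(Options * options)
{
	int len;

	/* Forwarding: nothing is forwarded unless explicitly requested. */
	if (options->forward_agent == -1)
		options->forward_agent = 0;
	if (options->forward_x11 == -1)
		options->forward_x11 = 0;
	if (options->forward_x11_trusted == -1)
		options->forward_x11_trusted = 0;
	if (options->forward_x11_timeout == -1)
		options->forward_x11_timeout = 1200;
	if (options->exit_on_forward_failure == -1)
		options->exit_on_forward_failure = 0;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->use_privileged_port == -1)
		options->use_privileged_port = 0;

	/*
	 * Authentication: key/password/keyboard methods are on by default;
	 * the host-trust based ones (rhosts-RSA, hostbased) and GSSAPI are
	 * off and have to be enabled deliberately.
	 */
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 1;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 1;
#endif
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_deleg_creds == -1)
		options->gss_deleg_creds = 0;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 1;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->batch_mode == -1)
		options->batch_mode = 0;

	/* Host key verification. */
	if (options->check_host_ip == -1)
		options->check_host_ip = 1;
	if (options->strict_host_key_checking == -1)
		/* 2 is the default; presumably the "ask" value of the
		 * StrictHostKeyChecking parser, which is outside this view. */
		options->strict_host_key_checking = 2;

	/* Transport. */
	if (options->compression == -1)
		options->compression = 0;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->compression_level == -1)
		options->compression_level = 6;
	if (options->port == -1)
		options->port = 0;	/* Filled in ssh_connect. */
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;
	if (options->connection_attempts == -1)
		options->connection_attempts = 1;
	if (options->number_of_password_prompts == -1)
		options->number_of_password_prompts = 3;
	/* Selected in ssh_login(). */
	if (options->cipher == -1)
		options->cipher = SSH_CIPHER_NOT_SET;
	/* options->ciphers, default set in myproposals.h */
	/* options->macs, default set in myproposals.h */
	/* options->hostkeyalgorithms, default set in myproposals.h */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_2;

	/*
	 * Default identity files, one per enabled protocol version.  The
	 * "~/" prefix is expanded later by the caller; "%.100s" caps the
	 * copied path, so the buffer sized from strlen() can never be too
	 * small.
	 */
	if (options->num_identity_files == 0) {
		if (options->protocol & SSH_PROTO_1) {
			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
			options->identity_files[options->num_identity_files] =
			    xmalloc(len);
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
		}
		if (options->protocol & SSH_PROTO_2) {
			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
			options->identity_files[options->num_identity_files] =
			    xmalloc(len);
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);

			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
			options->identity_files[options->num_identity_files] =
			    xmalloc(len);
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
		}
	}
	if (options->escape_char == -1)
		options->escape_char = '~';
	if (options->system_hostfile == NULL)
		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
	if (options->user_hostfile == NULL)
		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
	if (options->system_hostfile2 == NULL)
		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
	if (options->user_hostfile2 == NULL)
		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* ClearAllForwardings: drop every forwarding collected so far. */
	if (options->clear_forwardings == 1)
		clear_forwardings(options);
	if (options->no_host_authentication_for_localhost == - 1)
		options->no_host_authentication_for_localhost = 0;
	if (options->identities_only == -1)
		options->identities_only = 0;
	if (options->enable_ssh_keysign == -1)
		options->enable_ssh_keysign = 0;
	if (options->rekey_limit == -1)
		options->rekey_limit = 0;
	if (options->verify_host_key_dns == -1)
		options->verify_host_key_dns = 0;
	if (options->server_alive_interval == -1)
		options->server_alive_interval = 0;
	if (options->server_alive_count_max == -1)
		options->server_alive_count_max = 3;

	/* HPN extensions. */
	if (options->none_switch == -1)
		options->none_switch = 0;
	/*
	 * none_enabled was left at the -1 sentinel by the original code,
	 * unlike every other flag.  Its name suggests it gates the NONE
	 * (no encryption) cipher, and -1 is non-zero, so a plain truth test
	 * on it downstream would read as "enabled".  Give it an explicit 0;
	 * the consumer is outside this file, so confirm it tests "== 1".
	 */
	if (options->none_enabled == -1)
		options->none_enabled = 0;
	if (options->hpn_disabled == -1)
		options->hpn_disabled = 0;
	if (options->hpn_buffer_size > -1) {
		/*
		 * NOTE(review): the units here are inconsistent.  0 becomes
		 * 1024 ("1KB", i.e. the field holds bytes) and anything
		 * above 65536 becomes 65536*1024 ("64MB", i.e. the input
		 * was in KB), while every value in between is passed through
		 * unscaled.  Compare tcp_rcv_buf below, which is always
		 * scaled by 1024.  Left as-is because the consumer of
		 * hpn_buffer_size is outside this file; verify before
		 * changing.
		 */
		/* if a user tries to set the size to 0 set it to 1KB */
		if (options->hpn_buffer_size == 0)
			options->hpn_buffer_size = 1024;
		/* limit the buffer to 64MB */
		if (options->hpn_buffer_size > 65536) {
			options->hpn_buffer_size = 65536*1024;
			debug("User requested buffer larger than 64MB. Request reverted to 64MB");
		}
		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
	}
	/*
	 * TcpRcvBuf is given in KB and converted to bytes here.  Clamp
	 * before multiplying: a value above INT_MAX/1024 would overflow
	 * the signed int, which is undefined behaviour.
	 */
	if (options->tcp_rcv_buf == 0)
		options->tcp_rcv_buf = 1;
	if (options->tcp_rcv_buf > INT_MAX / 1024) {
		options->tcp_rcv_buf = INT_MAX / 1024;
		debug("User requested TcpRcvBuf too large. Request reverted to %d KB",
		    options->tcp_rcv_buf);
	}
	if (options->tcp_rcv_buf > -1)
		options->tcp_rcv_buf *= 1024;
	if (options->tcp_rcv_buf_poll == -1)
		options->tcp_rcv_buf_poll = 1;

	/* Multiplexing. */
	if (options->control_master == -1)
		options->control_master = 0;
	if (options->control_persist == -1) {
		options->control_persist = 0;
		options->control_persist_timeout = 0;
	}
	if (options->hash_known_hosts == -1)
		options->hash_known_hosts = 0;
	if (options->tun_open == -1)
		options->tun_open = SSH_TUNMODE_NO;
	if (options->tun_local == -1)
		options->tun_local = SSH_TUNID_ANY;
	if (options->tun_remote == -1)
		options->tun_remote = SSH_TUNID_ANY;
	/* LocalCommand is never run unless PermitLocalCommand is set. */
	if (options->permit_local_command == -1)
		options->permit_local_command = 0;
	if (options->use_roaming == -1)
		options->use_roaming = 1;
	if (options->visual_host_key == -1)
		options->visual_host_key = 0;
	if (options->zero_knowledge_password_authentication == -1)
		options->zero_knowledge_password_authentication = 0;
	/* options->local_command should not be set by default */
	/* options->proxy_command should not be set by default */
	/* options->user will be set in the main program if appropriate */
	/* options->hostname will be set in the main program if appropriate */
	/* options->host_key_alias should not be set by default */
	/* options->preferred_authentications will be set in ssh */
}

/*
 * parse_forward
 * parses a string containing a port forwarding specification of the form:
 *   dynamicfwd == 0
 *	[listenhost:]listenport:connecthost:connectport
 *   dynamicfwd == 1
 *	[listenhost:]listenport
 * remotefwd selects the -R rules: a listen port of 0 (let the server pick)
 * is accepted only then.
 *
 * On success fwd->listen_host/connect_host are freshly allocated strings
 * (listen_host may be NULL, connect_host is "socks" for dynamic forwards)
 * owned by the caller, and the number of fields parsed (1..4) is returned.
 * On failure fwd is left zeroed with both host strings freed and NULL, and
 * 0 is returned.
 */
int
parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd,
    int remotefwd)
{
	int i;
	char *p, *cp, *fwdarg[4];

	memset(fwd, '\0', sizeof(*fwd));

	/* hpdelim() splits in place, so work on a private copy. */
	cp = p = xstrdup(fwdspec);

	/* skip leading spaces */
	while (isspace((unsigned char)*cp))
		cp++;

	for (i = 0; i < 4; ++i)
		if ((fwdarg[i] = hpdelim(&cp)) == NULL)
			break;

	/* Check for trailing garbage */
	if (cp != NULL)
		i = 0; /* failure */

	/*
	 * The field count alone decides the layout; dynamic vs. static is
	 * reconciled below.  Hosts are copied out before p is released
	 * because fwdarg[] points into it.
	 */
	switch (i) {
	case 1:
		fwd->listen_host = NULL;
		fwd->listen_port = a2port(fwdarg[0]);
		fwd->connect_host = xstrdup("socks");
		break;

	case 2:
		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
		fwd->listen_port = a2port(fwdarg[1]);
		fwd->connect_host = xstrdup("socks");
		break;

	case 3:
		fwd->listen_host = NULL;
		fwd->listen_port = a2port(fwdarg[0]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
		fwd->connect_port = a2port(fwdarg[2]);
		break;

	case 4:
		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
		fwd->listen_port = a2port(fwdarg[1]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
		fwd->connect_port = a2port(fwdarg[3]);
		break;
	default:
		i = 0; /* failure */
	}

	xfree(p);

	if (dynamicfwd) {
		if (!(i == 1 || i == 2))
			goto fail_free;
	} else {
		if (!(i == 3 || i == 4))
			goto fail_free;
		/* a2port() yields -1 for junk; 0 is not a usable target. */
		if (fwd->connect_port <= 0)
			goto fail_free;
	}

	/* Port 0 means "server chooses" and only makes sense for -R. */
	if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
		goto fail_free;

	/* Keep host names within what getnameinfo()/getaddrinfo() accept. */
	if (fwd->connect_host != NULL &&
	    strlen(fwd->connect_host) >= NI_MAXHOST)
		goto fail_free;
	if (fwd->listen_host != NULL &&
	    strlen(fwd->listen_host) >= NI_MAXHOST)
		goto fail_free;

	return (i);

 fail_free:
	if (fwd->connect_host != NULL) {
		xfree(fwd->connect_host);
		fwd->connect_host = NULL;
	}
	if (fwd->listen_host != NULL) {
		xfree(fwd->listen_host);
		fwd->listen_host = NULL;
	}
	return (0);
}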