1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 12 #include "includes.h" 13 RCSID("$OpenBSD: servconf.c,v 1.95 2001/12/19 07:18:56 deraadt Exp $"); 14 15 #if defined(KRB4) || defined(KRB5) 16 #include <krb.h> 17 #endif 18 #ifdef AFS 19 #include <kafs.h> 20 #endif 21 22 #include "ssh.h" 23 #include "log.h" 24 #include "servconf.h" 25 #include "xmalloc.h" 26 #include "compat.h" 27 #include "pathnames.h" 28 #include "tildexpand.h" 29 #include "misc.h" 30 #include "cipher.h" 31 #include "kex.h" 32 #include "mac.h" 33 34 static void add_listen_addr(ServerOptions *, char *, u_short); 35 static void add_one_listen_addr(ServerOptions *, char *, u_short); 36 37 /* AF_UNSPEC or AF_INET or AF_INET6 */ 38 extern int IPv4or6; 39 40 /* Initializes the server options to their default values. 
*/
void
initialize_server_options(ServerOptions *options)
{
	/*
	 * Zero the whole structure first; the explicit assignments below
	 * then stamp every option with its "not set" marker (-1, NULL,
	 * PERMIT_NOT_SET or SSH_PROTO_UNKNOWN) so that
	 * fill_default_server_options() can tell a value chosen by the
	 * configuration from one it never mentioned.
	 */
	memset(options, 0, sizeof(*options));

	/* Listening sockets, process bookkeeping, host keys and ciphers. */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->gateway_ports = -1;
	options->keepalives = -1;
	options->pid_file = NULL;
	options->num_host_key_files = 0;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;

	/* Connection limits and liveness checks. */
	options->login_grace_time = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->reverse_mapping_check = -1;

	/* Logging: enum-typed fields carry the same -1 marker. */
	options->log_facility = (SyslogFacility) - 1;
	options->log_level = (LogLevel) - 1;

	/* Authentication methods and related policy. */
	options->permit_root_login = PERMIT_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif

	/* Access control lists start out empty. */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session behaviour. */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->banner = NULL;
	options->use_login = -1;
	options->strict_modes = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->xauth_location = NULL;
	options->allow_tcp_forwarding = -1;
	options->num_subsystems = 0;
}

/*
 * Stores `value` in `*slot` only when the configuration left the field at
 * the -1 "not set" marker written by initialize_server_options().
 */
static void
default_if_unset(int *slot, int value)
{
	if (*slot == -1)
		*slot = value;
}

/*
 * Replaces every "not set" marker with the compiled-in default. Must run
 * after the configuration has been read; anything set explicitly is kept.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Protocol first: the default host key set depends on it. */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
	}
	/* Ports before listen addresses: add_listen_addr() binds each port. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	default_if_unset(&options->server_key_bits, 768);
	default_if_unset(&options->login_grace_time, 600);
	default_if_unset(&options->key_regeneration_time, 3600);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_if_unset(&options->ignore_rhosts, 1);
	default_if_unset(&options->ignore_user_known_hosts, 0);
	default_if_unset(&options->print_motd, 1);
	default_if_unset(&options->print_lastlog, 1);
	default_if_unset(&options->x11_forwarding, 0);
	default_if_unset(&options->x11_display_offset, 10);
#ifdef _PATH_XAUTH
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
#endif
	default_if_unset(&options->strict_modes, 1);
	default_if_unset(&options->keepalives, 1);
	/* Enum-typed fields keep their own comparisons. */
	if (options->log_facility == (SyslogFacility) (-1))
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == (LogLevel) (-1))
		options->log_level = SYSLOG_LEVEL_INFO;
	default_if_unset(&options->rhosts_authentication, 0);
	default_if_unset(&options->rhosts_rsa_authentication, 0);
	default_if_unset(&options->hostbased_authentication, 0);
	default_if_unset(&options->hostbased_uses_name_from_packet_only, 0);
	default_if_unset(&options->rsa_authentication, 1);
	default_if_unset(&options->pubkey_authentication, 1);
#if defined(KRB4) || defined(KRB5)
	/* Explicit test so access() only runs when the default is needed. */
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	default_if_unset(&options->kerberos_or_local_passwd, 1);
	default_if_unset(&options->kerberos_ticket_cleanup, 1);
#endif
#if defined(AFS) || defined(KRB5)
	default_if_unset(&options->kerberos_tgt_passing, 0);
#endif
#ifdef AFS
	/* Same reason: k_hasafs() is only consulted when nothing was set. */
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif
	default_if_unset(&options->password_authentication, 1);
	default_if_unset(&options->kbd_interactive_authentication, 0);
	default_if_unset(&options->challenge_response_authentication, 1);
	default_if_unset(&options->permit_empty_passwd, 0);
	default_if_unset(&options->use_login, 0);
	default_if_unset(&options->allow_tcp_forwarding, 1);
	default_if_unset(&options->gateway_ports, 0);
	/* max_startups must be settled before max_startups_begin copies it. */
	default_if_unset(&options->max_startups, 10);
	default_if_unset(&options->max_startups_rate, 100);	/* 100% */
	default_if_unset(&options->max_startups_begin, options->max_startups);
	default_if_unset(&options->reverse_mapping_check, 0);
	default_if_unset(&options->client_alive_interval, 0);
	default_if_unset(&options->client_alive_count_max, 3);
	/*
	 * authorized_keys_file2 falls back to an explicitly configured
	 * authorized_keys_file, so it has to be resolved before that one
	 * receives its own default.
	 */
	if (options->authorized_keys_file2 == NULL) {
		options->authorized_keys_file2 =
		    (options->authorized_keys_file != NULL) ?
		    options->authorized_keys_file : _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
}

/* Keyword tokens.
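*/
typedef enum {
	sBadOption,		/* == unknown option */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sUseLogin, sAllowTcpForwarding,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sReverseMappingCheck, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sDeprecated
} ServerOpCodes;

/*
 * Textual representation of the tokens. Keywords are matched
 * case-insensitively (see parse_token); several spellings map to the same
 * opcode for backwards compatibility, and the table ends with a NULL name.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "reversemappingcheck", sReverseMappingCheck },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ NULL, sBadOption }
};

/*
 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * The lookup is case-insensitive. An unknown keyword is reported through
 * error() with the file name and line number, then sBadOption is returned
 * so the caller can decide whether to keep going.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum)
{
	u_int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}

/*
 * Registers a listen address. A port of 0 means "every configured port",
 * so the address is added once per entry in options->ports; if no port has
 * been configured yet the default port is installed first. addr == NULL
 * stands for the wildcard address (see add_one_listen_addr).
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (port == 0)
		for (i = 0; i < options->num_ports; i++)
			add_one_listen_addr(options, addr, options->ports[i]);
	else
		add_one_listen_addr(options, addr, port);
}

/*
 * Resolves one addr/port pair with getaddrinfo() and prepends the whole
 * resulting list to options->listen_addrs. A NULL addr requests AI_PASSIVE
 * (the wildcard address); the address family comes from the global IPv4or6.
 * Resolution failure is fatal, since a misspelt address must not silently
 * leave the daemon listening on fewer sockets than configured.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	snprintf(strport, sizeof strport, "%d", port);
	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));
	/* Walk to the tail of the new list and splice the old list after it. */
	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
		;
	ai->ai_next = options->listen_addrs;
	options->listen_addrs = aitop;
}

/*
 * Processes a single configuration line.
 *
 * Returns 0 on success (blank and comment lines included) and -1 for an
 * unknown keyword, so the caller can count bad options and abort once the
 * whole file has been read. A malformed or missing argument is fatal on
 * the spot.
 *
 * A value is only stored while the option still holds its "not set"
 * marker (-1, NULL, SSH_PROTO_UNKNOWN), so whatever was set earlier -- the
 * first occurrence in the file, or anything the caller set beforehand --
 * wins. Many cases share the parse_int / parse_time / parse_flag /
 * parse_filename labels: they point intptr or charptr at the target field
 * and jump to the common argument parser. The line is tokenised in place
 * with strdelim(), so `line` is modified.
 */
int
process_server_config_line(ServerOptions *options, char *line,
			   const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endofnumber;
	int *intptr, value;
	ServerOpCodes opcode;
	int i, n;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* Listen addresses already bound every known port. */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * strtol() rather than atoi(): a non-numeric argument (or
		 * trailing junk) is a configuration error and must not be
		 * silently read as 0.
		 */
		value = (int) strtol(arg, &endofnumber, 10);
		if (arg == endofnumber || *endofnumber != '\0')
			fatal("%s line %d: bad integer value '%s'.",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() accepts the suffixed forms and returns -1 on error. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: "addr", "addr:port", "[v6addr]" and
		 * "[v6addr]:port". A bare address with a single ':' is an
		 * addr:port pair; more than one ':' means an unbracketed
		 * IPv6 address, which is taken as-is on every port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Drop the brackets; p now points just past the address. */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
			    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Boolean options take exactly "yes" or "no" (case-sensitive). */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sReverseMappingCheck:
		intptr = &options->reverse_mapping_check;
		goto parse_flag;

	case sLogFacility:
		/* Enum field accessed through int *, like every other option. */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == (SyslogFacility) - 1)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == (LogLevel) - 1)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	/*
	 * The four access lists accumulate: every word on the line is
	 * appended, and repeated lines keep adding until the fixed limit.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] = xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] = xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* Validated up front so an unknown cipher fails at config time. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command": names must be unique. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * Either "begin:rate:full" (rate is a percentage, 1..100,
		 * and begin may not exceed full) or a single count, which
		 * is used for both begin and full. sscanf() writes straight
		 * into the option fields, so a partial match has already
		 * clobbered them -- that is fine only because it is fatal.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 *	AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Consume the rest of the line so it is not flagged as garbage. */
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the option's arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}

/* Reads the server configuration file.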
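*/
/*
 * Reads the whole file line by line into process_server_config_line().
 * An unreadable file exits immediately; unknown keywords are counted and
 * reported together once the file has been read, so that all of them show
 * up in one pass. Lines longer than the buffer are rejected rather than
 * silently split into two.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *f;
	char line[1024];
	int linenum;
	int bad_options = 0;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() returns an over-long line in pieces; the remainder
		 * would be parsed as a separate (bogus) option with a wrong
		 * line number, so treat it as an error instead. A final line
		 * without a trailing newline (EOF reached) is still accepted.
		 */
		if (strchr(line, '\n') == NULL && !feof(f))
			fatal("%s line %d: line too long.", filename, linenum);
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}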