/*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */

#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");

#if defined(KRB4) || defined(KRB5)
#include <krb.h>
#endif
#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"

/* Listen-address bookkeeping shared by the defaults and the parser. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
/* Use of privilege separation or not */
extern int use_privsep;

/*
 * Initializes the server options to their default values.
 *
 * The whole structure is zeroed and then every tunable is set to an
 * explicit "not yet set" marker: -1 for integers and flags, NULL for
 * strings, and the *_NOT_SET / SSH_PROTO_UNKNOWN enumerators.  The parser
 * (process_server_config_line) only stores into a field that still holds
 * its marker, so the first assignment to an option wins, and
 * fill_default_server_options() afterwards replaces any marker that is
 * still present with the compiled-in default.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));
	/*
	 * The counters and pointers below are already zero/NULL after the
	 * memset; they are assigned again so that every field has a
	 * visible initial value here.
	 */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	/* PermitRootLogin has its own marker, not -1, see PERMIT_* */
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	/* Logging enumerators have dedicated "not set" values */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	/* MaxStartups is a triple; all three parts share one marker value */
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}

/*
 * Replaces every "not yet set" marker left by initialize_server_options()
 * that the configuration did not override with the compiled-in default.
 * Must be called after all configuration sources have been processed,
 * since it only touches fields that still hold their marker.
 *
 * Two defaults depend on the order of the statements below:
 * max_startups_begin is defaulted to the already-defaulted max_startups,
 * and authorized_keys_file2 falls back to an explicitly configured
 * authorized_keys_file, so it is handled before authorized_keys_file
 * itself receives its default.
 */
void
fill_default_server_options(ServerOptions *options)
{
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress given: listen on the wildcard address */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/* Protocol 1 server key size in bits */
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/* Root login is permitted unless the configuration restricts it */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	/* Ownership/permission checks on user files are on by default */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* The rhosts-style methods default to off, key-based ones to on */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	/* Accounts with empty passwords are refused unless enabled */
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/* max_startups must be defaulted before max_startups_begin */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;
}

/* Keyword tokens.
*/
/*
 * One opcode per configuration keyword.  sBadOption is what parse_token()
 * returns for a keyword it does not know; sDeprecated is shared by
 * keywords that are still accepted for compatibility but whose arguments
 * are logged and skipped.  Several keywords are aliases that map to the
 * same opcode (see the keywords[] table below).  The numeric value of an
 * opcode is only used in the "Missing handler" diagnostic of
 * process_server_config_line(), so new entries are simply appended.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated
} ServerOpCodes;

/*
 * Textual representation of the tokens.
 *
 * Keywords are stored in lower case and compared case-insensitively by
 * parse_token(), so "PermitRootLogin" and "permitrootlogin" are the same
 * option.  The table is terminated by the { NULL, sBadOption } sentinel,
 * which parse_token() relies on to stop its scan.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },			/* accepted, ignored */
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }				/* sentinel */
};

/*
 * Returns the number of the token pointed to by cp or sBadOption.
 * Matching is case-insensitive.  An unknown keyword is reported with
 * error(), naming filename and linenum, and sBadOption is returned so
 * the caller can count the failure and keep reading the file.
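*/
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int i;

	/* keywords[] ends with a NULL name, which stops the scan */
	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}

/*
 * Records a listen address.  If no Port lines have been seen yet the
 * default port is registered first, so a ListenAddress without a port
 * always has something to bind to.  A port of 0 means "every configured
 * port": one entry is added for each of options->ports; otherwise only
 * the given port is added.  addr may be NULL for the wildcard address.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (port == 0)
		for (i = 0; i < options->num_ports; i++)
			add_one_listen_addr(options, addr, options->ports[i]);
	else
		add_one_listen_addr(options, addr, port);
}

/*
 * Resolves addr:port with getaddrinfo() and prepends the resulting list
 * to options->listen_addrs.  addr == NULL requests the passive (wildcard)
 * address; the address family comes from the global IPv4or6.  Resolution
 * failure is fatal, since a ListenAddress that cannot be resolved would
 * otherwise silently drop a listener.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	snprintf(strport, sizeof strport, "%u", port);
	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));
	/* walk to the tail of the new list and splice the old list after it */
	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
		;
	ai->ai_next = options->listen_addrs;
	options->listen_addrs = aitop;
}

/*
 * Parses one line of the server configuration file.
 *
 * line is split in place by strdelim(), so the caller's buffer is
 * modified.  Blank lines and lines starting with '#' are ignored.
 *
 * Returns 0 when the line was handled or ignored and -1 when the keyword
 * is unknown (already reported by parse_token()); every other problem
 * (missing or malformed argument, too many entries, trailing garbage)
 * terminates sshd via fatal().
 *
 * Most options are only stored if the target field still holds its
 * "not set" marker (-1, NULL, SSH_PROTO_UNKNOWN), so the first occurrence
 * of an option wins and the command line can take precedence over the
 * file.  Exceptions visible below: the list options (AllowUsers etc.) and
 * Subsystem append, and MaxStartups writes its fields unconditionally.
 *
 * Integer arguments are parsed with strtol() and must be fully numeric
 * and fit in an int; atoi() would have turned "10x" into 10 and "abc"
 * into 0 without any diagnostic.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* ports feed add_listen_addr(), so they must all come first */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * Reject anything that is not entirely a decimal integer, and
		 * anything that does not survive the round trip through int.
		 * (strtol() clamps on overflow; where long is wider than int
		 * the clamped value fails the round-trip test below.)
		 */
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || (long)(int)lval != lval)
			fatal("%s line %d: Bad integer value: %s",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() understands suffixed forms such as 1h30m */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			/*
			 * "[addr]" or "[addr]:port": drop the brackets so arg
			 * is the bare address and p points at whatever
			 * followed the ']' (":port" or nothing).
			 */
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/*
			 * No colon: host name or IPv4 address without port.
			 * Two or more colons: an unbracketed IPv6 address,
			 * which cannot carry a port.  Either way, use every
			 * configured port.
			 */
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* terminate the address part before the ':' */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/* log_facility is an enum; its "not set" value is -1 like the ints */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* stored in the global, not in options */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four list options below consume every remaining word on the
	 * line and append; repeated lines accumulate rather than override.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		/* validated here so a typo is caught at startup, not at key exchange */
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		/* subsystem names must be unique */
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		/* only the first word is the command; extra words are trailing garbage */
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		/*
		 * "begin:rate:full" or a single number.  sscanf() writes the
		 * fields directly, so unlike the other options a later
		 * MaxStartups line overrides an earlier one.
		 */
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		/* swallow the arguments so the garbage check below stays quiet */
		while (arg)
			arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* anything left on the line is a mistake, not a comment */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}

/*
 * Reads the server configuration file.
 *
 * Every line is passed to process_server_config_line().  Unknown options
 * are counted and reported together with fatal() once the whole file has
 * been read; malformed arguments are fatal immediately.  A line that does
 * not fit the line buffer is rejected rather than being split and parsed
 * as two separate lines (which would also throw the line numbers in
 * later diagnostics off).  A file that cannot be opened is reported with
 * perror() and terminates the program.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() stops after sizeof(line)-1 characters.  If no
		 * newline made it into the buffer and we are not at end of
		 * file, the remainder of this line is still unread and would
		 * otherwise be parsed as a line of its own.
		 */
		if (strchr(line, '\n') == NULL && !feof(f))
			fatal("%s line %d: line too long (max %lu characters)",
			    filename, linenum, (unsigned long)(sizeof(line) - 1));
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}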