1 2 /* $OpenBSD: servconf.c,v 1.295 2016/08/25 23:57:54 djm Exp $ */ 3 /* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include <sys/types.h> 15 #include <sys/socket.h> 16 #include <sys/queue.h> 17 18 #include <netinet/in.h> 19 #include <netinet/ip.h> 20 21 #include <ctype.h> 22 #include <netdb.h> 23 #include <pwd.h> 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <string.h> 27 #include <signal.h> 28 #include <unistd.h> 29 #include <limits.h> 30 #include <stdarg.h> 31 #include <errno.h> 32 #include <util.h> 33 34 #include "xmalloc.h" 35 #include "ssh.h" 36 #include "log.h" 37 #include "buffer.h" 38 #include "misc.h" 39 #include "servconf.h" 40 #include "compat.h" 41 #include "pathnames.h" 42 #include "cipher.h" 43 #include "key.h" 44 #include "kex.h" 45 #include "mac.h" 46 #include "match.h" 47 #include "channels.h" 48 #include "groupaccess.h" 49 #include "canohost.h" 50 #include "packet.h" 51 #include "hostfile.h" 52 #include "auth.h" 53 #include "myproposal.h" 54 #include "digest.h" 55 56 static void add_listen_addr(ServerOptions *, char *, int); 57 static void add_one_listen_addr(ServerOptions *, char *, int); 58 59 /* Use of privilege separation or not */ 60 extern int use_privsep; 61 extern Buffer cfg; 62 63 /* Initializes the server options to their default values. */ 64 65 void 66 initialize_server_options(ServerOptions *options) 67 { 68 memset(options, 0, sizeof(*options)); 69 options->num_ports = 0; 70 options->ports_from_cmdline = 0; 71 options->queued_listen_addrs = NULL; 72 options->num_queued_listens = 0; 73 options->listen_addrs = NULL; 74 options->address_family = -1; 75 options->num_host_key_files = 0; 76 options->num_host_cert_files = 0; 77 options->host_key_agent = NULL; 78 options->pid_file = NULL; 79 options->login_grace_time = -1; 80 options->permit_root_login = PERMIT_NOT_SET; 81 options->ignore_rhosts = -1; 82 options->ignore_user_known_hosts = -1; 83 options->print_motd = -1; 84 options->print_lastlog = -1; 85 options->x11_forwarding = -1; 86 options->x11_display_offset = -1; 87 options->x11_use_localhost = -1; 88 options->permit_tty = -1; 89 options->permit_user_rc = -1; 90 options->xauth_location = NULL; 91 options->strict_modes = -1; 92 options->tcp_keep_alive = -1; 93 options->log_facility = SYSLOG_FACILITY_NOT_SET; 94 options->log_level = SYSLOG_LEVEL_NOT_SET; 95 options->hostbased_authentication = -1; 96 options->hostbased_uses_name_from_packet_only = -1; 97 options->hostbased_key_types = NULL; 98 options->hostkeyalgorithms = NULL; 99 options->pubkey_authentication = -1; 100 options->pubkey_key_types = NULL; 101 options->kerberos_authentication = -1; 102 options->kerberos_or_local_passwd = -1; 103 options->kerberos_ticket_cleanup = -1; 104 options->kerberos_get_afs_token = -1; 105 options->gss_authentication=-1; 106 options->gss_cleanup_creds = -1; 107 options->gss_strict_acceptor = -1; 108 options->password_authentication = -1; 109 options->kbd_interactive_authentication = -1; 110 options->challenge_response_authentication = -1; 111 options->permit_empty_passwd = -1; 112 options->permit_user_env = -1; 113 options->compression = -1; 114 options->rekey_limit = -1; 115 options->rekey_interval = -1; 116 options->allow_tcp_forwarding = -1; 117 options->allow_streamlocal_forwarding = -1; 118 options->allow_agent_forwarding = -1; 119 options->num_allow_users = 0; 120 options->num_deny_users = 0; 121 options->num_allow_groups = 0; 122 options->num_deny_groups = 0; 123 options->ciphers = NULL; 124 options->macs = NULL; 125 options->kex_algorithms = NULL; 126 options->fwd_opts.gateway_ports = -1; 127 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; 128 options->fwd_opts.streamlocal_bind_unlink = -1; 129 options->num_subsystems = 0; 130 options->max_startups_begin = -1; 131 options->max_startups_rate = -1; 132 options->max_startups = -1; 133 options->max_authtries = -1; 134 options->max_sessions = -1; 135 options->banner = NULL; 136 options->use_dns = -1; 137 options->client_alive_interval = -1; 138 options->client_alive_count_max = -1; 139 options->num_authkeys_files = 0; 140 options->num_accept_env = 0; 141 options->permit_tun = -1; 142 options->num_permitted_opens = -1; 143 options->adm_forced_command = NULL; 144 options->chroot_directory = NULL; 145 options->authorized_keys_command = NULL; 146 options->authorized_keys_command_user = NULL; 147 options->revoked_keys_file = NULL; 148 options->trusted_user_ca_keys = NULL; 149 options->authorized_principals_file = NULL; 150 options->authorized_principals_command = NULL; 151 options->authorized_principals_command_user = NULL; 152 options->ip_qos_interactive = -1; 153 options->ip_qos_bulk = -1; 154 options->version_addendum = NULL; 155 options->fingerprint_hash = -1; 156 } 157 158 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 159 static int 160 option_clear_or_none(const char *o) 161 { 162 return o == NULL || strcasecmp(o, "none") == 0; 163 } 164 165 static void 166 assemble_algorithms(ServerOptions *o) 167 { 168 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || 169 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || 170 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || 171 kex_assemble_names(KEX_DEFAULT_PK_ALG, 172 &o->hostkeyalgorithms) != 0 || 173 kex_assemble_names(KEX_DEFAULT_PK_ALG, 174 &o->hostbased_key_types) != 0 || 175 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) 176 fatal("kex_assemble_names failed"); 177 } 178 179 void 180 fill_default_server_options(ServerOptions *options) 181 { 182 int i; 183 184 if (options->num_host_key_files == 0) { 185 /* fill default hostkeys */ 186 options->host_key_files[options->num_host_key_files++] = 187 _PATH_HOST_RSA_KEY_FILE; 188 options->host_key_files[options->num_host_key_files++] = 189 _PATH_HOST_DSA_KEY_FILE; 190 options->host_key_files[options->num_host_key_files++] = 191 _PATH_HOST_ECDSA_KEY_FILE; 192 options->host_key_files[options->num_host_key_files++] = 193 _PATH_HOST_ED25519_KEY_FILE; 194 } 195 /* No certificates by default */ 196 if (options->num_ports == 0) 197 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 198 if (options->address_family == -1) 199 options->address_family = AF_UNSPEC; 200 if (options->listen_addrs == NULL) 201 add_listen_addr(options, NULL, 0); 202 if (options->pid_file == NULL) 203 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); 204 if (options->login_grace_time == -1) 205 options->login_grace_time = 120; 206 if (options->permit_root_login == PERMIT_NOT_SET) 207 options->permit_root_login = PERMIT_NO_PASSWD; 208 if (options->ignore_rhosts == -1) 209 options->ignore_rhosts = 1; 210 if (options->ignore_user_known_hosts == -1) 211 options->ignore_user_known_hosts = 0; 212 if (options->print_motd == -1) 213 options->print_motd = 1; 214 if (options->print_lastlog == -1) 215 options->print_lastlog = 1; 216 if (options->x11_forwarding == -1) 217 options->x11_forwarding = 0; 218 if (options->x11_display_offset == -1) 219 options->x11_display_offset = 10; 220 if (options->x11_use_localhost == -1) 221 options->x11_use_localhost = 1; 222 if (options->xauth_location == NULL) 223 options->xauth_location = xstrdup(_PATH_XAUTH); 224 if (options->permit_tty == -1) 225 options->permit_tty = 1; 226 if (options->permit_user_rc == -1) 227 options->permit_user_rc = 1; 228 if (options->strict_modes == -1) 229 options->strict_modes = 1; 230 if (options->tcp_keep_alive == -1) 231 options->tcp_keep_alive = 1; 232 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 233 options->log_facility = SYSLOG_FACILITY_AUTH; 234 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 235 options->log_level = SYSLOG_LEVEL_INFO; 236 if (options->hostbased_authentication == -1) 237 options->hostbased_authentication = 0; 238 if (options->hostbased_uses_name_from_packet_only == -1) 239 options->hostbased_uses_name_from_packet_only = 0; 240 if (options->pubkey_authentication == -1) 241 options->pubkey_authentication = 1; 242 if (options->kerberos_authentication == -1) 243 options->kerberos_authentication = 0; 244 if (options->kerberos_or_local_passwd == -1) 245 options->kerberos_or_local_passwd = 1; 246 if (options->kerberos_ticket_cleanup == -1) 247 options->kerberos_ticket_cleanup = 1; 248 if (options->kerberos_get_afs_token == -1) 249 options->kerberos_get_afs_token = 0; 250 if (options->gss_authentication == -1) 251 options->gss_authentication = 0; 252 if (options->gss_cleanup_creds == -1) 253 options->gss_cleanup_creds = 1; 254 if (options->gss_strict_acceptor == -1) 255 options->gss_strict_acceptor = 0; 256 if (options->password_authentication == -1) 257 options->password_authentication = 1; 258 if (options->kbd_interactive_authentication == -1) 259 options->kbd_interactive_authentication = 0; 260 if (options->challenge_response_authentication == -1) 261 options->challenge_response_authentication = 1; 262 if (options->permit_empty_passwd == -1) 263 options->permit_empty_passwd = 0; 264 if (options->permit_user_env == -1) 265 options->permit_user_env = 0; 266 if (options->compression == -1) 267 options->compression = COMP_DELAYED; 268 if (options->rekey_limit == -1) 269 options->rekey_limit = 0; 270 if (options->rekey_interval == -1) 271 options->rekey_interval = 0; 272 if (options->allow_tcp_forwarding == -1) 273 options->allow_tcp_forwarding = FORWARD_ALLOW; 274 if (options->allow_streamlocal_forwarding == -1) 275 options->allow_streamlocal_forwarding = FORWARD_ALLOW; 276 if (options->allow_agent_forwarding == -1) 277 options->allow_agent_forwarding = 1; 278 if (options->fwd_opts.gateway_ports == -1) 279 options->fwd_opts.gateway_ports = 0; 280 if (options->max_startups == -1) 281 options->max_startups = 100; 282 if (options->max_startups_rate == -1) 283 options->max_startups_rate = 30; /* 30% */ 284 if (options->max_startups_begin == -1) 285 options->max_startups_begin = 10; 286 if (options->max_authtries == -1) 287 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 288 if (options->max_sessions == -1) 289 options->max_sessions = DEFAULT_SESSIONS_MAX; 290 if (options->use_dns == -1) 291 options->use_dns = 0; 292 if (options->client_alive_interval == -1) 293 options->client_alive_interval = 0; 294 if (options->client_alive_count_max == -1) 295 options->client_alive_count_max = 3; 296 if (options->num_authkeys_files == 0) { 297 options->authorized_keys_files[options->num_authkeys_files++] = 298 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 299 options->authorized_keys_files[options->num_authkeys_files++] = 300 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 301 } 302 if (options->permit_tun == -1) 303 options->permit_tun = SSH_TUNMODE_NO; 304 if (options->ip_qos_interactive == -1) 305 options->ip_qos_interactive = IPTOS_LOWDELAY; 306 if (options->ip_qos_bulk == -1) 307 options->ip_qos_bulk = IPTOS_THROUGHPUT; 308 if (options->version_addendum == NULL) 309 options->version_addendum = xstrdup(""); 310 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 311 options->fwd_opts.streamlocal_bind_mask = 0177; 312 if (options->fwd_opts.streamlocal_bind_unlink == -1) 313 options->fwd_opts.streamlocal_bind_unlink = 0; 314 if (options->fingerprint_hash == -1) 315 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 316 317 assemble_algorithms(options); 318 319 /* Turn privilege separation and sandboxing on by default */ 320 if (use_privsep == -1) 321 use_privsep = PRIVSEP_ON; 322 323 #define CLEAR_ON_NONE(v) \ 324 do { \ 325 if (option_clear_or_none(v)) { \ 326 free(v); \ 327 v = NULL; \ 328 } \ 329 } while(0) 330 CLEAR_ON_NONE(options->pid_file); 331 CLEAR_ON_NONE(options->xauth_location); 332 CLEAR_ON_NONE(options->banner); 333 CLEAR_ON_NONE(options->trusted_user_ca_keys); 334 CLEAR_ON_NONE(options->revoked_keys_file); 335 CLEAR_ON_NONE(options->authorized_principals_file); 336 CLEAR_ON_NONE(options->adm_forced_command); 337 CLEAR_ON_NONE(options->chroot_directory); 338 for (i = 0; i < options->num_host_key_files; i++) 339 CLEAR_ON_NONE(options->host_key_files[i]); 340 for (i = 0; i < options->num_host_cert_files; i++) 341 CLEAR_ON_NONE(options->host_cert_files[i]); 342 #undef CLEAR_ON_NONE 343 344 /* Similar handling for AuthenticationMethods=any */ 345 if (options->num_auth_methods == 1 && 346 strcmp(options->auth_methods[0], "any") == 0) { 347 free(options->auth_methods[0]); 348 options->auth_methods[0] = NULL; 349 options->num_auth_methods = 0; 350 } 351 352 } 353 354 /* Keyword tokens. */ 355 typedef enum { 356 sBadOption, /* == unknown option */ 357 sPort, sHostKeyFile, sLoginGraceTime, 358 sPermitRootLogin, sLogFacility, sLogLevel, 359 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 360 sKerberosGetAFSToken, 361 sKerberosTgtPassing, sChallengeResponseAuthentication, 362 sPasswordAuthentication, sKbdInteractiveAuthentication, 363 sListenAddress, sAddressFamily, 364 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 365 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 366 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, 367 sPermitUserEnvironment, sAllowTcpForwarding, sCompression, 368 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 369 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, 370 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, 371 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, 372 sBanner, sUseDNS, sHostbasedAuthentication, 373 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, 374 sHostKeyAlgorithms, 375 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 376 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 377 sAcceptEnv, sPermitTunnel, 378 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 379 sUsePrivilegeSeparation, sAllowAgentForwarding, 380 sHostCertificate, 381 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 382 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, 383 sKexAlgorithms, sIPQoS, sVersionAddendum, 384 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 385 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 386 sStreamLocalBindMask, sStreamLocalBindUnlink, 387 sAllowStreamLocalForwarding, sFingerprintHash, 388 sDeprecated, sIgnore, sUnsupported 389 } ServerOpCodes; 390 391 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 392 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 393 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 394 395 /* Textual representation of the tokens. */ 396 static struct { 397 const char *name; 398 ServerOpCodes opcode; 399 u_int flags; 400 } keywords[] = { 401 { "port", sPort, SSHCFG_GLOBAL }, 402 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 403 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 404 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, 405 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 406 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL }, 407 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 408 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, 409 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 410 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 411 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 412 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 413 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, 414 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 415 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 416 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, 417 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, 418 { "rsaauthentication", sDeprecated, SSHCFG_ALL }, 419 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 420 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, 421 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 422 #ifdef KRB5 423 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 424 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 425 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 426 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 427 #else 428 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 429 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 430 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 431 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 432 #endif 433 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 434 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 435 #ifdef GSSAPI 436 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 437 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 438 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 439 #else 440 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 441 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 442 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 443 #endif 444 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 445 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 446 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 447 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 448 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 449 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 450 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 451 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 452 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 453 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 454 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 455 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 456 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 457 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 458 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 459 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 460 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 461 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 462 { "uselogin", sDeprecated, SSHCFG_GLOBAL }, 463 { "compression", sCompression, SSHCFG_GLOBAL }, 464 { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 465 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 466 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 467 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 468 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 469 { "allowusers", sAllowUsers, SSHCFG_ALL }, 470 { "denyusers", sDenyUsers, SSHCFG_ALL }, 471 { "allowgroups", sAllowGroups, SSHCFG_ALL }, 472 { "denygroups", sDenyGroups, SSHCFG_ALL }, 473 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 474 { "macs", sMacs, SSHCFG_GLOBAL }, 475 { "protocol", sIgnore, SSHCFG_GLOBAL }, 476 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 477 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 478 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 479 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 480 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 481 { "banner", sBanner, SSHCFG_ALL }, 482 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 483 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 484 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 485 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 486 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 487 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 488 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 489 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 490 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 491 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 492 { "permittty", sPermitTTY, SSHCFG_ALL }, 493 { "permituserrc", sPermitUserRC, SSHCFG_ALL }, 494 { "match", sMatch, SSHCFG_ALL }, 495 { "permitopen", sPermitOpen, SSHCFG_ALL }, 496 { "forcecommand", sForceCommand, SSHCFG_ALL }, 497 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 498 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 499 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 500 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 501 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 502 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 503 { "ipqos", sIPQoS, SSHCFG_ALL }, 504 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 505 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 506 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL }, 507 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL }, 508 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 509 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 510 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, 511 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 512 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 513 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 514 { NULL, sBadOption, 0 } 515 }; 516 517 static struct { 518 int val; 519 char *text; 520 } tunmode_desc[] = { 521 { SSH_TUNMODE_NO, "no" }, 522 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 523 { SSH_TUNMODE_ETHERNET, "ethernet" }, 524 { SSH_TUNMODE_YES, "yes" }, 525 { -1, NULL } 526 }; 527 528 /* 529 * Returns the number of the token pointed to by cp or sBadOption. 530 */ 531 532 static ServerOpCodes 533 parse_token(const char *cp, const char *filename, 534 int linenum, u_int *flags) 535 { 536 u_int i; 537 538 for (i = 0; keywords[i].name; i++) 539 if (strcasecmp(cp, keywords[i].name) == 0) { 540 *flags = keywords[i].flags; 541 return keywords[i].opcode; 542 } 543 544 error("%s: line %d: Bad configuration option: %s", 545 filename, linenum, cp); 546 return sBadOption; 547 } 548 549 char * 550 derelativise_path(const char *path) 551 { 552 char *expanded, *ret, cwd[PATH_MAX]; 553 554 if (strcasecmp(path, "none") == 0) 555 return xstrdup("none"); 556 expanded = tilde_expand_filename(path, getuid()); 557 if (*expanded == '/') 558 return expanded; 559 if (getcwd(cwd, sizeof(cwd)) == NULL) 560 fatal("%s: getcwd: %s", __func__, strerror(errno)); 561 xasprintf(&ret, "%s/%s", cwd, expanded); 562 free(expanded); 563 return ret; 564 } 565 566 static void 567 add_listen_addr(ServerOptions *options, char *addr, int port) 568 { 569 u_int i; 570 571 if (port == 0) 572 for (i = 0; i < options->num_ports; i++) 573 add_one_listen_addr(options, addr, options->ports[i]); 574 else 575 add_one_listen_addr(options, addr, port); 576 } 577 578 static void 579 add_one_listen_addr(ServerOptions *options, char *addr, int port) 580 { 581 struct addrinfo hints, *ai, *aitop; 582 char strport[NI_MAXSERV]; 583 int gaierr; 584 585 memset(&hints, 0, sizeof(hints)); 586 hints.ai_family = options->address_family; 587 hints.ai_socktype = SOCK_STREAM; 588 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 589 snprintf(strport, sizeof strport, "%d", port); 590 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 591 fatal("bad addr or host: %s (%s)", 592 addr ? addr : "<NULL>", 593 ssh_gai_strerror(gaierr)); 594 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 595 ; 596 ai->ai_next = options->listen_addrs; 597 options->listen_addrs = aitop; 598 } 599 600 /* 601 * Queue a ListenAddress to be processed once we have all of the Ports 602 * and AddressFamily options. 603 */ 604 static void 605 queue_listen_addr(ServerOptions *options, char *addr, int port) 606 { 607 options->queued_listen_addrs = xreallocarray( 608 options->queued_listen_addrs, options->num_queued_listens + 1, 609 sizeof(addr)); 610 options->queued_listen_ports = xreallocarray( 611 options->queued_listen_ports, options->num_queued_listens + 1, 612 sizeof(port)); 613 options->queued_listen_addrs[options->num_queued_listens] = 614 xstrdup(addr); 615 options->queued_listen_ports[options->num_queued_listens] = port; 616 options->num_queued_listens++; 617 } 618 619 /* 620 * Process queued (text) ListenAddress entries. 621 */ 622 static void 623 process_queued_listen_addrs(ServerOptions *options) 624 { 625 u_int i; 626 627 if (options->num_ports == 0) 628 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 629 if (options->address_family == -1) 630 options->address_family = AF_UNSPEC; 631 632 for (i = 0; i < options->num_queued_listens; i++) { 633 add_listen_addr(options, options->queued_listen_addrs[i], 634 options->queued_listen_ports[i]); 635 free(options->queued_listen_addrs[i]); 636 options->queued_listen_addrs[i] = NULL; 637 } 638 free(options->queued_listen_addrs); 639 options->queued_listen_addrs = NULL; 640 free(options->queued_listen_ports); 641 options->queued_listen_ports = NULL; 642 options->num_queued_listens = 0; 643 } 644 645 struct connection_info * 646 get_connection_info(int populate, int use_dns) 647 { 648 struct ssh *ssh = active_state; /* XXX */ 649 static struct connection_info ci; 650 651 if (!populate) 652 return &ci; 653 ci.host = auth_get_canonical_hostname(ssh, use_dns); 654 ci.address = ssh_remote_ipaddr(ssh); 655 ci.laddress = ssh_local_ipaddr(ssh); 656 ci.lport = ssh_local_port(ssh); 657 return &ci; 658 } 659 660 /* 661 * The strategy for the Match blocks is that the config file is parsed twice. 662 * 663 * The first time is at startup. activep is initialized to 1 and the 664 * directives in the global context are processed and acted on. Hitting a 665 * Match directive unsets activep and the directives inside the block are 666 * checked for syntax only. 667 * 668 * The second time is after a connection has been established but before 669 * authentication. activep is initialized to 2 and global config directives 670 * are ignored since they have already been processed. If the criteria in a 671 * Match block is met, activep is set and the subsequent directives 672 * processed and actioned until EOF or another Match block unsets it. Any 673 * options set are copied into the main server config. 674 * 675 * Potential additions/improvements: 676 * - Add Match support for pre-kex directives, eg. Ciphers. 677 * 678 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 679 * Match Address 192.168.0.* 680 * Tag trusted 681 * Match Group wheel 682 * Tag trusted 683 * Match Tag trusted 684 * AllowTcpForwarding yes 685 * GatewayPorts clientspecified 686 * [...] 687 * 688 * - Add a PermittedChannelRequests directive 689 * Match Group shell 690 * PermittedChannelRequests session,forwarded-tcpip 691 */ 692 693 static int 694 match_cfg_line_group(const char *grps, int line, const char *user) 695 { 696 int result = 0; 697 struct passwd *pw; 698 699 if (user == NULL) 700 goto out; 701 702 if ((pw = getpwnam(user)) == NULL) { 703 debug("Can't match group at line %d because user %.100s does " 704 "not exist", line, user); 705 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 706 debug("Can't Match group because user %.100s not in any group " 707 "at line %d", user, line); 708 } else if (ga_match_pattern_list(grps) != 1) { 709 debug("user %.100s does not match group list %.100s at line %d", 710 user, grps, line); 711 } else { 712 debug("user %.100s matched group list %.100s at line %d", user, 713 grps, line); 714 result = 1; 715 } 716 out: 717 ga_free(); 718 return result; 719 } 720 721 /* 722 * All of the attributes on a single Match line are ANDed together, so we need 723 * to check every attribute and set the result to zero if any attribute does 724 * not match. 725 */ 726 static int 727 match_cfg_line(char **condition, int line, struct connection_info *ci) 728 { 729 int result = 1, attributes = 0, port; 730 char *arg, *attrib, *cp = *condition; 731 732 if (ci == NULL) 733 debug3("checking syntax for 'Match %s'", cp); 734 else 735 debug3("checking match for '%s' user %s host %s addr %s " 736 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", 737 ci->host ? ci->host : "(null)", 738 ci->address ? ci->address : "(null)", 739 ci->laddress ? ci->laddress : "(null)", ci->lport); 740 741 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 742 attributes++; 743 if (strcasecmp(attrib, "all") == 0) { 744 if (attributes != 1 || 745 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { 746 error("'all' cannot be combined with other " 747 "Match attributes"); 748 return -1; 749 } 750 *condition = cp; 751 return 1; 752 } 753 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 754 error("Missing Match criteria for %s", attrib); 755 return -1; 756 } 757 if (strcasecmp(attrib, "user") == 0) { 758 if (ci == NULL || ci->user == NULL) { 759 result = 0; 760 continue; 761 } 762 if (match_pattern_list(ci->user, arg, 0) != 1) 763 result = 0; 764 else 765 debug("user %.100s matched 'User %.100s' at " 766 "line %d", ci->user, arg, line); 767 } else if (strcasecmp(attrib, "group") == 0) { 768 if (ci == NULL || ci->user == NULL) { 769 result = 0; 770 continue; 771 } 772 switch (match_cfg_line_group(arg, line, ci->user)) { 773 case -1: 774 return -1; 775 case 0: 776 result = 0; 777 } 778 } else if (strcasecmp(attrib, "host") == 0) { 779 if (ci == NULL || ci->host == NULL) { 780 result = 0; 781 continue; 782 } 783 if (match_hostname(ci->host, arg) != 1) 784 result = 0; 785 else 786 debug("connection from %.100s matched 'Host " 787 "%.100s' at line %d", ci->host, arg, line); 788 } else if (strcasecmp(attrib, "address") == 0) { 789 if (ci == NULL || ci->address == NULL) { 790 result = 0; 791 continue; 792 } 793 switch (addr_match_list(ci->address, arg)) { 794 case 1: 795 debug("connection from %.100s matched 'Address " 796 "%.100s' at line %d", ci->address, arg, line); 797 break; 798 case 0: 799 case -1: 800 result = 0; 801 break; 802 case -2: 803 return -1; 804 } 805 } else if (strcasecmp(attrib, "localaddress") == 0){ 806 if (ci == NULL || ci->laddress == NULL) { 807 result = 0; 808 continue; 809 } 810 switch (addr_match_list(ci->laddress, arg)) { 811 case 1: 812 debug("connection from %.100s matched " 813 "'LocalAddress %.100s' at line %d", 814 ci->laddress, arg, line); 815 break; 816 case 0: 817 case -1: 818 result = 0; 819 break; 820 case -2: 821 return -1; 822 } 823 } else if (strcasecmp(attrib, "localport") == 0) { 824 if ((port = a2port(arg)) == -1) { 825 error("Invalid LocalPort '%s' on Match line", 826 arg); 827 return -1; 828 } 829 if (ci == NULL || ci->lport == 0) { 830 result = 0; 831 continue; 832 } 833 /* TODO support port lists */ 834 if (port == ci->lport) 835 debug("connection from %.100s matched " 836 "'LocalPort %d' at line %d", 837 ci->laddress, port, line); 838 else 839 result = 0; 840 } else { 841 error("Unsupported Match attribute %s", attrib); 842 return -1; 843 } 844 } 845 if (attributes == 0) { 846 error("One or more attributes required for Match"); 847 return -1; 848 } 849 if (ci != NULL) 850 debug3("match %sfound", result ? "" : "not "); 851 *condition = cp; 852 return result; 853 } 854 855 #define WHITESPACE " \t\r\n" 856 857 /* Multistate option parsing */ 858 struct multistate { 859 char *key; 860 int value; 861 }; 862 static const struct multistate multistate_addressfamily[] = { 863 { "inet", AF_INET }, 864 { "inet6", AF_INET6 }, 865 { "any", AF_UNSPEC }, 866 { NULL, -1 } 867 }; 868 static const struct multistate multistate_permitrootlogin[] = { 869 { "without-password", PERMIT_NO_PASSWD }, 870 { "prohibit-password", PERMIT_NO_PASSWD }, 871 { "forced-commands-only", PERMIT_FORCED_ONLY }, 872 { "yes", PERMIT_YES }, 873 { "no", PERMIT_NO }, 874 { NULL, -1 } 875 }; 876 static const struct multistate multistate_compression[] = { 877 { "delayed", COMP_DELAYED }, 878 { "yes", COMP_ZLIB }, 879 { "no", COMP_NONE }, 880 { NULL, -1 } 881 }; 882 static const struct multistate multistate_gatewayports[] = { 883 { "clientspecified", 2 }, 884 { "yes", 1 }, 885 { "no", 0 }, 886 { NULL, -1 } 887 }; 888 static const struct multistate multistate_privsep[] = { 889 { "yes", PRIVSEP_NOSANDBOX }, 890 { "sandbox", PRIVSEP_ON }, 891 { "nosandbox", PRIVSEP_NOSANDBOX }, 892 { "no", PRIVSEP_OFF }, 893 { NULL, -1 } 894 }; 895 static const struct multistate multistate_tcpfwd[] = { 896 { "yes", FORWARD_ALLOW }, 897 { "all", FORWARD_ALLOW }, 898 { "no", FORWARD_DENY }, 899 { "remote", FORWARD_REMOTE }, 900 { "local", FORWARD_LOCAL }, 901 { NULL, -1 } 902 }; 903 904 int 905 process_server_config_line(ServerOptions *options, char *line, 906 const char *filename, int linenum, int *activep, 907 struct connection_info *connectinfo) 908 { 909 char *cp, **charptr, *arg, *p; 910 int cmdline = 0, *intptr, value, value2, n, port; 911 SyslogFacility *log_facility_ptr; 912 LogLevel *log_level_ptr; 913 ServerOpCodes opcode; 914 u_int i, flags = 0; 915 size_t len; 916 long long val64; 917 const struct multistate *multistate_ptr; 918 919 cp = line; 920 if ((arg = strdelim(&cp)) == NULL) 921 return 0; 922 /* Ignore leading whitespace */ 923 if (*arg == '\0') 924 arg = strdelim(&cp); 925 if (!arg || !*arg || *arg == '#') 926 return 0; 927 intptr = NULL; 928 charptr = NULL; 929 opcode = parse_token(arg, filename, linenum, &flags); 930 931 if (activep == NULL) { /* We are processing a command line directive */ 932 cmdline = 1; 933 activep = &cmdline; 934 } 935 if (*activep && opcode != sMatch) 936 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 937 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 938 if (connectinfo == NULL) { 939 fatal("%s line %d: Directive '%s' is not allowed " 940 "within a Match block", filename, linenum, arg); 941 } else { /* this is a directive we have already processed */ 942 while (arg) 943 arg = strdelim(&cp); 944 return 0; 945 } 946 } 947 948 switch (opcode) { 949 case sBadOption: 950 return -1; 951 case sPort: 952 /* ignore ports from configfile if cmdline specifies ports */ 953 if (options->ports_from_cmdline) 954 return 0; 955 if (options->num_ports >= MAX_PORTS) 956 fatal("%s line %d: too many ports.", 957 filename, linenum); 958 arg = strdelim(&cp); 959 if (!arg || *arg == '\0') 960 fatal("%s line %d: missing port number.", 961 filename, linenum); 962 options->ports[options->num_ports++] = a2port(arg); 963 if (options->ports[options->num_ports-1] <= 0) 964 fatal("%s line %d: Badly formatted port number.", 965 filename, linenum); 966 break; 967 968 case sLoginGraceTime: 969 intptr = &options->login_grace_time; 970 parse_time: 971 arg = strdelim(&cp); 972 if (!arg || *arg == '\0') 973 fatal("%s line %d: missing time value.", 974 filename, linenum); 975 if ((value = convtime(arg)) == -1) 976 fatal("%s line %d: invalid time value.", 977 filename, linenum); 978 if (*activep && *intptr == -1) 979 *intptr = value; 980 break; 981 982 case sListenAddress: 983 arg = strdelim(&cp); 984 if (arg == NULL || *arg == '\0') 985 fatal("%s line %d: missing address", 986 filename, linenum); 987 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 988 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 989 && strchr(p+1, ':') != NULL) { 990 queue_listen_addr(options, arg, 0); 991 break; 992 } 993 p = hpdelim(&arg); 994 if (p == NULL) 995 fatal("%s line %d: bad address:port usage", 996 filename, linenum); 997 p = cleanhostname(p); 998 if (arg == NULL) 999 port = 0; 1000 else if ((port = a2port(arg)) <= 0) 1001 fatal("%s line %d: bad port number", filename, linenum); 1002 1003 queue_listen_addr(options, p, port); 1004 1005 break; 1006 1007 case sAddressFamily: 1008 intptr = &options->address_family; 1009 multistate_ptr = multistate_addressfamily; 1010 parse_multistate: 1011 arg = strdelim(&cp); 1012 if (!arg || *arg == '\0') 1013 fatal("%s line %d: missing argument.", 1014 filename, linenum); 1015 value = -1; 1016 for (i = 0; multistate_ptr[i].key != NULL; i++) { 1017 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 1018 value = multistate_ptr[i].value; 1019 break; 1020 } 1021 } 1022 if (value == -1) 1023 fatal("%s line %d: unsupported option \"%s\".", 1024 filename, linenum, arg); 1025 if (*activep && *intptr == -1) 1026 *intptr = value; 1027 break; 1028 1029 case sHostKeyFile: 1030 intptr = &options->num_host_key_files; 1031 if (*intptr >= MAX_HOSTKEYS) 1032 fatal("%s line %d: too many host keys specified (max %d).", 1033 filename, linenum, MAX_HOSTKEYS); 1034 charptr = &options->host_key_files[*intptr]; 1035 parse_filename: 1036 arg = strdelim(&cp); 1037 if (!arg || *arg == '\0') 1038 fatal("%s line %d: missing file name.", 1039 filename, linenum); 1040 if (*activep && *charptr == NULL) { 1041 *charptr = derelativise_path(arg); 1042 /* increase optional counter */ 1043 if (intptr != NULL) 1044 *intptr = *intptr + 1; 1045 } 1046 break; 1047 1048 case sHostKeyAgent: 1049 charptr = &options->host_key_agent; 1050 arg = strdelim(&cp); 1051 if (!arg || *arg == '\0') 1052 fatal("%s line %d: missing socket name.", 1053 filename, linenum); 1054 if (*activep && *charptr == NULL) 1055 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? 1056 xstrdup(arg) : derelativise_path(arg); 1057 break; 1058 1059 case sHostCertificate: 1060 intptr = &options->num_host_cert_files; 1061 if (*intptr >= MAX_HOSTKEYS) 1062 fatal("%s line %d: too many host certificates " 1063 "specified (max %d).", filename, linenum, 1064 MAX_HOSTCERTS); 1065 charptr = &options->host_cert_files[*intptr]; 1066 goto parse_filename; 1067 break; 1068 1069 case sPidFile: 1070 charptr = &options->pid_file; 1071 goto parse_filename; 1072 1073 case sPermitRootLogin: 1074 intptr = &options->permit_root_login; 1075 multistate_ptr = multistate_permitrootlogin; 1076 goto parse_multistate; 1077 1078 case sIgnoreRhosts: 1079 intptr = &options->ignore_rhosts; 1080 parse_flag: 1081 arg = strdelim(&cp); 1082 if (!arg || *arg == '\0') 1083 fatal("%s line %d: missing yes/no argument.", 1084 filename, linenum); 1085 value = 0; /* silence compiler */ 1086 if (strcmp(arg, "yes") == 0) 1087 value = 1; 1088 else if (strcmp(arg, "no") == 0) 1089 value = 0; 1090 else 1091 fatal("%s line %d: Bad yes/no argument: %s", 1092 filename, linenum, arg); 1093 if (*activep && *intptr == -1) 1094 *intptr = value; 1095 break; 1096 1097 case sIgnoreUserKnownHosts: 1098 intptr = &options->ignore_user_known_hosts; 1099 goto parse_flag; 1100 1101 case sHostbasedAuthentication: 1102 intptr = &options->hostbased_authentication; 1103 goto parse_flag; 1104 1105 case sHostbasedUsesNameFromPacketOnly: 1106 intptr = &options->hostbased_uses_name_from_packet_only; 1107 goto parse_flag; 1108 1109 case sHostbasedAcceptedKeyTypes: 1110 charptr = &options->hostbased_key_types; 1111 parse_keytypes: 1112 arg = strdelim(&cp); 1113 if (!arg || *arg == '\0') 1114 fatal("%s line %d: Missing argument.", 1115 filename, linenum); 1116 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 1117 fatal("%s line %d: Bad key types '%s'.", 1118 filename, linenum, arg ? arg : "<NONE>"); 1119 if (*activep && *charptr == NULL) 1120 *charptr = xstrdup(arg); 1121 break; 1122 1123 case sHostKeyAlgorithms: 1124 charptr = &options->hostkeyalgorithms; 1125 goto parse_keytypes; 1126 1127 case sPubkeyAuthentication: 1128 intptr = &options->pubkey_authentication; 1129 goto parse_flag; 1130 1131 case sPubkeyAcceptedKeyTypes: 1132 charptr = &options->pubkey_key_types; 1133 goto parse_keytypes; 1134 1135 case sKerberosAuthentication: 1136 intptr = &options->kerberos_authentication; 1137 goto parse_flag; 1138 1139 case sKerberosOrLocalPasswd: 1140 intptr = &options->kerberos_or_local_passwd; 1141 goto parse_flag; 1142 1143 case sKerberosTicketCleanup: 1144 intptr = &options->kerberos_ticket_cleanup; 1145 goto parse_flag; 1146 1147 case sKerberosGetAFSToken: 1148 intptr = &options->kerberos_get_afs_token; 1149 goto parse_flag; 1150 1151 case sGssAuthentication: 1152 intptr = &options->gss_authentication; 1153 goto parse_flag; 1154 1155 case sGssCleanupCreds: 1156 intptr = &options->gss_cleanup_creds; 1157 goto parse_flag; 1158 1159 case sGssStrictAcceptor: 1160 intptr = &options->gss_strict_acceptor; 1161 goto parse_flag; 1162 1163 case sPasswordAuthentication: 1164 intptr = &options->password_authentication; 1165 goto parse_flag; 1166 1167 case sKbdInteractiveAuthentication: 1168 intptr = &options->kbd_interactive_authentication; 1169 goto parse_flag; 1170 1171 case sChallengeResponseAuthentication: 1172 intptr = &options->challenge_response_authentication; 1173 goto parse_flag; 1174 1175 case sPrintMotd: 1176 intptr = &options->print_motd; 1177 goto parse_flag; 1178 1179 case sPrintLastLog: 1180 intptr = &options->print_lastlog; 1181 goto parse_flag; 1182 1183 case sX11Forwarding: 1184 intptr = &options->x11_forwarding; 1185 goto parse_flag; 1186 1187 case sX11DisplayOffset: 1188 intptr = &options->x11_display_offset; 1189 parse_int: 1190 arg = strdelim(&cp); 1191 if (!arg || *arg == '\0') 1192 fatal("%s line %d: missing integer value.", 1193 filename, linenum); 1194 value = atoi(arg); 1195 if (*activep && *intptr == -1) 1196 *intptr = value; 1197 break; 1198 1199 case sX11UseLocalhost: 1200 intptr = &options->x11_use_localhost; 1201 goto parse_flag; 1202 1203 case sXAuthLocation: 1204 charptr = &options->xauth_location; 1205 goto parse_filename; 1206 1207 case sPermitTTY: 1208 intptr = &options->permit_tty; 1209 goto parse_flag; 1210 1211 case sPermitUserRC: 1212 intptr = &options->permit_user_rc; 1213 goto parse_flag; 1214 1215 case sStrictModes: 1216 intptr = &options->strict_modes; 1217 goto parse_flag; 1218 1219 case sTCPKeepAlive: 1220 intptr = &options->tcp_keep_alive; 1221 goto parse_flag; 1222 1223 case sEmptyPasswd: 1224 intptr = &options->permit_empty_passwd; 1225 goto parse_flag; 1226 1227 case sPermitUserEnvironment: 1228 intptr = &options->permit_user_env; 1229 goto parse_flag; 1230 1231 case sCompression: 1232 intptr = &options->compression; 1233 multistate_ptr = multistate_compression; 1234 goto parse_multistate; 1235 1236 case sRekeyLimit: 1237 arg = strdelim(&cp); 1238 if (!arg || *arg == '\0') 1239 fatal("%.200s line %d: Missing argument.", filename, 1240 linenum); 1241 if (strcmp(arg, "default") == 0) { 1242 val64 = 0; 1243 } else { 1244 if (scan_scaled(arg, &val64) == -1) 1245 fatal("%.200s line %d: Bad number '%s': %s", 1246 filename, linenum, arg, strerror(errno)); 1247 if (val64 != 0 && val64 < 16) 1248 fatal("%.200s line %d: RekeyLimit too small", 1249 filename, linenum); 1250 } 1251 if (*activep && options->rekey_limit == -1) 1252 options->rekey_limit = val64; 1253 if (cp != NULL) { /* optional rekey interval present */ 1254 if (strcmp(cp, "none") == 0) { 1255 (void)strdelim(&cp); /* discard */ 1256 break; 1257 } 1258 intptr = &options->rekey_interval; 1259 goto parse_time; 1260 } 1261 break; 1262 1263 case sGatewayPorts: 1264 intptr = &options->fwd_opts.gateway_ports; 1265 multistate_ptr = multistate_gatewayports; 1266 goto parse_multistate; 1267 1268 case sUseDNS: 1269 intptr = &options->use_dns; 1270 goto parse_flag; 1271 1272 case sLogFacility: 1273 log_facility_ptr = &options->log_facility; 1274 arg = strdelim(&cp); 1275 value = log_facility_number(arg); 1276 if (value == SYSLOG_FACILITY_NOT_SET) 1277 fatal("%.200s line %d: unsupported log facility '%s'", 1278 filename, linenum, arg ? arg : "<NONE>"); 1279 if (*log_facility_ptr == -1) 1280 *log_facility_ptr = (SyslogFacility) value; 1281 break; 1282 1283 case sLogLevel: 1284 log_level_ptr = &options->log_level; 1285 arg = strdelim(&cp); 1286 value = log_level_number(arg); 1287 if (value == SYSLOG_LEVEL_NOT_SET) 1288 fatal("%.200s line %d: unsupported log level '%s'", 1289 filename, linenum, arg ? arg : "<NONE>"); 1290 if (*log_level_ptr == -1) 1291 *log_level_ptr = (LogLevel) value; 1292 break; 1293 1294 case sAllowTcpForwarding: 1295 intptr = &options->allow_tcp_forwarding; 1296 multistate_ptr = multistate_tcpfwd; 1297 goto parse_multistate; 1298 1299 case sAllowStreamLocalForwarding: 1300 intptr = &options->allow_streamlocal_forwarding; 1301 multistate_ptr = multistate_tcpfwd; 1302 goto parse_multistate; 1303 1304 case sAllowAgentForwarding: 1305 intptr = &options->allow_agent_forwarding; 1306 goto parse_flag; 1307 1308 case sUsePrivilegeSeparation: 1309 intptr = &use_privsep; 1310 multistate_ptr = multistate_privsep; 1311 goto parse_multistate; 1312 1313 case sAllowUsers: 1314 while ((arg = strdelim(&cp)) && *arg != '\0') { 1315 if (options->num_allow_users >= MAX_ALLOW_USERS) 1316 fatal("%s line %d: too many allow users.", 1317 filename, linenum); 1318 if (!*activep) 1319 continue; 1320 options->allow_users[options->num_allow_users++] = 1321 xstrdup(arg); 1322 } 1323 break; 1324 1325 case sDenyUsers: 1326 while ((arg = strdelim(&cp)) && *arg != '\0') { 1327 if (options->num_deny_users >= MAX_DENY_USERS) 1328 fatal("%s line %d: too many deny users.", 1329 filename, linenum); 1330 if (!*activep) 1331 continue; 1332 options->deny_users[options->num_deny_users++] = 1333 xstrdup(arg); 1334 } 1335 break; 1336 1337 case sAllowGroups: 1338 while ((arg = strdelim(&cp)) && *arg != '\0') { 1339 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1340 fatal("%s line %d: too many allow groups.", 1341 filename, linenum); 1342 if (!*activep) 1343 continue; 1344 options->allow_groups[options->num_allow_groups++] = 1345 xstrdup(arg); 1346 } 1347 break; 1348 1349 case sDenyGroups: 1350 while ((arg = strdelim(&cp)) && *arg != '\0') { 1351 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1352 fatal("%s line %d: too many deny groups.", 1353 filename, linenum); 1354 if (!*activep) 1355 continue; 1356 options->deny_groups[options->num_deny_groups++] = 1357 xstrdup(arg); 1358 } 1359 break; 1360 1361 case sCiphers: 1362 arg = strdelim(&cp); 1363 if (!arg || *arg == '\0') 1364 fatal("%s line %d: Missing argument.", filename, linenum); 1365 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) 1366 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1367 filename, linenum, arg ? arg : "<NONE>"); 1368 if (options->ciphers == NULL) 1369 options->ciphers = xstrdup(arg); 1370 break; 1371 1372 case sMacs: 1373 arg = strdelim(&cp); 1374 if (!arg || *arg == '\0') 1375 fatal("%s line %d: Missing argument.", filename, linenum); 1376 if (!mac_valid(*arg == '+' ? arg + 1 : arg)) 1377 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1378 filename, linenum, arg ? arg : "<NONE>"); 1379 if (options->macs == NULL) 1380 options->macs = xstrdup(arg); 1381 break; 1382 1383 case sKexAlgorithms: 1384 arg = strdelim(&cp); 1385 if (!arg || *arg == '\0') 1386 fatal("%s line %d: Missing argument.", 1387 filename, linenum); 1388 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) 1389 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1390 filename, linenum, arg ? arg : "<NONE>"); 1391 if (options->kex_algorithms == NULL) 1392 options->kex_algorithms = xstrdup(arg); 1393 break; 1394 1395 case sSubsystem: 1396 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1397 fatal("%s line %d: too many subsystems defined.", 1398 filename, linenum); 1399 } 1400 arg = strdelim(&cp); 1401 if (!arg || *arg == '\0') 1402 fatal("%s line %d: Missing subsystem name.", 1403 filename, linenum); 1404 if (!*activep) { 1405 arg = strdelim(&cp); 1406 break; 1407 } 1408 for (i = 0; i < options->num_subsystems; i++) 1409 if (strcmp(arg, options->subsystem_name[i]) == 0) 1410 fatal("%s line %d: Subsystem '%s' already defined.", 1411 filename, linenum, arg); 1412 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1413 arg = strdelim(&cp); 1414 if (!arg || *arg == '\0') 1415 fatal("%s line %d: Missing subsystem command.", 1416 filename, linenum); 1417 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1418 1419 /* Collect arguments (separate to executable) */ 1420 p = xstrdup(arg); 1421 len = strlen(p) + 1; 1422 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1423 len += 1 + strlen(arg); 1424 p = xreallocarray(p, 1, len); 1425 strlcat(p, " ", len); 1426 strlcat(p, arg, len); 1427 } 1428 options->subsystem_args[options->num_subsystems] = p; 1429 options->num_subsystems++; 1430 break; 1431 1432 case sMaxStartups: 1433 arg = strdelim(&cp); 1434 if (!arg || *arg == '\0') 1435 fatal("%s line %d: Missing MaxStartups spec.", 1436 filename, linenum); 1437 if ((n = sscanf(arg, "%d:%d:%d", 1438 &options->max_startups_begin, 1439 &options->max_startups_rate, 1440 &options->max_startups)) == 3) { 1441 if (options->max_startups_begin > 1442 options->max_startups || 1443 options->max_startups_rate > 100 || 1444 options->max_startups_rate < 1) 1445 fatal("%s line %d: Illegal MaxStartups spec.", 1446 filename, linenum); 1447 } else if (n != 1) 1448 fatal("%s line %d: Illegal MaxStartups spec.", 1449 filename, linenum); 1450 else 1451 options->max_startups = options->max_startups_begin; 1452 break; 1453 1454 case sMaxAuthTries: 1455 intptr = &options->max_authtries; 1456 goto parse_int; 1457 1458 case sMaxSessions: 1459 intptr = &options->max_sessions; 1460 goto parse_int; 1461 1462 case sBanner: 1463 charptr = &options->banner; 1464 goto parse_filename; 1465 1466 /* 1467 * These options can contain %X options expanded at 1468 * connect time, so that you can specify paths like: 1469 * 1470 * AuthorizedKeysFile /etc/ssh_keys/%u 1471 */ 1472 case sAuthorizedKeysFile: 1473 if (*activep && options->num_authkeys_files == 0) { 1474 while ((arg = strdelim(&cp)) && *arg != '\0') { 1475 if (options->num_authkeys_files >= 1476 MAX_AUTHKEYS_FILES) 1477 fatal("%s line %d: " 1478 "too many authorized keys files.", 1479 filename, linenum); 1480 options->authorized_keys_files[ 1481 options->num_authkeys_files++] = 1482 tilde_expand_filename(arg, getuid()); 1483 } 1484 } 1485 return 0; 1486 1487 case sAuthorizedPrincipalsFile: 1488 charptr = &options->authorized_principals_file; 1489 arg = strdelim(&cp); 1490 if (!arg || *arg == '\0') 1491 fatal("%s line %d: missing file name.", 1492 filename, linenum); 1493 if (*activep && *charptr == NULL) { 1494 *charptr = tilde_expand_filename(arg, getuid()); 1495 /* increase optional counter */ 1496 if (intptr != NULL) 1497 *intptr = *intptr + 1; 1498 } 1499 break; 1500 1501 case sClientAliveInterval: 1502 intptr = &options->client_alive_interval; 1503 goto parse_time; 1504 1505 case sClientAliveCountMax: 1506 intptr = &options->client_alive_count_max; 1507 goto parse_int; 1508 1509 case sAcceptEnv: 1510 while ((arg = strdelim(&cp)) && *arg != '\0') { 1511 if (strchr(arg, '=') != NULL) 1512 fatal("%s line %d: Invalid environment name.", 1513 filename, linenum); 1514 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1515 fatal("%s line %d: too many allow env.", 1516 filename, linenum); 1517 if (!*activep) 1518 continue; 1519 options->accept_env[options->num_accept_env++] = 1520 xstrdup(arg); 1521 } 1522 break; 1523 1524 case sPermitTunnel: 1525 intptr = &options->permit_tun; 1526 arg = strdelim(&cp); 1527 if (!arg || *arg == '\0') 1528 fatal("%s line %d: Missing yes/point-to-point/" 1529 "ethernet/no argument.", filename, linenum); 1530 value = -1; 1531 for (i = 0; tunmode_desc[i].val != -1; i++) 1532 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1533 value = tunmode_desc[i].val; 1534 break; 1535 } 1536 if (value == -1) 1537 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1538 "no argument: %s", filename, linenum, arg); 1539 if (*activep && *intptr == -1) 1540 *intptr = value; 1541 break; 1542 1543 case sMatch: 1544 if (cmdline) 1545 fatal("Match directive not supported as a command-line " 1546 "option"); 1547 value = match_cfg_line(&cp, linenum, connectinfo); 1548 if (value < 0) 1549 fatal("%s line %d: Bad Match condition", filename, 1550 linenum); 1551 *activep = value; 1552 break; 1553 1554 case sPermitOpen: 1555 arg = strdelim(&cp); 1556 if (!arg || *arg == '\0') 1557 fatal("%s line %d: missing PermitOpen specification", 1558 filename, linenum); 1559 n = options->num_permitted_opens; /* modified later */ 1560 if (strcmp(arg, "any") == 0) { 1561 if (*activep && n == -1) { 1562 channel_clear_adm_permitted_opens(); 1563 options->num_permitted_opens = 0; 1564 } 1565 break; 1566 } 1567 if (strcmp(arg, "none") == 0) { 1568 if (*activep && n == -1) { 1569 options->num_permitted_opens = 1; 1570 channel_disable_adm_local_opens(); 1571 } 1572 break; 1573 } 1574 if (*activep && n == -1) 1575 channel_clear_adm_permitted_opens(); 1576 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1577 p = hpdelim(&arg); 1578 if (p == NULL) 1579 fatal("%s line %d: missing host in PermitOpen", 1580 filename, linenum); 1581 p = cleanhostname(p); 1582 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1583 fatal("%s line %d: bad port number in " 1584 "PermitOpen", filename, linenum); 1585 if (*activep && n == -1) 1586 options->num_permitted_opens = 1587 channel_add_adm_permitted_opens(p, port); 1588 } 1589 break; 1590 1591 case sForceCommand: 1592 if (cp == NULL || *cp == '\0') 1593 fatal("%.200s line %d: Missing argument.", filename, 1594 linenum); 1595 len = strspn(cp, WHITESPACE); 1596 if (*activep && options->adm_forced_command == NULL) 1597 options->adm_forced_command = xstrdup(cp + len); 1598 return 0; 1599 1600 case sChrootDirectory: 1601 charptr = &options->chroot_directory; 1602 1603 arg = strdelim(&cp); 1604 if (!arg || *arg == '\0') 1605 fatal("%s line %d: missing file name.", 1606 filename, linenum); 1607 if (*activep && *charptr == NULL) 1608 *charptr = xstrdup(arg); 1609 break; 1610 1611 case sTrustedUserCAKeys: 1612 charptr = &options->trusted_user_ca_keys; 1613 goto parse_filename; 1614 1615 case sRevokedKeys: 1616 charptr = &options->revoked_keys_file; 1617 goto parse_filename; 1618 1619 case sIPQoS: 1620 arg = strdelim(&cp); 1621 if ((value = parse_ipqos(arg)) == -1) 1622 fatal("%s line %d: Bad IPQoS value: %s", 1623 filename, linenum, arg); 1624 arg = strdelim(&cp); 1625 if (arg == NULL) 1626 value2 = value; 1627 else if ((value2 = parse_ipqos(arg)) == -1) 1628 fatal("%s line %d: Bad IPQoS value: %s", 1629 filename, linenum, arg); 1630 if (*activep) { 1631 options->ip_qos_interactive = value; 1632 options->ip_qos_bulk = value2; 1633 } 1634 break; 1635 1636 case sVersionAddendum: 1637 if (cp == NULL || *cp == '\0') 1638 fatal("%.200s line %d: Missing argument.", filename, 1639 linenum); 1640 len = strspn(cp, WHITESPACE); 1641 if (*activep && options->version_addendum == NULL) { 1642 if (strcasecmp(cp + len, "none") == 0) 1643 options->version_addendum = xstrdup(""); 1644 else if (strchr(cp + len, '\r') != NULL) 1645 fatal("%.200s line %d: Invalid argument", 1646 filename, linenum); 1647 else 1648 options->version_addendum = xstrdup(cp + len); 1649 } 1650 return 0; 1651 1652 case sAuthorizedKeysCommand: 1653 if (cp == NULL) 1654 fatal("%.200s line %d: Missing argument.", filename, 1655 linenum); 1656 len = strspn(cp, WHITESPACE); 1657 if (*activep && options->authorized_keys_command == NULL) { 1658 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1659 fatal("%.200s line %d: AuthorizedKeysCommand " 1660 "must be an absolute path", 1661 filename, linenum); 1662 options->authorized_keys_command = xstrdup(cp + len); 1663 } 1664 return 0; 1665 1666 case sAuthorizedKeysCommandUser: 1667 charptr = &options->authorized_keys_command_user; 1668 1669 arg = strdelim(&cp); 1670 if (!arg || *arg == '\0') 1671 fatal("%s line %d: missing AuthorizedKeysCommandUser " 1672 "argument.", filename, linenum); 1673 if (*activep && *charptr == NULL) 1674 *charptr = xstrdup(arg); 1675 break; 1676 1677 case sAuthorizedPrincipalsCommand: 1678 if (cp == NULL) 1679 fatal("%.200s line %d: Missing argument.", filename, 1680 linenum); 1681 len = strspn(cp, WHITESPACE); 1682 if (*activep && 1683 options->authorized_principals_command == NULL) { 1684 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1685 fatal("%.200s line %d: " 1686 "AuthorizedPrincipalsCommand must be " 1687 "an absolute path", filename, linenum); 1688 options->authorized_principals_command = 1689 xstrdup(cp + len); 1690 } 1691 return 0; 1692 1693 case sAuthorizedPrincipalsCommandUser: 1694 charptr = &options->authorized_principals_command_user; 1695 1696 arg = strdelim(&cp); 1697 if (!arg || *arg == '\0') 1698 fatal("%s line %d: missing " 1699 "AuthorizedPrincipalsCommandUser argument.", 1700 filename, linenum); 1701 if (*activep && *charptr == NULL) 1702 *charptr = xstrdup(arg); 1703 break; 1704 1705 case sAuthenticationMethods: 1706 if (options->num_auth_methods == 0) { 1707 value = 0; /* seen "any" pseudo-method */ 1708 value2 = 0; /* sucessfully parsed any method */ 1709 while ((arg = strdelim(&cp)) && *arg != '\0') { 1710 if (options->num_auth_methods >= 1711 MAX_AUTH_METHODS) 1712 fatal("%s line %d: " 1713 "too many authentication methods.", 1714 filename, linenum); 1715 if (strcmp(arg, "any") == 0) { 1716 if (options->num_auth_methods > 0) { 1717 fatal("%s line %d: \"any\" " 1718 "must appear alone in " 1719 "AuthenticationMethods", 1720 filename, linenum); 1721 } 1722 value = 1; 1723 } else if (value) { 1724 fatal("%s line %d: \"any\" must appear " 1725 "alone in AuthenticationMethods", 1726 filename, linenum); 1727 } else if (auth2_methods_valid(arg, 0) != 0) { 1728 fatal("%s line %d: invalid " 1729 "authentication method list.", 1730 filename, linenum); 1731 } 1732 value2 = 1; 1733 if (!*activep) 1734 continue; 1735 options->auth_methods[ 1736 options->num_auth_methods++] = xstrdup(arg); 1737 } 1738 if (value2 == 0) { 1739 fatal("%s line %d: no AuthenticationMethods " 1740 "specified", filename, linenum); 1741 } 1742 } 1743 return 0; 1744 1745 case sStreamLocalBindMask: 1746 arg = strdelim(&cp); 1747 if (!arg || *arg == '\0') 1748 fatal("%s line %d: missing StreamLocalBindMask " 1749 "argument.", filename, linenum); 1750 /* Parse mode in octal format */ 1751 value = strtol(arg, &p, 8); 1752 if (arg == p || value < 0 || value > 0777) 1753 fatal("%s line %d: Bad mask.", filename, linenum); 1754 if (*activep) 1755 options->fwd_opts.streamlocal_bind_mask = (mode_t)value; 1756 break; 1757 1758 case sStreamLocalBindUnlink: 1759 intptr = &options->fwd_opts.streamlocal_bind_unlink; 1760 goto parse_flag; 1761 1762 case sFingerprintHash: 1763 arg = strdelim(&cp); 1764 if (!arg || *arg == '\0') 1765 fatal("%.200s line %d: Missing argument.", 1766 filename, linenum); 1767 if ((value = ssh_digest_alg_by_name(arg)) == -1) 1768 fatal("%.200s line %d: Invalid hash algorithm \"%s\".", 1769 filename, linenum, arg); 1770 if (*activep) 1771 options->fingerprint_hash = value; 1772 break; 1773 1774 case sDeprecated: 1775 case sIgnore: 1776 case sUnsupported: 1777 do_log2(opcode == sIgnore ? 1778 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO, 1779 "%s line %d: %s option %s", filename, linenum, 1780 opcode == sUnsupported ? "Unsupported" : "Deprecated", arg); 1781 while (arg) 1782 arg = strdelim(&cp); 1783 break; 1784 1785 default: 1786 fatal("%s line %d: Missing handler for opcode %s (%d)", 1787 filename, linenum, arg, opcode); 1788 } 1789 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1790 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1791 filename, linenum, arg); 1792 return 0; 1793 } 1794 1795 /* Reads the server configuration file. */ 1796 1797 void 1798 load_server_config(const char *filename, Buffer *conf) 1799 { 1800 char line[4096], *cp; 1801 FILE *f; 1802 int lineno = 0; 1803 1804 debug2("%s: filename %s", __func__, filename); 1805 if ((f = fopen(filename, "r")) == NULL) { 1806 perror(filename); 1807 exit(1); 1808 } 1809 buffer_clear(conf); 1810 while (fgets(line, sizeof(line), f)) { 1811 lineno++; 1812 if (strlen(line) == sizeof(line) - 1) 1813 fatal("%s line %d too long", filename, lineno); 1814 /* 1815 * Trim out comments and strip whitespace 1816 * NB - preserve newlines, they are needed to reproduce 1817 * line numbers later for error messages 1818 */ 1819 if ((cp = strchr(line, '#')) != NULL) 1820 memcpy(cp, "\n", 2); 1821 cp = line + strspn(line, " \t\r"); 1822 1823 buffer_append(conf, cp, strlen(cp)); 1824 } 1825 buffer_append(conf, "\0", 1); 1826 fclose(f); 1827 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1828 } 1829 1830 void 1831 parse_server_match_config(ServerOptions *options, 1832 struct connection_info *connectinfo) 1833 { 1834 ServerOptions mo; 1835 1836 initialize_server_options(&mo); 1837 parse_server_config(&mo, "reprocess config", &cfg, connectinfo); 1838 copy_set_server_options(options, &mo, 0); 1839 } 1840 1841 int parse_server_match_testspec(struct connection_info *ci, char *spec) 1842 { 1843 char *p; 1844 1845 while ((p = strsep(&spec, ",")) && *p != '\0') { 1846 if (strncmp(p, "addr=", 5) == 0) { 1847 ci->address = xstrdup(p + 5); 1848 } else if (strncmp(p, "host=", 5) == 0) { 1849 ci->host = xstrdup(p + 5); 1850 } else if (strncmp(p, "user=", 5) == 0) { 1851 ci->user = xstrdup(p + 5); 1852 } else if (strncmp(p, "laddr=", 6) == 0) { 1853 ci->laddress = xstrdup(p + 6); 1854 } else if (strncmp(p, "lport=", 6) == 0) { 1855 ci->lport = a2port(p + 6); 1856 if (ci->lport == -1) { 1857 fprintf(stderr, "Invalid port '%s' in test mode" 1858 " specification %s\n", p+6, p); 1859 return -1; 1860 } 1861 } else { 1862 fprintf(stderr, "Invalid test mode specification %s\n", 1863 p); 1864 return -1; 1865 } 1866 } 1867 return 0; 1868 } 1869 1870 /* 1871 * returns 1 for a complete spec, 0 for partial spec and -1 for an 1872 * empty spec. 1873 */ 1874 int server_match_spec_complete(struct connection_info *ci) 1875 { 1876 if (ci->user && ci->host && ci->address) 1877 return 1; /* complete */ 1878 if (!ci->user && !ci->host && !ci->address) 1879 return -1; /* empty */ 1880 return 0; /* partial */ 1881 } 1882 1883 /* 1884 * Copy any supported values that are set. 1885 * 1886 * If the preauth flag is set, we do not bother copying the string or 1887 * array values that are not used pre-authentication, because any that we 1888 * do use must be explictly sent in mm_getpwnamallow(). 1889 */ 1890 void 1891 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1892 { 1893 #define M_CP_INTOPT(n) do {\ 1894 if (src->n != -1) \ 1895 dst->n = src->n; \ 1896 } while (0) 1897 1898 M_CP_INTOPT(password_authentication); 1899 M_CP_INTOPT(gss_authentication); 1900 M_CP_INTOPT(pubkey_authentication); 1901 M_CP_INTOPT(kerberos_authentication); 1902 M_CP_INTOPT(hostbased_authentication); 1903 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1904 M_CP_INTOPT(kbd_interactive_authentication); 1905 M_CP_INTOPT(permit_root_login); 1906 M_CP_INTOPT(permit_empty_passwd); 1907 1908 M_CP_INTOPT(allow_tcp_forwarding); 1909 M_CP_INTOPT(allow_streamlocal_forwarding); 1910 M_CP_INTOPT(allow_agent_forwarding); 1911 M_CP_INTOPT(permit_tun); 1912 M_CP_INTOPT(fwd_opts.gateway_ports); 1913 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); 1914 M_CP_INTOPT(x11_display_offset); 1915 M_CP_INTOPT(x11_forwarding); 1916 M_CP_INTOPT(x11_use_localhost); 1917 M_CP_INTOPT(permit_tty); 1918 M_CP_INTOPT(permit_user_rc); 1919 M_CP_INTOPT(max_sessions); 1920 M_CP_INTOPT(max_authtries); 1921 M_CP_INTOPT(ip_qos_interactive); 1922 M_CP_INTOPT(ip_qos_bulk); 1923 M_CP_INTOPT(rekey_limit); 1924 M_CP_INTOPT(rekey_interval); 1925 1926 /* 1927 * The bind_mask is a mode_t that may be unsigned, so we can't use 1928 * M_CP_INTOPT - it does a signed comparison that causes compiler 1929 * warnings. 1930 */ 1931 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) { 1932 dst->fwd_opts.streamlocal_bind_mask = 1933 src->fwd_opts.streamlocal_bind_mask; 1934 } 1935 1936 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ 1937 #define M_CP_STROPT(n) do {\ 1938 if (src->n != NULL && dst->n != src->n) { \ 1939 free(dst->n); \ 1940 dst->n = src->n; \ 1941 } \ 1942 } while(0) 1943 #define M_CP_STRARRAYOPT(n, num_n) do {\ 1944 if (src->num_n != 0) { \ 1945 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 1946 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 1947 } \ 1948 } while(0) 1949 1950 /* See comment in servconf.h */ 1951 COPY_MATCH_STRING_OPTS(); 1952 1953 /* Arguments that accept '+...' need to be expanded */ 1954 assemble_algorithms(dst); 1955 1956 /* 1957 * The only things that should be below this point are string options 1958 * which are only used after authentication. 1959 */ 1960 if (preauth) 1961 return; 1962 1963 /* These options may be "none" to clear a global setting */ 1964 M_CP_STROPT(adm_forced_command); 1965 if (option_clear_or_none(dst->adm_forced_command)) { 1966 free(dst->adm_forced_command); 1967 dst->adm_forced_command = NULL; 1968 } 1969 M_CP_STROPT(chroot_directory); 1970 if (option_clear_or_none(dst->chroot_directory)) { 1971 free(dst->chroot_directory); 1972 dst->chroot_directory = NULL; 1973 } 1974 } 1975 1976 #undef M_CP_INTOPT 1977 #undef M_CP_STROPT 1978 #undef M_CP_STRARRAYOPT 1979 1980 void 1981 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1982 struct connection_info *connectinfo) 1983 { 1984 int active, linenum, bad_options = 0; 1985 char *cp, *obuf, *cbuf; 1986 1987 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1988 1989 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) 1990 fatal("%s: sshbuf_dup_string failed", __func__); 1991 active = connectinfo ? 0 : 1; 1992 linenum = 1; 1993 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1994 if (process_server_config_line(options, cp, filename, 1995 linenum++, &active, connectinfo) != 0) 1996 bad_options++; 1997 } 1998 free(obuf); 1999 if (bad_options > 0) 2000 fatal("%s: terminating, %d bad configuration options", 2001 filename, bad_options); 2002 process_queued_listen_addrs(options); 2003 } 2004 2005 static const char * 2006 fmt_multistate_int(int val, const struct multistate *m) 2007 { 2008 u_int i; 2009 2010 for (i = 0; m[i].key != NULL; i++) { 2011 if (m[i].value == val) 2012 return m[i].key; 2013 } 2014 return "UNKNOWN"; 2015 } 2016 2017 static const char * 2018 fmt_intarg(ServerOpCodes code, int val) 2019 { 2020 if (val == -1) 2021 return "unset"; 2022 switch (code) { 2023 case sAddressFamily: 2024 return fmt_multistate_int(val, multistate_addressfamily); 2025 case sPermitRootLogin: 2026 return fmt_multistate_int(val, multistate_permitrootlogin); 2027 case sGatewayPorts: 2028 return fmt_multistate_int(val, multistate_gatewayports); 2029 case sCompression: 2030 return fmt_multistate_int(val, multistate_compression); 2031 case sUsePrivilegeSeparation: 2032 return fmt_multistate_int(val, multistate_privsep); 2033 case sAllowTcpForwarding: 2034 return fmt_multistate_int(val, multistate_tcpfwd); 2035 case sAllowStreamLocalForwarding: 2036 return fmt_multistate_int(val, multistate_tcpfwd); 2037 case sFingerprintHash: 2038 return ssh_digest_alg_name(val); 2039 default: 2040 switch (val) { 2041 case 0: 2042 return "no"; 2043 case 1: 2044 return "yes"; 2045 default: 2046 return "UNKNOWN"; 2047 } 2048 } 2049 } 2050 2051 static const char * 2052 lookup_opcode_name(ServerOpCodes code) 2053 { 2054 u_int i; 2055 2056 for (i = 0; keywords[i].name != NULL; i++) 2057 if (keywords[i].opcode == code) 2058 return(keywords[i].name); 2059 return "UNKNOWN"; 2060 } 2061 2062 static void 2063 dump_cfg_int(ServerOpCodes code, int val) 2064 { 2065 printf("%s %d\n", lookup_opcode_name(code), val); 2066 } 2067 2068 static void 2069 dump_cfg_oct(ServerOpCodes code, int val) 2070 { 2071 printf("%s 0%o\n", lookup_opcode_name(code), val); 2072 } 2073 2074 static void 2075 dump_cfg_fmtint(ServerOpCodes code, int val) 2076 { 2077 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 2078 } 2079 2080 static void 2081 dump_cfg_string(ServerOpCodes code, const char *val) 2082 { 2083 if (val == NULL) 2084 return; 2085 printf("%s %s\n", lookup_opcode_name(code), 2086 val == NULL ? "none" : val); 2087 } 2088 2089 static void 2090 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 2091 { 2092 u_int i; 2093 2094 for (i = 0; i < count; i++) 2095 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 2096 } 2097 2098 static void 2099 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 2100 { 2101 u_int i; 2102 2103 if (count <= 0 && code != sAuthenticationMethods) 2104 return; 2105 printf("%s", lookup_opcode_name(code)); 2106 for (i = 0; i < count; i++) 2107 printf(" %s", vals[i]); 2108 if (code == sAuthenticationMethods && count == 0) 2109 printf(" any"); 2110 printf("\n"); 2111 } 2112 2113 void 2114 dump_config(ServerOptions *o) 2115 { 2116 u_int i; 2117 int ret; 2118 struct addrinfo *ai; 2119 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 2120 char *laddr1 = xstrdup(""), *laddr2 = NULL; 2121 2122 /* these are usually at the top of the config */ 2123 for (i = 0; i < o->num_ports; i++) 2124 printf("port %d\n", o->ports[i]); 2125 dump_cfg_fmtint(sAddressFamily, o->address_family); 2126 2127 /* 2128 * ListenAddress must be after Port. add_one_listen_addr pushes 2129 * addresses onto a stack, so to maintain ordering we need to 2130 * print these in reverse order. 2131 */ 2132 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 2133 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 2134 sizeof(addr), port, sizeof(port), 2135 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 2136 error("getnameinfo failed: %.100s", 2137 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 2138 strerror(errno)); 2139 } else { 2140 laddr2 = laddr1; 2141 if (ai->ai_family == AF_INET6) 2142 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s", 2143 addr, port, laddr2); 2144 else 2145 xasprintf(&laddr1, "listenaddress %s:%s\n%s", 2146 addr, port, laddr2); 2147 free(laddr2); 2148 } 2149 } 2150 printf("%s", laddr1); 2151 free(laddr1); 2152 2153 /* integer arguments */ 2154 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 2155 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 2156 dump_cfg_int(sMaxAuthTries, o->max_authtries); 2157 dump_cfg_int(sMaxSessions, o->max_sessions); 2158 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 2159 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 2160 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); 2161 2162 /* formatted integer arguments */ 2163 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 2164 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 2165 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 2166 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 2167 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 2168 o->hostbased_uses_name_from_packet_only); 2169 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 2170 #ifdef KRB5 2171 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 2172 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 2173 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 2174 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 2175 #endif 2176 #ifdef GSSAPI 2177 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2178 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 2179 #endif 2180 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2181 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2182 o->kbd_interactive_authentication); 2183 dump_cfg_fmtint(sChallengeResponseAuthentication, 2184 o->challenge_response_authentication); 2185 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2186 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2187 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2188 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2189 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2190 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); 2191 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2192 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2193 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2194 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2195 dump_cfg_fmtint(sCompression, o->compression); 2196 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 2197 dump_cfg_fmtint(sUseDNS, o->use_dns); 2198 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 2199 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); 2200 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); 2201 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); 2202 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 2203 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); 2204 2205 /* string arguments */ 2206 dump_cfg_string(sPidFile, o->pid_file); 2207 dump_cfg_string(sXAuthLocation, o->xauth_location); 2208 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); 2209 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); 2210 dump_cfg_string(sBanner, o->banner); 2211 dump_cfg_string(sForceCommand, o->adm_forced_command); 2212 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2213 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 2214 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 2215 dump_cfg_string(sAuthorizedPrincipalsFile, 2216 o->authorized_principals_file); 2217 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' 2218 ? "none" : o->version_addendum); 2219 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2220 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2221 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); 2222 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); 2223 dump_cfg_string(sHostKeyAgent, o->host_key_agent); 2224 dump_cfg_string(sKexAlgorithms, 2225 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); 2226 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? 2227 o->hostbased_key_types : KEX_DEFAULT_PK_ALG); 2228 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? 2229 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); 2230 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? 2231 o->pubkey_key_types : KEX_DEFAULT_PK_ALG); 2232 2233 /* string arguments requiring a lookup */ 2234 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2235 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 2236 2237 /* string array arguments */ 2238 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 2239 o->authorized_keys_files); 2240 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 2241 o->host_key_files); 2242 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, 2243 o->host_cert_files); 2244 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 2245 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 2246 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2247 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2248 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2249 dump_cfg_strarray_oneline(sAuthenticationMethods, 2250 o->num_auth_methods, o->auth_methods); 2251 2252 /* other arguments */ 2253 for (i = 0; i < o->num_subsystems; i++) 2254 printf("subsystem %s %s\n", o->subsystem_name[i], 2255 o->subsystem_args[i]); 2256 2257 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 2258 o->max_startups_rate, o->max_startups); 2259 2260 for (i = 0; tunmode_desc[i].val != -1; i++) 2261 if (tunmode_desc[i].val == o->permit_tun) { 2262 s = tunmode_desc[i].text; 2263 break; 2264 } 2265 dump_cfg_string(sPermitTunnel, s); 2266 2267 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2268 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2269 2270 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, 2271 o->rekey_interval); 2272 2273 channel_print_adm_permitted_opens(); 2274 } 2275