1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 12 #include "includes.h" 13 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 14 RCSID("$FreeBSD: src/crypto/openssh/servconf.c,v 1.3.2.15 2003/02/03 17:31:07 des Exp $"); 15 RCSID("$DragonFly: src/crypto/openssh/Attic/servconf.c,v 1.2 2003/06/17 04:24:36 dillon Exp $"); 16 17 #if defined(KRB4) 18 #include <krb.h> 19 #endif 20 #if defined(KRB5) 21 #ifdef HEIMDAL 22 #include <krb5.h> 23 #else 24 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 25 * keytab */ 26 #define KEYFILE "/etc/krb5.keytab" 27 #endif 28 #endif 29 #ifdef AFS 30 #include <kafs.h> 31 #endif 32 33 #include "ssh.h" 34 #include "log.h" 35 #include "servconf.h" 36 #include "xmalloc.h" 37 #include "compat.h" 38 #include "pathnames.h" 39 #include "tildexpand.h" 40 #include "misc.h" 41 #include "cipher.h" 42 #include "kex.h" 43 #include "mac.h" 44 45 static void add_listen_addr(ServerOptions *, char *, u_short); 46 static void add_one_listen_addr(ServerOptions *, char *, u_short); 47 48 /* AF_UNSPEC or AF_INET or AF_INET6 */ 49 extern int IPv4or6; 50 /* Use of privilege separation or not */ 51 extern int use_privsep; 52 53 /* Initializes the server options to their default values. */ 54 55 void 56 initialize_server_options(ServerOptions *options) 57 { 58 memset(options, 0, sizeof(*options)); 59 60 /* Portable-specific options */ 61 options->pam_authentication_via_kbd_int = -1; 62 63 /* Standard Options */ 64 options->num_ports = 0; 65 options->ports_from_cmdline = 0; 66 options->listen_addrs = NULL; 67 options->num_host_key_files = 0; 68 options->pid_file = NULL; 69 options->server_key_bits = -1; 70 options->login_grace_time = -1; 71 options->key_regeneration_time = -1; 72 options->permit_root_login = PERMIT_NOT_SET; 73 options->ignore_rhosts = -1; 74 options->ignore_user_known_hosts = -1; 75 options->print_motd = -1; 76 options->print_lastlog = -1; 77 options->x11_forwarding = -1; 78 options->x11_display_offset = -1; 79 options->x11_use_localhost = -1; 80 options->xauth_location = NULL; 81 options->strict_modes = -1; 82 options->keepalives = -1; 83 options->log_facility = SYSLOG_FACILITY_NOT_SET; 84 options->log_level = SYSLOG_LEVEL_NOT_SET; 85 options->rhosts_authentication = -1; 86 options->rhosts_rsa_authentication = -1; 87 options->hostbased_authentication = -1; 88 options->hostbased_uses_name_from_packet_only = -1; 89 options->rsa_authentication = -1; 90 options->pubkey_authentication = -1; 91 #if defined(KRB4) || defined(KRB5) 92 options->kerberos_authentication = -1; 93 options->kerberos_or_local_passwd = -1; 94 options->kerberos_ticket_cleanup = -1; 95 #endif 96 #if defined(AFS) || defined(KRB5) 97 options->kerberos_tgt_passing = -1; 98 #endif 99 #ifdef AFS 100 options->afs_token_passing = -1; 101 #endif 102 options->password_authentication = -1; 103 options->kbd_interactive_authentication = -1; 104 options->challenge_response_authentication = -1; 105 options->permit_empty_passwd = -1; 106 options->permit_user_env = -1; 107 options->use_login = -1; 108 options->compression = -1; 109 options->allow_tcp_forwarding = -1; 110 options->num_allow_users = 0; 111 options->num_deny_users = 0; 112 options->num_allow_groups = 0; 113 options->num_deny_groups = 0; 114 options->ciphers = NULL; 115 options->macs = NULL; 116 options->protocol = SSH_PROTO_UNKNOWN; 117 options->gateway_ports = -1; 118 options->num_subsystems = 0; 119 options->max_startups_begin = -1; 120 options->max_startups_rate = -1; 121 options->max_startups = -1; 122 options->banner = NULL; 123 options->verify_reverse_mapping = -1; 124 options->client_alive_interval = -1; 125 options->client_alive_count_max = -1; 126 options->authorized_keys_file = NULL; 127 options->authorized_keys_file2 = NULL; 128 129 /* Needs to be accessable in many places */ 130 use_privsep = -1; 131 } 132 133 void 134 fill_default_server_options(ServerOptions *options) 135 { 136 /* Portable-specific options */ 137 if (options->pam_authentication_via_kbd_int == -1) 138 options->pam_authentication_via_kbd_int = 0; 139 140 /* Standard Options */ 141 if (options->protocol == SSH_PROTO_UNKNOWN) 142 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 143 if (options->num_host_key_files == 0) { 144 /* fill default hostkeys for protocols */ 145 if (options->protocol & SSH_PROTO_1) 146 options->host_key_files[options->num_host_key_files++] = 147 _PATH_HOST_KEY_FILE; 148 if (options->protocol & SSH_PROTO_2) { 149 options->host_key_files[options->num_host_key_files++] = 150 _PATH_HOST_DSA_KEY_FILE; 151 } 152 } 153 if (options->num_ports == 0) 154 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 155 if (options->listen_addrs == NULL) 156 add_listen_addr(options, NULL, 0); 157 if (options->pid_file == NULL) 158 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 159 if (options->server_key_bits == -1) 160 options->server_key_bits = 768; 161 if (options->login_grace_time == -1) 162 options->login_grace_time = 120; 163 if (options->key_regeneration_time == -1) 164 options->key_regeneration_time = 3600; 165 if (options->permit_root_login == PERMIT_NOT_SET) 166 options->permit_root_login = PERMIT_NO; 167 if (options->ignore_rhosts == -1) 168 options->ignore_rhosts = 1; 169 if (options->ignore_user_known_hosts == -1) 170 options->ignore_user_known_hosts = 0; 171 if (options->print_motd == -1) 172 options->print_motd = 1; 173 if (options->print_lastlog == -1) 174 options->print_lastlog = 1; 175 if (options->x11_forwarding == -1) 176 options->x11_forwarding = 1; 177 if (options->x11_display_offset == -1) 178 options->x11_display_offset = 10; 179 if (options->x11_use_localhost == -1) 180 options->x11_use_localhost = 1; 181 if (options->xauth_location == NULL) 182 options->xauth_location = _PATH_XAUTH; 183 if (options->strict_modes == -1) 184 options->strict_modes = 1; 185 if (options->keepalives == -1) 186 options->keepalives = 1; 187 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 188 options->log_facility = SYSLOG_FACILITY_AUTH; 189 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 190 options->log_level = SYSLOG_LEVEL_INFO; 191 if (options->rhosts_authentication == -1) 192 options->rhosts_authentication = 0; 193 if (options->rhosts_rsa_authentication == -1) 194 options->rhosts_rsa_authentication = 0; 195 if (options->hostbased_authentication == -1) 196 options->hostbased_authentication = 0; 197 if (options->hostbased_uses_name_from_packet_only == -1) 198 options->hostbased_uses_name_from_packet_only = 0; 199 if (options->rsa_authentication == -1) 200 options->rsa_authentication = 1; 201 if (options->pubkey_authentication == -1) 202 options->pubkey_authentication = 1; 203 #if defined(KRB4) && defined(KRB5) 204 if (options->kerberos_authentication == -1) 205 options->kerberos_authentication = 206 (access(KEYFILE, R_OK) == 0 || 207 access(krb5_defkeyname, R_OK) == 0); 208 #elif defined(KRB4) 209 if (options->kerberos_authentication == -1) 210 options->kerberos_authentication = 211 (access(KEYFILE, R_OK) == 0); 212 #elif defined(KRB5) 213 if (options->kerberos_authentication == -1) 214 options->kerberos_authentication = 215 (access(krb5_defkeyname, R_OK) == 0); 216 #endif 217 #if defined(KRB4) || defined(KRB5) 218 if (options->kerberos_or_local_passwd == -1) 219 options->kerberos_or_local_passwd = 1; 220 if (options->kerberos_ticket_cleanup == -1) 221 options->kerberos_ticket_cleanup = 1; 222 #endif 223 #if defined(AFS) || defined(KRB5) 224 if (options->kerberos_tgt_passing == -1) 225 options->kerberos_tgt_passing = 0; 226 #endif 227 #ifdef AFS 228 if (options->afs_token_passing == -1) 229 options->afs_token_passing = 0; 230 #endif 231 if (options->password_authentication == -1) 232 options->password_authentication = 1; 233 if (options->kbd_interactive_authentication == -1) 234 options->kbd_interactive_authentication = 0; 235 if (options->challenge_response_authentication == -1) 236 options->challenge_response_authentication = 1; 237 if (options->permit_empty_passwd == -1) 238 options->permit_empty_passwd = 0; 239 if (options->permit_user_env == -1) 240 options->permit_user_env = 0; 241 if (options->use_login == -1) 242 options->use_login = 0; 243 if (options->compression == -1) 244 options->compression = 1; 245 if (options->allow_tcp_forwarding == -1) 246 options->allow_tcp_forwarding = 1; 247 if (options->gateway_ports == -1) 248 options->gateway_ports = 0; 249 if (options->max_startups == -1) 250 options->max_startups = 10; 251 if (options->max_startups_rate == -1) 252 options->max_startups_rate = 100; /* 100% */ 253 if (options->max_startups_begin == -1) 254 options->max_startups_begin = options->max_startups; 255 if (options->verify_reverse_mapping == -1) 256 options->verify_reverse_mapping = 0; 257 if (options->client_alive_interval == -1) 258 options->client_alive_interval = 0; 259 if (options->client_alive_count_max == -1) 260 options->client_alive_count_max = 3; 261 if (options->authorized_keys_file2 == NULL) { 262 /* authorized_keys_file2 falls back to authorized_keys_file */ 263 if (options->authorized_keys_file != NULL) 264 options->authorized_keys_file2 = options->authorized_keys_file; 265 else 266 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 267 } 268 if (options->authorized_keys_file == NULL) 269 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 270 271 /* Turn privilege separation on by default */ 272 if (use_privsep == -1) 273 use_privsep = 1; 274 275 #ifndef HAVE_MMAP 276 if (use_privsep && options->compression == 1) { 277 error("This platform does not support both privilege " 278 "separation and compression"); 279 error("Compression disabled"); 280 options->compression = 0; 281 } 282 #endif 283 284 } 285 286 /* Keyword tokens. */ 287 typedef enum { 288 sBadOption, /* == unknown option */ 289 /* Portable-specific options */ 290 sPAMAuthenticationViaKbdInt, 291 /* Standard Options */ 292 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 293 sPermitRootLogin, sLogFacility, sLogLevel, 294 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 295 #if defined(KRB4) || defined(KRB5) 296 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 297 #endif 298 #if defined(AFS) || defined(KRB5) 299 sKerberosTgtPassing, 300 #endif 301 #ifdef AFS 302 sAFSTokenPassing, 303 #endif 304 sChallengeResponseAuthentication, 305 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 306 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 307 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 308 sStrictModes, sEmptyPasswd, sKeepAlives, 309 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 310 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 311 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 312 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 313 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 314 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 315 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 316 sUsePrivilegeSeparation, 317 sVersionAddendum, 318 sDeprecated 319 } ServerOpCodes; 320 321 /* Textual representation of the tokens. */ 322 static struct { 323 const char *name; 324 ServerOpCodes opcode; 325 } keywords[] = { 326 /* Portable-specific options */ 327 #if 0 328 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, 329 #endif 330 /* Standard Options */ 331 { "port", sPort }, 332 { "hostkey", sHostKeyFile }, 333 { "hostdsakey", sHostKeyFile }, /* alias */ 334 { "pidfile", sPidFile }, 335 { "serverkeybits", sServerKeyBits }, 336 { "logingracetime", sLoginGraceTime }, 337 { "keyregenerationinterval", sKeyRegenerationTime }, 338 { "permitrootlogin", sPermitRootLogin }, 339 { "syslogfacility", sLogFacility }, 340 { "loglevel", sLogLevel }, 341 { "rhostsauthentication", sRhostsAuthentication }, 342 { "rhostsrsaauthentication", sRhostsRSAAuthentication }, 343 { "hostbasedauthentication", sHostbasedAuthentication }, 344 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 345 { "rsaauthentication", sRSAAuthentication }, 346 { "pubkeyauthentication", sPubkeyAuthentication }, 347 { "dsaauthentication", sPubkeyAuthentication }, /* alias */ 348 #if defined(KRB4) || defined(KRB5) 349 { "kerberosauthentication", sKerberosAuthentication }, 350 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 351 { "kerberosticketcleanup", sKerberosTicketCleanup }, 352 #endif 353 #if defined(AFS) || defined(KRB5) 354 { "kerberostgtpassing", sKerberosTgtPassing }, 355 #endif 356 #ifdef AFS 357 { "afstokenpassing", sAFSTokenPassing }, 358 #endif 359 { "passwordauthentication", sPasswordAuthentication }, 360 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, 361 { "challengeresponseauthentication", sChallengeResponseAuthentication }, 362 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ 363 { "checkmail", sDeprecated }, 364 { "listenaddress", sListenAddress }, 365 { "printmotd", sPrintMotd }, 366 { "printlastlog", sPrintLastLog }, 367 { "ignorerhosts", sIgnoreRhosts }, 368 { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, 369 { "x11forwarding", sX11Forwarding }, 370 { "x11displayoffset", sX11DisplayOffset }, 371 { "x11uselocalhost", sX11UseLocalhost }, 372 { "xauthlocation", sXAuthLocation }, 373 { "strictmodes", sStrictModes }, 374 { "permitemptypasswords", sEmptyPasswd }, 375 { "permituserenvironment", sPermitUserEnvironment }, 376 { "uselogin", sUseLogin }, 377 { "compression", sCompression }, 378 { "keepalive", sKeepAlives }, 379 { "allowtcpforwarding", sAllowTcpForwarding }, 380 { "allowusers", sAllowUsers }, 381 { "denyusers", sDenyUsers }, 382 { "allowgroups", sAllowGroups }, 383 { "denygroups", sDenyGroups }, 384 { "ciphers", sCiphers }, 385 { "macs", sMacs }, 386 { "protocol", sProtocol }, 387 { "gatewayports", sGatewayPorts }, 388 { "subsystem", sSubsystem }, 389 { "maxstartups", sMaxStartups }, 390 { "banner", sBanner }, 391 { "verifyreversemapping", sVerifyReverseMapping }, 392 { "reversemappingcheck", sVerifyReverseMapping }, 393 { "clientaliveinterval", sClientAliveInterval }, 394 { "clientalivecountmax", sClientAliveCountMax }, 395 { "authorizedkeysfile", sAuthorizedKeysFile }, 396 { "authorizedkeysfile2", sAuthorizedKeysFile2 }, 397 { "useprivilegeseparation", sUsePrivilegeSeparation}, 398 { "versionaddendum", sVersionAddendum }, 399 { NULL, sBadOption } 400 }; 401 402 /* 403 * Returns the number of the token pointed to by cp or sBadOption. 404 */ 405 406 static ServerOpCodes 407 parse_token(const char *cp, const char *filename, 408 int linenum) 409 { 410 u_int i; 411 412 for (i = 0; keywords[i].name; i++) 413 if (strcasecmp(cp, keywords[i].name) == 0) 414 return keywords[i].opcode; 415 416 error("%s: line %d: Bad configuration option: %s", 417 filename, linenum, cp); 418 return sBadOption; 419 } 420 421 static void 422 add_listen_addr(ServerOptions *options, char *addr, u_short port) 423 { 424 int i; 425 426 if (options->num_ports == 0) 427 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 428 if (port == 0) 429 for (i = 0; i < options->num_ports; i++) 430 add_one_listen_addr(options, addr, options->ports[i]); 431 else 432 add_one_listen_addr(options, addr, port); 433 } 434 435 static void 436 add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 437 { 438 struct addrinfo hints, *ai, *aitop; 439 char strport[NI_MAXSERV]; 440 int gaierr; 441 442 memset(&hints, 0, sizeof(hints)); 443 hints.ai_family = IPv4or6; 444 hints.ai_socktype = SOCK_STREAM; 445 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 446 snprintf(strport, sizeof strport, "%u", port); 447 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 448 fatal("bad addr or host: %s (%s)", 449 addr ? addr : "<NULL>", 450 gai_strerror(gaierr)); 451 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 452 ; 453 ai->ai_next = options->listen_addrs; 454 options->listen_addrs = aitop; 455 } 456 457 int 458 process_server_config_line(ServerOptions *options, char *line, 459 const char *filename, int linenum) 460 { 461 char *cp, **charptr, *arg, *p; 462 int *intptr, value, i, n; 463 ServerOpCodes opcode; 464 465 cp = line; 466 arg = strdelim(&cp); 467 /* Ignore leading whitespace */ 468 if (*arg == '\0') 469 arg = strdelim(&cp); 470 if (!arg || !*arg || *arg == '#') 471 return 0; 472 intptr = NULL; 473 charptr = NULL; 474 opcode = parse_token(arg, filename, linenum); 475 switch (opcode) { 476 /* Portable-specific options */ 477 case sPAMAuthenticationViaKbdInt: 478 intptr = &options->pam_authentication_via_kbd_int; 479 goto parse_flag; 480 481 /* Standard Options */ 482 case sBadOption: 483 return -1; 484 case sPort: 485 /* ignore ports from configfile if cmdline specifies ports */ 486 if (options->ports_from_cmdline) 487 return 0; 488 if (options->listen_addrs != NULL) 489 fatal("%s line %d: ports must be specified before " 490 "ListenAddress.", filename, linenum); 491 if (options->num_ports >= MAX_PORTS) 492 fatal("%s line %d: too many ports.", 493 filename, linenum); 494 arg = strdelim(&cp); 495 if (!arg || *arg == '\0') 496 fatal("%s line %d: missing port number.", 497 filename, linenum); 498 options->ports[options->num_ports++] = a2port(arg); 499 if (options->ports[options->num_ports-1] == 0) 500 fatal("%s line %d: Badly formatted port number.", 501 filename, linenum); 502 break; 503 504 case sServerKeyBits: 505 intptr = &options->server_key_bits; 506 parse_int: 507 arg = strdelim(&cp); 508 if (!arg || *arg == '\0') 509 fatal("%s line %d: missing integer value.", 510 filename, linenum); 511 value = atoi(arg); 512 if (*intptr == -1) 513 *intptr = value; 514 break; 515 516 case sLoginGraceTime: 517 intptr = &options->login_grace_time; 518 parse_time: 519 arg = strdelim(&cp); 520 if (!arg || *arg == '\0') 521 fatal("%s line %d: missing time value.", 522 filename, linenum); 523 if ((value = convtime(arg)) == -1) 524 fatal("%s line %d: invalid time value.", 525 filename, linenum); 526 if (*intptr == -1) 527 *intptr = value; 528 break; 529 530 case sKeyRegenerationTime: 531 intptr = &options->key_regeneration_time; 532 goto parse_time; 533 534 case sListenAddress: 535 arg = strdelim(&cp); 536 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 537 fatal("%s line %d: missing inet addr.", 538 filename, linenum); 539 if (*arg == '[') { 540 if ((p = strchr(arg, ']')) == NULL) 541 fatal("%s line %d: bad ipv6 inet addr usage.", 542 filename, linenum); 543 arg++; 544 memmove(p, p+1, strlen(p+1)+1); 545 } else if (((p = strchr(arg, ':')) == NULL) || 546 (strchr(p+1, ':') != NULL)) { 547 add_listen_addr(options, arg, 0); 548 break; 549 } 550 if (*p == ':') { 551 u_short port; 552 553 p++; 554 if (*p == '\0') 555 fatal("%s line %d: bad inet addr:port usage.", 556 filename, linenum); 557 else { 558 *(p-1) = '\0'; 559 if ((port = a2port(p)) == 0) 560 fatal("%s line %d: bad port number.", 561 filename, linenum); 562 add_listen_addr(options, arg, port); 563 } 564 } else if (*p == '\0') 565 add_listen_addr(options, arg, 0); 566 else 567 fatal("%s line %d: bad inet addr usage.", 568 filename, linenum); 569 break; 570 571 case sHostKeyFile: 572 intptr = &options->num_host_key_files; 573 if (*intptr >= MAX_HOSTKEYS) 574 fatal("%s line %d: too many host keys specified (max %d).", 575 filename, linenum, MAX_HOSTKEYS); 576 charptr = &options->host_key_files[*intptr]; 577 parse_filename: 578 arg = strdelim(&cp); 579 if (!arg || *arg == '\0') 580 fatal("%s line %d: missing file name.", 581 filename, linenum); 582 if (*charptr == NULL) { 583 *charptr = tilde_expand_filename(arg, getuid()); 584 /* increase optional counter */ 585 if (intptr != NULL) 586 *intptr = *intptr + 1; 587 } 588 break; 589 590 case sPidFile: 591 charptr = &options->pid_file; 592 goto parse_filename; 593 594 case sPermitRootLogin: 595 intptr = &options->permit_root_login; 596 arg = strdelim(&cp); 597 if (!arg || *arg == '\0') 598 fatal("%s line %d: missing yes/" 599 "without-password/forced-commands-only/no " 600 "argument.", filename, linenum); 601 value = 0; /* silence compiler */ 602 if (strcmp(arg, "without-password") == 0) 603 value = PERMIT_NO_PASSWD; 604 else if (strcmp(arg, "forced-commands-only") == 0) 605 value = PERMIT_FORCED_ONLY; 606 else if (strcmp(arg, "yes") == 0) 607 value = PERMIT_YES; 608 else if (strcmp(arg, "no") == 0) 609 value = PERMIT_NO; 610 else 611 fatal("%s line %d: Bad yes/" 612 "without-password/forced-commands-only/no " 613 "argument: %s", filename, linenum, arg); 614 if (*intptr == -1) 615 *intptr = value; 616 break; 617 618 case sIgnoreRhosts: 619 intptr = &options->ignore_rhosts; 620 parse_flag: 621 arg = strdelim(&cp); 622 if (!arg || *arg == '\0') 623 fatal("%s line %d: missing yes/no argument.", 624 filename, linenum); 625 value = 0; /* silence compiler */ 626 if (strcmp(arg, "yes") == 0) 627 value = 1; 628 else if (strcmp(arg, "no") == 0) 629 value = 0; 630 else 631 fatal("%s line %d: Bad yes/no argument: %s", 632 filename, linenum, arg); 633 if (*intptr == -1) 634 *intptr = value; 635 break; 636 637 case sIgnoreUserKnownHosts: 638 intptr = &options->ignore_user_known_hosts; 639 goto parse_flag; 640 641 case sRhostsAuthentication: 642 intptr = &options->rhosts_authentication; 643 goto parse_flag; 644 645 case sRhostsRSAAuthentication: 646 intptr = &options->rhosts_rsa_authentication; 647 goto parse_flag; 648 649 case sHostbasedAuthentication: 650 intptr = &options->hostbased_authentication; 651 goto parse_flag; 652 653 case sHostbasedUsesNameFromPacketOnly: 654 intptr = &options->hostbased_uses_name_from_packet_only; 655 goto parse_flag; 656 657 case sRSAAuthentication: 658 intptr = &options->rsa_authentication; 659 goto parse_flag; 660 661 case sPubkeyAuthentication: 662 intptr = &options->pubkey_authentication; 663 goto parse_flag; 664 #if defined(KRB4) || defined(KRB5) 665 case sKerberosAuthentication: 666 intptr = &options->kerberos_authentication; 667 goto parse_flag; 668 669 case sKerberosOrLocalPasswd: 670 intptr = &options->kerberos_or_local_passwd; 671 goto parse_flag; 672 673 case sKerberosTicketCleanup: 674 intptr = &options->kerberos_ticket_cleanup; 675 goto parse_flag; 676 #endif 677 #if defined(AFS) || defined(KRB5) 678 case sKerberosTgtPassing: 679 intptr = &options->kerberos_tgt_passing; 680 goto parse_flag; 681 #endif 682 #ifdef AFS 683 case sAFSTokenPassing: 684 intptr = &options->afs_token_passing; 685 goto parse_flag; 686 #endif 687 688 case sPasswordAuthentication: 689 intptr = &options->password_authentication; 690 goto parse_flag; 691 692 case sKbdInteractiveAuthentication: 693 intptr = &options->kbd_interactive_authentication; 694 goto parse_flag; 695 696 case sChallengeResponseAuthentication: 697 intptr = &options->challenge_response_authentication; 698 goto parse_flag; 699 700 case sPrintMotd: 701 intptr = &options->print_motd; 702 goto parse_flag; 703 704 case sPrintLastLog: 705 intptr = &options->print_lastlog; 706 goto parse_flag; 707 708 case sX11Forwarding: 709 intptr = &options->x11_forwarding; 710 goto parse_flag; 711 712 case sX11DisplayOffset: 713 intptr = &options->x11_display_offset; 714 goto parse_int; 715 716 case sX11UseLocalhost: 717 intptr = &options->x11_use_localhost; 718 goto parse_flag; 719 720 case sXAuthLocation: 721 charptr = &options->xauth_location; 722 goto parse_filename; 723 724 case sStrictModes: 725 intptr = &options->strict_modes; 726 goto parse_flag; 727 728 case sKeepAlives: 729 intptr = &options->keepalives; 730 goto parse_flag; 731 732 case sEmptyPasswd: 733 intptr = &options->permit_empty_passwd; 734 goto parse_flag; 735 736 case sPermitUserEnvironment: 737 intptr = &options->permit_user_env; 738 goto parse_flag; 739 740 case sUseLogin: 741 intptr = &options->use_login; 742 goto parse_flag; 743 744 case sCompression: 745 intptr = &options->compression; 746 goto parse_flag; 747 748 case sGatewayPorts: 749 intptr = &options->gateway_ports; 750 goto parse_flag; 751 752 case sVerifyReverseMapping: 753 intptr = &options->verify_reverse_mapping; 754 goto parse_flag; 755 756 case sLogFacility: 757 intptr = (int *) &options->log_facility; 758 arg = strdelim(&cp); 759 value = log_facility_number(arg); 760 if (value == SYSLOG_FACILITY_NOT_SET) 761 fatal("%.200s line %d: unsupported log facility '%s'", 762 filename, linenum, arg ? arg : "<NONE>"); 763 if (*intptr == -1) 764 *intptr = (SyslogFacility) value; 765 break; 766 767 case sLogLevel: 768 intptr = (int *) &options->log_level; 769 arg = strdelim(&cp); 770 value = log_level_number(arg); 771 if (value == SYSLOG_LEVEL_NOT_SET) 772 fatal("%.200s line %d: unsupported log level '%s'", 773 filename, linenum, arg ? arg : "<NONE>"); 774 if (*intptr == -1) 775 *intptr = (LogLevel) value; 776 break; 777 778 case sAllowTcpForwarding: 779 intptr = &options->allow_tcp_forwarding; 780 goto parse_flag; 781 782 case sUsePrivilegeSeparation: 783 intptr = &use_privsep; 784 goto parse_flag; 785 786 case sAllowUsers: 787 while ((arg = strdelim(&cp)) && *arg != '\0') { 788 if (options->num_allow_users >= MAX_ALLOW_USERS) 789 fatal("%s line %d: too many allow users.", 790 filename, linenum); 791 options->allow_users[options->num_allow_users++] = 792 xstrdup(arg); 793 } 794 break; 795 796 case sDenyUsers: 797 while ((arg = strdelim(&cp)) && *arg != '\0') { 798 if (options->num_deny_users >= MAX_DENY_USERS) 799 fatal( "%s line %d: too many deny users.", 800 filename, linenum); 801 options->deny_users[options->num_deny_users++] = 802 xstrdup(arg); 803 } 804 break; 805 806 case sAllowGroups: 807 while ((arg = strdelim(&cp)) && *arg != '\0') { 808 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 809 fatal("%s line %d: too many allow groups.", 810 filename, linenum); 811 options->allow_groups[options->num_allow_groups++] = 812 xstrdup(arg); 813 } 814 break; 815 816 case sDenyGroups: 817 while ((arg = strdelim(&cp)) && *arg != '\0') { 818 if (options->num_deny_groups >= MAX_DENY_GROUPS) 819 fatal("%s line %d: too many deny groups.", 820 filename, linenum); 821 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 822 } 823 break; 824 825 case sCiphers: 826 arg = strdelim(&cp); 827 if (!arg || *arg == '\0') 828 fatal("%s line %d: Missing argument.", filename, linenum); 829 if (!ciphers_valid(arg)) 830 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 831 filename, linenum, arg ? arg : "<NONE>"); 832 if (options->ciphers == NULL) 833 options->ciphers = xstrdup(arg); 834 break; 835 836 case sMacs: 837 arg = strdelim(&cp); 838 if (!arg || *arg == '\0') 839 fatal("%s line %d: Missing argument.", filename, linenum); 840 if (!mac_valid(arg)) 841 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 842 filename, linenum, arg ? arg : "<NONE>"); 843 if (options->macs == NULL) 844 options->macs = xstrdup(arg); 845 break; 846 847 case sProtocol: 848 intptr = &options->protocol; 849 arg = strdelim(&cp); 850 if (!arg || *arg == '\0') 851 fatal("%s line %d: Missing argument.", filename, linenum); 852 value = proto_spec(arg); 853 if (value == SSH_PROTO_UNKNOWN) 854 fatal("%s line %d: Bad protocol spec '%s'.", 855 filename, linenum, arg ? arg : "<NONE>"); 856 if (*intptr == SSH_PROTO_UNKNOWN) 857 *intptr = value; 858 break; 859 860 case sSubsystem: 861 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 862 fatal("%s line %d: too many subsystems defined.", 863 filename, linenum); 864 } 865 arg = strdelim(&cp); 866 if (!arg || *arg == '\0') 867 fatal("%s line %d: Missing subsystem name.", 868 filename, linenum); 869 for (i = 0; i < options->num_subsystems; i++) 870 if (strcmp(arg, options->subsystem_name[i]) == 0) 871 fatal("%s line %d: Subsystem '%s' already defined.", 872 filename, linenum, arg); 873 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 874 arg = strdelim(&cp); 875 if (!arg || *arg == '\0') 876 fatal("%s line %d: Missing subsystem command.", 877 filename, linenum); 878 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 879 options->num_subsystems++; 880 break; 881 882 case sMaxStartups: 883 arg = strdelim(&cp); 884 if (!arg || *arg == '\0') 885 fatal("%s line %d: Missing MaxStartups spec.", 886 filename, linenum); 887 if ((n = sscanf(arg, "%d:%d:%d", 888 &options->max_startups_begin, 889 &options->max_startups_rate, 890 &options->max_startups)) == 3) { 891 if (options->max_startups_begin > 892 options->max_startups || 893 options->max_startups_rate > 100 || 894 options->max_startups_rate < 1) 895 fatal("%s line %d: Illegal MaxStartups spec.", 896 filename, linenum); 897 } else if (n != 1) 898 fatal("%s line %d: Illegal MaxStartups spec.", 899 filename, linenum); 900 else 901 options->max_startups = options->max_startups_begin; 902 break; 903 904 case sBanner: 905 charptr = &options->banner; 906 goto parse_filename; 907 /* 908 * These options can contain %X options expanded at 909 * connect time, so that you can specify paths like: 910 * 911 * AuthorizedKeysFile /etc/ssh_keys/%u 912 */ 913 case sAuthorizedKeysFile: 914 case sAuthorizedKeysFile2: 915 charptr = (opcode == sAuthorizedKeysFile ) ? 916 &options->authorized_keys_file : 917 &options->authorized_keys_file2; 918 goto parse_filename; 919 920 case sClientAliveInterval: 921 intptr = &options->client_alive_interval; 922 goto parse_time; 923 924 case sClientAliveCountMax: 925 intptr = &options->client_alive_count_max; 926 goto parse_int; 927 928 case sVersionAddendum: 929 ssh_version_set_addendum(strtok(cp, "\n")); 930 do { 931 arg = strdelim(&cp); 932 } while (arg != NULL && *arg != '\0'); 933 break; 934 935 case sDeprecated: 936 log("%s line %d: Deprecated option %s", 937 filename, linenum, arg); 938 while (arg) 939 arg = strdelim(&cp); 940 break; 941 942 default: 943 fatal("%s line %d: Missing handler for opcode %s (%d)", 944 filename, linenum, arg, opcode); 945 } 946 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 947 fatal("%s line %d: garbage at end of line; \"%.200s\".", 948 filename, linenum, arg); 949 return 0; 950 } 951 952 /* Reads the server configuration file. */ 953 954 void 955 read_server_config(ServerOptions *options, const char *filename) 956 { 957 int linenum, bad_options = 0; 958 char line[1024]; 959 FILE *f; 960 961 f = fopen(filename, "r"); 962 if (!f) { 963 perror(filename); 964 exit(1); 965 } 966 linenum = 0; 967 while (fgets(line, sizeof(line), f)) { 968 /* Update line number counter. */ 969 linenum++; 970 if (process_server_config_line(options, line, filename, linenum) != 0) 971 bad_options++; 972 } 973 fclose(f); 974 if (bad_options > 0) 975 fatal("%s: terminating, %d bad configuration options", 976 filename, bad_options); 977 } 978