1 2 /* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */ 3 /* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include "includes.h" 15 16 #include <sys/types.h> 17 #include <sys/socket.h> 18 19 #include <netinet/in.h> 20 #include <netinet/in_systm.h> 21 #include <netinet/ip.h> 22 23 #include <ctype.h> 24 #include <netdb.h> 25 #include <pwd.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <signal.h> 30 #include <unistd.h> 31 #include <limits.h> 32 #include <stdarg.h> 33 #include <errno.h> 34 #ifdef HAVE_UTIL_H 35 #include <util.h> 36 #endif 37 38 #include "openbsd-compat/sys-queue.h" 39 #include "xmalloc.h" 40 #include "ssh.h" 41 #include "log.h" 42 #include "buffer.h" 43 #include "misc.h" 44 #include "servconf.h" 45 #include "compat.h" 46 #include "pathnames.h" 47 #include "cipher.h" 48 #include "key.h" 49 #include "kex.h" 50 #include "mac.h" 51 #include "match.h" 52 #include "channels.h" 53 #include "groupaccess.h" 54 #include "canohost.h" 55 #include "packet.h" 56 #include "hostfile.h" 57 #include "auth.h" 58 #include "myproposal.h" 59 #include "digest.h" 60 61 static void add_listen_addr(ServerOptions *, char *, int); 62 static void add_one_listen_addr(ServerOptions *, char *, int); 63 64 /* Use of privilege separation or not */ 65 extern int use_privsep; 66 extern Buffer cfg; 67 68 /* Initializes the server options to their default values. */ 69 70 void 71 initialize_server_options(ServerOptions *options) 72 { 73 memset(options, 0, sizeof(*options)); 74 75 /* Portable-specific options */ 76 options->use_pam = -1; 77 78 /* Standard Options */ 79 options->num_ports = 0; 80 options->ports_from_cmdline = 0; 81 options->queued_listen_addrs = NULL; 82 options->num_queued_listens = 0; 83 options->listen_addrs = NULL; 84 options->address_family = -1; 85 options->num_host_key_files = 0; 86 options->num_host_cert_files = 0; 87 options->host_key_agent = NULL; 88 options->pid_file = NULL; 89 options->login_grace_time = -1; 90 options->permit_root_login = PERMIT_NOT_SET; 91 options->ignore_rhosts = -1; 92 options->ignore_user_known_hosts = -1; 93 options->print_motd = -1; 94 options->print_lastlog = -1; 95 options->x11_forwarding = -1; 96 options->x11_display_offset = -1; 97 options->x11_use_localhost = -1; 98 options->permit_tty = -1; 99 options->permit_user_rc = -1; 100 options->xauth_location = NULL; 101 options->strict_modes = -1; 102 options->tcp_keep_alive = -1; 103 options->log_facility = SYSLOG_FACILITY_NOT_SET; 104 options->log_level = SYSLOG_LEVEL_NOT_SET; 105 options->hostbased_authentication = -1; 106 options->hostbased_uses_name_from_packet_only = -1; 107 options->hostbased_key_types = NULL; 108 options->hostkeyalgorithms = NULL; 109 options->pubkey_authentication = -1; 110 options->pubkey_key_types = NULL; 111 options->kerberos_authentication = -1; 112 options->kerberos_or_local_passwd = -1; 113 options->kerberos_ticket_cleanup = -1; 114 options->kerberos_get_afs_token = -1; 115 options->gss_authentication=-1; 116 options->gss_cleanup_creds = -1; 117 options->gss_strict_acceptor = -1; 118 options->password_authentication = -1; 119 options->kbd_interactive_authentication = -1; 120 options->challenge_response_authentication = -1; 121 options->permit_empty_passwd = -1; 122 options->permit_user_env = -1; 123 options->compression = -1; 124 options->rekey_limit = -1; 125 options->rekey_interval = -1; 126 options->allow_tcp_forwarding = -1; 127 options->allow_streamlocal_forwarding = -1; 128 options->allow_agent_forwarding = -1; 129 options->num_allow_users = 0; 130 options->num_deny_users = 0; 131 options->num_allow_groups = 0; 132 options->num_deny_groups = 0; 133 options->ciphers = NULL; 134 options->macs = NULL; 135 options->kex_algorithms = NULL; 136 options->fwd_opts.gateway_ports = -1; 137 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; 138 options->fwd_opts.streamlocal_bind_unlink = -1; 139 options->num_subsystems = 0; 140 options->max_startups_begin = -1; 141 options->max_startups_rate = -1; 142 options->max_startups = -1; 143 options->max_authtries = -1; 144 options->max_sessions = -1; 145 options->banner = NULL; 146 options->use_dns = -1; 147 options->client_alive_interval = -1; 148 options->client_alive_count_max = -1; 149 options->num_authkeys_files = 0; 150 options->num_accept_env = 0; 151 options->permit_tun = -1; 152 options->permitted_opens = NULL; 153 options->adm_forced_command = NULL; 154 options->chroot_directory = NULL; 155 options->authorized_keys_command = NULL; 156 options->authorized_keys_command_user = NULL; 157 options->revoked_keys_file = NULL; 158 options->trusted_user_ca_keys = NULL; 159 options->authorized_principals_file = NULL; 160 options->authorized_principals_command = NULL; 161 options->authorized_principals_command_user = NULL; 162 options->ip_qos_interactive = -1; 163 options->ip_qos_bulk = -1; 164 options->version_addendum = NULL; 165 options->fingerprint_hash = -1; 166 options->disable_forwarding = -1; 167 options->expose_userauth_info = -1; 168 } 169 170 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 171 static int 172 option_clear_or_none(const char *o) 173 { 174 return o == NULL || strcasecmp(o, "none") == 0; 175 } 176 177 static void 178 assemble_algorithms(ServerOptions *o) 179 { 180 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || 181 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || 182 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || 183 kex_assemble_names(KEX_DEFAULT_PK_ALG, 184 &o->hostkeyalgorithms) != 0 || 185 kex_assemble_names(KEX_DEFAULT_PK_ALG, 186 &o->hostbased_key_types) != 0 || 187 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) 188 fatal("kex_assemble_names failed"); 189 } 190 191 void 192 fill_default_server_options(ServerOptions *options) 193 { 194 int i; 195 196 /* Portable-specific options */ 197 if (options->use_pam == -1) 198 options->use_pam = 0; 199 200 /* Standard Options */ 201 if (options->num_host_key_files == 0) { 202 /* fill default hostkeys for protocols */ 203 options->host_key_files[options->num_host_key_files++] = 204 _PATH_HOST_RSA_KEY_FILE; 205 options->host_key_files[options->num_host_key_files++] = 206 _PATH_HOST_DSA_KEY_FILE; 207 #ifdef OPENSSL_HAS_ECC 208 options->host_key_files[options->num_host_key_files++] = 209 _PATH_HOST_ECDSA_KEY_FILE; 210 #endif 211 options->host_key_files[options->num_host_key_files++] = 212 _PATH_HOST_ED25519_KEY_FILE; 213 } 214 /* No certificates by default */ 215 if (options->num_ports == 0) 216 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 217 if (options->address_family == -1) 218 options->address_family = AF_UNSPEC; 219 if (options->listen_addrs == NULL) 220 add_listen_addr(options, NULL, 0); 221 if (options->pid_file == NULL) 222 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); 223 if (options->login_grace_time == -1) 224 options->login_grace_time = 120; 225 if (options->permit_root_login == PERMIT_NOT_SET) 226 options->permit_root_login = PERMIT_NO_PASSWD; 227 if (options->ignore_rhosts == -1) 228 options->ignore_rhosts = 1; 229 if (options->ignore_user_known_hosts == -1) 230 options->ignore_user_known_hosts = 0; 231 if (options->print_motd == -1) 232 options->print_motd = 1; 233 if (options->print_lastlog == -1) 234 options->print_lastlog = 1; 235 if (options->x11_forwarding == -1) 236 options->x11_forwarding = 0; 237 if (options->x11_display_offset == -1) 238 options->x11_display_offset = 10; 239 if (options->x11_use_localhost == -1) 240 options->x11_use_localhost = 1; 241 if (options->xauth_location == NULL) 242 options->xauth_location = xstrdup(_PATH_XAUTH); 243 if (options->permit_tty == -1) 244 options->permit_tty = 1; 245 if (options->permit_user_rc == -1) 246 options->permit_user_rc = 1; 247 if (options->strict_modes == -1) 248 options->strict_modes = 1; 249 if (options->tcp_keep_alive == -1) 250 options->tcp_keep_alive = 1; 251 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 252 options->log_facility = SYSLOG_FACILITY_AUTH; 253 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 254 options->log_level = SYSLOG_LEVEL_INFO; 255 if (options->hostbased_authentication == -1) 256 options->hostbased_authentication = 0; 257 if (options->hostbased_uses_name_from_packet_only == -1) 258 options->hostbased_uses_name_from_packet_only = 0; 259 if (options->pubkey_authentication == -1) 260 options->pubkey_authentication = 1; 261 if (options->kerberos_authentication == -1) 262 options->kerberos_authentication = 0; 263 if (options->kerberos_or_local_passwd == -1) 264 options->kerberos_or_local_passwd = 1; 265 if (options->kerberos_ticket_cleanup == -1) 266 options->kerberos_ticket_cleanup = 1; 267 if (options->kerberos_get_afs_token == -1) 268 options->kerberos_get_afs_token = 0; 269 if (options->gss_authentication == -1) 270 options->gss_authentication = 0; 271 if (options->gss_cleanup_creds == -1) 272 options->gss_cleanup_creds = 1; 273 if (options->gss_strict_acceptor == -1) 274 options->gss_strict_acceptor = 1; 275 if (options->password_authentication == -1) 276 options->password_authentication = 1; 277 if (options->kbd_interactive_authentication == -1) 278 options->kbd_interactive_authentication = 0; 279 if (options->challenge_response_authentication == -1) 280 options->challenge_response_authentication = 1; 281 if (options->permit_empty_passwd == -1) 282 options->permit_empty_passwd = 0; 283 if (options->permit_user_env == -1) 284 options->permit_user_env = 0; 285 if (options->compression == -1) 286 options->compression = COMP_DELAYED; 287 if (options->rekey_limit == -1) 288 options->rekey_limit = 0; 289 if (options->rekey_interval == -1) 290 options->rekey_interval = 0; 291 if (options->allow_tcp_forwarding == -1) 292 options->allow_tcp_forwarding = FORWARD_ALLOW; 293 if (options->allow_streamlocal_forwarding == -1) 294 options->allow_streamlocal_forwarding = FORWARD_ALLOW; 295 if (options->allow_agent_forwarding == -1) 296 options->allow_agent_forwarding = 1; 297 if (options->fwd_opts.gateway_ports == -1) 298 options->fwd_opts.gateway_ports = 0; 299 if (options->max_startups == -1) 300 options->max_startups = 100; 301 if (options->max_startups_rate == -1) 302 options->max_startups_rate = 30; /* 30% */ 303 if (options->max_startups_begin == -1) 304 options->max_startups_begin = 10; 305 if (options->max_authtries == -1) 306 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 307 if (options->max_sessions == -1) 308 options->max_sessions = DEFAULT_SESSIONS_MAX; 309 if (options->use_dns == -1) 310 options->use_dns = 0; 311 if (options->client_alive_interval == -1) 312 options->client_alive_interval = 0; 313 if (options->client_alive_count_max == -1) 314 options->client_alive_count_max = 3; 315 if (options->num_authkeys_files == 0) { 316 options->authorized_keys_files[options->num_authkeys_files++] = 317 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 318 options->authorized_keys_files[options->num_authkeys_files++] = 319 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 320 } 321 if (options->permit_tun == -1) 322 options->permit_tun = SSH_TUNMODE_NO; 323 if (options->ip_qos_interactive == -1) 324 options->ip_qos_interactive = IPTOS_LOWDELAY; 325 if (options->ip_qos_bulk == -1) 326 options->ip_qos_bulk = IPTOS_THROUGHPUT; 327 if (options->version_addendum == NULL) 328 options->version_addendum = xstrdup(""); 329 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 330 options->fwd_opts.streamlocal_bind_mask = 0177; 331 if (options->fwd_opts.streamlocal_bind_unlink == -1) 332 options->fwd_opts.streamlocal_bind_unlink = 0; 333 if (options->fingerprint_hash == -1) 334 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 335 if (options->disable_forwarding == -1) 336 options->disable_forwarding = 0; 337 if (options->expose_userauth_info == -1) 338 options->expose_userauth_info = 0; 339 340 assemble_algorithms(options); 341 342 /* Turn privilege separation and sandboxing on by default */ 343 if (use_privsep == -1) 344 use_privsep = PRIVSEP_ON; 345 346 #define CLEAR_ON_NONE(v) \ 347 do { \ 348 if (option_clear_or_none(v)) { \ 349 free(v); \ 350 v = NULL; \ 351 } \ 352 } while(0) 353 CLEAR_ON_NONE(options->pid_file); 354 CLEAR_ON_NONE(options->xauth_location); 355 CLEAR_ON_NONE(options->banner); 356 CLEAR_ON_NONE(options->trusted_user_ca_keys); 357 CLEAR_ON_NONE(options->revoked_keys_file); 358 CLEAR_ON_NONE(options->authorized_principals_file); 359 CLEAR_ON_NONE(options->adm_forced_command); 360 CLEAR_ON_NONE(options->chroot_directory); 361 for (i = 0; i < options->num_host_key_files; i++) 362 CLEAR_ON_NONE(options->host_key_files[i]); 363 for (i = 0; i < options->num_host_cert_files; i++) 364 CLEAR_ON_NONE(options->host_cert_files[i]); 365 #undef CLEAR_ON_NONE 366 367 /* Similar handling for AuthenticationMethods=any */ 368 if (options->num_auth_methods == 1 && 369 strcmp(options->auth_methods[0], "any") == 0) { 370 free(options->auth_methods[0]); 371 options->auth_methods[0] = NULL; 372 options->num_auth_methods = 0; 373 } 374 375 #ifndef HAVE_MMAP 376 if (use_privsep && options->compression == 1) { 377 error("This platform does not support both privilege " 378 "separation and compression"); 379 error("Compression disabled"); 380 options->compression = 0; 381 } 382 #endif 383 384 } 385 386 /* Keyword tokens. */ 387 typedef enum { 388 sBadOption, /* == unknown option */ 389 /* Portable-specific options */ 390 sUsePAM, 391 /* Standard Options */ 392 sPort, sHostKeyFile, sLoginGraceTime, 393 sPermitRootLogin, sLogFacility, sLogLevel, 394 sRhostsRSAAuthentication, sRSAAuthentication, 395 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 396 sKerberosGetAFSToken, 397 sKerberosTgtPassing, sChallengeResponseAuthentication, 398 sPasswordAuthentication, sKbdInteractiveAuthentication, 399 sListenAddress, sAddressFamily, 400 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 401 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 402 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, 403 sPermitUserEnvironment, sAllowTcpForwarding, sCompression, 404 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 405 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, 406 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, 407 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, 408 sBanner, sUseDNS, sHostbasedAuthentication, 409 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, 410 sHostKeyAlgorithms, 411 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 412 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 413 sAcceptEnv, sPermitTunnel, 414 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 415 sUsePrivilegeSeparation, sAllowAgentForwarding, 416 sHostCertificate, 417 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 418 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, 419 sKexAlgorithms, sIPQoS, sVersionAddendum, 420 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 421 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 422 sStreamLocalBindMask, sStreamLocalBindUnlink, 423 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 424 sExposeAuthInfo, 425 sDeprecated, sIgnore, sUnsupported 426 } ServerOpCodes; 427 428 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 429 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 430 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 431 432 /* Textual representation of the tokens. */ 433 static struct { 434 const char *name; 435 ServerOpCodes opcode; 436 u_int flags; 437 } keywords[] = { 438 /* Portable-specific options */ 439 #ifdef USE_PAM 440 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 441 #else 442 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 443 #endif 444 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 445 /* Standard Options */ 446 { "port", sPort, SSHCFG_GLOBAL }, 447 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 448 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 449 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, 450 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 451 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL }, 452 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 453 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, 454 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 455 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 456 { "loglevel", sLogLevel, SSHCFG_ALL }, 457 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 458 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, 459 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 460 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 461 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, 462 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, 463 { "rsaauthentication", sDeprecated, SSHCFG_ALL }, 464 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 465 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, 466 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 467 #ifdef KRB5 468 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 469 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 470 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 471 #ifdef USE_AFS 472 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 473 #else 474 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 475 #endif 476 #else 477 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 478 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 479 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 480 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 481 #endif 482 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 483 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 484 #ifdef GSSAPI 485 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 486 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 487 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 488 #else 489 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 490 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 491 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 492 #endif 493 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 494 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 495 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 496 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 497 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 498 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 499 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 500 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 501 #ifdef DISABLE_LASTLOG 502 { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, 503 #else 504 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 505 #endif 506 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 507 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 508 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 509 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 510 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 511 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 512 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 513 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 514 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 515 { "uselogin", sDeprecated, SSHCFG_GLOBAL }, 516 { "compression", sCompression, SSHCFG_GLOBAL }, 517 { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 518 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 519 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 520 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 521 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 522 { "allowusers", sAllowUsers, SSHCFG_ALL }, 523 { "denyusers", sDenyUsers, SSHCFG_ALL }, 524 { "allowgroups", sAllowGroups, SSHCFG_ALL }, 525 { "denygroups", sDenyGroups, SSHCFG_ALL }, 526 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 527 { "macs", sMacs, SSHCFG_GLOBAL }, 528 { "protocol", sIgnore, SSHCFG_GLOBAL }, 529 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 530 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 531 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 532 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 533 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 534 { "banner", sBanner, SSHCFG_ALL }, 535 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 536 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 537 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 538 { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, 539 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL }, 540 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 541 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 542 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, 543 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 544 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 545 { "permittty", sPermitTTY, SSHCFG_ALL }, 546 { "permituserrc", sPermitUserRC, SSHCFG_ALL }, 547 { "match", sMatch, SSHCFG_ALL }, 548 { "permitopen", sPermitOpen, SSHCFG_ALL }, 549 { "forcecommand", sForceCommand, SSHCFG_ALL }, 550 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 551 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 552 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 553 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 554 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 555 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 556 { "ipqos", sIPQoS, SSHCFG_ALL }, 557 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 558 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 559 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL }, 560 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL }, 561 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 562 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 563 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, 564 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 565 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 566 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 567 { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 568 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 569 { NULL, sBadOption, 0 } 570 }; 571 572 static struct { 573 int val; 574 char *text; 575 } tunmode_desc[] = { 576 { SSH_TUNMODE_NO, "no" }, 577 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 578 { SSH_TUNMODE_ETHERNET, "ethernet" }, 579 { SSH_TUNMODE_YES, "yes" }, 580 { -1, NULL } 581 }; 582 583 /* 584 * Returns the number of the token pointed to by cp or sBadOption. 585 */ 586 587 static ServerOpCodes 588 parse_token(const char *cp, const char *filename, 589 int linenum, u_int *flags) 590 { 591 u_int i; 592 593 for (i = 0; keywords[i].name; i++) 594 if (strcasecmp(cp, keywords[i].name) == 0) { 595 *flags = keywords[i].flags; 596 return keywords[i].opcode; 597 } 598 599 error("%s: line %d: Bad configuration option: %s", 600 filename, linenum, cp); 601 return sBadOption; 602 } 603 604 char * 605 derelativise_path(const char *path) 606 { 607 char *expanded, *ret, cwd[PATH_MAX]; 608 609 if (strcasecmp(path, "none") == 0) 610 return xstrdup("none"); 611 expanded = tilde_expand_filename(path, getuid()); 612 if (*expanded == '/') 613 return expanded; 614 if (getcwd(cwd, sizeof(cwd)) == NULL) 615 fatal("%s: getcwd: %s", __func__, strerror(errno)); 616 xasprintf(&ret, "%s/%s", cwd, expanded); 617 free(expanded); 618 return ret; 619 } 620 621 static void 622 add_listen_addr(ServerOptions *options, char *addr, int port) 623 { 624 u_int i; 625 626 if (port == 0) 627 for (i = 0; i < options->num_ports; i++) 628 add_one_listen_addr(options, addr, options->ports[i]); 629 else 630 add_one_listen_addr(options, addr, port); 631 } 632 633 static void 634 add_one_listen_addr(ServerOptions *options, char *addr, int port) 635 { 636 struct addrinfo hints, *ai, *aitop; 637 char strport[NI_MAXSERV]; 638 int gaierr; 639 640 memset(&hints, 0, sizeof(hints)); 641 hints.ai_family = options->address_family; 642 hints.ai_socktype = SOCK_STREAM; 643 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 644 snprintf(strport, sizeof strport, "%d", port); 645 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 646 fatal("bad addr or host: %s (%s)", 647 addr ? addr : "<NULL>", 648 ssh_gai_strerror(gaierr)); 649 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 650 ; 651 ai->ai_next = options->listen_addrs; 652 options->listen_addrs = aitop; 653 } 654 655 /* 656 * Queue a ListenAddress to be processed once we have all of the Ports 657 * and AddressFamily options. 658 */ 659 static void 660 queue_listen_addr(ServerOptions *options, char *addr, int port) 661 { 662 options->queued_listen_addrs = xreallocarray( 663 options->queued_listen_addrs, options->num_queued_listens + 1, 664 sizeof(addr)); 665 options->queued_listen_ports = xreallocarray( 666 options->queued_listen_ports, options->num_queued_listens + 1, 667 sizeof(port)); 668 options->queued_listen_addrs[options->num_queued_listens] = 669 xstrdup(addr); 670 options->queued_listen_ports[options->num_queued_listens] = port; 671 options->num_queued_listens++; 672 } 673 674 /* 675 * Process queued (text) ListenAddress entries. 676 */ 677 static void 678 process_queued_listen_addrs(ServerOptions *options) 679 { 680 u_int i; 681 682 if (options->num_ports == 0) 683 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 684 if (options->address_family == -1) 685 options->address_family = AF_UNSPEC; 686 687 for (i = 0; i < options->num_queued_listens; i++) { 688 add_listen_addr(options, options->queued_listen_addrs[i], 689 options->queued_listen_ports[i]); 690 free(options->queued_listen_addrs[i]); 691 options->queued_listen_addrs[i] = NULL; 692 } 693 free(options->queued_listen_addrs); 694 options->queued_listen_addrs = NULL; 695 free(options->queued_listen_ports); 696 options->queued_listen_ports = NULL; 697 options->num_queued_listens = 0; 698 } 699 700 /* 701 * Inform channels layer of permitopen options from configuration. 702 */ 703 void 704 process_permitopen(struct ssh *ssh, ServerOptions *options) 705 { 706 u_int i; 707 int port; 708 char *host, *arg, *oarg; 709 710 channel_clear_adm_permitted_opens(ssh); 711 if (options->num_permitted_opens == 0) 712 return; /* permit any */ 713 714 /* handle keywords: "any" / "none" */ 715 if (options->num_permitted_opens == 1 && 716 strcmp(options->permitted_opens[0], "any") == 0) 717 return; 718 if (options->num_permitted_opens == 1 && 719 strcmp(options->permitted_opens[0], "none") == 0) { 720 channel_disable_adm_local_opens(ssh); 721 return; 722 } 723 /* Otherwise treat it as a list of permitted host:port */ 724 for (i = 0; i < options->num_permitted_opens; i++) { 725 oarg = arg = xstrdup(options->permitted_opens[i]); 726 host = hpdelim(&arg); 727 if (host == NULL) 728 fatal("%s: missing host in PermitOpen", __func__); 729 host = cleanhostname(host); 730 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 731 fatal("%s: bad port number in PermitOpen", __func__); 732 /* Send it to channels layer */ 733 channel_add_adm_permitted_opens(ssh, host, port); 734 free(oarg); 735 } 736 } 737 738 struct connection_info * 739 get_connection_info(int populate, int use_dns) 740 { 741 struct ssh *ssh = active_state; /* XXX */ 742 static struct connection_info ci; 743 744 if (!populate) 745 return &ci; 746 ci.host = auth_get_canonical_hostname(ssh, use_dns); 747 ci.address = ssh_remote_ipaddr(ssh); 748 ci.laddress = ssh_local_ipaddr(ssh); 749 ci.lport = ssh_local_port(ssh); 750 return &ci; 751 } 752 753 /* 754 * The strategy for the Match blocks is that the config file is parsed twice. 755 * 756 * The first time is at startup. activep is initialized to 1 and the 757 * directives in the global context are processed and acted on. Hitting a 758 * Match directive unsets activep and the directives inside the block are 759 * checked for syntax only. 760 * 761 * The second time is after a connection has been established but before 762 * authentication. activep is initialized to 2 and global config directives 763 * are ignored since they have already been processed. If the criteria in a 764 * Match block is met, activep is set and the subsequent directives 765 * processed and actioned until EOF or another Match block unsets it. Any 766 * options set are copied into the main server config. 767 * 768 * Potential additions/improvements: 769 * - Add Match support for pre-kex directives, eg. Ciphers. 770 * 771 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 772 * Match Address 192.168.0.* 773 * Tag trusted 774 * Match Group wheel 775 * Tag trusted 776 * Match Tag trusted 777 * AllowTcpForwarding yes 778 * GatewayPorts clientspecified 779 * [...] 780 * 781 * - Add a PermittedChannelRequests directive 782 * Match Group shell 783 * PermittedChannelRequests session,forwarded-tcpip 784 */ 785 786 static int 787 match_cfg_line_group(const char *grps, int line, const char *user) 788 { 789 int result = 0; 790 struct passwd *pw; 791 792 if (user == NULL) 793 goto out; 794 795 if ((pw = getpwnam(user)) == NULL) { 796 debug("Can't match group at line %d because user %.100s does " 797 "not exist", line, user); 798 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 799 debug("Can't Match group because user %.100s not in any group " 800 "at line %d", user, line); 801 } else if (ga_match_pattern_list(grps) != 1) { 802 debug("user %.100s does not match group list %.100s at line %d", 803 user, grps, line); 804 } else { 805 debug("user %.100s matched group list %.100s at line %d", user, 806 grps, line); 807 result = 1; 808 } 809 out: 810 ga_free(); 811 return result; 812 } 813 814 /* 815 * All of the attributes on a single Match line are ANDed together, so we need 816 * to check every attribute and set the result to zero if any attribute does 817 * not match. 818 */ 819 static int 820 match_cfg_line(char **condition, int line, struct connection_info *ci) 821 { 822 int result = 1, attributes = 0, port; 823 char *arg, *attrib, *cp = *condition; 824 825 if (ci == NULL) 826 debug3("checking syntax for 'Match %s'", cp); 827 else 828 debug3("checking match for '%s' user %s host %s addr %s " 829 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", 830 ci->host ? ci->host : "(null)", 831 ci->address ? ci->address : "(null)", 832 ci->laddress ? ci->laddress : "(null)", ci->lport); 833 834 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 835 attributes++; 836 if (strcasecmp(attrib, "all") == 0) { 837 if (attributes != 1 || 838 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { 839 error("'all' cannot be combined with other " 840 "Match attributes"); 841 return -1; 842 } 843 *condition = cp; 844 return 1; 845 } 846 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 847 error("Missing Match criteria for %s", attrib); 848 return -1; 849 } 850 if (strcasecmp(attrib, "user") == 0) { 851 if (ci == NULL || ci->user == NULL) { 852 result = 0; 853 continue; 854 } 855 if (match_pattern_list(ci->user, arg, 0) != 1) 856 result = 0; 857 else 858 debug("user %.100s matched 'User %.100s' at " 859 "line %d", ci->user, arg, line); 860 } else if (strcasecmp(attrib, "group") == 0) { 861 if (ci == NULL || ci->user == NULL) { 862 result = 0; 863 continue; 864 } 865 switch (match_cfg_line_group(arg, line, ci->user)) { 866 case -1: 867 return -1; 868 case 0: 869 result = 0; 870 } 871 } else if (strcasecmp(attrib, "host") == 0) { 872 if (ci == NULL || ci->host == NULL) { 873 result = 0; 874 continue; 875 } 876 if (match_hostname(ci->host, arg) != 1) 877 result = 0; 878 else 879 debug("connection from %.100s matched 'Host " 880 "%.100s' at line %d", ci->host, arg, line); 881 } else if (strcasecmp(attrib, "address") == 0) { 882 if (ci == NULL || ci->address == NULL) { 883 result = 0; 884 continue; 885 } 886 switch (addr_match_list(ci->address, arg)) { 887 case 1: 888 debug("connection from %.100s matched 'Address " 889 "%.100s' at line %d", ci->address, arg, line); 890 break; 891 case 0: 892 case -1: 893 result = 0; 894 break; 895 case -2: 896 return -1; 897 } 898 } else if (strcasecmp(attrib, "localaddress") == 0){ 899 if (ci == NULL || ci->laddress == NULL) { 900 result = 0; 901 continue; 902 } 903 switch (addr_match_list(ci->laddress, arg)) { 904 case 1: 905 debug("connection from %.100s matched " 906 "'LocalAddress %.100s' at line %d", 907 ci->laddress, arg, line); 908 break; 909 case 0: 910 case -1: 911 result = 0; 912 break; 913 case -2: 914 return -1; 915 } 916 } else if (strcasecmp(attrib, "localport") == 0) { 917 if ((port = a2port(arg)) == -1) { 918 error("Invalid LocalPort '%s' on Match line", 919 arg); 920 return -1; 921 } 922 if (ci == NULL || ci->lport == 0) { 923 result = 0; 924 continue; 925 } 926 /* TODO support port lists */ 927 if (port == ci->lport) 928 debug("connection from %.100s matched " 929 "'LocalPort %d' at line %d", 930 ci->laddress, port, line); 931 else 932 result = 0; 933 } else { 934 error("Unsupported Match attribute %s", attrib); 935 return -1; 936 } 937 } 938 if (attributes == 0) { 939 error("One or more attributes required for Match"); 940 return -1; 941 } 942 if (ci != NULL) 943 debug3("match %sfound", result ? "" : "not "); 944 *condition = cp; 945 return result; 946 } 947 948 #define WHITESPACE " \t\r\n" 949 950 /* Multistate option parsing */ 951 struct multistate { 952 char *key; 953 int value; 954 }; 955 static const struct multistate multistate_addressfamily[] = { 956 { "inet", AF_INET }, 957 { "inet6", AF_INET6 }, 958 { "any", AF_UNSPEC }, 959 { NULL, -1 } 960 }; 961 static const struct multistate multistate_permitrootlogin[] = { 962 { "without-password", PERMIT_NO_PASSWD }, 963 { "prohibit-password", PERMIT_NO_PASSWD }, 964 { "forced-commands-only", PERMIT_FORCED_ONLY }, 965 { "yes", PERMIT_YES }, 966 { "no", PERMIT_NO }, 967 { NULL, -1 } 968 }; 969 static const struct multistate multistate_compression[] = { 970 { "yes", COMP_DELAYED }, 971 { "delayed", COMP_DELAYED }, 972 { "no", COMP_NONE }, 973 { NULL, -1 } 974 }; 975 static const struct multistate multistate_gatewayports[] = { 976 { "clientspecified", 2 }, 977 { "yes", 1 }, 978 { "no", 0 }, 979 { NULL, -1 } 980 }; 981 static const struct multistate multistate_tcpfwd[] = { 982 { "yes", FORWARD_ALLOW }, 983 { "all", FORWARD_ALLOW }, 984 { "no", FORWARD_DENY }, 985 { "remote", FORWARD_REMOTE }, 986 { "local", FORWARD_LOCAL }, 987 { NULL, -1 } 988 }; 989 990 int 991 process_server_config_line(ServerOptions *options, char *line, 992 const char *filename, int linenum, int *activep, 993 struct connection_info *connectinfo) 994 { 995 char *cp, **charptr, *arg, *arg2, *p; 996 int cmdline = 0, *intptr, value, value2, n, port; 997 SyslogFacility *log_facility_ptr; 998 LogLevel *log_level_ptr; 999 ServerOpCodes opcode; 1000 u_int i, flags = 0; 1001 size_t len; 1002 long long val64; 1003 const struct multistate *multistate_ptr; 1004 1005 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */ 1006 if ((len = strlen(line)) == 0) 1007 return 0; 1008 for (len--; len > 0; len--) { 1009 if (strchr(WHITESPACE "\f", line[len]) == NULL) 1010 break; 1011 line[len] = '\0'; 1012 } 1013 1014 cp = line; 1015 if ((arg = strdelim(&cp)) == NULL) 1016 return 0; 1017 /* Ignore leading whitespace */ 1018 if (*arg == '\0') 1019 arg = strdelim(&cp); 1020 if (!arg || !*arg || *arg == '#') 1021 return 0; 1022 intptr = NULL; 1023 charptr = NULL; 1024 opcode = parse_token(arg, filename, linenum, &flags); 1025 1026 if (activep == NULL) { /* We are processing a command line directive */ 1027 cmdline = 1; 1028 activep = &cmdline; 1029 } 1030 if (*activep && opcode != sMatch) 1031 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 1032 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 1033 if (connectinfo == NULL) { 1034 fatal("%s line %d: Directive '%s' is not allowed " 1035 "within a Match block", filename, linenum, arg); 1036 } else { /* this is a directive we have already processed */ 1037 while (arg) 1038 arg = strdelim(&cp); 1039 return 0; 1040 } 1041 } 1042 1043 switch (opcode) { 1044 /* Portable-specific options */ 1045 case sUsePAM: 1046 intptr = &options->use_pam; 1047 goto parse_flag; 1048 1049 /* Standard Options */ 1050 case sBadOption: 1051 return -1; 1052 case sPort: 1053 /* ignore ports from configfile if cmdline specifies ports */ 1054 if (options->ports_from_cmdline) 1055 return 0; 1056 if (options->num_ports >= MAX_PORTS) 1057 fatal("%s line %d: too many ports.", 1058 filename, linenum); 1059 arg = strdelim(&cp); 1060 if (!arg || *arg == '\0') 1061 fatal("%s line %d: missing port number.", 1062 filename, linenum); 1063 options->ports[options->num_ports++] = a2port(arg); 1064 if (options->ports[options->num_ports-1] <= 0) 1065 fatal("%s line %d: Badly formatted port number.", 1066 filename, linenum); 1067 break; 1068 1069 case sLoginGraceTime: 1070 intptr = &options->login_grace_time; 1071 parse_time: 1072 arg = strdelim(&cp); 1073 if (!arg || *arg == '\0') 1074 fatal("%s line %d: missing time value.", 1075 filename, linenum); 1076 if ((value = convtime(arg)) == -1) 1077 fatal("%s line %d: invalid time value.", 1078 filename, linenum); 1079 if (*activep && *intptr == -1) 1080 *intptr = value; 1081 break; 1082 1083 case sListenAddress: 1084 arg = strdelim(&cp); 1085 if (arg == NULL || *arg == '\0') 1086 fatal("%s line %d: missing address", 1087 filename, linenum); 1088 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 1089 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 1090 && strchr(p+1, ':') != NULL) { 1091 queue_listen_addr(options, arg, 0); 1092 break; 1093 } 1094 p = hpdelim(&arg); 1095 if (p == NULL) 1096 fatal("%s line %d: bad address:port usage", 1097 filename, linenum); 1098 p = cleanhostname(p); 1099 if (arg == NULL) 1100 port = 0; 1101 else if ((port = a2port(arg)) <= 0) 1102 fatal("%s line %d: bad port number", filename, linenum); 1103 1104 queue_listen_addr(options, p, port); 1105 1106 break; 1107 1108 case sAddressFamily: 1109 intptr = &options->address_family; 1110 multistate_ptr = multistate_addressfamily; 1111 parse_multistate: 1112 arg = strdelim(&cp); 1113 if (!arg || *arg == '\0') 1114 fatal("%s line %d: missing argument.", 1115 filename, linenum); 1116 value = -1; 1117 for (i = 0; multistate_ptr[i].key != NULL; i++) { 1118 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 1119 value = multistate_ptr[i].value; 1120 break; 1121 } 1122 } 1123 if (value == -1) 1124 fatal("%s line %d: unsupported option \"%s\".", 1125 filename, linenum, arg); 1126 if (*activep && *intptr == -1) 1127 *intptr = value; 1128 break; 1129 1130 case sHostKeyFile: 1131 intptr = &options->num_host_key_files; 1132 if (*intptr >= MAX_HOSTKEYS) 1133 fatal("%s line %d: too many host keys specified (max %d).", 1134 filename, linenum, MAX_HOSTKEYS); 1135 charptr = &options->host_key_files[*intptr]; 1136 parse_filename: 1137 arg = strdelim(&cp); 1138 if (!arg || *arg == '\0') 1139 fatal("%s line %d: missing file name.", 1140 filename, linenum); 1141 if (*activep && *charptr == NULL) { 1142 *charptr = derelativise_path(arg); 1143 /* increase optional counter */ 1144 if (intptr != NULL) 1145 *intptr = *intptr + 1; 1146 } 1147 break; 1148 1149 case sHostKeyAgent: 1150 charptr = &options->host_key_agent; 1151 arg = strdelim(&cp); 1152 if (!arg || *arg == '\0') 1153 fatal("%s line %d: missing socket name.", 1154 filename, linenum); 1155 if (*activep && *charptr == NULL) 1156 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? 1157 xstrdup(arg) : derelativise_path(arg); 1158 break; 1159 1160 case sHostCertificate: 1161 intptr = &options->num_host_cert_files; 1162 if (*intptr >= MAX_HOSTKEYS) 1163 fatal("%s line %d: too many host certificates " 1164 "specified (max %d).", filename, linenum, 1165 MAX_HOSTCERTS); 1166 charptr = &options->host_cert_files[*intptr]; 1167 goto parse_filename; 1168 1169 case sPidFile: 1170 charptr = &options->pid_file; 1171 goto parse_filename; 1172 1173 case sPermitRootLogin: 1174 intptr = &options->permit_root_login; 1175 multistate_ptr = multistate_permitrootlogin; 1176 goto parse_multistate; 1177 1178 case sIgnoreRhosts: 1179 intptr = &options->ignore_rhosts; 1180 parse_flag: 1181 arg = strdelim(&cp); 1182 if (!arg || *arg == '\0') 1183 fatal("%s line %d: missing yes/no argument.", 1184 filename, linenum); 1185 value = 0; /* silence compiler */ 1186 if (strcmp(arg, "yes") == 0) 1187 value = 1; 1188 else if (strcmp(arg, "no") == 0) 1189 value = 0; 1190 else 1191 fatal("%s line %d: Bad yes/no argument: %s", 1192 filename, linenum, arg); 1193 if (*activep && *intptr == -1) 1194 *intptr = value; 1195 break; 1196 1197 case sIgnoreUserKnownHosts: 1198 intptr = &options->ignore_user_known_hosts; 1199 goto parse_flag; 1200 1201 case sHostbasedAuthentication: 1202 intptr = &options->hostbased_authentication; 1203 goto parse_flag; 1204 1205 case sHostbasedUsesNameFromPacketOnly: 1206 intptr = &options->hostbased_uses_name_from_packet_only; 1207 goto parse_flag; 1208 1209 case sHostbasedAcceptedKeyTypes: 1210 charptr = &options->hostbased_key_types; 1211 parse_keytypes: 1212 arg = strdelim(&cp); 1213 if (!arg || *arg == '\0') 1214 fatal("%s line %d: Missing argument.", 1215 filename, linenum); 1216 if (*arg != '-' && 1217 !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 1218 fatal("%s line %d: Bad key types '%s'.", 1219 filename, linenum, arg ? arg : "<NONE>"); 1220 if (*activep && *charptr == NULL) 1221 *charptr = xstrdup(arg); 1222 break; 1223 1224 case sHostKeyAlgorithms: 1225 charptr = &options->hostkeyalgorithms; 1226 goto parse_keytypes; 1227 1228 case sPubkeyAuthentication: 1229 intptr = &options->pubkey_authentication; 1230 goto parse_flag; 1231 1232 case sPubkeyAcceptedKeyTypes: 1233 charptr = &options->pubkey_key_types; 1234 goto parse_keytypes; 1235 1236 case sKerberosAuthentication: 1237 intptr = &options->kerberos_authentication; 1238 goto parse_flag; 1239 1240 case sKerberosOrLocalPasswd: 1241 intptr = &options->kerberos_or_local_passwd; 1242 goto parse_flag; 1243 1244 case sKerberosTicketCleanup: 1245 intptr = &options->kerberos_ticket_cleanup; 1246 goto parse_flag; 1247 1248 case sKerberosGetAFSToken: 1249 intptr = &options->kerberos_get_afs_token; 1250 goto parse_flag; 1251 1252 case sGssAuthentication: 1253 intptr = &options->gss_authentication; 1254 goto parse_flag; 1255 1256 case sGssCleanupCreds: 1257 intptr = &options->gss_cleanup_creds; 1258 goto parse_flag; 1259 1260 case sGssStrictAcceptor: 1261 intptr = &options->gss_strict_acceptor; 1262 goto parse_flag; 1263 1264 case sPasswordAuthentication: 1265 intptr = &options->password_authentication; 1266 goto parse_flag; 1267 1268 case sKbdInteractiveAuthentication: 1269 intptr = &options->kbd_interactive_authentication; 1270 goto parse_flag; 1271 1272 case sChallengeResponseAuthentication: 1273 intptr = &options->challenge_response_authentication; 1274 goto parse_flag; 1275 1276 case sPrintMotd: 1277 intptr = &options->print_motd; 1278 goto parse_flag; 1279 1280 case sPrintLastLog: 1281 intptr = &options->print_lastlog; 1282 goto parse_flag; 1283 1284 case sX11Forwarding: 1285 intptr = &options->x11_forwarding; 1286 goto parse_flag; 1287 1288 case sX11DisplayOffset: 1289 intptr = &options->x11_display_offset; 1290 parse_int: 1291 arg = strdelim(&cp); 1292 if (!arg || *arg == '\0') 1293 fatal("%s line %d: missing integer value.", 1294 filename, linenum); 1295 value = atoi(arg); 1296 if (*activep && *intptr == -1) 1297 *intptr = value; 1298 break; 1299 1300 case sX11UseLocalhost: 1301 intptr = &options->x11_use_localhost; 1302 goto parse_flag; 1303 1304 case sXAuthLocation: 1305 charptr = &options->xauth_location; 1306 goto parse_filename; 1307 1308 case sPermitTTY: 1309 intptr = &options->permit_tty; 1310 goto parse_flag; 1311 1312 case sPermitUserRC: 1313 intptr = &options->permit_user_rc; 1314 goto parse_flag; 1315 1316 case sStrictModes: 1317 intptr = &options->strict_modes; 1318 goto parse_flag; 1319 1320 case sTCPKeepAlive: 1321 intptr = &options->tcp_keep_alive; 1322 goto parse_flag; 1323 1324 case sEmptyPasswd: 1325 intptr = &options->permit_empty_passwd; 1326 goto parse_flag; 1327 1328 case sPermitUserEnvironment: 1329 intptr = &options->permit_user_env; 1330 goto parse_flag; 1331 1332 case sCompression: 1333 intptr = &options->compression; 1334 multistate_ptr = multistate_compression; 1335 goto parse_multistate; 1336 1337 case sRekeyLimit: 1338 arg = strdelim(&cp); 1339 if (!arg || *arg == '\0') 1340 fatal("%.200s line %d: Missing argument.", filename, 1341 linenum); 1342 if (strcmp(arg, "default") == 0) { 1343 val64 = 0; 1344 } else { 1345 if (scan_scaled(arg, &val64) == -1) 1346 fatal("%.200s line %d: Bad number '%s': %s", 1347 filename, linenum, arg, strerror(errno)); 1348 if (val64 != 0 && val64 < 16) 1349 fatal("%.200s line %d: RekeyLimit too small", 1350 filename, linenum); 1351 } 1352 if (*activep && options->rekey_limit == -1) 1353 options->rekey_limit = val64; 1354 if (cp != NULL) { /* optional rekey interval present */ 1355 if (strcmp(cp, "none") == 0) { 1356 (void)strdelim(&cp); /* discard */ 1357 break; 1358 } 1359 intptr = &options->rekey_interval; 1360 goto parse_time; 1361 } 1362 break; 1363 1364 case sGatewayPorts: 1365 intptr = &options->fwd_opts.gateway_ports; 1366 multistate_ptr = multistate_gatewayports; 1367 goto parse_multistate; 1368 1369 case sUseDNS: 1370 intptr = &options->use_dns; 1371 goto parse_flag; 1372 1373 case sLogFacility: 1374 log_facility_ptr = &options->log_facility; 1375 arg = strdelim(&cp); 1376 value = log_facility_number(arg); 1377 if (value == SYSLOG_FACILITY_NOT_SET) 1378 fatal("%.200s line %d: unsupported log facility '%s'", 1379 filename, linenum, arg ? arg : "<NONE>"); 1380 if (*log_facility_ptr == -1) 1381 *log_facility_ptr = (SyslogFacility) value; 1382 break; 1383 1384 case sLogLevel: 1385 log_level_ptr = &options->log_level; 1386 arg = strdelim(&cp); 1387 value = log_level_number(arg); 1388 if (value == SYSLOG_LEVEL_NOT_SET) 1389 fatal("%.200s line %d: unsupported log level '%s'", 1390 filename, linenum, arg ? arg : "<NONE>"); 1391 if (*activep && *log_level_ptr == -1) 1392 *log_level_ptr = (LogLevel) value; 1393 break; 1394 1395 case sAllowTcpForwarding: 1396 intptr = &options->allow_tcp_forwarding; 1397 multistate_ptr = multistate_tcpfwd; 1398 goto parse_multistate; 1399 1400 case sAllowStreamLocalForwarding: 1401 intptr = &options->allow_streamlocal_forwarding; 1402 multistate_ptr = multistate_tcpfwd; 1403 goto parse_multistate; 1404 1405 case sAllowAgentForwarding: 1406 intptr = &options->allow_agent_forwarding; 1407 goto parse_flag; 1408 1409 case sDisableForwarding: 1410 intptr = &options->disable_forwarding; 1411 goto parse_flag; 1412 1413 case sAllowUsers: 1414 while ((arg = strdelim(&cp)) && *arg != '\0') { 1415 if (options->num_allow_users >= MAX_ALLOW_USERS) 1416 fatal("%s line %d: too many allow users.", 1417 filename, linenum); 1418 if (match_user(NULL, NULL, NULL, arg) == -1) 1419 fatal("%s line %d: invalid AllowUsers pattern: " 1420 "\"%.100s\"", filename, linenum, arg); 1421 if (!*activep) 1422 continue; 1423 options->allow_users[options->num_allow_users++] = 1424 xstrdup(arg); 1425 } 1426 break; 1427 1428 case sDenyUsers: 1429 while ((arg = strdelim(&cp)) && *arg != '\0') { 1430 if (options->num_deny_users >= MAX_DENY_USERS) 1431 fatal("%s line %d: too many deny users.", 1432 filename, linenum); 1433 if (match_user(NULL, NULL, NULL, arg) == -1) 1434 fatal("%s line %d: invalid DenyUsers pattern: " 1435 "\"%.100s\"", filename, linenum, arg); 1436 if (!*activep) 1437 continue; 1438 options->deny_users[options->num_deny_users++] = 1439 xstrdup(arg); 1440 } 1441 break; 1442 1443 case sAllowGroups: 1444 while ((arg = strdelim(&cp)) && *arg != '\0') { 1445 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1446 fatal("%s line %d: too many allow groups.", 1447 filename, linenum); 1448 if (!*activep) 1449 continue; 1450 options->allow_groups[options->num_allow_groups++] = 1451 xstrdup(arg); 1452 } 1453 break; 1454 1455 case sDenyGroups: 1456 while ((arg = strdelim(&cp)) && *arg != '\0') { 1457 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1458 fatal("%s line %d: too many deny groups.", 1459 filename, linenum); 1460 if (!*activep) 1461 continue; 1462 options->deny_groups[options->num_deny_groups++] = 1463 xstrdup(arg); 1464 } 1465 break; 1466 1467 case sCiphers: 1468 arg = strdelim(&cp); 1469 if (!arg || *arg == '\0') 1470 fatal("%s line %d: Missing argument.", filename, linenum); 1471 if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) 1472 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1473 filename, linenum, arg ? arg : "<NONE>"); 1474 if (options->ciphers == NULL) 1475 options->ciphers = xstrdup(arg); 1476 break; 1477 1478 case sMacs: 1479 arg = strdelim(&cp); 1480 if (!arg || *arg == '\0') 1481 fatal("%s line %d: Missing argument.", filename, linenum); 1482 if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) 1483 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1484 filename, linenum, arg ? arg : "<NONE>"); 1485 if (options->macs == NULL) 1486 options->macs = xstrdup(arg); 1487 break; 1488 1489 case sKexAlgorithms: 1490 arg = strdelim(&cp); 1491 if (!arg || *arg == '\0') 1492 fatal("%s line %d: Missing argument.", 1493 filename, linenum); 1494 if (*arg != '-' && 1495 !kex_names_valid(*arg == '+' ? arg + 1 : arg)) 1496 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1497 filename, linenum, arg ? arg : "<NONE>"); 1498 if (options->kex_algorithms == NULL) 1499 options->kex_algorithms = xstrdup(arg); 1500 break; 1501 1502 case sSubsystem: 1503 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1504 fatal("%s line %d: too many subsystems defined.", 1505 filename, linenum); 1506 } 1507 arg = strdelim(&cp); 1508 if (!arg || *arg == '\0') 1509 fatal("%s line %d: Missing subsystem name.", 1510 filename, linenum); 1511 if (!*activep) { 1512 arg = strdelim(&cp); 1513 break; 1514 } 1515 for (i = 0; i < options->num_subsystems; i++) 1516 if (strcmp(arg, options->subsystem_name[i]) == 0) 1517 fatal("%s line %d: Subsystem '%s' already defined.", 1518 filename, linenum, arg); 1519 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1520 arg = strdelim(&cp); 1521 if (!arg || *arg == '\0') 1522 fatal("%s line %d: Missing subsystem command.", 1523 filename, linenum); 1524 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1525 1526 /* Collect arguments (separate to executable) */ 1527 p = xstrdup(arg); 1528 len = strlen(p) + 1; 1529 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1530 len += 1 + strlen(arg); 1531 p = xreallocarray(p, 1, len); 1532 strlcat(p, " ", len); 1533 strlcat(p, arg, len); 1534 } 1535 options->subsystem_args[options->num_subsystems] = p; 1536 options->num_subsystems++; 1537 break; 1538 1539 case sMaxStartups: 1540 arg = strdelim(&cp); 1541 if (!arg || *arg == '\0') 1542 fatal("%s line %d: Missing MaxStartups spec.", 1543 filename, linenum); 1544 if ((n = sscanf(arg, "%d:%d:%d", 1545 &options->max_startups_begin, 1546 &options->max_startups_rate, 1547 &options->max_startups)) == 3) { 1548 if (options->max_startups_begin > 1549 options->max_startups || 1550 options->max_startups_rate > 100 || 1551 options->max_startups_rate < 1) 1552 fatal("%s line %d: Illegal MaxStartups spec.", 1553 filename, linenum); 1554 } else if (n != 1) 1555 fatal("%s line %d: Illegal MaxStartups spec.", 1556 filename, linenum); 1557 else 1558 options->max_startups = options->max_startups_begin; 1559 break; 1560 1561 case sMaxAuthTries: 1562 intptr = &options->max_authtries; 1563 goto parse_int; 1564 1565 case sMaxSessions: 1566 intptr = &options->max_sessions; 1567 goto parse_int; 1568 1569 case sBanner: 1570 charptr = &options->banner; 1571 goto parse_filename; 1572 1573 /* 1574 * These options can contain %X options expanded at 1575 * connect time, so that you can specify paths like: 1576 * 1577 * AuthorizedKeysFile /etc/ssh_keys/%u 1578 */ 1579 case sAuthorizedKeysFile: 1580 if (*activep && options->num_authkeys_files == 0) { 1581 while ((arg = strdelim(&cp)) && *arg != '\0') { 1582 if (options->num_authkeys_files >= 1583 MAX_AUTHKEYS_FILES) 1584 fatal("%s line %d: " 1585 "too many authorized keys files.", 1586 filename, linenum); 1587 options->authorized_keys_files[ 1588 options->num_authkeys_files++] = 1589 tilde_expand_filename(arg, getuid()); 1590 } 1591 } 1592 return 0; 1593 1594 case sAuthorizedPrincipalsFile: 1595 charptr = &options->authorized_principals_file; 1596 arg = strdelim(&cp); 1597 if (!arg || *arg == '\0') 1598 fatal("%s line %d: missing file name.", 1599 filename, linenum); 1600 if (*activep && *charptr == NULL) { 1601 *charptr = tilde_expand_filename(arg, getuid()); 1602 /* increase optional counter */ 1603 if (intptr != NULL) 1604 *intptr = *intptr + 1; 1605 } 1606 break; 1607 1608 case sClientAliveInterval: 1609 intptr = &options->client_alive_interval; 1610 goto parse_time; 1611 1612 case sClientAliveCountMax: 1613 intptr = &options->client_alive_count_max; 1614 goto parse_int; 1615 1616 case sAcceptEnv: 1617 while ((arg = strdelim(&cp)) && *arg != '\0') { 1618 if (strchr(arg, '=') != NULL) 1619 fatal("%s line %d: Invalid environment name.", 1620 filename, linenum); 1621 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1622 fatal("%s line %d: too many allow env.", 1623 filename, linenum); 1624 if (!*activep) 1625 continue; 1626 options->accept_env[options->num_accept_env++] = 1627 xstrdup(arg); 1628 } 1629 break; 1630 1631 case sPermitTunnel: 1632 intptr = &options->permit_tun; 1633 arg = strdelim(&cp); 1634 if (!arg || *arg == '\0') 1635 fatal("%s line %d: Missing yes/point-to-point/" 1636 "ethernet/no argument.", filename, linenum); 1637 value = -1; 1638 for (i = 0; tunmode_desc[i].val != -1; i++) 1639 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1640 value = tunmode_desc[i].val; 1641 break; 1642 } 1643 if (value == -1) 1644 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1645 "no argument: %s", filename, linenum, arg); 1646 if (*activep && *intptr == -1) 1647 *intptr = value; 1648 break; 1649 1650 case sMatch: 1651 if (cmdline) 1652 fatal("Match directive not supported as a command-line " 1653 "option"); 1654 value = match_cfg_line(&cp, linenum, connectinfo); 1655 if (value < 0) 1656 fatal("%s line %d: Bad Match condition", filename, 1657 linenum); 1658 *activep = value; 1659 break; 1660 1661 case sPermitOpen: 1662 arg = strdelim(&cp); 1663 if (!arg || *arg == '\0') 1664 fatal("%s line %d: missing PermitOpen specification", 1665 filename, linenum); 1666 value = options->num_permitted_opens; /* modified later */ 1667 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { 1668 if (*activep && value == 0) { 1669 options->num_permitted_opens = 1; 1670 options->permitted_opens = xcalloc(1, 1671 sizeof(*options->permitted_opens)); 1672 options->permitted_opens[0] = xstrdup(arg); 1673 } 1674 break; 1675 } 1676 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1677 arg2 = xstrdup(arg); 1678 p = hpdelim(&arg); 1679 if (p == NULL) 1680 fatal("%s line %d: missing host in PermitOpen", 1681 filename, linenum); 1682 p = cleanhostname(p); 1683 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1684 fatal("%s line %d: bad port number in " 1685 "PermitOpen", filename, linenum); 1686 if (*activep && value == 0) { 1687 options->permitted_opens = xrecallocarray( 1688 options->permitted_opens, 1689 options->num_permitted_opens, 1690 options->num_permitted_opens + 1, 1691 sizeof(*options->permitted_opens)); 1692 i = options->num_permitted_opens++; 1693 options->permitted_opens[i] = arg2; 1694 } else 1695 free(arg2); 1696 } 1697 break; 1698 1699 case sForceCommand: 1700 if (cp == NULL || *cp == '\0') 1701 fatal("%.200s line %d: Missing argument.", filename, 1702 linenum); 1703 len = strspn(cp, WHITESPACE); 1704 if (*activep && options->adm_forced_command == NULL) 1705 options->adm_forced_command = xstrdup(cp + len); 1706 return 0; 1707 1708 case sChrootDirectory: 1709 charptr = &options->chroot_directory; 1710 1711 arg = strdelim(&cp); 1712 if (!arg || *arg == '\0') 1713 fatal("%s line %d: missing file name.", 1714 filename, linenum); 1715 if (*activep && *charptr == NULL) 1716 *charptr = xstrdup(arg); 1717 break; 1718 1719 case sTrustedUserCAKeys: 1720 charptr = &options->trusted_user_ca_keys; 1721 goto parse_filename; 1722 1723 case sRevokedKeys: 1724 charptr = &options->revoked_keys_file; 1725 goto parse_filename; 1726 1727 case sIPQoS: 1728 arg = strdelim(&cp); 1729 if ((value = parse_ipqos(arg)) == -1) 1730 fatal("%s line %d: Bad IPQoS value: %s", 1731 filename, linenum, arg); 1732 arg = strdelim(&cp); 1733 if (arg == NULL) 1734 value2 = value; 1735 else if ((value2 = parse_ipqos(arg)) == -1) 1736 fatal("%s line %d: Bad IPQoS value: %s", 1737 filename, linenum, arg); 1738 if (*activep) { 1739 options->ip_qos_interactive = value; 1740 options->ip_qos_bulk = value2; 1741 } 1742 break; 1743 1744 case sVersionAddendum: 1745 if (cp == NULL || *cp == '\0') 1746 fatal("%.200s line %d: Missing argument.", filename, 1747 linenum); 1748 len = strspn(cp, WHITESPACE); 1749 if (*activep && options->version_addendum == NULL) { 1750 if (strcasecmp(cp + len, "none") == 0) 1751 options->version_addendum = xstrdup(""); 1752 else if (strchr(cp + len, '\r') != NULL) 1753 fatal("%.200s line %d: Invalid argument", 1754 filename, linenum); 1755 else 1756 options->version_addendum = xstrdup(cp + len); 1757 } 1758 return 0; 1759 1760 case sAuthorizedKeysCommand: 1761 if (cp == NULL) 1762 fatal("%.200s line %d: Missing argument.", filename, 1763 linenum); 1764 len = strspn(cp, WHITESPACE); 1765 if (*activep && options->authorized_keys_command == NULL) { 1766 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1767 fatal("%.200s line %d: AuthorizedKeysCommand " 1768 "must be an absolute path", 1769 filename, linenum); 1770 options->authorized_keys_command = xstrdup(cp + len); 1771 } 1772 return 0; 1773 1774 case sAuthorizedKeysCommandUser: 1775 charptr = &options->authorized_keys_command_user; 1776 1777 arg = strdelim(&cp); 1778 if (!arg || *arg == '\0') 1779 fatal("%s line %d: missing AuthorizedKeysCommandUser " 1780 "argument.", filename, linenum); 1781 if (*activep && *charptr == NULL) 1782 *charptr = xstrdup(arg); 1783 break; 1784 1785 case sAuthorizedPrincipalsCommand: 1786 if (cp == NULL) 1787 fatal("%.200s line %d: Missing argument.", filename, 1788 linenum); 1789 len = strspn(cp, WHITESPACE); 1790 if (*activep && 1791 options->authorized_principals_command == NULL) { 1792 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1793 fatal("%.200s line %d: " 1794 "AuthorizedPrincipalsCommand must be " 1795 "an absolute path", filename, linenum); 1796 options->authorized_principals_command = 1797 xstrdup(cp + len); 1798 } 1799 return 0; 1800 1801 case sAuthorizedPrincipalsCommandUser: 1802 charptr = &options->authorized_principals_command_user; 1803 1804 arg = strdelim(&cp); 1805 if (!arg || *arg == '\0') 1806 fatal("%s line %d: missing " 1807 "AuthorizedPrincipalsCommandUser argument.", 1808 filename, linenum); 1809 if (*activep && *charptr == NULL) 1810 *charptr = xstrdup(arg); 1811 break; 1812 1813 case sAuthenticationMethods: 1814 if (options->num_auth_methods == 0) { 1815 value = 0; /* seen "any" pseudo-method */ 1816 value2 = 0; /* sucessfully parsed any method */ 1817 while ((arg = strdelim(&cp)) && *arg != '\0') { 1818 if (options->num_auth_methods >= 1819 MAX_AUTH_METHODS) 1820 fatal("%s line %d: " 1821 "too many authentication methods.", 1822 filename, linenum); 1823 if (strcmp(arg, "any") == 0) { 1824 if (options->num_auth_methods > 0) { 1825 fatal("%s line %d: \"any\" " 1826 "must appear alone in " 1827 "AuthenticationMethods", 1828 filename, linenum); 1829 } 1830 value = 1; 1831 } else if (value) { 1832 fatal("%s line %d: \"any\" must appear " 1833 "alone in AuthenticationMethods", 1834 filename, linenum); 1835 } else if (auth2_methods_valid(arg, 0) != 0) { 1836 fatal("%s line %d: invalid " 1837 "authentication method list.", 1838 filename, linenum); 1839 } 1840 value2 = 1; 1841 if (!*activep) 1842 continue; 1843 options->auth_methods[ 1844 options->num_auth_methods++] = xstrdup(arg); 1845 } 1846 if (value2 == 0) { 1847 fatal("%s line %d: no AuthenticationMethods " 1848 "specified", filename, linenum); 1849 } 1850 } 1851 return 0; 1852 1853 case sStreamLocalBindMask: 1854 arg = strdelim(&cp); 1855 if (!arg || *arg == '\0') 1856 fatal("%s line %d: missing StreamLocalBindMask " 1857 "argument.", filename, linenum); 1858 /* Parse mode in octal format */ 1859 value = strtol(arg, &p, 8); 1860 if (arg == p || value < 0 || value > 0777) 1861 fatal("%s line %d: Bad mask.", filename, linenum); 1862 if (*activep) 1863 options->fwd_opts.streamlocal_bind_mask = (mode_t)value; 1864 break; 1865 1866 case sStreamLocalBindUnlink: 1867 intptr = &options->fwd_opts.streamlocal_bind_unlink; 1868 goto parse_flag; 1869 1870 case sFingerprintHash: 1871 arg = strdelim(&cp); 1872 if (!arg || *arg == '\0') 1873 fatal("%.200s line %d: Missing argument.", 1874 filename, linenum); 1875 if ((value = ssh_digest_alg_by_name(arg)) == -1) 1876 fatal("%.200s line %d: Invalid hash algorithm \"%s\".", 1877 filename, linenum, arg); 1878 if (*activep) 1879 options->fingerprint_hash = value; 1880 break; 1881 1882 case sExposeAuthInfo: 1883 intptr = &options->expose_userauth_info; 1884 goto parse_flag; 1885 1886 case sDeprecated: 1887 case sIgnore: 1888 case sUnsupported: 1889 do_log2(opcode == sIgnore ? 1890 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO, 1891 "%s line %d: %s option %s", filename, linenum, 1892 opcode == sUnsupported ? "Unsupported" : "Deprecated", arg); 1893 while (arg) 1894 arg = strdelim(&cp); 1895 break; 1896 1897 default: 1898 fatal("%s line %d: Missing handler for opcode %s (%d)", 1899 filename, linenum, arg, opcode); 1900 } 1901 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1902 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1903 filename, linenum, arg); 1904 return 0; 1905 } 1906 1907 /* Reads the server configuration file. */ 1908 1909 void 1910 load_server_config(const char *filename, Buffer *conf) 1911 { 1912 char line[4096], *cp; 1913 FILE *f; 1914 int lineno = 0; 1915 1916 debug2("%s: filename %s", __func__, filename); 1917 if ((f = fopen(filename, "r")) == NULL) { 1918 perror(filename); 1919 exit(1); 1920 } 1921 buffer_clear(conf); 1922 while (fgets(line, sizeof(line), f)) { 1923 lineno++; 1924 if (strlen(line) == sizeof(line) - 1) 1925 fatal("%s line %d too long", filename, lineno); 1926 /* 1927 * Trim out comments and strip whitespace 1928 * NB - preserve newlines, they are needed to reproduce 1929 * line numbers later for error messages 1930 */ 1931 if ((cp = strchr(line, '#')) != NULL) 1932 memcpy(cp, "\n", 2); 1933 cp = line + strspn(line, " \t\r"); 1934 1935 buffer_append(conf, cp, strlen(cp)); 1936 } 1937 buffer_append(conf, "\0", 1); 1938 fclose(f); 1939 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1940 } 1941 1942 void 1943 parse_server_match_config(ServerOptions *options, 1944 struct connection_info *connectinfo) 1945 { 1946 ServerOptions mo; 1947 1948 initialize_server_options(&mo); 1949 parse_server_config(&mo, "reprocess config", &cfg, connectinfo); 1950 copy_set_server_options(options, &mo, 0); 1951 } 1952 1953 int parse_server_match_testspec(struct connection_info *ci, char *spec) 1954 { 1955 char *p; 1956 1957 while ((p = strsep(&spec, ",")) && *p != '\0') { 1958 if (strncmp(p, "addr=", 5) == 0) { 1959 ci->address = xstrdup(p + 5); 1960 } else if (strncmp(p, "host=", 5) == 0) { 1961 ci->host = xstrdup(p + 5); 1962 } else if (strncmp(p, "user=", 5) == 0) { 1963 ci->user = xstrdup(p + 5); 1964 } else if (strncmp(p, "laddr=", 6) == 0) { 1965 ci->laddress = xstrdup(p + 6); 1966 } else if (strncmp(p, "lport=", 6) == 0) { 1967 ci->lport = a2port(p + 6); 1968 if (ci->lport == -1) { 1969 fprintf(stderr, "Invalid port '%s' in test mode" 1970 " specification %s\n", p+6, p); 1971 return -1; 1972 } 1973 } else { 1974 fprintf(stderr, "Invalid test mode specification %s\n", 1975 p); 1976 return -1; 1977 } 1978 } 1979 return 0; 1980 } 1981 1982 /* 1983 * returns 1 for a complete spec, 0 for partial spec and -1 for an 1984 * empty spec. 1985 */ 1986 int server_match_spec_complete(struct connection_info *ci) 1987 { 1988 if (ci->user && ci->host && ci->address) 1989 return 1; /* complete */ 1990 if (!ci->user && !ci->host && !ci->address) 1991 return -1; /* empty */ 1992 return 0; /* partial */ 1993 } 1994 1995 /* 1996 * Copy any supported values that are set. 1997 * 1998 * If the preauth flag is set, we do not bother copying the string or 1999 * array values that are not used pre-authentication, because any that we 2000 * do use must be explictly sent in mm_getpwnamallow(). 2001 */ 2002 void 2003 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 2004 { 2005 #define M_CP_INTOPT(n) do {\ 2006 if (src->n != -1) \ 2007 dst->n = src->n; \ 2008 } while (0) 2009 2010 M_CP_INTOPT(password_authentication); 2011 M_CP_INTOPT(gss_authentication); 2012 M_CP_INTOPT(pubkey_authentication); 2013 M_CP_INTOPT(kerberos_authentication); 2014 M_CP_INTOPT(hostbased_authentication); 2015 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 2016 M_CP_INTOPT(kbd_interactive_authentication); 2017 M_CP_INTOPT(permit_root_login); 2018 M_CP_INTOPT(permit_empty_passwd); 2019 2020 M_CP_INTOPT(allow_tcp_forwarding); 2021 M_CP_INTOPT(allow_streamlocal_forwarding); 2022 M_CP_INTOPT(allow_agent_forwarding); 2023 M_CP_INTOPT(disable_forwarding); 2024 M_CP_INTOPT(expose_userauth_info); 2025 M_CP_INTOPT(permit_tun); 2026 M_CP_INTOPT(fwd_opts.gateway_ports); 2027 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); 2028 M_CP_INTOPT(x11_display_offset); 2029 M_CP_INTOPT(x11_forwarding); 2030 M_CP_INTOPT(x11_use_localhost); 2031 M_CP_INTOPT(permit_tty); 2032 M_CP_INTOPT(permit_user_rc); 2033 M_CP_INTOPT(max_sessions); 2034 M_CP_INTOPT(max_authtries); 2035 M_CP_INTOPT(client_alive_count_max); 2036 M_CP_INTOPT(client_alive_interval); 2037 M_CP_INTOPT(ip_qos_interactive); 2038 M_CP_INTOPT(ip_qos_bulk); 2039 M_CP_INTOPT(rekey_limit); 2040 M_CP_INTOPT(rekey_interval); 2041 M_CP_INTOPT(log_level); 2042 2043 /* 2044 * The bind_mask is a mode_t that may be unsigned, so we can't use 2045 * M_CP_INTOPT - it does a signed comparison that causes compiler 2046 * warnings. 2047 */ 2048 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) { 2049 dst->fwd_opts.streamlocal_bind_mask = 2050 src->fwd_opts.streamlocal_bind_mask; 2051 } 2052 2053 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ 2054 #define M_CP_STROPT(n) do {\ 2055 if (src->n != NULL && dst->n != src->n) { \ 2056 free(dst->n); \ 2057 dst->n = src->n; \ 2058 } \ 2059 } while(0) 2060 #define M_CP_STRARRAYOPT(n, num_n) do {\ 2061 if (src->num_n != 0) { \ 2062 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 2063 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 2064 } \ 2065 } while(0) 2066 #define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \ 2067 if (src->num_n != 0) { \ 2068 dst->n = xcalloc(src->num_n, sizeof(*dst->n)); \ 2069 M_CP_STRARRAYOPT(n, num_n); \ 2070 dst->num_n = src->num_n; \ 2071 } \ 2072 } while(0) 2073 2074 /* See comment in servconf.h */ 2075 COPY_MATCH_STRING_OPTS(); 2076 2077 /* Arguments that accept '+...' need to be expanded */ 2078 assemble_algorithms(dst); 2079 2080 /* 2081 * The only things that should be below this point are string options 2082 * which are only used after authentication. 2083 */ 2084 if (preauth) 2085 return; 2086 2087 /* These options may be "none" to clear a global setting */ 2088 M_CP_STROPT(adm_forced_command); 2089 if (option_clear_or_none(dst->adm_forced_command)) { 2090 free(dst->adm_forced_command); 2091 dst->adm_forced_command = NULL; 2092 } 2093 M_CP_STROPT(chroot_directory); 2094 if (option_clear_or_none(dst->chroot_directory)) { 2095 free(dst->chroot_directory); 2096 dst->chroot_directory = NULL; 2097 } 2098 } 2099 2100 #undef M_CP_INTOPT 2101 #undef M_CP_STROPT 2102 #undef M_CP_STRARRAYOPT 2103 #undef M_CP_STRARRAYOPT_ALLOC 2104 2105 void 2106 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 2107 struct connection_info *connectinfo) 2108 { 2109 int active, linenum, bad_options = 0; 2110 char *cp, *obuf, *cbuf; 2111 2112 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 2113 2114 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) 2115 fatal("%s: sshbuf_dup_string failed", __func__); 2116 active = connectinfo ? 0 : 1; 2117 linenum = 1; 2118 while ((cp = strsep(&cbuf, "\n")) != NULL) { 2119 if (process_server_config_line(options, cp, filename, 2120 linenum++, &active, connectinfo) != 0) 2121 bad_options++; 2122 } 2123 free(obuf); 2124 if (bad_options > 0) 2125 fatal("%s: terminating, %d bad configuration options", 2126 filename, bad_options); 2127 process_queued_listen_addrs(options); 2128 } 2129 2130 static const char * 2131 fmt_multistate_int(int val, const struct multistate *m) 2132 { 2133 u_int i; 2134 2135 for (i = 0; m[i].key != NULL; i++) { 2136 if (m[i].value == val) 2137 return m[i].key; 2138 } 2139 return "UNKNOWN"; 2140 } 2141 2142 static const char * 2143 fmt_intarg(ServerOpCodes code, int val) 2144 { 2145 if (val == -1) 2146 return "unset"; 2147 switch (code) { 2148 case sAddressFamily: 2149 return fmt_multistate_int(val, multistate_addressfamily); 2150 case sPermitRootLogin: 2151 return fmt_multistate_int(val, multistate_permitrootlogin); 2152 case sGatewayPorts: 2153 return fmt_multistate_int(val, multistate_gatewayports); 2154 case sCompression: 2155 return fmt_multistate_int(val, multistate_compression); 2156 case sAllowTcpForwarding: 2157 return fmt_multistate_int(val, multistate_tcpfwd); 2158 case sAllowStreamLocalForwarding: 2159 return fmt_multistate_int(val, multistate_tcpfwd); 2160 case sFingerprintHash: 2161 return ssh_digest_alg_name(val); 2162 default: 2163 switch (val) { 2164 case 0: 2165 return "no"; 2166 case 1: 2167 return "yes"; 2168 default: 2169 return "UNKNOWN"; 2170 } 2171 } 2172 } 2173 2174 static const char * 2175 lookup_opcode_name(ServerOpCodes code) 2176 { 2177 u_int i; 2178 2179 for (i = 0; keywords[i].name != NULL; i++) 2180 if (keywords[i].opcode == code) 2181 return(keywords[i].name); 2182 return "UNKNOWN"; 2183 } 2184 2185 static void 2186 dump_cfg_int(ServerOpCodes code, int val) 2187 { 2188 printf("%s %d\n", lookup_opcode_name(code), val); 2189 } 2190 2191 static void 2192 dump_cfg_oct(ServerOpCodes code, int val) 2193 { 2194 printf("%s 0%o\n", lookup_opcode_name(code), val); 2195 } 2196 2197 static void 2198 dump_cfg_fmtint(ServerOpCodes code, int val) 2199 { 2200 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 2201 } 2202 2203 static void 2204 dump_cfg_string(ServerOpCodes code, const char *val) 2205 { 2206 printf("%s %s\n", lookup_opcode_name(code), 2207 val == NULL ? "none" : val); 2208 } 2209 2210 static void 2211 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 2212 { 2213 u_int i; 2214 2215 for (i = 0; i < count; i++) 2216 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 2217 } 2218 2219 static void 2220 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 2221 { 2222 u_int i; 2223 2224 if (count <= 0 && code != sAuthenticationMethods) 2225 return; 2226 printf("%s", lookup_opcode_name(code)); 2227 for (i = 0; i < count; i++) 2228 printf(" %s", vals[i]); 2229 if (code == sAuthenticationMethods && count == 0) 2230 printf(" any"); 2231 printf("\n"); 2232 } 2233 2234 void 2235 dump_config(ServerOptions *o) 2236 { 2237 u_int i; 2238 int ret; 2239 struct addrinfo *ai; 2240 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 2241 char *laddr1 = xstrdup(""), *laddr2 = NULL; 2242 2243 /* these are usually at the top of the config */ 2244 for (i = 0; i < o->num_ports; i++) 2245 printf("port %d\n", o->ports[i]); 2246 dump_cfg_fmtint(sAddressFamily, o->address_family); 2247 2248 /* 2249 * ListenAddress must be after Port. add_one_listen_addr pushes 2250 * addresses onto a stack, so to maintain ordering we need to 2251 * print these in reverse order. 2252 */ 2253 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 2254 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 2255 sizeof(addr), port, sizeof(port), 2256 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 2257 error("getnameinfo failed: %.100s", 2258 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 2259 strerror(errno)); 2260 } else { 2261 laddr2 = laddr1; 2262 if (ai->ai_family == AF_INET6) 2263 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s", 2264 addr, port, laddr2); 2265 else 2266 xasprintf(&laddr1, "listenaddress %s:%s\n%s", 2267 addr, port, laddr2); 2268 free(laddr2); 2269 } 2270 } 2271 printf("%s", laddr1); 2272 free(laddr1); 2273 2274 /* integer arguments */ 2275 #ifdef USE_PAM 2276 dump_cfg_fmtint(sUsePAM, o->use_pam); 2277 #endif 2278 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 2279 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 2280 dump_cfg_int(sMaxAuthTries, o->max_authtries); 2281 dump_cfg_int(sMaxSessions, o->max_sessions); 2282 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 2283 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 2284 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); 2285 2286 /* formatted integer arguments */ 2287 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 2288 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 2289 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 2290 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 2291 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 2292 o->hostbased_uses_name_from_packet_only); 2293 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 2294 #ifdef KRB5 2295 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 2296 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 2297 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 2298 # ifdef USE_AFS 2299 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 2300 # endif 2301 #endif 2302 #ifdef GSSAPI 2303 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2304 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 2305 #endif 2306 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2307 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2308 o->kbd_interactive_authentication); 2309 dump_cfg_fmtint(sChallengeResponseAuthentication, 2310 o->challenge_response_authentication); 2311 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2312 #ifndef DISABLE_LASTLOG 2313 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2314 #endif 2315 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2316 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2317 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2318 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); 2319 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2320 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2321 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2322 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2323 dump_cfg_fmtint(sCompression, o->compression); 2324 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 2325 dump_cfg_fmtint(sUseDNS, o->use_dns); 2326 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 2327 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); 2328 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); 2329 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); 2330 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); 2331 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); 2332 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); 2333 2334 /* string arguments */ 2335 dump_cfg_string(sPidFile, o->pid_file); 2336 dump_cfg_string(sXAuthLocation, o->xauth_location); 2337 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); 2338 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); 2339 dump_cfg_string(sBanner, o->banner); 2340 dump_cfg_string(sForceCommand, o->adm_forced_command); 2341 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2342 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 2343 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 2344 dump_cfg_string(sAuthorizedPrincipalsFile, 2345 o->authorized_principals_file); 2346 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' 2347 ? "none" : o->version_addendum); 2348 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2349 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2350 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); 2351 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); 2352 dump_cfg_string(sHostKeyAgent, o->host_key_agent); 2353 dump_cfg_string(sKexAlgorithms, 2354 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); 2355 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? 2356 o->hostbased_key_types : KEX_DEFAULT_PK_ALG); 2357 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? 2358 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); 2359 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? 2360 o->pubkey_key_types : KEX_DEFAULT_PK_ALG); 2361 2362 /* string arguments requiring a lookup */ 2363 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2364 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 2365 2366 /* string array arguments */ 2367 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 2368 o->authorized_keys_files); 2369 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 2370 o->host_key_files); 2371 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, 2372 o->host_cert_files); 2373 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 2374 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 2375 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2376 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2377 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2378 dump_cfg_strarray_oneline(sAuthenticationMethods, 2379 o->num_auth_methods, o->auth_methods); 2380 2381 /* other arguments */ 2382 for (i = 0; i < o->num_subsystems; i++) 2383 printf("subsystem %s %s\n", o->subsystem_name[i], 2384 o->subsystem_args[i]); 2385 2386 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 2387 o->max_startups_rate, o->max_startups); 2388 2389 for (i = 0; tunmode_desc[i].val != -1; i++) 2390 if (tunmode_desc[i].val == o->permit_tun) { 2391 s = tunmode_desc[i].text; 2392 break; 2393 } 2394 dump_cfg_string(sPermitTunnel, s); 2395 2396 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2397 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2398 2399 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, 2400 o->rekey_interval); 2401 2402 printf("permitopen"); 2403 if (o->num_permitted_opens == 0) 2404 printf(" any"); 2405 else { 2406 for (i = 0; i < o->num_permitted_opens; i++) 2407 printf(" %s", o->permitted_opens[i]); 2408 } 2409 printf("\n"); 2410 } 2411