1 2 /* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ 3 /* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include "includes.h" 15 16 #include <sys/types.h> 17 #include <sys/socket.h> 18 19 #include <netinet/in.h> 20 #include <netinet/in_systm.h> 21 #include <netinet/ip.h> 22 23 #include <netdb.h> 24 #include <pwd.h> 25 #include <stdio.h> 26 #include <stdlib.h> 27 #include <string.h> 28 #include <signal.h> 29 #include <unistd.h> 30 #include <stdarg.h> 31 #include <errno.h> 32 33 #include "openbsd-compat/sys-queue.h" 34 #include "xmalloc.h" 35 #include "ssh.h" 36 #include "log.h" 37 #include "buffer.h" 38 #include "servconf.h" 39 #include "compat.h" 40 #include "pathnames.h" 41 #include "misc.h" 42 #include "cipher.h" 43 #include "key.h" 44 #include "kex.h" 45 #include "mac.h" 46 #include "match.h" 47 #include "channels.h" 48 #include "groupaccess.h" 49 #include "canohost.h" 50 #include "packet.h" 51 52 static void add_listen_addr(ServerOptions *, char *, int); 53 static void add_one_listen_addr(ServerOptions *, char *, int); 54 55 /* Use of privilege separation or not */ 56 extern int use_privsep; 57 extern Buffer cfg; 58 59 /* Initializes the server options to their default values. */ 60 61 void 62 initialize_server_options(ServerOptions *options) 63 { 64 memset(options, 0, sizeof(*options)); 65 66 /* Portable-specific options */ 67 options->use_pam = -1; 68 69 /* Standard Options */ 70 options->num_ports = 0; 71 options->ports_from_cmdline = 0; 72 options->listen_addrs = NULL; 73 options->address_family = -1; 74 options->num_host_key_files = 0; 75 options->num_host_cert_files = 0; 76 options->pid_file = NULL; 77 options->server_key_bits = -1; 78 options->login_grace_time = -1; 79 options->key_regeneration_time = -1; 80 options->permit_root_login = PERMIT_NOT_SET; 81 options->ignore_rhosts = -1; 82 options->ignore_user_known_hosts = -1; 83 options->print_motd = -1; 84 options->print_lastlog = -1; 85 options->x11_forwarding = -1; 86 options->x11_display_offset = -1; 87 options->x11_use_localhost = -1; 88 options->xauth_location = NULL; 89 options->strict_modes = -1; 90 options->tcp_keep_alive = -1; 91 options->log_facility = SYSLOG_FACILITY_NOT_SET; 92 options->log_level = SYSLOG_LEVEL_NOT_SET; 93 options->rhosts_rsa_authentication = -1; 94 options->hostbased_authentication = -1; 95 options->hostbased_uses_name_from_packet_only = -1; 96 options->rsa_authentication = -1; 97 options->pubkey_authentication = -1; 98 options->kerberos_authentication = -1; 99 options->kerberos_or_local_passwd = -1; 100 options->kerberos_ticket_cleanup = -1; 101 options->kerberos_get_afs_token = -1; 102 options->gss_authentication=-1; 103 options->gss_cleanup_creds = -1; 104 options->password_authentication = -1; 105 options->kbd_interactive_authentication = -1; 106 options->challenge_response_authentication = -1; 107 options->permit_blacklisted_keys = -1; 108 options->permit_empty_passwd = -1; 109 options->permit_user_env = -1; 110 options->use_login = -1; 111 options->compression = -1; 112 options->allow_tcp_forwarding = -1; 113 options->allow_agent_forwarding = -1; 114 options->num_allow_users = 0; 115 options->num_deny_users = 0; 116 options->num_allow_groups = 0; 117 options->num_deny_groups = 0; 118 options->ciphers = NULL; 119 options->macs = NULL; 120 options->kex_algorithms = NULL; 121 options->protocol = SSH_PROTO_UNKNOWN; 122 options->gateway_ports = -1; 123 options->num_subsystems = 0; 124 options->max_startups_begin = -1; 125 options->max_startups_rate = -1; 126 options->max_startups = -1; 127 options->max_authtries = -1; 128 options->max_sessions = -1; 129 options->banner = NULL; 130 options->use_dns = -1; 131 options->client_alive_interval = -1; 132 options->client_alive_count_max = -1; 133 options->num_authkeys_files = 0; 134 options->num_accept_env = 0; 135 options->permit_tun = -1; 136 options->num_permitted_opens = -1; 137 options->adm_forced_command = NULL; 138 options->chroot_directory = NULL; 139 options->zero_knowledge_password_authentication = -1; 140 options->none_enabled = -1; 141 options->tcp_rcv_buf_poll = -1; 142 options->hpn_disabled = -1; 143 options->hpn_buffer_size = -1; 144 options->revoked_keys_file = NULL; 145 options->trusted_user_ca_keys = NULL; 146 options->authorized_principals_file = NULL; 147 options->ip_qos_interactive = -1; 148 options->ip_qos_bulk = -1; 149 options->version_addendum = NULL; 150 } 151 152 void 153 fill_default_server_options(ServerOptions *options) 154 { 155 /* needed for hpn socket tests */ 156 int sock; 157 int socksize; 158 int socksizelen = sizeof(int); 159 160 /* Portable-specific options */ 161 if (options->use_pam == -1) 162 options->use_pam = 0; 163 164 /* Standard Options */ 165 if (options->protocol == SSH_PROTO_UNKNOWN) 166 options->protocol = SSH_PROTO_2; 167 if (options->num_host_key_files == 0) { 168 /* fill default hostkeys for protocols */ 169 if (options->protocol & SSH_PROTO_1) 170 options->host_key_files[options->num_host_key_files++] = 171 _PATH_HOST_KEY_FILE; 172 if (options->protocol & SSH_PROTO_2) { 173 options->host_key_files[options->num_host_key_files++] = 174 _PATH_HOST_RSA_KEY_FILE; 175 options->host_key_files[options->num_host_key_files++] = 176 _PATH_HOST_DSA_KEY_FILE; 177 #ifdef OPENSSL_HAS_ECC 178 options->host_key_files[options->num_host_key_files++] = 179 _PATH_HOST_ECDSA_KEY_FILE; 180 #endif 181 } 182 } 183 /* No certificates by default */ 184 if (options->num_ports == 0) 185 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 186 if (options->listen_addrs == NULL) 187 add_listen_addr(options, NULL, 0); 188 if (options->pid_file == NULL) 189 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 190 if (options->server_key_bits == -1) 191 options->server_key_bits = 1024; 192 if (options->login_grace_time == -1) 193 options->login_grace_time = 120; 194 if (options->key_regeneration_time == -1) 195 options->key_regeneration_time = 3600; 196 if (options->permit_root_login == PERMIT_NOT_SET) 197 options->permit_root_login = PERMIT_NO; 198 if (options->ignore_rhosts == -1) 199 options->ignore_rhosts = 1; 200 if (options->ignore_user_known_hosts == -1) 201 options->ignore_user_known_hosts = 0; 202 if (options->print_motd == -1) 203 options->print_motd = 1; 204 if (options->print_lastlog == -1) 205 options->print_lastlog = 1; 206 if (options->x11_forwarding == -1) 207 options->x11_forwarding = 1; 208 if (options->x11_display_offset == -1) 209 options->x11_display_offset = 10; 210 if (options->x11_use_localhost == -1) 211 options->x11_use_localhost = 1; 212 if (options->xauth_location == NULL) 213 options->xauth_location = _PATH_XAUTH; 214 if (options->strict_modes == -1) 215 options->strict_modes = 1; 216 if (options->tcp_keep_alive == -1) 217 options->tcp_keep_alive = 1; 218 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 219 options->log_facility = SYSLOG_FACILITY_AUTH; 220 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 221 options->log_level = SYSLOG_LEVEL_INFO; 222 if (options->rhosts_rsa_authentication == -1) 223 options->rhosts_rsa_authentication = 0; 224 if (options->hostbased_authentication == -1) 225 options->hostbased_authentication = 0; 226 if (options->hostbased_uses_name_from_packet_only == -1) 227 options->hostbased_uses_name_from_packet_only = 0; 228 if (options->rsa_authentication == -1) 229 options->rsa_authentication = 1; 230 if (options->pubkey_authentication == -1) 231 options->pubkey_authentication = 1; 232 if (options->kerberos_authentication == -1) 233 options->kerberos_authentication = 0; 234 if (options->kerberos_or_local_passwd == -1) 235 options->kerberos_or_local_passwd = 1; 236 if (options->kerberos_ticket_cleanup == -1) 237 options->kerberos_ticket_cleanup = 1; 238 if (options->kerberos_get_afs_token == -1) 239 options->kerberos_get_afs_token = 0; 240 if (options->gss_authentication == -1) 241 options->gss_authentication = 0; 242 if (options->gss_cleanup_creds == -1) 243 options->gss_cleanup_creds = 1; 244 if (options->password_authentication == -1) 245 options->password_authentication = 1; 246 if (options->kbd_interactive_authentication == -1) 247 options->kbd_interactive_authentication = 0; 248 if (options->challenge_response_authentication == -1) 249 options->challenge_response_authentication = 1; 250 if (options->permit_blacklisted_keys == -1) 251 options->permit_blacklisted_keys = 0; 252 if (options->permit_empty_passwd == -1) 253 options->permit_empty_passwd = 0; 254 if (options->permit_user_env == -1) 255 options->permit_user_env = 0; 256 if (options->use_login == -1) 257 options->use_login = 0; 258 if (options->compression == -1) 259 options->compression = COMP_DELAYED; 260 if (options->allow_tcp_forwarding == -1) 261 options->allow_tcp_forwarding = 1; 262 if (options->allow_agent_forwarding == -1) 263 options->allow_agent_forwarding = 1; 264 if (options->gateway_ports == -1) 265 options->gateway_ports = 0; 266 if (options->max_startups == -1) 267 options->max_startups = 10; 268 if (options->max_startups_rate == -1) 269 options->max_startups_rate = 100; /* 100% */ 270 if (options->max_startups_begin == -1) 271 options->max_startups_begin = options->max_startups; 272 if (options->max_authtries == -1) 273 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 274 if (options->max_sessions == -1) 275 options->max_sessions = DEFAULT_SESSIONS_MAX; 276 if (options->use_dns == -1) 277 options->use_dns = 1; 278 if (options->client_alive_interval == -1) 279 options->client_alive_interval = 0; 280 if (options->client_alive_count_max == -1) 281 options->client_alive_count_max = 3; 282 if (options->num_authkeys_files == 0) { 283 options->authorized_keys_files[options->num_authkeys_files++] = 284 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 285 options->authorized_keys_files[options->num_authkeys_files++] = 286 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 287 } 288 if (options->permit_tun == -1) 289 options->permit_tun = SSH_TUNMODE_NO; 290 if (options->zero_knowledge_password_authentication == -1) 291 options->zero_knowledge_password_authentication = 0; 292 if (options->ip_qos_interactive == -1) 293 options->ip_qos_interactive = IPTOS_LOWDELAY; 294 if (options->ip_qos_bulk == -1) 295 options->ip_qos_bulk = IPTOS_THROUGHPUT; 296 297 if (options->hpn_disabled == -1) 298 options->hpn_disabled = 0; 299 300 if (options->hpn_buffer_size == -1) { 301 /* option not explicitly set. Now we have to figure out */ 302 /* what value to use */ 303 if (options->hpn_disabled == 1) { 304 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; 305 } else { 306 /* get the current RCV size and set it to that */ 307 /*create a socket but don't connect it */ 308 /* we use that the get the rcv socket size */ 309 sock = socket(AF_INET, SOCK_STREAM, 0); 310 getsockopt(sock, SOL_SOCKET, SO_RCVBUF, 311 &socksize, &socksizelen); 312 close(sock); 313 options->hpn_buffer_size = socksize; 314 debug ("HPN Buffer Size: %d", options->hpn_buffer_size); 315 316 } 317 } else { 318 /* we have to do this incase the user sets both values in a contradictory */ 319 /* manner. hpn_disabled overrrides hpn_buffer_size*/ 320 if (options->hpn_disabled <= 0) { 321 if (options->hpn_buffer_size == 0) 322 options->hpn_buffer_size = 1; 323 /* limit the maximum buffer to 64MB */ 324 if (options->hpn_buffer_size > 64*1024) { 325 options->hpn_buffer_size = 64*1024*1024; 326 } else { 327 options->hpn_buffer_size *= 1024; 328 } 329 } else 330 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; 331 } 332 333 if (options->version_addendum == NULL) 334 options->version_addendum = xstrdup(""); 335 /* Turn privilege separation on by default */ 336 if (use_privsep == -1) 337 use_privsep = PRIVSEP_NOSANDBOX; 338 339 #ifndef HAVE_MMAP 340 if (use_privsep && options->compression == 1) { 341 error("This platform does not support both privilege " 342 "separation and compression"); 343 error("Compression disabled"); 344 options->compression = 0; 345 } 346 #endif 347 348 } 349 350 /* Keyword tokens. */ 351 typedef enum { 352 sBadOption, /* == unknown option */ 353 /* Portable-specific options */ 354 sUsePAM, 355 /* Standard Options */ 356 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 357 sPermitRootLogin, sLogFacility, sLogLevel, 358 sRhostsRSAAuthentication, sRSAAuthentication, 359 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 360 sKerberosGetAFSToken, 361 sKerberosTgtPassing, sChallengeResponseAuthentication, 362 sPasswordAuthentication, sKbdInteractiveAuthentication, 363 sListenAddress, sAddressFamily, 364 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 365 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 366 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 367 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 368 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 369 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 370 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 371 sMaxStartups, sMaxAuthTries, sMaxSessions, 372 sBanner, sUseDNS, sHostbasedAuthentication, 373 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 374 sClientAliveCountMax, sAuthorizedKeysFile, 375 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 376 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 377 sUsePrivilegeSeparation, sAllowAgentForwarding, 378 sZeroKnowledgePasswordAuthentication, sHostCertificate, 379 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 380 sKexAlgorithms, sIPQoS, sVersionAddendum, 381 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, 382 sDeprecated, sUnsupported 383 } ServerOpCodes; 384 385 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 386 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 387 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 388 389 /* Textual representation of the tokens. */ 390 static struct { 391 const char *name; 392 ServerOpCodes opcode; 393 u_int flags; 394 } keywords[] = { 395 /* Portable-specific options */ 396 #ifdef USE_PAM 397 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 398 #else 399 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 400 #endif 401 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 402 /* Standard Options */ 403 { "port", sPort, SSHCFG_GLOBAL }, 404 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 405 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 406 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 407 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 408 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 409 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 410 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 411 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 412 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 413 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 414 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 415 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 416 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 417 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 418 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 419 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 420 #ifdef KRB5 421 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 422 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 423 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 424 #ifdef USE_AFS 425 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 426 #else 427 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 428 #endif 429 #else 430 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 431 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 432 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 433 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 434 #endif 435 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 436 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 437 #ifdef GSSAPI 438 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 439 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 440 #else 441 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 442 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 443 #endif 444 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 445 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 446 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 447 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 448 #ifdef JPAKE 449 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, 450 #else 451 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, 452 #endif 453 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 454 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 455 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 456 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 457 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 458 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 459 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 460 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 461 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 462 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 463 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 464 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 465 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }, 466 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 467 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 468 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 469 { "compression", sCompression, SSHCFG_GLOBAL }, 470 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 471 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 472 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 473 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 474 { "allowusers", sAllowUsers, SSHCFG_ALL }, 475 { "denyusers", sDenyUsers, SSHCFG_ALL }, 476 { "allowgroups", sAllowGroups, SSHCFG_ALL }, 477 { "denygroups", sDenyGroups, SSHCFG_ALL }, 478 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 479 { "macs", sMacs, SSHCFG_GLOBAL }, 480 { "protocol", sProtocol, SSHCFG_GLOBAL }, 481 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 482 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 483 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 484 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 485 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 486 { "banner", sBanner, SSHCFG_ALL }, 487 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 488 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 489 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 490 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 491 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 492 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 493 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 494 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 495 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 496 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 497 { "match", sMatch, SSHCFG_ALL }, 498 { "permitopen", sPermitOpen, SSHCFG_ALL }, 499 { "forcecommand", sForceCommand, SSHCFG_ALL }, 500 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 501 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 502 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 503 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 504 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 505 { "noneenabled", sNoneEnabled }, 506 { "hpndisabled", sHPNDisabled }, 507 { "hpnbuffersize", sHPNBufferSize }, 508 { "tcprcvbufpoll", sTcpRcvBufPoll }, 509 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 510 { "ipqos", sIPQoS, SSHCFG_ALL }, 511 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 512 { NULL, sBadOption, 0 } 513 }; 514 515 static struct { 516 int val; 517 char *text; 518 } tunmode_desc[] = { 519 { SSH_TUNMODE_NO, "no" }, 520 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 521 { SSH_TUNMODE_ETHERNET, "ethernet" }, 522 { SSH_TUNMODE_YES, "yes" }, 523 { -1, NULL } 524 }; 525 526 /* 527 * Returns the number of the token pointed to by cp or sBadOption. 528 */ 529 530 static ServerOpCodes 531 parse_token(const char *cp, const char *filename, 532 int linenum, u_int *flags) 533 { 534 u_int i; 535 536 for (i = 0; keywords[i].name; i++) 537 if (strcasecmp(cp, keywords[i].name) == 0) { 538 debug ("Config token is %s", keywords[i].name); 539 *flags = keywords[i].flags; 540 return keywords[i].opcode; 541 } 542 543 error("%s: line %d: Bad configuration option: %s", 544 filename, linenum, cp); 545 return sBadOption; 546 } 547 548 char * 549 derelativise_path(const char *path) 550 { 551 char *expanded, *ret, cwd[MAXPATHLEN]; 552 553 expanded = tilde_expand_filename(path, getuid()); 554 if (*expanded == '/') 555 return expanded; 556 if (getcwd(cwd, sizeof(cwd)) == NULL) 557 fatal("%s: getcwd: %s", __func__, strerror(errno)); 558 xasprintf(&ret, "%s/%s", cwd, expanded); 559 xfree(expanded); 560 return ret; 561 } 562 563 static void 564 add_listen_addr(ServerOptions *options, char *addr, int port) 565 { 566 u_int i; 567 568 if (options->num_ports == 0) 569 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 570 if (options->address_family == -1) 571 options->address_family = AF_UNSPEC; 572 if (port == 0) 573 for (i = 0; i < options->num_ports; i++) 574 add_one_listen_addr(options, addr, options->ports[i]); 575 else 576 add_one_listen_addr(options, addr, port); 577 } 578 579 static void 580 add_one_listen_addr(ServerOptions *options, char *addr, int port) 581 { 582 struct addrinfo hints, *ai, *aitop; 583 char strport[NI_MAXSERV]; 584 int gaierr; 585 586 memset(&hints, 0, sizeof(hints)); 587 hints.ai_family = options->address_family; 588 hints.ai_socktype = SOCK_STREAM; 589 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 590 snprintf(strport, sizeof strport, "%d", port); 591 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 592 fatal("bad addr or host: %s (%s)", 593 addr ? addr : "<NULL>", 594 ssh_gai_strerror(gaierr)); 595 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 596 ; 597 ai->ai_next = options->listen_addrs; 598 options->listen_addrs = aitop; 599 } 600 601 struct connection_info * 602 get_connection_info(int populate, int use_dns) 603 { 604 static struct connection_info ci; 605 606 if (!populate) 607 return &ci; 608 ci.host = get_canonical_hostname(use_dns); 609 ci.address = get_remote_ipaddr(); 610 ci.laddress = get_local_ipaddr(packet_get_connection_in()); 611 ci.lport = get_local_port(); 612 return &ci; 613 } 614 615 /* 616 * The strategy for the Match blocks is that the config file is parsed twice. 617 * 618 * The first time is at startup. activep is initialized to 1 and the 619 * directives in the global context are processed and acted on. Hitting a 620 * Match directive unsets activep and the directives inside the block are 621 * checked for syntax only. 622 * 623 * The second time is after a connection has been established but before 624 * authentication. activep is initialized to 2 and global config directives 625 * are ignored since they have already been processed. If the criteria in a 626 * Match block is met, activep is set and the subsequent directives 627 * processed and actioned until EOF or another Match block unsets it. Any 628 * options set are copied into the main server config. 629 * 630 * Potential additions/improvements: 631 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 632 * 633 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 634 * Match Address 192.168.0.* 635 * Tag trusted 636 * Match Group wheel 637 * Tag trusted 638 * Match Tag trusted 639 * AllowTcpForwarding yes 640 * GatewayPorts clientspecified 641 * [...] 642 * 643 * - Add a PermittedChannelRequests directive 644 * Match Group shell 645 * PermittedChannelRequests session,forwarded-tcpip 646 */ 647 648 static int 649 match_cfg_line_group(const char *grps, int line, const char *user) 650 { 651 int result = 0; 652 struct passwd *pw; 653 654 if (user == NULL) 655 goto out; 656 657 if ((pw = getpwnam(user)) == NULL) { 658 debug("Can't match group at line %d because user %.100s does " 659 "not exist", line, user); 660 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 661 debug("Can't Match group because user %.100s not in any group " 662 "at line %d", user, line); 663 } else if (ga_match_pattern_list(grps) != 1) { 664 debug("user %.100s does not match group list %.100s at line %d", 665 user, grps, line); 666 } else { 667 debug("user %.100s matched group list %.100s at line %d", user, 668 grps, line); 669 result = 1; 670 } 671 out: 672 ga_free(); 673 return result; 674 } 675 676 /* 677 * All of the attributes on a single Match line are ANDed together, so we need to check every 678 * attribute and set the result to zero if any attribute does not match. 679 */ 680 static int 681 match_cfg_line(char **condition, int line, struct connection_info *ci) 682 { 683 int result = 1, port; 684 char *arg, *attrib, *cp = *condition; 685 size_t len; 686 687 if (ci == NULL) 688 debug3("checking syntax for 'Match %s'", cp); 689 else 690 debug3("checking match for '%s' user %s host %s addr %s " 691 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", 692 ci->host ? ci->host : "(null)", 693 ci->address ? ci->address : "(null)", 694 ci->laddress ? ci->laddress : "(null)", ci->lport); 695 696 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 697 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 698 error("Missing Match criteria for %s", attrib); 699 return -1; 700 } 701 len = strlen(arg); 702 if (strcasecmp(attrib, "user") == 0) { 703 if (ci == NULL || ci->user == NULL) { 704 result = 0; 705 continue; 706 } 707 if (match_pattern_list(ci->user, arg, len, 0) != 1) 708 result = 0; 709 else 710 debug("user %.100s matched 'User %.100s' at " 711 "line %d", ci->user, arg, line); 712 } else if (strcasecmp(attrib, "group") == 0) { 713 if (ci == NULL || ci->user == NULL) { 714 result = 0; 715 continue; 716 } 717 switch (match_cfg_line_group(arg, line, ci->user)) { 718 case -1: 719 return -1; 720 case 0: 721 result = 0; 722 } 723 } else if (strcasecmp(attrib, "host") == 0) { 724 if (ci == NULL || ci->host == NULL) { 725 result = 0; 726 continue; 727 } 728 if (match_hostname(ci->host, arg, len) != 1) 729 result = 0; 730 else 731 debug("connection from %.100s matched 'Host " 732 "%.100s' at line %d", ci->host, arg, line); 733 } else if (strcasecmp(attrib, "address") == 0) { 734 if (ci == NULL || ci->address == NULL) { 735 result = 0; 736 continue; 737 } 738 switch (addr_match_list(ci->address, arg)) { 739 case 1: 740 debug("connection from %.100s matched 'Address " 741 "%.100s' at line %d", ci->address, arg, line); 742 break; 743 case 0: 744 case -1: 745 result = 0; 746 break; 747 case -2: 748 return -1; 749 } 750 } else if (strcasecmp(attrib, "localaddress") == 0){ 751 if (ci == NULL || ci->laddress == NULL) { 752 result = 0; 753 continue; 754 } 755 switch (addr_match_list(ci->laddress, arg)) { 756 case 1: 757 debug("connection from %.100s matched " 758 "'LocalAddress %.100s' at line %d", 759 ci->laddress, arg, line); 760 break; 761 case 0: 762 case -1: 763 result = 0; 764 break; 765 case -2: 766 return -1; 767 } 768 } else if (strcasecmp(attrib, "localport") == 0) { 769 if ((port = a2port(arg)) == -1) { 770 error("Invalid LocalPort '%s' on Match line", 771 arg); 772 return -1; 773 } 774 if (ci == NULL || ci->lport == 0) { 775 result = 0; 776 continue; 777 } 778 /* TODO support port lists */ 779 if (port == ci->lport) 780 debug("connection from %.100s matched " 781 "'LocalPort %d' at line %d", 782 ci->laddress, port, line); 783 else 784 result = 0; 785 } else { 786 error("Unsupported Match attribute %s", attrib); 787 return -1; 788 } 789 } 790 if (ci != NULL) 791 debug3("match %sfound", result ? "" : "not "); 792 *condition = cp; 793 return result; 794 } 795 796 #define WHITESPACE " \t\r\n" 797 798 /* Multistate option parsing */ 799 struct multistate { 800 char *key; 801 int value; 802 }; 803 static const struct multistate multistate_addressfamily[] = { 804 { "inet", AF_INET }, 805 { "inet6", AF_INET6 }, 806 { "any", AF_UNSPEC }, 807 { NULL, -1 } 808 }; 809 static const struct multistate multistate_permitrootlogin[] = { 810 { "without-password", PERMIT_NO_PASSWD }, 811 { "forced-commands-only", PERMIT_FORCED_ONLY }, 812 { "yes", PERMIT_YES }, 813 { "no", PERMIT_NO }, 814 { NULL, -1 } 815 }; 816 static const struct multistate multistate_compression[] = { 817 { "delayed", COMP_DELAYED }, 818 { "yes", COMP_ZLIB }, 819 { "no", COMP_NONE }, 820 { NULL, -1 } 821 }; 822 static const struct multistate multistate_gatewayports[] = { 823 { "clientspecified", 2 }, 824 { "yes", 1 }, 825 { "no", 0 }, 826 { NULL, -1 } 827 }; 828 static const struct multistate multistate_privsep[] = { 829 { "yes", PRIVSEP_NOSANDBOX }, 830 { "sandbox", PRIVSEP_ON }, 831 { "nosandbox", PRIVSEP_NOSANDBOX }, 832 { "no", PRIVSEP_OFF }, 833 { NULL, -1 } 834 }; 835 836 int 837 process_server_config_line(ServerOptions *options, char *line, 838 const char *filename, int linenum, int *activep, 839 struct connection_info *connectinfo) 840 { 841 char *cp, **charptr, *arg, *p; 842 int cmdline = 0, *intptr, value, value2, n; 843 SyslogFacility *log_facility_ptr; 844 LogLevel *log_level_ptr; 845 ServerOpCodes opcode; 846 int port; 847 u_int i, flags = 0; 848 size_t len; 849 const struct multistate *multistate_ptr; 850 851 cp = line; 852 if ((arg = strdelim(&cp)) == NULL) 853 return 0; 854 /* Ignore leading whitespace */ 855 if (*arg == '\0') 856 arg = strdelim(&cp); 857 if (!arg || !*arg || *arg == '#') 858 return 0; 859 intptr = NULL; 860 charptr = NULL; 861 opcode = parse_token(arg, filename, linenum, &flags); 862 863 if (activep == NULL) { /* We are processing a command line directive */ 864 cmdline = 1; 865 activep = &cmdline; 866 } 867 if (*activep && opcode != sMatch) 868 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 869 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 870 if (connectinfo == NULL) { 871 fatal("%s line %d: Directive '%s' is not allowed " 872 "within a Match block", filename, linenum, arg); 873 } else { /* this is a directive we have already processed */ 874 while (arg) 875 arg = strdelim(&cp); 876 return 0; 877 } 878 } 879 880 switch (opcode) { 881 /* Portable-specific options */ 882 case sUsePAM: 883 intptr = &options->use_pam; 884 goto parse_flag; 885 886 /* Standard Options */ 887 case sBadOption: 888 return -1; 889 case sPort: 890 /* ignore ports from configfile if cmdline specifies ports */ 891 if (options->ports_from_cmdline) 892 return 0; 893 if (options->listen_addrs != NULL) 894 fatal("%s line %d: ports must be specified before " 895 "ListenAddress.", filename, linenum); 896 if (options->num_ports >= MAX_PORTS) 897 fatal("%s line %d: too many ports.", 898 filename, linenum); 899 arg = strdelim(&cp); 900 if (!arg || *arg == '\0') 901 fatal("%s line %d: missing port number.", 902 filename, linenum); 903 options->ports[options->num_ports++] = a2port(arg); 904 if (options->ports[options->num_ports-1] <= 0) 905 fatal("%s line %d: Badly formatted port number.", 906 filename, linenum); 907 break; 908 909 case sServerKeyBits: 910 intptr = &options->server_key_bits; 911 parse_int: 912 arg = strdelim(&cp); 913 if (!arg || *arg == '\0') 914 fatal("%s line %d: missing integer value.", 915 filename, linenum); 916 value = atoi(arg); 917 if (*activep && *intptr == -1) 918 *intptr = value; 919 break; 920 921 case sLoginGraceTime: 922 intptr = &options->login_grace_time; 923 parse_time: 924 arg = strdelim(&cp); 925 if (!arg || *arg == '\0') 926 fatal("%s line %d: missing time value.", 927 filename, linenum); 928 if ((value = convtime(arg)) == -1) 929 fatal("%s line %d: invalid time value.", 930 filename, linenum); 931 if (*intptr == -1) 932 *intptr = value; 933 break; 934 935 case sKeyRegenerationTime: 936 intptr = &options->key_regeneration_time; 937 goto parse_time; 938 939 case sListenAddress: 940 arg = strdelim(&cp); 941 if (arg == NULL || *arg == '\0') 942 fatal("%s line %d: missing address", 943 filename, linenum); 944 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 945 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 946 && strchr(p+1, ':') != NULL) { 947 add_listen_addr(options, arg, 0); 948 break; 949 } 950 p = hpdelim(&arg); 951 if (p == NULL) 952 fatal("%s line %d: bad address:port usage", 953 filename, linenum); 954 p = cleanhostname(p); 955 if (arg == NULL) 956 port = 0; 957 else if ((port = a2port(arg)) <= 0) 958 fatal("%s line %d: bad port number", filename, linenum); 959 960 add_listen_addr(options, p, port); 961 962 break; 963 964 case sAddressFamily: 965 intptr = &options->address_family; 966 multistate_ptr = multistate_addressfamily; 967 if (options->listen_addrs != NULL) 968 fatal("%s line %d: address family must be specified " 969 "before ListenAddress.", filename, linenum); 970 parse_multistate: 971 arg = strdelim(&cp); 972 if (!arg || *arg == '\0') 973 fatal("%s line %d: missing argument.", 974 filename, linenum); 975 value = -1; 976 for (i = 0; multistate_ptr[i].key != NULL; i++) { 977 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 978 value = multistate_ptr[i].value; 979 break; 980 } 981 } 982 if (value == -1) 983 fatal("%s line %d: unsupported option \"%s\".", 984 filename, linenum, arg); 985 if (*activep && *intptr == -1) 986 *intptr = value; 987 break; 988 989 case sHostKeyFile: 990 intptr = &options->num_host_key_files; 991 if (*intptr >= MAX_HOSTKEYS) 992 fatal("%s line %d: too many host keys specified (max %d).", 993 filename, linenum, MAX_HOSTKEYS); 994 charptr = &options->host_key_files[*intptr]; 995 parse_filename: 996 arg = strdelim(&cp); 997 if (!arg || *arg == '\0') 998 fatal("%s line %d: missing file name.", 999 filename, linenum); 1000 if (*activep && *charptr == NULL) { 1001 *charptr = derelativise_path(arg); 1002 /* increase optional counter */ 1003 if (intptr != NULL) 1004 *intptr = *intptr + 1; 1005 } 1006 break; 1007 1008 case sHostCertificate: 1009 intptr = &options->num_host_cert_files; 1010 if (*intptr >= MAX_HOSTKEYS) 1011 fatal("%s line %d: too many host certificates " 1012 "specified (max %d).", filename, linenum, 1013 MAX_HOSTCERTS); 1014 charptr = &options->host_cert_files[*intptr]; 1015 goto parse_filename; 1016 break; 1017 1018 case sPidFile: 1019 charptr = &options->pid_file; 1020 goto parse_filename; 1021 1022 case sPermitRootLogin: 1023 intptr = &options->permit_root_login; 1024 multistate_ptr = multistate_permitrootlogin; 1025 goto parse_multistate; 1026 1027 case sIgnoreRhosts: 1028 intptr = &options->ignore_rhosts; 1029 parse_flag: 1030 arg = strdelim(&cp); 1031 if (!arg || *arg == '\0') 1032 fatal("%s line %d: missing yes/no argument.", 1033 filename, linenum); 1034 value = 0; /* silence compiler */ 1035 if (strcmp(arg, "yes") == 0) 1036 value = 1; 1037 else if (strcmp(arg, "no") == 0) 1038 value = 0; 1039 else 1040 fatal("%s line %d: Bad yes/no argument: %s", 1041 filename, linenum, arg); 1042 if (*activep && *intptr == -1) 1043 *intptr = value; 1044 break; 1045 1046 case sNoneEnabled: 1047 intptr = &options->none_enabled; 1048 goto parse_flag; 1049 1050 case sTcpRcvBufPoll: 1051 intptr = &options->tcp_rcv_buf_poll; 1052 goto parse_flag; 1053 1054 case sHPNDisabled: 1055 intptr = &options->hpn_disabled; 1056 goto parse_flag; 1057 1058 case sHPNBufferSize: 1059 intptr = &options->hpn_buffer_size; 1060 goto parse_int; 1061 1062 case sIgnoreUserKnownHosts: 1063 intptr = &options->ignore_user_known_hosts; 1064 goto parse_flag; 1065 1066 case sRhostsRSAAuthentication: 1067 intptr = &options->rhosts_rsa_authentication; 1068 goto parse_flag; 1069 1070 case sHostbasedAuthentication: 1071 intptr = &options->hostbased_authentication; 1072 goto parse_flag; 1073 1074 case sHostbasedUsesNameFromPacketOnly: 1075 intptr = &options->hostbased_uses_name_from_packet_only; 1076 goto parse_flag; 1077 1078 case sRSAAuthentication: 1079 intptr = &options->rsa_authentication; 1080 goto parse_flag; 1081 1082 case sPubkeyAuthentication: 1083 intptr = &options->pubkey_authentication; 1084 goto parse_flag; 1085 1086 case sKerberosAuthentication: 1087 intptr = &options->kerberos_authentication; 1088 goto parse_flag; 1089 1090 case sKerberosOrLocalPasswd: 1091 intptr = &options->kerberos_or_local_passwd; 1092 goto parse_flag; 1093 1094 case sKerberosTicketCleanup: 1095 intptr = &options->kerberos_ticket_cleanup; 1096 goto parse_flag; 1097 1098 case sKerberosGetAFSToken: 1099 intptr = &options->kerberos_get_afs_token; 1100 goto parse_flag; 1101 1102 case sGssAuthentication: 1103 intptr = &options->gss_authentication; 1104 goto parse_flag; 1105 1106 case sGssCleanupCreds: 1107 intptr = &options->gss_cleanup_creds; 1108 goto parse_flag; 1109 1110 case sPasswordAuthentication: 1111 intptr = &options->password_authentication; 1112 goto parse_flag; 1113 1114 case sZeroKnowledgePasswordAuthentication: 1115 intptr = &options->zero_knowledge_password_authentication; 1116 goto parse_flag; 1117 1118 case sKbdInteractiveAuthentication: 1119 intptr = &options->kbd_interactive_authentication; 1120 goto parse_flag; 1121 1122 case sChallengeResponseAuthentication: 1123 intptr = &options->challenge_response_authentication; 1124 goto parse_flag; 1125 1126 case sPrintMotd: 1127 intptr = &options->print_motd; 1128 goto parse_flag; 1129 1130 case sPrintLastLog: 1131 intptr = &options->print_lastlog; 1132 goto parse_flag; 1133 1134 case sX11Forwarding: 1135 intptr = &options->x11_forwarding; 1136 goto parse_flag; 1137 1138 case sX11DisplayOffset: 1139 intptr = &options->x11_display_offset; 1140 goto parse_int; 1141 1142 case sX11UseLocalhost: 1143 intptr = &options->x11_use_localhost; 1144 goto parse_flag; 1145 1146 case sXAuthLocation: 1147 charptr = &options->xauth_location; 1148 goto parse_filename; 1149 1150 case sStrictModes: 1151 intptr = &options->strict_modes; 1152 goto parse_flag; 1153 1154 case sTCPKeepAlive: 1155 intptr = &options->tcp_keep_alive; 1156 goto parse_flag; 1157 1158 case sPermitBlacklistedKeys: 1159 intptr = &options->permit_blacklisted_keys; 1160 goto parse_flag; 1161 1162 case sEmptyPasswd: 1163 intptr = &options->permit_empty_passwd; 1164 goto parse_flag; 1165 1166 case sPermitUserEnvironment: 1167 intptr = &options->permit_user_env; 1168 goto parse_flag; 1169 1170 case sUseLogin: 1171 intptr = &options->use_login; 1172 goto parse_flag; 1173 1174 case sCompression: 1175 intptr = &options->compression; 1176 multistate_ptr = multistate_compression; 1177 goto parse_multistate; 1178 1179 case sGatewayPorts: 1180 intptr = &options->gateway_ports; 1181 multistate_ptr = multistate_gatewayports; 1182 goto parse_multistate; 1183 1184 case sUseDNS: 1185 intptr = &options->use_dns; 1186 goto parse_flag; 1187 1188 case sLogFacility: 1189 log_facility_ptr = &options->log_facility; 1190 arg = strdelim(&cp); 1191 value = log_facility_number(arg); 1192 if (value == SYSLOG_FACILITY_NOT_SET) 1193 fatal("%.200s line %d: unsupported log facility '%s'", 1194 filename, linenum, arg ? arg : "<NONE>"); 1195 if (*log_facility_ptr == -1) 1196 *log_facility_ptr = (SyslogFacility) value; 1197 break; 1198 1199 case sLogLevel: 1200 log_level_ptr = &options->log_level; 1201 arg = strdelim(&cp); 1202 value = log_level_number(arg); 1203 if (value == SYSLOG_LEVEL_NOT_SET) 1204 fatal("%.200s line %d: unsupported log level '%s'", 1205 filename, linenum, arg ? arg : "<NONE>"); 1206 if (*log_level_ptr == -1) 1207 *log_level_ptr = (LogLevel) value; 1208 break; 1209 1210 case sAllowTcpForwarding: 1211 intptr = &options->allow_tcp_forwarding; 1212 goto parse_flag; 1213 1214 case sAllowAgentForwarding: 1215 intptr = &options->allow_agent_forwarding; 1216 goto parse_flag; 1217 1218 case sUsePrivilegeSeparation: 1219 intptr = &use_privsep; 1220 multistate_ptr = multistate_privsep; 1221 goto parse_multistate; 1222 1223 case sAllowUsers: 1224 while ((arg = strdelim(&cp)) && *arg != '\0') { 1225 if (options->num_allow_users >= MAX_ALLOW_USERS) 1226 fatal("%s line %d: too many allow users.", 1227 filename, linenum); 1228 if (!*activep) 1229 continue; 1230 options->allow_users[options->num_allow_users++] = 1231 xstrdup(arg); 1232 } 1233 break; 1234 1235 case sDenyUsers: 1236 while ((arg = strdelim(&cp)) && *arg != '\0') { 1237 if (options->num_deny_users >= MAX_DENY_USERS) 1238 fatal("%s line %d: too many deny users.", 1239 filename, linenum); 1240 if (!*activep) 1241 continue; 1242 options->deny_users[options->num_deny_users++] = 1243 xstrdup(arg); 1244 } 1245 break; 1246 1247 case sAllowGroups: 1248 while ((arg = strdelim(&cp)) && *arg != '\0') { 1249 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1250 fatal("%s line %d: too many allow groups.", 1251 filename, linenum); 1252 if (!*activep) 1253 continue; 1254 options->allow_groups[options->num_allow_groups++] = 1255 xstrdup(arg); 1256 } 1257 break; 1258 1259 case sDenyGroups: 1260 while ((arg = strdelim(&cp)) && *arg != '\0') { 1261 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1262 fatal("%s line %d: too many deny groups.", 1263 filename, linenum); 1264 if (!*activep) 1265 continue; 1266 options->deny_groups[options->num_deny_groups++] = 1267 xstrdup(arg); 1268 } 1269 break; 1270 1271 case sCiphers: 1272 arg = strdelim(&cp); 1273 if (!arg || *arg == '\0') 1274 fatal("%s line %d: Missing argument.", filename, linenum); 1275 if (!ciphers_valid(arg)) 1276 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1277 filename, linenum, arg ? arg : "<NONE>"); 1278 if (options->ciphers == NULL) 1279 options->ciphers = xstrdup(arg); 1280 break; 1281 1282 case sMacs: 1283 arg = strdelim(&cp); 1284 if (!arg || *arg == '\0') 1285 fatal("%s line %d: Missing argument.", filename, linenum); 1286 if (!mac_valid(arg)) 1287 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1288 filename, linenum, arg ? arg : "<NONE>"); 1289 if (options->macs == NULL) 1290 options->macs = xstrdup(arg); 1291 break; 1292 1293 case sKexAlgorithms: 1294 arg = strdelim(&cp); 1295 if (!arg || *arg == '\0') 1296 fatal("%s line %d: Missing argument.", 1297 filename, linenum); 1298 if (!kex_names_valid(arg)) 1299 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1300 filename, linenum, arg ? arg : "<NONE>"); 1301 if (options->kex_algorithms == NULL) 1302 options->kex_algorithms = xstrdup(arg); 1303 break; 1304 1305 case sProtocol: 1306 intptr = &options->protocol; 1307 arg = strdelim(&cp); 1308 if (!arg || *arg == '\0') 1309 fatal("%s line %d: Missing argument.", filename, linenum); 1310 value = proto_spec(arg); 1311 if (value == SSH_PROTO_UNKNOWN) 1312 fatal("%s line %d: Bad protocol spec '%s'.", 1313 filename, linenum, arg ? arg : "<NONE>"); 1314 if (*intptr == SSH_PROTO_UNKNOWN) 1315 *intptr = value; 1316 break; 1317 1318 case sSubsystem: 1319 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1320 fatal("%s line %d: too many subsystems defined.", 1321 filename, linenum); 1322 } 1323 arg = strdelim(&cp); 1324 if (!arg || *arg == '\0') 1325 fatal("%s line %d: Missing subsystem name.", 1326 filename, linenum); 1327 if (!*activep) { 1328 arg = strdelim(&cp); 1329 break; 1330 } 1331 for (i = 0; i < options->num_subsystems; i++) 1332 if (strcmp(arg, options->subsystem_name[i]) == 0) 1333 fatal("%s line %d: Subsystem '%s' already defined.", 1334 filename, linenum, arg); 1335 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1336 arg = strdelim(&cp); 1337 if (!arg || *arg == '\0') 1338 fatal("%s line %d: Missing subsystem command.", 1339 filename, linenum); 1340 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1341 1342 /* Collect arguments (separate to executable) */ 1343 p = xstrdup(arg); 1344 len = strlen(p) + 1; 1345 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1346 len += 1 + strlen(arg); 1347 p = xrealloc(p, 1, len); 1348 strlcat(p, " ", len); 1349 strlcat(p, arg, len); 1350 } 1351 options->subsystem_args[options->num_subsystems] = p; 1352 options->num_subsystems++; 1353 break; 1354 1355 case sMaxStartups: 1356 arg = strdelim(&cp); 1357 if (!arg || *arg == '\0') 1358 fatal("%s line %d: Missing MaxStartups spec.", 1359 filename, linenum); 1360 if ((n = sscanf(arg, "%d:%d:%d", 1361 &options->max_startups_begin, 1362 &options->max_startups_rate, 1363 &options->max_startups)) == 3) { 1364 if (options->max_startups_begin > 1365 options->max_startups || 1366 options->max_startups_rate > 100 || 1367 options->max_startups_rate < 1) 1368 fatal("%s line %d: Illegal MaxStartups spec.", 1369 filename, linenum); 1370 } else if (n != 1) 1371 fatal("%s line %d: Illegal MaxStartups spec.", 1372 filename, linenum); 1373 else 1374 options->max_startups = options->max_startups_begin; 1375 break; 1376 1377 case sMaxAuthTries: 1378 intptr = &options->max_authtries; 1379 goto parse_int; 1380 1381 case sMaxSessions: 1382 intptr = &options->max_sessions; 1383 goto parse_int; 1384 1385 case sBanner: 1386 charptr = &options->banner; 1387 goto parse_filename; 1388 1389 /* 1390 * These options can contain %X options expanded at 1391 * connect time, so that you can specify paths like: 1392 * 1393 * AuthorizedKeysFile /etc/ssh_keys/%u 1394 */ 1395 case sAuthorizedKeysFile: 1396 if (*activep && options->num_authkeys_files == 0) { 1397 while ((arg = strdelim(&cp)) && *arg != '\0') { 1398 if (options->num_authkeys_files >= 1399 MAX_AUTHKEYS_FILES) 1400 fatal("%s line %d: " 1401 "too many authorized keys files.", 1402 filename, linenum); 1403 options->authorized_keys_files[ 1404 options->num_authkeys_files++] = 1405 tilde_expand_filename(arg, getuid()); 1406 } 1407 } 1408 return 0; 1409 1410 case sAuthorizedPrincipalsFile: 1411 charptr = &options->authorized_principals_file; 1412 arg = strdelim(&cp); 1413 if (!arg || *arg == '\0') 1414 fatal("%s line %d: missing file name.", 1415 filename, linenum); 1416 if (*activep && *charptr == NULL) { 1417 *charptr = tilde_expand_filename(arg, getuid()); 1418 /* increase optional counter */ 1419 if (intptr != NULL) 1420 *intptr = *intptr + 1; 1421 } 1422 break; 1423 1424 case sClientAliveInterval: 1425 intptr = &options->client_alive_interval; 1426 goto parse_time; 1427 1428 case sClientAliveCountMax: 1429 intptr = &options->client_alive_count_max; 1430 goto parse_int; 1431 1432 case sAcceptEnv: 1433 while ((arg = strdelim(&cp)) && *arg != '\0') { 1434 if (strchr(arg, '=') != NULL) 1435 fatal("%s line %d: Invalid environment name.", 1436 filename, linenum); 1437 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1438 fatal("%s line %d: too many allow env.", 1439 filename, linenum); 1440 if (!*activep) 1441 continue; 1442 options->accept_env[options->num_accept_env++] = 1443 xstrdup(arg); 1444 } 1445 break; 1446 1447 case sPermitTunnel: 1448 intptr = &options->permit_tun; 1449 arg = strdelim(&cp); 1450 if (!arg || *arg == '\0') 1451 fatal("%s line %d: Missing yes/point-to-point/" 1452 "ethernet/no argument.", filename, linenum); 1453 value = -1; 1454 for (i = 0; tunmode_desc[i].val != -1; i++) 1455 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1456 value = tunmode_desc[i].val; 1457 break; 1458 } 1459 if (value == -1) 1460 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1461 "no argument: %s", filename, linenum, arg); 1462 if (*intptr == -1) 1463 *intptr = value; 1464 break; 1465 1466 case sMatch: 1467 if (cmdline) 1468 fatal("Match directive not supported as a command-line " 1469 "option"); 1470 value = match_cfg_line(&cp, linenum, connectinfo); 1471 if (value < 0) 1472 fatal("%s line %d: Bad Match condition", filename, 1473 linenum); 1474 *activep = value; 1475 break; 1476 1477 case sPermitOpen: 1478 arg = strdelim(&cp); 1479 if (!arg || *arg == '\0') 1480 fatal("%s line %d: missing PermitOpen specification", 1481 filename, linenum); 1482 n = options->num_permitted_opens; /* modified later */ 1483 if (strcmp(arg, "any") == 0) { 1484 if (*activep && n == -1) { 1485 channel_clear_adm_permitted_opens(); 1486 options->num_permitted_opens = 0; 1487 } 1488 break; 1489 } 1490 if (strcmp(arg, "none") == 0) { 1491 if (*activep && n == -1) { 1492 channel_clear_adm_permitted_opens(); 1493 options->num_permitted_opens = 1; 1494 channel_disable_adm_local_opens(); 1495 } 1496 break; 1497 } 1498 if (*activep && n == -1) 1499 channel_clear_adm_permitted_opens(); 1500 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1501 p = hpdelim(&arg); 1502 if (p == NULL) 1503 fatal("%s line %d: missing host in PermitOpen", 1504 filename, linenum); 1505 p = cleanhostname(p); 1506 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1507 fatal("%s line %d: bad port number in " 1508 "PermitOpen", filename, linenum); 1509 if (*activep && n == -1) 1510 options->num_permitted_opens = 1511 channel_add_adm_permitted_opens(p, port); 1512 } 1513 break; 1514 1515 case sForceCommand: 1516 if (cp == NULL) 1517 fatal("%.200s line %d: Missing argument.", filename, 1518 linenum); 1519 len = strspn(cp, WHITESPACE); 1520 if (*activep && options->adm_forced_command == NULL) 1521 options->adm_forced_command = xstrdup(cp + len); 1522 return 0; 1523 1524 case sChrootDirectory: 1525 charptr = &options->chroot_directory; 1526 1527 arg = strdelim(&cp); 1528 if (!arg || *arg == '\0') 1529 fatal("%s line %d: missing file name.", 1530 filename, linenum); 1531 if (*activep && *charptr == NULL) 1532 *charptr = xstrdup(arg); 1533 break; 1534 1535 case sTrustedUserCAKeys: 1536 charptr = &options->trusted_user_ca_keys; 1537 goto parse_filename; 1538 1539 case sRevokedKeys: 1540 charptr = &options->revoked_keys_file; 1541 goto parse_filename; 1542 1543 case sIPQoS: 1544 arg = strdelim(&cp); 1545 if ((value = parse_ipqos(arg)) == -1) 1546 fatal("%s line %d: Bad IPQoS value: %s", 1547 filename, linenum, arg); 1548 arg = strdelim(&cp); 1549 if (arg == NULL) 1550 value2 = value; 1551 else if ((value2 = parse_ipqos(arg)) == -1) 1552 fatal("%s line %d: Bad IPQoS value: %s", 1553 filename, linenum, arg); 1554 if (*activep) { 1555 options->ip_qos_interactive = value; 1556 options->ip_qos_bulk = value2; 1557 } 1558 break; 1559 1560 case sVersionAddendum: 1561 if (cp == NULL) 1562 fatal("%.200s line %d: Missing argument.", filename, 1563 linenum); 1564 len = strspn(cp, WHITESPACE); 1565 if (*activep && options->version_addendum == NULL) { 1566 if (strcasecmp(cp + len, "none") == 0) 1567 options->version_addendum = xstrdup(""); 1568 else if (strchr(cp + len, '\r') != NULL) 1569 fatal("%.200s line %d: Invalid argument", 1570 filename, linenum); 1571 else 1572 options->version_addendum = xstrdup(cp + len); 1573 } 1574 return 0; 1575 1576 case sDeprecated: 1577 logit("%s line %d: Deprecated option %s", 1578 filename, linenum, arg); 1579 while (arg) 1580 arg = strdelim(&cp); 1581 break; 1582 1583 case sUnsupported: 1584 logit("%s line %d: Unsupported option %s", 1585 filename, linenum, arg); 1586 while (arg) 1587 arg = strdelim(&cp); 1588 break; 1589 1590 default: 1591 fatal("%s line %d: Missing handler for opcode %s (%d)", 1592 filename, linenum, arg, opcode); 1593 } 1594 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1595 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1596 filename, linenum, arg); 1597 return 0; 1598 } 1599 1600 /* Reads the server configuration file. */ 1601 1602 void 1603 load_server_config(const char *filename, Buffer *conf) 1604 { 1605 char line[4096], *cp; 1606 FILE *f; 1607 int lineno = 0; 1608 1609 debug2("%s: filename %s", __func__, filename); 1610 if ((f = fopen(filename, "r")) == NULL) { 1611 perror(filename); 1612 exit(1); 1613 } 1614 buffer_clear(conf); 1615 while (fgets(line, sizeof(line), f)) { 1616 lineno++; 1617 if (strlen(line) == sizeof(line) - 1) 1618 fatal("%s line %d too long", filename, lineno); 1619 /* 1620 * Trim out comments and strip whitespace 1621 * NB - preserve newlines, they are needed to reproduce 1622 * line numbers later for error messages 1623 */ 1624 if ((cp = strchr(line, '#')) != NULL) 1625 memcpy(cp, "\n", 2); 1626 cp = line + strspn(line, " \t\r"); 1627 1628 buffer_append(conf, cp, strlen(cp)); 1629 } 1630 buffer_append(conf, "\0", 1); 1631 fclose(f); 1632 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1633 } 1634 1635 void 1636 parse_server_match_config(ServerOptions *options, 1637 struct connection_info *connectinfo) 1638 { 1639 ServerOptions mo; 1640 1641 initialize_server_options(&mo); 1642 parse_server_config(&mo, "reprocess config", &cfg, connectinfo); 1643 copy_set_server_options(options, &mo, 0); 1644 } 1645 1646 int parse_server_match_testspec(struct connection_info *ci, char *spec) 1647 { 1648 char *p; 1649 1650 while ((p = strsep(&spec, ",")) && *p != '\0') { 1651 if (strncmp(p, "addr=", 5) == 0) { 1652 ci->address = xstrdup(p + 5); 1653 } else if (strncmp(p, "host=", 5) == 0) { 1654 ci->host = xstrdup(p + 5); 1655 } else if (strncmp(p, "user=", 5) == 0) { 1656 ci->user = xstrdup(p + 5); 1657 } else if (strncmp(p, "laddr=", 6) == 0) { 1658 ci->laddress = xstrdup(p + 6); 1659 } else if (strncmp(p, "lport=", 6) == 0) { 1660 ci->lport = a2port(p + 6); 1661 if (ci->lport == -1) { 1662 fprintf(stderr, "Invalid port '%s' in test mode" 1663 " specification %s\n", p+6, p); 1664 return -1; 1665 } 1666 } else { 1667 fprintf(stderr, "Invalid test mode specification %s\n", 1668 p); 1669 return -1; 1670 } 1671 } 1672 return 0; 1673 } 1674 1675 /* 1676 * returns 1 for a complete spec, 0 for partial spec and -1 for an 1677 * empty spec. 1678 */ 1679 int server_match_spec_complete(struct connection_info *ci) 1680 { 1681 if (ci->user && ci->host && ci->address) 1682 return 1; /* complete */ 1683 if (!ci->user && !ci->host && !ci->address) 1684 return -1; /* empty */ 1685 return 0; /* partial */ 1686 } 1687 1688 /* Helper macros */ 1689 #define M_CP_INTOPT(n) do {\ 1690 if (src->n != -1) \ 1691 dst->n = src->n; \ 1692 } while (0) 1693 #define M_CP_STROPT(n) do {\ 1694 if (src->n != NULL) { \ 1695 if (dst->n != NULL) \ 1696 xfree(dst->n); \ 1697 dst->n = src->n; \ 1698 } \ 1699 } while(0) 1700 #define M_CP_STRARRAYOPT(n, num_n) do {\ 1701 if (src->num_n != 0) { \ 1702 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 1703 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 1704 } \ 1705 } while(0) 1706 1707 /* 1708 * Copy any supported values that are set. 1709 * 1710 * If the preauth flag is set, we do not bother copying the string or 1711 * array values that are not used pre-authentication, because any that we 1712 * do use must be explictly sent in mm_getpwnamallow(). 1713 */ 1714 void 1715 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1716 { 1717 M_CP_INTOPT(password_authentication); 1718 M_CP_INTOPT(gss_authentication); 1719 M_CP_INTOPT(rsa_authentication); 1720 M_CP_INTOPT(pubkey_authentication); 1721 M_CP_INTOPT(kerberos_authentication); 1722 M_CP_INTOPT(hostbased_authentication); 1723 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1724 M_CP_INTOPT(kbd_interactive_authentication); 1725 M_CP_INTOPT(zero_knowledge_password_authentication); 1726 M_CP_INTOPT(permit_root_login); 1727 M_CP_INTOPT(permit_empty_passwd); 1728 1729 M_CP_INTOPT(allow_tcp_forwarding); 1730 M_CP_INTOPT(allow_agent_forwarding); 1731 M_CP_INTOPT(permit_tun); 1732 M_CP_INTOPT(gateway_ports); 1733 M_CP_INTOPT(x11_display_offset); 1734 M_CP_INTOPT(x11_forwarding); 1735 M_CP_INTOPT(x11_use_localhost); 1736 M_CP_INTOPT(max_sessions); 1737 M_CP_INTOPT(max_authtries); 1738 M_CP_INTOPT(ip_qos_interactive); 1739 M_CP_INTOPT(ip_qos_bulk); 1740 1741 /* See comment in servconf.h */ 1742 COPY_MATCH_STRING_OPTS(); 1743 1744 /* 1745 * The only things that should be below this point are string options 1746 * which are only used after authentication. 1747 */ 1748 if (preauth) 1749 return; 1750 1751 M_CP_STROPT(adm_forced_command); 1752 M_CP_STROPT(chroot_directory); 1753 } 1754 1755 #undef M_CP_INTOPT 1756 #undef M_CP_STROPT 1757 #undef M_CP_STRARRAYOPT 1758 1759 void 1760 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1761 struct connection_info *connectinfo) 1762 { 1763 int active, linenum, bad_options = 0; 1764 char *cp, *obuf, *cbuf; 1765 1766 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1767 1768 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1769 active = connectinfo ? 0 : 1; 1770 linenum = 1; 1771 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1772 if (process_server_config_line(options, cp, filename, 1773 linenum++, &active, connectinfo) != 0) 1774 bad_options++; 1775 } 1776 xfree(obuf); 1777 if (bad_options > 0) 1778 fatal("%s: terminating, %d bad configuration options", 1779 filename, bad_options); 1780 } 1781 1782 static const char * 1783 fmt_multistate_int(int val, const struct multistate *m) 1784 { 1785 u_int i; 1786 1787 for (i = 0; m[i].key != NULL; i++) { 1788 if (m[i].value == val) 1789 return m[i].key; 1790 } 1791 return "UNKNOWN"; 1792 } 1793 1794 static const char * 1795 fmt_intarg(ServerOpCodes code, int val) 1796 { 1797 if (val == -1) 1798 return "unset"; 1799 switch (code) { 1800 case sAddressFamily: 1801 return fmt_multistate_int(val, multistate_addressfamily); 1802 case sPermitRootLogin: 1803 return fmt_multistate_int(val, multistate_permitrootlogin); 1804 case sGatewayPorts: 1805 return fmt_multistate_int(val, multistate_gatewayports); 1806 case sCompression: 1807 return fmt_multistate_int(val, multistate_compression); 1808 case sUsePrivilegeSeparation: 1809 return fmt_multistate_int(val, multistate_privsep); 1810 case sProtocol: 1811 switch (val) { 1812 case SSH_PROTO_1: 1813 return "1"; 1814 case SSH_PROTO_2: 1815 return "2"; 1816 case (SSH_PROTO_1|SSH_PROTO_2): 1817 return "2,1"; 1818 default: 1819 return "UNKNOWN"; 1820 } 1821 default: 1822 switch (val) { 1823 case 0: 1824 return "no"; 1825 case 1: 1826 return "yes"; 1827 default: 1828 return "UNKNOWN"; 1829 } 1830 } 1831 } 1832 1833 static const char * 1834 lookup_opcode_name(ServerOpCodes code) 1835 { 1836 u_int i; 1837 1838 for (i = 0; keywords[i].name != NULL; i++) 1839 if (keywords[i].opcode == code) 1840 return(keywords[i].name); 1841 return "UNKNOWN"; 1842 } 1843 1844 static void 1845 dump_cfg_int(ServerOpCodes code, int val) 1846 { 1847 printf("%s %d\n", lookup_opcode_name(code), val); 1848 } 1849 1850 static void 1851 dump_cfg_fmtint(ServerOpCodes code, int val) 1852 { 1853 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 1854 } 1855 1856 static void 1857 dump_cfg_string(ServerOpCodes code, const char *val) 1858 { 1859 if (val == NULL) 1860 return; 1861 printf("%s %s\n", lookup_opcode_name(code), val); 1862 } 1863 1864 static void 1865 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 1866 { 1867 u_int i; 1868 1869 for (i = 0; i < count; i++) 1870 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 1871 } 1872 1873 static void 1874 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 1875 { 1876 u_int i; 1877 1878 printf("%s", lookup_opcode_name(code)); 1879 for (i = 0; i < count; i++) 1880 printf(" %s", vals[i]); 1881 printf("\n"); 1882 } 1883 1884 void 1885 dump_config(ServerOptions *o) 1886 { 1887 u_int i; 1888 int ret; 1889 struct addrinfo *ai; 1890 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 1891 1892 /* these are usually at the top of the config */ 1893 for (i = 0; i < o->num_ports; i++) 1894 printf("port %d\n", o->ports[i]); 1895 dump_cfg_fmtint(sProtocol, o->protocol); 1896 dump_cfg_fmtint(sAddressFamily, o->address_family); 1897 1898 /* ListenAddress must be after Port */ 1899 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 1900 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 1901 sizeof(addr), port, sizeof(port), 1902 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 1903 error("getnameinfo failed: %.100s", 1904 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 1905 strerror(errno)); 1906 } else { 1907 if (ai->ai_family == AF_INET6) 1908 printf("listenaddress [%s]:%s\n", addr, port); 1909 else 1910 printf("listenaddress %s:%s\n", addr, port); 1911 } 1912 } 1913 1914 /* integer arguments */ 1915 #ifdef USE_PAM 1916 dump_cfg_int(sUsePAM, o->use_pam); 1917 #endif 1918 dump_cfg_int(sServerKeyBits, o->server_key_bits); 1919 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 1920 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 1921 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 1922 dump_cfg_int(sMaxAuthTries, o->max_authtries); 1923 dump_cfg_int(sMaxSessions, o->max_sessions); 1924 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 1925 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 1926 1927 /* formatted integer arguments */ 1928 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 1929 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 1930 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 1931 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); 1932 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 1933 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 1934 o->hostbased_uses_name_from_packet_only); 1935 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 1936 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 1937 #ifdef KRB5 1938 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 1939 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 1940 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 1941 # ifdef USE_AFS 1942 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 1943 # endif 1944 #endif 1945 #ifdef GSSAPI 1946 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 1947 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 1948 #endif 1949 #ifdef JPAKE 1950 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 1951 o->zero_knowledge_password_authentication); 1952 #endif 1953 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 1954 dump_cfg_fmtint(sKbdInteractiveAuthentication, 1955 o->kbd_interactive_authentication); 1956 dump_cfg_fmtint(sChallengeResponseAuthentication, 1957 o->challenge_response_authentication); 1958 dump_cfg_fmtint(sPrintMotd, o->print_motd); 1959 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 1960 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 1961 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 1962 dump_cfg_fmtint(sStrictModes, o->strict_modes); 1963 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 1964 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 1965 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 1966 dump_cfg_fmtint(sUseLogin, o->use_login); 1967 dump_cfg_fmtint(sCompression, o->compression); 1968 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); 1969 dump_cfg_fmtint(sUseDNS, o->use_dns); 1970 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 1971 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 1972 1973 /* string arguments */ 1974 dump_cfg_string(sPidFile, o->pid_file); 1975 dump_cfg_string(sXAuthLocation, o->xauth_location); 1976 dump_cfg_string(sCiphers, o->ciphers); 1977 dump_cfg_string(sMacs, o->macs); 1978 dump_cfg_string(sBanner, o->banner); 1979 dump_cfg_string(sForceCommand, o->adm_forced_command); 1980 dump_cfg_string(sChrootDirectory, o->chroot_directory); 1981 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 1982 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 1983 dump_cfg_string(sAuthorizedPrincipalsFile, 1984 o->authorized_principals_file); 1985 dump_cfg_string(sVersionAddendum, o->version_addendum); 1986 1987 /* string arguments requiring a lookup */ 1988 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 1989 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 1990 1991 /* string array arguments */ 1992 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 1993 o->authorized_keys_files); 1994 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 1995 o->host_key_files); 1996 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files, 1997 o->host_cert_files); 1998 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 1999 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 2000 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2001 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2002 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2003 2004 /* other arguments */ 2005 for (i = 0; i < o->num_subsystems; i++) 2006 printf("subsystem %s %s\n", o->subsystem_name[i], 2007 o->subsystem_args[i]); 2008 2009 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 2010 o->max_startups_rate, o->max_startups); 2011 2012 for (i = 0; tunmode_desc[i].val != -1; i++) 2013 if (tunmode_desc[i].val == o->permit_tun) { 2014 s = tunmode_desc[i].text; 2015 break; 2016 } 2017 dump_cfg_string(sPermitTunnel, s); 2018 2019 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2020 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2021 2022 channel_print_adm_permitted_opens(); 2023 } 2024