1 2 /* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */ 3 /* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include "includes.h" 15 16 #include <sys/types.h> 17 #include <sys/socket.h> 18 19 #include <netinet/in.h> 20 #include <netinet/in_systm.h> 21 #include <netinet/ip.h> 22 23 #include <ctype.h> 24 #include <netdb.h> 25 #include <pwd.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <signal.h> 30 #include <unistd.h> 31 #include <limits.h> 32 #include <stdarg.h> 33 #include <errno.h> 34 #ifdef HAVE_UTIL_H 35 #include <util.h> 36 #endif 37 38 #include "openbsd-compat/sys-queue.h" 39 #include "xmalloc.h" 40 #include "ssh.h" 41 #include "log.h" 42 #include "buffer.h" 43 #include "misc.h" 44 #include "servconf.h" 45 #include "compat.h" 46 #include "pathnames.h" 47 #include "cipher.h" 48 #include "key.h" 49 #include "kex.h" 50 #include "mac.h" 51 #include "match.h" 52 #include "channels.h" 53 #include "groupaccess.h" 54 #include "canohost.h" 55 #include "packet.h" 56 #include "hostfile.h" 57 #include "auth.h" 58 #include "myproposal.h" 59 #include "digest.h" 60 61 static void add_listen_addr(ServerOptions *, char *, int); 62 static void add_one_listen_addr(ServerOptions *, char *, int); 63 64 /* Use of privilege separation or not */ 65 extern int use_privsep; 66 extern Buffer cfg; 67 68 /* Initializes the server options to their default values. */ 69 70 void 71 initialize_server_options(ServerOptions *options) 72 { 73 memset(options, 0, sizeof(*options)); 74 75 /* Portable-specific options */ 76 options->use_pam = -1; 77 78 /* Standard Options */ 79 options->num_ports = 0; 80 options->ports_from_cmdline = 0; 81 options->queued_listen_addrs = NULL; 82 options->num_queued_listens = 0; 83 options->listen_addrs = NULL; 84 options->address_family = -1; 85 options->num_host_key_files = 0; 86 options->num_host_cert_files = 0; 87 options->host_key_agent = NULL; 88 options->pid_file = NULL; 89 options->server_key_bits = -1; 90 options->login_grace_time = -1; 91 options->key_regeneration_time = -1; 92 options->permit_root_login = PERMIT_NOT_SET; 93 options->ignore_rhosts = -1; 94 options->ignore_user_known_hosts = -1; 95 options->print_motd = -1; 96 options->print_lastlog = -1; 97 options->x11_forwarding = -1; 98 options->x11_display_offset = -1; 99 options->x11_use_localhost = -1; 100 options->permit_tty = -1; 101 options->permit_user_rc = -1; 102 options->xauth_location = NULL; 103 options->strict_modes = -1; 104 options->tcp_keep_alive = -1; 105 options->log_facility = SYSLOG_FACILITY_NOT_SET; 106 options->log_level = SYSLOG_LEVEL_NOT_SET; 107 options->rhosts_rsa_authentication = -1; 108 options->hostbased_authentication = -1; 109 options->hostbased_uses_name_from_packet_only = -1; 110 options->hostbased_key_types = NULL; 111 options->hostkeyalgorithms = NULL; 112 options->rsa_authentication = -1; 113 options->pubkey_authentication = -1; 114 options->pubkey_key_types = NULL; 115 options->kerberos_authentication = -1; 116 options->kerberos_or_local_passwd = -1; 117 options->kerberos_ticket_cleanup = -1; 118 options->kerberos_get_afs_token = -1; 119 options->gss_authentication=-1; 120 options->gss_cleanup_creds = -1; 121 options->gss_strict_acceptor = -1; 122 options->password_authentication = -1; 123 options->kbd_interactive_authentication = -1; 124 options->challenge_response_authentication = -1; 125 options->permit_empty_passwd = -1; 126 options->permit_user_env = -1; 127 options->use_login = -1; 128 options->compression = -1; 129 options->rekey_limit = -1; 130 options->rekey_interval = -1; 131 options->allow_tcp_forwarding = -1; 132 options->allow_streamlocal_forwarding = -1; 133 options->allow_agent_forwarding = -1; 134 options->num_allow_users = 0; 135 options->num_deny_users = 0; 136 options->num_allow_groups = 0; 137 options->num_deny_groups = 0; 138 options->ciphers = NULL; 139 options->macs = NULL; 140 options->kex_algorithms = NULL; 141 options->protocol = SSH_PROTO_UNKNOWN; 142 options->fwd_opts.gateway_ports = -1; 143 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; 144 options->fwd_opts.streamlocal_bind_unlink = -1; 145 options->num_subsystems = 0; 146 options->max_startups_begin = -1; 147 options->max_startups_rate = -1; 148 options->max_startups = -1; 149 options->max_authtries = -1; 150 options->max_sessions = -1; 151 options->banner = NULL; 152 options->use_dns = -1; 153 options->client_alive_interval = -1; 154 options->client_alive_count_max = -1; 155 options->num_authkeys_files = 0; 156 options->num_accept_env = 0; 157 options->permit_tun = -1; 158 options->num_permitted_opens = -1; 159 options->adm_forced_command = NULL; 160 options->chroot_directory = NULL; 161 options->authorized_keys_command = NULL; 162 options->authorized_keys_command_user = NULL; 163 options->revoked_keys_file = NULL; 164 options->trusted_user_ca_keys = NULL; 165 options->authorized_principals_file = NULL; 166 options->authorized_principals_command = NULL; 167 options->authorized_principals_command_user = NULL; 168 options->ip_qos_interactive = -1; 169 options->ip_qos_bulk = -1; 170 options->version_addendum = NULL; 171 options->fingerprint_hash = -1; 172 } 173 174 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 175 static int 176 option_clear_or_none(const char *o) 177 { 178 return o == NULL || strcasecmp(o, "none") == 0; 179 } 180 181 static void 182 assemble_algorithms(ServerOptions *o) 183 { 184 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || 185 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || 186 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || 187 kex_assemble_names(KEX_DEFAULT_PK_ALG, 188 &o->hostkeyalgorithms) != 0 || 189 kex_assemble_names(KEX_DEFAULT_PK_ALG, 190 &o->hostbased_key_types) != 0 || 191 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) 192 fatal("kex_assemble_names failed"); 193 } 194 195 void 196 fill_default_server_options(ServerOptions *options) 197 { 198 int i; 199 200 /* Portable-specific options */ 201 if (options->use_pam == -1) 202 options->use_pam = 0; 203 204 /* Standard Options */ 205 if (options->protocol == SSH_PROTO_UNKNOWN) 206 options->protocol = SSH_PROTO_2; 207 if (options->num_host_key_files == 0) { 208 /* fill default hostkeys for protocols */ 209 if (options->protocol & SSH_PROTO_1) 210 options->host_key_files[options->num_host_key_files++] = 211 _PATH_HOST_KEY_FILE; 212 if (options->protocol & SSH_PROTO_2) { 213 options->host_key_files[options->num_host_key_files++] = 214 _PATH_HOST_RSA_KEY_FILE; 215 options->host_key_files[options->num_host_key_files++] = 216 _PATH_HOST_DSA_KEY_FILE; 217 #ifdef OPENSSL_HAS_ECC 218 options->host_key_files[options->num_host_key_files++] = 219 _PATH_HOST_ECDSA_KEY_FILE; 220 #endif 221 options->host_key_files[options->num_host_key_files++] = 222 _PATH_HOST_ED25519_KEY_FILE; 223 } 224 } 225 /* No certificates by default */ 226 if (options->num_ports == 0) 227 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 228 if (options->address_family == -1) 229 options->address_family = AF_UNSPEC; 230 if (options->listen_addrs == NULL) 231 add_listen_addr(options, NULL, 0); 232 if (options->pid_file == NULL) 233 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); 234 if (options->server_key_bits == -1) 235 options->server_key_bits = 1024; 236 if (options->login_grace_time == -1) 237 options->login_grace_time = 120; 238 if (options->key_regeneration_time == -1) 239 options->key_regeneration_time = 3600; 240 if (options->permit_root_login == PERMIT_NOT_SET) 241 options->permit_root_login = PERMIT_NO_PASSWD; 242 if (options->ignore_rhosts == -1) 243 options->ignore_rhosts = 1; 244 if (options->ignore_user_known_hosts == -1) 245 options->ignore_user_known_hosts = 0; 246 if (options->print_motd == -1) 247 options->print_motd = 1; 248 if (options->print_lastlog == -1) 249 options->print_lastlog = 1; 250 if (options->x11_forwarding == -1) 251 options->x11_forwarding = 0; 252 if (options->x11_display_offset == -1) 253 options->x11_display_offset = 10; 254 if (options->x11_use_localhost == -1) 255 options->x11_use_localhost = 1; 256 if (options->xauth_location == NULL) 257 options->xauth_location = xstrdup(_PATH_XAUTH); 258 if (options->permit_tty == -1) 259 options->permit_tty = 1; 260 if (options->permit_user_rc == -1) 261 options->permit_user_rc = 1; 262 if (options->strict_modes == -1) 263 options->strict_modes = 1; 264 if (options->tcp_keep_alive == -1) 265 options->tcp_keep_alive = 1; 266 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 267 options->log_facility = SYSLOG_FACILITY_AUTH; 268 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 269 options->log_level = SYSLOG_LEVEL_INFO; 270 if (options->rhosts_rsa_authentication == -1) 271 options->rhosts_rsa_authentication = 0; 272 if (options->hostbased_authentication == -1) 273 options->hostbased_authentication = 0; 274 if (options->hostbased_uses_name_from_packet_only == -1) 275 options->hostbased_uses_name_from_packet_only = 0; 276 if (options->rsa_authentication == -1) 277 options->rsa_authentication = 1; 278 if (options->pubkey_authentication == -1) 279 options->pubkey_authentication = 1; 280 if (options->kerberos_authentication == -1) 281 options->kerberos_authentication = 0; 282 if (options->kerberos_or_local_passwd == -1) 283 options->kerberos_or_local_passwd = 1; 284 if (options->kerberos_ticket_cleanup == -1) 285 options->kerberos_ticket_cleanup = 1; 286 if (options->kerberos_get_afs_token == -1) 287 options->kerberos_get_afs_token = 0; 288 if (options->gss_authentication == -1) 289 options->gss_authentication = 0; 290 if (options->gss_cleanup_creds == -1) 291 options->gss_cleanup_creds = 1; 292 if (options->gss_strict_acceptor == -1) 293 options->gss_strict_acceptor = 0; 294 if (options->password_authentication == -1) 295 options->password_authentication = 1; 296 if (options->kbd_interactive_authentication == -1) 297 options->kbd_interactive_authentication = 0; 298 if (options->challenge_response_authentication == -1) 299 options->challenge_response_authentication = 1; 300 if (options->permit_empty_passwd == -1) 301 options->permit_empty_passwd = 0; 302 if (options->permit_user_env == -1) 303 options->permit_user_env = 0; 304 if (options->use_login == -1) 305 options->use_login = 0; 306 if (options->compression == -1) 307 options->compression = COMP_DELAYED; 308 if (options->rekey_limit == -1) 309 options->rekey_limit = 0; 310 if (options->rekey_interval == -1) 311 options->rekey_interval = 0; 312 if (options->allow_tcp_forwarding == -1) 313 options->allow_tcp_forwarding = FORWARD_ALLOW; 314 if (options->allow_streamlocal_forwarding == -1) 315 options->allow_streamlocal_forwarding = FORWARD_ALLOW; 316 if (options->allow_agent_forwarding == -1) 317 options->allow_agent_forwarding = 1; 318 if (options->fwd_opts.gateway_ports == -1) 319 options->fwd_opts.gateway_ports = 0; 320 if (options->max_startups == -1) 321 options->max_startups = 100; 322 if (options->max_startups_rate == -1) 323 options->max_startups_rate = 30; /* 30% */ 324 if (options->max_startups_begin == -1) 325 options->max_startups_begin = 10; 326 if (options->max_authtries == -1) 327 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 328 if (options->max_sessions == -1) 329 options->max_sessions = DEFAULT_SESSIONS_MAX; 330 if (options->use_dns == -1) 331 options->use_dns = 0; 332 if (options->client_alive_interval == -1) 333 options->client_alive_interval = 0; 334 if (options->client_alive_count_max == -1) 335 options->client_alive_count_max = 3; 336 if (options->num_authkeys_files == 0) { 337 options->authorized_keys_files[options->num_authkeys_files++] = 338 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 339 options->authorized_keys_files[options->num_authkeys_files++] = 340 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 341 } 342 if (options->permit_tun == -1) 343 options->permit_tun = SSH_TUNMODE_NO; 344 if (options->ip_qos_interactive == -1) 345 options->ip_qos_interactive = IPTOS_LOWDELAY; 346 if (options->ip_qos_bulk == -1) 347 options->ip_qos_bulk = IPTOS_THROUGHPUT; 348 if (options->version_addendum == NULL) 349 options->version_addendum = xstrdup(""); 350 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 351 options->fwd_opts.streamlocal_bind_mask = 0177; 352 if (options->fwd_opts.streamlocal_bind_unlink == -1) 353 options->fwd_opts.streamlocal_bind_unlink = 0; 354 if (options->fingerprint_hash == -1) 355 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 356 357 assemble_algorithms(options); 358 359 /* Turn privilege separation and sandboxing on by default */ 360 if (use_privsep == -1) 361 use_privsep = PRIVSEP_ON; 362 363 #define CLEAR_ON_NONE(v) \ 364 do { \ 365 if (option_clear_or_none(v)) { \ 366 free(v); \ 367 v = NULL; \ 368 } \ 369 } while(0) 370 CLEAR_ON_NONE(options->pid_file); 371 CLEAR_ON_NONE(options->xauth_location); 372 CLEAR_ON_NONE(options->banner); 373 CLEAR_ON_NONE(options->trusted_user_ca_keys); 374 CLEAR_ON_NONE(options->revoked_keys_file); 375 CLEAR_ON_NONE(options->authorized_principals_file); 376 CLEAR_ON_NONE(options->adm_forced_command); 377 CLEAR_ON_NONE(options->chroot_directory); 378 for (i = 0; i < options->num_host_key_files; i++) 379 CLEAR_ON_NONE(options->host_key_files[i]); 380 for (i = 0; i < options->num_host_cert_files; i++) 381 CLEAR_ON_NONE(options->host_cert_files[i]); 382 #undef CLEAR_ON_NONE 383 384 /* Similar handling for AuthenticationMethods=any */ 385 if (options->num_auth_methods == 1 && 386 strcmp(options->auth_methods[0], "any") == 0) { 387 free(options->auth_methods[0]); 388 options->auth_methods[0] = NULL; 389 options->num_auth_methods = 0; 390 } 391 392 #ifndef HAVE_MMAP 393 if (use_privsep && options->compression == 1) { 394 error("This platform does not support both privilege " 395 "separation and compression"); 396 error("Compression disabled"); 397 options->compression = 0; 398 } 399 #endif 400 401 } 402 403 /* Keyword tokens. */ 404 typedef enum { 405 sBadOption, /* == unknown option */ 406 /* Portable-specific options */ 407 sUsePAM, 408 /* Standard Options */ 409 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, 410 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, 411 sRhostsRSAAuthentication, sRSAAuthentication, 412 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 413 sKerberosGetAFSToken, 414 sKerberosTgtPassing, sChallengeResponseAuthentication, 415 sPasswordAuthentication, sKbdInteractiveAuthentication, 416 sListenAddress, sAddressFamily, 417 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 418 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 419 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, 420 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 421 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 422 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 423 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, 424 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, 425 sBanner, sUseDNS, sHostbasedAuthentication, 426 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, 427 sHostKeyAlgorithms, 428 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 429 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 430 sAcceptEnv, sPermitTunnel, 431 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 432 sUsePrivilegeSeparation, sAllowAgentForwarding, 433 sHostCertificate, 434 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 435 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, 436 sKexAlgorithms, sIPQoS, sVersionAddendum, 437 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 438 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 439 sStreamLocalBindMask, sStreamLocalBindUnlink, 440 sAllowStreamLocalForwarding, sFingerprintHash, 441 sDeprecated, sUnsupported 442 } ServerOpCodes; 443 444 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 445 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 446 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 447 448 /* Textual representation of the tokens. */ 449 static struct { 450 const char *name; 451 ServerOpCodes opcode; 452 u_int flags; 453 } keywords[] = { 454 /* Portable-specific options */ 455 #ifdef USE_PAM 456 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 457 #else 458 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 459 #endif 460 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 461 /* Standard Options */ 462 { "port", sPort, SSHCFG_GLOBAL }, 463 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 464 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 465 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, 466 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 467 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 468 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 469 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 470 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 471 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 472 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 473 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 474 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 475 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 476 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 477 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, 478 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, 479 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 480 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 481 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, 482 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 483 #ifdef KRB5 484 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 485 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 486 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 487 #ifdef USE_AFS 488 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 489 #else 490 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 491 #endif 492 #else 493 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 494 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 495 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 496 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 497 #endif 498 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 499 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 500 #ifdef GSSAPI 501 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 502 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 503 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 504 #else 505 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 506 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 507 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 508 #endif 509 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 510 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 511 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 512 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 513 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 514 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 515 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 516 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 517 #ifdef DISABLE_LASTLOG 518 { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, 519 #else 520 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 521 #endif 522 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 523 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 524 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 525 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 526 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 527 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 528 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 529 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 530 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 531 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 532 { "compression", sCompression, SSHCFG_GLOBAL }, 533 { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 534 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 535 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 536 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 537 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 538 { "allowusers", sAllowUsers, SSHCFG_ALL }, 539 { "denyusers", sDenyUsers, SSHCFG_ALL }, 540 { "allowgroups", sAllowGroups, SSHCFG_ALL }, 541 { "denygroups", sDenyGroups, SSHCFG_ALL }, 542 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 543 { "macs", sMacs, SSHCFG_GLOBAL }, 544 { "protocol", sProtocol, SSHCFG_GLOBAL }, 545 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 546 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 547 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 548 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 549 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 550 { "banner", sBanner, SSHCFG_ALL }, 551 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 552 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 553 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 554 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 555 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 556 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 557 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 558 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 559 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 560 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 561 { "permittty", sPermitTTY, SSHCFG_ALL }, 562 { "permituserrc", sPermitUserRC, SSHCFG_ALL }, 563 { "match", sMatch, SSHCFG_ALL }, 564 { "permitopen", sPermitOpen, SSHCFG_ALL }, 565 { "forcecommand", sForceCommand, SSHCFG_ALL }, 566 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 567 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 568 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 569 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 570 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 571 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 572 { "ipqos", sIPQoS, SSHCFG_ALL }, 573 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 574 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 575 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL }, 576 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL }, 577 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 578 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 579 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, 580 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 581 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 582 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 583 { NULL, sBadOption, 0 } 584 }; 585 586 static struct { 587 int val; 588 char *text; 589 } tunmode_desc[] = { 590 { SSH_TUNMODE_NO, "no" }, 591 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 592 { SSH_TUNMODE_ETHERNET, "ethernet" }, 593 { SSH_TUNMODE_YES, "yes" }, 594 { -1, NULL } 595 }; 596 597 /* 598 * Returns the number of the token pointed to by cp or sBadOption. 599 */ 600 601 static ServerOpCodes 602 parse_token(const char *cp, const char *filename, 603 int linenum, u_int *flags) 604 { 605 u_int i; 606 607 for (i = 0; keywords[i].name; i++) 608 if (strcasecmp(cp, keywords[i].name) == 0) { 609 *flags = keywords[i].flags; 610 return keywords[i].opcode; 611 } 612 613 error("%s: line %d: Bad configuration option: %s", 614 filename, linenum, cp); 615 return sBadOption; 616 } 617 618 char * 619 derelativise_path(const char *path) 620 { 621 char *expanded, *ret, cwd[PATH_MAX]; 622 623 if (strcasecmp(path, "none") == 0) 624 return xstrdup("none"); 625 expanded = tilde_expand_filename(path, getuid()); 626 if (*expanded == '/') 627 return expanded; 628 if (getcwd(cwd, sizeof(cwd)) == NULL) 629 fatal("%s: getcwd: %s", __func__, strerror(errno)); 630 xasprintf(&ret, "%s/%s", cwd, expanded); 631 free(expanded); 632 return ret; 633 } 634 635 static void 636 add_listen_addr(ServerOptions *options, char *addr, int port) 637 { 638 u_int i; 639 640 if (port == 0) 641 for (i = 0; i < options->num_ports; i++) 642 add_one_listen_addr(options, addr, options->ports[i]); 643 else 644 add_one_listen_addr(options, addr, port); 645 } 646 647 static void 648 add_one_listen_addr(ServerOptions *options, char *addr, int port) 649 { 650 struct addrinfo hints, *ai, *aitop; 651 char strport[NI_MAXSERV]; 652 int gaierr; 653 654 memset(&hints, 0, sizeof(hints)); 655 hints.ai_family = options->address_family; 656 hints.ai_socktype = SOCK_STREAM; 657 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 658 snprintf(strport, sizeof strport, "%d", port); 659 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 660 fatal("bad addr or host: %s (%s)", 661 addr ? addr : "<NULL>", 662 ssh_gai_strerror(gaierr)); 663 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 664 ; 665 ai->ai_next = options->listen_addrs; 666 options->listen_addrs = aitop; 667 } 668 669 /* 670 * Queue a ListenAddress to be processed once we have all of the Ports 671 * and AddressFamily options. 672 */ 673 static void 674 queue_listen_addr(ServerOptions *options, char *addr, int port) 675 { 676 options->queued_listen_addrs = xreallocarray( 677 options->queued_listen_addrs, options->num_queued_listens + 1, 678 sizeof(addr)); 679 options->queued_listen_ports = xreallocarray( 680 options->queued_listen_ports, options->num_queued_listens + 1, 681 sizeof(port)); 682 options->queued_listen_addrs[options->num_queued_listens] = 683 xstrdup(addr); 684 options->queued_listen_ports[options->num_queued_listens] = port; 685 options->num_queued_listens++; 686 } 687 688 /* 689 * Process queued (text) ListenAddress entries. 690 */ 691 static void 692 process_queued_listen_addrs(ServerOptions *options) 693 { 694 u_int i; 695 696 if (options->num_ports == 0) 697 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 698 if (options->address_family == -1) 699 options->address_family = AF_UNSPEC; 700 701 for (i = 0; i < options->num_queued_listens; i++) { 702 add_listen_addr(options, options->queued_listen_addrs[i], 703 options->queued_listen_ports[i]); 704 free(options->queued_listen_addrs[i]); 705 options->queued_listen_addrs[i] = NULL; 706 } 707 free(options->queued_listen_addrs); 708 options->queued_listen_addrs = NULL; 709 free(options->queued_listen_ports); 710 options->queued_listen_ports = NULL; 711 options->num_queued_listens = 0; 712 } 713 714 struct connection_info * 715 get_connection_info(int populate, int use_dns) 716 { 717 struct ssh *ssh = active_state; /* XXX */ 718 static struct connection_info ci; 719 720 if (!populate) 721 return &ci; 722 ci.host = auth_get_canonical_hostname(ssh, use_dns); 723 ci.address = ssh_remote_ipaddr(ssh); 724 ci.laddress = ssh_local_ipaddr(ssh); 725 ci.lport = ssh_local_port(ssh); 726 return &ci; 727 } 728 729 /* 730 * The strategy for the Match blocks is that the config file is parsed twice. 731 * 732 * The first time is at startup. activep is initialized to 1 and the 733 * directives in the global context are processed and acted on. Hitting a 734 * Match directive unsets activep and the directives inside the block are 735 * checked for syntax only. 736 * 737 * The second time is after a connection has been established but before 738 * authentication. activep is initialized to 2 and global config directives 739 * are ignored since they have already been processed. If the criteria in a 740 * Match block is met, activep is set and the subsequent directives 741 * processed and actioned until EOF or another Match block unsets it. Any 742 * options set are copied into the main server config. 743 * 744 * Potential additions/improvements: 745 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 746 * 747 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 748 * Match Address 192.168.0.* 749 * Tag trusted 750 * Match Group wheel 751 * Tag trusted 752 * Match Tag trusted 753 * AllowTcpForwarding yes 754 * GatewayPorts clientspecified 755 * [...] 756 * 757 * - Add a PermittedChannelRequests directive 758 * Match Group shell 759 * PermittedChannelRequests session,forwarded-tcpip 760 */ 761 762 static int 763 match_cfg_line_group(const char *grps, int line, const char *user) 764 { 765 int result = 0; 766 struct passwd *pw; 767 768 if (user == NULL) 769 goto out; 770 771 if ((pw = getpwnam(user)) == NULL) { 772 debug("Can't match group at line %d because user %.100s does " 773 "not exist", line, user); 774 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 775 debug("Can't Match group because user %.100s not in any group " 776 "at line %d", user, line); 777 } else if (ga_match_pattern_list(grps) != 1) { 778 debug("user %.100s does not match group list %.100s at line %d", 779 user, grps, line); 780 } else { 781 debug("user %.100s matched group list %.100s at line %d", user, 782 grps, line); 783 result = 1; 784 } 785 out: 786 ga_free(); 787 return result; 788 } 789 790 /* 791 * All of the attributes on a single Match line are ANDed together, so we need 792 * to check every attribute and set the result to zero if any attribute does 793 * not match. 794 */ 795 static int 796 match_cfg_line(char **condition, int line, struct connection_info *ci) 797 { 798 int result = 1, attributes = 0, port; 799 char *arg, *attrib, *cp = *condition; 800 801 if (ci == NULL) 802 debug3("checking syntax for 'Match %s'", cp); 803 else 804 debug3("checking match for '%s' user %s host %s addr %s " 805 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", 806 ci->host ? ci->host : "(null)", 807 ci->address ? ci->address : "(null)", 808 ci->laddress ? ci->laddress : "(null)", ci->lport); 809 810 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 811 attributes++; 812 if (strcasecmp(attrib, "all") == 0) { 813 if (attributes != 1 || 814 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { 815 error("'all' cannot be combined with other " 816 "Match attributes"); 817 return -1; 818 } 819 *condition = cp; 820 return 1; 821 } 822 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 823 error("Missing Match criteria for %s", attrib); 824 return -1; 825 } 826 if (strcasecmp(attrib, "user") == 0) { 827 if (ci == NULL || ci->user == NULL) { 828 result = 0; 829 continue; 830 } 831 if (match_pattern_list(ci->user, arg, 0) != 1) 832 result = 0; 833 else 834 debug("user %.100s matched 'User %.100s' at " 835 "line %d", ci->user, arg, line); 836 } else if (strcasecmp(attrib, "group") == 0) { 837 if (ci == NULL || ci->user == NULL) { 838 result = 0; 839 continue; 840 } 841 switch (match_cfg_line_group(arg, line, ci->user)) { 842 case -1: 843 return -1; 844 case 0: 845 result = 0; 846 } 847 } else if (strcasecmp(attrib, "host") == 0) { 848 if (ci == NULL || ci->host == NULL) { 849 result = 0; 850 continue; 851 } 852 if (match_hostname(ci->host, arg) != 1) 853 result = 0; 854 else 855 debug("connection from %.100s matched 'Host " 856 "%.100s' at line %d", ci->host, arg, line); 857 } else if (strcasecmp(attrib, "address") == 0) { 858 if (ci == NULL || ci->address == NULL) { 859 result = 0; 860 continue; 861 } 862 switch (addr_match_list(ci->address, arg)) { 863 case 1: 864 debug("connection from %.100s matched 'Address " 865 "%.100s' at line %d", ci->address, arg, line); 866 break; 867 case 0: 868 case -1: 869 result = 0; 870 break; 871 case -2: 872 return -1; 873 } 874 } else if (strcasecmp(attrib, "localaddress") == 0){ 875 if (ci == NULL || ci->laddress == NULL) { 876 result = 0; 877 continue; 878 } 879 switch (addr_match_list(ci->laddress, arg)) { 880 case 1: 881 debug("connection from %.100s matched " 882 "'LocalAddress %.100s' at line %d", 883 ci->laddress, arg, line); 884 break; 885 case 0: 886 case -1: 887 result = 0; 888 break; 889 case -2: 890 return -1; 891 } 892 } else if (strcasecmp(attrib, "localport") == 0) { 893 if ((port = a2port(arg)) == -1) { 894 error("Invalid LocalPort '%s' on Match line", 895 arg); 896 return -1; 897 } 898 if (ci == NULL || ci->lport == 0) { 899 result = 0; 900 continue; 901 } 902 /* TODO support port lists */ 903 if (port == ci->lport) 904 debug("connection from %.100s matched " 905 "'LocalPort %d' at line %d", 906 ci->laddress, port, line); 907 else 908 result = 0; 909 } else { 910 error("Unsupported Match attribute %s", attrib); 911 return -1; 912 } 913 } 914 if (attributes == 0) { 915 error("One or more attributes required for Match"); 916 return -1; 917 } 918 if (ci != NULL) 919 debug3("match %sfound", result ? "" : "not "); 920 *condition = cp; 921 return result; 922 } 923 924 #define WHITESPACE " \t\r\n" 925 926 /* Multistate option parsing */ 927 struct multistate { 928 char *key; 929 int value; 930 }; 931 static const struct multistate multistate_addressfamily[] = { 932 { "inet", AF_INET }, 933 { "inet6", AF_INET6 }, 934 { "any", AF_UNSPEC }, 935 { NULL, -1 } 936 }; 937 static const struct multistate multistate_permitrootlogin[] = { 938 { "without-password", PERMIT_NO_PASSWD }, 939 { "prohibit-password", PERMIT_NO_PASSWD }, 940 { "forced-commands-only", PERMIT_FORCED_ONLY }, 941 { "yes", PERMIT_YES }, 942 { "no", PERMIT_NO }, 943 { NULL, -1 } 944 }; 945 static const struct multistate multistate_compression[] = { 946 { "delayed", COMP_DELAYED }, 947 { "yes", COMP_ZLIB }, 948 { "no", COMP_NONE }, 949 { NULL, -1 } 950 }; 951 static const struct multistate multistate_gatewayports[] = { 952 { "clientspecified", 2 }, 953 { "yes", 1 }, 954 { "no", 0 }, 955 { NULL, -1 } 956 }; 957 static const struct multistate multistate_privsep[] = { 958 { "yes", PRIVSEP_NOSANDBOX }, 959 { "sandbox", PRIVSEP_ON }, 960 { "nosandbox", PRIVSEP_NOSANDBOX }, 961 { "no", PRIVSEP_OFF }, 962 { NULL, -1 } 963 }; 964 static const struct multistate multistate_tcpfwd[] = { 965 { "yes", FORWARD_ALLOW }, 966 { "all", FORWARD_ALLOW }, 967 { "no", FORWARD_DENY }, 968 { "remote", FORWARD_REMOTE }, 969 { "local", FORWARD_LOCAL }, 970 { NULL, -1 } 971 }; 972 973 int 974 process_server_config_line(ServerOptions *options, char *line, 975 const char *filename, int linenum, int *activep, 976 struct connection_info *connectinfo) 977 { 978 char *cp, **charptr, *arg, *p; 979 int cmdline = 0, *intptr, value, value2, n, port; 980 SyslogFacility *log_facility_ptr; 981 LogLevel *log_level_ptr; 982 ServerOpCodes opcode; 983 u_int i, flags = 0; 984 size_t len; 985 long long val64; 986 const struct multistate *multistate_ptr; 987 988 cp = line; 989 if ((arg = strdelim(&cp)) == NULL) 990 return 0; 991 /* Ignore leading whitespace */ 992 if (*arg == '\0') 993 arg = strdelim(&cp); 994 if (!arg || !*arg || *arg == '#') 995 return 0; 996 intptr = NULL; 997 charptr = NULL; 998 opcode = parse_token(arg, filename, linenum, &flags); 999 1000 if (activep == NULL) { /* We are processing a command line directive */ 1001 cmdline = 1; 1002 activep = &cmdline; 1003 } 1004 if (*activep && opcode != sMatch) 1005 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 1006 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 1007 if (connectinfo == NULL) { 1008 fatal("%s line %d: Directive '%s' is not allowed " 1009 "within a Match block", filename, linenum, arg); 1010 } else { /* this is a directive we have already processed */ 1011 while (arg) 1012 arg = strdelim(&cp); 1013 return 0; 1014 } 1015 } 1016 1017 switch (opcode) { 1018 /* Portable-specific options */ 1019 case sUsePAM: 1020 intptr = &options->use_pam; 1021 goto parse_flag; 1022 1023 /* Standard Options */ 1024 case sBadOption: 1025 return -1; 1026 case sPort: 1027 /* ignore ports from configfile if cmdline specifies ports */ 1028 if (options->ports_from_cmdline) 1029 return 0; 1030 if (options->num_ports >= MAX_PORTS) 1031 fatal("%s line %d: too many ports.", 1032 filename, linenum); 1033 arg = strdelim(&cp); 1034 if (!arg || *arg == '\0') 1035 fatal("%s line %d: missing port number.", 1036 filename, linenum); 1037 options->ports[options->num_ports++] = a2port(arg); 1038 if (options->ports[options->num_ports-1] <= 0) 1039 fatal("%s line %d: Badly formatted port number.", 1040 filename, linenum); 1041 break; 1042 1043 case sServerKeyBits: 1044 intptr = &options->server_key_bits; 1045 parse_int: 1046 arg = strdelim(&cp); 1047 if (!arg || *arg == '\0') 1048 fatal("%s line %d: missing integer value.", 1049 filename, linenum); 1050 value = atoi(arg); 1051 if (*activep && *intptr == -1) 1052 *intptr = value; 1053 break; 1054 1055 case sLoginGraceTime: 1056 intptr = &options->login_grace_time; 1057 parse_time: 1058 arg = strdelim(&cp); 1059 if (!arg || *arg == '\0') 1060 fatal("%s line %d: missing time value.", 1061 filename, linenum); 1062 if ((value = convtime(arg)) == -1) 1063 fatal("%s line %d: invalid time value.", 1064 filename, linenum); 1065 if (*activep && *intptr == -1) 1066 *intptr = value; 1067 break; 1068 1069 case sKeyRegenerationTime: 1070 intptr = &options->key_regeneration_time; 1071 goto parse_time; 1072 1073 case sListenAddress: 1074 arg = strdelim(&cp); 1075 if (arg == NULL || *arg == '\0') 1076 fatal("%s line %d: missing address", 1077 filename, linenum); 1078 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 1079 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 1080 && strchr(p+1, ':') != NULL) { 1081 queue_listen_addr(options, arg, 0); 1082 break; 1083 } 1084 p = hpdelim(&arg); 1085 if (p == NULL) 1086 fatal("%s line %d: bad address:port usage", 1087 filename, linenum); 1088 p = cleanhostname(p); 1089 if (arg == NULL) 1090 port = 0; 1091 else if ((port = a2port(arg)) <= 0) 1092 fatal("%s line %d: bad port number", filename, linenum); 1093 1094 queue_listen_addr(options, p, port); 1095 1096 break; 1097 1098 case sAddressFamily: 1099 intptr = &options->address_family; 1100 multistate_ptr = multistate_addressfamily; 1101 parse_multistate: 1102 arg = strdelim(&cp); 1103 if (!arg || *arg == '\0') 1104 fatal("%s line %d: missing argument.", 1105 filename, linenum); 1106 value = -1; 1107 for (i = 0; multistate_ptr[i].key != NULL; i++) { 1108 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 1109 value = multistate_ptr[i].value; 1110 break; 1111 } 1112 } 1113 if (value == -1) 1114 fatal("%s line %d: unsupported option \"%s\".", 1115 filename, linenum, arg); 1116 if (*activep && *intptr == -1) 1117 *intptr = value; 1118 break; 1119 1120 case sHostKeyFile: 1121 intptr = &options->num_host_key_files; 1122 if (*intptr >= MAX_HOSTKEYS) 1123 fatal("%s line %d: too many host keys specified (max %d).", 1124 filename, linenum, MAX_HOSTKEYS); 1125 charptr = &options->host_key_files[*intptr]; 1126 parse_filename: 1127 arg = strdelim(&cp); 1128 if (!arg || *arg == '\0') 1129 fatal("%s line %d: missing file name.", 1130 filename, linenum); 1131 if (*activep && *charptr == NULL) { 1132 *charptr = derelativise_path(arg); 1133 /* increase optional counter */ 1134 if (intptr != NULL) 1135 *intptr = *intptr + 1; 1136 } 1137 break; 1138 1139 case sHostKeyAgent: 1140 charptr = &options->host_key_agent; 1141 arg = strdelim(&cp); 1142 if (!arg || *arg == '\0') 1143 fatal("%s line %d: missing socket name.", 1144 filename, linenum); 1145 if (*activep && *charptr == NULL) 1146 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? 1147 xstrdup(arg) : derelativise_path(arg); 1148 break; 1149 1150 case sHostCertificate: 1151 intptr = &options->num_host_cert_files; 1152 if (*intptr >= MAX_HOSTKEYS) 1153 fatal("%s line %d: too many host certificates " 1154 "specified (max %d).", filename, linenum, 1155 MAX_HOSTCERTS); 1156 charptr = &options->host_cert_files[*intptr]; 1157 goto parse_filename; 1158 break; 1159 1160 case sPidFile: 1161 charptr = &options->pid_file; 1162 goto parse_filename; 1163 1164 case sPermitRootLogin: 1165 intptr = &options->permit_root_login; 1166 multistate_ptr = multistate_permitrootlogin; 1167 goto parse_multistate; 1168 1169 case sIgnoreRhosts: 1170 intptr = &options->ignore_rhosts; 1171 parse_flag: 1172 arg = strdelim(&cp); 1173 if (!arg || *arg == '\0') 1174 fatal("%s line %d: missing yes/no argument.", 1175 filename, linenum); 1176 value = 0; /* silence compiler */ 1177 if (strcmp(arg, "yes") == 0) 1178 value = 1; 1179 else if (strcmp(arg, "no") == 0) 1180 value = 0; 1181 else 1182 fatal("%s line %d: Bad yes/no argument: %s", 1183 filename, linenum, arg); 1184 if (*activep && *intptr == -1) 1185 *intptr = value; 1186 break; 1187 1188 case sIgnoreUserKnownHosts: 1189 intptr = &options->ignore_user_known_hosts; 1190 goto parse_flag; 1191 1192 case sRhostsRSAAuthentication: 1193 intptr = &options->rhosts_rsa_authentication; 1194 goto parse_flag; 1195 1196 case sHostbasedAuthentication: 1197 intptr = &options->hostbased_authentication; 1198 goto parse_flag; 1199 1200 case sHostbasedUsesNameFromPacketOnly: 1201 intptr = &options->hostbased_uses_name_from_packet_only; 1202 goto parse_flag; 1203 1204 case sHostbasedAcceptedKeyTypes: 1205 charptr = &options->hostbased_key_types; 1206 parse_keytypes: 1207 arg = strdelim(&cp); 1208 if (!arg || *arg == '\0') 1209 fatal("%s line %d: Missing argument.", 1210 filename, linenum); 1211 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 1212 fatal("%s line %d: Bad key types '%s'.", 1213 filename, linenum, arg ? arg : "<NONE>"); 1214 if (*activep && *charptr == NULL) 1215 *charptr = xstrdup(arg); 1216 break; 1217 1218 case sHostKeyAlgorithms: 1219 charptr = &options->hostkeyalgorithms; 1220 goto parse_keytypes; 1221 1222 case sRSAAuthentication: 1223 intptr = &options->rsa_authentication; 1224 goto parse_flag; 1225 1226 case sPubkeyAuthentication: 1227 intptr = &options->pubkey_authentication; 1228 goto parse_flag; 1229 1230 case sPubkeyAcceptedKeyTypes: 1231 charptr = &options->pubkey_key_types; 1232 goto parse_keytypes; 1233 1234 case sKerberosAuthentication: 1235 intptr = &options->kerberos_authentication; 1236 goto parse_flag; 1237 1238 case sKerberosOrLocalPasswd: 1239 intptr = &options->kerberos_or_local_passwd; 1240 goto parse_flag; 1241 1242 case sKerberosTicketCleanup: 1243 intptr = &options->kerberos_ticket_cleanup; 1244 goto parse_flag; 1245 1246 case sKerberosGetAFSToken: 1247 intptr = &options->kerberos_get_afs_token; 1248 goto parse_flag; 1249 1250 case sGssAuthentication: 1251 intptr = &options->gss_authentication; 1252 goto parse_flag; 1253 1254 case sGssCleanupCreds: 1255 intptr = &options->gss_cleanup_creds; 1256 goto parse_flag; 1257 1258 case sGssStrictAcceptor: 1259 intptr = &options->gss_strict_acceptor; 1260 goto parse_flag; 1261 1262 case sPasswordAuthentication: 1263 intptr = &options->password_authentication; 1264 goto parse_flag; 1265 1266 case sKbdInteractiveAuthentication: 1267 intptr = &options->kbd_interactive_authentication; 1268 goto parse_flag; 1269 1270 case sChallengeResponseAuthentication: 1271 intptr = &options->challenge_response_authentication; 1272 goto parse_flag; 1273 1274 case sPrintMotd: 1275 intptr = &options->print_motd; 1276 goto parse_flag; 1277 1278 case sPrintLastLog: 1279 intptr = &options->print_lastlog; 1280 goto parse_flag; 1281 1282 case sX11Forwarding: 1283 intptr = &options->x11_forwarding; 1284 goto parse_flag; 1285 1286 case sX11DisplayOffset: 1287 intptr = &options->x11_display_offset; 1288 goto parse_int; 1289 1290 case sX11UseLocalhost: 1291 intptr = &options->x11_use_localhost; 1292 goto parse_flag; 1293 1294 case sXAuthLocation: 1295 charptr = &options->xauth_location; 1296 goto parse_filename; 1297 1298 case sPermitTTY: 1299 intptr = &options->permit_tty; 1300 goto parse_flag; 1301 1302 case sPermitUserRC: 1303 intptr = &options->permit_user_rc; 1304 goto parse_flag; 1305 1306 case sStrictModes: 1307 intptr = &options->strict_modes; 1308 goto parse_flag; 1309 1310 case sTCPKeepAlive: 1311 intptr = &options->tcp_keep_alive; 1312 goto parse_flag; 1313 1314 case sEmptyPasswd: 1315 intptr = &options->permit_empty_passwd; 1316 goto parse_flag; 1317 1318 case sPermitUserEnvironment: 1319 intptr = &options->permit_user_env; 1320 goto parse_flag; 1321 1322 case sUseLogin: 1323 intptr = &options->use_login; 1324 goto parse_flag; 1325 1326 case sCompression: 1327 intptr = &options->compression; 1328 multistate_ptr = multistate_compression; 1329 goto parse_multistate; 1330 1331 case sRekeyLimit: 1332 arg = strdelim(&cp); 1333 if (!arg || *arg == '\0') 1334 fatal("%.200s line %d: Missing argument.", filename, 1335 linenum); 1336 if (strcmp(arg, "default") == 0) { 1337 val64 = 0; 1338 } else { 1339 if (scan_scaled(arg, &val64) == -1) 1340 fatal("%.200s line %d: Bad number '%s': %s", 1341 filename, linenum, arg, strerror(errno)); 1342 if (val64 != 0 && val64 < 16) 1343 fatal("%.200s line %d: RekeyLimit too small", 1344 filename, linenum); 1345 } 1346 if (*activep && options->rekey_limit == -1) 1347 options->rekey_limit = val64; 1348 if (cp != NULL) { /* optional rekey interval present */ 1349 if (strcmp(cp, "none") == 0) { 1350 (void)strdelim(&cp); /* discard */ 1351 break; 1352 } 1353 intptr = &options->rekey_interval; 1354 goto parse_time; 1355 } 1356 break; 1357 1358 case sGatewayPorts: 1359 intptr = &options->fwd_opts.gateway_ports; 1360 multistate_ptr = multistate_gatewayports; 1361 goto parse_multistate; 1362 1363 case sUseDNS: 1364 intptr = &options->use_dns; 1365 goto parse_flag; 1366 1367 case sLogFacility: 1368 log_facility_ptr = &options->log_facility; 1369 arg = strdelim(&cp); 1370 value = log_facility_number(arg); 1371 if (value == SYSLOG_FACILITY_NOT_SET) 1372 fatal("%.200s line %d: unsupported log facility '%s'", 1373 filename, linenum, arg ? arg : "<NONE>"); 1374 if (*log_facility_ptr == -1) 1375 *log_facility_ptr = (SyslogFacility) value; 1376 break; 1377 1378 case sLogLevel: 1379 log_level_ptr = &options->log_level; 1380 arg = strdelim(&cp); 1381 value = log_level_number(arg); 1382 if (value == SYSLOG_LEVEL_NOT_SET) 1383 fatal("%.200s line %d: unsupported log level '%s'", 1384 filename, linenum, arg ? arg : "<NONE>"); 1385 if (*log_level_ptr == -1) 1386 *log_level_ptr = (LogLevel) value; 1387 break; 1388 1389 case sAllowTcpForwarding: 1390 intptr = &options->allow_tcp_forwarding; 1391 multistate_ptr = multistate_tcpfwd; 1392 goto parse_multistate; 1393 1394 case sAllowStreamLocalForwarding: 1395 intptr = &options->allow_streamlocal_forwarding; 1396 multistate_ptr = multistate_tcpfwd; 1397 goto parse_multistate; 1398 1399 case sAllowAgentForwarding: 1400 intptr = &options->allow_agent_forwarding; 1401 goto parse_flag; 1402 1403 case sUsePrivilegeSeparation: 1404 intptr = &use_privsep; 1405 multistate_ptr = multistate_privsep; 1406 goto parse_multistate; 1407 1408 case sAllowUsers: 1409 while ((arg = strdelim(&cp)) && *arg != '\0') { 1410 if (options->num_allow_users >= MAX_ALLOW_USERS) 1411 fatal("%s line %d: too many allow users.", 1412 filename, linenum); 1413 if (!*activep) 1414 continue; 1415 options->allow_users[options->num_allow_users++] = 1416 xstrdup(arg); 1417 } 1418 break; 1419 1420 case sDenyUsers: 1421 while ((arg = strdelim(&cp)) && *arg != '\0') { 1422 if (options->num_deny_users >= MAX_DENY_USERS) 1423 fatal("%s line %d: too many deny users.", 1424 filename, linenum); 1425 if (!*activep) 1426 continue; 1427 options->deny_users[options->num_deny_users++] = 1428 xstrdup(arg); 1429 } 1430 break; 1431 1432 case sAllowGroups: 1433 while ((arg = strdelim(&cp)) && *arg != '\0') { 1434 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1435 fatal("%s line %d: too many allow groups.", 1436 filename, linenum); 1437 if (!*activep) 1438 continue; 1439 options->allow_groups[options->num_allow_groups++] = 1440 xstrdup(arg); 1441 } 1442 break; 1443 1444 case sDenyGroups: 1445 while ((arg = strdelim(&cp)) && *arg != '\0') { 1446 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1447 fatal("%s line %d: too many deny groups.", 1448 filename, linenum); 1449 if (!*activep) 1450 continue; 1451 options->deny_groups[options->num_deny_groups++] = 1452 xstrdup(arg); 1453 } 1454 break; 1455 1456 case sCiphers: 1457 arg = strdelim(&cp); 1458 if (!arg || *arg == '\0') 1459 fatal("%s line %d: Missing argument.", filename, linenum); 1460 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) 1461 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1462 filename, linenum, arg ? arg : "<NONE>"); 1463 if (options->ciphers == NULL) 1464 options->ciphers = xstrdup(arg); 1465 break; 1466 1467 case sMacs: 1468 arg = strdelim(&cp); 1469 if (!arg || *arg == '\0') 1470 fatal("%s line %d: Missing argument.", filename, linenum); 1471 if (!mac_valid(*arg == '+' ? arg + 1 : arg)) 1472 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1473 filename, linenum, arg ? arg : "<NONE>"); 1474 if (options->macs == NULL) 1475 options->macs = xstrdup(arg); 1476 break; 1477 1478 case sKexAlgorithms: 1479 arg = strdelim(&cp); 1480 if (!arg || *arg == '\0') 1481 fatal("%s line %d: Missing argument.", 1482 filename, linenum); 1483 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) 1484 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1485 filename, linenum, arg ? arg : "<NONE>"); 1486 if (options->kex_algorithms == NULL) 1487 options->kex_algorithms = xstrdup(arg); 1488 break; 1489 1490 case sProtocol: 1491 intptr = &options->protocol; 1492 arg = strdelim(&cp); 1493 if (!arg || *arg == '\0') 1494 fatal("%s line %d: Missing argument.", filename, linenum); 1495 value = proto_spec(arg); 1496 if (value == SSH_PROTO_UNKNOWN) 1497 fatal("%s line %d: Bad protocol spec '%s'.", 1498 filename, linenum, arg ? arg : "<NONE>"); 1499 if (*intptr == SSH_PROTO_UNKNOWN) 1500 *intptr = value; 1501 break; 1502 1503 case sSubsystem: 1504 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1505 fatal("%s line %d: too many subsystems defined.", 1506 filename, linenum); 1507 } 1508 arg = strdelim(&cp); 1509 if (!arg || *arg == '\0') 1510 fatal("%s line %d: Missing subsystem name.", 1511 filename, linenum); 1512 if (!*activep) { 1513 arg = strdelim(&cp); 1514 break; 1515 } 1516 for (i = 0; i < options->num_subsystems; i++) 1517 if (strcmp(arg, options->subsystem_name[i]) == 0) 1518 fatal("%s line %d: Subsystem '%s' already defined.", 1519 filename, linenum, arg); 1520 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1521 arg = strdelim(&cp); 1522 if (!arg || *arg == '\0') 1523 fatal("%s line %d: Missing subsystem command.", 1524 filename, linenum); 1525 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1526 1527 /* Collect arguments (separate to executable) */ 1528 p = xstrdup(arg); 1529 len = strlen(p) + 1; 1530 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1531 len += 1 + strlen(arg); 1532 p = xreallocarray(p, 1, len); 1533 strlcat(p, " ", len); 1534 strlcat(p, arg, len); 1535 } 1536 options->subsystem_args[options->num_subsystems] = p; 1537 options->num_subsystems++; 1538 break; 1539 1540 case sMaxStartups: 1541 arg = strdelim(&cp); 1542 if (!arg || *arg == '\0') 1543 fatal("%s line %d: Missing MaxStartups spec.", 1544 filename, linenum); 1545 if ((n = sscanf(arg, "%d:%d:%d", 1546 &options->max_startups_begin, 1547 &options->max_startups_rate, 1548 &options->max_startups)) == 3) { 1549 if (options->max_startups_begin > 1550 options->max_startups || 1551 options->max_startups_rate > 100 || 1552 options->max_startups_rate < 1) 1553 fatal("%s line %d: Illegal MaxStartups spec.", 1554 filename, linenum); 1555 } else if (n != 1) 1556 fatal("%s line %d: Illegal MaxStartups spec.", 1557 filename, linenum); 1558 else 1559 options->max_startups = options->max_startups_begin; 1560 break; 1561 1562 case sMaxAuthTries: 1563 intptr = &options->max_authtries; 1564 goto parse_int; 1565 1566 case sMaxSessions: 1567 intptr = &options->max_sessions; 1568 goto parse_int; 1569 1570 case sBanner: 1571 charptr = &options->banner; 1572 goto parse_filename; 1573 1574 /* 1575 * These options can contain %X options expanded at 1576 * connect time, so that you can specify paths like: 1577 * 1578 * AuthorizedKeysFile /etc/ssh_keys/%u 1579 */ 1580 case sAuthorizedKeysFile: 1581 if (*activep && options->num_authkeys_files == 0) { 1582 while ((arg = strdelim(&cp)) && *arg != '\0') { 1583 if (options->num_authkeys_files >= 1584 MAX_AUTHKEYS_FILES) 1585 fatal("%s line %d: " 1586 "too many authorized keys files.", 1587 filename, linenum); 1588 options->authorized_keys_files[ 1589 options->num_authkeys_files++] = 1590 tilde_expand_filename(arg, getuid()); 1591 } 1592 } 1593 return 0; 1594 1595 case sAuthorizedPrincipalsFile: 1596 charptr = &options->authorized_principals_file; 1597 arg = strdelim(&cp); 1598 if (!arg || *arg == '\0') 1599 fatal("%s line %d: missing file name.", 1600 filename, linenum); 1601 if (*activep && *charptr == NULL) { 1602 *charptr = tilde_expand_filename(arg, getuid()); 1603 /* increase optional counter */ 1604 if (intptr != NULL) 1605 *intptr = *intptr + 1; 1606 } 1607 break; 1608 1609 case sClientAliveInterval: 1610 intptr = &options->client_alive_interval; 1611 goto parse_time; 1612 1613 case sClientAliveCountMax: 1614 intptr = &options->client_alive_count_max; 1615 goto parse_int; 1616 1617 case sAcceptEnv: 1618 while ((arg = strdelim(&cp)) && *arg != '\0') { 1619 if (strchr(arg, '=') != NULL) 1620 fatal("%s line %d: Invalid environment name.", 1621 filename, linenum); 1622 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1623 fatal("%s line %d: too many allow env.", 1624 filename, linenum); 1625 if (!*activep) 1626 continue; 1627 options->accept_env[options->num_accept_env++] = 1628 xstrdup(arg); 1629 } 1630 break; 1631 1632 case sPermitTunnel: 1633 intptr = &options->permit_tun; 1634 arg = strdelim(&cp); 1635 if (!arg || *arg == '\0') 1636 fatal("%s line %d: Missing yes/point-to-point/" 1637 "ethernet/no argument.", filename, linenum); 1638 value = -1; 1639 for (i = 0; tunmode_desc[i].val != -1; i++) 1640 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1641 value = tunmode_desc[i].val; 1642 break; 1643 } 1644 if (value == -1) 1645 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1646 "no argument: %s", filename, linenum, arg); 1647 if (*activep && *intptr == -1) 1648 *intptr = value; 1649 break; 1650 1651 case sMatch: 1652 if (cmdline) 1653 fatal("Match directive not supported as a command-line " 1654 "option"); 1655 value = match_cfg_line(&cp, linenum, connectinfo); 1656 if (value < 0) 1657 fatal("%s line %d: Bad Match condition", filename, 1658 linenum); 1659 *activep = value; 1660 break; 1661 1662 case sPermitOpen: 1663 arg = strdelim(&cp); 1664 if (!arg || *arg == '\0') 1665 fatal("%s line %d: missing PermitOpen specification", 1666 filename, linenum); 1667 n = options->num_permitted_opens; /* modified later */ 1668 if (strcmp(arg, "any") == 0) { 1669 if (*activep && n == -1) { 1670 channel_clear_adm_permitted_opens(); 1671 options->num_permitted_opens = 0; 1672 } 1673 break; 1674 } 1675 if (strcmp(arg, "none") == 0) { 1676 if (*activep && n == -1) { 1677 options->num_permitted_opens = 1; 1678 channel_disable_adm_local_opens(); 1679 } 1680 break; 1681 } 1682 if (*activep && n == -1) 1683 channel_clear_adm_permitted_opens(); 1684 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1685 p = hpdelim(&arg); 1686 if (p == NULL) 1687 fatal("%s line %d: missing host in PermitOpen", 1688 filename, linenum); 1689 p = cleanhostname(p); 1690 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1691 fatal("%s line %d: bad port number in " 1692 "PermitOpen", filename, linenum); 1693 if (*activep && n == -1) 1694 options->num_permitted_opens = 1695 channel_add_adm_permitted_opens(p, port); 1696 } 1697 break; 1698 1699 case sForceCommand: 1700 if (cp == NULL || *cp == '\0') 1701 fatal("%.200s line %d: Missing argument.", filename, 1702 linenum); 1703 len = strspn(cp, WHITESPACE); 1704 if (*activep && options->adm_forced_command == NULL) 1705 options->adm_forced_command = xstrdup(cp + len); 1706 return 0; 1707 1708 case sChrootDirectory: 1709 charptr = &options->chroot_directory; 1710 1711 arg = strdelim(&cp); 1712 if (!arg || *arg == '\0') 1713 fatal("%s line %d: missing file name.", 1714 filename, linenum); 1715 if (*activep && *charptr == NULL) 1716 *charptr = xstrdup(arg); 1717 break; 1718 1719 case sTrustedUserCAKeys: 1720 charptr = &options->trusted_user_ca_keys; 1721 goto parse_filename; 1722 1723 case sRevokedKeys: 1724 charptr = &options->revoked_keys_file; 1725 goto parse_filename; 1726 1727 case sIPQoS: 1728 arg = strdelim(&cp); 1729 if ((value = parse_ipqos(arg)) == -1) 1730 fatal("%s line %d: Bad IPQoS value: %s", 1731 filename, linenum, arg); 1732 arg = strdelim(&cp); 1733 if (arg == NULL) 1734 value2 = value; 1735 else if ((value2 = parse_ipqos(arg)) == -1) 1736 fatal("%s line %d: Bad IPQoS value: %s", 1737 filename, linenum, arg); 1738 if (*activep) { 1739 options->ip_qos_interactive = value; 1740 options->ip_qos_bulk = value2; 1741 } 1742 break; 1743 1744 case sVersionAddendum: 1745 if (cp == NULL || *cp == '\0') 1746 fatal("%.200s line %d: Missing argument.", filename, 1747 linenum); 1748 len = strspn(cp, WHITESPACE); 1749 if (*activep && options->version_addendum == NULL) { 1750 if (strcasecmp(cp + len, "none") == 0) 1751 options->version_addendum = xstrdup(""); 1752 else if (strchr(cp + len, '\r') != NULL) 1753 fatal("%.200s line %d: Invalid argument", 1754 filename, linenum); 1755 else 1756 options->version_addendum = xstrdup(cp + len); 1757 } 1758 return 0; 1759 1760 case sAuthorizedKeysCommand: 1761 if (cp == NULL) 1762 fatal("%.200s line %d: Missing argument.", filename, 1763 linenum); 1764 len = strspn(cp, WHITESPACE); 1765 if (*activep && options->authorized_keys_command == NULL) { 1766 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1767 fatal("%.200s line %d: AuthorizedKeysCommand " 1768 "must be an absolute path", 1769 filename, linenum); 1770 options->authorized_keys_command = xstrdup(cp + len); 1771 } 1772 return 0; 1773 1774 case sAuthorizedKeysCommandUser: 1775 charptr = &options->authorized_keys_command_user; 1776 1777 arg = strdelim(&cp); 1778 if (!arg || *arg == '\0') 1779 fatal("%s line %d: missing AuthorizedKeysCommandUser " 1780 "argument.", filename, linenum); 1781 if (*activep && *charptr == NULL) 1782 *charptr = xstrdup(arg); 1783 break; 1784 1785 case sAuthorizedPrincipalsCommand: 1786 if (cp == NULL) 1787 fatal("%.200s line %d: Missing argument.", filename, 1788 linenum); 1789 len = strspn(cp, WHITESPACE); 1790 if (*activep && 1791 options->authorized_principals_command == NULL) { 1792 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1793 fatal("%.200s line %d: " 1794 "AuthorizedPrincipalsCommand must be " 1795 "an absolute path", filename, linenum); 1796 options->authorized_principals_command = 1797 xstrdup(cp + len); 1798 } 1799 return 0; 1800 1801 case sAuthorizedPrincipalsCommandUser: 1802 charptr = &options->authorized_principals_command_user; 1803 1804 arg = strdelim(&cp); 1805 if (!arg || *arg == '\0') 1806 fatal("%s line %d: missing " 1807 "AuthorizedPrincipalsCommandUser argument.", 1808 filename, linenum); 1809 if (*activep && *charptr == NULL) 1810 *charptr = xstrdup(arg); 1811 break; 1812 1813 case sAuthenticationMethods: 1814 if (options->num_auth_methods == 0) { 1815 value = 0; /* seen "any" pseudo-method */ 1816 value2 = 0; /* sucessfully parsed any method */ 1817 while ((arg = strdelim(&cp)) && *arg != '\0') { 1818 if (options->num_auth_methods >= 1819 MAX_AUTH_METHODS) 1820 fatal("%s line %d: " 1821 "too many authentication methods.", 1822 filename, linenum); 1823 if (strcmp(arg, "any") == 0) { 1824 if (options->num_auth_methods > 0) { 1825 fatal("%s line %d: \"any\" " 1826 "must appear alone in " 1827 "AuthenticationMethods", 1828 filename, linenum); 1829 } 1830 value = 1; 1831 } else if (value) { 1832 fatal("%s line %d: \"any\" must appear " 1833 "alone in AuthenticationMethods", 1834 filename, linenum); 1835 } else if (auth2_methods_valid(arg, 0) != 0) { 1836 fatal("%s line %d: invalid " 1837 "authentication method list.", 1838 filename, linenum); 1839 } 1840 value2 = 1; 1841 if (!*activep) 1842 continue; 1843 options->auth_methods[ 1844 options->num_auth_methods++] = xstrdup(arg); 1845 } 1846 if (value2 == 0) { 1847 fatal("%s line %d: no AuthenticationMethods " 1848 "specified", filename, linenum); 1849 } 1850 } 1851 return 0; 1852 1853 case sStreamLocalBindMask: 1854 arg = strdelim(&cp); 1855 if (!arg || *arg == '\0') 1856 fatal("%s line %d: missing StreamLocalBindMask " 1857 "argument.", filename, linenum); 1858 /* Parse mode in octal format */ 1859 value = strtol(arg, &p, 8); 1860 if (arg == p || value < 0 || value > 0777) 1861 fatal("%s line %d: Bad mask.", filename, linenum); 1862 if (*activep) 1863 options->fwd_opts.streamlocal_bind_mask = (mode_t)value; 1864 break; 1865 1866 case sStreamLocalBindUnlink: 1867 intptr = &options->fwd_opts.streamlocal_bind_unlink; 1868 goto parse_flag; 1869 1870 case sFingerprintHash: 1871 arg = strdelim(&cp); 1872 if (!arg || *arg == '\0') 1873 fatal("%.200s line %d: Missing argument.", 1874 filename, linenum); 1875 if ((value = ssh_digest_alg_by_name(arg)) == -1) 1876 fatal("%.200s line %d: Invalid hash algorithm \"%s\".", 1877 filename, linenum, arg); 1878 if (*activep) 1879 options->fingerprint_hash = value; 1880 break; 1881 1882 case sDeprecated: 1883 logit("%s line %d: Deprecated option %s", 1884 filename, linenum, arg); 1885 while (arg) 1886 arg = strdelim(&cp); 1887 break; 1888 1889 case sUnsupported: 1890 logit("%s line %d: Unsupported option %s", 1891 filename, linenum, arg); 1892 while (arg) 1893 arg = strdelim(&cp); 1894 break; 1895 1896 default: 1897 fatal("%s line %d: Missing handler for opcode %s (%d)", 1898 filename, linenum, arg, opcode); 1899 } 1900 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1901 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1902 filename, linenum, arg); 1903 return 0; 1904 } 1905 1906 /* Reads the server configuration file. */ 1907 1908 void 1909 load_server_config(const char *filename, Buffer *conf) 1910 { 1911 char line[4096], *cp; 1912 FILE *f; 1913 int lineno = 0; 1914 1915 debug2("%s: filename %s", __func__, filename); 1916 if ((f = fopen(filename, "r")) == NULL) { 1917 perror(filename); 1918 exit(1); 1919 } 1920 buffer_clear(conf); 1921 while (fgets(line, sizeof(line), f)) { 1922 lineno++; 1923 if (strlen(line) == sizeof(line) - 1) 1924 fatal("%s line %d too long", filename, lineno); 1925 /* 1926 * Trim out comments and strip whitespace 1927 * NB - preserve newlines, they are needed to reproduce 1928 * line numbers later for error messages 1929 */ 1930 if ((cp = strchr(line, '#')) != NULL) 1931 memcpy(cp, "\n", 2); 1932 cp = line + strspn(line, " \t\r"); 1933 1934 buffer_append(conf, cp, strlen(cp)); 1935 } 1936 buffer_append(conf, "\0", 1); 1937 fclose(f); 1938 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1939 } 1940 1941 void 1942 parse_server_match_config(ServerOptions *options, 1943 struct connection_info *connectinfo) 1944 { 1945 ServerOptions mo; 1946 1947 initialize_server_options(&mo); 1948 parse_server_config(&mo, "reprocess config", &cfg, connectinfo); 1949 copy_set_server_options(options, &mo, 0); 1950 } 1951 1952 int parse_server_match_testspec(struct connection_info *ci, char *spec) 1953 { 1954 char *p; 1955 1956 while ((p = strsep(&spec, ",")) && *p != '\0') { 1957 if (strncmp(p, "addr=", 5) == 0) { 1958 ci->address = xstrdup(p + 5); 1959 } else if (strncmp(p, "host=", 5) == 0) { 1960 ci->host = xstrdup(p + 5); 1961 } else if (strncmp(p, "user=", 5) == 0) { 1962 ci->user = xstrdup(p + 5); 1963 } else if (strncmp(p, "laddr=", 6) == 0) { 1964 ci->laddress = xstrdup(p + 6); 1965 } else if (strncmp(p, "lport=", 6) == 0) { 1966 ci->lport = a2port(p + 6); 1967 if (ci->lport == -1) { 1968 fprintf(stderr, "Invalid port '%s' in test mode" 1969 " specification %s\n", p+6, p); 1970 return -1; 1971 } 1972 } else { 1973 fprintf(stderr, "Invalid test mode specification %s\n", 1974 p); 1975 return -1; 1976 } 1977 } 1978 return 0; 1979 } 1980 1981 /* 1982 * returns 1 for a complete spec, 0 for partial spec and -1 for an 1983 * empty spec. 1984 */ 1985 int server_match_spec_complete(struct connection_info *ci) 1986 { 1987 if (ci->user && ci->host && ci->address) 1988 return 1; /* complete */ 1989 if (!ci->user && !ci->host && !ci->address) 1990 return -1; /* empty */ 1991 return 0; /* partial */ 1992 } 1993 1994 /* 1995 * Copy any supported values that are set. 1996 * 1997 * If the preauth flag is set, we do not bother copying the string or 1998 * array values that are not used pre-authentication, because any that we 1999 * do use must be explictly sent in mm_getpwnamallow(). 2000 */ 2001 void 2002 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 2003 { 2004 #define M_CP_INTOPT(n) do {\ 2005 if (src->n != -1) \ 2006 dst->n = src->n; \ 2007 } while (0) 2008 2009 M_CP_INTOPT(password_authentication); 2010 M_CP_INTOPT(gss_authentication); 2011 M_CP_INTOPT(rsa_authentication); 2012 M_CP_INTOPT(pubkey_authentication); 2013 M_CP_INTOPT(kerberos_authentication); 2014 M_CP_INTOPT(hostbased_authentication); 2015 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 2016 M_CP_INTOPT(kbd_interactive_authentication); 2017 M_CP_INTOPT(permit_root_login); 2018 M_CP_INTOPT(permit_empty_passwd); 2019 2020 M_CP_INTOPT(allow_tcp_forwarding); 2021 M_CP_INTOPT(allow_streamlocal_forwarding); 2022 M_CP_INTOPT(allow_agent_forwarding); 2023 M_CP_INTOPT(permit_tun); 2024 M_CP_INTOPT(fwd_opts.gateway_ports); 2025 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); 2026 M_CP_INTOPT(x11_display_offset); 2027 M_CP_INTOPT(x11_forwarding); 2028 M_CP_INTOPT(x11_use_localhost); 2029 M_CP_INTOPT(permit_tty); 2030 M_CP_INTOPT(permit_user_rc); 2031 M_CP_INTOPT(max_sessions); 2032 M_CP_INTOPT(max_authtries); 2033 M_CP_INTOPT(ip_qos_interactive); 2034 M_CP_INTOPT(ip_qos_bulk); 2035 M_CP_INTOPT(rekey_limit); 2036 M_CP_INTOPT(rekey_interval); 2037 2038 /* 2039 * The bind_mask is a mode_t that may be unsigned, so we can't use 2040 * M_CP_INTOPT - it does a signed comparison that causes compiler 2041 * warnings. 2042 */ 2043 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) { 2044 dst->fwd_opts.streamlocal_bind_mask = 2045 src->fwd_opts.streamlocal_bind_mask; 2046 } 2047 2048 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ 2049 #define M_CP_STROPT(n) do {\ 2050 if (src->n != NULL && dst->n != src->n) { \ 2051 free(dst->n); \ 2052 dst->n = src->n; \ 2053 } \ 2054 } while(0) 2055 #define M_CP_STRARRAYOPT(n, num_n) do {\ 2056 if (src->num_n != 0) { \ 2057 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 2058 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 2059 } \ 2060 } while(0) 2061 2062 /* See comment in servconf.h */ 2063 COPY_MATCH_STRING_OPTS(); 2064 2065 /* Arguments that accept '+...' need to be expanded */ 2066 assemble_algorithms(dst); 2067 2068 /* 2069 * The only things that should be below this point are string options 2070 * which are only used after authentication. 2071 */ 2072 if (preauth) 2073 return; 2074 2075 /* These options may be "none" to clear a global setting */ 2076 M_CP_STROPT(adm_forced_command); 2077 if (option_clear_or_none(dst->adm_forced_command)) { 2078 free(dst->adm_forced_command); 2079 dst->adm_forced_command = NULL; 2080 } 2081 M_CP_STROPT(chroot_directory); 2082 if (option_clear_or_none(dst->chroot_directory)) { 2083 free(dst->chroot_directory); 2084 dst->chroot_directory = NULL; 2085 } 2086 } 2087 2088 #undef M_CP_INTOPT 2089 #undef M_CP_STROPT 2090 #undef M_CP_STRARRAYOPT 2091 2092 void 2093 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 2094 struct connection_info *connectinfo) 2095 { 2096 int active, linenum, bad_options = 0; 2097 char *cp, *obuf, *cbuf; 2098 2099 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 2100 2101 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) 2102 fatal("%s: sshbuf_dup_string failed", __func__); 2103 active = connectinfo ? 0 : 1; 2104 linenum = 1; 2105 while ((cp = strsep(&cbuf, "\n")) != NULL) { 2106 if (process_server_config_line(options, cp, filename, 2107 linenum++, &active, connectinfo) != 0) 2108 bad_options++; 2109 } 2110 free(obuf); 2111 if (bad_options > 0) 2112 fatal("%s: terminating, %d bad configuration options", 2113 filename, bad_options); 2114 process_queued_listen_addrs(options); 2115 } 2116 2117 static const char * 2118 fmt_multistate_int(int val, const struct multistate *m) 2119 { 2120 u_int i; 2121 2122 for (i = 0; m[i].key != NULL; i++) { 2123 if (m[i].value == val) 2124 return m[i].key; 2125 } 2126 return "UNKNOWN"; 2127 } 2128 2129 static const char * 2130 fmt_intarg(ServerOpCodes code, int val) 2131 { 2132 if (val == -1) 2133 return "unset"; 2134 switch (code) { 2135 case sAddressFamily: 2136 return fmt_multistate_int(val, multistate_addressfamily); 2137 case sPermitRootLogin: 2138 return fmt_multistate_int(val, multistate_permitrootlogin); 2139 case sGatewayPorts: 2140 return fmt_multistate_int(val, multistate_gatewayports); 2141 case sCompression: 2142 return fmt_multistate_int(val, multistate_compression); 2143 case sUsePrivilegeSeparation: 2144 return fmt_multistate_int(val, multistate_privsep); 2145 case sAllowTcpForwarding: 2146 return fmt_multistate_int(val, multistate_tcpfwd); 2147 case sAllowStreamLocalForwarding: 2148 return fmt_multistate_int(val, multistate_tcpfwd); 2149 case sFingerprintHash: 2150 return ssh_digest_alg_name(val); 2151 case sProtocol: 2152 switch (val) { 2153 case SSH_PROTO_1: 2154 return "1"; 2155 case SSH_PROTO_2: 2156 return "2"; 2157 case (SSH_PROTO_1|SSH_PROTO_2): 2158 return "2,1"; 2159 default: 2160 return "UNKNOWN"; 2161 } 2162 default: 2163 switch (val) { 2164 case 0: 2165 return "no"; 2166 case 1: 2167 return "yes"; 2168 default: 2169 return "UNKNOWN"; 2170 } 2171 } 2172 } 2173 2174 static const char * 2175 lookup_opcode_name(ServerOpCodes code) 2176 { 2177 u_int i; 2178 2179 for (i = 0; keywords[i].name != NULL; i++) 2180 if (keywords[i].opcode == code) 2181 return(keywords[i].name); 2182 return "UNKNOWN"; 2183 } 2184 2185 static void 2186 dump_cfg_int(ServerOpCodes code, int val) 2187 { 2188 printf("%s %d\n", lookup_opcode_name(code), val); 2189 } 2190 2191 static void 2192 dump_cfg_oct(ServerOpCodes code, int val) 2193 { 2194 printf("%s 0%o\n", lookup_opcode_name(code), val); 2195 } 2196 2197 static void 2198 dump_cfg_fmtint(ServerOpCodes code, int val) 2199 { 2200 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 2201 } 2202 2203 static void 2204 dump_cfg_string(ServerOpCodes code, const char *val) 2205 { 2206 if (val == NULL) 2207 return; 2208 printf("%s %s\n", lookup_opcode_name(code), 2209 val == NULL ? "none" : val); 2210 } 2211 2212 static void 2213 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 2214 { 2215 u_int i; 2216 2217 for (i = 0; i < count; i++) 2218 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 2219 } 2220 2221 static void 2222 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 2223 { 2224 u_int i; 2225 2226 if (count <= 0 && code != sAuthenticationMethods) 2227 return; 2228 printf("%s", lookup_opcode_name(code)); 2229 for (i = 0; i < count; i++) 2230 printf(" %s", vals[i]); 2231 if (code == sAuthenticationMethods && count == 0) 2232 printf(" any"); 2233 printf("\n"); 2234 } 2235 2236 void 2237 dump_config(ServerOptions *o) 2238 { 2239 u_int i; 2240 int ret; 2241 struct addrinfo *ai; 2242 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 2243 char *laddr1 = xstrdup(""), *laddr2 = NULL; 2244 2245 /* these are usually at the top of the config */ 2246 for (i = 0; i < o->num_ports; i++) 2247 printf("port %d\n", o->ports[i]); 2248 dump_cfg_fmtint(sProtocol, o->protocol); 2249 dump_cfg_fmtint(sAddressFamily, o->address_family); 2250 2251 /* 2252 * ListenAddress must be after Port. add_one_listen_addr pushes 2253 * addresses onto a stack, so to maintain ordering we need to 2254 * print these in reverse order. 2255 */ 2256 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 2257 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 2258 sizeof(addr), port, sizeof(port), 2259 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 2260 error("getnameinfo failed: %.100s", 2261 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 2262 strerror(errno)); 2263 } else { 2264 laddr2 = laddr1; 2265 if (ai->ai_family == AF_INET6) 2266 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s", 2267 addr, port, laddr2); 2268 else 2269 xasprintf(&laddr1, "listenaddress %s:%s\n%s", 2270 addr, port, laddr2); 2271 free(laddr2); 2272 } 2273 } 2274 printf("%s", laddr1); 2275 free(laddr1); 2276 2277 /* integer arguments */ 2278 #ifdef USE_PAM 2279 dump_cfg_fmtint(sUsePAM, o->use_pam); 2280 #endif 2281 dump_cfg_int(sServerKeyBits, o->server_key_bits); 2282 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 2283 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 2284 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 2285 dump_cfg_int(sMaxAuthTries, o->max_authtries); 2286 dump_cfg_int(sMaxSessions, o->max_sessions); 2287 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 2288 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 2289 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); 2290 2291 /* formatted integer arguments */ 2292 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 2293 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 2294 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 2295 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); 2296 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 2297 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 2298 o->hostbased_uses_name_from_packet_only); 2299 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 2300 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 2301 #ifdef KRB5 2302 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 2303 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 2304 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 2305 # ifdef USE_AFS 2306 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 2307 # endif 2308 #endif 2309 #ifdef GSSAPI 2310 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2311 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 2312 #endif 2313 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2314 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2315 o->kbd_interactive_authentication); 2316 dump_cfg_fmtint(sChallengeResponseAuthentication, 2317 o->challenge_response_authentication); 2318 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2319 #ifndef DISABLE_LASTLOG 2320 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2321 #endif 2322 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2323 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2324 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2325 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); 2326 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2327 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2328 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2329 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2330 dump_cfg_fmtint(sUseLogin, o->use_login); 2331 dump_cfg_fmtint(sCompression, o->compression); 2332 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 2333 dump_cfg_fmtint(sUseDNS, o->use_dns); 2334 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 2335 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); 2336 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); 2337 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); 2338 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 2339 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); 2340 2341 /* string arguments */ 2342 dump_cfg_string(sPidFile, o->pid_file); 2343 dump_cfg_string(sXAuthLocation, o->xauth_location); 2344 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); 2345 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); 2346 dump_cfg_string(sBanner, o->banner); 2347 dump_cfg_string(sForceCommand, o->adm_forced_command); 2348 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2349 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 2350 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 2351 dump_cfg_string(sAuthorizedPrincipalsFile, 2352 o->authorized_principals_file); 2353 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' 2354 ? "none" : o->version_addendum); 2355 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2356 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2357 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); 2358 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); 2359 dump_cfg_string(sHostKeyAgent, o->host_key_agent); 2360 dump_cfg_string(sKexAlgorithms, 2361 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); 2362 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? 2363 o->hostbased_key_types : KEX_DEFAULT_PK_ALG); 2364 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? 2365 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); 2366 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? 2367 o->pubkey_key_types : KEX_DEFAULT_PK_ALG); 2368 2369 /* string arguments requiring a lookup */ 2370 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2371 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 2372 2373 /* string array arguments */ 2374 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 2375 o->authorized_keys_files); 2376 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 2377 o->host_key_files); 2378 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, 2379 o->host_cert_files); 2380 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 2381 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 2382 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2383 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2384 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2385 dump_cfg_strarray_oneline(sAuthenticationMethods, 2386 o->num_auth_methods, o->auth_methods); 2387 2388 /* other arguments */ 2389 for (i = 0; i < o->num_subsystems; i++) 2390 printf("subsystem %s %s\n", o->subsystem_name[i], 2391 o->subsystem_args[i]); 2392 2393 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 2394 o->max_startups_rate, o->max_startups); 2395 2396 for (i = 0; tunmode_desc[i].val != -1; i++) 2397 if (tunmode_desc[i].val == o->permit_tun) { 2398 s = tunmode_desc[i].text; 2399 break; 2400 } 2401 dump_cfg_string(sPermitTunnel, s); 2402 2403 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2404 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2405 2406 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, 2407 o->rekey_interval); 2408 2409 channel_print_adm_permitted_opens(); 2410 } 2411