Lines Matching +full:num +full:- +full:macs
46 # include "openbsd-compat/glob.h"
49 #include "openbsd-compat/sys-queue.h"
/*
 * initialize_server_options(), matched lines only; the listing omits the
 * lines in between. Every field shown is set to an "unset" marker: -1 for
 * integer options, NULL for strings and lists, 0 for element counts, and
 * PERMIT_NOT_SET / SYSLOG_*_NOT_SET for the two enum-style fields. No
 * policy value is chosen here; fill_default_server_options() later tests
 * for these same markers before assigning a default.
 */
94 /* Portable-specific options */ in initialize_server_options()
95 options->use_pam = -1; in initialize_server_options()
96 options->pam_service_name = NULL; in initialize_server_options()
99 options->num_ports = 0; in initialize_server_options()
100 options->ports_from_cmdline = 0; in initialize_server_options()
101 options->queued_listen_addrs = NULL; in initialize_server_options()
102 options->num_queued_listens = 0; in initialize_server_options()
103 options->listen_addrs = NULL; in initialize_server_options()
104 options->num_listen_addrs = 0; in initialize_server_options()
105 options->address_family = -1; in initialize_server_options()
106 options->routing_domain = NULL; in initialize_server_options()
107 options->num_host_key_files = 0; in initialize_server_options()
108 options->num_host_cert_files = 0; in initialize_server_options()
109 options->host_key_agent = NULL; in initialize_server_options()
110 options->pid_file = NULL; in initialize_server_options()
111 options->login_grace_time = -1; in initialize_server_options()
112 options->permit_root_login = PERMIT_NOT_SET; in initialize_server_options()
113 options->ignore_rhosts = -1; in initialize_server_options()
114 options->ignore_user_known_hosts = -1; in initialize_server_options()
115 options->print_motd = -1; in initialize_server_options()
116 options->print_lastlog = -1; in initialize_server_options()
117 options->x11_forwarding = -1; in initialize_server_options()
118 options->x11_display_offset = -1; in initialize_server_options()
119 options->x11_use_localhost = -1; in initialize_server_options()
120 options->permit_tty = -1; in initialize_server_options()
121 options->permit_user_rc = -1; in initialize_server_options()
122 options->xauth_location = NULL; in initialize_server_options()
123 options->strict_modes = -1; in initialize_server_options()
124 options->tcp_keep_alive = -1; in initialize_server_options()
125 options->log_facility = SYSLOG_FACILITY_NOT_SET; in initialize_server_options()
126 options->log_level = SYSLOG_LEVEL_NOT_SET; in initialize_server_options()
127 options->num_log_verbose = 0; in initialize_server_options()
128 options->log_verbose = NULL; in initialize_server_options()
/* Authentication switches: all start unset, so none is on or off yet. */
129 options->hostbased_authentication = -1; in initialize_server_options()
130 options->hostbased_uses_name_from_packet_only = -1; in initialize_server_options()
131 options->hostbased_accepted_algos = NULL; in initialize_server_options()
132 options->hostkeyalgorithms = NULL; in initialize_server_options()
133 options->pubkey_authentication = -1; in initialize_server_options()
134 options->pubkey_auth_options = -1; in initialize_server_options()
135 options->pubkey_accepted_algos = NULL; in initialize_server_options()
136 options->kerberos_authentication = -1; in initialize_server_options()
137 options->kerberos_or_local_passwd = -1; in initialize_server_options()
138 options->kerberos_ticket_cleanup = -1; in initialize_server_options()
139 options->kerberos_get_afs_token = -1; in initialize_server_options()
140 options->gss_authentication=-1; in initialize_server_options()
141 options->gss_cleanup_creds = -1; in initialize_server_options()
142 options->gss_strict_acceptor = -1; in initialize_server_options()
143 options->password_authentication = -1; in initialize_server_options()
144 options->kbd_interactive_authentication = -1; in initialize_server_options()
145 options->permit_empty_passwd = -1; in initialize_server_options()
146 options->permit_user_env = -1; in initialize_server_options()
147 options->permit_user_env_allowlist = NULL; in initialize_server_options()
148 options->compression = -1; in initialize_server_options()
149 options->rekey_limit = -1; in initialize_server_options()
150 options->rekey_interval = -1; in initialize_server_options()
151 options->allow_tcp_forwarding = -1; in initialize_server_options()
152 options->allow_streamlocal_forwarding = -1; in initialize_server_options()
153 options->allow_agent_forwarding = -1; in initialize_server_options()
154 options->num_allow_users = 0; in initialize_server_options()
155 options->num_deny_users = 0; in initialize_server_options()
156 options->num_allow_groups = 0; in initialize_server_options()
157 options->num_deny_groups = 0; in initialize_server_options()
/*
 * The algorithm lists (ciphers, macs, kex, CA signature) start as NULL.
 * NOTE(review): the ASSEMBLE(macs, def_mac, all_mac) line in
 * assemble_algorithms() suggests the built-in lists are merged in later;
 * confirm in the full file.
 */
158 options->ciphers = NULL; in initialize_server_options()
159 options->macs = NULL; in initialize_server_options()
160 options->kex_algorithms = NULL; in initialize_server_options()
161 options->ca_sign_algorithms = NULL; in initialize_server_options()
162 options->fwd_opts.gateway_ports = -1; in initialize_server_options()
/* The unset marker is cast to mode_t here; the later check uses the same cast. */
163 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; in initialize_server_options()
164 options->fwd_opts.streamlocal_bind_unlink = -1; in initialize_server_options()
165 options->num_subsystems = 0; in initialize_server_options()
/* Connection-rate and per-source penalty knobs: also unset at this point. */
166 options->max_startups_begin = -1; in initialize_server_options()
167 options->max_startups_rate = -1; in initialize_server_options()
168 options->max_startups = -1; in initialize_server_options()
169 options->per_source_max_startups = -1; in initialize_server_options()
170 options->per_source_masklen_ipv4 = -1; in initialize_server_options()
171 options->per_source_masklen_ipv6 = -1; in initialize_server_options()
172 options->per_source_penalty_exempt = NULL; in initialize_server_options()
173 options->per_source_penalty.enabled = -1; in initialize_server_options()
174 options->per_source_penalty.max_sources4 = -1; in initialize_server_options()
175 options->per_source_penalty.max_sources6 = -1; in initialize_server_options()
176 options->per_source_penalty.overflow_mode = -1; in initialize_server_options()
177 options->per_source_penalty.overflow_mode6 = -1; in initialize_server_options()
178 options->per_source_penalty.penalty_crash = -1; in initialize_server_options()
179 options->per_source_penalty.penalty_authfail = -1; in initialize_server_options()
180 options->per_source_penalty.penalty_noauth = -1; in initialize_server_options()
181 options->per_source_penalty.penalty_grace = -1; in initialize_server_options()
182 options->per_source_penalty.penalty_refuseconnection = -1; in initialize_server_options()
183 options->per_source_penalty.penalty_max = -1; in initialize_server_options()
184 options->per_source_penalty.penalty_min = -1; in initialize_server_options()
185 options->max_authtries = -1; in initialize_server_options()
186 options->max_sessions = -1; in initialize_server_options()
187 options->banner = NULL; in initialize_server_options()
188 options->use_dns = -1; in initialize_server_options()
189 options->client_alive_interval = -1; in initialize_server_options()
190 options->client_alive_count_max = -1; in initialize_server_options()
191 options->num_authkeys_files = 0; in initialize_server_options()
192 options->num_accept_env = 0; in initialize_server_options()
193 options->num_setenv = 0; in initialize_server_options()
194 options->permit_tun = -1; in initialize_server_options()
195 options->permitted_opens = NULL; in initialize_server_options()
196 options->permitted_listens = NULL; in initialize_server_options()
197 options->adm_forced_command = NULL; in initialize_server_options()
198 options->chroot_directory = NULL; in initialize_server_options()
199 options->authorized_keys_command = NULL; in initialize_server_options()
200 options->authorized_keys_command_user = NULL; in initialize_server_options()
201 options->revoked_keys_file = NULL; in initialize_server_options()
202 options->sk_provider = NULL; in initialize_server_options()
203 options->trusted_user_ca_keys = NULL; in initialize_server_options()
204 options->authorized_principals_file = NULL; in initialize_server_options()
205 options->authorized_principals_command = NULL; in initialize_server_options()
206 options->authorized_principals_command_user = NULL; in initialize_server_options()
207 options->ip_qos_interactive = -1; in initialize_server_options()
208 options->ip_qos_bulk = -1; in initialize_server_options()
209 options->version_addendum = NULL; in initialize_server_options()
210 options->fingerprint_hash = -1; in initialize_server_options()
211 options->disable_forwarding = -1; in initialize_server_options()
212 options->expose_userauth_info = -1; in initialize_server_options()
213 options->required_rsa_size = -1; in initialize_server_options()
214 options->channel_timeouts = NULL; in initialize_server_options()
215 options->num_channel_timeouts = 0; in initialize_server_options()
216 options->unused_connection_timeout = -1; in initialize_server_options()
217 options->sshd_session_path = NULL; in initialize_server_options()
218 options->refuse_connection = -1; in initialize_server_options()
219 options->use_blacklist = -1; in initialize_server_options()
249 if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ in assemble_algorithms()
253 ASSEMBLE(macs, def_mac, all_mac); in assemble_algorithms()
283 &options->host_key_files, &options->host_key_file_userprovided, in servconf_add_hostkey()
284 &options->num_host_key_files, apath, userprovided); in servconf_add_hostkey()
295 &options->host_cert_files, &options->num_host_cert_files, apath); in servconf_add_hostcert()
/*
 * fill_default_server_options(), matched lines only; the listing omits the
 * lines in between. Each assignment is guarded by a test for the "unset"
 * marker (-1, NULL, a zero count, or *_NOT_SET), so a value that is
 * already set is left untouched and only the remaining options receive
 * the built-in default shown here.
 */
304 /* Portable-specific options */ in fill_default_server_options()
/* PAM is on by default in this file, with the service name taken from SSHD_PAM_SERVICE. */
305 if (options->use_pam == -1) in fill_default_server_options()
306 options->use_pam = 1; in fill_default_server_options()
307 if (options->pam_service_name == NULL) in fill_default_server_options()
308 options->pam_service_name = xstrdup(SSHD_PAM_SERVICE); in fill_default_server_options()
311 if (options->num_host_key_files == 0) { in fill_default_server_options()
326 if (options->num_host_key_files == 0) in fill_default_server_options()
329 if (options->num_ports == 0) in fill_default_server_options()
330 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; in fill_default_server_options()
331 if (options->address_family == -1) in fill_default_server_options()
332 options->address_family = AF_UNSPEC; in fill_default_server_options()
333 if (options->listen_addrs == NULL) in fill_default_server_options()
335 if (options->pid_file == NULL) in fill_default_server_options()
336 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); in fill_default_server_options()
337 if (options->moduli_file == NULL) in fill_default_server_options()
338 options->moduli_file = xstrdup(_PATH_DH_MODULI); in fill_default_server_options()
339 if (options->login_grace_time == -1) in fill_default_server_options()
340 options->login_grace_time = 120; in fill_default_server_options()
/* An unset permit_root_login becomes PERMIT_NO here. */
341 if (options->permit_root_login == PERMIT_NOT_SET) in fill_default_server_options()
342 options->permit_root_login = PERMIT_NO; in fill_default_server_options()
343 if (options->ignore_rhosts == -1) in fill_default_server_options()
344 options->ignore_rhosts = 1; in fill_default_server_options()
345 if (options->ignore_user_known_hosts == -1) in fill_default_server_options()
346 options->ignore_user_known_hosts = 0; in fill_default_server_options()
347 if (options->print_motd == -1) in fill_default_server_options()
348 options->print_motd = 1; in fill_default_server_options()
349 if (options->print_lastlog == -1) in fill_default_server_options()
350 options->print_lastlog = 1; in fill_default_server_options()
351 if (options->x11_forwarding == -1) in fill_default_server_options()
352 options->x11_forwarding = 0; in fill_default_server_options()
353 if (options->x11_display_offset == -1) in fill_default_server_options()
354 options->x11_display_offset = 10; in fill_default_server_options()
355 if (options->x11_use_localhost == -1) in fill_default_server_options()
356 options->x11_use_localhost = 1; in fill_default_server_options()
357 if (options->xauth_location == NULL) in fill_default_server_options()
358 options->xauth_location = xstrdup(_PATH_XAUTH); in fill_default_server_options()
359 if (options->permit_tty == -1) in fill_default_server_options()
360 options->permit_tty = 1; in fill_default_server_options()
361 if (options->permit_user_rc == -1) in fill_default_server_options()
362 options->permit_user_rc = 1; in fill_default_server_options()
363 if (options->strict_modes == -1) in fill_default_server_options()
364 options->strict_modes = 1; in fill_default_server_options()
365 if (options->tcp_keep_alive == -1) in fill_default_server_options()
366 options->tcp_keep_alive = 1; in fill_default_server_options()
367 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) in fill_default_server_options()
368 options->log_facility = SYSLOG_FACILITY_AUTH; in fill_default_server_options()
369 if (options->log_level == SYSLOG_LEVEL_NOT_SET) in fill_default_server_options()
370 options->log_level = SYSLOG_LEVEL_INFO; in fill_default_server_options()
/*
 * Authentication defaults visible below: hostbased, Kerberos and GSSAPI
 * default to 0; public key defaults to 1; password_authentication
 * defaults to 0 while kbd_interactive_authentication defaults to 1.
 * NOTE(review): with use_pam also defaulting to 1, password prompts may
 * still be reachable through keyboard-interactive; check the PAM service
 * configuration before treating these defaults as "no passwords".
 */
371 if (options->hostbased_authentication == -1) in fill_default_server_options()
372 options->hostbased_authentication = 0; in fill_default_server_options()
373 if (options->hostbased_uses_name_from_packet_only == -1) in fill_default_server_options()
374 options->hostbased_uses_name_from_packet_only = 0; in fill_default_server_options()
375 if (options->pubkey_authentication == -1) in fill_default_server_options()
376 options->pubkey_authentication = 1; in fill_default_server_options()
377 if (options->pubkey_auth_options == -1) in fill_default_server_options()
378 options->pubkey_auth_options = 0; in fill_default_server_options()
379 if (options->kerberos_authentication == -1) in fill_default_server_options()
380 options->kerberos_authentication = 0; in fill_default_server_options()
381 if (options->kerberos_or_local_passwd == -1) in fill_default_server_options()
382 options->kerberos_or_local_passwd = 1; in fill_default_server_options()
383 if (options->kerberos_ticket_cleanup == -1) in fill_default_server_options()
384 options->kerberos_ticket_cleanup = 1; in fill_default_server_options()
385 if (options->kerberos_get_afs_token == -1) in fill_default_server_options()
386 options->kerberos_get_afs_token = 0; in fill_default_server_options()
387 if (options->gss_authentication == -1) in fill_default_server_options()
388 options->gss_authentication = 0; in fill_default_server_options()
389 if (options->gss_cleanup_creds == -1) in fill_default_server_options()
390 options->gss_cleanup_creds = 1; in fill_default_server_options()
391 if (options->gss_strict_acceptor == -1) in fill_default_server_options()
392 options->gss_strict_acceptor = 1; in fill_default_server_options()
393 if (options->password_authentication == -1) in fill_default_server_options()
394 options->password_authentication = 0; in fill_default_server_options()
395 if (options->kbd_interactive_authentication == -1) in fill_default_server_options()
396 options->kbd_interactive_authentication = 1; in fill_default_server_options()
397 if (options->permit_empty_passwd == -1) in fill_default_server_options()
398 options->permit_empty_passwd = 0; in fill_default_server_options()
399 if (options->permit_user_env == -1) { in fill_default_server_options()
400 options->permit_user_env = 0; in fill_default_server_options()
401 options->permit_user_env_allowlist = NULL; in fill_default_server_options()
/* NOTE(review): the lines that select between COMP_DELAYED and COMP_NONE are not in this listing. */
403 if (options->compression == -1) in fill_default_server_options()
405 options->compression = COMP_DELAYED; in fill_default_server_options()
407 options->compression = COMP_NONE; in fill_default_server_options()
410 if (options->rekey_limit == -1) in fill_default_server_options()
411 options->rekey_limit = 0; in fill_default_server_options()
412 if (options->rekey_interval == -1) in fill_default_server_options()
413 options->rekey_interval = 0; in fill_default_server_options()
/*
 * Forwarding is left enabled by default: TCP and stream-local forwarding
 * become FORWARD_ALLOW and agent forwarding becomes 1. Hosts that do not
 * need them have to turn them off in configuration.
 */
414 if (options->allow_tcp_forwarding == -1) in fill_default_server_options()
415 options->allow_tcp_forwarding = FORWARD_ALLOW; in fill_default_server_options()
416 if (options->allow_streamlocal_forwarding == -1) in fill_default_server_options()
417 options->allow_streamlocal_forwarding = FORWARD_ALLOW; in fill_default_server_options()
418 if (options->allow_agent_forwarding == -1) in fill_default_server_options()
419 options->allow_agent_forwarding = 1; in fill_default_server_options()
420 if (options->fwd_opts.gateway_ports == -1) in fill_default_server_options()
421 options->fwd_opts.gateway_ports = 0; in fill_default_server_options()
422 if (options->max_startups == -1) in fill_default_server_options()
423 options->max_startups = 100; in fill_default_server_options()
424 if (options->max_startups_rate == -1) in fill_default_server_options()
425 options->max_startups_rate = 30; /* 30% */ in fill_default_server_options()
426 if (options->max_startups_begin == -1) in fill_default_server_options()
427 options->max_startups_begin = 10; in fill_default_server_options()
/*
 * INT_MAX as the per-source default; NOTE(review): presumably this means
 * no effective per-source cap unless one is configured. The mask lengths
 * default to 32 (IPv4) and 128 (IPv6).
 */
428 if (options->per_source_max_startups == -1) in fill_default_server_options()
429 options->per_source_max_startups = INT_MAX; in fill_default_server_options()
430 if (options->per_source_masklen_ipv4 == -1) in fill_default_server_options()
431 options->per_source_masklen_ipv4 = 32; in fill_default_server_options()
432 if (options->per_source_masklen_ipv6 == -1) in fill_default_server_options()
433 options->per_source_masklen_ipv6 = 128; in fill_default_server_options()
/*
 * Per-source penalties default to enabled. The IPv6 overflow mode is not
 * given its own constant: when unset it copies whatever the IPv4 overflow
 * mode ended up as, so it must be filled in after that field.
 */
434 if (options->per_source_penalty.enabled == -1) in fill_default_server_options()
435 options->per_source_penalty.enabled = 1; in fill_default_server_options()
436 if (options->per_source_penalty.max_sources4 == -1) in fill_default_server_options()
437 options->per_source_penalty.max_sources4 = 65536; in fill_default_server_options()
438 if (options->per_source_penalty.max_sources6 == -1) in fill_default_server_options()
439 options->per_source_penalty.max_sources6 = 65536; in fill_default_server_options()
440 if (options->per_source_penalty.overflow_mode == -1) in fill_default_server_options()
441 options->per_source_penalty.overflow_mode = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE; in fill_default_server_options()
442 if (options->per_source_penalty.overflow_mode6 == -1) in fill_default_server_options()
443 options->per_source_penalty.overflow_mode6 = options->per_source_penalty.overflow_mode; in fill_default_server_options()
444 if (options->per_source_penalty.penalty_crash == -1) in fill_default_server_options()
445 options->per_source_penalty.penalty_crash = 90; in fill_default_server_options()
446 if (options->per_source_penalty.penalty_grace == -1) in fill_default_server_options()
447 options->per_source_penalty.penalty_grace = 10; in fill_default_server_options()
448 if (options->per_source_penalty.penalty_authfail == -1) in fill_default_server_options()
449 options->per_source_penalty.penalty_authfail = 5; in fill_default_server_options()
450 if (options->per_source_penalty.penalty_noauth == -1) in fill_default_server_options()
451 options->per_source_penalty.penalty_noauth = 1; in fill_default_server_options()
452 if (options->per_source_penalty.penalty_refuseconnection == -1) in fill_default_server_options()
453 options->per_source_penalty.penalty_refuseconnection = 10; in fill_default_server_options()
454 if (options->per_source_penalty.penalty_min == -1) in fill_default_server_options()
455 options->per_source_penalty.penalty_min = 15; in fill_default_server_options()
456 if (options->per_source_penalty.penalty_max == -1) in fill_default_server_options()
457 options->per_source_penalty.penalty_max = 600; in fill_default_server_options()
/* The limits below come from constants defined outside this listing. */
458 if (options->max_authtries == -1) in fill_default_server_options()
459 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; in fill_default_server_options()
460 if (options->max_sessions == -1) in fill_default_server_options()
461 options->max_sessions = DEFAULT_SESSIONS_MAX; in fill_default_server_options()
/*
 * NOTE(review): use_dns defaults to 1 in this file. If host-name based
 * access rules are in use they would then depend on DNS answers; confirm
 * that is intended for the deployment.
 */
462 if (options->use_dns == -1) in fill_default_server_options()
463 options->use_dns = 1; in fill_default_server_options()
464 if (options->client_alive_interval == -1) in fill_default_server_options()
465 options->client_alive_interval = 0; in fill_default_server_options()
466 if (options->client_alive_count_max == -1) in fill_default_server_options()
467 options->client_alive_count_max = 3; in fill_default_server_options()
468 if (options->num_authkeys_files == 0) { in fill_default_server_options()
470 &options->authorized_keys_files, in fill_default_server_options()
471 &options->num_authkeys_files, in fill_default_server_options()
474 &options->authorized_keys_files, in fill_default_server_options()
475 &options->num_authkeys_files, in fill_default_server_options()
478 if (options->permit_tun == -1) in fill_default_server_options()
479 options->permit_tun = SSH_TUNMODE_NO; in fill_default_server_options()
480 if (options->ip_qos_interactive == -1) in fill_default_server_options()
481 options->ip_qos_interactive = IPTOS_DSCP_AF21; in fill_default_server_options()
482 if (options->ip_qos_bulk == -1) in fill_default_server_options()
483 options->ip_qos_bulk = IPTOS_DSCP_CS1; in fill_default_server_options()
484 if (options->version_addendum == NULL) in fill_default_server_options()
485 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD); in fill_default_server_options()
/*
 * 0177 is octal. NOTE(review): if this value is applied as a umask,
 * forwarded sockets would be created with owner read/write only; confirm
 * where the mask is consumed.
 */
486 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) in fill_default_server_options()
487 options->fwd_opts.streamlocal_bind_mask = 0177; in fill_default_server_options()
488 if (options->fwd_opts.streamlocal_bind_unlink == -1) in fill_default_server_options()
489 options->fwd_opts.streamlocal_bind_unlink = 0; in fill_default_server_options()
490 if (options->fingerprint_hash == -1) in fill_default_server_options()
491 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; in fill_default_server_options()
492 if (options->disable_forwarding == -1) in fill_default_server_options()
493 options->disable_forwarding = 0; in fill_default_server_options()
494 if (options->expose_userauth_info == -1) in fill_default_server_options()
495 options->expose_userauth_info = 0; in fill_default_server_options()
496 if (options->sk_provider == NULL) in fill_default_server_options()
497 options->sk_provider = xstrdup("internal"); in fill_default_server_options()
498 if (options->required_rsa_size == -1) in fill_default_server_options()
499 options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; in fill_default_server_options()
500 if (options->unused_connection_timeout == -1) in fill_default_server_options()
501 options->unused_connection_timeout = 0; in fill_default_server_options()
502 if (options->sshd_session_path == NULL) in fill_default_server_options()
503 options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION); in fill_default_server_options()
504 if (options->refuse_connection == -1) in fill_default_server_options()
505 options->refuse_connection = 0; in fill_default_server_options()
506 if (options->use_blacklist == -1) in fill_default_server_options()
507 options->use_blacklist = 0; in fill_default_server_options()
520 if (options->nv == 1 && \ in fill_default_server_options()
521 strcasecmp(options->v[0], none) == 0) { \ in fill_default_server_options()
522 free(options->v[0]); \ in fill_default_server_options()
523 free(options->v); \ in fill_default_server_options()
524 options->v = NULL; \ in fill_default_server_options()
525 options->nv = 0; \ in fill_default_server_options()
/*
 * The macro fragment on lines 520-525 handles a one-element list whose
 * only entry compares equal (case-insensitively) to "none": the element
 * and the array are freed, then the pointer and count are reset to
 * NULL / 0 so no stale pointer is left behind. NOTE(review): the body of
 * CLEAR_ON_NONE used below is not in this listing; presumably it does the
 * same for single strings. Note that pid_file, xauth_location and
 * sk_provider were given defaults above and can still be cleared here.
 */
528 CLEAR_ON_NONE(options->pid_file); in fill_default_server_options()
529 CLEAR_ON_NONE(options->xauth_location); in fill_default_server_options()
530 CLEAR_ON_NONE(options->banner); in fill_default_server_options()
531 CLEAR_ON_NONE(options->trusted_user_ca_keys); in fill_default_server_options()
532 CLEAR_ON_NONE(options->revoked_keys_file); in fill_default_server_options()
533 CLEAR_ON_NONE(options->sk_provider); in fill_default_server_options()
534 CLEAR_ON_NONE(options->authorized_principals_file); in fill_default_server_options()
535 CLEAR_ON_NONE(options->adm_forced_command); in fill_default_server_options()
536 CLEAR_ON_NONE(options->chroot_directory); in fill_default_server_options()
537 CLEAR_ON_NONE(options->routing_domain); in fill_default_server_options()
538 CLEAR_ON_NONE(options->host_key_agent); in fill_default_server_options()
539 CLEAR_ON_NONE(options->per_source_penalty_exempt); in fill_default_server_options()
541 for (i = 0; i < options->num_host_key_files; i++) in fill_default_server_options()
542 CLEAR_ON_NONE(options->host_key_files[i]); in fill_default_server_options()
543 for (i = 0; i < options->num_host_cert_files; i++) in fill_default_server_options()
544 CLEAR_ON_NONE(options->host_cert_files[i]); in fill_default_server_options()
555 /* Portable-specific options */
607 /* Portable-specific options */
703 { "macs", sMacs, SSHCFG_GLOBAL },
771 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
774 { -1, NULL }
838 for (i = 0; i < options->num_ports; i++) { in add_listen_addr()
840 options->ports[i]); in add_listen_addr()
/*
 * add_one_listen_addr(), matched lines only. The visible lines search
 * listen_addrs for an entry with the same rdomain, append a new entry
 * when the search runs off the end, and then link a freshly resolved
 * address list in front of that entry's existing list.
 */
/*
 * Both NULL tests come before strcmp(); NOTE(review): presumably the
 * omitted lines break/continue so strcmp() never sees a NULL rdomain.
 */
855 for (i = 0; i < options->num_listen_addrs; i++) { in add_one_listen_addr()
856 if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL) in add_one_listen_addr()
858 if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL) in add_one_listen_addr()
860 if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0) in add_one_listen_addr()
/*
 * No match: grow the array by exactly one element. xrecallocarray() is
 * passed the old and new element counts plus the element size rather
 * than a byte total computed by the caller.
 */
863 if (i >= options->num_listen_addrs) { in add_one_listen_addr()
867 options->listen_addrs = xrecallocarray(options->listen_addrs, in add_one_listen_addr()
868 options->num_listen_addrs, options->num_listen_addrs + 1, in add_one_listen_addr()
869 sizeof(*options->listen_addrs)); in add_one_listen_addr()
870 i = options->num_listen_addrs++; in add_one_listen_addr()
872 options->listen_addrs[i].rdomain = xstrdup(rdomain); in add_one_listen_addr()
874 /* options->listen_addrs[i] points to the addresses for this rdomain */ in add_one_listen_addr()
877 hints.ai_family = options->address_family; in add_one_listen_addr()
/*
 * Walk to the last node of the new list, hang the existing list off it,
 * then make the new list the head. The loop dereferences aitop at once;
 * NOTE(review): this relies on the resolver call on the omitted lines
 * having succeeded and returned a non-empty list.
 */
885 for (ai = aitop; ai->ai_next; ai = ai->ai_next) in add_one_listen_addr()
887 ai->ai_next = options->listen_addrs[i].addrs; in add_one_listen_addr()
888 options->listen_addrs[i].addrs = aitop; in add_one_listen_addr()
/*
 * valid_rdomain(), matched lines only. The name is parsed as a number and
 * used as one component of a sysctl() MIB query.
 */
899 long long num; in valid_rdomain()
/*
 * strtonum() bounds the value to 0..255, so the later narrowing to int
 * cannot truncate. NOTE(review): the errstr check that rejects
 * non-numeric or out-of-range input is on a line not shown here.
 */
907 num = strtonum(name, 0, 255, &errstr); in valid_rdomain()
916 mib[5] = (int)num; in valid_rdomain()
917 if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1) in valid_rdomain()
/*
 * queue_listen_addr(), matched lines only. Appends one entry to
 * queued_listen_addrs: the array grows by a single element and the new
 * slot receives private copies of addr and rdomain (xstrdup), so the
 * queue does not alias the caller's strings. A NULL rdomain is stored as
 * NULL rather than copied.
 */
937 options->queued_listen_addrs = xrecallocarray( in queue_listen_addr()
938 options->queued_listen_addrs, in queue_listen_addr()
939 options->num_queued_listens, options->num_queued_listens + 1, in queue_listen_addr()
940 sizeof(*options->queued_listen_addrs)); in queue_listen_addr()
941 qla = &options->queued_listen_addrs[options->num_queued_listens++]; in queue_listen_addr()
942 qla->addr = xstrdup(addr); in queue_listen_addr()
943 qla->port = port; in queue_listen_addr()
944 qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain); in queue_listen_addr()
/*
 * process_queued_listen_addrs(), matched lines only. Drains the queue
 * built by queue_listen_addr(): each entry is handed to add_listen_addr()
 * and its strings are freed, then the queue array itself is released.
 */
/* The port and address family get their defaults first when still unset. */
956 if (options->num_ports == 0) in process_queued_listen_addrs()
957 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; in process_queued_listen_addrs()
958 if (options->address_family == -1) in process_queued_listen_addrs()
959 options->address_family = AF_UNSPEC; in process_queued_listen_addrs()
961 for (i = 0; i < options->num_queued_listens; i++) { in process_queued_listen_addrs()
962 qla = &options->queued_listen_addrs[i]; in process_queued_listen_addrs()
963 add_listen_addr(options, qla->addr, qla->rdomain, qla->port); in process_queued_listen_addrs()
964 free(qla->addr); in process_queued_listen_addrs()
965 free(qla->rdomain); in process_queued_listen_addrs()
/* Pointer and count are reset after the free so the queue reads as empty afterwards. */
967 free(options->queued_listen_addrs); in process_queued_listen_addrs()
968 options->queued_listen_addrs = NULL; in process_queued_listen_addrs()
969 options->num_queued_listens = 0; in process_queued_listen_addrs()
988 * - Add Match support for pre-kex directives, eg. Ciphers.
990 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
1000 * - Add a PermittedChannelRequests directive
1002 * PermittedChannelRequests session,forwarded-tcpip
1017 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { in match_cfg_line_group()
/*
 * match_cfg_line(), matched lines only. The visible lines compare
 * criteria arguments against the fields of the connection info ci (user,
 * host, address, laddress, lport, rdomain). Several branches set
 * result = -1 and the function can return -1; NOTE(review): presumably
 * -1 is the error result, confirm in the full file.
 */
/* Missing fields are logged as "(null)" instead of passing NULL to %s. */
1057 ci->user ? ci->user : "(null)", in match_cfg_line()
1058 ci->user_invalid ? " (invalid)" : "", in match_cfg_line()
1059 ci->host ? ci->host : "(null)", in match_cfg_line()
1060 ci->address ? ci->address : "(null)", in match_cfg_line()
1061 ci->laddress ? ci->laddress : "(null)", ci->lport); in match_cfg_line()
1080 result = -1; in match_cfg_line()
1088 /* Criterion "invalid-user" also has no argument */ in match_cfg_line()
1089 if (strcasecmp(attrib, "invalid-user") == 0) { in match_cfg_line()
1094 if (ci->user_invalid == 0) in match_cfg_line()
1097 debug("matched invalid-user at line %d", line); in match_cfg_line()
1118 result = -1; in match_cfg_line()
/*
 * Pattern repeated for each criterion below: first test for "no
 * connection info, or test mode with this field missing", then test the
 * field for NULL, and only then call the matcher with it.
 */
1122 if (ci == NULL || (ci->test && ci->user == NULL)) { in match_cfg_line()
1126 if (ci->user == NULL) in match_cfg_line()
1128 if (match_usergroup_pattern_list(ci->user, arg) != 1) in match_cfg_line()
1132 "line %d", ci->user, arg, line); in match_cfg_line()
1134 if (ci == NULL || (ci->test && ci->user == NULL)) { in match_cfg_line()
1138 if (ci->user == NULL) in match_cfg_line()
1140 switch (match_cfg_line_group(arg, line, ci->user)) { in match_cfg_line()
1141 case -1: in match_cfg_line()
1142 result = -1; in match_cfg_line()
1148 if (ci == NULL || (ci->test && ci->host == NULL)) { in match_cfg_line()
1152 if (ci->host == NULL) in match_cfg_line()
1154 if (match_hostname(ci->host, arg) != 1) in match_cfg_line()
/* %.100s caps how much of each string reaches the log. */
1158 "%.100s' at line %d", ci->host, arg, line); in match_cfg_line()
1160 if (ci == NULL || (ci->test && ci->address == NULL)) { in match_cfg_line()
1167 if (ci->address == NULL) in match_cfg_line()
/*
 * addr_match_list() results -1 and -2 are handled as separate cases; only
 * -2 is followed by result = -1 in the visible lines.
 */
1169 switch (addr_match_list(ci->address, arg)) { in match_cfg_line()
1172 "%.100s' at line %d", ci->address, arg, line); in match_cfg_line()
1175 case -1: in match_cfg_line()
1178 case -2: in match_cfg_line()
1179 result = -1; in match_cfg_line()
1183 if (ci == NULL || (ci->test && ci->laddress == NULL)) { in match_cfg_line()
1191 if (ci->laddress == NULL) in match_cfg_line()
1194 switch (addr_match_list(ci->laddress, arg)) { in match_cfg_line()
1198 ci->laddress, arg, line); in match_cfg_line()
1201 case -1: in match_cfg_line()
1204 case -2: in match_cfg_line()
1205 result = -1; in match_cfg_line()
/* An argument that a2port() rejects is treated as an error, not as a non-match. */
1209 if ((port = a2port(arg)) == -1) { in match_cfg_line()
1212 result = -1; in match_cfg_line()
/*
 * NOTE(review): the test-mode check compares lport with -1 while the next
 * check compares it with 0, i.e. two different "not available" values for
 * the same field; confirm both are intended.
 */
1215 if (ci == NULL || (ci->test && ci->lport == -1)) { in match_cfg_line()
1219 if (ci->lport == 0) in match_cfg_line()
1222 if (port == ci->lport) in match_cfg_line()
1225 ci->laddress, port, line); in match_cfg_line()
1229 if (ci == NULL || (ci->test && ci->rdomain == NULL)) { in match_cfg_line()
1233 if (ci->rdomain == NULL) in match_cfg_line()
1235 if (match_pattern_list(ci->rdomain, arg, 0) != 1) in match_cfg_line()
1239 "line %d", ci->rdomain, arg, line); in match_cfg_line()
1242 result = -1; in match_cfg_line()
1250 return -1; in match_cfg_line()
1253 if (ci != NULL && result != -1) in match_cfg_line()
1269 { NULL, -1 }
1274 { "shosts-only", IGNORE_RHOSTS_SHOSTS },
1275 { NULL, -1 }
1281 { NULL, -1 }
1284 { "without-password", PERMIT_NO_PASSWD },
1285 { "prohibit-password", PERMIT_NO_PASSWD },
1286 { "forced-commands-only", PERMIT_FORCED_ONLY },
1289 { NULL, -1 }
1297 { NULL, -1 }
1303 { NULL, -1 }
1311 { NULL, -1 }
1335 int ret = -1; in process_server_config_line_depth()
1342 for (len--; len > 0; len--) { in process_server_config_line_depth()
1359 return -1; in process_server_config_line_depth()
1367 return -1; in process_server_config_line_depth()
1389 /* Portable-specific options */ in process_server_config_line_depth()
1391 intptr = &options->use_pam; in process_server_config_line_depth()
1394 charptr = &options->pam_service_name; in process_server_config_line_depth()
1409 if (options->ports_from_cmdline) { in process_server_config_line_depth()
1413 if (options->num_ports >= MAX_PORTS) in process_server_config_line_depth()
1420 options->ports[options->num_ports++] = a2port(arg); in process_server_config_line_depth()
1421 if (options->ports[options->num_ports-1] <= 0) in process_server_config_line_depth()
1427 intptr = &options->login_grace_time; in process_server_config_line_depth()
1433 if ((value = convtime(arg)) == -1) in process_server_config_line_depth()
1436 if (*activep && *intptr == -1) in process_server_config_line_depth()
1479 intptr = &options->address_family; in process_server_config_line_depth()
1486 value = -1; in process_server_config_line_depth()
1493 if (value == -1) in process_server_config_line_depth()
1496 if (*activep && *intptr == -1) in process_server_config_line_depth()
1512 charptr = &options->host_key_agent; in process_server_config_line_depth()
1532 charptr = &options->pid_file; in process_server_config_line_depth()
1547 charptr = &options->moduli_file; in process_server_config_line_depth()
1551 intptr = &options->permit_root_login; in process_server_config_line_depth()
1556 intptr = &options->ignore_rhosts; in process_server_config_line_depth()
1561 intptr = &options->ignore_user_known_hosts; in process_server_config_line_depth()
1567 intptr = &options->hostbased_authentication; in process_server_config_line_depth()
1571 intptr = &options->hostbased_uses_name_from_packet_only; in process_server_config_line_depth()
1575 charptr = &options->hostbased_accepted_algos; in process_server_config_line_depth()
1582 if (*arg != '-' && in process_server_config_line_depth()
1592 charptr = &options->hostkeyalgorithms; in process_server_config_line_depth()
1597 charptr = &options->ca_sign_algorithms; in process_server_config_line_depth()
1602 intptr = &options->pubkey_authentication; in process_server_config_line_depth()
1607 charptr = &options->pubkey_accepted_algos; in process_server_config_line_depth()
1612 intptr = &options->pubkey_auth_options; in process_server_config_line_depth()
1617 if (strcasecmp(arg, "touch-required") == 0) in process_server_config_line_depth()
1619 else if (strcasecmp(arg, "verify-required") == 0) in process_server_config_line_depth()
1627 if (*activep && *intptr == -1) in process_server_config_line_depth()
1632 intptr = &options->kerberos_authentication; in process_server_config_line_depth()
1636 intptr = &options->kerberos_or_local_passwd; in process_server_config_line_depth()
1640 intptr = &options->kerberos_ticket_cleanup; in process_server_config_line_depth()
1644 intptr = &options->kerberos_get_afs_token; in process_server_config_line_depth()
1648 intptr = &options->gss_authentication; in process_server_config_line_depth()
1652 intptr = &options->gss_cleanup_creds; in process_server_config_line_depth()
1656 intptr = &options->gss_strict_acceptor; in process_server_config_line_depth()
1660 intptr = &options->password_authentication; in process_server_config_line_depth()
1664 intptr = &options->kbd_interactive_authentication; in process_server_config_line_depth()
1668 intptr = &options->print_motd; in process_server_config_line_depth()
1672 intptr = &options->print_lastlog; in process_server_config_line_depth()
1676 intptr = &options->x11_forwarding; in process_server_config_line_depth()
1680 intptr = &options->x11_display_offset; in process_server_config_line_depth()
1686 if (*activep && *intptr == -1) in process_server_config_line_depth()
1691 intptr = &options->x11_use_localhost; in process_server_config_line_depth()
1695 charptr = &options->xauth_location; in process_server_config_line_depth()
1699 intptr = &options->permit_tty; in process_server_config_line_depth()
1703 intptr = &options->permit_user_rc; in process_server_config_line_depth()
1707 intptr = &options->strict_modes; in process_server_config_line_depth()
1711 intptr = &options->tcp_keep_alive; in process_server_config_line_depth()
1715 intptr = &options->permit_empty_passwd; in process_server_config_line_depth()
1719 intptr = &options->permit_user_env; in process_server_config_line_depth()
1720 charptr = &options->permit_user_env_allowlist; in process_server_config_line_depth()
1732 /* Pattern-list specified */ in process_server_config_line_depth()
1736 if (*activep && *intptr == -1) { in process_server_config_line_depth()
1745 intptr = &options->compression; in process_server_config_line_depth()
1757 if (scan_scaled(arg, &val64) == -1) in process_server_config_line_depth()
1765 if (*activep && options->rekey_limit == -1) in process_server_config_line_depth()
1766 options->rekey_limit = val64; in process_server_config_line_depth()
1772 intptr = &options->rekey_interval; in process_server_config_line_depth()
1778 intptr = &options->fwd_opts.gateway_ports; in process_server_config_line_depth()
1783 intptr = &options->use_dns; in process_server_config_line_depth()
1787 log_facility_ptr = &options->log_facility; in process_server_config_line_depth()
1793 if (*log_facility_ptr == -1) in process_server_config_line_depth()
1798 log_level_ptr = &options->log_level; in process_server_config_line_depth()
1804 if (*activep && *log_level_ptr == -1) in process_server_config_line_depth()
1809 found = options->num_log_verbose == 0; in process_server_config_line_depth()
1833 options->log_verbose = strs; in process_server_config_line_depth()
1834 options->num_log_verbose = nstrs; in process_server_config_line_depth()
1841 intptr = &options->allow_tcp_forwarding; in process_server_config_line_depth()
1846 intptr = &options->allow_streamlocal_forwarding; in process_server_config_line_depth()
1851 intptr = &options->allow_agent_forwarding; in process_server_config_line_depth()
1855 intptr = &options->disable_forwarding; in process_server_config_line_depth()
1859 chararrayptr = &options->allow_users; in process_server_config_line_depth()
1860 uintptr = &options->num_allow_users; in process_server_config_line_depth()
1862 /* XXX appends to list; doesn't respect first-match-wins */ in process_server_config_line_depth()
1865 match_user(NULL, NULL, NULL, arg) == -1) in process_server_config_line_depth()
1881 chararrayptr = &options->deny_users; in process_server_config_line_depth()
1882 uintptr = &options->num_deny_users; in process_server_config_line_depth()
1886 chararrayptr = &options->allow_groups; in process_server_config_line_depth()
1887 uintptr = &options->num_allow_groups; in process_server_config_line_depth()
1888 /* XXX appends to list; doesn't respect first-match-wins */ in process_server_config_line_depth()
1907 chararrayptr = &options->deny_groups; in process_server_config_line_depth()
1908 uintptr = &options->num_deny_groups; in process_server_config_line_depth()
1916 if (*arg != '-' && in process_server_config_line_depth()
1920 if (options->ciphers == NULL) in process_server_config_line_depth()
1921 options->ciphers = xstrdup(arg); in process_server_config_line_depth()
1929 if (*arg != '-' && in process_server_config_line_depth()
1933 if (options->macs == NULL) in process_server_config_line_depth()
1934 options->macs = xstrdup(arg); in process_server_config_line_depth()
1942 if (*arg != '-' && in process_server_config_line_depth()
1947 if (options->kex_algorithms == NULL) in process_server_config_line_depth()
1948 options->kex_algorithms = xstrdup(arg); in process_server_config_line_depth()
1961 for (i = 0; i < options->num_subsystems; i++) { in process_server_config_line_depth()
1962 if (strcmp(arg, options->subsystem_name[i]) == 0) { in process_server_config_line_depth()
1973 options->subsystem_name = xrecallocarray( in process_server_config_line_depth()
1974 options->subsystem_name, options->num_subsystems, in process_server_config_line_depth()
1975 options->num_subsystems + 1, in process_server_config_line_depth()
1976 sizeof(*options->subsystem_name)); in process_server_config_line_depth()
1977 options->subsystem_command = xrecallocarray( in process_server_config_line_depth()
1978 options->subsystem_command, options->num_subsystems, in process_server_config_line_depth()
1979 options->num_subsystems + 1, in process_server_config_line_depth()
1980 sizeof(*options->subsystem_command)); in process_server_config_line_depth()
1981 options->subsystem_args = xrecallocarray( in process_server_config_line_depth()
1982 options->subsystem_args, options->num_subsystems, in process_server_config_line_depth()
1983 options->num_subsystems + 1, in process_server_config_line_depth()
1984 sizeof(*options->subsystem_args)); in process_server_config_line_depth()
1985 options->subsystem_name[options->num_subsystems] = xstrdup(arg); in process_server_config_line_depth()
1991 options->subsystem_command[options->num_subsystems] = in process_server_config_line_depth()
1996 xasprintf(&options->subsystem_args[options->num_subsystems], in process_server_config_line_depth()
2001 options->num_subsystems++; in process_server_config_line_depth()
2010 &options->max_startups_begin, in process_server_config_line_depth()
2011 &options->max_startups_rate, in process_server_config_line_depth()
2012 &options->max_startups)) == 3) { in process_server_config_line_depth()
2013 if (options->max_startups_begin > in process_server_config_line_depth()
2014 options->max_startups || in process_server_config_line_depth()
2015 options->max_startups_rate > 100 || in process_server_config_line_depth()
2016 options->max_startups_rate < 1) in process_server_config_line_depth()
2023 options->max_startups = options->max_startups_begin; in process_server_config_line_depth()
2024 if (options->max_startups <= 0 || in process_server_config_line_depth()
2025 options->max_startups_begin <= 0) in process_server_config_line_depth()
2038 n = -1; in process_server_config_line_depth()
2042 n = -1; in process_server_config_line_depth()
2048 options->per_source_masklen_ipv4 = value; in process_server_config_line_depth()
2049 options->per_source_masklen_ipv6 = value2; in process_server_config_line_depth()
2065 if (*activep && options->per_source_max_startups == -1) in process_server_config_line_depth()
2066 options->per_source_max_startups = value; in process_server_config_line_depth()
2070 charptr = &options->per_source_penalty_exempt; in process_server_config_line_depth()
2087 value = -1; in process_server_config_line_depth()
2099 options->per_source_penalty.enabled == -1) in process_server_config_line_depth()
2100 options->per_source_penalty.enabled = value2; in process_server_config_line_depth()
2104 intptr = &options->per_source_penalty.penalty_crash; in process_server_config_line_depth()
2107 intptr = &options->per_source_penalty.penalty_authfail; in process_server_config_line_depth()
2110 intptr = &options->per_source_penalty.penalty_noauth; in process_server_config_line_depth()
2111 } else if (strncmp(arg, "grace-exceeded:", 15) == 0) { in process_server_config_line_depth()
2113 intptr = &options->per_source_penalty.penalty_grace; in process_server_config_line_depth()
2116 intptr = &options->per_source_penalty.penalty_refuseconnection; in process_server_config_line_depth()
2119 intptr = &options->per_source_penalty.penalty_max; in process_server_config_line_depth()
2122 intptr = &options->per_source_penalty.penalty_min; in process_server_config_line_depth()
2123 } else if (strncmp(arg, "max-sources4:", 13) == 0) { in process_server_config_line_depth()
2124 intptr = &options->per_source_penalty.max_sources4; in process_server_config_line_depth()
2128 } else if (strncmp(arg, "max-sources6:", 13) == 0) { in process_server_config_line_depth()
2129 intptr = &options->per_source_penalty.max_sources6; in process_server_config_line_depth()
2133 } else if (strcmp(arg, "overflow:deny-all") == 0) { in process_server_config_line_depth()
2134 intptr = &options->per_source_penalty.overflow_mode; in process_server_config_line_depth()
2137 intptr = &options->per_source_penalty.overflow_mode; in process_server_config_line_depth()
2139 } else if (strcmp(arg, "overflow6:deny-all") == 0) { in process_server_config_line_depth()
2140 intptr = &options->per_source_penalty.overflow_mode6; in process_server_config_line_depth()
2143 intptr = &options->per_source_penalty.overflow_mode6; in process_server_config_line_depth()
2150 if (value == -1 && (value = convtime(p)) == -1) { in process_server_config_line_depth()
2154 if (*activep && *intptr == -1) { in process_server_config_line_depth()
2157 options->per_source_penalty.enabled = 1; in process_server_config_line_depth()
2167 intptr = &options->max_authtries; in process_server_config_line_depth()
2171 intptr = &options->max_sessions; in process_server_config_line_depth()
2175 charptr = &options->banner; in process_server_config_line_depth()
2185 found = options->num_authkeys_files == 0; in process_server_config_line_depth()
2202 options->authorized_keys_files = strs; in process_server_config_line_depth()
2203 options->num_authkeys_files = nstrs; in process_server_config_line_depth()
2210 charptr = &options->authorized_principals_file; in process_server_config_line_depth()
2224 intptr = &options->client_alive_interval; in process_server_config_line_depth()
2228 intptr = &options->client_alive_count_max; in process_server_config_line_depth()
2232 /* XXX appends to list; doesn't respect first-match-wins */ in process_server_config_line_depth()
2241 &options->accept_env, &options->num_accept_env, in process_server_config_line_depth()
2251 found = options->num_setenv == 0; in process_server_config_line_depth()
2269 options->setenv = strs; in process_server_config_line_depth()
2270 options->num_setenv = nstrs; in process_server_config_line_depth()
2277 intptr = &options->permit_tun; in process_server_config_line_depth()
2282 value = -1; in process_server_config_line_depth()
2283 for (i = 0; tunmode_desc[i].val != -1; i++) in process_server_config_line_depth()
2288 if (value == -1) in process_server_config_line_depth()
2291 if (*activep && *intptr == -1) in process_server_config_line_depth()
2298 "command-line option"); in process_server_config_line_depth()
2322 if (strcmp(item->selector, arg) != 0) in process_server_config_line_depth()
2324 if (item->filename != NULL) { in process_server_config_line_depth()
2326 item->filename, item->contents, in process_server_config_line_depth()
2356 item->selector = strdup(arg); in process_server_config_line_depth()
2366 item->selector = strdup(arg); in process_server_config_line_depth()
2367 item->filename = strdup(gbuf.gl_pathv[n]); in process_server_config_line_depth()
2368 if ((item->contents = sshbuf_new()) == NULL) in process_server_config_line_depth()
2370 load_server_config(item->filename, in process_server_config_line_depth()
2371 item->contents); in process_server_config_line_depth()
2373 item->filename, item->contents, in process_server_config_line_depth()
2393 fatal("Match directive not supported as a command-line " in process_server_config_line_depth()
2411 uintptr = &options->num_permitted_listens; in process_server_config_line_depth()
2412 chararrayptr = &options->permitted_listens; in process_server_config_line_depth()
2414 uintptr = &options->num_permitted_opens; in process_server_config_line_depth()
2415 chararrayptr = &options->permitted_opens; in process_server_config_line_depth()
2473 if (*activep && options->adm_forced_command == NULL) in process_server_config_line_depth()
2474 options->adm_forced_command = xstrdup(str + len); in process_server_config_line_depth()
2479 charptr = &options->chroot_directory; in process_server_config_line_depth()
2490 charptr = &options->trusted_user_ca_keys; in process_server_config_line_depth()
2494 charptr = &options->revoked_keys_file; in process_server_config_line_depth()
2498 charptr = &options->sk_provider; in process_server_config_line_depth()
2517 if ((value = parse_ipqos(arg)) == -1) in process_server_config_line_depth()
2523 else if ((value2 = parse_ipqos(arg)) == -1) in process_server_config_line_depth()
2527 options->ip_qos_interactive = value; in process_server_config_line_depth()
2528 options->ip_qos_bulk = value2; in process_server_config_line_depth()
2545 if (*activep && options->version_addendum == NULL) { in process_server_config_line_depth()
2547 options->version_addendum = xstrdup(""); in process_server_config_line_depth()
2549 options->version_addendum = xstrdup(str + len); in process_server_config_line_depth()
2555 charptr = &options->authorized_keys_command; in process_server_config_line_depth()
2568 charptr = &options->authorized_keys_command_user; in process_server_config_line_depth()
2580 charptr = &options->authorized_principals_command; in process_server_config_line_depth()
2584 charptr = &options->authorized_principals_command_user; in process_server_config_line_depth()
2588 found = options->num_auth_methods == 0; in process_server_config_line_depth()
2589 value = 0; /* seen "any" pseudo-method */ in process_server_config_line_depth()
2613 options->auth_methods = strs; in process_server_config_line_depth()
2614 options->num_auth_methods = nstrs; in process_server_config_line_depth()
2631 options->fwd_opts.streamlocal_bind_mask = (mode_t)value; in process_server_config_line_depth()
2635 intptr = &options->fwd_opts.streamlocal_bind_unlink; in process_server_config_line_depth()
2643 if ((value = ssh_digest_alg_by_name(arg)) == -1) in process_server_config_line_depth()
2647 options->fingerprint_hash = value; in process_server_config_line_depth()
2651 intptr = &options->expose_userauth_info; in process_server_config_line_depth()
2659 charptr = &options->routing_domain; in process_server_config_line_depth()
2673 intptr = &options->required_rsa_size; in process_server_config_line_depth()
2677 found = options->num_channel_timeouts == 0; in process_server_config_line_depth()
2700 options->channel_timeouts = strs; in process_server_config_line_depth()
2701 options->num_channel_timeouts = nstrs; in process_server_config_line_depth()
2708 intptr = &options->unused_connection_timeout; in process_server_config_line_depth()
2719 charptr = &options->sshd_session_path; in process_server_config_line_depth()
2723 intptr = &options->refuse_connection; in process_server_config_line_depth()
2728 intptr = &options->use_blacklist; in process_server_config_line_depth()
2794 while (getline(&line, &linesize, f) != -1) { in load_server_config()
2797 * NB - preserve newlines, they are needed to reproduce in load_server_config()
2829 ci->address = xstrdup(p + 5); in parse_server_match_testspec()
2831 ci->host = xstrdup(p + 5); in parse_server_match_testspec()
2833 ci->user = xstrdup(p + 5); in parse_server_match_testspec()
2835 ci->laddress = xstrdup(p + 6); in parse_server_match_testspec()
2837 ci->rdomain = xstrdup(p + 8); in parse_server_match_testspec()
2839 ci->lport = a2port(p + 6); in parse_server_match_testspec()
2840 if (ci->lport == -1) { in parse_server_match_testspec()
2843 return -1; in parse_server_match_testspec()
2845 } else if (strcmp(p, "invalid-user") == 0) { in parse_server_match_testspec()
2846 ci->user_invalid = 1; in parse_server_match_testspec()
2850 return -1; in parse_server_match_testspec()
2861 for (i = 0; i < src->num_subsystems; i++) { in servconf_merge_subsystems()
2863 for (j = 0; j < dst->num_subsystems; j++) { in servconf_merge_subsystems()
2864 if (strcmp(src->subsystem_name[i], in servconf_merge_subsystems()
2865 dst->subsystem_name[j]) == 0) { in servconf_merge_subsystems()
2871 debug_f("override \"%s\"", dst->subsystem_name[j]); in servconf_merge_subsystems()
2872 free(dst->subsystem_command[j]); in servconf_merge_subsystems()
2873 free(dst->subsystem_args[j]); in servconf_merge_subsystems()
2874 dst->subsystem_command[j] = in servconf_merge_subsystems()
2875 xstrdup(src->subsystem_command[i]); in servconf_merge_subsystems()
2876 dst->subsystem_args[j] = in servconf_merge_subsystems()
2877 xstrdup(src->subsystem_args[i]); in servconf_merge_subsystems()
2880 debug_f("add \"%s\"", src->subsystem_name[i]); in servconf_merge_subsystems()
2881 dst->subsystem_name = xrecallocarray( in servconf_merge_subsystems()
2882 dst->subsystem_name, dst->num_subsystems, in servconf_merge_subsystems()
2883 dst->num_subsystems + 1, sizeof(*dst->subsystem_name)); in servconf_merge_subsystems()
2884 dst->subsystem_command = xrecallocarray( in servconf_merge_subsystems()
2885 dst->subsystem_command, dst->num_subsystems, in servconf_merge_subsystems()
2886 dst->num_subsystems + 1, sizeof(*dst->subsystem_command)); in servconf_merge_subsystems()
2887 dst->subsystem_args = xrecallocarray( in servconf_merge_subsystems()
2888 dst->subsystem_args, dst->num_subsystems, in servconf_merge_subsystems()
2889 dst->num_subsystems + 1, sizeof(*dst->subsystem_args)); in servconf_merge_subsystems()
2890 j = dst->num_subsystems++; in servconf_merge_subsystems()
2891 dst->subsystem_name[j] = xstrdup(src->subsystem_name[i]); in servconf_merge_subsystems()
2892 dst->subsystem_command[j] = xstrdup(src->subsystem_command[i]); in servconf_merge_subsystems()
2893 dst->subsystem_args[j] = xstrdup(src->subsystem_args[i]); in servconf_merge_subsystems()
2901 * array values that are not used pre-authentication, because any that we
2908 if (src->n != -1) \ in copy_set_server_options()
2909 dst->n = src->n; \ in copy_set_server_options()
2952 * M_CP_INTOPT - it does a signed comparison that causes compiler in copy_set_server_options()
2955 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) { in copy_set_server_options()
2956 dst->fwd_opts.streamlocal_bind_mask = in copy_set_server_options()
2957 src->fwd_opts.streamlocal_bind_mask; in copy_set_server_options()
2962 if (src->n != NULL && dst->n != src->n) { \ in copy_set_server_options()
2963 free(dst->n); \ in copy_set_server_options()
2964 dst->n = src->n; \ in copy_set_server_options()
2969 if (src->num_s != 0) { \ in copy_set_server_options()
2970 for (i = 0; i < dst->num_s; i++) \ in copy_set_server_options()
2971 free(dst->s[i]); \ in copy_set_server_options()
2972 free(dst->s); \ in copy_set_server_options()
2973 dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \ in copy_set_server_options()
2974 for (i = 0; i < src->num_s; i++) \ in copy_set_server_options()
2975 dst->s[i] = xstrdup(src->s[i]); \ in copy_set_server_options()
2976 dst->num_s = src->num_s; \ in copy_set_server_options()
2995 if (option_clear_or_none(dst->adm_forced_command)) { in copy_set_server_options()
2996 free(dst->adm_forced_command); in copy_set_server_options()
2997 dst->adm_forced_command = NULL; in copy_set_server_options()
3000 if (option_clear_or_none(dst->chroot_directory)) { in copy_set_server_options()
3001 free(dst->chroot_directory); in copy_set_server_options()
3002 dst->chroot_directory = NULL; in copy_set_server_options()
3070 if (val == -1) in fmt_intarg()
3177 for (ai = la->addrs; ai; ai = ai->ai_next) { in format_listen_addrs()
3178 if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, in format_listen_addrs()
3185 if (ai->ai_family == AF_INET6) { in format_listen_addrs()
3188 la->rdomain == NULL ? "" : " rdomain ", in format_listen_addrs()
3189 la->rdomain == NULL ? "" : la->rdomain, in format_listen_addrs()
3194 la->rdomain == NULL ? "" : " rdomain ", in format_listen_addrs()
3195 la->rdomain == NULL ? "" : la->rdomain, in format_listen_addrs()
3210 for (i = 0; i < o->num_ports; i++) in dump_config()
3211 printf("port %d\n", o->ports[i]); in dump_config()
3212 dump_cfg_fmtint(sAddressFamily, o->address_family); in dump_config()
3214 for (i = 0; i < o->num_listen_addrs; i++) { in dump_config()
3215 s = format_listen_addrs(&o->listen_addrs[i]); in dump_config()
3222 dump_cfg_fmtint(sUsePAM, o->use_pam); in dump_config()
3223 dump_cfg_string(sPAMServiceName, o->pam_service_name); in dump_config()
3225 dump_cfg_int(sLoginGraceTime, o->login_grace_time); in dump_config()
3226 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); in dump_config()
3227 dump_cfg_int(sMaxAuthTries, o->max_authtries); in dump_config()
3228 dump_cfg_int(sMaxSessions, o->max_sessions); in dump_config()
3229 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); in dump_config()
3230 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); in dump_config()
3231 dump_cfg_int(sRequiredRSASize, o->required_rsa_size); in dump_config()
3232 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); in dump_config()
3233 dump_cfg_int(sUnusedConnectionTimeout, o->unused_connection_timeout); in dump_config()
3236 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); in dump_config()
3237 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); in dump_config()
3238 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); in dump_config()
3239 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); in dump_config()
3241 o->hostbased_uses_name_from_packet_only); in dump_config()
3242 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); in dump_config()
3244 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); in dump_config()
3245 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); in dump_config()
3246 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); in dump_config()
3248 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); in dump_config()
3252 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); in dump_config()
3253 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); in dump_config()
3255 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); in dump_config()
3257 o->kbd_interactive_authentication); in dump_config()
3258 dump_cfg_fmtint(sPrintMotd, o->print_motd); in dump_config()
3260 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); in dump_config()
3262 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); in dump_config()
3263 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); in dump_config()
3264 dump_cfg_fmtint(sPermitTTY, o->permit_tty); in dump_config()
3265 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); in dump_config()
3266 dump_cfg_fmtint(sStrictModes, o->strict_modes); in dump_config()
3267 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); in dump_config()
3268 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); in dump_config()
3269 dump_cfg_fmtint(sCompression, o->compression); in dump_config()
3270 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); in dump_config()
3271 dump_cfg_fmtint(sUseDNS, o->use_dns); in dump_config()
3272 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); in dump_config()
3273 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); in dump_config()
3274 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); in dump_config()
3275 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); in dump_config()
3276 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); in dump_config()
3277 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); in dump_config()
3278 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); in dump_config()
3279 dump_cfg_fmtint(sRefuseConnection, o->refuse_connection); in dump_config()
3280 dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); in dump_config()
3283 dump_cfg_string(sPidFile, o->pid_file); in dump_config()
3284 dump_cfg_string(sModuliFile, o->moduli_file); in dump_config()
3285 dump_cfg_string(sXAuthLocation, o->xauth_location); in dump_config()
3286 dump_cfg_string(sCiphers, o->ciphers); in dump_config()
3287 dump_cfg_string(sMacs, o->macs); in dump_config()
3288 dump_cfg_string(sBanner, o->banner); in dump_config()
3289 dump_cfg_string(sForceCommand, o->adm_forced_command); in dump_config()
3290 dump_cfg_string(sChrootDirectory, o->chroot_directory); in dump_config()
3291 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); in dump_config()
3292 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); in dump_config()
3293 dump_cfg_string(sSecurityKeyProvider, o->sk_provider); in dump_config()
3295 o->authorized_principals_file); in dump_config()
3296 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' in dump_config()
3297 ? "none" : o->version_addendum); in dump_config()
3298 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); in dump_config()
3299 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); in dump_config()
3300 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); in dump_config()
3301 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); in dump_config()
3302 dump_cfg_string(sHostKeyAgent, o->host_key_agent); in dump_config()
3303 dump_cfg_string(sKexAlgorithms, o->kex_algorithms); in dump_config()
3304 dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms); in dump_config()
3305 dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos); in dump_config()
3306 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms); in dump_config()
3307 dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos); in dump_config()
3309 dump_cfg_string(sRDomain, o->routing_domain); in dump_config()
3311 dump_cfg_string(sSshdSessionPath, o->sshd_session_path); in dump_config()
3312 dump_cfg_string(sPerSourcePenaltyExemptList, o->per_source_penalty_exempt); in dump_config()
3315 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); in dump_config()
3316 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); in dump_config()
3319 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, in dump_config()
3320 o->authorized_keys_files); in dump_config()
3321 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, in dump_config()
3322 o->host_key_files); in dump_config()
3323 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, in dump_config()
3324 o->host_cert_files); in dump_config()
3325 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); in dump_config()
3326 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); in dump_config()
3327 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); in dump_config()
3328 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); in dump_config()
3329 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); in dump_config()
3330 dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv); in dump_config()
3332 o->num_auth_methods, o->auth_methods); in dump_config()
3334 o->num_log_verbose, o->log_verbose); in dump_config()
3336 o->num_channel_timeouts, o->channel_timeouts); in dump_config()
3339 for (i = 0; i < o->num_subsystems; i++) in dump_config()
3340 printf("subsystem %s %s\n", o->subsystem_name[i], in dump_config()
3341 o->subsystem_args[i]); in dump_config()
3343 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, in dump_config()
3344 o->max_startups_rate, o->max_startups); in dump_config()
3346 if (o->per_source_max_startups == INT_MAX) in dump_config()
3349 printf("%d\n", o->per_source_max_startups); in dump_config()
3350 printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4, in dump_config()
3351 o->per_source_masklen_ipv6); in dump_config()
3354 for (i = 0; tunmode_desc[i].val != -1; i++) { in dump_config()
3355 if (tunmode_desc[i].val == o->permit_tun) { in dump_config()
3362 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); in dump_config()
3363 printf("%s\n", iptos2str(o->ip_qos_bulk)); in dump_config()
3365 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, in dump_config()
3366 o->rekey_interval); in dump_config()
3369 if (o->num_permitted_opens == 0) in dump_config()
3372 for (i = 0; i < o->num_permitted_opens; i++) in dump_config()
3373 printf(" %s", o->permitted_opens[i]); in dump_config()
3377 if (o->num_permitted_listens == 0) in dump_config()
3380 for (i = 0; i < o->num_permitted_listens; i++) in dump_config()
3381 printf(" %s", o->permitted_listens[i]); in dump_config()
3385 if (o->permit_user_env_allowlist == NULL) { in dump_config()
3386 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); in dump_config()
3389 o->permit_user_env_allowlist); in dump_config()
3393 if (o->pubkey_auth_options == 0) in dump_config()
3395 if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED) in dump_config()
3396 printf(" touch-required"); in dump_config()
3397 if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED) in dump_config()
3398 printf(" verify-required"); in dump_config()
3401 if (o->per_source_penalty.enabled) { in dump_config()
3403 "grace-exceeded:%d refuseconnection:%d max:%d min:%d " in dump_config()
3404 "max-sources4:%d max-sources6:%d " in dump_config()
3406 o->per_source_penalty.penalty_crash, in dump_config()
3407 o->per_source_penalty.penalty_authfail, in dump_config()
3408 o->per_source_penalty.penalty_noauth, in dump_config()
3409 o->per_source_penalty.penalty_grace, in dump_config()
3410 o->per_source_penalty.penalty_refuseconnection, in dump_config()
3411 o->per_source_penalty.penalty_max, in dump_config()
3412 o->per_source_penalty.penalty_min, in dump_config()
3413 o->per_source_penalty.max_sources4, in dump_config()
3414 o->per_source_penalty.max_sources6, in dump_config()
3415 o->per_source_penalty.overflow_mode == in dump_config()
3417 "deny-all" : "permissive", in dump_config()
3418 o->per_source_penalty.overflow_mode6 == in dump_config()
3420 "deny-all" : "permissive"); in dump_config()