1462c32cbSDag-Erling Smørgrav 2*bc5531deSDag-Erling Smørgrav /* $OpenBSD: servconf.c,v 1.260 2015/02/02 01:57:44 deraadt Exp $ */ 3511b41d2SMark Murray /* 4511b41d2SMark Murray * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5511b41d2SMark Murray * All rights reserved 6511b41d2SMark Murray * 7c2d3a559SKris Kennaway * As far as I am concerned, the code I have written for this software 8c2d3a559SKris Kennaway * can be used freely for any purpose. Any derived versions of this 9c2d3a559SKris Kennaway * software must be clearly marked as such, and if the derived work is 10c2d3a559SKris Kennaway * incompatible with the protocol description in the RFC file, it must be 11c2d3a559SKris Kennaway * called by a name other than "ssh" or "Secure Shell". 12511b41d2SMark Murray */ 13511b41d2SMark Murray 14511b41d2SMark Murray #include "includes.h" 15333ee039SDag-Erling Smørgrav __RCSID("$FreeBSD$"); 16511b41d2SMark Murray 17333ee039SDag-Erling Smørgrav #include <sys/types.h> 18333ee039SDag-Erling Smørgrav #include <sys/socket.h> 19333ee039SDag-Erling Smørgrav 204a421b63SDag-Erling Smørgrav #include <netinet/in.h> 214a421b63SDag-Erling Smørgrav #include <netinet/in_systm.h> 224a421b63SDag-Erling Smørgrav #include <netinet/ip.h> 234a421b63SDag-Erling Smørgrav 24e4a9863fSDag-Erling Smørgrav #include <ctype.h> 25333ee039SDag-Erling Smørgrav #include <netdb.h> 26333ee039SDag-Erling Smørgrav #include <pwd.h> 27333ee039SDag-Erling Smørgrav #include <stdio.h> 28333ee039SDag-Erling Smørgrav #include <stdlib.h> 29333ee039SDag-Erling Smørgrav #include <string.h> 30333ee039SDag-Erling Smørgrav #include <signal.h> 31333ee039SDag-Erling Smørgrav #include <unistd.h> 32*bc5531deSDag-Erling Smørgrav #include <limits.h> 33333ee039SDag-Erling Smørgrav #include <stdarg.h> 34d4af9e69SDag-Erling Smørgrav #include <errno.h> 35e4a9863fSDag-Erling Smørgrav #ifdef HAVE_UTIL_H 36e4a9863fSDag-Erling Smørgrav #include <util.h> 37e4a9863fSDag-Erling Smørgrav #endif 38333ee039SDag-Erling 
Smørgrav 39d4af9e69SDag-Erling Smørgrav #include "openbsd-compat/sys-queue.h" 40333ee039SDag-Erling Smørgrav #include "xmalloc.h" 41511b41d2SMark Murray #include "ssh.h" 42ca3176e7SBrian Feldman #include "log.h" 43333ee039SDag-Erling Smørgrav #include "buffer.h" 44a0ee8cc6SDag-Erling Smørgrav #include "misc.h" 45511b41d2SMark Murray #include "servconf.h" 46e8aafc91SKris Kennaway #include "compat.h" 47ca3176e7SBrian Feldman #include "pathnames.h" 48ca3176e7SBrian Feldman #include "cipher.h" 49333ee039SDag-Erling Smørgrav #include "key.h" 50ca3176e7SBrian Feldman #include "kex.h" 51ca3176e7SBrian Feldman #include "mac.h" 52333ee039SDag-Erling Smørgrav #include "match.h" 53333ee039SDag-Erling Smørgrav #include "channels.h" 54333ee039SDag-Erling Smørgrav #include "groupaccess.h" 55462c32cbSDag-Erling Smørgrav #include "canohost.h" 56462c32cbSDag-Erling Smørgrav #include "packet.h" 576888a9beSDag-Erling Smørgrav #include "hostfile.h" 586888a9beSDag-Erling Smørgrav #include "auth.h" 59*bc5531deSDag-Erling Smørgrav #include "myproposal.h" 60*bc5531deSDag-Erling Smørgrav #include "digest.h" 61b15c8340SDag-Erling Smørgrav #include "version.h" 62511b41d2SMark Murray 63cce7d346SDag-Erling Smørgrav static void add_listen_addr(ServerOptions *, char *, int); 64cce7d346SDag-Erling Smørgrav static void add_one_listen_addr(ServerOptions *, char *, int); 65ca3176e7SBrian Feldman 6680628bacSDag-Erling Smørgrav /* Use of privilege separation or not */ 6780628bacSDag-Erling Smørgrav extern int use_privsep; 68333ee039SDag-Erling Smørgrav extern Buffer cfg; 69511b41d2SMark Murray 70511b41d2SMark Murray /* Initializes the server options to their default values. 
*/

/*
 * Puts *options into the "nothing configured yet" state.
 *
 * The structure is zeroed first.  Every option is then given its
 * "unset" marker: -1 for integer settings, NULL for strings and lists,
 * 0 for element counters, and a dedicated *_NOT_SET / *_UNKNOWN constant
 * where one exists.  The values written here are markers only; the
 * effective defaults are substituted later by
 * fill_default_server_options() for whatever is still unset.
 *
 * The explicit 0/NULL stores repeat what memset() already did and are
 * kept so that each option's marker is visible in one place.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Listening sockets */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->address_family = -1;

	/* Host keys, certificates and daemon files */
	options->num_host_key_files = 0;
	options->num_host_cert_files = 0;
	options->host_key_agent = NULL;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Login and session behaviour */
	options->login_grace_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->strict_modes = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->permit_tty = -1;
	options->permit_user_rc = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->banner = NULL;
	options->use_dns = -1;
	options->adm_forced_command = NULL;
	options->chroot_directory = NULL;
	options->version_addendum = NULL;
	options->fingerprint_hash = -1;
	options->num_accept_env = 0;

	/* X11 */
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;

	/* Authentication switches */
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->hostbased_key_types = NULL;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->pubkey_key_types = NULL;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication = -1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;

	/* Key and principal sources */
	options->num_authkeys_files = 0;
	options->authorized_keys_command = NULL;
	options->authorized_keys_command_user = NULL;
	options->revoked_keys_file = NULL;
	options->trusted_user_ca_keys = NULL;
	options->authorized_principals_file = NULL;

	/* User and group access lists */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Transport: algorithms, rekeying, keepalives, QoS */
	options->compression = -1;
	options->rekey_limit = -1;
	options->rekey_interval = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->kex_algorithms = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->tcp_keep_alive = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->ip_qos_interactive = -1;
	options->ip_qos_bulk = -1;

	/* Forwarding and tunnelling */
	options->allow_tcp_forwarding = -1;
	options->allow_streamlocal_forwarding = -1;
	options->allow_agent_forwarding = -1;
	options->fwd_opts.gateway_ports = -1;
	/* mode_t may be unsigned, hence the cast on the marker. */
	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
	options->fwd_opts.streamlocal_bind_unlink = -1;
	options->permit_tun = -1;
	/* Note: this counter's marker is -1, unlike the other num_* fields. */
	options->num_permitted_opens = -1;

	/* Subsystems and connection/authentication limits */
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->max_authtries = -1;
	options->max_sessions = -1;
}

/*
 * Returns 1 when a string option was never set (NULL) or holds the
 * word "none" in any letter case; returns 0 for any other string.
 */
static int
option_clear_or_none(const char *o)
{
	if (o == NULL)
		return 1;
	return strcasecmp(o, "none") == 0;
}

/*
 * Replaces every option that still carries its "unset" marker with the
 * built-in default, then turns string options spelled "none" into NULL.
 * Options that already hold a configured value are left alone.  Also
 * resolves the global use_privsep when it is still -1.
 *
 * Defaults visible below that matter when auditing a deployment:
 *  - permit_root_login resolves to PERMIT_NO, password_authentication
 *    and permit_empty_passwd to 0, strict_modes to 1;
 *  - challenge_response_authentication and use_pam resolve to 1;
 *  - X11, TCP, stream-local and agent forwarding all resolve to enabled,
 *    so they must be switched off explicitly where they are not needed;
 *  - the protocol resolves to SSH_PROTO_2 only.
 * NOTE(review): whether the challenge-response/PAM path can still ask
 * for a password is decided outside this function; confirm before
 * reading password_authentication = 0 as "no password logins".
 */
void
fill_default_server_options(ServerOptions *options)
{
	int i;

/* Store dflt in field only while field still holds its unset marker. */
#define DEFAULT_IF_UNSET(field, unset, dflt) \
	do { \
		if ((field) == (unset)) \
			(field) = (dflt); \
	} while (0)

	/* Portable-specific options */
	DEFAULT_IF_UNSET(options->use_pam, -1, 1);

	/* Standard Options */
	DEFAULT_IF_UNSET(options->protocol, SSH_PROTO_UNKNOWN, SSH_PROTO_2);

	/*
	 * Default host keys follow the protocol chosen above, so this must
	 * run after the protocol default.  These paths are stored as given
	 * by the macros, not as xstrdup() copies.
	 */
	if (options->num_host_key_files == 0) {
		if (options->protocol & SSH_PROTO_1) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		}
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
#ifdef OPENSSL_HAS_ECC
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_ECDSA_KEY_FILE;
#endif
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_ED25519_KEY_FILE;
		}
	}
	/* No certificates by default */
	if (options->num_ports == 0) {
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	}
	if (options->listen_addrs == NULL) {
		add_listen_addr(options, NULL, 0);
	}
	DEFAULT_IF_UNSET(options->pid_file, NULL,
	    xstrdup(_PATH_SSH_DAEMON_PID_FILE));
	/* presumably only used when SSH_PROTO_1 is enabled -- TODO confirm */
	DEFAULT_IF_UNSET(options->server_key_bits, -1, 1024);
	DEFAULT_IF_UNSET(options->login_grace_time, -1, 120);
	DEFAULT_IF_UNSET(options->key_regeneration_time, -1, 3600);
	DEFAULT_IF_UNSET(options->permit_root_login, PERMIT_NOT_SET, PERMIT_NO);
	DEFAULT_IF_UNSET(options->ignore_rhosts, -1, 1);
	DEFAULT_IF_UNSET(options->ignore_user_known_hosts, -1, 0);
	DEFAULT_IF_UNSET(options->print_motd, -1, 1);
	DEFAULT_IF_UNSET(options->print_lastlog, -1, 1);
	DEFAULT_IF_UNSET(options->x11_forwarding, -1, 1);
	DEFAULT_IF_UNSET(options->x11_display_offset, -1, 10);
	DEFAULT_IF_UNSET(options->x11_use_localhost, -1, 1);
	DEFAULT_IF_UNSET(options->xauth_location, NULL, xstrdup(_PATH_XAUTH));
	DEFAULT_IF_UNSET(options->permit_tty, -1, 1);
	DEFAULT_IF_UNSET(options->permit_user_rc, -1, 1);
	DEFAULT_IF_UNSET(options->strict_modes, -1, 1);
	DEFAULT_IF_UNSET(options->tcp_keep_alive, -1, 1);
	DEFAULT_IF_UNSET(options->log_facility, SYSLOG_FACILITY_NOT_SET,
	    SYSLOG_FACILITY_AUTH);
	DEFAULT_IF_UNSET(options->log_level, SYSLOG_LEVEL_NOT_SET,
	    SYSLOG_LEVEL_INFO);
	DEFAULT_IF_UNSET(options->rhosts_rsa_authentication, -1, 0);
	DEFAULT_IF_UNSET(options->hostbased_authentication, -1, 0);
	DEFAULT_IF_UNSET(options->hostbased_uses_name_from_packet_only, -1, 0);
	/* "*" is a pattern; presumably it accepts every key type -- verify */
	DEFAULT_IF_UNSET(options->hostbased_key_types, NULL, xstrdup("*"));
	DEFAULT_IF_UNSET(options->rsa_authentication, -1, 1);
	DEFAULT_IF_UNSET(options->pubkey_authentication, -1, 1);
	DEFAULT_IF_UNSET(options->pubkey_key_types, NULL, xstrdup("*"));
	DEFAULT_IF_UNSET(options->kerberos_authentication, -1, 0);
	DEFAULT_IF_UNSET(options->kerberos_or_local_passwd, -1, 1);
	DEFAULT_IF_UNSET(options->kerberos_ticket_cleanup, -1, 1);
	DEFAULT_IF_UNSET(options->kerberos_get_afs_token, -1, 0);
	DEFAULT_IF_UNSET(options->gss_authentication, -1, 0);
	DEFAULT_IF_UNSET(options->gss_cleanup_creds, -1, 1);
	DEFAULT_IF_UNSET(options->password_authentication, -1, 0);
	DEFAULT_IF_UNSET(options->kbd_interactive_authentication, -1, 0);
	DEFAULT_IF_UNSET(options->challenge_response_authentication, -1, 1);
	DEFAULT_IF_UNSET(options->permit_empty_passwd, -1, 0);
	DEFAULT_IF_UNSET(options->permit_user_env, -1, 0);
	DEFAULT_IF_UNSET(options->use_login, -1, 0);
	DEFAULT_IF_UNSET(options->compression, -1, COMP_DELAYED);
	DEFAULT_IF_UNSET(options->rekey_limit, -1, 0);
	DEFAULT_IF_UNSET(options->rekey_interval, -1, 0);
	DEFAULT_IF_UNSET(options->allow_tcp_forwarding, -1, FORWARD_ALLOW);
	DEFAULT_IF_UNSET(options->allow_streamlocal_forwarding, -1,
	    FORWARD_ALLOW);
	DEFAULT_IF_UNSET(options->allow_agent_forwarding, -1, 1);
	DEFAULT_IF_UNSET(options->fwd_opts.gateway_ports, -1, 0);
	DEFAULT_IF_UNSET(options->max_startups, -1, 100);
	DEFAULT_IF_UNSET(options->max_startups_rate, -1, 30);	/* 30% */
	DEFAULT_IF_UNSET(options->max_startups_begin, -1, 10);
	DEFAULT_IF_UNSET(options->max_authtries, -1, DEFAULT_AUTH_FAIL_MAX);
	DEFAULT_IF_UNSET(options->max_sessions, -1, DEFAULT_SESSIONS_MAX);
	DEFAULT_IF_UNSET(options->use_dns, -1, 0);
	DEFAULT_IF_UNSET(options->client_alive_interval, -1, 0);
	DEFAULT_IF_UNSET(options->client_alive_count_max, -1, 3);
	if (options->num_authkeys_files == 0) {
		options->authorized_keys_files[options->num_authkeys_files++] =
		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
		options->authorized_keys_files[options->num_authkeys_files++] =
		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
	}
	DEFAULT_IF_UNSET(options->permit_tun, -1, SSH_TUNMODE_NO);
	DEFAULT_IF_UNSET(options->ip_qos_interactive, -1, IPTOS_LOWDELAY);
	DEFAULT_IF_UNSET(options->ip_qos_bulk, -1, IPTOS_THROUGHPUT);
	DEFAULT_IF_UNSET(options->version_addendum, NULL,
	    xstrdup(SSH_VERSION_FREEBSD));
	/* 0177: presumably a umask leaving owner read/write only -- verify */
	DEFAULT_IF_UNSET(options->fwd_opts.streamlocal_bind_mask, (mode_t)-1,
	    0177);
	DEFAULT_IF_UNSET(options->fwd_opts.streamlocal_bind_unlink, -1, 0);
	DEFAULT_IF_UNSET(options->fingerprint_hash, -1, SSH_FP_HASH_DEFAULT);
	/* Turn privilege separation on by default */
	DEFAULT_IF_UNSET(use_privsep, -1, PRIVSEP_ON);
#undef DEFAULT_IF_UNSET

	/*
	 * Normalise "none" to NULL so later code only has to test for NULL.
	 * The macro free()s the old string.  NOTE(review): the built-in host
	 * key paths above were stored without xstrdup(), so this relies on
	 * none of those path macros spelling "none".
	 */
#define CLEAR_ON_NONE(v) \
	do { \
		if (option_clear_or_none(v)) { \
			free(v); \
			v = NULL; \
		} \
	} while(0)
	CLEAR_ON_NONE(options->pid_file);
	CLEAR_ON_NONE(options->xauth_location);
	CLEAR_ON_NONE(options->banner);
	CLEAR_ON_NONE(options->trusted_user_ca_keys);
	CLEAR_ON_NONE(options->revoked_keys_file);
	for (i = 0; i < options->num_host_key_files; i++) {
		CLEAR_ON_NONE(options->host_key_files[i]);
	}
	for (i = 0; i < options->num_host_cert_files; i++) {
		CLEAR_ON_NONE(options->host_cert_files[i]);
	}
#undef CLEAR_ON_NONE

#ifndef HAVE_MMAP
	/*
	 * Without mmap, compression mode 1 is switched off whenever
	 * privilege separation is active; both error() lines are emitted.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}

/* Keyword tokens.
*/

/*
 * One opcode per configuration keyword family.  Several keyword
 * spellings can share an opcode.  Values are assigned implicitly by
 * position, starting with sBadOption as the first enumerator, so the
 * order below must not change.
 */
typedef enum {
	sBadOption,		/* == unknown option */

	/* Portable-specific options */
	sUsePAM,

	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing,
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sAddressFamily,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sPermitTTY,
	sStrictModes,
	sEmptyPasswd,
	sTCPKeepAlive,
	sPermitUserEnvironment,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sRekeyLimit,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sPubkeyAcceptedKeyTypes,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sMaxAuthTries,
	sMaxSessions,
	sBanner,
	sUseDNS,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sHostbasedAcceptedKeyTypes,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sGssAuthentication,
	sGssCleanupCreds,
	sAcceptEnv,
	sPermitTunnel,
	sMatch,
	sPermitOpen,
	sForceCommand,
	sChrootDirectory,
	sUsePrivilegeSeparation,
	sAllowAgentForwarding,
	sHostCertificate,
	sRevokedKeys,
	sTrustedUserCAKeys,
	sAuthorizedPrincipalsFile,
	sKexAlgorithms,
	sIPQoS,
	sVersionAddendum,
	sAuthorizedKeysCommand,
	sAuthorizedKeysCommandUser,
	sAuthenticationMethods,
	sHostKeyAgent,
	sPermitUserRC,
	sStreamLocalBindMask,
	sStreamLocalBindUnlink,
	sAllowStreamLocalForwarding,
	sFingerprintHash,

	/* Catch-all opcodes for keywords that are recognised but inactive */
	sDeprecated,
	sUnsupported
} ServerOpCodes;

/*
 * Scope flags stored with each keyword: where in the configuration the
 * keyword may appear.
 */
#define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
#define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)

/* Textual representation of the tokens.
*/ 414511b41d2SMark Murray static struct { 415511b41d2SMark Murray const char *name; 416511b41d2SMark Murray ServerOpCodes opcode; 417333ee039SDag-Erling Smørgrav u_int flags; 418511b41d2SMark Murray } keywords[] = { 419989dd127SDag-Erling Smørgrav /* Portable-specific options */ 420cf2b5f3bSDag-Erling Smørgrav #ifdef USE_PAM 421333ee039SDag-Erling Smørgrav { "usepam", sUsePAM, SSHCFG_GLOBAL }, 422cf2b5f3bSDag-Erling Smørgrav #else 423333ee039SDag-Erling Smørgrav { "usepam", sUnsupported, SSHCFG_GLOBAL }, 424975616f0SDag-Erling Smørgrav #endif 425333ee039SDag-Erling Smørgrav { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 426989dd127SDag-Erling Smørgrav /* Standard Options */ 427333ee039SDag-Erling Smørgrav { "port", sPort, SSHCFG_GLOBAL }, 428333ee039SDag-Erling Smørgrav { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 429333ee039SDag-Erling Smørgrav { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 430e4a9863fSDag-Erling Smørgrav { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, 431333ee039SDag-Erling Smørgrav { "pidfile", sPidFile, SSHCFG_GLOBAL }, 432333ee039SDag-Erling Smørgrav { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 433333ee039SDag-Erling Smørgrav { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 434333ee039SDag-Erling Smørgrav { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 435d4af9e69SDag-Erling Smørgrav { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 436333ee039SDag-Erling Smørgrav { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 437333ee039SDag-Erling Smørgrav { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 438333ee039SDag-Erling Smørgrav { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 439d4af9e69SDag-Erling Smørgrav { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 440d4af9e69SDag-Erling Smørgrav { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 441e2f6069cSDag-Erling Smørgrav { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, 
SSHCFG_ALL }, 442*bc5531deSDag-Erling Smørgrav { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, 443d4af9e69SDag-Erling Smørgrav { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 444d4af9e69SDag-Erling Smørgrav { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 445*bc5531deSDag-Erling Smørgrav { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, 446333ee039SDag-Erling Smørgrav { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 447cf2b5f3bSDag-Erling Smørgrav #ifdef KRB5 448d4af9e69SDag-Erling Smørgrav { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 449333ee039SDag-Erling Smørgrav { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 450333ee039SDag-Erling Smørgrav { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 4511ec0d754SDag-Erling Smørgrav #ifdef USE_AFS 452333ee039SDag-Erling Smørgrav { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 4531ec0d754SDag-Erling Smørgrav #else 454333ee039SDag-Erling Smørgrav { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 4551ec0d754SDag-Erling Smørgrav #endif 456cf2b5f3bSDag-Erling Smørgrav #else 457d4af9e69SDag-Erling Smørgrav { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 458333ee039SDag-Erling Smørgrav { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 459333ee039SDag-Erling Smørgrav { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 460333ee039SDag-Erling Smørgrav { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 461cb96ab36SAssar Westerlund #endif 462333ee039SDag-Erling Smørgrav { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 463333ee039SDag-Erling Smørgrav { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 464cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 465d4af9e69SDag-Erling Smørgrav { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 466333ee039SDag-Erling Smørgrav { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 
467cf2b5f3bSDag-Erling Smørgrav #else 468d4af9e69SDag-Erling Smørgrav { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 469333ee039SDag-Erling Smørgrav { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 470511b41d2SMark Murray #endif 471d4af9e69SDag-Erling Smørgrav { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 472d4af9e69SDag-Erling Smørgrav { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 473333ee039SDag-Erling Smørgrav { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 474333ee039SDag-Erling Smørgrav { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 475333ee039SDag-Erling Smørgrav { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 476333ee039SDag-Erling Smørgrav { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 477333ee039SDag-Erling Smørgrav { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 478333ee039SDag-Erling Smørgrav { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 479333ee039SDag-Erling Smørgrav { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 480333ee039SDag-Erling Smørgrav { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 481333ee039SDag-Erling Smørgrav { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 482333ee039SDag-Erling Smørgrav { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 483333ee039SDag-Erling Smørgrav { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 484333ee039SDag-Erling Smørgrav { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 485333ee039SDag-Erling Smørgrav { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 486333ee039SDag-Erling Smørgrav { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 487cce7d346SDag-Erling Smørgrav { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 488333ee039SDag-Erling Smørgrav { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 489333ee039SDag-Erling Smørgrav { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 490333ee039SDag-Erling Smørgrav { 
"compression", sCompression, SSHCFG_GLOBAL }, 491e4a9863fSDag-Erling Smørgrav { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 492333ee039SDag-Erling Smørgrav { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 493333ee039SDag-Erling Smørgrav { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 494333ee039SDag-Erling Smørgrav { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 495d4af9e69SDag-Erling Smørgrav { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 496462c32cbSDag-Erling Smørgrav { "allowusers", sAllowUsers, SSHCFG_ALL }, 497462c32cbSDag-Erling Smørgrav { "denyusers", sDenyUsers, SSHCFG_ALL }, 498462c32cbSDag-Erling Smørgrav { "allowgroups", sAllowGroups, SSHCFG_ALL }, 499462c32cbSDag-Erling Smørgrav { "denygroups", sDenyGroups, SSHCFG_ALL }, 500333ee039SDag-Erling Smørgrav { "ciphers", sCiphers, SSHCFG_GLOBAL }, 501333ee039SDag-Erling Smørgrav { "macs", sMacs, SSHCFG_GLOBAL }, 502333ee039SDag-Erling Smørgrav { "protocol", sProtocol, SSHCFG_GLOBAL }, 503333ee039SDag-Erling Smørgrav { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 504333ee039SDag-Erling Smørgrav { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 505333ee039SDag-Erling Smørgrav { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 506d4af9e69SDag-Erling Smørgrav { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 507d4af9e69SDag-Erling Smørgrav { "maxsessions", sMaxSessions, SSHCFG_ALL }, 508d4af9e69SDag-Erling Smørgrav { "banner", sBanner, SSHCFG_ALL }, 509333ee039SDag-Erling Smørgrav { "usedns", sUseDNS, SSHCFG_GLOBAL }, 510333ee039SDag-Erling Smørgrav { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 511333ee039SDag-Erling Smørgrav { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 512333ee039SDag-Erling Smørgrav { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 513333ee039SDag-Erling Smørgrav { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 514e2f6069cSDag-Erling Smørgrav { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 
515e146993eSDag-Erling Smørgrav { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 516333ee039SDag-Erling Smørgrav { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 517462c32cbSDag-Erling Smørgrav { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 518e2f6069cSDag-Erling Smørgrav { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 519f7167e0eSDag-Erling Smørgrav { "permittty", sPermitTTY, SSHCFG_ALL }, 520a0ee8cc6SDag-Erling Smørgrav { "permituserrc", sPermitUserRC, SSHCFG_ALL }, 521333ee039SDag-Erling Smørgrav { "match", sMatch, SSHCFG_ALL }, 522333ee039SDag-Erling Smørgrav { "permitopen", sPermitOpen, SSHCFG_ALL }, 523333ee039SDag-Erling Smørgrav { "forcecommand", sForceCommand, SSHCFG_ALL }, 524d4af9e69SDag-Erling Smørgrav { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 525b15c8340SDag-Erling Smørgrav { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 526b15c8340SDag-Erling Smørgrav { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 527b15c8340SDag-Erling Smørgrav { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 528e2f6069cSDag-Erling Smørgrav { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 5294a421b63SDag-Erling Smørgrav { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 5304a421b63SDag-Erling Smørgrav { "ipqos", sIPQoS, SSHCFG_ALL }, 5316888a9beSDag-Erling Smørgrav { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 5326888a9beSDag-Erling Smørgrav { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 533462c32cbSDag-Erling Smørgrav { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 5346888a9beSDag-Erling Smørgrav { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 535a0ee8cc6SDag-Erling Smørgrav { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, 536a0ee8cc6SDag-Erling Smørgrav { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 537a0ee8cc6SDag-Erling Smørgrav { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 
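/* Tail of the keywords[] table; its earlier entries precede this point. */
	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
	{ NULL, sBadOption, 0 }
};

/* Value/text pairs for the tunnel modes; the list ends at { -1, NULL }. */
static struct {
	int val;
	char *text;
} tunmode_desc[] = {
	{ SSH_TUNMODE_NO, "no" },
	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
	{ SSH_TUNMODE_ETHERNET, "ethernet" },
	{ SSH_TUNMODE_YES, "yes" },
	{ -1, NULL }
};

/*
 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * The keyword is compared case-insensitively against keywords[]. On a hit
 * the entry's flags are stored through *flags; on a miss an error naming
 * filename and linenum is logged and *flags is left untouched.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum, u_int *flags)
{
	u_int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0) {
			*flags = keywords[i].flags;
			return keywords[i].opcode;
		}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}

/*
 * Turns a configured path into an absolute one.
 *
 * "none" (any case) is passed through as a fresh copy of "none". Anything
 * else is tilde-expanded for the current uid; a result that does not start
 * with '/' is prefixed with the current working directory, so a relative
 * path is bound to whatever directory the process is in when the option is
 * parsed. Failure of getcwd() is fatal.
 *
 * The returned string is heap-allocated (presumably owned by the caller).
 */
char *
derelativise_path(const char *path)
{
	char *expanded, *ret, cwd[PATH_MAX];

	if (strcasecmp(path, "none") == 0)
		return xstrdup("none");
	expanded = tilde_expand_filename(path, getuid());
	if (*expanded == '/')
		return expanded;
	if (getcwd(cwd, sizeof(cwd)) == NULL)
		fatal("%s: getcwd: %s", __func__, strerror(errno));
	xasprintf(&ret, "%s/%s", cwd, expanded);
	free(expanded);
	return ret;
}

/*
 * Adds addr to the listen list for one port, or for every configured port
 * when port is 0.
 *
 * Side effects on options: if no port has been configured yet the default
 * SSH port is recorded, and an unset (-1) address family becomes AF_UNSPEC.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, int port)
{
	u_int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;
	if (port == 0)
		for (i = 0; i < options->num_ports; i++)
			add_one_listen_addr(options, addr, options->ports[i]);
	else
		add_one_listen_addr(options, addr, port);
}

/*
 * Resolves addr/port with getaddrinfo() and puts the results at the head
 * of options->listen_addrs. A NULL addr requests passive (wildcard)
 * addresses. Resolution failure is fatal.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, int port)
{
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	snprintf(strport, sizeof strport, "%d", port);
	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    ssh_gai_strerror(gaierr));
	/*
	 * Walk to the last new entry so the existing list can be hung off
	 * it. Relies on a successful getaddrinfo() returning a non-empty
	 * list.
	 */
	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
		;
	ai->ai_next = options->listen_addrs;
	options->listen_addrs = aitop;
}

/*
 * Returns a pointer to a single static connection_info record.
 *
 * With populate == 0 the record is returned as it currently stands. With
 * populate != 0 the host, address, laddress and lport fields are refreshed
 * first; the user field is not assigned here.
 *
 * NOTE(review): host comes from get_canonical_hostname(use_dns); when
 * use_dns is set this is presumably a name obtained through DNS, so Match
 * Host decisions are only as trustworthy as that lookup. Address criteria
 * do not depend on it. Confirm against canohost.c.
 */
struct connection_info *
get_connection_info(int populate, int use_dns)
{
	static struct connection_info ci;

	if (!populate)
		return &ci;
	ci.host = get_canonical_hostname(use_dns);
	ci.address = get_remote_ipaddr();
	ci.laddress = get_local_ipaddr(packet_get_connection_in());
	ci.lport = get_local_port();
	return &ci;
}

/*
 * The strategy for the Match blocks is that the config file is parsed twice.
 *
 * The first time is at startup.  activep is initialized to 1 and the
 * directives in the global context are processed and acted on.  Hitting a
 * Match directive unsets activep and the directives inside the block are
 * checked for syntax only.
 *
 * The second time is after a connection has been established but before
 * authentication.  activep is initialized to 2 and global config directives
 * are ignored since they have already been processed.  If the criteria in a
 * Match block is met, activep is set and the subsequent directives
 * processed and actioned until EOF or another Match block unsets it.  Any
 * options set are copied into the main server config.
 *
 * Potential additions/improvements:
 *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
 *
 *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
 *	Match Address 192.168.0.*
 *		Tag trusted
 *	Match Group wheel
 *		Tag trusted
 *	Match Tag trusted
 *		AllowTcpForwarding yes
 *		GatewayPorts clientspecified
 *		[...]
 *
 *  - Add a PermittedChannelRequests directive
 *	Match Group shell
 *		PermittedChannelRequests session,forwarded-tcpip
 */

/*
 * Tests whether user belongs to a group matching the pattern list grps.
 *
 * Returns 1 on a match and 0 otherwise (NULL user, unknown user, user in
 * no group, or no pattern matched). The group-access state is released
 * with ga_free() on every path, including the ones where ga_init() was
 * never reached.
 */
static int
match_cfg_line_group(const char *grps, int line, const char *user)
{
	int result = 0;
	struct passwd *pw;

	if (user == NULL)
		goto out;

	if ((pw = getpwnam(user)) == NULL) {
		debug("Can't match group at line %d because user %.100s does "
		    "not exist", line, user);
	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
		debug("Can't Match group because user %.100s not in any group "
		    "at line %d", user, line);
	} else if (ga_match_pattern_list(grps) != 1) {
		debug("user %.100s does not match group list %.100s at line %d",
		    user, grps, line);
	} else {
		debug("user %.100s matched group list %.100s at line %d", user,
		    grps, line);
		result = 1;
	}
out:
	ga_free();
	return result;
}

/*
 * All of the attributes on a single Match line are ANDed together, so we need
 * to check every attribute and set the result to zero if any attribute does
 * not match.
 *
 * Returns 1 if the line matches, 0 if it does not, and -1 on a syntax
 * error (missing criteria, unsupported attribute, invalid LocalPort, bad
 * address list, "all" combined with anything else, or no attribute at
 * all). On the non-error paths *condition is advanced past the consumed
 * text.
 *
 * With ci == NULL only the syntax is checked: every attribute other than
 * "all" then evaluates as "no match". The same holds for an attribute
 * whose corresponding ci field is unset, so a missing value can never make
 * a Match block apply.
 */
static int
match_cfg_line(char **condition, int line, struct connection_info *ci)
{
	int result = 1, attributes = 0, port;
	char *arg, *attrib, *cp = *condition;
	size_t len;

	if (ci == NULL)
		debug3("checking syntax for 'Match %s'", cp);
	else
		debug3("checking match for '%s' user %s host %s addr %s "
		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
		    ci->host ? ci->host : "(null)",
		    ci->address ? ci->address : "(null)",
		    ci->laddress ? ci->laddress : "(null)", ci->lport);

	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
		attributes++;
		if (strcasecmp(attrib, "all") == 0) {
			/* "all" must be the only word on the Match line. */
			if (attributes != 1 ||
			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
				error("'all' cannot be combined with other "
				    "Match attributes");
				return -1;
			}
			*condition = cp;
			return 1;
		}
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			return -1;
		}
		len = strlen(arg);
		if (strcasecmp(attrib, "user") == 0) {
			if (ci == NULL || ci->user == NULL) {
				result = 0;
				continue;
			}
			if (match_pattern_list(ci->user, arg, len, 0) != 1)
				result = 0;
			else
				debug("user %.100s matched 'User %.100s' at "
				    "line %d", ci->user, arg, line);
		} else if (strcasecmp(attrib, "group") == 0) {
			if (ci == NULL || ci->user == NULL) {
				result = 0;
				continue;
			}
			switch (match_cfg_line_group(arg, line, ci->user)) {
			case -1:
				return -1;
			case 0:
				result = 0;
			}
		} else if (strcasecmp(attrib, "host") == 0) {
			if (ci == NULL || ci->host == NULL) {
				result = 0;
				continue;
			}
			if (match_hostname(ci->host, arg, len) != 1)
				result = 0;
			else
				debug("connection from %.100s matched 'Host "
				    "%.100s' at line %d", ci->host, arg, line);
		} else if (strcasecmp(attrib, "address") == 0) {
			if (ci == NULL || ci->address == NULL) {
				result = 0;
				continue;
			}
			switch (addr_match_list(ci->address, arg)) {
			case 1:
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", ci->address, arg, line);
				break;
			case 0:
			case -1:
				result = 0;
				break;
			case -2:
				/* treated as a configuration error */
				return -1;
			}
		} else if (strcasecmp(attrib, "localaddress") == 0){
			if (ci == NULL || ci->laddress == NULL) {
				result = 0;
				continue;
			}
			switch (addr_match_list(ci->laddress, arg)) {
			case 1:
				debug("connection from %.100s matched "
				    "'LocalAddress %.100s' at line %d",
				    ci->laddress, arg, line);
				break;
			case 0:
			case -1:
				result = 0;
				break;
			case -2:
				/* treated as a configuration error */
				return -1;
			}
		} else if (strcasecmp(attrib, "localport") == 0) {
			/* The port is validated even on the syntax-only pass. */
			if ((port = a2port(arg)) == -1) {
				error("Invalid LocalPort '%s' on Match line",
				    arg);
				return -1;
			}
			if (ci == NULL || ci->lport == 0) {
				result = 0;
				continue;
			}
			/* TODO support port lists */
			if (port == ci->lport)
				/*
				 * laddress is not checked on this branch, so
				 * guard it the same way the debug3() at the
				 * top of the function does rather than hand a
				 * NULL pointer to a %s conversion.
				 */
				debug("connection from %.100s matched "
				    "'LocalPort %d' at line %d",
				    ci->laddress ? ci->laddress : "(null)",
				    port, line);
			else
				result = 0;
		} else {
			error("Unsupported Match attribute %s", attrib);
			return -1;
		}
	}
	if (attributes == 0) {
		error("One or more attributes required for Match");
		return -1;
	}
	if (ci != NULL)
		debug3("match %sfound", result ? "" : "not ");
	*condition = cp;
	return result;
}

#define WHITESPACE	" \t\r\n"

/*
 * Multistate option parsing: each table maps the accepted keyword strings
 * of one option to its integer setting and ends with { NULL, -1 }.
 */
struct multistate {
	char *key;
	int value;
};
static const struct multistate multistate_addressfamily[] = {
	{ "inet",			AF_INET },
	{ "inet6",			AF_INET6 },
	{ "any",			AF_UNSPEC },
	{ NULL, -1 }
};
static const struct multistate multistate_permitrootlogin[] = {
	{ "without-password",		PERMIT_NO_PASSWD },
	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
	{ "yes",			PERMIT_YES },
	{ "no",				PERMIT_NO },
	{ NULL, -1 }
};
static const struct multistate multistate_compression[] = {
	{ "delayed",			COMP_DELAYED },
	{ "yes",			COMP_ZLIB },
	{ "no",				COMP_NONE },
	{ NULL, -1 }
};
static const struct multistate multistate_gatewayports[] = {
	{ "clientspecified",		2 },
	{ "yes",			1 },
	{ "no",				0 },
	{ NULL, -1 }
};
/* The declaration that starts here continues past this point. */
static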
const struct multistate multistate_privsep[] = { 873462c32cbSDag-Erling Smørgrav { "yes", PRIVSEP_NOSANDBOX }, 874462c32cbSDag-Erling Smørgrav { "sandbox", PRIVSEP_ON }, 875462c32cbSDag-Erling Smørgrav { "nosandbox", PRIVSEP_NOSANDBOX }, 876e146993eSDag-Erling Smørgrav { "no", PRIVSEP_OFF }, 877e146993eSDag-Erling Smørgrav { NULL, -1 } 878e146993eSDag-Erling Smørgrav }; 8796888a9beSDag-Erling Smørgrav static const struct multistate multistate_tcpfwd[] = { 8806888a9beSDag-Erling Smørgrav { "yes", FORWARD_ALLOW }, 8816888a9beSDag-Erling Smørgrav { "all", FORWARD_ALLOW }, 8826888a9beSDag-Erling Smørgrav { "no", FORWARD_DENY }, 8836888a9beSDag-Erling Smørgrav { "remote", FORWARD_REMOTE }, 8846888a9beSDag-Erling Smørgrav { "local", FORWARD_LOCAL }, 8856888a9beSDag-Erling Smørgrav { NULL, -1 } 8866888a9beSDag-Erling Smørgrav }; 887e146993eSDag-Erling Smørgrav 888af12a3e7SDag-Erling Smørgrav int 889af12a3e7SDag-Erling Smørgrav process_server_config_line(ServerOptions *options, char *line, 890462c32cbSDag-Erling Smørgrav const char *filename, int linenum, int *activep, 891462c32cbSDag-Erling Smørgrav struct connection_info *connectinfo) 892511b41d2SMark Murray { 893ca3176e7SBrian Feldman char *cp, **charptr, *arg, *p; 894e4a9863fSDag-Erling Smørgrav int cmdline = 0, *intptr, value, value2, n, port; 895d4af9e69SDag-Erling Smørgrav SyslogFacility *log_facility_ptr; 896d4af9e69SDag-Erling Smørgrav LogLevel *log_level_ptr; 897511b41d2SMark Murray ServerOpCodes opcode; 898333ee039SDag-Erling Smørgrav u_int i, flags = 0; 899333ee039SDag-Erling Smørgrav size_t len; 900e4a9863fSDag-Erling Smørgrav long long val64; 901e146993eSDag-Erling Smørgrav const struct multistate *multistate_ptr; 902511b41d2SMark Murray 903c2d3a559SKris Kennaway cp = line; 904333ee039SDag-Erling Smørgrav if ((arg = strdelim(&cp)) == NULL) 905333ee039SDag-Erling Smørgrav return 0; 906c2d3a559SKris Kennaway /* Ignore leading whitespace */ 907c2d3a559SKris Kennaway if (*arg == '\0') 908c2d3a559SKris Kennaway 
arg = strdelim(&cp); 909ca3176e7SBrian Feldman if (!arg || !*arg || *arg == '#') 910af12a3e7SDag-Erling Smørgrav return 0; 911ca3176e7SBrian Feldman intptr = NULL; 912ca3176e7SBrian Feldman charptr = NULL; 913333ee039SDag-Erling Smørgrav opcode = parse_token(arg, filename, linenum, &flags); 914333ee039SDag-Erling Smørgrav 915333ee039SDag-Erling Smørgrav if (activep == NULL) { /* We are processing a command line directive */ 916333ee039SDag-Erling Smørgrav cmdline = 1; 917333ee039SDag-Erling Smørgrav activep = &cmdline; 918333ee039SDag-Erling Smørgrav } 919333ee039SDag-Erling Smørgrav if (*activep && opcode != sMatch) 920333ee039SDag-Erling Smørgrav debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 921333ee039SDag-Erling Smørgrav if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 922462c32cbSDag-Erling Smørgrav if (connectinfo == NULL) { 923333ee039SDag-Erling Smørgrav fatal("%s line %d: Directive '%s' is not allowed " 924333ee039SDag-Erling Smørgrav "within a Match block", filename, linenum, arg); 925333ee039SDag-Erling Smørgrav } else { /* this is a directive we have already processed */ 926333ee039SDag-Erling Smørgrav while (arg) 927333ee039SDag-Erling Smørgrav arg = strdelim(&cp); 928333ee039SDag-Erling Smørgrav return 0; 929333ee039SDag-Erling Smørgrav } 930333ee039SDag-Erling Smørgrav } 931333ee039SDag-Erling Smørgrav 932511b41d2SMark Murray switch (opcode) { 933989dd127SDag-Erling Smørgrav /* Portable-specific options */ 934cf2b5f3bSDag-Erling Smørgrav case sUsePAM: 935cf2b5f3bSDag-Erling Smørgrav intptr = &options->use_pam; 936989dd127SDag-Erling Smørgrav goto parse_flag; 937989dd127SDag-Erling Smørgrav 938989dd127SDag-Erling Smørgrav /* Standard Options */ 939511b41d2SMark Murray case sBadOption: 940af12a3e7SDag-Erling Smørgrav return -1; 941511b41d2SMark Murray case sPort: 942511b41d2SMark Murray /* ignore ports from configfile if cmdline specifies ports */ 943511b41d2SMark Murray if (options->ports_from_cmdline) 944af12a3e7SDag-Erling Smørgrav 
return 0; 945511b41d2SMark Murray if (options->listen_addrs != NULL) 946511b41d2SMark Murray fatal("%s line %d: ports must be specified before " 947af12a3e7SDag-Erling Smørgrav "ListenAddress.", filename, linenum); 948511b41d2SMark Murray if (options->num_ports >= MAX_PORTS) 949ca3176e7SBrian Feldman fatal("%s line %d: too many ports.", 950511b41d2SMark Murray filename, linenum); 951c2d3a559SKris Kennaway arg = strdelim(&cp); 952c2d3a559SKris Kennaway if (!arg || *arg == '\0') 953ca3176e7SBrian Feldman fatal("%s line %d: missing port number.", 954511b41d2SMark Murray filename, linenum); 955ca3176e7SBrian Feldman options->ports[options->num_ports++] = a2port(arg); 956cce7d346SDag-Erling Smørgrav if (options->ports[options->num_ports-1] <= 0) 957ca3176e7SBrian Feldman fatal("%s line %d: Badly formatted port number.", 958ca3176e7SBrian Feldman filename, linenum); 959511b41d2SMark Murray break; 960511b41d2SMark Murray 961511b41d2SMark Murray case sServerKeyBits: 962511b41d2SMark Murray intptr = &options->server_key_bits; 963511b41d2SMark Murray parse_int: 964c2d3a559SKris Kennaway arg = strdelim(&cp); 965ca3176e7SBrian Feldman if (!arg || *arg == '\0') 966ca3176e7SBrian Feldman fatal("%s line %d: missing integer value.", 967511b41d2SMark Murray filename, linenum); 968c2d3a559SKris Kennaway value = atoi(arg); 969333ee039SDag-Erling Smørgrav if (*activep && *intptr == -1) 970511b41d2SMark Murray *intptr = value; 971511b41d2SMark Murray break; 972511b41d2SMark Murray 973511b41d2SMark Murray case sLoginGraceTime: 974511b41d2SMark Murray intptr = &options->login_grace_time; 975af12a3e7SDag-Erling Smørgrav parse_time: 976af12a3e7SDag-Erling Smørgrav arg = strdelim(&cp); 977af12a3e7SDag-Erling Smørgrav if (!arg || *arg == '\0') 978af12a3e7SDag-Erling Smørgrav fatal("%s line %d: missing time value.", 979af12a3e7SDag-Erling Smørgrav filename, linenum); 980af12a3e7SDag-Erling Smørgrav if ((value = convtime(arg)) == -1) 981af12a3e7SDag-Erling Smørgrav fatal("%s line %d: invalid 
time value.", 982af12a3e7SDag-Erling Smørgrav filename, linenum); 983af12a3e7SDag-Erling Smørgrav if (*intptr == -1) 984af12a3e7SDag-Erling Smørgrav *intptr = value; 985af12a3e7SDag-Erling Smørgrav break; 986511b41d2SMark Murray 987511b41d2SMark Murray case sKeyRegenerationTime: 988511b41d2SMark Murray intptr = &options->key_regeneration_time; 989af12a3e7SDag-Erling Smørgrav goto parse_time; 990511b41d2SMark Murray 991511b41d2SMark Murray case sListenAddress: 992c2d3a559SKris Kennaway arg = strdelim(&cp); 993aa49c926SDag-Erling Smørgrav if (arg == NULL || *arg == '\0') 994aa49c926SDag-Erling Smørgrav fatal("%s line %d: missing address", 995511b41d2SMark Murray filename, linenum); 996d4ecd108SDag-Erling Smørgrav /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 997d4ecd108SDag-Erling Smørgrav if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 998d4ecd108SDag-Erling Smørgrav && strchr(p+1, ':') != NULL) { 999d4ecd108SDag-Erling Smørgrav add_listen_addr(options, arg, 0); 1000d4ecd108SDag-Erling Smørgrav break; 1001d4ecd108SDag-Erling Smørgrav } 1002aa49c926SDag-Erling Smørgrav p = hpdelim(&arg); 1003aa49c926SDag-Erling Smørgrav if (p == NULL) 1004aa49c926SDag-Erling Smørgrav fatal("%s line %d: bad address:port usage", 1005ca3176e7SBrian Feldman filename, linenum); 1006aa49c926SDag-Erling Smørgrav p = cleanhostname(p); 1007aa49c926SDag-Erling Smørgrav if (arg == NULL) 1008aa49c926SDag-Erling Smørgrav port = 0; 1009cce7d346SDag-Erling Smørgrav else if ((port = a2port(arg)) <= 0) 1010aa49c926SDag-Erling Smørgrav fatal("%s line %d: bad port number", filename, linenum); 1011ca3176e7SBrian Feldman 1012aa49c926SDag-Erling Smørgrav add_listen_addr(options, p, port); 1013aa49c926SDag-Erling Smørgrav 1014aa49c926SDag-Erling Smørgrav break; 1015aa49c926SDag-Erling Smørgrav 1016aa49c926SDag-Erling Smørgrav case sAddressFamily: 1017e146993eSDag-Erling Smørgrav intptr = &options->address_family; 1018e146993eSDag-Erling Smørgrav multistate_ptr = 
multistate_addressfamily; 1019e146993eSDag-Erling Smørgrav if (options->listen_addrs != NULL) 1020e146993eSDag-Erling Smørgrav fatal("%s line %d: address family must be specified " 1021e146993eSDag-Erling Smørgrav "before ListenAddress.", filename, linenum); 1022e146993eSDag-Erling Smørgrav parse_multistate: 1023aa49c926SDag-Erling Smørgrav arg = strdelim(&cp); 1024d4ecd108SDag-Erling Smørgrav if (!arg || *arg == '\0') 1025e146993eSDag-Erling Smørgrav fatal("%s line %d: missing argument.", 1026d4ecd108SDag-Erling Smørgrav filename, linenum); 1027e146993eSDag-Erling Smørgrav value = -1; 1028e146993eSDag-Erling Smørgrav for (i = 0; multistate_ptr[i].key != NULL; i++) { 1029e146993eSDag-Erling Smørgrav if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 1030e146993eSDag-Erling Smørgrav value = multistate_ptr[i].value; 1031e146993eSDag-Erling Smørgrav break; 1032e146993eSDag-Erling Smørgrav } 1033e146993eSDag-Erling Smørgrav } 1034e146993eSDag-Erling Smørgrav if (value == -1) 1035e146993eSDag-Erling Smørgrav fatal("%s line %d: unsupported option \"%s\".", 1036aa49c926SDag-Erling Smørgrav filename, linenum, arg); 1037e146993eSDag-Erling Smørgrav if (*activep && *intptr == -1) 1038aa49c926SDag-Erling Smørgrav *intptr = value; 1039511b41d2SMark Murray break; 1040511b41d2SMark Murray 1041511b41d2SMark Murray case sHostKeyFile: 1042ca3176e7SBrian Feldman intptr = &options->num_host_key_files; 1043ca3176e7SBrian Feldman if (*intptr >= MAX_HOSTKEYS) 1044ca3176e7SBrian Feldman fatal("%s line %d: too many host keys specified (max %d).", 1045ca3176e7SBrian Feldman filename, linenum, MAX_HOSTKEYS); 1046ca3176e7SBrian Feldman charptr = &options->host_key_files[*intptr]; 1047c2d3a559SKris Kennaway parse_filename: 1048c2d3a559SKris Kennaway arg = strdelim(&cp); 1049ca3176e7SBrian Feldman if (!arg || *arg == '\0') 1050ca3176e7SBrian Feldman fatal("%s line %d: missing file name.", 1051e8aafc91SKris Kennaway filename, linenum); 1052333ee039SDag-Erling Smørgrav if (*activep && *charptr 
== NULL) { 1053b15c8340SDag-Erling Smørgrav *charptr = derelativise_path(arg); 1054ca3176e7SBrian Feldman /* increase optional counter */ 1055ca3176e7SBrian Feldman if (intptr != NULL) 1056ca3176e7SBrian Feldman *intptr = *intptr + 1; 1057ca3176e7SBrian Feldman } 1058e8aafc91SKris Kennaway break; 1059e8aafc91SKris Kennaway 1060e4a9863fSDag-Erling Smørgrav case sHostKeyAgent: 1061e4a9863fSDag-Erling Smørgrav charptr = &options->host_key_agent; 1062e4a9863fSDag-Erling Smørgrav arg = strdelim(&cp); 1063e4a9863fSDag-Erling Smørgrav if (!arg || *arg == '\0') 1064e4a9863fSDag-Erling Smørgrav fatal("%s line %d: missing socket name.", 1065e4a9863fSDag-Erling Smørgrav filename, linenum); 1066e4a9863fSDag-Erling Smørgrav if (*activep && *charptr == NULL) 1067e4a9863fSDag-Erling Smørgrav *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? 1068e4a9863fSDag-Erling Smørgrav xstrdup(arg) : derelativise_path(arg); 1069e4a9863fSDag-Erling Smørgrav break; 1070e4a9863fSDag-Erling Smørgrav 1071b15c8340SDag-Erling Smørgrav case sHostCertificate: 1072b15c8340SDag-Erling Smørgrav intptr = &options->num_host_cert_files; 1073b15c8340SDag-Erling Smørgrav if (*intptr >= MAX_HOSTKEYS) 1074b15c8340SDag-Erling Smørgrav fatal("%s line %d: too many host certificates " 1075b15c8340SDag-Erling Smørgrav "specified (max %d).", filename, linenum, 1076b15c8340SDag-Erling Smørgrav MAX_HOSTCERTS); 1077b15c8340SDag-Erling Smørgrav charptr = &options->host_cert_files[*intptr]; 1078b15c8340SDag-Erling Smørgrav goto parse_filename; 1079b15c8340SDag-Erling Smørgrav break; 1080b15c8340SDag-Erling Smørgrav 1081e8aafc91SKris Kennaway case sPidFile: 1082e8aafc91SKris Kennaway charptr = &options->pid_file; 1083c2d3a559SKris Kennaway goto parse_filename; 1084511b41d2SMark Murray 1085511b41d2SMark Murray case sPermitRootLogin: 1086511b41d2SMark Murray intptr = &options->permit_root_login; 1087e146993eSDag-Erling Smørgrav multistate_ptr = multistate_permitrootlogin; 1088e146993eSDag-Erling Smørgrav goto 
parse_multistate; 1089511b41d2SMark Murray 1090511b41d2SMark Murray case sIgnoreRhosts: 1091511b41d2SMark Murray intptr = &options->ignore_rhosts; 1092511b41d2SMark Murray parse_flag: 1093c2d3a559SKris Kennaway arg = strdelim(&cp); 1094ca3176e7SBrian Feldman if (!arg || *arg == '\0') 1095ca3176e7SBrian Feldman fatal("%s line %d: missing yes/no argument.", 1096511b41d2SMark Murray filename, linenum); 1097ca3176e7SBrian Feldman value = 0; /* silence compiler */ 1098c2d3a559SKris Kennaway if (strcmp(arg, "yes") == 0) 1099511b41d2SMark Murray value = 1; 1100c2d3a559SKris Kennaway else if (strcmp(arg, "no") == 0) 1101511b41d2SMark Murray value = 0; 1102ca3176e7SBrian Feldman else 1103ca3176e7SBrian Feldman fatal("%s line %d: Bad yes/no argument: %s", 1104c2d3a559SKris Kennaway filename, linenum, arg); 1105333ee039SDag-Erling Smørgrav if (*activep && *intptr == -1) 1106511b41d2SMark Murray *intptr = value; 1107511b41d2SMark Murray break; 1108511b41d2SMark Murray 1109511b41d2SMark Murray case sIgnoreUserKnownHosts: 1110511b41d2SMark Murray intptr = &options->ignore_user_known_hosts; 1111962a3f4eSSheldon Hearn goto parse_flag; 1112511b41d2SMark Murray 1113511b41d2SMark Murray case sRhostsRSAAuthentication: 1114511b41d2SMark Murray intptr = &options->rhosts_rsa_authentication; 1115511b41d2SMark Murray goto parse_flag; 1116511b41d2SMark Murray 1117ca3176e7SBrian Feldman case sHostbasedAuthentication: 1118ca3176e7SBrian Feldman intptr = &options->hostbased_authentication; 1119ca3176e7SBrian Feldman goto parse_flag; 1120ca3176e7SBrian Feldman 1121ca3176e7SBrian Feldman case sHostbasedUsesNameFromPacketOnly: 1122ca3176e7SBrian Feldman intptr = &options->hostbased_uses_name_from_packet_only; 1123ca3176e7SBrian Feldman goto parse_flag; 1124ca3176e7SBrian Feldman 1125*bc5531deSDag-Erling Smørgrav case sHostbasedAcceptedKeyTypes: 1126*bc5531deSDag-Erling Smørgrav charptr = &options->hostbased_key_types; 1127*bc5531deSDag-Erling Smørgrav parse_keytypes: 1128*bc5531deSDag-Erling 
Smørgrav arg = strdelim(&cp); 1129*bc5531deSDag-Erling Smørgrav if (!arg || *arg == '\0') 1130*bc5531deSDag-Erling Smørgrav fatal("%s line %d: Missing argument.", 1131*bc5531deSDag-Erling Smørgrav filename, linenum); 1132*bc5531deSDag-Erling Smørgrav if (!sshkey_names_valid2(arg, 1)) 1133*bc5531deSDag-Erling Smørgrav fatal("%s line %d: Bad key types '%s'.", 1134*bc5531deSDag-Erling Smørgrav filename, linenum, arg ? arg : "<NONE>"); 1135*bc5531deSDag-Erling Smørgrav if (*activep && *charptr == NULL) 1136*bc5531deSDag-Erling Smørgrav *charptr = xstrdup(arg); 1137*bc5531deSDag-Erling Smørgrav break; 1138*bc5531deSDag-Erling Smørgrav 1139511b41d2SMark Murray case sRSAAuthentication: 1140511b41d2SMark Murray intptr = &options->rsa_authentication; 1141511b41d2SMark Murray goto parse_flag; 1142511b41d2SMark Murray 1143ca3176e7SBrian Feldman case sPubkeyAuthentication: 1144ca3176e7SBrian Feldman intptr = &options->pubkey_authentication; 1145e8aafc91SKris Kennaway goto parse_flag; 1146cf2b5f3bSDag-Erling Smørgrav 1147*bc5531deSDag-Erling Smørgrav case sPubkeyAcceptedKeyTypes: 1148*bc5531deSDag-Erling Smørgrav charptr = &options->pubkey_key_types; 1149*bc5531deSDag-Erling Smørgrav goto parse_keytypes; 1150*bc5531deSDag-Erling Smørgrav 1151cb96ab36SAssar Westerlund case sKerberosAuthentication: 1152cb96ab36SAssar Westerlund intptr = &options->kerberos_authentication; 1153511b41d2SMark Murray goto parse_flag; 1154511b41d2SMark Murray 1155af12a3e7SDag-Erling Smørgrav case sKerberosOrLocalPasswd: 1156af12a3e7SDag-Erling Smørgrav intptr = &options->kerberos_or_local_passwd; 1157511b41d2SMark Murray goto parse_flag; 1158511b41d2SMark Murray 1159af12a3e7SDag-Erling Smørgrav case sKerberosTicketCleanup: 1160af12a3e7SDag-Erling Smørgrav intptr = &options->kerberos_ticket_cleanup; 1161511b41d2SMark Murray goto parse_flag; 1162cf2b5f3bSDag-Erling Smørgrav 11631ec0d754SDag-Erling Smørgrav case sKerberosGetAFSToken: 11641ec0d754SDag-Erling Smørgrav intptr = 
&options->kerberos_get_afs_token; 11651ec0d754SDag-Erling Smørgrav goto parse_flag; 11661ec0d754SDag-Erling Smørgrav 1167cf2b5f3bSDag-Erling Smørgrav case sGssAuthentication: 1168cf2b5f3bSDag-Erling Smørgrav intptr = &options->gss_authentication; 1169fe5fd017SMark Murray goto parse_flag; 1170cf2b5f3bSDag-Erling Smørgrav 1171cf2b5f3bSDag-Erling Smørgrav case sGssCleanupCreds: 1172cf2b5f3bSDag-Erling Smørgrav intptr = &options->gss_cleanup_creds; 1173511b41d2SMark Murray goto parse_flag; 1174511b41d2SMark Murray 1175511b41d2SMark Murray case sPasswordAuthentication: 1176511b41d2SMark Murray intptr = &options->password_authentication; 1177511b41d2SMark Murray goto parse_flag; 1178511b41d2SMark Murray 117909958426SBrian Feldman case sKbdInteractiveAuthentication: 118009958426SBrian Feldman intptr = &options->kbd_interactive_authentication; 118109958426SBrian Feldman goto parse_flag; 118209958426SBrian Feldman 1183ca3176e7SBrian Feldman case sChallengeResponseAuthentication: 1184af12a3e7SDag-Erling Smørgrav intptr = &options->challenge_response_authentication; 1185511b41d2SMark Murray goto parse_flag; 1186511b41d2SMark Murray 1187511b41d2SMark Murray case sPrintMotd: 1188511b41d2SMark Murray intptr = &options->print_motd; 1189511b41d2SMark Murray goto parse_flag; 1190511b41d2SMark Murray 1191ca3176e7SBrian Feldman case sPrintLastLog: 1192ca3176e7SBrian Feldman intptr = &options->print_lastlog; 1193ca3176e7SBrian Feldman goto parse_flag; 1194ca3176e7SBrian Feldman 1195511b41d2SMark Murray case sX11Forwarding: 1196511b41d2SMark Murray intptr = &options->x11_forwarding; 1197511b41d2SMark Murray goto parse_flag; 1198511b41d2SMark Murray 1199511b41d2SMark Murray case sX11DisplayOffset: 1200511b41d2SMark Murray intptr = &options->x11_display_offset; 1201511b41d2SMark Murray goto parse_int; 1202511b41d2SMark Murray 1203af12a3e7SDag-Erling Smørgrav case sX11UseLocalhost: 1204af12a3e7SDag-Erling Smørgrav intptr = &options->x11_use_localhost; 1205af12a3e7SDag-Erling Smørgrav goto 
parse_flag; 1206af12a3e7SDag-Erling Smørgrav 1207c2d3a559SKris Kennaway case sXAuthLocation: 1208c2d3a559SKris Kennaway charptr = &options->xauth_location; 1209c2d3a559SKris Kennaway goto parse_filename; 1210c2d3a559SKris Kennaway 1211f7167e0eSDag-Erling Smørgrav case sPermitTTY: 1212f7167e0eSDag-Erling Smørgrav intptr = &options->permit_tty; 1213f7167e0eSDag-Erling Smørgrav goto parse_flag; 1214f7167e0eSDag-Erling Smørgrav 1215a0ee8cc6SDag-Erling Smørgrav case sPermitUserRC: 1216a0ee8cc6SDag-Erling Smørgrav intptr = &options->permit_user_rc; 1217a0ee8cc6SDag-Erling Smørgrav goto parse_flag; 1218a0ee8cc6SDag-Erling Smørgrav 1219511b41d2SMark Murray case sStrictModes: 1220511b41d2SMark Murray intptr = &options->strict_modes; 1221511b41d2SMark Murray goto parse_flag; 1222511b41d2SMark Murray 12231ec0d754SDag-Erling Smørgrav case sTCPKeepAlive: 12241ec0d754SDag-Erling Smørgrav intptr = &options->tcp_keep_alive; 1225511b41d2SMark Murray goto parse_flag; 1226511b41d2SMark Murray 1227511b41d2SMark Murray case sEmptyPasswd: 1228511b41d2SMark Murray intptr = &options->permit_empty_passwd; 1229511b41d2SMark Murray goto parse_flag; 1230511b41d2SMark Murray 1231f388f5efSDag-Erling Smørgrav case sPermitUserEnvironment: 1232f388f5efSDag-Erling Smørgrav intptr = &options->permit_user_env; 1233f388f5efSDag-Erling Smørgrav goto parse_flag; 1234f388f5efSDag-Erling Smørgrav 1235511b41d2SMark Murray case sUseLogin: 1236511b41d2SMark Murray intptr = &options->use_login; 1237511b41d2SMark Murray goto parse_flag; 1238511b41d2SMark Murray 123980628bacSDag-Erling Smørgrav case sCompression: 124080628bacSDag-Erling Smørgrav intptr = &options->compression; 1241e146993eSDag-Erling Smørgrav multistate_ptr = multistate_compression; 1242e146993eSDag-Erling Smørgrav goto parse_multistate; 124380628bacSDag-Erling Smørgrav 1244e4a9863fSDag-Erling Smørgrav case sRekeyLimit: 1245e4a9863fSDag-Erling Smørgrav arg = strdelim(&cp); 1246e4a9863fSDag-Erling Smørgrav if (!arg || *arg == '\0') 
1247e4a9863fSDag-Erling Smørgrav fatal("%.200s line %d: Missing argument.", filename, 1248e4a9863fSDag-Erling Smørgrav linenum); 1249e4a9863fSDag-Erling Smørgrav if (strcmp(arg, "default") == 0) { 1250e4a9863fSDag-Erling Smørgrav val64 = 0; 1251e4a9863fSDag-Erling Smørgrav } else { 1252e4a9863fSDag-Erling Smørgrav if (scan_scaled(arg, &val64) == -1) 1253e4a9863fSDag-Erling Smørgrav fatal("%.200s line %d: Bad number '%s': %s", 1254e4a9863fSDag-Erling Smørgrav filename, linenum, arg, strerror(errno)); 1255e4a9863fSDag-Erling Smørgrav /* check for too-large or too-small limits */ 1256e4a9863fSDag-Erling Smørgrav if (val64 > UINT_MAX) 1257e4a9863fSDag-Erling Smørgrav fatal("%.200s line %d: RekeyLimit too large", 1258e4a9863fSDag-Erling Smørgrav filename, linenum); 1259e4a9863fSDag-Erling Smørgrav if (val64 != 0 && val64 < 16) 1260e4a9863fSDag-Erling Smørgrav fatal("%.200s line %d: RekeyLimit too small", 1261e4a9863fSDag-Erling Smørgrav filename, linenum); 1262e4a9863fSDag-Erling Smørgrav } 1263e4a9863fSDag-Erling Smørgrav if (*activep && options->rekey_limit == -1) 1264e4a9863fSDag-Erling Smørgrav options->rekey_limit = (u_int32_t)val64; 1265e4a9863fSDag-Erling Smørgrav if (cp != NULL) { /* optional rekey interval present */ 1266e4a9863fSDag-Erling Smørgrav if (strcmp(cp, "none") == 0) { 1267e4a9863fSDag-Erling Smørgrav (void)strdelim(&cp); /* discard */ 1268e4a9863fSDag-Erling Smørgrav break; 1269e4a9863fSDag-Erling Smørgrav } 1270e4a9863fSDag-Erling Smørgrav intptr = &options->rekey_interval; 1271e4a9863fSDag-Erling Smørgrav goto parse_time; 1272e4a9863fSDag-Erling Smørgrav } 1273e4a9863fSDag-Erling Smørgrav break; 1274e4a9863fSDag-Erling Smørgrav 1275e8aafc91SKris Kennaway case sGatewayPorts: 1276a0ee8cc6SDag-Erling Smørgrav intptr = &options->fwd_opts.gateway_ports; 1277e146993eSDag-Erling Smørgrav multistate_ptr = multistate_gatewayports; 1278e146993eSDag-Erling Smørgrav goto parse_multistate; 1279e8aafc91SKris Kennaway 1280cf2b5f3bSDag-Erling Smørgrav case 
sUseDNS: 1281cf2b5f3bSDag-Erling Smørgrav intptr = &options->use_dns; 1282ca3176e7SBrian Feldman goto parse_flag; 1283ca3176e7SBrian Feldman 1284511b41d2SMark Murray case sLogFacility: 1285d4af9e69SDag-Erling Smørgrav log_facility_ptr = &options->log_facility; 1286c2d3a559SKris Kennaway arg = strdelim(&cp); 1287c2d3a559SKris Kennaway value = log_facility_number(arg); 1288af12a3e7SDag-Erling Smørgrav if (value == SYSLOG_FACILITY_NOT_SET) 1289ca3176e7SBrian Feldman fatal("%.200s line %d: unsupported log facility '%s'", 1290c2d3a559SKris Kennaway filename, linenum, arg ? arg : "<NONE>"); 1291d4af9e69SDag-Erling Smørgrav if (*log_facility_ptr == -1) 1292d4af9e69SDag-Erling Smørgrav *log_facility_ptr = (SyslogFacility) value; 1293511b41d2SMark Murray break; 1294511b41d2SMark Murray 1295511b41d2SMark Murray case sLogLevel: 1296d4af9e69SDag-Erling Smørgrav log_level_ptr = &options->log_level; 1297c2d3a559SKris Kennaway arg = strdelim(&cp); 1298c2d3a559SKris Kennaway value = log_level_number(arg); 1299af12a3e7SDag-Erling Smørgrav if (value == SYSLOG_LEVEL_NOT_SET) 1300ca3176e7SBrian Feldman fatal("%.200s line %d: unsupported log level '%s'", 1301c2d3a559SKris Kennaway filename, linenum, arg ? 
arg : "<NONE>"); 1302d4af9e69SDag-Erling Smørgrav if (*log_level_ptr == -1) 1303d4af9e69SDag-Erling Smørgrav *log_level_ptr = (LogLevel) value; 1304511b41d2SMark Murray break; 1305511b41d2SMark Murray 130609958426SBrian Feldman case sAllowTcpForwarding: 130709958426SBrian Feldman intptr = &options->allow_tcp_forwarding; 13086888a9beSDag-Erling Smørgrav multistate_ptr = multistate_tcpfwd; 13096888a9beSDag-Erling Smørgrav goto parse_multistate; 131009958426SBrian Feldman 1311a0ee8cc6SDag-Erling Smørgrav case sAllowStreamLocalForwarding: 1312a0ee8cc6SDag-Erling Smørgrav intptr = &options->allow_streamlocal_forwarding; 1313a0ee8cc6SDag-Erling Smørgrav multistate_ptr = multistate_tcpfwd; 1314a0ee8cc6SDag-Erling Smørgrav goto parse_multistate; 1315a0ee8cc6SDag-Erling Smørgrav 1316d4af9e69SDag-Erling Smørgrav case sAllowAgentForwarding: 1317d4af9e69SDag-Erling Smørgrav intptr = &options->allow_agent_forwarding; 1318d4af9e69SDag-Erling Smørgrav goto parse_flag; 1319d4af9e69SDag-Erling Smørgrav 132080628bacSDag-Erling Smørgrav case sUsePrivilegeSeparation: 132180628bacSDag-Erling Smørgrav intptr = &use_privsep; 1322e146993eSDag-Erling Smørgrav multistate_ptr = multistate_privsep; 1323e146993eSDag-Erling Smørgrav goto parse_multistate; 132480628bacSDag-Erling Smørgrav 1325511b41d2SMark Murray case sAllowUsers: 1326c2d3a559SKris Kennaway while ((arg = strdelim(&cp)) && *arg != '\0') { 132742f71286SMark Murray if (options->num_allow_users >= MAX_ALLOW_USERS) 1328af12a3e7SDag-Erling Smørgrav fatal("%s line %d: too many allow users.", 1329e8aafc91SKris Kennaway filename, linenum); 1330462c32cbSDag-Erling Smørgrav if (!*activep) 1331462c32cbSDag-Erling Smørgrav continue; 1332a82e551fSDag-Erling Smørgrav options->allow_users[options->num_allow_users++] = 1333a82e551fSDag-Erling Smørgrav xstrdup(arg); 1334511b41d2SMark Murray } 1335511b41d2SMark Murray break; 1336511b41d2SMark Murray 1337511b41d2SMark Murray case sDenyUsers: 1338c2d3a559SKris Kennaway while ((arg = strdelim(&cp)) 
&& *arg != '\0') { 13392803b77eSBrian Feldman if (options->num_deny_users >= MAX_DENY_USERS) 1340af12a3e7SDag-Erling Smørgrav fatal("%s line %d: too many deny users.", 1341e8aafc91SKris Kennaway filename, linenum); 1342462c32cbSDag-Erling Smørgrav if (!*activep) 1343462c32cbSDag-Erling Smørgrav continue; 1344a82e551fSDag-Erling Smørgrav options->deny_users[options->num_deny_users++] = 1345a82e551fSDag-Erling Smørgrav xstrdup(arg); 1346511b41d2SMark Murray } 1347511b41d2SMark Murray break; 1348511b41d2SMark Murray 1349511b41d2SMark Murray case sAllowGroups: 1350c2d3a559SKris Kennaway while ((arg = strdelim(&cp)) && *arg != '\0') { 135142f71286SMark Murray if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1352af12a3e7SDag-Erling Smørgrav fatal("%s line %d: too many allow groups.", 1353e8aafc91SKris Kennaway filename, linenum); 1354462c32cbSDag-Erling Smørgrav if (!*activep) 1355462c32cbSDag-Erling Smørgrav continue; 1356a82e551fSDag-Erling Smørgrav options->allow_groups[options->num_allow_groups++] = 1357a82e551fSDag-Erling Smørgrav xstrdup(arg); 1358511b41d2SMark Murray } 1359511b41d2SMark Murray break; 1360511b41d2SMark Murray 1361511b41d2SMark Murray case sDenyGroups: 1362c2d3a559SKris Kennaway while ((arg = strdelim(&cp)) && *arg != '\0') { 136342f71286SMark Murray if (options->num_deny_groups >= MAX_DENY_GROUPS) 1364af12a3e7SDag-Erling Smørgrav fatal("%s line %d: too many deny groups.", 1365e8aafc91SKris Kennaway filename, linenum); 1366462c32cbSDag-Erling Smørgrav if (!*activep) 1367462c32cbSDag-Erling Smørgrav continue; 1368462c32cbSDag-Erling Smørgrav options->deny_groups[options->num_deny_groups++] = 1369462c32cbSDag-Erling Smørgrav xstrdup(arg); 1370511b41d2SMark Murray } 1371511b41d2SMark Murray break; 1372511b41d2SMark Murray 1373e8aafc91SKris Kennaway case sCiphers: 1374c2d3a559SKris Kennaway arg = strdelim(&cp); 1375c2d3a559SKris Kennaway if (!arg || *arg == '\0') 1376c322fe35SKris Kennaway fatal("%s line %d: Missing argument.", filename, linenum); 
1377c2d3a559SKris Kennaway if (!ciphers_valid(arg)) 1378e8aafc91SKris Kennaway fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1379c2d3a559SKris Kennaway filename, linenum, arg ? arg : "<NONE>"); 1380e8aafc91SKris Kennaway if (options->ciphers == NULL) 1381c2d3a559SKris Kennaway options->ciphers = xstrdup(arg); 1382e8aafc91SKris Kennaway break; 1383e8aafc91SKris Kennaway 1384ca3176e7SBrian Feldman case sMacs: 1385ca3176e7SBrian Feldman arg = strdelim(&cp); 1386ca3176e7SBrian Feldman if (!arg || *arg == '\0') 1387ca3176e7SBrian Feldman fatal("%s line %d: Missing argument.", filename, linenum); 1388ca3176e7SBrian Feldman if (!mac_valid(arg)) 1389ca3176e7SBrian Feldman fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1390ca3176e7SBrian Feldman filename, linenum, arg ? arg : "<NONE>"); 1391ca3176e7SBrian Feldman if (options->macs == NULL) 1392ca3176e7SBrian Feldman options->macs = xstrdup(arg); 1393ca3176e7SBrian Feldman break; 1394ca3176e7SBrian Feldman 13954a421b63SDag-Erling Smørgrav case sKexAlgorithms: 13964a421b63SDag-Erling Smørgrav arg = strdelim(&cp); 13974a421b63SDag-Erling Smørgrav if (!arg || *arg == '\0') 13984a421b63SDag-Erling Smørgrav fatal("%s line %d: Missing argument.", 13994a421b63SDag-Erling Smørgrav filename, linenum); 14004a421b63SDag-Erling Smørgrav if (!kex_names_valid(arg)) 14014a421b63SDag-Erling Smørgrav fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 14024a421b63SDag-Erling Smørgrav filename, linenum, arg ? 
arg : "<NONE>"); 14034a421b63SDag-Erling Smørgrav if (options->kex_algorithms == NULL) 14044a421b63SDag-Erling Smørgrav options->kex_algorithms = xstrdup(arg); 14054a421b63SDag-Erling Smørgrav break; 14064a421b63SDag-Erling Smørgrav 1407e8aafc91SKris Kennaway case sProtocol: 1408e8aafc91SKris Kennaway intptr = &options->protocol; 1409c2d3a559SKris Kennaway arg = strdelim(&cp); 1410c2d3a559SKris Kennaway if (!arg || *arg == '\0') 1411c322fe35SKris Kennaway fatal("%s line %d: Missing argument.", filename, linenum); 1412c2d3a559SKris Kennaway value = proto_spec(arg); 1413e8aafc91SKris Kennaway if (value == SSH_PROTO_UNKNOWN) 1414e8aafc91SKris Kennaway fatal("%s line %d: Bad protocol spec '%s'.", 1415c2d3a559SKris Kennaway filename, linenum, arg ? arg : "<NONE>"); 1416e8aafc91SKris Kennaway if (*intptr == SSH_PROTO_UNKNOWN) 1417e8aafc91SKris Kennaway *intptr = value; 1418e8aafc91SKris Kennaway break; 1419e8aafc91SKris Kennaway 1420c2d3a559SKris Kennaway case sSubsystem: 1421c2d3a559SKris Kennaway if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1422c2d3a559SKris Kennaway fatal("%s line %d: too many subsystems defined.", 1423c2d3a559SKris Kennaway filename, linenum); 1424c2d3a559SKris Kennaway } 1425c2d3a559SKris Kennaway arg = strdelim(&cp); 1426c2d3a559SKris Kennaway if (!arg || *arg == '\0') 1427c2d3a559SKris Kennaway fatal("%s line %d: Missing subsystem name.", 1428c2d3a559SKris Kennaway filename, linenum); 1429333ee039SDag-Erling Smørgrav if (!*activep) { 1430333ee039SDag-Erling Smørgrav arg = strdelim(&cp); 1431333ee039SDag-Erling Smørgrav break; 1432333ee039SDag-Erling Smørgrav } 1433c2d3a559SKris Kennaway for (i = 0; i < options->num_subsystems; i++) 1434c2d3a559SKris Kennaway if (strcmp(arg, options->subsystem_name[i]) == 0) 1435c2d3a559SKris Kennaway fatal("%s line %d: Subsystem '%s' already defined.", 1436c2d3a559SKris Kennaway filename, linenum, arg); 1437c2d3a559SKris Kennaway options->subsystem_name[options->num_subsystems] = xstrdup(arg); 
1438c2d3a559SKris Kennaway arg = strdelim(&cp); 1439c2d3a559SKris Kennaway if (!arg || *arg == '\0') 1440c2d3a559SKris Kennaway fatal("%s line %d: Missing subsystem command.", 1441c2d3a559SKris Kennaway filename, linenum); 1442c2d3a559SKris Kennaway options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1443333ee039SDag-Erling Smørgrav 1444333ee039SDag-Erling Smørgrav /* Collect arguments (separate to executable) */ 1445333ee039SDag-Erling Smørgrav p = xstrdup(arg); 1446333ee039SDag-Erling Smørgrav len = strlen(p) + 1; 1447333ee039SDag-Erling Smørgrav while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1448333ee039SDag-Erling Smørgrav len += 1 + strlen(arg); 1449333ee039SDag-Erling Smørgrav p = xrealloc(p, 1, len); 1450333ee039SDag-Erling Smørgrav strlcat(p, " ", len); 1451333ee039SDag-Erling Smørgrav strlcat(p, arg, len); 1452333ee039SDag-Erling Smørgrav } 1453333ee039SDag-Erling Smørgrav options->subsystem_args[options->num_subsystems] = p; 1454c2d3a559SKris Kennaway options->num_subsystems++; 1455c2d3a559SKris Kennaway break; 1456c2d3a559SKris Kennaway 1457c2d3a559SKris Kennaway case sMaxStartups: 1458c2d3a559SKris Kennaway arg = strdelim(&cp); 1459c2d3a559SKris Kennaway if (!arg || *arg == '\0') 1460c2d3a559SKris Kennaway fatal("%s line %d: Missing MaxStartups spec.", 1461c2d3a559SKris Kennaway filename, linenum); 1462af12a3e7SDag-Erling Smørgrav if ((n = sscanf(arg, "%d:%d:%d", 1463c2d3a559SKris Kennaway &options->max_startups_begin, 1464c2d3a559SKris Kennaway &options->max_startups_rate, 1465af12a3e7SDag-Erling Smørgrav &options->max_startups)) == 3) { 1466c2d3a559SKris Kennaway if (options->max_startups_begin > 1467c2d3a559SKris Kennaway options->max_startups || 1468c2d3a559SKris Kennaway options->max_startups_rate > 100 || 1469c2d3a559SKris Kennaway options->max_startups_rate < 1) 1470c2d3a559SKris Kennaway fatal("%s line %d: Illegal MaxStartups spec.", 1471c2d3a559SKris Kennaway filename, linenum); 1472af12a3e7SDag-Erling Smørgrav } else 
if (n != 1) 1473af12a3e7SDag-Erling Smørgrav fatal("%s line %d: Illegal MaxStartups spec.", 1474af12a3e7SDag-Erling Smørgrav filename, linenum); 1475af12a3e7SDag-Erling Smørgrav else 1476af12a3e7SDag-Erling Smørgrav options->max_startups = options->max_startups_begin; 1477933ca70fSBrian Feldman break; 1478933ca70fSBrian Feldman 147921e764dfSDag-Erling Smørgrav case sMaxAuthTries: 148021e764dfSDag-Erling Smørgrav intptr = &options->max_authtries; 148121e764dfSDag-Erling Smørgrav goto parse_int; 148221e764dfSDag-Erling Smørgrav 1483d4af9e69SDag-Erling Smørgrav case sMaxSessions: 1484d4af9e69SDag-Erling Smørgrav intptr = &options->max_sessions; 1485d4af9e69SDag-Erling Smørgrav goto parse_int; 1486d4af9e69SDag-Erling Smørgrav 1487ca3176e7SBrian Feldman case sBanner: 1488ca3176e7SBrian Feldman charptr = &options->banner; 1489ca3176e7SBrian Feldman goto parse_filename; 1490d4af9e69SDag-Erling Smørgrav 1491af12a3e7SDag-Erling Smørgrav /* 1492af12a3e7SDag-Erling Smørgrav * These options can contain %X options expanded at 1493af12a3e7SDag-Erling Smørgrav * connect time, so that you can specify paths like: 1494af12a3e7SDag-Erling Smørgrav * 1495af12a3e7SDag-Erling Smørgrav * AuthorizedKeysFile /etc/ssh_keys/%u 1496af12a3e7SDag-Erling Smørgrav */ 1497af12a3e7SDag-Erling Smørgrav case sAuthorizedKeysFile: 1498e146993eSDag-Erling Smørgrav if (*activep && options->num_authkeys_files == 0) { 1499e146993eSDag-Erling Smørgrav while ((arg = strdelim(&cp)) && *arg != '\0') { 1500e146993eSDag-Erling Smørgrav if (options->num_authkeys_files >= 1501e146993eSDag-Erling Smørgrav MAX_AUTHKEYS_FILES) 1502e146993eSDag-Erling Smørgrav fatal("%s line %d: " 1503e146993eSDag-Erling Smørgrav "too many authorized keys files.", 1504e146993eSDag-Erling Smørgrav filename, linenum); 1505e146993eSDag-Erling Smørgrav options->authorized_keys_files[ 1506e146993eSDag-Erling Smørgrav options->num_authkeys_files++] = 1507e146993eSDag-Erling Smørgrav tilde_expand_filename(arg, getuid()); 
1508e146993eSDag-Erling Smørgrav } 1509e146993eSDag-Erling Smørgrav } 1510e146993eSDag-Erling Smørgrav return 0; 1511e146993eSDag-Erling Smørgrav 1512e2f6069cSDag-Erling Smørgrav case sAuthorizedPrincipalsFile: 1513e2f6069cSDag-Erling Smørgrav charptr = &options->authorized_principals_file; 15148ad9b54aSDag-Erling Smørgrav arg = strdelim(&cp); 15158ad9b54aSDag-Erling Smørgrav if (!arg || *arg == '\0') 15168ad9b54aSDag-Erling Smørgrav fatal("%s line %d: missing file name.", 15178ad9b54aSDag-Erling Smørgrav filename, linenum); 15188ad9b54aSDag-Erling Smørgrav if (*activep && *charptr == NULL) { 15198ad9b54aSDag-Erling Smørgrav *charptr = tilde_expand_filename(arg, getuid()); 15208ad9b54aSDag-Erling Smørgrav /* increase optional counter */ 15218ad9b54aSDag-Erling Smørgrav if (intptr != NULL) 15228ad9b54aSDag-Erling Smørgrav *intptr = *intptr + 1; 15238ad9b54aSDag-Erling Smørgrav } 15248ad9b54aSDag-Erling Smørgrav break; 1525af12a3e7SDag-Erling Smørgrav 1526ca3176e7SBrian Feldman case sClientAliveInterval: 1527ca3176e7SBrian Feldman intptr = &options->client_alive_interval; 1528af12a3e7SDag-Erling Smørgrav goto parse_time; 1529af12a3e7SDag-Erling Smørgrav 1530ca3176e7SBrian Feldman case sClientAliveCountMax: 1531ca3176e7SBrian Feldman intptr = &options->client_alive_count_max; 1532ca3176e7SBrian Feldman goto parse_int; 1533af12a3e7SDag-Erling Smørgrav 153421e764dfSDag-Erling Smørgrav case sAcceptEnv: 153521e764dfSDag-Erling Smørgrav while ((arg = strdelim(&cp)) && *arg != '\0') { 153621e764dfSDag-Erling Smørgrav if (strchr(arg, '=') != NULL) 153721e764dfSDag-Erling Smørgrav fatal("%s line %d: Invalid environment name.", 153821e764dfSDag-Erling Smørgrav filename, linenum); 153921e764dfSDag-Erling Smørgrav if (options->num_accept_env >= MAX_ACCEPT_ENV) 154021e764dfSDag-Erling Smørgrav fatal("%s line %d: too many allow env.", 154121e764dfSDag-Erling Smørgrav filename, linenum); 1542333ee039SDag-Erling Smørgrav if (!*activep) 1543462c32cbSDag-Erling Smørgrav continue; 
154421e764dfSDag-Erling Smørgrav options->accept_env[options->num_accept_env++] = 154521e764dfSDag-Erling Smørgrav xstrdup(arg); 154621e764dfSDag-Erling Smørgrav } 154721e764dfSDag-Erling Smørgrav break; 154821e764dfSDag-Erling Smørgrav 1549b74df5b2SDag-Erling Smørgrav case sPermitTunnel: 1550b74df5b2SDag-Erling Smørgrav intptr = &options->permit_tun; 1551b74df5b2SDag-Erling Smørgrav arg = strdelim(&cp); 1552b74df5b2SDag-Erling Smørgrav if (!arg || *arg == '\0') 1553b74df5b2SDag-Erling Smørgrav fatal("%s line %d: Missing yes/point-to-point/" 1554b74df5b2SDag-Erling Smørgrav "ethernet/no argument.", filename, linenum); 1555d4af9e69SDag-Erling Smørgrav value = -1; 1556d4af9e69SDag-Erling Smørgrav for (i = 0; tunmode_desc[i].val != -1; i++) 1557d4af9e69SDag-Erling Smørgrav if (strcmp(tunmode_desc[i].text, arg) == 0) { 1558d4af9e69SDag-Erling Smørgrav value = tunmode_desc[i].val; 1559d4af9e69SDag-Erling Smørgrav break; 1560d4af9e69SDag-Erling Smørgrav } 1561d4af9e69SDag-Erling Smørgrav if (value == -1) 1562b74df5b2SDag-Erling Smørgrav fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1563b74df5b2SDag-Erling Smørgrav "no argument: %s", filename, linenum, arg); 1564b74df5b2SDag-Erling Smørgrav if (*intptr == -1) 1565b74df5b2SDag-Erling Smørgrav *intptr = value; 1566b74df5b2SDag-Erling Smørgrav break; 1567b74df5b2SDag-Erling Smørgrav 1568333ee039SDag-Erling Smørgrav case sMatch: 1569333ee039SDag-Erling Smørgrav if (cmdline) 1570333ee039SDag-Erling Smørgrav fatal("Match directive not supported as a command-line " 1571333ee039SDag-Erling Smørgrav "option"); 1572462c32cbSDag-Erling Smørgrav value = match_cfg_line(&cp, linenum, connectinfo); 1573333ee039SDag-Erling Smørgrav if (value < 0) 1574333ee039SDag-Erling Smørgrav fatal("%s line %d: Bad Match condition", filename, 1575333ee039SDag-Erling Smørgrav linenum); 1576333ee039SDag-Erling Smørgrav *activep = value; 1577333ee039SDag-Erling Smørgrav break; 1578333ee039SDag-Erling Smørgrav 1579333ee039SDag-Erling Smørgrav case 
sPermitOpen: 1580333ee039SDag-Erling Smørgrav arg = strdelim(&cp); 1581333ee039SDag-Erling Smørgrav if (!arg || *arg == '\0') 1582333ee039SDag-Erling Smørgrav fatal("%s line %d: missing PermitOpen specification", 1583333ee039SDag-Erling Smørgrav filename, linenum); 1584d4af9e69SDag-Erling Smørgrav n = options->num_permitted_opens; /* modified later */ 1585333ee039SDag-Erling Smørgrav if (strcmp(arg, "any") == 0) { 1586d4af9e69SDag-Erling Smørgrav if (*activep && n == -1) { 1587333ee039SDag-Erling Smørgrav channel_clear_adm_permitted_opens(); 1588333ee039SDag-Erling Smørgrav options->num_permitted_opens = 0; 1589333ee039SDag-Erling Smørgrav } 1590333ee039SDag-Erling Smørgrav break; 1591333ee039SDag-Erling Smørgrav } 1592462c32cbSDag-Erling Smørgrav if (strcmp(arg, "none") == 0) { 1593462c32cbSDag-Erling Smørgrav if (*activep && n == -1) { 1594462c32cbSDag-Erling Smørgrav options->num_permitted_opens = 1; 1595462c32cbSDag-Erling Smørgrav channel_disable_adm_local_opens(); 1596462c32cbSDag-Erling Smørgrav } 1597462c32cbSDag-Erling Smørgrav break; 1598462c32cbSDag-Erling Smørgrav } 1599d4af9e69SDag-Erling Smørgrav if (*activep && n == -1) 1600d4af9e69SDag-Erling Smørgrav channel_clear_adm_permitted_opens(); 1601333ee039SDag-Erling Smørgrav for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1602333ee039SDag-Erling Smørgrav p = hpdelim(&arg); 1603333ee039SDag-Erling Smørgrav if (p == NULL) 1604333ee039SDag-Erling Smørgrav fatal("%s line %d: missing host in PermitOpen", 1605333ee039SDag-Erling Smørgrav filename, linenum); 1606333ee039SDag-Erling Smørgrav p = cleanhostname(p); 1607462c32cbSDag-Erling Smørgrav if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1608333ee039SDag-Erling Smørgrav fatal("%s line %d: bad port number in " 1609333ee039SDag-Erling Smørgrav "PermitOpen", filename, linenum); 1610d4af9e69SDag-Erling Smørgrav if (*activep && n == -1) 1611333ee039SDag-Erling Smørgrav options->num_permitted_opens = 1612333ee039SDag-Erling Smørgrav 
channel_add_adm_permitted_opens(p, port); 1613333ee039SDag-Erling Smørgrav } 1614333ee039SDag-Erling Smørgrav break; 1615333ee039SDag-Erling Smørgrav 1616333ee039SDag-Erling Smørgrav case sForceCommand: 1617333ee039SDag-Erling Smørgrav if (cp == NULL) 1618333ee039SDag-Erling Smørgrav fatal("%.200s line %d: Missing argument.", filename, 1619333ee039SDag-Erling Smørgrav linenum); 1620333ee039SDag-Erling Smørgrav len = strspn(cp, WHITESPACE); 1621333ee039SDag-Erling Smørgrav if (*activep && options->adm_forced_command == NULL) 1622333ee039SDag-Erling Smørgrav options->adm_forced_command = xstrdup(cp + len); 1623333ee039SDag-Erling Smørgrav return 0; 1624333ee039SDag-Erling Smørgrav 1625d4af9e69SDag-Erling Smørgrav case sChrootDirectory: 1626d4af9e69SDag-Erling Smørgrav charptr = &options->chroot_directory; 1627d4af9e69SDag-Erling Smørgrav 1628d4af9e69SDag-Erling Smørgrav arg = strdelim(&cp); 1629d4af9e69SDag-Erling Smørgrav if (!arg || *arg == '\0') 1630d4af9e69SDag-Erling Smørgrav fatal("%s line %d: missing file name.", 1631d4af9e69SDag-Erling Smørgrav filename, linenum); 1632d4af9e69SDag-Erling Smørgrav if (*activep && *charptr == NULL) 1633d4af9e69SDag-Erling Smørgrav *charptr = xstrdup(arg); 1634d4af9e69SDag-Erling Smørgrav break; 1635d4af9e69SDag-Erling Smørgrav 1636b15c8340SDag-Erling Smørgrav case sTrustedUserCAKeys: 1637b15c8340SDag-Erling Smørgrav charptr = &options->trusted_user_ca_keys; 1638b15c8340SDag-Erling Smørgrav goto parse_filename; 1639b15c8340SDag-Erling Smørgrav 1640b15c8340SDag-Erling Smørgrav case sRevokedKeys: 1641b15c8340SDag-Erling Smørgrav charptr = &options->revoked_keys_file; 1642b15c8340SDag-Erling Smørgrav goto parse_filename; 1643b15c8340SDag-Erling Smørgrav 16444a421b63SDag-Erling Smørgrav case sIPQoS: 16454a421b63SDag-Erling Smørgrav arg = strdelim(&cp); 16464a421b63SDag-Erling Smørgrav if ((value = parse_ipqos(arg)) == -1) 16474a421b63SDag-Erling Smørgrav fatal("%s line %d: Bad IPQoS value: %s", 16484a421b63SDag-Erling Smørgrav 
filename, linenum, arg); 16494a421b63SDag-Erling Smørgrav arg = strdelim(&cp); 16504a421b63SDag-Erling Smørgrav if (arg == NULL) 16514a421b63SDag-Erling Smørgrav value2 = value; 16524a421b63SDag-Erling Smørgrav else if ((value2 = parse_ipqos(arg)) == -1) 16534a421b63SDag-Erling Smørgrav fatal("%s line %d: Bad IPQoS value: %s", 16544a421b63SDag-Erling Smørgrav filename, linenum, arg); 16554a421b63SDag-Erling Smørgrav if (*activep) { 16564a421b63SDag-Erling Smørgrav options->ip_qos_interactive = value; 16574a421b63SDag-Erling Smørgrav options->ip_qos_bulk = value2; 16584a421b63SDag-Erling Smørgrav } 16594a421b63SDag-Erling Smørgrav break; 16604a421b63SDag-Erling Smørgrav 1661db58a8e4SDag-Erling Smørgrav case sVersionAddendum: 1662462c32cbSDag-Erling Smørgrav if (cp == NULL) 1663462c32cbSDag-Erling Smørgrav fatal("%.200s line %d: Missing argument.", filename, 1664462c32cbSDag-Erling Smørgrav linenum); 1665462c32cbSDag-Erling Smørgrav len = strspn(cp, WHITESPACE); 1666462c32cbSDag-Erling Smørgrav if (*activep && options->version_addendum == NULL) { 1667462c32cbSDag-Erling Smørgrav if (strcasecmp(cp + len, "none") == 0) 1668462c32cbSDag-Erling Smørgrav options->version_addendum = xstrdup(""); 1669462c32cbSDag-Erling Smørgrav else if (strchr(cp + len, '\r') != NULL) 1670462c32cbSDag-Erling Smørgrav fatal("%.200s line %d: Invalid argument", 1671462c32cbSDag-Erling Smørgrav filename, linenum); 1672462c32cbSDag-Erling Smørgrav else 1673462c32cbSDag-Erling Smørgrav options->version_addendum = xstrdup(cp + len); 1674462c32cbSDag-Erling Smørgrav } 1675462c32cbSDag-Erling Smørgrav return 0; 1676db58a8e4SDag-Erling Smørgrav 16776888a9beSDag-Erling Smørgrav case sAuthorizedKeysCommand: 1678*bc5531deSDag-Erling Smørgrav if (cp == NULL) 1679*bc5531deSDag-Erling Smørgrav fatal("%.200s line %d: Missing argument.", filename, 1680*bc5531deSDag-Erling Smørgrav linenum); 16816888a9beSDag-Erling Smørgrav len = strspn(cp, WHITESPACE); 16826888a9beSDag-Erling Smørgrav if (*activep && 
options->authorized_keys_command == NULL) { 16836888a9beSDag-Erling Smørgrav if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 16846888a9beSDag-Erling Smørgrav fatal("%.200s line %d: AuthorizedKeysCommand " 16856888a9beSDag-Erling Smørgrav "must be an absolute path", 16866888a9beSDag-Erling Smørgrav filename, linenum); 16876888a9beSDag-Erling Smørgrav options->authorized_keys_command = xstrdup(cp + len); 16886888a9beSDag-Erling Smørgrav } 16896888a9beSDag-Erling Smørgrav return 0; 16906888a9beSDag-Erling Smørgrav 16916888a9beSDag-Erling Smørgrav case sAuthorizedKeysCommandUser: 16926888a9beSDag-Erling Smørgrav charptr = &options->authorized_keys_command_user; 16936888a9beSDag-Erling Smørgrav 16946888a9beSDag-Erling Smørgrav arg = strdelim(&cp); 1695*bc5531deSDag-Erling Smørgrav if (!arg || *arg == '\0') 1696*bc5531deSDag-Erling Smørgrav fatal("%s line %d: missing AuthorizedKeysCommandUser " 1697*bc5531deSDag-Erling Smørgrav "argument.", filename, linenum); 16986888a9beSDag-Erling Smørgrav if (*activep && *charptr == NULL) 16996888a9beSDag-Erling Smørgrav *charptr = xstrdup(arg); 17006888a9beSDag-Erling Smørgrav break; 17016888a9beSDag-Erling Smørgrav 17026888a9beSDag-Erling Smørgrav case sAuthenticationMethods: 17036888a9beSDag-Erling Smørgrav if (*activep && options->num_auth_methods == 0) { 17046888a9beSDag-Erling Smørgrav while ((arg = strdelim(&cp)) && *arg != '\0') { 17056888a9beSDag-Erling Smørgrav if (options->num_auth_methods >= 17066888a9beSDag-Erling Smørgrav MAX_AUTH_METHODS) 17076888a9beSDag-Erling Smørgrav fatal("%s line %d: " 17086888a9beSDag-Erling Smørgrav "too many authentication methods.", 17096888a9beSDag-Erling Smørgrav filename, linenum); 17106888a9beSDag-Erling Smørgrav if (auth2_methods_valid(arg, 0) != 0) 17116888a9beSDag-Erling Smørgrav fatal("%s line %d: invalid " 17126888a9beSDag-Erling Smørgrav "authentication method list.", 17136888a9beSDag-Erling Smørgrav filename, linenum); 17146888a9beSDag-Erling Smørgrav 
options->auth_methods[ 17156888a9beSDag-Erling Smørgrav options->num_auth_methods++] = xstrdup(arg); 17166888a9beSDag-Erling Smørgrav } 17176888a9beSDag-Erling Smørgrav } 17186888a9beSDag-Erling Smørgrav return 0; 17196888a9beSDag-Erling Smørgrav 1720a0ee8cc6SDag-Erling Smørgrav case sStreamLocalBindMask: 1721a0ee8cc6SDag-Erling Smørgrav arg = strdelim(&cp); 1722a0ee8cc6SDag-Erling Smørgrav if (!arg || *arg == '\0') 1723a0ee8cc6SDag-Erling Smørgrav fatal("%s line %d: missing StreamLocalBindMask argument.", 1724a0ee8cc6SDag-Erling Smørgrav filename, linenum); 1725a0ee8cc6SDag-Erling Smørgrav /* Parse mode in octal format */ 1726a0ee8cc6SDag-Erling Smørgrav value = strtol(arg, &p, 8); 1727a0ee8cc6SDag-Erling Smørgrav if (arg == p || value < 0 || value > 0777) 1728a0ee8cc6SDag-Erling Smørgrav fatal("%s line %d: Bad mask.", filename, linenum); 1729a0ee8cc6SDag-Erling Smørgrav options->fwd_opts.streamlocal_bind_mask = (mode_t)value; 1730a0ee8cc6SDag-Erling Smørgrav break; 1731a0ee8cc6SDag-Erling Smørgrav 1732a0ee8cc6SDag-Erling Smørgrav case sStreamLocalBindUnlink: 1733a0ee8cc6SDag-Erling Smørgrav intptr = &options->fwd_opts.streamlocal_bind_unlink; 1734a0ee8cc6SDag-Erling Smørgrav goto parse_flag; 1735a0ee8cc6SDag-Erling Smørgrav 1736*bc5531deSDag-Erling Smørgrav case sFingerprintHash: 1737*bc5531deSDag-Erling Smørgrav arg = strdelim(&cp); 1738*bc5531deSDag-Erling Smørgrav if (!arg || *arg == '\0') 1739*bc5531deSDag-Erling Smørgrav fatal("%.200s line %d: Missing argument.", 1740*bc5531deSDag-Erling Smørgrav filename, linenum); 1741*bc5531deSDag-Erling Smørgrav if ((value = ssh_digest_alg_by_name(arg)) == -1) 1742*bc5531deSDag-Erling Smørgrav fatal("%.200s line %d: Invalid hash algorithm \"%s\".", 1743*bc5531deSDag-Erling Smørgrav filename, linenum, arg); 1744*bc5531deSDag-Erling Smørgrav if (*activep) 1745*bc5531deSDag-Erling Smørgrav options->fingerprint_hash = value; 1746*bc5531deSDag-Erling Smørgrav break; 1747*bc5531deSDag-Erling Smørgrav 1748af12a3e7SDag-Erling 
Smørgrav case sDeprecated: 1749cf2b5f3bSDag-Erling Smørgrav logit("%s line %d: Deprecated option %s", 1750cf2b5f3bSDag-Erling Smørgrav filename, linenum, arg); 1751cf2b5f3bSDag-Erling Smørgrav while (arg) 1752cf2b5f3bSDag-Erling Smørgrav arg = strdelim(&cp); 1753cf2b5f3bSDag-Erling Smørgrav break; 1754cf2b5f3bSDag-Erling Smørgrav 1755cf2b5f3bSDag-Erling Smørgrav case sUnsupported: 1756cf2b5f3bSDag-Erling Smørgrav logit("%s line %d: Unsupported option %s", 1757af12a3e7SDag-Erling Smørgrav filename, linenum, arg); 1758af12a3e7SDag-Erling Smørgrav while (arg) 1759af12a3e7SDag-Erling Smørgrav arg = strdelim(&cp); 1760af12a3e7SDag-Erling Smørgrav break; 1761af12a3e7SDag-Erling Smørgrav 176242f71286SMark Murray default: 1763af12a3e7SDag-Erling Smørgrav fatal("%s line %d: Missing handler for opcode %s (%d)", 1764c2d3a559SKris Kennaway filename, linenum, arg, opcode); 1765511b41d2SMark Murray } 1766ca3176e7SBrian Feldman if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1767ca3176e7SBrian Feldman fatal("%s line %d: garbage at end of line; \"%.200s\".", 1768c2d3a559SKris Kennaway filename, linenum, arg); 1769af12a3e7SDag-Erling Smørgrav return 0; 1770af12a3e7SDag-Erling Smørgrav } 1771af12a3e7SDag-Erling Smørgrav 1772af12a3e7SDag-Erling Smørgrav /* Reads the server configuration file. 
*/

/*
 * Read the file named by filename into conf as a single NUL-terminated
 * string.
 *
 * Every line is truncated at its first '#' (the cut is made wherever the
 * character appears, including inside an argument) and has its leading
 * spaces, tabs and carriage returns skipped. The newline is always kept so
 * that later parsing can reproduce line numbers in error messages.
 *
 * The file is opened with a plain fopen(): this function checks neither
 * ownership nor permissions of the path it is given. If the file cannot be
 * opened the process exits with status 1; a line that fills the 4096-byte
 * read buffer is fatal.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char linebuf[4096];
	char *hash, *start;
	FILE *fp;
	int nlines = 0;

	debug2("%s: filename %s", __func__, filename);
	fp = fopen(filename, "r");
	if (fp == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	while (fgets(linebuf, sizeof(linebuf), fp) != NULL) {
		nlines++;
		/* A completely full buffer means the line did not fit. */
		if (strlen(linebuf) == sizeof(linebuf) - 1)
			fatal("%s line %d too long", filename, nlines);
		/* Replace the comment with "\n" plus terminator. */
		hash = strchr(linebuf, '#');
		if (hash != NULL)
			memcpy(hash, "\n", 2);
		start = linebuf + strspn(linebuf, " \t\r");

		buffer_append(conf, start, strlen(start));
	}
	/* Terminate the buffer so it can be handled as a C string. */
	buffer_append(conf, "\0", 1);
	fclose(fp);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}

/*
 * Re-parse the cached configuration (the global cfg buffer) against the
 * supplied connection details into a scratch ServerOptions, then overlay
 * every value that ended up set onto options. The copy is made with
 * preauth == 0, so the post-authentication string options are included.
 */
void
parse_server_match_config(ServerOptions *options,
    struct connection_info *connectinfo)
{
	ServerOptions match_opts;

	initialize_server_options(&match_opts);
	parse_server_config(&match_opts, "reprocess config", &cfg,
	    connectinfo);
	copy_set_server_options(options, &match_opts, 0);
}

/*
 * Fill ci from a comma-separated list of key=value items. Recognised keys
 * are addr, host, user, laddr and lport. spec is modified in place by
 * strsep(). String values are duplicated with xstrdup(); a value already
 * stored in ci is overwritten without being freed. Parsing stops at the
 * first empty item.
 *
 * Returns 0 on success, or -1 after printing a message to stderr when an
 * item has an unknown key or lport is not a valid port.
 */
int
parse_server_match_testspec(struct connection_info *ci, char *spec)
{
	char *item;

	for (;;) {
		item = strsep(&spec, ",");
		if (item == NULL || *item == '\0')
			break;
		if (strncmp(item, "addr=", 5) == 0) {
			ci->address = xstrdup(item + 5);
			continue;
		}
		if (strncmp(item, "host=", 5) == 0) {
			ci->host = xstrdup(item + 5);
			continue;
		}
		if (strncmp(item, "user=", 5) == 0) {
			ci->user = xstrdup(item + 5);
			continue;
		}
		if (strncmp(item, "laddr=", 6) == 0) {
			ci->laddress = xstrdup(item + 6);
			continue;
		}
		if (strncmp(item, "lport=", 6) == 0) {
			ci->lport = a2port(item + 6);
			if (ci->lport == -1) {
				fprintf(stderr, "Invalid port '%s' in test mode"
				    " specification %s\n", item + 6, item);
				return -1;
			}
			continue;
		}
		fprintf(stderr, "Invalid test mode specification %s\n",
		    item);
		return -1;
	}
	return 0;
}

/*
 * Classify a connection spec by how many of user, host and address are
 * present: returns 1 when all three are set (complete), -1 when none is
 * set (empty) and 0 otherwise (partial). laddress and lport are not
 * considered.
 */
int
server_match_spec_complete(struct connection_info *ci)
{
	int present;

	present = (ci->user != NULL) + (ci->host != NULL) +
	    (ci->address != NULL);
	if (present == 3)
		return 1;	/* complete */
	if (present == 0)
		return -1;	/* empty */
	return 0;	/* partial */
}

/*
 * Copy any supported values that are set.
 *
 * If the preauth flag is set, we do not bother copying the string or
 * array values that are not used pre-authentication, because any that we
 * do use must be explicitly sent in mm_getpwnamallow().
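 */
void
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
{
/* An integer option overrides dst only when src holds something other than -1. */
#define M_CP_INTOPT(n) do {\
	if (src->n != -1) \
		dst->n = src->n; \
} while (0)

	M_CP_INTOPT(password_authentication);
	M_CP_INTOPT(gss_authentication);
	M_CP_INTOPT(rsa_authentication);
	M_CP_INTOPT(pubkey_authentication);
	M_CP_INTOPT(kerberos_authentication);
	M_CP_INTOPT(hostbased_authentication);
	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
	M_CP_INTOPT(kbd_interactive_authentication);
	M_CP_INTOPT(permit_root_login);
	M_CP_INTOPT(permit_empty_passwd);

	M_CP_INTOPT(allow_tcp_forwarding);
	M_CP_INTOPT(allow_streamlocal_forwarding);
	M_CP_INTOPT(allow_agent_forwarding);
	M_CP_INTOPT(permit_tun);
	M_CP_INTOPT(fwd_opts.gateway_ports);
	M_CP_INTOPT(x11_display_offset);
	M_CP_INTOPT(x11_forwarding);
	M_CP_INTOPT(x11_use_localhost);
	M_CP_INTOPT(permit_tty);
	M_CP_INTOPT(permit_user_rc);
	M_CP_INTOPT(max_sessions);
	M_CP_INTOPT(max_authtries);
	M_CP_INTOPT(ip_qos_interactive);
	M_CP_INTOPT(ip_qos_bulk);
	M_CP_INTOPT(rekey_limit);
	M_CP_INTOPT(rekey_interval);

	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
/*
 * M_CP_STROPT frees dst's old string and then stores src's pointer itself,
 * not a copy: afterwards dst and src refer to the same allocation, so src
 * must not free it.
 * M_CP_STRARRAYOPT duplicates each element with xstrdup() and resets the
 * destination count; entries previously held by dst are not freed here.
 */
#define M_CP_STROPT(n) do {\
	if (src->n != NULL && dst->n != src->n) { \
		free(dst->n); \
		dst->n = src->n; \
	} \
} while(0)
#define M_CP_STRARRAYOPT(n, num_n) do {\
	if (src->num_n != 0) { \
		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
	} \
} while(0)

	/* See comment in servconf.h */
	COPY_MATCH_STRING_OPTS();

	/*
	 * The only things that should be below this point are string options
	 * which are only used after authentication.
	 */
	if (preauth)
		return;

	M_CP_STROPT(adm_forced_command);
	M_CP_STROPT(chroot_directory);
}

#undef M_CP_INTOPT
#undef M_CP_STROPT
#undef M_CP_STRARRAYOPT

/*
 * Parse the configuration text held in conf into options, one line at a
 * time. filename is used only in log and error messages.
 *
 * When connectinfo is NULL every line starts out active; otherwise parsing
 * starts inactive and process_server_config_line() is left to switch the
 * flag through the pointer it is given (presumably on a matching Match
 * block; confirm against that function). Lines for which it returns
 * non-zero are counted, and any such line makes the whole parse fatal once
 * all lines have been seen.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    struct connection_info *connectinfo)
{
	int active, linenum, bad_options = 0;
	char *cp, *obuf, *cbuf;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into its input, so work on a private copy. */
	obuf = cbuf = xstrdup(buffer_ptr(conf));
	active = connectinfo ? 0 : 1;
	linenum = 1;
	while ((cp = strsep(&cbuf, "\n")) != NULL) {
		if (process_server_config_line(options, cp, filename,
		    linenum++, &active, connectinfo) != 0)
			bad_options++;
	}
	free(obuf);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}

/*
 * Return the key of the first entry in the NULL-key-terminated table m
 * whose value equals val, or "UNKNOWN" when no entry matches.
 */
static const char *
fmt_multistate_int(int val, const struct multistate *m)
{
	u_int i;

	for (i = 0; m[i].key != NULL; i++) {
		if (m[i].value == val)
			return m[i].key;
	}
	return "UNKNOWN";
}

/*
 * Render the integer value of option code as the text used in the
 * configuration dump. -1 is always shown as "unset". Options with a
 * multistate table or a digest name are looked up there, Protocol is
 * spelled out, and everything else is treated as a yes/no flag.
 */
static const char *
fmt_intarg(ServerOpCodes code, int val)
{
	if (val == -1)
		return "unset";
	switch (code) {
	case sAddressFamily:
		return fmt_multistate_int(val, multistate_addressfamily);
	case sPermitRootLogin:
		return fmt_multistate_int(val, multistate_permitrootlogin);
	case sGatewayPorts:
		return fmt_multistate_int(val, multistate_gatewayports);
	case sCompression:
		return fmt_multistate_int(val, multistate_compression);
	case sUsePrivilegeSeparation:
		return fmt_multistate_int(val, multistate_privsep);
	case sAllowTcpForwarding:
		return fmt_multistate_int(val, multistate_tcpfwd);
	case sAllowStreamLocalForwarding:
		return fmt_multistate_int(val, multistate_tcpfwd);
	case sFingerprintHash:
		return ssh_digest_alg_name(val);
	case sProtocol:
		switch (val) {
		case SSH_PROTO_1:
			return "1";
		case SSH_PROTO_2:
			return "2";
		case (SSH_PROTO_1|SSH_PROTO_2):
			return "2,1";
		default:
			return "UNKNOWN";
		}
	default:
		switch (val) {
		case 0:
			return "no";
		case 1:
			return "yes";
		default:
			return "UNKNOWN";
		}
	}
}

/*
 * Map an opcode back to its keyword name using the keywords table;
 * returns "UNKNOWN" when the table has no entry for it.
 */
static const char *
lookup_opcode_name(ServerOpCodes code)
{
	u_int i;

	for (i = 0; keywords[i].name != NULL; i++)
		if (keywords[i].opcode == code)
			return(keywords[i].name);
	return "UNKNOWN";
}

/* Print "<keyword> <val>" with val as a plain decimal integer. */
static void
dump_cfg_int(ServerOpCodes code, int val)
{
	printf("%s %d\n", lookup_opcode_name(code), val);
}

/* Print "<keyword> <text>" with val rendered by fmt_intarg(). */
static void
dump_cfg_fmtint(ServerOpCodes code, int val)
{
	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
}

/*
 * Print "<keyword> <val>" for a string option. A NULL (unset) value is
 * skipped entirely, so unset string options do not appear in the dump.
 */
static void
dump_cfg_string(ServerOpCodes code, const char *val)
{
	if (val == NULL)
		return;
	printf("%s %s\n", lookup_opcode_name(code), val);
}

/* Print one "<keyword> <value>" line per array element. */
static void
dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
{
	u_int i;

	for (i = 0; i < count; i++)
		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
}

/*
 * Print the keyword followed by all array elements on a single line. The
 * keyword line is printed even when count is 0.
 */
static void
dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
{
	u_int i;

	printf("%s", lookup_opcode_name(code));
	for (i = 0; i < count; i++)
		printf(" %s", vals[i]);
	printf("\n");
}

/*
 * Write the effective server configuration in o to stdout, one keyword per
 * line. This is the view an administrator audits, so each value has to be
 * printed under the keyword it was configured with.
 */
void
dump_config(ServerOptions *o)
{
	u_int i;
	int ret;
	struct addrinfo *ai;
	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;

	/* these are usually at the top of the config */
	for (i = 0; i < o->num_ports; i++)
		printf("port %d\n", o->ports[i]);
	dump_cfg_fmtint(sProtocol, o->protocol);
	dump_cfg_fmtint(sAddressFamily, o->address_family);

	/* ListenAddress must be after Port */
	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
		    sizeof(addr), port, sizeof(port),
		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
			error("getnameinfo failed: %.100s",
			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
			    strerror(errno));
		} else {
			if (ai->ai_family == AF_INET6)
				printf("listenaddress [%s]:%s\n", addr, port);
			else
				printf("listenaddress %s:%s\n", addr, port);
		}
	}

	/* integer arguments */
#ifdef USE_PAM
	dump_cfg_int(sUsePAM, o->use_pam);
#endif
	dump_cfg_int(sServerKeyBits, o->server_key_bits);
	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
	dump_cfg_int(sMaxAuthTries, o->max_authtries);
	dump_cfg_int(sMaxSessions, o->max_sessions);
	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);

	/* formatted integer arguments */
	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
	    o->hostbased_uses_name_from_packet_only);
	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
#ifdef KRB5
	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
# ifdef USE_AFS
	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
#endif
#ifdef GSSAPI
	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
#endif
	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
	dump_cfg_fmtint(sKbdInteractiveAuthentication,
	    o->kbd_interactive_authentication);
	dump_cfg_fmtint(sChallengeResponseAuthentication,
	    o->challenge_response_authentication);
	dump_cfg_fmtint(sPrintMotd, o->print_motd);
	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
	dump_cfg_fmtint(sStrictModes, o->strict_modes);
	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
	dump_cfg_fmtint(sUseLogin, o->use_login);
	dump_cfg_fmtint(sCompression, o->compression);
	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
	dump_cfg_fmtint(sUseDNS, o->use_dns);
	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
	/* Taken from the global use_privsep, not from o. */
	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);

	/* string arguments */
	dump_cfg_string(sPidFile, o->pid_file);
	dump_cfg_string(sXAuthLocation, o->xauth_location);
	/* Unset algorithm lists are shown as the compiled-in defaults. */
	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
	dump_cfg_string(sBanner, o->banner);
	dump_cfg_string(sForceCommand, o->adm_forced_command);
	dump_cfg_string(sChrootDirectory, o->chroot_directory);
	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
	dump_cfg_string(sAuthorizedPrincipalsFile,
	    o->authorized_principals_file);
	dump_cfg_string(sVersionAddendum, o->version_addendum);
	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
	dump_cfg_string(sKexAlgorithms,
	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);

	/* string arguments requiring a lookup */
	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));

	/* string array arguments */
	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
	    o->authorized_keys_files);
	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
	    o->host_key_files);
	/*
	 * Certificates go under HostCertificate. Printing host_cert_files
	 * with the HostKey keyword would report certificate files as host
	 * key files to anyone auditing the effective configuration.
	 */
	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
	    o->host_cert_files);
	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
	dump_cfg_strarray_oneline(sAuthenticationMethods,
	    o->num_auth_methods, o->auth_methods);

	/* other arguments */
	for (i = 0; i < o->num_subsystems; i++)
		printf("subsystem %s %s\n", o->subsystem_name[i],
		    o->subsystem_args[i]);

	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
	    o->max_startups_rate, o->max_startups);

	/* s stays NULL when permit_tun matches no table entry. */
	for (i = 0; tunmode_desc[i].val != -1; i++)
		if (tunmode_desc[i].val == o->permit_tun) {
			s = tunmode_desc[i].text;
			break;
		}
	dump_cfg_string(sPermitTunnel, s);

	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
	printf("%s\n", iptos2str(o->ip_qos_bulk));

	printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
	    o->rekey_interval);

	channel_print_adm_permitted_opens();
}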