1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 12 #include "includes.h" 13 RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $"); 14 RCSID("$FreeBSD$"); 15 16 #if defined(KRB4) 17 #include <krb.h> 18 #endif 19 #if defined(KRB5) 20 #ifdef HEIMDAL 21 #include <krb5.h> 22 #else 23 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 24 * keytab */ 25 #define KEYFILE "/etc/krb5.keytab" 26 #endif 27 #endif 28 #ifdef AFS 29 #include <kafs.h> 30 #endif 31 32 #include "ssh.h" 33 #include "log.h" 34 #include "servconf.h" 35 #include "xmalloc.h" 36 #include "compat.h" 37 #include "pathnames.h" 38 #include "tildexpand.h" 39 #include "misc.h" 40 #include "cipher.h" 41 #include "kex.h" 42 #include "mac.h" 43 44 static void add_listen_addr(ServerOptions *, char *, u_short); 45 static void add_one_listen_addr(ServerOptions *, char *, u_short); 46 47 /* AF_UNSPEC or AF_INET or AF_INET6 */ 48 extern int IPv4or6; 49 /* Use of privilege separation or not */ 50 extern int use_privsep; 51 52 /* Initializes the server options to their default values. */ 53 54 void 55 initialize_server_options(ServerOptions *options) 56 { 57 memset(options, 0, sizeof(*options)); 58 59 /* Portable-specific options */ 60 options->pam_authentication_via_kbd_int = -1; 61 62 /* Standard Options */ 63 options->num_ports = 0; 64 options->ports_from_cmdline = 0; 65 options->listen_addrs = NULL; 66 options->num_host_key_files = 0; 67 options->pid_file = NULL; 68 options->server_key_bits = -1; 69 options->login_grace_time = -1; 70 options->key_regeneration_time = -1; 71 options->permit_root_login = PERMIT_NOT_SET; 72 options->ignore_rhosts = -1; 73 options->ignore_user_known_hosts = -1; 74 options->print_motd = -1; 75 options->print_lastlog = -1; 76 options->x11_forwarding = -1; 77 options->x11_display_offset = -1; 78 options->x11_use_localhost = -1; 79 options->xauth_location = NULL; 80 options->strict_modes = -1; 81 options->keepalives = -1; 82 options->log_facility = SYSLOG_FACILITY_NOT_SET; 83 options->log_level = SYSLOG_LEVEL_NOT_SET; 84 options->rhosts_authentication = -1; 85 options->rhosts_rsa_authentication = -1; 86 options->hostbased_authentication = -1; 87 options->hostbased_uses_name_from_packet_only = -1; 88 options->rsa_authentication = -1; 89 options->pubkey_authentication = -1; 90 #if defined(KRB4) || defined(KRB5) 91 options->kerberos_authentication = -1; 92 options->kerberos_or_local_passwd = -1; 93 options->kerberos_ticket_cleanup = -1; 94 #endif 95 #if defined(AFS) || defined(KRB5) 96 options->kerberos_tgt_passing = -1; 97 #endif 98 #ifdef AFS 99 options->afs_token_passing = -1; 100 #endif 101 options->password_authentication = -1; 102 options->kbd_interactive_authentication = -1; 103 options->challenge_response_authentication = -1; 104 options->permit_empty_passwd = -1; 105 options->use_login = -1; 106 options->compression = -1; 107 options->allow_tcp_forwarding = -1; 108 options->num_allow_users = 0; 109 options->num_deny_users = 0; 110 options->num_allow_groups = 0; 111 options->num_deny_groups = 0; 112 options->ciphers = NULL; 113 options->macs = NULL; 114 options->protocol = SSH_PROTO_UNKNOWN; 115 options->gateway_ports = -1; 116 options->num_subsystems = 0; 117 options->max_startups_begin = -1; 118 options->max_startups_rate = -1; 119 options->max_startups = -1; 120 options->banner = NULL; 121 options->verify_reverse_mapping = -1; 122 options->client_alive_interval = -1; 123 options->client_alive_count_max = -1; 124 options->authorized_keys_file = NULL; 125 options->authorized_keys_file2 = NULL; 126 127 /* Needs to be accessable in many places */ 128 use_privsep = -1; 129 } 130 131 void 132 fill_default_server_options(ServerOptions *options) 133 { 134 /* Portable-specific options */ 135 if (options->pam_authentication_via_kbd_int == -1) 136 options->pam_authentication_via_kbd_int = 0; 137 138 /* Standard Options */ 139 if (options->protocol == SSH_PROTO_UNKNOWN) 140 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 141 if (options->num_host_key_files == 0) { 142 /* fill default hostkeys for protocols */ 143 if (options->protocol & SSH_PROTO_1) 144 options->host_key_files[options->num_host_key_files++] = 145 _PATH_HOST_KEY_FILE; 146 if (options->protocol & SSH_PROTO_2) { 147 options->host_key_files[options->num_host_key_files++] = 148 _PATH_HOST_DSA_KEY_FILE; 149 } 150 } 151 if (options->num_ports == 0) 152 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 153 if (options->listen_addrs == NULL) 154 add_listen_addr(options, NULL, 0); 155 if (options->pid_file == NULL) 156 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 157 if (options->server_key_bits == -1) 158 options->server_key_bits = 768; 159 if (options->login_grace_time == -1) 160 options->login_grace_time = 120; 161 if (options->key_regeneration_time == -1) 162 options->key_regeneration_time = 3600; 163 if (options->permit_root_login == PERMIT_NOT_SET) 164 options->permit_root_login = PERMIT_NO; 165 if (options->ignore_rhosts == -1) 166 options->ignore_rhosts = 1; 167 if (options->ignore_user_known_hosts == -1) 168 options->ignore_user_known_hosts = 0; 169 if (options->print_motd == -1) 170 options->print_motd = 1; 171 if (options->print_lastlog == -1) 172 options->print_lastlog = 1; 173 if (options->x11_forwarding == -1) 174 options->x11_forwarding = 1; 175 if (options->x11_display_offset == -1) 176 options->x11_display_offset = 10; 177 if (options->x11_use_localhost == -1) 178 options->x11_use_localhost = 1; 179 if (options->xauth_location == NULL) 180 options->xauth_location = _PATH_XAUTH; 181 if (options->strict_modes == -1) 182 options->strict_modes = 1; 183 if (options->keepalives == -1) 184 options->keepalives = 1; 185 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 186 options->log_facility = SYSLOG_FACILITY_AUTH; 187 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 188 options->log_level = SYSLOG_LEVEL_INFO; 189 if (options->rhosts_authentication == -1) 190 options->rhosts_authentication = 0; 191 if (options->rhosts_rsa_authentication == -1) 192 options->rhosts_rsa_authentication = 0; 193 if (options->hostbased_authentication == -1) 194 options->hostbased_authentication = 0; 195 if (options->hostbased_uses_name_from_packet_only == -1) 196 options->hostbased_uses_name_from_packet_only = 0; 197 if (options->rsa_authentication == -1) 198 options->rsa_authentication = 1; 199 if (options->pubkey_authentication == -1) 200 options->pubkey_authentication = 1; 201 #if defined(KRB4) && defined(KRB5) 202 if (options->kerberos_authentication == -1) 203 options->kerberos_authentication = 204 (access(KEYFILE, R_OK) == 0 || 205 access(krb5_defkeyname, R_OK) == 0); 206 #elif defined(KRB4) 207 if (options->kerberos_authentication == -1) 208 options->kerberos_authentication = 209 (access(KEYFILE, R_OK) == 0); 210 #elif defined(KRB5) 211 if (options->kerberos_authentication == -1) 212 options->kerberos_authentication = 213 (access(krb5_defkeyname, R_OK) == 0); 214 #endif 215 #if defined(KRB4) || defined(KRB5) 216 if (options->kerberos_or_local_passwd == -1) 217 options->kerberos_or_local_passwd = 1; 218 if (options->kerberos_ticket_cleanup == -1) 219 options->kerberos_ticket_cleanup = 1; 220 #endif 221 #if defined(AFS) || defined(KRB5) 222 if (options->kerberos_tgt_passing == -1) 223 options->kerberos_tgt_passing = 0; 224 #endif 225 #ifdef AFS 226 if (options->afs_token_passing == -1) 227 options->afs_token_passing = 0; 228 #endif 229 if (options->password_authentication == -1) 230 options->password_authentication = 1; 231 if (options->kbd_interactive_authentication == -1) 232 options->kbd_interactive_authentication = 0; 233 if (options->challenge_response_authentication == -1) 234 options->challenge_response_authentication = 1; 235 if (options->permit_empty_passwd == -1) 236 options->permit_empty_passwd = 0; 237 if (options->use_login == -1) 238 options->use_login = 0; 239 if (options->compression == -1) 240 options->compression = 1; 241 if (options->allow_tcp_forwarding == -1) 242 options->allow_tcp_forwarding = 1; 243 if (options->gateway_ports == -1) 244 options->gateway_ports = 0; 245 if (options->max_startups == -1) 246 options->max_startups = 10; 247 if (options->max_startups_rate == -1) 248 options->max_startups_rate = 100; /* 100% */ 249 if (options->max_startups_begin == -1) 250 options->max_startups_begin = options->max_startups; 251 if (options->verify_reverse_mapping == -1) 252 options->verify_reverse_mapping = 0; 253 if (options->client_alive_interval == -1) 254 options->client_alive_interval = 0; 255 if (options->client_alive_count_max == -1) 256 options->client_alive_count_max = 3; 257 if (options->authorized_keys_file2 == NULL) { 258 /* authorized_keys_file2 falls back to authorized_keys_file */ 259 if (options->authorized_keys_file != NULL) 260 options->authorized_keys_file2 = options->authorized_keys_file; 261 else 262 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 263 } 264 if (options->authorized_keys_file == NULL) 265 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 266 267 /* Turn privilege separation on by default */ 268 if (use_privsep == -1) 269 use_privsep = 1; 270 271 #if !defined(HAVE_MMAP_ANON_SHARED) 272 if (use_privsep && options->compression == 1) { 273 error("This platform does not support both privilege " 274 "separation and compression"); 275 error("Compression disabled"); 276 options->compression = 0; 277 } 278 #endif 279 280 } 281 282 /* Keyword tokens. */ 283 typedef enum { 284 sBadOption, /* == unknown option */ 285 /* Portable-specific options */ 286 sPAMAuthenticationViaKbdInt, 287 /* Standard Options */ 288 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 289 sPermitRootLogin, sLogFacility, sLogLevel, 290 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 291 #if defined(KRB4) || defined(KRB5) 292 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 293 #endif 294 #if defined(AFS) || defined(KRB5) 295 sKerberosTgtPassing, 296 #endif 297 #ifdef AFS 298 sAFSTokenPassing, 299 #endif 300 sChallengeResponseAuthentication, 301 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 302 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 303 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 304 sStrictModes, sEmptyPasswd, sKeepAlives, 305 sUseLogin, sAllowTcpForwarding, sCompression, 306 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 307 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 308 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 309 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 310 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 311 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 312 sUsePrivilegeSeparation, 313 sVersionAddendum, 314 sDeprecated 315 } ServerOpCodes; 316 317 /* Textual representation of the tokens. */ 318 static struct { 319 const char *name; 320 ServerOpCodes opcode; 321 } keywords[] = { 322 /* Portable-specific options */ 323 #if 0 324 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, 325 #endif 326 /* Standard Options */ 327 { "port", sPort }, 328 { "hostkey", sHostKeyFile }, 329 { "hostdsakey", sHostKeyFile }, /* alias */ 330 { "pidfile", sPidFile }, 331 { "serverkeybits", sServerKeyBits }, 332 { "logingracetime", sLoginGraceTime }, 333 { "keyregenerationinterval", sKeyRegenerationTime }, 334 { "permitrootlogin", sPermitRootLogin }, 335 { "syslogfacility", sLogFacility }, 336 { "loglevel", sLogLevel }, 337 { "rhostsauthentication", sRhostsAuthentication }, 338 { "rhostsrsaauthentication", sRhostsRSAAuthentication }, 339 { "hostbasedauthentication", sHostbasedAuthentication }, 340 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 341 { "rsaauthentication", sRSAAuthentication }, 342 { "pubkeyauthentication", sPubkeyAuthentication }, 343 { "dsaauthentication", sPubkeyAuthentication }, /* alias */ 344 #if defined(KRB4) || defined(KRB5) 345 { "kerberosauthentication", sKerberosAuthentication }, 346 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 347 { "kerberosticketcleanup", sKerberosTicketCleanup }, 348 #endif 349 #if defined(AFS) || defined(KRB5) 350 { "kerberostgtpassing", sKerberosTgtPassing }, 351 #endif 352 #ifdef AFS 353 { "afstokenpassing", sAFSTokenPassing }, 354 #endif 355 { "passwordauthentication", sPasswordAuthentication }, 356 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, 357 { "challengeresponseauthentication", sChallengeResponseAuthentication }, 358 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ 359 { "checkmail", sDeprecated }, 360 { "listenaddress", sListenAddress }, 361 { "printmotd", sPrintMotd }, 362 { "printlastlog", sPrintLastLog }, 363 { "ignorerhosts", sIgnoreRhosts }, 364 { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, 365 { "x11forwarding", sX11Forwarding }, 366 { "x11displayoffset", sX11DisplayOffset }, 367 { "x11uselocalhost", sX11UseLocalhost }, 368 { "xauthlocation", sXAuthLocation }, 369 { "strictmodes", sStrictModes }, 370 { "permitemptypasswords", sEmptyPasswd }, 371 { "uselogin", sUseLogin }, 372 { "compression", sCompression }, 373 { "keepalive", sKeepAlives }, 374 { "allowtcpforwarding", sAllowTcpForwarding }, 375 { "allowusers", sAllowUsers }, 376 { "denyusers", sDenyUsers }, 377 { "allowgroups", sAllowGroups }, 378 { "denygroups", sDenyGroups }, 379 { "ciphers", sCiphers }, 380 { "macs", sMacs }, 381 { "protocol", sProtocol }, 382 { "gatewayports", sGatewayPorts }, 383 { "subsystem", sSubsystem }, 384 { "maxstartups", sMaxStartups }, 385 { "banner", sBanner }, 386 { "verifyreversemapping", sVerifyReverseMapping }, 387 { "reversemappingcheck", sVerifyReverseMapping }, 388 { "clientaliveinterval", sClientAliveInterval }, 389 { "clientalivecountmax", sClientAliveCountMax }, 390 { "authorizedkeysfile", sAuthorizedKeysFile }, 391 { "authorizedkeysfile2", sAuthorizedKeysFile2 }, 392 { "useprivilegeseparation", sUsePrivilegeSeparation}, 393 { "versionaddendum", sVersionAddendum }, 394 { NULL, sBadOption } 395 }; 396 397 /* 398 * Returns the number of the token pointed to by cp or sBadOption. 399 */ 400 401 static ServerOpCodes 402 parse_token(const char *cp, const char *filename, 403 int linenum) 404 { 405 u_int i; 406 407 for (i = 0; keywords[i].name; i++) 408 if (strcasecmp(cp, keywords[i].name) == 0) 409 return keywords[i].opcode; 410 411 error("%s: line %d: Bad configuration option: %s", 412 filename, linenum, cp); 413 return sBadOption; 414 } 415 416 static void 417 add_listen_addr(ServerOptions *options, char *addr, u_short port) 418 { 419 int i; 420 421 if (options->num_ports == 0) 422 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 423 if (port == 0) 424 for (i = 0; i < options->num_ports; i++) 425 add_one_listen_addr(options, addr, options->ports[i]); 426 else 427 add_one_listen_addr(options, addr, port); 428 } 429 430 static void 431 add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 432 { 433 struct addrinfo hints, *ai, *aitop; 434 char strport[NI_MAXSERV]; 435 int gaierr; 436 437 memset(&hints, 0, sizeof(hints)); 438 hints.ai_family = IPv4or6; 439 hints.ai_socktype = SOCK_STREAM; 440 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 441 snprintf(strport, sizeof strport, "%u", port); 442 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 443 fatal("bad addr or host: %s (%s)", 444 addr ? addr : "<NULL>", 445 gai_strerror(gaierr)); 446 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 447 ; 448 ai->ai_next = options->listen_addrs; 449 options->listen_addrs = aitop; 450 } 451 452 int 453 process_server_config_line(ServerOptions *options, char *line, 454 const char *filename, int linenum) 455 { 456 char *cp, **charptr, *arg, *p; 457 int *intptr, value, i, n; 458 ServerOpCodes opcode; 459 460 cp = line; 461 arg = strdelim(&cp); 462 /* Ignore leading whitespace */ 463 if (*arg == '\0') 464 arg = strdelim(&cp); 465 if (!arg || !*arg || *arg == '#') 466 return 0; 467 intptr = NULL; 468 charptr = NULL; 469 opcode = parse_token(arg, filename, linenum); 470 switch (opcode) { 471 /* Portable-specific options */ 472 case sPAMAuthenticationViaKbdInt: 473 intptr = &options->pam_authentication_via_kbd_int; 474 goto parse_flag; 475 476 /* Standard Options */ 477 case sBadOption: 478 return -1; 479 case sPort: 480 /* ignore ports from configfile if cmdline specifies ports */ 481 if (options->ports_from_cmdline) 482 return 0; 483 if (options->listen_addrs != NULL) 484 fatal("%s line %d: ports must be specified before " 485 "ListenAddress.", filename, linenum); 486 if (options->num_ports >= MAX_PORTS) 487 fatal("%s line %d: too many ports.", 488 filename, linenum); 489 arg = strdelim(&cp); 490 if (!arg || *arg == '\0') 491 fatal("%s line %d: missing port number.", 492 filename, linenum); 493 options->ports[options->num_ports++] = a2port(arg); 494 if (options->ports[options->num_ports-1] == 0) 495 fatal("%s line %d: Badly formatted port number.", 496 filename, linenum); 497 break; 498 499 case sServerKeyBits: 500 intptr = &options->server_key_bits; 501 parse_int: 502 arg = strdelim(&cp); 503 if (!arg || *arg == '\0') 504 fatal("%s line %d: missing integer value.", 505 filename, linenum); 506 value = atoi(arg); 507 if (*intptr == -1) 508 *intptr = value; 509 break; 510 511 case sLoginGraceTime: 512 intptr = &options->login_grace_time; 513 parse_time: 514 arg = strdelim(&cp); 515 if (!arg || *arg == '\0') 516 fatal("%s line %d: missing time value.", 517 filename, linenum); 518 if ((value = convtime(arg)) == -1) 519 fatal("%s line %d: invalid time value.", 520 filename, linenum); 521 if (*intptr == -1) 522 *intptr = value; 523 break; 524 525 case sKeyRegenerationTime: 526 intptr = &options->key_regeneration_time; 527 goto parse_time; 528 529 case sListenAddress: 530 arg = strdelim(&cp); 531 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 532 fatal("%s line %d: missing inet addr.", 533 filename, linenum); 534 if (*arg == '[') { 535 if ((p = strchr(arg, ']')) == NULL) 536 fatal("%s line %d: bad ipv6 inet addr usage.", 537 filename, linenum); 538 arg++; 539 memmove(p, p+1, strlen(p+1)+1); 540 } else if (((p = strchr(arg, ':')) == NULL) || 541 (strchr(p+1, ':') != NULL)) { 542 add_listen_addr(options, arg, 0); 543 break; 544 } 545 if (*p == ':') { 546 u_short port; 547 548 p++; 549 if (*p == '\0') 550 fatal("%s line %d: bad inet addr:port usage.", 551 filename, linenum); 552 else { 553 *(p-1) = '\0'; 554 if ((port = a2port(p)) == 0) 555 fatal("%s line %d: bad port number.", 556 filename, linenum); 557 add_listen_addr(options, arg, port); 558 } 559 } else if (*p == '\0') 560 add_listen_addr(options, arg, 0); 561 else 562 fatal("%s line %d: bad inet addr usage.", 563 filename, linenum); 564 break; 565 566 case sHostKeyFile: 567 intptr = &options->num_host_key_files; 568 if (*intptr >= MAX_HOSTKEYS) 569 fatal("%s line %d: too many host keys specified (max %d).", 570 filename, linenum, MAX_HOSTKEYS); 571 charptr = &options->host_key_files[*intptr]; 572 parse_filename: 573 arg = strdelim(&cp); 574 if (!arg || *arg == '\0') 575 fatal("%s line %d: missing file name.", 576 filename, linenum); 577 if (*charptr == NULL) { 578 *charptr = tilde_expand_filename(arg, getuid()); 579 /* increase optional counter */ 580 if (intptr != NULL) 581 *intptr = *intptr + 1; 582 } 583 break; 584 585 case sPidFile: 586 charptr = &options->pid_file; 587 goto parse_filename; 588 589 case sPermitRootLogin: 590 intptr = &options->permit_root_login; 591 arg = strdelim(&cp); 592 if (!arg || *arg == '\0') 593 fatal("%s line %d: missing yes/" 594 "without-password/forced-commands-only/no " 595 "argument.", filename, linenum); 596 value = 0; /* silence compiler */ 597 if (strcmp(arg, "without-password") == 0) 598 value = PERMIT_NO_PASSWD; 599 else if (strcmp(arg, "forced-commands-only") == 0) 600 value = PERMIT_FORCED_ONLY; 601 else if (strcmp(arg, "yes") == 0) 602 value = PERMIT_YES; 603 else if (strcmp(arg, "no") == 0) 604 value = PERMIT_NO; 605 else 606 fatal("%s line %d: Bad yes/" 607 "without-password/forced-commands-only/no " 608 "argument: %s", filename, linenum, arg); 609 if (*intptr == -1) 610 *intptr = value; 611 break; 612 613 case sIgnoreRhosts: 614 intptr = &options->ignore_rhosts; 615 parse_flag: 616 arg = strdelim(&cp); 617 if (!arg || *arg == '\0') 618 fatal("%s line %d: missing yes/no argument.", 619 filename, linenum); 620 value = 0; /* silence compiler */ 621 if (strcmp(arg, "yes") == 0) 622 value = 1; 623 else if (strcmp(arg, "no") == 0) 624 value = 0; 625 else 626 fatal("%s line %d: Bad yes/no argument: %s", 627 filename, linenum, arg); 628 if (*intptr == -1) 629 *intptr = value; 630 break; 631 632 case sIgnoreUserKnownHosts: 633 intptr = &options->ignore_user_known_hosts; 634 goto parse_flag; 635 636 case sRhostsAuthentication: 637 intptr = &options->rhosts_authentication; 638 goto parse_flag; 639 640 case sRhostsRSAAuthentication: 641 intptr = &options->rhosts_rsa_authentication; 642 goto parse_flag; 643 644 case sHostbasedAuthentication: 645 intptr = &options->hostbased_authentication; 646 goto parse_flag; 647 648 case sHostbasedUsesNameFromPacketOnly: 649 intptr = &options->hostbased_uses_name_from_packet_only; 650 goto parse_flag; 651 652 case sRSAAuthentication: 653 intptr = &options->rsa_authentication; 654 goto parse_flag; 655 656 case sPubkeyAuthentication: 657 intptr = &options->pubkey_authentication; 658 goto parse_flag; 659 #if defined(KRB4) || defined(KRB5) 660 case sKerberosAuthentication: 661 intptr = &options->kerberos_authentication; 662 goto parse_flag; 663 664 case sKerberosOrLocalPasswd: 665 intptr = &options->kerberos_or_local_passwd; 666 goto parse_flag; 667 668 case sKerberosTicketCleanup: 669 intptr = &options->kerberos_ticket_cleanup; 670 goto parse_flag; 671 #endif 672 #if defined(AFS) || defined(KRB5) 673 case sKerberosTgtPassing: 674 intptr = &options->kerberos_tgt_passing; 675 goto parse_flag; 676 #endif 677 #ifdef AFS 678 case sAFSTokenPassing: 679 intptr = &options->afs_token_passing; 680 goto parse_flag; 681 #endif 682 683 case sPasswordAuthentication: 684 intptr = &options->password_authentication; 685 goto parse_flag; 686 687 case sKbdInteractiveAuthentication: 688 intptr = &options->kbd_interactive_authentication; 689 goto parse_flag; 690 691 case sChallengeResponseAuthentication: 692 intptr = &options->challenge_response_authentication; 693 goto parse_flag; 694 695 case sPrintMotd: 696 intptr = &options->print_motd; 697 goto parse_flag; 698 699 case sPrintLastLog: 700 intptr = &options->print_lastlog; 701 goto parse_flag; 702 703 case sX11Forwarding: 704 intptr = &options->x11_forwarding; 705 goto parse_flag; 706 707 case sX11DisplayOffset: 708 intptr = &options->x11_display_offset; 709 goto parse_int; 710 711 case sX11UseLocalhost: 712 intptr = &options->x11_use_localhost; 713 goto parse_flag; 714 715 case sXAuthLocation: 716 charptr = &options->xauth_location; 717 goto parse_filename; 718 719 case sStrictModes: 720 intptr = &options->strict_modes; 721 goto parse_flag; 722 723 case sKeepAlives: 724 intptr = &options->keepalives; 725 goto parse_flag; 726 727 case sEmptyPasswd: 728 intptr = &options->permit_empty_passwd; 729 goto parse_flag; 730 731 case sUseLogin: 732 intptr = &options->use_login; 733 goto parse_flag; 734 735 case sCompression: 736 intptr = &options->compression; 737 goto parse_flag; 738 739 case sGatewayPorts: 740 intptr = &options->gateway_ports; 741 goto parse_flag; 742 743 case sVerifyReverseMapping: 744 intptr = &options->verify_reverse_mapping; 745 goto parse_flag; 746 747 case sLogFacility: 748 intptr = (int *) &options->log_facility; 749 arg = strdelim(&cp); 750 value = log_facility_number(arg); 751 if (value == SYSLOG_FACILITY_NOT_SET) 752 fatal("%.200s line %d: unsupported log facility '%s'", 753 filename, linenum, arg ? arg : "<NONE>"); 754 if (*intptr == -1) 755 *intptr = (SyslogFacility) value; 756 break; 757 758 case sLogLevel: 759 intptr = (int *) &options->log_level; 760 arg = strdelim(&cp); 761 value = log_level_number(arg); 762 if (value == SYSLOG_LEVEL_NOT_SET) 763 fatal("%.200s line %d: unsupported log level '%s'", 764 filename, linenum, arg ? arg : "<NONE>"); 765 if (*intptr == -1) 766 *intptr = (LogLevel) value; 767 break; 768 769 case sAllowTcpForwarding: 770 intptr = &options->allow_tcp_forwarding; 771 goto parse_flag; 772 773 case sUsePrivilegeSeparation: 774 intptr = &use_privsep; 775 goto parse_flag; 776 777 case sAllowUsers: 778 while ((arg = strdelim(&cp)) && *arg != '\0') { 779 if (options->num_allow_users >= MAX_ALLOW_USERS) 780 fatal("%s line %d: too many allow users.", 781 filename, linenum); 782 options->allow_users[options->num_allow_users++] = 783 xstrdup(arg); 784 } 785 break; 786 787 case sDenyUsers: 788 while ((arg = strdelim(&cp)) && *arg != '\0') { 789 if (options->num_deny_users >= MAX_DENY_USERS) 790 fatal( "%s line %d: too many deny users.", 791 filename, linenum); 792 options->deny_users[options->num_deny_users++] = 793 xstrdup(arg); 794 } 795 break; 796 797 case sAllowGroups: 798 while ((arg = strdelim(&cp)) && *arg != '\0') { 799 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 800 fatal("%s line %d: too many allow groups.", 801 filename, linenum); 802 options->allow_groups[options->num_allow_groups++] = 803 xstrdup(arg); 804 } 805 break; 806 807 case sDenyGroups: 808 while ((arg = strdelim(&cp)) && *arg != '\0') { 809 if (options->num_deny_groups >= MAX_DENY_GROUPS) 810 fatal("%s line %d: too many deny groups.", 811 filename, linenum); 812 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 813 } 814 break; 815 816 case sCiphers: 817 arg = strdelim(&cp); 818 if (!arg || *arg == '\0') 819 fatal("%s line %d: Missing argument.", filename, linenum); 820 if (!ciphers_valid(arg)) 821 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 822 filename, linenum, arg ? arg : "<NONE>"); 823 if (options->ciphers == NULL) 824 options->ciphers = xstrdup(arg); 825 break; 826 827 case sMacs: 828 arg = strdelim(&cp); 829 if (!arg || *arg == '\0') 830 fatal("%s line %d: Missing argument.", filename, linenum); 831 if (!mac_valid(arg)) 832 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 833 filename, linenum, arg ? arg : "<NONE>"); 834 if (options->macs == NULL) 835 options->macs = xstrdup(arg); 836 break; 837 838 case sProtocol: 839 intptr = &options->protocol; 840 arg = strdelim(&cp); 841 if (!arg || *arg == '\0') 842 fatal("%s line %d: Missing argument.", filename, linenum); 843 value = proto_spec(arg); 844 if (value == SSH_PROTO_UNKNOWN) 845 fatal("%s line %d: Bad protocol spec '%s'.", 846 filename, linenum, arg ? arg : "<NONE>"); 847 if (*intptr == SSH_PROTO_UNKNOWN) 848 *intptr = value; 849 break; 850 851 case sSubsystem: 852 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 853 fatal("%s line %d: too many subsystems defined.", 854 filename, linenum); 855 } 856 arg = strdelim(&cp); 857 if (!arg || *arg == '\0') 858 fatal("%s line %d: Missing subsystem name.", 859 filename, linenum); 860 for (i = 0; i < options->num_subsystems; i++) 861 if (strcmp(arg, options->subsystem_name[i]) == 0) 862 fatal("%s line %d: Subsystem '%s' already defined.", 863 filename, linenum, arg); 864 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 865 arg = strdelim(&cp); 866 if (!arg || *arg == '\0') 867 fatal("%s line %d: Missing subsystem command.", 868 filename, linenum); 869 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 870 options->num_subsystems++; 871 break; 872 873 case sMaxStartups: 874 arg = strdelim(&cp); 875 if (!arg || *arg == '\0') 876 fatal("%s line %d: Missing MaxStartups spec.", 877 filename, linenum); 878 if ((n = sscanf(arg, "%d:%d:%d", 879 &options->max_startups_begin, 880 &options->max_startups_rate, 881 &options->max_startups)) == 3) { 882 if (options->max_startups_begin > 883 options->max_startups || 884 options->max_startups_rate > 100 || 885 options->max_startups_rate < 1) 886 fatal("%s line %d: Illegal MaxStartups spec.", 887 filename, linenum); 888 } else if (n != 1) 889 fatal("%s line %d: Illegal MaxStartups spec.", 890 filename, linenum); 891 else 892 options->max_startups = options->max_startups_begin; 893 break; 894 895 case sBanner: 896 charptr = &options->banner; 897 goto parse_filename; 898 /* 899 * These options can contain %X options expanded at 900 * connect time, so that you can specify paths like: 901 * 902 * AuthorizedKeysFile /etc/ssh_keys/%u 903 */ 904 case sAuthorizedKeysFile: 905 case sAuthorizedKeysFile2: 906 charptr = (opcode == sAuthorizedKeysFile ) ? 907 &options->authorized_keys_file : 908 &options->authorized_keys_file2; 909 goto parse_filename; 910 911 case sClientAliveInterval: 912 intptr = &options->client_alive_interval; 913 goto parse_time; 914 915 case sClientAliveCountMax: 916 intptr = &options->client_alive_count_max; 917 goto parse_int; 918 919 case sVersionAddendum: 920 ssh_version_set_addendum(strtok(cp, "\n")); 921 do { 922 arg = strdelim(&cp); 923 } while (arg != NULL && *arg != '\0'); 924 break; 925 926 case sDeprecated: 927 log("%s line %d: Deprecated option %s", 928 filename, linenum, arg); 929 while (arg) 930 arg = strdelim(&cp); 931 break; 932 933 default: 934 fatal("%s line %d: Missing handler for opcode %s (%d)", 935 filename, linenum, arg, opcode); 936 } 937 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 938 fatal("%s line %d: garbage at end of line; \"%.200s\".", 939 filename, linenum, arg); 940 return 0; 941 } 942 943 /* Reads the server configuration file. */ 944 945 void 946 read_server_config(ServerOptions *options, const char *filename) 947 { 948 int linenum, bad_options = 0; 949 char line[1024]; 950 FILE *f; 951 952 f = fopen(filename, "r"); 953 if (!f) { 954 perror(filename); 955 exit(1); 956 } 957 linenum = 0; 958 while (fgets(line, sizeof(line), f)) { 959 /* Update line number counter. */ 960 linenum++; 961 if (process_server_config_line(options, line, filename, linenum) != 0) 962 bad_options++; 963 } 964 fclose(f); 965 if (bad_options > 0) 966 fatal("%s: terminating, %d bad configuration options", 967 filename, bad_options); 968 } 969