1 /* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */ 2 /* $FreeBSD$ */ 3 /* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include "includes.h" 15 __RCSID("$FreeBSD$"); 16 17 #include <sys/types.h> 18 #include <sys/socket.h> 19 20 #include <netinet/in.h> 21 #include <netinet/in_systm.h> 22 #include <netinet/ip.h> 23 24 #include <netdb.h> 25 #include <pwd.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <signal.h> 30 #include <unistd.h> 31 #include <stdarg.h> 32 #include <errno.h> 33 34 #include "openbsd-compat/sys-queue.h" 35 #include "xmalloc.h" 36 #include "ssh.h" 37 #include "log.h" 38 #include "buffer.h" 39 #include "servconf.h" 40 #include "compat.h" 41 #include "pathnames.h" 42 #include "misc.h" 43 #include "cipher.h" 44 #include "key.h" 45 #include "kex.h" 46 #include "mac.h" 47 #include "match.h" 48 #include "channels.h" 49 #include "groupaccess.h" 50 #include "version.h" 51 52 static void add_listen_addr(ServerOptions *, char *, int); 53 static void add_one_listen_addr(ServerOptions *, char *, int); 54 55 /* Use of privilege separation or not */ 56 extern int use_privsep; 57 extern Buffer cfg; 58 59 /* Initializes the server options to their default values. */ 60 61 void 62 initialize_server_options(ServerOptions *options) 63 { 64 memset(options, 0, sizeof(*options)); 65 66 /* Portable-specific options */ 67 options->use_pam = -1; 68 69 /* Standard Options */ 70 options->num_ports = 0; 71 options->ports_from_cmdline = 0; 72 options->listen_addrs = NULL; 73 options->address_family = -1; 74 options->num_host_key_files = 0; 75 options->num_host_cert_files = 0; 76 options->pid_file = NULL; 77 options->server_key_bits = -1; 78 options->login_grace_time = -1; 79 options->key_regeneration_time = -1; 80 options->permit_root_login = PERMIT_NOT_SET; 81 options->ignore_rhosts = -1; 82 options->ignore_user_known_hosts = -1; 83 options->print_motd = -1; 84 options->print_lastlog = -1; 85 options->x11_forwarding = -1; 86 options->x11_display_offset = -1; 87 options->x11_use_localhost = -1; 88 options->xauth_location = NULL; 89 options->strict_modes = -1; 90 options->tcp_keep_alive = -1; 91 options->log_facility = SYSLOG_FACILITY_NOT_SET; 92 options->log_level = SYSLOG_LEVEL_NOT_SET; 93 options->rhosts_rsa_authentication = -1; 94 options->hostbased_authentication = -1; 95 options->hostbased_uses_name_from_packet_only = -1; 96 options->rsa_authentication = -1; 97 options->pubkey_authentication = -1; 98 options->kerberos_authentication = -1; 99 options->kerberos_or_local_passwd = -1; 100 options->kerberos_ticket_cleanup = -1; 101 options->kerberos_get_afs_token = -1; 102 options->gss_authentication=-1; 103 options->gss_cleanup_creds = -1; 104 options->password_authentication = -1; 105 options->kbd_interactive_authentication = -1; 106 options->challenge_response_authentication = -1; 107 options->permit_empty_passwd = -1; 108 options->permit_user_env = -1; 109 options->use_login = -1; 110 options->compression = -1; 111 options->allow_tcp_forwarding = -1; 112 options->allow_agent_forwarding = -1; 113 options->num_allow_users = 0; 114 options->num_deny_users = 0; 115 options->num_allow_groups = 0; 116 options->num_deny_groups = 0; 117 options->ciphers = NULL; 118 options->macs = NULL; 119 options->kex_algorithms = NULL; 120 options->protocol = SSH_PROTO_UNKNOWN; 121 options->gateway_ports = -1; 122 options->num_subsystems = 0; 123 options->max_startups_begin = -1; 124 options->max_startups_rate = -1; 125 options->max_startups = -1; 126 options->max_authtries = -1; 127 options->max_sessions = -1; 128 options->banner = NULL; 129 options->use_dns = -1; 130 options->client_alive_interval = -1; 131 options->client_alive_count_max = -1; 132 options->num_authkeys_files = 0; 133 options->num_accept_env = 0; 134 options->permit_tun = -1; 135 options->num_permitted_opens = -1; 136 options->adm_forced_command = NULL; 137 options->chroot_directory = NULL; 138 options->zero_knowledge_password_authentication = -1; 139 options->revoked_keys_file = NULL; 140 options->trusted_user_ca_keys = NULL; 141 options->authorized_principals_file = NULL; 142 options->ip_qos_interactive = -1; 143 options->ip_qos_bulk = -1; 144 options->hpn_disabled = -1; 145 options->hpn_buffer_size = -1; 146 options->tcp_rcv_buf_poll = -1; 147 #ifdef NONE_CIPHER_ENABLED 148 options->none_enabled = -1; 149 #endif 150 } 151 152 void 153 fill_default_server_options(ServerOptions *options) 154 { 155 /* Portable-specific options */ 156 if (options->use_pam == -1) 157 options->use_pam = 1; 158 159 /* Standard Options */ 160 if (options->protocol == SSH_PROTO_UNKNOWN) 161 options->protocol = SSH_PROTO_2; 162 if (options->num_host_key_files == 0) { 163 /* fill default hostkeys for protocols */ 164 if (options->protocol & SSH_PROTO_1) 165 options->host_key_files[options->num_host_key_files++] = 166 _PATH_HOST_KEY_FILE; 167 if (options->protocol & SSH_PROTO_2) { 168 options->host_key_files[options->num_host_key_files++] = 169 _PATH_HOST_RSA_KEY_FILE; 170 options->host_key_files[options->num_host_key_files++] = 171 _PATH_HOST_DSA_KEY_FILE; 172 #ifdef OPENSSL_HAS_ECC 173 options->host_key_files[options->num_host_key_files++] = 174 _PATH_HOST_ECDSA_KEY_FILE; 175 #endif 176 } 177 } 178 /* No certificates by default */ 179 if (options->num_ports == 0) 180 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 181 if (options->listen_addrs == NULL) 182 add_listen_addr(options, NULL, 0); 183 if (options->pid_file == NULL) 184 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 185 if (options->server_key_bits == -1) 186 options->server_key_bits = 1024; 187 if (options->login_grace_time == -1) 188 options->login_grace_time = 120; 189 if (options->key_regeneration_time == -1) 190 options->key_regeneration_time = 3600; 191 if (options->permit_root_login == PERMIT_NOT_SET) 192 options->permit_root_login = PERMIT_NO; 193 if (options->ignore_rhosts == -1) 194 options->ignore_rhosts = 1; 195 if (options->ignore_user_known_hosts == -1) 196 options->ignore_user_known_hosts = 0; 197 if (options->print_motd == -1) 198 options->print_motd = 1; 199 if (options->print_lastlog == -1) 200 options->print_lastlog = 1; 201 if (options->x11_forwarding == -1) 202 options->x11_forwarding = 1; 203 if (options->x11_display_offset == -1) 204 options->x11_display_offset = 10; 205 if (options->x11_use_localhost == -1) 206 options->x11_use_localhost = 1; 207 if (options->xauth_location == NULL) 208 options->xauth_location = _PATH_XAUTH; 209 if (options->strict_modes == -1) 210 options->strict_modes = 1; 211 if (options->tcp_keep_alive == -1) 212 options->tcp_keep_alive = 1; 213 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 214 options->log_facility = SYSLOG_FACILITY_AUTH; 215 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 216 options->log_level = SYSLOG_LEVEL_INFO; 217 if (options->rhosts_rsa_authentication == -1) 218 options->rhosts_rsa_authentication = 0; 219 if (options->hostbased_authentication == -1) 220 options->hostbased_authentication = 0; 221 if (options->hostbased_uses_name_from_packet_only == -1) 222 options->hostbased_uses_name_from_packet_only = 0; 223 if (options->rsa_authentication == -1) 224 options->rsa_authentication = 1; 225 if (options->pubkey_authentication == -1) 226 options->pubkey_authentication = 1; 227 if (options->kerberos_authentication == -1) 228 options->kerberos_authentication = 0; 229 if (options->kerberos_or_local_passwd == -1) 230 options->kerberos_or_local_passwd = 1; 231 if (options->kerberos_ticket_cleanup == -1) 232 options->kerberos_ticket_cleanup = 1; 233 if (options->kerberos_get_afs_token == -1) 234 options->kerberos_get_afs_token = 0; 235 if (options->gss_authentication == -1) 236 options->gss_authentication = 0; 237 if (options->gss_cleanup_creds == -1) 238 options->gss_cleanup_creds = 1; 239 if (options->password_authentication == -1) 240 options->password_authentication = 0; 241 if (options->kbd_interactive_authentication == -1) 242 options->kbd_interactive_authentication = 0; 243 if (options->challenge_response_authentication == -1) 244 options->challenge_response_authentication = 1; 245 if (options->permit_empty_passwd == -1) 246 options->permit_empty_passwd = 0; 247 if (options->permit_user_env == -1) 248 options->permit_user_env = 0; 249 if (options->use_login == -1) 250 options->use_login = 0; 251 if (options->compression == -1) 252 options->compression = COMP_DELAYED; 253 if (options->allow_tcp_forwarding == -1) 254 options->allow_tcp_forwarding = 1; 255 if (options->allow_agent_forwarding == -1) 256 options->allow_agent_forwarding = 1; 257 if (options->gateway_ports == -1) 258 options->gateway_ports = 0; 259 if (options->max_startups == -1) 260 options->max_startups = 10; 261 if (options->max_startups_rate == -1) 262 options->max_startups_rate = 100; /* 100% */ 263 if (options->max_startups_begin == -1) 264 options->max_startups_begin = options->max_startups; 265 if (options->max_authtries == -1) 266 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 267 if (options->max_sessions == -1) 268 options->max_sessions = DEFAULT_SESSIONS_MAX; 269 if (options->use_dns == -1) 270 options->use_dns = 1; 271 if (options->client_alive_interval == -1) 272 options->client_alive_interval = 0; 273 if (options->client_alive_count_max == -1) 274 options->client_alive_count_max = 3; 275 if (options->num_authkeys_files == 0) { 276 options->authorized_keys_files[options->num_authkeys_files++] = 277 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 278 options->authorized_keys_files[options->num_authkeys_files++] = 279 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 280 } 281 if (options->permit_tun == -1) 282 options->permit_tun = SSH_TUNMODE_NO; 283 if (options->zero_knowledge_password_authentication == -1) 284 options->zero_knowledge_password_authentication = 0; 285 if (options->ip_qos_interactive == -1) 286 options->ip_qos_interactive = IPTOS_LOWDELAY; 287 if (options->ip_qos_bulk == -1) 288 options->ip_qos_bulk = IPTOS_THROUGHPUT; 289 if (options->hpn_disabled == -1) 290 options->hpn_disabled = 0; 291 if (options->hpn_buffer_size == -1) { 292 /* 293 * HPN buffer size option not explicitly set. Try to figure 294 * out what value to use or resort to default. 295 */ 296 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; 297 if (!options->hpn_disabled) { 298 sock_get_rcvbuf(&options->hpn_buffer_size, 0); 299 debug ("HPN Buffer Size: %d", options->hpn_buffer_size); 300 } 301 } else { 302 /* 303 * In the case that the user sets both values in a 304 * contradictory manner hpn_disabled overrrides hpn_buffer_size. 305 */ 306 if (options->hpn_disabled <= 0) { 307 u_int maxlen; 308 309 maxlen = buffer_get_max_len(); 310 if (options->hpn_buffer_size == 0) 311 options->hpn_buffer_size = 1; 312 /* Limit the maximum buffer to BUFFER_MAX_LEN. */ 313 if (options->hpn_buffer_size > maxlen / 1024) 314 options->hpn_buffer_size = maxlen; 315 else 316 options->hpn_buffer_size *= 1024; 317 } else 318 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; 319 } 320 321 /* Turn privilege separation on by default */ 322 if (use_privsep == -1) 323 use_privsep = PRIVSEP_ON; 324 325 #ifndef HAVE_MMAP 326 if (use_privsep && options->compression == 1) { 327 error("This platform does not support both privilege " 328 "separation and compression"); 329 error("Compression disabled"); 330 options->compression = 0; 331 } 332 #endif 333 334 } 335 336 /* Keyword tokens. */ 337 typedef enum { 338 sBadOption, /* == unknown option */ 339 /* Portable-specific options */ 340 sUsePAM, 341 /* Standard Options */ 342 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 343 sPermitRootLogin, sLogFacility, sLogLevel, 344 sRhostsRSAAuthentication, sRSAAuthentication, 345 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 346 sKerberosGetAFSToken, 347 sKerberosTgtPassing, sChallengeResponseAuthentication, 348 sPasswordAuthentication, sKbdInteractiveAuthentication, 349 sListenAddress, sAddressFamily, 350 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 351 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 352 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 353 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 354 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 355 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 356 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 357 sMaxStartups, sMaxAuthTries, sMaxSessions, 358 sBanner, sUseDNS, sHostbasedAuthentication, 359 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 360 sClientAliveCountMax, sAuthorizedKeysFile, 361 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 362 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 363 sUsePrivilegeSeparation, sAllowAgentForwarding, 364 sZeroKnowledgePasswordAuthentication, sHostCertificate, 365 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 366 sKexAlgorithms, sIPQoS, 367 sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll, 368 #ifdef NONE_CIPHER_ENABLED 369 sNoneEnabled, 370 #endif 371 sVersionAddendum, 372 sDeprecated, sUnsupported 373 } ServerOpCodes; 374 375 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 376 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 377 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 378 379 /* Textual representation of the tokens. */ 380 static struct { 381 const char *name; 382 ServerOpCodes opcode; 383 u_int flags; 384 } keywords[] = { 385 /* Portable-specific options */ 386 #ifdef USE_PAM 387 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 388 #else 389 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 390 #endif 391 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 392 /* Standard Options */ 393 { "port", sPort, SSHCFG_GLOBAL }, 394 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 395 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 396 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 397 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 398 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 399 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 400 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 401 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 402 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 403 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 404 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 405 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 406 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 407 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 408 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 409 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 410 #ifdef KRB5 411 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 412 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 413 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 414 #ifdef USE_AFS 415 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 416 #else 417 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 418 #endif 419 #else 420 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 421 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 422 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 423 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 424 #endif 425 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 426 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 427 #ifdef GSSAPI 428 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 429 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 430 #else 431 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 432 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 433 #endif 434 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 435 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 436 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 437 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 438 #ifdef JPAKE 439 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, 440 #else 441 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, 442 #endif 443 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 444 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 445 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 446 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 447 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 448 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 449 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 450 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 451 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 452 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 453 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 454 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 455 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 456 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 457 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 458 { "compression", sCompression, SSHCFG_GLOBAL }, 459 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 460 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 461 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 462 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 463 { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, 464 { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, 465 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, 466 { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, 467 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 468 { "macs", sMacs, SSHCFG_GLOBAL }, 469 { "protocol", sProtocol, SSHCFG_GLOBAL }, 470 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 471 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 472 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 473 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 474 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 475 { "banner", sBanner, SSHCFG_ALL }, 476 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 477 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 478 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 479 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 480 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 481 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 482 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 483 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 484 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, 485 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 486 { "match", sMatch, SSHCFG_ALL }, 487 { "permitopen", sPermitOpen, SSHCFG_ALL }, 488 { "forcecommand", sForceCommand, SSHCFG_ALL }, 489 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 490 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 491 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 492 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 493 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 494 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 495 { "ipqos", sIPQoS, SSHCFG_ALL }, 496 { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, 497 { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, 498 { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, 499 #ifdef NONE_CIPHER_ENABLED 500 { "noneenabled", sNoneEnabled, SSHCFG_ALL }, 501 #endif 502 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 503 { NULL, sBadOption, 0 } 504 }; 505 506 static struct { 507 int val; 508 char *text; 509 } tunmode_desc[] = { 510 { SSH_TUNMODE_NO, "no" }, 511 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 512 { SSH_TUNMODE_ETHERNET, "ethernet" }, 513 { SSH_TUNMODE_YES, "yes" }, 514 { -1, NULL } 515 }; 516 517 /* 518 * Returns the number of the token pointed to by cp or sBadOption. 519 */ 520 521 static ServerOpCodes 522 parse_token(const char *cp, const char *filename, 523 int linenum, u_int *flags) 524 { 525 u_int i; 526 527 for (i = 0; keywords[i].name; i++) 528 if (strcasecmp(cp, keywords[i].name) == 0) { 529 *flags = keywords[i].flags; 530 return keywords[i].opcode; 531 } 532 533 error("%s: line %d: Bad configuration option: %s", 534 filename, linenum, cp); 535 return sBadOption; 536 } 537 538 char * 539 derelativise_path(const char *path) 540 { 541 char *expanded, *ret, cwd[MAXPATHLEN]; 542 543 expanded = tilde_expand_filename(path, getuid()); 544 if (*expanded == '/') 545 return expanded; 546 if (getcwd(cwd, sizeof(cwd)) == NULL) 547 fatal("%s: getcwd: %s", __func__, strerror(errno)); 548 xasprintf(&ret, "%s/%s", cwd, expanded); 549 xfree(expanded); 550 return ret; 551 } 552 553 static void 554 add_listen_addr(ServerOptions *options, char *addr, int port) 555 { 556 u_int i; 557 558 if (options->num_ports == 0) 559 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 560 if (options->address_family == -1) 561 options->address_family = AF_UNSPEC; 562 if (port == 0) 563 for (i = 0; i < options->num_ports; i++) 564 add_one_listen_addr(options, addr, options->ports[i]); 565 else 566 add_one_listen_addr(options, addr, port); 567 } 568 569 static void 570 add_one_listen_addr(ServerOptions *options, char *addr, int port) 571 { 572 struct addrinfo hints, *ai, *aitop; 573 char strport[NI_MAXSERV]; 574 int gaierr; 575 576 memset(&hints, 0, sizeof(hints)); 577 hints.ai_family = options->address_family; 578 hints.ai_socktype = SOCK_STREAM; 579 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 580 snprintf(strport, sizeof strport, "%d", port); 581 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 582 fatal("bad addr or host: %s (%s)", 583 addr ? addr : "<NULL>", 584 ssh_gai_strerror(gaierr)); 585 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 586 ; 587 ai->ai_next = options->listen_addrs; 588 options->listen_addrs = aitop; 589 } 590 591 /* 592 * The strategy for the Match blocks is that the config file is parsed twice. 593 * 594 * The first time is at startup. activep is initialized to 1 and the 595 * directives in the global context are processed and acted on. Hitting a 596 * Match directive unsets activep and the directives inside the block are 597 * checked for syntax only. 598 * 599 * The second time is after a connection has been established but before 600 * authentication. activep is initialized to 2 and global config directives 601 * are ignored since they have already been processed. If the criteria in a 602 * Match block is met, activep is set and the subsequent directives 603 * processed and actioned until EOF or another Match block unsets it. Any 604 * options set are copied into the main server config. 605 * 606 * Potential additions/improvements: 607 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 608 * 609 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 610 * Match Address 192.168.0.* 611 * Tag trusted 612 * Match Group wheel 613 * Tag trusted 614 * Match Tag trusted 615 * AllowTcpForwarding yes 616 * GatewayPorts clientspecified 617 * [...] 618 * 619 * - Add a PermittedChannelRequests directive 620 * Match Group shell 621 * PermittedChannelRequests session,forwarded-tcpip 622 */ 623 624 static int 625 match_cfg_line_group(const char *grps, int line, const char *user) 626 { 627 int result = 0; 628 struct passwd *pw; 629 630 if (user == NULL) 631 goto out; 632 633 if ((pw = getpwnam(user)) == NULL) { 634 debug("Can't match group at line %d because user %.100s does " 635 "not exist", line, user); 636 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 637 debug("Can't Match group because user %.100s not in any group " 638 "at line %d", user, line); 639 } else if (ga_match_pattern_list(grps) != 1) { 640 debug("user %.100s does not match group list %.100s at line %d", 641 user, grps, line); 642 } else { 643 debug("user %.100s matched group list %.100s at line %d", user, 644 grps, line); 645 result = 1; 646 } 647 out: 648 ga_free(); 649 return result; 650 } 651 652 static int 653 match_cfg_line(char **condition, int line, const char *user, const char *host, 654 const char *address) 655 { 656 int result = 1; 657 char *arg, *attrib, *cp = *condition; 658 size_t len; 659 660 if (user == NULL) 661 debug3("checking syntax for 'Match %s'", cp); 662 else 663 debug3("checking match for '%s' user %s host %s addr %s", cp, 664 user ? user : "(null)", host ? host : "(null)", 665 address ? address : "(null)"); 666 667 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 668 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 669 error("Missing Match criteria for %s", attrib); 670 return -1; 671 } 672 len = strlen(arg); 673 if (strcasecmp(attrib, "user") == 0) { 674 if (!user) { 675 result = 0; 676 continue; 677 } 678 if (match_pattern_list(user, arg, len, 0) != 1) 679 result = 0; 680 else 681 debug("user %.100s matched 'User %.100s' at " 682 "line %d", user, arg, line); 683 } else if (strcasecmp(attrib, "group") == 0) { 684 switch (match_cfg_line_group(arg, line, user)) { 685 case -1: 686 return -1; 687 case 0: 688 result = 0; 689 } 690 } else if (strcasecmp(attrib, "host") == 0) { 691 if (!host) { 692 result = 0; 693 continue; 694 } 695 if (match_hostname(host, arg, len) != 1) 696 result = 0; 697 else 698 debug("connection from %.100s matched 'Host " 699 "%.100s' at line %d", host, arg, line); 700 } else if (strcasecmp(attrib, "address") == 0) { 701 switch (addr_match_list(address, arg)) { 702 case 1: 703 debug("connection from %.100s matched 'Address " 704 "%.100s' at line %d", address, arg, line); 705 break; 706 case 0: 707 case -1: 708 result = 0; 709 break; 710 case -2: 711 return -1; 712 } 713 } else { 714 error("Unsupported Match attribute %s", attrib); 715 return -1; 716 } 717 } 718 if (user != NULL) 719 debug3("match %sfound", result ? "" : "not "); 720 *condition = cp; 721 return result; 722 } 723 724 #define WHITESPACE " \t\r\n" 725 726 /* Multistate option parsing */ 727 struct multistate { 728 char *key; 729 int value; 730 }; 731 static const struct multistate multistate_addressfamily[] = { 732 { "inet", AF_INET }, 733 { "inet6", AF_INET6 }, 734 { "any", AF_UNSPEC }, 735 { NULL, -1 } 736 }; 737 static const struct multistate multistate_permitrootlogin[] = { 738 { "without-password", PERMIT_NO_PASSWD }, 739 { "forced-commands-only", PERMIT_FORCED_ONLY }, 740 { "yes", PERMIT_YES }, 741 { "no", PERMIT_NO }, 742 { NULL, -1 } 743 }; 744 static const struct multistate multistate_compression[] = { 745 { "delayed", COMP_DELAYED }, 746 { "yes", COMP_ZLIB }, 747 { "no", COMP_NONE }, 748 { NULL, -1 } 749 }; 750 static const struct multistate multistate_gatewayports[] = { 751 { "clientspecified", 2 }, 752 { "yes", 1 }, 753 { "no", 0 }, 754 { NULL, -1 } 755 }; 756 static const struct multistate multistate_privsep[] = { 757 { "sandbox", PRIVSEP_SANDBOX }, 758 { "yes", PRIVSEP_ON }, 759 { "no", PRIVSEP_OFF }, 760 { NULL, -1 } 761 }; 762 763 int 764 process_server_config_line(ServerOptions *options, char *line, 765 const char *filename, int linenum, int *activep, const char *user, 766 const char *host, const char *address) 767 { 768 char *cp, **charptr, *arg, *p; 769 int cmdline = 0, *intptr, value, value2, n; 770 SyslogFacility *log_facility_ptr; 771 LogLevel *log_level_ptr; 772 ServerOpCodes opcode; 773 int port; 774 u_int i, flags = 0; 775 size_t len; 776 const struct multistate *multistate_ptr; 777 778 cp = line; 779 if ((arg = strdelim(&cp)) == NULL) 780 return 0; 781 /* Ignore leading whitespace */ 782 if (*arg == '\0') 783 arg = strdelim(&cp); 784 if (!arg || !*arg || *arg == '#') 785 return 0; 786 intptr = NULL; 787 charptr = NULL; 788 opcode = parse_token(arg, filename, linenum, &flags); 789 790 if (activep == NULL) { /* We are processing a command line directive */ 791 cmdline = 1; 792 activep = &cmdline; 793 } 794 if (*activep && opcode != sMatch) 795 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 796 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 797 if (user == NULL) { 798 fatal("%s line %d: Directive '%s' is not allowed " 799 "within a Match block", filename, linenum, arg); 800 } else { /* this is a directive we have already processed */ 801 while (arg) 802 arg = strdelim(&cp); 803 return 0; 804 } 805 } 806 807 switch (opcode) { 808 /* Portable-specific options */ 809 case sUsePAM: 810 intptr = &options->use_pam; 811 goto parse_flag; 812 813 /* Standard Options */ 814 case sBadOption: 815 return -1; 816 case sPort: 817 /* ignore ports from configfile if cmdline specifies ports */ 818 if (options->ports_from_cmdline) 819 return 0; 820 if (options->listen_addrs != NULL) 821 fatal("%s line %d: ports must be specified before " 822 "ListenAddress.", filename, linenum); 823 if (options->num_ports >= MAX_PORTS) 824 fatal("%s line %d: too many ports.", 825 filename, linenum); 826 arg = strdelim(&cp); 827 if (!arg || *arg == '\0') 828 fatal("%s line %d: missing port number.", 829 filename, linenum); 830 options->ports[options->num_ports++] = a2port(arg); 831 if (options->ports[options->num_ports-1] <= 0) 832 fatal("%s line %d: Badly formatted port number.", 833 filename, linenum); 834 break; 835 836 case sServerKeyBits: 837 intptr = &options->server_key_bits; 838 parse_int: 839 arg = strdelim(&cp); 840 if (!arg || *arg == '\0') 841 fatal("%s line %d: missing integer value.", 842 filename, linenum); 843 value = atoi(arg); 844 if (*activep && *intptr == -1) 845 *intptr = value; 846 break; 847 848 case sLoginGraceTime: 849 intptr = &options->login_grace_time; 850 parse_time: 851 arg = strdelim(&cp); 852 if (!arg || *arg == '\0') 853 fatal("%s line %d: missing time value.", 854 filename, linenum); 855 if ((value = convtime(arg)) == -1) 856 fatal("%s line %d: invalid time value.", 857 filename, linenum); 858 if (*intptr == -1) 859 *intptr = value; 860 break; 861 862 case sKeyRegenerationTime: 863 intptr = &options->key_regeneration_time; 864 goto parse_time; 865 866 case sListenAddress: 867 arg = strdelim(&cp); 868 if (arg == NULL || *arg == '\0') 869 fatal("%s line %d: missing address", 870 filename, linenum); 871 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 872 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 873 && strchr(p+1, ':') != NULL) { 874 add_listen_addr(options, arg, 0); 875 break; 876 } 877 p = hpdelim(&arg); 878 if (p == NULL) 879 fatal("%s line %d: bad address:port usage", 880 filename, linenum); 881 p = cleanhostname(p); 882 if (arg == NULL) 883 port = 0; 884 else if ((port = a2port(arg)) <= 0) 885 fatal("%s line %d: bad port number", filename, linenum); 886 887 add_listen_addr(options, p, port); 888 889 break; 890 891 case sAddressFamily: 892 intptr = &options->address_family; 893 multistate_ptr = multistate_addressfamily; 894 if (options->listen_addrs != NULL) 895 fatal("%s line %d: address family must be specified " 896 "before ListenAddress.", filename, linenum); 897 parse_multistate: 898 arg = strdelim(&cp); 899 if (!arg || *arg == '\0') 900 fatal("%s line %d: missing argument.", 901 filename, linenum); 902 value = -1; 903 for (i = 0; multistate_ptr[i].key != NULL; i++) { 904 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 905 value = multistate_ptr[i].value; 906 break; 907 } 908 } 909 if (value == -1) 910 fatal("%s line %d: unsupported option \"%s\".", 911 filename, linenum, arg); 912 if (*activep && *intptr == -1) 913 *intptr = value; 914 break; 915 916 case sHostKeyFile: 917 intptr = &options->num_host_key_files; 918 if (*intptr >= MAX_HOSTKEYS) 919 fatal("%s line %d: too many host keys specified (max %d).", 920 filename, linenum, MAX_HOSTKEYS); 921 charptr = &options->host_key_files[*intptr]; 922 parse_filename: 923 arg = strdelim(&cp); 924 if (!arg || *arg == '\0') 925 fatal("%s line %d: missing file name.", 926 filename, linenum); 927 if (*activep && *charptr == NULL) { 928 *charptr = derelativise_path(arg); 929 /* increase optional counter */ 930 if (intptr != NULL) 931 *intptr = *intptr + 1; 932 } 933 break; 934 935 case sHostCertificate: 936 intptr = &options->num_host_cert_files; 937 if (*intptr >= MAX_HOSTKEYS) 938 fatal("%s line %d: too many host certificates " 939 "specified (max %d).", filename, linenum, 940 MAX_HOSTCERTS); 941 charptr = &options->host_cert_files[*intptr]; 942 goto parse_filename; 943 break; 944 945 case sPidFile: 946 charptr = &options->pid_file; 947 goto parse_filename; 948 949 case sPermitRootLogin: 950 intptr = &options->permit_root_login; 951 multistate_ptr = multistate_permitrootlogin; 952 goto parse_multistate; 953 954 case sIgnoreRhosts: 955 intptr = &options->ignore_rhosts; 956 parse_flag: 957 arg = strdelim(&cp); 958 if (!arg || *arg == '\0') 959 fatal("%s line %d: missing yes/no argument.", 960 filename, linenum); 961 value = 0; /* silence compiler */ 962 if (strcmp(arg, "yes") == 0) 963 value = 1; 964 else if (strcmp(arg, "no") == 0) 965 value = 0; 966 else 967 fatal("%s line %d: Bad yes/no argument: %s", 968 filename, linenum, arg); 969 if (*activep && *intptr == -1) 970 *intptr = value; 971 break; 972 973 case sIgnoreUserKnownHosts: 974 intptr = &options->ignore_user_known_hosts; 975 goto parse_flag; 976 977 case sRhostsRSAAuthentication: 978 intptr = &options->rhosts_rsa_authentication; 979 goto parse_flag; 980 981 case sHostbasedAuthentication: 982 intptr = &options->hostbased_authentication; 983 goto parse_flag; 984 985 case sHostbasedUsesNameFromPacketOnly: 986 intptr = &options->hostbased_uses_name_from_packet_only; 987 goto parse_flag; 988 989 case sRSAAuthentication: 990 intptr = &options->rsa_authentication; 991 goto parse_flag; 992 993 case sPubkeyAuthentication: 994 intptr = &options->pubkey_authentication; 995 goto parse_flag; 996 997 case sKerberosAuthentication: 998 intptr = &options->kerberos_authentication; 999 goto parse_flag; 1000 1001 case sKerberosOrLocalPasswd: 1002 intptr = &options->kerberos_or_local_passwd; 1003 goto parse_flag; 1004 1005 case sKerberosTicketCleanup: 1006 intptr = &options->kerberos_ticket_cleanup; 1007 goto parse_flag; 1008 1009 case sKerberosGetAFSToken: 1010 intptr = &options->kerberos_get_afs_token; 1011 goto parse_flag; 1012 1013 case sGssAuthentication: 1014 intptr = &options->gss_authentication; 1015 goto parse_flag; 1016 1017 case sGssCleanupCreds: 1018 intptr = &options->gss_cleanup_creds; 1019 goto parse_flag; 1020 1021 case sPasswordAuthentication: 1022 intptr = &options->password_authentication; 1023 goto parse_flag; 1024 1025 case sZeroKnowledgePasswordAuthentication: 1026 intptr = &options->zero_knowledge_password_authentication; 1027 goto parse_flag; 1028 1029 case sKbdInteractiveAuthentication: 1030 intptr = &options->kbd_interactive_authentication; 1031 goto parse_flag; 1032 1033 case sChallengeResponseAuthentication: 1034 intptr = &options->challenge_response_authentication; 1035 goto parse_flag; 1036 1037 case sPrintMotd: 1038 intptr = &options->print_motd; 1039 goto parse_flag; 1040 1041 case sPrintLastLog: 1042 intptr = &options->print_lastlog; 1043 goto parse_flag; 1044 1045 case sX11Forwarding: 1046 intptr = &options->x11_forwarding; 1047 goto parse_flag; 1048 1049 case sX11DisplayOffset: 1050 intptr = &options->x11_display_offset; 1051 goto parse_int; 1052 1053 case sX11UseLocalhost: 1054 intptr = &options->x11_use_localhost; 1055 goto parse_flag; 1056 1057 case sXAuthLocation: 1058 charptr = &options->xauth_location; 1059 goto parse_filename; 1060 1061 case sStrictModes: 1062 intptr = &options->strict_modes; 1063 goto parse_flag; 1064 1065 case sTCPKeepAlive: 1066 intptr = &options->tcp_keep_alive; 1067 goto parse_flag; 1068 1069 case sEmptyPasswd: 1070 intptr = &options->permit_empty_passwd; 1071 goto parse_flag; 1072 1073 case sPermitUserEnvironment: 1074 intptr = &options->permit_user_env; 1075 goto parse_flag; 1076 1077 case sUseLogin: 1078 intptr = &options->use_login; 1079 goto parse_flag; 1080 1081 case sCompression: 1082 intptr = &options->compression; 1083 multistate_ptr = multistate_compression; 1084 goto parse_multistate; 1085 1086 case sGatewayPorts: 1087 intptr = &options->gateway_ports; 1088 multistate_ptr = multistate_gatewayports; 1089 goto parse_multistate; 1090 1091 case sUseDNS: 1092 intptr = &options->use_dns; 1093 goto parse_flag; 1094 1095 case sLogFacility: 1096 log_facility_ptr = &options->log_facility; 1097 arg = strdelim(&cp); 1098 value = log_facility_number(arg); 1099 if (value == SYSLOG_FACILITY_NOT_SET) 1100 fatal("%.200s line %d: unsupported log facility '%s'", 1101 filename, linenum, arg ? arg : "<NONE>"); 1102 if (*log_facility_ptr == -1) 1103 *log_facility_ptr = (SyslogFacility) value; 1104 break; 1105 1106 case sLogLevel: 1107 log_level_ptr = &options->log_level; 1108 arg = strdelim(&cp); 1109 value = log_level_number(arg); 1110 if (value == SYSLOG_LEVEL_NOT_SET) 1111 fatal("%.200s line %d: unsupported log level '%s'", 1112 filename, linenum, arg ? arg : "<NONE>"); 1113 if (*log_level_ptr == -1) 1114 *log_level_ptr = (LogLevel) value; 1115 break; 1116 1117 case sAllowTcpForwarding: 1118 intptr = &options->allow_tcp_forwarding; 1119 goto parse_flag; 1120 1121 case sAllowAgentForwarding: 1122 intptr = &options->allow_agent_forwarding; 1123 goto parse_flag; 1124 1125 case sUsePrivilegeSeparation: 1126 intptr = &use_privsep; 1127 multistate_ptr = multistate_privsep; 1128 goto parse_multistate; 1129 1130 case sAllowUsers: 1131 while ((arg = strdelim(&cp)) && *arg != '\0') { 1132 if (options->num_allow_users >= MAX_ALLOW_USERS) 1133 fatal("%s line %d: too many allow users.", 1134 filename, linenum); 1135 options->allow_users[options->num_allow_users++] = 1136 xstrdup(arg); 1137 } 1138 break; 1139 1140 case sDenyUsers: 1141 while ((arg = strdelim(&cp)) && *arg != '\0') { 1142 if (options->num_deny_users >= MAX_DENY_USERS) 1143 fatal("%s line %d: too many deny users.", 1144 filename, linenum); 1145 options->deny_users[options->num_deny_users++] = 1146 xstrdup(arg); 1147 } 1148 break; 1149 1150 case sAllowGroups: 1151 while ((arg = strdelim(&cp)) && *arg != '\0') { 1152 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1153 fatal("%s line %d: too many allow groups.", 1154 filename, linenum); 1155 options->allow_groups[options->num_allow_groups++] = 1156 xstrdup(arg); 1157 } 1158 break; 1159 1160 case sDenyGroups: 1161 while ((arg = strdelim(&cp)) && *arg != '\0') { 1162 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1163 fatal("%s line %d: too many deny groups.", 1164 filename, linenum); 1165 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1166 } 1167 break; 1168 1169 case sCiphers: 1170 arg = strdelim(&cp); 1171 if (!arg || *arg == '\0') 1172 fatal("%s line %d: Missing argument.", filename, linenum); 1173 if (!ciphers_valid(arg)) 1174 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1175 filename, linenum, arg ? arg : "<NONE>"); 1176 if (options->ciphers == NULL) 1177 options->ciphers = xstrdup(arg); 1178 break; 1179 1180 case sMacs: 1181 arg = strdelim(&cp); 1182 if (!arg || *arg == '\0') 1183 fatal("%s line %d: Missing argument.", filename, linenum); 1184 if (!mac_valid(arg)) 1185 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1186 filename, linenum, arg ? arg : "<NONE>"); 1187 if (options->macs == NULL) 1188 options->macs = xstrdup(arg); 1189 break; 1190 1191 case sKexAlgorithms: 1192 arg = strdelim(&cp); 1193 if (!arg || *arg == '\0') 1194 fatal("%s line %d: Missing argument.", 1195 filename, linenum); 1196 if (!kex_names_valid(arg)) 1197 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1198 filename, linenum, arg ? arg : "<NONE>"); 1199 if (options->kex_algorithms == NULL) 1200 options->kex_algorithms = xstrdup(arg); 1201 break; 1202 1203 case sProtocol: 1204 intptr = &options->protocol; 1205 arg = strdelim(&cp); 1206 if (!arg || *arg == '\0') 1207 fatal("%s line %d: Missing argument.", filename, linenum); 1208 value = proto_spec(arg); 1209 if (value == SSH_PROTO_UNKNOWN) 1210 fatal("%s line %d: Bad protocol spec '%s'.", 1211 filename, linenum, arg ? arg : "<NONE>"); 1212 if (*intptr == SSH_PROTO_UNKNOWN) 1213 *intptr = value; 1214 break; 1215 1216 case sSubsystem: 1217 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1218 fatal("%s line %d: too many subsystems defined.", 1219 filename, linenum); 1220 } 1221 arg = strdelim(&cp); 1222 if (!arg || *arg == '\0') 1223 fatal("%s line %d: Missing subsystem name.", 1224 filename, linenum); 1225 if (!*activep) { 1226 arg = strdelim(&cp); 1227 break; 1228 } 1229 for (i = 0; i < options->num_subsystems; i++) 1230 if (strcmp(arg, options->subsystem_name[i]) == 0) 1231 fatal("%s line %d: Subsystem '%s' already defined.", 1232 filename, linenum, arg); 1233 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1234 arg = strdelim(&cp); 1235 if (!arg || *arg == '\0') 1236 fatal("%s line %d: Missing subsystem command.", 1237 filename, linenum); 1238 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1239 1240 /* Collect arguments (separate to executable) */ 1241 p = xstrdup(arg); 1242 len = strlen(p) + 1; 1243 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1244 len += 1 + strlen(arg); 1245 p = xrealloc(p, 1, len); 1246 strlcat(p, " ", len); 1247 strlcat(p, arg, len); 1248 } 1249 options->subsystem_args[options->num_subsystems] = p; 1250 options->num_subsystems++; 1251 break; 1252 1253 case sMaxStartups: 1254 arg = strdelim(&cp); 1255 if (!arg || *arg == '\0') 1256 fatal("%s line %d: Missing MaxStartups spec.", 1257 filename, linenum); 1258 if ((n = sscanf(arg, "%d:%d:%d", 1259 &options->max_startups_begin, 1260 &options->max_startups_rate, 1261 &options->max_startups)) == 3) { 1262 if (options->max_startups_begin > 1263 options->max_startups || 1264 options->max_startups_rate > 100 || 1265 options->max_startups_rate < 1) 1266 fatal("%s line %d: Illegal MaxStartups spec.", 1267 filename, linenum); 1268 } else if (n != 1) 1269 fatal("%s line %d: Illegal MaxStartups spec.", 1270 filename, linenum); 1271 else 1272 options->max_startups = options->max_startups_begin; 1273 break; 1274 1275 case sMaxAuthTries: 1276 intptr = &options->max_authtries; 1277 goto parse_int; 1278 1279 case sMaxSessions: 1280 intptr = &options->max_sessions; 1281 goto parse_int; 1282 1283 case sBanner: 1284 charptr = &options->banner; 1285 goto parse_filename; 1286 1287 /* 1288 * These options can contain %X options expanded at 1289 * connect time, so that you can specify paths like: 1290 * 1291 * AuthorizedKeysFile /etc/ssh_keys/%u 1292 */ 1293 case sAuthorizedKeysFile: 1294 if (*activep && options->num_authkeys_files == 0) { 1295 while ((arg = strdelim(&cp)) && *arg != '\0') { 1296 if (options->num_authkeys_files >= 1297 MAX_AUTHKEYS_FILES) 1298 fatal("%s line %d: " 1299 "too many authorized keys files.", 1300 filename, linenum); 1301 options->authorized_keys_files[ 1302 options->num_authkeys_files++] = 1303 tilde_expand_filename(arg, getuid()); 1304 } 1305 } 1306 return 0; 1307 1308 case sAuthorizedPrincipalsFile: 1309 charptr = &options->authorized_principals_file; 1310 arg = strdelim(&cp); 1311 if (!arg || *arg == '\0') 1312 fatal("%s line %d: missing file name.", 1313 filename, linenum); 1314 if (*activep && *charptr == NULL) { 1315 *charptr = tilde_expand_filename(arg, getuid()); 1316 /* increase optional counter */ 1317 if (intptr != NULL) 1318 *intptr = *intptr + 1; 1319 } 1320 break; 1321 1322 case sClientAliveInterval: 1323 intptr = &options->client_alive_interval; 1324 goto parse_time; 1325 1326 case sClientAliveCountMax: 1327 intptr = &options->client_alive_count_max; 1328 goto parse_int; 1329 1330 case sAcceptEnv: 1331 while ((arg = strdelim(&cp)) && *arg != '\0') { 1332 if (strchr(arg, '=') != NULL) 1333 fatal("%s line %d: Invalid environment name.", 1334 filename, linenum); 1335 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1336 fatal("%s line %d: too many allow env.", 1337 filename, linenum); 1338 if (!*activep) 1339 break; 1340 options->accept_env[options->num_accept_env++] = 1341 xstrdup(arg); 1342 } 1343 break; 1344 1345 case sPermitTunnel: 1346 intptr = &options->permit_tun; 1347 arg = strdelim(&cp); 1348 if (!arg || *arg == '\0') 1349 fatal("%s line %d: Missing yes/point-to-point/" 1350 "ethernet/no argument.", filename, linenum); 1351 value = -1; 1352 for (i = 0; tunmode_desc[i].val != -1; i++) 1353 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1354 value = tunmode_desc[i].val; 1355 break; 1356 } 1357 if (value == -1) 1358 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1359 "no argument: %s", filename, linenum, arg); 1360 if (*intptr == -1) 1361 *intptr = value; 1362 break; 1363 1364 case sMatch: 1365 if (cmdline) 1366 fatal("Match directive not supported as a command-line " 1367 "option"); 1368 value = match_cfg_line(&cp, linenum, user, host, address); 1369 if (value < 0) 1370 fatal("%s line %d: Bad Match condition", filename, 1371 linenum); 1372 *activep = value; 1373 break; 1374 1375 case sPermitOpen: 1376 arg = strdelim(&cp); 1377 if (!arg || *arg == '\0') 1378 fatal("%s line %d: missing PermitOpen specification", 1379 filename, linenum); 1380 n = options->num_permitted_opens; /* modified later */ 1381 if (strcmp(arg, "any") == 0) { 1382 if (*activep && n == -1) { 1383 channel_clear_adm_permitted_opens(); 1384 options->num_permitted_opens = 0; 1385 } 1386 break; 1387 } 1388 if (*activep && n == -1) 1389 channel_clear_adm_permitted_opens(); 1390 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1391 p = hpdelim(&arg); 1392 if (p == NULL) 1393 fatal("%s line %d: missing host in PermitOpen", 1394 filename, linenum); 1395 p = cleanhostname(p); 1396 if (arg == NULL || (port = a2port(arg)) <= 0) 1397 fatal("%s line %d: bad port number in " 1398 "PermitOpen", filename, linenum); 1399 if (*activep && n == -1) 1400 options->num_permitted_opens = 1401 channel_add_adm_permitted_opens(p, port); 1402 } 1403 break; 1404 1405 case sForceCommand: 1406 if (cp == NULL) 1407 fatal("%.200s line %d: Missing argument.", filename, 1408 linenum); 1409 len = strspn(cp, WHITESPACE); 1410 if (*activep && options->adm_forced_command == NULL) 1411 options->adm_forced_command = xstrdup(cp + len); 1412 return 0; 1413 1414 case sChrootDirectory: 1415 charptr = &options->chroot_directory; 1416 1417 arg = strdelim(&cp); 1418 if (!arg || *arg == '\0') 1419 fatal("%s line %d: missing file name.", 1420 filename, linenum); 1421 if (*activep && *charptr == NULL) 1422 *charptr = xstrdup(arg); 1423 break; 1424 1425 case sTrustedUserCAKeys: 1426 charptr = &options->trusted_user_ca_keys; 1427 goto parse_filename; 1428 1429 case sRevokedKeys: 1430 charptr = &options->revoked_keys_file; 1431 goto parse_filename; 1432 1433 case sIPQoS: 1434 arg = strdelim(&cp); 1435 if ((value = parse_ipqos(arg)) == -1) 1436 fatal("%s line %d: Bad IPQoS value: %s", 1437 filename, linenum, arg); 1438 arg = strdelim(&cp); 1439 if (arg == NULL) 1440 value2 = value; 1441 else if ((value2 = parse_ipqos(arg)) == -1) 1442 fatal("%s line %d: Bad IPQoS value: %s", 1443 filename, linenum, arg); 1444 if (*activep) { 1445 options->ip_qos_interactive = value; 1446 options->ip_qos_bulk = value2; 1447 } 1448 break; 1449 1450 case sVersionAddendum: 1451 ssh_version_set_addendum(strtok(cp, "\n")); 1452 do { 1453 arg = strdelim(&cp); 1454 } while (arg != NULL && *arg != '\0'); 1455 break; 1456 1457 case sHPNDisabled: 1458 intptr = &options->hpn_disabled; 1459 goto parse_flag; 1460 1461 case sHPNBufferSize: 1462 intptr = &options->hpn_buffer_size; 1463 goto parse_int; 1464 1465 case sTcpRcvBufPoll: 1466 intptr = &options->tcp_rcv_buf_poll; 1467 goto parse_flag; 1468 1469 #ifdef NONE_CIPHER_ENABLED 1470 case sNoneEnabled: 1471 intptr = &options->none_enabled; 1472 goto parse_flag; 1473 #endif 1474 1475 case sDeprecated: 1476 logit("%s line %d: Deprecated option %s", 1477 filename, linenum, arg); 1478 while (arg) 1479 arg = strdelim(&cp); 1480 break; 1481 1482 case sUnsupported: 1483 logit("%s line %d: Unsupported option %s", 1484 filename, linenum, arg); 1485 while (arg) 1486 arg = strdelim(&cp); 1487 break; 1488 1489 default: 1490 fatal("%s line %d: Missing handler for opcode %s (%d)", 1491 filename, linenum, arg, opcode); 1492 } 1493 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1494 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1495 filename, linenum, arg); 1496 return 0; 1497 } 1498 1499 /* Reads the server configuration file. */ 1500 1501 void 1502 load_server_config(const char *filename, Buffer *conf) 1503 { 1504 char line[1024], *cp; 1505 FILE *f; 1506 1507 debug2("%s: filename %s", __func__, filename); 1508 if ((f = fopen(filename, "r")) == NULL) { 1509 perror(filename); 1510 exit(1); 1511 } 1512 buffer_clear(conf); 1513 while (fgets(line, sizeof(line), f)) { 1514 /* 1515 * Trim out comments and strip whitespace 1516 * NB - preserve newlines, they are needed to reproduce 1517 * line numbers later for error messages 1518 */ 1519 if ((cp = strchr(line, '#')) != NULL) 1520 memcpy(cp, "\n", 2); 1521 cp = line + strspn(line, " \t\r"); 1522 1523 buffer_append(conf, cp, strlen(cp)); 1524 } 1525 buffer_append(conf, "\0", 1); 1526 fclose(f); 1527 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1528 } 1529 1530 void 1531 parse_server_match_config(ServerOptions *options, const char *user, 1532 const char *host, const char *address) 1533 { 1534 ServerOptions mo; 1535 1536 initialize_server_options(&mo); 1537 parse_server_config(&mo, "reprocess config", &cfg, user, host, address); 1538 copy_set_server_options(options, &mo, 0); 1539 } 1540 1541 /* Helper macros */ 1542 #define M_CP_INTOPT(n) do {\ 1543 if (src->n != -1) \ 1544 dst->n = src->n; \ 1545 } while (0) 1546 #define M_CP_STROPT(n) do {\ 1547 if (src->n != NULL) { \ 1548 if (dst->n != NULL) \ 1549 xfree(dst->n); \ 1550 dst->n = src->n; \ 1551 } \ 1552 } while(0) 1553 #define M_CP_STRARRAYOPT(n, num_n) do {\ 1554 if (src->num_n != 0) { \ 1555 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 1556 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 1557 } \ 1558 } while(0) 1559 1560 /* 1561 * Copy any supported values that are set. 1562 * 1563 * If the preauth flag is set, we do not bother copying the string or 1564 * array values that are not used pre-authentication, because any that we 1565 * do use must be explictly sent in mm_getpwnamallow(). 1566 */ 1567 void 1568 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1569 { 1570 M_CP_INTOPT(password_authentication); 1571 M_CP_INTOPT(gss_authentication); 1572 M_CP_INTOPT(rsa_authentication); 1573 M_CP_INTOPT(pubkey_authentication); 1574 M_CP_INTOPT(kerberos_authentication); 1575 M_CP_INTOPT(hostbased_authentication); 1576 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1577 M_CP_INTOPT(kbd_interactive_authentication); 1578 M_CP_INTOPT(zero_knowledge_password_authentication); 1579 M_CP_INTOPT(permit_root_login); 1580 M_CP_INTOPT(permit_empty_passwd); 1581 1582 M_CP_INTOPT(allow_tcp_forwarding); 1583 M_CP_INTOPT(allow_agent_forwarding); 1584 M_CP_INTOPT(permit_tun); 1585 M_CP_INTOPT(gateway_ports); 1586 M_CP_INTOPT(x11_display_offset); 1587 M_CP_INTOPT(x11_forwarding); 1588 M_CP_INTOPT(x11_use_localhost); 1589 M_CP_INTOPT(max_sessions); 1590 M_CP_INTOPT(max_authtries); 1591 M_CP_INTOPT(ip_qos_interactive); 1592 M_CP_INTOPT(ip_qos_bulk); 1593 1594 /* See comment in servconf.h */ 1595 COPY_MATCH_STRING_OPTS(); 1596 1597 /* 1598 * The only things that should be below this point are string options 1599 * which are only used after authentication. 1600 */ 1601 if (preauth) 1602 return; 1603 1604 M_CP_STROPT(adm_forced_command); 1605 M_CP_STROPT(chroot_directory); 1606 } 1607 1608 #undef M_CP_INTOPT 1609 #undef M_CP_STROPT 1610 #undef M_CP_STRARRAYOPT 1611 1612 void 1613 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1614 const char *user, const char *host, const char *address) 1615 { 1616 int active, linenum, bad_options = 0; 1617 char *cp, *obuf, *cbuf; 1618 1619 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1620 1621 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1622 active = user ? 0 : 1; 1623 linenum = 1; 1624 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1625 if (process_server_config_line(options, cp, filename, 1626 linenum++, &active, user, host, address) != 0) 1627 bad_options++; 1628 } 1629 xfree(obuf); 1630 if (bad_options > 0) 1631 fatal("%s: terminating, %d bad configuration options", 1632 filename, bad_options); 1633 } 1634 1635 static const char * 1636 fmt_multistate_int(int val, const struct multistate *m) 1637 { 1638 u_int i; 1639 1640 for (i = 0; m[i].key != NULL; i++) { 1641 if (m[i].value == val) 1642 return m[i].key; 1643 } 1644 return "UNKNOWN"; 1645 } 1646 1647 static const char * 1648 fmt_intarg(ServerOpCodes code, int val) 1649 { 1650 if (val == -1) 1651 return "unset"; 1652 switch (code) { 1653 case sAddressFamily: 1654 return fmt_multistate_int(val, multistate_addressfamily); 1655 case sPermitRootLogin: 1656 return fmt_multistate_int(val, multistate_permitrootlogin); 1657 case sGatewayPorts: 1658 return fmt_multistate_int(val, multistate_gatewayports); 1659 case sCompression: 1660 return fmt_multistate_int(val, multistate_compression); 1661 case sUsePrivilegeSeparation: 1662 return fmt_multistate_int(val, multistate_privsep); 1663 case sProtocol: 1664 switch (val) { 1665 case SSH_PROTO_1: 1666 return "1"; 1667 case SSH_PROTO_2: 1668 return "2"; 1669 case (SSH_PROTO_1|SSH_PROTO_2): 1670 return "2,1"; 1671 default: 1672 return "UNKNOWN"; 1673 } 1674 default: 1675 switch (val) { 1676 case 0: 1677 return "no"; 1678 case 1: 1679 return "yes"; 1680 default: 1681 return "UNKNOWN"; 1682 } 1683 } 1684 } 1685 1686 static const char * 1687 lookup_opcode_name(ServerOpCodes code) 1688 { 1689 u_int i; 1690 1691 for (i = 0; keywords[i].name != NULL; i++) 1692 if (keywords[i].opcode == code) 1693 return(keywords[i].name); 1694 return "UNKNOWN"; 1695 } 1696 1697 static void 1698 dump_cfg_int(ServerOpCodes code, int val) 1699 { 1700 printf("%s %d\n", lookup_opcode_name(code), val); 1701 } 1702 1703 static void 1704 dump_cfg_fmtint(ServerOpCodes code, int val) 1705 { 1706 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 1707 } 1708 1709 static void 1710 dump_cfg_string(ServerOpCodes code, const char *val) 1711 { 1712 if (val == NULL) 1713 return; 1714 printf("%s %s\n", lookup_opcode_name(code), val); 1715 } 1716 1717 static void 1718 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 1719 { 1720 u_int i; 1721 1722 for (i = 0; i < count; i++) 1723 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 1724 } 1725 1726 static void 1727 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 1728 { 1729 u_int i; 1730 1731 printf("%s", lookup_opcode_name(code)); 1732 for (i = 0; i < count; i++) 1733 printf(" %s", vals[i]); 1734 printf("\n"); 1735 } 1736 1737 void 1738 dump_config(ServerOptions *o) 1739 { 1740 u_int i; 1741 int ret; 1742 struct addrinfo *ai; 1743 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 1744 1745 /* these are usually at the top of the config */ 1746 for (i = 0; i < o->num_ports; i++) 1747 printf("port %d\n", o->ports[i]); 1748 dump_cfg_fmtint(sProtocol, o->protocol); 1749 dump_cfg_fmtint(sAddressFamily, o->address_family); 1750 1751 /* ListenAddress must be after Port */ 1752 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 1753 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 1754 sizeof(addr), port, sizeof(port), 1755 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 1756 error("getnameinfo failed: %.100s", 1757 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 1758 strerror(errno)); 1759 } else { 1760 if (ai->ai_family == AF_INET6) 1761 printf("listenaddress [%s]:%s\n", addr, port); 1762 else 1763 printf("listenaddress %s:%s\n", addr, port); 1764 } 1765 } 1766 1767 /* integer arguments */ 1768 #ifdef USE_PAM 1769 dump_cfg_int(sUsePAM, o->use_pam); 1770 #endif 1771 dump_cfg_int(sServerKeyBits, o->server_key_bits); 1772 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 1773 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 1774 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 1775 dump_cfg_int(sMaxAuthTries, o->max_authtries); 1776 dump_cfg_int(sMaxSessions, o->max_sessions); 1777 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 1778 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 1779 1780 /* formatted integer arguments */ 1781 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 1782 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 1783 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 1784 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); 1785 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 1786 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 1787 o->hostbased_uses_name_from_packet_only); 1788 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 1789 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 1790 #ifdef KRB5 1791 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 1792 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 1793 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 1794 # ifdef USE_AFS 1795 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 1796 # endif 1797 #endif 1798 #ifdef GSSAPI 1799 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 1800 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 1801 #endif 1802 #ifdef JPAKE 1803 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 1804 o->zero_knowledge_password_authentication); 1805 #endif 1806 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 1807 dump_cfg_fmtint(sKbdInteractiveAuthentication, 1808 o->kbd_interactive_authentication); 1809 dump_cfg_fmtint(sChallengeResponseAuthentication, 1810 o->challenge_response_authentication); 1811 dump_cfg_fmtint(sPrintMotd, o->print_motd); 1812 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 1813 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 1814 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 1815 dump_cfg_fmtint(sStrictModes, o->strict_modes); 1816 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 1817 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 1818 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 1819 dump_cfg_fmtint(sUseLogin, o->use_login); 1820 dump_cfg_fmtint(sCompression, o->compression); 1821 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); 1822 dump_cfg_fmtint(sUseDNS, o->use_dns); 1823 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 1824 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 1825 1826 /* string arguments */ 1827 dump_cfg_string(sPidFile, o->pid_file); 1828 dump_cfg_string(sXAuthLocation, o->xauth_location); 1829 dump_cfg_string(sCiphers, o->ciphers); 1830 dump_cfg_string(sMacs, o->macs); 1831 dump_cfg_string(sBanner, o->banner); 1832 dump_cfg_string(sForceCommand, o->adm_forced_command); 1833 dump_cfg_string(sChrootDirectory, o->chroot_directory); 1834 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 1835 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 1836 dump_cfg_string(sAuthorizedPrincipalsFile, 1837 o->authorized_principals_file); 1838 1839 /* string arguments requiring a lookup */ 1840 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 1841 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 1842 1843 /* string array arguments */ 1844 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 1845 o->authorized_keys_files); 1846 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 1847 o->host_key_files); 1848 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files, 1849 o->host_cert_files); 1850 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 1851 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 1852 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 1853 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 1854 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 1855 1856 /* other arguments */ 1857 for (i = 0; i < o->num_subsystems; i++) 1858 printf("subsystem %s %s\n", o->subsystem_name[i], 1859 o->subsystem_args[i]); 1860 1861 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 1862 o->max_startups_rate, o->max_startups); 1863 1864 for (i = 0; tunmode_desc[i].val != -1; i++) 1865 if (tunmode_desc[i].val == o->permit_tun) { 1866 s = tunmode_desc[i].text; 1867 break; 1868 } 1869 dump_cfg_string(sPermitTunnel, s); 1870 1871 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 1872 printf("%s\n", iptos2str(o->ip_qos_bulk)); 1873 1874 channel_print_adm_permitted_opens(); 1875 } 1876