xref: /freebsd/crypto/openssh/servconf.c (revision 64a0982bee3db2236df43357e70ce8dddbc21d48)
1 
2 /* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 __RCSID("$FreeBSD$");
16 
17 #include <sys/types.h>
18 #include <sys/socket.h>
19 
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
23 
24 #include <ctype.h>
25 #include <fcntl.h>
26 #include <netdb.h>
27 #include <pwd.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <signal.h>
32 #include <unistd.h>
33 #include <limits.h>
34 #include <stdarg.h>
35 #include <errno.h>
36 #ifdef HAVE_UTIL_H
37 #include <util.h>
38 #endif
39 
40 #include "openbsd-compat/sys-queue.h"
41 #include "xmalloc.h"
42 #include "ssh.h"
43 #include "log.h"
44 #include "buffer.h"
45 #include "misc.h"
46 #include "servconf.h"
47 #include "compat.h"
48 #include "pathnames.h"
49 #include "cipher.h"
50 #include "key.h"
51 #include "kex.h"
52 #include "mac.h"
53 #include "match.h"
54 #include "channels.h"
55 #include "groupaccess.h"
56 #include "canohost.h"
57 #include "packet.h"
58 #include "hostfile.h"
59 #include "auth.h"
60 #include "myproposal.h"
61 #include "digest.h"
62 #include "version.h"
63 
64 static void add_listen_addr(ServerOptions *, char *, int);
65 static void add_one_listen_addr(ServerOptions *, char *, int);
66 
67 /* Use of privilege separation or not */
68 extern int use_privsep;
69 extern Buffer cfg;
70 
71 /* Initializes the server options to their default values. */
72 
73 void
74 initialize_server_options(ServerOptions *options)
75 {
76 	memset(options, 0, sizeof(*options));
77 
78 	/* Portable-specific options */
79 	options->use_pam = -1;
80 
81 	/* Standard Options */
82 	options->num_ports = 0;
83 	options->ports_from_cmdline = 0;
84 	options->queued_listen_addrs = NULL;
85 	options->num_queued_listens = 0;
86 	options->listen_addrs = NULL;
87 	options->address_family = -1;
88 	options->num_host_key_files = 0;
89 	options->num_host_cert_files = 0;
90 	options->host_key_agent = NULL;
91 	options->pid_file = NULL;
92 	options->server_key_bits = -1;
93 	options->login_grace_time = -1;
94 	options->key_regeneration_time = -1;
95 	options->permit_root_login = PERMIT_NOT_SET;
96 	options->ignore_rhosts = -1;
97 	options->ignore_user_known_hosts = -1;
98 	options->print_motd = -1;
99 	options->print_lastlog = -1;
100 	options->x11_forwarding = -1;
101 	options->x11_display_offset = -1;
102 	options->x11_use_localhost = -1;
103 	options->permit_tty = -1;
104 	options->permit_user_rc = -1;
105 	options->xauth_location = NULL;
106 	options->strict_modes = -1;
107 	options->tcp_keep_alive = -1;
108 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
109 	options->log_level = SYSLOG_LEVEL_NOT_SET;
110 	options->rhosts_rsa_authentication = -1;
111 	options->hostbased_authentication = -1;
112 	options->hostbased_uses_name_from_packet_only = -1;
113 	options->hostbased_key_types = NULL;
114 	options->hostkeyalgorithms = NULL;
115 	options->rsa_authentication = -1;
116 	options->pubkey_authentication = -1;
117 	options->pubkey_key_types = NULL;
118 	options->kerberos_authentication = -1;
119 	options->kerberos_or_local_passwd = -1;
120 	options->kerberos_ticket_cleanup = -1;
121 	options->kerberos_get_afs_token = -1;
122 	options->gss_authentication=-1;
123 	options->gss_cleanup_creds = -1;
124 	options->gss_strict_acceptor = -1;
125 	options->password_authentication = -1;
126 	options->kbd_interactive_authentication = -1;
127 	options->challenge_response_authentication = -1;
128 	options->permit_empty_passwd = -1;
129 	options->permit_user_env = -1;
130 	options->use_login = -1;
131 	options->compression = -1;
132 	options->rekey_limit = -1;
133 	options->rekey_interval = -1;
134 	options->allow_tcp_forwarding = -1;
135 	options->allow_streamlocal_forwarding = -1;
136 	options->allow_agent_forwarding = -1;
137 	options->num_allow_users = 0;
138 	options->num_deny_users = 0;
139 	options->num_allow_groups = 0;
140 	options->num_deny_groups = 0;
141 	options->ciphers = NULL;
142 	options->macs = NULL;
143 	options->kex_algorithms = NULL;
144 	options->protocol = SSH_PROTO_UNKNOWN;
145 	options->fwd_opts.gateway_ports = -1;
146 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
147 	options->fwd_opts.streamlocal_bind_unlink = -1;
148 	options->num_subsystems = 0;
149 	options->max_startups_begin = -1;
150 	options->max_startups_rate = -1;
151 	options->max_startups = -1;
152 	options->max_authtries = -1;
153 	options->max_sessions = -1;
154 	options->banner = NULL;
155 	options->use_dns = -1;
156 	options->client_alive_interval = -1;
157 	options->client_alive_count_max = -1;
158 	options->num_authkeys_files = 0;
159 	options->num_accept_env = 0;
160 	options->permit_tun = -1;
161 	options->num_permitted_opens = -1;
162 	options->adm_forced_command = NULL;
163 	options->chroot_directory = NULL;
164 	options->authorized_keys_command = NULL;
165 	options->authorized_keys_command_user = NULL;
166 	options->revoked_keys_file = NULL;
167 	options->trusted_user_ca_keys = NULL;
168 	options->authorized_principals_file = NULL;
169 	options->authorized_principals_command = NULL;
170 	options->authorized_principals_command_user = NULL;
171 	options->ip_qos_interactive = -1;
172 	options->ip_qos_bulk = -1;
173 	options->version_addendum = NULL;
174 	options->fingerprint_hash = -1;
175 	options->use_blacklist = -1;
176 }
177 
178 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
179 static int
180 option_clear_or_none(const char *o)
181 {
182 	return o == NULL || strcasecmp(o, "none") == 0;
183 }
184 
185 static void
186 assemble_algorithms(ServerOptions *o)
187 {
188 	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
189 	    kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
190 	    kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
191 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
192 	    &o->hostkeyalgorithms) != 0 ||
193 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
194 	    &o->hostbased_key_types) != 0 ||
195 	    kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
196 		fatal("kex_assemble_names failed");
197 }
198 
199 void
200 fill_default_server_options(ServerOptions *options)
201 {
202 	int i;
203 
204 	/* Portable-specific options */
205 	if (options->use_pam == -1)
206 		options->use_pam = 1;
207 
208 	/* Standard Options */
209 	if (options->protocol == SSH_PROTO_UNKNOWN)
210 		options->protocol = SSH_PROTO_2;
211 #define add_host_key_file(path)						\
212 	do {								\
213 		if (access((path), O_RDONLY) == 0)			\
214 			options->host_key_files				\
215 			    [options->num_host_key_files++] = (path);	\
216 	} while (0)
217 	if (options->num_host_key_files == 0) {
218 		/* fill default hostkeys for protocols */
219 		if (options->protocol & SSH_PROTO_1)
220 			add_host_key_file(_PATH_HOST_KEY_FILE);
221 		if (options->protocol & SSH_PROTO_2) {
222 			add_host_key_file(_PATH_HOST_RSA_KEY_FILE);
223 			add_host_key_file(_PATH_HOST_DSA_KEY_FILE);
224 #ifdef OPENSSL_HAS_ECC
225 			add_host_key_file(_PATH_HOST_ECDSA_KEY_FILE);
226 #endif
227 			add_host_key_file(_PATH_HOST_ED25519_KEY_FILE);
228 		}
229 	}
230 #undef add_host_key_file
231 	if (options->num_host_key_files == 0)
232 		fatal("No host key files found");
233 	/* No certificates by default */
234 	if (options->num_ports == 0)
235 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
236 	if (options->address_family == -1)
237 		options->address_family = AF_UNSPEC;
238 	if (options->listen_addrs == NULL)
239 		add_listen_addr(options, NULL, 0);
240 	if (options->pid_file == NULL)
241 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
242 	if (options->server_key_bits == -1)
243 		options->server_key_bits = 1024;
244 	if (options->login_grace_time == -1)
245 		options->login_grace_time = 120;
246 	if (options->key_regeneration_time == -1)
247 		options->key_regeneration_time = 3600;
248 	if (options->permit_root_login == PERMIT_NOT_SET)
249 		options->permit_root_login = PERMIT_NO;
250 	if (options->ignore_rhosts == -1)
251 		options->ignore_rhosts = 1;
252 	if (options->ignore_user_known_hosts == -1)
253 		options->ignore_user_known_hosts = 0;
254 	if (options->print_motd == -1)
255 		options->print_motd = 1;
256 	if (options->print_lastlog == -1)
257 		options->print_lastlog = 1;
258 	if (options->x11_forwarding == -1)
259 		options->x11_forwarding = 1;
260 	if (options->x11_display_offset == -1)
261 		options->x11_display_offset = 10;
262 	if (options->x11_use_localhost == -1)
263 		options->x11_use_localhost = 1;
264 	if (options->xauth_location == NULL)
265 		options->xauth_location = xstrdup(_PATH_XAUTH);
266 	if (options->permit_tty == -1)
267 		options->permit_tty = 1;
268 	if (options->permit_user_rc == -1)
269 		options->permit_user_rc = 1;
270 	if (options->strict_modes == -1)
271 		options->strict_modes = 1;
272 	if (options->tcp_keep_alive == -1)
273 		options->tcp_keep_alive = 1;
274 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
275 		options->log_facility = SYSLOG_FACILITY_AUTH;
276 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
277 		options->log_level = SYSLOG_LEVEL_INFO;
278 	if (options->rhosts_rsa_authentication == -1)
279 		options->rhosts_rsa_authentication = 0;
280 	if (options->hostbased_authentication == -1)
281 		options->hostbased_authentication = 0;
282 	if (options->hostbased_uses_name_from_packet_only == -1)
283 		options->hostbased_uses_name_from_packet_only = 0;
284 	if (options->rsa_authentication == -1)
285 		options->rsa_authentication = 1;
286 	if (options->pubkey_authentication == -1)
287 		options->pubkey_authentication = 1;
288 	if (options->kerberos_authentication == -1)
289 		options->kerberos_authentication = 0;
290 	if (options->kerberos_or_local_passwd == -1)
291 		options->kerberos_or_local_passwd = 1;
292 	if (options->kerberos_ticket_cleanup == -1)
293 		options->kerberos_ticket_cleanup = 1;
294 	if (options->kerberos_get_afs_token == -1)
295 		options->kerberos_get_afs_token = 0;
296 	if (options->gss_authentication == -1)
297 		options->gss_authentication = 0;
298 	if (options->gss_cleanup_creds == -1)
299 		options->gss_cleanup_creds = 1;
300 	if (options->gss_strict_acceptor == -1)
301 		options->gss_strict_acceptor = 0;
302 	if (options->password_authentication == -1)
303 		options->password_authentication = 0;
304 	if (options->kbd_interactive_authentication == -1)
305 		options->kbd_interactive_authentication = 0;
306 	if (options->challenge_response_authentication == -1)
307 		options->challenge_response_authentication = 1;
308 	if (options->permit_empty_passwd == -1)
309 		options->permit_empty_passwd = 0;
310 	if (options->permit_user_env == -1)
311 		options->permit_user_env = 0;
312 	if (options->use_login == -1)
313 		options->use_login = 0;
314 	if (options->compression == -1)
315 		options->compression = COMP_DELAYED;
316 	if (options->rekey_limit == -1)
317 		options->rekey_limit = 0;
318 	if (options->rekey_interval == -1)
319 		options->rekey_interval = 0;
320 	if (options->allow_tcp_forwarding == -1)
321 		options->allow_tcp_forwarding = FORWARD_ALLOW;
322 	if (options->allow_streamlocal_forwarding == -1)
323 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
324 	if (options->allow_agent_forwarding == -1)
325 		options->allow_agent_forwarding = 1;
326 	if (options->fwd_opts.gateway_ports == -1)
327 		options->fwd_opts.gateway_ports = 0;
328 	if (options->max_startups == -1)
329 		options->max_startups = 100;
330 	if (options->max_startups_rate == -1)
331 		options->max_startups_rate = 30;		/* 30% */
332 	if (options->max_startups_begin == -1)
333 		options->max_startups_begin = 10;
334 	if (options->max_authtries == -1)
335 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
336 	if (options->max_sessions == -1)
337 		options->max_sessions = DEFAULT_SESSIONS_MAX;
338 	if (options->use_dns == -1)
339 		options->use_dns = 1;
340 	if (options->client_alive_interval == -1)
341 		options->client_alive_interval = 0;
342 	if (options->client_alive_count_max == -1)
343 		options->client_alive_count_max = 3;
344 	if (options->num_authkeys_files == 0) {
345 		options->authorized_keys_files[options->num_authkeys_files++] =
346 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
347 		options->authorized_keys_files[options->num_authkeys_files++] =
348 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
349 	}
350 	if (options->permit_tun == -1)
351 		options->permit_tun = SSH_TUNMODE_NO;
352 	if (options->ip_qos_interactive == -1)
353 		options->ip_qos_interactive = IPTOS_LOWDELAY;
354 	if (options->ip_qos_bulk == -1)
355 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
356 	if (options->version_addendum == NULL)
357 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
358 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
359 		options->fwd_opts.streamlocal_bind_mask = 0177;
360 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
361 		options->fwd_opts.streamlocal_bind_unlink = 0;
362 	if (options->fingerprint_hash == -1)
363 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
364 	if (options->use_blacklist == -1)
365 		options->use_blacklist = 0;
366 
367 	assemble_algorithms(options);
368 
369 	/* Turn privilege separation and sandboxing on by default */
370 	if (use_privsep == -1)
371 		use_privsep = PRIVSEP_ON;
372 
373 #define CLEAR_ON_NONE(v) \
374 	do { \
375 		if (option_clear_or_none(v)) { \
376 			free(v); \
377 			v = NULL; \
378 		} \
379 	} while(0)
380 	CLEAR_ON_NONE(options->pid_file);
381 	CLEAR_ON_NONE(options->xauth_location);
382 	CLEAR_ON_NONE(options->banner);
383 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
384 	CLEAR_ON_NONE(options->revoked_keys_file);
385 	CLEAR_ON_NONE(options->authorized_principals_file);
386 	CLEAR_ON_NONE(options->adm_forced_command);
387 	CLEAR_ON_NONE(options->chroot_directory);
388 	for (i = 0; i < options->num_host_key_files; i++)
389 		CLEAR_ON_NONE(options->host_key_files[i]);
390 	for (i = 0; i < options->num_host_cert_files; i++)
391 		CLEAR_ON_NONE(options->host_cert_files[i]);
392 #undef CLEAR_ON_NONE
393 
394 	/* Similar handling for AuthenticationMethods=any */
395 	if (options->num_auth_methods == 1 &&
396 	    strcmp(options->auth_methods[0], "any") == 0) {
397 		free(options->auth_methods[0]);
398 		options->auth_methods[0] = NULL;
399 		options->num_auth_methods = 0;
400 	}
401 
402 #ifndef HAVE_MMAP
403 	if (use_privsep && options->compression == 1) {
404 		error("This platform does not support both privilege "
405 		    "separation and compression");
406 		error("Compression disabled");
407 		options->compression = 0;
408 	}
409 #endif
410 
411 }
412 
413 /* Keyword tokens. */
414 typedef enum {
415 	sBadOption,		/* == unknown option */
416 	/* Portable-specific options */
417 	sUsePAM,
418 	/* Standard Options */
419 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
420 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
421 	sRhostsRSAAuthentication, sRSAAuthentication,
422 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
423 	sKerberosGetAFSToken,
424 	sKerberosTgtPassing, sChallengeResponseAuthentication,
425 	sPasswordAuthentication, sKbdInteractiveAuthentication,
426 	sListenAddress, sAddressFamily,
427 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
428 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
429 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
430 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
431 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
432 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
433 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
434 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
435 	sBanner, sUseDNS, sHostbasedAuthentication,
436 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
437 	sHostKeyAlgorithms,
438 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
439 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
440 	sAcceptEnv, sPermitTunnel,
441 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
442 	sUsePrivilegeSeparation, sAllowAgentForwarding,
443 	sHostCertificate,
444 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
445 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
446 	sKexAlgorithms, sIPQoS, sVersionAddendum,
447 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
448 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
449 	sStreamLocalBindMask, sStreamLocalBindUnlink,
450 	sAllowStreamLocalForwarding, sFingerprintHash,
451 	sUseBlacklist,
452 	sDeprecated, sUnsupported
453 } ServerOpCodes;
454 
455 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
456 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
457 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
458 
459 /* Textual representation of the tokens. */
460 static struct {
461 	const char *name;
462 	ServerOpCodes opcode;
463 	u_int flags;
464 } keywords[] = {
465 	/* Portable-specific options */
466 #ifdef USE_PAM
467 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
468 #else
469 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
470 #endif
471 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
472 	/* Standard Options */
473 	{ "port", sPort, SSHCFG_GLOBAL },
474 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
475 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
476 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
477 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
478 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
479 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
480 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
481 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
482 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
483 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
484 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
485 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
486 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
487 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
488 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
489 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
490 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
491 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
492 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
493 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
494 #ifdef KRB5
495 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
496 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
497 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
498 #ifdef USE_AFS
499 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
500 #else
501 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
502 #endif
503 #else
504 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
505 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
506 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
507 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
508 #endif
509 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
510 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
511 #ifdef GSSAPI
512 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
513 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
514 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
515 #else
516 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
517 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
518 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
519 #endif
520 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
521 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
522 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
523 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
524 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
525 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
526 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
527 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
528 #ifdef DISABLE_LASTLOG
529 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
530 #else
531 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
532 #endif
533 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
534 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
535 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
536 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
537 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
538 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
539 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
540 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
541 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
542 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
543 	{ "compression", sCompression, SSHCFG_GLOBAL },
544 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
545 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
546 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
547 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
548 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
549 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
550 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
551 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
552 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
553 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
554 	{ "macs", sMacs, SSHCFG_GLOBAL },
555 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
556 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
557 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
558 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
559 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
560 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
561 	{ "banner", sBanner, SSHCFG_ALL },
562 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
563 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
564 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
565 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
566 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
567 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
568 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
569 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
570 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
571 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
572 	{ "permittty", sPermitTTY, SSHCFG_ALL },
573 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
574 	{ "match", sMatch, SSHCFG_ALL },
575 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
576 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
577 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
578 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
579 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
580 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
581 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
582 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
583 	{ "ipqos", sIPQoS, SSHCFG_ALL },
584 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
585 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
586 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
587 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
588 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
589 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
590 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
591 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
592 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
593 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
594 	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
595 	{ "noneenabled", sUnsupported, SSHCFG_ALL },
596 	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
597 	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
598 	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
599 	{ NULL, sBadOption, 0 }
600 };
601 
602 static struct {
603 	int val;
604 	char *text;
605 } tunmode_desc[] = {
606 	{ SSH_TUNMODE_NO, "no" },
607 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
608 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
609 	{ SSH_TUNMODE_YES, "yes" },
610 	{ -1, NULL }
611 };
612 
613 /*
614  * Returns the number of the token pointed to by cp or sBadOption.
615  */
616 
617 static ServerOpCodes
618 parse_token(const char *cp, const char *filename,
619 	    int linenum, u_int *flags)
620 {
621 	u_int i;
622 
623 	for (i = 0; keywords[i].name; i++)
624 		if (strcasecmp(cp, keywords[i].name) == 0) {
625 			*flags = keywords[i].flags;
626 			return keywords[i].opcode;
627 		}
628 
629 	error("%s: line %d: Bad configuration option: %s",
630 	    filename, linenum, cp);
631 	return sBadOption;
632 }
633 
634 char *
635 derelativise_path(const char *path)
636 {
637 	char *expanded, *ret, cwd[PATH_MAX];
638 
639 	if (strcasecmp(path, "none") == 0)
640 		return xstrdup("none");
641 	expanded = tilde_expand_filename(path, getuid());
642 	if (*expanded == '/')
643 		return expanded;
644 	if (getcwd(cwd, sizeof(cwd)) == NULL)
645 		fatal("%s: getcwd: %s", __func__, strerror(errno));
646 	xasprintf(&ret, "%s/%s", cwd, expanded);
647 	free(expanded);
648 	return ret;
649 }
650 
651 static void
652 add_listen_addr(ServerOptions *options, char *addr, int port)
653 {
654 	u_int i;
655 
656 	if (port == 0)
657 		for (i = 0; i < options->num_ports; i++)
658 			add_one_listen_addr(options, addr, options->ports[i]);
659 	else
660 		add_one_listen_addr(options, addr, port);
661 }
662 
663 static void
664 add_one_listen_addr(ServerOptions *options, char *addr, int port)
665 {
666 	struct addrinfo hints, *ai, *aitop;
667 	char strport[NI_MAXSERV];
668 	int gaierr;
669 
670 	memset(&hints, 0, sizeof(hints));
671 	hints.ai_family = options->address_family;
672 	hints.ai_socktype = SOCK_STREAM;
673 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
674 	snprintf(strport, sizeof strport, "%d", port);
675 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
676 		fatal("bad addr or host: %s (%s)",
677 		    addr ? addr : "<NULL>",
678 		    ssh_gai_strerror(gaierr));
679 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
680 		;
681 	ai->ai_next = options->listen_addrs;
682 	options->listen_addrs = aitop;
683 }
684 
685 /*
686  * Queue a ListenAddress to be processed once we have all of the Ports
687  * and AddressFamily options.
688  */
689 static void
690 queue_listen_addr(ServerOptions *options, char *addr, int port)
691 {
692 	options->queued_listen_addrs = xreallocarray(
693 	    options->queued_listen_addrs, options->num_queued_listens + 1,
694 	    sizeof(addr));
695 	options->queued_listen_ports = xreallocarray(
696 	    options->queued_listen_ports, options->num_queued_listens + 1,
697 	    sizeof(port));
698 	options->queued_listen_addrs[options->num_queued_listens] =
699 	    xstrdup(addr);
700 	options->queued_listen_ports[options->num_queued_listens] = port;
701 	options->num_queued_listens++;
702 }
703 
704 /*
705  * Process queued (text) ListenAddress entries.
706  */
707 static void
708 process_queued_listen_addrs(ServerOptions *options)
709 {
710 	u_int i;
711 
712 	if (options->num_ports == 0)
713 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
714 	if (options->address_family == -1)
715 		options->address_family = AF_UNSPEC;
716 
717 	for (i = 0; i < options->num_queued_listens; i++) {
718 		add_listen_addr(options, options->queued_listen_addrs[i],
719 		    options->queued_listen_ports[i]);
720 		free(options->queued_listen_addrs[i]);
721 		options->queued_listen_addrs[i] = NULL;
722 	}
723 	free(options->queued_listen_addrs);
724 	options->queued_listen_addrs = NULL;
725 	free(options->queued_listen_ports);
726 	options->queued_listen_ports = NULL;
727 	options->num_queued_listens = 0;
728 }
729 
730 struct connection_info *
731 get_connection_info(int populate, int use_dns)
732 {
733 	struct ssh *ssh = active_state; /* XXX */
734 	static struct connection_info ci;
735 
736 	if (!populate)
737 		return &ci;
738 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
739 	ci.address = ssh_remote_ipaddr(ssh);
740 	ci.laddress = ssh_local_ipaddr(ssh);
741 	ci.lport = ssh_local_port(ssh);
742 	return &ci;
743 }
744 
745 /*
746  * The strategy for the Match blocks is that the config file is parsed twice.
747  *
748  * The first time is at startup.  activep is initialized to 1 and the
749  * directives in the global context are processed and acted on.  Hitting a
750  * Match directive unsets activep and the directives inside the block are
751  * checked for syntax only.
752  *
753  * The second time is after a connection has been established but before
754  * authentication.  activep is initialized to 2 and global config directives
755  * are ignored since they have already been processed.  If the criteria in a
756  * Match block is met, activep is set and the subsequent directives
757  * processed and actioned until EOF or another Match block unsets it.  Any
758  * options set are copied into the main server config.
759  *
760  * Potential additions/improvements:
761  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
762  *
763  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
764  *	Match Address 192.168.0.*
765  *		Tag trusted
766  *	Match Group wheel
767  *		Tag trusted
768  *	Match Tag trusted
769  *		AllowTcpForwarding yes
770  *		GatewayPorts clientspecified
771  *		[...]
772  *
773  *  - Add a PermittedChannelRequests directive
774  *	Match Group shell
775  *		PermittedChannelRequests session,forwarded-tcpip
776  */
777 
778 static int
779 match_cfg_line_group(const char *grps, int line, const char *user)
780 {
781 	int result = 0;
782 	struct passwd *pw;
783 
784 	if (user == NULL)
785 		goto out;
786 
787 	if ((pw = getpwnam(user)) == NULL) {
788 		debug("Can't match group at line %d because user %.100s does "
789 		    "not exist", line, user);
790 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
791 		debug("Can't Match group because user %.100s not in any group "
792 		    "at line %d", user, line);
793 	} else if (ga_match_pattern_list(grps) != 1) {
794 		debug("user %.100s does not match group list %.100s at line %d",
795 		    user, grps, line);
796 	} else {
797 		debug("user %.100s matched group list %.100s at line %d", user,
798 		    grps, line);
799 		result = 1;
800 	}
801 out:
802 	ga_free();
803 	return result;
804 }
805 
806 /*
807  * All of the attributes on a single Match line are ANDed together, so we need
808  * to check every attribute and set the result to zero if any attribute does
809  * not match.
810  */
811 static int
812 match_cfg_line(char **condition, int line, struct connection_info *ci)
813 {
814 	int result = 1, attributes = 0, port;
815 	char *arg, *attrib, *cp = *condition;
816 
817 	if (ci == NULL)
818 		debug3("checking syntax for 'Match %s'", cp);
819 	else
820 		debug3("checking match for '%s' user %s host %s addr %s "
821 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
822 		    ci->host ? ci->host : "(null)",
823 		    ci->address ? ci->address : "(null)",
824 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
825 
826 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
827 		attributes++;
828 		if (strcasecmp(attrib, "all") == 0) {
829 			if (attributes != 1 ||
830 			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
831 				error("'all' cannot be combined with other "
832 				    "Match attributes");
833 				return -1;
834 			}
835 			*condition = cp;
836 			return 1;
837 		}
838 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
839 			error("Missing Match criteria for %s", attrib);
840 			return -1;
841 		}
842 		if (strcasecmp(attrib, "user") == 0) {
843 			if (ci == NULL || ci->user == NULL) {
844 				result = 0;
845 				continue;
846 			}
847 			if (match_pattern_list(ci->user, arg, 0) != 1)
848 				result = 0;
849 			else
850 				debug("user %.100s matched 'User %.100s' at "
851 				    "line %d", ci->user, arg, line);
852 		} else if (strcasecmp(attrib, "group") == 0) {
853 			if (ci == NULL || ci->user == NULL) {
854 				result = 0;
855 				continue;
856 			}
857 			switch (match_cfg_line_group(arg, line, ci->user)) {
858 			case -1:
859 				return -1;
860 			case 0:
861 				result = 0;
862 			}
863 		} else if (strcasecmp(attrib, "host") == 0) {
864 			if (ci == NULL || ci->host == NULL) {
865 				result = 0;
866 				continue;
867 			}
868 			if (match_hostname(ci->host, arg) != 1)
869 				result = 0;
870 			else
871 				debug("connection from %.100s matched 'Host "
872 				    "%.100s' at line %d", ci->host, arg, line);
873 		} else if (strcasecmp(attrib, "address") == 0) {
874 			if (ci == NULL || ci->address == NULL) {
875 				result = 0;
876 				continue;
877 			}
878 			switch (addr_match_list(ci->address, arg)) {
879 			case 1:
880 				debug("connection from %.100s matched 'Address "
881 				    "%.100s' at line %d", ci->address, arg, line);
882 				break;
883 			case 0:
884 			case -1:
885 				result = 0;
886 				break;
887 			case -2:
888 				return -1;
889 			}
890 		} else if (strcasecmp(attrib, "localaddress") == 0){
891 			if (ci == NULL || ci->laddress == NULL) {
892 				result = 0;
893 				continue;
894 			}
895 			switch (addr_match_list(ci->laddress, arg)) {
896 			case 1:
897 				debug("connection from %.100s matched "
898 				    "'LocalAddress %.100s' at line %d",
899 				    ci->laddress, arg, line);
900 				break;
901 			case 0:
902 			case -1:
903 				result = 0;
904 				break;
905 			case -2:
906 				return -1;
907 			}
908 		} else if (strcasecmp(attrib, "localport") == 0) {
909 			if ((port = a2port(arg)) == -1) {
910 				error("Invalid LocalPort '%s' on Match line",
911 				    arg);
912 				return -1;
913 			}
914 			if (ci == NULL || ci->lport == 0) {
915 				result = 0;
916 				continue;
917 			}
918 			/* TODO support port lists */
919 			if (port == ci->lport)
920 				debug("connection from %.100s matched "
921 				    "'LocalPort %d' at line %d",
922 				    ci->laddress, port, line);
923 			else
924 				result = 0;
925 		} else {
926 			error("Unsupported Match attribute %s", attrib);
927 			return -1;
928 		}
929 	}
930 	if (attributes == 0) {
931 		error("One or more attributes required for Match");
932 		return -1;
933 	}
934 	if (ci != NULL)
935 		debug3("match %sfound", result ? "" : "not ");
936 	*condition = cp;
937 	return result;
938 }
939 
940 #define WHITESPACE " \t\r\n"
941 
942 /* Multistate option parsing */
943 struct multistate {
944 	char *key;
945 	int value;
946 };
947 static const struct multistate multistate_addressfamily[] = {
948 	{ "inet",			AF_INET },
949 	{ "inet6",			AF_INET6 },
950 	{ "any",			AF_UNSPEC },
951 	{ NULL, -1 }
952 };
953 static const struct multistate multistate_permitrootlogin[] = {
954 	{ "without-password",		PERMIT_NO_PASSWD },
955 	{ "prohibit-password",		PERMIT_NO_PASSWD },
956 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
957 	{ "yes",			PERMIT_YES },
958 	{ "no",				PERMIT_NO },
959 	{ NULL, -1 }
960 };
961 static const struct multistate multistate_compression[] = {
962 	{ "delayed",			COMP_DELAYED },
963 	{ "yes",			COMP_ZLIB },
964 	{ "no",				COMP_NONE },
965 	{ NULL, -1 }
966 };
967 static const struct multistate multistate_gatewayports[] = {
968 	{ "clientspecified",		2 },
969 	{ "yes",			1 },
970 	{ "no",				0 },
971 	{ NULL, -1 }
972 };
973 static const struct multistate multistate_privsep[] = {
974 	{ "yes",			PRIVSEP_NOSANDBOX },
975 	{ "sandbox",			PRIVSEP_ON },
976 	{ "nosandbox",			PRIVSEP_NOSANDBOX },
977 	{ "no",				PRIVSEP_OFF },
978 	{ NULL, -1 }
979 };
980 static const struct multistate multistate_tcpfwd[] = {
981 	{ "yes",			FORWARD_ALLOW },
982 	{ "all",			FORWARD_ALLOW },
983 	{ "no",				FORWARD_DENY },
984 	{ "remote",			FORWARD_REMOTE },
985 	{ "local",			FORWARD_LOCAL },
986 	{ NULL, -1 }
987 };
988 
989 int
990 process_server_config_line(ServerOptions *options, char *line,
991     const char *filename, int linenum, int *activep,
992     struct connection_info *connectinfo)
993 {
994 	char *cp, **charptr, *arg, *p;
995 	int cmdline = 0, *intptr, value, value2, n, port;
996 	SyslogFacility *log_facility_ptr;
997 	LogLevel *log_level_ptr;
998 	ServerOpCodes opcode;
999 	u_int i, flags = 0;
1000 	size_t len;
1001 	long long val64;
1002 	const struct multistate *multistate_ptr;
1003 
1004 	cp = line;
1005 	if ((arg = strdelim(&cp)) == NULL)
1006 		return 0;
1007 	/* Ignore leading whitespace */
1008 	if (*arg == '\0')
1009 		arg = strdelim(&cp);
1010 	if (!arg || !*arg || *arg == '#')
1011 		return 0;
1012 	intptr = NULL;
1013 	charptr = NULL;
1014 	opcode = parse_token(arg, filename, linenum, &flags);
1015 
1016 	if (activep == NULL) { /* We are processing a command line directive */
1017 		cmdline = 1;
1018 		activep = &cmdline;
1019 	}
1020 	if (*activep && opcode != sMatch)
1021 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1022 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1023 		if (connectinfo == NULL) {
1024 			fatal("%s line %d: Directive '%s' is not allowed "
1025 			    "within a Match block", filename, linenum, arg);
1026 		} else { /* this is a directive we have already processed */
1027 			while (arg)
1028 				arg = strdelim(&cp);
1029 			return 0;
1030 		}
1031 	}
1032 
1033 	switch (opcode) {
1034 	/* Portable-specific options */
1035 	case sUsePAM:
1036 		intptr = &options->use_pam;
1037 		goto parse_flag;
1038 
1039 	/* Standard Options */
1040 	case sBadOption:
1041 		return -1;
1042 	case sPort:
1043 		/* ignore ports from configfile if cmdline specifies ports */
1044 		if (options->ports_from_cmdline)
1045 			return 0;
1046 		if (options->num_ports >= MAX_PORTS)
1047 			fatal("%s line %d: too many ports.",
1048 			    filename, linenum);
1049 		arg = strdelim(&cp);
1050 		if (!arg || *arg == '\0')
1051 			fatal("%s line %d: missing port number.",
1052 			    filename, linenum);
1053 		options->ports[options->num_ports++] = a2port(arg);
1054 		if (options->ports[options->num_ports-1] <= 0)
1055 			fatal("%s line %d: Badly formatted port number.",
1056 			    filename, linenum);
1057 		break;
1058 
1059 	case sServerKeyBits:
1060 		intptr = &options->server_key_bits;
1061  parse_int:
1062 		arg = strdelim(&cp);
1063 		if (!arg || *arg == '\0')
1064 			fatal("%s line %d: missing integer value.",
1065 			    filename, linenum);
1066 		value = atoi(arg);
1067 		if (*activep && *intptr == -1)
1068 			*intptr = value;
1069 		break;
1070 
1071 	case sLoginGraceTime:
1072 		intptr = &options->login_grace_time;
1073  parse_time:
1074 		arg = strdelim(&cp);
1075 		if (!arg || *arg == '\0')
1076 			fatal("%s line %d: missing time value.",
1077 			    filename, linenum);
1078 		if ((value = convtime(arg)) == -1)
1079 			fatal("%s line %d: invalid time value.",
1080 			    filename, linenum);
1081 		if (*activep && *intptr == -1)
1082 			*intptr = value;
1083 		break;
1084 
1085 	case sKeyRegenerationTime:
1086 		intptr = &options->key_regeneration_time;
1087 		goto parse_time;
1088 
1089 	case sListenAddress:
1090 		arg = strdelim(&cp);
1091 		if (arg == NULL || *arg == '\0')
1092 			fatal("%s line %d: missing address",
1093 			    filename, linenum);
1094 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1095 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1096 		    && strchr(p+1, ':') != NULL) {
1097 			queue_listen_addr(options, arg, 0);
1098 			break;
1099 		}
1100 		p = hpdelim(&arg);
1101 		if (p == NULL)
1102 			fatal("%s line %d: bad address:port usage",
1103 			    filename, linenum);
1104 		p = cleanhostname(p);
1105 		if (arg == NULL)
1106 			port = 0;
1107 		else if ((port = a2port(arg)) <= 0)
1108 			fatal("%s line %d: bad port number", filename, linenum);
1109 
1110 		queue_listen_addr(options, p, port);
1111 
1112 		break;
1113 
1114 	case sAddressFamily:
1115 		intptr = &options->address_family;
1116 		multistate_ptr = multistate_addressfamily;
1117  parse_multistate:
1118 		arg = strdelim(&cp);
1119 		if (!arg || *arg == '\0')
1120 			fatal("%s line %d: missing argument.",
1121 			    filename, linenum);
1122 		value = -1;
1123 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1124 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1125 				value = multistate_ptr[i].value;
1126 				break;
1127 			}
1128 		}
1129 		if (value == -1)
1130 			fatal("%s line %d: unsupported option \"%s\".",
1131 			    filename, linenum, arg);
1132 		if (*activep && *intptr == -1)
1133 			*intptr = value;
1134 		break;
1135 
1136 	case sHostKeyFile:
1137 		intptr = &options->num_host_key_files;
1138 		if (*intptr >= MAX_HOSTKEYS)
1139 			fatal("%s line %d: too many host keys specified (max %d).",
1140 			    filename, linenum, MAX_HOSTKEYS);
1141 		charptr = &options->host_key_files[*intptr];
1142  parse_filename:
1143 		arg = strdelim(&cp);
1144 		if (!arg || *arg == '\0')
1145 			fatal("%s line %d: missing file name.",
1146 			    filename, linenum);
1147 		if (*activep && *charptr == NULL) {
1148 			*charptr = derelativise_path(arg);
1149 			/* increase optional counter */
1150 			if (intptr != NULL)
1151 				*intptr = *intptr + 1;
1152 		}
1153 		break;
1154 
1155 	case sHostKeyAgent:
1156 		charptr = &options->host_key_agent;
1157 		arg = strdelim(&cp);
1158 		if (!arg || *arg == '\0')
1159 			fatal("%s line %d: missing socket name.",
1160 			    filename, linenum);
1161 		if (*activep && *charptr == NULL)
1162 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1163 			    xstrdup(arg) : derelativise_path(arg);
1164 		break;
1165 
1166 	case sHostCertificate:
1167 		intptr = &options->num_host_cert_files;
1168 		if (*intptr >= MAX_HOSTKEYS)
1169 			fatal("%s line %d: too many host certificates "
1170 			    "specified (max %d).", filename, linenum,
1171 			    MAX_HOSTCERTS);
1172 		charptr = &options->host_cert_files[*intptr];
1173 		goto parse_filename;
1174 		break;
1175 
1176 	case sPidFile:
1177 		charptr = &options->pid_file;
1178 		goto parse_filename;
1179 
1180 	case sPermitRootLogin:
1181 		intptr = &options->permit_root_login;
1182 		multistate_ptr = multistate_permitrootlogin;
1183 		goto parse_multistate;
1184 
1185 	case sIgnoreRhosts:
1186 		intptr = &options->ignore_rhosts;
1187  parse_flag:
1188 		arg = strdelim(&cp);
1189 		if (!arg || *arg == '\0')
1190 			fatal("%s line %d: missing yes/no argument.",
1191 			    filename, linenum);
1192 		value = 0;	/* silence compiler */
1193 		if (strcmp(arg, "yes") == 0)
1194 			value = 1;
1195 		else if (strcmp(arg, "no") == 0)
1196 			value = 0;
1197 		else
1198 			fatal("%s line %d: Bad yes/no argument: %s",
1199 				filename, linenum, arg);
1200 		if (*activep && *intptr == -1)
1201 			*intptr = value;
1202 		break;
1203 
1204 	case sIgnoreUserKnownHosts:
1205 		intptr = &options->ignore_user_known_hosts;
1206 		goto parse_flag;
1207 
1208 	case sRhostsRSAAuthentication:
1209 		intptr = &options->rhosts_rsa_authentication;
1210 		goto parse_flag;
1211 
1212 	case sHostbasedAuthentication:
1213 		intptr = &options->hostbased_authentication;
1214 		goto parse_flag;
1215 
1216 	case sHostbasedUsesNameFromPacketOnly:
1217 		intptr = &options->hostbased_uses_name_from_packet_only;
1218 		goto parse_flag;
1219 
1220 	case sHostbasedAcceptedKeyTypes:
1221 		charptr = &options->hostbased_key_types;
1222  parse_keytypes:
1223 		arg = strdelim(&cp);
1224 		if (!arg || *arg == '\0')
1225 			fatal("%s line %d: Missing argument.",
1226 			    filename, linenum);
1227 		if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1228 			fatal("%s line %d: Bad key types '%s'.",
1229 			    filename, linenum, arg ? arg : "<NONE>");
1230 		if (*activep && *charptr == NULL)
1231 			*charptr = xstrdup(arg);
1232 		break;
1233 
1234 	case sHostKeyAlgorithms:
1235 		charptr = &options->hostkeyalgorithms;
1236 		goto parse_keytypes;
1237 
1238 	case sRSAAuthentication:
1239 		intptr = &options->rsa_authentication;
1240 		goto parse_flag;
1241 
1242 	case sPubkeyAuthentication:
1243 		intptr = &options->pubkey_authentication;
1244 		goto parse_flag;
1245 
1246 	case sPubkeyAcceptedKeyTypes:
1247 		charptr = &options->pubkey_key_types;
1248 		goto parse_keytypes;
1249 
1250 	case sKerberosAuthentication:
1251 		intptr = &options->kerberos_authentication;
1252 		goto parse_flag;
1253 
1254 	case sKerberosOrLocalPasswd:
1255 		intptr = &options->kerberos_or_local_passwd;
1256 		goto parse_flag;
1257 
1258 	case sKerberosTicketCleanup:
1259 		intptr = &options->kerberos_ticket_cleanup;
1260 		goto parse_flag;
1261 
1262 	case sKerberosGetAFSToken:
1263 		intptr = &options->kerberos_get_afs_token;
1264 		goto parse_flag;
1265 
1266 	case sGssAuthentication:
1267 		intptr = &options->gss_authentication;
1268 		goto parse_flag;
1269 
1270 	case sGssCleanupCreds:
1271 		intptr = &options->gss_cleanup_creds;
1272 		goto parse_flag;
1273 
1274 	case sGssStrictAcceptor:
1275 		intptr = &options->gss_strict_acceptor;
1276 		goto parse_flag;
1277 
1278 	case sPasswordAuthentication:
1279 		intptr = &options->password_authentication;
1280 		goto parse_flag;
1281 
1282 	case sKbdInteractiveAuthentication:
1283 		intptr = &options->kbd_interactive_authentication;
1284 		goto parse_flag;
1285 
1286 	case sChallengeResponseAuthentication:
1287 		intptr = &options->challenge_response_authentication;
1288 		goto parse_flag;
1289 
1290 	case sPrintMotd:
1291 		intptr = &options->print_motd;
1292 		goto parse_flag;
1293 
1294 	case sPrintLastLog:
1295 		intptr = &options->print_lastlog;
1296 		goto parse_flag;
1297 
1298 	case sX11Forwarding:
1299 		intptr = &options->x11_forwarding;
1300 		goto parse_flag;
1301 
1302 	case sX11DisplayOffset:
1303 		intptr = &options->x11_display_offset;
1304 		goto parse_int;
1305 
1306 	case sX11UseLocalhost:
1307 		intptr = &options->x11_use_localhost;
1308 		goto parse_flag;
1309 
1310 	case sXAuthLocation:
1311 		charptr = &options->xauth_location;
1312 		goto parse_filename;
1313 
1314 	case sPermitTTY:
1315 		intptr = &options->permit_tty;
1316 		goto parse_flag;
1317 
1318 	case sPermitUserRC:
1319 		intptr = &options->permit_user_rc;
1320 		goto parse_flag;
1321 
1322 	case sStrictModes:
1323 		intptr = &options->strict_modes;
1324 		goto parse_flag;
1325 
1326 	case sTCPKeepAlive:
1327 		intptr = &options->tcp_keep_alive;
1328 		goto parse_flag;
1329 
1330 	case sEmptyPasswd:
1331 		intptr = &options->permit_empty_passwd;
1332 		goto parse_flag;
1333 
1334 	case sPermitUserEnvironment:
1335 		intptr = &options->permit_user_env;
1336 		goto parse_flag;
1337 
1338 	case sUseLogin:
1339 		intptr = &options->use_login;
1340 		goto parse_flag;
1341 
1342 	case sCompression:
1343 		intptr = &options->compression;
1344 		multistate_ptr = multistate_compression;
1345 		goto parse_multistate;
1346 
1347 	case sRekeyLimit:
1348 		arg = strdelim(&cp);
1349 		if (!arg || *arg == '\0')
1350 			fatal("%.200s line %d: Missing argument.", filename,
1351 			    linenum);
1352 		if (strcmp(arg, "default") == 0) {
1353 			val64 = 0;
1354 		} else {
1355 			if (scan_scaled(arg, &val64) == -1)
1356 				fatal("%.200s line %d: Bad number '%s': %s",
1357 				    filename, linenum, arg, strerror(errno));
1358 			if (val64 != 0 && val64 < 16)
1359 				fatal("%.200s line %d: RekeyLimit too small",
1360 				    filename, linenum);
1361 		}
1362 		if (*activep && options->rekey_limit == -1)
1363 			options->rekey_limit = val64;
1364 		if (cp != NULL) { /* optional rekey interval present */
1365 			if (strcmp(cp, "none") == 0) {
1366 				(void)strdelim(&cp);	/* discard */
1367 				break;
1368 			}
1369 			intptr = &options->rekey_interval;
1370 			goto parse_time;
1371 		}
1372 		break;
1373 
1374 	case sGatewayPorts:
1375 		intptr = &options->fwd_opts.gateway_ports;
1376 		multistate_ptr = multistate_gatewayports;
1377 		goto parse_multistate;
1378 
1379 	case sUseDNS:
1380 		intptr = &options->use_dns;
1381 		goto parse_flag;
1382 
1383 	case sLogFacility:
1384 		log_facility_ptr = &options->log_facility;
1385 		arg = strdelim(&cp);
1386 		value = log_facility_number(arg);
1387 		if (value == SYSLOG_FACILITY_NOT_SET)
1388 			fatal("%.200s line %d: unsupported log facility '%s'",
1389 			    filename, linenum, arg ? arg : "<NONE>");
1390 		if (*log_facility_ptr == -1)
1391 			*log_facility_ptr = (SyslogFacility) value;
1392 		break;
1393 
1394 	case sLogLevel:
1395 		log_level_ptr = &options->log_level;
1396 		arg = strdelim(&cp);
1397 		value = log_level_number(arg);
1398 		if (value == SYSLOG_LEVEL_NOT_SET)
1399 			fatal("%.200s line %d: unsupported log level '%s'",
1400 			    filename, linenum, arg ? arg : "<NONE>");
1401 		if (*log_level_ptr == -1)
1402 			*log_level_ptr = (LogLevel) value;
1403 		break;
1404 
1405 	case sAllowTcpForwarding:
1406 		intptr = &options->allow_tcp_forwarding;
1407 		multistate_ptr = multistate_tcpfwd;
1408 		goto parse_multistate;
1409 
1410 	case sAllowStreamLocalForwarding:
1411 		intptr = &options->allow_streamlocal_forwarding;
1412 		multistate_ptr = multistate_tcpfwd;
1413 		goto parse_multistate;
1414 
1415 	case sAllowAgentForwarding:
1416 		intptr = &options->allow_agent_forwarding;
1417 		goto parse_flag;
1418 
1419 	case sUsePrivilegeSeparation:
1420 		intptr = &use_privsep;
1421 		multistate_ptr = multistate_privsep;
1422 		goto parse_multistate;
1423 
1424 	case sAllowUsers:
1425 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1426 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1427 				fatal("%s line %d: too many allow users.",
1428 				    filename, linenum);
1429 			if (!*activep)
1430 				continue;
1431 			options->allow_users[options->num_allow_users++] =
1432 			    xstrdup(arg);
1433 		}
1434 		break;
1435 
1436 	case sDenyUsers:
1437 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1438 			if (options->num_deny_users >= MAX_DENY_USERS)
1439 				fatal("%s line %d: too many deny users.",
1440 				    filename, linenum);
1441 			if (!*activep)
1442 				continue;
1443 			options->deny_users[options->num_deny_users++] =
1444 			    xstrdup(arg);
1445 		}
1446 		break;
1447 
1448 	case sAllowGroups:
1449 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1450 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1451 				fatal("%s line %d: too many allow groups.",
1452 				    filename, linenum);
1453 			if (!*activep)
1454 				continue;
1455 			options->allow_groups[options->num_allow_groups++] =
1456 			    xstrdup(arg);
1457 		}
1458 		break;
1459 
1460 	case sDenyGroups:
1461 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1462 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1463 				fatal("%s line %d: too many deny groups.",
1464 				    filename, linenum);
1465 			if (!*activep)
1466 				continue;
1467 			options->deny_groups[options->num_deny_groups++] =
1468 			    xstrdup(arg);
1469 		}
1470 		break;
1471 
1472 	case sCiphers:
1473 		arg = strdelim(&cp);
1474 		if (!arg || *arg == '\0')
1475 			fatal("%s line %d: Missing argument.", filename, linenum);
1476 		if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1477 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1478 			    filename, linenum, arg ? arg : "<NONE>");
1479 		if (options->ciphers == NULL)
1480 			options->ciphers = xstrdup(arg);
1481 		break;
1482 
1483 	case sMacs:
1484 		arg = strdelim(&cp);
1485 		if (!arg || *arg == '\0')
1486 			fatal("%s line %d: Missing argument.", filename, linenum);
1487 		if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1488 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1489 			    filename, linenum, arg ? arg : "<NONE>");
1490 		if (options->macs == NULL)
1491 			options->macs = xstrdup(arg);
1492 		break;
1493 
1494 	case sKexAlgorithms:
1495 		arg = strdelim(&cp);
1496 		if (!arg || *arg == '\0')
1497 			fatal("%s line %d: Missing argument.",
1498 			    filename, linenum);
1499 		if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1500 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1501 			    filename, linenum, arg ? arg : "<NONE>");
1502 		if (options->kex_algorithms == NULL)
1503 			options->kex_algorithms = xstrdup(arg);
1504 		break;
1505 
1506 	case sProtocol:
1507 		intptr = &options->protocol;
1508 		arg = strdelim(&cp);
1509 		if (!arg || *arg == '\0')
1510 			fatal("%s line %d: Missing argument.", filename, linenum);
1511 		value = proto_spec(arg);
1512 		if (value == SSH_PROTO_UNKNOWN)
1513 			fatal("%s line %d: Bad protocol spec '%s'.",
1514 			    filename, linenum, arg ? arg : "<NONE>");
1515 		if (*intptr == SSH_PROTO_UNKNOWN)
1516 			*intptr = value;
1517 		break;
1518 
1519 	case sSubsystem:
1520 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1521 			fatal("%s line %d: too many subsystems defined.",
1522 			    filename, linenum);
1523 		}
1524 		arg = strdelim(&cp);
1525 		if (!arg || *arg == '\0')
1526 			fatal("%s line %d: Missing subsystem name.",
1527 			    filename, linenum);
1528 		if (!*activep) {
1529 			arg = strdelim(&cp);
1530 			break;
1531 		}
1532 		for (i = 0; i < options->num_subsystems; i++)
1533 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1534 				fatal("%s line %d: Subsystem '%s' already defined.",
1535 				    filename, linenum, arg);
1536 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1537 		arg = strdelim(&cp);
1538 		if (!arg || *arg == '\0')
1539 			fatal("%s line %d: Missing subsystem command.",
1540 			    filename, linenum);
1541 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1542 
1543 		/* Collect arguments (separate to executable) */
1544 		p = xstrdup(arg);
1545 		len = strlen(p) + 1;
1546 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1547 			len += 1 + strlen(arg);
1548 			p = xreallocarray(p, 1, len);
1549 			strlcat(p, " ", len);
1550 			strlcat(p, arg, len);
1551 		}
1552 		options->subsystem_args[options->num_subsystems] = p;
1553 		options->num_subsystems++;
1554 		break;
1555 
1556 	case sMaxStartups:
1557 		arg = strdelim(&cp);
1558 		if (!arg || *arg == '\0')
1559 			fatal("%s line %d: Missing MaxStartups spec.",
1560 			    filename, linenum);
1561 		if ((n = sscanf(arg, "%d:%d:%d",
1562 		    &options->max_startups_begin,
1563 		    &options->max_startups_rate,
1564 		    &options->max_startups)) == 3) {
1565 			if (options->max_startups_begin >
1566 			    options->max_startups ||
1567 			    options->max_startups_rate > 100 ||
1568 			    options->max_startups_rate < 1)
1569 				fatal("%s line %d: Illegal MaxStartups spec.",
1570 				    filename, linenum);
1571 		} else if (n != 1)
1572 			fatal("%s line %d: Illegal MaxStartups spec.",
1573 			    filename, linenum);
1574 		else
1575 			options->max_startups = options->max_startups_begin;
1576 		break;
1577 
1578 	case sMaxAuthTries:
1579 		intptr = &options->max_authtries;
1580 		goto parse_int;
1581 
1582 	case sMaxSessions:
1583 		intptr = &options->max_sessions;
1584 		goto parse_int;
1585 
1586 	case sBanner:
1587 		charptr = &options->banner;
1588 		goto parse_filename;
1589 
1590 	/*
1591 	 * These options can contain %X options expanded at
1592 	 * connect time, so that you can specify paths like:
1593 	 *
1594 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1595 	 */
1596 	case sAuthorizedKeysFile:
1597 		if (*activep && options->num_authkeys_files == 0) {
1598 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1599 				if (options->num_authkeys_files >=
1600 				    MAX_AUTHKEYS_FILES)
1601 					fatal("%s line %d: "
1602 					    "too many authorized keys files.",
1603 					    filename, linenum);
1604 				options->authorized_keys_files[
1605 				    options->num_authkeys_files++] =
1606 				    tilde_expand_filename(arg, getuid());
1607 			}
1608 		}
1609 		return 0;
1610 
1611 	case sAuthorizedPrincipalsFile:
1612 		charptr = &options->authorized_principals_file;
1613 		arg = strdelim(&cp);
1614 		if (!arg || *arg == '\0')
1615 			fatal("%s line %d: missing file name.",
1616 			    filename, linenum);
1617 		if (*activep && *charptr == NULL) {
1618 			*charptr = tilde_expand_filename(arg, getuid());
1619 			/* increase optional counter */
1620 			if (intptr != NULL)
1621 				*intptr = *intptr + 1;
1622 		}
1623 		break;
1624 
1625 	case sClientAliveInterval:
1626 		intptr = &options->client_alive_interval;
1627 		goto parse_time;
1628 
1629 	case sClientAliveCountMax:
1630 		intptr = &options->client_alive_count_max;
1631 		goto parse_int;
1632 
1633 	case sAcceptEnv:
1634 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1635 			if (strchr(arg, '=') != NULL)
1636 				fatal("%s line %d: Invalid environment name.",
1637 				    filename, linenum);
1638 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1639 				fatal("%s line %d: too many allow env.",
1640 				    filename, linenum);
1641 			if (!*activep)
1642 				continue;
1643 			options->accept_env[options->num_accept_env++] =
1644 			    xstrdup(arg);
1645 		}
1646 		break;
1647 
1648 	case sPermitTunnel:
1649 		intptr = &options->permit_tun;
1650 		arg = strdelim(&cp);
1651 		if (!arg || *arg == '\0')
1652 			fatal("%s line %d: Missing yes/point-to-point/"
1653 			    "ethernet/no argument.", filename, linenum);
1654 		value = -1;
1655 		for (i = 0; tunmode_desc[i].val != -1; i++)
1656 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1657 				value = tunmode_desc[i].val;
1658 				break;
1659 			}
1660 		if (value == -1)
1661 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1662 			    "no argument: %s", filename, linenum, arg);
1663 		if (*activep && *intptr == -1)
1664 			*intptr = value;
1665 		break;
1666 
1667 	case sMatch:
1668 		if (cmdline)
1669 			fatal("Match directive not supported as a command-line "
1670 			   "option");
1671 		value = match_cfg_line(&cp, linenum, connectinfo);
1672 		if (value < 0)
1673 			fatal("%s line %d: Bad Match condition", filename,
1674 			    linenum);
1675 		*activep = value;
1676 		break;
1677 
1678 	case sPermitOpen:
1679 		arg = strdelim(&cp);
1680 		if (!arg || *arg == '\0')
1681 			fatal("%s line %d: missing PermitOpen specification",
1682 			    filename, linenum);
1683 		n = options->num_permitted_opens;	/* modified later */
1684 		if (strcmp(arg, "any") == 0) {
1685 			if (*activep && n == -1) {
1686 				channel_clear_adm_permitted_opens();
1687 				options->num_permitted_opens = 0;
1688 			}
1689 			break;
1690 		}
1691 		if (strcmp(arg, "none") == 0) {
1692 			if (*activep && n == -1) {
1693 				options->num_permitted_opens = 1;
1694 				channel_disable_adm_local_opens();
1695 			}
1696 			break;
1697 		}
1698 		if (*activep && n == -1)
1699 			channel_clear_adm_permitted_opens();
1700 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1701 			p = hpdelim(&arg);
1702 			if (p == NULL)
1703 				fatal("%s line %d: missing host in PermitOpen",
1704 				    filename, linenum);
1705 			p = cleanhostname(p);
1706 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1707 				fatal("%s line %d: bad port number in "
1708 				    "PermitOpen", filename, linenum);
1709 			if (*activep && n == -1)
1710 				options->num_permitted_opens =
1711 				    channel_add_adm_permitted_opens(p, port);
1712 		}
1713 		break;
1714 
1715 	case sForceCommand:
1716 		if (cp == NULL || *cp == '\0')
1717 			fatal("%.200s line %d: Missing argument.", filename,
1718 			    linenum);
1719 		len = strspn(cp, WHITESPACE);
1720 		if (*activep && options->adm_forced_command == NULL)
1721 			options->adm_forced_command = xstrdup(cp + len);
1722 		return 0;
1723 
1724 	case sChrootDirectory:
1725 		charptr = &options->chroot_directory;
1726 
1727 		arg = strdelim(&cp);
1728 		if (!arg || *arg == '\0')
1729 			fatal("%s line %d: missing file name.",
1730 			    filename, linenum);
1731 		if (*activep && *charptr == NULL)
1732 			*charptr = xstrdup(arg);
1733 		break;
1734 
1735 	case sTrustedUserCAKeys:
1736 		charptr = &options->trusted_user_ca_keys;
1737 		goto parse_filename;
1738 
1739 	case sRevokedKeys:
1740 		charptr = &options->revoked_keys_file;
1741 		goto parse_filename;
1742 
1743 	case sIPQoS:
1744 		arg = strdelim(&cp);
1745 		if ((value = parse_ipqos(arg)) == -1)
1746 			fatal("%s line %d: Bad IPQoS value: %s",
1747 			    filename, linenum, arg);
1748 		arg = strdelim(&cp);
1749 		if (arg == NULL)
1750 			value2 = value;
1751 		else if ((value2 = parse_ipqos(arg)) == -1)
1752 			fatal("%s line %d: Bad IPQoS value: %s",
1753 			    filename, linenum, arg);
1754 		if (*activep) {
1755 			options->ip_qos_interactive = value;
1756 			options->ip_qos_bulk = value2;
1757 		}
1758 		break;
1759 
1760 	case sVersionAddendum:
1761 		if (cp == NULL || *cp == '\0')
1762 			fatal("%.200s line %d: Missing argument.", filename,
1763 			    linenum);
1764 		len = strspn(cp, WHITESPACE);
1765 		if (*activep && options->version_addendum == NULL) {
1766 			if (strcasecmp(cp + len, "none") == 0)
1767 				options->version_addendum = xstrdup("");
1768 			else if (strchr(cp + len, '\r') != NULL)
1769 				fatal("%.200s line %d: Invalid argument",
1770 				    filename, linenum);
1771 			else
1772 				options->version_addendum = xstrdup(cp + len);
1773 		}
1774 		return 0;
1775 
1776 	case sAuthorizedKeysCommand:
1777 		if (cp == NULL)
1778 			fatal("%.200s line %d: Missing argument.", filename,
1779 			    linenum);
1780 		len = strspn(cp, WHITESPACE);
1781 		if (*activep && options->authorized_keys_command == NULL) {
1782 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1783 				fatal("%.200s line %d: AuthorizedKeysCommand "
1784 				    "must be an absolute path",
1785 				    filename, linenum);
1786 			options->authorized_keys_command = xstrdup(cp + len);
1787 		}
1788 		return 0;
1789 
1790 	case sAuthorizedKeysCommandUser:
1791 		charptr = &options->authorized_keys_command_user;
1792 
1793 		arg = strdelim(&cp);
1794 		if (!arg || *arg == '\0')
1795 			fatal("%s line %d: missing AuthorizedKeysCommandUser "
1796 			    "argument.", filename, linenum);
1797 		if (*activep && *charptr == NULL)
1798 			*charptr = xstrdup(arg);
1799 		break;
1800 
1801 	case sAuthorizedPrincipalsCommand:
1802 		if (cp == NULL)
1803 			fatal("%.200s line %d: Missing argument.", filename,
1804 			    linenum);
1805 		len = strspn(cp, WHITESPACE);
1806 		if (*activep &&
1807 		    options->authorized_principals_command == NULL) {
1808 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1809 				fatal("%.200s line %d: "
1810 				    "AuthorizedPrincipalsCommand must be "
1811 				    "an absolute path", filename, linenum);
1812 			options->authorized_principals_command =
1813 			    xstrdup(cp + len);
1814 		}
1815 		return 0;
1816 
1817 	case sAuthorizedPrincipalsCommandUser:
1818 		charptr = &options->authorized_principals_command_user;
1819 
1820 		arg = strdelim(&cp);
1821 		if (!arg || *arg == '\0')
1822 			fatal("%s line %d: missing "
1823 			    "AuthorizedPrincipalsCommandUser argument.",
1824 			    filename, linenum);
1825 		if (*activep && *charptr == NULL)
1826 			*charptr = xstrdup(arg);
1827 		break;
1828 
1829 	case sAuthenticationMethods:
1830 		if (options->num_auth_methods == 0) {
1831 			value = 0; /* seen "any" pseudo-method */
1832 			value2 = 0; /* sucessfully parsed any method */
1833 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1834 				if (options->num_auth_methods >=
1835 				    MAX_AUTH_METHODS)
1836 					fatal("%s line %d: "
1837 					    "too many authentication methods.",
1838 					    filename, linenum);
1839 				if (strcmp(arg, "any") == 0) {
1840 					if (options->num_auth_methods > 0) {
1841 						fatal("%s line %d: \"any\" "
1842 						    "must appear alone in "
1843 						    "AuthenticationMethods",
1844 						    filename, linenum);
1845 					}
1846 					value = 1;
1847 				} else if (value) {
1848 					fatal("%s line %d: \"any\" must appear "
1849 					    "alone in AuthenticationMethods",
1850 					    filename, linenum);
1851 				} else if (auth2_methods_valid(arg, 0) != 0) {
1852 					fatal("%s line %d: invalid "
1853 					    "authentication method list.",
1854 					    filename, linenum);
1855 				}
1856 				value2 = 1;
1857 				if (!*activep)
1858 					continue;
1859 				options->auth_methods[
1860 				    options->num_auth_methods++] = xstrdup(arg);
1861 			}
1862 			if (value2 == 0) {
1863 				fatal("%s line %d: no AuthenticationMethods "
1864 				    "specified", filename, linenum);
1865 			}
1866 		}
1867 		return 0;
1868 
1869 	case sStreamLocalBindMask:
1870 		arg = strdelim(&cp);
1871 		if (!arg || *arg == '\0')
1872 			fatal("%s line %d: missing StreamLocalBindMask "
1873 			    "argument.", filename, linenum);
1874 		/* Parse mode in octal format */
1875 		value = strtol(arg, &p, 8);
1876 		if (arg == p || value < 0 || value > 0777)
1877 			fatal("%s line %d: Bad mask.", filename, linenum);
1878 		if (*activep)
1879 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1880 		break;
1881 
1882 	case sStreamLocalBindUnlink:
1883 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
1884 		goto parse_flag;
1885 
1886 	case sFingerprintHash:
1887 		arg = strdelim(&cp);
1888 		if (!arg || *arg == '\0')
1889 			fatal("%.200s line %d: Missing argument.",
1890 			    filename, linenum);
1891 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
1892 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1893 			    filename, linenum, arg);
1894 		if (*activep)
1895 			options->fingerprint_hash = value;
1896 		break;
1897 
1898 	case sUseBlacklist:
1899 		intptr = &options->use_blacklist;
1900 		goto parse_flag;
1901 
1902 	case sDeprecated:
1903 		logit("%s line %d: Deprecated option %s",
1904 		    filename, linenum, arg);
1905 		while (arg)
1906 		    arg = strdelim(&cp);
1907 		break;
1908 
1909 	case sUnsupported:
1910 		logit("%s line %d: Unsupported option %s",
1911 		    filename, linenum, arg);
1912 		while (arg)
1913 		    arg = strdelim(&cp);
1914 		break;
1915 
1916 	default:
1917 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1918 		    filename, linenum, arg, opcode);
1919 	}
1920 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1921 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1922 		    filename, linenum, arg);
1923 	return 0;
1924 }
1925 
1926 /* Reads the server configuration file. */
1927 
1928 void
1929 load_server_config(const char *filename, Buffer *conf)
1930 {
1931 	char line[4096], *cp;
1932 	FILE *f;
1933 	int lineno = 0;
1934 
1935 	debug2("%s: filename %s", __func__, filename);
1936 	if ((f = fopen(filename, "r")) == NULL) {
1937 		perror(filename);
1938 		exit(1);
1939 	}
1940 	buffer_clear(conf);
1941 	while (fgets(line, sizeof(line), f)) {
1942 		lineno++;
1943 		if (strlen(line) == sizeof(line) - 1)
1944 			fatal("%s line %d too long", filename, lineno);
1945 		/*
1946 		 * Trim out comments and strip whitespace
1947 		 * NB - preserve newlines, they are needed to reproduce
1948 		 * line numbers later for error messages
1949 		 */
1950 		if ((cp = strchr(line, '#')) != NULL)
1951 			memcpy(cp, "\n", 2);
1952 		cp = line + strspn(line, " \t\r");
1953 
1954 		buffer_append(conf, cp, strlen(cp));
1955 	}
1956 	buffer_append(conf, "\0", 1);
1957 	fclose(f);
1958 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1959 }
1960 
1961 void
1962 parse_server_match_config(ServerOptions *options,
1963    struct connection_info *connectinfo)
1964 {
1965 	ServerOptions mo;
1966 
1967 	initialize_server_options(&mo);
1968 	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1969 	copy_set_server_options(options, &mo, 0);
1970 }
1971 
1972 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1973 {
1974 	char *p;
1975 
1976 	while ((p = strsep(&spec, ",")) && *p != '\0') {
1977 		if (strncmp(p, "addr=", 5) == 0) {
1978 			ci->address = xstrdup(p + 5);
1979 		} else if (strncmp(p, "host=", 5) == 0) {
1980 			ci->host = xstrdup(p + 5);
1981 		} else if (strncmp(p, "user=", 5) == 0) {
1982 			ci->user = xstrdup(p + 5);
1983 		} else if (strncmp(p, "laddr=", 6) == 0) {
1984 			ci->laddress = xstrdup(p + 6);
1985 		} else if (strncmp(p, "lport=", 6) == 0) {
1986 			ci->lport = a2port(p + 6);
1987 			if (ci->lport == -1) {
1988 				fprintf(stderr, "Invalid port '%s' in test mode"
1989 				   " specification %s\n", p+6, p);
1990 				return -1;
1991 			}
1992 		} else {
1993 			fprintf(stderr, "Invalid test mode specification %s\n",
1994 			   p);
1995 			return -1;
1996 		}
1997 	}
1998 	return 0;
1999 }
2000 
2001 /*
2002  * returns 1 for a complete spec, 0 for partial spec and -1 for an
2003  * empty spec.
2004  */
2005 int server_match_spec_complete(struct connection_info *ci)
2006 {
2007 	if (ci->user && ci->host && ci->address)
2008 		return 1;	/* complete */
2009 	if (!ci->user && !ci->host && !ci->address)
2010 		return -1;	/* empty */
2011 	return 0;	/* partial */
2012 }
2013 
2014 /*
2015  * Copy any supported values that are set.
2016  *
2017  * If the preauth flag is set, we do not bother copying the string or
2018  * array values that are not used pre-authentication, because any that we
2019  * do use must be explictly sent in mm_getpwnamallow().
2020  */
2021 void
2022 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2023 {
2024 #define M_CP_INTOPT(n) do {\
2025 	if (src->n != -1) \
2026 		dst->n = src->n; \
2027 } while (0)
2028 
2029 	M_CP_INTOPT(password_authentication);
2030 	M_CP_INTOPT(gss_authentication);
2031 	M_CP_INTOPT(rsa_authentication);
2032 	M_CP_INTOPT(pubkey_authentication);
2033 	M_CP_INTOPT(kerberos_authentication);
2034 	M_CP_INTOPT(hostbased_authentication);
2035 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2036 	M_CP_INTOPT(kbd_interactive_authentication);
2037 	M_CP_INTOPT(permit_root_login);
2038 	M_CP_INTOPT(permit_empty_passwd);
2039 
2040 	M_CP_INTOPT(allow_tcp_forwarding);
2041 	M_CP_INTOPT(allow_streamlocal_forwarding);
2042 	M_CP_INTOPT(allow_agent_forwarding);
2043 	M_CP_INTOPT(permit_tun);
2044 	M_CP_INTOPT(fwd_opts.gateway_ports);
2045 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2046 	M_CP_INTOPT(x11_display_offset);
2047 	M_CP_INTOPT(x11_forwarding);
2048 	M_CP_INTOPT(x11_use_localhost);
2049 	M_CP_INTOPT(permit_tty);
2050 	M_CP_INTOPT(permit_user_rc);
2051 	M_CP_INTOPT(max_sessions);
2052 	M_CP_INTOPT(max_authtries);
2053 	M_CP_INTOPT(ip_qos_interactive);
2054 	M_CP_INTOPT(ip_qos_bulk);
2055 	M_CP_INTOPT(rekey_limit);
2056 	M_CP_INTOPT(rekey_interval);
2057 
2058 	/*
2059 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2060 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2061 	 * warnings.
2062 	 */
2063 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2064 		dst->fwd_opts.streamlocal_bind_mask =
2065 		    src->fwd_opts.streamlocal_bind_mask;
2066 	}
2067 
2068 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2069 #define M_CP_STROPT(n) do {\
2070 	if (src->n != NULL && dst->n != src->n) { \
2071 		free(dst->n); \
2072 		dst->n = src->n; \
2073 	} \
2074 } while(0)
2075 #define M_CP_STRARRAYOPT(n, num_n) do {\
2076 	if (src->num_n != 0) { \
2077 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2078 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2079 	} \
2080 } while(0)
2081 
2082 	/* See comment in servconf.h */
2083 	COPY_MATCH_STRING_OPTS();
2084 
2085 	/* Arguments that accept '+...' need to be expanded */
2086 	assemble_algorithms(dst);
2087 
2088 	/*
2089 	 * The only things that should be below this point are string options
2090 	 * which are only used after authentication.
2091 	 */
2092 	if (preauth)
2093 		return;
2094 
2095 	/* These options may be "none" to clear a global setting */
2096 	M_CP_STROPT(adm_forced_command);
2097 	if (option_clear_or_none(dst->adm_forced_command)) {
2098 		free(dst->adm_forced_command);
2099 		dst->adm_forced_command = NULL;
2100 	}
2101 	M_CP_STROPT(chroot_directory);
2102 	if (option_clear_or_none(dst->chroot_directory)) {
2103 		free(dst->chroot_directory);
2104 		dst->chroot_directory = NULL;
2105 	}
2106 }
2107 
2108 #undef M_CP_INTOPT
2109 #undef M_CP_STROPT
2110 #undef M_CP_STRARRAYOPT
2111 
2112 void
2113 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2114     struct connection_info *connectinfo)
2115 {
2116 	int active, linenum, bad_options = 0;
2117 	char *cp, *obuf, *cbuf;
2118 
2119 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2120 
2121 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2122 		fatal("%s: sshbuf_dup_string failed", __func__);
2123 	active = connectinfo ? 0 : 1;
2124 	linenum = 1;
2125 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2126 		if (process_server_config_line(options, cp, filename,
2127 		    linenum++, &active, connectinfo) != 0)
2128 			bad_options++;
2129 	}
2130 	free(obuf);
2131 	if (bad_options > 0)
2132 		fatal("%s: terminating, %d bad configuration options",
2133 		    filename, bad_options);
2134 	process_queued_listen_addrs(options);
2135 }
2136 
2137 static const char *
2138 fmt_multistate_int(int val, const struct multistate *m)
2139 {
2140 	u_int i;
2141 
2142 	for (i = 0; m[i].key != NULL; i++) {
2143 		if (m[i].value == val)
2144 			return m[i].key;
2145 	}
2146 	return "UNKNOWN";
2147 }
2148 
2149 static const char *
2150 fmt_intarg(ServerOpCodes code, int val)
2151 {
2152 	if (val == -1)
2153 		return "unset";
2154 	switch (code) {
2155 	case sAddressFamily:
2156 		return fmt_multistate_int(val, multistate_addressfamily);
2157 	case sPermitRootLogin:
2158 		return fmt_multistate_int(val, multistate_permitrootlogin);
2159 	case sGatewayPorts:
2160 		return fmt_multistate_int(val, multistate_gatewayports);
2161 	case sCompression:
2162 		return fmt_multistate_int(val, multistate_compression);
2163 	case sUsePrivilegeSeparation:
2164 		return fmt_multistate_int(val, multistate_privsep);
2165 	case sAllowTcpForwarding:
2166 		return fmt_multistate_int(val, multistate_tcpfwd);
2167 	case sAllowStreamLocalForwarding:
2168 		return fmt_multistate_int(val, multistate_tcpfwd);
2169 	case sFingerprintHash:
2170 		return ssh_digest_alg_name(val);
2171 	case sProtocol:
2172 		switch (val) {
2173 		case SSH_PROTO_1:
2174 			return "1";
2175 		case SSH_PROTO_2:
2176 			return "2";
2177 		case (SSH_PROTO_1|SSH_PROTO_2):
2178 			return "2,1";
2179 		default:
2180 			return "UNKNOWN";
2181 		}
2182 	default:
2183 		switch (val) {
2184 		case 0:
2185 			return "no";
2186 		case 1:
2187 			return "yes";
2188 		default:
2189 			return "UNKNOWN";
2190 		}
2191 	}
2192 }
2193 
2194 static const char *
2195 lookup_opcode_name(ServerOpCodes code)
2196 {
2197 	u_int i;
2198 
2199 	for (i = 0; keywords[i].name != NULL; i++)
2200 		if (keywords[i].opcode == code)
2201 			return(keywords[i].name);
2202 	return "UNKNOWN";
2203 }
2204 
2205 static void
2206 dump_cfg_int(ServerOpCodes code, int val)
2207 {
2208 	printf("%s %d\n", lookup_opcode_name(code), val);
2209 }
2210 
2211 static void
2212 dump_cfg_oct(ServerOpCodes code, int val)
2213 {
2214 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2215 }
2216 
2217 static void
2218 dump_cfg_fmtint(ServerOpCodes code, int val)
2219 {
2220 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2221 }
2222 
2223 static void
2224 dump_cfg_string(ServerOpCodes code, const char *val)
2225 {
2226 	if (val == NULL)
2227 		return;
2228 	printf("%s %s\n", lookup_opcode_name(code),
2229 	    val == NULL ? "none" : val);
2230 }
2231 
2232 static void
2233 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2234 {
2235 	u_int i;
2236 
2237 	for (i = 0; i < count; i++)
2238 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2239 }
2240 
2241 static void
2242 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2243 {
2244 	u_int i;
2245 
2246 	if (count <= 0 && code != sAuthenticationMethods)
2247 		return;
2248 	printf("%s", lookup_opcode_name(code));
2249 	for (i = 0; i < count; i++)
2250 		printf(" %s",  vals[i]);
2251 	if (code == sAuthenticationMethods && count == 0)
2252 		printf(" any");
2253 	printf("\n");
2254 }
2255 
2256 void
2257 dump_config(ServerOptions *o)
2258 {
2259 	u_int i;
2260 	int ret;
2261 	struct addrinfo *ai;
2262 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2263 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2264 
2265 	/* these are usually at the top of the config */
2266 	for (i = 0; i < o->num_ports; i++)
2267 		printf("port %d\n", o->ports[i]);
2268 	dump_cfg_fmtint(sProtocol, o->protocol);
2269 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2270 
2271 	/*
2272 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2273 	 * addresses onto a stack, so to maintain ordering we need to
2274 	 * print these in reverse order.
2275 	 */
2276 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2277 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2278 		    sizeof(addr), port, sizeof(port),
2279 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2280 			error("getnameinfo failed: %.100s",
2281 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2282 			    strerror(errno));
2283 		} else {
2284 			laddr2 = laddr1;
2285 			if (ai->ai_family == AF_INET6)
2286 				xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2287 				    addr, port, laddr2);
2288 			else
2289 				xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2290 				    addr, port, laddr2);
2291 			free(laddr2);
2292 		}
2293 	}
2294 	printf("%s", laddr1);
2295 	free(laddr1);
2296 
2297 	/* integer arguments */
2298 #ifdef USE_PAM
2299 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2300 #endif
2301 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
2302 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2303 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2304 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2305 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2306 	dump_cfg_int(sMaxSessions, o->max_sessions);
2307 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2308 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2309 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2310 
2311 	/* formatted integer arguments */
2312 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2313 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2314 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2315 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2316 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2317 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2318 	    o->hostbased_uses_name_from_packet_only);
2319 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2320 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2321 #ifdef KRB5
2322 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2323 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2324 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2325 # ifdef USE_AFS
2326 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2327 # endif
2328 #endif
2329 #ifdef GSSAPI
2330 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2331 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2332 #endif
2333 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2334 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2335 	    o->kbd_interactive_authentication);
2336 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2337 	    o->challenge_response_authentication);
2338 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2339 #ifndef DISABLE_LASTLOG
2340 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2341 #endif
2342 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2343 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2344 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2345 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2346 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2347 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2348 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2349 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2350 	dump_cfg_fmtint(sUseLogin, o->use_login);
2351 	dump_cfg_fmtint(sCompression, o->compression);
2352 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2353 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2354 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2355 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2356 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2357 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2358 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2359 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2360 	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
2361 
2362 	/* string arguments */
2363 	dump_cfg_string(sPidFile, o->pid_file);
2364 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2365 	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2366 	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2367 	dump_cfg_string(sBanner, o->banner);
2368 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2369 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2370 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2371 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2372 	dump_cfg_string(sAuthorizedPrincipalsFile,
2373 	    o->authorized_principals_file);
2374 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2375 	    ? "none" : o->version_addendum);
2376 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2377 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2378 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2379 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2380 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2381 	dump_cfg_string(sKexAlgorithms,
2382 	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2383 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2384 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2385 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2386 	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2387 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2388 	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2389 
2390 	/* string arguments requiring a lookup */
2391 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2392 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2393 
2394 	/* string array arguments */
2395 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2396 	    o->authorized_keys_files);
2397 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2398 	     o->host_key_files);
2399 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2400 	     o->host_cert_files);
2401 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2402 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2403 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2404 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2405 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2406 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2407 	    o->num_auth_methods, o->auth_methods);
2408 
2409 	/* other arguments */
2410 	for (i = 0; i < o->num_subsystems; i++)
2411 		printf("subsystem %s %s\n", o->subsystem_name[i],
2412 		    o->subsystem_args[i]);
2413 
2414 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2415 	    o->max_startups_rate, o->max_startups);
2416 
2417 	for (i = 0; tunmode_desc[i].val != -1; i++)
2418 		if (tunmode_desc[i].val == o->permit_tun) {
2419 			s = tunmode_desc[i].text;
2420 			break;
2421 		}
2422 	dump_cfg_string(sPermitTunnel, s);
2423 
2424 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2425 	printf("%s\n", iptos2str(o->ip_qos_bulk));
2426 
2427 	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2428 	    o->rekey_interval);
2429 
2430 	channel_print_adm_permitted_opens();
2431 }
2432