xref: /freebsd/crypto/openssh/servconf.c (revision 6574b8ed19b093f0af09501d2c9676c28993cb97)
1 
2 /* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
3 /* $FreeBSD$ */
4 /*
5  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6  *                    All rights reserved
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  */
14 
15 #include "includes.h"
16 __RCSID("$FreeBSD$");
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
24 
25 #include <ctype.h>
26 #include <netdb.h>
27 #include <pwd.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <signal.h>
32 #include <unistd.h>
33 #include <stdarg.h>
34 #include <errno.h>
35 #ifdef HAVE_UTIL_H
36 #include <util.h>
37 #endif
38 
39 #include "openbsd-compat/sys-queue.h"
40 #include "xmalloc.h"
41 #include "ssh.h"
42 #include "log.h"
43 #include "buffer.h"
44 #include "servconf.h"
45 #include "compat.h"
46 #include "pathnames.h"
47 #include "misc.h"
48 #include "cipher.h"
49 #include "key.h"
50 #include "kex.h"
51 #include "mac.h"
52 #include "match.h"
53 #include "channels.h"
54 #include "groupaccess.h"
55 #include "canohost.h"
56 #include "packet.h"
57 #include "hostfile.h"
58 #include "auth.h"
59 #include "version.h"
60 
61 static void add_listen_addr(ServerOptions *, char *, int);
62 static void add_one_listen_addr(ServerOptions *, char *, int);
63 
64 /* Use of privilege separation or not */
65 extern int use_privsep;
66 extern Buffer cfg;
67 
68 /* Initializes the server options to their default values. */
69 
70 void
71 initialize_server_options(ServerOptions *options)
72 {
73 	memset(options, 0, sizeof(*options));
74 
75 	/* Portable-specific options */
76 	options->use_pam = -1;
77 
78 	/* Standard Options */
79 	options->num_ports = 0;
80 	options->ports_from_cmdline = 0;
81 	options->listen_addrs = NULL;
82 	options->address_family = -1;
83 	options->num_host_key_files = 0;
84 	options->num_host_cert_files = 0;
85 	options->host_key_agent = NULL;
86 	options->pid_file = NULL;
87 	options->server_key_bits = -1;
88 	options->login_grace_time = -1;
89 	options->key_regeneration_time = -1;
90 	options->permit_root_login = PERMIT_NOT_SET;
91 	options->ignore_rhosts = -1;
92 	options->ignore_user_known_hosts = -1;
93 	options->print_motd = -1;
94 	options->print_lastlog = -1;
95 	options->x11_forwarding = -1;
96 	options->x11_display_offset = -1;
97 	options->x11_use_localhost = -1;
98 	options->permit_tty = -1;
99 	options->xauth_location = NULL;
100 	options->strict_modes = -1;
101 	options->tcp_keep_alive = -1;
102 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
103 	options->log_level = SYSLOG_LEVEL_NOT_SET;
104 	options->rhosts_rsa_authentication = -1;
105 	options->hostbased_authentication = -1;
106 	options->hostbased_uses_name_from_packet_only = -1;
107 	options->rsa_authentication = -1;
108 	options->pubkey_authentication = -1;
109 	options->kerberos_authentication = -1;
110 	options->kerberos_or_local_passwd = -1;
111 	options->kerberos_ticket_cleanup = -1;
112 	options->kerberos_get_afs_token = -1;
113 	options->gss_authentication=-1;
114 	options->gss_cleanup_creds = -1;
115 	options->password_authentication = -1;
116 	options->kbd_interactive_authentication = -1;
117 	options->challenge_response_authentication = -1;
118 	options->permit_empty_passwd = -1;
119 	options->permit_user_env = -1;
120 	options->use_login = -1;
121 	options->compression = -1;
122 	options->rekey_limit = -1;
123 	options->rekey_interval = -1;
124 	options->allow_tcp_forwarding = -1;
125 	options->allow_agent_forwarding = -1;
126 	options->num_allow_users = 0;
127 	options->num_deny_users = 0;
128 	options->num_allow_groups = 0;
129 	options->num_deny_groups = 0;
130 	options->ciphers = NULL;
131 	options->macs = NULL;
132 	options->kex_algorithms = NULL;
133 	options->protocol = SSH_PROTO_UNKNOWN;
134 	options->gateway_ports = -1;
135 	options->num_subsystems = 0;
136 	options->max_startups_begin = -1;
137 	options->max_startups_rate = -1;
138 	options->max_startups = -1;
139 	options->max_authtries = -1;
140 	options->max_sessions = -1;
141 	options->banner = NULL;
142 	options->use_dns = -1;
143 	options->client_alive_interval = -1;
144 	options->client_alive_count_max = -1;
145 	options->num_authkeys_files = 0;
146 	options->num_accept_env = 0;
147 	options->permit_tun = -1;
148 	options->num_permitted_opens = -1;
149 	options->adm_forced_command = NULL;
150 	options->chroot_directory = NULL;
151 	options->authorized_keys_command = NULL;
152 	options->authorized_keys_command_user = NULL;
153 	options->revoked_keys_file = NULL;
154 	options->trusted_user_ca_keys = NULL;
155 	options->authorized_principals_file = NULL;
156 	options->ip_qos_interactive = -1;
157 	options->ip_qos_bulk = -1;
158 	options->version_addendum = NULL;
159 	options->hpn_disabled = -1;
160 	options->hpn_buffer_size = -1;
161 	options->tcp_rcv_buf_poll = -1;
162 #ifdef	NONE_CIPHER_ENABLED
163 	options->none_enabled = -1;
164 #endif
165 }
166 
167 void
168 fill_default_server_options(ServerOptions *options)
169 {
170 	/* Portable-specific options */
171 	if (options->use_pam == -1)
172 		options->use_pam = 1;
173 
174 	/* Standard Options */
175 	if (options->protocol == SSH_PROTO_UNKNOWN)
176 		options->protocol = SSH_PROTO_2;
177 	if (options->num_host_key_files == 0) {
178 		/* fill default hostkeys for protocols */
179 		if (options->protocol & SSH_PROTO_1)
180 			options->host_key_files[options->num_host_key_files++] =
181 			    _PATH_HOST_KEY_FILE;
182 		if (options->protocol & SSH_PROTO_2) {
183 			options->host_key_files[options->num_host_key_files++] =
184 			    _PATH_HOST_RSA_KEY_FILE;
185 			options->host_key_files[options->num_host_key_files++] =
186 			    _PATH_HOST_DSA_KEY_FILE;
187 #ifdef OPENSSL_HAS_ECC
188 			options->host_key_files[options->num_host_key_files++] =
189 			    _PATH_HOST_ECDSA_KEY_FILE;
190 #endif
191 			options->host_key_files[options->num_host_key_files++] =
192 			    _PATH_HOST_ED25519_KEY_FILE;
193 		}
194 	}
195 	/* No certificates by default */
196 	if (options->num_ports == 0)
197 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
198 	if (options->listen_addrs == NULL)
199 		add_listen_addr(options, NULL, 0);
200 	if (options->pid_file == NULL)
201 		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
202 	if (options->server_key_bits == -1)
203 		options->server_key_bits = 1024;
204 	if (options->login_grace_time == -1)
205 		options->login_grace_time = 120;
206 	if (options->key_regeneration_time == -1)
207 		options->key_regeneration_time = 3600;
208 	if (options->permit_root_login == PERMIT_NOT_SET)
209 		options->permit_root_login = PERMIT_NO;
210 	if (options->ignore_rhosts == -1)
211 		options->ignore_rhosts = 1;
212 	if (options->ignore_user_known_hosts == -1)
213 		options->ignore_user_known_hosts = 0;
214 	if (options->print_motd == -1)
215 		options->print_motd = 1;
216 	if (options->print_lastlog == -1)
217 		options->print_lastlog = 1;
218 	if (options->x11_forwarding == -1)
219 		options->x11_forwarding = 1;
220 	if (options->x11_display_offset == -1)
221 		options->x11_display_offset = 10;
222 	if (options->x11_use_localhost == -1)
223 		options->x11_use_localhost = 1;
224 	if (options->xauth_location == NULL)
225 		options->xauth_location = _PATH_XAUTH;
226 	if (options->permit_tty == -1)
227 		options->permit_tty = 1;
228 	if (options->strict_modes == -1)
229 		options->strict_modes = 1;
230 	if (options->tcp_keep_alive == -1)
231 		options->tcp_keep_alive = 1;
232 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
233 		options->log_facility = SYSLOG_FACILITY_AUTH;
234 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
235 		options->log_level = SYSLOG_LEVEL_INFO;
236 	if (options->rhosts_rsa_authentication == -1)
237 		options->rhosts_rsa_authentication = 0;
238 	if (options->hostbased_authentication == -1)
239 		options->hostbased_authentication = 0;
240 	if (options->hostbased_uses_name_from_packet_only == -1)
241 		options->hostbased_uses_name_from_packet_only = 0;
242 	if (options->rsa_authentication == -1)
243 		options->rsa_authentication = 1;
244 	if (options->pubkey_authentication == -1)
245 		options->pubkey_authentication = 1;
246 	if (options->kerberos_authentication == -1)
247 		options->kerberos_authentication = 0;
248 	if (options->kerberos_or_local_passwd == -1)
249 		options->kerberos_or_local_passwd = 1;
250 	if (options->kerberos_ticket_cleanup == -1)
251 		options->kerberos_ticket_cleanup = 1;
252 	if (options->kerberos_get_afs_token == -1)
253 		options->kerberos_get_afs_token = 0;
254 	if (options->gss_authentication == -1)
255 		options->gss_authentication = 0;
256 	if (options->gss_cleanup_creds == -1)
257 		options->gss_cleanup_creds = 1;
258 	if (options->password_authentication == -1)
259 		options->password_authentication = 0;
260 	if (options->kbd_interactive_authentication == -1)
261 		options->kbd_interactive_authentication = 0;
262 	if (options->challenge_response_authentication == -1)
263 		options->challenge_response_authentication = 1;
264 	if (options->permit_empty_passwd == -1)
265 		options->permit_empty_passwd = 0;
266 	if (options->permit_user_env == -1)
267 		options->permit_user_env = 0;
268 	if (options->use_login == -1)
269 		options->use_login = 0;
270 	if (options->compression == -1)
271 		options->compression = COMP_DELAYED;
272 	if (options->rekey_limit == -1)
273 		options->rekey_limit = 0;
274 	if (options->rekey_interval == -1)
275 		options->rekey_interval = 0;
276 	if (options->allow_tcp_forwarding == -1)
277 		options->allow_tcp_forwarding = FORWARD_ALLOW;
278 	if (options->allow_agent_forwarding == -1)
279 		options->allow_agent_forwarding = 1;
280 	if (options->gateway_ports == -1)
281 		options->gateway_ports = 0;
282 	if (options->max_startups == -1)
283 		options->max_startups = 100;
284 	if (options->max_startups_rate == -1)
285 		options->max_startups_rate = 30;		/* 30% */
286 	if (options->max_startups_begin == -1)
287 		options->max_startups_begin = 10;
288 	if (options->max_authtries == -1)
289 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
290 	if (options->max_sessions == -1)
291 		options->max_sessions = DEFAULT_SESSIONS_MAX;
292 	if (options->use_dns == -1)
293 		options->use_dns = 1;
294 	if (options->client_alive_interval == -1)
295 		options->client_alive_interval = 0;
296 	if (options->client_alive_count_max == -1)
297 		options->client_alive_count_max = 3;
298 	if (options->num_authkeys_files == 0) {
299 		options->authorized_keys_files[options->num_authkeys_files++] =
300 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
301 		options->authorized_keys_files[options->num_authkeys_files++] =
302 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
303 	}
304 	if (options->permit_tun == -1)
305 		options->permit_tun = SSH_TUNMODE_NO;
306 	if (options->ip_qos_interactive == -1)
307 		options->ip_qos_interactive = IPTOS_LOWDELAY;
308 	if (options->ip_qos_bulk == -1)
309 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
310 	if (options->version_addendum == NULL)
311 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
312 	/* Turn privilege separation on by default */
313 	if (use_privsep == -1)
314 		use_privsep = PRIVSEP_ON;
315 
316 #ifndef HAVE_MMAP
317 	if (use_privsep && options->compression == 1) {
318 		error("This platform does not support both privilege "
319 		    "separation and compression");
320 		error("Compression disabled");
321 		options->compression = 0;
322 	}
323 #endif
324 
325 	if (options->hpn_disabled == -1)
326 		options->hpn_disabled = 0;
327 	if (options->hpn_buffer_size == -1) {
328 		/*
329 		 * HPN buffer size option not explicitly set.  Try to figure
330 		 * out what value to use or resort to default.
331 		 */
332 		options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
333 		if (!options->hpn_disabled) {
334 			sock_get_rcvbuf(&options->hpn_buffer_size, 0);
335 			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
336 		}
337 	} else {
338 		/*
339 		 * In the case that the user sets both values in a
340 		 * contradictory manner hpn_disabled overrrides hpn_buffer_size.
341 		 */
342 		if (options->hpn_disabled <= 0) {
343 			u_int maxlen;
344 
345 			maxlen = buffer_get_max_len();
346 			if (options->hpn_buffer_size == 0)
347 				options->hpn_buffer_size = 1;
348 			/* Limit the maximum buffer to BUFFER_MAX_LEN. */
349 			if (options->hpn_buffer_size > maxlen / 1024)
350 				options->hpn_buffer_size = maxlen;
351 			else
352 				options->hpn_buffer_size *= 1024;
353 		} else {
354 			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
355 		}
356 	}
357 }
358 
359 /* Keyword tokens. */
360 typedef enum {
361 	sBadOption,		/* == unknown option */
362 	/* Portable-specific options */
363 	sUsePAM,
364 	/* Standard Options */
365 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
366 	sPermitRootLogin, sLogFacility, sLogLevel,
367 	sRhostsRSAAuthentication, sRSAAuthentication,
368 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
369 	sKerberosGetAFSToken,
370 	sKerberosTgtPassing, sChallengeResponseAuthentication,
371 	sPasswordAuthentication, sKbdInteractiveAuthentication,
372 	sListenAddress, sAddressFamily,
373 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
374 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
375 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
376 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
377 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
378 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
379 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
380 	sMaxStartups, sMaxAuthTries, sMaxSessions,
381 	sBanner, sUseDNS, sHostbasedAuthentication,
382 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
383 	sClientAliveCountMax, sAuthorizedKeysFile,
384 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
385 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
386 	sUsePrivilegeSeparation, sAllowAgentForwarding,
387 	sHostCertificate,
388 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
389 	sKexAlgorithms, sIPQoS, sVersionAddendum,
390 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
391 	sAuthenticationMethods, sHostKeyAgent,
392 	sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
393 #ifdef NONE_CIPHER_ENABLED
394 	sNoneEnabled,
395 #endif
396 	sDeprecated, sUnsupported
397 } ServerOpCodes;
398 
399 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
400 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
401 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
402 
403 /* Textual representation of the tokens. */
404 static struct {
405 	const char *name;
406 	ServerOpCodes opcode;
407 	u_int flags;
408 } keywords[] = {
409 	/* Portable-specific options */
410 #ifdef USE_PAM
411 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
412 #else
413 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
414 #endif
415 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
416 	/* Standard Options */
417 	{ "port", sPort, SSHCFG_GLOBAL },
418 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
419 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
420 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
421 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
422 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
423 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
424 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
425 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
426 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
427 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
428 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
429 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
430 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
431 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
432 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
433 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
434 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
435 #ifdef KRB5
436 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
437 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
438 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
439 #ifdef USE_AFS
440 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
441 #else
442 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
443 #endif
444 #else
445 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
446 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
447 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
448 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
449 #endif
450 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
451 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
452 #ifdef GSSAPI
453 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
454 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
455 #else
456 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
457 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
458 #endif
459 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
460 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
461 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
462 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
463 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
464 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
465 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
466 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
467 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
468 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
469 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
470 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
471 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
472 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
473 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
474 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
475 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
476 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
477 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
478 	{ "compression", sCompression, SSHCFG_GLOBAL },
479 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
480 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
481 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
482 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
483 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
484 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
485 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
486 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
487 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
488 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
489 	{ "macs", sMacs, SSHCFG_GLOBAL },
490 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
491 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
492 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
493 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
494 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
495 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
496 	{ "banner", sBanner, SSHCFG_ALL },
497 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
498 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
499 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
500 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
501 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
502 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
503 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
504 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
505 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
506 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
507 	{ "permittty", sPermitTTY, SSHCFG_ALL },
508 	{ "match", sMatch, SSHCFG_ALL },
509 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
510 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
511 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
512 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
513 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
514 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
515 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
516 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
517 	{ "ipqos", sIPQoS, SSHCFG_ALL },
518 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
519 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
520 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
521 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
522 	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
523 	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
524 	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
525 #ifdef NONE_CIPHER_ENABLED
526 	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
527 #endif
528 	{ NULL, sBadOption, 0 }
529 };
530 
531 static struct {
532 	int val;
533 	char *text;
534 } tunmode_desc[] = {
535 	{ SSH_TUNMODE_NO, "no" },
536 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
537 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
538 	{ SSH_TUNMODE_YES, "yes" },
539 	{ -1, NULL }
540 };
541 
542 /*
543  * Returns the number of the token pointed to by cp or sBadOption.
544  */
545 
546 static ServerOpCodes
547 parse_token(const char *cp, const char *filename,
548 	    int linenum, u_int *flags)
549 {
550 	u_int i;
551 
552 	for (i = 0; keywords[i].name; i++)
553 		if (strcasecmp(cp, keywords[i].name) == 0) {
554 			*flags = keywords[i].flags;
555 			return keywords[i].opcode;
556 		}
557 
558 	error("%s: line %d: Bad configuration option: %s",
559 	    filename, linenum, cp);
560 	return sBadOption;
561 }
562 
563 char *
564 derelativise_path(const char *path)
565 {
566 	char *expanded, *ret, cwd[MAXPATHLEN];
567 
568 	expanded = tilde_expand_filename(path, getuid());
569 	if (*expanded == '/')
570 		return expanded;
571 	if (getcwd(cwd, sizeof(cwd)) == NULL)
572 		fatal("%s: getcwd: %s", __func__, strerror(errno));
573 	xasprintf(&ret, "%s/%s", cwd, expanded);
574 	free(expanded);
575 	return ret;
576 }
577 
578 static void
579 add_listen_addr(ServerOptions *options, char *addr, int port)
580 {
581 	u_int i;
582 
583 	if (options->num_ports == 0)
584 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
585 	if (options->address_family == -1)
586 		options->address_family = AF_UNSPEC;
587 	if (port == 0)
588 		for (i = 0; i < options->num_ports; i++)
589 			add_one_listen_addr(options, addr, options->ports[i]);
590 	else
591 		add_one_listen_addr(options, addr, port);
592 }
593 
594 static void
595 add_one_listen_addr(ServerOptions *options, char *addr, int port)
596 {
597 	struct addrinfo hints, *ai, *aitop;
598 	char strport[NI_MAXSERV];
599 	int gaierr;
600 
601 	memset(&hints, 0, sizeof(hints));
602 	hints.ai_family = options->address_family;
603 	hints.ai_socktype = SOCK_STREAM;
604 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
605 	snprintf(strport, sizeof strport, "%d", port);
606 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
607 		fatal("bad addr or host: %s (%s)",
608 		    addr ? addr : "<NULL>",
609 		    ssh_gai_strerror(gaierr));
610 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
611 		;
612 	ai->ai_next = options->listen_addrs;
613 	options->listen_addrs = aitop;
614 }
615 
616 struct connection_info *
617 get_connection_info(int populate, int use_dns)
618 {
619 	static struct connection_info ci;
620 
621 	if (!populate)
622 		return &ci;
623 	ci.host = get_canonical_hostname(use_dns);
624 	ci.address = get_remote_ipaddr();
625 	ci.laddress = get_local_ipaddr(packet_get_connection_in());
626 	ci.lport = get_local_port();
627 	return &ci;
628 }
629 
630 /*
631  * The strategy for the Match blocks is that the config file is parsed twice.
632  *
633  * The first time is at startup.  activep is initialized to 1 and the
634  * directives in the global context are processed and acted on.  Hitting a
635  * Match directive unsets activep and the directives inside the block are
636  * checked for syntax only.
637  *
638  * The second time is after a connection has been established but before
639  * authentication.  activep is initialized to 2 and global config directives
640  * are ignored since they have already been processed.  If the criteria in a
641  * Match block is met, activep is set and the subsequent directives
642  * processed and actioned until EOF or another Match block unsets it.  Any
643  * options set are copied into the main server config.
644  *
645  * Potential additions/improvements:
646  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
647  *
648  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
649  *	Match Address 192.168.0.*
650  *		Tag trusted
651  *	Match Group wheel
652  *		Tag trusted
653  *	Match Tag trusted
654  *		AllowTcpForwarding yes
655  *		GatewayPorts clientspecified
656  *		[...]
657  *
658  *  - Add a PermittedChannelRequests directive
659  *	Match Group shell
660  *		PermittedChannelRequests session,forwarded-tcpip
661  */
662 
663 static int
664 match_cfg_line_group(const char *grps, int line, const char *user)
665 {
666 	int result = 0;
667 	struct passwd *pw;
668 
669 	if (user == NULL)
670 		goto out;
671 
672 	if ((pw = getpwnam(user)) == NULL) {
673 		debug("Can't match group at line %d because user %.100s does "
674 		    "not exist", line, user);
675 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
676 		debug("Can't Match group because user %.100s not in any group "
677 		    "at line %d", user, line);
678 	} else if (ga_match_pattern_list(grps) != 1) {
679 		debug("user %.100s does not match group list %.100s at line %d",
680 		    user, grps, line);
681 	} else {
682 		debug("user %.100s matched group list %.100s at line %d", user,
683 		    grps, line);
684 		result = 1;
685 	}
686 out:
687 	ga_free();
688 	return result;
689 }
690 
691 /*
692  * All of the attributes on a single Match line are ANDed together, so we need
693  * to check every attribute and set the result to zero if any attribute does
694  * not match.
695  */
696 static int
697 match_cfg_line(char **condition, int line, struct connection_info *ci)
698 {
699 	int result = 1, attributes = 0, port;
700 	char *arg, *attrib, *cp = *condition;
701 	size_t len;
702 
703 	if (ci == NULL)
704 		debug3("checking syntax for 'Match %s'", cp);
705 	else
706 		debug3("checking match for '%s' user %s host %s addr %s "
707 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
708 		    ci->host ? ci->host : "(null)",
709 		    ci->address ? ci->address : "(null)",
710 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
711 
712 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
713 		attributes++;
714 		if (strcasecmp(attrib, "all") == 0) {
715 			if (attributes != 1 ||
716 			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
717 				error("'all' cannot be combined with other "
718 				    "Match attributes");
719 				return -1;
720 			}
721 			*condition = cp;
722 			return 1;
723 		}
724 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
725 			error("Missing Match criteria for %s", attrib);
726 			return -1;
727 		}
728 		len = strlen(arg);
729 		if (strcasecmp(attrib, "user") == 0) {
730 			if (ci == NULL || ci->user == NULL) {
731 				result = 0;
732 				continue;
733 			}
734 			if (match_pattern_list(ci->user, arg, len, 0) != 1)
735 				result = 0;
736 			else
737 				debug("user %.100s matched 'User %.100s' at "
738 				    "line %d", ci->user, arg, line);
739 		} else if (strcasecmp(attrib, "group") == 0) {
740 			if (ci == NULL || ci->user == NULL) {
741 				result = 0;
742 				continue;
743 			}
744 			switch (match_cfg_line_group(arg, line, ci->user)) {
745 			case -1:
746 				return -1;
747 			case 0:
748 				result = 0;
749 			}
750 		} else if (strcasecmp(attrib, "host") == 0) {
751 			if (ci == NULL || ci->host == NULL) {
752 				result = 0;
753 				continue;
754 			}
755 			if (match_hostname(ci->host, arg, len) != 1)
756 				result = 0;
757 			else
758 				debug("connection from %.100s matched 'Host "
759 				    "%.100s' at line %d", ci->host, arg, line);
760 		} else if (strcasecmp(attrib, "address") == 0) {
761 			if (ci == NULL || ci->address == NULL) {
762 				result = 0;
763 				continue;
764 			}
765 			switch (addr_match_list(ci->address, arg)) {
766 			case 1:
767 				debug("connection from %.100s matched 'Address "
768 				    "%.100s' at line %d", ci->address, arg, line);
769 				break;
770 			case 0:
771 			case -1:
772 				result = 0;
773 				break;
774 			case -2:
775 				return -1;
776 			}
777 		} else if (strcasecmp(attrib, "localaddress") == 0){
778 			if (ci == NULL || ci->laddress == NULL) {
779 				result = 0;
780 				continue;
781 			}
782 			switch (addr_match_list(ci->laddress, arg)) {
783 			case 1:
784 				debug("connection from %.100s matched "
785 				    "'LocalAddress %.100s' at line %d",
786 				    ci->laddress, arg, line);
787 				break;
788 			case 0:
789 			case -1:
790 				result = 0;
791 				break;
792 			case -2:
793 				return -1;
794 			}
795 		} else if (strcasecmp(attrib, "localport") == 0) {
796 			if ((port = a2port(arg)) == -1) {
797 				error("Invalid LocalPort '%s' on Match line",
798 				    arg);
799 				return -1;
800 			}
801 			if (ci == NULL || ci->lport == 0) {
802 				result = 0;
803 				continue;
804 			}
805 			/* TODO support port lists */
806 			if (port == ci->lport)
807 				debug("connection from %.100s matched "
808 				    "'LocalPort %d' at line %d",
809 				    ci->laddress, port, line);
810 			else
811 				result = 0;
812 		} else {
813 			error("Unsupported Match attribute %s", attrib);
814 			return -1;
815 		}
816 	}
817 	if (attributes == 0) {
818 		error("One or more attributes required for Match");
819 		return -1;
820 	}
821 	if (ci != NULL)
822 		debug3("match %sfound", result ? "" : "not ");
823 	*condition = cp;
824 	return result;
825 }
826 
827 #define WHITESPACE " \t\r\n"
828 
829 /* Multistate option parsing */
830 struct multistate {
831 	char *key;
832 	int value;
833 };
834 static const struct multistate multistate_addressfamily[] = {
835 	{ "inet",			AF_INET },
836 	{ "inet6",			AF_INET6 },
837 	{ "any",			AF_UNSPEC },
838 	{ NULL, -1 }
839 };
840 static const struct multistate multistate_permitrootlogin[] = {
841 	{ "without-password",		PERMIT_NO_PASSWD },
842 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
843 	{ "yes",			PERMIT_YES },
844 	{ "no",				PERMIT_NO },
845 	{ NULL, -1 }
846 };
847 static const struct multistate multistate_compression[] = {
848 	{ "delayed",			COMP_DELAYED },
849 	{ "yes",			COMP_ZLIB },
850 	{ "no",				COMP_NONE },
851 	{ NULL, -1 }
852 };
853 static const struct multistate multistate_gatewayports[] = {
854 	{ "clientspecified",		2 },
855 	{ "yes",			1 },
856 	{ "no",				0 },
857 	{ NULL, -1 }
858 };
859 static const struct multistate multistate_privsep[] = {
860 	{ "yes",			PRIVSEP_NOSANDBOX },
861 	{ "sandbox",			PRIVSEP_ON },
862 	{ "nosandbox",			PRIVSEP_NOSANDBOX },
863 	{ "no",				PRIVSEP_OFF },
864 	{ NULL, -1 }
865 };
866 static const struct multistate multistate_tcpfwd[] = {
867 	{ "yes",			FORWARD_ALLOW },
868 	{ "all",			FORWARD_ALLOW },
869 	{ "no",				FORWARD_DENY },
870 	{ "remote",			FORWARD_REMOTE },
871 	{ "local",			FORWARD_LOCAL },
872 	{ NULL, -1 }
873 };
874 
875 int
876 process_server_config_line(ServerOptions *options, char *line,
877     const char *filename, int linenum, int *activep,
878     struct connection_info *connectinfo)
879 {
880 	char *cp, **charptr, *arg, *p;
881 	int cmdline = 0, *intptr, value, value2, n, port;
882 	SyslogFacility *log_facility_ptr;
883 	LogLevel *log_level_ptr;
884 	ServerOpCodes opcode;
885 	u_int i, flags = 0;
886 	size_t len;
887 	long long val64;
888 	const struct multistate *multistate_ptr;
889 
890 	cp = line;
891 	if ((arg = strdelim(&cp)) == NULL)
892 		return 0;
893 	/* Ignore leading whitespace */
894 	if (*arg == '\0')
895 		arg = strdelim(&cp);
896 	if (!arg || !*arg || *arg == '#')
897 		return 0;
898 	intptr = NULL;
899 	charptr = NULL;
900 	opcode = parse_token(arg, filename, linenum, &flags);
901 
902 	if (activep == NULL) { /* We are processing a command line directive */
903 		cmdline = 1;
904 		activep = &cmdline;
905 	}
906 	if (*activep && opcode != sMatch)
907 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
908 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
909 		if (connectinfo == NULL) {
910 			fatal("%s line %d: Directive '%s' is not allowed "
911 			    "within a Match block", filename, linenum, arg);
912 		} else { /* this is a directive we have already processed */
913 			while (arg)
914 				arg = strdelim(&cp);
915 			return 0;
916 		}
917 	}
918 
919 	switch (opcode) {
920 	/* Portable-specific options */
921 	case sUsePAM:
922 		intptr = &options->use_pam;
923 		goto parse_flag;
924 
925 	/* Standard Options */
926 	case sBadOption:
927 		return -1;
928 	case sPort:
929 		/* ignore ports from configfile if cmdline specifies ports */
930 		if (options->ports_from_cmdline)
931 			return 0;
932 		if (options->listen_addrs != NULL)
933 			fatal("%s line %d: ports must be specified before "
934 			    "ListenAddress.", filename, linenum);
935 		if (options->num_ports >= MAX_PORTS)
936 			fatal("%s line %d: too many ports.",
937 			    filename, linenum);
938 		arg = strdelim(&cp);
939 		if (!arg || *arg == '\0')
940 			fatal("%s line %d: missing port number.",
941 			    filename, linenum);
942 		options->ports[options->num_ports++] = a2port(arg);
943 		if (options->ports[options->num_ports-1] <= 0)
944 			fatal("%s line %d: Badly formatted port number.",
945 			    filename, linenum);
946 		break;
947 
948 	case sServerKeyBits:
949 		intptr = &options->server_key_bits;
950  parse_int:
951 		arg = strdelim(&cp);
952 		if (!arg || *arg == '\0')
953 			fatal("%s line %d: missing integer value.",
954 			    filename, linenum);
955 		value = atoi(arg);
956 		if (*activep && *intptr == -1)
957 			*intptr = value;
958 		break;
959 
960 	case sLoginGraceTime:
961 		intptr = &options->login_grace_time;
962  parse_time:
963 		arg = strdelim(&cp);
964 		if (!arg || *arg == '\0')
965 			fatal("%s line %d: missing time value.",
966 			    filename, linenum);
967 		if ((value = convtime(arg)) == -1)
968 			fatal("%s line %d: invalid time value.",
969 			    filename, linenum);
970 		if (*intptr == -1)
971 			*intptr = value;
972 		break;
973 
974 	case sKeyRegenerationTime:
975 		intptr = &options->key_regeneration_time;
976 		goto parse_time;
977 
978 	case sListenAddress:
979 		arg = strdelim(&cp);
980 		if (arg == NULL || *arg == '\0')
981 			fatal("%s line %d: missing address",
982 			    filename, linenum);
983 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
984 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
985 		    && strchr(p+1, ':') != NULL) {
986 			add_listen_addr(options, arg, 0);
987 			break;
988 		}
989 		p = hpdelim(&arg);
990 		if (p == NULL)
991 			fatal("%s line %d: bad address:port usage",
992 			    filename, linenum);
993 		p = cleanhostname(p);
994 		if (arg == NULL)
995 			port = 0;
996 		else if ((port = a2port(arg)) <= 0)
997 			fatal("%s line %d: bad port number", filename, linenum);
998 
999 		add_listen_addr(options, p, port);
1000 
1001 		break;
1002 
1003 	case sAddressFamily:
1004 		intptr = &options->address_family;
1005 		multistate_ptr = multistate_addressfamily;
1006 		if (options->listen_addrs != NULL)
1007 			fatal("%s line %d: address family must be specified "
1008 			    "before ListenAddress.", filename, linenum);
1009  parse_multistate:
1010 		arg = strdelim(&cp);
1011 		if (!arg || *arg == '\0')
1012 			fatal("%s line %d: missing argument.",
1013 			    filename, linenum);
1014 		value = -1;
1015 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1016 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1017 				value = multistate_ptr[i].value;
1018 				break;
1019 			}
1020 		}
1021 		if (value == -1)
1022 			fatal("%s line %d: unsupported option \"%s\".",
1023 			    filename, linenum, arg);
1024 		if (*activep && *intptr == -1)
1025 			*intptr = value;
1026 		break;
1027 
1028 	case sHostKeyFile:
1029 		intptr = &options->num_host_key_files;
1030 		if (*intptr >= MAX_HOSTKEYS)
1031 			fatal("%s line %d: too many host keys specified (max %d).",
1032 			    filename, linenum, MAX_HOSTKEYS);
1033 		charptr = &options->host_key_files[*intptr];
1034  parse_filename:
1035 		arg = strdelim(&cp);
1036 		if (!arg || *arg == '\0')
1037 			fatal("%s line %d: missing file name.",
1038 			    filename, linenum);
1039 		if (*activep && *charptr == NULL) {
1040 			*charptr = derelativise_path(arg);
1041 			/* increase optional counter */
1042 			if (intptr != NULL)
1043 				*intptr = *intptr + 1;
1044 		}
1045 		break;
1046 
1047 	case sHostKeyAgent:
1048 		charptr = &options->host_key_agent;
1049 		arg = strdelim(&cp);
1050 		if (!arg || *arg == '\0')
1051 			fatal("%s line %d: missing socket name.",
1052 			    filename, linenum);
1053 		if (*activep && *charptr == NULL)
1054 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1055 			    xstrdup(arg) : derelativise_path(arg);
1056 		break;
1057 
1058 	case sHostCertificate:
1059 		intptr = &options->num_host_cert_files;
1060 		if (*intptr >= MAX_HOSTKEYS)
1061 			fatal("%s line %d: too many host certificates "
1062 			    "specified (max %d).", filename, linenum,
1063 			    MAX_HOSTCERTS);
1064 		charptr = &options->host_cert_files[*intptr];
1065 		goto parse_filename;
1066 		break;
1067 
1068 	case sPidFile:
1069 		charptr = &options->pid_file;
1070 		goto parse_filename;
1071 
1072 	case sPermitRootLogin:
1073 		intptr = &options->permit_root_login;
1074 		multistate_ptr = multistate_permitrootlogin;
1075 		goto parse_multistate;
1076 
1077 	case sIgnoreRhosts:
1078 		intptr = &options->ignore_rhosts;
1079  parse_flag:
1080 		arg = strdelim(&cp);
1081 		if (!arg || *arg == '\0')
1082 			fatal("%s line %d: missing yes/no argument.",
1083 			    filename, linenum);
1084 		value = 0;	/* silence compiler */
1085 		if (strcmp(arg, "yes") == 0)
1086 			value = 1;
1087 		else if (strcmp(arg, "no") == 0)
1088 			value = 0;
1089 		else
1090 			fatal("%s line %d: Bad yes/no argument: %s",
1091 				filename, linenum, arg);
1092 		if (*activep && *intptr == -1)
1093 			*intptr = value;
1094 		break;
1095 
1096 	case sIgnoreUserKnownHosts:
1097 		intptr = &options->ignore_user_known_hosts;
1098 		goto parse_flag;
1099 
1100 	case sRhostsRSAAuthentication:
1101 		intptr = &options->rhosts_rsa_authentication;
1102 		goto parse_flag;
1103 
1104 	case sHostbasedAuthentication:
1105 		intptr = &options->hostbased_authentication;
1106 		goto parse_flag;
1107 
1108 	case sHostbasedUsesNameFromPacketOnly:
1109 		intptr = &options->hostbased_uses_name_from_packet_only;
1110 		goto parse_flag;
1111 
1112 	case sRSAAuthentication:
1113 		intptr = &options->rsa_authentication;
1114 		goto parse_flag;
1115 
1116 	case sPubkeyAuthentication:
1117 		intptr = &options->pubkey_authentication;
1118 		goto parse_flag;
1119 
1120 	case sKerberosAuthentication:
1121 		intptr = &options->kerberos_authentication;
1122 		goto parse_flag;
1123 
1124 	case sKerberosOrLocalPasswd:
1125 		intptr = &options->kerberos_or_local_passwd;
1126 		goto parse_flag;
1127 
1128 	case sKerberosTicketCleanup:
1129 		intptr = &options->kerberos_ticket_cleanup;
1130 		goto parse_flag;
1131 
1132 	case sKerberosGetAFSToken:
1133 		intptr = &options->kerberos_get_afs_token;
1134 		goto parse_flag;
1135 
1136 	case sGssAuthentication:
1137 		intptr = &options->gss_authentication;
1138 		goto parse_flag;
1139 
1140 	case sGssCleanupCreds:
1141 		intptr = &options->gss_cleanup_creds;
1142 		goto parse_flag;
1143 
1144 	case sPasswordAuthentication:
1145 		intptr = &options->password_authentication;
1146 		goto parse_flag;
1147 
1148 	case sKbdInteractiveAuthentication:
1149 		intptr = &options->kbd_interactive_authentication;
1150 		goto parse_flag;
1151 
1152 	case sChallengeResponseAuthentication:
1153 		intptr = &options->challenge_response_authentication;
1154 		goto parse_flag;
1155 
1156 	case sPrintMotd:
1157 		intptr = &options->print_motd;
1158 		goto parse_flag;
1159 
1160 	case sPrintLastLog:
1161 		intptr = &options->print_lastlog;
1162 		goto parse_flag;
1163 
1164 	case sX11Forwarding:
1165 		intptr = &options->x11_forwarding;
1166 		goto parse_flag;
1167 
1168 	case sX11DisplayOffset:
1169 		intptr = &options->x11_display_offset;
1170 		goto parse_int;
1171 
1172 	case sX11UseLocalhost:
1173 		intptr = &options->x11_use_localhost;
1174 		goto parse_flag;
1175 
1176 	case sXAuthLocation:
1177 		charptr = &options->xauth_location;
1178 		goto parse_filename;
1179 
1180 	case sPermitTTY:
1181 		intptr = &options->permit_tty;
1182 		goto parse_flag;
1183 
1184 	case sStrictModes:
1185 		intptr = &options->strict_modes;
1186 		goto parse_flag;
1187 
1188 	case sTCPKeepAlive:
1189 		intptr = &options->tcp_keep_alive;
1190 		goto parse_flag;
1191 
1192 	case sEmptyPasswd:
1193 		intptr = &options->permit_empty_passwd;
1194 		goto parse_flag;
1195 
1196 	case sPermitUserEnvironment:
1197 		intptr = &options->permit_user_env;
1198 		goto parse_flag;
1199 
1200 	case sUseLogin:
1201 		intptr = &options->use_login;
1202 		goto parse_flag;
1203 
1204 	case sCompression:
1205 		intptr = &options->compression;
1206 		multistate_ptr = multistate_compression;
1207 		goto parse_multistate;
1208 
1209 	case sRekeyLimit:
1210 		arg = strdelim(&cp);
1211 		if (!arg || *arg == '\0')
1212 			fatal("%.200s line %d: Missing argument.", filename,
1213 			    linenum);
1214 		if (strcmp(arg, "default") == 0) {
1215 			val64 = 0;
1216 		} else {
1217 			if (scan_scaled(arg, &val64) == -1)
1218 				fatal("%.200s line %d: Bad number '%s': %s",
1219 				    filename, linenum, arg, strerror(errno));
1220 			/* check for too-large or too-small limits */
1221 			if (val64 > UINT_MAX)
1222 				fatal("%.200s line %d: RekeyLimit too large",
1223 				    filename, linenum);
1224 			if (val64 != 0 && val64 < 16)
1225 				fatal("%.200s line %d: RekeyLimit too small",
1226 				    filename, linenum);
1227 		}
1228 		if (*activep && options->rekey_limit == -1)
1229 			options->rekey_limit = (u_int32_t)val64;
1230 		if (cp != NULL) { /* optional rekey interval present */
1231 			if (strcmp(cp, "none") == 0) {
1232 				(void)strdelim(&cp);	/* discard */
1233 				break;
1234 			}
1235 			intptr = &options->rekey_interval;
1236 			goto parse_time;
1237 		}
1238 		break;
1239 
1240 	case sGatewayPorts:
1241 		intptr = &options->gateway_ports;
1242 		multistate_ptr = multistate_gatewayports;
1243 		goto parse_multistate;
1244 
1245 	case sUseDNS:
1246 		intptr = &options->use_dns;
1247 		goto parse_flag;
1248 
1249 	case sLogFacility:
1250 		log_facility_ptr = &options->log_facility;
1251 		arg = strdelim(&cp);
1252 		value = log_facility_number(arg);
1253 		if (value == SYSLOG_FACILITY_NOT_SET)
1254 			fatal("%.200s line %d: unsupported log facility '%s'",
1255 			    filename, linenum, arg ? arg : "<NONE>");
1256 		if (*log_facility_ptr == -1)
1257 			*log_facility_ptr = (SyslogFacility) value;
1258 		break;
1259 
1260 	case sLogLevel:
1261 		log_level_ptr = &options->log_level;
1262 		arg = strdelim(&cp);
1263 		value = log_level_number(arg);
1264 		if (value == SYSLOG_LEVEL_NOT_SET)
1265 			fatal("%.200s line %d: unsupported log level '%s'",
1266 			    filename, linenum, arg ? arg : "<NONE>");
1267 		if (*log_level_ptr == -1)
1268 			*log_level_ptr = (LogLevel) value;
1269 		break;
1270 
1271 	case sAllowTcpForwarding:
1272 		intptr = &options->allow_tcp_forwarding;
1273 		multistate_ptr = multistate_tcpfwd;
1274 		goto parse_multistate;
1275 
1276 	case sAllowAgentForwarding:
1277 		intptr = &options->allow_agent_forwarding;
1278 		goto parse_flag;
1279 
1280 	case sUsePrivilegeSeparation:
1281 		intptr = &use_privsep;
1282 		multistate_ptr = multistate_privsep;
1283 		goto parse_multistate;
1284 
1285 	case sAllowUsers:
1286 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1287 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1288 				fatal("%s line %d: too many allow users.",
1289 				    filename, linenum);
1290 			if (!*activep)
1291 				continue;
1292 			options->allow_users[options->num_allow_users++] =
1293 			    xstrdup(arg);
1294 		}
1295 		break;
1296 
1297 	case sDenyUsers:
1298 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1299 			if (options->num_deny_users >= MAX_DENY_USERS)
1300 				fatal("%s line %d: too many deny users.",
1301 				    filename, linenum);
1302 			if (!*activep)
1303 				continue;
1304 			options->deny_users[options->num_deny_users++] =
1305 			    xstrdup(arg);
1306 		}
1307 		break;
1308 
1309 	case sAllowGroups:
1310 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1311 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1312 				fatal("%s line %d: too many allow groups.",
1313 				    filename, linenum);
1314 			if (!*activep)
1315 				continue;
1316 			options->allow_groups[options->num_allow_groups++] =
1317 			    xstrdup(arg);
1318 		}
1319 		break;
1320 
1321 	case sDenyGroups:
1322 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1323 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1324 				fatal("%s line %d: too many deny groups.",
1325 				    filename, linenum);
1326 			if (!*activep)
1327 				continue;
1328 			options->deny_groups[options->num_deny_groups++] =
1329 			    xstrdup(arg);
1330 		}
1331 		break;
1332 
1333 	case sCiphers:
1334 		arg = strdelim(&cp);
1335 		if (!arg || *arg == '\0')
1336 			fatal("%s line %d: Missing argument.", filename, linenum);
1337 		if (!ciphers_valid(arg))
1338 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1339 			    filename, linenum, arg ? arg : "<NONE>");
1340 		if (options->ciphers == NULL)
1341 			options->ciphers = xstrdup(arg);
1342 		break;
1343 
1344 	case sMacs:
1345 		arg = strdelim(&cp);
1346 		if (!arg || *arg == '\0')
1347 			fatal("%s line %d: Missing argument.", filename, linenum);
1348 		if (!mac_valid(arg))
1349 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1350 			    filename, linenum, arg ? arg : "<NONE>");
1351 		if (options->macs == NULL)
1352 			options->macs = xstrdup(arg);
1353 		break;
1354 
1355 	case sKexAlgorithms:
1356 		arg = strdelim(&cp);
1357 		if (!arg || *arg == '\0')
1358 			fatal("%s line %d: Missing argument.",
1359 			    filename, linenum);
1360 		if (!kex_names_valid(arg))
1361 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1362 			    filename, linenum, arg ? arg : "<NONE>");
1363 		if (options->kex_algorithms == NULL)
1364 			options->kex_algorithms = xstrdup(arg);
1365 		break;
1366 
1367 	case sProtocol:
1368 		intptr = &options->protocol;
1369 		arg = strdelim(&cp);
1370 		if (!arg || *arg == '\0')
1371 			fatal("%s line %d: Missing argument.", filename, linenum);
1372 		value = proto_spec(arg);
1373 		if (value == SSH_PROTO_UNKNOWN)
1374 			fatal("%s line %d: Bad protocol spec '%s'.",
1375 			    filename, linenum, arg ? arg : "<NONE>");
1376 		if (*intptr == SSH_PROTO_UNKNOWN)
1377 			*intptr = value;
1378 		break;
1379 
1380 	case sSubsystem:
1381 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1382 			fatal("%s line %d: too many subsystems defined.",
1383 			    filename, linenum);
1384 		}
1385 		arg = strdelim(&cp);
1386 		if (!arg || *arg == '\0')
1387 			fatal("%s line %d: Missing subsystem name.",
1388 			    filename, linenum);
1389 		if (!*activep) {
1390 			arg = strdelim(&cp);
1391 			break;
1392 		}
1393 		for (i = 0; i < options->num_subsystems; i++)
1394 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1395 				fatal("%s line %d: Subsystem '%s' already defined.",
1396 				    filename, linenum, arg);
1397 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1398 		arg = strdelim(&cp);
1399 		if (!arg || *arg == '\0')
1400 			fatal("%s line %d: Missing subsystem command.",
1401 			    filename, linenum);
1402 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1403 
1404 		/* Collect arguments (separate to executable) */
1405 		p = xstrdup(arg);
1406 		len = strlen(p) + 1;
1407 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1408 			len += 1 + strlen(arg);
1409 			p = xrealloc(p, 1, len);
1410 			strlcat(p, " ", len);
1411 			strlcat(p, arg, len);
1412 		}
1413 		options->subsystem_args[options->num_subsystems] = p;
1414 		options->num_subsystems++;
1415 		break;
1416 
1417 	case sMaxStartups:
1418 		arg = strdelim(&cp);
1419 		if (!arg || *arg == '\0')
1420 			fatal("%s line %d: Missing MaxStartups spec.",
1421 			    filename, linenum);
1422 		if ((n = sscanf(arg, "%d:%d:%d",
1423 		    &options->max_startups_begin,
1424 		    &options->max_startups_rate,
1425 		    &options->max_startups)) == 3) {
1426 			if (options->max_startups_begin >
1427 			    options->max_startups ||
1428 			    options->max_startups_rate > 100 ||
1429 			    options->max_startups_rate < 1)
1430 				fatal("%s line %d: Illegal MaxStartups spec.",
1431 				    filename, linenum);
1432 		} else if (n != 1)
1433 			fatal("%s line %d: Illegal MaxStartups spec.",
1434 			    filename, linenum);
1435 		else
1436 			options->max_startups = options->max_startups_begin;
1437 		break;
1438 
1439 	case sMaxAuthTries:
1440 		intptr = &options->max_authtries;
1441 		goto parse_int;
1442 
1443 	case sMaxSessions:
1444 		intptr = &options->max_sessions;
1445 		goto parse_int;
1446 
1447 	case sBanner:
1448 		charptr = &options->banner;
1449 		goto parse_filename;
1450 
1451 	/*
1452 	 * These options can contain %X options expanded at
1453 	 * connect time, so that you can specify paths like:
1454 	 *
1455 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1456 	 */
1457 	case sAuthorizedKeysFile:
1458 		if (*activep && options->num_authkeys_files == 0) {
1459 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1460 				if (options->num_authkeys_files >=
1461 				    MAX_AUTHKEYS_FILES)
1462 					fatal("%s line %d: "
1463 					    "too many authorized keys files.",
1464 					    filename, linenum);
1465 				options->authorized_keys_files[
1466 				    options->num_authkeys_files++] =
1467 				    tilde_expand_filename(arg, getuid());
1468 			}
1469 		}
1470 		return 0;
1471 
1472 	case sAuthorizedPrincipalsFile:
1473 		charptr = &options->authorized_principals_file;
1474 		arg = strdelim(&cp);
1475 		if (!arg || *arg == '\0')
1476 			fatal("%s line %d: missing file name.",
1477 			    filename, linenum);
1478 		if (*activep && *charptr == NULL) {
1479 			*charptr = tilde_expand_filename(arg, getuid());
1480 			/* increase optional counter */
1481 			if (intptr != NULL)
1482 				*intptr = *intptr + 1;
1483 		}
1484 		break;
1485 
1486 	case sClientAliveInterval:
1487 		intptr = &options->client_alive_interval;
1488 		goto parse_time;
1489 
1490 	case sClientAliveCountMax:
1491 		intptr = &options->client_alive_count_max;
1492 		goto parse_int;
1493 
1494 	case sAcceptEnv:
1495 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1496 			if (strchr(arg, '=') != NULL)
1497 				fatal("%s line %d: Invalid environment name.",
1498 				    filename, linenum);
1499 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1500 				fatal("%s line %d: too many allow env.",
1501 				    filename, linenum);
1502 			if (!*activep)
1503 				continue;
1504 			options->accept_env[options->num_accept_env++] =
1505 			    xstrdup(arg);
1506 		}
1507 		break;
1508 
1509 	case sPermitTunnel:
1510 		intptr = &options->permit_tun;
1511 		arg = strdelim(&cp);
1512 		if (!arg || *arg == '\0')
1513 			fatal("%s line %d: Missing yes/point-to-point/"
1514 			    "ethernet/no argument.", filename, linenum);
1515 		value = -1;
1516 		for (i = 0; tunmode_desc[i].val != -1; i++)
1517 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1518 				value = tunmode_desc[i].val;
1519 				break;
1520 			}
1521 		if (value == -1)
1522 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1523 			    "no argument: %s", filename, linenum, arg);
1524 		if (*intptr == -1)
1525 			*intptr = value;
1526 		break;
1527 
1528 	case sMatch:
1529 		if (cmdline)
1530 			fatal("Match directive not supported as a command-line "
1531 			   "option");
1532 		value = match_cfg_line(&cp, linenum, connectinfo);
1533 		if (value < 0)
1534 			fatal("%s line %d: Bad Match condition", filename,
1535 			    linenum);
1536 		*activep = value;
1537 		break;
1538 
1539 	case sPermitOpen:
1540 		arg = strdelim(&cp);
1541 		if (!arg || *arg == '\0')
1542 			fatal("%s line %d: missing PermitOpen specification",
1543 			    filename, linenum);
1544 		n = options->num_permitted_opens;	/* modified later */
1545 		if (strcmp(arg, "any") == 0) {
1546 			if (*activep && n == -1) {
1547 				channel_clear_adm_permitted_opens();
1548 				options->num_permitted_opens = 0;
1549 			}
1550 			break;
1551 		}
1552 		if (strcmp(arg, "none") == 0) {
1553 			if (*activep && n == -1) {
1554 				options->num_permitted_opens = 1;
1555 				channel_disable_adm_local_opens();
1556 			}
1557 			break;
1558 		}
1559 		if (*activep && n == -1)
1560 			channel_clear_adm_permitted_opens();
1561 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1562 			p = hpdelim(&arg);
1563 			if (p == NULL)
1564 				fatal("%s line %d: missing host in PermitOpen",
1565 				    filename, linenum);
1566 			p = cleanhostname(p);
1567 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1568 				fatal("%s line %d: bad port number in "
1569 				    "PermitOpen", filename, linenum);
1570 			if (*activep && n == -1)
1571 				options->num_permitted_opens =
1572 				    channel_add_adm_permitted_opens(p, port);
1573 		}
1574 		break;
1575 
1576 	case sForceCommand:
1577 		if (cp == NULL)
1578 			fatal("%.200s line %d: Missing argument.", filename,
1579 			    linenum);
1580 		len = strspn(cp, WHITESPACE);
1581 		if (*activep && options->adm_forced_command == NULL)
1582 			options->adm_forced_command = xstrdup(cp + len);
1583 		return 0;
1584 
1585 	case sChrootDirectory:
1586 		charptr = &options->chroot_directory;
1587 
1588 		arg = strdelim(&cp);
1589 		if (!arg || *arg == '\0')
1590 			fatal("%s line %d: missing file name.",
1591 			    filename, linenum);
1592 		if (*activep && *charptr == NULL)
1593 			*charptr = xstrdup(arg);
1594 		break;
1595 
1596 	case sTrustedUserCAKeys:
1597 		charptr = &options->trusted_user_ca_keys;
1598 		goto parse_filename;
1599 
1600 	case sRevokedKeys:
1601 		charptr = &options->revoked_keys_file;
1602 		goto parse_filename;
1603 
1604 	case sIPQoS:
1605 		arg = strdelim(&cp);
1606 		if ((value = parse_ipqos(arg)) == -1)
1607 			fatal("%s line %d: Bad IPQoS value: %s",
1608 			    filename, linenum, arg);
1609 		arg = strdelim(&cp);
1610 		if (arg == NULL)
1611 			value2 = value;
1612 		else if ((value2 = parse_ipqos(arg)) == -1)
1613 			fatal("%s line %d: Bad IPQoS value: %s",
1614 			    filename, linenum, arg);
1615 		if (*activep) {
1616 			options->ip_qos_interactive = value;
1617 			options->ip_qos_bulk = value2;
1618 		}
1619 		break;
1620 
1621 	case sVersionAddendum:
1622 		if (cp == NULL)
1623 			fatal("%.200s line %d: Missing argument.", filename,
1624 			    linenum);
1625 		len = strspn(cp, WHITESPACE);
1626 		if (*activep && options->version_addendum == NULL) {
1627 			if (strcasecmp(cp + len, "none") == 0)
1628 				options->version_addendum = xstrdup("");
1629 			else if (strchr(cp + len, '\r') != NULL)
1630 				fatal("%.200s line %d: Invalid argument",
1631 				    filename, linenum);
1632 			else
1633 				options->version_addendum = xstrdup(cp + len);
1634 		}
1635 		return 0;
1636 
1637 	case sAuthorizedKeysCommand:
1638 		len = strspn(cp, WHITESPACE);
1639 		if (*activep && options->authorized_keys_command == NULL) {
1640 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1641 				fatal("%.200s line %d: AuthorizedKeysCommand "
1642 				    "must be an absolute path",
1643 				    filename, linenum);
1644 			options->authorized_keys_command = xstrdup(cp + len);
1645 		}
1646 		return 0;
1647 
1648 	case sAuthorizedKeysCommandUser:
1649 		charptr = &options->authorized_keys_command_user;
1650 
1651 		arg = strdelim(&cp);
1652 		if (*activep && *charptr == NULL)
1653 			*charptr = xstrdup(arg);
1654 		break;
1655 
1656 	case sAuthenticationMethods:
1657 		if (*activep && options->num_auth_methods == 0) {
1658 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1659 				if (options->num_auth_methods >=
1660 				    MAX_AUTH_METHODS)
1661 					fatal("%s line %d: "
1662 					    "too many authentication methods.",
1663 					    filename, linenum);
1664 				if (auth2_methods_valid(arg, 0) != 0)
1665 					fatal("%s line %d: invalid "
1666 					    "authentication method list.",
1667 					    filename, linenum);
1668 				options->auth_methods[
1669 				    options->num_auth_methods++] = xstrdup(arg);
1670 			}
1671 		}
1672 		return 0;
1673 
1674 	case sHPNDisabled:
1675 		intptr = &options->hpn_disabled;
1676 		goto parse_flag;
1677 
1678 	case sHPNBufferSize:
1679 		intptr = &options->hpn_buffer_size;
1680 		goto parse_int;
1681 
1682 	case sTcpRcvBufPoll:
1683 		intptr = &options->tcp_rcv_buf_poll;
1684 		goto parse_flag;
1685 
1686 #ifdef	NONE_CIPHER_ENABLED
1687 	case sNoneEnabled:
1688 		intptr = &options->none_enabled;
1689 		goto parse_flag;
1690 #endif
1691 
1692 	case sDeprecated:
1693 		logit("%s line %d: Deprecated option %s",
1694 		    filename, linenum, arg);
1695 		while (arg)
1696 		    arg = strdelim(&cp);
1697 		break;
1698 
1699 	case sUnsupported:
1700 		logit("%s line %d: Unsupported option %s",
1701 		    filename, linenum, arg);
1702 		while (arg)
1703 		    arg = strdelim(&cp);
1704 		break;
1705 
1706 	default:
1707 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1708 		    filename, linenum, arg, opcode);
1709 	}
1710 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1711 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1712 		    filename, linenum, arg);
1713 	return 0;
1714 }
1715 
1716 /* Reads the server configuration file. */
1717 
1718 void
1719 load_server_config(const char *filename, Buffer *conf)
1720 {
1721 	char line[4096], *cp;
1722 	FILE *f;
1723 	int lineno = 0;
1724 
1725 	debug2("%s: filename %s", __func__, filename);
1726 	if ((f = fopen(filename, "r")) == NULL) {
1727 		perror(filename);
1728 		exit(1);
1729 	}
1730 	buffer_clear(conf);
1731 	while (fgets(line, sizeof(line), f)) {
1732 		lineno++;
1733 		if (strlen(line) == sizeof(line) - 1)
1734 			fatal("%s line %d too long", filename, lineno);
1735 		/*
1736 		 * Trim out comments and strip whitespace
1737 		 * NB - preserve newlines, they are needed to reproduce
1738 		 * line numbers later for error messages
1739 		 */
1740 		if ((cp = strchr(line, '#')) != NULL)
1741 			memcpy(cp, "\n", 2);
1742 		cp = line + strspn(line, " \t\r");
1743 
1744 		buffer_append(conf, cp, strlen(cp));
1745 	}
1746 	buffer_append(conf, "\0", 1);
1747 	fclose(f);
1748 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1749 }
1750 
1751 void
1752 parse_server_match_config(ServerOptions *options,
1753    struct connection_info *connectinfo)
1754 {
1755 	ServerOptions mo;
1756 
1757 	initialize_server_options(&mo);
1758 	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1759 	copy_set_server_options(options, &mo, 0);
1760 }
1761 
1762 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1763 {
1764 	char *p;
1765 
1766 	while ((p = strsep(&spec, ",")) && *p != '\0') {
1767 		if (strncmp(p, "addr=", 5) == 0) {
1768 			ci->address = xstrdup(p + 5);
1769 		} else if (strncmp(p, "host=", 5) == 0) {
1770 			ci->host = xstrdup(p + 5);
1771 		} else if (strncmp(p, "user=", 5) == 0) {
1772 			ci->user = xstrdup(p + 5);
1773 		} else if (strncmp(p, "laddr=", 6) == 0) {
1774 			ci->laddress = xstrdup(p + 6);
1775 		} else if (strncmp(p, "lport=", 6) == 0) {
1776 			ci->lport = a2port(p + 6);
1777 			if (ci->lport == -1) {
1778 				fprintf(stderr, "Invalid port '%s' in test mode"
1779 				   " specification %s\n", p+6, p);
1780 				return -1;
1781 			}
1782 		} else {
1783 			fprintf(stderr, "Invalid test mode specification %s\n",
1784 			   p);
1785 			return -1;
1786 		}
1787 	}
1788 	return 0;
1789 }
1790 
1791 /*
1792  * returns 1 for a complete spec, 0 for partial spec and -1 for an
1793  * empty spec.
1794  */
1795 int server_match_spec_complete(struct connection_info *ci)
1796 {
1797 	if (ci->user && ci->host && ci->address)
1798 		return 1;	/* complete */
1799 	if (!ci->user && !ci->host && !ci->address)
1800 		return -1;	/* empty */
1801 	return 0;	/* partial */
1802 }
1803 
1804 /*
1805  * Copy any supported values that are set.
1806  *
1807  * If the preauth flag is set, we do not bother copying the string or
1808  * array values that are not used pre-authentication, because any that we
1809  * do use must be explictly sent in mm_getpwnamallow().
1810  */
1811 void
1812 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1813 {
1814 #define M_CP_INTOPT(n) do {\
1815 	if (src->n != -1) \
1816 		dst->n = src->n; \
1817 } while (0)
1818 
1819 	M_CP_INTOPT(password_authentication);
1820 	M_CP_INTOPT(gss_authentication);
1821 	M_CP_INTOPT(rsa_authentication);
1822 	M_CP_INTOPT(pubkey_authentication);
1823 	M_CP_INTOPT(kerberos_authentication);
1824 	M_CP_INTOPT(hostbased_authentication);
1825 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1826 	M_CP_INTOPT(kbd_interactive_authentication);
1827 	M_CP_INTOPT(permit_root_login);
1828 	M_CP_INTOPT(permit_empty_passwd);
1829 
1830 	M_CP_INTOPT(allow_tcp_forwarding);
1831 	M_CP_INTOPT(allow_agent_forwarding);
1832 	M_CP_INTOPT(permit_tun);
1833 	M_CP_INTOPT(gateway_ports);
1834 	M_CP_INTOPT(x11_display_offset);
1835 	M_CP_INTOPT(x11_forwarding);
1836 	M_CP_INTOPT(x11_use_localhost);
1837 	M_CP_INTOPT(permit_tty);
1838 	M_CP_INTOPT(max_sessions);
1839 	M_CP_INTOPT(max_authtries);
1840 	M_CP_INTOPT(ip_qos_interactive);
1841 	M_CP_INTOPT(ip_qos_bulk);
1842 	M_CP_INTOPT(rekey_limit);
1843 	M_CP_INTOPT(rekey_interval);
1844 
1845 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
1846 #define M_CP_STROPT(n) do {\
1847 	if (src->n != NULL && dst->n != src->n) { \
1848 		free(dst->n); \
1849 		dst->n = src->n; \
1850 	} \
1851 } while(0)
1852 #define M_CP_STRARRAYOPT(n, num_n) do {\
1853 	if (src->num_n != 0) { \
1854 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1855 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1856 	} \
1857 } while(0)
1858 
1859 	/* See comment in servconf.h */
1860 	COPY_MATCH_STRING_OPTS();
1861 
1862 	/*
1863 	 * The only things that should be below this point are string options
1864 	 * which are only used after authentication.
1865 	 */
1866 	if (preauth)
1867 		return;
1868 
1869 	M_CP_STROPT(adm_forced_command);
1870 	M_CP_STROPT(chroot_directory);
1871 }
1872 
1873 #undef M_CP_INTOPT
1874 #undef M_CP_STROPT
1875 #undef M_CP_STRARRAYOPT
1876 
1877 void
1878 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1879     struct connection_info *connectinfo)
1880 {
1881 	int active, linenum, bad_options = 0;
1882 	char *cp, *obuf, *cbuf;
1883 
1884 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1885 
1886 	obuf = cbuf = xstrdup(buffer_ptr(conf));
1887 	active = connectinfo ? 0 : 1;
1888 	linenum = 1;
1889 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
1890 		if (process_server_config_line(options, cp, filename,
1891 		    linenum++, &active, connectinfo) != 0)
1892 			bad_options++;
1893 	}
1894 	free(obuf);
1895 	if (bad_options > 0)
1896 		fatal("%s: terminating, %d bad configuration options",
1897 		    filename, bad_options);
1898 }
1899 
1900 static const char *
1901 fmt_multistate_int(int val, const struct multistate *m)
1902 {
1903 	u_int i;
1904 
1905 	for (i = 0; m[i].key != NULL; i++) {
1906 		if (m[i].value == val)
1907 			return m[i].key;
1908 	}
1909 	return "UNKNOWN";
1910 }
1911 
1912 static const char *
1913 fmt_intarg(ServerOpCodes code, int val)
1914 {
1915 	if (val == -1)
1916 		return "unset";
1917 	switch (code) {
1918 	case sAddressFamily:
1919 		return fmt_multistate_int(val, multistate_addressfamily);
1920 	case sPermitRootLogin:
1921 		return fmt_multistate_int(val, multistate_permitrootlogin);
1922 	case sGatewayPorts:
1923 		return fmt_multistate_int(val, multistate_gatewayports);
1924 	case sCompression:
1925 		return fmt_multistate_int(val, multistate_compression);
1926 	case sUsePrivilegeSeparation:
1927 		return fmt_multistate_int(val, multistate_privsep);
1928 	case sAllowTcpForwarding:
1929 		return fmt_multistate_int(val, multistate_tcpfwd);
1930 	case sProtocol:
1931 		switch (val) {
1932 		case SSH_PROTO_1:
1933 			return "1";
1934 		case SSH_PROTO_2:
1935 			return "2";
1936 		case (SSH_PROTO_1|SSH_PROTO_2):
1937 			return "2,1";
1938 		default:
1939 			return "UNKNOWN";
1940 		}
1941 	default:
1942 		switch (val) {
1943 		case 0:
1944 			return "no";
1945 		case 1:
1946 			return "yes";
1947 		default:
1948 			return "UNKNOWN";
1949 		}
1950 	}
1951 }
1952 
1953 static const char *
1954 lookup_opcode_name(ServerOpCodes code)
1955 {
1956 	u_int i;
1957 
1958 	for (i = 0; keywords[i].name != NULL; i++)
1959 		if (keywords[i].opcode == code)
1960 			return(keywords[i].name);
1961 	return "UNKNOWN";
1962 }
1963 
1964 static void
1965 dump_cfg_int(ServerOpCodes code, int val)
1966 {
1967 	printf("%s %d\n", lookup_opcode_name(code), val);
1968 }
1969 
1970 static void
1971 dump_cfg_fmtint(ServerOpCodes code, int val)
1972 {
1973 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1974 }
1975 
1976 static void
1977 dump_cfg_string(ServerOpCodes code, const char *val)
1978 {
1979 	if (val == NULL)
1980 		return;
1981 	printf("%s %s\n", lookup_opcode_name(code), val);
1982 }
1983 
1984 static void
1985 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1986 {
1987 	u_int i;
1988 
1989 	for (i = 0; i < count; i++)
1990 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1991 }
1992 
1993 static void
1994 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1995 {
1996 	u_int i;
1997 
1998 	printf("%s", lookup_opcode_name(code));
1999 	for (i = 0; i < count; i++)
2000 		printf(" %s",  vals[i]);
2001 	printf("\n");
2002 }
2003 
2004 void
2005 dump_config(ServerOptions *o)
2006 {
2007 	u_int i;
2008 	int ret;
2009 	struct addrinfo *ai;
2010 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2011 
2012 	/* these are usually at the top of the config */
2013 	for (i = 0; i < o->num_ports; i++)
2014 		printf("port %d\n", o->ports[i]);
2015 	dump_cfg_fmtint(sProtocol, o->protocol);
2016 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2017 
2018 	/* ListenAddress must be after Port */
2019 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2020 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2021 		    sizeof(addr), port, sizeof(port),
2022 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2023 			error("getnameinfo failed: %.100s",
2024 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2025 			    strerror(errno));
2026 		} else {
2027 			if (ai->ai_family == AF_INET6)
2028 				printf("listenaddress [%s]:%s\n", addr, port);
2029 			else
2030 				printf("listenaddress %s:%s\n", addr, port);
2031 		}
2032 	}
2033 
2034 	/* integer arguments */
2035 #ifdef USE_PAM
2036 	dump_cfg_int(sUsePAM, o->use_pam);
2037 #endif
2038 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
2039 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2040 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2041 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2042 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2043 	dump_cfg_int(sMaxSessions, o->max_sessions);
2044 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2045 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2046 
2047 	/* formatted integer arguments */
2048 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2049 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2050 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2051 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2052 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2053 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2054 	    o->hostbased_uses_name_from_packet_only);
2055 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2056 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2057 #ifdef KRB5
2058 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2059 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2060 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2061 # ifdef USE_AFS
2062 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2063 # endif
2064 #endif
2065 #ifdef GSSAPI
2066 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2067 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2068 #endif
2069 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2070 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2071 	    o->kbd_interactive_authentication);
2072 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2073 	    o->challenge_response_authentication);
2074 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2075 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2076 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2077 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2078 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2079 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2080 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2081 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2082 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2083 	dump_cfg_fmtint(sUseLogin, o->use_login);
2084 	dump_cfg_fmtint(sCompression, o->compression);
2085 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
2086 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2087 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2088 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2089 
2090 	/* string arguments */
2091 	dump_cfg_string(sPidFile, o->pid_file);
2092 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2093 	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
2094 	    cipher_alg_list(',', 0));
2095 	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
2096 	dump_cfg_string(sBanner, o->banner);
2097 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2098 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2099 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2100 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2101 	dump_cfg_string(sAuthorizedPrincipalsFile,
2102 	    o->authorized_principals_file);
2103 	dump_cfg_string(sVersionAddendum, o->version_addendum);
2104 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2105 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2106 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2107 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
2108 	    kex_alg_list(','));
2109 
2110 	/* string arguments requiring a lookup */
2111 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2112 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2113 
2114 	/* string array arguments */
2115 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2116 	    o->authorized_keys_files);
2117 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2118 	     o->host_key_files);
2119 	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2120 	     o->host_cert_files);
2121 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2122 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2123 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2124 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2125 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2126 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2127 	    o->num_auth_methods, o->auth_methods);
2128 
2129 	/* other arguments */
2130 	for (i = 0; i < o->num_subsystems; i++)
2131 		printf("subsystem %s %s\n", o->subsystem_name[i],
2132 		    o->subsystem_args[i]);
2133 
2134 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2135 	    o->max_startups_rate, o->max_startups);
2136 
2137 	for (i = 0; tunmode_desc[i].val != -1; i++)
2138 		if (tunmode_desc[i].val == o->permit_tun) {
2139 			s = tunmode_desc[i].text;
2140 			break;
2141 		}
2142 	dump_cfg_string(sPermitTunnel, s);
2143 
2144 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2145 	printf("%s\n", iptos2str(o->ip_qos_bulk));
2146 
2147 	printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2148 	    o->rekey_interval);
2149 
2150 	channel_print_adm_permitted_opens();
2151 }
2152