xref: /freebsd/crypto/openssh/servconf.c (revision 9286d46a794f25482880d29864a8901ef6666fae)
1 /* $OpenBSD: servconf.c,v 1.403 2023/10/11 22:42:26 djm Exp $ */
2 /*
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  *
6  * As far as I am concerned, the code I have written for this software
7  * can be used freely for any purpose.  Any derived versions of this
8  * software must be clearly marked as such, and if the derived work is
9  * incompatible with the protocol description in the RFC file, it must be
10  * called by a name other than "ssh" or "Secure Shell".
11  */
12 
13 #include "includes.h"
14 
15 #include <sys/types.h>
16 #include <sys/socket.h>
17 #include <sys/stat.h>
18 #ifdef __OpenBSD__
19 #include <sys/sysctl.h>
20 #endif
21 
22 #include <netinet/in.h>
23 #include <netinet/in_systm.h>
24 #include <netinet/ip.h>
25 #ifdef HAVE_NET_ROUTE_H
26 #include <net/route.h>
27 #endif
28 
29 #include <ctype.h>
30 #include <netdb.h>
31 #include <pwd.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <signal.h>
36 #include <unistd.h>
37 #include <limits.h>
38 #include <stdarg.h>
39 #include <errno.h>
40 #ifdef HAVE_UTIL_H
41 #include <util.h>
42 #endif
43 #ifdef USE_SYSTEM_GLOB
44 # include <glob.h>
45 #else
46 # include "openbsd-compat/glob.h"
47 #endif
48 
49 #include "openbsd-compat/sys-queue.h"
50 #include "xmalloc.h"
51 #include "ssh.h"
52 #include "log.h"
53 #include "sshbuf.h"
54 #include "misc.h"
55 #include "servconf.h"
56 #include "pathnames.h"
57 #include "cipher.h"
58 #include "sshkey.h"
59 #include "kex.h"
60 #include "mac.h"
61 #include "match.h"
62 #include "channels.h"
63 #include "groupaccess.h"
64 #include "canohost.h"
65 #include "packet.h"
66 #include "ssherr.h"
67 #include "hostfile.h"
68 #include "auth.h"
69 #include "myproposal.h"
70 #include "digest.h"
71 #include "version.h"
72 
73 static void add_listen_addr(ServerOptions *, const char *,
74     const char *, int);
75 static void add_one_listen_addr(ServerOptions *, const char *,
76     const char *, int);
77 static void parse_server_config_depth(ServerOptions *options,
78     const char *filename, struct sshbuf *conf, struct include_list *includes,
79     struct connection_info *connectinfo, int flags, int *activep, int depth);
80 
81 /* Use of privilege separation or not */
82 extern int use_privsep;
83 extern struct sshbuf *cfg;
84 
85 /* Initializes the server options to their default values. */
86 
87 void
88 initialize_server_options(ServerOptions *options)
89 {
90 	memset(options, 0, sizeof(*options));
91 
92 	/* Portable-specific options */
93 	options->use_pam = -1;
94 
95 	/* Standard Options */
96 	options->num_ports = 0;
97 	options->ports_from_cmdline = 0;
98 	options->queued_listen_addrs = NULL;
99 	options->num_queued_listens = 0;
100 	options->listen_addrs = NULL;
101 	options->num_listen_addrs = 0;
102 	options->address_family = -1;
103 	options->routing_domain = NULL;
104 	options->num_host_key_files = 0;
105 	options->num_host_cert_files = 0;
106 	options->host_key_agent = NULL;
107 	options->pid_file = NULL;
108 	options->login_grace_time = -1;
109 	options->permit_root_login = PERMIT_NOT_SET;
110 	options->ignore_rhosts = -1;
111 	options->ignore_user_known_hosts = -1;
112 	options->print_motd = -1;
113 	options->print_lastlog = -1;
114 	options->x11_forwarding = -1;
115 	options->x11_display_offset = -1;
116 	options->x11_use_localhost = -1;
117 	options->permit_tty = -1;
118 	options->permit_user_rc = -1;
119 	options->xauth_location = NULL;
120 	options->strict_modes = -1;
121 	options->tcp_keep_alive = -1;
122 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
123 	options->log_level = SYSLOG_LEVEL_NOT_SET;
124 	options->num_log_verbose = 0;
125 	options->log_verbose = NULL;
126 	options->hostbased_authentication = -1;
127 	options->hostbased_uses_name_from_packet_only = -1;
128 	options->hostbased_accepted_algos = NULL;
129 	options->hostkeyalgorithms = NULL;
130 	options->pubkey_authentication = -1;
131 	options->pubkey_auth_options = -1;
132 	options->pubkey_accepted_algos = NULL;
133 	options->kerberos_authentication = -1;
134 	options->kerberos_or_local_passwd = -1;
135 	options->kerberos_ticket_cleanup = -1;
136 	options->kerberos_get_afs_token = -1;
137 	options->gss_authentication=-1;
138 	options->gss_cleanup_creds = -1;
139 	options->gss_strict_acceptor = -1;
140 	options->password_authentication = -1;
141 	options->kbd_interactive_authentication = -1;
142 	options->permit_empty_passwd = -1;
143 	options->permit_user_env = -1;
144 	options->permit_user_env_allowlist = NULL;
145 	options->compression = -1;
146 	options->rekey_limit = -1;
147 	options->rekey_interval = -1;
148 	options->allow_tcp_forwarding = -1;
149 	options->allow_streamlocal_forwarding = -1;
150 	options->allow_agent_forwarding = -1;
151 	options->num_allow_users = 0;
152 	options->num_deny_users = 0;
153 	options->num_allow_groups = 0;
154 	options->num_deny_groups = 0;
155 	options->ciphers = NULL;
156 	options->macs = NULL;
157 	options->kex_algorithms = NULL;
158 	options->ca_sign_algorithms = NULL;
159 	options->fwd_opts.gateway_ports = -1;
160 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
161 	options->fwd_opts.streamlocal_bind_unlink = -1;
162 	options->num_subsystems = 0;
163 	options->max_startups_begin = -1;
164 	options->max_startups_rate = -1;
165 	options->max_startups = -1;
166 	options->per_source_max_startups = -1;
167 	options->per_source_masklen_ipv4 = -1;
168 	options->per_source_masklen_ipv6 = -1;
169 	options->max_authtries = -1;
170 	options->max_sessions = -1;
171 	options->banner = NULL;
172 	options->use_dns = -1;
173 	options->client_alive_interval = -1;
174 	options->client_alive_count_max = -1;
175 	options->num_authkeys_files = 0;
176 	options->num_accept_env = 0;
177 	options->num_setenv = 0;
178 	options->permit_tun = -1;
179 	options->permitted_opens = NULL;
180 	options->permitted_listens = NULL;
181 	options->adm_forced_command = NULL;
182 	options->chroot_directory = NULL;
183 	options->authorized_keys_command = NULL;
184 	options->authorized_keys_command_user = NULL;
185 	options->revoked_keys_file = NULL;
186 	options->sk_provider = NULL;
187 	options->trusted_user_ca_keys = NULL;
188 	options->authorized_principals_file = NULL;
189 	options->authorized_principals_command = NULL;
190 	options->authorized_principals_command_user = NULL;
191 	options->ip_qos_interactive = -1;
192 	options->ip_qos_bulk = -1;
193 	options->version_addendum = NULL;
194 	options->fingerprint_hash = -1;
195 	options->disable_forwarding = -1;
196 	options->expose_userauth_info = -1;
197 	options->required_rsa_size = -1;
198 	options->channel_timeouts = NULL;
199 	options->num_channel_timeouts = 0;
200 	options->unused_connection_timeout = -1;
201 	options->use_blacklist = -1;
202 }
203 
204 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
205 static int
206 option_clear_or_none(const char *o)
207 {
208 	return o == NULL || strcasecmp(o, "none") == 0;
209 }
210 
211 static void
212 assemble_algorithms(ServerOptions *o)
213 {
214 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
215 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
216 	int r;
217 
218 	all_cipher = cipher_alg_list(',', 0);
219 	all_mac = mac_alg_list(',');
220 	all_kex = kex_alg_list(',');
221 	all_key = sshkey_alg_list(0, 0, 1, ',');
222 	all_sig = sshkey_alg_list(0, 1, 1, ',');
223 	/* remove unsupported algos from default lists */
224 	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
225 	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
226 	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
227 	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
228 	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
229 #define ASSEMBLE(what, defaults, all) \
230 	do { \
231 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
232 			fatal_fr(r, "%s", #what); \
233 	} while (0)
234 	ASSEMBLE(ciphers, def_cipher, all_cipher);
235 	ASSEMBLE(macs, def_mac, all_mac);
236 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
237 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
238 	ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
239 	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
240 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
241 #undef ASSEMBLE
242 	free(all_cipher);
243 	free(all_mac);
244 	free(all_kex);
245 	free(all_key);
246 	free(all_sig);
247 	free(def_cipher);
248 	free(def_mac);
249 	free(def_kex);
250 	free(def_key);
251 	free(def_sig);
252 }
253 
254 static const char *defaultkey = "[default]";
255 
256 void
257 servconf_add_hostkey(const char *file, const int line,
258     ServerOptions *options, const char *path, int userprovided)
259 {
260 	char *apath = derelativise_path(path);
261 
262 	if (file == defaultkey && access(path, R_OK) != 0)
263 		return;
264 	opt_array_append2(file, line, "HostKey",
265 	    &options->host_key_files, &options->host_key_file_userprovided,
266 	    &options->num_host_key_files, apath, userprovided);
267 	free(apath);
268 }
269 
270 void
271 servconf_add_hostcert(const char *file, const int line,
272     ServerOptions *options, const char *path)
273 {
274 	char *apath = derelativise_path(path);
275 
276 	opt_array_append(file, line, "HostCertificate",
277 	    &options->host_cert_files, &options->num_host_cert_files, apath);
278 	free(apath);
279 }
280 
281 void
282 fill_default_server_options(ServerOptions *options)
283 {
284 	u_int i;
285 
286 	/* Portable-specific options */
287 	if (options->use_pam == -1)
288 		options->use_pam = 1;
289 
290 	/* Standard Options */
291 	if (options->num_host_key_files == 0) {
292 		/* fill default hostkeys for protocols */
293 		servconf_add_hostkey(defaultkey, 0, options,
294 		    _PATH_HOST_RSA_KEY_FILE, 0);
295 #ifdef OPENSSL_HAS_ECC
296 		servconf_add_hostkey(defaultkey, 0, options,
297 		    _PATH_HOST_ECDSA_KEY_FILE, 0);
298 #endif
299 		servconf_add_hostkey(defaultkey, 0, options,
300 		    _PATH_HOST_ED25519_KEY_FILE, 0);
301 #ifdef WITH_XMSS
302 		servconf_add_hostkey(defaultkey, 0, options,
303 		    _PATH_HOST_XMSS_KEY_FILE, 0);
304 #endif /* WITH_XMSS */
305 	}
306 	if (options->num_host_key_files == 0)
307 		fatal("No host key files found");
308 	/* No certificates by default */
309 	if (options->num_ports == 0)
310 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
311 	if (options->address_family == -1)
312 		options->address_family = AF_UNSPEC;
313 	if (options->listen_addrs == NULL)
314 		add_listen_addr(options, NULL, NULL, 0);
315 	if (options->pid_file == NULL)
316 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
317 	if (options->moduli_file == NULL)
318 		options->moduli_file = xstrdup(_PATH_DH_MODULI);
319 	if (options->login_grace_time == -1)
320 		options->login_grace_time = 120;
321 	if (options->permit_root_login == PERMIT_NOT_SET)
322 		options->permit_root_login = PERMIT_NO;
323 	if (options->ignore_rhosts == -1)
324 		options->ignore_rhosts = 1;
325 	if (options->ignore_user_known_hosts == -1)
326 		options->ignore_user_known_hosts = 0;
327 	if (options->print_motd == -1)
328 		options->print_motd = 1;
329 	if (options->print_lastlog == -1)
330 		options->print_lastlog = 1;
331 	if (options->x11_forwarding == -1)
332 		options->x11_forwarding = 0;
333 	if (options->x11_display_offset == -1)
334 		options->x11_display_offset = 10;
335 	if (options->x11_use_localhost == -1)
336 		options->x11_use_localhost = 1;
337 	if (options->xauth_location == NULL)
338 		options->xauth_location = xstrdup(_PATH_XAUTH);
339 	if (options->permit_tty == -1)
340 		options->permit_tty = 1;
341 	if (options->permit_user_rc == -1)
342 		options->permit_user_rc = 1;
343 	if (options->strict_modes == -1)
344 		options->strict_modes = 1;
345 	if (options->tcp_keep_alive == -1)
346 		options->tcp_keep_alive = 1;
347 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
348 		options->log_facility = SYSLOG_FACILITY_AUTH;
349 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
350 		options->log_level = SYSLOG_LEVEL_INFO;
351 	if (options->hostbased_authentication == -1)
352 		options->hostbased_authentication = 0;
353 	if (options->hostbased_uses_name_from_packet_only == -1)
354 		options->hostbased_uses_name_from_packet_only = 0;
355 	if (options->pubkey_authentication == -1)
356 		options->pubkey_authentication = 1;
357 	if (options->pubkey_auth_options == -1)
358 		options->pubkey_auth_options = 0;
359 	if (options->kerberos_authentication == -1)
360 		options->kerberos_authentication = 0;
361 	if (options->kerberos_or_local_passwd == -1)
362 		options->kerberos_or_local_passwd = 1;
363 	if (options->kerberos_ticket_cleanup == -1)
364 		options->kerberos_ticket_cleanup = 1;
365 	if (options->kerberos_get_afs_token == -1)
366 		options->kerberos_get_afs_token = 0;
367 	if (options->gss_authentication == -1)
368 		options->gss_authentication = 0;
369 	if (options->gss_cleanup_creds == -1)
370 		options->gss_cleanup_creds = 1;
371 	if (options->gss_strict_acceptor == -1)
372 		options->gss_strict_acceptor = 1;
373 	if (options->password_authentication == -1)
374 		options->password_authentication = 0;
375 	if (options->kbd_interactive_authentication == -1)
376 		options->kbd_interactive_authentication = 1;
377 	if (options->permit_empty_passwd == -1)
378 		options->permit_empty_passwd = 0;
379 	if (options->permit_user_env == -1) {
380 		options->permit_user_env = 0;
381 		options->permit_user_env_allowlist = NULL;
382 	}
383 	if (options->compression == -1)
384 #ifdef WITH_ZLIB
385 		options->compression = COMP_DELAYED;
386 #else
387 		options->compression = COMP_NONE;
388 #endif
389 
390 	if (options->rekey_limit == -1)
391 		options->rekey_limit = 0;
392 	if (options->rekey_interval == -1)
393 		options->rekey_interval = 0;
394 	if (options->allow_tcp_forwarding == -1)
395 		options->allow_tcp_forwarding = FORWARD_ALLOW;
396 	if (options->allow_streamlocal_forwarding == -1)
397 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
398 	if (options->allow_agent_forwarding == -1)
399 		options->allow_agent_forwarding = 1;
400 	if (options->fwd_opts.gateway_ports == -1)
401 		options->fwd_opts.gateway_ports = 0;
402 	if (options->max_startups == -1)
403 		options->max_startups = 100;
404 	if (options->max_startups_rate == -1)
405 		options->max_startups_rate = 30;		/* 30% */
406 	if (options->max_startups_begin == -1)
407 		options->max_startups_begin = 10;
408 	if (options->per_source_max_startups == -1)
409 		options->per_source_max_startups = INT_MAX;
410 	if (options->per_source_masklen_ipv4 == -1)
411 		options->per_source_masklen_ipv4 = 32;
412 	if (options->per_source_masklen_ipv6 == -1)
413 		options->per_source_masklen_ipv6 = 128;
414 	if (options->max_authtries == -1)
415 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
416 	if (options->max_sessions == -1)
417 		options->max_sessions = DEFAULT_SESSIONS_MAX;
418 	if (options->use_dns == -1)
419 		options->use_dns = 1;
420 	if (options->client_alive_interval == -1)
421 		options->client_alive_interval = 0;
422 	if (options->client_alive_count_max == -1)
423 		options->client_alive_count_max = 3;
424 	if (options->num_authkeys_files == 0) {
425 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
426 		    &options->authorized_keys_files,
427 		    &options->num_authkeys_files,
428 		    _PATH_SSH_USER_PERMITTED_KEYS);
429 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
430 		    &options->authorized_keys_files,
431 		    &options->num_authkeys_files,
432 		    _PATH_SSH_USER_PERMITTED_KEYS2);
433 	}
434 	if (options->permit_tun == -1)
435 		options->permit_tun = SSH_TUNMODE_NO;
436 	if (options->ip_qos_interactive == -1)
437 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
438 	if (options->ip_qos_bulk == -1)
439 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
440 	if (options->version_addendum == NULL)
441 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
442 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
443 		options->fwd_opts.streamlocal_bind_mask = 0177;
444 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
445 		options->fwd_opts.streamlocal_bind_unlink = 0;
446 	if (options->fingerprint_hash == -1)
447 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
448 	if (options->disable_forwarding == -1)
449 		options->disable_forwarding = 0;
450 	if (options->expose_userauth_info == -1)
451 		options->expose_userauth_info = 0;
452 	if (options->sk_provider == NULL)
453 		options->sk_provider = xstrdup("internal");
454 	if (options->required_rsa_size == -1)
455 		options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
456 	if (options->unused_connection_timeout == -1)
457 		options->unused_connection_timeout = 0;
458 	if (options->use_blacklist == -1)
459 		options->use_blacklist = 0;
460 
461 	assemble_algorithms(options);
462 
463 	/* Turn privilege separation and sandboxing on by default */
464 	if (use_privsep == -1)
465 		use_privsep = PRIVSEP_ON;
466 
467 #define CLEAR_ON_NONE(v) \
468 	do { \
469 		if (option_clear_or_none(v)) { \
470 			free(v); \
471 			v = NULL; \
472 		} \
473 	} while(0)
474 #define CLEAR_ON_NONE_ARRAY(v, nv, none) \
475 	do { \
476 		if (options->nv == 1 && \
477 		    strcasecmp(options->v[0], none) == 0) { \
478 			free(options->v[0]); \
479 			free(options->v); \
480 			options->v = NULL; \
481 			options->nv = 0; \
482 		} \
483 	} while (0)
484 	CLEAR_ON_NONE(options->pid_file);
485 	CLEAR_ON_NONE(options->xauth_location);
486 	CLEAR_ON_NONE(options->banner);
487 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
488 	CLEAR_ON_NONE(options->revoked_keys_file);
489 	CLEAR_ON_NONE(options->sk_provider);
490 	CLEAR_ON_NONE(options->authorized_principals_file);
491 	CLEAR_ON_NONE(options->adm_forced_command);
492 	CLEAR_ON_NONE(options->chroot_directory);
493 	CLEAR_ON_NONE(options->routing_domain);
494 	CLEAR_ON_NONE(options->host_key_agent);
495 
496 	for (i = 0; i < options->num_host_key_files; i++)
497 		CLEAR_ON_NONE(options->host_key_files[i]);
498 	for (i = 0; i < options->num_host_cert_files; i++)
499 		CLEAR_ON_NONE(options->host_cert_files[i]);
500 
501 	CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
502 	CLEAR_ON_NONE_ARRAY(auth_methods, num_auth_methods, "any");
503 #undef CLEAR_ON_NONE
504 #undef CLEAR_ON_NONE_ARRAY
505 }
506 
507 /* Keyword tokens. */
508 typedef enum {
509 	sBadOption,		/* == unknown option */
510 	/* Portable-specific options */
511 	sUsePAM,
512 	/* Standard Options */
513 	sPort, sHostKeyFile, sLoginGraceTime,
514 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
515 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
516 	sKerberosGetAFSToken, sPasswordAuthentication,
517 	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
518 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
519 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
520 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
521 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
522 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
523 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
524 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
525 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
526 	sBanner, sUseDNS, sHostbasedAuthentication,
527 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
528 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
529 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
530 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
531 	sAcceptEnv, sSetEnv, sPermitTunnel,
532 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
533 	sUsePrivilegeSeparation, sAllowAgentForwarding,
534 	sHostCertificate, sInclude,
535 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
536 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
537 	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
538 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
539 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
540 	sStreamLocalBindMask, sStreamLocalBindUnlink,
541 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
542 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
543 	sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
544 	sUseBlacklist,
545 	sDeprecated, sIgnore, sUnsupported
546 } ServerOpCodes;
547 
548 #define SSHCFG_GLOBAL		0x01	/* allowed in main section of config */
549 #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
550 #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
551 #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
552 #define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
553 
554 /* Textual representation of the tokens. */
555 static struct {
556 	const char *name;
557 	ServerOpCodes opcode;
558 	u_int flags;
559 } keywords[] = {
560 	/* Portable-specific options */
561 #ifdef USE_PAM
562 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
563 #else
564 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
565 #endif
566 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
567 	/* Standard Options */
568 	{ "port", sPort, SSHCFG_GLOBAL },
569 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
570 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
571 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
572 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
573 	{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
574 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
575 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
576 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
577 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
578 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
579 	{ "loglevel", sLogLevel, SSHCFG_ALL },
580 	{ "logverbose", sLogVerbose, SSHCFG_ALL },
581 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
582 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
583 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
584 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
585 	{ "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
586 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
587 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
588 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
589 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
590 	{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
591 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
592 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
593 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
594 #ifdef KRB5
595 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
596 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
597 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
598 #ifdef USE_AFS
599 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
600 #else
601 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
602 #endif
603 #else
604 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
605 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
606 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
607 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
608 #endif
609 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
610 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
611 #ifdef GSSAPI
612 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
613 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
614 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
615 #else
616 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
617 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
618 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
619 #endif
620 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
621 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
622 	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
623 	{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
624 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
625 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
626 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
627 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
628 #ifdef DISABLE_LASTLOG
629 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
630 #else
631 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
632 #endif
633 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
634 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
635 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
636 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
637 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
638 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
639 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
640 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
641 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
642 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
643 	{ "compression", sCompression, SSHCFG_GLOBAL },
644 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
645 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
646 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
647 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
648 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
649 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
650 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
651 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
652 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
653 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
654 	{ "macs", sMacs, SSHCFG_GLOBAL },
655 	{ "protocol", sIgnore, SSHCFG_GLOBAL },
656 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
657 	{ "subsystem", sSubsystem, SSHCFG_ALL },
658 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
659 	{ "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
660 	{ "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
661 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
662 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
663 	{ "banner", sBanner, SSHCFG_ALL },
664 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
665 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
666 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
667 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
668 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
669 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
670 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
671 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
672 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
673 	{ "setenv", sSetEnv, SSHCFG_ALL },
674 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
675 	{ "permittty", sPermitTTY, SSHCFG_ALL },
676 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
677 	{ "match", sMatch, SSHCFG_ALL },
678 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
679 	{ "permitlisten", sPermitListen, SSHCFG_ALL },
680 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
681 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
682 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
683 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
684 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
685 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
686 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
687 	{ "include", sInclude, SSHCFG_ALL },
688 	{ "ipqos", sIPQoS, SSHCFG_ALL },
689 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
690 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
691 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
692 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
693 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
694 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
695 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
696 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
697 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
698 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
699 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
700 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
701 	{ "rdomain", sRDomain, SSHCFG_ALL },
702 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
703 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
704 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
705 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
706 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
707 	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
708 	{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
709 
710 	{ NULL, sBadOption, 0 }
711 };
712 
713 static struct {
714 	int val;
715 	char *text;
716 } tunmode_desc[] = {
717 	{ SSH_TUNMODE_NO, "no" },
718 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
719 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
720 	{ SSH_TUNMODE_YES, "yes" },
721 	{ -1, NULL }
722 };
723 
724 /* Returns an opcode name from its number */
725 
726 static const char *
727 lookup_opcode_name(ServerOpCodes code)
728 {
729 	u_int i;
730 
731 	for (i = 0; keywords[i].name != NULL; i++)
732 		if (keywords[i].opcode == code)
733 			return(keywords[i].name);
734 	return "UNKNOWN";
735 }
736 
737 
738 /*
739  * Returns the number of the token pointed to by cp or sBadOption.
740  */
741 
742 static ServerOpCodes
743 parse_token(const char *cp, const char *filename,
744 	    int linenum, u_int *flags)
745 {
746 	u_int i;
747 
748 	for (i = 0; keywords[i].name; i++)
749 		if (strcasecmp(cp, keywords[i].name) == 0) {
750 			*flags = keywords[i].flags;
751 			return keywords[i].opcode;
752 		}
753 
754 	error("%s: line %d: Bad configuration option: %s",
755 	    filename, linenum, cp);
756 	return sBadOption;
757 }
758 
759 char *
760 derelativise_path(const char *path)
761 {
762 	char *expanded, *ret, cwd[PATH_MAX];
763 
764 	if (strcasecmp(path, "none") == 0)
765 		return xstrdup("none");
766 	expanded = tilde_expand_filename(path, getuid());
767 	if (path_absolute(expanded))
768 		return expanded;
769 	if (getcwd(cwd, sizeof(cwd)) == NULL)
770 		fatal_f("getcwd: %s", strerror(errno));
771 	xasprintf(&ret, "%s/%s", cwd, expanded);
772 	free(expanded);
773 	return ret;
774 }
775 
776 static void
777 add_listen_addr(ServerOptions *options, const char *addr,
778     const char *rdomain, int port)
779 {
780 	u_int i;
781 
782 	if (port > 0)
783 		add_one_listen_addr(options, addr, rdomain, port);
784 	else {
785 		for (i = 0; i < options->num_ports; i++) {
786 			add_one_listen_addr(options, addr, rdomain,
787 			    options->ports[i]);
788 		}
789 	}
790 }
791 
792 static void
793 add_one_listen_addr(ServerOptions *options, const char *addr,
794     const char *rdomain, int port)
795 {
796 	struct addrinfo hints, *ai, *aitop;
797 	char strport[NI_MAXSERV];
798 	int gaierr;
799 	u_int i;
800 
801 	/* Find listen_addrs entry for this rdomain */
802 	for (i = 0; i < options->num_listen_addrs; i++) {
803 		if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
804 			break;
805 		if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
806 			continue;
807 		if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
808 			break;
809 	}
810 	if (i >= options->num_listen_addrs) {
811 		/* No entry for this rdomain; allocate one */
812 		if (i >= INT_MAX)
813 			fatal_f("too many listen addresses");
814 		options->listen_addrs = xrecallocarray(options->listen_addrs,
815 		    options->num_listen_addrs, options->num_listen_addrs + 1,
816 		    sizeof(*options->listen_addrs));
817 		i = options->num_listen_addrs++;
818 		if (rdomain != NULL)
819 			options->listen_addrs[i].rdomain = xstrdup(rdomain);
820 	}
821 	/* options->listen_addrs[i] points to the addresses for this rdomain */
822 
823 	memset(&hints, 0, sizeof(hints));
824 	hints.ai_family = options->address_family;
825 	hints.ai_socktype = SOCK_STREAM;
826 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
827 	snprintf(strport, sizeof strport, "%d", port);
828 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
829 		fatal("bad addr or host: %s (%s)",
830 		    addr ? addr : "<NULL>",
831 		    ssh_gai_strerror(gaierr));
832 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
833 		;
834 	ai->ai_next = options->listen_addrs[i].addrs;
835 	options->listen_addrs[i].addrs = aitop;
836 }
837 
838 /* Returns nonzero if the routing domain name is valid */
839 static int
840 valid_rdomain(const char *name)
841 {
842 #if defined(HAVE_SYS_VALID_RDOMAIN)
843 	return sys_valid_rdomain(name);
844 #elif defined(__OpenBSD__)
845 	const char *errstr;
846 	long long num;
847 	struct rt_tableinfo info;
848 	int mib[6];
849 	size_t miblen = sizeof(mib);
850 
851 	if (name == NULL)
852 		return 1;
853 
854 	num = strtonum(name, 0, 255, &errstr);
855 	if (errstr != NULL)
856 		return 0;
857 
858 	/* Check whether the table actually exists */
859 	memset(mib, 0, sizeof(mib));
860 	mib[0] = CTL_NET;
861 	mib[1] = PF_ROUTE;
862 	mib[4] = NET_RT_TABLE;
863 	mib[5] = (int)num;
864 	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
865 		return 0;
866 
867 	return 1;
868 #else /* defined(__OpenBSD__) */
869 	error("Routing domains are not supported on this platform");
870 	return 0;
871 #endif
872 }
873 
874 /*
875  * Queue a ListenAddress to be processed once we have all of the Ports
876  * and AddressFamily options.
877  */
878 static void
879 queue_listen_addr(ServerOptions *options, const char *addr,
880     const char *rdomain, int port)
881 {
882 	struct queued_listenaddr *qla;
883 
884 	options->queued_listen_addrs = xrecallocarray(
885 	    options->queued_listen_addrs,
886 	    options->num_queued_listens, options->num_queued_listens + 1,
887 	    sizeof(*options->queued_listen_addrs));
888 	qla = &options->queued_listen_addrs[options->num_queued_listens++];
889 	qla->addr = xstrdup(addr);
890 	qla->port = port;
891 	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
892 }
893 
894 /*
895  * Process queued (text) ListenAddress entries.
896  */
897 static void
898 process_queued_listen_addrs(ServerOptions *options)
899 {
900 	u_int i;
901 	struct queued_listenaddr *qla;
902 
903 	if (options->num_ports == 0)
904 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
905 	if (options->address_family == -1)
906 		options->address_family = AF_UNSPEC;
907 
908 	for (i = 0; i < options->num_queued_listens; i++) {
909 		qla = &options->queued_listen_addrs[i];
910 		add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
911 		free(qla->addr);
912 		free(qla->rdomain);
913 	}
914 	free(options->queued_listen_addrs);
915 	options->queued_listen_addrs = NULL;
916 	options->num_queued_listens = 0;
917 }
918 
919 /*
920  * Inform channels layer of permitopen options for a single forwarding
921  * direction (local/remote).
922  */
923 static void
924 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
925     char **opens, u_int num_opens)
926 {
927 	u_int i;
928 	int port;
929 	char *host, *arg, *oarg;
930 	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
931 	const char *what = lookup_opcode_name(opcode);
932 
933 	channel_clear_permission(ssh, FORWARD_ADM, where);
934 	if (num_opens == 0)
935 		return; /* permit any */
936 
937 	/* handle keywords: "any" / "none" */
938 	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
939 		return;
940 	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
941 		channel_disable_admin(ssh, where);
942 		return;
943 	}
944 	/* Otherwise treat it as a list of permitted host:port */
945 	for (i = 0; i < num_opens; i++) {
946 		oarg = arg = xstrdup(opens[i]);
947 		host = hpdelim(&arg);
948 		if (host == NULL)
949 			fatal_f("missing host in %s", what);
950 		host = cleanhostname(host);
951 		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
952 			fatal_f("bad port number in %s", what);
953 		/* Send it to channels layer */
954 		channel_add_permission(ssh, FORWARD_ADM,
955 		    where, host, port);
956 		free(oarg);
957 	}
958 }
959 
960 /*
961  * Inform channels layer of permitopen options from configuration.
962  */
963 void
964 process_permitopen(struct ssh *ssh, ServerOptions *options)
965 {
966 	process_permitopen_list(ssh, sPermitOpen,
967 	    options->permitted_opens, options->num_permitted_opens);
968 	process_permitopen_list(ssh, sPermitListen,
969 	    options->permitted_listens,
970 	    options->num_permitted_listens);
971 }
972 
973 void
974 process_channel_timeouts(struct ssh *ssh, ServerOptions *options)
975 {
976 	int secs;
977 	u_int i;
978 	char *type;
979 
980 	debug3_f("setting %u timeouts", options->num_channel_timeouts);
981 	channel_clear_timeouts(ssh);
982 	for (i = 0; i < options->num_channel_timeouts; i++) {
983 		if (parse_pattern_interval(options->channel_timeouts[i],
984 		    &type, &secs) != 0) {
985 			fatal_f("internal error: bad timeout %s",
986 			    options->channel_timeouts[i]);
987 		}
988 		channel_add_timeout(ssh, type, secs);
989 		free(type);
990 	}
991 }
992 
993 struct connection_info *
994 get_connection_info(struct ssh *ssh, int populate, int use_dns)
995 {
996 	static struct connection_info ci;
997 
998 	if (ssh == NULL || !populate)
999 		return &ci;
1000 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
1001 	ci.address = ssh_remote_ipaddr(ssh);
1002 	ci.laddress = ssh_local_ipaddr(ssh);
1003 	ci.lport = ssh_local_port(ssh);
1004 	ci.rdomain = ssh_packet_rdomain_in(ssh);
1005 	return &ci;
1006 }
1007 
1008 /*
1009  * The strategy for the Match blocks is that the config file is parsed twice.
1010  *
1011  * The first time is at startup.  activep is initialized to 1 and the
1012  * directives in the global context are processed and acted on.  Hitting a
1013  * Match directive unsets activep and the directives inside the block are
1014  * checked for syntax only.
1015  *
1016  * The second time is after a connection has been established but before
1017  * authentication.  activep is initialized to 2 and global config directives
1018  * are ignored since they have already been processed.  If the criteria in a
1019  * Match block is met, activep is set and the subsequent directives
1020  * processed and actioned until EOF or another Match block unsets it.  Any
1021  * options set are copied into the main server config.
1022  *
1023  * Potential additions/improvements:
1024  *  - Add Match support for pre-kex directives, eg. Ciphers.
1025  *
1026  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
1027  *	Match Address 192.168.0.*
1028  *		Tag trusted
1029  *	Match Group wheel
1030  *		Tag trusted
1031  *	Match Tag trusted
1032  *		AllowTcpForwarding yes
1033  *		GatewayPorts clientspecified
1034  *		[...]
1035  *
1036  *  - Add a PermittedChannelRequests directive
1037  *	Match Group shell
1038  *		PermittedChannelRequests session,forwarded-tcpip
1039  */
1040 
1041 static int
1042 match_cfg_line_group(const char *grps, int line, const char *user)
1043 {
1044 	int result = 0;
1045 	struct passwd *pw;
1046 
1047 	if (user == NULL)
1048 		goto out;
1049 
1050 	if ((pw = getpwnam(user)) == NULL) {
1051 		debug("Can't match group at line %d because user %.100s does "
1052 		    "not exist", line, user);
1053 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1054 		debug("Can't Match group because user %.100s not in any group "
1055 		    "at line %d", user, line);
1056 	} else if (ga_match_pattern_list(grps) != 1) {
1057 		debug("user %.100s does not match group list %.100s at line %d",
1058 		    user, grps, line);
1059 	} else {
1060 		debug("user %.100s matched group list %.100s at line %d", user,
1061 		    grps, line);
1062 		result = 1;
1063 	}
1064 out:
1065 	ga_free();
1066 	return result;
1067 }
1068 
1069 static void
1070 match_test_missing_fatal(const char *criteria, const char *attrib)
1071 {
1072 	fatal("'Match %s' in configuration but '%s' not in connection "
1073 	    "test specification.", criteria, attrib);
1074 }
1075 
1076 /*
1077  * All of the attributes on a single Match line are ANDed together, so we need
1078  * to check every attribute and set the result to zero if any attribute does
1079  * not match.
1080  */
1081 static int
1082 match_cfg_line(char **condition, int line, struct connection_info *ci)
1083 {
1084 	int result = 1, attributes = 0, port;
1085 	char *arg, *attrib, *cp = *condition;
1086 
1087 	if (ci == NULL)
1088 		debug3("checking syntax for 'Match %s'", cp);
1089 	else
1090 		debug3("checking match for '%s' user %s host %s addr %s "
1091 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1092 		    ci->host ? ci->host : "(null)",
1093 		    ci->address ? ci->address : "(null)",
1094 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
1095 
1096 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1097 		/* Terminate on comment */
1098 		if (*attrib == '#') {
1099 			cp = NULL; /* mark all arguments consumed */
1100 			break;
1101 		}
1102 		arg = NULL;
1103 		attributes++;
1104 		/* Criterion "all" has no argument and must appear alone */
1105 		if (strcasecmp(attrib, "all") == 0) {
1106 			if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
1107 			    *arg != '\0' && *arg != '#')) {
1108 				error("'all' cannot be combined with other "
1109 				    "Match attributes");
1110 				return -1;
1111 			}
1112 			if (arg != NULL && *arg == '#')
1113 				cp = NULL; /* mark all arguments consumed */
1114 			*condition = cp;
1115 			return 1;
1116 		}
1117 		/* All other criteria require an argument */
1118 		if ((arg = strdelim(&cp)) == NULL ||
1119 		    *arg == '\0' || *arg == '#') {
1120 			error("Missing Match criteria for %s", attrib);
1121 			return -1;
1122 		}
1123 		if (strcasecmp(attrib, "user") == 0) {
1124 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1125 				result = 0;
1126 				continue;
1127 			}
1128 			if (ci->user == NULL)
1129 				match_test_missing_fatal("User", "user");
1130 			if (match_usergroup_pattern_list(ci->user, arg) != 1)
1131 				result = 0;
1132 			else
1133 				debug("user %.100s matched 'User %.100s' at "
1134 				    "line %d", ci->user, arg, line);
1135 		} else if (strcasecmp(attrib, "group") == 0) {
1136 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1137 				result = 0;
1138 				continue;
1139 			}
1140 			if (ci->user == NULL)
1141 				match_test_missing_fatal("Group", "user");
1142 			switch (match_cfg_line_group(arg, line, ci->user)) {
1143 			case -1:
1144 				return -1;
1145 			case 0:
1146 				result = 0;
1147 			}
1148 		} else if (strcasecmp(attrib, "host") == 0) {
1149 			if (ci == NULL || (ci->test && ci->host == NULL)) {
1150 				result = 0;
1151 				continue;
1152 			}
1153 			if (ci->host == NULL)
1154 				match_test_missing_fatal("Host", "host");
1155 			if (match_hostname(ci->host, arg) != 1)
1156 				result = 0;
1157 			else
1158 				debug("connection from %.100s matched 'Host "
1159 				    "%.100s' at line %d", ci->host, arg, line);
1160 		} else if (strcasecmp(attrib, "address") == 0) {
1161 			if (ci == NULL || (ci->test && ci->address == NULL)) {
1162 				if (addr_match_list(NULL, arg) != 0)
1163 					fatal("Invalid Match address argument "
1164 					    "'%s' at line %d", arg, line);
1165 				result = 0;
1166 				continue;
1167 			}
1168 			if (ci->address == NULL)
1169 				match_test_missing_fatal("Address", "addr");
1170 			switch (addr_match_list(ci->address, arg)) {
1171 			case 1:
1172 				debug("connection from %.100s matched 'Address "
1173 				    "%.100s' at line %d", ci->address, arg, line);
1174 				break;
1175 			case 0:
1176 			case -1:
1177 				result = 0;
1178 				break;
1179 			case -2:
1180 				return -1;
1181 			}
1182 		} else if (strcasecmp(attrib, "localaddress") == 0){
1183 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1184 				if (addr_match_list(NULL, arg) != 0)
1185 					fatal("Invalid Match localaddress "
1186 					    "argument '%s' at line %d", arg,
1187 					    line);
1188 				result = 0;
1189 				continue;
1190 			}
1191 			if (ci->laddress == NULL)
1192 				match_test_missing_fatal("LocalAddress",
1193 				    "laddr");
1194 			switch (addr_match_list(ci->laddress, arg)) {
1195 			case 1:
1196 				debug("connection from %.100s matched "
1197 				    "'LocalAddress %.100s' at line %d",
1198 				    ci->laddress, arg, line);
1199 				break;
1200 			case 0:
1201 			case -1:
1202 				result = 0;
1203 				break;
1204 			case -2:
1205 				return -1;
1206 			}
1207 		} else if (strcasecmp(attrib, "localport") == 0) {
1208 			if ((port = a2port(arg)) == -1) {
1209 				error("Invalid LocalPort '%s' on Match line",
1210 				    arg);
1211 				return -1;
1212 			}
1213 			if (ci == NULL || (ci->test && ci->lport == -1)) {
1214 				result = 0;
1215 				continue;
1216 			}
1217 			if (ci->lport == 0)
1218 				match_test_missing_fatal("LocalPort", "lport");
1219 			/* TODO support port lists */
1220 			if (port == ci->lport)
1221 				debug("connection from %.100s matched "
1222 				    "'LocalPort %d' at line %d",
1223 				    ci->laddress, port, line);
1224 			else
1225 				result = 0;
1226 		} else if (strcasecmp(attrib, "rdomain") == 0) {
1227 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1228 				result = 0;
1229 				continue;
1230 			}
1231 			if (ci->rdomain == NULL)
1232 				match_test_missing_fatal("RDomain", "rdomain");
1233 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1234 				result = 0;
1235 			else
1236 				debug("user %.100s matched 'RDomain %.100s' at "
1237 				    "line %d", ci->rdomain, arg, line);
1238 		} else {
1239 			error("Unsupported Match attribute %s", attrib);
1240 			return -1;
1241 		}
1242 	}
1243 	if (attributes == 0) {
1244 		error("One or more attributes required for Match");
1245 		return -1;
1246 	}
1247 	if (ci != NULL)
1248 		debug3("match %sfound", result ? "" : "not ");
1249 	*condition = cp;
1250 	return result;
1251 }
1252 
1253 #define WHITESPACE " \t\r\n"
1254 
1255 /* Multistate option parsing */
1256 struct multistate {
1257 	char *key;
1258 	int value;
1259 };
1260 static const struct multistate multistate_flag[] = {
1261 	{ "yes",			1 },
1262 	{ "no",				0 },
1263 	{ NULL, -1 }
1264 };
1265 static const struct multistate multistate_ignore_rhosts[] = {
1266 	{ "yes",			IGNORE_RHOSTS_YES },
1267 	{ "no",				IGNORE_RHOSTS_NO },
1268 	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1269 	{ NULL, -1 }
1270 };
1271 static const struct multistate multistate_addressfamily[] = {
1272 	{ "inet",			AF_INET },
1273 	{ "inet6",			AF_INET6 },
1274 	{ "any",			AF_UNSPEC },
1275 	{ NULL, -1 }
1276 };
1277 static const struct multistate multistate_permitrootlogin[] = {
1278 	{ "without-password",		PERMIT_NO_PASSWD },
1279 	{ "prohibit-password",		PERMIT_NO_PASSWD },
1280 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
1281 	{ "yes",			PERMIT_YES },
1282 	{ "no",				PERMIT_NO },
1283 	{ NULL, -1 }
1284 };
1285 static const struct multistate multistate_compression[] = {
1286 #ifdef WITH_ZLIB
1287 	{ "yes",			COMP_DELAYED },
1288 	{ "delayed",			COMP_DELAYED },
1289 #endif
1290 	{ "no",				COMP_NONE },
1291 	{ NULL, -1 }
1292 };
1293 static const struct multistate multistate_gatewayports[] = {
1294 	{ "clientspecified",		2 },
1295 	{ "yes",			1 },
1296 	{ "no",				0 },
1297 	{ NULL, -1 }
1298 };
1299 static const struct multistate multistate_tcpfwd[] = {
1300 	{ "yes",			FORWARD_ALLOW },
1301 	{ "all",			FORWARD_ALLOW },
1302 	{ "no",				FORWARD_DENY },
1303 	{ "remote",			FORWARD_REMOTE },
1304 	{ "local",			FORWARD_LOCAL },
1305 	{ NULL, -1 }
1306 };
1307 
1308 static int
1309 process_server_config_line_depth(ServerOptions *options, char *line,
1310     const char *filename, int linenum, int *activep,
1311     struct connection_info *connectinfo, int *inc_flags, int depth,
1312     struct include_list *includes)
1313 {
1314 	char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
1315 	int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1316 	int ca_only = 0;
1317 	SyslogFacility *log_facility_ptr;
1318 	LogLevel *log_level_ptr;
1319 	ServerOpCodes opcode;
1320 	u_int i, *uintptr, uvalue, flags = 0;
1321 	size_t len;
1322 	long long val64;
1323 	const struct multistate *multistate_ptr;
1324 	const char *errstr;
1325 	struct include_item *item;
1326 	glob_t gbuf;
1327 	char **oav = NULL, **av;
1328 	int oac = 0, ac;
1329 	int ret = -1;
1330 
1331 	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1332 	if ((len = strlen(line)) == 0)
1333 		return 0;
1334 	for (len--; len > 0; len--) {
1335 		if (strchr(WHITESPACE "\f", line[len]) == NULL)
1336 			break;
1337 		line[len] = '\0';
1338 	}
1339 
1340 	str = line;
1341 	if ((keyword = strdelim(&str)) == NULL)
1342 		return 0;
1343 	/* Ignore leading whitespace */
1344 	if (*keyword == '\0')
1345 		keyword = strdelim(&str);
1346 	if (!keyword || !*keyword || *keyword == '#')
1347 		return 0;
1348 	if (str == NULL || *str == '\0') {
1349 		error("%s line %d: no argument after keyword \"%s\"",
1350 		    filename, linenum, keyword);
1351 		return -1;
1352 	}
1353 	intptr = NULL;
1354 	charptr = NULL;
1355 	opcode = parse_token(keyword, filename, linenum, &flags);
1356 
1357 	if (argv_split(str, &oac, &oav, 1) != 0) {
1358 		error("%s line %d: invalid quotes", filename, linenum);
1359 		return -1;
1360 	}
1361 	ac = oac;
1362 	av = oav;
1363 
1364 	if (activep == NULL) { /* We are processing a command line directive */
1365 		cmdline = 1;
1366 		activep = &cmdline;
1367 	}
1368 	if (*activep && opcode != sMatch && opcode != sInclude)
1369 		debug3("%s:%d setting %s %s", filename, linenum, keyword, str);
1370 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1371 		if (connectinfo == NULL) {
1372 			fatal("%s line %d: Directive '%s' is not allowed "
1373 			    "within a Match block", filename, linenum, keyword);
1374 		} else { /* this is a directive we have already processed */
1375 			ret = 0;
1376 			goto out;
1377 		}
1378 	}
1379 
1380 	switch (opcode) {
1381 	/* Portable-specific options */
1382 	case sUsePAM:
1383 		intptr = &options->use_pam;
1384 		goto parse_flag;
1385 
1386 	/* Standard Options */
1387 	case sBadOption:
1388 		goto out;
1389 	case sPort:
1390 		/* ignore ports from configfile if cmdline specifies ports */
1391 		if (options->ports_from_cmdline) {
1392 			argv_consume(&ac);
1393 			break;
1394 		}
1395 		if (options->num_ports >= MAX_PORTS)
1396 			fatal("%s line %d: too many ports.",
1397 			    filename, linenum);
1398 		arg = argv_next(&ac, &av);
1399 		if (!arg || *arg == '\0')
1400 			fatal("%s line %d: missing port number.",
1401 			    filename, linenum);
1402 		options->ports[options->num_ports++] = a2port(arg);
1403 		if (options->ports[options->num_ports-1] <= 0)
1404 			fatal("%s line %d: Badly formatted port number.",
1405 			    filename, linenum);
1406 		break;
1407 
1408 	case sLoginGraceTime:
1409 		intptr = &options->login_grace_time;
1410  parse_time:
1411 		arg = argv_next(&ac, &av);
1412 		if (!arg || *arg == '\0')
1413 			fatal("%s line %d: missing time value.",
1414 			    filename, linenum);
1415 		if ((value = convtime(arg)) == -1)
1416 			fatal("%s line %d: invalid time value.",
1417 			    filename, linenum);
1418 		if (*activep && *intptr == -1)
1419 			*intptr = value;
1420 		break;
1421 
1422 	case sListenAddress:
1423 		arg = argv_next(&ac, &av);
1424 		if (arg == NULL || *arg == '\0')
1425 			fatal("%s line %d: missing address",
1426 			    filename, linenum);
1427 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1428 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1429 		    && strchr(p+1, ':') != NULL) {
1430 			port = 0;
1431 			p = arg;
1432 		} else {
1433 			arg2 = NULL;
1434 			p = hpdelim(&arg);
1435 			if (p == NULL)
1436 				fatal("%s line %d: bad address:port usage",
1437 				    filename, linenum);
1438 			p = cleanhostname(p);
1439 			if (arg == NULL)
1440 				port = 0;
1441 			else if ((port = a2port(arg)) <= 0)
1442 				fatal("%s line %d: bad port number",
1443 				    filename, linenum);
1444 		}
1445 		/* Optional routing table */
1446 		arg2 = NULL;
1447 		if ((arg = argv_next(&ac, &av)) != NULL) {
1448 			if (strcmp(arg, "rdomain") != 0 ||
1449 			    (arg2 = argv_next(&ac, &av)) == NULL)
1450 				fatal("%s line %d: bad ListenAddress syntax",
1451 				    filename, linenum);
1452 			if (!valid_rdomain(arg2))
1453 				fatal("%s line %d: bad routing domain",
1454 				    filename, linenum);
1455 		}
1456 		queue_listen_addr(options, p, arg2, port);
1457 
1458 		break;
1459 
1460 	case sAddressFamily:
1461 		intptr = &options->address_family;
1462 		multistate_ptr = multistate_addressfamily;
1463  parse_multistate:
1464 		arg = argv_next(&ac, &av);
1465 		if (!arg || *arg == '\0')
1466 			fatal("%s line %d: missing argument.",
1467 			    filename, linenum);
1468 		value = -1;
1469 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1470 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1471 				value = multistate_ptr[i].value;
1472 				break;
1473 			}
1474 		}
1475 		if (value == -1)
1476 			fatal("%s line %d: unsupported option \"%s\".",
1477 			    filename, linenum, arg);
1478 		if (*activep && *intptr == -1)
1479 			*intptr = value;
1480 		break;
1481 
1482 	case sHostKeyFile:
1483 		arg = argv_next(&ac, &av);
1484 		if (!arg || *arg == '\0')
1485 			fatal("%s line %d: missing file name.",
1486 			    filename, linenum);
1487 		if (*activep) {
1488 			servconf_add_hostkey(filename, linenum,
1489 			    options, arg, 1);
1490 		}
1491 		break;
1492 
1493 	case sHostKeyAgent:
1494 		charptr = &options->host_key_agent;
1495 		arg = argv_next(&ac, &av);
1496 		if (!arg || *arg == '\0')
1497 			fatal("%s line %d: missing socket name.",
1498 			    filename, linenum);
1499 		if (*activep && *charptr == NULL)
1500 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1501 			    xstrdup(arg) : derelativise_path(arg);
1502 		break;
1503 
1504 	case sHostCertificate:
1505 		arg = argv_next(&ac, &av);
1506 		if (!arg || *arg == '\0')
1507 			fatal("%s line %d: missing file name.",
1508 			    filename, linenum);
1509 		if (*activep)
1510 			servconf_add_hostcert(filename, linenum, options, arg);
1511 		break;
1512 
1513 	case sPidFile:
1514 		charptr = &options->pid_file;
1515  parse_filename:
1516 		arg = argv_next(&ac, &av);
1517 		if (!arg || *arg == '\0')
1518 			fatal("%s line %d: missing file name.",
1519 			    filename, linenum);
1520 		if (*activep && *charptr == NULL) {
1521 			*charptr = derelativise_path(arg);
1522 			/* increase optional counter */
1523 			if (intptr != NULL)
1524 				*intptr = *intptr + 1;
1525 		}
1526 		break;
1527 
1528 	case sModuliFile:
1529 		charptr = &options->moduli_file;
1530 		goto parse_filename;
1531 
1532 	case sPermitRootLogin:
1533 		intptr = &options->permit_root_login;
1534 		multistate_ptr = multistate_permitrootlogin;
1535 		goto parse_multistate;
1536 
1537 	case sIgnoreRhosts:
1538 		intptr = &options->ignore_rhosts;
1539 		multistate_ptr = multistate_ignore_rhosts;
1540 		goto parse_multistate;
1541 
1542 	case sIgnoreUserKnownHosts:
1543 		intptr = &options->ignore_user_known_hosts;
1544  parse_flag:
1545 		multistate_ptr = multistate_flag;
1546 		goto parse_multistate;
1547 
1548 	case sHostbasedAuthentication:
1549 		intptr = &options->hostbased_authentication;
1550 		goto parse_flag;
1551 
1552 	case sHostbasedUsesNameFromPacketOnly:
1553 		intptr = &options->hostbased_uses_name_from_packet_only;
1554 		goto parse_flag;
1555 
1556 	case sHostbasedAcceptedAlgorithms:
1557 		charptr = &options->hostbased_accepted_algos;
1558 		ca_only = 0;
1559  parse_pubkey_algos:
1560 		arg = argv_next(&ac, &av);
1561 		if (!arg || *arg == '\0')
1562 			fatal("%s line %d: Missing argument.",
1563 			    filename, linenum);
1564 		if (*arg != '-' &&
1565 		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1566 		    arg + 1 : arg, 1, ca_only))
1567 			fatal("%s line %d: Bad key types '%s'.",
1568 			    filename, linenum, arg ? arg : "<NONE>");
1569 		if (*activep && *charptr == NULL)
1570 			*charptr = xstrdup(arg);
1571 		break;
1572 
1573 	case sHostKeyAlgorithms:
1574 		charptr = &options->hostkeyalgorithms;
1575 		ca_only = 0;
1576 		goto parse_pubkey_algos;
1577 
1578 	case sCASignatureAlgorithms:
1579 		charptr = &options->ca_sign_algorithms;
1580 		ca_only = 1;
1581 		goto parse_pubkey_algos;
1582 
1583 	case sPubkeyAuthentication:
1584 		intptr = &options->pubkey_authentication;
1585 		ca_only = 0;
1586 		goto parse_flag;
1587 
1588 	case sPubkeyAcceptedAlgorithms:
1589 		charptr = &options->pubkey_accepted_algos;
1590 		ca_only = 0;
1591 		goto parse_pubkey_algos;
1592 
1593 	case sPubkeyAuthOptions:
1594 		intptr = &options->pubkey_auth_options;
1595 		value = 0;
1596 		while ((arg = argv_next(&ac, &av)) != NULL) {
1597 			if (strcasecmp(arg, "none") == 0)
1598 				continue;
1599 			if (strcasecmp(arg, "touch-required") == 0)
1600 				value |= PUBKEYAUTH_TOUCH_REQUIRED;
1601 			else if (strcasecmp(arg, "verify-required") == 0)
1602 				value |= PUBKEYAUTH_VERIFY_REQUIRED;
1603 			else {
1604 				error("%s line %d: unsupported %s option %s",
1605 				    filename, linenum, keyword, arg);
1606 				goto out;
1607 			}
1608 		}
1609 		if (*activep && *intptr == -1)
1610 			*intptr = value;
1611 		break;
1612 
1613 	case sKerberosAuthentication:
1614 		intptr = &options->kerberos_authentication;
1615 		goto parse_flag;
1616 
1617 	case sKerberosOrLocalPasswd:
1618 		intptr = &options->kerberos_or_local_passwd;
1619 		goto parse_flag;
1620 
1621 	case sKerberosTicketCleanup:
1622 		intptr = &options->kerberos_ticket_cleanup;
1623 		goto parse_flag;
1624 
1625 	case sKerberosGetAFSToken:
1626 		intptr = &options->kerberos_get_afs_token;
1627 		goto parse_flag;
1628 
1629 	case sGssAuthentication:
1630 		intptr = &options->gss_authentication;
1631 		goto parse_flag;
1632 
1633 	case sGssCleanupCreds:
1634 		intptr = &options->gss_cleanup_creds;
1635 		goto parse_flag;
1636 
1637 	case sGssStrictAcceptor:
1638 		intptr = &options->gss_strict_acceptor;
1639 		goto parse_flag;
1640 
1641 	case sPasswordAuthentication:
1642 		intptr = &options->password_authentication;
1643 		goto parse_flag;
1644 
1645 	case sKbdInteractiveAuthentication:
1646 		intptr = &options->kbd_interactive_authentication;
1647 		goto parse_flag;
1648 
1649 	case sPrintMotd:
1650 		intptr = &options->print_motd;
1651 		goto parse_flag;
1652 
1653 	case sPrintLastLog:
1654 		intptr = &options->print_lastlog;
1655 		goto parse_flag;
1656 
1657 	case sX11Forwarding:
1658 		intptr = &options->x11_forwarding;
1659 		goto parse_flag;
1660 
1661 	case sX11DisplayOffset:
1662 		intptr = &options->x11_display_offset;
1663  parse_int:
1664 		arg = argv_next(&ac, &av);
1665 		if ((errstr = atoi_err(arg, &value)) != NULL)
1666 			fatal("%s line %d: %s integer value %s.",
1667 			    filename, linenum, keyword, errstr);
1668 		if (*activep && *intptr == -1)
1669 			*intptr = value;
1670 		break;
1671 
1672 	case sX11UseLocalhost:
1673 		intptr = &options->x11_use_localhost;
1674 		goto parse_flag;
1675 
1676 	case sXAuthLocation:
1677 		charptr = &options->xauth_location;
1678 		goto parse_filename;
1679 
1680 	case sPermitTTY:
1681 		intptr = &options->permit_tty;
1682 		goto parse_flag;
1683 
1684 	case sPermitUserRC:
1685 		intptr = &options->permit_user_rc;
1686 		goto parse_flag;
1687 
1688 	case sStrictModes:
1689 		intptr = &options->strict_modes;
1690 		goto parse_flag;
1691 
1692 	case sTCPKeepAlive:
1693 		intptr = &options->tcp_keep_alive;
1694 		goto parse_flag;
1695 
1696 	case sEmptyPasswd:
1697 		intptr = &options->permit_empty_passwd;
1698 		goto parse_flag;
1699 
1700 	case sPermitUserEnvironment:
1701 		intptr = &options->permit_user_env;
1702 		charptr = &options->permit_user_env_allowlist;
1703 		arg = argv_next(&ac, &av);
1704 		if (!arg || *arg == '\0')
1705 			fatal("%s line %d: %s missing argument.",
1706 			    filename, linenum, keyword);
1707 		value = 0;
1708 		p = NULL;
1709 		if (strcmp(arg, "yes") == 0)
1710 			value = 1;
1711 		else if (strcmp(arg, "no") == 0)
1712 			value = 0;
1713 		else {
1714 			/* Pattern-list specified */
1715 			value = 1;
1716 			p = xstrdup(arg);
1717 		}
1718 		if (*activep && *intptr == -1) {
1719 			*intptr = value;
1720 			*charptr = p;
1721 			p = NULL;
1722 		}
1723 		free(p);
1724 		break;
1725 
1726 	case sCompression:
1727 		intptr = &options->compression;
1728 		multistate_ptr = multistate_compression;
1729 		goto parse_multistate;
1730 
1731 	case sRekeyLimit:
1732 		arg = argv_next(&ac, &av);
1733 		if (!arg || *arg == '\0')
1734 			fatal("%s line %d: %s missing argument.",
1735 			    filename, linenum, keyword);
1736 		if (strcmp(arg, "default") == 0) {
1737 			val64 = 0;
1738 		} else {
1739 			if (scan_scaled(arg, &val64) == -1)
1740 				fatal("%.200s line %d: Bad %s number '%s': %s",
1741 				    filename, linenum, keyword,
1742 				    arg, strerror(errno));
1743 			if (val64 != 0 && val64 < 16)
1744 				fatal("%.200s line %d: %s too small",
1745 				    filename, linenum, keyword);
1746 		}
1747 		if (*activep && options->rekey_limit == -1)
1748 			options->rekey_limit = val64;
1749 		if (ac != 0) { /* optional rekey interval present */
1750 			if (strcmp(av[0], "none") == 0) {
1751 				(void)argv_next(&ac, &av);	/* discard */
1752 				break;
1753 			}
1754 			intptr = &options->rekey_interval;
1755 			goto parse_time;
1756 		}
1757 		break;
1758 
1759 	case sGatewayPorts:
1760 		intptr = &options->fwd_opts.gateway_ports;
1761 		multistate_ptr = multistate_gatewayports;
1762 		goto parse_multistate;
1763 
1764 	case sUseDNS:
1765 		intptr = &options->use_dns;
1766 		goto parse_flag;
1767 
1768 	case sLogFacility:
1769 		log_facility_ptr = &options->log_facility;
1770 		arg = argv_next(&ac, &av);
1771 		value = log_facility_number(arg);
1772 		if (value == SYSLOG_FACILITY_NOT_SET)
1773 			fatal("%.200s line %d: unsupported log facility '%s'",
1774 			    filename, linenum, arg ? arg : "<NONE>");
1775 		if (*log_facility_ptr == -1)
1776 			*log_facility_ptr = (SyslogFacility) value;
1777 		break;
1778 
1779 	case sLogLevel:
1780 		log_level_ptr = &options->log_level;
1781 		arg = argv_next(&ac, &av);
1782 		value = log_level_number(arg);
1783 		if (value == SYSLOG_LEVEL_NOT_SET)
1784 			fatal("%.200s line %d: unsupported log level '%s'",
1785 			    filename, linenum, arg ? arg : "<NONE>");
1786 		if (*activep && *log_level_ptr == -1)
1787 			*log_level_ptr = (LogLevel) value;
1788 		break;
1789 
1790 	case sLogVerbose:
1791 		found = options->num_log_verbose == 0;
1792 		i = 0;
1793 		while ((arg = argv_next(&ac, &av)) != NULL) {
1794 			if (*arg == '\0') {
1795 				error("%s line %d: keyword %s empty argument",
1796 				    filename, linenum, keyword);
1797 				goto out;
1798 			}
1799 			/* Allow "none" only in first position */
1800 			if (strcasecmp(arg, "none") == 0) {
1801 				if (i > 0 || ac > 0) {
1802 					error("%s line %d: keyword %s \"none\" "
1803 					    "argument must appear alone.",
1804 					    filename, linenum, keyword);
1805 					goto out;
1806 				}
1807 			}
1808 			i++;
1809 			if (!found || !*activep)
1810 				continue;
1811 			opt_array_append(filename, linenum, keyword,
1812 			    &options->log_verbose, &options->num_log_verbose,
1813 			    arg);
1814 		}
1815 		break;
1816 
1817 	case sAllowTcpForwarding:
1818 		intptr = &options->allow_tcp_forwarding;
1819 		multistate_ptr = multistate_tcpfwd;
1820 		goto parse_multistate;
1821 
1822 	case sAllowStreamLocalForwarding:
1823 		intptr = &options->allow_streamlocal_forwarding;
1824 		multistate_ptr = multistate_tcpfwd;
1825 		goto parse_multistate;
1826 
1827 	case sAllowAgentForwarding:
1828 		intptr = &options->allow_agent_forwarding;
1829 		goto parse_flag;
1830 
1831 	case sDisableForwarding:
1832 		intptr = &options->disable_forwarding;
1833 		goto parse_flag;
1834 
1835 	case sAllowUsers:
1836 		chararrayptr = &options->allow_users;
1837 		uintptr = &options->num_allow_users;
1838  parse_allowdenyusers:
1839 		while ((arg = argv_next(&ac, &av)) != NULL) {
1840 			if (*arg == '\0' ||
1841 			    match_user(NULL, NULL, NULL, arg) == -1)
1842 				fatal("%s line %d: invalid %s pattern: \"%s\"",
1843 				    filename, linenum, keyword, arg);
1844 			if (!*activep)
1845 				continue;
1846 			opt_array_append(filename, linenum, keyword,
1847 			    chararrayptr, uintptr, arg);
1848 		}
1849 		break;
1850 
1851 	case sDenyUsers:
1852 		chararrayptr = &options->deny_users;
1853 		uintptr = &options->num_deny_users;
1854 		goto parse_allowdenyusers;
1855 
1856 	case sAllowGroups:
1857 		chararrayptr = &options->allow_groups;
1858 		uintptr = &options->num_allow_groups;
1859  parse_allowdenygroups:
1860 		while ((arg = argv_next(&ac, &av)) != NULL) {
1861 			if (*arg == '\0')
1862 				fatal("%s line %d: empty %s pattern",
1863 				    filename, linenum, keyword);
1864 			if (!*activep)
1865 				continue;
1866 			opt_array_append(filename, linenum, keyword,
1867 			    chararrayptr, uintptr, arg);
1868 		}
1869 		break;
1870 
1871 	case sDenyGroups:
1872 		chararrayptr = &options->deny_groups;
1873 		uintptr = &options->num_deny_groups;
1874 		goto parse_allowdenygroups;
1875 
1876 	case sCiphers:
1877 		arg = argv_next(&ac, &av);
1878 		if (!arg || *arg == '\0')
1879 			fatal("%s line %d: %s missing argument.",
1880 			    filename, linenum, keyword);
1881 		if (*arg != '-' &&
1882 		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1883 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1884 			    filename, linenum, arg ? arg : "<NONE>");
1885 		if (options->ciphers == NULL)
1886 			options->ciphers = xstrdup(arg);
1887 		break;
1888 
1889 	case sMacs:
1890 		arg = argv_next(&ac, &av);
1891 		if (!arg || *arg == '\0')
1892 			fatal("%s line %d: %s missing argument.",
1893 			    filename, linenum, keyword);
1894 		if (*arg != '-' &&
1895 		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1896 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1897 			    filename, linenum, arg ? arg : "<NONE>");
1898 		if (options->macs == NULL)
1899 			options->macs = xstrdup(arg);
1900 		break;
1901 
1902 	case sKexAlgorithms:
1903 		arg = argv_next(&ac, &av);
1904 		if (!arg || *arg == '\0')
1905 			fatal("%s line %d: %s missing argument.",
1906 			    filename, linenum, keyword);
1907 		if (*arg != '-' &&
1908 		    !kex_names_valid(*arg == '+' || *arg == '^' ?
1909 		    arg + 1 : arg))
1910 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1911 			    filename, linenum, arg ? arg : "<NONE>");
1912 		if (options->kex_algorithms == NULL)
1913 			options->kex_algorithms = xstrdup(arg);
1914 		break;
1915 
1916 	case sSubsystem:
1917 		arg = argv_next(&ac, &av);
1918 		if (!arg || *arg == '\0')
1919 			fatal("%s line %d: %s missing argument.",
1920 			    filename, linenum, keyword);
1921 		if (!*activep) {
1922 			argv_consume(&ac);
1923 			break;
1924 		}
1925 		found = 0;
1926 		for (i = 0; i < options->num_subsystems; i++) {
1927 			if (strcmp(arg, options->subsystem_name[i]) == 0) {
1928 				found = 1;
1929 				break;
1930 			}
1931 		}
1932 		if (found) {
1933 			debug("%s line %d: Subsystem '%s' already defined.",
1934 			    filename, linenum, arg);
1935 			argv_consume(&ac);
1936 			break;
1937 		}
1938 		options->subsystem_name = xrecallocarray(
1939 		    options->subsystem_name, options->num_subsystems,
1940 		    options->num_subsystems + 1,
1941 		    sizeof(*options->subsystem_name));
1942 		options->subsystem_command = xrecallocarray(
1943 		    options->subsystem_command, options->num_subsystems,
1944 		    options->num_subsystems + 1,
1945 		    sizeof(*options->subsystem_command));
1946 		options->subsystem_args = xrecallocarray(
1947 		    options->subsystem_args, options->num_subsystems,
1948 		    options->num_subsystems + 1,
1949 		    sizeof(*options->subsystem_args));
1950 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1951 		arg = argv_next(&ac, &av);
1952 		if (!arg || *arg == '\0') {
1953 			fatal("%s line %d: Missing subsystem command.",
1954 			    filename, linenum);
1955 		}
1956 		options->subsystem_command[options->num_subsystems] =
1957 		    xstrdup(arg);
1958 		/* Collect arguments (separate to executable) */
1959 		arg = argv_assemble(1, &arg); /* quote command correctly */
1960 		arg2 = argv_assemble(ac, av); /* rest of command */
1961 		xasprintf(&options->subsystem_args[options->num_subsystems],
1962 		    "%s %s", arg, arg2);
1963 		free(arg2);
1964 		argv_consume(&ac);
1965 		options->num_subsystems++;
1966 		break;
1967 
1968 	case sMaxStartups:
1969 		arg = argv_next(&ac, &av);
1970 		if (!arg || *arg == '\0')
1971 			fatal("%s line %d: %s missing argument.",
1972 			    filename, linenum, keyword);
1973 		if ((n = sscanf(arg, "%d:%d:%d",
1974 		    &options->max_startups_begin,
1975 		    &options->max_startups_rate,
1976 		    &options->max_startups)) == 3) {
1977 			if (options->max_startups_begin >
1978 			    options->max_startups ||
1979 			    options->max_startups_rate > 100 ||
1980 			    options->max_startups_rate < 1)
1981 				fatal("%s line %d: Invalid %s spec.",
1982 				    filename, linenum, keyword);
1983 		} else if (n != 1)
1984 			fatal("%s line %d: Invalid %s spec.",
1985 			    filename, linenum, keyword);
1986 		else
1987 			options->max_startups = options->max_startups_begin;
1988 		if (options->max_startups <= 0 ||
1989 		    options->max_startups_begin <= 0)
1990 			fatal("%s line %d: Invalid %s spec.",
1991 			    filename, linenum, keyword);
1992 		break;
1993 
1994 	case sPerSourceNetBlockSize:
1995 		arg = argv_next(&ac, &av);
1996 		if (!arg || *arg == '\0')
1997 			fatal("%s line %d: %s missing argument.",
1998 			    filename, linenum, keyword);
1999 		switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
2000 		case 2:
2001 			if (value2 < 0 || value2 > 128)
2002 				n = -1;
2003 			/* FALLTHROUGH */
2004 		case 1:
2005 			if (value < 0 || value > 32)
2006 				n = -1;
2007 		}
2008 		if (n != 1 && n != 2)
2009 			fatal("%s line %d: Invalid %s spec.",
2010 			    filename, linenum, keyword);
2011 		if (*activep) {
2012 			options->per_source_masklen_ipv4 = value;
2013 			options->per_source_masklen_ipv6 = value2;
2014 		}
2015 		break;
2016 
2017 	case sPerSourceMaxStartups:
2018 		arg = argv_next(&ac, &av);
2019 		if (!arg || *arg == '\0')
2020 			fatal("%s line %d: %s missing argument.",
2021 			    filename, linenum, keyword);
2022 		if (strcmp(arg, "none") == 0) { /* no limit */
2023 			value = INT_MAX;
2024 		} else {
2025 			if ((errstr = atoi_err(arg, &value)) != NULL)
2026 				fatal("%s line %d: %s integer value %s.",
2027 				    filename, linenum, keyword, errstr);
2028 		}
2029 		if (*activep && options->per_source_max_startups == -1)
2030 			options->per_source_max_startups = value;
2031 		break;
2032 
2033 	case sMaxAuthTries:
2034 		intptr = &options->max_authtries;
2035 		goto parse_int;
2036 
2037 	case sMaxSessions:
2038 		intptr = &options->max_sessions;
2039 		goto parse_int;
2040 
2041 	case sBanner:
2042 		charptr = &options->banner;
2043 		goto parse_filename;
2044 
2045 	/*
2046 	 * These options can contain %X options expanded at
2047 	 * connect time, so that you can specify paths like:
2048 	 *
2049 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
2050 	 */
2051 	case sAuthorizedKeysFile:
2052 		uvalue = options->num_authkeys_files;
2053 		while ((arg = argv_next(&ac, &av)) != NULL) {
2054 			if (*arg == '\0') {
2055 				error("%s line %d: keyword %s empty argument",
2056 				    filename, linenum, keyword);
2057 				goto out;
2058 			}
2059 			arg2 = tilde_expand_filename(arg, getuid());
2060 			if (*activep && uvalue == 0) {
2061 				opt_array_append(filename, linenum, keyword,
2062 				    &options->authorized_keys_files,
2063 				    &options->num_authkeys_files, arg2);
2064 			}
2065 			free(arg2);
2066 		}
2067 		break;
2068 
2069 	case sAuthorizedPrincipalsFile:
2070 		charptr = &options->authorized_principals_file;
2071 		arg = argv_next(&ac, &av);
2072 		if (!arg || *arg == '\0')
2073 			fatal("%s line %d: %s missing argument.",
2074 			    filename, linenum, keyword);
2075 		if (*activep && *charptr == NULL) {
2076 			*charptr = tilde_expand_filename(arg, getuid());
2077 			/* increase optional counter */
2078 			if (intptr != NULL)
2079 				*intptr = *intptr + 1;
2080 		}
2081 		break;
2082 
2083 	case sClientAliveInterval:
2084 		intptr = &options->client_alive_interval;
2085 		goto parse_time;
2086 
2087 	case sClientAliveCountMax:
2088 		intptr = &options->client_alive_count_max;
2089 		goto parse_int;
2090 
2091 	case sAcceptEnv:
2092 		while ((arg = argv_next(&ac, &av)) != NULL) {
2093 			if (*arg == '\0' || strchr(arg, '=') != NULL)
2094 				fatal("%s line %d: Invalid environment name.",
2095 				    filename, linenum);
2096 			if (!*activep)
2097 				continue;
2098 			opt_array_append(filename, linenum, keyword,
2099 			    &options->accept_env, &options->num_accept_env,
2100 			    arg);
2101 		}
2102 		break;
2103 
2104 	case sSetEnv:
2105 		uvalue = options->num_setenv;
2106 		while ((arg = argv_next(&ac, &av)) != NULL) {
2107 			if (*arg == '\0' || strchr(arg, '=') == NULL)
2108 				fatal("%s line %d: Invalid environment.",
2109 				    filename, linenum);
2110 			if (!*activep || uvalue != 0)
2111 				continue;
2112 			if (lookup_setenv_in_list(arg, options->setenv,
2113 			    options->num_setenv) != NULL) {
2114 				debug2("%s line %d: ignoring duplicate env "
2115 				    "name \"%.64s\"", filename, linenum, arg);
2116 				continue;
2117 			}
2118 			opt_array_append(filename, linenum, keyword,
2119 			    &options->setenv, &options->num_setenv, arg);
2120 		}
2121 		break;
2122 
2123 	case sPermitTunnel:
2124 		intptr = &options->permit_tun;
2125 		arg = argv_next(&ac, &av);
2126 		if (!arg || *arg == '\0')
2127 			fatal("%s line %d: %s missing argument.",
2128 			    filename, linenum, keyword);
2129 		value = -1;
2130 		for (i = 0; tunmode_desc[i].val != -1; i++)
2131 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
2132 				value = tunmode_desc[i].val;
2133 				break;
2134 			}
2135 		if (value == -1)
2136 			fatal("%s line %d: bad %s argument %s",
2137 			    filename, linenum, keyword, arg);
2138 		if (*activep && *intptr == -1)
2139 			*intptr = value;
2140 		break;
2141 
2142 	case sInclude:
2143 		if (cmdline) {
2144 			fatal("Include directive not supported as a "
2145 			    "command-line option");
2146 		}
2147 		value = 0;
2148 		while ((arg2 = argv_next(&ac, &av)) != NULL) {
2149 			if (*arg2 == '\0') {
2150 				error("%s line %d: keyword %s empty argument",
2151 				    filename, linenum, keyword);
2152 				goto out;
2153 			}
2154 			value++;
2155 			found = 0;
2156 			if (*arg2 != '/' && *arg2 != '~') {
2157 				xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2158 			} else
2159 				arg = xstrdup(arg2);
2160 
2161 			/*
2162 			 * Don't let included files clobber the containing
2163 			 * file's Match state.
2164 			 */
2165 			oactive = *activep;
2166 
2167 			/* consult cache of include files */
2168 			TAILQ_FOREACH(item, includes, entry) {
2169 				if (strcmp(item->selector, arg) != 0)
2170 					continue;
2171 				if (item->filename != NULL) {
2172 					parse_server_config_depth(options,
2173 					    item->filename, item->contents,
2174 					    includes, connectinfo,
2175 					    (*inc_flags & SSHCFG_MATCH_ONLY
2176 					        ? SSHCFG_MATCH_ONLY : (oactive
2177 					            ? 0 : SSHCFG_NEVERMATCH)),
2178 					    activep, depth + 1);
2179 				}
2180 				found = 1;
2181 				*activep = oactive;
2182 			}
2183 			if (found != 0) {
2184 				free(arg);
2185 				continue;
2186 			}
2187 
2188 			/* requested glob was not in cache */
2189 			debug2("%s line %d: new include %s",
2190 			    filename, linenum, arg);
2191 			if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2192 				if (r != GLOB_NOMATCH) {
2193 					fatal("%s line %d: include \"%s\" glob "
2194 					    "failed", filename, linenum, arg);
2195 				}
2196 				/*
2197 				 * If no entry matched then record a
2198 				 * placeholder to skip later glob calls.
2199 				 */
2200 				debug2("%s line %d: no match for %s",
2201 				    filename, linenum, arg);
2202 				item = xcalloc(1, sizeof(*item));
2203 				item->selector = strdup(arg);
2204 				TAILQ_INSERT_TAIL(includes,
2205 				    item, entry);
2206 			}
2207 			if (gbuf.gl_pathc > INT_MAX)
2208 				fatal_f("too many glob results");
2209 			for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2210 				debug2("%s line %d: including %s",
2211 				    filename, linenum, gbuf.gl_pathv[n]);
2212 				item = xcalloc(1, sizeof(*item));
2213 				item->selector = strdup(arg);
2214 				item->filename = strdup(gbuf.gl_pathv[n]);
2215 				if ((item->contents = sshbuf_new()) == NULL)
2216 					fatal_f("sshbuf_new failed");
2217 				load_server_config(item->filename,
2218 				    item->contents);
2219 				parse_server_config_depth(options,
2220 				    item->filename, item->contents,
2221 				    includes, connectinfo,
2222 				    (*inc_flags & SSHCFG_MATCH_ONLY
2223 				        ? SSHCFG_MATCH_ONLY : (oactive
2224 				            ? 0 : SSHCFG_NEVERMATCH)),
2225 				    activep, depth + 1);
2226 				*activep = oactive;
2227 				TAILQ_INSERT_TAIL(includes, item, entry);
2228 			}
2229 			globfree(&gbuf);
2230 			free(arg);
2231 		}
2232 		if (value == 0) {
2233 			fatal("%s line %d: %s missing filename argument",
2234 			    filename, linenum, keyword);
2235 		}
2236 		break;
2237 
2238 	case sMatch:
2239 		if (cmdline)
2240 			fatal("Match directive not supported as a command-line "
2241 			    "option");
2242 		value = match_cfg_line(&str, linenum,
2243 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2244 		if (value < 0)
2245 			fatal("%s line %d: Bad Match condition", filename,
2246 			    linenum);
2247 		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2248 		/*
2249 		 * The MATCH_ONLY flag is applicable only until the first
2250 		 * match block.
2251 		 */
2252 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2253 		/*
2254 		 * If match_cfg_line() didn't consume all its arguments then
2255 		 * arrange for the extra arguments check below to fail.
2256 		 */
2257 		if (str == NULL || *str == '\0')
2258 			argv_consume(&ac);
2259 		break;
2260 
2261 	case sPermitListen:
2262 	case sPermitOpen:
2263 		if (opcode == sPermitListen) {
2264 			uintptr = &options->num_permitted_listens;
2265 			chararrayptr = &options->permitted_listens;
2266 		} else {
2267 			uintptr = &options->num_permitted_opens;
2268 			chararrayptr = &options->permitted_opens;
2269 		}
2270 		arg = argv_next(&ac, &av);
2271 		if (!arg || *arg == '\0')
2272 			fatal("%s line %d: %s missing argument.",
2273 			    filename, linenum, keyword);
2274 		uvalue = *uintptr;	/* modified later */
2275 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2276 			if (*activep && uvalue == 0) {
2277 				*uintptr = 1;
2278 				*chararrayptr = xcalloc(1,
2279 				    sizeof(**chararrayptr));
2280 				(*chararrayptr)[0] = xstrdup(arg);
2281 			}
2282 			break;
2283 		}
2284 		for (; arg != NULL && *arg != '\0'; arg = argv_next(&ac, &av)) {
2285 			if (opcode == sPermitListen &&
2286 			    strchr(arg, ':') == NULL) {
2287 				/*
2288 				 * Allow bare port number for PermitListen
2289 				 * to indicate a wildcard listen host.
2290 				 */
2291 				xasprintf(&arg2, "*:%s", arg);
2292 			} else {
2293 				arg2 = xstrdup(arg);
2294 				p = hpdelim(&arg);
2295 				if (p == NULL) {
2296 					fatal("%s line %d: %s missing host",
2297 					    filename, linenum, keyword);
2298 				}
2299 				p = cleanhostname(p);
2300 			}
2301 			if (arg == NULL ||
2302 			    ((port = permitopen_port(arg)) < 0)) {
2303 				fatal("%s line %d: %s bad port number",
2304 				    filename, linenum, keyword);
2305 			}
2306 			if (*activep && uvalue == 0) {
2307 				opt_array_append(filename, linenum, keyword,
2308 				    chararrayptr, uintptr, arg2);
2309 			}
2310 			free(arg2);
2311 		}
2312 		break;
2313 
2314 	case sForceCommand:
2315 		if (str == NULL || *str == '\0')
2316 			fatal("%s line %d: %s missing argument.",
2317 			    filename, linenum, keyword);
2318 		len = strspn(str, WHITESPACE);
2319 		if (*activep && options->adm_forced_command == NULL)
2320 			options->adm_forced_command = xstrdup(str + len);
2321 		argv_consume(&ac);
2322 		break;
2323 
2324 	case sChrootDirectory:
2325 		charptr = &options->chroot_directory;
2326 
2327 		arg = argv_next(&ac, &av);
2328 		if (!arg || *arg == '\0')
2329 			fatal("%s line %d: %s missing argument.",
2330 			    filename, linenum, keyword);
2331 		if (*activep && *charptr == NULL)
2332 			*charptr = xstrdup(arg);
2333 		break;
2334 
2335 	case sTrustedUserCAKeys:
2336 		charptr = &options->trusted_user_ca_keys;
2337 		goto parse_filename;
2338 
2339 	case sRevokedKeys:
2340 		charptr = &options->revoked_keys_file;
2341 		goto parse_filename;
2342 
2343 	case sSecurityKeyProvider:
2344 		charptr = &options->sk_provider;
2345 		arg = argv_next(&ac, &av);
2346 		if (!arg || *arg == '\0')
2347 			fatal("%s line %d: %s missing argument.",
2348 			    filename, linenum, keyword);
2349 		if (*activep && *charptr == NULL) {
2350 			*charptr = strcasecmp(arg, "internal") == 0 ?
2351 			    xstrdup(arg) : derelativise_path(arg);
2352 			/* increase optional counter */
2353 			if (intptr != NULL)
2354 				*intptr = *intptr + 1;
2355 		}
2356 		break;
2357 
2358 	case sIPQoS:
2359 		arg = argv_next(&ac, &av);
2360 		if (!arg || *arg == '\0')
2361 			fatal("%s line %d: %s missing argument.",
2362 			    filename, linenum, keyword);
2363 		if ((value = parse_ipqos(arg)) == -1)
2364 			fatal("%s line %d: Bad %s value: %s",
2365 			    filename, linenum, keyword, arg);
2366 		arg = argv_next(&ac, &av);
2367 		if (arg == NULL)
2368 			value2 = value;
2369 		else if ((value2 = parse_ipqos(arg)) == -1)
2370 			fatal("%s line %d: Bad %s value: %s",
2371 			    filename, linenum, keyword, arg);
2372 		if (*activep) {
2373 			options->ip_qos_interactive = value;
2374 			options->ip_qos_bulk = value2;
2375 		}
2376 		break;
2377 
2378 	case sVersionAddendum:
2379 		if (str == NULL || *str == '\0')
2380 			fatal("%s line %d: %s missing argument.",
2381 			    filename, linenum, keyword);
2382 		len = strspn(str, WHITESPACE);
2383 		if (strchr(str + len, '\r') != NULL) {
2384 			fatal("%.200s line %d: Invalid %s argument",
2385 			    filename, linenum, keyword);
2386 		}
2387 		if ((arg = strchr(line, '#')) != NULL) {
2388 			*arg = '\0';
2389 			rtrim(line);
2390 		}
2391 		if (*activep && options->version_addendum == NULL) {
2392 			if (strcasecmp(str + len, "none") == 0)
2393 				options->version_addendum = xstrdup("");
2394 			else
2395 				options->version_addendum = xstrdup(str + len);
2396 		}
2397 		argv_consume(&ac);
2398 		break;
2399 
2400 	case sAuthorizedKeysCommand:
2401 		charptr = &options->authorized_keys_command;
2402  parse_command:
2403 		len = strspn(str, WHITESPACE);
2404 		if (str[len] != '/' && strcasecmp(str + len, "none") != 0) {
2405 			fatal("%.200s line %d: %s must be an absolute path",
2406 			    filename, linenum, keyword);
2407 		}
2408 		if (*activep && *charptr == NULL)
2409 			*charptr = xstrdup(str + len);
2410 		argv_consume(&ac);
2411 		break;
2412 
2413 	case sAuthorizedKeysCommandUser:
2414 		charptr = &options->authorized_keys_command_user;
2415  parse_localuser:
2416 		arg = argv_next(&ac, &av);
2417 		if (!arg || *arg == '\0') {
2418 			fatal("%s line %d: missing %s argument.",
2419 			    filename, linenum, keyword);
2420 		}
2421 		if (*activep && *charptr == NULL)
2422 			*charptr = xstrdup(arg);
2423 		break;
2424 
2425 	case sAuthorizedPrincipalsCommand:
2426 		charptr = &options->authorized_principals_command;
2427 		goto parse_command;
2428 
2429 	case sAuthorizedPrincipalsCommandUser:
2430 		charptr = &options->authorized_principals_command_user;
2431 		goto parse_localuser;
2432 
2433 	case sAuthenticationMethods:
2434 		found = options->num_auth_methods == 0;
2435 		value = 0; /* seen "any" pseudo-method */
2436 		value2 = 0; /* successfully parsed any method */
2437 		while ((arg = argv_next(&ac, &av)) != NULL) {
2438 			if (strcmp(arg, "any") == 0) {
2439 				if (options->num_auth_methods > 0) {
2440 					fatal("%s line %d: \"any\" must "
2441 					    "appear alone in %s",
2442 					    filename, linenum, keyword);
2443 				}
2444 				value = 1;
2445 			} else if (value) {
2446 				fatal("%s line %d: \"any\" must appear "
2447 				    "alone in %s", filename, linenum, keyword);
2448 			} else if (auth2_methods_valid(arg, 0) != 0) {
2449 				fatal("%s line %d: invalid %s method list.",
2450 				    filename, linenum, keyword);
2451 			}
2452 			value2 = 1;
2453 			if (!found || !*activep)
2454 				continue;
2455 			opt_array_append(filename, linenum, keyword,
2456 			    &options->auth_methods,
2457 			    &options->num_auth_methods, arg);
2458 		}
2459 		if (value2 == 0) {
2460 			fatal("%s line %d: no %s specified",
2461 			    filename, linenum, keyword);
2462 		}
2463 		break;
2464 
2465 	case sStreamLocalBindMask:
2466 		arg = argv_next(&ac, &av);
2467 		if (!arg || *arg == '\0')
2468 			fatal("%s line %d: %s missing argument.",
2469 			    filename, linenum, keyword);
2470 		/* Parse mode in octal format */
2471 		value = strtol(arg, &p, 8);
2472 		if (arg == p || value < 0 || value > 0777)
2473 			fatal("%s line %d: Invalid %s.",
2474 			    filename, linenum, keyword);
2475 		if (*activep)
2476 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2477 		break;
2478 
2479 	case sStreamLocalBindUnlink:
2480 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
2481 		goto parse_flag;
2482 
2483 	case sFingerprintHash:
2484 		arg = argv_next(&ac, &av);
2485 		if (!arg || *arg == '\0')
2486 			fatal("%s line %d: %s missing argument.",
2487 			    filename, linenum, keyword);
2488 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
2489 			fatal("%.200s line %d: Invalid %s algorithm \"%s\".",
2490 			    filename, linenum, keyword, arg);
2491 		if (*activep)
2492 			options->fingerprint_hash = value;
2493 		break;
2494 
2495 	case sExposeAuthInfo:
2496 		intptr = &options->expose_userauth_info;
2497 		goto parse_flag;
2498 
2499 	case sRDomain:
2500 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2501 		fatal("%s line %d: setting RDomain not supported on this "
2502 		    "platform.", filename, linenum);
2503 #endif
2504 		charptr = &options->routing_domain;
2505 		arg = argv_next(&ac, &av);
2506 		if (!arg || *arg == '\0')
2507 			fatal("%s line %d: %s missing argument.",
2508 			    filename, linenum, keyword);
2509 		if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2510 		    !valid_rdomain(arg))
2511 			fatal("%s line %d: invalid routing domain",
2512 			    filename, linenum);
2513 		if (*activep && *charptr == NULL)
2514 			*charptr = xstrdup(arg);
2515 		break;
2516 
2517 	case sRequiredRSASize:
2518 		intptr = &options->required_rsa_size;
2519 		goto parse_int;
2520 
2521 	case sChannelTimeout:
2522 		uvalue = options->num_channel_timeouts;
2523 		i = 0;
2524 		while ((arg = argv_next(&ac, &av)) != NULL) {
2525 			/* Allow "none" only in first position */
2526 			if (strcasecmp(arg, "none") == 0) {
2527 				if (i > 0 || ac > 0) {
2528 					error("%s line %d: keyword %s \"none\" "
2529 					    "argument must appear alone.",
2530 					    filename, linenum, keyword);
2531 					goto out;
2532 				}
2533 			} else if (parse_pattern_interval(arg,
2534 			    NULL, NULL) != 0) {
2535 				fatal("%s line %d: invalid channel timeout %s",
2536 				    filename, linenum, arg);
2537 			}
2538 			if (!*activep || uvalue != 0)
2539 				continue;
2540 			opt_array_append(filename, linenum, keyword,
2541 			    &options->channel_timeouts,
2542 			    &options->num_channel_timeouts, arg);
2543 		}
2544 		break;
2545 
2546 	case sUnusedConnectionTimeout:
2547 		intptr = &options->unused_connection_timeout;
2548 		/* peek at first arg for "none" so we can reuse parse_time */
2549 		if (av[0] != NULL && strcasecmp(av[0], "none") == 0) {
2550 			(void)argv_next(&ac, &av); /* consume arg */
2551 			if (*activep)
2552 				*intptr = 0;
2553 			break;
2554 		}
2555 		goto parse_time;
2556 
2557 	case sUseBlacklist:
2558 		intptr = &options->use_blacklist;
2559 		goto parse_flag;
2560 
2561 	case sDeprecated:
2562 	case sIgnore:
2563 	case sUnsupported:
2564 		do_log2(opcode == sIgnore ?
2565 		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2566 		    "%s line %d: %s option %s", filename, linenum,
2567 		    opcode == sUnsupported ? "Unsupported" : "Deprecated",
2568 		    keyword);
2569 		argv_consume(&ac);
2570 		break;
2571 
2572 	default:
2573 		fatal("%s line %d: Missing handler for opcode %s (%d)",
2574 		    filename, linenum, keyword, opcode);
2575 	}
2576 	/* Check that there is no garbage at end of line. */
2577 	if (ac > 0) {
2578 		error("%.200s line %d: keyword %s extra arguments "
2579 		    "at end of line", filename, linenum, keyword);
2580 		goto out;
2581 	}
2582 
2583 	/* success */
2584 	ret = 0;
2585  out:
2586 	argv_free(oav, oac);
2587 	return ret;
2588 }
2589 
2590 int
2591 process_server_config_line(ServerOptions *options, char *line,
2592     const char *filename, int linenum, int *activep,
2593     struct connection_info *connectinfo, struct include_list *includes)
2594 {
2595 	int inc_flags = 0;
2596 
2597 	return process_server_config_line_depth(options, line, filename,
2598 	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2599 }
2600 
2601 
2602 /* Reads the server configuration file. */
2603 
2604 void
2605 load_server_config(const char *filename, struct sshbuf *conf)
2606 {
2607 	struct stat st;
2608 	char *line = NULL, *cp;
2609 	size_t linesize = 0;
2610 	FILE *f;
2611 	int r;
2612 
2613 	debug2_f("filename %s", filename);
2614 	if ((f = fopen(filename, "r")) == NULL) {
2615 		perror(filename);
2616 		exit(1);
2617 	}
2618 	sshbuf_reset(conf);
2619 	/* grow buffer, so realloc is avoided for large config files */
2620 	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2621 	    (r = sshbuf_allocate(conf, st.st_size)) != 0)
2622 		fatal_fr(r, "allocate");
2623 	while (getline(&line, &linesize, f) != -1) {
2624 		/*
2625 		 * Strip whitespace
2626 		 * NB - preserve newlines, they are needed to reproduce
2627 		 * line numbers later for error messages
2628 		 */
2629 		cp = line + strspn(line, " \t\r");
2630 		if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2631 			fatal_fr(r, "sshbuf_put");
2632 	}
2633 	free(line);
2634 	if ((r = sshbuf_put_u8(conf, 0)) != 0)
2635 		fatal_fr(r, "sshbuf_put_u8");
2636 	fclose(f);
2637 	debug2_f("done config len = %zu", sshbuf_len(conf));
2638 }
2639 
2640 void
2641 parse_server_match_config(ServerOptions *options,
2642    struct include_list *includes, struct connection_info *connectinfo)
2643 {
2644 	ServerOptions mo;
2645 
2646 	initialize_server_options(&mo);
2647 	parse_server_config(&mo, "reprocess config", cfg, includes,
2648 	    connectinfo, 0);
2649 	copy_set_server_options(options, &mo, 0);
2650 }
2651 
2652 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2653 {
2654 	char *p;
2655 
2656 	while ((p = strsep(&spec, ",")) && *p != '\0') {
2657 		if (strncmp(p, "addr=", 5) == 0) {
2658 			ci->address = xstrdup(p + 5);
2659 		} else if (strncmp(p, "host=", 5) == 0) {
2660 			ci->host = xstrdup(p + 5);
2661 		} else if (strncmp(p, "user=", 5) == 0) {
2662 			ci->user = xstrdup(p + 5);
2663 		} else if (strncmp(p, "laddr=", 6) == 0) {
2664 			ci->laddress = xstrdup(p + 6);
2665 		} else if (strncmp(p, "rdomain=", 8) == 0) {
2666 			ci->rdomain = xstrdup(p + 8);
2667 		} else if (strncmp(p, "lport=", 6) == 0) {
2668 			ci->lport = a2port(p + 6);
2669 			if (ci->lport == -1) {
2670 				fprintf(stderr, "Invalid port '%s' in test mode"
2671 				    " specification %s\n", p+6, p);
2672 				return -1;
2673 			}
2674 		} else {
2675 			fprintf(stderr, "Invalid test mode specification %s\n",
2676 			    p);
2677 			return -1;
2678 		}
2679 	}
2680 	return 0;
2681 }
2682 
2683 void
2684 servconf_merge_subsystems(ServerOptions *dst, ServerOptions *src)
2685 {
2686 	u_int i, j, found;
2687 
2688 	for (i = 0; i < src->num_subsystems; i++) {
2689 		found = 0;
2690 		for (j = 0; j < dst->num_subsystems; j++) {
2691 			if (strcmp(src->subsystem_name[i],
2692 			    dst->subsystem_name[j]) == 0) {
2693 				found = 1;
2694 				break;
2695 			}
2696 		}
2697 		if (found) {
2698 			debug_f("override \"%s\"", dst->subsystem_name[j]);
2699 			free(dst->subsystem_command[j]);
2700 			free(dst->subsystem_args[j]);
2701 			dst->subsystem_command[j] =
2702 			    xstrdup(src->subsystem_command[i]);
2703 			dst->subsystem_args[j] =
2704 			    xstrdup(src->subsystem_args[i]);
2705 			continue;
2706 		}
2707 		debug_f("add \"%s\"", src->subsystem_name[i]);
2708 		dst->subsystem_name = xrecallocarray(
2709 		    dst->subsystem_name, dst->num_subsystems,
2710 		    dst->num_subsystems + 1, sizeof(*dst->subsystem_name));
2711 		dst->subsystem_command = xrecallocarray(
2712 		    dst->subsystem_command, dst->num_subsystems,
2713 		    dst->num_subsystems + 1, sizeof(*dst->subsystem_command));
2714 		dst->subsystem_args = xrecallocarray(
2715 		    dst->subsystem_args, dst->num_subsystems,
2716 		    dst->num_subsystems + 1, sizeof(*dst->subsystem_args));
2717 		j = dst->num_subsystems++;
2718 		dst->subsystem_name[j] = xstrdup(src->subsystem_name[i]);
2719 		dst->subsystem_command[j] = xstrdup(src->subsystem_command[i]);
2720 		dst->subsystem_args[j] = xstrdup(src->subsystem_args[i]);
2721 	}
2722 }
2723 
2724 /*
2725  * Copy any supported values that are set.
2726  *
2727  * If the preauth flag is set, we do not bother copying the string or
2728  * array values that are not used pre-authentication, because any that we
2729  * do use must be explicitly sent in mm_getpwnamallow().
2730  */
2731 void
2732 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2733 {
2734 #define M_CP_INTOPT(n) do {\
2735 	if (src->n != -1) \
2736 		dst->n = src->n; \
2737 } while (0)
2738 
2739 	M_CP_INTOPT(password_authentication);
2740 	M_CP_INTOPT(gss_authentication);
2741 	M_CP_INTOPT(pubkey_authentication);
2742 	M_CP_INTOPT(pubkey_auth_options);
2743 	M_CP_INTOPT(kerberos_authentication);
2744 	M_CP_INTOPT(hostbased_authentication);
2745 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2746 	M_CP_INTOPT(kbd_interactive_authentication);
2747 	M_CP_INTOPT(permit_root_login);
2748 	M_CP_INTOPT(permit_empty_passwd);
2749 	M_CP_INTOPT(ignore_rhosts);
2750 
2751 	M_CP_INTOPT(allow_tcp_forwarding);
2752 	M_CP_INTOPT(allow_streamlocal_forwarding);
2753 	M_CP_INTOPT(allow_agent_forwarding);
2754 	M_CP_INTOPT(disable_forwarding);
2755 	M_CP_INTOPT(expose_userauth_info);
2756 	M_CP_INTOPT(permit_tun);
2757 	M_CP_INTOPT(fwd_opts.gateway_ports);
2758 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2759 	M_CP_INTOPT(x11_display_offset);
2760 	M_CP_INTOPT(x11_forwarding);
2761 	M_CP_INTOPT(x11_use_localhost);
2762 	M_CP_INTOPT(permit_tty);
2763 	M_CP_INTOPT(permit_user_rc);
2764 	M_CP_INTOPT(max_sessions);
2765 	M_CP_INTOPT(max_authtries);
2766 	M_CP_INTOPT(client_alive_count_max);
2767 	M_CP_INTOPT(client_alive_interval);
2768 	M_CP_INTOPT(ip_qos_interactive);
2769 	M_CP_INTOPT(ip_qos_bulk);
2770 	M_CP_INTOPT(rekey_limit);
2771 	M_CP_INTOPT(rekey_interval);
2772 	M_CP_INTOPT(log_level);
2773 	M_CP_INTOPT(required_rsa_size);
2774 	M_CP_INTOPT(unused_connection_timeout);
2775 
2776 	/*
2777 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2778 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2779 	 * warnings.
2780 	 */
2781 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2782 		dst->fwd_opts.streamlocal_bind_mask =
2783 		    src->fwd_opts.streamlocal_bind_mask;
2784 	}
2785 
2786 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2787 #define M_CP_STROPT(n) do {\
2788 	if (src->n != NULL && dst->n != src->n) { \
2789 		free(dst->n); \
2790 		dst->n = src->n; \
2791 	} \
2792 } while(0)
2793 #define M_CP_STRARRAYOPT(s, num_s) do {\
2794 	u_int i; \
2795 	if (src->num_s != 0) { \
2796 		for (i = 0; i < dst->num_s; i++) \
2797 			free(dst->s[i]); \
2798 		free(dst->s); \
2799 		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2800 		for (i = 0; i < src->num_s; i++) \
2801 			dst->s[i] = xstrdup(src->s[i]); \
2802 		dst->num_s = src->num_s; \
2803 	} \
2804 } while(0)
2805 
2806 	/* See comment in servconf.h */
2807 	COPY_MATCH_STRING_OPTS();
2808 
2809 	/* Arguments that accept '+...' need to be expanded */
2810 	assemble_algorithms(dst);
2811 
2812 	/*
2813 	 * The only things that should be below this point are string options
2814 	 * which are only used after authentication.
2815 	 */
2816 	if (preauth)
2817 		return;
2818 
2819 	/* These options may be "none" to clear a global setting */
2820 	M_CP_STROPT(adm_forced_command);
2821 	if (option_clear_or_none(dst->adm_forced_command)) {
2822 		free(dst->adm_forced_command);
2823 		dst->adm_forced_command = NULL;
2824 	}
2825 	M_CP_STROPT(chroot_directory);
2826 	if (option_clear_or_none(dst->chroot_directory)) {
2827 		free(dst->chroot_directory);
2828 		dst->chroot_directory = NULL;
2829 	}
2830 
2831 	/* Subsystems require merging. */
2832 	servconf_merge_subsystems(dst, src);
2833 }
2834 
2835 #undef M_CP_INTOPT
2836 #undef M_CP_STROPT
2837 #undef M_CP_STRARRAYOPT
2838 
2839 #define SERVCONF_MAX_DEPTH	16
2840 static void
2841 parse_server_config_depth(ServerOptions *options, const char *filename,
2842     struct sshbuf *conf, struct include_list *includes,
2843     struct connection_info *connectinfo, int flags, int *activep, int depth)
2844 {
2845 	int linenum, bad_options = 0;
2846 	char *cp, *obuf, *cbuf;
2847 
2848 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2849 		fatal("Too many recursive configuration includes");
2850 
2851 	debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2852 	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2853 
2854 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2855 		fatal_f("sshbuf_dup_string failed");
2856 	linenum = 1;
2857 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2858 		if (process_server_config_line_depth(options, cp,
2859 		    filename, linenum++, activep, connectinfo, &flags,
2860 		    depth, includes) != 0)
2861 			bad_options++;
2862 	}
2863 	free(obuf);
2864 	if (bad_options > 0)
2865 		fatal("%s: terminating, %d bad configuration options",
2866 		    filename, bad_options);
2867 }
2868 
2869 void
2870 parse_server_config(ServerOptions *options, const char *filename,
2871     struct sshbuf *conf, struct include_list *includes,
2872     struct connection_info *connectinfo, int reexec)
2873 {
2874 	int active = connectinfo ? 0 : 1;
2875 	parse_server_config_depth(options, filename, conf, includes,
2876 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2877 	if (!reexec)
2878 		process_queued_listen_addrs(options);
2879 }
2880 
2881 static const char *
2882 fmt_multistate_int(int val, const struct multistate *m)
2883 {
2884 	u_int i;
2885 
2886 	for (i = 0; m[i].key != NULL; i++) {
2887 		if (m[i].value == val)
2888 			return m[i].key;
2889 	}
2890 	return "UNKNOWN";
2891 }
2892 
2893 static const char *
2894 fmt_intarg(ServerOpCodes code, int val)
2895 {
2896 	if (val == -1)
2897 		return "unset";
2898 	switch (code) {
2899 	case sAddressFamily:
2900 		return fmt_multistate_int(val, multistate_addressfamily);
2901 	case sPermitRootLogin:
2902 		return fmt_multistate_int(val, multistate_permitrootlogin);
2903 	case sGatewayPorts:
2904 		return fmt_multistate_int(val, multistate_gatewayports);
2905 	case sCompression:
2906 		return fmt_multistate_int(val, multistate_compression);
2907 	case sAllowTcpForwarding:
2908 		return fmt_multistate_int(val, multistate_tcpfwd);
2909 	case sAllowStreamLocalForwarding:
2910 		return fmt_multistate_int(val, multistate_tcpfwd);
2911 	case sIgnoreRhosts:
2912 		return fmt_multistate_int(val, multistate_ignore_rhosts);
2913 	case sFingerprintHash:
2914 		return ssh_digest_alg_name(val);
2915 	default:
2916 		switch (val) {
2917 		case 0:
2918 			return "no";
2919 		case 1:
2920 			return "yes";
2921 		default:
2922 			return "UNKNOWN";
2923 		}
2924 	}
2925 }
2926 
2927 static void
2928 dump_cfg_int(ServerOpCodes code, int val)
2929 {
2930 	if (code == sUnusedConnectionTimeout && val == 0) {
2931 		printf("%s none\n", lookup_opcode_name(code));
2932 		return;
2933 	}
2934 	printf("%s %d\n", lookup_opcode_name(code), val);
2935 }
2936 
2937 static void
2938 dump_cfg_oct(ServerOpCodes code, int val)
2939 {
2940 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2941 }
2942 
2943 static void
2944 dump_cfg_fmtint(ServerOpCodes code, int val)
2945 {
2946 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2947 }
2948 
2949 static void
2950 dump_cfg_string(ServerOpCodes code, const char *val)
2951 {
2952 	printf("%s %s\n", lookup_opcode_name(code),
2953 	    val == NULL ? "none" : val);
2954 }
2955 
2956 static void
2957 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2958 {
2959 	u_int i;
2960 
2961 	for (i = 0; i < count; i++)
2962 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2963 }
2964 
2965 static void
2966 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2967 {
2968 	u_int i;
2969 
2970 	switch (code) {
2971 	case sAuthenticationMethods:
2972 	case sChannelTimeout:
2973 		break;
2974 	default:
2975 		if (count <= 0)
2976 			return;
2977 		break;
2978 	}
2979 
2980 	printf("%s", lookup_opcode_name(code));
2981 	for (i = 0; i < count; i++)
2982 		printf(" %s",  vals[i]);
2983 	if (code == sAuthenticationMethods && count == 0)
2984 		printf(" any");
2985 	else if (code == sChannelTimeout && count == 0)
2986 		printf(" none");
2987 	printf("\n");
2988 }
2989 
2990 static char *
2991 format_listen_addrs(struct listenaddr *la)
2992 {
2993 	int r;
2994 	struct addrinfo *ai;
2995 	char addr[NI_MAXHOST], port[NI_MAXSERV];
2996 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2997 
2998 	/*
2999 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
3000 	 * addresses onto a stack, so to maintain ordering we need to
3001 	 * print these in reverse order.
3002 	 */
3003 	for (ai = la->addrs; ai; ai = ai->ai_next) {
3004 		if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
3005 		    sizeof(addr), port, sizeof(port),
3006 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
3007 			error("getnameinfo: %.100s", ssh_gai_strerror(r));
3008 			continue;
3009 		}
3010 		laddr2 = laddr1;
3011 		if (ai->ai_family == AF_INET6) {
3012 			xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
3013 			    addr, port,
3014 			    la->rdomain == NULL ? "" : " rdomain ",
3015 			    la->rdomain == NULL ? "" : la->rdomain,
3016 			    laddr2);
3017 		} else {
3018 			xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
3019 			    addr, port,
3020 			    la->rdomain == NULL ? "" : " rdomain ",
3021 			    la->rdomain == NULL ? "" : la->rdomain,
3022 			    laddr2);
3023 		}
3024 		free(laddr2);
3025 	}
3026 	return laddr1;
3027 }
3028 
3029 void
3030 dump_config(ServerOptions *o)
3031 {
3032 	char *s;
3033 	u_int i;
3034 
3035 	/* these are usually at the top of the config */
3036 	for (i = 0; i < o->num_ports; i++)
3037 		printf("port %d\n", o->ports[i]);
3038 	dump_cfg_fmtint(sAddressFamily, o->address_family);
3039 
3040 	for (i = 0; i < o->num_listen_addrs; i++) {
3041 		s = format_listen_addrs(&o->listen_addrs[i]);
3042 		printf("%s", s);
3043 		free(s);
3044 	}
3045 
3046 	/* integer arguments */
3047 #ifdef USE_PAM
3048 	dump_cfg_fmtint(sUsePAM, o->use_pam);
3049 #endif
3050 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
3051 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
3052 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
3053 	dump_cfg_int(sMaxSessions, o->max_sessions);
3054 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
3055 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
3056 	dump_cfg_int(sRequiredRSASize, o->required_rsa_size);
3057 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
3058 	dump_cfg_int(sUnusedConnectionTimeout, o->unused_connection_timeout);
3059 
3060 	/* formatted integer arguments */
3061 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
3062 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
3063 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
3064 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
3065 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
3066 	    o->hostbased_uses_name_from_packet_only);
3067 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
3068 #ifdef KRB5
3069 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
3070 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
3071 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
3072 # ifdef USE_AFS
3073 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
3074 # endif
3075 #endif
3076 #ifdef GSSAPI
3077 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3078 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
3079 #endif
3080 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3081 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
3082 	    o->kbd_interactive_authentication);
3083 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
3084 #ifndef DISABLE_LASTLOG
3085 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
3086 #endif
3087 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
3088 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
3089 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
3090 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
3091 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
3092 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
3093 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
3094 	dump_cfg_fmtint(sCompression, o->compression);
3095 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
3096 	dump_cfg_fmtint(sUseDNS, o->use_dns);
3097 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
3098 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
3099 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
3100 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
3101 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
3102 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
3103 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
3104 	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
3105 
3106 	/* string arguments */
3107 	dump_cfg_string(sPidFile, o->pid_file);
3108 	dump_cfg_string(sModuliFile, o->moduli_file);
3109 	dump_cfg_string(sXAuthLocation, o->xauth_location);
3110 	dump_cfg_string(sCiphers, o->ciphers);
3111 	dump_cfg_string(sMacs, o->macs);
3112 	dump_cfg_string(sBanner, o->banner);
3113 	dump_cfg_string(sForceCommand, o->adm_forced_command);
3114 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
3115 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
3116 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
3117 	dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
3118 	dump_cfg_string(sAuthorizedPrincipalsFile,
3119 	    o->authorized_principals_file);
3120 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
3121 	    ? "none" : o->version_addendum);
3122 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
3123 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
3124 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
3125 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
3126 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
3127 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
3128 	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
3129 	dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos);
3130 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
3131 	dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
3132 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
3133 	dump_cfg_string(sRDomain, o->routing_domain);
3134 #endif
3135 
3136 	/* string arguments requiring a lookup */
3137 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
3138 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
3139 
3140 	/* string array arguments */
3141 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
3142 	    o->authorized_keys_files);
3143 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
3144 	    o->host_key_files);
3145 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
3146 	    o->host_cert_files);
3147 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
3148 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
3149 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
3150 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
3151 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
3152 	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
3153 	dump_cfg_strarray_oneline(sAuthenticationMethods,
3154 	    o->num_auth_methods, o->auth_methods);
3155 	dump_cfg_strarray_oneline(sLogVerbose,
3156 	    o->num_log_verbose, o->log_verbose);
3157 	dump_cfg_strarray_oneline(sChannelTimeout,
3158 	    o->num_channel_timeouts, o->channel_timeouts);
3159 
3160 	/* other arguments */
3161 	for (i = 0; i < o->num_subsystems; i++)
3162 		printf("subsystem %s %s\n", o->subsystem_name[i],
3163 		    o->subsystem_args[i]);
3164 
3165 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
3166 	    o->max_startups_rate, o->max_startups);
3167 	printf("persourcemaxstartups ");
3168 	if (o->per_source_max_startups == INT_MAX)
3169 		printf("none\n");
3170 	else
3171 		printf("%d\n", o->per_source_max_startups);
3172 	printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4,
3173 	    o->per_source_masklen_ipv6);
3174 
3175 	s = NULL;
3176 	for (i = 0; tunmode_desc[i].val != -1; i++) {
3177 		if (tunmode_desc[i].val == o->permit_tun) {
3178 			s = tunmode_desc[i].text;
3179 			break;
3180 		}
3181 	}
3182 	dump_cfg_string(sPermitTunnel, s);
3183 
3184 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
3185 	printf("%s\n", iptos2str(o->ip_qos_bulk));
3186 
3187 	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
3188 	    o->rekey_interval);
3189 
3190 	printf("permitopen");
3191 	if (o->num_permitted_opens == 0)
3192 		printf(" any");
3193 	else {
3194 		for (i = 0; i < o->num_permitted_opens; i++)
3195 			printf(" %s", o->permitted_opens[i]);
3196 	}
3197 	printf("\n");
3198 	printf("permitlisten");
3199 	if (o->num_permitted_listens == 0)
3200 		printf(" any");
3201 	else {
3202 		for (i = 0; i < o->num_permitted_listens; i++)
3203 			printf(" %s", o->permitted_listens[i]);
3204 	}
3205 	printf("\n");
3206 
3207 	if (o->permit_user_env_allowlist == NULL) {
3208 		dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
3209 	} else {
3210 		printf("permituserenvironment %s\n",
3211 		    o->permit_user_env_allowlist);
3212 	}
3213 
3214 	printf("pubkeyauthoptions");
3215 	if (o->pubkey_auth_options == 0)
3216 		printf(" none");
3217 	if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
3218 		printf(" touch-required");
3219 	if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
3220 		printf(" verify-required");
3221 	printf("\n");
3222 }
3223