xref: /freebsd/crypto/openssh/servconf.c (revision a18eacbefdfa1085ca3db829e86ece78cd416493)
1 
2 /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
3 /* $FreeBSD$ */
4 /*
5  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6  *                    All rights reserved
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  */
14 
15 #include "includes.h"
16 __RCSID("$FreeBSD$");
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
24 
25 #include <ctype.h>
26 #include <netdb.h>
27 #include <pwd.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <signal.h>
32 #include <unistd.h>
33 #include <stdarg.h>
34 #include <errno.h>
35 #ifdef HAVE_UTIL_H
36 #include <util.h>
37 #endif
38 
39 #include "openbsd-compat/sys-queue.h"
40 #include "xmalloc.h"
41 #include "ssh.h"
42 #include "log.h"
43 #include "buffer.h"
44 #include "servconf.h"
45 #include "compat.h"
46 #include "pathnames.h"
47 #include "misc.h"
48 #include "cipher.h"
49 #include "key.h"
50 #include "kex.h"
51 #include "mac.h"
52 #include "match.h"
53 #include "channels.h"
54 #include "groupaccess.h"
55 #include "canohost.h"
56 #include "packet.h"
57 #include "hostfile.h"
58 #include "auth.h"
59 #include "version.h"
60 
61 static void add_listen_addr(ServerOptions *, char *, int);
62 static void add_one_listen_addr(ServerOptions *, char *, int);
63 
64 /* Use of privilege separation or not */
65 extern int use_privsep;
66 extern Buffer cfg;
67 
68 /* Initializes the server options to their default values. */
69 
70 void
71 initialize_server_options(ServerOptions *options)
72 {
73 	memset(options, 0, sizeof(*options));
74 
75 	/* Portable-specific options */
76 	options->use_pam = -1;
77 
78 	/* Standard Options */
79 	options->num_ports = 0;
80 	options->ports_from_cmdline = 0;
81 	options->listen_addrs = NULL;
82 	options->address_family = -1;
83 	options->num_host_key_files = 0;
84 	options->num_host_cert_files = 0;
85 	options->host_key_agent = NULL;
86 	options->pid_file = NULL;
87 	options->server_key_bits = -1;
88 	options->login_grace_time = -1;
89 	options->key_regeneration_time = -1;
90 	options->permit_root_login = PERMIT_NOT_SET;
91 	options->ignore_rhosts = -1;
92 	options->ignore_user_known_hosts = -1;
93 	options->print_motd = -1;
94 	options->print_lastlog = -1;
95 	options->x11_forwarding = -1;
96 	options->x11_display_offset = -1;
97 	options->x11_use_localhost = -1;
98 	options->xauth_location = NULL;
99 	options->strict_modes = -1;
100 	options->tcp_keep_alive = -1;
101 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
102 	options->log_level = SYSLOG_LEVEL_NOT_SET;
103 	options->rhosts_rsa_authentication = -1;
104 	options->hostbased_authentication = -1;
105 	options->hostbased_uses_name_from_packet_only = -1;
106 	options->rsa_authentication = -1;
107 	options->pubkey_authentication = -1;
108 	options->kerberos_authentication = -1;
109 	options->kerberos_or_local_passwd = -1;
110 	options->kerberos_ticket_cleanup = -1;
111 	options->kerberos_get_afs_token = -1;
112 	options->gss_authentication=-1;
113 	options->gss_cleanup_creds = -1;
114 	options->password_authentication = -1;
115 	options->kbd_interactive_authentication = -1;
116 	options->challenge_response_authentication = -1;
117 	options->permit_empty_passwd = -1;
118 	options->permit_user_env = -1;
119 	options->use_login = -1;
120 	options->compression = -1;
121 	options->rekey_limit = -1;
122 	options->rekey_interval = -1;
123 	options->allow_tcp_forwarding = -1;
124 	options->allow_agent_forwarding = -1;
125 	options->num_allow_users = 0;
126 	options->num_deny_users = 0;
127 	options->num_allow_groups = 0;
128 	options->num_deny_groups = 0;
129 	options->ciphers = NULL;
130 	options->macs = NULL;
131 	options->kex_algorithms = NULL;
132 	options->protocol = SSH_PROTO_UNKNOWN;
133 	options->gateway_ports = -1;
134 	options->num_subsystems = 0;
135 	options->max_startups_begin = -1;
136 	options->max_startups_rate = -1;
137 	options->max_startups = -1;
138 	options->max_authtries = -1;
139 	options->max_sessions = -1;
140 	options->banner = NULL;
141 	options->use_dns = -1;
142 	options->client_alive_interval = -1;
143 	options->client_alive_count_max = -1;
144 	options->num_authkeys_files = 0;
145 	options->num_accept_env = 0;
146 	options->permit_tun = -1;
147 	options->num_permitted_opens = -1;
148 	options->adm_forced_command = NULL;
149 	options->chroot_directory = NULL;
150 	options->authorized_keys_command = NULL;
151 	options->authorized_keys_command_user = NULL;
152 	options->zero_knowledge_password_authentication = -1;
153 	options->revoked_keys_file = NULL;
154 	options->trusted_user_ca_keys = NULL;
155 	options->authorized_principals_file = NULL;
156 	options->ip_qos_interactive = -1;
157 	options->ip_qos_bulk = -1;
158 	options->version_addendum = NULL;
159 	options->hpn_disabled = -1;
160 	options->hpn_buffer_size = -1;
161 	options->tcp_rcv_buf_poll = -1;
162 #ifdef	NONE_CIPHER_ENABLED
163 	options->none_enabled = -1;
164 #endif
165 }
166 
167 void
168 fill_default_server_options(ServerOptions *options)
169 {
170 	/* Portable-specific options */
171 	if (options->use_pam == -1)
172 		options->use_pam = 1;
173 
174 	/* Standard Options */
175 	if (options->protocol == SSH_PROTO_UNKNOWN)
176 		options->protocol = SSH_PROTO_2;
177 	if (options->num_host_key_files == 0) {
178 		/* fill default hostkeys for protocols */
179 		if (options->protocol & SSH_PROTO_1)
180 			options->host_key_files[options->num_host_key_files++] =
181 			    _PATH_HOST_KEY_FILE;
182 		if (options->protocol & SSH_PROTO_2) {
183 			options->host_key_files[options->num_host_key_files++] =
184 			    _PATH_HOST_RSA_KEY_FILE;
185 			options->host_key_files[options->num_host_key_files++] =
186 			    _PATH_HOST_DSA_KEY_FILE;
187 #ifdef OPENSSL_HAS_ECC
188 			options->host_key_files[options->num_host_key_files++] =
189 			    _PATH_HOST_ECDSA_KEY_FILE;
190 #endif
191 		}
192 	}
193 	/* No certificates by default */
194 	if (options->num_ports == 0)
195 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
196 	if (options->listen_addrs == NULL)
197 		add_listen_addr(options, NULL, 0);
198 	if (options->pid_file == NULL)
199 		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
200 	if (options->server_key_bits == -1)
201 		options->server_key_bits = 1024;
202 	if (options->login_grace_time == -1)
203 		options->login_grace_time = 120;
204 	if (options->key_regeneration_time == -1)
205 		options->key_regeneration_time = 3600;
206 	if (options->permit_root_login == PERMIT_NOT_SET)
207 		options->permit_root_login = PERMIT_NO;
208 	if (options->ignore_rhosts == -1)
209 		options->ignore_rhosts = 1;
210 	if (options->ignore_user_known_hosts == -1)
211 		options->ignore_user_known_hosts = 0;
212 	if (options->print_motd == -1)
213 		options->print_motd = 1;
214 	if (options->print_lastlog == -1)
215 		options->print_lastlog = 1;
216 	if (options->x11_forwarding == -1)
217 		options->x11_forwarding = 1;
218 	if (options->x11_display_offset == -1)
219 		options->x11_display_offset = 10;
220 	if (options->x11_use_localhost == -1)
221 		options->x11_use_localhost = 1;
222 	if (options->xauth_location == NULL)
223 		options->xauth_location = _PATH_XAUTH;
224 	if (options->strict_modes == -1)
225 		options->strict_modes = 1;
226 	if (options->tcp_keep_alive == -1)
227 		options->tcp_keep_alive = 1;
228 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
229 		options->log_facility = SYSLOG_FACILITY_AUTH;
230 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
231 		options->log_level = SYSLOG_LEVEL_INFO;
232 	if (options->rhosts_rsa_authentication == -1)
233 		options->rhosts_rsa_authentication = 0;
234 	if (options->hostbased_authentication == -1)
235 		options->hostbased_authentication = 0;
236 	if (options->hostbased_uses_name_from_packet_only == -1)
237 		options->hostbased_uses_name_from_packet_only = 0;
238 	if (options->rsa_authentication == -1)
239 		options->rsa_authentication = 1;
240 	if (options->pubkey_authentication == -1)
241 		options->pubkey_authentication = 1;
242 	if (options->kerberos_authentication == -1)
243 		options->kerberos_authentication = 0;
244 	if (options->kerberos_or_local_passwd == -1)
245 		options->kerberos_or_local_passwd = 1;
246 	if (options->kerberos_ticket_cleanup == -1)
247 		options->kerberos_ticket_cleanup = 1;
248 	if (options->kerberos_get_afs_token == -1)
249 		options->kerberos_get_afs_token = 0;
250 	if (options->gss_authentication == -1)
251 		options->gss_authentication = 0;
252 	if (options->gss_cleanup_creds == -1)
253 		options->gss_cleanup_creds = 1;
254 	if (options->password_authentication == -1)
255 		options->password_authentication = 0;
256 	if (options->kbd_interactive_authentication == -1)
257 		options->kbd_interactive_authentication = 0;
258 	if (options->challenge_response_authentication == -1)
259 		options->challenge_response_authentication = 1;
260 	if (options->permit_empty_passwd == -1)
261 		options->permit_empty_passwd = 0;
262 	if (options->permit_user_env == -1)
263 		options->permit_user_env = 0;
264 	if (options->use_login == -1)
265 		options->use_login = 0;
266 	if (options->compression == -1)
267 		options->compression = COMP_DELAYED;
268 	if (options->rekey_limit == -1)
269 		options->rekey_limit = 0;
270 	if (options->rekey_interval == -1)
271 		options->rekey_interval = 0;
272 	if (options->allow_tcp_forwarding == -1)
273 		options->allow_tcp_forwarding = FORWARD_ALLOW;
274 	if (options->allow_agent_forwarding == -1)
275 		options->allow_agent_forwarding = 1;
276 	if (options->gateway_ports == -1)
277 		options->gateway_ports = 0;
278 	if (options->max_startups == -1)
279 		options->max_startups = 100;
280 	if (options->max_startups_rate == -1)
281 		options->max_startups_rate = 30;		/* 30% */
282 	if (options->max_startups_begin == -1)
283 		options->max_startups_begin = 10;
284 	if (options->max_authtries == -1)
285 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
286 	if (options->max_sessions == -1)
287 		options->max_sessions = DEFAULT_SESSIONS_MAX;
288 	if (options->use_dns == -1)
289 		options->use_dns = 1;
290 	if (options->client_alive_interval == -1)
291 		options->client_alive_interval = 0;
292 	if (options->client_alive_count_max == -1)
293 		options->client_alive_count_max = 3;
294 	if (options->num_authkeys_files == 0) {
295 		options->authorized_keys_files[options->num_authkeys_files++] =
296 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
297 		options->authorized_keys_files[options->num_authkeys_files++] =
298 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
299 	}
300 	if (options->permit_tun == -1)
301 		options->permit_tun = SSH_TUNMODE_NO;
302 	if (options->zero_knowledge_password_authentication == -1)
303 		options->zero_knowledge_password_authentication = 0;
304 	if (options->ip_qos_interactive == -1)
305 		options->ip_qos_interactive = IPTOS_LOWDELAY;
306 	if (options->ip_qos_bulk == -1)
307 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
308 	if (options->version_addendum == NULL)
309 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
310 	/* Turn privilege separation on by default */
311 	if (use_privsep == -1)
312 		use_privsep = PRIVSEP_NOSANDBOX;
313 
314 #ifndef HAVE_MMAP
315 	if (use_privsep && options->compression == 1) {
316 		error("This platform does not support both privilege "
317 		    "separation and compression");
318 		error("Compression disabled");
319 		options->compression = 0;
320 	}
321 #endif
322 
323 	if (options->hpn_disabled == -1)
324 		options->hpn_disabled = 0;
325 	if (options->hpn_buffer_size == -1) {
326 		/*
327 		 * HPN buffer size option not explicitly set.  Try to figure
328 		 * out what value to use or resort to default.
329 		 */
330 		options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
331 		if (!options->hpn_disabled) {
332 			sock_get_rcvbuf(&options->hpn_buffer_size, 0);
333 			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
334 		}
335 	} else {
336 		/*
337 		 * In the case that the user sets both values in a
338 		 * contradictory manner hpn_disabled overrrides hpn_buffer_size.
339 		 */
340 		if (options->hpn_disabled <= 0) {
341 			u_int maxlen;
342 
343 			maxlen = buffer_get_max_len();
344 			if (options->hpn_buffer_size == 0)
345 				options->hpn_buffer_size = 1;
346 			/* Limit the maximum buffer to BUFFER_MAX_LEN. */
347 			if (options->hpn_buffer_size > maxlen / 1024)
348 				options->hpn_buffer_size = maxlen;
349 			else
350 				options->hpn_buffer_size *= 1024;
351 		} else {
352 			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
353 		}
354 	}
355 }
356 
357 /* Keyword tokens. */
358 typedef enum {
359 	sBadOption,		/* == unknown option */
360 	/* Portable-specific options */
361 	sUsePAM,
362 	/* Standard Options */
363 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
364 	sPermitRootLogin, sLogFacility, sLogLevel,
365 	sRhostsRSAAuthentication, sRSAAuthentication,
366 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
367 	sKerberosGetAFSToken,
368 	sKerberosTgtPassing, sChallengeResponseAuthentication,
369 	sPasswordAuthentication, sKbdInteractiveAuthentication,
370 	sListenAddress, sAddressFamily,
371 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
372 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
373 	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
374 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
375 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
376 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
377 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
378 	sMaxStartups, sMaxAuthTries, sMaxSessions,
379 	sBanner, sUseDNS, sHostbasedAuthentication,
380 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
381 	sClientAliveCountMax, sAuthorizedKeysFile,
382 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
383 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
384 	sUsePrivilegeSeparation, sAllowAgentForwarding,
385 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
386 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
387 	sKexAlgorithms, sIPQoS, sVersionAddendum,
388 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
389 	sAuthenticationMethods, sHostKeyAgent,
390 	sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
391 #ifdef NONE_CIPHER_ENABLED
392 	sNoneEnabled,
393 #endif
394 	sDeprecated, sUnsupported
395 } ServerOpCodes;
396 
397 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
398 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
399 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
400 
401 /* Textual representation of the tokens. */
402 static struct {
403 	const char *name;
404 	ServerOpCodes opcode;
405 	u_int flags;
406 } keywords[] = {
407 	/* Portable-specific options */
408 #ifdef USE_PAM
409 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
410 #else
411 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
412 #endif
413 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
414 	/* Standard Options */
415 	{ "port", sPort, SSHCFG_GLOBAL },
416 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
417 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
418 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
419 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
420 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
421 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
422 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
423 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
424 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
425 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
426 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
427 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
428 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
429 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
430 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
431 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
432 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
433 #ifdef KRB5
434 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
435 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
436 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
437 #ifdef USE_AFS
438 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
439 #else
440 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
441 #endif
442 #else
443 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
444 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
445 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
446 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
447 #endif
448 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
449 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
450 #ifdef GSSAPI
451 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
452 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
453 #else
454 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
455 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
456 #endif
457 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
458 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
459 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
460 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
461 #ifdef JPAKE
462 	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
463 #else
464 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
465 #endif
466 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
467 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
468 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
469 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
470 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
471 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
472 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
473 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
474 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
475 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
476 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
477 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
478 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
479 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
480 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
481 	{ "compression", sCompression, SSHCFG_GLOBAL },
482 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
483 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
484 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
485 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
486 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
487 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
488 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
489 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
490 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
491 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
492 	{ "macs", sMacs, SSHCFG_GLOBAL },
493 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
494 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
495 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
496 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
497 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
498 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
499 	{ "banner", sBanner, SSHCFG_ALL },
500 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
501 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
502 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
503 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
504 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
505 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
506 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
507 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
508 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
509 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
510 	{ "match", sMatch, SSHCFG_ALL },
511 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
512 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
513 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
514 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
515 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
516 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
517 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
518 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
519 	{ "ipqos", sIPQoS, SSHCFG_ALL },
520 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
521 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
522 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
523 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
524 	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
525 	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
526 	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
527 #ifdef NONE_CIPHER_ENABLED
528 	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
529 #endif
530 	{ NULL, sBadOption, 0 }
531 };
532 
533 static struct {
534 	int val;
535 	char *text;
536 } tunmode_desc[] = {
537 	{ SSH_TUNMODE_NO, "no" },
538 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
539 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
540 	{ SSH_TUNMODE_YES, "yes" },
541 	{ -1, NULL }
542 };
543 
544 /*
545  * Returns the number of the token pointed to by cp or sBadOption.
546  */
547 
548 static ServerOpCodes
549 parse_token(const char *cp, const char *filename,
550 	    int linenum, u_int *flags)
551 {
552 	u_int i;
553 
554 	for (i = 0; keywords[i].name; i++)
555 		if (strcasecmp(cp, keywords[i].name) == 0) {
556 			*flags = keywords[i].flags;
557 			return keywords[i].opcode;
558 		}
559 
560 	error("%s: line %d: Bad configuration option: %s",
561 	    filename, linenum, cp);
562 	return sBadOption;
563 }
564 
565 char *
566 derelativise_path(const char *path)
567 {
568 	char *expanded, *ret, cwd[MAXPATHLEN];
569 
570 	expanded = tilde_expand_filename(path, getuid());
571 	if (*expanded == '/')
572 		return expanded;
573 	if (getcwd(cwd, sizeof(cwd)) == NULL)
574 		fatal("%s: getcwd: %s", __func__, strerror(errno));
575 	xasprintf(&ret, "%s/%s", cwd, expanded);
576 	free(expanded);
577 	return ret;
578 }
579 
580 static void
581 add_listen_addr(ServerOptions *options, char *addr, int port)
582 {
583 	u_int i;
584 
585 	if (options->num_ports == 0)
586 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
587 	if (options->address_family == -1)
588 		options->address_family = AF_UNSPEC;
589 	if (port == 0)
590 		for (i = 0; i < options->num_ports; i++)
591 			add_one_listen_addr(options, addr, options->ports[i]);
592 	else
593 		add_one_listen_addr(options, addr, port);
594 }
595 
596 static void
597 add_one_listen_addr(ServerOptions *options, char *addr, int port)
598 {
599 	struct addrinfo hints, *ai, *aitop;
600 	char strport[NI_MAXSERV];
601 	int gaierr;
602 
603 	memset(&hints, 0, sizeof(hints));
604 	hints.ai_family = options->address_family;
605 	hints.ai_socktype = SOCK_STREAM;
606 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
607 	snprintf(strport, sizeof strport, "%d", port);
608 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
609 		fatal("bad addr or host: %s (%s)",
610 		    addr ? addr : "<NULL>",
611 		    ssh_gai_strerror(gaierr));
612 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
613 		;
614 	ai->ai_next = options->listen_addrs;
615 	options->listen_addrs = aitop;
616 }
617 
618 struct connection_info *
619 get_connection_info(int populate, int use_dns)
620 {
621 	static struct connection_info ci;
622 
623 	if (!populate)
624 		return &ci;
625 	ci.host = get_canonical_hostname(use_dns);
626 	ci.address = get_remote_ipaddr();
627 	ci.laddress = get_local_ipaddr(packet_get_connection_in());
628 	ci.lport = get_local_port();
629 	return &ci;
630 }
631 
632 /*
633  * The strategy for the Match blocks is that the config file is parsed twice.
634  *
635  * The first time is at startup.  activep is initialized to 1 and the
636  * directives in the global context are processed and acted on.  Hitting a
637  * Match directive unsets activep and the directives inside the block are
638  * checked for syntax only.
639  *
640  * The second time is after a connection has been established but before
641  * authentication.  activep is initialized to 2 and global config directives
642  * are ignored since they have already been processed.  If the criteria in a
643  * Match block is met, activep is set and the subsequent directives
644  * processed and actioned until EOF or another Match block unsets it.  Any
645  * options set are copied into the main server config.
646  *
647  * Potential additions/improvements:
648  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
649  *
650  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
651  *	Match Address 192.168.0.*
652  *		Tag trusted
653  *	Match Group wheel
654  *		Tag trusted
655  *	Match Tag trusted
656  *		AllowTcpForwarding yes
657  *		GatewayPorts clientspecified
658  *		[...]
659  *
660  *  - Add a PermittedChannelRequests directive
661  *	Match Group shell
662  *		PermittedChannelRequests session,forwarded-tcpip
663  */
664 
665 static int
666 match_cfg_line_group(const char *grps, int line, const char *user)
667 {
668 	int result = 0;
669 	struct passwd *pw;
670 
671 	if (user == NULL)
672 		goto out;
673 
674 	if ((pw = getpwnam(user)) == NULL) {
675 		debug("Can't match group at line %d because user %.100s does "
676 		    "not exist", line, user);
677 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
678 		debug("Can't Match group because user %.100s not in any group "
679 		    "at line %d", user, line);
680 	} else if (ga_match_pattern_list(grps) != 1) {
681 		debug("user %.100s does not match group list %.100s at line %d",
682 		    user, grps, line);
683 	} else {
684 		debug("user %.100s matched group list %.100s at line %d", user,
685 		    grps, line);
686 		result = 1;
687 	}
688 out:
689 	ga_free();
690 	return result;
691 }
692 
693 /*
694  * All of the attributes on a single Match line are ANDed together, so we need
695  * to check every * attribute and set the result to zero if any attribute does
696  * not match.
697  */
698 static int
699 match_cfg_line(char **condition, int line, struct connection_info *ci)
700 {
701 	int result = 1, port;
702 	char *arg, *attrib, *cp = *condition;
703 	size_t len;
704 
705 	if (ci == NULL)
706 		debug3("checking syntax for 'Match %s'", cp);
707 	else
708 		debug3("checking match for '%s' user %s host %s addr %s "
709 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
710 		    ci->host ? ci->host : "(null)",
711 		    ci->address ? ci->address : "(null)",
712 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
713 
714 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
715 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
716 			error("Missing Match criteria for %s", attrib);
717 			return -1;
718 		}
719 		len = strlen(arg);
720 		if (strcasecmp(attrib, "user") == 0) {
721 			if (ci == NULL || ci->user == NULL) {
722 				result = 0;
723 				continue;
724 			}
725 			if (match_pattern_list(ci->user, arg, len, 0) != 1)
726 				result = 0;
727 			else
728 				debug("user %.100s matched 'User %.100s' at "
729 				    "line %d", ci->user, arg, line);
730 		} else if (strcasecmp(attrib, "group") == 0) {
731 			if (ci == NULL || ci->user == NULL) {
732 				result = 0;
733 				continue;
734 			}
735 			switch (match_cfg_line_group(arg, line, ci->user)) {
736 			case -1:
737 				return -1;
738 			case 0:
739 				result = 0;
740 			}
741 		} else if (strcasecmp(attrib, "host") == 0) {
742 			if (ci == NULL || ci->host == NULL) {
743 				result = 0;
744 				continue;
745 			}
746 			if (match_hostname(ci->host, arg, len) != 1)
747 				result = 0;
748 			else
749 				debug("connection from %.100s matched 'Host "
750 				    "%.100s' at line %d", ci->host, arg, line);
751 		} else if (strcasecmp(attrib, "address") == 0) {
752 			if (ci == NULL || ci->address == NULL) {
753 				result = 0;
754 				continue;
755 			}
756 			switch (addr_match_list(ci->address, arg)) {
757 			case 1:
758 				debug("connection from %.100s matched 'Address "
759 				    "%.100s' at line %d", ci->address, arg, line);
760 				break;
761 			case 0:
762 			case -1:
763 				result = 0;
764 				break;
765 			case -2:
766 				return -1;
767 			}
768 		} else if (strcasecmp(attrib, "localaddress") == 0){
769 			if (ci == NULL || ci->laddress == NULL) {
770 				result = 0;
771 				continue;
772 			}
773 			switch (addr_match_list(ci->laddress, arg)) {
774 			case 1:
775 				debug("connection from %.100s matched "
776 				    "'LocalAddress %.100s' at line %d",
777 				    ci->laddress, arg, line);
778 				break;
779 			case 0:
780 			case -1:
781 				result = 0;
782 				break;
783 			case -2:
784 				return -1;
785 			}
786 		} else if (strcasecmp(attrib, "localport") == 0) {
787 			if ((port = a2port(arg)) == -1) {
788 				error("Invalid LocalPort '%s' on Match line",
789 				    arg);
790 				return -1;
791 			}
792 			if (ci == NULL || ci->lport == 0) {
793 				result = 0;
794 				continue;
795 			}
796 			/* TODO support port lists */
797 			if (port == ci->lport)
798 				debug("connection from %.100s matched "
799 				    "'LocalPort %d' at line %d",
800 				    ci->laddress, port, line);
801 			else
802 				result = 0;
803 		} else {
804 			error("Unsupported Match attribute %s", attrib);
805 			return -1;
806 		}
807 	}
808 	if (ci != NULL)
809 		debug3("match %sfound", result ? "" : "not ");
810 	*condition = cp;
811 	return result;
812 }
813 
814 #define WHITESPACE " \t\r\n"
815 
816 /* Multistate option parsing */
817 struct multistate {
818 	char *key;
819 	int value;
820 };
821 static const struct multistate multistate_addressfamily[] = {
822 	{ "inet",			AF_INET },
823 	{ "inet6",			AF_INET6 },
824 	{ "any",			AF_UNSPEC },
825 	{ NULL, -1 }
826 };
827 static const struct multistate multistate_permitrootlogin[] = {
828 	{ "without-password",		PERMIT_NO_PASSWD },
829 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
830 	{ "yes",			PERMIT_YES },
831 	{ "no",				PERMIT_NO },
832 	{ NULL, -1 }
833 };
834 static const struct multistate multistate_compression[] = {
835 	{ "delayed",			COMP_DELAYED },
836 	{ "yes",			COMP_ZLIB },
837 	{ "no",				COMP_NONE },
838 	{ NULL, -1 }
839 };
840 static const struct multistate multistate_gatewayports[] = {
841 	{ "clientspecified",		2 },
842 	{ "yes",			1 },
843 	{ "no",				0 },
844 	{ NULL, -1 }
845 };
846 static const struct multistate multistate_privsep[] = {
847 	{ "yes",			PRIVSEP_NOSANDBOX },
848 	{ "sandbox",			PRIVSEP_ON },
849 	{ "nosandbox",			PRIVSEP_NOSANDBOX },
850 	{ "no",				PRIVSEP_OFF },
851 	{ NULL, -1 }
852 };
853 static const struct multistate multistate_tcpfwd[] = {
854 	{ "yes",			FORWARD_ALLOW },
855 	{ "all",			FORWARD_ALLOW },
856 	{ "no",				FORWARD_DENY },
857 	{ "remote",			FORWARD_REMOTE },
858 	{ "local",			FORWARD_LOCAL },
859 	{ NULL, -1 }
860 };
861 
862 int
863 process_server_config_line(ServerOptions *options, char *line,
864     const char *filename, int linenum, int *activep,
865     struct connection_info *connectinfo)
866 {
867 	char *cp, **charptr, *arg, *p;
868 	int cmdline = 0, *intptr, value, value2, n, port;
869 	SyslogFacility *log_facility_ptr;
870 	LogLevel *log_level_ptr;
871 	ServerOpCodes opcode;
872 	u_int i, flags = 0;
873 	size_t len;
874 	long long val64;
875 	const struct multistate *multistate_ptr;
876 
877 	cp = line;
878 	if ((arg = strdelim(&cp)) == NULL)
879 		return 0;
880 	/* Ignore leading whitespace */
881 	if (*arg == '\0')
882 		arg = strdelim(&cp);
883 	if (!arg || !*arg || *arg == '#')
884 		return 0;
885 	intptr = NULL;
886 	charptr = NULL;
887 	opcode = parse_token(arg, filename, linenum, &flags);
888 
889 	if (activep == NULL) { /* We are processing a command line directive */
890 		cmdline = 1;
891 		activep = &cmdline;
892 	}
893 	if (*activep && opcode != sMatch)
894 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
895 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
896 		if (connectinfo == NULL) {
897 			fatal("%s line %d: Directive '%s' is not allowed "
898 			    "within a Match block", filename, linenum, arg);
899 		} else { /* this is a directive we have already processed */
900 			while (arg)
901 				arg = strdelim(&cp);
902 			return 0;
903 		}
904 	}
905 
906 	switch (opcode) {
907 	/* Portable-specific options */
908 	case sUsePAM:
909 		intptr = &options->use_pam;
910 		goto parse_flag;
911 
912 	/* Standard Options */
913 	case sBadOption:
914 		return -1;
915 	case sPort:
916 		/* ignore ports from configfile if cmdline specifies ports */
917 		if (options->ports_from_cmdline)
918 			return 0;
919 		if (options->listen_addrs != NULL)
920 			fatal("%s line %d: ports must be specified before "
921 			    "ListenAddress.", filename, linenum);
922 		if (options->num_ports >= MAX_PORTS)
923 			fatal("%s line %d: too many ports.",
924 			    filename, linenum);
925 		arg = strdelim(&cp);
926 		if (!arg || *arg == '\0')
927 			fatal("%s line %d: missing port number.",
928 			    filename, linenum);
929 		options->ports[options->num_ports++] = a2port(arg);
930 		if (options->ports[options->num_ports-1] <= 0)
931 			fatal("%s line %d: Badly formatted port number.",
932 			    filename, linenum);
933 		break;
934 
935 	case sServerKeyBits:
936 		intptr = &options->server_key_bits;
937  parse_int:
938 		arg = strdelim(&cp);
939 		if (!arg || *arg == '\0')
940 			fatal("%s line %d: missing integer value.",
941 			    filename, linenum);
942 		value = atoi(arg);
943 		if (*activep && *intptr == -1)
944 			*intptr = value;
945 		break;
946 
947 	case sLoginGraceTime:
948 		intptr = &options->login_grace_time;
949  parse_time:
950 		arg = strdelim(&cp);
951 		if (!arg || *arg == '\0')
952 			fatal("%s line %d: missing time value.",
953 			    filename, linenum);
954 		if ((value = convtime(arg)) == -1)
955 			fatal("%s line %d: invalid time value.",
956 			    filename, linenum);
957 		if (*intptr == -1)
958 			*intptr = value;
959 		break;
960 
961 	case sKeyRegenerationTime:
962 		intptr = &options->key_regeneration_time;
963 		goto parse_time;
964 
965 	case sListenAddress:
966 		arg = strdelim(&cp);
967 		if (arg == NULL || *arg == '\0')
968 			fatal("%s line %d: missing address",
969 			    filename, linenum);
970 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
971 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
972 		    && strchr(p+1, ':') != NULL) {
973 			add_listen_addr(options, arg, 0);
974 			break;
975 		}
976 		p = hpdelim(&arg);
977 		if (p == NULL)
978 			fatal("%s line %d: bad address:port usage",
979 			    filename, linenum);
980 		p = cleanhostname(p);
981 		if (arg == NULL)
982 			port = 0;
983 		else if ((port = a2port(arg)) <= 0)
984 			fatal("%s line %d: bad port number", filename, linenum);
985 
986 		add_listen_addr(options, p, port);
987 
988 		break;
989 
990 	case sAddressFamily:
991 		intptr = &options->address_family;
992 		multistate_ptr = multistate_addressfamily;
993 		if (options->listen_addrs != NULL)
994 			fatal("%s line %d: address family must be specified "
995 			    "before ListenAddress.", filename, linenum);
996  parse_multistate:
997 		arg = strdelim(&cp);
998 		if (!arg || *arg == '\0')
999 			fatal("%s line %d: missing argument.",
1000 			    filename, linenum);
1001 		value = -1;
1002 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1003 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1004 				value = multistate_ptr[i].value;
1005 				break;
1006 			}
1007 		}
1008 		if (value == -1)
1009 			fatal("%s line %d: unsupported option \"%s\".",
1010 			    filename, linenum, arg);
1011 		if (*activep && *intptr == -1)
1012 			*intptr = value;
1013 		break;
1014 
1015 	case sHostKeyFile:
1016 		intptr = &options->num_host_key_files;
1017 		if (*intptr >= MAX_HOSTKEYS)
1018 			fatal("%s line %d: too many host keys specified (max %d).",
1019 			    filename, linenum, MAX_HOSTKEYS);
1020 		charptr = &options->host_key_files[*intptr];
1021  parse_filename:
1022 		arg = strdelim(&cp);
1023 		if (!arg || *arg == '\0')
1024 			fatal("%s line %d: missing file name.",
1025 			    filename, linenum);
1026 		if (*activep && *charptr == NULL) {
1027 			*charptr = derelativise_path(arg);
1028 			/* increase optional counter */
1029 			if (intptr != NULL)
1030 				*intptr = *intptr + 1;
1031 		}
1032 		break;
1033 
1034 	case sHostKeyAgent:
1035 		charptr = &options->host_key_agent;
1036 		arg = strdelim(&cp);
1037 		if (!arg || *arg == '\0')
1038 			fatal("%s line %d: missing socket name.",
1039 			    filename, linenum);
1040 		if (*activep && *charptr == NULL)
1041 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1042 			    xstrdup(arg) : derelativise_path(arg);
1043 		break;
1044 
1045 	case sHostCertificate:
1046 		intptr = &options->num_host_cert_files;
1047 		if (*intptr >= MAX_HOSTKEYS)
1048 			fatal("%s line %d: too many host certificates "
1049 			    "specified (max %d).", filename, linenum,
1050 			    MAX_HOSTCERTS);
1051 		charptr = &options->host_cert_files[*intptr];
1052 		goto parse_filename;
1053 		break;
1054 
1055 	case sPidFile:
1056 		charptr = &options->pid_file;
1057 		goto parse_filename;
1058 
1059 	case sPermitRootLogin:
1060 		intptr = &options->permit_root_login;
1061 		multistate_ptr = multistate_permitrootlogin;
1062 		goto parse_multistate;
1063 
1064 	case sIgnoreRhosts:
1065 		intptr = &options->ignore_rhosts;
1066  parse_flag:
1067 		arg = strdelim(&cp);
1068 		if (!arg || *arg == '\0')
1069 			fatal("%s line %d: missing yes/no argument.",
1070 			    filename, linenum);
1071 		value = 0;	/* silence compiler */
1072 		if (strcmp(arg, "yes") == 0)
1073 			value = 1;
1074 		else if (strcmp(arg, "no") == 0)
1075 			value = 0;
1076 		else
1077 			fatal("%s line %d: Bad yes/no argument: %s",
1078 				filename, linenum, arg);
1079 		if (*activep && *intptr == -1)
1080 			*intptr = value;
1081 		break;
1082 
1083 	case sIgnoreUserKnownHosts:
1084 		intptr = &options->ignore_user_known_hosts;
1085 		goto parse_flag;
1086 
1087 	case sRhostsRSAAuthentication:
1088 		intptr = &options->rhosts_rsa_authentication;
1089 		goto parse_flag;
1090 
1091 	case sHostbasedAuthentication:
1092 		intptr = &options->hostbased_authentication;
1093 		goto parse_flag;
1094 
1095 	case sHostbasedUsesNameFromPacketOnly:
1096 		intptr = &options->hostbased_uses_name_from_packet_only;
1097 		goto parse_flag;
1098 
1099 	case sRSAAuthentication:
1100 		intptr = &options->rsa_authentication;
1101 		goto parse_flag;
1102 
1103 	case sPubkeyAuthentication:
1104 		intptr = &options->pubkey_authentication;
1105 		goto parse_flag;
1106 
1107 	case sKerberosAuthentication:
1108 		intptr = &options->kerberos_authentication;
1109 		goto parse_flag;
1110 
1111 	case sKerberosOrLocalPasswd:
1112 		intptr = &options->kerberos_or_local_passwd;
1113 		goto parse_flag;
1114 
1115 	case sKerberosTicketCleanup:
1116 		intptr = &options->kerberos_ticket_cleanup;
1117 		goto parse_flag;
1118 
1119 	case sKerberosGetAFSToken:
1120 		intptr = &options->kerberos_get_afs_token;
1121 		goto parse_flag;
1122 
1123 	case sGssAuthentication:
1124 		intptr = &options->gss_authentication;
1125 		goto parse_flag;
1126 
1127 	case sGssCleanupCreds:
1128 		intptr = &options->gss_cleanup_creds;
1129 		goto parse_flag;
1130 
1131 	case sPasswordAuthentication:
1132 		intptr = &options->password_authentication;
1133 		goto parse_flag;
1134 
1135 	case sZeroKnowledgePasswordAuthentication:
1136 		intptr = &options->zero_knowledge_password_authentication;
1137 		goto parse_flag;
1138 
1139 	case sKbdInteractiveAuthentication:
1140 		intptr = &options->kbd_interactive_authentication;
1141 		goto parse_flag;
1142 
1143 	case sChallengeResponseAuthentication:
1144 		intptr = &options->challenge_response_authentication;
1145 		goto parse_flag;
1146 
1147 	case sPrintMotd:
1148 		intptr = &options->print_motd;
1149 		goto parse_flag;
1150 
1151 	case sPrintLastLog:
1152 		intptr = &options->print_lastlog;
1153 		goto parse_flag;
1154 
1155 	case sX11Forwarding:
1156 		intptr = &options->x11_forwarding;
1157 		goto parse_flag;
1158 
1159 	case sX11DisplayOffset:
1160 		intptr = &options->x11_display_offset;
1161 		goto parse_int;
1162 
1163 	case sX11UseLocalhost:
1164 		intptr = &options->x11_use_localhost;
1165 		goto parse_flag;
1166 
1167 	case sXAuthLocation:
1168 		charptr = &options->xauth_location;
1169 		goto parse_filename;
1170 
1171 	case sStrictModes:
1172 		intptr = &options->strict_modes;
1173 		goto parse_flag;
1174 
1175 	case sTCPKeepAlive:
1176 		intptr = &options->tcp_keep_alive;
1177 		goto parse_flag;
1178 
1179 	case sEmptyPasswd:
1180 		intptr = &options->permit_empty_passwd;
1181 		goto parse_flag;
1182 
1183 	case sPermitUserEnvironment:
1184 		intptr = &options->permit_user_env;
1185 		goto parse_flag;
1186 
1187 	case sUseLogin:
1188 		intptr = &options->use_login;
1189 		goto parse_flag;
1190 
1191 	case sCompression:
1192 		intptr = &options->compression;
1193 		multistate_ptr = multistate_compression;
1194 		goto parse_multistate;
1195 
1196 	case sRekeyLimit:
1197 		arg = strdelim(&cp);
1198 		if (!arg || *arg == '\0')
1199 			fatal("%.200s line %d: Missing argument.", filename,
1200 			    linenum);
1201 		if (strcmp(arg, "default") == 0) {
1202 			val64 = 0;
1203 		} else {
1204 			if (scan_scaled(arg, &val64) == -1)
1205 				fatal("%.200s line %d: Bad number '%s': %s",
1206 				    filename, linenum, arg, strerror(errno));
1207 			/* check for too-large or too-small limits */
1208 			if (val64 > UINT_MAX)
1209 				fatal("%.200s line %d: RekeyLimit too large",
1210 				    filename, linenum);
1211 			if (val64 != 0 && val64 < 16)
1212 				fatal("%.200s line %d: RekeyLimit too small",
1213 				    filename, linenum);
1214 		}
1215 		if (*activep && options->rekey_limit == -1)
1216 			options->rekey_limit = (u_int32_t)val64;
1217 		if (cp != NULL) { /* optional rekey interval present */
1218 			if (strcmp(cp, "none") == 0) {
1219 				(void)strdelim(&cp);	/* discard */
1220 				break;
1221 			}
1222 			intptr = &options->rekey_interval;
1223 			goto parse_time;
1224 		}
1225 		break;
1226 
1227 	case sGatewayPorts:
1228 		intptr = &options->gateway_ports;
1229 		multistate_ptr = multistate_gatewayports;
1230 		goto parse_multistate;
1231 
1232 	case sUseDNS:
1233 		intptr = &options->use_dns;
1234 		goto parse_flag;
1235 
1236 	case sLogFacility:
1237 		log_facility_ptr = &options->log_facility;
1238 		arg = strdelim(&cp);
1239 		value = log_facility_number(arg);
1240 		if (value == SYSLOG_FACILITY_NOT_SET)
1241 			fatal("%.200s line %d: unsupported log facility '%s'",
1242 			    filename, linenum, arg ? arg : "<NONE>");
1243 		if (*log_facility_ptr == -1)
1244 			*log_facility_ptr = (SyslogFacility) value;
1245 		break;
1246 
1247 	case sLogLevel:
1248 		log_level_ptr = &options->log_level;
1249 		arg = strdelim(&cp);
1250 		value = log_level_number(arg);
1251 		if (value == SYSLOG_LEVEL_NOT_SET)
1252 			fatal("%.200s line %d: unsupported log level '%s'",
1253 			    filename, linenum, arg ? arg : "<NONE>");
1254 		if (*log_level_ptr == -1)
1255 			*log_level_ptr = (LogLevel) value;
1256 		break;
1257 
1258 	case sAllowTcpForwarding:
1259 		intptr = &options->allow_tcp_forwarding;
1260 		multistate_ptr = multistate_tcpfwd;
1261 		goto parse_multistate;
1262 
1263 	case sAllowAgentForwarding:
1264 		intptr = &options->allow_agent_forwarding;
1265 		goto parse_flag;
1266 
1267 	case sUsePrivilegeSeparation:
1268 		intptr = &use_privsep;
1269 		multistate_ptr = multistate_privsep;
1270 		goto parse_multistate;
1271 
1272 	case sAllowUsers:
1273 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1274 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1275 				fatal("%s line %d: too many allow users.",
1276 				    filename, linenum);
1277 			if (!*activep)
1278 				continue;
1279 			options->allow_users[options->num_allow_users++] =
1280 			    xstrdup(arg);
1281 		}
1282 		break;
1283 
1284 	case sDenyUsers:
1285 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1286 			if (options->num_deny_users >= MAX_DENY_USERS)
1287 				fatal("%s line %d: too many deny users.",
1288 				    filename, linenum);
1289 			if (!*activep)
1290 				continue;
1291 			options->deny_users[options->num_deny_users++] =
1292 			    xstrdup(arg);
1293 		}
1294 		break;
1295 
1296 	case sAllowGroups:
1297 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1298 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1299 				fatal("%s line %d: too many allow groups.",
1300 				    filename, linenum);
1301 			if (!*activep)
1302 				continue;
1303 			options->allow_groups[options->num_allow_groups++] =
1304 			    xstrdup(arg);
1305 		}
1306 		break;
1307 
1308 	case sDenyGroups:
1309 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1310 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1311 				fatal("%s line %d: too many deny groups.",
1312 				    filename, linenum);
1313 			if (!*activep)
1314 				continue;
1315 			options->deny_groups[options->num_deny_groups++] =
1316 			    xstrdup(arg);
1317 		}
1318 		break;
1319 
1320 	case sCiphers:
1321 		arg = strdelim(&cp);
1322 		if (!arg || *arg == '\0')
1323 			fatal("%s line %d: Missing argument.", filename, linenum);
1324 		if (!ciphers_valid(arg))
1325 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1326 			    filename, linenum, arg ? arg : "<NONE>");
1327 		if (options->ciphers == NULL)
1328 			options->ciphers = xstrdup(arg);
1329 		break;
1330 
1331 	case sMacs:
1332 		arg = strdelim(&cp);
1333 		if (!arg || *arg == '\0')
1334 			fatal("%s line %d: Missing argument.", filename, linenum);
1335 		if (!mac_valid(arg))
1336 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1337 			    filename, linenum, arg ? arg : "<NONE>");
1338 		if (options->macs == NULL)
1339 			options->macs = xstrdup(arg);
1340 		break;
1341 
1342 	case sKexAlgorithms:
1343 		arg = strdelim(&cp);
1344 		if (!arg || *arg == '\0')
1345 			fatal("%s line %d: Missing argument.",
1346 			    filename, linenum);
1347 		if (!kex_names_valid(arg))
1348 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1349 			    filename, linenum, arg ? arg : "<NONE>");
1350 		if (options->kex_algorithms == NULL)
1351 			options->kex_algorithms = xstrdup(arg);
1352 		break;
1353 
1354 	case sProtocol:
1355 		intptr = &options->protocol;
1356 		arg = strdelim(&cp);
1357 		if (!arg || *arg == '\0')
1358 			fatal("%s line %d: Missing argument.", filename, linenum);
1359 		value = proto_spec(arg);
1360 		if (value == SSH_PROTO_UNKNOWN)
1361 			fatal("%s line %d: Bad protocol spec '%s'.",
1362 			    filename, linenum, arg ? arg : "<NONE>");
1363 		if (*intptr == SSH_PROTO_UNKNOWN)
1364 			*intptr = value;
1365 		break;
1366 
1367 	case sSubsystem:
1368 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1369 			fatal("%s line %d: too many subsystems defined.",
1370 			    filename, linenum);
1371 		}
1372 		arg = strdelim(&cp);
1373 		if (!arg || *arg == '\0')
1374 			fatal("%s line %d: Missing subsystem name.",
1375 			    filename, linenum);
1376 		if (!*activep) {
1377 			arg = strdelim(&cp);
1378 			break;
1379 		}
1380 		for (i = 0; i < options->num_subsystems; i++)
1381 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1382 				fatal("%s line %d: Subsystem '%s' already defined.",
1383 				    filename, linenum, arg);
1384 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1385 		arg = strdelim(&cp);
1386 		if (!arg || *arg == '\0')
1387 			fatal("%s line %d: Missing subsystem command.",
1388 			    filename, linenum);
1389 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1390 
1391 		/* Collect arguments (separate to executable) */
1392 		p = xstrdup(arg);
1393 		len = strlen(p) + 1;
1394 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1395 			len += 1 + strlen(arg);
1396 			p = xrealloc(p, 1, len);
1397 			strlcat(p, " ", len);
1398 			strlcat(p, arg, len);
1399 		}
1400 		options->subsystem_args[options->num_subsystems] = p;
1401 		options->num_subsystems++;
1402 		break;
1403 
1404 	case sMaxStartups:
1405 		arg = strdelim(&cp);
1406 		if (!arg || *arg == '\0')
1407 			fatal("%s line %d: Missing MaxStartups spec.",
1408 			    filename, linenum);
1409 		if ((n = sscanf(arg, "%d:%d:%d",
1410 		    &options->max_startups_begin,
1411 		    &options->max_startups_rate,
1412 		    &options->max_startups)) == 3) {
1413 			if (options->max_startups_begin >
1414 			    options->max_startups ||
1415 			    options->max_startups_rate > 100 ||
1416 			    options->max_startups_rate < 1)
1417 				fatal("%s line %d: Illegal MaxStartups spec.",
1418 				    filename, linenum);
1419 		} else if (n != 1)
1420 			fatal("%s line %d: Illegal MaxStartups spec.",
1421 			    filename, linenum);
1422 		else
1423 			options->max_startups = options->max_startups_begin;
1424 		break;
1425 
1426 	case sMaxAuthTries:
1427 		intptr = &options->max_authtries;
1428 		goto parse_int;
1429 
1430 	case sMaxSessions:
1431 		intptr = &options->max_sessions;
1432 		goto parse_int;
1433 
1434 	case sBanner:
1435 		charptr = &options->banner;
1436 		goto parse_filename;
1437 
1438 	/*
1439 	 * These options can contain %X options expanded at
1440 	 * connect time, so that you can specify paths like:
1441 	 *
1442 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1443 	 */
1444 	case sAuthorizedKeysFile:
1445 		if (*activep && options->num_authkeys_files == 0) {
1446 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1447 				if (options->num_authkeys_files >=
1448 				    MAX_AUTHKEYS_FILES)
1449 					fatal("%s line %d: "
1450 					    "too many authorized keys files.",
1451 					    filename, linenum);
1452 				options->authorized_keys_files[
1453 				    options->num_authkeys_files++] =
1454 				    tilde_expand_filename(arg, getuid());
1455 			}
1456 		}
1457 		return 0;
1458 
1459 	case sAuthorizedPrincipalsFile:
1460 		charptr = &options->authorized_principals_file;
1461 		arg = strdelim(&cp);
1462 		if (!arg || *arg == '\0')
1463 			fatal("%s line %d: missing file name.",
1464 			    filename, linenum);
1465 		if (*activep && *charptr == NULL) {
1466 			*charptr = tilde_expand_filename(arg, getuid());
1467 			/* increase optional counter */
1468 			if (intptr != NULL)
1469 				*intptr = *intptr + 1;
1470 		}
1471 		break;
1472 
1473 	case sClientAliveInterval:
1474 		intptr = &options->client_alive_interval;
1475 		goto parse_time;
1476 
1477 	case sClientAliveCountMax:
1478 		intptr = &options->client_alive_count_max;
1479 		goto parse_int;
1480 
1481 	case sAcceptEnv:
1482 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1483 			if (strchr(arg, '=') != NULL)
1484 				fatal("%s line %d: Invalid environment name.",
1485 				    filename, linenum);
1486 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1487 				fatal("%s line %d: too many allow env.",
1488 				    filename, linenum);
1489 			if (!*activep)
1490 				continue;
1491 			options->accept_env[options->num_accept_env++] =
1492 			    xstrdup(arg);
1493 		}
1494 		break;
1495 
1496 	case sPermitTunnel:
1497 		intptr = &options->permit_tun;
1498 		arg = strdelim(&cp);
1499 		if (!arg || *arg == '\0')
1500 			fatal("%s line %d: Missing yes/point-to-point/"
1501 			    "ethernet/no argument.", filename, linenum);
1502 		value = -1;
1503 		for (i = 0; tunmode_desc[i].val != -1; i++)
1504 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1505 				value = tunmode_desc[i].val;
1506 				break;
1507 			}
1508 		if (value == -1)
1509 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1510 			    "no argument: %s", filename, linenum, arg);
1511 		if (*intptr == -1)
1512 			*intptr = value;
1513 		break;
1514 
1515 	case sMatch:
1516 		if (cmdline)
1517 			fatal("Match directive not supported as a command-line "
1518 			   "option");
1519 		value = match_cfg_line(&cp, linenum, connectinfo);
1520 		if (value < 0)
1521 			fatal("%s line %d: Bad Match condition", filename,
1522 			    linenum);
1523 		*activep = value;
1524 		break;
1525 
1526 	case sPermitOpen:
1527 		arg = strdelim(&cp);
1528 		if (!arg || *arg == '\0')
1529 			fatal("%s line %d: missing PermitOpen specification",
1530 			    filename, linenum);
1531 		n = options->num_permitted_opens;	/* modified later */
1532 		if (strcmp(arg, "any") == 0) {
1533 			if (*activep && n == -1) {
1534 				channel_clear_adm_permitted_opens();
1535 				options->num_permitted_opens = 0;
1536 			}
1537 			break;
1538 		}
1539 		if (strcmp(arg, "none") == 0) {
1540 			if (*activep && n == -1) {
1541 				options->num_permitted_opens = 1;
1542 				channel_disable_adm_local_opens();
1543 			}
1544 			break;
1545 		}
1546 		if (*activep && n == -1)
1547 			channel_clear_adm_permitted_opens();
1548 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1549 			p = hpdelim(&arg);
1550 			if (p == NULL)
1551 				fatal("%s line %d: missing host in PermitOpen",
1552 				    filename, linenum);
1553 			p = cleanhostname(p);
1554 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1555 				fatal("%s line %d: bad port number in "
1556 				    "PermitOpen", filename, linenum);
1557 			if (*activep && n == -1)
1558 				options->num_permitted_opens =
1559 				    channel_add_adm_permitted_opens(p, port);
1560 		}
1561 		break;
1562 
1563 	case sForceCommand:
1564 		if (cp == NULL)
1565 			fatal("%.200s line %d: Missing argument.", filename,
1566 			    linenum);
1567 		len = strspn(cp, WHITESPACE);
1568 		if (*activep && options->adm_forced_command == NULL)
1569 			options->adm_forced_command = xstrdup(cp + len);
1570 		return 0;
1571 
1572 	case sChrootDirectory:
1573 		charptr = &options->chroot_directory;
1574 
1575 		arg = strdelim(&cp);
1576 		if (!arg || *arg == '\0')
1577 			fatal("%s line %d: missing file name.",
1578 			    filename, linenum);
1579 		if (*activep && *charptr == NULL)
1580 			*charptr = xstrdup(arg);
1581 		break;
1582 
1583 	case sTrustedUserCAKeys:
1584 		charptr = &options->trusted_user_ca_keys;
1585 		goto parse_filename;
1586 
1587 	case sRevokedKeys:
1588 		charptr = &options->revoked_keys_file;
1589 		goto parse_filename;
1590 
1591 	case sIPQoS:
1592 		arg = strdelim(&cp);
1593 		if ((value = parse_ipqos(arg)) == -1)
1594 			fatal("%s line %d: Bad IPQoS value: %s",
1595 			    filename, linenum, arg);
1596 		arg = strdelim(&cp);
1597 		if (arg == NULL)
1598 			value2 = value;
1599 		else if ((value2 = parse_ipqos(arg)) == -1)
1600 			fatal("%s line %d: Bad IPQoS value: %s",
1601 			    filename, linenum, arg);
1602 		if (*activep) {
1603 			options->ip_qos_interactive = value;
1604 			options->ip_qos_bulk = value2;
1605 		}
1606 		break;
1607 
1608 	case sVersionAddendum:
1609 		if (cp == NULL)
1610 			fatal("%.200s line %d: Missing argument.", filename,
1611 			    linenum);
1612 		len = strspn(cp, WHITESPACE);
1613 		if (*activep && options->version_addendum == NULL) {
1614 			if (strcasecmp(cp + len, "none") == 0)
1615 				options->version_addendum = xstrdup("");
1616 			else if (strchr(cp + len, '\r') != NULL)
1617 				fatal("%.200s line %d: Invalid argument",
1618 				    filename, linenum);
1619 			else
1620 				options->version_addendum = xstrdup(cp + len);
1621 		}
1622 		return 0;
1623 
1624 	case sAuthorizedKeysCommand:
1625 		len = strspn(cp, WHITESPACE);
1626 		if (*activep && options->authorized_keys_command == NULL) {
1627 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1628 				fatal("%.200s line %d: AuthorizedKeysCommand "
1629 				    "must be an absolute path",
1630 				    filename, linenum);
1631 			options->authorized_keys_command = xstrdup(cp + len);
1632 		}
1633 		return 0;
1634 
1635 	case sAuthorizedKeysCommandUser:
1636 		charptr = &options->authorized_keys_command_user;
1637 
1638 		arg = strdelim(&cp);
1639 		if (*activep && *charptr == NULL)
1640 			*charptr = xstrdup(arg);
1641 		break;
1642 
1643 	case sAuthenticationMethods:
1644 		if (*activep && options->num_auth_methods == 0) {
1645 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1646 				if (options->num_auth_methods >=
1647 				    MAX_AUTH_METHODS)
1648 					fatal("%s line %d: "
1649 					    "too many authentication methods.",
1650 					    filename, linenum);
1651 				if (auth2_methods_valid(arg, 0) != 0)
1652 					fatal("%s line %d: invalid "
1653 					    "authentication method list.",
1654 					    filename, linenum);
1655 				options->auth_methods[
1656 				    options->num_auth_methods++] = xstrdup(arg);
1657 			}
1658 		}
1659 		return 0;
1660 
1661 	case sHPNDisabled:
1662 		intptr = &options->hpn_disabled;
1663 		goto parse_flag;
1664 
1665 	case sHPNBufferSize:
1666 		intptr = &options->hpn_buffer_size;
1667 		goto parse_int;
1668 
1669 	case sTcpRcvBufPoll:
1670 		intptr = &options->tcp_rcv_buf_poll;
1671 		goto parse_flag;
1672 
1673 #ifdef	NONE_CIPHER_ENABLED
1674 	case sNoneEnabled:
1675 		intptr = &options->none_enabled;
1676 		goto parse_flag;
1677 #endif
1678 
1679 	case sDeprecated:
1680 		logit("%s line %d: Deprecated option %s",
1681 		    filename, linenum, arg);
1682 		while (arg)
1683 		    arg = strdelim(&cp);
1684 		break;
1685 
1686 	case sUnsupported:
1687 		logit("%s line %d: Unsupported option %s",
1688 		    filename, linenum, arg);
1689 		while (arg)
1690 		    arg = strdelim(&cp);
1691 		break;
1692 
1693 	default:
1694 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1695 		    filename, linenum, arg, opcode);
1696 	}
1697 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1698 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1699 		    filename, linenum, arg);
1700 	return 0;
1701 }
1702 
1703 /* Reads the server configuration file. */
1704 
1705 void
1706 load_server_config(const char *filename, Buffer *conf)
1707 {
1708 	char line[4096], *cp;
1709 	FILE *f;
1710 	int lineno = 0;
1711 
1712 	debug2("%s: filename %s", __func__, filename);
1713 	if ((f = fopen(filename, "r")) == NULL) {
1714 		perror(filename);
1715 		exit(1);
1716 	}
1717 	buffer_clear(conf);
1718 	while (fgets(line, sizeof(line), f)) {
1719 		lineno++;
1720 		if (strlen(line) == sizeof(line) - 1)
1721 			fatal("%s line %d too long", filename, lineno);
1722 		/*
1723 		 * Trim out comments and strip whitespace
1724 		 * NB - preserve newlines, they are needed to reproduce
1725 		 * line numbers later for error messages
1726 		 */
1727 		if ((cp = strchr(line, '#')) != NULL)
1728 			memcpy(cp, "\n", 2);
1729 		cp = line + strspn(line, " \t\r");
1730 
1731 		buffer_append(conf, cp, strlen(cp));
1732 	}
1733 	buffer_append(conf, "\0", 1);
1734 	fclose(f);
1735 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1736 }
1737 
1738 void
1739 parse_server_match_config(ServerOptions *options,
1740    struct connection_info *connectinfo)
1741 {
1742 	ServerOptions mo;
1743 
1744 	initialize_server_options(&mo);
1745 	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1746 	copy_set_server_options(options, &mo, 0);
1747 }
1748 
1749 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1750 {
1751 	char *p;
1752 
1753 	while ((p = strsep(&spec, ",")) && *p != '\0') {
1754 		if (strncmp(p, "addr=", 5) == 0) {
1755 			ci->address = xstrdup(p + 5);
1756 		} else if (strncmp(p, "host=", 5) == 0) {
1757 			ci->host = xstrdup(p + 5);
1758 		} else if (strncmp(p, "user=", 5) == 0) {
1759 			ci->user = xstrdup(p + 5);
1760 		} else if (strncmp(p, "laddr=", 6) == 0) {
1761 			ci->laddress = xstrdup(p + 6);
1762 		} else if (strncmp(p, "lport=", 6) == 0) {
1763 			ci->lport = a2port(p + 6);
1764 			if (ci->lport == -1) {
1765 				fprintf(stderr, "Invalid port '%s' in test mode"
1766 				   " specification %s\n", p+6, p);
1767 				return -1;
1768 			}
1769 		} else {
1770 			fprintf(stderr, "Invalid test mode specification %s\n",
1771 			   p);
1772 			return -1;
1773 		}
1774 	}
1775 	return 0;
1776 }
1777 
1778 /*
1779  * returns 1 for a complete spec, 0 for partial spec and -1 for an
1780  * empty spec.
1781  */
1782 int server_match_spec_complete(struct connection_info *ci)
1783 {
1784 	if (ci->user && ci->host && ci->address)
1785 		return 1;	/* complete */
1786 	if (!ci->user && !ci->host && !ci->address)
1787 		return -1;	/* empty */
1788 	return 0;	/* partial */
1789 }
1790 
1791 /* Helper macros */
1792 #define M_CP_INTOPT(n) do {\
1793 	if (src->n != -1) \
1794 		dst->n = src->n; \
1795 } while (0)
1796 #define M_CP_STROPT(n) do {\
1797 	if (src->n != NULL) { \
1798 		free(dst->n); \
1799 		dst->n = src->n; \
1800 	} \
1801 } while(0)
1802 #define M_CP_STRARRAYOPT(n, num_n) do {\
1803 	if (src->num_n != 0) { \
1804 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1805 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1806 	} \
1807 } while(0)
1808 
1809 /*
1810  * Copy any supported values that are set.
1811  *
1812  * If the preauth flag is set, we do not bother copying the string or
1813  * array values that are not used pre-authentication, because any that we
1814  * do use must be explictly sent in mm_getpwnamallow().
1815  */
1816 void
1817 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1818 {
1819 	M_CP_INTOPT(password_authentication);
1820 	M_CP_INTOPT(gss_authentication);
1821 	M_CP_INTOPT(rsa_authentication);
1822 	M_CP_INTOPT(pubkey_authentication);
1823 	M_CP_INTOPT(kerberos_authentication);
1824 	M_CP_INTOPT(hostbased_authentication);
1825 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1826 	M_CP_INTOPT(kbd_interactive_authentication);
1827 	M_CP_INTOPT(zero_knowledge_password_authentication);
1828 	M_CP_STROPT(authorized_keys_command);
1829 	M_CP_STROPT(authorized_keys_command_user);
1830 	M_CP_INTOPT(permit_root_login);
1831 	M_CP_INTOPT(permit_empty_passwd);
1832 
1833 	M_CP_INTOPT(allow_tcp_forwarding);
1834 	M_CP_INTOPT(allow_agent_forwarding);
1835 	M_CP_INTOPT(permit_tun);
1836 	M_CP_INTOPT(gateway_ports);
1837 	M_CP_INTOPT(x11_display_offset);
1838 	M_CP_INTOPT(x11_forwarding);
1839 	M_CP_INTOPT(x11_use_localhost);
1840 	M_CP_INTOPT(max_sessions);
1841 	M_CP_INTOPT(max_authtries);
1842 	M_CP_INTOPT(ip_qos_interactive);
1843 	M_CP_INTOPT(ip_qos_bulk);
1844 	M_CP_INTOPT(rekey_limit);
1845 	M_CP_INTOPT(rekey_interval);
1846 
1847 	/* See comment in servconf.h */
1848 	COPY_MATCH_STRING_OPTS();
1849 
1850 	/*
1851 	 * The only things that should be below this point are string options
1852 	 * which are only used after authentication.
1853 	 */
1854 	if (preauth)
1855 		return;
1856 
1857 	M_CP_STROPT(adm_forced_command);
1858 	M_CP_STROPT(chroot_directory);
1859 }
1860 
1861 #undef M_CP_INTOPT
1862 #undef M_CP_STROPT
1863 #undef M_CP_STRARRAYOPT
1864 
1865 void
1866 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1867     struct connection_info *connectinfo)
1868 {
1869 	int active, linenum, bad_options = 0;
1870 	char *cp, *obuf, *cbuf;
1871 
1872 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1873 
1874 	obuf = cbuf = xstrdup(buffer_ptr(conf));
1875 	active = connectinfo ? 0 : 1;
1876 	linenum = 1;
1877 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
1878 		if (process_server_config_line(options, cp, filename,
1879 		    linenum++, &active, connectinfo) != 0)
1880 			bad_options++;
1881 	}
1882 	free(obuf);
1883 	if (bad_options > 0)
1884 		fatal("%s: terminating, %d bad configuration options",
1885 		    filename, bad_options);
1886 }
1887 
1888 static const char *
1889 fmt_multistate_int(int val, const struct multistate *m)
1890 {
1891 	u_int i;
1892 
1893 	for (i = 0; m[i].key != NULL; i++) {
1894 		if (m[i].value == val)
1895 			return m[i].key;
1896 	}
1897 	return "UNKNOWN";
1898 }
1899 
1900 static const char *
1901 fmt_intarg(ServerOpCodes code, int val)
1902 {
1903 	if (val == -1)
1904 		return "unset";
1905 	switch (code) {
1906 	case sAddressFamily:
1907 		return fmt_multistate_int(val, multistate_addressfamily);
1908 	case sPermitRootLogin:
1909 		return fmt_multistate_int(val, multistate_permitrootlogin);
1910 	case sGatewayPorts:
1911 		return fmt_multistate_int(val, multistate_gatewayports);
1912 	case sCompression:
1913 		return fmt_multistate_int(val, multistate_compression);
1914 	case sUsePrivilegeSeparation:
1915 		return fmt_multistate_int(val, multistate_privsep);
1916 	case sAllowTcpForwarding:
1917 		return fmt_multistate_int(val, multistate_tcpfwd);
1918 	case sProtocol:
1919 		switch (val) {
1920 		case SSH_PROTO_1:
1921 			return "1";
1922 		case SSH_PROTO_2:
1923 			return "2";
1924 		case (SSH_PROTO_1|SSH_PROTO_2):
1925 			return "2,1";
1926 		default:
1927 			return "UNKNOWN";
1928 		}
1929 	default:
1930 		switch (val) {
1931 		case 0:
1932 			return "no";
1933 		case 1:
1934 			return "yes";
1935 		default:
1936 			return "UNKNOWN";
1937 		}
1938 	}
1939 }
1940 
1941 static const char *
1942 lookup_opcode_name(ServerOpCodes code)
1943 {
1944 	u_int i;
1945 
1946 	for (i = 0; keywords[i].name != NULL; i++)
1947 		if (keywords[i].opcode == code)
1948 			return(keywords[i].name);
1949 	return "UNKNOWN";
1950 }
1951 
1952 static void
1953 dump_cfg_int(ServerOpCodes code, int val)
1954 {
1955 	printf("%s %d\n", lookup_opcode_name(code), val);
1956 }
1957 
1958 static void
1959 dump_cfg_fmtint(ServerOpCodes code, int val)
1960 {
1961 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1962 }
1963 
1964 static void
1965 dump_cfg_string(ServerOpCodes code, const char *val)
1966 {
1967 	if (val == NULL)
1968 		return;
1969 	printf("%s %s\n", lookup_opcode_name(code), val);
1970 }
1971 
1972 static void
1973 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1974 {
1975 	u_int i;
1976 
1977 	for (i = 0; i < count; i++)
1978 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1979 }
1980 
1981 static void
1982 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1983 {
1984 	u_int i;
1985 
1986 	printf("%s", lookup_opcode_name(code));
1987 	for (i = 0; i < count; i++)
1988 		printf(" %s",  vals[i]);
1989 	printf("\n");
1990 }
1991 
1992 void
1993 dump_config(ServerOptions *o)
1994 {
1995 	u_int i;
1996 	int ret;
1997 	struct addrinfo *ai;
1998 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1999 
2000 	/* these are usually at the top of the config */
2001 	for (i = 0; i < o->num_ports; i++)
2002 		printf("port %d\n", o->ports[i]);
2003 	dump_cfg_fmtint(sProtocol, o->protocol);
2004 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2005 
2006 	/* ListenAddress must be after Port */
2007 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2008 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2009 		    sizeof(addr), port, sizeof(port),
2010 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2011 			error("getnameinfo failed: %.100s",
2012 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2013 			    strerror(errno));
2014 		} else {
2015 			if (ai->ai_family == AF_INET6)
2016 				printf("listenaddress [%s]:%s\n", addr, port);
2017 			else
2018 				printf("listenaddress %s:%s\n", addr, port);
2019 		}
2020 	}
2021 
2022 	/* integer arguments */
2023 #ifdef USE_PAM
2024 	dump_cfg_int(sUsePAM, o->use_pam);
2025 #endif
2026 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
2027 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2028 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2029 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2030 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2031 	dump_cfg_int(sMaxSessions, o->max_sessions);
2032 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2033 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2034 
2035 	/* formatted integer arguments */
2036 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2037 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2038 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2039 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2040 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2041 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2042 	    o->hostbased_uses_name_from_packet_only);
2043 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2044 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2045 #ifdef KRB5
2046 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2047 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2048 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2049 # ifdef USE_AFS
2050 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2051 # endif
2052 #endif
2053 #ifdef GSSAPI
2054 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2055 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2056 #endif
2057 #ifdef JPAKE
2058 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2059 	    o->zero_knowledge_password_authentication);
2060 #endif
2061 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2062 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2063 	    o->kbd_interactive_authentication);
2064 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2065 	    o->challenge_response_authentication);
2066 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2067 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2068 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2069 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2070 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2071 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2072 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2073 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2074 	dump_cfg_fmtint(sUseLogin, o->use_login);
2075 	dump_cfg_fmtint(sCompression, o->compression);
2076 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
2077 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2078 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2079 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2080 
2081 	/* string arguments */
2082 	dump_cfg_string(sPidFile, o->pid_file);
2083 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2084 	dump_cfg_string(sCiphers, o->ciphers);
2085 	dump_cfg_string(sMacs, o->macs);
2086 	dump_cfg_string(sBanner, o->banner);
2087 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2088 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2089 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2090 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2091 	dump_cfg_string(sAuthorizedPrincipalsFile,
2092 	    o->authorized_principals_file);
2093 	dump_cfg_string(sVersionAddendum, o->version_addendum);
2094 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2095 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2096 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2097 
2098 	/* string arguments requiring a lookup */
2099 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2100 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2101 
2102 	/* string array arguments */
2103 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2104 	    o->authorized_keys_files);
2105 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2106 	     o->host_key_files);
2107 	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2108 	     o->host_cert_files);
2109 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2110 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2111 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2112 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2113 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2114 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2115 	    o->num_auth_methods, o->auth_methods);
2116 
2117 	/* other arguments */
2118 	for (i = 0; i < o->num_subsystems; i++)
2119 		printf("subsystem %s %s\n", o->subsystem_name[i],
2120 		    o->subsystem_args[i]);
2121 
2122 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2123 	    o->max_startups_rate, o->max_startups);
2124 
2125 	for (i = 0; tunmode_desc[i].val != -1; i++)
2126 		if (tunmode_desc[i].val == o->permit_tun) {
2127 			s = tunmode_desc[i].text;
2128 			break;
2129 		}
2130 	dump_cfg_string(sPermitTunnel, s);
2131 
2132 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2133 	printf("%s\n", iptos2str(o->ip_qos_bulk));
2134 
2135 	printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2136 	    o->rekey_interval);
2137 
2138 	channel_print_adm_permitted_opens();
2139 }
2140