xref: /freebsd/crypto/openssh/servconf.c (revision a5921bc3653e2e286715e6fe8d473ec0d02da38c)
1 
2 /* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 __RCSID("$FreeBSD$");
16 
17 #include <sys/types.h>
18 #include <sys/socket.h>
19 
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
23 
24 #include <ctype.h>
25 #include <netdb.h>
26 #include <pwd.h>
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <signal.h>
31 #include <unistd.h>
32 #include <limits.h>
33 #include <stdarg.h>
34 #include <errno.h>
35 #ifdef HAVE_UTIL_H
36 #include <util.h>
37 #endif
38 
39 #include "openbsd-compat/sys-queue.h"
40 #include "xmalloc.h"
41 #include "ssh.h"
42 #include "log.h"
43 #include "buffer.h"
44 #include "misc.h"
45 #include "servconf.h"
46 #include "compat.h"
47 #include "pathnames.h"
48 #include "cipher.h"
49 #include "key.h"
50 #include "kex.h"
51 #include "mac.h"
52 #include "match.h"
53 #include "channels.h"
54 #include "groupaccess.h"
55 #include "canohost.h"
56 #include "packet.h"
57 #include "hostfile.h"
58 #include "auth.h"
59 #include "myproposal.h"
60 #include "digest.h"
61 #include "version.h"
62 
63 static void add_listen_addr(ServerOptions *, char *, int);
64 static void add_one_listen_addr(ServerOptions *, char *, int);
65 
66 /* Use of privilege separation or not */
67 extern int use_privsep;
68 extern Buffer cfg;
69 
70 /* Initializes the server options to their default values. */
71 
72 void
73 initialize_server_options(ServerOptions *options)
74 {
75 	memset(options, 0, sizeof(*options));
76 
77 	/* Portable-specific options */
78 	options->use_pam = -1;
79 
80 	/* Standard Options */
81 	options->num_ports = 0;
82 	options->ports_from_cmdline = 0;
83 	options->queued_listen_addrs = NULL;
84 	options->num_queued_listens = 0;
85 	options->listen_addrs = NULL;
86 	options->address_family = -1;
87 	options->num_host_key_files = 0;
88 	options->num_host_cert_files = 0;
89 	options->host_key_agent = NULL;
90 	options->pid_file = NULL;
91 	options->server_key_bits = -1;
92 	options->login_grace_time = -1;
93 	options->key_regeneration_time = -1;
94 	options->permit_root_login = PERMIT_NOT_SET;
95 	options->ignore_rhosts = -1;
96 	options->ignore_user_known_hosts = -1;
97 	options->print_motd = -1;
98 	options->print_lastlog = -1;
99 	options->x11_forwarding = -1;
100 	options->x11_display_offset = -1;
101 	options->x11_use_localhost = -1;
102 	options->permit_tty = -1;
103 	options->permit_user_rc = -1;
104 	options->xauth_location = NULL;
105 	options->strict_modes = -1;
106 	options->tcp_keep_alive = -1;
107 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
108 	options->log_level = SYSLOG_LEVEL_NOT_SET;
109 	options->rhosts_rsa_authentication = -1;
110 	options->hostbased_authentication = -1;
111 	options->hostbased_uses_name_from_packet_only = -1;
112 	options->hostbased_key_types = NULL;
113 	options->hostkeyalgorithms = NULL;
114 	options->rsa_authentication = -1;
115 	options->pubkey_authentication = -1;
116 	options->pubkey_key_types = NULL;
117 	options->kerberos_authentication = -1;
118 	options->kerberos_or_local_passwd = -1;
119 	options->kerberos_ticket_cleanup = -1;
120 	options->kerberos_get_afs_token = -1;
121 	options->gss_authentication=-1;
122 	options->gss_cleanup_creds = -1;
123 	options->gss_strict_acceptor = -1;
124 	options->password_authentication = -1;
125 	options->kbd_interactive_authentication = -1;
126 	options->challenge_response_authentication = -1;
127 	options->permit_empty_passwd = -1;
128 	options->permit_user_env = -1;
129 	options->use_login = -1;
130 	options->compression = -1;
131 	options->rekey_limit = -1;
132 	options->rekey_interval = -1;
133 	options->allow_tcp_forwarding = -1;
134 	options->allow_streamlocal_forwarding = -1;
135 	options->allow_agent_forwarding = -1;
136 	options->num_allow_users = 0;
137 	options->num_deny_users = 0;
138 	options->num_allow_groups = 0;
139 	options->num_deny_groups = 0;
140 	options->ciphers = NULL;
141 	options->macs = NULL;
142 	options->kex_algorithms = NULL;
143 	options->protocol = SSH_PROTO_UNKNOWN;
144 	options->fwd_opts.gateway_ports = -1;
145 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
146 	options->fwd_opts.streamlocal_bind_unlink = -1;
147 	options->num_subsystems = 0;
148 	options->max_startups_begin = -1;
149 	options->max_startups_rate = -1;
150 	options->max_startups = -1;
151 	options->max_authtries = -1;
152 	options->max_sessions = -1;
153 	options->banner = NULL;
154 	options->use_dns = -1;
155 	options->client_alive_interval = -1;
156 	options->client_alive_count_max = -1;
157 	options->num_authkeys_files = 0;
158 	options->num_accept_env = 0;
159 	options->permit_tun = -1;
160 	options->num_permitted_opens = -1;
161 	options->adm_forced_command = NULL;
162 	options->chroot_directory = NULL;
163 	options->authorized_keys_command = NULL;
164 	options->authorized_keys_command_user = NULL;
165 	options->revoked_keys_file = NULL;
166 	options->trusted_user_ca_keys = NULL;
167 	options->authorized_principals_file = NULL;
168 	options->authorized_principals_command = NULL;
169 	options->authorized_principals_command_user = NULL;
170 	options->ip_qos_interactive = -1;
171 	options->ip_qos_bulk = -1;
172 	options->version_addendum = NULL;
173 	options->fingerprint_hash = -1;
174 }
175 
176 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
177 static int
178 option_clear_or_none(const char *o)
179 {
180 	return o == NULL || strcasecmp(o, "none") == 0;
181 }
182 
183 static void
184 assemble_algorithms(ServerOptions *o)
185 {
186 	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
187 	    kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
188 	    kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
189 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
190 	    &o->hostkeyalgorithms) != 0 ||
191 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
192 	    &o->hostbased_key_types) != 0 ||
193 	    kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
194 		fatal("kex_assemble_names failed");
195 }
196 
197 void
198 fill_default_server_options(ServerOptions *options)
199 {
200 	int i;
201 
202 	/* Portable-specific options */
203 	if (options->use_pam == -1)
204 		options->use_pam = 1;
205 
206 	/* Standard Options */
207 	if (options->protocol == SSH_PROTO_UNKNOWN)
208 		options->protocol = SSH_PROTO_2;
209 	if (options->protocol & SSH_PROTO_1)
210 		error("WARNING: SSH protocol version 1 enabled");
211 	if (options->num_host_key_files == 0) {
212 		/* fill default hostkeys for protocols */
213 		if (options->protocol & SSH_PROTO_1)
214 			options->host_key_files[options->num_host_key_files++] =
215 			    _PATH_HOST_KEY_FILE;
216 		if (options->protocol & SSH_PROTO_2) {
217 			options->host_key_files[options->num_host_key_files++] =
218 			    _PATH_HOST_RSA_KEY_FILE;
219 			options->host_key_files[options->num_host_key_files++] =
220 			    _PATH_HOST_DSA_KEY_FILE;
221 #ifdef OPENSSL_HAS_ECC
222 			options->host_key_files[options->num_host_key_files++] =
223 			    _PATH_HOST_ECDSA_KEY_FILE;
224 #endif
225 			options->host_key_files[options->num_host_key_files++] =
226 			    _PATH_HOST_ED25519_KEY_FILE;
227 		}
228 	}
229 	/* No certificates by default */
230 	if (options->num_ports == 0)
231 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
232 	if (options->address_family == -1)
233 		options->address_family = AF_UNSPEC;
234 	if (options->listen_addrs == NULL)
235 		add_listen_addr(options, NULL, 0);
236 	if (options->pid_file == NULL)
237 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
238 	if (options->server_key_bits == -1)
239 		options->server_key_bits = 1024;
240 	if (options->login_grace_time == -1)
241 		options->login_grace_time = 120;
242 	if (options->key_regeneration_time == -1)
243 		options->key_regeneration_time = 3600;
244 	if (options->permit_root_login == PERMIT_NOT_SET)
245 		options->permit_root_login = PERMIT_NO;
246 	if (options->ignore_rhosts == -1)
247 		options->ignore_rhosts = 1;
248 	if (options->ignore_user_known_hosts == -1)
249 		options->ignore_user_known_hosts = 0;
250 	if (options->print_motd == -1)
251 		options->print_motd = 1;
252 	if (options->print_lastlog == -1)
253 		options->print_lastlog = 1;
254 	if (options->x11_forwarding == -1)
255 		options->x11_forwarding = 1;
256 	if (options->x11_display_offset == -1)
257 		options->x11_display_offset = 10;
258 	if (options->x11_use_localhost == -1)
259 		options->x11_use_localhost = 1;
260 	if (options->xauth_location == NULL)
261 		options->xauth_location = xstrdup(_PATH_XAUTH);
262 	if (options->permit_tty == -1)
263 		options->permit_tty = 1;
264 	if (options->permit_user_rc == -1)
265 		options->permit_user_rc = 1;
266 	if (options->strict_modes == -1)
267 		options->strict_modes = 1;
268 	if (options->tcp_keep_alive == -1)
269 		options->tcp_keep_alive = 1;
270 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
271 		options->log_facility = SYSLOG_FACILITY_AUTH;
272 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
273 		options->log_level = SYSLOG_LEVEL_INFO;
274 	if (options->rhosts_rsa_authentication == -1)
275 		options->rhosts_rsa_authentication = 0;
276 	if (options->hostbased_authentication == -1)
277 		options->hostbased_authentication = 0;
278 	if (options->hostbased_uses_name_from_packet_only == -1)
279 		options->hostbased_uses_name_from_packet_only = 0;
280 	if (options->rsa_authentication == -1)
281 		options->rsa_authentication = 1;
282 	if (options->pubkey_authentication == -1)
283 		options->pubkey_authentication = 1;
284 	if (options->kerberos_authentication == -1)
285 		options->kerberos_authentication = 0;
286 	if (options->kerberos_or_local_passwd == -1)
287 		options->kerberos_or_local_passwd = 1;
288 	if (options->kerberos_ticket_cleanup == -1)
289 		options->kerberos_ticket_cleanup = 1;
290 	if (options->kerberos_get_afs_token == -1)
291 		options->kerberos_get_afs_token = 0;
292 	if (options->gss_authentication == -1)
293 		options->gss_authentication = 0;
294 	if (options->gss_cleanup_creds == -1)
295 		options->gss_cleanup_creds = 1;
296 	if (options->gss_strict_acceptor == -1)
297 		options->gss_strict_acceptor = 0;
298 	if (options->password_authentication == -1)
299 		options->password_authentication = 0;
300 	if (options->kbd_interactive_authentication == -1)
301 		options->kbd_interactive_authentication = 0;
302 	if (options->challenge_response_authentication == -1)
303 		options->challenge_response_authentication = 1;
304 	if (options->permit_empty_passwd == -1)
305 		options->permit_empty_passwd = 0;
306 	if (options->permit_user_env == -1)
307 		options->permit_user_env = 0;
308 	if (options->use_login == -1)
309 		options->use_login = 0;
310 	if (options->compression == -1)
311 		options->compression = COMP_DELAYED;
312 	if (options->rekey_limit == -1)
313 		options->rekey_limit = 0;
314 	if (options->rekey_interval == -1)
315 		options->rekey_interval = 0;
316 	if (options->allow_tcp_forwarding == -1)
317 		options->allow_tcp_forwarding = FORWARD_ALLOW;
318 	if (options->allow_streamlocal_forwarding == -1)
319 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
320 	if (options->allow_agent_forwarding == -1)
321 		options->allow_agent_forwarding = 1;
322 	if (options->fwd_opts.gateway_ports == -1)
323 		options->fwd_opts.gateway_ports = 0;
324 	if (options->max_startups == -1)
325 		options->max_startups = 100;
326 	if (options->max_startups_rate == -1)
327 		options->max_startups_rate = 30;		/* 30% */
328 	if (options->max_startups_begin == -1)
329 		options->max_startups_begin = 10;
330 	if (options->max_authtries == -1)
331 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
332 	if (options->max_sessions == -1)
333 		options->max_sessions = DEFAULT_SESSIONS_MAX;
334 	if (options->use_dns == -1)
335 		options->use_dns = 1;
336 	if (options->client_alive_interval == -1)
337 		options->client_alive_interval = 0;
338 	if (options->client_alive_count_max == -1)
339 		options->client_alive_count_max = 3;
340 	if (options->num_authkeys_files == 0) {
341 		options->authorized_keys_files[options->num_authkeys_files++] =
342 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
343 		options->authorized_keys_files[options->num_authkeys_files++] =
344 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
345 	}
346 	if (options->permit_tun == -1)
347 		options->permit_tun = SSH_TUNMODE_NO;
348 	if (options->ip_qos_interactive == -1)
349 		options->ip_qos_interactive = IPTOS_LOWDELAY;
350 	if (options->ip_qos_bulk == -1)
351 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
352 	if (options->version_addendum == NULL)
353 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
354 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
355 		options->fwd_opts.streamlocal_bind_mask = 0177;
356 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
357 		options->fwd_opts.streamlocal_bind_unlink = 0;
358 	if (options->fingerprint_hash == -1)
359 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
360 
361 	assemble_algorithms(options);
362 
363 	/* Turn privilege separation and sandboxing on by default */
364 	if (use_privsep == -1)
365 		use_privsep = PRIVSEP_ON;
366 
367 #define CLEAR_ON_NONE(v) \
368 	do { \
369 		if (option_clear_or_none(v)) { \
370 			free(v); \
371 			v = NULL; \
372 		} \
373 	} while(0)
374 	CLEAR_ON_NONE(options->pid_file);
375 	CLEAR_ON_NONE(options->xauth_location);
376 	CLEAR_ON_NONE(options->banner);
377 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
378 	CLEAR_ON_NONE(options->revoked_keys_file);
379 	CLEAR_ON_NONE(options->authorized_principals_file);
380 	CLEAR_ON_NONE(options->adm_forced_command);
381 	CLEAR_ON_NONE(options->chroot_directory);
382 	for (i = 0; i < options->num_host_key_files; i++)
383 		CLEAR_ON_NONE(options->host_key_files[i]);
384 	for (i = 0; i < options->num_host_cert_files; i++)
385 		CLEAR_ON_NONE(options->host_cert_files[i]);
386 #undef CLEAR_ON_NONE
387 
388 #ifndef HAVE_MMAP
389 	if (use_privsep && options->compression == 1) {
390 		error("This platform does not support both privilege "
391 		    "separation and compression");
392 		error("Compression disabled");
393 		options->compression = 0;
394 	}
395 #endif
396 
397 }
398 
399 /* Keyword tokens. */
400 typedef enum {
401 	sBadOption,		/* == unknown option */
402 	/* Portable-specific options */
403 	sUsePAM,
404 	/* Standard Options */
405 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
406 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
407 	sRhostsRSAAuthentication, sRSAAuthentication,
408 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
409 	sKerberosGetAFSToken,
410 	sKerberosTgtPassing, sChallengeResponseAuthentication,
411 	sPasswordAuthentication, sKbdInteractiveAuthentication,
412 	sListenAddress, sAddressFamily,
413 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
414 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
415 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
416 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
417 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
418 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
419 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
420 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
421 	sBanner, sUseDNS, sHostbasedAuthentication,
422 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
423 	sHostKeyAlgorithms,
424 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
425 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
426 	sAcceptEnv, sPermitTunnel,
427 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
428 	sUsePrivilegeSeparation, sAllowAgentForwarding,
429 	sHostCertificate,
430 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
431 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
432 	sKexAlgorithms, sIPQoS, sVersionAddendum,
433 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
434 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
435 	sStreamLocalBindMask, sStreamLocalBindUnlink,
436 	sAllowStreamLocalForwarding, sFingerprintHash,
437 	sDeprecated, sUnsupported
438 } ServerOpCodes;
439 
440 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
441 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
442 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
443 
444 /* Textual representation of the tokens. */
445 static struct {
446 	const char *name;
447 	ServerOpCodes opcode;
448 	u_int flags;
449 } keywords[] = {
450 	/* Portable-specific options */
451 #ifdef USE_PAM
452 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
453 #else
454 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
455 #endif
456 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
457 	/* Standard Options */
458 	{ "port", sPort, SSHCFG_GLOBAL },
459 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
460 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
461 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
462 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
463 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
464 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
465 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
466 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
467 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
468 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
469 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
470 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
471 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
472 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
473 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
474 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
475 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
476 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
477 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
478 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
479 #ifdef KRB5
480 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
481 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
482 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
483 #ifdef USE_AFS
484 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
485 #else
486 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
487 #endif
488 #else
489 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
490 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
491 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
492 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
493 #endif
494 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
495 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
496 #ifdef GSSAPI
497 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
498 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
499 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
500 #else
501 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
502 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
503 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
504 #endif
505 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
506 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
507 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
508 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
509 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
510 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
511 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
512 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
513 #ifdef DISABLE_LASTLOG
514 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
515 #else
516 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
517 #endif
518 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
519 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
520 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
521 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
522 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
523 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
524 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
525 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
526 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
527 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
528 	{ "compression", sCompression, SSHCFG_GLOBAL },
529 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
530 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
531 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
532 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
533 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
534 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
535 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
536 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
537 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
538 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
539 	{ "macs", sMacs, SSHCFG_GLOBAL },
540 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
541 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
542 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
543 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
544 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
545 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
546 	{ "banner", sBanner, SSHCFG_ALL },
547 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
548 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
549 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
550 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
551 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
552 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
553 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
554 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
555 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
556 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
557 	{ "permittty", sPermitTTY, SSHCFG_ALL },
558 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
559 	{ "match", sMatch, SSHCFG_ALL },
560 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
561 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
562 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
563 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
564 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
565 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
566 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
567 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
568 	{ "ipqos", sIPQoS, SSHCFG_ALL },
569 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
570 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
571 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
572 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
573 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
574 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
575 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
576 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
577 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
578 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
579 	{ "noneenabled", sUnsupported, SSHCFG_ALL },
580 	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
581 	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
582 	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
583 	{ NULL, sBadOption, 0 }
584 };
585 
586 static struct {
587 	int val;
588 	char *text;
589 } tunmode_desc[] = {
590 	{ SSH_TUNMODE_NO, "no" },
591 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
592 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
593 	{ SSH_TUNMODE_YES, "yes" },
594 	{ -1, NULL }
595 };
596 
597 /*
598  * Returns the number of the token pointed to by cp or sBadOption.
599  */
600 
601 static ServerOpCodes
602 parse_token(const char *cp, const char *filename,
603 	    int linenum, u_int *flags)
604 {
605 	u_int i;
606 
607 	for (i = 0; keywords[i].name; i++)
608 		if (strcasecmp(cp, keywords[i].name) == 0) {
609 			*flags = keywords[i].flags;
610 			return keywords[i].opcode;
611 		}
612 
613 	error("%s: line %d: Bad configuration option: %s",
614 	    filename, linenum, cp);
615 	return sBadOption;
616 }
617 
618 char *
619 derelativise_path(const char *path)
620 {
621 	char *expanded, *ret, cwd[PATH_MAX];
622 
623 	if (strcasecmp(path, "none") == 0)
624 		return xstrdup("none");
625 	expanded = tilde_expand_filename(path, getuid());
626 	if (*expanded == '/')
627 		return expanded;
628 	if (getcwd(cwd, sizeof(cwd)) == NULL)
629 		fatal("%s: getcwd: %s", __func__, strerror(errno));
630 	xasprintf(&ret, "%s/%s", cwd, expanded);
631 	free(expanded);
632 	return ret;
633 }
634 
635 static void
636 add_listen_addr(ServerOptions *options, char *addr, int port)
637 {
638 	u_int i;
639 
640 	if (port == 0)
641 		for (i = 0; i < options->num_ports; i++)
642 			add_one_listen_addr(options, addr, options->ports[i]);
643 	else
644 		add_one_listen_addr(options, addr, port);
645 }
646 
647 static void
648 add_one_listen_addr(ServerOptions *options, char *addr, int port)
649 {
650 	struct addrinfo hints, *ai, *aitop;
651 	char strport[NI_MAXSERV];
652 	int gaierr;
653 
654 	memset(&hints, 0, sizeof(hints));
655 	hints.ai_family = options->address_family;
656 	hints.ai_socktype = SOCK_STREAM;
657 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
658 	snprintf(strport, sizeof strport, "%d", port);
659 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
660 		fatal("bad addr or host: %s (%s)",
661 		    addr ? addr : "<NULL>",
662 		    ssh_gai_strerror(gaierr));
663 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
664 		;
665 	ai->ai_next = options->listen_addrs;
666 	options->listen_addrs = aitop;
667 }
668 
669 /*
670  * Queue a ListenAddress to be processed once we have all of the Ports
671  * and AddressFamily options.
672  */
673 static void
674 queue_listen_addr(ServerOptions *options, char *addr, int port)
675 {
676 	options->queued_listen_addrs = xreallocarray(
677 	    options->queued_listen_addrs, options->num_queued_listens + 1,
678 	    sizeof(addr));
679 	options->queued_listen_ports = xreallocarray(
680 	    options->queued_listen_ports, options->num_queued_listens + 1,
681 	    sizeof(port));
682 	options->queued_listen_addrs[options->num_queued_listens] =
683 	    xstrdup(addr);
684 	options->queued_listen_ports[options->num_queued_listens] = port;
685 	options->num_queued_listens++;
686 }
687 
688 /*
689  * Process queued (text) ListenAddress entries.
690  */
691 static void
692 process_queued_listen_addrs(ServerOptions *options)
693 {
694 	u_int i;
695 
696 	if (options->num_ports == 0)
697 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
698 	if (options->address_family == -1)
699 		options->address_family = AF_UNSPEC;
700 
701 	for (i = 0; i < options->num_queued_listens; i++) {
702 		add_listen_addr(options, options->queued_listen_addrs[i],
703 		    options->queued_listen_ports[i]);
704 		free(options->queued_listen_addrs[i]);
705 		options->queued_listen_addrs[i] = NULL;
706 	}
707 	free(options->queued_listen_addrs);
708 	options->queued_listen_addrs = NULL;
709 	free(options->queued_listen_ports);
710 	options->queued_listen_ports = NULL;
711 	options->num_queued_listens = 0;
712 }
713 
714 struct connection_info *
715 get_connection_info(int populate, int use_dns)
716 {
717 	static struct connection_info ci;
718 
719 	if (!populate)
720 		return &ci;
721 	ci.host = get_canonical_hostname(use_dns);
722 	ci.address = get_remote_ipaddr();
723 	ci.laddress = get_local_ipaddr(packet_get_connection_in());
724 	ci.lport = get_local_port();
725 	return &ci;
726 }
727 
728 /*
729  * The strategy for the Match blocks is that the config file is parsed twice.
730  *
731  * The first time is at startup.  activep is initialized to 1 and the
732  * directives in the global context are processed and acted on.  Hitting a
733  * Match directive unsets activep and the directives inside the block are
734  * checked for syntax only.
735  *
736  * The second time is after a connection has been established but before
737  * authentication.  activep is initialized to 2 and global config directives
738  * are ignored since they have already been processed.  If the criteria in a
739  * Match block is met, activep is set and the subsequent directives
740  * processed and actioned until EOF or another Match block unsets it.  Any
741  * options set are copied into the main server config.
742  *
743  * Potential additions/improvements:
744  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
745  *
746  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
747  *	Match Address 192.168.0.*
748  *		Tag trusted
749  *	Match Group wheel
750  *		Tag trusted
751  *	Match Tag trusted
752  *		AllowTcpForwarding yes
753  *		GatewayPorts clientspecified
754  *		[...]
755  *
756  *  - Add a PermittedChannelRequests directive
757  *	Match Group shell
758  *		PermittedChannelRequests session,forwarded-tcpip
759  */
760 
761 static int
762 match_cfg_line_group(const char *grps, int line, const char *user)
763 {
764 	int result = 0;
765 	struct passwd *pw;
766 
767 	if (user == NULL)
768 		goto out;
769 
770 	if ((pw = getpwnam(user)) == NULL) {
771 		debug("Can't match group at line %d because user %.100s does "
772 		    "not exist", line, user);
773 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
774 		debug("Can't Match group because user %.100s not in any group "
775 		    "at line %d", user, line);
776 	} else if (ga_match_pattern_list(grps) != 1) {
777 		debug("user %.100s does not match group list %.100s at line %d",
778 		    user, grps, line);
779 	} else {
780 		debug("user %.100s matched group list %.100s at line %d", user,
781 		    grps, line);
782 		result = 1;
783 	}
784 out:
785 	ga_free();
786 	return result;
787 }
788 
789 /*
790  * All of the attributes on a single Match line are ANDed together, so we need
791  * to check every attribute and set the result to zero if any attribute does
792  * not match.
793  */
794 static int
795 match_cfg_line(char **condition, int line, struct connection_info *ci)
796 {
797 	int result = 1, attributes = 0, port;
798 	char *arg, *attrib, *cp = *condition;
799 
800 	if (ci == NULL)
801 		debug3("checking syntax for 'Match %s'", cp);
802 	else
803 		debug3("checking match for '%s' user %s host %s addr %s "
804 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
805 		    ci->host ? ci->host : "(null)",
806 		    ci->address ? ci->address : "(null)",
807 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
808 
809 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
810 		attributes++;
811 		if (strcasecmp(attrib, "all") == 0) {
812 			if (attributes != 1 ||
813 			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
814 				error("'all' cannot be combined with other "
815 				    "Match attributes");
816 				return -1;
817 			}
818 			*condition = cp;
819 			return 1;
820 		}
821 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
822 			error("Missing Match criteria for %s", attrib);
823 			return -1;
824 		}
825 		if (strcasecmp(attrib, "user") == 0) {
826 			if (ci == NULL || ci->user == NULL) {
827 				result = 0;
828 				continue;
829 			}
830 			if (match_pattern_list(ci->user, arg, 0) != 1)
831 				result = 0;
832 			else
833 				debug("user %.100s matched 'User %.100s' at "
834 				    "line %d", ci->user, arg, line);
835 		} else if (strcasecmp(attrib, "group") == 0) {
836 			if (ci == NULL || ci->user == NULL) {
837 				result = 0;
838 				continue;
839 			}
840 			switch (match_cfg_line_group(arg, line, ci->user)) {
841 			case -1:
842 				return -1;
843 			case 0:
844 				result = 0;
845 			}
846 		} else if (strcasecmp(attrib, "host") == 0) {
847 			if (ci == NULL || ci->host == NULL) {
848 				result = 0;
849 				continue;
850 			}
851 			if (match_hostname(ci->host, arg) != 1)
852 				result = 0;
853 			else
854 				debug("connection from %.100s matched 'Host "
855 				    "%.100s' at line %d", ci->host, arg, line);
856 		} else if (strcasecmp(attrib, "address") == 0) {
857 			if (ci == NULL || ci->address == NULL) {
858 				result = 0;
859 				continue;
860 			}
861 			switch (addr_match_list(ci->address, arg)) {
862 			case 1:
863 				debug("connection from %.100s matched 'Address "
864 				    "%.100s' at line %d", ci->address, arg, line);
865 				break;
866 			case 0:
867 			case -1:
868 				result = 0;
869 				break;
870 			case -2:
871 				return -1;
872 			}
873 		} else if (strcasecmp(attrib, "localaddress") == 0){
874 			if (ci == NULL || ci->laddress == NULL) {
875 				result = 0;
876 				continue;
877 			}
878 			switch (addr_match_list(ci->laddress, arg)) {
879 			case 1:
880 				debug("connection from %.100s matched "
881 				    "'LocalAddress %.100s' at line %d",
882 				    ci->laddress, arg, line);
883 				break;
884 			case 0:
885 			case -1:
886 				result = 0;
887 				break;
888 			case -2:
889 				return -1;
890 			}
891 		} else if (strcasecmp(attrib, "localport") == 0) {
892 			if ((port = a2port(arg)) == -1) {
893 				error("Invalid LocalPort '%s' on Match line",
894 				    arg);
895 				return -1;
896 			}
897 			if (ci == NULL || ci->lport == 0) {
898 				result = 0;
899 				continue;
900 			}
901 			/* TODO support port lists */
902 			if (port == ci->lport)
903 				debug("connection from %.100s matched "
904 				    "'LocalPort %d' at line %d",
905 				    ci->laddress, port, line);
906 			else
907 				result = 0;
908 		} else {
909 			error("Unsupported Match attribute %s", attrib);
910 			return -1;
911 		}
912 	}
913 	if (attributes == 0) {
914 		error("One or more attributes required for Match");
915 		return -1;
916 	}
917 	if (ci != NULL)
918 		debug3("match %sfound", result ? "" : "not ");
919 	*condition = cp;
920 	return result;
921 }
922 
923 #define WHITESPACE " \t\r\n"
924 
925 /* Multistate option parsing */
926 struct multistate {
927 	char *key;
928 	int value;
929 };
930 static const struct multistate multistate_addressfamily[] = {
931 	{ "inet",			AF_INET },
932 	{ "inet6",			AF_INET6 },
933 	{ "any",			AF_UNSPEC },
934 	{ NULL, -1 }
935 };
936 static const struct multistate multistate_permitrootlogin[] = {
937 	{ "without-password",		PERMIT_NO_PASSWD },
938 	{ "prohibit-password",		PERMIT_NO_PASSWD },
939 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
940 	{ "yes",			PERMIT_YES },
941 	{ "no",				PERMIT_NO },
942 	{ NULL, -1 }
943 };
944 static const struct multistate multistate_compression[] = {
945 	{ "delayed",			COMP_DELAYED },
946 	{ "yes",			COMP_ZLIB },
947 	{ "no",				COMP_NONE },
948 	{ NULL, -1 }
949 };
950 static const struct multistate multistate_gatewayports[] = {
951 	{ "clientspecified",		2 },
952 	{ "yes",			1 },
953 	{ "no",				0 },
954 	{ NULL, -1 }
955 };
956 static const struct multistate multistate_privsep[] = {
957 	{ "yes",			PRIVSEP_NOSANDBOX },
958 	{ "sandbox",			PRIVSEP_ON },
959 	{ "nosandbox",			PRIVSEP_NOSANDBOX },
960 	{ "no",				PRIVSEP_OFF },
961 	{ NULL, -1 }
962 };
963 static const struct multistate multistate_tcpfwd[] = {
964 	{ "yes",			FORWARD_ALLOW },
965 	{ "all",			FORWARD_ALLOW },
966 	{ "no",				FORWARD_DENY },
967 	{ "remote",			FORWARD_REMOTE },
968 	{ "local",			FORWARD_LOCAL },
969 	{ NULL, -1 }
970 };
971 
972 int
973 process_server_config_line(ServerOptions *options, char *line,
974     const char *filename, int linenum, int *activep,
975     struct connection_info *connectinfo)
976 {
977 	char *cp, **charptr, *arg, *p;
978 	int cmdline = 0, *intptr, value, value2, n, port;
979 	SyslogFacility *log_facility_ptr;
980 	LogLevel *log_level_ptr;
981 	ServerOpCodes opcode;
982 	u_int i, flags = 0;
983 	size_t len;
984 	long long val64;
985 	const struct multistate *multistate_ptr;
986 
987 	cp = line;
988 	if ((arg = strdelim(&cp)) == NULL)
989 		return 0;
990 	/* Ignore leading whitespace */
991 	if (*arg == '\0')
992 		arg = strdelim(&cp);
993 	if (!arg || !*arg || *arg == '#')
994 		return 0;
995 	intptr = NULL;
996 	charptr = NULL;
997 	opcode = parse_token(arg, filename, linenum, &flags);
998 
999 	if (activep == NULL) { /* We are processing a command line directive */
1000 		cmdline = 1;
1001 		activep = &cmdline;
1002 	}
1003 	if (*activep && opcode != sMatch)
1004 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1005 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1006 		if (connectinfo == NULL) {
1007 			fatal("%s line %d: Directive '%s' is not allowed "
1008 			    "within a Match block", filename, linenum, arg);
1009 		} else { /* this is a directive we have already processed */
1010 			while (arg)
1011 				arg = strdelim(&cp);
1012 			return 0;
1013 		}
1014 	}
1015 
1016 	switch (opcode) {
1017 	/* Portable-specific options */
1018 	case sUsePAM:
1019 		intptr = &options->use_pam;
1020 		goto parse_flag;
1021 
1022 	/* Standard Options */
1023 	case sBadOption:
1024 		return -1;
1025 	case sPort:
1026 		/* ignore ports from configfile if cmdline specifies ports */
1027 		if (options->ports_from_cmdline)
1028 			return 0;
1029 		if (options->num_ports >= MAX_PORTS)
1030 			fatal("%s line %d: too many ports.",
1031 			    filename, linenum);
1032 		arg = strdelim(&cp);
1033 		if (!arg || *arg == '\0')
1034 			fatal("%s line %d: missing port number.",
1035 			    filename, linenum);
1036 		options->ports[options->num_ports++] = a2port(arg);
1037 		if (options->ports[options->num_ports-1] <= 0)
1038 			fatal("%s line %d: Badly formatted port number.",
1039 			    filename, linenum);
1040 		break;
1041 
1042 	case sServerKeyBits:
1043 		intptr = &options->server_key_bits;
1044  parse_int:
1045 		arg = strdelim(&cp);
1046 		if (!arg || *arg == '\0')
1047 			fatal("%s line %d: missing integer value.",
1048 			    filename, linenum);
1049 		value = atoi(arg);
1050 		if (*activep && *intptr == -1)
1051 			*intptr = value;
1052 		break;
1053 
1054 	case sLoginGraceTime:
1055 		intptr = &options->login_grace_time;
1056  parse_time:
1057 		arg = strdelim(&cp);
1058 		if (!arg || *arg == '\0')
1059 			fatal("%s line %d: missing time value.",
1060 			    filename, linenum);
1061 		if ((value = convtime(arg)) == -1)
1062 			fatal("%s line %d: invalid time value.",
1063 			    filename, linenum);
1064 		if (*activep && *intptr == -1)
1065 			*intptr = value;
1066 		break;
1067 
1068 	case sKeyRegenerationTime:
1069 		intptr = &options->key_regeneration_time;
1070 		goto parse_time;
1071 
1072 	case sListenAddress:
1073 		arg = strdelim(&cp);
1074 		if (arg == NULL || *arg == '\0')
1075 			fatal("%s line %d: missing address",
1076 			    filename, linenum);
1077 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1078 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1079 		    && strchr(p+1, ':') != NULL) {
1080 			queue_listen_addr(options, arg, 0);
1081 			break;
1082 		}
1083 		p = hpdelim(&arg);
1084 		if (p == NULL)
1085 			fatal("%s line %d: bad address:port usage",
1086 			    filename, linenum);
1087 		p = cleanhostname(p);
1088 		if (arg == NULL)
1089 			port = 0;
1090 		else if ((port = a2port(arg)) <= 0)
1091 			fatal("%s line %d: bad port number", filename, linenum);
1092 
1093 		queue_listen_addr(options, p, port);
1094 
1095 		break;
1096 
1097 	case sAddressFamily:
1098 		intptr = &options->address_family;
1099 		multistate_ptr = multistate_addressfamily;
1100  parse_multistate:
1101 		arg = strdelim(&cp);
1102 		if (!arg || *arg == '\0')
1103 			fatal("%s line %d: missing argument.",
1104 			    filename, linenum);
1105 		value = -1;
1106 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1107 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1108 				value = multistate_ptr[i].value;
1109 				break;
1110 			}
1111 		}
1112 		if (value == -1)
1113 			fatal("%s line %d: unsupported option \"%s\".",
1114 			    filename, linenum, arg);
1115 		if (*activep && *intptr == -1)
1116 			*intptr = value;
1117 		break;
1118 
1119 	case sHostKeyFile:
1120 		intptr = &options->num_host_key_files;
1121 		if (*intptr >= MAX_HOSTKEYS)
1122 			fatal("%s line %d: too many host keys specified (max %d).",
1123 			    filename, linenum, MAX_HOSTKEYS);
1124 		charptr = &options->host_key_files[*intptr];
1125  parse_filename:
1126 		arg = strdelim(&cp);
1127 		if (!arg || *arg == '\0')
1128 			fatal("%s line %d: missing file name.",
1129 			    filename, linenum);
1130 		if (*activep && *charptr == NULL) {
1131 			*charptr = derelativise_path(arg);
1132 			/* increase optional counter */
1133 			if (intptr != NULL)
1134 				*intptr = *intptr + 1;
1135 		}
1136 		break;
1137 
1138 	case sHostKeyAgent:
1139 		charptr = &options->host_key_agent;
1140 		arg = strdelim(&cp);
1141 		if (!arg || *arg == '\0')
1142 			fatal("%s line %d: missing socket name.",
1143 			    filename, linenum);
1144 		if (*activep && *charptr == NULL)
1145 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1146 			    xstrdup(arg) : derelativise_path(arg);
1147 		break;
1148 
1149 	case sHostCertificate:
1150 		intptr = &options->num_host_cert_files;
1151 		if (*intptr >= MAX_HOSTKEYS)
1152 			fatal("%s line %d: too many host certificates "
1153 			    "specified (max %d).", filename, linenum,
1154 			    MAX_HOSTCERTS);
1155 		charptr = &options->host_cert_files[*intptr];
1156 		goto parse_filename;
1157 		break;
1158 
1159 	case sPidFile:
1160 		charptr = &options->pid_file;
1161 		goto parse_filename;
1162 
1163 	case sPermitRootLogin:
1164 		intptr = &options->permit_root_login;
1165 		multistate_ptr = multistate_permitrootlogin;
1166 		goto parse_multistate;
1167 
1168 	case sIgnoreRhosts:
1169 		intptr = &options->ignore_rhosts;
1170  parse_flag:
1171 		arg = strdelim(&cp);
1172 		if (!arg || *arg == '\0')
1173 			fatal("%s line %d: missing yes/no argument.",
1174 			    filename, linenum);
1175 		value = 0;	/* silence compiler */
1176 		if (strcmp(arg, "yes") == 0)
1177 			value = 1;
1178 		else if (strcmp(arg, "no") == 0)
1179 			value = 0;
1180 		else
1181 			fatal("%s line %d: Bad yes/no argument: %s",
1182 				filename, linenum, arg);
1183 		if (*activep && *intptr == -1)
1184 			*intptr = value;
1185 		break;
1186 
1187 	case sIgnoreUserKnownHosts:
1188 		intptr = &options->ignore_user_known_hosts;
1189 		goto parse_flag;
1190 
1191 	case sRhostsRSAAuthentication:
1192 		intptr = &options->rhosts_rsa_authentication;
1193 		goto parse_flag;
1194 
1195 	case sHostbasedAuthentication:
1196 		intptr = &options->hostbased_authentication;
1197 		goto parse_flag;
1198 
1199 	case sHostbasedUsesNameFromPacketOnly:
1200 		intptr = &options->hostbased_uses_name_from_packet_only;
1201 		goto parse_flag;
1202 
1203 	case sHostbasedAcceptedKeyTypes:
1204 		charptr = &options->hostbased_key_types;
1205  parse_keytypes:
1206 		arg = strdelim(&cp);
1207 		if (!arg || *arg == '\0')
1208 			fatal("%s line %d: Missing argument.",
1209 			    filename, linenum);
1210 		if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1211 			fatal("%s line %d: Bad key types '%s'.",
1212 			    filename, linenum, arg ? arg : "<NONE>");
1213 		if (*activep && *charptr == NULL)
1214 			*charptr = xstrdup(arg);
1215 		break;
1216 
1217 	case sHostKeyAlgorithms:
1218 		charptr = &options->hostkeyalgorithms;
1219 		goto parse_keytypes;
1220 
1221 	case sRSAAuthentication:
1222 		intptr = &options->rsa_authentication;
1223 		goto parse_flag;
1224 
1225 	case sPubkeyAuthentication:
1226 		intptr = &options->pubkey_authentication;
1227 		goto parse_flag;
1228 
1229 	case sPubkeyAcceptedKeyTypes:
1230 		charptr = &options->pubkey_key_types;
1231 		goto parse_keytypes;
1232 
1233 	case sKerberosAuthentication:
1234 		intptr = &options->kerberos_authentication;
1235 		goto parse_flag;
1236 
1237 	case sKerberosOrLocalPasswd:
1238 		intptr = &options->kerberos_or_local_passwd;
1239 		goto parse_flag;
1240 
1241 	case sKerberosTicketCleanup:
1242 		intptr = &options->kerberos_ticket_cleanup;
1243 		goto parse_flag;
1244 
1245 	case sKerberosGetAFSToken:
1246 		intptr = &options->kerberos_get_afs_token;
1247 		goto parse_flag;
1248 
1249 	case sGssAuthentication:
1250 		intptr = &options->gss_authentication;
1251 		goto parse_flag;
1252 
1253 	case sGssCleanupCreds:
1254 		intptr = &options->gss_cleanup_creds;
1255 		goto parse_flag;
1256 
1257 	case sGssStrictAcceptor:
1258 		intptr = &options->gss_strict_acceptor;
1259 		goto parse_flag;
1260 
1261 	case sPasswordAuthentication:
1262 		intptr = &options->password_authentication;
1263 		goto parse_flag;
1264 
1265 	case sKbdInteractiveAuthentication:
1266 		intptr = &options->kbd_interactive_authentication;
1267 		goto parse_flag;
1268 
1269 	case sChallengeResponseAuthentication:
1270 		intptr = &options->challenge_response_authentication;
1271 		goto parse_flag;
1272 
1273 	case sPrintMotd:
1274 		intptr = &options->print_motd;
1275 		goto parse_flag;
1276 
1277 	case sPrintLastLog:
1278 		intptr = &options->print_lastlog;
1279 		goto parse_flag;
1280 
1281 	case sX11Forwarding:
1282 		intptr = &options->x11_forwarding;
1283 		goto parse_flag;
1284 
1285 	case sX11DisplayOffset:
1286 		intptr = &options->x11_display_offset;
1287 		goto parse_int;
1288 
1289 	case sX11UseLocalhost:
1290 		intptr = &options->x11_use_localhost;
1291 		goto parse_flag;
1292 
1293 	case sXAuthLocation:
1294 		charptr = &options->xauth_location;
1295 		goto parse_filename;
1296 
1297 	case sPermitTTY:
1298 		intptr = &options->permit_tty;
1299 		goto parse_flag;
1300 
1301 	case sPermitUserRC:
1302 		intptr = &options->permit_user_rc;
1303 		goto parse_flag;
1304 
1305 	case sStrictModes:
1306 		intptr = &options->strict_modes;
1307 		goto parse_flag;
1308 
1309 	case sTCPKeepAlive:
1310 		intptr = &options->tcp_keep_alive;
1311 		goto parse_flag;
1312 
1313 	case sEmptyPasswd:
1314 		intptr = &options->permit_empty_passwd;
1315 		goto parse_flag;
1316 
1317 	case sPermitUserEnvironment:
1318 		intptr = &options->permit_user_env;
1319 		goto parse_flag;
1320 
1321 	case sUseLogin:
1322 		intptr = &options->use_login;
1323 		goto parse_flag;
1324 
1325 	case sCompression:
1326 		intptr = &options->compression;
1327 		multistate_ptr = multistate_compression;
1328 		goto parse_multistate;
1329 
1330 	case sRekeyLimit:
1331 		arg = strdelim(&cp);
1332 		if (!arg || *arg == '\0')
1333 			fatal("%.200s line %d: Missing argument.", filename,
1334 			    linenum);
1335 		if (strcmp(arg, "default") == 0) {
1336 			val64 = 0;
1337 		} else {
1338 			if (scan_scaled(arg, &val64) == -1)
1339 				fatal("%.200s line %d: Bad number '%s': %s",
1340 				    filename, linenum, arg, strerror(errno));
1341 			if (val64 != 0 && val64 < 16)
1342 				fatal("%.200s line %d: RekeyLimit too small",
1343 				    filename, linenum);
1344 		}
1345 		if (*activep && options->rekey_limit == -1)
1346 			options->rekey_limit = val64;
1347 		if (cp != NULL) { /* optional rekey interval present */
1348 			if (strcmp(cp, "none") == 0) {
1349 				(void)strdelim(&cp);	/* discard */
1350 				break;
1351 			}
1352 			intptr = &options->rekey_interval;
1353 			goto parse_time;
1354 		}
1355 		break;
1356 
1357 	case sGatewayPorts:
1358 		intptr = &options->fwd_opts.gateway_ports;
1359 		multistate_ptr = multistate_gatewayports;
1360 		goto parse_multistate;
1361 
1362 	case sUseDNS:
1363 		intptr = &options->use_dns;
1364 		goto parse_flag;
1365 
1366 	case sLogFacility:
1367 		log_facility_ptr = &options->log_facility;
1368 		arg = strdelim(&cp);
1369 		value = log_facility_number(arg);
1370 		if (value == SYSLOG_FACILITY_NOT_SET)
1371 			fatal("%.200s line %d: unsupported log facility '%s'",
1372 			    filename, linenum, arg ? arg : "<NONE>");
1373 		if (*log_facility_ptr == -1)
1374 			*log_facility_ptr = (SyslogFacility) value;
1375 		break;
1376 
1377 	case sLogLevel:
1378 		log_level_ptr = &options->log_level;
1379 		arg = strdelim(&cp);
1380 		value = log_level_number(arg);
1381 		if (value == SYSLOG_LEVEL_NOT_SET)
1382 			fatal("%.200s line %d: unsupported log level '%s'",
1383 			    filename, linenum, arg ? arg : "<NONE>");
1384 		if (*log_level_ptr == -1)
1385 			*log_level_ptr = (LogLevel) value;
1386 		break;
1387 
1388 	case sAllowTcpForwarding:
1389 		intptr = &options->allow_tcp_forwarding;
1390 		multistate_ptr = multistate_tcpfwd;
1391 		goto parse_multistate;
1392 
1393 	case sAllowStreamLocalForwarding:
1394 		intptr = &options->allow_streamlocal_forwarding;
1395 		multistate_ptr = multistate_tcpfwd;
1396 		goto parse_multistate;
1397 
1398 	case sAllowAgentForwarding:
1399 		intptr = &options->allow_agent_forwarding;
1400 		goto parse_flag;
1401 
1402 	case sUsePrivilegeSeparation:
1403 		intptr = &use_privsep;
1404 		multistate_ptr = multistate_privsep;
1405 		goto parse_multistate;
1406 
1407 	case sAllowUsers:
1408 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1409 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1410 				fatal("%s line %d: too many allow users.",
1411 				    filename, linenum);
1412 			if (!*activep)
1413 				continue;
1414 			options->allow_users[options->num_allow_users++] =
1415 			    xstrdup(arg);
1416 		}
1417 		break;
1418 
1419 	case sDenyUsers:
1420 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1421 			if (options->num_deny_users >= MAX_DENY_USERS)
1422 				fatal("%s line %d: too many deny users.",
1423 				    filename, linenum);
1424 			if (!*activep)
1425 				continue;
1426 			options->deny_users[options->num_deny_users++] =
1427 			    xstrdup(arg);
1428 		}
1429 		break;
1430 
1431 	case sAllowGroups:
1432 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1433 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1434 				fatal("%s line %d: too many allow groups.",
1435 				    filename, linenum);
1436 			if (!*activep)
1437 				continue;
1438 			options->allow_groups[options->num_allow_groups++] =
1439 			    xstrdup(arg);
1440 		}
1441 		break;
1442 
1443 	case sDenyGroups:
1444 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1445 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1446 				fatal("%s line %d: too many deny groups.",
1447 				    filename, linenum);
1448 			if (!*activep)
1449 				continue;
1450 			options->deny_groups[options->num_deny_groups++] =
1451 			    xstrdup(arg);
1452 		}
1453 		break;
1454 
1455 	case sCiphers:
1456 		arg = strdelim(&cp);
1457 		if (!arg || *arg == '\0')
1458 			fatal("%s line %d: Missing argument.", filename, linenum);
1459 		if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1460 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1461 			    filename, linenum, arg ? arg : "<NONE>");
1462 		if (options->ciphers == NULL)
1463 			options->ciphers = xstrdup(arg);
1464 		break;
1465 
1466 	case sMacs:
1467 		arg = strdelim(&cp);
1468 		if (!arg || *arg == '\0')
1469 			fatal("%s line %d: Missing argument.", filename, linenum);
1470 		if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1471 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1472 			    filename, linenum, arg ? arg : "<NONE>");
1473 		if (options->macs == NULL)
1474 			options->macs = xstrdup(arg);
1475 		break;
1476 
1477 	case sKexAlgorithms:
1478 		arg = strdelim(&cp);
1479 		if (!arg || *arg == '\0')
1480 			fatal("%s line %d: Missing argument.",
1481 			    filename, linenum);
1482 		if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1483 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1484 			    filename, linenum, arg ? arg : "<NONE>");
1485 		if (options->kex_algorithms == NULL)
1486 			options->kex_algorithms = xstrdup(arg);
1487 		break;
1488 
1489 	case sProtocol:
1490 		intptr = &options->protocol;
1491 		arg = strdelim(&cp);
1492 		if (!arg || *arg == '\0')
1493 			fatal("%s line %d: Missing argument.", filename, linenum);
1494 		value = proto_spec(arg);
1495 		if (value == SSH_PROTO_UNKNOWN)
1496 			fatal("%s line %d: Bad protocol spec '%s'.",
1497 			    filename, linenum, arg ? arg : "<NONE>");
1498 		if (*intptr == SSH_PROTO_UNKNOWN)
1499 			*intptr = value;
1500 		break;
1501 
1502 	case sSubsystem:
1503 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1504 			fatal("%s line %d: too many subsystems defined.",
1505 			    filename, linenum);
1506 		}
1507 		arg = strdelim(&cp);
1508 		if (!arg || *arg == '\0')
1509 			fatal("%s line %d: Missing subsystem name.",
1510 			    filename, linenum);
1511 		if (!*activep) {
1512 			arg = strdelim(&cp);
1513 			break;
1514 		}
1515 		for (i = 0; i < options->num_subsystems; i++)
1516 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1517 				fatal("%s line %d: Subsystem '%s' already defined.",
1518 				    filename, linenum, arg);
1519 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1520 		arg = strdelim(&cp);
1521 		if (!arg || *arg == '\0')
1522 			fatal("%s line %d: Missing subsystem command.",
1523 			    filename, linenum);
1524 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1525 
1526 		/* Collect arguments (separate to executable) */
1527 		p = xstrdup(arg);
1528 		len = strlen(p) + 1;
1529 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1530 			len += 1 + strlen(arg);
1531 			p = xreallocarray(p, 1, len);
1532 			strlcat(p, " ", len);
1533 			strlcat(p, arg, len);
1534 		}
1535 		options->subsystem_args[options->num_subsystems] = p;
1536 		options->num_subsystems++;
1537 		break;
1538 
1539 	case sMaxStartups:
1540 		arg = strdelim(&cp);
1541 		if (!arg || *arg == '\0')
1542 			fatal("%s line %d: Missing MaxStartups spec.",
1543 			    filename, linenum);
1544 		if ((n = sscanf(arg, "%d:%d:%d",
1545 		    &options->max_startups_begin,
1546 		    &options->max_startups_rate,
1547 		    &options->max_startups)) == 3) {
1548 			if (options->max_startups_begin >
1549 			    options->max_startups ||
1550 			    options->max_startups_rate > 100 ||
1551 			    options->max_startups_rate < 1)
1552 				fatal("%s line %d: Illegal MaxStartups spec.",
1553 				    filename, linenum);
1554 		} else if (n != 1)
1555 			fatal("%s line %d: Illegal MaxStartups spec.",
1556 			    filename, linenum);
1557 		else
1558 			options->max_startups = options->max_startups_begin;
1559 		break;
1560 
1561 	case sMaxAuthTries:
1562 		intptr = &options->max_authtries;
1563 		goto parse_int;
1564 
1565 	case sMaxSessions:
1566 		intptr = &options->max_sessions;
1567 		goto parse_int;
1568 
1569 	case sBanner:
1570 		charptr = &options->banner;
1571 		goto parse_filename;
1572 
1573 	/*
1574 	 * These options can contain %X options expanded at
1575 	 * connect time, so that you can specify paths like:
1576 	 *
1577 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1578 	 */
1579 	case sAuthorizedKeysFile:
1580 		if (*activep && options->num_authkeys_files == 0) {
1581 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1582 				if (options->num_authkeys_files >=
1583 				    MAX_AUTHKEYS_FILES)
1584 					fatal("%s line %d: "
1585 					    "too many authorized keys files.",
1586 					    filename, linenum);
1587 				options->authorized_keys_files[
1588 				    options->num_authkeys_files++] =
1589 				    tilde_expand_filename(arg, getuid());
1590 			}
1591 		}
1592 		return 0;
1593 
1594 	case sAuthorizedPrincipalsFile:
1595 		charptr = &options->authorized_principals_file;
1596 		arg = strdelim(&cp);
1597 		if (!arg || *arg == '\0')
1598 			fatal("%s line %d: missing file name.",
1599 			    filename, linenum);
1600 		if (*activep && *charptr == NULL) {
1601 			*charptr = tilde_expand_filename(arg, getuid());
1602 			/* increase optional counter */
1603 			if (intptr != NULL)
1604 				*intptr = *intptr + 1;
1605 		}
1606 		break;
1607 
1608 	case sClientAliveInterval:
1609 		intptr = &options->client_alive_interval;
1610 		goto parse_time;
1611 
1612 	case sClientAliveCountMax:
1613 		intptr = &options->client_alive_count_max;
1614 		goto parse_int;
1615 
1616 	case sAcceptEnv:
1617 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1618 			if (strchr(arg, '=') != NULL)
1619 				fatal("%s line %d: Invalid environment name.",
1620 				    filename, linenum);
1621 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1622 				fatal("%s line %d: too many allow env.",
1623 				    filename, linenum);
1624 			if (!*activep)
1625 				continue;
1626 			options->accept_env[options->num_accept_env++] =
1627 			    xstrdup(arg);
1628 		}
1629 		break;
1630 
1631 	case sPermitTunnel:
1632 		intptr = &options->permit_tun;
1633 		arg = strdelim(&cp);
1634 		if (!arg || *arg == '\0')
1635 			fatal("%s line %d: Missing yes/point-to-point/"
1636 			    "ethernet/no argument.", filename, linenum);
1637 		value = -1;
1638 		for (i = 0; tunmode_desc[i].val != -1; i++)
1639 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1640 				value = tunmode_desc[i].val;
1641 				break;
1642 			}
1643 		if (value == -1)
1644 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1645 			    "no argument: %s", filename, linenum, arg);
1646 		if (*activep && *intptr == -1)
1647 			*intptr = value;
1648 		break;
1649 
1650 	case sMatch:
1651 		if (cmdline)
1652 			fatal("Match directive not supported as a command-line "
1653 			   "option");
1654 		value = match_cfg_line(&cp, linenum, connectinfo);
1655 		if (value < 0)
1656 			fatal("%s line %d: Bad Match condition", filename,
1657 			    linenum);
1658 		*activep = value;
1659 		break;
1660 
1661 	case sPermitOpen:
1662 		arg = strdelim(&cp);
1663 		if (!arg || *arg == '\0')
1664 			fatal("%s line %d: missing PermitOpen specification",
1665 			    filename, linenum);
1666 		n = options->num_permitted_opens;	/* modified later */
1667 		if (strcmp(arg, "any") == 0) {
1668 			if (*activep && n == -1) {
1669 				channel_clear_adm_permitted_opens();
1670 				options->num_permitted_opens = 0;
1671 			}
1672 			break;
1673 		}
1674 		if (strcmp(arg, "none") == 0) {
1675 			if (*activep && n == -1) {
1676 				options->num_permitted_opens = 1;
1677 				channel_disable_adm_local_opens();
1678 			}
1679 			break;
1680 		}
1681 		if (*activep && n == -1)
1682 			channel_clear_adm_permitted_opens();
1683 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1684 			p = hpdelim(&arg);
1685 			if (p == NULL)
1686 				fatal("%s line %d: missing host in PermitOpen",
1687 				    filename, linenum);
1688 			p = cleanhostname(p);
1689 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1690 				fatal("%s line %d: bad port number in "
1691 				    "PermitOpen", filename, linenum);
1692 			if (*activep && n == -1)
1693 				options->num_permitted_opens =
1694 				    channel_add_adm_permitted_opens(p, port);
1695 		}
1696 		break;
1697 
1698 	case sForceCommand:
1699 		if (cp == NULL || *cp == '\0')
1700 			fatal("%.200s line %d: Missing argument.", filename,
1701 			    linenum);
1702 		len = strspn(cp, WHITESPACE);
1703 		if (*activep && options->adm_forced_command == NULL)
1704 			options->adm_forced_command = xstrdup(cp + len);
1705 		return 0;
1706 
1707 	case sChrootDirectory:
1708 		charptr = &options->chroot_directory;
1709 
1710 		arg = strdelim(&cp);
1711 		if (!arg || *arg == '\0')
1712 			fatal("%s line %d: missing file name.",
1713 			    filename, linenum);
1714 		if (*activep && *charptr == NULL)
1715 			*charptr = xstrdup(arg);
1716 		break;
1717 
1718 	case sTrustedUserCAKeys:
1719 		charptr = &options->trusted_user_ca_keys;
1720 		goto parse_filename;
1721 
1722 	case sRevokedKeys:
1723 		charptr = &options->revoked_keys_file;
1724 		goto parse_filename;
1725 
1726 	case sIPQoS:
1727 		arg = strdelim(&cp);
1728 		if ((value = parse_ipqos(arg)) == -1)
1729 			fatal("%s line %d: Bad IPQoS value: %s",
1730 			    filename, linenum, arg);
1731 		arg = strdelim(&cp);
1732 		if (arg == NULL)
1733 			value2 = value;
1734 		else if ((value2 = parse_ipqos(arg)) == -1)
1735 			fatal("%s line %d: Bad IPQoS value: %s",
1736 			    filename, linenum, arg);
1737 		if (*activep) {
1738 			options->ip_qos_interactive = value;
1739 			options->ip_qos_bulk = value2;
1740 		}
1741 		break;
1742 
1743 	case sVersionAddendum:
1744 		if (cp == NULL || *cp == '\0')
1745 			fatal("%.200s line %d: Missing argument.", filename,
1746 			    linenum);
1747 		len = strspn(cp, WHITESPACE);
1748 		if (*activep && options->version_addendum == NULL) {
1749 			if (strcasecmp(cp + len, "none") == 0)
1750 				options->version_addendum = xstrdup("");
1751 			else if (strchr(cp + len, '\r') != NULL)
1752 				fatal("%.200s line %d: Invalid argument",
1753 				    filename, linenum);
1754 			else
1755 				options->version_addendum = xstrdup(cp + len);
1756 		}
1757 		return 0;
1758 
1759 	case sAuthorizedKeysCommand:
1760 		if (cp == NULL)
1761 			fatal("%.200s line %d: Missing argument.", filename,
1762 			    linenum);
1763 		len = strspn(cp, WHITESPACE);
1764 		if (*activep && options->authorized_keys_command == NULL) {
1765 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1766 				fatal("%.200s line %d: AuthorizedKeysCommand "
1767 				    "must be an absolute path",
1768 				    filename, linenum);
1769 			options->authorized_keys_command = xstrdup(cp + len);
1770 		}
1771 		return 0;
1772 
1773 	case sAuthorizedKeysCommandUser:
1774 		charptr = &options->authorized_keys_command_user;
1775 
1776 		arg = strdelim(&cp);
1777 		if (!arg || *arg == '\0')
1778 			fatal("%s line %d: missing AuthorizedKeysCommandUser "
1779 			    "argument.", filename, linenum);
1780 		if (*activep && *charptr == NULL)
1781 			*charptr = xstrdup(arg);
1782 		break;
1783 
1784 	case sAuthorizedPrincipalsCommand:
1785 		if (cp == NULL)
1786 			fatal("%.200s line %d: Missing argument.", filename,
1787 			    linenum);
1788 		len = strspn(cp, WHITESPACE);
1789 		if (*activep &&
1790 		    options->authorized_principals_command == NULL) {
1791 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1792 				fatal("%.200s line %d: "
1793 				    "AuthorizedPrincipalsCommand must be "
1794 				    "an absolute path", filename, linenum);
1795 			options->authorized_principals_command =
1796 			    xstrdup(cp + len);
1797 		}
1798 		return 0;
1799 
1800 	case sAuthorizedPrincipalsCommandUser:
1801 		charptr = &options->authorized_principals_command_user;
1802 
1803 		arg = strdelim(&cp);
1804 		if (!arg || *arg == '\0')
1805 			fatal("%s line %d: missing "
1806 			    "AuthorizedPrincipalsCommandUser argument.",
1807 			    filename, linenum);
1808 		if (*activep && *charptr == NULL)
1809 			*charptr = xstrdup(arg);
1810 		break;
1811 
1812 	case sAuthenticationMethods:
1813 		if (options->num_auth_methods == 0) {
1814 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1815 				if (options->num_auth_methods >=
1816 				    MAX_AUTH_METHODS)
1817 					fatal("%s line %d: "
1818 					    "too many authentication methods.",
1819 					    filename, linenum);
1820 				if (auth2_methods_valid(arg, 0) != 0)
1821 					fatal("%s line %d: invalid "
1822 					    "authentication method list.",
1823 					    filename, linenum);
1824 				if (!*activep)
1825 					continue;
1826 				options->auth_methods[
1827 				    options->num_auth_methods++] = xstrdup(arg);
1828 			}
1829 		}
1830 		return 0;
1831 
1832 	case sStreamLocalBindMask:
1833 		arg = strdelim(&cp);
1834 		if (!arg || *arg == '\0')
1835 			fatal("%s line %d: missing StreamLocalBindMask "
1836 			    "argument.", filename, linenum);
1837 		/* Parse mode in octal format */
1838 		value = strtol(arg, &p, 8);
1839 		if (arg == p || value < 0 || value > 0777)
1840 			fatal("%s line %d: Bad mask.", filename, linenum);
1841 		if (*activep)
1842 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1843 		break;
1844 
1845 	case sStreamLocalBindUnlink:
1846 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
1847 		goto parse_flag;
1848 
1849 	case sFingerprintHash:
1850 		arg = strdelim(&cp);
1851 		if (!arg || *arg == '\0')
1852 			fatal("%.200s line %d: Missing argument.",
1853 			    filename, linenum);
1854 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
1855 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1856 			    filename, linenum, arg);
1857 		if (*activep)
1858 			options->fingerprint_hash = value;
1859 		break;
1860 
1861 	case sDeprecated:
1862 		logit("%s line %d: Deprecated option %s",
1863 		    filename, linenum, arg);
1864 		while (arg)
1865 		    arg = strdelim(&cp);
1866 		break;
1867 
1868 	case sUnsupported:
1869 		logit("%s line %d: Unsupported option %s",
1870 		    filename, linenum, arg);
1871 		while (arg)
1872 		    arg = strdelim(&cp);
1873 		break;
1874 
1875 	default:
1876 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1877 		    filename, linenum, arg, opcode);
1878 	}
1879 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1880 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1881 		    filename, linenum, arg);
1882 	return 0;
1883 }
1884 
1885 /* Reads the server configuration file. */
1886 
1887 void
1888 load_server_config(const char *filename, Buffer *conf)
1889 {
1890 	char line[4096], *cp;
1891 	FILE *f;
1892 	int lineno = 0;
1893 
1894 	debug2("%s: filename %s", __func__, filename);
1895 	if ((f = fopen(filename, "r")) == NULL) {
1896 		perror(filename);
1897 		exit(1);
1898 	}
1899 	buffer_clear(conf);
1900 	while (fgets(line, sizeof(line), f)) {
1901 		lineno++;
1902 		if (strlen(line) == sizeof(line) - 1)
1903 			fatal("%s line %d too long", filename, lineno);
1904 		/*
1905 		 * Trim out comments and strip whitespace
1906 		 * NB - preserve newlines, they are needed to reproduce
1907 		 * line numbers later for error messages
1908 		 */
1909 		if ((cp = strchr(line, '#')) != NULL)
1910 			memcpy(cp, "\n", 2);
1911 		cp = line + strspn(line, " \t\r");
1912 
1913 		buffer_append(conf, cp, strlen(cp));
1914 	}
1915 	buffer_append(conf, "\0", 1);
1916 	fclose(f);
1917 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1918 }
1919 
1920 void
1921 parse_server_match_config(ServerOptions *options,
1922    struct connection_info *connectinfo)
1923 {
1924 	ServerOptions mo;
1925 
1926 	initialize_server_options(&mo);
1927 	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1928 	copy_set_server_options(options, &mo, 0);
1929 }
1930 
1931 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1932 {
1933 	char *p;
1934 
1935 	while ((p = strsep(&spec, ",")) && *p != '\0') {
1936 		if (strncmp(p, "addr=", 5) == 0) {
1937 			ci->address = xstrdup(p + 5);
1938 		} else if (strncmp(p, "host=", 5) == 0) {
1939 			ci->host = xstrdup(p + 5);
1940 		} else if (strncmp(p, "user=", 5) == 0) {
1941 			ci->user = xstrdup(p + 5);
1942 		} else if (strncmp(p, "laddr=", 6) == 0) {
1943 			ci->laddress = xstrdup(p + 6);
1944 		} else if (strncmp(p, "lport=", 6) == 0) {
1945 			ci->lport = a2port(p + 6);
1946 			if (ci->lport == -1) {
1947 				fprintf(stderr, "Invalid port '%s' in test mode"
1948 				   " specification %s\n", p+6, p);
1949 				return -1;
1950 			}
1951 		} else {
1952 			fprintf(stderr, "Invalid test mode specification %s\n",
1953 			   p);
1954 			return -1;
1955 		}
1956 	}
1957 	return 0;
1958 }
1959 
1960 /*
1961  * returns 1 for a complete spec, 0 for partial spec and -1 for an
1962  * empty spec.
1963  */
1964 int server_match_spec_complete(struct connection_info *ci)
1965 {
1966 	if (ci->user && ci->host && ci->address)
1967 		return 1;	/* complete */
1968 	if (!ci->user && !ci->host && !ci->address)
1969 		return -1;	/* empty */
1970 	return 0;	/* partial */
1971 }
1972 
1973 /*
1974  * Copy any supported values that are set.
1975  *
1976  * If the preauth flag is set, we do not bother copying the string or
1977  * array values that are not used pre-authentication, because any that we
1978  * do use must be explictly sent in mm_getpwnamallow().
1979  */
1980 void
1981 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1982 {
1983 #define M_CP_INTOPT(n) do {\
1984 	if (src->n != -1) \
1985 		dst->n = src->n; \
1986 } while (0)
1987 
1988 	M_CP_INTOPT(password_authentication);
1989 	M_CP_INTOPT(gss_authentication);
1990 	M_CP_INTOPT(rsa_authentication);
1991 	M_CP_INTOPT(pubkey_authentication);
1992 	M_CP_INTOPT(kerberos_authentication);
1993 	M_CP_INTOPT(hostbased_authentication);
1994 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1995 	M_CP_INTOPT(kbd_interactive_authentication);
1996 	M_CP_INTOPT(permit_root_login);
1997 	M_CP_INTOPT(permit_empty_passwd);
1998 
1999 	M_CP_INTOPT(allow_tcp_forwarding);
2000 	M_CP_INTOPT(allow_streamlocal_forwarding);
2001 	M_CP_INTOPT(allow_agent_forwarding);
2002 	M_CP_INTOPT(permit_tun);
2003 	M_CP_INTOPT(fwd_opts.gateway_ports);
2004 	M_CP_INTOPT(x11_display_offset);
2005 	M_CP_INTOPT(x11_forwarding);
2006 	M_CP_INTOPT(x11_use_localhost);
2007 	M_CP_INTOPT(permit_tty);
2008 	M_CP_INTOPT(permit_user_rc);
2009 	M_CP_INTOPT(max_sessions);
2010 	M_CP_INTOPT(max_authtries);
2011 	M_CP_INTOPT(ip_qos_interactive);
2012 	M_CP_INTOPT(ip_qos_bulk);
2013 	M_CP_INTOPT(rekey_limit);
2014 	M_CP_INTOPT(rekey_interval);
2015 
2016 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2017 #define M_CP_STROPT(n) do {\
2018 	if (src->n != NULL && dst->n != src->n) { \
2019 		free(dst->n); \
2020 		dst->n = src->n; \
2021 	} \
2022 } while(0)
2023 #define M_CP_STRARRAYOPT(n, num_n) do {\
2024 	if (src->num_n != 0) { \
2025 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2026 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2027 	} \
2028 } while(0)
2029 
2030 	/* See comment in servconf.h */
2031 	COPY_MATCH_STRING_OPTS();
2032 
2033 	/* Arguments that accept '+...' need to be expanded */
2034 	assemble_algorithms(dst);
2035 
2036 	/*
2037 	 * The only things that should be below this point are string options
2038 	 * which are only used after authentication.
2039 	 */
2040 	if (preauth)
2041 		return;
2042 
2043 	/* These options may be "none" to clear a global setting */
2044 	M_CP_STROPT(adm_forced_command);
2045 	if (option_clear_or_none(dst->adm_forced_command)) {
2046 		free(dst->adm_forced_command);
2047 		dst->adm_forced_command = NULL;
2048 	}
2049 	M_CP_STROPT(chroot_directory);
2050 	if (option_clear_or_none(dst->chroot_directory)) {
2051 		free(dst->chroot_directory);
2052 		dst->chroot_directory = NULL;
2053 	}
2054 }
2055 
2056 #undef M_CP_INTOPT
2057 #undef M_CP_STROPT
2058 #undef M_CP_STRARRAYOPT
2059 
2060 void
2061 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2062     struct connection_info *connectinfo)
2063 {
2064 	int active, linenum, bad_options = 0;
2065 	char *cp, *obuf, *cbuf;
2066 
2067 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2068 
2069 	obuf = cbuf = xstrdup(buffer_ptr(conf));
2070 	active = connectinfo ? 0 : 1;
2071 	linenum = 1;
2072 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2073 		if (process_server_config_line(options, cp, filename,
2074 		    linenum++, &active, connectinfo) != 0)
2075 			bad_options++;
2076 	}
2077 	free(obuf);
2078 	if (bad_options > 0)
2079 		fatal("%s: terminating, %d bad configuration options",
2080 		    filename, bad_options);
2081 	process_queued_listen_addrs(options);
2082 }
2083 
2084 static const char *
2085 fmt_multistate_int(int val, const struct multistate *m)
2086 {
2087 	u_int i;
2088 
2089 	for (i = 0; m[i].key != NULL; i++) {
2090 		if (m[i].value == val)
2091 			return m[i].key;
2092 	}
2093 	return "UNKNOWN";
2094 }
2095 
2096 static const char *
2097 fmt_intarg(ServerOpCodes code, int val)
2098 {
2099 	if (val == -1)
2100 		return "unset";
2101 	switch (code) {
2102 	case sAddressFamily:
2103 		return fmt_multistate_int(val, multistate_addressfamily);
2104 	case sPermitRootLogin:
2105 		return fmt_multistate_int(val, multistate_permitrootlogin);
2106 	case sGatewayPorts:
2107 		return fmt_multistate_int(val, multistate_gatewayports);
2108 	case sCompression:
2109 		return fmt_multistate_int(val, multistate_compression);
2110 	case sUsePrivilegeSeparation:
2111 		return fmt_multistate_int(val, multistate_privsep);
2112 	case sAllowTcpForwarding:
2113 		return fmt_multistate_int(val, multistate_tcpfwd);
2114 	case sAllowStreamLocalForwarding:
2115 		return fmt_multistate_int(val, multistate_tcpfwd);
2116 	case sFingerprintHash:
2117 		return ssh_digest_alg_name(val);
2118 	case sProtocol:
2119 		switch (val) {
2120 		case SSH_PROTO_1:
2121 			return "1";
2122 		case SSH_PROTO_2:
2123 			return "2";
2124 		case (SSH_PROTO_1|SSH_PROTO_2):
2125 			return "2,1";
2126 		default:
2127 			return "UNKNOWN";
2128 		}
2129 	default:
2130 		switch (val) {
2131 		case 0:
2132 			return "no";
2133 		case 1:
2134 			return "yes";
2135 		default:
2136 			return "UNKNOWN";
2137 		}
2138 	}
2139 }
2140 
2141 static const char *
2142 lookup_opcode_name(ServerOpCodes code)
2143 {
2144 	u_int i;
2145 
2146 	for (i = 0; keywords[i].name != NULL; i++)
2147 		if (keywords[i].opcode == code)
2148 			return(keywords[i].name);
2149 	return "UNKNOWN";
2150 }
2151 
2152 static void
2153 dump_cfg_int(ServerOpCodes code, int val)
2154 {
2155 	printf("%s %d\n", lookup_opcode_name(code), val);
2156 }
2157 
2158 static void
2159 dump_cfg_oct(ServerOpCodes code, int val)
2160 {
2161 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2162 }
2163 
2164 static void
2165 dump_cfg_fmtint(ServerOpCodes code, int val)
2166 {
2167 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2168 }
2169 
2170 static void
2171 dump_cfg_string(ServerOpCodes code, const char *val)
2172 {
2173 	if (val == NULL)
2174 		return;
2175 	printf("%s %s\n", lookup_opcode_name(code),
2176 	    val == NULL ? "none" : val);
2177 }
2178 
2179 static void
2180 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2181 {
2182 	u_int i;
2183 
2184 	for (i = 0; i < count; i++)
2185 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2186 }
2187 
2188 static void
2189 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2190 {
2191 	u_int i;
2192 
2193 	if (count <= 0)
2194 		return;
2195 	printf("%s", lookup_opcode_name(code));
2196 	for (i = 0; i < count; i++)
2197 		printf(" %s",  vals[i]);
2198 	printf("\n");
2199 }
2200 
2201 void
2202 dump_config(ServerOptions *o)
2203 {
2204 	u_int i;
2205 	int ret;
2206 	struct addrinfo *ai;
2207 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2208 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2209 
2210 	/* these are usually at the top of the config */
2211 	for (i = 0; i < o->num_ports; i++)
2212 		printf("port %d\n", o->ports[i]);
2213 	dump_cfg_fmtint(sProtocol, o->protocol);
2214 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2215 
2216 	/*
2217 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2218 	 * addresses onto a stack, so to maintain ordering we need to
2219 	 * print these in reverse order.
2220 	 */
2221 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2222 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2223 		    sizeof(addr), port, sizeof(port),
2224 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2225 			error("getnameinfo failed: %.100s",
2226 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2227 			    strerror(errno));
2228 		} else {
2229 			laddr2 = laddr1;
2230 			if (ai->ai_family == AF_INET6)
2231 				xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2232 				    addr, port, laddr2);
2233 			else
2234 				xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2235 				    addr, port, laddr2);
2236 			free(laddr2);
2237 		}
2238 	}
2239 	printf("%s", laddr1);
2240 	free(laddr1);
2241 
2242 	/* integer arguments */
2243 #ifdef USE_PAM
2244 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2245 #endif
2246 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
2247 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2248 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2249 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2250 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2251 	dump_cfg_int(sMaxSessions, o->max_sessions);
2252 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2253 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2254 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2255 
2256 	/* formatted integer arguments */
2257 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2258 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2259 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2260 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2261 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2262 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2263 	    o->hostbased_uses_name_from_packet_only);
2264 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2265 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2266 #ifdef KRB5
2267 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2268 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2269 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2270 # ifdef USE_AFS
2271 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2272 # endif
2273 #endif
2274 #ifdef GSSAPI
2275 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2276 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2277 #endif
2278 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2279 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2280 	    o->kbd_interactive_authentication);
2281 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2282 	    o->challenge_response_authentication);
2283 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2284 #ifndef DISABLE_LASTLOG
2285 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2286 #endif
2287 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2288 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2289 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2290 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2291 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2292 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2293 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2294 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2295 	dump_cfg_fmtint(sUseLogin, o->use_login);
2296 	dump_cfg_fmtint(sCompression, o->compression);
2297 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2298 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2299 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2300 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2301 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2302 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2303 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2304 
2305 	/* string arguments */
2306 	dump_cfg_string(sPidFile, o->pid_file);
2307 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2308 	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2309 	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2310 	dump_cfg_string(sBanner, o->banner);
2311 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2312 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2313 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2314 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2315 	dump_cfg_string(sAuthorizedPrincipalsFile,
2316 	    o->authorized_principals_file);
2317 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2318 	    ? "none" : o->version_addendum);
2319 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2320 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2321 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2322 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2323 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2324 	dump_cfg_string(sKexAlgorithms,
2325 	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2326 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2327 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2328 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2329 	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2330 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2331 	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2332 
2333 	/* string arguments requiring a lookup */
2334 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2335 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2336 
2337 	/* string array arguments */
2338 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2339 	    o->authorized_keys_files);
2340 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2341 	     o->host_key_files);
2342 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2343 	     o->host_cert_files);
2344 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2345 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2346 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2347 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2348 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2349 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2350 	    o->num_auth_methods, o->auth_methods);
2351 
2352 	/* other arguments */
2353 	for (i = 0; i < o->num_subsystems; i++)
2354 		printf("subsystem %s %s\n", o->subsystem_name[i],
2355 		    o->subsystem_args[i]);
2356 
2357 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2358 	    o->max_startups_rate, o->max_startups);
2359 
2360 	for (i = 0; tunmode_desc[i].val != -1; i++)
2361 		if (tunmode_desc[i].val == o->permit_tun) {
2362 			s = tunmode_desc[i].text;
2363 			break;
2364 		}
2365 	dump_cfg_string(sPermitTunnel, s);
2366 
2367 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2368 	printf("%s\n", iptos2str(o->ip_qos_bulk));
2369 
2370 	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2371 	    o->rekey_interval);
2372 
2373 	channel_print_adm_permitted_opens();
2374 }
2375