xref: /freebsd/crypto/openssh/servconf.c (revision b1d046441de9053152c7cf03d6b60d9882687e1b)
1 /* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
2 /* $FreeBSD$ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 __RCSID("$FreeBSD$");
16 
17 #include <sys/types.h>
18 #include <sys/socket.h>
19 
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
23 
24 #include <netdb.h>
25 #include <pwd.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <signal.h>
30 #include <unistd.h>
31 #include <stdarg.h>
32 #include <errno.h>
33 
34 #include "openbsd-compat/sys-queue.h"
35 #include "xmalloc.h"
36 #include "ssh.h"
37 #include "log.h"
38 #include "buffer.h"
39 #include "servconf.h"
40 #include "compat.h"
41 #include "pathnames.h"
42 #include "misc.h"
43 #include "cipher.h"
44 #include "key.h"
45 #include "kex.h"
46 #include "mac.h"
47 #include "match.h"
48 #include "channels.h"
49 #include "groupaccess.h"
50 #include "version.h"
51 
52 static void add_listen_addr(ServerOptions *, char *, int);
53 static void add_one_listen_addr(ServerOptions *, char *, int);
54 
55 /* Use of privilege separation or not */
56 extern int use_privsep;
57 extern Buffer cfg;
58 
59 /* Initializes the server options to their default values. */
60 
61 void
62 initialize_server_options(ServerOptions *options)
63 {
64 	memset(options, 0, sizeof(*options));
65 
66 	/* Portable-specific options */
67 	options->use_pam = -1;
68 
69 	/* Standard Options */
70 	options->num_ports = 0;
71 	options->ports_from_cmdline = 0;
72 	options->listen_addrs = NULL;
73 	options->address_family = -1;
74 	options->num_host_key_files = 0;
75 	options->num_host_cert_files = 0;
76 	options->pid_file = NULL;
77 	options->server_key_bits = -1;
78 	options->login_grace_time = -1;
79 	options->key_regeneration_time = -1;
80 	options->permit_root_login = PERMIT_NOT_SET;
81 	options->ignore_rhosts = -1;
82 	options->ignore_user_known_hosts = -1;
83 	options->print_motd = -1;
84 	options->print_lastlog = -1;
85 	options->x11_forwarding = -1;
86 	options->x11_display_offset = -1;
87 	options->x11_use_localhost = -1;
88 	options->xauth_location = NULL;
89 	options->strict_modes = -1;
90 	options->tcp_keep_alive = -1;
91 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
92 	options->log_level = SYSLOG_LEVEL_NOT_SET;
93 	options->rhosts_rsa_authentication = -1;
94 	options->hostbased_authentication = -1;
95 	options->hostbased_uses_name_from_packet_only = -1;
96 	options->rsa_authentication = -1;
97 	options->pubkey_authentication = -1;
98 	options->kerberos_authentication = -1;
99 	options->kerberos_or_local_passwd = -1;
100 	options->kerberos_ticket_cleanup = -1;
101 	options->kerberos_get_afs_token = -1;
102 	options->gss_authentication=-1;
103 	options->gss_cleanup_creds = -1;
104 	options->password_authentication = -1;
105 	options->kbd_interactive_authentication = -1;
106 	options->challenge_response_authentication = -1;
107 	options->permit_empty_passwd = -1;
108 	options->permit_user_env = -1;
109 	options->use_login = -1;
110 	options->compression = -1;
111 	options->allow_tcp_forwarding = -1;
112 	options->allow_agent_forwarding = -1;
113 	options->num_allow_users = 0;
114 	options->num_deny_users = 0;
115 	options->num_allow_groups = 0;
116 	options->num_deny_groups = 0;
117 	options->ciphers = NULL;
118 	options->macs = NULL;
119 	options->kex_algorithms = NULL;
120 	options->protocol = SSH_PROTO_UNKNOWN;
121 	options->gateway_ports = -1;
122 	options->num_subsystems = 0;
123 	options->max_startups_begin = -1;
124 	options->max_startups_rate = -1;
125 	options->max_startups = -1;
126 	options->max_authtries = -1;
127 	options->max_sessions = -1;
128 	options->banner = NULL;
129 	options->use_dns = -1;
130 	options->client_alive_interval = -1;
131 	options->client_alive_count_max = -1;
132 	options->num_authkeys_files = 0;
133 	options->num_accept_env = 0;
134 	options->permit_tun = -1;
135 	options->num_permitted_opens = -1;
136 	options->adm_forced_command = NULL;
137 	options->chroot_directory = NULL;
138 	options->zero_knowledge_password_authentication = -1;
139 	options->revoked_keys_file = NULL;
140 	options->trusted_user_ca_keys = NULL;
141 	options->authorized_principals_file = NULL;
142 	options->ip_qos_interactive = -1;
143 	options->ip_qos_bulk = -1;
144 	options->hpn_disabled = -1;
145 	options->hpn_buffer_size = -1;
146 	options->tcp_rcv_buf_poll = -1;
147 #ifdef	NONE_CIPHER_ENABLED
148 	options->none_enabled = -1;
149 #endif
150 }
151 
152 void
153 fill_default_server_options(ServerOptions *options)
154 {
155 	/* Portable-specific options */
156 	if (options->use_pam == -1)
157 		options->use_pam = 1;
158 
159 	/* Standard Options */
160 	if (options->protocol == SSH_PROTO_UNKNOWN)
161 		options->protocol = SSH_PROTO_2;
162 	if (options->num_host_key_files == 0) {
163 		/* fill default hostkeys for protocols */
164 		if (options->protocol & SSH_PROTO_1)
165 			options->host_key_files[options->num_host_key_files++] =
166 			    _PATH_HOST_KEY_FILE;
167 		if (options->protocol & SSH_PROTO_2) {
168 			options->host_key_files[options->num_host_key_files++] =
169                             _PATH_HOST_RSA_KEY_FILE;
170 			options->host_key_files[options->num_host_key_files++] =
171 			    _PATH_HOST_DSA_KEY_FILE;
172 #ifdef OPENSSL_HAS_ECC
173 			options->host_key_files[options->num_host_key_files++] =
174 			    _PATH_HOST_ECDSA_KEY_FILE;
175 #endif
176 		}
177 	}
178 	/* No certificates by default */
179 	if (options->num_ports == 0)
180 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
181 	if (options->listen_addrs == NULL)
182 		add_listen_addr(options, NULL, 0);
183 	if (options->pid_file == NULL)
184 		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
185 	if (options->server_key_bits == -1)
186 		options->server_key_bits = 1024;
187 	if (options->login_grace_time == -1)
188 		options->login_grace_time = 120;
189 	if (options->key_regeneration_time == -1)
190 		options->key_regeneration_time = 3600;
191 	if (options->permit_root_login == PERMIT_NOT_SET)
192 		options->permit_root_login = PERMIT_NO;
193 	if (options->ignore_rhosts == -1)
194 		options->ignore_rhosts = 1;
195 	if (options->ignore_user_known_hosts == -1)
196 		options->ignore_user_known_hosts = 0;
197 	if (options->print_motd == -1)
198 		options->print_motd = 1;
199 	if (options->print_lastlog == -1)
200 		options->print_lastlog = 1;
201 	if (options->x11_forwarding == -1)
202 		options->x11_forwarding = 1;
203 	if (options->x11_display_offset == -1)
204 		options->x11_display_offset = 10;
205 	if (options->x11_use_localhost == -1)
206 		options->x11_use_localhost = 1;
207 	if (options->xauth_location == NULL)
208 		options->xauth_location = _PATH_XAUTH;
209 	if (options->strict_modes == -1)
210 		options->strict_modes = 1;
211 	if (options->tcp_keep_alive == -1)
212 		options->tcp_keep_alive = 1;
213 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
214 		options->log_facility = SYSLOG_FACILITY_AUTH;
215 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
216 		options->log_level = SYSLOG_LEVEL_INFO;
217 	if (options->rhosts_rsa_authentication == -1)
218 		options->rhosts_rsa_authentication = 0;
219 	if (options->hostbased_authentication == -1)
220 		options->hostbased_authentication = 0;
221 	if (options->hostbased_uses_name_from_packet_only == -1)
222 		options->hostbased_uses_name_from_packet_only = 0;
223 	if (options->rsa_authentication == -1)
224 		options->rsa_authentication = 1;
225 	if (options->pubkey_authentication == -1)
226 		options->pubkey_authentication = 1;
227 	if (options->kerberos_authentication == -1)
228 		options->kerberos_authentication = 0;
229 	if (options->kerberos_or_local_passwd == -1)
230 		options->kerberos_or_local_passwd = 1;
231 	if (options->kerberos_ticket_cleanup == -1)
232 		options->kerberos_ticket_cleanup = 1;
233 	if (options->kerberos_get_afs_token == -1)
234 		options->kerberos_get_afs_token = 0;
235 	if (options->gss_authentication == -1)
236 		options->gss_authentication = 0;
237 	if (options->gss_cleanup_creds == -1)
238 		options->gss_cleanup_creds = 1;
239 	if (options->password_authentication == -1)
240 		options->password_authentication = 0;
241 	if (options->kbd_interactive_authentication == -1)
242 		options->kbd_interactive_authentication = 0;
243 	if (options->challenge_response_authentication == -1)
244 		options->challenge_response_authentication = 1;
245 	if (options->permit_empty_passwd == -1)
246 		options->permit_empty_passwd = 0;
247 	if (options->permit_user_env == -1)
248 		options->permit_user_env = 0;
249 	if (options->use_login == -1)
250 		options->use_login = 0;
251 	if (options->compression == -1)
252 		options->compression = COMP_DELAYED;
253 	if (options->allow_tcp_forwarding == -1)
254 		options->allow_tcp_forwarding = 1;
255 	if (options->allow_agent_forwarding == -1)
256 		options->allow_agent_forwarding = 1;
257 	if (options->gateway_ports == -1)
258 		options->gateway_ports = 0;
259 	if (options->max_startups == -1)
260 		options->max_startups = 10;
261 	if (options->max_startups_rate == -1)
262 		options->max_startups_rate = 100;		/* 100% */
263 	if (options->max_startups_begin == -1)
264 		options->max_startups_begin = options->max_startups;
265 	if (options->max_authtries == -1)
266 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
267 	if (options->max_sessions == -1)
268 		options->max_sessions = DEFAULT_SESSIONS_MAX;
269 	if (options->use_dns == -1)
270 		options->use_dns = 1;
271 	if (options->client_alive_interval == -1)
272 		options->client_alive_interval = 0;
273 	if (options->client_alive_count_max == -1)
274 		options->client_alive_count_max = 3;
275 	if (options->num_authkeys_files == 0) {
276 		options->authorized_keys_files[options->num_authkeys_files++] =
277 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
278 		options->authorized_keys_files[options->num_authkeys_files++] =
279 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
280 	}
281 	if (options->permit_tun == -1)
282 		options->permit_tun = SSH_TUNMODE_NO;
283 	if (options->zero_knowledge_password_authentication == -1)
284 		options->zero_knowledge_password_authentication = 0;
285 	if (options->ip_qos_interactive == -1)
286 		options->ip_qos_interactive = IPTOS_LOWDELAY;
287 	if (options->ip_qos_bulk == -1)
288 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
289 	if (options->hpn_disabled == -1)
290 		options->hpn_disabled = 0;
291 	if (options->hpn_buffer_size == -1) {
292 		/*
293 		 * HPN buffer size option not explicitly set.  Try to figure
294 		 * out what value to use or resort to default.
295 		 */
296 		options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
297 		if (!options->hpn_disabled) {
298 			sock_get_rcvbuf(&options->hpn_buffer_size, 0);
299 			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
300 		}
301 	} else {
302 		/*
303 		 * In the case that the user sets both values in a
304 		 * contradictory manner hpn_disabled overrrides hpn_buffer_size.
305 		 */
306 		if (options->hpn_disabled <= 0) {
307 			u_int maxlen;
308 
309 			maxlen = buffer_get_max_len();
310 			if (options->hpn_buffer_size == 0)
311 				options->hpn_buffer_size = 1;
312 			/* Limit the maximum buffer to BUFFER_MAX_LEN. */
313 			if (options->hpn_buffer_size > maxlen / 1024)
314 				options->hpn_buffer_size = maxlen;
315 			else
316 				options->hpn_buffer_size *= 1024;
317 		} else
318 			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
319 	}
320 
321 	/* Turn privilege separation on by default */
322 	if (use_privsep == -1)
323 		use_privsep = PRIVSEP_ON;
324 
325 #ifndef HAVE_MMAP
326 	if (use_privsep && options->compression == 1) {
327 		error("This platform does not support both privilege "
328 		    "separation and compression");
329 		error("Compression disabled");
330 		options->compression = 0;
331 	}
332 #endif
333 
334 }
335 
336 /* Keyword tokens. */
337 typedef enum {
338 	sBadOption,		/* == unknown option */
339 	/* Portable-specific options */
340 	sUsePAM,
341 	/* Standard Options */
342 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
343 	sPermitRootLogin, sLogFacility, sLogLevel,
344 	sRhostsRSAAuthentication, sRSAAuthentication,
345 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
346 	sKerberosGetAFSToken,
347 	sKerberosTgtPassing, sChallengeResponseAuthentication,
348 	sPasswordAuthentication, sKbdInteractiveAuthentication,
349 	sListenAddress, sAddressFamily,
350 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
351 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
352 	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
353 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
354 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
355 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
356 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
357 	sMaxStartups, sMaxAuthTries, sMaxSessions,
358 	sBanner, sUseDNS, sHostbasedAuthentication,
359 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
360 	sClientAliveCountMax, sAuthorizedKeysFile,
361 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
362 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
363 	sUsePrivilegeSeparation, sAllowAgentForwarding,
364 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
365 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
366 	sKexAlgorithms, sIPQoS,
367 	sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
368 #ifdef NONE_CIPHER_ENABLED
369 	sNoneEnabled,
370 #endif
371 	sVersionAddendum,
372 	sDeprecated, sUnsupported
373 } ServerOpCodes;
374 
375 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
376 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
377 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
378 
379 /* Textual representation of the tokens. */
380 static struct {
381 	const char *name;
382 	ServerOpCodes opcode;
383 	u_int flags;
384 } keywords[] = {
385 	/* Portable-specific options */
386 #ifdef USE_PAM
387 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
388 #else
389 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
390 #endif
391 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
392 	/* Standard Options */
393 	{ "port", sPort, SSHCFG_GLOBAL },
394 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
395 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
396 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
397 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
398 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
399 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
400 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
401 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
402 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
403 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
404 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
405 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
406 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
407 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
408 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
409 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
410 #ifdef KRB5
411 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
412 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
413 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
414 #ifdef USE_AFS
415 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
416 #else
417 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
418 #endif
419 #else
420 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
421 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
422 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
423 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
424 #endif
425 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
426 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
427 #ifdef GSSAPI
428 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
429 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
430 #else
431 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
432 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
433 #endif
434 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
435 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
436 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
437 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
438 #ifdef JPAKE
439 	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
440 #else
441 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
442 #endif
443 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
444 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
445 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
446 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
447 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
448 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
449 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
450 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
451 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
452 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
453 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
454 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
455 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
456 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
457 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
458 	{ "compression", sCompression, SSHCFG_GLOBAL },
459 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
460 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
461 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
462 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
463 	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
464 	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
465 	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
466 	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
467 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
468 	{ "macs", sMacs, SSHCFG_GLOBAL },
469 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
470 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
471 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
472 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
473 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
474 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
475 	{ "banner", sBanner, SSHCFG_ALL },
476 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
477 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
478 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
479 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
480 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
481 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
482 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
483 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
484 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
485 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
486 	{ "match", sMatch, SSHCFG_ALL },
487 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
488 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
489 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
490 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
491 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
492 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
493 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
494 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
495 	{ "ipqos", sIPQoS, SSHCFG_ALL },
496 	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
497 	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
498 	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
499 #ifdef NONE_CIPHER_ENABLED
500 	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
501 #endif
502 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
503 	{ NULL, sBadOption, 0 }
504 };
505 
506 static struct {
507 	int val;
508 	char *text;
509 } tunmode_desc[] = {
510 	{ SSH_TUNMODE_NO, "no" },
511 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
512 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
513 	{ SSH_TUNMODE_YES, "yes" },
514 	{ -1, NULL }
515 };
516 
517 /*
518  * Returns the number of the token pointed to by cp or sBadOption.
519  */
520 
521 static ServerOpCodes
522 parse_token(const char *cp, const char *filename,
523 	    int linenum, u_int *flags)
524 {
525 	u_int i;
526 
527 	for (i = 0; keywords[i].name; i++)
528 		if (strcasecmp(cp, keywords[i].name) == 0) {
529 			*flags = keywords[i].flags;
530 			return keywords[i].opcode;
531 		}
532 
533 	error("%s: line %d: Bad configuration option: %s",
534 	    filename, linenum, cp);
535 	return sBadOption;
536 }
537 
538 char *
539 derelativise_path(const char *path)
540 {
541 	char *expanded, *ret, cwd[MAXPATHLEN];
542 
543 	expanded = tilde_expand_filename(path, getuid());
544 	if (*expanded == '/')
545 		return expanded;
546 	if (getcwd(cwd, sizeof(cwd)) == NULL)
547 		fatal("%s: getcwd: %s", __func__, strerror(errno));
548 	xasprintf(&ret, "%s/%s", cwd, expanded);
549 	xfree(expanded);
550 	return ret;
551 }
552 
553 static void
554 add_listen_addr(ServerOptions *options, char *addr, int port)
555 {
556 	u_int i;
557 
558 	if (options->num_ports == 0)
559 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
560 	if (options->address_family == -1)
561 		options->address_family = AF_UNSPEC;
562 	if (port == 0)
563 		for (i = 0; i < options->num_ports; i++)
564 			add_one_listen_addr(options, addr, options->ports[i]);
565 	else
566 		add_one_listen_addr(options, addr, port);
567 }
568 
569 static void
570 add_one_listen_addr(ServerOptions *options, char *addr, int port)
571 {
572 	struct addrinfo hints, *ai, *aitop;
573 	char strport[NI_MAXSERV];
574 	int gaierr;
575 
576 	memset(&hints, 0, sizeof(hints));
577 	hints.ai_family = options->address_family;
578 	hints.ai_socktype = SOCK_STREAM;
579 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
580 	snprintf(strport, sizeof strport, "%d", port);
581 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
582 		fatal("bad addr or host: %s (%s)",
583 		    addr ? addr : "<NULL>",
584 		    ssh_gai_strerror(gaierr));
585 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
586 		;
587 	ai->ai_next = options->listen_addrs;
588 	options->listen_addrs = aitop;
589 }
590 
591 /*
592  * The strategy for the Match blocks is that the config file is parsed twice.
593  *
594  * The first time is at startup.  activep is initialized to 1 and the
595  * directives in the global context are processed and acted on.  Hitting a
596  * Match directive unsets activep and the directives inside the block are
597  * checked for syntax only.
598  *
599  * The second time is after a connection has been established but before
600  * authentication.  activep is initialized to 2 and global config directives
601  * are ignored since they have already been processed.  If the criteria in a
602  * Match block is met, activep is set and the subsequent directives
603  * processed and actioned until EOF or another Match block unsets it.  Any
604  * options set are copied into the main server config.
605  *
606  * Potential additions/improvements:
607  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
608  *
609  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
610  *	Match Address 192.168.0.*
611  *		Tag trusted
612  *	Match Group wheel
613  *		Tag trusted
614  *	Match Tag trusted
615  *		AllowTcpForwarding yes
616  *		GatewayPorts clientspecified
617  *		[...]
618  *
619  *  - Add a PermittedChannelRequests directive
620  *	Match Group shell
621  *		PermittedChannelRequests session,forwarded-tcpip
622  */
623 
624 static int
625 match_cfg_line_group(const char *grps, int line, const char *user)
626 {
627 	int result = 0;
628 	struct passwd *pw;
629 
630 	if (user == NULL)
631 		goto out;
632 
633 	if ((pw = getpwnam(user)) == NULL) {
634 		debug("Can't match group at line %d because user %.100s does "
635 		    "not exist", line, user);
636 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
637 		debug("Can't Match group because user %.100s not in any group "
638 		    "at line %d", user, line);
639 	} else if (ga_match_pattern_list(grps) != 1) {
640 		debug("user %.100s does not match group list %.100s at line %d",
641 		    user, grps, line);
642 	} else {
643 		debug("user %.100s matched group list %.100s at line %d", user,
644 		    grps, line);
645 		result = 1;
646 	}
647 out:
648 	ga_free();
649 	return result;
650 }
651 
652 static int
653 match_cfg_line(char **condition, int line, const char *user, const char *host,
654     const char *address)
655 {
656 	int result = 1;
657 	char *arg, *attrib, *cp = *condition;
658 	size_t len;
659 
660 	if (user == NULL)
661 		debug3("checking syntax for 'Match %s'", cp);
662 	else
663 		debug3("checking match for '%s' user %s host %s addr %s", cp,
664 		    user ? user : "(null)", host ? host : "(null)",
665 		    address ? address : "(null)");
666 
667 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
668 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
669 			error("Missing Match criteria for %s", attrib);
670 			return -1;
671 		}
672 		len = strlen(arg);
673 		if (strcasecmp(attrib, "user") == 0) {
674 			if (!user) {
675 				result = 0;
676 				continue;
677 			}
678 			if (match_pattern_list(user, arg, len, 0) != 1)
679 				result = 0;
680 			else
681 				debug("user %.100s matched 'User %.100s' at "
682 				    "line %d", user, arg, line);
683 		} else if (strcasecmp(attrib, "group") == 0) {
684 			switch (match_cfg_line_group(arg, line, user)) {
685 			case -1:
686 				return -1;
687 			case 0:
688 				result = 0;
689 			}
690 		} else if (strcasecmp(attrib, "host") == 0) {
691 			if (!host) {
692 				result = 0;
693 				continue;
694 			}
695 			if (match_hostname(host, arg, len) != 1)
696 				result = 0;
697 			else
698 				debug("connection from %.100s matched 'Host "
699 				    "%.100s' at line %d", host, arg, line);
700 		} else if (strcasecmp(attrib, "address") == 0) {
701 			switch (addr_match_list(address, arg)) {
702 			case 1:
703 				debug("connection from %.100s matched 'Address "
704 				    "%.100s' at line %d", address, arg, line);
705 				break;
706 			case 0:
707 			case -1:
708 				result = 0;
709 				break;
710 			case -2:
711 				return -1;
712 			}
713 		} else {
714 			error("Unsupported Match attribute %s", attrib);
715 			return -1;
716 		}
717 	}
718 	if (user != NULL)
719 		debug3("match %sfound", result ? "" : "not ");
720 	*condition = cp;
721 	return result;
722 }
723 
724 #define WHITESPACE " \t\r\n"
725 
726 /* Multistate option parsing */
727 struct multistate {
728 	char *key;
729 	int value;
730 };
731 static const struct multistate multistate_addressfamily[] = {
732 	{ "inet",			AF_INET },
733 	{ "inet6",			AF_INET6 },
734 	{ "any",			AF_UNSPEC },
735 	{ NULL, -1 }
736 };
737 static const struct multistate multistate_permitrootlogin[] = {
738 	{ "without-password",		PERMIT_NO_PASSWD },
739 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
740 	{ "yes",			PERMIT_YES },
741 	{ "no",				PERMIT_NO },
742 	{ NULL, -1 }
743 };
744 static const struct multistate multistate_compression[] = {
745 	{ "delayed",			COMP_DELAYED },
746 	{ "yes",			COMP_ZLIB },
747 	{ "no",				COMP_NONE },
748 	{ NULL, -1 }
749 };
750 static const struct multistate multistate_gatewayports[] = {
751 	{ "clientspecified",		2 },
752 	{ "yes",			1 },
753 	{ "no",				0 },
754 	{ NULL, -1 }
755 };
756 static const struct multistate multistate_privsep[] = {
757 	{ "sandbox",			PRIVSEP_SANDBOX },
758 	{ "yes",			PRIVSEP_ON },
759 	{ "no",				PRIVSEP_OFF },
760 	{ NULL, -1 }
761 };
762 
763 int
764 process_server_config_line(ServerOptions *options, char *line,
765     const char *filename, int linenum, int *activep, const char *user,
766     const char *host, const char *address)
767 {
768 	char *cp, **charptr, *arg, *p;
769 	int cmdline = 0, *intptr, value, value2, n;
770 	SyslogFacility *log_facility_ptr;
771 	LogLevel *log_level_ptr;
772 	ServerOpCodes opcode;
773 	int port;
774 	u_int i, flags = 0;
775 	size_t len;
776 	const struct multistate *multistate_ptr;
777 
778 	cp = line;
779 	if ((arg = strdelim(&cp)) == NULL)
780 		return 0;
781 	/* Ignore leading whitespace */
782 	if (*arg == '\0')
783 		arg = strdelim(&cp);
784 	if (!arg || !*arg || *arg == '#')
785 		return 0;
786 	intptr = NULL;
787 	charptr = NULL;
788 	opcode = parse_token(arg, filename, linenum, &flags);
789 
790 	if (activep == NULL) { /* We are processing a command line directive */
791 		cmdline = 1;
792 		activep = &cmdline;
793 	}
794 	if (*activep && opcode != sMatch)
795 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
796 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
797 		if (user == NULL) {
798 			fatal("%s line %d: Directive '%s' is not allowed "
799 			    "within a Match block", filename, linenum, arg);
800 		} else { /* this is a directive we have already processed */
801 			while (arg)
802 				arg = strdelim(&cp);
803 			return 0;
804 		}
805 	}
806 
807 	switch (opcode) {
808 	/* Portable-specific options */
809 	case sUsePAM:
810 		intptr = &options->use_pam;
811 		goto parse_flag;
812 
813 	/* Standard Options */
814 	case sBadOption:
815 		return -1;
816 	case sPort:
817 		/* ignore ports from configfile if cmdline specifies ports */
818 		if (options->ports_from_cmdline)
819 			return 0;
820 		if (options->listen_addrs != NULL)
821 			fatal("%s line %d: ports must be specified before "
822 			    "ListenAddress.", filename, linenum);
823 		if (options->num_ports >= MAX_PORTS)
824 			fatal("%s line %d: too many ports.",
825 			    filename, linenum);
826 		arg = strdelim(&cp);
827 		if (!arg || *arg == '\0')
828 			fatal("%s line %d: missing port number.",
829 			    filename, linenum);
830 		options->ports[options->num_ports++] = a2port(arg);
831 		if (options->ports[options->num_ports-1] <= 0)
832 			fatal("%s line %d: Badly formatted port number.",
833 			    filename, linenum);
834 		break;
835 
836 	case sServerKeyBits:
837 		intptr = &options->server_key_bits;
838  parse_int:
839 		arg = strdelim(&cp);
840 		if (!arg || *arg == '\0')
841 			fatal("%s line %d: missing integer value.",
842 			    filename, linenum);
843 		value = atoi(arg);
844 		if (*activep && *intptr == -1)
845 			*intptr = value;
846 		break;
847 
848 	case sLoginGraceTime:
849 		intptr = &options->login_grace_time;
850  parse_time:
851 		arg = strdelim(&cp);
852 		if (!arg || *arg == '\0')
853 			fatal("%s line %d: missing time value.",
854 			    filename, linenum);
855 		if ((value = convtime(arg)) == -1)
856 			fatal("%s line %d: invalid time value.",
857 			    filename, linenum);
858 		if (*intptr == -1)
859 			*intptr = value;
860 		break;
861 
862 	case sKeyRegenerationTime:
863 		intptr = &options->key_regeneration_time;
864 		goto parse_time;
865 
866 	case sListenAddress:
867 		arg = strdelim(&cp);
868 		if (arg == NULL || *arg == '\0')
869 			fatal("%s line %d: missing address",
870 			    filename, linenum);
871 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
872 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
873 		    && strchr(p+1, ':') != NULL) {
874 			add_listen_addr(options, arg, 0);
875 			break;
876 		}
877 		p = hpdelim(&arg);
878 		if (p == NULL)
879 			fatal("%s line %d: bad address:port usage",
880 			    filename, linenum);
881 		p = cleanhostname(p);
882 		if (arg == NULL)
883 			port = 0;
884 		else if ((port = a2port(arg)) <= 0)
885 			fatal("%s line %d: bad port number", filename, linenum);
886 
887 		add_listen_addr(options, p, port);
888 
889 		break;
890 
891 	case sAddressFamily:
892 		intptr = &options->address_family;
893 		multistate_ptr = multistate_addressfamily;
894 		if (options->listen_addrs != NULL)
895 			fatal("%s line %d: address family must be specified "
896 			    "before ListenAddress.", filename, linenum);
897  parse_multistate:
898 		arg = strdelim(&cp);
899 		if (!arg || *arg == '\0')
900 			fatal("%s line %d: missing argument.",
901 			    filename, linenum);
902 		value = -1;
903 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
904 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
905 				value = multistate_ptr[i].value;
906 				break;
907 			}
908 		}
909 		if (value == -1)
910 			fatal("%s line %d: unsupported option \"%s\".",
911 			    filename, linenum, arg);
912 		if (*activep && *intptr == -1)
913 			*intptr = value;
914 		break;
915 
916 	case sHostKeyFile:
917 		intptr = &options->num_host_key_files;
918 		if (*intptr >= MAX_HOSTKEYS)
919 			fatal("%s line %d: too many host keys specified (max %d).",
920 			    filename, linenum, MAX_HOSTKEYS);
921 		charptr = &options->host_key_files[*intptr];
922  parse_filename:
923 		arg = strdelim(&cp);
924 		if (!arg || *arg == '\0')
925 			fatal("%s line %d: missing file name.",
926 			    filename, linenum);
927 		if (*activep && *charptr == NULL) {
928 			*charptr = derelativise_path(arg);
929 			/* increase optional counter */
930 			if (intptr != NULL)
931 				*intptr = *intptr + 1;
932 		}
933 		break;
934 
935 	case sHostCertificate:
936 		intptr = &options->num_host_cert_files;
937 		if (*intptr >= MAX_HOSTKEYS)
938 			fatal("%s line %d: too many host certificates "
939 			    "specified (max %d).", filename, linenum,
940 			    MAX_HOSTCERTS);
941 		charptr = &options->host_cert_files[*intptr];
942 		goto parse_filename;
943 		break;
944 
945 	case sPidFile:
946 		charptr = &options->pid_file;
947 		goto parse_filename;
948 
949 	case sPermitRootLogin:
950 		intptr = &options->permit_root_login;
951 		multistate_ptr = multistate_permitrootlogin;
952 		goto parse_multistate;
953 
954 	case sIgnoreRhosts:
955 		intptr = &options->ignore_rhosts;
956  parse_flag:
957 		arg = strdelim(&cp);
958 		if (!arg || *arg == '\0')
959 			fatal("%s line %d: missing yes/no argument.",
960 			    filename, linenum);
961 		value = 0;	/* silence compiler */
962 		if (strcmp(arg, "yes") == 0)
963 			value = 1;
964 		else if (strcmp(arg, "no") == 0)
965 			value = 0;
966 		else
967 			fatal("%s line %d: Bad yes/no argument: %s",
968 				filename, linenum, arg);
969 		if (*activep && *intptr == -1)
970 			*intptr = value;
971 		break;
972 
973 	case sIgnoreUserKnownHosts:
974 		intptr = &options->ignore_user_known_hosts;
975 		goto parse_flag;
976 
977 	case sRhostsRSAAuthentication:
978 		intptr = &options->rhosts_rsa_authentication;
979 		goto parse_flag;
980 
981 	case sHostbasedAuthentication:
982 		intptr = &options->hostbased_authentication;
983 		goto parse_flag;
984 
985 	case sHostbasedUsesNameFromPacketOnly:
986 		intptr = &options->hostbased_uses_name_from_packet_only;
987 		goto parse_flag;
988 
989 	case sRSAAuthentication:
990 		intptr = &options->rsa_authentication;
991 		goto parse_flag;
992 
993 	case sPubkeyAuthentication:
994 		intptr = &options->pubkey_authentication;
995 		goto parse_flag;
996 
997 	case sKerberosAuthentication:
998 		intptr = &options->kerberos_authentication;
999 		goto parse_flag;
1000 
1001 	case sKerberosOrLocalPasswd:
1002 		intptr = &options->kerberos_or_local_passwd;
1003 		goto parse_flag;
1004 
1005 	case sKerberosTicketCleanup:
1006 		intptr = &options->kerberos_ticket_cleanup;
1007 		goto parse_flag;
1008 
1009 	case sKerberosGetAFSToken:
1010 		intptr = &options->kerberos_get_afs_token;
1011 		goto parse_flag;
1012 
1013 	case sGssAuthentication:
1014 		intptr = &options->gss_authentication;
1015 		goto parse_flag;
1016 
1017 	case sGssCleanupCreds:
1018 		intptr = &options->gss_cleanup_creds;
1019 		goto parse_flag;
1020 
1021 	case sPasswordAuthentication:
1022 		intptr = &options->password_authentication;
1023 		goto parse_flag;
1024 
1025 	case sZeroKnowledgePasswordAuthentication:
1026 		intptr = &options->zero_knowledge_password_authentication;
1027 		goto parse_flag;
1028 
1029 	case sKbdInteractiveAuthentication:
1030 		intptr = &options->kbd_interactive_authentication;
1031 		goto parse_flag;
1032 
1033 	case sChallengeResponseAuthentication:
1034 		intptr = &options->challenge_response_authentication;
1035 		goto parse_flag;
1036 
1037 	case sPrintMotd:
1038 		intptr = &options->print_motd;
1039 		goto parse_flag;
1040 
1041 	case sPrintLastLog:
1042 		intptr = &options->print_lastlog;
1043 		goto parse_flag;
1044 
1045 	case sX11Forwarding:
1046 		intptr = &options->x11_forwarding;
1047 		goto parse_flag;
1048 
1049 	case sX11DisplayOffset:
1050 		intptr = &options->x11_display_offset;
1051 		goto parse_int;
1052 
1053 	case sX11UseLocalhost:
1054 		intptr = &options->x11_use_localhost;
1055 		goto parse_flag;
1056 
1057 	case sXAuthLocation:
1058 		charptr = &options->xauth_location;
1059 		goto parse_filename;
1060 
1061 	case sStrictModes:
1062 		intptr = &options->strict_modes;
1063 		goto parse_flag;
1064 
1065 	case sTCPKeepAlive:
1066 		intptr = &options->tcp_keep_alive;
1067 		goto parse_flag;
1068 
1069 	case sEmptyPasswd:
1070 		intptr = &options->permit_empty_passwd;
1071 		goto parse_flag;
1072 
1073 	case sPermitUserEnvironment:
1074 		intptr = &options->permit_user_env;
1075 		goto parse_flag;
1076 
1077 	case sUseLogin:
1078 		intptr = &options->use_login;
1079 		goto parse_flag;
1080 
1081 	case sCompression:
1082 		intptr = &options->compression;
1083 		multistate_ptr = multistate_compression;
1084 		goto parse_multistate;
1085 
1086 	case sGatewayPorts:
1087 		intptr = &options->gateway_ports;
1088 		multistate_ptr = multistate_gatewayports;
1089 		goto parse_multistate;
1090 
1091 	case sUseDNS:
1092 		intptr = &options->use_dns;
1093 		goto parse_flag;
1094 
1095 	case sLogFacility:
1096 		log_facility_ptr = &options->log_facility;
1097 		arg = strdelim(&cp);
1098 		value = log_facility_number(arg);
1099 		if (value == SYSLOG_FACILITY_NOT_SET)
1100 			fatal("%.200s line %d: unsupported log facility '%s'",
1101 			    filename, linenum, arg ? arg : "<NONE>");
1102 		if (*log_facility_ptr == -1)
1103 			*log_facility_ptr = (SyslogFacility) value;
1104 		break;
1105 
1106 	case sLogLevel:
1107 		log_level_ptr = &options->log_level;
1108 		arg = strdelim(&cp);
1109 		value = log_level_number(arg);
1110 		if (value == SYSLOG_LEVEL_NOT_SET)
1111 			fatal("%.200s line %d: unsupported log level '%s'",
1112 			    filename, linenum, arg ? arg : "<NONE>");
1113 		if (*log_level_ptr == -1)
1114 			*log_level_ptr = (LogLevel) value;
1115 		break;
1116 
1117 	case sAllowTcpForwarding:
1118 		intptr = &options->allow_tcp_forwarding;
1119 		goto parse_flag;
1120 
1121 	case sAllowAgentForwarding:
1122 		intptr = &options->allow_agent_forwarding;
1123 		goto parse_flag;
1124 
1125 	case sUsePrivilegeSeparation:
1126 		intptr = &use_privsep;
1127 		multistate_ptr = multistate_privsep;
1128 		goto parse_multistate;
1129 
1130 	case sAllowUsers:
1131 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1132 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1133 				fatal("%s line %d: too many allow users.",
1134 				    filename, linenum);
1135 			options->allow_users[options->num_allow_users++] =
1136 			    xstrdup(arg);
1137 		}
1138 		break;
1139 
1140 	case sDenyUsers:
1141 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1142 			if (options->num_deny_users >= MAX_DENY_USERS)
1143 				fatal("%s line %d: too many deny users.",
1144 				    filename, linenum);
1145 			options->deny_users[options->num_deny_users++] =
1146 			    xstrdup(arg);
1147 		}
1148 		break;
1149 
1150 	case sAllowGroups:
1151 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1152 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1153 				fatal("%s line %d: too many allow groups.",
1154 				    filename, linenum);
1155 			options->allow_groups[options->num_allow_groups++] =
1156 			    xstrdup(arg);
1157 		}
1158 		break;
1159 
1160 	case sDenyGroups:
1161 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1162 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1163 				fatal("%s line %d: too many deny groups.",
1164 				    filename, linenum);
1165 			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1166 		}
1167 		break;
1168 
1169 	case sCiphers:
1170 		arg = strdelim(&cp);
1171 		if (!arg || *arg == '\0')
1172 			fatal("%s line %d: Missing argument.", filename, linenum);
1173 		if (!ciphers_valid(arg))
1174 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1175 			    filename, linenum, arg ? arg : "<NONE>");
1176 		if (options->ciphers == NULL)
1177 			options->ciphers = xstrdup(arg);
1178 		break;
1179 
1180 	case sMacs:
1181 		arg = strdelim(&cp);
1182 		if (!arg || *arg == '\0')
1183 			fatal("%s line %d: Missing argument.", filename, linenum);
1184 		if (!mac_valid(arg))
1185 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1186 			    filename, linenum, arg ? arg : "<NONE>");
1187 		if (options->macs == NULL)
1188 			options->macs = xstrdup(arg);
1189 		break;
1190 
1191 	case sKexAlgorithms:
1192 		arg = strdelim(&cp);
1193 		if (!arg || *arg == '\0')
1194 			fatal("%s line %d: Missing argument.",
1195 			    filename, linenum);
1196 		if (!kex_names_valid(arg))
1197 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1198 			    filename, linenum, arg ? arg : "<NONE>");
1199 		if (options->kex_algorithms == NULL)
1200 			options->kex_algorithms = xstrdup(arg);
1201 		break;
1202 
1203 	case sProtocol:
1204 		intptr = &options->protocol;
1205 		arg = strdelim(&cp);
1206 		if (!arg || *arg == '\0')
1207 			fatal("%s line %d: Missing argument.", filename, linenum);
1208 		value = proto_spec(arg);
1209 		if (value == SSH_PROTO_UNKNOWN)
1210 			fatal("%s line %d: Bad protocol spec '%s'.",
1211 			    filename, linenum, arg ? arg : "<NONE>");
1212 		if (*intptr == SSH_PROTO_UNKNOWN)
1213 			*intptr = value;
1214 		break;
1215 
1216 	case sSubsystem:
1217 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1218 			fatal("%s line %d: too many subsystems defined.",
1219 			    filename, linenum);
1220 		}
1221 		arg = strdelim(&cp);
1222 		if (!arg || *arg == '\0')
1223 			fatal("%s line %d: Missing subsystem name.",
1224 			    filename, linenum);
1225 		if (!*activep) {
1226 			arg = strdelim(&cp);
1227 			break;
1228 		}
1229 		for (i = 0; i < options->num_subsystems; i++)
1230 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1231 				fatal("%s line %d: Subsystem '%s' already defined.",
1232 				    filename, linenum, arg);
1233 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1234 		arg = strdelim(&cp);
1235 		if (!arg || *arg == '\0')
1236 			fatal("%s line %d: Missing subsystem command.",
1237 			    filename, linenum);
1238 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1239 
1240 		/* Collect arguments (separate to executable) */
1241 		p = xstrdup(arg);
1242 		len = strlen(p) + 1;
1243 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1244 			len += 1 + strlen(arg);
1245 			p = xrealloc(p, 1, len);
1246 			strlcat(p, " ", len);
1247 			strlcat(p, arg, len);
1248 		}
1249 		options->subsystem_args[options->num_subsystems] = p;
1250 		options->num_subsystems++;
1251 		break;
1252 
1253 	case sMaxStartups:
1254 		arg = strdelim(&cp);
1255 		if (!arg || *arg == '\0')
1256 			fatal("%s line %d: Missing MaxStartups spec.",
1257 			    filename, linenum);
1258 		if ((n = sscanf(arg, "%d:%d:%d",
1259 		    &options->max_startups_begin,
1260 		    &options->max_startups_rate,
1261 		    &options->max_startups)) == 3) {
1262 			if (options->max_startups_begin >
1263 			    options->max_startups ||
1264 			    options->max_startups_rate > 100 ||
1265 			    options->max_startups_rate < 1)
1266 				fatal("%s line %d: Illegal MaxStartups spec.",
1267 				    filename, linenum);
1268 		} else if (n != 1)
1269 			fatal("%s line %d: Illegal MaxStartups spec.",
1270 			    filename, linenum);
1271 		else
1272 			options->max_startups = options->max_startups_begin;
1273 		break;
1274 
1275 	case sMaxAuthTries:
1276 		intptr = &options->max_authtries;
1277 		goto parse_int;
1278 
1279 	case sMaxSessions:
1280 		intptr = &options->max_sessions;
1281 		goto parse_int;
1282 
1283 	case sBanner:
1284 		charptr = &options->banner;
1285 		goto parse_filename;
1286 
1287 	/*
1288 	 * These options can contain %X options expanded at
1289 	 * connect time, so that you can specify paths like:
1290 	 *
1291 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1292 	 */
1293 	case sAuthorizedKeysFile:
1294 		if (*activep && options->num_authkeys_files == 0) {
1295 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1296 				if (options->num_authkeys_files >=
1297 				    MAX_AUTHKEYS_FILES)
1298 					fatal("%s line %d: "
1299 					    "too many authorized keys files.",
1300 					    filename, linenum);
1301 				options->authorized_keys_files[
1302 				    options->num_authkeys_files++] =
1303 				    tilde_expand_filename(arg, getuid());
1304 			}
1305 		}
1306 		return 0;
1307 
1308 	case sAuthorizedPrincipalsFile:
1309 		charptr = &options->authorized_principals_file;
1310 		arg = strdelim(&cp);
1311 		if (!arg || *arg == '\0')
1312 			fatal("%s line %d: missing file name.",
1313 			    filename, linenum);
1314 		if (*activep && *charptr == NULL) {
1315 			*charptr = tilde_expand_filename(arg, getuid());
1316 			/* increase optional counter */
1317 			if (intptr != NULL)
1318 				*intptr = *intptr + 1;
1319 		}
1320 		break;
1321 
1322 	case sClientAliveInterval:
1323 		intptr = &options->client_alive_interval;
1324 		goto parse_time;
1325 
1326 	case sClientAliveCountMax:
1327 		intptr = &options->client_alive_count_max;
1328 		goto parse_int;
1329 
1330 	case sAcceptEnv:
1331 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1332 			if (strchr(arg, '=') != NULL)
1333 				fatal("%s line %d: Invalid environment name.",
1334 				    filename, linenum);
1335 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1336 				fatal("%s line %d: too many allow env.",
1337 				    filename, linenum);
1338 			if (!*activep)
1339 				break;
1340 			options->accept_env[options->num_accept_env++] =
1341 			    xstrdup(arg);
1342 		}
1343 		break;
1344 
1345 	case sPermitTunnel:
1346 		intptr = &options->permit_tun;
1347 		arg = strdelim(&cp);
1348 		if (!arg || *arg == '\0')
1349 			fatal("%s line %d: Missing yes/point-to-point/"
1350 			    "ethernet/no argument.", filename, linenum);
1351 		value = -1;
1352 		for (i = 0; tunmode_desc[i].val != -1; i++)
1353 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1354 				value = tunmode_desc[i].val;
1355 				break;
1356 			}
1357 		if (value == -1)
1358 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1359 			    "no argument: %s", filename, linenum, arg);
1360 		if (*intptr == -1)
1361 			*intptr = value;
1362 		break;
1363 
1364 	case sMatch:
1365 		if (cmdline)
1366 			fatal("Match directive not supported as a command-line "
1367 			   "option");
1368 		value = match_cfg_line(&cp, linenum, user, host, address);
1369 		if (value < 0)
1370 			fatal("%s line %d: Bad Match condition", filename,
1371 			    linenum);
1372 		*activep = value;
1373 		break;
1374 
1375 	case sPermitOpen:
1376 		arg = strdelim(&cp);
1377 		if (!arg || *arg == '\0')
1378 			fatal("%s line %d: missing PermitOpen specification",
1379 			    filename, linenum);
1380 		n = options->num_permitted_opens;	/* modified later */
1381 		if (strcmp(arg, "any") == 0) {
1382 			if (*activep && n == -1) {
1383 				channel_clear_adm_permitted_opens();
1384 				options->num_permitted_opens = 0;
1385 			}
1386 			break;
1387 		}
1388 		if (*activep && n == -1)
1389 			channel_clear_adm_permitted_opens();
1390 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1391 			p = hpdelim(&arg);
1392 			if (p == NULL)
1393 				fatal("%s line %d: missing host in PermitOpen",
1394 				    filename, linenum);
1395 			p = cleanhostname(p);
1396 			if (arg == NULL || (port = a2port(arg)) <= 0)
1397 				fatal("%s line %d: bad port number in "
1398 				    "PermitOpen", filename, linenum);
1399 			if (*activep && n == -1)
1400 				options->num_permitted_opens =
1401 				    channel_add_adm_permitted_opens(p, port);
1402 		}
1403 		break;
1404 
1405 	case sForceCommand:
1406 		if (cp == NULL)
1407 			fatal("%.200s line %d: Missing argument.", filename,
1408 			    linenum);
1409 		len = strspn(cp, WHITESPACE);
1410 		if (*activep && options->adm_forced_command == NULL)
1411 			options->adm_forced_command = xstrdup(cp + len);
1412 		return 0;
1413 
1414 	case sChrootDirectory:
1415 		charptr = &options->chroot_directory;
1416 
1417 		arg = strdelim(&cp);
1418 		if (!arg || *arg == '\0')
1419 			fatal("%s line %d: missing file name.",
1420 			    filename, linenum);
1421 		if (*activep && *charptr == NULL)
1422 			*charptr = xstrdup(arg);
1423 		break;
1424 
1425 	case sTrustedUserCAKeys:
1426 		charptr = &options->trusted_user_ca_keys;
1427 		goto parse_filename;
1428 
1429 	case sRevokedKeys:
1430 		charptr = &options->revoked_keys_file;
1431 		goto parse_filename;
1432 
1433 	case sIPQoS:
1434 		arg = strdelim(&cp);
1435 		if ((value = parse_ipqos(arg)) == -1)
1436 			fatal("%s line %d: Bad IPQoS value: %s",
1437 			    filename, linenum, arg);
1438 		arg = strdelim(&cp);
1439 		if (arg == NULL)
1440 			value2 = value;
1441 		else if ((value2 = parse_ipqos(arg)) == -1)
1442 			fatal("%s line %d: Bad IPQoS value: %s",
1443 			    filename, linenum, arg);
1444 		if (*activep) {
1445 			options->ip_qos_interactive = value;
1446 			options->ip_qos_bulk = value2;
1447 		}
1448 		break;
1449 
1450 	case sVersionAddendum:
1451 		ssh_version_set_addendum(strtok(cp, "\n"));
1452 		do {
1453 			arg = strdelim(&cp);
1454 		} while (arg != NULL && *arg != '\0');
1455 		break;
1456 
1457 	case sHPNDisabled:
1458 		intptr = &options->hpn_disabled;
1459 		goto parse_flag;
1460 
1461 	case sHPNBufferSize:
1462 		intptr = &options->hpn_buffer_size;
1463 		goto parse_int;
1464 
1465 	case sTcpRcvBufPoll:
1466 		intptr = &options->tcp_rcv_buf_poll;
1467 		goto parse_flag;
1468 
1469 #ifdef	NONE_CIPHER_ENABLED
1470 	case sNoneEnabled:
1471 		intptr = &options->none_enabled;
1472 		goto parse_flag;
1473 #endif
1474 
1475 	case sDeprecated:
1476 		logit("%s line %d: Deprecated option %s",
1477 		    filename, linenum, arg);
1478 		while (arg)
1479 		    arg = strdelim(&cp);
1480 		break;
1481 
1482 	case sUnsupported:
1483 		logit("%s line %d: Unsupported option %s",
1484 		    filename, linenum, arg);
1485 		while (arg)
1486 		    arg = strdelim(&cp);
1487 		break;
1488 
1489 	default:
1490 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1491 		    filename, linenum, arg, opcode);
1492 	}
1493 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1494 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1495 		    filename, linenum, arg);
1496 	return 0;
1497 }
1498 
1499 /* Reads the server configuration file. */
1500 
1501 void
1502 load_server_config(const char *filename, Buffer *conf)
1503 {
1504 	char line[1024], *cp;
1505 	FILE *f;
1506 
1507 	debug2("%s: filename %s", __func__, filename);
1508 	if ((f = fopen(filename, "r")) == NULL) {
1509 		perror(filename);
1510 		exit(1);
1511 	}
1512 	buffer_clear(conf);
1513 	while (fgets(line, sizeof(line), f)) {
1514 		/*
1515 		 * Trim out comments and strip whitespace
1516 		 * NB - preserve newlines, they are needed to reproduce
1517 		 * line numbers later for error messages
1518 		 */
1519 		if ((cp = strchr(line, '#')) != NULL)
1520 			memcpy(cp, "\n", 2);
1521 		cp = line + strspn(line, " \t\r");
1522 
1523 		buffer_append(conf, cp, strlen(cp));
1524 	}
1525 	buffer_append(conf, "\0", 1);
1526 	fclose(f);
1527 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1528 }
1529 
1530 void
1531 parse_server_match_config(ServerOptions *options, const char *user,
1532     const char *host, const char *address)
1533 {
1534 	ServerOptions mo;
1535 
1536 	initialize_server_options(&mo);
1537 	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1538 	copy_set_server_options(options, &mo, 0);
1539 }
1540 
1541 /* Helper macros */
1542 #define M_CP_INTOPT(n) do {\
1543 	if (src->n != -1) \
1544 		dst->n = src->n; \
1545 } while (0)
1546 #define M_CP_STROPT(n) do {\
1547 	if (src->n != NULL) { \
1548 		if (dst->n != NULL) \
1549 			xfree(dst->n); \
1550 		dst->n = src->n; \
1551 	} \
1552 } while(0)
1553 #define M_CP_STRARRAYOPT(n, num_n) do {\
1554 	if (src->num_n != 0) { \
1555 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1556 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1557 	} \
1558 } while(0)
1559 
1560 /*
1561  * Copy any supported values that are set.
1562  *
1563  * If the preauth flag is set, we do not bother copying the string or
1564  * array values that are not used pre-authentication, because any that we
1565  * do use must be explictly sent in mm_getpwnamallow().
1566  */
1567 void
1568 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1569 {
1570 	M_CP_INTOPT(password_authentication);
1571 	M_CP_INTOPT(gss_authentication);
1572 	M_CP_INTOPT(rsa_authentication);
1573 	M_CP_INTOPT(pubkey_authentication);
1574 	M_CP_INTOPT(kerberos_authentication);
1575 	M_CP_INTOPT(hostbased_authentication);
1576 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1577 	M_CP_INTOPT(kbd_interactive_authentication);
1578 	M_CP_INTOPT(zero_knowledge_password_authentication);
1579 	M_CP_INTOPT(permit_root_login);
1580 	M_CP_INTOPT(permit_empty_passwd);
1581 
1582 	M_CP_INTOPT(allow_tcp_forwarding);
1583 	M_CP_INTOPT(allow_agent_forwarding);
1584 	M_CP_INTOPT(permit_tun);
1585 	M_CP_INTOPT(gateway_ports);
1586 	M_CP_INTOPT(x11_display_offset);
1587 	M_CP_INTOPT(x11_forwarding);
1588 	M_CP_INTOPT(x11_use_localhost);
1589 	M_CP_INTOPT(max_sessions);
1590 	M_CP_INTOPT(max_authtries);
1591 	M_CP_INTOPT(ip_qos_interactive);
1592 	M_CP_INTOPT(ip_qos_bulk);
1593 
1594 	/* See comment in servconf.h */
1595 	COPY_MATCH_STRING_OPTS();
1596 
1597 	/*
1598 	 * The only things that should be below this point are string options
1599 	 * which are only used after authentication.
1600 	 */
1601 	if (preauth)
1602 		return;
1603 
1604 	M_CP_STROPT(adm_forced_command);
1605 	M_CP_STROPT(chroot_directory);
1606 }
1607 
1608 #undef M_CP_INTOPT
1609 #undef M_CP_STROPT
1610 #undef M_CP_STRARRAYOPT
1611 
1612 void
1613 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1614     const char *user, const char *host, const char *address)
1615 {
1616 	int active, linenum, bad_options = 0;
1617 	char *cp, *obuf, *cbuf;
1618 
1619 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1620 
1621 	obuf = cbuf = xstrdup(buffer_ptr(conf));
1622 	active = user ? 0 : 1;
1623 	linenum = 1;
1624 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
1625 		if (process_server_config_line(options, cp, filename,
1626 		    linenum++, &active, user, host, address) != 0)
1627 			bad_options++;
1628 	}
1629 	xfree(obuf);
1630 	if (bad_options > 0)
1631 		fatal("%s: terminating, %d bad configuration options",
1632 		    filename, bad_options);
1633 }
1634 
1635 static const char *
1636 fmt_multistate_int(int val, const struct multistate *m)
1637 {
1638 	u_int i;
1639 
1640 	for (i = 0; m[i].key != NULL; i++) {
1641 		if (m[i].value == val)
1642 			return m[i].key;
1643 	}
1644 	return "UNKNOWN";
1645 }
1646 
1647 static const char *
1648 fmt_intarg(ServerOpCodes code, int val)
1649 {
1650 	if (val == -1)
1651 		return "unset";
1652 	switch (code) {
1653 	case sAddressFamily:
1654 		return fmt_multistate_int(val, multistate_addressfamily);
1655 	case sPermitRootLogin:
1656 		return fmt_multistate_int(val, multistate_permitrootlogin);
1657 	case sGatewayPorts:
1658 		return fmt_multistate_int(val, multistate_gatewayports);
1659 	case sCompression:
1660 		return fmt_multistate_int(val, multistate_compression);
1661 	case sUsePrivilegeSeparation:
1662 		return fmt_multistate_int(val, multistate_privsep);
1663 	case sProtocol:
1664 		switch (val) {
1665 		case SSH_PROTO_1:
1666 			return "1";
1667 		case SSH_PROTO_2:
1668 			return "2";
1669 		case (SSH_PROTO_1|SSH_PROTO_2):
1670 			return "2,1";
1671 		default:
1672 			return "UNKNOWN";
1673 		}
1674 	default:
1675 		switch (val) {
1676 		case 0:
1677 			return "no";
1678 		case 1:
1679 			return "yes";
1680 		default:
1681 			return "UNKNOWN";
1682 		}
1683 	}
1684 }
1685 
1686 static const char *
1687 lookup_opcode_name(ServerOpCodes code)
1688 {
1689 	u_int i;
1690 
1691 	for (i = 0; keywords[i].name != NULL; i++)
1692 		if (keywords[i].opcode == code)
1693 			return(keywords[i].name);
1694 	return "UNKNOWN";
1695 }
1696 
1697 static void
1698 dump_cfg_int(ServerOpCodes code, int val)
1699 {
1700 	printf("%s %d\n", lookup_opcode_name(code), val);
1701 }
1702 
1703 static void
1704 dump_cfg_fmtint(ServerOpCodes code, int val)
1705 {
1706 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1707 }
1708 
1709 static void
1710 dump_cfg_string(ServerOpCodes code, const char *val)
1711 {
1712 	if (val == NULL)
1713 		return;
1714 	printf("%s %s\n", lookup_opcode_name(code), val);
1715 }
1716 
1717 static void
1718 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1719 {
1720 	u_int i;
1721 
1722 	for (i = 0; i < count; i++)
1723 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1724 }
1725 
1726 static void
1727 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1728 {
1729 	u_int i;
1730 
1731 	printf("%s", lookup_opcode_name(code));
1732 	for (i = 0; i < count; i++)
1733 		printf(" %s",  vals[i]);
1734 	printf("\n");
1735 }
1736 
1737 void
1738 dump_config(ServerOptions *o)
1739 {
1740 	u_int i;
1741 	int ret;
1742 	struct addrinfo *ai;
1743 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1744 
1745 	/* these are usually at the top of the config */
1746 	for (i = 0; i < o->num_ports; i++)
1747 		printf("port %d\n", o->ports[i]);
1748 	dump_cfg_fmtint(sProtocol, o->protocol);
1749 	dump_cfg_fmtint(sAddressFamily, o->address_family);
1750 
1751 	/* ListenAddress must be after Port */
1752 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1753 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1754 		    sizeof(addr), port, sizeof(port),
1755 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1756 			error("getnameinfo failed: %.100s",
1757 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1758 			    strerror(errno));
1759 		} else {
1760 			if (ai->ai_family == AF_INET6)
1761 				printf("listenaddress [%s]:%s\n", addr, port);
1762 			else
1763 				printf("listenaddress %s:%s\n", addr, port);
1764 		}
1765 	}
1766 
1767 	/* integer arguments */
1768 #ifdef USE_PAM
1769 	dump_cfg_int(sUsePAM, o->use_pam);
1770 #endif
1771 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
1772 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1773 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1774 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1775 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
1776 	dump_cfg_int(sMaxSessions, o->max_sessions);
1777 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1778 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1779 
1780 	/* formatted integer arguments */
1781 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1782 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1783 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1784 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1785 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1786 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1787 	    o->hostbased_uses_name_from_packet_only);
1788 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1789 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1790 #ifdef KRB5
1791 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1792 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1793 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1794 # ifdef USE_AFS
1795 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1796 # endif
1797 #endif
1798 #ifdef GSSAPI
1799 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1800 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1801 #endif
1802 #ifdef JPAKE
1803 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1804 	    o->zero_knowledge_password_authentication);
1805 #endif
1806 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1807 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
1808 	    o->kbd_interactive_authentication);
1809 	dump_cfg_fmtint(sChallengeResponseAuthentication,
1810 	    o->challenge_response_authentication);
1811 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
1812 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1813 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1814 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1815 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
1816 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1817 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1818 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1819 	dump_cfg_fmtint(sUseLogin, o->use_login);
1820 	dump_cfg_fmtint(sCompression, o->compression);
1821 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1822 	dump_cfg_fmtint(sUseDNS, o->use_dns);
1823 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1824 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1825 
1826 	/* string arguments */
1827 	dump_cfg_string(sPidFile, o->pid_file);
1828 	dump_cfg_string(sXAuthLocation, o->xauth_location);
1829 	dump_cfg_string(sCiphers, o->ciphers);
1830 	dump_cfg_string(sMacs, o->macs);
1831 	dump_cfg_string(sBanner, o->banner);
1832 	dump_cfg_string(sForceCommand, o->adm_forced_command);
1833 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
1834 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1835 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1836 	dump_cfg_string(sAuthorizedPrincipalsFile,
1837 	    o->authorized_principals_file);
1838 
1839 	/* string arguments requiring a lookup */
1840 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1841 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1842 
1843 	/* string array arguments */
1844 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
1845 	    o->authorized_keys_files);
1846 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1847 	     o->host_key_files);
1848 	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1849 	     o->host_cert_files);
1850 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1851 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1852 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1853 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1854 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1855 
1856 	/* other arguments */
1857 	for (i = 0; i < o->num_subsystems; i++)
1858 		printf("subsystem %s %s\n", o->subsystem_name[i],
1859 		    o->subsystem_args[i]);
1860 
1861 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1862 	    o->max_startups_rate, o->max_startups);
1863 
1864 	for (i = 0; tunmode_desc[i].val != -1; i++)
1865 		if (tunmode_desc[i].val == o->permit_tun) {
1866 			s = tunmode_desc[i].text;
1867 			break;
1868 		}
1869 	dump_cfg_string(sPermitTunnel, s);
1870 
1871 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
1872 	printf("%s\n", iptos2str(o->ip_qos_bulk));
1873 
1874 	channel_print_adm_permitted_opens();
1875 }
1876