xref: /freebsd/crypto/openssh/servconf.c (revision d2ce15bd43b3a1dcce08eecbff8d5d359946d972)
1 
2 /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
3 /* $FreeBSD$ */
4 /*
5  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6  *                    All rights reserved
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  */
14 
15 #include "includes.h"
16 __RCSID("$FreeBSD$");
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
24 
25 #include <netdb.h>
26 #include <pwd.h>
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <signal.h>
31 #include <unistd.h>
32 #include <stdarg.h>
33 #include <errno.h>
34 
35 #include "openbsd-compat/sys-queue.h"
36 #include "xmalloc.h"
37 #include "ssh.h"
38 #include "log.h"
39 #include "buffer.h"
40 #include "servconf.h"
41 #include "compat.h"
42 #include "pathnames.h"
43 #include "misc.h"
44 #include "cipher.h"
45 #include "key.h"
46 #include "kex.h"
47 #include "mac.h"
48 #include "match.h"
49 #include "channels.h"
50 #include "groupaccess.h"
51 #include "canohost.h"
52 #include "packet.h"
53 #include "hostfile.h"
54 #include "auth.h"
55 #include "version.h"
56 
57 static void add_listen_addr(ServerOptions *, char *, int);
58 static void add_one_listen_addr(ServerOptions *, char *, int);
59 
60 /* Use of privilege separation or not */
61 extern int use_privsep;
62 extern Buffer cfg;
63 
64 /* Initializes the server options to their default values. */
65 
66 void
67 initialize_server_options(ServerOptions *options)
68 {
69 	memset(options, 0, sizeof(*options));
70 
71 	/* Portable-specific options */
72 	options->use_pam = -1;
73 
74 	/* Standard Options */
75 	options->num_ports = 0;
76 	options->ports_from_cmdline = 0;
77 	options->listen_addrs = NULL;
78 	options->address_family = -1;
79 	options->num_host_key_files = 0;
80 	options->num_host_cert_files = 0;
81 	options->pid_file = NULL;
82 	options->server_key_bits = -1;
83 	options->login_grace_time = -1;
84 	options->key_regeneration_time = -1;
85 	options->permit_root_login = PERMIT_NOT_SET;
86 	options->ignore_rhosts = -1;
87 	options->ignore_user_known_hosts = -1;
88 	options->print_motd = -1;
89 	options->print_lastlog = -1;
90 	options->x11_forwarding = -1;
91 	options->x11_display_offset = -1;
92 	options->x11_use_localhost = -1;
93 	options->xauth_location = NULL;
94 	options->strict_modes = -1;
95 	options->tcp_keep_alive = -1;
96 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
97 	options->log_level = SYSLOG_LEVEL_NOT_SET;
98 	options->rhosts_rsa_authentication = -1;
99 	options->hostbased_authentication = -1;
100 	options->hostbased_uses_name_from_packet_only = -1;
101 	options->rsa_authentication = -1;
102 	options->pubkey_authentication = -1;
103 	options->kerberos_authentication = -1;
104 	options->kerberos_or_local_passwd = -1;
105 	options->kerberos_ticket_cleanup = -1;
106 	options->kerberos_get_afs_token = -1;
107 	options->gss_authentication=-1;
108 	options->gss_cleanup_creds = -1;
109 	options->password_authentication = -1;
110 	options->kbd_interactive_authentication = -1;
111 	options->challenge_response_authentication = -1;
112 	options->permit_empty_passwd = -1;
113 	options->permit_user_env = -1;
114 	options->use_login = -1;
115 	options->compression = -1;
116 	options->allow_tcp_forwarding = -1;
117 	options->allow_agent_forwarding = -1;
118 	options->num_allow_users = 0;
119 	options->num_deny_users = 0;
120 	options->num_allow_groups = 0;
121 	options->num_deny_groups = 0;
122 	options->ciphers = NULL;
123 	options->macs = NULL;
124 	options->kex_algorithms = NULL;
125 	options->protocol = SSH_PROTO_UNKNOWN;
126 	options->gateway_ports = -1;
127 	options->num_subsystems = 0;
128 	options->max_startups_begin = -1;
129 	options->max_startups_rate = -1;
130 	options->max_startups = -1;
131 	options->max_authtries = -1;
132 	options->max_sessions = -1;
133 	options->banner = NULL;
134 	options->use_dns = -1;
135 	options->client_alive_interval = -1;
136 	options->client_alive_count_max = -1;
137 	options->num_authkeys_files = 0;
138 	options->num_accept_env = 0;
139 	options->permit_tun = -1;
140 	options->num_permitted_opens = -1;
141 	options->adm_forced_command = NULL;
142 	options->chroot_directory = NULL;
143 	options->authorized_keys_command = NULL;
144 	options->authorized_keys_command_user = NULL;
145 	options->zero_knowledge_password_authentication = -1;
146 	options->revoked_keys_file = NULL;
147 	options->trusted_user_ca_keys = NULL;
148 	options->authorized_principals_file = NULL;
149 	options->ip_qos_interactive = -1;
150 	options->ip_qos_bulk = -1;
151 	options->version_addendum = NULL;
152 	options->hpn_disabled = -1;
153 	options->hpn_buffer_size = -1;
154 	options->tcp_rcv_buf_poll = -1;
155 #ifdef	NONE_CIPHER_ENABLED
156 	options->none_enabled = -1;
157 #endif
158 }
159 
160 void
161 fill_default_server_options(ServerOptions *options)
162 {
163 	/* Portable-specific options */
164 	if (options->use_pam == -1)
165 		options->use_pam = 1;
166 
167 	/* Standard Options */
168 	if (options->protocol == SSH_PROTO_UNKNOWN)
169 		options->protocol = SSH_PROTO_2;
170 	if (options->num_host_key_files == 0) {
171 		/* fill default hostkeys for protocols */
172 		if (options->protocol & SSH_PROTO_1)
173 			options->host_key_files[options->num_host_key_files++] =
174 			    _PATH_HOST_KEY_FILE;
175 		if (options->protocol & SSH_PROTO_2) {
176 			options->host_key_files[options->num_host_key_files++] =
177 			    _PATH_HOST_RSA_KEY_FILE;
178 			options->host_key_files[options->num_host_key_files++] =
179 			    _PATH_HOST_DSA_KEY_FILE;
180 #ifdef OPENSSL_HAS_ECC
181 			options->host_key_files[options->num_host_key_files++] =
182 			    _PATH_HOST_ECDSA_KEY_FILE;
183 #endif
184 		}
185 	}
186 	/* No certificates by default */
187 	if (options->num_ports == 0)
188 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
189 	if (options->listen_addrs == NULL)
190 		add_listen_addr(options, NULL, 0);
191 	if (options->pid_file == NULL)
192 		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
193 	if (options->server_key_bits == -1)
194 		options->server_key_bits = 1024;
195 	if (options->login_grace_time == -1)
196 		options->login_grace_time = 120;
197 	if (options->key_regeneration_time == -1)
198 		options->key_regeneration_time = 3600;
199 	if (options->permit_root_login == PERMIT_NOT_SET)
200 		options->permit_root_login = PERMIT_NO;
201 	if (options->ignore_rhosts == -1)
202 		options->ignore_rhosts = 1;
203 	if (options->ignore_user_known_hosts == -1)
204 		options->ignore_user_known_hosts = 0;
205 	if (options->print_motd == -1)
206 		options->print_motd = 1;
207 	if (options->print_lastlog == -1)
208 		options->print_lastlog = 1;
209 	if (options->x11_forwarding == -1)
210 		options->x11_forwarding = 1;
211 	if (options->x11_display_offset == -1)
212 		options->x11_display_offset = 10;
213 	if (options->x11_use_localhost == -1)
214 		options->x11_use_localhost = 1;
215 	if (options->xauth_location == NULL)
216 		options->xauth_location = _PATH_XAUTH;
217 	if (options->strict_modes == -1)
218 		options->strict_modes = 1;
219 	if (options->tcp_keep_alive == -1)
220 		options->tcp_keep_alive = 1;
221 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
222 		options->log_facility = SYSLOG_FACILITY_AUTH;
223 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
224 		options->log_level = SYSLOG_LEVEL_INFO;
225 	if (options->rhosts_rsa_authentication == -1)
226 		options->rhosts_rsa_authentication = 0;
227 	if (options->hostbased_authentication == -1)
228 		options->hostbased_authentication = 0;
229 	if (options->hostbased_uses_name_from_packet_only == -1)
230 		options->hostbased_uses_name_from_packet_only = 0;
231 	if (options->rsa_authentication == -1)
232 		options->rsa_authentication = 1;
233 	if (options->pubkey_authentication == -1)
234 		options->pubkey_authentication = 1;
235 	if (options->kerberos_authentication == -1)
236 		options->kerberos_authentication = 0;
237 	if (options->kerberos_or_local_passwd == -1)
238 		options->kerberos_or_local_passwd = 1;
239 	if (options->kerberos_ticket_cleanup == -1)
240 		options->kerberos_ticket_cleanup = 1;
241 	if (options->kerberos_get_afs_token == -1)
242 		options->kerberos_get_afs_token = 0;
243 	if (options->gss_authentication == -1)
244 		options->gss_authentication = 0;
245 	if (options->gss_cleanup_creds == -1)
246 		options->gss_cleanup_creds = 1;
247 	if (options->password_authentication == -1)
248 		options->password_authentication = 0;
249 	if (options->kbd_interactive_authentication == -1)
250 		options->kbd_interactive_authentication = 0;
251 	if (options->challenge_response_authentication == -1)
252 		options->challenge_response_authentication = 1;
253 	if (options->permit_empty_passwd == -1)
254 		options->permit_empty_passwd = 0;
255 	if (options->permit_user_env == -1)
256 		options->permit_user_env = 0;
257 	if (options->use_login == -1)
258 		options->use_login = 0;
259 	if (options->compression == -1)
260 		options->compression = COMP_DELAYED;
261 	if (options->allow_tcp_forwarding == -1)
262 		options->allow_tcp_forwarding = FORWARD_ALLOW;
263 	if (options->allow_agent_forwarding == -1)
264 		options->allow_agent_forwarding = 1;
265 	if (options->gateway_ports == -1)
266 		options->gateway_ports = 0;
267 	if (options->max_startups == -1)
268 		options->max_startups = 100;
269 	if (options->max_startups_rate == -1)
270 		options->max_startups_rate = 30;		/* 30% */
271 	if (options->max_startups_begin == -1)
272 		options->max_startups_begin = 10;
273 	if (options->max_authtries == -1)
274 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
275 	if (options->max_sessions == -1)
276 		options->max_sessions = DEFAULT_SESSIONS_MAX;
277 	if (options->use_dns == -1)
278 		options->use_dns = 1;
279 	if (options->client_alive_interval == -1)
280 		options->client_alive_interval = 0;
281 	if (options->client_alive_count_max == -1)
282 		options->client_alive_count_max = 3;
283 	if (options->num_authkeys_files == 0) {
284 		options->authorized_keys_files[options->num_authkeys_files++] =
285 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
286 		options->authorized_keys_files[options->num_authkeys_files++] =
287 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
288 	}
289 	if (options->permit_tun == -1)
290 		options->permit_tun = SSH_TUNMODE_NO;
291 	if (options->zero_knowledge_password_authentication == -1)
292 		options->zero_knowledge_password_authentication = 0;
293 	if (options->ip_qos_interactive == -1)
294 		options->ip_qos_interactive = IPTOS_LOWDELAY;
295 	if (options->ip_qos_bulk == -1)
296 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
297 	if (options->version_addendum == NULL)
298 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
299 	/* Turn privilege separation on by default */
300 	if (use_privsep == -1)
301 		use_privsep = PRIVSEP_ON;
302 
303 #ifndef HAVE_MMAP
304 	if (use_privsep && options->compression == 1) {
305 		error("This platform does not support both privilege "
306 		    "separation and compression");
307 		error("Compression disabled");
308 		options->compression = 0;
309 	}
310 #endif
311 
312 	if (options->hpn_disabled == -1)
313 		options->hpn_disabled = 0;
314 	if (options->hpn_buffer_size == -1) {
315 		/*
316 		 * HPN buffer size option not explicitly set.  Try to figure
317 		 * out what value to use or resort to default.
318 		 */
319 		options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
320 		if (!options->hpn_disabled) {
321 			sock_get_rcvbuf(&options->hpn_buffer_size, 0);
322 			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
323 		}
324 	} else {
325 		/*
326 		 * In the case that the user sets both values in a
327 		 * contradictory manner hpn_disabled overrrides hpn_buffer_size.
328 		 */
329 		if (options->hpn_disabled <= 0) {
330 			u_int maxlen;
331 
332 			maxlen = buffer_get_max_len();
333 			if (options->hpn_buffer_size == 0)
334 				options->hpn_buffer_size = 1;
335 			/* Limit the maximum buffer to BUFFER_MAX_LEN. */
336 			if (options->hpn_buffer_size > maxlen / 1024)
337 				options->hpn_buffer_size = maxlen;
338 			else
339 				options->hpn_buffer_size *= 1024;
340 		} else {
341 			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
342 		}
343 	}
344 }
345 
346 /* Keyword tokens. */
347 typedef enum {
348 	sBadOption,		/* == unknown option */
349 	/* Portable-specific options */
350 	sUsePAM,
351 	/* Standard Options */
352 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
353 	sPermitRootLogin, sLogFacility, sLogLevel,
354 	sRhostsRSAAuthentication, sRSAAuthentication,
355 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
356 	sKerberosGetAFSToken,
357 	sKerberosTgtPassing, sChallengeResponseAuthentication,
358 	sPasswordAuthentication, sKbdInteractiveAuthentication,
359 	sListenAddress, sAddressFamily,
360 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
361 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
362 	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
363 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
364 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
365 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
366 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
367 	sMaxStartups, sMaxAuthTries, sMaxSessions,
368 	sBanner, sUseDNS, sHostbasedAuthentication,
369 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
370 	sClientAliveCountMax, sAuthorizedKeysFile,
371 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
372 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
373 	sUsePrivilegeSeparation, sAllowAgentForwarding,
374 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
375 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
376 	sKexAlgorithms, sIPQoS, sVersionAddendum,
377 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
378 	sAuthenticationMethods,
379 	sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
380 #ifdef NONE_CIPHER_ENABLED
381 	sNoneEnabled,
382 #endif
383 	sDeprecated, sUnsupported
384 } ServerOpCodes;
385 
386 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
387 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
388 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
389 
390 /* Textual representation of the tokens. */
391 static struct {
392 	const char *name;
393 	ServerOpCodes opcode;
394 	u_int flags;
395 } keywords[] = {
396 	/* Portable-specific options */
397 #ifdef USE_PAM
398 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
399 #else
400 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
401 #endif
402 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
403 	/* Standard Options */
404 	{ "port", sPort, SSHCFG_GLOBAL },
405 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
406 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
407 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
408 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
409 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
410 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
411 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
412 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
413 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
414 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
415 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
416 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
417 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
418 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
419 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
420 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
421 #ifdef KRB5
422 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
423 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
424 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
425 #ifdef USE_AFS
426 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
427 #else
428 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
429 #endif
430 #else
431 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
432 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
433 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
434 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
435 #endif
436 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
437 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
438 #ifdef GSSAPI
439 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
440 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
441 #else
442 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
443 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
444 #endif
445 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
446 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
447 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
448 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
449 #ifdef JPAKE
450 	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
451 #else
452 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
453 #endif
454 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
455 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
456 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
457 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
458 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
459 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
460 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
461 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
462 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
463 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
464 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
465 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
466 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
467 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
468 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
469 	{ "compression", sCompression, SSHCFG_GLOBAL },
470 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
471 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
472 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
473 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
474 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
475 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
476 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
477 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
478 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
479 	{ "macs", sMacs, SSHCFG_GLOBAL },
480 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
481 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
482 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
483 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
484 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
485 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
486 	{ "banner", sBanner, SSHCFG_ALL },
487 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
488 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
489 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
490 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
491 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
492 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
493 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
494 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
495 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
496 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
497 	{ "match", sMatch, SSHCFG_ALL },
498 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
499 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
500 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
501 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
502 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
503 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
504 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
505 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
506 	{ "ipqos", sIPQoS, SSHCFG_ALL },
507 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
508 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
509 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
510 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
511 	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
512 	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
513 	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
514 #ifdef NONE_CIPHER_ENABLED
515 	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
516 #endif
517 	{ NULL, sBadOption, 0 }
518 };
519 
520 static struct {
521 	int val;
522 	char *text;
523 } tunmode_desc[] = {
524 	{ SSH_TUNMODE_NO, "no" },
525 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
526 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
527 	{ SSH_TUNMODE_YES, "yes" },
528 	{ -1, NULL }
529 };
530 
531 /*
532  * Returns the number of the token pointed to by cp or sBadOption.
533  */
534 
535 static ServerOpCodes
536 parse_token(const char *cp, const char *filename,
537 	    int linenum, u_int *flags)
538 {
539 	u_int i;
540 
541 	for (i = 0; keywords[i].name; i++)
542 		if (strcasecmp(cp, keywords[i].name) == 0) {
543 			*flags = keywords[i].flags;
544 			return keywords[i].opcode;
545 		}
546 
547 	error("%s: line %d: Bad configuration option: %s",
548 	    filename, linenum, cp);
549 	return sBadOption;
550 }
551 
552 char *
553 derelativise_path(const char *path)
554 {
555 	char *expanded, *ret, cwd[MAXPATHLEN];
556 
557 	expanded = tilde_expand_filename(path, getuid());
558 	if (*expanded == '/')
559 		return expanded;
560 	if (getcwd(cwd, sizeof(cwd)) == NULL)
561 		fatal("%s: getcwd: %s", __func__, strerror(errno));
562 	xasprintf(&ret, "%s/%s", cwd, expanded);
563 	xfree(expanded);
564 	return ret;
565 }
566 
567 static void
568 add_listen_addr(ServerOptions *options, char *addr, int port)
569 {
570 	u_int i;
571 
572 	if (options->num_ports == 0)
573 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
574 	if (options->address_family == -1)
575 		options->address_family = AF_UNSPEC;
576 	if (port == 0)
577 		for (i = 0; i < options->num_ports; i++)
578 			add_one_listen_addr(options, addr, options->ports[i]);
579 	else
580 		add_one_listen_addr(options, addr, port);
581 }
582 
583 static void
584 add_one_listen_addr(ServerOptions *options, char *addr, int port)
585 {
586 	struct addrinfo hints, *ai, *aitop;
587 	char strport[NI_MAXSERV];
588 	int gaierr;
589 
590 	memset(&hints, 0, sizeof(hints));
591 	hints.ai_family = options->address_family;
592 	hints.ai_socktype = SOCK_STREAM;
593 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
594 	snprintf(strport, sizeof strport, "%d", port);
595 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
596 		fatal("bad addr or host: %s (%s)",
597 		    addr ? addr : "<NULL>",
598 		    ssh_gai_strerror(gaierr));
599 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
600 		;
601 	ai->ai_next = options->listen_addrs;
602 	options->listen_addrs = aitop;
603 }
604 
605 struct connection_info *
606 get_connection_info(int populate, int use_dns)
607 {
608 	static struct connection_info ci;
609 
610 	if (!populate)
611 		return &ci;
612 	ci.host = get_canonical_hostname(use_dns);
613 	ci.address = get_remote_ipaddr();
614 	ci.laddress = get_local_ipaddr(packet_get_connection_in());
615 	ci.lport = get_local_port();
616 	return &ci;
617 }
618 
619 /*
620  * The strategy for the Match blocks is that the config file is parsed twice.
621  *
622  * The first time is at startup.  activep is initialized to 1 and the
623  * directives in the global context are processed and acted on.  Hitting a
624  * Match directive unsets activep and the directives inside the block are
625  * checked for syntax only.
626  *
627  * The second time is after a connection has been established but before
628  * authentication.  activep is initialized to 2 and global config directives
629  * are ignored since they have already been processed.  If the criteria in a
630  * Match block is met, activep is set and the subsequent directives
631  * processed and actioned until EOF or another Match block unsets it.  Any
632  * options set are copied into the main server config.
633  *
634  * Potential additions/improvements:
635  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
636  *
637  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
638  *	Match Address 192.168.0.*
639  *		Tag trusted
640  *	Match Group wheel
641  *		Tag trusted
642  *	Match Tag trusted
643  *		AllowTcpForwarding yes
644  *		GatewayPorts clientspecified
645  *		[...]
646  *
647  *  - Add a PermittedChannelRequests directive
648  *	Match Group shell
649  *		PermittedChannelRequests session,forwarded-tcpip
650  */
651 
652 static int
653 match_cfg_line_group(const char *grps, int line, const char *user)
654 {
655 	int result = 0;
656 	struct passwd *pw;
657 
658 	if (user == NULL)
659 		goto out;
660 
661 	if ((pw = getpwnam(user)) == NULL) {
662 		debug("Can't match group at line %d because user %.100s does "
663 		    "not exist", line, user);
664 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
665 		debug("Can't Match group because user %.100s not in any group "
666 		    "at line %d", user, line);
667 	} else if (ga_match_pattern_list(grps) != 1) {
668 		debug("user %.100s does not match group list %.100s at line %d",
669 		    user, grps, line);
670 	} else {
671 		debug("user %.100s matched group list %.100s at line %d", user,
672 		    grps, line);
673 		result = 1;
674 	}
675 out:
676 	ga_free();
677 	return result;
678 }
679 
680 /*
681  * All of the attributes on a single Match line are ANDed together, so we need
682  * to check every * attribute and set the result to zero if any attribute does
683  * not match.
684  */
685 static int
686 match_cfg_line(char **condition, int line, struct connection_info *ci)
687 {
688 	int result = 1, port;
689 	char *arg, *attrib, *cp = *condition;
690 	size_t len;
691 
692 	if (ci == NULL)
693 		debug3("checking syntax for 'Match %s'", cp);
694 	else
695 		debug3("checking match for '%s' user %s host %s addr %s "
696 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
697 		    ci->host ? ci->host : "(null)",
698 		    ci->address ? ci->address : "(null)",
699 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
700 
701 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
702 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
703 			error("Missing Match criteria for %s", attrib);
704 			return -1;
705 		}
706 		len = strlen(arg);
707 		if (strcasecmp(attrib, "user") == 0) {
708 			if (ci == NULL || ci->user == NULL) {
709 				result = 0;
710 				continue;
711 			}
712 			if (match_pattern_list(ci->user, arg, len, 0) != 1)
713 				result = 0;
714 			else
715 				debug("user %.100s matched 'User %.100s' at "
716 				    "line %d", ci->user, arg, line);
717 		} else if (strcasecmp(attrib, "group") == 0) {
718 			if (ci == NULL || ci->user == NULL) {
719 				result = 0;
720 				continue;
721 			}
722 			switch (match_cfg_line_group(arg, line, ci->user)) {
723 			case -1:
724 				return -1;
725 			case 0:
726 				result = 0;
727 			}
728 		} else if (strcasecmp(attrib, "host") == 0) {
729 			if (ci == NULL || ci->host == NULL) {
730 				result = 0;
731 				continue;
732 			}
733 			if (match_hostname(ci->host, arg, len) != 1)
734 				result = 0;
735 			else
736 				debug("connection from %.100s matched 'Host "
737 				    "%.100s' at line %d", ci->host, arg, line);
738 		} else if (strcasecmp(attrib, "address") == 0) {
739 			if (ci == NULL || ci->address == NULL) {
740 				result = 0;
741 				continue;
742 			}
743 			switch (addr_match_list(ci->address, arg)) {
744 			case 1:
745 				debug("connection from %.100s matched 'Address "
746 				    "%.100s' at line %d", ci->address, arg, line);
747 				break;
748 			case 0:
749 			case -1:
750 				result = 0;
751 				break;
752 			case -2:
753 				return -1;
754 			}
755 		} else if (strcasecmp(attrib, "localaddress") == 0){
756 			if (ci == NULL || ci->laddress == NULL) {
757 				result = 0;
758 				continue;
759 			}
760 			switch (addr_match_list(ci->laddress, arg)) {
761 			case 1:
762 				debug("connection from %.100s matched "
763 				    "'LocalAddress %.100s' at line %d",
764 				    ci->laddress, arg, line);
765 				break;
766 			case 0:
767 			case -1:
768 				result = 0;
769 				break;
770 			case -2:
771 				return -1;
772 			}
773 		} else if (strcasecmp(attrib, "localport") == 0) {
774 			if ((port = a2port(arg)) == -1) {
775 				error("Invalid LocalPort '%s' on Match line",
776 				    arg);
777 				return -1;
778 			}
779 			if (ci == NULL || ci->lport == 0) {
780 				result = 0;
781 				continue;
782 			}
783 			/* TODO support port lists */
784 			if (port == ci->lport)
785 				debug("connection from %.100s matched "
786 				    "'LocalPort %d' at line %d",
787 				    ci->laddress, port, line);
788 			else
789 				result = 0;
790 		} else {
791 			error("Unsupported Match attribute %s", attrib);
792 			return -1;
793 		}
794 	}
795 	if (ci != NULL)
796 		debug3("match %sfound", result ? "" : "not ");
797 	*condition = cp;
798 	return result;
799 }
800 
801 #define WHITESPACE " \t\r\n"
802 
803 /* Multistate option parsing */
804 struct multistate {
805 	char *key;
806 	int value;
807 };
808 static const struct multistate multistate_addressfamily[] = {
809 	{ "inet",			AF_INET },
810 	{ "inet6",			AF_INET6 },
811 	{ "any",			AF_UNSPEC },
812 	{ NULL, -1 }
813 };
814 static const struct multistate multistate_permitrootlogin[] = {
815 	{ "without-password",		PERMIT_NO_PASSWD },
816 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
817 	{ "yes",			PERMIT_YES },
818 	{ "no",				PERMIT_NO },
819 	{ NULL, -1 }
820 };
821 static const struct multistate multistate_compression[] = {
822 	{ "delayed",			COMP_DELAYED },
823 	{ "yes",			COMP_ZLIB },
824 	{ "no",				COMP_NONE },
825 	{ NULL, -1 }
826 };
827 static const struct multistate multistate_gatewayports[] = {
828 	{ "clientspecified",		2 },
829 	{ "yes",			1 },
830 	{ "no",				0 },
831 	{ NULL, -1 }
832 };
833 static const struct multistate multistate_privsep[] = {
834 	{ "yes",			PRIVSEP_NOSANDBOX },
835 	{ "sandbox",			PRIVSEP_ON },
836 	{ "nosandbox",			PRIVSEP_NOSANDBOX },
837 	{ "no",				PRIVSEP_OFF },
838 	{ NULL, -1 }
839 };
840 static const struct multistate multistate_tcpfwd[] = {
841 	{ "yes",			FORWARD_ALLOW },
842 	{ "all",			FORWARD_ALLOW },
843 	{ "no",				FORWARD_DENY },
844 	{ "remote",			FORWARD_REMOTE },
845 	{ "local",			FORWARD_LOCAL },
846 	{ NULL, -1 }
847 };
848 
849 int
850 process_server_config_line(ServerOptions *options, char *line,
851     const char *filename, int linenum, int *activep,
852     struct connection_info *connectinfo)
853 {
854 	char *cp, **charptr, *arg, *p;
855 	int cmdline = 0, *intptr, value, value2, n;
856 	SyslogFacility *log_facility_ptr;
857 	LogLevel *log_level_ptr;
858 	ServerOpCodes opcode;
859 	int port;
860 	u_int i, flags = 0;
861 	size_t len;
862 	const struct multistate *multistate_ptr;
863 
864 	cp = line;
865 	if ((arg = strdelim(&cp)) == NULL)
866 		return 0;
867 	/* Ignore leading whitespace */
868 	if (*arg == '\0')
869 		arg = strdelim(&cp);
870 	if (!arg || !*arg || *arg == '#')
871 		return 0;
872 	intptr = NULL;
873 	charptr = NULL;
874 	opcode = parse_token(arg, filename, linenum, &flags);
875 
876 	if (activep == NULL) { /* We are processing a command line directive */
877 		cmdline = 1;
878 		activep = &cmdline;
879 	}
880 	if (*activep && opcode != sMatch)
881 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
882 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
883 		if (connectinfo == NULL) {
884 			fatal("%s line %d: Directive '%s' is not allowed "
885 			    "within a Match block", filename, linenum, arg);
886 		} else { /* this is a directive we have already processed */
887 			while (arg)
888 				arg = strdelim(&cp);
889 			return 0;
890 		}
891 	}
892 
893 	switch (opcode) {
894 	/* Portable-specific options */
895 	case sUsePAM:
896 		intptr = &options->use_pam;
897 		goto parse_flag;
898 
899 	/* Standard Options */
900 	case sBadOption:
901 		return -1;
902 	case sPort:
903 		/* ignore ports from configfile if cmdline specifies ports */
904 		if (options->ports_from_cmdline)
905 			return 0;
906 		if (options->listen_addrs != NULL)
907 			fatal("%s line %d: ports must be specified before "
908 			    "ListenAddress.", filename, linenum);
909 		if (options->num_ports >= MAX_PORTS)
910 			fatal("%s line %d: too many ports.",
911 			    filename, linenum);
912 		arg = strdelim(&cp);
913 		if (!arg || *arg == '\0')
914 			fatal("%s line %d: missing port number.",
915 			    filename, linenum);
916 		options->ports[options->num_ports++] = a2port(arg);
917 		if (options->ports[options->num_ports-1] <= 0)
918 			fatal("%s line %d: Badly formatted port number.",
919 			    filename, linenum);
920 		break;
921 
922 	case sServerKeyBits:
923 		intptr = &options->server_key_bits;
924  parse_int:
925 		arg = strdelim(&cp);
926 		if (!arg || *arg == '\0')
927 			fatal("%s line %d: missing integer value.",
928 			    filename, linenum);
929 		value = atoi(arg);
930 		if (*activep && *intptr == -1)
931 			*intptr = value;
932 		break;
933 
934 	case sLoginGraceTime:
935 		intptr = &options->login_grace_time;
936  parse_time:
937 		arg = strdelim(&cp);
938 		if (!arg || *arg == '\0')
939 			fatal("%s line %d: missing time value.",
940 			    filename, linenum);
941 		if ((value = convtime(arg)) == -1)
942 			fatal("%s line %d: invalid time value.",
943 			    filename, linenum);
944 		if (*intptr == -1)
945 			*intptr = value;
946 		break;
947 
948 	case sKeyRegenerationTime:
949 		intptr = &options->key_regeneration_time;
950 		goto parse_time;
951 
952 	case sListenAddress:
953 		arg = strdelim(&cp);
954 		if (arg == NULL || *arg == '\0')
955 			fatal("%s line %d: missing address",
956 			    filename, linenum);
957 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
958 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
959 		    && strchr(p+1, ':') != NULL) {
960 			add_listen_addr(options, arg, 0);
961 			break;
962 		}
963 		p = hpdelim(&arg);
964 		if (p == NULL)
965 			fatal("%s line %d: bad address:port usage",
966 			    filename, linenum);
967 		p = cleanhostname(p);
968 		if (arg == NULL)
969 			port = 0;
970 		else if ((port = a2port(arg)) <= 0)
971 			fatal("%s line %d: bad port number", filename, linenum);
972 
973 		add_listen_addr(options, p, port);
974 
975 		break;
976 
977 	case sAddressFamily:
978 		intptr = &options->address_family;
979 		multistate_ptr = multistate_addressfamily;
980 		if (options->listen_addrs != NULL)
981 			fatal("%s line %d: address family must be specified "
982 			    "before ListenAddress.", filename, linenum);
983  parse_multistate:
984 		arg = strdelim(&cp);
985 		if (!arg || *arg == '\0')
986 			fatal("%s line %d: missing argument.",
987 			    filename, linenum);
988 		value = -1;
989 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
990 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
991 				value = multistate_ptr[i].value;
992 				break;
993 			}
994 		}
995 		if (value == -1)
996 			fatal("%s line %d: unsupported option \"%s\".",
997 			    filename, linenum, arg);
998 		if (*activep && *intptr == -1)
999 			*intptr = value;
1000 		break;
1001 
1002 	case sHostKeyFile:
1003 		intptr = &options->num_host_key_files;
1004 		if (*intptr >= MAX_HOSTKEYS)
1005 			fatal("%s line %d: too many host keys specified (max %d).",
1006 			    filename, linenum, MAX_HOSTKEYS);
1007 		charptr = &options->host_key_files[*intptr];
1008  parse_filename:
1009 		arg = strdelim(&cp);
1010 		if (!arg || *arg == '\0')
1011 			fatal("%s line %d: missing file name.",
1012 			    filename, linenum);
1013 		if (*activep && *charptr == NULL) {
1014 			*charptr = derelativise_path(arg);
1015 			/* increase optional counter */
1016 			if (intptr != NULL)
1017 				*intptr = *intptr + 1;
1018 		}
1019 		break;
1020 
1021 	case sHostCertificate:
1022 		intptr = &options->num_host_cert_files;
1023 		if (*intptr >= MAX_HOSTKEYS)
1024 			fatal("%s line %d: too many host certificates "
1025 			    "specified (max %d).", filename, linenum,
1026 			    MAX_HOSTCERTS);
1027 		charptr = &options->host_cert_files[*intptr];
1028 		goto parse_filename;
1029 		break;
1030 
1031 	case sPidFile:
1032 		charptr = &options->pid_file;
1033 		goto parse_filename;
1034 
1035 	case sPermitRootLogin:
1036 		intptr = &options->permit_root_login;
1037 		multistate_ptr = multistate_permitrootlogin;
1038 		goto parse_multistate;
1039 
1040 	case sIgnoreRhosts:
1041 		intptr = &options->ignore_rhosts;
1042  parse_flag:
1043 		arg = strdelim(&cp);
1044 		if (!arg || *arg == '\0')
1045 			fatal("%s line %d: missing yes/no argument.",
1046 			    filename, linenum);
1047 		value = 0;	/* silence compiler */
1048 		if (strcmp(arg, "yes") == 0)
1049 			value = 1;
1050 		else if (strcmp(arg, "no") == 0)
1051 			value = 0;
1052 		else
1053 			fatal("%s line %d: Bad yes/no argument: %s",
1054 				filename, linenum, arg);
1055 		if (*activep && *intptr == -1)
1056 			*intptr = value;
1057 		break;
1058 
1059 	case sIgnoreUserKnownHosts:
1060 		intptr = &options->ignore_user_known_hosts;
1061 		goto parse_flag;
1062 
1063 	case sRhostsRSAAuthentication:
1064 		intptr = &options->rhosts_rsa_authentication;
1065 		goto parse_flag;
1066 
1067 	case sHostbasedAuthentication:
1068 		intptr = &options->hostbased_authentication;
1069 		goto parse_flag;
1070 
1071 	case sHostbasedUsesNameFromPacketOnly:
1072 		intptr = &options->hostbased_uses_name_from_packet_only;
1073 		goto parse_flag;
1074 
1075 	case sRSAAuthentication:
1076 		intptr = &options->rsa_authentication;
1077 		goto parse_flag;
1078 
1079 	case sPubkeyAuthentication:
1080 		intptr = &options->pubkey_authentication;
1081 		goto parse_flag;
1082 
1083 	case sKerberosAuthentication:
1084 		intptr = &options->kerberos_authentication;
1085 		goto parse_flag;
1086 
1087 	case sKerberosOrLocalPasswd:
1088 		intptr = &options->kerberos_or_local_passwd;
1089 		goto parse_flag;
1090 
1091 	case sKerberosTicketCleanup:
1092 		intptr = &options->kerberos_ticket_cleanup;
1093 		goto parse_flag;
1094 
1095 	case sKerberosGetAFSToken:
1096 		intptr = &options->kerberos_get_afs_token;
1097 		goto parse_flag;
1098 
1099 	case sGssAuthentication:
1100 		intptr = &options->gss_authentication;
1101 		goto parse_flag;
1102 
1103 	case sGssCleanupCreds:
1104 		intptr = &options->gss_cleanup_creds;
1105 		goto parse_flag;
1106 
1107 	case sPasswordAuthentication:
1108 		intptr = &options->password_authentication;
1109 		goto parse_flag;
1110 
1111 	case sZeroKnowledgePasswordAuthentication:
1112 		intptr = &options->zero_knowledge_password_authentication;
1113 		goto parse_flag;
1114 
1115 	case sKbdInteractiveAuthentication:
1116 		intptr = &options->kbd_interactive_authentication;
1117 		goto parse_flag;
1118 
1119 	case sChallengeResponseAuthentication:
1120 		intptr = &options->challenge_response_authentication;
1121 		goto parse_flag;
1122 
1123 	case sPrintMotd:
1124 		intptr = &options->print_motd;
1125 		goto parse_flag;
1126 
1127 	case sPrintLastLog:
1128 		intptr = &options->print_lastlog;
1129 		goto parse_flag;
1130 
1131 	case sX11Forwarding:
1132 		intptr = &options->x11_forwarding;
1133 		goto parse_flag;
1134 
1135 	case sX11DisplayOffset:
1136 		intptr = &options->x11_display_offset;
1137 		goto parse_int;
1138 
1139 	case sX11UseLocalhost:
1140 		intptr = &options->x11_use_localhost;
1141 		goto parse_flag;
1142 
1143 	case sXAuthLocation:
1144 		charptr = &options->xauth_location;
1145 		goto parse_filename;
1146 
1147 	case sStrictModes:
1148 		intptr = &options->strict_modes;
1149 		goto parse_flag;
1150 
1151 	case sTCPKeepAlive:
1152 		intptr = &options->tcp_keep_alive;
1153 		goto parse_flag;
1154 
1155 	case sEmptyPasswd:
1156 		intptr = &options->permit_empty_passwd;
1157 		goto parse_flag;
1158 
1159 	case sPermitUserEnvironment:
1160 		intptr = &options->permit_user_env;
1161 		goto parse_flag;
1162 
1163 	case sUseLogin:
1164 		intptr = &options->use_login;
1165 		goto parse_flag;
1166 
1167 	case sCompression:
1168 		intptr = &options->compression;
1169 		multistate_ptr = multistate_compression;
1170 		goto parse_multistate;
1171 
1172 	case sGatewayPorts:
1173 		intptr = &options->gateway_ports;
1174 		multistate_ptr = multistate_gatewayports;
1175 		goto parse_multistate;
1176 
1177 	case sUseDNS:
1178 		intptr = &options->use_dns;
1179 		goto parse_flag;
1180 
1181 	case sLogFacility:
1182 		log_facility_ptr = &options->log_facility;
1183 		arg = strdelim(&cp);
1184 		value = log_facility_number(arg);
1185 		if (value == SYSLOG_FACILITY_NOT_SET)
1186 			fatal("%.200s line %d: unsupported log facility '%s'",
1187 			    filename, linenum, arg ? arg : "<NONE>");
1188 		if (*log_facility_ptr == -1)
1189 			*log_facility_ptr = (SyslogFacility) value;
1190 		break;
1191 
1192 	case sLogLevel:
1193 		log_level_ptr = &options->log_level;
1194 		arg = strdelim(&cp);
1195 		value = log_level_number(arg);
1196 		if (value == SYSLOG_LEVEL_NOT_SET)
1197 			fatal("%.200s line %d: unsupported log level '%s'",
1198 			    filename, linenum, arg ? arg : "<NONE>");
1199 		if (*log_level_ptr == -1)
1200 			*log_level_ptr = (LogLevel) value;
1201 		break;
1202 
1203 	case sAllowTcpForwarding:
1204 		intptr = &options->allow_tcp_forwarding;
1205 		multistate_ptr = multistate_tcpfwd;
1206 		goto parse_multistate;
1207 
1208 	case sAllowAgentForwarding:
1209 		intptr = &options->allow_agent_forwarding;
1210 		goto parse_flag;
1211 
1212 	case sUsePrivilegeSeparation:
1213 		intptr = &use_privsep;
1214 		multistate_ptr = multistate_privsep;
1215 		goto parse_multistate;
1216 
1217 	case sAllowUsers:
1218 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1219 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1220 				fatal("%s line %d: too many allow users.",
1221 				    filename, linenum);
1222 			if (!*activep)
1223 				continue;
1224 			options->allow_users[options->num_allow_users++] =
1225 			    xstrdup(arg);
1226 		}
1227 		break;
1228 
1229 	case sDenyUsers:
1230 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1231 			if (options->num_deny_users >= MAX_DENY_USERS)
1232 				fatal("%s line %d: too many deny users.",
1233 				    filename, linenum);
1234 			if (!*activep)
1235 				continue;
1236 			options->deny_users[options->num_deny_users++] =
1237 			    xstrdup(arg);
1238 		}
1239 		break;
1240 
1241 	case sAllowGroups:
1242 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1243 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1244 				fatal("%s line %d: too many allow groups.",
1245 				    filename, linenum);
1246 			if (!*activep)
1247 				continue;
1248 			options->allow_groups[options->num_allow_groups++] =
1249 			    xstrdup(arg);
1250 		}
1251 		break;
1252 
1253 	case sDenyGroups:
1254 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1255 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1256 				fatal("%s line %d: too many deny groups.",
1257 				    filename, linenum);
1258 			if (!*activep)
1259 				continue;
1260 			options->deny_groups[options->num_deny_groups++] =
1261 			    xstrdup(arg);
1262 		}
1263 		break;
1264 
1265 	case sCiphers:
1266 		arg = strdelim(&cp);
1267 		if (!arg || *arg == '\0')
1268 			fatal("%s line %d: Missing argument.", filename, linenum);
1269 		if (!ciphers_valid(arg))
1270 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1271 			    filename, linenum, arg ? arg : "<NONE>");
1272 		if (options->ciphers == NULL)
1273 			options->ciphers = xstrdup(arg);
1274 		break;
1275 
1276 	case sMacs:
1277 		arg = strdelim(&cp);
1278 		if (!arg || *arg == '\0')
1279 			fatal("%s line %d: Missing argument.", filename, linenum);
1280 		if (!mac_valid(arg))
1281 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1282 			    filename, linenum, arg ? arg : "<NONE>");
1283 		if (options->macs == NULL)
1284 			options->macs = xstrdup(arg);
1285 		break;
1286 
1287 	case sKexAlgorithms:
1288 		arg = strdelim(&cp);
1289 		if (!arg || *arg == '\0')
1290 			fatal("%s line %d: Missing argument.",
1291 			    filename, linenum);
1292 		if (!kex_names_valid(arg))
1293 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1294 			    filename, linenum, arg ? arg : "<NONE>");
1295 		if (options->kex_algorithms == NULL)
1296 			options->kex_algorithms = xstrdup(arg);
1297 		break;
1298 
1299 	case sProtocol:
1300 		intptr = &options->protocol;
1301 		arg = strdelim(&cp);
1302 		if (!arg || *arg == '\0')
1303 			fatal("%s line %d: Missing argument.", filename, linenum);
1304 		value = proto_spec(arg);
1305 		if (value == SSH_PROTO_UNKNOWN)
1306 			fatal("%s line %d: Bad protocol spec '%s'.",
1307 			    filename, linenum, arg ? arg : "<NONE>");
1308 		if (*intptr == SSH_PROTO_UNKNOWN)
1309 			*intptr = value;
1310 		break;
1311 
1312 	case sSubsystem:
1313 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1314 			fatal("%s line %d: too many subsystems defined.",
1315 			    filename, linenum);
1316 		}
1317 		arg = strdelim(&cp);
1318 		if (!arg || *arg == '\0')
1319 			fatal("%s line %d: Missing subsystem name.",
1320 			    filename, linenum);
1321 		if (!*activep) {
1322 			arg = strdelim(&cp);
1323 			break;
1324 		}
1325 		for (i = 0; i < options->num_subsystems; i++)
1326 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1327 				fatal("%s line %d: Subsystem '%s' already defined.",
1328 				    filename, linenum, arg);
1329 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1330 		arg = strdelim(&cp);
1331 		if (!arg || *arg == '\0')
1332 			fatal("%s line %d: Missing subsystem command.",
1333 			    filename, linenum);
1334 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1335 
1336 		/* Collect arguments (separate to executable) */
1337 		p = xstrdup(arg);
1338 		len = strlen(p) + 1;
1339 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1340 			len += 1 + strlen(arg);
1341 			p = xrealloc(p, 1, len);
1342 			strlcat(p, " ", len);
1343 			strlcat(p, arg, len);
1344 		}
1345 		options->subsystem_args[options->num_subsystems] = p;
1346 		options->num_subsystems++;
1347 		break;
1348 
1349 	case sMaxStartups:
1350 		arg = strdelim(&cp);
1351 		if (!arg || *arg == '\0')
1352 			fatal("%s line %d: Missing MaxStartups spec.",
1353 			    filename, linenum);
1354 		if ((n = sscanf(arg, "%d:%d:%d",
1355 		    &options->max_startups_begin,
1356 		    &options->max_startups_rate,
1357 		    &options->max_startups)) == 3) {
1358 			if (options->max_startups_begin >
1359 			    options->max_startups ||
1360 			    options->max_startups_rate > 100 ||
1361 			    options->max_startups_rate < 1)
1362 				fatal("%s line %d: Illegal MaxStartups spec.",
1363 				    filename, linenum);
1364 		} else if (n != 1)
1365 			fatal("%s line %d: Illegal MaxStartups spec.",
1366 			    filename, linenum);
1367 		else
1368 			options->max_startups = options->max_startups_begin;
1369 		break;
1370 
1371 	case sMaxAuthTries:
1372 		intptr = &options->max_authtries;
1373 		goto parse_int;
1374 
1375 	case sMaxSessions:
1376 		intptr = &options->max_sessions;
1377 		goto parse_int;
1378 
1379 	case sBanner:
1380 		charptr = &options->banner;
1381 		goto parse_filename;
1382 
1383 	/*
1384 	 * These options can contain %X options expanded at
1385 	 * connect time, so that you can specify paths like:
1386 	 *
1387 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1388 	 */
1389 	case sAuthorizedKeysFile:
1390 		if (*activep && options->num_authkeys_files == 0) {
1391 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1392 				if (options->num_authkeys_files >=
1393 				    MAX_AUTHKEYS_FILES)
1394 					fatal("%s line %d: "
1395 					    "too many authorized keys files.",
1396 					    filename, linenum);
1397 				options->authorized_keys_files[
1398 				    options->num_authkeys_files++] =
1399 				    tilde_expand_filename(arg, getuid());
1400 			}
1401 		}
1402 		return 0;
1403 
1404 	case sAuthorizedPrincipalsFile:
1405 		charptr = &options->authorized_principals_file;
1406 		arg = strdelim(&cp);
1407 		if (!arg || *arg == '\0')
1408 			fatal("%s line %d: missing file name.",
1409 			    filename, linenum);
1410 		if (*activep && *charptr == NULL) {
1411 			*charptr = tilde_expand_filename(arg, getuid());
1412 			/* increase optional counter */
1413 			if (intptr != NULL)
1414 				*intptr = *intptr + 1;
1415 		}
1416 		break;
1417 
1418 	case sClientAliveInterval:
1419 		intptr = &options->client_alive_interval;
1420 		goto parse_time;
1421 
1422 	case sClientAliveCountMax:
1423 		intptr = &options->client_alive_count_max;
1424 		goto parse_int;
1425 
1426 	case sAcceptEnv:
1427 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1428 			if (strchr(arg, '=') != NULL)
1429 				fatal("%s line %d: Invalid environment name.",
1430 				    filename, linenum);
1431 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1432 				fatal("%s line %d: too many allow env.",
1433 				    filename, linenum);
1434 			if (!*activep)
1435 				continue;
1436 			options->accept_env[options->num_accept_env++] =
1437 			    xstrdup(arg);
1438 		}
1439 		break;
1440 
1441 	case sPermitTunnel:
1442 		intptr = &options->permit_tun;
1443 		arg = strdelim(&cp);
1444 		if (!arg || *arg == '\0')
1445 			fatal("%s line %d: Missing yes/point-to-point/"
1446 			    "ethernet/no argument.", filename, linenum);
1447 		value = -1;
1448 		for (i = 0; tunmode_desc[i].val != -1; i++)
1449 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1450 				value = tunmode_desc[i].val;
1451 				break;
1452 			}
1453 		if (value == -1)
1454 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1455 			    "no argument: %s", filename, linenum, arg);
1456 		if (*intptr == -1)
1457 			*intptr = value;
1458 		break;
1459 
1460 	case sMatch:
1461 		if (cmdline)
1462 			fatal("Match directive not supported as a command-line "
1463 			   "option");
1464 		value = match_cfg_line(&cp, linenum, connectinfo);
1465 		if (value < 0)
1466 			fatal("%s line %d: Bad Match condition", filename,
1467 			    linenum);
1468 		*activep = value;
1469 		break;
1470 
1471 	case sPermitOpen:
1472 		arg = strdelim(&cp);
1473 		if (!arg || *arg == '\0')
1474 			fatal("%s line %d: missing PermitOpen specification",
1475 			    filename, linenum);
1476 		n = options->num_permitted_opens;	/* modified later */
1477 		if (strcmp(arg, "any") == 0) {
1478 			if (*activep && n == -1) {
1479 				channel_clear_adm_permitted_opens();
1480 				options->num_permitted_opens = 0;
1481 			}
1482 			break;
1483 		}
1484 		if (strcmp(arg, "none") == 0) {
1485 			if (*activep && n == -1) {
1486 				options->num_permitted_opens = 1;
1487 				channel_disable_adm_local_opens();
1488 			}
1489 			break;
1490 		}
1491 		if (*activep && n == -1)
1492 			channel_clear_adm_permitted_opens();
1493 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1494 			p = hpdelim(&arg);
1495 			if (p == NULL)
1496 				fatal("%s line %d: missing host in PermitOpen",
1497 				    filename, linenum);
1498 			p = cleanhostname(p);
1499 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1500 				fatal("%s line %d: bad port number in "
1501 				    "PermitOpen", filename, linenum);
1502 			if (*activep && n == -1)
1503 				options->num_permitted_opens =
1504 				    channel_add_adm_permitted_opens(p, port);
1505 		}
1506 		break;
1507 
1508 	case sForceCommand:
1509 		if (cp == NULL)
1510 			fatal("%.200s line %d: Missing argument.", filename,
1511 			    linenum);
1512 		len = strspn(cp, WHITESPACE);
1513 		if (*activep && options->adm_forced_command == NULL)
1514 			options->adm_forced_command = xstrdup(cp + len);
1515 		return 0;
1516 
1517 	case sChrootDirectory:
1518 		charptr = &options->chroot_directory;
1519 
1520 		arg = strdelim(&cp);
1521 		if (!arg || *arg == '\0')
1522 			fatal("%s line %d: missing file name.",
1523 			    filename, linenum);
1524 		if (*activep && *charptr == NULL)
1525 			*charptr = xstrdup(arg);
1526 		break;
1527 
1528 	case sTrustedUserCAKeys:
1529 		charptr = &options->trusted_user_ca_keys;
1530 		goto parse_filename;
1531 
1532 	case sRevokedKeys:
1533 		charptr = &options->revoked_keys_file;
1534 		goto parse_filename;
1535 
1536 	case sIPQoS:
1537 		arg = strdelim(&cp);
1538 		if ((value = parse_ipqos(arg)) == -1)
1539 			fatal("%s line %d: Bad IPQoS value: %s",
1540 			    filename, linenum, arg);
1541 		arg = strdelim(&cp);
1542 		if (arg == NULL)
1543 			value2 = value;
1544 		else if ((value2 = parse_ipqos(arg)) == -1)
1545 			fatal("%s line %d: Bad IPQoS value: %s",
1546 			    filename, linenum, arg);
1547 		if (*activep) {
1548 			options->ip_qos_interactive = value;
1549 			options->ip_qos_bulk = value2;
1550 		}
1551 		break;
1552 
1553 	case sVersionAddendum:
1554 		if (cp == NULL)
1555 			fatal("%.200s line %d: Missing argument.", filename,
1556 			    linenum);
1557 		len = strspn(cp, WHITESPACE);
1558 		if (*activep && options->version_addendum == NULL) {
1559 			if (strcasecmp(cp + len, "none") == 0)
1560 				options->version_addendum = xstrdup("");
1561 			else if (strchr(cp + len, '\r') != NULL)
1562 				fatal("%.200s line %d: Invalid argument",
1563 				    filename, linenum);
1564 			else
1565 				options->version_addendum = xstrdup(cp + len);
1566 		}
1567 		return 0;
1568 
1569 	case sAuthorizedKeysCommand:
1570 		len = strspn(cp, WHITESPACE);
1571 		if (*activep && options->authorized_keys_command == NULL) {
1572 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1573 				fatal("%.200s line %d: AuthorizedKeysCommand "
1574 				    "must be an absolute path",
1575 				    filename, linenum);
1576 			options->authorized_keys_command = xstrdup(cp + len);
1577 		}
1578 		return 0;
1579 
1580 	case sAuthorizedKeysCommandUser:
1581 		charptr = &options->authorized_keys_command_user;
1582 
1583 		arg = strdelim(&cp);
1584 		if (*activep && *charptr == NULL)
1585 			*charptr = xstrdup(arg);
1586 		break;
1587 
1588 	case sAuthenticationMethods:
1589 		if (*activep && options->num_auth_methods == 0) {
1590 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1591 				if (options->num_auth_methods >=
1592 				    MAX_AUTH_METHODS)
1593 					fatal("%s line %d: "
1594 					    "too many authentication methods.",
1595 					    filename, linenum);
1596 				if (auth2_methods_valid(arg, 0) != 0)
1597 					fatal("%s line %d: invalid "
1598 					    "authentication method list.",
1599 					    filename, linenum);
1600 				options->auth_methods[
1601 				    options->num_auth_methods++] = xstrdup(arg);
1602 			}
1603 		}
1604 		return 0;
1605 
1606 	case sHPNDisabled:
1607 		intptr = &options->hpn_disabled;
1608 		goto parse_flag;
1609 
1610 	case sHPNBufferSize:
1611 		intptr = &options->hpn_buffer_size;
1612 		goto parse_int;
1613 
1614 	case sTcpRcvBufPoll:
1615 		intptr = &options->tcp_rcv_buf_poll;
1616 		goto parse_flag;
1617 
1618 #ifdef	NONE_CIPHER_ENABLED
1619 	case sNoneEnabled:
1620 		intptr = &options->none_enabled;
1621 		goto parse_flag;
1622 #endif
1623 
1624 	case sDeprecated:
1625 		logit("%s line %d: Deprecated option %s",
1626 		    filename, linenum, arg);
1627 		while (arg)
1628 		    arg = strdelim(&cp);
1629 		break;
1630 
1631 	case sUnsupported:
1632 		logit("%s line %d: Unsupported option %s",
1633 		    filename, linenum, arg);
1634 		while (arg)
1635 		    arg = strdelim(&cp);
1636 		break;
1637 
1638 	default:
1639 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1640 		    filename, linenum, arg, opcode);
1641 	}
1642 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1643 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1644 		    filename, linenum, arg);
1645 	return 0;
1646 }
1647 
1648 /* Reads the server configuration file. */
1649 
1650 void
1651 load_server_config(const char *filename, Buffer *conf)
1652 {
1653 	char line[4096], *cp;
1654 	FILE *f;
1655 	int lineno = 0;
1656 
1657 	debug2("%s: filename %s", __func__, filename);
1658 	if ((f = fopen(filename, "r")) == NULL) {
1659 		perror(filename);
1660 		exit(1);
1661 	}
1662 	buffer_clear(conf);
1663 	while (fgets(line, sizeof(line), f)) {
1664 		lineno++;
1665 		if (strlen(line) == sizeof(line) - 1)
1666 			fatal("%s line %d too long", filename, lineno);
1667 		/*
1668 		 * Trim out comments and strip whitespace
1669 		 * NB - preserve newlines, they are needed to reproduce
1670 		 * line numbers later for error messages
1671 		 */
1672 		if ((cp = strchr(line, '#')) != NULL)
1673 			memcpy(cp, "\n", 2);
1674 		cp = line + strspn(line, " \t\r");
1675 
1676 		buffer_append(conf, cp, strlen(cp));
1677 	}
1678 	buffer_append(conf, "\0", 1);
1679 	fclose(f);
1680 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1681 }
1682 
1683 void
1684 parse_server_match_config(ServerOptions *options,
1685    struct connection_info *connectinfo)
1686 {
1687 	ServerOptions mo;
1688 
1689 	initialize_server_options(&mo);
1690 	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1691 	copy_set_server_options(options, &mo, 0);
1692 }
1693 
1694 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1695 {
1696 	char *p;
1697 
1698 	while ((p = strsep(&spec, ",")) && *p != '\0') {
1699 		if (strncmp(p, "addr=", 5) == 0) {
1700 			ci->address = xstrdup(p + 5);
1701 		} else if (strncmp(p, "host=", 5) == 0) {
1702 			ci->host = xstrdup(p + 5);
1703 		} else if (strncmp(p, "user=", 5) == 0) {
1704 			ci->user = xstrdup(p + 5);
1705 		} else if (strncmp(p, "laddr=", 6) == 0) {
1706 			ci->laddress = xstrdup(p + 6);
1707 		} else if (strncmp(p, "lport=", 6) == 0) {
1708 			ci->lport = a2port(p + 6);
1709 			if (ci->lport == -1) {
1710 				fprintf(stderr, "Invalid port '%s' in test mode"
1711 				   " specification %s\n", p+6, p);
1712 				return -1;
1713 			}
1714 		} else {
1715 			fprintf(stderr, "Invalid test mode specification %s\n",
1716 			   p);
1717 			return -1;
1718 		}
1719 	}
1720 	return 0;
1721 }
1722 
1723 /*
1724  * returns 1 for a complete spec, 0 for partial spec and -1 for an
1725  * empty spec.
1726  */
1727 int server_match_spec_complete(struct connection_info *ci)
1728 {
1729 	if (ci->user && ci->host && ci->address)
1730 		return 1;	/* complete */
1731 	if (!ci->user && !ci->host && !ci->address)
1732 		return -1;	/* empty */
1733 	return 0;	/* partial */
1734 }
1735 
1736 /* Helper macros */
1737 #define M_CP_INTOPT(n) do {\
1738 	if (src->n != -1) \
1739 		dst->n = src->n; \
1740 } while (0)
1741 #define M_CP_STROPT(n) do {\
1742 	if (src->n != NULL) { \
1743 		if (dst->n != NULL) \
1744 			xfree(dst->n); \
1745 		dst->n = src->n; \
1746 	} \
1747 } while(0)
1748 #define M_CP_STRARRAYOPT(n, num_n) do {\
1749 	if (src->num_n != 0) { \
1750 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1751 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1752 	} \
1753 } while(0)
1754 
1755 /*
1756  * Copy any supported values that are set.
1757  *
1758  * If the preauth flag is set, we do not bother copying the string or
1759  * array values that are not used pre-authentication, because any that we
1760  * do use must be explictly sent in mm_getpwnamallow().
1761  */
1762 void
1763 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1764 {
1765 	M_CP_INTOPT(password_authentication);
1766 	M_CP_INTOPT(gss_authentication);
1767 	M_CP_INTOPT(rsa_authentication);
1768 	M_CP_INTOPT(pubkey_authentication);
1769 	M_CP_INTOPT(kerberos_authentication);
1770 	M_CP_INTOPT(hostbased_authentication);
1771 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1772 	M_CP_INTOPT(kbd_interactive_authentication);
1773 	M_CP_INTOPT(zero_knowledge_password_authentication);
1774 	M_CP_STROPT(authorized_keys_command);
1775 	M_CP_STROPT(authorized_keys_command_user);
1776 	M_CP_INTOPT(permit_root_login);
1777 	M_CP_INTOPT(permit_empty_passwd);
1778 
1779 	M_CP_INTOPT(allow_tcp_forwarding);
1780 	M_CP_INTOPT(allow_agent_forwarding);
1781 	M_CP_INTOPT(permit_tun);
1782 	M_CP_INTOPT(gateway_ports);
1783 	M_CP_INTOPT(x11_display_offset);
1784 	M_CP_INTOPT(x11_forwarding);
1785 	M_CP_INTOPT(x11_use_localhost);
1786 	M_CP_INTOPT(max_sessions);
1787 	M_CP_INTOPT(max_authtries);
1788 	M_CP_INTOPT(ip_qos_interactive);
1789 	M_CP_INTOPT(ip_qos_bulk);
1790 
1791 	/* See comment in servconf.h */
1792 	COPY_MATCH_STRING_OPTS();
1793 
1794 	/*
1795 	 * The only things that should be below this point are string options
1796 	 * which are only used after authentication.
1797 	 */
1798 	if (preauth)
1799 		return;
1800 
1801 	M_CP_STROPT(adm_forced_command);
1802 	M_CP_STROPT(chroot_directory);
1803 }
1804 
1805 #undef M_CP_INTOPT
1806 #undef M_CP_STROPT
1807 #undef M_CP_STRARRAYOPT
1808 
1809 void
1810 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1811     struct connection_info *connectinfo)
1812 {
1813 	int active, linenum, bad_options = 0;
1814 	char *cp, *obuf, *cbuf;
1815 
1816 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1817 
1818 	obuf = cbuf = xstrdup(buffer_ptr(conf));
1819 	active = connectinfo ? 0 : 1;
1820 	linenum = 1;
1821 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
1822 		if (process_server_config_line(options, cp, filename,
1823 		    linenum++, &active, connectinfo) != 0)
1824 			bad_options++;
1825 	}
1826 	xfree(obuf);
1827 	if (bad_options > 0)
1828 		fatal("%s: terminating, %d bad configuration options",
1829 		    filename, bad_options);
1830 }
1831 
1832 static const char *
1833 fmt_multistate_int(int val, const struct multistate *m)
1834 {
1835 	u_int i;
1836 
1837 	for (i = 0; m[i].key != NULL; i++) {
1838 		if (m[i].value == val)
1839 			return m[i].key;
1840 	}
1841 	return "UNKNOWN";
1842 }
1843 
1844 static const char *
1845 fmt_intarg(ServerOpCodes code, int val)
1846 {
1847 	if (val == -1)
1848 		return "unset";
1849 	switch (code) {
1850 	case sAddressFamily:
1851 		return fmt_multistate_int(val, multistate_addressfamily);
1852 	case sPermitRootLogin:
1853 		return fmt_multistate_int(val, multistate_permitrootlogin);
1854 	case sGatewayPorts:
1855 		return fmt_multistate_int(val, multistate_gatewayports);
1856 	case sCompression:
1857 		return fmt_multistate_int(val, multistate_compression);
1858 	case sUsePrivilegeSeparation:
1859 		return fmt_multistate_int(val, multistate_privsep);
1860 	case sAllowTcpForwarding:
1861 		return fmt_multistate_int(val, multistate_tcpfwd);
1862 	case sProtocol:
1863 		switch (val) {
1864 		case SSH_PROTO_1:
1865 			return "1";
1866 		case SSH_PROTO_2:
1867 			return "2";
1868 		case (SSH_PROTO_1|SSH_PROTO_2):
1869 			return "2,1";
1870 		default:
1871 			return "UNKNOWN";
1872 		}
1873 	default:
1874 		switch (val) {
1875 		case 0:
1876 			return "no";
1877 		case 1:
1878 			return "yes";
1879 		default:
1880 			return "UNKNOWN";
1881 		}
1882 	}
1883 }
1884 
1885 static const char *
1886 lookup_opcode_name(ServerOpCodes code)
1887 {
1888 	u_int i;
1889 
1890 	for (i = 0; keywords[i].name != NULL; i++)
1891 		if (keywords[i].opcode == code)
1892 			return(keywords[i].name);
1893 	return "UNKNOWN";
1894 }
1895 
1896 static void
1897 dump_cfg_int(ServerOpCodes code, int val)
1898 {
1899 	printf("%s %d\n", lookup_opcode_name(code), val);
1900 }
1901 
1902 static void
1903 dump_cfg_fmtint(ServerOpCodes code, int val)
1904 {
1905 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1906 }
1907 
1908 static void
1909 dump_cfg_string(ServerOpCodes code, const char *val)
1910 {
1911 	if (val == NULL)
1912 		return;
1913 	printf("%s %s\n", lookup_opcode_name(code), val);
1914 }
1915 
1916 static void
1917 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1918 {
1919 	u_int i;
1920 
1921 	for (i = 0; i < count; i++)
1922 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1923 }
1924 
1925 static void
1926 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1927 {
1928 	u_int i;
1929 
1930 	printf("%s", lookup_opcode_name(code));
1931 	for (i = 0; i < count; i++)
1932 		printf(" %s",  vals[i]);
1933 	printf("\n");
1934 }
1935 
1936 void
1937 dump_config(ServerOptions *o)
1938 {
1939 	u_int i;
1940 	int ret;
1941 	struct addrinfo *ai;
1942 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1943 
1944 	/* these are usually at the top of the config */
1945 	for (i = 0; i < o->num_ports; i++)
1946 		printf("port %d\n", o->ports[i]);
1947 	dump_cfg_fmtint(sProtocol, o->protocol);
1948 	dump_cfg_fmtint(sAddressFamily, o->address_family);
1949 
1950 	/* ListenAddress must be after Port */
1951 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1952 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1953 		    sizeof(addr), port, sizeof(port),
1954 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1955 			error("getnameinfo failed: %.100s",
1956 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1957 			    strerror(errno));
1958 		} else {
1959 			if (ai->ai_family == AF_INET6)
1960 				printf("listenaddress [%s]:%s\n", addr, port);
1961 			else
1962 				printf("listenaddress %s:%s\n", addr, port);
1963 		}
1964 	}
1965 
1966 	/* integer arguments */
1967 #ifdef USE_PAM
1968 	dump_cfg_int(sUsePAM, o->use_pam);
1969 #endif
1970 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
1971 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1972 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1973 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1974 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
1975 	dump_cfg_int(sMaxSessions, o->max_sessions);
1976 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1977 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1978 
1979 	/* formatted integer arguments */
1980 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1981 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1982 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1983 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1984 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1985 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1986 	    o->hostbased_uses_name_from_packet_only);
1987 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1988 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1989 #ifdef KRB5
1990 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1991 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1992 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1993 # ifdef USE_AFS
1994 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1995 # endif
1996 #endif
1997 #ifdef GSSAPI
1998 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1999 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2000 #endif
2001 #ifdef JPAKE
2002 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2003 	    o->zero_knowledge_password_authentication);
2004 #endif
2005 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2006 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2007 	    o->kbd_interactive_authentication);
2008 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2009 	    o->challenge_response_authentication);
2010 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2011 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2012 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2013 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2014 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2015 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2016 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2017 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2018 	dump_cfg_fmtint(sUseLogin, o->use_login);
2019 	dump_cfg_fmtint(sCompression, o->compression);
2020 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
2021 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2022 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2023 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2024 
2025 	/* string arguments */
2026 	dump_cfg_string(sPidFile, o->pid_file);
2027 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2028 	dump_cfg_string(sCiphers, o->ciphers);
2029 	dump_cfg_string(sMacs, o->macs);
2030 	dump_cfg_string(sBanner, o->banner);
2031 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2032 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2033 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2034 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2035 	dump_cfg_string(sAuthorizedPrincipalsFile,
2036 	    o->authorized_principals_file);
2037 	dump_cfg_string(sVersionAddendum, o->version_addendum);
2038 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2039 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2040 
2041 	/* string arguments requiring a lookup */
2042 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2043 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2044 
2045 	/* string array arguments */
2046 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2047 	    o->authorized_keys_files);
2048 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2049 	     o->host_key_files);
2050 	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2051 	     o->host_cert_files);
2052 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2053 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2054 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2055 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2056 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2057 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2058 	    o->num_auth_methods, o->auth_methods);
2059 
2060 	/* other arguments */
2061 	for (i = 0; i < o->num_subsystems; i++)
2062 		printf("subsystem %s %s\n", o->subsystem_name[i],
2063 		    o->subsystem_args[i]);
2064 
2065 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2066 	    o->max_startups_rate, o->max_startups);
2067 
2068 	for (i = 0; tunmode_desc[i].val != -1; i++)
2069 		if (tunmode_desc[i].val == o->permit_tun) {
2070 			s = tunmode_desc[i].text;
2071 			break;
2072 		}
2073 	dump_cfg_string(sPermitTunnel, s);
2074 
2075 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2076 	printf("%s\n", iptos2str(o->ip_qos_bulk));
2077 
2078 	channel_print_adm_permitted_opens();
2079 }
2080