xref: /freebsd/crypto/openssh/servconf.c (revision d4eeb02986980bf33dd56c41ceb9fc5f180c0d47)
1 
2 /* $OpenBSD: servconf.c,v 1.384 2022/03/18 04:04:11 djm Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/stat.h>
19 #ifdef __OpenBSD__
20 #include <sys/sysctl.h>
21 #endif
22 
23 #include <netinet/in.h>
24 #include <netinet/in_systm.h>
25 #include <netinet/ip.h>
26 #ifdef HAVE_NET_ROUTE_H
27 #include <net/route.h>
28 #endif
29 
30 #include <ctype.h>
31 #include <netdb.h>
32 #include <pwd.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include <signal.h>
37 #include <unistd.h>
38 #include <limits.h>
39 #include <stdarg.h>
40 #include <errno.h>
41 #ifdef HAVE_UTIL_H
42 #include <util.h>
43 #endif
44 #ifdef USE_SYSTEM_GLOB
45 # include <glob.h>
46 #else
47 # include "openbsd-compat/glob.h"
48 #endif
49 
50 #include "openbsd-compat/sys-queue.h"
51 #include "xmalloc.h"
52 #include "ssh.h"
53 #include "log.h"
54 #include "sshbuf.h"
55 #include "misc.h"
56 #include "servconf.h"
57 #include "compat.h"
58 #include "pathnames.h"
59 #include "cipher.h"
60 #include "sshkey.h"
61 #include "kex.h"
62 #include "mac.h"
63 #include "match.h"
64 #include "channels.h"
65 #include "groupaccess.h"
66 #include "canohost.h"
67 #include "packet.h"
68 #include "ssherr.h"
69 #include "hostfile.h"
70 #include "auth.h"
71 #include "myproposal.h"
72 #include "digest.h"
73 #include "version.h"
74 
75 static void add_listen_addr(ServerOptions *, const char *,
76     const char *, int);
77 static void add_one_listen_addr(ServerOptions *, const char *,
78     const char *, int);
79 static void parse_server_config_depth(ServerOptions *options,
80     const char *filename, struct sshbuf *conf, struct include_list *includes,
81     struct connection_info *connectinfo, int flags, int *activep, int depth);
82 
83 /* Use of privilege separation or not */
84 extern int use_privsep;
85 extern struct sshbuf *cfg;
86 
87 /* Initializes the server options to their default values. */
88 
89 void
90 initialize_server_options(ServerOptions *options)
91 {
92 	memset(options, 0, sizeof(*options));
93 
94 	/* Portable-specific options */
95 	options->use_pam = -1;
96 
97 	/* Standard Options */
98 	options->num_ports = 0;
99 	options->ports_from_cmdline = 0;
100 	options->queued_listen_addrs = NULL;
101 	options->num_queued_listens = 0;
102 	options->listen_addrs = NULL;
103 	options->num_listen_addrs = 0;
104 	options->address_family = -1;
105 	options->routing_domain = NULL;
106 	options->num_host_key_files = 0;
107 	options->num_host_cert_files = 0;
108 	options->host_key_agent = NULL;
109 	options->pid_file = NULL;
110 	options->login_grace_time = -1;
111 	options->permit_root_login = PERMIT_NOT_SET;
112 	options->ignore_rhosts = -1;
113 	options->ignore_user_known_hosts = -1;
114 	options->print_motd = -1;
115 	options->print_lastlog = -1;
116 	options->x11_forwarding = -1;
117 	options->x11_display_offset = -1;
118 	options->x11_use_localhost = -1;
119 	options->permit_tty = -1;
120 	options->permit_user_rc = -1;
121 	options->xauth_location = NULL;
122 	options->strict_modes = -1;
123 	options->tcp_keep_alive = -1;
124 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
125 	options->log_level = SYSLOG_LEVEL_NOT_SET;
126 	options->num_log_verbose = 0;
127 	options->log_verbose = NULL;
128 	options->hostbased_authentication = -1;
129 	options->hostbased_uses_name_from_packet_only = -1;
130 	options->hostbased_accepted_algos = NULL;
131 	options->hostkeyalgorithms = NULL;
132 	options->pubkey_authentication = -1;
133 	options->pubkey_auth_options = -1;
134 	options->pubkey_accepted_algos = NULL;
135 	options->kerberos_authentication = -1;
136 	options->kerberos_or_local_passwd = -1;
137 	options->kerberos_ticket_cleanup = -1;
138 	options->kerberos_get_afs_token = -1;
139 	options->gss_authentication=-1;
140 	options->gss_cleanup_creds = -1;
141 	options->gss_strict_acceptor = -1;
142 	options->password_authentication = -1;
143 	options->kbd_interactive_authentication = -1;
144 	options->permit_empty_passwd = -1;
145 	options->permit_user_env = -1;
146 	options->permit_user_env_allowlist = NULL;
147 	options->compression = -1;
148 	options->rekey_limit = -1;
149 	options->rekey_interval = -1;
150 	options->allow_tcp_forwarding = -1;
151 	options->allow_streamlocal_forwarding = -1;
152 	options->allow_agent_forwarding = -1;
153 	options->num_allow_users = 0;
154 	options->num_deny_users = 0;
155 	options->num_allow_groups = 0;
156 	options->num_deny_groups = 0;
157 	options->ciphers = NULL;
158 	options->macs = NULL;
159 	options->kex_algorithms = NULL;
160 	options->ca_sign_algorithms = NULL;
161 	options->fwd_opts.gateway_ports = -1;
162 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
163 	options->fwd_opts.streamlocal_bind_unlink = -1;
164 	options->num_subsystems = 0;
165 	options->max_startups_begin = -1;
166 	options->max_startups_rate = -1;
167 	options->max_startups = -1;
168 	options->per_source_max_startups = -1;
169 	options->per_source_masklen_ipv4 = -1;
170 	options->per_source_masklen_ipv6 = -1;
171 	options->max_authtries = -1;
172 	options->max_sessions = -1;
173 	options->banner = NULL;
174 	options->use_dns = -1;
175 	options->client_alive_interval = -1;
176 	options->client_alive_count_max = -1;
177 	options->num_authkeys_files = 0;
178 	options->num_accept_env = 0;
179 	options->num_setenv = 0;
180 	options->permit_tun = -1;
181 	options->permitted_opens = NULL;
182 	options->permitted_listens = NULL;
183 	options->adm_forced_command = NULL;
184 	options->chroot_directory = NULL;
185 	options->authorized_keys_command = NULL;
186 	options->authorized_keys_command_user = NULL;
187 	options->revoked_keys_file = NULL;
188 	options->sk_provider = NULL;
189 	options->trusted_user_ca_keys = NULL;
190 	options->authorized_principals_file = NULL;
191 	options->authorized_principals_command = NULL;
192 	options->authorized_principals_command_user = NULL;
193 	options->ip_qos_interactive = -1;
194 	options->ip_qos_bulk = -1;
195 	options->version_addendum = NULL;
196 	options->fingerprint_hash = -1;
197 	options->disable_forwarding = -1;
198 	options->expose_userauth_info = -1;
199 	options->use_blacklist = -1;
200 }
201 
202 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
203 static int
204 option_clear_or_none(const char *o)
205 {
206 	return o == NULL || strcasecmp(o, "none") == 0;
207 }
208 
209 static void
210 assemble_algorithms(ServerOptions *o)
211 {
212 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
213 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
214 	int r;
215 
216 	all_cipher = cipher_alg_list(',', 0);
217 	all_mac = mac_alg_list(',');
218 	all_kex = kex_alg_list(',');
219 	all_key = sshkey_alg_list(0, 0, 1, ',');
220 	all_sig = sshkey_alg_list(0, 1, 1, ',');
221 	/* remove unsupported algos from default lists */
222 	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
223 	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
224 	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
225 	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
226 	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
227 #define ASSEMBLE(what, defaults, all) \
228 	do { \
229 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
230 			fatal_fr(r, "%s", #what); \
231 	} while (0)
232 	ASSEMBLE(ciphers, def_cipher, all_cipher);
233 	ASSEMBLE(macs, def_mac, all_mac);
234 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
235 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
236 	ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
237 	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
238 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
239 #undef ASSEMBLE
240 	free(all_cipher);
241 	free(all_mac);
242 	free(all_kex);
243 	free(all_key);
244 	free(all_sig);
245 	free(def_cipher);
246 	free(def_mac);
247 	free(def_kex);
248 	free(def_key);
249 	free(def_sig);
250 }
251 
252 static const char *defaultkey = "[default]";
253 
254 void
255 servconf_add_hostkey(const char *file, const int line,
256     ServerOptions *options, const char *path, int userprovided)
257 {
258 	char *apath = derelativise_path(path);
259 
260 	if (file == defaultkey && access(path, R_OK) != 0)
261 		return;
262 	opt_array_append2(file, line, "HostKey",
263 	    &options->host_key_files, &options->host_key_file_userprovided,
264 	    &options->num_host_key_files, apath, userprovided);
265 	free(apath);
266 }
267 
268 void
269 servconf_add_hostcert(const char *file, const int line,
270     ServerOptions *options, const char *path)
271 {
272 	char *apath = derelativise_path(path);
273 
274 	opt_array_append(file, line, "HostCertificate",
275 	    &options->host_cert_files, &options->num_host_cert_files, apath);
276 	free(apath);
277 }
278 
279 void
280 fill_default_server_options(ServerOptions *options)
281 {
282 	u_int i;
283 
284 	/* Portable-specific options */
285 	if (options->use_pam == -1)
286 		options->use_pam = 1;
287 
288 	/* Standard Options */
289 	if (options->num_host_key_files == 0) {
290 		/* fill default hostkeys for protocols */
291 		servconf_add_hostkey(defaultkey, 0, options,
292 		    _PATH_HOST_RSA_KEY_FILE, 0);
293 #ifdef OPENSSL_HAS_ECC
294 		servconf_add_hostkey(defaultkey, 0, options,
295 		    _PATH_HOST_ECDSA_KEY_FILE, 0);
296 #endif
297 		servconf_add_hostkey(defaultkey, 0, options,
298 		    _PATH_HOST_ED25519_KEY_FILE, 0);
299 #ifdef WITH_XMSS
300 		servconf_add_hostkey(defaultkey, 0, options,
301 		    _PATH_HOST_XMSS_KEY_FILE, 0);
302 #endif /* WITH_XMSS */
303 	}
304 	if (options->num_host_key_files == 0)
305 		fatal("No host key files found");
306 	/* No certificates by default */
307 	if (options->num_ports == 0)
308 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
309 	if (options->address_family == -1)
310 		options->address_family = AF_UNSPEC;
311 	if (options->listen_addrs == NULL)
312 		add_listen_addr(options, NULL, NULL, 0);
313 	if (options->pid_file == NULL)
314 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
315 	if (options->moduli_file == NULL)
316 		options->moduli_file = xstrdup(_PATH_DH_MODULI);
317 	if (options->login_grace_time == -1)
318 		options->login_grace_time = 120;
319 	if (options->permit_root_login == PERMIT_NOT_SET)
320 		options->permit_root_login = PERMIT_NO;
321 	if (options->ignore_rhosts == -1)
322 		options->ignore_rhosts = 1;
323 	if (options->ignore_user_known_hosts == -1)
324 		options->ignore_user_known_hosts = 0;
325 	if (options->print_motd == -1)
326 		options->print_motd = 1;
327 	if (options->print_lastlog == -1)
328 		options->print_lastlog = 1;
329 	if (options->x11_forwarding == -1)
330 		options->x11_forwarding = 1;
331 	if (options->x11_display_offset == -1)
332 		options->x11_display_offset = 10;
333 	if (options->x11_use_localhost == -1)
334 		options->x11_use_localhost = 1;
335 	if (options->xauth_location == NULL)
336 		options->xauth_location = xstrdup(_PATH_XAUTH);
337 	if (options->permit_tty == -1)
338 		options->permit_tty = 1;
339 	if (options->permit_user_rc == -1)
340 		options->permit_user_rc = 1;
341 	if (options->strict_modes == -1)
342 		options->strict_modes = 1;
343 	if (options->tcp_keep_alive == -1)
344 		options->tcp_keep_alive = 1;
345 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
346 		options->log_facility = SYSLOG_FACILITY_AUTH;
347 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
348 		options->log_level = SYSLOG_LEVEL_INFO;
349 	if (options->hostbased_authentication == -1)
350 		options->hostbased_authentication = 0;
351 	if (options->hostbased_uses_name_from_packet_only == -1)
352 		options->hostbased_uses_name_from_packet_only = 0;
353 	if (options->pubkey_authentication == -1)
354 		options->pubkey_authentication = 1;
355 	if (options->pubkey_auth_options == -1)
356 		options->pubkey_auth_options = 0;
357 	if (options->kerberos_authentication == -1)
358 		options->kerberos_authentication = 0;
359 	if (options->kerberos_or_local_passwd == -1)
360 		options->kerberos_or_local_passwd = 1;
361 	if (options->kerberos_ticket_cleanup == -1)
362 		options->kerberos_ticket_cleanup = 1;
363 	if (options->kerberos_get_afs_token == -1)
364 		options->kerberos_get_afs_token = 0;
365 	if (options->gss_authentication == -1)
366 		options->gss_authentication = 0;
367 	if (options->gss_cleanup_creds == -1)
368 		options->gss_cleanup_creds = 1;
369 	if (options->gss_strict_acceptor == -1)
370 		options->gss_strict_acceptor = 1;
371 	if (options->password_authentication == -1)
372 		options->password_authentication = 0;
373 	if (options->kbd_interactive_authentication == -1)
374 		options->kbd_interactive_authentication = 1;
375 	if (options->permit_empty_passwd == -1)
376 		options->permit_empty_passwd = 0;
377 	if (options->permit_user_env == -1) {
378 		options->permit_user_env = 0;
379 		options->permit_user_env_allowlist = NULL;
380 	}
381 	if (options->compression == -1)
382 #ifdef WITH_ZLIB
383 		options->compression = COMP_DELAYED;
384 #else
385 		options->compression = COMP_NONE;
386 #endif
387 
388 	if (options->rekey_limit == -1)
389 		options->rekey_limit = 0;
390 	if (options->rekey_interval == -1)
391 		options->rekey_interval = 0;
392 	if (options->allow_tcp_forwarding == -1)
393 		options->allow_tcp_forwarding = FORWARD_ALLOW;
394 	if (options->allow_streamlocal_forwarding == -1)
395 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
396 	if (options->allow_agent_forwarding == -1)
397 		options->allow_agent_forwarding = 1;
398 	if (options->fwd_opts.gateway_ports == -1)
399 		options->fwd_opts.gateway_ports = 0;
400 	if (options->max_startups == -1)
401 		options->max_startups = 100;
402 	if (options->max_startups_rate == -1)
403 		options->max_startups_rate = 30;		/* 30% */
404 	if (options->max_startups_begin == -1)
405 		options->max_startups_begin = 10;
406 	if (options->per_source_max_startups == -1)
407 		options->per_source_max_startups = INT_MAX;
408 	if (options->per_source_masklen_ipv4 == -1)
409 		options->per_source_masklen_ipv4 = 32;
410 	if (options->per_source_masklen_ipv6 == -1)
411 		options->per_source_masklen_ipv6 = 128;
412 	if (options->max_authtries == -1)
413 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
414 	if (options->max_sessions == -1)
415 		options->max_sessions = DEFAULT_SESSIONS_MAX;
416 	if (options->use_dns == -1)
417 		options->use_dns = 1;
418 	if (options->client_alive_interval == -1)
419 		options->client_alive_interval = 0;
420 	if (options->client_alive_count_max == -1)
421 		options->client_alive_count_max = 3;
422 	if (options->num_authkeys_files == 0) {
423 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
424 		    &options->authorized_keys_files,
425 		    &options->num_authkeys_files,
426 		    _PATH_SSH_USER_PERMITTED_KEYS);
427 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
428 		    &options->authorized_keys_files,
429 		    &options->num_authkeys_files,
430 		    _PATH_SSH_USER_PERMITTED_KEYS2);
431 	}
432 	if (options->permit_tun == -1)
433 		options->permit_tun = SSH_TUNMODE_NO;
434 	if (options->ip_qos_interactive == -1)
435 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
436 	if (options->ip_qos_bulk == -1)
437 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
438 	if (options->version_addendum == NULL)
439 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
440 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
441 		options->fwd_opts.streamlocal_bind_mask = 0177;
442 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
443 		options->fwd_opts.streamlocal_bind_unlink = 0;
444 	if (options->fingerprint_hash == -1)
445 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
446 	if (options->disable_forwarding == -1)
447 		options->disable_forwarding = 0;
448 	if (options->expose_userauth_info == -1)
449 		options->expose_userauth_info = 0;
450 	if (options->sk_provider == NULL)
451 		options->sk_provider = xstrdup("internal");
452 	if (options->use_blacklist == -1)
453 		options->use_blacklist = 0;
454 
455 	assemble_algorithms(options);
456 
457 	/* Turn privilege separation and sandboxing on by default */
458 	if (use_privsep == -1)
459 		use_privsep = PRIVSEP_ON;
460 
461 #define CLEAR_ON_NONE(v) \
462 	do { \
463 		if (option_clear_or_none(v)) { \
464 			free(v); \
465 			v = NULL; \
466 		} \
467 	} while(0)
468 	CLEAR_ON_NONE(options->pid_file);
469 	CLEAR_ON_NONE(options->xauth_location);
470 	CLEAR_ON_NONE(options->banner);
471 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
472 	CLEAR_ON_NONE(options->revoked_keys_file);
473 	CLEAR_ON_NONE(options->sk_provider);
474 	CLEAR_ON_NONE(options->authorized_principals_file);
475 	CLEAR_ON_NONE(options->adm_forced_command);
476 	CLEAR_ON_NONE(options->chroot_directory);
477 	CLEAR_ON_NONE(options->routing_domain);
478 	CLEAR_ON_NONE(options->host_key_agent);
479 	for (i = 0; i < options->num_host_key_files; i++)
480 		CLEAR_ON_NONE(options->host_key_files[i]);
481 	for (i = 0; i < options->num_host_cert_files; i++)
482 		CLEAR_ON_NONE(options->host_cert_files[i]);
483 #undef CLEAR_ON_NONE
484 
485 	/* Similar handling for AuthenticationMethods=any */
486 	if (options->num_auth_methods == 1 &&
487 	    strcmp(options->auth_methods[0], "any") == 0) {
488 		free(options->auth_methods[0]);
489 		options->auth_methods[0] = NULL;
490 		options->num_auth_methods = 0;
491 	}
492 }
493 
494 /* Keyword tokens. */
495 typedef enum {
496 	sBadOption,		/* == unknown option */
497 	/* Portable-specific options */
498 	sUsePAM,
499 	/* Standard Options */
500 	sPort, sHostKeyFile, sLoginGraceTime,
501 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
502 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
503 	sKerberosGetAFSToken, sPasswordAuthentication,
504 	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
505 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
506 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
507 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
508 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
509 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
510 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
511 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
512 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
513 	sBanner, sUseDNS, sHostbasedAuthentication,
514 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
515 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
516 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
517 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
518 	sAcceptEnv, sSetEnv, sPermitTunnel,
519 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
520 	sUsePrivilegeSeparation, sAllowAgentForwarding,
521 	sHostCertificate, sInclude,
522 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
523 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
524 	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
525 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
526 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
527 	sStreamLocalBindMask, sStreamLocalBindUnlink,
528 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
529 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
530 	sUseBlacklist,
531 	sDeprecated, sIgnore, sUnsupported
532 } ServerOpCodes;
533 
534 #define SSHCFG_GLOBAL		0x01	/* allowed in main section of config */
535 #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
536 #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
537 #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
538 #define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
539 
540 /* Textual representation of the tokens. */
541 static struct {
542 	const char *name;
543 	ServerOpCodes opcode;
544 	u_int flags;
545 } keywords[] = {
546 	/* Portable-specific options */
547 #ifdef USE_PAM
548 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
549 #else
550 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
551 #endif
552 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
553 	/* Standard Options */
554 	{ "port", sPort, SSHCFG_GLOBAL },
555 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
556 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
557 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
558 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
559 	{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
560 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
561 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
562 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
563 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
564 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
565 	{ "loglevel", sLogLevel, SSHCFG_ALL },
566 	{ "logverbose", sLogVerbose, SSHCFG_ALL },
567 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
568 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
569 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
570 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
571 	{ "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
572 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
573 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
574 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
575 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
576 	{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
577 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
578 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
579 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
580 #ifdef KRB5
581 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
582 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
583 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
584 #ifdef USE_AFS
585 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
586 #else
587 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
588 #endif
589 #else
590 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
591 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
592 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
593 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
594 #endif
595 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
596 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
597 #ifdef GSSAPI
598 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
599 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
600 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
601 #else
602 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
603 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
604 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
605 #endif
606 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
607 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
608 	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
609 	{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
610 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
611 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
612 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
613 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
614 #ifdef DISABLE_LASTLOG
615 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
616 #else
617 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
618 #endif
619 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
620 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
621 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
622 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
623 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
624 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
625 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
626 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
627 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
628 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
629 	{ "compression", sCompression, SSHCFG_GLOBAL },
630 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
631 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
632 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
633 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
634 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
635 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
636 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
637 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
638 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
639 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
640 	{ "macs", sMacs, SSHCFG_GLOBAL },
641 	{ "protocol", sIgnore, SSHCFG_GLOBAL },
642 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
643 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
644 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
645 	{ "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
646 	{ "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
647 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
648 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
649 	{ "banner", sBanner, SSHCFG_ALL },
650 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
651 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
652 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
653 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
654 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
655 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
656 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
657 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
658 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
659 	{ "setenv", sSetEnv, SSHCFG_ALL },
660 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
661 	{ "permittty", sPermitTTY, SSHCFG_ALL },
662 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
663 	{ "match", sMatch, SSHCFG_ALL },
664 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
665 	{ "permitlisten", sPermitListen, SSHCFG_ALL },
666 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
667 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
668 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
669 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
670 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
671 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
672 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
673 	{ "include", sInclude, SSHCFG_ALL },
674 	{ "ipqos", sIPQoS, SSHCFG_ALL },
675 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
676 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
677 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
678 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
679 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
680 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
681 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
682 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
683 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
684 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
685 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
686 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
687 	{ "rdomain", sRDomain, SSHCFG_ALL },
688 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
689 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
690 	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
691 	{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
692 	{ "noneenabled", sUnsupported, SSHCFG_ALL },
693 	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
694 	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
695 	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
696 	{ NULL, sBadOption, 0 }
697 };
698 
699 static struct {
700 	int val;
701 	char *text;
702 } tunmode_desc[] = {
703 	{ SSH_TUNMODE_NO, "no" },
704 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
705 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
706 	{ SSH_TUNMODE_YES, "yes" },
707 	{ -1, NULL }
708 };
709 
710 /* Returns an opcode name from its number */
711 
712 static const char *
713 lookup_opcode_name(ServerOpCodes code)
714 {
715 	u_int i;
716 
717 	for (i = 0; keywords[i].name != NULL; i++)
718 		if (keywords[i].opcode == code)
719 			return(keywords[i].name);
720 	return "UNKNOWN";
721 }
722 
723 
724 /*
725  * Returns the number of the token pointed to by cp or sBadOption.
726  */
727 
728 static ServerOpCodes
729 parse_token(const char *cp, const char *filename,
730 	    int linenum, u_int *flags)
731 {
732 	u_int i;
733 
734 	for (i = 0; keywords[i].name; i++)
735 		if (strcasecmp(cp, keywords[i].name) == 0) {
736 			*flags = keywords[i].flags;
737 			return keywords[i].opcode;
738 		}
739 
740 	error("%s: line %d: Bad configuration option: %s",
741 	    filename, linenum, cp);
742 	return sBadOption;
743 }
744 
745 char *
746 derelativise_path(const char *path)
747 {
748 	char *expanded, *ret, cwd[PATH_MAX];
749 
750 	if (strcasecmp(path, "none") == 0)
751 		return xstrdup("none");
752 	expanded = tilde_expand_filename(path, getuid());
753 	if (path_absolute(expanded))
754 		return expanded;
755 	if (getcwd(cwd, sizeof(cwd)) == NULL)
756 		fatal_f("getcwd: %s", strerror(errno));
757 	xasprintf(&ret, "%s/%s", cwd, expanded);
758 	free(expanded);
759 	return ret;
760 }
761 
762 static void
763 add_listen_addr(ServerOptions *options, const char *addr,
764     const char *rdomain, int port)
765 {
766 	u_int i;
767 
768 	if (port > 0)
769 		add_one_listen_addr(options, addr, rdomain, port);
770 	else {
771 		for (i = 0; i < options->num_ports; i++) {
772 			add_one_listen_addr(options, addr, rdomain,
773 			    options->ports[i]);
774 		}
775 	}
776 }
777 
778 static void
779 add_one_listen_addr(ServerOptions *options, const char *addr,
780     const char *rdomain, int port)
781 {
782 	struct addrinfo hints, *ai, *aitop;
783 	char strport[NI_MAXSERV];
784 	int gaierr;
785 	u_int i;
786 
787 	/* Find listen_addrs entry for this rdomain */
788 	for (i = 0; i < options->num_listen_addrs; i++) {
789 		if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
790 			break;
791 		if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
792 			continue;
793 		if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
794 			break;
795 	}
796 	if (i >= options->num_listen_addrs) {
797 		/* No entry for this rdomain; allocate one */
798 		if (i >= INT_MAX)
799 			fatal_f("too many listen addresses");
800 		options->listen_addrs = xrecallocarray(options->listen_addrs,
801 		    options->num_listen_addrs, options->num_listen_addrs + 1,
802 		    sizeof(*options->listen_addrs));
803 		i = options->num_listen_addrs++;
804 		if (rdomain != NULL)
805 			options->listen_addrs[i].rdomain = xstrdup(rdomain);
806 	}
807 	/* options->listen_addrs[i] points to the addresses for this rdomain */
808 
809 	memset(&hints, 0, sizeof(hints));
810 	hints.ai_family = options->address_family;
811 	hints.ai_socktype = SOCK_STREAM;
812 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
813 	snprintf(strport, sizeof strport, "%d", port);
814 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
815 		fatal("bad addr or host: %s (%s)",
816 		    addr ? addr : "<NULL>",
817 		    ssh_gai_strerror(gaierr));
818 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
819 		;
820 	ai->ai_next = options->listen_addrs[i].addrs;
821 	options->listen_addrs[i].addrs = aitop;
822 }
823 
824 /* Returns nonzero if the routing domain name is valid */
825 static int
826 valid_rdomain(const char *name)
827 {
828 #if defined(HAVE_SYS_VALID_RDOMAIN)
829 	return sys_valid_rdomain(name);
830 #elif defined(__OpenBSD__)
831 	const char *errstr;
832 	long long num;
833 	struct rt_tableinfo info;
834 	int mib[6];
835 	size_t miblen = sizeof(mib);
836 
837 	if (name == NULL)
838 		return 1;
839 
840 	num = strtonum(name, 0, 255, &errstr);
841 	if (errstr != NULL)
842 		return 0;
843 
844 	/* Check whether the table actually exists */
845 	memset(mib, 0, sizeof(mib));
846 	mib[0] = CTL_NET;
847 	mib[1] = PF_ROUTE;
848 	mib[4] = NET_RT_TABLE;
849 	mib[5] = (int)num;
850 	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
851 		return 0;
852 
853 	return 1;
854 #else /* defined(__OpenBSD__) */
855 	error("Routing domains are not supported on this platform");
856 	return 0;
857 #endif
858 }
859 
860 /*
861  * Queue a ListenAddress to be processed once we have all of the Ports
862  * and AddressFamily options.
863  */
864 static void
865 queue_listen_addr(ServerOptions *options, const char *addr,
866     const char *rdomain, int port)
867 {
868 	struct queued_listenaddr *qla;
869 
870 	options->queued_listen_addrs = xrecallocarray(
871 	    options->queued_listen_addrs,
872 	    options->num_queued_listens, options->num_queued_listens + 1,
873 	    sizeof(*options->queued_listen_addrs));
874 	qla = &options->queued_listen_addrs[options->num_queued_listens++];
875 	qla->addr = xstrdup(addr);
876 	qla->port = port;
877 	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
878 }
879 
880 /*
881  * Process queued (text) ListenAddress entries.
882  */
883 static void
884 process_queued_listen_addrs(ServerOptions *options)
885 {
886 	u_int i;
887 	struct queued_listenaddr *qla;
888 
889 	if (options->num_ports == 0)
890 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
891 	if (options->address_family == -1)
892 		options->address_family = AF_UNSPEC;
893 
894 	for (i = 0; i < options->num_queued_listens; i++) {
895 		qla = &options->queued_listen_addrs[i];
896 		add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
897 		free(qla->addr);
898 		free(qla->rdomain);
899 	}
900 	free(options->queued_listen_addrs);
901 	options->queued_listen_addrs = NULL;
902 	options->num_queued_listens = 0;
903 }
904 
905 /*
906  * Inform channels layer of permitopen options for a single forwarding
907  * direction (local/remote).
908  */
909 static void
910 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
911     char **opens, u_int num_opens)
912 {
913 	u_int i;
914 	int port;
915 	char *host, *arg, *oarg;
916 	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
917 	const char *what = lookup_opcode_name(opcode);
918 
919 	channel_clear_permission(ssh, FORWARD_ADM, where);
920 	if (num_opens == 0)
921 		return; /* permit any */
922 
923 	/* handle keywords: "any" / "none" */
924 	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
925 		return;
926 	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
927 		channel_disable_admin(ssh, where);
928 		return;
929 	}
930 	/* Otherwise treat it as a list of permitted host:port */
931 	for (i = 0; i < num_opens; i++) {
932 		oarg = arg = xstrdup(opens[i]);
933 		host = hpdelim(&arg);
934 		if (host == NULL)
935 			fatal_f("missing host in %s", what);
936 		host = cleanhostname(host);
937 		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
938 			fatal_f("bad port number in %s", what);
939 		/* Send it to channels layer */
940 		channel_add_permission(ssh, FORWARD_ADM,
941 		    where, host, port);
942 		free(oarg);
943 	}
944 }
945 
946 /*
947  * Inform channels layer of permitopen options from configuration.
948  */
949 void
950 process_permitopen(struct ssh *ssh, ServerOptions *options)
951 {
952 	process_permitopen_list(ssh, sPermitOpen,
953 	    options->permitted_opens, options->num_permitted_opens);
954 	process_permitopen_list(ssh, sPermitListen,
955 	    options->permitted_listens,
956 	    options->num_permitted_listens);
957 }
958 
959 struct connection_info *
960 get_connection_info(struct ssh *ssh, int populate, int use_dns)
961 {
962 	static struct connection_info ci;
963 
964 	if (ssh == NULL || !populate)
965 		return &ci;
966 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
967 	ci.address = ssh_remote_ipaddr(ssh);
968 	ci.laddress = ssh_local_ipaddr(ssh);
969 	ci.lport = ssh_local_port(ssh);
970 	ci.rdomain = ssh_packet_rdomain_in(ssh);
971 	return &ci;
972 }
973 
974 /*
975  * The strategy for the Match blocks is that the config file is parsed twice.
976  *
977  * The first time is at startup.  activep is initialized to 1 and the
978  * directives in the global context are processed and acted on.  Hitting a
979  * Match directive unsets activep and the directives inside the block are
980  * checked for syntax only.
981  *
982  * The second time is after a connection has been established but before
983  * authentication.  activep is initialized to 2 and global config directives
984  * are ignored since they have already been processed.  If the criteria in a
985  * Match block is met, activep is set and the subsequent directives
986  * processed and actioned until EOF or another Match block unsets it.  Any
987  * options set are copied into the main server config.
988  *
989  * Potential additions/improvements:
990  *  - Add Match support for pre-kex directives, eg. Ciphers.
991  *
992  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
993  *	Match Address 192.168.0.*
994  *		Tag trusted
995  *	Match Group wheel
996  *		Tag trusted
997  *	Match Tag trusted
998  *		AllowTcpForwarding yes
999  *		GatewayPorts clientspecified
1000  *		[...]
1001  *
1002  *  - Add a PermittedChannelRequests directive
1003  *	Match Group shell
1004  *		PermittedChannelRequests session,forwarded-tcpip
1005  */
1006 
1007 static int
1008 match_cfg_line_group(const char *grps, int line, const char *user)
1009 {
1010 	int result = 0;
1011 	struct passwd *pw;
1012 
1013 	if (user == NULL)
1014 		goto out;
1015 
1016 	if ((pw = getpwnam(user)) == NULL) {
1017 		debug("Can't match group at line %d because user %.100s does "
1018 		    "not exist", line, user);
1019 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1020 		debug("Can't Match group because user %.100s not in any group "
1021 		    "at line %d", user, line);
1022 	} else if (ga_match_pattern_list(grps) != 1) {
1023 		debug("user %.100s does not match group list %.100s at line %d",
1024 		    user, grps, line);
1025 	} else {
1026 		debug("user %.100s matched group list %.100s at line %d", user,
1027 		    grps, line);
1028 		result = 1;
1029 	}
1030 out:
1031 	ga_free();
1032 	return result;
1033 }
1034 
1035 static void
1036 match_test_missing_fatal(const char *criteria, const char *attrib)
1037 {
1038 	fatal("'Match %s' in configuration but '%s' not in connection "
1039 	    "test specification.", criteria, attrib);
1040 }
1041 
1042 /*
1043  * All of the attributes on a single Match line are ANDed together, so we need
1044  * to check every attribute and set the result to zero if any attribute does
1045  * not match.
1046  */
1047 static int
1048 match_cfg_line(char **condition, int line, struct connection_info *ci)
1049 {
1050 	int result = 1, attributes = 0, port;
1051 	char *arg, *attrib, *cp = *condition;
1052 
1053 	if (ci == NULL)
1054 		debug3("checking syntax for 'Match %s'", cp);
1055 	else
1056 		debug3("checking match for '%s' user %s host %s addr %s "
1057 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1058 		    ci->host ? ci->host : "(null)",
1059 		    ci->address ? ci->address : "(null)",
1060 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
1061 
1062 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1063 		/* Terminate on comment */
1064 		if (*attrib == '#') {
1065 			cp = NULL; /* mark all arguments consumed */
1066 			break;
1067 		}
1068 		arg = NULL;
1069 		attributes++;
1070 		/* Criterion "all" has no argument and must appear alone */
1071 		if (strcasecmp(attrib, "all") == 0) {
1072 			if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
1073 			    *arg != '\0' && *arg != '#')) {
1074 				error("'all' cannot be combined with other "
1075 				    "Match attributes");
1076 				return -1;
1077 			}
1078 			if (arg != NULL && *arg == '#')
1079 				cp = NULL; /* mark all arguments consumed */
1080 			*condition = cp;
1081 			return 1;
1082 		}
1083 		/* All other criteria require an argument */
1084 		if ((arg = strdelim(&cp)) == NULL ||
1085 		    *arg == '\0' || *arg == '#') {
1086 			error("Missing Match criteria for %s", attrib);
1087 			return -1;
1088 		}
1089 		if (strcasecmp(attrib, "user") == 0) {
1090 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1091 				result = 0;
1092 				continue;
1093 			}
1094 			if (ci->user == NULL)
1095 				match_test_missing_fatal("User", "user");
1096 			if (match_usergroup_pattern_list(ci->user, arg) != 1)
1097 				result = 0;
1098 			else
1099 				debug("user %.100s matched 'User %.100s' at "
1100 				    "line %d", ci->user, arg, line);
1101 		} else if (strcasecmp(attrib, "group") == 0) {
1102 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1103 				result = 0;
1104 				continue;
1105 			}
1106 			if (ci->user == NULL)
1107 				match_test_missing_fatal("Group", "user");
1108 			switch (match_cfg_line_group(arg, line, ci->user)) {
1109 			case -1:
1110 				return -1;
1111 			case 0:
1112 				result = 0;
1113 			}
1114 		} else if (strcasecmp(attrib, "host") == 0) {
1115 			if (ci == NULL || (ci->test && ci->host == NULL)) {
1116 				result = 0;
1117 				continue;
1118 			}
1119 			if (ci->host == NULL)
1120 				match_test_missing_fatal("Host", "host");
1121 			if (match_hostname(ci->host, arg) != 1)
1122 				result = 0;
1123 			else
1124 				debug("connection from %.100s matched 'Host "
1125 				    "%.100s' at line %d", ci->host, arg, line);
1126 		} else if (strcasecmp(attrib, "address") == 0) {
1127 			if (ci == NULL || (ci->test && ci->address == NULL)) {
1128 				if (addr_match_list(NULL, arg) != 0)
1129 					fatal("Invalid Match address argument "
1130 					    "'%s' at line %d", arg, line);
1131 				result = 0;
1132 				continue;
1133 			}
1134 			if (ci->address == NULL)
1135 				match_test_missing_fatal("Address", "addr");
1136 			switch (addr_match_list(ci->address, arg)) {
1137 			case 1:
1138 				debug("connection from %.100s matched 'Address "
1139 				    "%.100s' at line %d", ci->address, arg, line);
1140 				break;
1141 			case 0:
1142 			case -1:
1143 				result = 0;
1144 				break;
1145 			case -2:
1146 				return -1;
1147 			}
1148 		} else if (strcasecmp(attrib, "localaddress") == 0){
1149 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1150 				if (addr_match_list(NULL, arg) != 0)
1151 					fatal("Invalid Match localaddress "
1152 					    "argument '%s' at line %d", arg,
1153 					    line);
1154 				result = 0;
1155 				continue;
1156 			}
1157 			if (ci->laddress == NULL)
1158 				match_test_missing_fatal("LocalAddress",
1159 				    "laddr");
1160 			switch (addr_match_list(ci->laddress, arg)) {
1161 			case 1:
1162 				debug("connection from %.100s matched "
1163 				    "'LocalAddress %.100s' at line %d",
1164 				    ci->laddress, arg, line);
1165 				break;
1166 			case 0:
1167 			case -1:
1168 				result = 0;
1169 				break;
1170 			case -2:
1171 				return -1;
1172 			}
1173 		} else if (strcasecmp(attrib, "localport") == 0) {
1174 			if ((port = a2port(arg)) == -1) {
1175 				error("Invalid LocalPort '%s' on Match line",
1176 				    arg);
1177 				return -1;
1178 			}
1179 			if (ci == NULL || (ci->test && ci->lport == -1)) {
1180 				result = 0;
1181 				continue;
1182 			}
1183 			if (ci->lport == 0)
1184 				match_test_missing_fatal("LocalPort", "lport");
1185 			/* TODO support port lists */
1186 			if (port == ci->lport)
1187 				debug("connection from %.100s matched "
1188 				    "'LocalPort %d' at line %d",
1189 				    ci->laddress, port, line);
1190 			else
1191 				result = 0;
1192 		} else if (strcasecmp(attrib, "rdomain") == 0) {
1193 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1194 				result = 0;
1195 				continue;
1196 			}
1197 			if (ci->rdomain == NULL)
1198 				match_test_missing_fatal("RDomain", "rdomain");
1199 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1200 				result = 0;
1201 			else
1202 				debug("user %.100s matched 'RDomain %.100s' at "
1203 				    "line %d", ci->rdomain, arg, line);
1204 		} else {
1205 			error("Unsupported Match attribute %s", attrib);
1206 			return -1;
1207 		}
1208 	}
1209 	if (attributes == 0) {
1210 		error("One or more attributes required for Match");
1211 		return -1;
1212 	}
1213 	if (ci != NULL)
1214 		debug3("match %sfound", result ? "" : "not ");
1215 	*condition = cp;
1216 	return result;
1217 }
1218 
1219 #define WHITESPACE " \t\r\n"
1220 
1221 /* Multistate option parsing */
1222 struct multistate {
1223 	char *key;
1224 	int value;
1225 };
1226 static const struct multistate multistate_flag[] = {
1227 	{ "yes",			1 },
1228 	{ "no",				0 },
1229 	{ NULL, -1 }
1230 };
1231 static const struct multistate multistate_ignore_rhosts[] = {
1232 	{ "yes",			IGNORE_RHOSTS_YES },
1233 	{ "no",				IGNORE_RHOSTS_NO },
1234 	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1235 	{ NULL, -1 }
1236 };
1237 static const struct multistate multistate_addressfamily[] = {
1238 	{ "inet",			AF_INET },
1239 	{ "inet6",			AF_INET6 },
1240 	{ "any",			AF_UNSPEC },
1241 	{ NULL, -1 }
1242 };
1243 static const struct multistate multistate_permitrootlogin[] = {
1244 	{ "without-password",		PERMIT_NO_PASSWD },
1245 	{ "prohibit-password",		PERMIT_NO_PASSWD },
1246 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
1247 	{ "yes",			PERMIT_YES },
1248 	{ "no",				PERMIT_NO },
1249 	{ NULL, -1 }
1250 };
1251 static const struct multistate multistate_compression[] = {
1252 #ifdef WITH_ZLIB
1253 	{ "yes",			COMP_DELAYED },
1254 	{ "delayed",			COMP_DELAYED },
1255 #endif
1256 	{ "no",				COMP_NONE },
1257 	{ NULL, -1 }
1258 };
1259 static const struct multistate multistate_gatewayports[] = {
1260 	{ "clientspecified",		2 },
1261 	{ "yes",			1 },
1262 	{ "no",				0 },
1263 	{ NULL, -1 }
1264 };
1265 static const struct multistate multistate_tcpfwd[] = {
1266 	{ "yes",			FORWARD_ALLOW },
1267 	{ "all",			FORWARD_ALLOW },
1268 	{ "no",				FORWARD_DENY },
1269 	{ "remote",			FORWARD_REMOTE },
1270 	{ "local",			FORWARD_LOCAL },
1271 	{ NULL, -1 }
1272 };
1273 
1274 static int
1275 process_server_config_line_depth(ServerOptions *options, char *line,
1276     const char *filename, int linenum, int *activep,
1277     struct connection_info *connectinfo, int *inc_flags, int depth,
1278     struct include_list *includes)
1279 {
1280 	char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
1281 	int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1282 	SyslogFacility *log_facility_ptr;
1283 	LogLevel *log_level_ptr;
1284 	ServerOpCodes opcode;
1285 	u_int i, *uintptr, uvalue, flags = 0;
1286 	size_t len;
1287 	long long val64;
1288 	const struct multistate *multistate_ptr;
1289 	const char *errstr;
1290 	struct include_item *item;
1291 	glob_t gbuf;
1292 	char **oav = NULL, **av;
1293 	int oac = 0, ac;
1294 	int ret = -1;
1295 
1296 	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1297 	if ((len = strlen(line)) == 0)
1298 		return 0;
1299 	for (len--; len > 0; len--) {
1300 		if (strchr(WHITESPACE "\f", line[len]) == NULL)
1301 			break;
1302 		line[len] = '\0';
1303 	}
1304 
1305 	str = line;
1306 	if ((keyword = strdelim(&str)) == NULL)
1307 		return 0;
1308 	/* Ignore leading whitespace */
1309 	if (*keyword == '\0')
1310 		keyword = strdelim(&str);
1311 	if (!keyword || !*keyword || *keyword == '#')
1312 		return 0;
1313 	if (str == NULL || *str == '\0') {
1314 		error("%s line %d: no argument after keyword \"%s\"",
1315 		    filename, linenum, keyword);
1316 		return -1;
1317 	}
1318 	intptr = NULL;
1319 	charptr = NULL;
1320 	opcode = parse_token(keyword, filename, linenum, &flags);
1321 
1322 	if (argv_split(str, &oac, &oav, 1) != 0) {
1323 		error("%s line %d: invalid quotes", filename, linenum);
1324 		return -1;
1325 	}
1326 	ac = oac;
1327 	av = oav;
1328 
1329 	if (activep == NULL) { /* We are processing a command line directive */
1330 		cmdline = 1;
1331 		activep = &cmdline;
1332 	}
1333 	if (*activep && opcode != sMatch && opcode != sInclude)
1334 		debug3("%s:%d setting %s %s", filename, linenum, keyword, str);
1335 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1336 		if (connectinfo == NULL) {
1337 			fatal("%s line %d: Directive '%s' is not allowed "
1338 			    "within a Match block", filename, linenum, keyword);
1339 		} else { /* this is a directive we have already processed */
1340 			ret = 0;
1341 			goto out;
1342 		}
1343 	}
1344 
1345 	switch (opcode) {
1346 	/* Portable-specific options */
1347 	case sUsePAM:
1348 		intptr = &options->use_pam;
1349 		goto parse_flag;
1350 
1351 	/* Standard Options */
1352 	case sBadOption:
1353 		goto out;
1354 	case sPort:
1355 		/* ignore ports from configfile if cmdline specifies ports */
1356 		if (options->ports_from_cmdline) {
1357 			argv_consume(&ac);
1358 			break;
1359 		}
1360 		if (options->num_ports >= MAX_PORTS)
1361 			fatal("%s line %d: too many ports.",
1362 			    filename, linenum);
1363 		arg = argv_next(&ac, &av);
1364 		if (!arg || *arg == '\0')
1365 			fatal("%s line %d: missing port number.",
1366 			    filename, linenum);
1367 		options->ports[options->num_ports++] = a2port(arg);
1368 		if (options->ports[options->num_ports-1] <= 0)
1369 			fatal("%s line %d: Badly formatted port number.",
1370 			    filename, linenum);
1371 		break;
1372 
1373 	case sLoginGraceTime:
1374 		intptr = &options->login_grace_time;
1375  parse_time:
1376 		arg = argv_next(&ac, &av);
1377 		if (!arg || *arg == '\0')
1378 			fatal("%s line %d: missing time value.",
1379 			    filename, linenum);
1380 		if ((value = convtime(arg)) == -1)
1381 			fatal("%s line %d: invalid time value.",
1382 			    filename, linenum);
1383 		if (*activep && *intptr == -1)
1384 			*intptr = value;
1385 		break;
1386 
1387 	case sListenAddress:
1388 		arg = argv_next(&ac, &av);
1389 		if (arg == NULL || *arg == '\0')
1390 			fatal("%s line %d: missing address",
1391 			    filename, linenum);
1392 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1393 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1394 		    && strchr(p+1, ':') != NULL) {
1395 			port = 0;
1396 			p = arg;
1397 		} else {
1398 			arg2 = NULL;
1399 			p = hpdelim(&arg);
1400 			if (p == NULL)
1401 				fatal("%s line %d: bad address:port usage",
1402 				    filename, linenum);
1403 			p = cleanhostname(p);
1404 			if (arg == NULL)
1405 				port = 0;
1406 			else if ((port = a2port(arg)) <= 0)
1407 				fatal("%s line %d: bad port number",
1408 				    filename, linenum);
1409 		}
1410 		/* Optional routing table */
1411 		arg2 = NULL;
1412 		if ((arg = argv_next(&ac, &av)) != NULL) {
1413 			if (strcmp(arg, "rdomain") != 0 ||
1414 			    (arg2 = argv_next(&ac, &av)) == NULL)
1415 				fatal("%s line %d: bad ListenAddress syntax",
1416 				    filename, linenum);
1417 			if (!valid_rdomain(arg2))
1418 				fatal("%s line %d: bad routing domain",
1419 				    filename, linenum);
1420 		}
1421 		queue_listen_addr(options, p, arg2, port);
1422 
1423 		break;
1424 
1425 	case sAddressFamily:
1426 		intptr = &options->address_family;
1427 		multistate_ptr = multistate_addressfamily;
1428  parse_multistate:
1429 		arg = argv_next(&ac, &av);
1430 		if (!arg || *arg == '\0')
1431 			fatal("%s line %d: missing argument.",
1432 			    filename, linenum);
1433 		value = -1;
1434 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1435 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1436 				value = multistate_ptr[i].value;
1437 				break;
1438 			}
1439 		}
1440 		if (value == -1)
1441 			fatal("%s line %d: unsupported option \"%s\".",
1442 			    filename, linenum, arg);
1443 		if (*activep && *intptr == -1)
1444 			*intptr = value;
1445 		break;
1446 
1447 	case sHostKeyFile:
1448 		arg = argv_next(&ac, &av);
1449 		if (!arg || *arg == '\0')
1450 			fatal("%s line %d: missing file name.",
1451 			    filename, linenum);
1452 		if (*activep) {
1453 			servconf_add_hostkey(filename, linenum,
1454 			    options, arg, 1);
1455 		}
1456 		break;
1457 
1458 	case sHostKeyAgent:
1459 		charptr = &options->host_key_agent;
1460 		arg = argv_next(&ac, &av);
1461 		if (!arg || *arg == '\0')
1462 			fatal("%s line %d: missing socket name.",
1463 			    filename, linenum);
1464 		if (*activep && *charptr == NULL)
1465 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1466 			    xstrdup(arg) : derelativise_path(arg);
1467 		break;
1468 
1469 	case sHostCertificate:
1470 		arg = argv_next(&ac, &av);
1471 		if (!arg || *arg == '\0')
1472 			fatal("%s line %d: missing file name.",
1473 			    filename, linenum);
1474 		if (*activep)
1475 			servconf_add_hostcert(filename, linenum, options, arg);
1476 		break;
1477 
1478 	case sPidFile:
1479 		charptr = &options->pid_file;
1480  parse_filename:
1481 		arg = argv_next(&ac, &av);
1482 		if (!arg || *arg == '\0')
1483 			fatal("%s line %d: missing file name.",
1484 			    filename, linenum);
1485 		if (*activep && *charptr == NULL) {
1486 			*charptr = derelativise_path(arg);
1487 			/* increase optional counter */
1488 			if (intptr != NULL)
1489 				*intptr = *intptr + 1;
1490 		}
1491 		break;
1492 
1493 	case sModuliFile:
1494 		charptr = &options->moduli_file;
1495 		goto parse_filename;
1496 
1497 	case sPermitRootLogin:
1498 		intptr = &options->permit_root_login;
1499 		multistate_ptr = multistate_permitrootlogin;
1500 		goto parse_multistate;
1501 
1502 	case sIgnoreRhosts:
1503 		intptr = &options->ignore_rhosts;
1504 		multistate_ptr = multistate_ignore_rhosts;
1505 		goto parse_multistate;
1506 
1507 	case sIgnoreUserKnownHosts:
1508 		intptr = &options->ignore_user_known_hosts;
1509  parse_flag:
1510 		multistate_ptr = multistate_flag;
1511 		goto parse_multistate;
1512 
1513 	case sHostbasedAuthentication:
1514 		intptr = &options->hostbased_authentication;
1515 		goto parse_flag;
1516 
1517 	case sHostbasedUsesNameFromPacketOnly:
1518 		intptr = &options->hostbased_uses_name_from_packet_only;
1519 		goto parse_flag;
1520 
1521 	case sHostbasedAcceptedAlgorithms:
1522 		charptr = &options->hostbased_accepted_algos;
1523  parse_pubkey_algos:
1524 		arg = argv_next(&ac, &av);
1525 		if (!arg || *arg == '\0')
1526 			fatal("%s line %d: Missing argument.",
1527 			    filename, linenum);
1528 		if (*arg != '-' &&
1529 		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1530 		    arg + 1 : arg, 1))
1531 			fatal("%s line %d: Bad key types '%s'.",
1532 			    filename, linenum, arg ? arg : "<NONE>");
1533 		if (*activep && *charptr == NULL)
1534 			*charptr = xstrdup(arg);
1535 		break;
1536 
1537 	case sHostKeyAlgorithms:
1538 		charptr = &options->hostkeyalgorithms;
1539 		goto parse_pubkey_algos;
1540 
1541 	case sCASignatureAlgorithms:
1542 		charptr = &options->ca_sign_algorithms;
1543 		goto parse_pubkey_algos;
1544 
1545 	case sPubkeyAuthentication:
1546 		intptr = &options->pubkey_authentication;
1547 		goto parse_flag;
1548 
1549 	case sPubkeyAcceptedAlgorithms:
1550 		charptr = &options->pubkey_accepted_algos;
1551 		goto parse_pubkey_algos;
1552 
1553 	case sPubkeyAuthOptions:
1554 		intptr = &options->pubkey_auth_options;
1555 		value = 0;
1556 		while ((arg = argv_next(&ac, &av)) != NULL) {
1557 			if (strcasecmp(arg, "none") == 0)
1558 				continue;
1559 			if (strcasecmp(arg, "touch-required") == 0)
1560 				value |= PUBKEYAUTH_TOUCH_REQUIRED;
1561 			else if (strcasecmp(arg, "verify-required") == 0)
1562 				value |= PUBKEYAUTH_VERIFY_REQUIRED;
1563 			else {
1564 				error("%s line %d: unsupported %s option %s",
1565 				    filename, linenum, keyword, arg);
1566 				goto out;
1567 			}
1568 		}
1569 		if (*activep && *intptr == -1)
1570 			*intptr = value;
1571 		break;
1572 
1573 	case sKerberosAuthentication:
1574 		intptr = &options->kerberos_authentication;
1575 		goto parse_flag;
1576 
1577 	case sKerberosOrLocalPasswd:
1578 		intptr = &options->kerberos_or_local_passwd;
1579 		goto parse_flag;
1580 
1581 	case sKerberosTicketCleanup:
1582 		intptr = &options->kerberos_ticket_cleanup;
1583 		goto parse_flag;
1584 
1585 	case sKerberosGetAFSToken:
1586 		intptr = &options->kerberos_get_afs_token;
1587 		goto parse_flag;
1588 
1589 	case sGssAuthentication:
1590 		intptr = &options->gss_authentication;
1591 		goto parse_flag;
1592 
1593 	case sGssCleanupCreds:
1594 		intptr = &options->gss_cleanup_creds;
1595 		goto parse_flag;
1596 
1597 	case sGssStrictAcceptor:
1598 		intptr = &options->gss_strict_acceptor;
1599 		goto parse_flag;
1600 
1601 	case sPasswordAuthentication:
1602 		intptr = &options->password_authentication;
1603 		goto parse_flag;
1604 
1605 	case sKbdInteractiveAuthentication:
1606 		intptr = &options->kbd_interactive_authentication;
1607 		goto parse_flag;
1608 
1609 	case sPrintMotd:
1610 		intptr = &options->print_motd;
1611 		goto parse_flag;
1612 
1613 	case sPrintLastLog:
1614 		intptr = &options->print_lastlog;
1615 		goto parse_flag;
1616 
1617 	case sX11Forwarding:
1618 		intptr = &options->x11_forwarding;
1619 		goto parse_flag;
1620 
1621 	case sX11DisplayOffset:
1622 		intptr = &options->x11_display_offset;
1623  parse_int:
1624 		arg = argv_next(&ac, &av);
1625 		if ((errstr = atoi_err(arg, &value)) != NULL)
1626 			fatal("%s line %d: %s integer value %s.",
1627 			    filename, linenum, keyword, errstr);
1628 		if (*activep && *intptr == -1)
1629 			*intptr = value;
1630 		break;
1631 
1632 	case sX11UseLocalhost:
1633 		intptr = &options->x11_use_localhost;
1634 		goto parse_flag;
1635 
1636 	case sXAuthLocation:
1637 		charptr = &options->xauth_location;
1638 		goto parse_filename;
1639 
1640 	case sPermitTTY:
1641 		intptr = &options->permit_tty;
1642 		goto parse_flag;
1643 
1644 	case sPermitUserRC:
1645 		intptr = &options->permit_user_rc;
1646 		goto parse_flag;
1647 
1648 	case sStrictModes:
1649 		intptr = &options->strict_modes;
1650 		goto parse_flag;
1651 
1652 	case sTCPKeepAlive:
1653 		intptr = &options->tcp_keep_alive;
1654 		goto parse_flag;
1655 
1656 	case sEmptyPasswd:
1657 		intptr = &options->permit_empty_passwd;
1658 		goto parse_flag;
1659 
1660 	case sPermitUserEnvironment:
1661 		intptr = &options->permit_user_env;
1662 		charptr = &options->permit_user_env_allowlist;
1663 		arg = argv_next(&ac, &av);
1664 		if (!arg || *arg == '\0')
1665 			fatal("%s line %d: %s missing argument.",
1666 			    filename, linenum, keyword);
1667 		value = 0;
1668 		p = NULL;
1669 		if (strcmp(arg, "yes") == 0)
1670 			value = 1;
1671 		else if (strcmp(arg, "no") == 0)
1672 			value = 0;
1673 		else {
1674 			/* Pattern-list specified */
1675 			value = 1;
1676 			p = xstrdup(arg);
1677 		}
1678 		if (*activep && *intptr == -1) {
1679 			*intptr = value;
1680 			*charptr = p;
1681 			p = NULL;
1682 		}
1683 		free(p);
1684 		break;
1685 
1686 	case sCompression:
1687 		intptr = &options->compression;
1688 		multistate_ptr = multistate_compression;
1689 		goto parse_multistate;
1690 
1691 	case sRekeyLimit:
1692 		arg = argv_next(&ac, &av);
1693 		if (!arg || *arg == '\0')
1694 			fatal("%s line %d: %s missing argument.",
1695 			    filename, linenum, keyword);
1696 		if (strcmp(arg, "default") == 0) {
1697 			val64 = 0;
1698 		} else {
1699 			if (scan_scaled(arg, &val64) == -1)
1700 				fatal("%.200s line %d: Bad %s number '%s': %s",
1701 				    filename, linenum, keyword,
1702 				    arg, strerror(errno));
1703 			if (val64 != 0 && val64 < 16)
1704 				fatal("%.200s line %d: %s too small",
1705 				    filename, linenum, keyword);
1706 		}
1707 		if (*activep && options->rekey_limit == -1)
1708 			options->rekey_limit = val64;
1709 		if (ac != 0) { /* optional rekey interval present */
1710 			if (strcmp(av[0], "none") == 0) {
1711 				(void)argv_next(&ac, &av);	/* discard */
1712 				break;
1713 			}
1714 			intptr = &options->rekey_interval;
1715 			goto parse_time;
1716 		}
1717 		break;
1718 
1719 	case sGatewayPorts:
1720 		intptr = &options->fwd_opts.gateway_ports;
1721 		multistate_ptr = multistate_gatewayports;
1722 		goto parse_multistate;
1723 
1724 	case sUseDNS:
1725 		intptr = &options->use_dns;
1726 		goto parse_flag;
1727 
1728 	case sLogFacility:
1729 		log_facility_ptr = &options->log_facility;
1730 		arg = argv_next(&ac, &av);
1731 		value = log_facility_number(arg);
1732 		if (value == SYSLOG_FACILITY_NOT_SET)
1733 			fatal("%.200s line %d: unsupported log facility '%s'",
1734 			    filename, linenum, arg ? arg : "<NONE>");
1735 		if (*log_facility_ptr == -1)
1736 			*log_facility_ptr = (SyslogFacility) value;
1737 		break;
1738 
1739 	case sLogLevel:
1740 		log_level_ptr = &options->log_level;
1741 		arg = argv_next(&ac, &av);
1742 		value = log_level_number(arg);
1743 		if (value == SYSLOG_LEVEL_NOT_SET)
1744 			fatal("%.200s line %d: unsupported log level '%s'",
1745 			    filename, linenum, arg ? arg : "<NONE>");
1746 		if (*activep && *log_level_ptr == -1)
1747 			*log_level_ptr = (LogLevel) value;
1748 		break;
1749 
1750 	case sLogVerbose:
1751 		found = options->num_log_verbose == 0;
1752 		i = 0;
1753 		while ((arg = argv_next(&ac, &av)) != NULL) {
1754 			if (*arg == '\0') {
1755 				error("%s line %d: keyword %s empty argument",
1756 				    filename, linenum, keyword);
1757 				goto out;
1758 			}
1759 			/* Allow "none" only in first position */
1760 			if (strcasecmp(arg, "none") == 0) {
1761 				if (i > 0 || ac > 0) {
1762 					error("%s line %d: keyword %s \"none\" "
1763 					    "argument must appear alone.",
1764 					    filename, linenum, keyword);
1765 					goto out;
1766 				}
1767 			}
1768 			i++;
1769 			if (!found || !*activep)
1770 				continue;
1771 			opt_array_append(filename, linenum, keyword,
1772 			    &options->log_verbose, &options->num_log_verbose,
1773 			    arg);
1774 		}
1775 		break;
1776 
1777 	case sAllowTcpForwarding:
1778 		intptr = &options->allow_tcp_forwarding;
1779 		multistate_ptr = multistate_tcpfwd;
1780 		goto parse_multistate;
1781 
1782 	case sAllowStreamLocalForwarding:
1783 		intptr = &options->allow_streamlocal_forwarding;
1784 		multistate_ptr = multistate_tcpfwd;
1785 		goto parse_multistate;
1786 
1787 	case sAllowAgentForwarding:
1788 		intptr = &options->allow_agent_forwarding;
1789 		goto parse_flag;
1790 
1791 	case sDisableForwarding:
1792 		intptr = &options->disable_forwarding;
1793 		goto parse_flag;
1794 
1795 	case sAllowUsers:
1796 		chararrayptr = &options->allow_users;
1797 		uintptr = &options->num_allow_users;
1798  parse_allowdenyusers:
1799 		while ((arg = argv_next(&ac, &av)) != NULL) {
1800 			if (*arg == '\0' ||
1801 			    match_user(NULL, NULL, NULL, arg) == -1)
1802 				fatal("%s line %d: invalid %s pattern: \"%s\"",
1803 				    filename, linenum, keyword, arg);
1804 			if (!*activep)
1805 				continue;
1806 			opt_array_append(filename, linenum, keyword,
1807 			    chararrayptr, uintptr, arg);
1808 		}
1809 		break;
1810 
1811 	case sDenyUsers:
1812 		chararrayptr = &options->deny_users;
1813 		uintptr = &options->num_deny_users;
1814 		goto parse_allowdenyusers;
1815 
1816 	case sAllowGroups:
1817 		chararrayptr = &options->allow_groups;
1818 		uintptr = &options->num_allow_groups;
1819  parse_allowdenygroups:
1820 		while ((arg = argv_next(&ac, &av)) != NULL) {
1821 			if (*arg == '\0')
1822 				fatal("%s line %d: empty %s pattern",
1823 				    filename, linenum, keyword);
1824 			if (!*activep)
1825 				continue;
1826 			opt_array_append(filename, linenum, keyword,
1827 			    chararrayptr, uintptr, arg);
1828 		}
1829 		break;
1830 
1831 	case sDenyGroups:
1832 		chararrayptr = &options->deny_groups;
1833 		uintptr = &options->num_deny_groups;
1834 		goto parse_allowdenygroups;
1835 
1836 	case sCiphers:
1837 		arg = argv_next(&ac, &av);
1838 		if (!arg || *arg == '\0')
1839 			fatal("%s line %d: %s missing argument.",
1840 			    filename, linenum, keyword);
1841 		if (*arg != '-' &&
1842 		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1843 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1844 			    filename, linenum, arg ? arg : "<NONE>");
1845 		if (options->ciphers == NULL)
1846 			options->ciphers = xstrdup(arg);
1847 		break;
1848 
1849 	case sMacs:
1850 		arg = argv_next(&ac, &av);
1851 		if (!arg || *arg == '\0')
1852 			fatal("%s line %d: %s missing argument.",
1853 			    filename, linenum, keyword);
1854 		if (*arg != '-' &&
1855 		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1856 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1857 			    filename, linenum, arg ? arg : "<NONE>");
1858 		if (options->macs == NULL)
1859 			options->macs = xstrdup(arg);
1860 		break;
1861 
1862 	case sKexAlgorithms:
1863 		arg = argv_next(&ac, &av);
1864 		if (!arg || *arg == '\0')
1865 			fatal("%s line %d: %s missing argument.",
1866 			    filename, linenum, keyword);
1867 		if (*arg != '-' &&
1868 		    !kex_names_valid(*arg == '+' || *arg == '^' ?
1869 		    arg + 1 : arg))
1870 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1871 			    filename, linenum, arg ? arg : "<NONE>");
1872 		if (options->kex_algorithms == NULL)
1873 			options->kex_algorithms = xstrdup(arg);
1874 		break;
1875 
1876 	case sSubsystem:
1877 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1878 			fatal("%s line %d: too many subsystems defined.",
1879 			    filename, linenum);
1880 		}
1881 		arg = argv_next(&ac, &av);
1882 		if (!arg || *arg == '\0')
1883 			fatal("%s line %d: %s missing argument.",
1884 			    filename, linenum, keyword);
1885 		if (!*activep) {
1886 			arg = argv_next(&ac, &av);
1887 			break;
1888 		}
1889 		for (i = 0; i < options->num_subsystems; i++)
1890 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1891 				fatal("%s line %d: Subsystem '%s' "
1892 				    "already defined.", filename, linenum, arg);
1893 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1894 		arg = argv_next(&ac, &av);
1895 		if (!arg || *arg == '\0')
1896 			fatal("%s line %d: Missing subsystem command.",
1897 			    filename, linenum);
1898 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1899 
1900 		/* Collect arguments (separate to executable) */
1901 		p = xstrdup(arg);
1902 		len = strlen(p) + 1;
1903 		while ((arg = argv_next(&ac, &av)) != NULL) {
1904 			len += 1 + strlen(arg);
1905 			p = xreallocarray(p, 1, len);
1906 			strlcat(p, " ", len);
1907 			strlcat(p, arg, len);
1908 		}
1909 		options->subsystem_args[options->num_subsystems] = p;
1910 		options->num_subsystems++;
1911 		break;
1912 
1913 	case sMaxStartups:
1914 		arg = argv_next(&ac, &av);
1915 		if (!arg || *arg == '\0')
1916 			fatal("%s line %d: %s missing argument.",
1917 			    filename, linenum, keyword);
1918 		if ((n = sscanf(arg, "%d:%d:%d",
1919 		    &options->max_startups_begin,
1920 		    &options->max_startups_rate,
1921 		    &options->max_startups)) == 3) {
1922 			if (options->max_startups_begin >
1923 			    options->max_startups ||
1924 			    options->max_startups_rate > 100 ||
1925 			    options->max_startups_rate < 1)
1926 				fatal("%s line %d: Invalid %s spec.",
1927 				    filename, linenum, keyword);
1928 		} else if (n != 1)
1929 			fatal("%s line %d: Invalid %s spec.",
1930 			    filename, linenum, keyword);
1931 		else
1932 			options->max_startups = options->max_startups_begin;
1933 		break;
1934 
1935 	case sPerSourceNetBlockSize:
1936 		arg = argv_next(&ac, &av);
1937 		if (!arg || *arg == '\0')
1938 			fatal("%s line %d: %s missing argument.",
1939 			    filename, linenum, keyword);
1940 		switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
1941 		case 2:
1942 			if (value2 < 0 || value2 > 128)
1943 				n = -1;
1944 			/* FALLTHROUGH */
1945 		case 1:
1946 			if (value < 0 || value > 32)
1947 				n = -1;
1948 		}
1949 		if (n != 1 && n != 2)
1950 			fatal("%s line %d: Invalid %s spec.",
1951 			    filename, linenum, keyword);
1952 		if (*activep) {
1953 			options->per_source_masklen_ipv4 = value;
1954 			options->per_source_masklen_ipv6 = value2;
1955 		}
1956 		break;
1957 
1958 	case sPerSourceMaxStartups:
1959 		arg = argv_next(&ac, &av);
1960 		if (!arg || *arg == '\0')
1961 			fatal("%s line %d: %s missing argument.",
1962 			    filename, linenum, keyword);
1963 		if (strcmp(arg, "none") == 0) { /* no limit */
1964 			value = INT_MAX;
1965 		} else {
1966 			if ((errstr = atoi_err(arg, &value)) != NULL)
1967 				fatal("%s line %d: %s integer value %s.",
1968 				    filename, linenum, keyword, errstr);
1969 		}
1970 		if (*activep)
1971 			options->per_source_max_startups = value;
1972 		break;
1973 
1974 	case sMaxAuthTries:
1975 		intptr = &options->max_authtries;
1976 		goto parse_int;
1977 
1978 	case sMaxSessions:
1979 		intptr = &options->max_sessions;
1980 		goto parse_int;
1981 
1982 	case sBanner:
1983 		charptr = &options->banner;
1984 		goto parse_filename;
1985 
1986 	/*
1987 	 * These options can contain %X options expanded at
1988 	 * connect time, so that you can specify paths like:
1989 	 *
1990 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1991 	 */
1992 	case sAuthorizedKeysFile:
1993 		uvalue = options->num_authkeys_files;
1994 		while ((arg = argv_next(&ac, &av)) != NULL) {
1995 			if (*arg == '\0') {
1996 				error("%s line %d: keyword %s empty argument",
1997 				    filename, linenum, keyword);
1998 				goto out;
1999 			}
2000 			arg2 = tilde_expand_filename(arg, getuid());
2001 			if (*activep && uvalue == 0) {
2002 				opt_array_append(filename, linenum, keyword,
2003 				    &options->authorized_keys_files,
2004 				    &options->num_authkeys_files, arg2);
2005 			}
2006 			free(arg2);
2007 		}
2008 		break;
2009 
2010 	case sAuthorizedPrincipalsFile:
2011 		charptr = &options->authorized_principals_file;
2012 		arg = argv_next(&ac, &av);
2013 		if (!arg || *arg == '\0')
2014 			fatal("%s line %d: %s missing argument.",
2015 			    filename, linenum, keyword);
2016 		if (*activep && *charptr == NULL) {
2017 			*charptr = tilde_expand_filename(arg, getuid());
2018 			/* increase optional counter */
2019 			if (intptr != NULL)
2020 				*intptr = *intptr + 1;
2021 		}
2022 		break;
2023 
2024 	case sClientAliveInterval:
2025 		intptr = &options->client_alive_interval;
2026 		goto parse_time;
2027 
2028 	case sClientAliveCountMax:
2029 		intptr = &options->client_alive_count_max;
2030 		goto parse_int;
2031 
2032 	case sAcceptEnv:
2033 		while ((arg = argv_next(&ac, &av)) != NULL) {
2034 			if (*arg == '\0' || strchr(arg, '=') != NULL)
2035 				fatal("%s line %d: Invalid environment name.",
2036 				    filename, linenum);
2037 			if (!*activep)
2038 				continue;
2039 			opt_array_append(filename, linenum, keyword,
2040 			    &options->accept_env, &options->num_accept_env,
2041 			    arg);
2042 		}
2043 		break;
2044 
2045 	case sSetEnv:
2046 		uvalue = options->num_setenv;
2047 		while ((arg = argv_next(&ac, &av)) != NULL) {
2048 			if (*arg == '\0' || strchr(arg, '=') == NULL)
2049 				fatal("%s line %d: Invalid environment.",
2050 				    filename, linenum);
2051 			if (!*activep || uvalue != 0)
2052 				continue;
2053 			opt_array_append(filename, linenum, keyword,
2054 			    &options->setenv, &options->num_setenv, arg);
2055 		}
2056 		break;
2057 
2058 	case sPermitTunnel:
2059 		intptr = &options->permit_tun;
2060 		arg = argv_next(&ac, &av);
2061 		if (!arg || *arg == '\0')
2062 			fatal("%s line %d: %s missing argument.",
2063 			    filename, linenum, keyword);
2064 		value = -1;
2065 		for (i = 0; tunmode_desc[i].val != -1; i++)
2066 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
2067 				value = tunmode_desc[i].val;
2068 				break;
2069 			}
2070 		if (value == -1)
2071 			fatal("%s line %d: bad %s argument %s",
2072 			    filename, linenum, keyword, arg);
2073 		if (*activep && *intptr == -1)
2074 			*intptr = value;
2075 		break;
2076 
2077 	case sInclude:
2078 		if (cmdline) {
2079 			fatal("Include directive not supported as a "
2080 			    "command-line option");
2081 		}
2082 		value = 0;
2083 		while ((arg2 = argv_next(&ac, &av)) != NULL) {
2084 			if (*arg2 == '\0') {
2085 				error("%s line %d: keyword %s empty argument",
2086 				    filename, linenum, keyword);
2087 				goto out;
2088 			}
2089 			value++;
2090 			found = 0;
2091 			if (*arg2 != '/' && *arg2 != '~') {
2092 				xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2093 			} else
2094 				arg = xstrdup(arg2);
2095 
2096 			/*
2097 			 * Don't let included files clobber the containing
2098 			 * file's Match state.
2099 			 */
2100 			oactive = *activep;
2101 
2102 			/* consult cache of include files */
2103 			TAILQ_FOREACH(item, includes, entry) {
2104 				if (strcmp(item->selector, arg) != 0)
2105 					continue;
2106 				if (item->filename != NULL) {
2107 					parse_server_config_depth(options,
2108 					    item->filename, item->contents,
2109 					    includes, connectinfo,
2110 					    (*inc_flags & SSHCFG_MATCH_ONLY
2111 					        ? SSHCFG_MATCH_ONLY : (oactive
2112 					            ? 0 : SSHCFG_NEVERMATCH)),
2113 					    activep, depth + 1);
2114 				}
2115 				found = 1;
2116 				*activep = oactive;
2117 			}
2118 			if (found != 0) {
2119 				free(arg);
2120 				continue;
2121 			}
2122 
2123 			/* requested glob was not in cache */
2124 			debug2("%s line %d: new include %s",
2125 			    filename, linenum, arg);
2126 			if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2127 				if (r != GLOB_NOMATCH) {
2128 					fatal("%s line %d: include \"%s\" glob "
2129 					    "failed", filename, linenum, arg);
2130 				}
2131 				/*
2132 				 * If no entry matched then record a
2133 				 * placeholder to skip later glob calls.
2134 				 */
2135 				debug2("%s line %d: no match for %s",
2136 				    filename, linenum, arg);
2137 				item = xcalloc(1, sizeof(*item));
2138 				item->selector = strdup(arg);
2139 				TAILQ_INSERT_TAIL(includes,
2140 				    item, entry);
2141 			}
2142 			if (gbuf.gl_pathc > INT_MAX)
2143 				fatal_f("too many glob results");
2144 			for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2145 				debug2("%s line %d: including %s",
2146 				    filename, linenum, gbuf.gl_pathv[n]);
2147 				item = xcalloc(1, sizeof(*item));
2148 				item->selector = strdup(arg);
2149 				item->filename = strdup(gbuf.gl_pathv[n]);
2150 				if ((item->contents = sshbuf_new()) == NULL)
2151 					fatal_f("sshbuf_new failed");
2152 				load_server_config(item->filename,
2153 				    item->contents);
2154 				parse_server_config_depth(options,
2155 				    item->filename, item->contents,
2156 				    includes, connectinfo,
2157 				    (*inc_flags & SSHCFG_MATCH_ONLY
2158 				        ? SSHCFG_MATCH_ONLY : (oactive
2159 				            ? 0 : SSHCFG_NEVERMATCH)),
2160 				    activep, depth + 1);
2161 				*activep = oactive;
2162 				TAILQ_INSERT_TAIL(includes, item, entry);
2163 			}
2164 			globfree(&gbuf);
2165 			free(arg);
2166 		}
2167 		if (value == 0) {
2168 			fatal("%s line %d: %s missing filename argument",
2169 			    filename, linenum, keyword);
2170 		}
2171 		break;
2172 
2173 	case sMatch:
2174 		if (cmdline)
2175 			fatal("Match directive not supported as a command-line "
2176 			    "option");
2177 		value = match_cfg_line(&str, linenum,
2178 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2179 		if (value < 0)
2180 			fatal("%s line %d: Bad Match condition", filename,
2181 			    linenum);
2182 		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2183 		/*
2184 		 * The MATCH_ONLY flag is applicable only until the first
2185 		 * match block.
2186 		 */
2187 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2188 		/*
2189 		 * If match_cfg_line() didn't consume all its arguments then
2190 		 * arrange for the extra arguments check below to fail.
2191 		 */
2192 		if (str == NULL || *str == '\0')
2193 			argv_consume(&ac);
2194 		break;
2195 
2196 	case sPermitListen:
2197 	case sPermitOpen:
2198 		if (opcode == sPermitListen) {
2199 			uintptr = &options->num_permitted_listens;
2200 			chararrayptr = &options->permitted_listens;
2201 		} else {
2202 			uintptr = &options->num_permitted_opens;
2203 			chararrayptr = &options->permitted_opens;
2204 		}
2205 		arg = argv_next(&ac, &av);
2206 		if (!arg || *arg == '\0')
2207 			fatal("%s line %d: %s missing argument.",
2208 			    filename, linenum, keyword);
2209 		uvalue = *uintptr;	/* modified later */
2210 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2211 			if (*activep && uvalue == 0) {
2212 				*uintptr = 1;
2213 				*chararrayptr = xcalloc(1,
2214 				    sizeof(**chararrayptr));
2215 				(*chararrayptr)[0] = xstrdup(arg);
2216 			}
2217 			break;
2218 		}
2219 		for (; arg != NULL && *arg != '\0'; arg = argv_next(&ac, &av)) {
2220 			if (opcode == sPermitListen &&
2221 			    strchr(arg, ':') == NULL) {
2222 				/*
2223 				 * Allow bare port number for PermitListen
2224 				 * to indicate a wildcard listen host.
2225 				 */
2226 				xasprintf(&arg2, "*:%s", arg);
2227 			} else {
2228 				arg2 = xstrdup(arg);
2229 				p = hpdelim(&arg);
2230 				if (p == NULL) {
2231 					fatal("%s line %d: %s missing host",
2232 					    filename, linenum, keyword);
2233 				}
2234 				p = cleanhostname(p);
2235 			}
2236 			if (arg == NULL ||
2237 			    ((port = permitopen_port(arg)) < 0)) {
2238 				fatal("%s line %d: %s bad port number",
2239 				    filename, linenum, keyword);
2240 			}
2241 			if (*activep && uvalue == 0) {
2242 				opt_array_append(filename, linenum, keyword,
2243 				    chararrayptr, uintptr, arg2);
2244 			}
2245 			free(arg2);
2246 		}
2247 		break;
2248 
2249 	case sForceCommand:
2250 		if (str == NULL || *str == '\0')
2251 			fatal("%s line %d: %s missing argument.",
2252 			    filename, linenum, keyword);
2253 		len = strspn(str, WHITESPACE);
2254 		if (*activep && options->adm_forced_command == NULL)
2255 			options->adm_forced_command = xstrdup(str + len);
2256 		argv_consume(&ac);
2257 		break;
2258 
2259 	case sChrootDirectory:
2260 		charptr = &options->chroot_directory;
2261 
2262 		arg = argv_next(&ac, &av);
2263 		if (!arg || *arg == '\0')
2264 			fatal("%s line %d: %s missing argument.",
2265 			    filename, linenum, keyword);
2266 		if (*activep && *charptr == NULL)
2267 			*charptr = xstrdup(arg);
2268 		break;
2269 
2270 	case sTrustedUserCAKeys:
2271 		charptr = &options->trusted_user_ca_keys;
2272 		goto parse_filename;
2273 
2274 	case sRevokedKeys:
2275 		charptr = &options->revoked_keys_file;
2276 		goto parse_filename;
2277 
2278 	case sSecurityKeyProvider:
2279 		charptr = &options->sk_provider;
2280 		arg = argv_next(&ac, &av);
2281 		if (!arg || *arg == '\0')
2282 			fatal("%s line %d: %s missing argument.",
2283 			    filename, linenum, keyword);
2284 		if (*activep && *charptr == NULL) {
2285 			*charptr = strcasecmp(arg, "internal") == 0 ?
2286 			    xstrdup(arg) : derelativise_path(arg);
2287 			/* increase optional counter */
2288 			if (intptr != NULL)
2289 				*intptr = *intptr + 1;
2290 		}
2291 		break;
2292 
2293 	case sIPQoS:
2294 		arg = argv_next(&ac, &av);
2295 		if (!arg || *arg == '\0')
2296 			fatal("%s line %d: %s missing argument.",
2297 			    filename, linenum, keyword);
2298 		if ((value = parse_ipqos(arg)) == -1)
2299 			fatal("%s line %d: Bad %s value: %s",
2300 			    filename, linenum, keyword, arg);
2301 		arg = argv_next(&ac, &av);
2302 		if (arg == NULL)
2303 			value2 = value;
2304 		else if ((value2 = parse_ipqos(arg)) == -1)
2305 			fatal("%s line %d: Bad %s value: %s",
2306 			    filename, linenum, keyword, arg);
2307 		if (*activep) {
2308 			options->ip_qos_interactive = value;
2309 			options->ip_qos_bulk = value2;
2310 		}
2311 		break;
2312 
2313 	case sVersionAddendum:
2314 		if (str == NULL || *str == '\0')
2315 			fatal("%s line %d: %s missing argument.",
2316 			    filename, linenum, keyword);
2317 		len = strspn(str, WHITESPACE);
2318 		if (strchr(str + len, '\r') != NULL) {
2319 			fatal("%.200s line %d: Invalid %s argument",
2320 			    filename, linenum, keyword);
2321 		}
2322 		if ((arg = strchr(line, '#')) != NULL) {
2323 			*arg = '\0';
2324 			rtrim(line);
2325 		}
2326 		if (*activep && options->version_addendum == NULL) {
2327 			if (strcasecmp(str + len, "none") == 0)
2328 				options->version_addendum = xstrdup("");
2329 			else
2330 				options->version_addendum = xstrdup(str + len);
2331 		}
2332 		argv_consume(&ac);
2333 		break;
2334 
2335 	case sAuthorizedKeysCommand:
2336 		charptr = &options->authorized_keys_command;
2337  parse_command:
2338 		len = strspn(str, WHITESPACE);
2339 		if (str[len] != '/' && strcasecmp(str + len, "none") != 0) {
2340 			fatal("%.200s line %d: %s must be an absolute path",
2341 			    filename, linenum, keyword);
2342 		}
2343 		if (*activep && options->authorized_keys_command == NULL)
2344 			*charptr = xstrdup(str + len);
2345 		argv_consume(&ac);
2346 		break;
2347 
2348 	case sAuthorizedKeysCommandUser:
2349 		charptr = &options->authorized_keys_command_user;
2350  parse_localuser:
2351 		arg = argv_next(&ac, &av);
2352 		if (!arg || *arg == '\0') {
2353 			fatal("%s line %d: missing %s argument.",
2354 			    filename, linenum, keyword);
2355 		}
2356 		if (*activep && *charptr == NULL)
2357 			*charptr = xstrdup(arg);
2358 		break;
2359 
2360 	case sAuthorizedPrincipalsCommand:
2361 		charptr = &options->authorized_principals_command;
2362 		goto parse_command;
2363 
2364 	case sAuthorizedPrincipalsCommandUser:
2365 		charptr = &options->authorized_principals_command_user;
2366 		goto parse_localuser;
2367 
2368 	case sAuthenticationMethods:
2369 		found = options->num_auth_methods == 0;
2370 		value = 0; /* seen "any" pseudo-method */
2371 		value2 = 0; /* successfully parsed any method */
2372 		while ((arg = argv_next(&ac, &av)) != NULL) {
2373 			if (strcmp(arg, "any") == 0) {
2374 				if (options->num_auth_methods > 0) {
2375 					fatal("%s line %d: \"any\" must "
2376 					    "appear alone in %s",
2377 					    filename, linenum, keyword);
2378 				}
2379 				value = 1;
2380 			} else if (value) {
2381 				fatal("%s line %d: \"any\" must appear "
2382 				    "alone in %s", filename, linenum, keyword);
2383 			} else if (auth2_methods_valid(arg, 0) != 0) {
2384 				fatal("%s line %d: invalid %s method list.",
2385 				    filename, linenum, keyword);
2386 			}
2387 			value2 = 1;
2388 			if (!found || !*activep)
2389 				continue;
2390 			opt_array_append(filename, linenum, keyword,
2391 			    &options->auth_methods,
2392 			    &options->num_auth_methods, arg);
2393 		}
2394 		if (value2 == 0) {
2395 			fatal("%s line %d: no %s specified",
2396 			    filename, linenum, keyword);
2397 		}
2398 		break;
2399 
2400 	case sStreamLocalBindMask:
2401 		arg = argv_next(&ac, &av);
2402 		if (!arg || *arg == '\0')
2403 			fatal("%s line %d: %s missing argument.",
2404 			    filename, linenum, keyword);
2405 		/* Parse mode in octal format */
2406 		value = strtol(arg, &p, 8);
2407 		if (arg == p || value < 0 || value > 0777)
2408 			fatal("%s line %d: Invalid %s.",
2409 			    filename, linenum, keyword);
2410 		if (*activep)
2411 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2412 		break;
2413 
2414 	case sStreamLocalBindUnlink:
2415 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
2416 		goto parse_flag;
2417 
2418 	case sFingerprintHash:
2419 		arg = argv_next(&ac, &av);
2420 		if (!arg || *arg == '\0')
2421 			fatal("%s line %d: %s missing argument.",
2422 			    filename, linenum, keyword);
2423 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
2424 			fatal("%.200s line %d: Invalid %s algorithm \"%s\".",
2425 			    filename, linenum, keyword, arg);
2426 		if (*activep)
2427 			options->fingerprint_hash = value;
2428 		break;
2429 
2430 	case sExposeAuthInfo:
2431 		intptr = &options->expose_userauth_info;
2432 		goto parse_flag;
2433 
2434 	case sRDomain:
2435 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2436 		fatal("%s line %d: setting RDomain not supported on this "
2437 		    "platform.", filename, linenum);
2438 #endif
2439 		charptr = &options->routing_domain;
2440 		arg = argv_next(&ac, &av);
2441 		if (!arg || *arg == '\0')
2442 			fatal("%s line %d: %s missing argument.",
2443 			    filename, linenum, keyword);
2444 		if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2445 		    !valid_rdomain(arg))
2446 			fatal("%s line %d: invalid routing domain",
2447 			    filename, linenum);
2448 		if (*activep && *charptr == NULL)
2449 			*charptr = xstrdup(arg);
2450 		break;
2451 
2452 	case sUseBlacklist:
2453 		intptr = &options->use_blacklist;
2454 		goto parse_flag;
2455 
2456 	case sDeprecated:
2457 	case sIgnore:
2458 	case sUnsupported:
2459 		do_log2(opcode == sIgnore ?
2460 		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2461 		    "%s line %d: %s option %s", filename, linenum,
2462 		    opcode == sUnsupported ? "Unsupported" : "Deprecated",
2463 		    keyword);
2464 		argv_consume(&ac);
2465 		break;
2466 
2467 	default:
2468 		fatal("%s line %d: Missing handler for opcode %s (%d)",
2469 		    filename, linenum, keyword, opcode);
2470 	}
2471 	/* Check that there is no garbage at end of line. */
2472 	if (ac > 0) {
2473 		error("%.200s line %d: keyword %s extra arguments "
2474 		    "at end of line", filename, linenum, keyword);
2475 		goto out;
2476 	}
2477 
2478 	/* success */
2479 	ret = 0;
2480  out:
2481 	argv_free(oav, oac);
2482 	return ret;
2483 }
2484 
2485 int
2486 process_server_config_line(ServerOptions *options, char *line,
2487     const char *filename, int linenum, int *activep,
2488     struct connection_info *connectinfo, struct include_list *includes)
2489 {
2490 	int inc_flags = 0;
2491 
2492 	return process_server_config_line_depth(options, line, filename,
2493 	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2494 }
2495 
2496 
2497 /* Reads the server configuration file. */
2498 
2499 void
2500 load_server_config(const char *filename, struct sshbuf *conf)
2501 {
2502 	struct stat st;
2503 	char *line = NULL, *cp;
2504 	size_t linesize = 0;
2505 	FILE *f;
2506 	int r, lineno = 0;
2507 
2508 	debug2_f("filename %s", filename);
2509 	if ((f = fopen(filename, "r")) == NULL) {
2510 		perror(filename);
2511 		exit(1);
2512 	}
2513 	sshbuf_reset(conf);
2514 	/* grow buffer, so realloc is avoided for large config files */
2515 	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2516 	    (r = sshbuf_allocate(conf, st.st_size)) != 0)
2517 		fatal_fr(r, "allocate");
2518 	while (getline(&line, &linesize, f) != -1) {
2519 		lineno++;
2520 		/*
2521 		 * Strip whitespace
2522 		 * NB - preserve newlines, they are needed to reproduce
2523 		 * line numbers later for error messages
2524 		 */
2525 		cp = line + strspn(line, " \t\r");
2526 		if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2527 			fatal_fr(r, "sshbuf_put");
2528 	}
2529 	free(line);
2530 	if ((r = sshbuf_put_u8(conf, 0)) != 0)
2531 		fatal_fr(r, "sshbuf_put_u8");
2532 	fclose(f);
2533 	debug2_f("done config len = %zu", sshbuf_len(conf));
2534 }
2535 
2536 void
2537 parse_server_match_config(ServerOptions *options,
2538    struct include_list *includes, struct connection_info *connectinfo)
2539 {
2540 	ServerOptions mo;
2541 
2542 	initialize_server_options(&mo);
2543 	parse_server_config(&mo, "reprocess config", cfg, includes,
2544 	    connectinfo, 0);
2545 	copy_set_server_options(options, &mo, 0);
2546 }
2547 
2548 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2549 {
2550 	char *p;
2551 
2552 	while ((p = strsep(&spec, ",")) && *p != '\0') {
2553 		if (strncmp(p, "addr=", 5) == 0) {
2554 			ci->address = xstrdup(p + 5);
2555 		} else if (strncmp(p, "host=", 5) == 0) {
2556 			ci->host = xstrdup(p + 5);
2557 		} else if (strncmp(p, "user=", 5) == 0) {
2558 			ci->user = xstrdup(p + 5);
2559 		} else if (strncmp(p, "laddr=", 6) == 0) {
2560 			ci->laddress = xstrdup(p + 6);
2561 		} else if (strncmp(p, "rdomain=", 8) == 0) {
2562 			ci->rdomain = xstrdup(p + 8);
2563 		} else if (strncmp(p, "lport=", 6) == 0) {
2564 			ci->lport = a2port(p + 6);
2565 			if (ci->lport == -1) {
2566 				fprintf(stderr, "Invalid port '%s' in test mode"
2567 				    " specification %s\n", p+6, p);
2568 				return -1;
2569 			}
2570 		} else {
2571 			fprintf(stderr, "Invalid test mode specification %s\n",
2572 			    p);
2573 			return -1;
2574 		}
2575 	}
2576 	return 0;
2577 }
2578 
2579 /*
2580  * Copy any supported values that are set.
2581  *
2582  * If the preauth flag is set, we do not bother copying the string or
2583  * array values that are not used pre-authentication, because any that we
2584  * do use must be explicitly sent in mm_getpwnamallow().
2585  */
2586 void
2587 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2588 {
2589 #define M_CP_INTOPT(n) do {\
2590 	if (src->n != -1) \
2591 		dst->n = src->n; \
2592 } while (0)
2593 
2594 	M_CP_INTOPT(password_authentication);
2595 	M_CP_INTOPT(gss_authentication);
2596 	M_CP_INTOPT(pubkey_authentication);
2597 	M_CP_INTOPT(pubkey_auth_options);
2598 	M_CP_INTOPT(kerberos_authentication);
2599 	M_CP_INTOPT(hostbased_authentication);
2600 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2601 	M_CP_INTOPT(kbd_interactive_authentication);
2602 	M_CP_INTOPT(permit_root_login);
2603 	M_CP_INTOPT(permit_empty_passwd);
2604 	M_CP_INTOPT(ignore_rhosts);
2605 
2606 	M_CP_INTOPT(allow_tcp_forwarding);
2607 	M_CP_INTOPT(allow_streamlocal_forwarding);
2608 	M_CP_INTOPT(allow_agent_forwarding);
2609 	M_CP_INTOPT(disable_forwarding);
2610 	M_CP_INTOPT(expose_userauth_info);
2611 	M_CP_INTOPT(permit_tun);
2612 	M_CP_INTOPT(fwd_opts.gateway_ports);
2613 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2614 	M_CP_INTOPT(x11_display_offset);
2615 	M_CP_INTOPT(x11_forwarding);
2616 	M_CP_INTOPT(x11_use_localhost);
2617 	M_CP_INTOPT(permit_tty);
2618 	M_CP_INTOPT(permit_user_rc);
2619 	M_CP_INTOPT(max_sessions);
2620 	M_CP_INTOPT(max_authtries);
2621 	M_CP_INTOPT(client_alive_count_max);
2622 	M_CP_INTOPT(client_alive_interval);
2623 	M_CP_INTOPT(ip_qos_interactive);
2624 	M_CP_INTOPT(ip_qos_bulk);
2625 	M_CP_INTOPT(rekey_limit);
2626 	M_CP_INTOPT(rekey_interval);
2627 	M_CP_INTOPT(log_level);
2628 
2629 	/*
2630 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2631 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2632 	 * warnings.
2633 	 */
2634 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2635 		dst->fwd_opts.streamlocal_bind_mask =
2636 		    src->fwd_opts.streamlocal_bind_mask;
2637 	}
2638 
2639 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2640 #define M_CP_STROPT(n) do {\
2641 	if (src->n != NULL && dst->n != src->n) { \
2642 		free(dst->n); \
2643 		dst->n = src->n; \
2644 	} \
2645 } while(0)
2646 #define M_CP_STRARRAYOPT(s, num_s) do {\
2647 	u_int i; \
2648 	if (src->num_s != 0) { \
2649 		for (i = 0; i < dst->num_s; i++) \
2650 			free(dst->s[i]); \
2651 		free(dst->s); \
2652 		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2653 		for (i = 0; i < src->num_s; i++) \
2654 			dst->s[i] = xstrdup(src->s[i]); \
2655 		dst->num_s = src->num_s; \
2656 	} \
2657 } while(0)
2658 
2659 	/* See comment in servconf.h */
2660 	COPY_MATCH_STRING_OPTS();
2661 
2662 	/* Arguments that accept '+...' need to be expanded */
2663 	assemble_algorithms(dst);
2664 
2665 	/*
2666 	 * The only things that should be below this point are string options
2667 	 * which are only used after authentication.
2668 	 */
2669 	if (preauth)
2670 		return;
2671 
2672 	/* These options may be "none" to clear a global setting */
2673 	M_CP_STROPT(adm_forced_command);
2674 	if (option_clear_or_none(dst->adm_forced_command)) {
2675 		free(dst->adm_forced_command);
2676 		dst->adm_forced_command = NULL;
2677 	}
2678 	M_CP_STROPT(chroot_directory);
2679 	if (option_clear_or_none(dst->chroot_directory)) {
2680 		free(dst->chroot_directory);
2681 		dst->chroot_directory = NULL;
2682 	}
2683 }
2684 
2685 #undef M_CP_INTOPT
2686 #undef M_CP_STROPT
2687 #undef M_CP_STRARRAYOPT
2688 
2689 #define SERVCONF_MAX_DEPTH	16
2690 static void
2691 parse_server_config_depth(ServerOptions *options, const char *filename,
2692     struct sshbuf *conf, struct include_list *includes,
2693     struct connection_info *connectinfo, int flags, int *activep, int depth)
2694 {
2695 	int linenum, bad_options = 0;
2696 	char *cp, *obuf, *cbuf;
2697 
2698 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2699 		fatal("Too many recursive configuration includes");
2700 
2701 	debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2702 	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2703 
2704 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2705 		fatal_f("sshbuf_dup_string failed");
2706 	linenum = 1;
2707 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2708 		if (process_server_config_line_depth(options, cp,
2709 		    filename, linenum++, activep, connectinfo, &flags,
2710 		    depth, includes) != 0)
2711 			bad_options++;
2712 	}
2713 	free(obuf);
2714 	if (bad_options > 0)
2715 		fatal("%s: terminating, %d bad configuration options",
2716 		    filename, bad_options);
2717 }
2718 
2719 void
2720 parse_server_config(ServerOptions *options, const char *filename,
2721     struct sshbuf *conf, struct include_list *includes,
2722     struct connection_info *connectinfo, int reexec)
2723 {
2724 	int active = connectinfo ? 0 : 1;
2725 	parse_server_config_depth(options, filename, conf, includes,
2726 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2727 	if (!reexec)
2728 		process_queued_listen_addrs(options);
2729 }
2730 
2731 static const char *
2732 fmt_multistate_int(int val, const struct multistate *m)
2733 {
2734 	u_int i;
2735 
2736 	for (i = 0; m[i].key != NULL; i++) {
2737 		if (m[i].value == val)
2738 			return m[i].key;
2739 	}
2740 	return "UNKNOWN";
2741 }
2742 
2743 static const char *
2744 fmt_intarg(ServerOpCodes code, int val)
2745 {
2746 	if (val == -1)
2747 		return "unset";
2748 	switch (code) {
2749 	case sAddressFamily:
2750 		return fmt_multistate_int(val, multistate_addressfamily);
2751 	case sPermitRootLogin:
2752 		return fmt_multistate_int(val, multistate_permitrootlogin);
2753 	case sGatewayPorts:
2754 		return fmt_multistate_int(val, multistate_gatewayports);
2755 	case sCompression:
2756 		return fmt_multistate_int(val, multistate_compression);
2757 	case sAllowTcpForwarding:
2758 		return fmt_multistate_int(val, multistate_tcpfwd);
2759 	case sAllowStreamLocalForwarding:
2760 		return fmt_multistate_int(val, multistate_tcpfwd);
2761 	case sIgnoreRhosts:
2762 		return fmt_multistate_int(val, multistate_ignore_rhosts);
2763 	case sFingerprintHash:
2764 		return ssh_digest_alg_name(val);
2765 	default:
2766 		switch (val) {
2767 		case 0:
2768 			return "no";
2769 		case 1:
2770 			return "yes";
2771 		default:
2772 			return "UNKNOWN";
2773 		}
2774 	}
2775 }
2776 
2777 static void
2778 dump_cfg_int(ServerOpCodes code, int val)
2779 {
2780 	printf("%s %d\n", lookup_opcode_name(code), val);
2781 }
2782 
2783 static void
2784 dump_cfg_oct(ServerOpCodes code, int val)
2785 {
2786 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2787 }
2788 
2789 static void
2790 dump_cfg_fmtint(ServerOpCodes code, int val)
2791 {
2792 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2793 }
2794 
2795 static void
2796 dump_cfg_string(ServerOpCodes code, const char *val)
2797 {
2798 	printf("%s %s\n", lookup_opcode_name(code),
2799 	    val == NULL ? "none" : val);
2800 }
2801 
2802 static void
2803 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2804 {
2805 	u_int i;
2806 
2807 	for (i = 0; i < count; i++)
2808 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2809 }
2810 
2811 static void
2812 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2813 {
2814 	u_int i;
2815 
2816 	if (count <= 0 && code != sAuthenticationMethods)
2817 		return;
2818 	printf("%s", lookup_opcode_name(code));
2819 	for (i = 0; i < count; i++)
2820 		printf(" %s",  vals[i]);
2821 	if (code == sAuthenticationMethods && count == 0)
2822 		printf(" any");
2823 	printf("\n");
2824 }
2825 
2826 static char *
2827 format_listen_addrs(struct listenaddr *la)
2828 {
2829 	int r;
2830 	struct addrinfo *ai;
2831 	char addr[NI_MAXHOST], port[NI_MAXSERV];
2832 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2833 
2834 	/*
2835 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2836 	 * addresses onto a stack, so to maintain ordering we need to
2837 	 * print these in reverse order.
2838 	 */
2839 	for (ai = la->addrs; ai; ai = ai->ai_next) {
2840 		if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2841 		    sizeof(addr), port, sizeof(port),
2842 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2843 			error("getnameinfo: %.100s", ssh_gai_strerror(r));
2844 			continue;
2845 		}
2846 		laddr2 = laddr1;
2847 		if (ai->ai_family == AF_INET6) {
2848 			xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2849 			    addr, port,
2850 			    la->rdomain == NULL ? "" : " rdomain ",
2851 			    la->rdomain == NULL ? "" : la->rdomain,
2852 			    laddr2);
2853 		} else {
2854 			xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2855 			    addr, port,
2856 			    la->rdomain == NULL ? "" : " rdomain ",
2857 			    la->rdomain == NULL ? "" : la->rdomain,
2858 			    laddr2);
2859 		}
2860 		free(laddr2);
2861 	}
2862 	return laddr1;
2863 }
2864 
2865 void
2866 dump_config(ServerOptions *o)
2867 {
2868 	char *s;
2869 	u_int i;
2870 
2871 	/* these are usually at the top of the config */
2872 	for (i = 0; i < o->num_ports; i++)
2873 		printf("port %d\n", o->ports[i]);
2874 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2875 
2876 	for (i = 0; i < o->num_listen_addrs; i++) {
2877 		s = format_listen_addrs(&o->listen_addrs[i]);
2878 		printf("%s", s);
2879 		free(s);
2880 	}
2881 
2882 	/* integer arguments */
2883 #ifdef USE_PAM
2884 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2885 #endif
2886 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2887 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2888 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2889 	dump_cfg_int(sMaxSessions, o->max_sessions);
2890 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2891 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2892 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2893 
2894 	/* formatted integer arguments */
2895 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2896 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2897 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2898 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2899 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2900 	    o->hostbased_uses_name_from_packet_only);
2901 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2902 #ifdef KRB5
2903 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2904 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2905 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2906 # ifdef USE_AFS
2907 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2908 # endif
2909 #endif
2910 #ifdef GSSAPI
2911 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2912 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2913 #endif
2914 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2915 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2916 	    o->kbd_interactive_authentication);
2917 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2918 #ifndef DISABLE_LASTLOG
2919 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2920 #endif
2921 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2922 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2923 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2924 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2925 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2926 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2927 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2928 	dump_cfg_fmtint(sCompression, o->compression);
2929 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2930 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2931 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2932 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2933 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2934 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2935 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2936 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2937 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2938 	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
2939 
2940 	/* string arguments */
2941 	dump_cfg_string(sPidFile, o->pid_file);
2942 	dump_cfg_string(sModuliFile, o->moduli_file);
2943 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2944 	dump_cfg_string(sCiphers, o->ciphers);
2945 	dump_cfg_string(sMacs, o->macs);
2946 	dump_cfg_string(sBanner, o->banner);
2947 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2948 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2949 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2950 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2951 	dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
2952 	dump_cfg_string(sAuthorizedPrincipalsFile,
2953 	    o->authorized_principals_file);
2954 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2955 	    ? "none" : o->version_addendum);
2956 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2957 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2958 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2959 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2960 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2961 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
2962 	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
2963 	dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos);
2964 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
2965 	dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
2966 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2967 	dump_cfg_string(sRDomain, o->routing_domain);
2968 #endif
2969 
2970 	/* string arguments requiring a lookup */
2971 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2972 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2973 
2974 	/* string array arguments */
2975 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2976 	    o->authorized_keys_files);
2977 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2978 	    o->host_key_files);
2979 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2980 	    o->host_cert_files);
2981 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2982 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2983 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2984 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2985 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2986 	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
2987 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2988 	    o->num_auth_methods, o->auth_methods);
2989 	dump_cfg_strarray_oneline(sLogVerbose,
2990 	    o->num_log_verbose, o->log_verbose);
2991 
2992 	/* other arguments */
2993 	for (i = 0; i < o->num_subsystems; i++)
2994 		printf("subsystem %s %s\n", o->subsystem_name[i],
2995 		    o->subsystem_args[i]);
2996 
2997 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2998 	    o->max_startups_rate, o->max_startups);
2999 	printf("persourcemaxstartups ");
3000 	if (o->per_source_max_startups == INT_MAX)
3001 		printf("none\n");
3002 	else
3003 		printf("%d\n", o->per_source_max_startups);
3004 	printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4,
3005 	    o->per_source_masklen_ipv6);
3006 
3007 	s = NULL;
3008 	for (i = 0; tunmode_desc[i].val != -1; i++) {
3009 		if (tunmode_desc[i].val == o->permit_tun) {
3010 			s = tunmode_desc[i].text;
3011 			break;
3012 		}
3013 	}
3014 	dump_cfg_string(sPermitTunnel, s);
3015 
3016 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
3017 	printf("%s\n", iptos2str(o->ip_qos_bulk));
3018 
3019 	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
3020 	    o->rekey_interval);
3021 
3022 	printf("permitopen");
3023 	if (o->num_permitted_opens == 0)
3024 		printf(" any");
3025 	else {
3026 		for (i = 0; i < o->num_permitted_opens; i++)
3027 			printf(" %s", o->permitted_opens[i]);
3028 	}
3029 	printf("\n");
3030 	printf("permitlisten");
3031 	if (o->num_permitted_listens == 0)
3032 		printf(" any");
3033 	else {
3034 		for (i = 0; i < o->num_permitted_listens; i++)
3035 			printf(" %s", o->permitted_listens[i]);
3036 	}
3037 	printf("\n");
3038 
3039 	if (o->permit_user_env_allowlist == NULL) {
3040 		dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
3041 	} else {
3042 		printf("permituserenvironment %s\n",
3043 		    o->permit_user_env_allowlist);
3044 	}
3045 
3046 	printf("pubkeyauthoptions");
3047 	if (o->pubkey_auth_options == 0)
3048 		printf(" none");
3049 	if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
3050 		printf(" touch-required");
3051 	if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
3052 		printf(" verify-required");
3053 	printf("\n");
3054 }
3055