/*
 *
 * servconf.c
 *
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 *
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 *
 * Created: Mon Aug 21 15:48:58 1995 ylo
 *
 * $FreeBSD$
 */

#include "includes.h"
RCSID("$Id: servconf.c,v 1.30 2000/02/24 18:22:16 markus Exp $");

#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"

/* add listen address */
void add_listen_addr(ServerOptions *options, char *addr);

/*
 * Marks one int-valued option of *options as "not configured yet".  Local to
 * initialize_server_options(); undefined again right after it.
 */
#define UNSET(field)	(options->field = -1)

/*
 * Puts every field of *options into the "not configured" state.  The memset()
 * zeroes the counters (num_ports, ports_from_cmdline, num_allow_users, ...)
 * and the pointers; every option that has a built-in default is then set to
 * -1 so that read_server_config() can tell an explicit setting from an
 * untouched slot and fill_default_server_options() knows what is still
 * missing.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Pointers are cleared explicitly rather than trusting all-bits-zero. */
	options->listen_addrs = NULL;
	options->host_key_file = NULL;

	/* Numeric tunables and yes/no switches. */
	UNSET(server_key_bits);
	UNSET(login_grace_time);
	UNSET(key_regeneration_time);
	UNSET(permit_root_login);
	UNSET(ignore_rhosts);
	UNSET(ignore_user_known_hosts);
	UNSET(print_motd);
	UNSET(check_mail);
	UNSET(x11_forwarding);
	UNSET(x11_display_offset);
	UNSET(strict_modes);
	UNSET(keepalives);

	/* Enum-typed fields use the same sentinel, cast to their own type. */
	options->log_facility = (SyslogFacility) -1;
	options->log_level = (LogLevel) -1;

	/* Authentication methods; the optional ones exist only when compiled in. */
	UNSET(rhosts_authentication);
	UNSET(rhosts_rsa_authentication);
	UNSET(rsa_authentication);
#ifdef KRB4
	UNSET(krb4_authentication);
	UNSET(krb4_or_local_passwd);
	UNSET(krb4_ticket_cleanup);
#endif
#ifdef KRB5
	UNSET(krb5_authentication);
	UNSET(krb5_tgt_passing);
#endif /* KRB5 */
#ifdef AFS
	UNSET(krb4_tgt_passing);
	UNSET(afs_token_passing);
#endif
	UNSET(password_authentication);
#ifdef SKEY
	UNSET(skey_authentication);
#endif
	UNSET(permit_empty_passwd);
	UNSET(use_login);
}

#undef UNSET

/* Stores dflt into *slot unless the slot was already configured (!= -1). */
static void
default_int(int *slot, int dflt)
{
	if (*slot == -1)
		*slot = dflt;
}

/*
 * Supplies the built-in default for every option that is still unset after
 * the command line and the configuration file have been processed.  Slots
 * that already hold a value (!= -1, or non-NULL / non-zero for the pointer
 * and counter fields) are left untouched.
 */
void
fill_default_server_options(ServerOptions *options)
{
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL);	/* wildcard address, every port */
	if (options->host_key_file == NULL)
		options->host_key_file = HOST_KEY_FILE;

	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 600);
	default_int(&options->key_regeneration_time, 3600);
	default_int(&options->permit_root_login, 1);	/* yes */
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->check_mail, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->x11_forwarding, 1);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->strict_modes, 1);
	default_int(&options->keepalives, 1);

	/* The enum-typed fields keep their own sentinel comparison. */
	if (options->log_facility == (SyslogFacility) (-1))
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == (LogLevel) (-1))
		options->log_level = SYSLOG_LEVEL_INFO;

	default_int(&options->rhosts_authentication, 0);
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->rsa_authentication, 1);
#ifdef KRB4
	/* access() is only consulted while the slot is still unset. */
	if (options->krb4_authentication == -1)
		options->krb4_authentication = (access(KEYFILE, R_OK) == 0);
	default_int(&options->krb4_or_local_passwd, 1);
	default_int(&options->krb4_ticket_cleanup, 1);
#endif /* KRB4 */
#ifdef KRB5
	default_int(&options->krb5_authentication, 1);
	default_int(&options->krb5_tgt_passing, 1);
#endif /* KRB5 */
#ifdef AFS
	default_int(&options->krb4_tgt_passing, 0);
	/* k_hasafs() is only called while the slot is still unset. */
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif /* AFS */
	default_int(&options->password_authentication, 1);
#ifdef SKEY
	default_int(&options->skey_authentication, 1);
#endif
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->use_login, 0);
}

/* Characters that separate tokens on a configuration line. */
#define WHITESPACE " \t\r\n"

/* Keyword tokens; sBadOption is returned for anything not in keywords[]. */
typedef enum {
	sBadOption,		/* == unknown option */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef KRB4
	sKrb4Authentication, sKrb4OrLocalPasswd, sKrb4TicketCleanup,
#endif
#ifdef KRB5
	sKrb5Authentication, sKrb5TgtPassing,
#endif /* KRB5 */
#ifdef AFS
	sKrb4TgtPassing, sAFSTokenPassing,
#endif
#ifdef SKEY
	sSkeyAuthentication,
#endif
	sPasswordAuthentication, sListenAddress,
	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sConnectionsPerPeriod
} ServerOpCodes;

/*
 * Textual representation of the tokens.  Names are matched
 * case-insensitively by parse_token(); the list ends with a NULL name.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "rsaauthentication", sRSAAuthentication },
#ifdef KRB4
	{ "kerberos4authentication", sKrb4Authentication },
	{ "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
	{ "kerberos4ticketcleanup", sKrb4TicketCleanup },
#endif
#ifdef KRB5
	{ "kerberos5authentication", sKrb5Authentication },
	{ "kerberos5tgtpassing", sKrb5TgtPassing },
#endif /* KRB5 */
#ifdef AFS
	{ "kerberos4tgtpassing", sKrb4TgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
#ifdef SKEY
	{ "skeyauthentication", sSkeyAuthentication },
#endif
	{ "checkmail", sCheckMail },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "randomseed", sRandomSeedFile },
	{ "keepalive", sKeepAlives },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "connectionsperperiod", sConnectionsPerPeriod },
	{ NULL, 0 }
};

/*
 * Returns the opcode of the keyword cp (a NUL-terminated token).  An unknown
 * keyword is reported on stderr with filename/linenum and yields sBadOption;
 * the caller decides whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename, int linenum)
{
	unsigned int idx = 0;

	/* Keyword matching is case-insensitive; the table is NULL-terminated. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
	    filename, linenum, cp);
	return sBadOption;
}

/*
 * Resolves addr (NULL == wildcard) on every configured port and prepends the
 * resulting addrinfo chains to options->listen_addrs.  Resolution failure is
 * fatal.  If no port has been configured yet, SSH_DEFAULT_PORT is added
 * first.  addr is the raw text of the ListenAddress line; IPv4or6 (defined
 * elsewhere) selects the address family passed to getaddrinfo().
 */
void
add_listen_addr(ServerOptions *options, char *addr)
{
	extern int IPv4or6;
	struct addrinfo hints, *res, *last;
	char portstr[NI_MAXSERV];
	int err, idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	for (idx = 0; idx < options->num_ports; idx++) {
		memset(&hints, 0, sizeof hints);
		hints.ai_family = IPv4or6;
		hints.ai_socktype = SOCK_STREAM;
		/* ai_flags is already 0 from the memset unless we want a wildcard bind. */
		if (addr == NULL)
			hints.ai_flags = AI_PASSIVE;
		snprintf(portstr, sizeof portstr, "%d", options->ports[idx]);

		err = getaddrinfo(addr, portstr, &hints, &res);
		if (err != 0)
			fatal("bad addr or host: %s (%s)\n",
			    addr ? addr : "<NULL>", gai_strerror(err));

		/* Splice: new chain first, then whatever was collected before. */
		last = res;
		while (last->ai_next != NULL)
			last = last->ai_next;
		last->ai_next = options->listen_addrs;
		options->listen_addrs = res;
	}
}

/* Reads the server configuration file.
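 */

/*
 * Converts one configuration token to an int.  The token comes from strtok()
 * so it is non-empty and contains no whitespace; anything left after the
 * digits is therefore junk and rejected, as is a value that does not fit in
 * an int.  Calls fatal() (which does not return) on bad input.
 *
 * errno is deliberately not consulted: an out-of-range literal saturates to
 * LONG_MIN/LONG_MAX, which the int-range check catches on LP64 targets; on
 * ILP32 such a literal is clamped to INT_MIN/INT_MAX instead.
 */
static int
parse_int_token(const char *cp, const char *filename, int linenum)
{
	char *end;
	long v;

	v = strtol(cp, &end, 10);
	if (end == cp || *end != '\0' || (long)(int)v != v)
		fatal("%s line %d: invalid integer value: %s\n",
		    filename, linenum, cp);
	return (int)v;
}

/*
 * Parses the configuration file `filename' into *options.  Each line is
 * "Keyword value..."; blank lines and lines starting with '#' are skipped.
 * An option slot that is already set (!= -1 / non-NULL, e.g. from the
 * command line) keeps its value; only slots still at -1 are filled from the
 * file.  Unknown keywords are counted and reported together at the end; every
 * other error terminates the program via fatal() or exit(1).
 *
 * Lines longer than sizeof(line) - 1 are rejected instead of being silently
 * parsed as two lines (which would also skew the reported line numbers).
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *f;
	char line[1024];
	char *cp, **charptr;
	int linenum, *intptr, value;
	int bad_options = 0;
	ServerOpCodes opcode;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		size_t len;

		linenum++;
		len = strlen(line);
		if (len > 0 && line[len - 1] != '\n') {
			/*
			 * Buffer filled without a newline: either the line
			 * is exactly full (next char is the newline, consume
			 * it), it is the unterminated last line (EOF), or it
			 * is genuinely too long.
			 */
			int c = getc(f);
			if (c != EOF && c != '\n')
				fatal("%s line %d: line too long.\n",
				    filename, linenum);
		}
		cp = line + strspn(line, WHITESPACE);
		if (!*cp || *cp == '#')
			continue;
		cp = strtok(cp, WHITESPACE);
		opcode = parse_token(cp, filename, linenum);
		switch (opcode) {
		case sBadOption:
			bad_options++;
			continue;
		case sPort:
			/* ignore ports from configfile if cmdline specifies ports */
			if (options->ports_from_cmdline)
				continue;
			if (options->listen_addrs != NULL)
				fatal("%s line %d: ports must be specified before "
				    "ListenAddress.\n", filename, linenum);
			if (options->num_ports >= MAX_PORTS)
				fatal("%s line %d: too many ports.\n",
				    filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing port number.\n",
				    filename, linenum);
			/* atoi() would silently turn junk into port 0. */
			value = parse_int_token(cp, filename, linenum);
			if (value < 1 || value > 65535)
				fatal("%s line %d: invalid port number: %s\n",
				    filename, linenum, cp);
			options->ports[options->num_ports++] = value;
			break;

		case sServerKeyBits:
			intptr = &options->server_key_bits;
parse_int:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing integer value.\n",
				    filename, linenum);
				exit(1);
			}
			value = parse_int_token(cp, filename, linenum);
			/* -1 means "unset"; an earlier (command-line) setting wins. */
			if (*intptr == -1)
				*intptr = value;
			break;

		case sLoginGraceTime:
			intptr = &options->login_grace_time;
			goto parse_int;

		case sKeyRegenerationTime:
			intptr = &options->key_regeneration_time;
			goto parse_int;

		case sListenAddress:
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing inet addr.\n",
				    filename, linenum);
			add_listen_addr(options, cp);
			break;

		case sHostKeyFile:
			charptr = &options->host_key_file;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing file name.\n",
				    filename, linenum);
				exit(1);
			}
			/* Only the first setting is expanded; later ones are ignored. */
			if (*charptr == NULL)
				*charptr = tilde_expand_filename(cp, getuid());
			break;

		case sRandomSeedFile:
			fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
			    filename, linenum);
			/* Consume the argument so the garbage check below passes. */
			cp = strtok(NULL, WHITESPACE);
			break;

		case sPermitRootLogin:
			intptr = &options->permit_root_login;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
				    filename, linenum);
				exit(1);
			}
			/* Three-valued: 2 == without-password, 1 == yes, 0 == no. */
			if (strcmp(cp, "without-password") == 0)
				value = 2;
			else if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
				    filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreRhosts:
			intptr = &options->ignore_rhosts;
parse_flag:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/no argument.\n",
				    filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
				    filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreUserKnownHosts:
			intptr = &options->ignore_user_known_hosts;
			/* A yes/no switch, like the other Ignore* options; was wrongly parse_int. */
			goto parse_flag;

		case sRhostsAuthentication:
			intptr = &options->rhosts_authentication;
			goto parse_flag;

		case sRhostsRSAAuthentication:
			intptr = &options->rhosts_rsa_authentication;
			goto parse_flag;

		case sRSAAuthentication:
			intptr = &options->rsa_authentication;
			goto parse_flag;

#ifdef KRB4
		case sKrb4Authentication:
			intptr = &options->krb4_authentication;
			goto parse_flag;

		case sKrb4OrLocalPasswd:
			intptr = &options->krb4_or_local_passwd;
			goto parse_flag;

		case sKrb4TicketCleanup:
			intptr = &options->krb4_ticket_cleanup;
			goto parse_flag;
#endif

#ifdef KRB5
		case sKrb5Authentication:
			intptr = &options->krb5_authentication;
			goto parse_flag;

		case sKrb5TgtPassing:
			intptr = &options->krb5_tgt_passing;
			goto parse_flag;
#endif /* KRB5 */

#ifdef AFS
		case sKrb4TgtPassing:
			intptr = &options->krb4_tgt_passing;
			goto parse_flag;

		case sAFSTokenPassing:
			intptr = &options->afs_token_passing;
			goto parse_flag;
#endif

		case sPasswordAuthentication:
			intptr = &options->password_authentication;
			goto parse_flag;

		case sCheckMail:
			intptr = &options->check_mail;
			goto parse_flag;

#ifdef SKEY
		case sSkeyAuthentication:
			intptr = &options->skey_authentication;
			goto parse_flag;
#endif

		case sPrintMotd:
			intptr = &options->print_motd;
			goto parse_flag;

		case sX11Forwarding:
			intptr = &options->x11_forwarding;
			goto parse_flag;

		case sX11DisplayOffset:
			intptr = &options->x11_display_offset;
			goto parse_int;

		case sStrictModes:
			intptr = &options->strict_modes;
			goto parse_flag;

		case sKeepAlives:
			intptr = &options->keepalives;
			goto parse_flag;

		case sEmptyPasswd:
			intptr = &options->permit_empty_passwd;
			goto parse_flag;

		case sUseLogin:
			intptr = &options->use_login;
			goto parse_flag;

		case sLogFacility:
			intptr = (int *) &options->log_facility;
			cp = strtok(NULL, WHITESPACE);
			/* NOTE(review): cp may be NULL here; log_facility_number() is assumed to tolerate that — confirm. */
			value = log_facility_number(cp);
			if (value == (SyslogFacility) - 1)
				fatal("%.200s line %d: unsupported log facility '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (SyslogFacility) value;
			break;

		case sLogLevel:
			intptr = (int *) &options->log_level;
			cp = strtok(NULL, WHITESPACE);
			/* NOTE(review): same NULL-token assumption as for log_facility_number(). */
			value = log_level_number(cp);
			if (value == (LogLevel) - 1)
				fatal("%.200s line %d: unsupported log level '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (LogLevel) value;
			break;

		/* The four list options take any number of names; duplicates are kept. */
		case sAllowUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_users >= MAX_ALLOW_USERS)
					fatal("%.200s line %d: too many allow users.\n", filename,
					    linenum);
				options->allow_users[options->num_allow_users++] = xstrdup(cp);
			}
			break;

		case sDenyUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_users >= MAX_DENY_USERS)
					fatal("%.200s line %d: too many deny users.\n", filename,
					    linenum);
				options->deny_users[options->num_deny_users++] = xstrdup(cp);
			}
			break;

		case sAllowGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
					fatal("%.200s line %d: too many allow groups.\n", filename,
					    linenum);
				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
			}
			break;

		case sDenyGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_groups >= MAX_DENY_GROUPS)
					fatal("%.200s line %d: too many deny groups.\n", filename,
					    linenum);
				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
			}
			break;

		case sConnectionsPerPeriod:
			/* Argument is "N/SECONDS"; N == 0 disables the limit. */
			cp = strtok(NULL, WHITESPACE);
			if (cp == NULL)
				fatal("%.200s line %d: missing (>= 0) number argument.\n",
				    filename, linenum);
			if (sscanf(cp, " %u/%u ", &options->connections_per_period,
			    &options->connections_period) != 2)
				fatal("%.200s line %d: invalid numerical argument(s).\n",
				    filename, linenum);
			if (options->connections_per_period != 0 &&
			    options->connections_period == 0)
				fatal("%.200s line %d: invalid connections period.\n",
				    filename, linenum);
			break;

		default:
			fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
			    filename, linenum, cp, opcode);
		}
		/* Every handler must have consumed its arguments. */
		if (strtok(NULL, WHITESPACE) != NULL)
			fatal("%.200s line %d: garbage at end of line.\n", filename,
			    linenum);
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%.200s: terminating, %d bad configuration options\n",
		    filename, bad_options);
}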