xref: /freebsd/crypto/openssh/servconf.c (revision e92ffd9b626833ebdbf2742c8ffddc6cd94b963e)
1 
2 /* $OpenBSD: servconf.c,v 1.382 2021/09/06 00:36:01 millert Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 __RCSID("$FreeBSD$");
16 
17 #include <sys/types.h>
18 #include <sys/socket.h>
19 #include <sys/stat.h>
20 #ifdef __OpenBSD__
21 #include <sys/sysctl.h>
22 #endif
23 
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
26 #include <netinet/ip.h>
27 #ifdef HAVE_NET_ROUTE_H
28 #include <net/route.h>
29 #endif
30 
31 #include <ctype.h>
32 #include <netdb.h>
33 #include <pwd.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <signal.h>
38 #include <unistd.h>
39 #include <limits.h>
40 #include <stdarg.h>
41 #include <errno.h>
42 #ifdef HAVE_UTIL_H
43 #include <util.h>
44 #endif
45 #ifdef USE_SYSTEM_GLOB
46 # include <glob.h>
47 #else
48 # include "openbsd-compat/glob.h"
49 #endif
50 
51 #include "openbsd-compat/sys-queue.h"
52 #include "xmalloc.h"
53 #include "ssh.h"
54 #include "log.h"
55 #include "sshbuf.h"
56 #include "misc.h"
57 #include "servconf.h"
58 #include "compat.h"
59 #include "pathnames.h"
60 #include "cipher.h"
61 #include "sshkey.h"
62 #include "kex.h"
63 #include "mac.h"
64 #include "match.h"
65 #include "channels.h"
66 #include "groupaccess.h"
67 #include "canohost.h"
68 #include "packet.h"
69 #include "ssherr.h"
70 #include "hostfile.h"
71 #include "auth.h"
72 #include "myproposal.h"
73 #include "digest.h"
74 #include "version.h"
75 
76 static void add_listen_addr(ServerOptions *, const char *,
77     const char *, int);
78 static void add_one_listen_addr(ServerOptions *, const char *,
79     const char *, int);
80 static void parse_server_config_depth(ServerOptions *options,
81     const char *filename, struct sshbuf *conf, struct include_list *includes,
82     struct connection_info *connectinfo, int flags, int *activep, int depth);
83 
84 /* Use of privilege separation or not */
85 extern int use_privsep;
86 extern struct sshbuf *cfg;
87 
88 /* Initializes the server options to their default values. */
89 
90 void
91 initialize_server_options(ServerOptions *options)
92 {
93 	memset(options, 0, sizeof(*options));
94 
95 	/* Portable-specific options */
96 	options->use_pam = -1;
97 
98 	/* Standard Options */
99 	options->num_ports = 0;
100 	options->ports_from_cmdline = 0;
101 	options->queued_listen_addrs = NULL;
102 	options->num_queued_listens = 0;
103 	options->listen_addrs = NULL;
104 	options->num_listen_addrs = 0;
105 	options->address_family = -1;
106 	options->routing_domain = NULL;
107 	options->num_host_key_files = 0;
108 	options->num_host_cert_files = 0;
109 	options->host_key_agent = NULL;
110 	options->pid_file = NULL;
111 	options->login_grace_time = -1;
112 	options->permit_root_login = PERMIT_NOT_SET;
113 	options->ignore_rhosts = -1;
114 	options->ignore_user_known_hosts = -1;
115 	options->print_motd = -1;
116 	options->print_lastlog = -1;
117 	options->x11_forwarding = -1;
118 	options->x11_display_offset = -1;
119 	options->x11_use_localhost = -1;
120 	options->permit_tty = -1;
121 	options->permit_user_rc = -1;
122 	options->xauth_location = NULL;
123 	options->strict_modes = -1;
124 	options->tcp_keep_alive = -1;
125 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
126 	options->log_level = SYSLOG_LEVEL_NOT_SET;
127 	options->num_log_verbose = 0;
128 	options->log_verbose = NULL;
129 	options->hostbased_authentication = -1;
130 	options->hostbased_uses_name_from_packet_only = -1;
131 	options->hostbased_accepted_algos = NULL;
132 	options->hostkeyalgorithms = NULL;
133 	options->pubkey_authentication = -1;
134 	options->pubkey_auth_options = -1;
135 	options->pubkey_accepted_algos = NULL;
136 	options->kerberos_authentication = -1;
137 	options->kerberos_or_local_passwd = -1;
138 	options->kerberos_ticket_cleanup = -1;
139 	options->kerberos_get_afs_token = -1;
140 	options->gss_authentication=-1;
141 	options->gss_cleanup_creds = -1;
142 	options->gss_strict_acceptor = -1;
143 	options->password_authentication = -1;
144 	options->kbd_interactive_authentication = -1;
145 	options->permit_empty_passwd = -1;
146 	options->permit_user_env = -1;
147 	options->permit_user_env_allowlist = NULL;
148 	options->compression = -1;
149 	options->rekey_limit = -1;
150 	options->rekey_interval = -1;
151 	options->allow_tcp_forwarding = -1;
152 	options->allow_streamlocal_forwarding = -1;
153 	options->allow_agent_forwarding = -1;
154 	options->num_allow_users = 0;
155 	options->num_deny_users = 0;
156 	options->num_allow_groups = 0;
157 	options->num_deny_groups = 0;
158 	options->ciphers = NULL;
159 	options->macs = NULL;
160 	options->kex_algorithms = NULL;
161 	options->ca_sign_algorithms = NULL;
162 	options->fwd_opts.gateway_ports = -1;
163 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
164 	options->fwd_opts.streamlocal_bind_unlink = -1;
165 	options->num_subsystems = 0;
166 	options->max_startups_begin = -1;
167 	options->max_startups_rate = -1;
168 	options->max_startups = -1;
169 	options->per_source_max_startups = -1;
170 	options->per_source_masklen_ipv4 = -1;
171 	options->per_source_masklen_ipv6 = -1;
172 	options->max_authtries = -1;
173 	options->max_sessions = -1;
174 	options->banner = NULL;
175 	options->use_dns = -1;
176 	options->client_alive_interval = -1;
177 	options->client_alive_count_max = -1;
178 	options->num_authkeys_files = 0;
179 	options->num_accept_env = 0;
180 	options->num_setenv = 0;
181 	options->permit_tun = -1;
182 	options->permitted_opens = NULL;
183 	options->permitted_listens = NULL;
184 	options->adm_forced_command = NULL;
185 	options->chroot_directory = NULL;
186 	options->authorized_keys_command = NULL;
187 	options->authorized_keys_command_user = NULL;
188 	options->revoked_keys_file = NULL;
189 	options->sk_provider = NULL;
190 	options->trusted_user_ca_keys = NULL;
191 	options->authorized_principals_file = NULL;
192 	options->authorized_principals_command = NULL;
193 	options->authorized_principals_command_user = NULL;
194 	options->ip_qos_interactive = -1;
195 	options->ip_qos_bulk = -1;
196 	options->version_addendum = NULL;
197 	options->fingerprint_hash = -1;
198 	options->disable_forwarding = -1;
199 	options->expose_userauth_info = -1;
200 	options->use_blacklist = -1;
201 }
202 
203 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
204 static int
205 option_clear_or_none(const char *o)
206 {
207 	return o == NULL || strcasecmp(o, "none") == 0;
208 }
209 
210 static void
211 assemble_algorithms(ServerOptions *o)
212 {
213 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
214 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
215 	int r;
216 
217 	all_cipher = cipher_alg_list(',', 0);
218 	all_mac = mac_alg_list(',');
219 	all_kex = kex_alg_list(',');
220 	all_key = sshkey_alg_list(0, 0, 1, ',');
221 	all_sig = sshkey_alg_list(0, 1, 1, ',');
222 	/* remove unsupported algos from default lists */
223 	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
224 	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
225 	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
226 	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
227 	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
228 #define ASSEMBLE(what, defaults, all) \
229 	do { \
230 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
231 			fatal_fr(r, "%s", #what); \
232 	} while (0)
233 	ASSEMBLE(ciphers, def_cipher, all_cipher);
234 	ASSEMBLE(macs, def_mac, all_mac);
235 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
236 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
237 	ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
238 	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
239 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
240 #undef ASSEMBLE
241 	free(all_cipher);
242 	free(all_mac);
243 	free(all_kex);
244 	free(all_key);
245 	free(all_sig);
246 	free(def_cipher);
247 	free(def_mac);
248 	free(def_kex);
249 	free(def_key);
250 	free(def_sig);
251 }
252 
253 static const char *defaultkey = "[default]";
254 
255 void
256 servconf_add_hostkey(const char *file, const int line,
257     ServerOptions *options, const char *path, int userprovided)
258 {
259 	char *apath = derelativise_path(path);
260 
261 	if (file == defaultkey && access(path, R_OK) != 0)
262 		return;
263 	opt_array_append2(file, line, "HostKey",
264 	    &options->host_key_files, &options->host_key_file_userprovided,
265 	    &options->num_host_key_files, apath, userprovided);
266 	free(apath);
267 }
268 
269 void
270 servconf_add_hostcert(const char *file, const int line,
271     ServerOptions *options, const char *path)
272 {
273 	char *apath = derelativise_path(path);
274 
275 	opt_array_append(file, line, "HostCertificate",
276 	    &options->host_cert_files, &options->num_host_cert_files, apath);
277 	free(apath);
278 }
279 
280 void
281 fill_default_server_options(ServerOptions *options)
282 {
283 	u_int i;
284 
285 	/* Portable-specific options */
286 	if (options->use_pam == -1)
287 		options->use_pam = 1;
288 
289 	/* Standard Options */
290 	if (options->num_host_key_files == 0) {
291 		/* fill default hostkeys for protocols */
292 		servconf_add_hostkey(defaultkey, 0, options,
293 		    _PATH_HOST_RSA_KEY_FILE, 0);
294 #ifdef OPENSSL_HAS_ECC
295 		servconf_add_hostkey(defaultkey, 0, options,
296 		    _PATH_HOST_ECDSA_KEY_FILE, 0);
297 #endif
298 		servconf_add_hostkey(defaultkey, 0, options,
299 		    _PATH_HOST_ED25519_KEY_FILE, 0);
300 #ifdef WITH_XMSS
301 		servconf_add_hostkey(defaultkey, 0, options,
302 		    _PATH_HOST_XMSS_KEY_FILE, 0);
303 #endif /* WITH_XMSS */
304 	}
305 	if (options->num_host_key_files == 0)
306 		fatal("No host key files found");
307 	/* No certificates by default */
308 	if (options->num_ports == 0)
309 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
310 	if (options->address_family == -1)
311 		options->address_family = AF_UNSPEC;
312 	if (options->listen_addrs == NULL)
313 		add_listen_addr(options, NULL, NULL, 0);
314 	if (options->pid_file == NULL)
315 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
316 	if (options->moduli_file == NULL)
317 		options->moduli_file = xstrdup(_PATH_DH_MODULI);
318 	if (options->login_grace_time == -1)
319 		options->login_grace_time = 120;
320 	if (options->permit_root_login == PERMIT_NOT_SET)
321 		options->permit_root_login = PERMIT_NO;
322 	if (options->ignore_rhosts == -1)
323 		options->ignore_rhosts = 1;
324 	if (options->ignore_user_known_hosts == -1)
325 		options->ignore_user_known_hosts = 0;
326 	if (options->print_motd == -1)
327 		options->print_motd = 1;
328 	if (options->print_lastlog == -1)
329 		options->print_lastlog = 1;
330 	if (options->x11_forwarding == -1)
331 		options->x11_forwarding = 1;
332 	if (options->x11_display_offset == -1)
333 		options->x11_display_offset = 10;
334 	if (options->x11_use_localhost == -1)
335 		options->x11_use_localhost = 1;
336 	if (options->xauth_location == NULL)
337 		options->xauth_location = xstrdup(_PATH_XAUTH);
338 	if (options->permit_tty == -1)
339 		options->permit_tty = 1;
340 	if (options->permit_user_rc == -1)
341 		options->permit_user_rc = 1;
342 	if (options->strict_modes == -1)
343 		options->strict_modes = 1;
344 	if (options->tcp_keep_alive == -1)
345 		options->tcp_keep_alive = 1;
346 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
347 		options->log_facility = SYSLOG_FACILITY_AUTH;
348 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
349 		options->log_level = SYSLOG_LEVEL_INFO;
350 	if (options->hostbased_authentication == -1)
351 		options->hostbased_authentication = 0;
352 	if (options->hostbased_uses_name_from_packet_only == -1)
353 		options->hostbased_uses_name_from_packet_only = 0;
354 	if (options->pubkey_authentication == -1)
355 		options->pubkey_authentication = 1;
356 	if (options->pubkey_auth_options == -1)
357 		options->pubkey_auth_options = 0;
358 	if (options->kerberos_authentication == -1)
359 		options->kerberos_authentication = 0;
360 	if (options->kerberos_or_local_passwd == -1)
361 		options->kerberos_or_local_passwd = 1;
362 	if (options->kerberos_ticket_cleanup == -1)
363 		options->kerberos_ticket_cleanup = 1;
364 	if (options->kerberos_get_afs_token == -1)
365 		options->kerberos_get_afs_token = 0;
366 	if (options->gss_authentication == -1)
367 		options->gss_authentication = 0;
368 	if (options->gss_cleanup_creds == -1)
369 		options->gss_cleanup_creds = 1;
370 	if (options->gss_strict_acceptor == -1)
371 		options->gss_strict_acceptor = 1;
372 	if (options->password_authentication == -1)
373 		options->password_authentication = 0;
374 	if (options->kbd_interactive_authentication == -1)
375 		options->kbd_interactive_authentication = 1;
376 	if (options->permit_empty_passwd == -1)
377 		options->permit_empty_passwd = 0;
378 	if (options->permit_user_env == -1) {
379 		options->permit_user_env = 0;
380 		options->permit_user_env_allowlist = NULL;
381 	}
382 	if (options->compression == -1)
383 #ifdef WITH_ZLIB
384 		options->compression = COMP_DELAYED;
385 #else
386 		options->compression = COMP_NONE;
387 #endif
388 
389 	if (options->rekey_limit == -1)
390 		options->rekey_limit = 0;
391 	if (options->rekey_interval == -1)
392 		options->rekey_interval = 0;
393 	if (options->allow_tcp_forwarding == -1)
394 		options->allow_tcp_forwarding = FORWARD_ALLOW;
395 	if (options->allow_streamlocal_forwarding == -1)
396 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
397 	if (options->allow_agent_forwarding == -1)
398 		options->allow_agent_forwarding = 1;
399 	if (options->fwd_opts.gateway_ports == -1)
400 		options->fwd_opts.gateway_ports = 0;
401 	if (options->max_startups == -1)
402 		options->max_startups = 100;
403 	if (options->max_startups_rate == -1)
404 		options->max_startups_rate = 30;		/* 30% */
405 	if (options->max_startups_begin == -1)
406 		options->max_startups_begin = 10;
407 	if (options->per_source_max_startups == -1)
408 		options->per_source_max_startups = INT_MAX;
409 	if (options->per_source_masklen_ipv4 == -1)
410 		options->per_source_masklen_ipv4 = 32;
411 	if (options->per_source_masklen_ipv6 == -1)
412 		options->per_source_masklen_ipv6 = 128;
413 	if (options->max_authtries == -1)
414 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
415 	if (options->max_sessions == -1)
416 		options->max_sessions = DEFAULT_SESSIONS_MAX;
417 	if (options->use_dns == -1)
418 		options->use_dns = 1;
419 	if (options->client_alive_interval == -1)
420 		options->client_alive_interval = 0;
421 	if (options->client_alive_count_max == -1)
422 		options->client_alive_count_max = 3;
423 	if (options->num_authkeys_files == 0) {
424 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
425 		    &options->authorized_keys_files,
426 		    &options->num_authkeys_files,
427 		    _PATH_SSH_USER_PERMITTED_KEYS);
428 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
429 		    &options->authorized_keys_files,
430 		    &options->num_authkeys_files,
431 		    _PATH_SSH_USER_PERMITTED_KEYS2);
432 	}
433 	if (options->permit_tun == -1)
434 		options->permit_tun = SSH_TUNMODE_NO;
435 	if (options->ip_qos_interactive == -1)
436 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
437 	if (options->ip_qos_bulk == -1)
438 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
439 	if (options->version_addendum == NULL)
440 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
441 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
442 		options->fwd_opts.streamlocal_bind_mask = 0177;
443 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
444 		options->fwd_opts.streamlocal_bind_unlink = 0;
445 	if (options->fingerprint_hash == -1)
446 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
447 	if (options->disable_forwarding == -1)
448 		options->disable_forwarding = 0;
449 	if (options->expose_userauth_info == -1)
450 		options->expose_userauth_info = 0;
451 	if (options->sk_provider == NULL)
452 		options->sk_provider = xstrdup("internal");
453 	if (options->use_blacklist == -1)
454 		options->use_blacklist = 0;
455 
456 	assemble_algorithms(options);
457 
458 	/* Turn privilege separation and sandboxing on by default */
459 	if (use_privsep == -1)
460 		use_privsep = PRIVSEP_ON;
461 
462 #define CLEAR_ON_NONE(v) \
463 	do { \
464 		if (option_clear_or_none(v)) { \
465 			free(v); \
466 			v = NULL; \
467 		} \
468 	} while(0)
469 	CLEAR_ON_NONE(options->pid_file);
470 	CLEAR_ON_NONE(options->xauth_location);
471 	CLEAR_ON_NONE(options->banner);
472 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
473 	CLEAR_ON_NONE(options->revoked_keys_file);
474 	CLEAR_ON_NONE(options->sk_provider);
475 	CLEAR_ON_NONE(options->authorized_principals_file);
476 	CLEAR_ON_NONE(options->adm_forced_command);
477 	CLEAR_ON_NONE(options->chroot_directory);
478 	CLEAR_ON_NONE(options->routing_domain);
479 	CLEAR_ON_NONE(options->host_key_agent);
480 	for (i = 0; i < options->num_host_key_files; i++)
481 		CLEAR_ON_NONE(options->host_key_files[i]);
482 	for (i = 0; i < options->num_host_cert_files; i++)
483 		CLEAR_ON_NONE(options->host_cert_files[i]);
484 #undef CLEAR_ON_NONE
485 
486 	/* Similar handling for AuthenticationMethods=any */
487 	if (options->num_auth_methods == 1 &&
488 	    strcmp(options->auth_methods[0], "any") == 0) {
489 		free(options->auth_methods[0]);
490 		options->auth_methods[0] = NULL;
491 		options->num_auth_methods = 0;
492 	}
493 }
494 
495 /* Keyword tokens. */
496 typedef enum {
497 	sBadOption,		/* == unknown option */
498 	/* Portable-specific options */
499 	sUsePAM,
500 	/* Standard Options */
501 	sPort, sHostKeyFile, sLoginGraceTime,
502 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
503 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
504 	sKerberosGetAFSToken, sPasswordAuthentication,
505 	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
506 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
507 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
508 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
509 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
510 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
511 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
512 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
513 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
514 	sBanner, sUseDNS, sHostbasedAuthentication,
515 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
516 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
517 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
518 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
519 	sAcceptEnv, sSetEnv, sPermitTunnel,
520 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
521 	sUsePrivilegeSeparation, sAllowAgentForwarding,
522 	sHostCertificate, sInclude,
523 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
524 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
525 	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
526 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
527 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
528 	sStreamLocalBindMask, sStreamLocalBindUnlink,
529 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
530 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
531 	sUseBlacklist,
532 	sDeprecated, sIgnore, sUnsupported
533 } ServerOpCodes;
534 
535 #define SSHCFG_GLOBAL		0x01	/* allowed in main section of config */
536 #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
537 #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
538 #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
539 #define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
540 
541 /* Textual representation of the tokens. */
542 static struct {
543 	const char *name;
544 	ServerOpCodes opcode;
545 	u_int flags;
546 } keywords[] = {
547 	/* Portable-specific options */
548 #ifdef USE_PAM
549 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
550 #else
551 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
552 #endif
553 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
554 	/* Standard Options */
555 	{ "port", sPort, SSHCFG_GLOBAL },
556 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
557 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
558 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
559 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
560 	{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
561 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
562 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
563 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
564 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
565 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
566 	{ "loglevel", sLogLevel, SSHCFG_ALL },
567 	{ "logverbose", sLogVerbose, SSHCFG_ALL },
568 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
569 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
570 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
571 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
572 	{ "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
573 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
574 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
575 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
576 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
577 	{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
578 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
579 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
580 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
581 #ifdef KRB5
582 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
583 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
584 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
585 #ifdef USE_AFS
586 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
587 #else
588 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
589 #endif
590 #else
591 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
592 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
593 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
594 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
595 #endif
596 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
597 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
598 #ifdef GSSAPI
599 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
600 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
601 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
602 #else
603 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
604 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
605 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
606 #endif
607 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
608 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
609 	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
610 	{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
611 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
612 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
613 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
614 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
615 #ifdef DISABLE_LASTLOG
616 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
617 #else
618 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
619 #endif
620 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
621 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
622 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
623 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
624 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
625 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
626 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
627 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
628 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
629 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
630 	{ "compression", sCompression, SSHCFG_GLOBAL },
631 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
632 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
633 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
634 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
635 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
636 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
637 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
638 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
639 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
640 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
641 	{ "macs", sMacs, SSHCFG_GLOBAL },
642 	{ "protocol", sIgnore, SSHCFG_GLOBAL },
643 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
644 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
645 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
646 	{ "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
647 	{ "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
648 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
649 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
650 	{ "banner", sBanner, SSHCFG_ALL },
651 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
652 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
653 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
654 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
655 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
656 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
657 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
658 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
659 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
660 	{ "setenv", sSetEnv, SSHCFG_ALL },
661 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
662 	{ "permittty", sPermitTTY, SSHCFG_ALL },
663 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
664 	{ "match", sMatch, SSHCFG_ALL },
665 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
666 	{ "permitlisten", sPermitListen, SSHCFG_ALL },
667 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
668 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
669 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
670 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
671 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
672 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
673 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
674 	{ "include", sInclude, SSHCFG_ALL },
675 	{ "ipqos", sIPQoS, SSHCFG_ALL },
676 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
677 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
678 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
679 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
680 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
681 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
682 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
683 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
684 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
685 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
686 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
687 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
688 	{ "rdomain", sRDomain, SSHCFG_ALL },
689 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
690 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
691 	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
692 	{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
693 	{ "noneenabled", sUnsupported, SSHCFG_ALL },
694 	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
695 	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
696 	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
697 	{ NULL, sBadOption, 0 }
698 };
699 
700 static struct {
701 	int val;
702 	char *text;
703 } tunmode_desc[] = {
704 	{ SSH_TUNMODE_NO, "no" },
705 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
706 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
707 	{ SSH_TUNMODE_YES, "yes" },
708 	{ -1, NULL }
709 };
710 
711 /* Returns an opcode name from its number */
712 
713 static const char *
714 lookup_opcode_name(ServerOpCodes code)
715 {
716 	u_int i;
717 
718 	for (i = 0; keywords[i].name != NULL; i++)
719 		if (keywords[i].opcode == code)
720 			return(keywords[i].name);
721 	return "UNKNOWN";
722 }
723 
724 
725 /*
726  * Returns the number of the token pointed to by cp or sBadOption.
727  */
728 
729 static ServerOpCodes
730 parse_token(const char *cp, const char *filename,
731 	    int linenum, u_int *flags)
732 {
733 	u_int i;
734 
735 	for (i = 0; keywords[i].name; i++)
736 		if (strcasecmp(cp, keywords[i].name) == 0) {
737 			*flags = keywords[i].flags;
738 			return keywords[i].opcode;
739 		}
740 
741 	error("%s: line %d: Bad configuration option: %s",
742 	    filename, linenum, cp);
743 	return sBadOption;
744 }
745 
746 char *
747 derelativise_path(const char *path)
748 {
749 	char *expanded, *ret, cwd[PATH_MAX];
750 
751 	if (strcasecmp(path, "none") == 0)
752 		return xstrdup("none");
753 	expanded = tilde_expand_filename(path, getuid());
754 	if (path_absolute(expanded))
755 		return expanded;
756 	if (getcwd(cwd, sizeof(cwd)) == NULL)
757 		fatal_f("getcwd: %s", strerror(errno));
758 	xasprintf(&ret, "%s/%s", cwd, expanded);
759 	free(expanded);
760 	return ret;
761 }
762 
763 static void
764 add_listen_addr(ServerOptions *options, const char *addr,
765     const char *rdomain, int port)
766 {
767 	u_int i;
768 
769 	if (port > 0)
770 		add_one_listen_addr(options, addr, rdomain, port);
771 	else {
772 		for (i = 0; i < options->num_ports; i++) {
773 			add_one_listen_addr(options, addr, rdomain,
774 			    options->ports[i]);
775 		}
776 	}
777 }
778 
779 static void
780 add_one_listen_addr(ServerOptions *options, const char *addr,
781     const char *rdomain, int port)
782 {
783 	struct addrinfo hints, *ai, *aitop;
784 	char strport[NI_MAXSERV];
785 	int gaierr;
786 	u_int i;
787 
788 	/* Find listen_addrs entry for this rdomain */
789 	for (i = 0; i < options->num_listen_addrs; i++) {
790 		if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
791 			break;
792 		if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
793 			continue;
794 		if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
795 			break;
796 	}
797 	if (i >= options->num_listen_addrs) {
798 		/* No entry for this rdomain; allocate one */
799 		if (i >= INT_MAX)
800 			fatal_f("too many listen addresses");
801 		options->listen_addrs = xrecallocarray(options->listen_addrs,
802 		    options->num_listen_addrs, options->num_listen_addrs + 1,
803 		    sizeof(*options->listen_addrs));
804 		i = options->num_listen_addrs++;
805 		if (rdomain != NULL)
806 			options->listen_addrs[i].rdomain = xstrdup(rdomain);
807 	}
808 	/* options->listen_addrs[i] points to the addresses for this rdomain */
809 
810 	memset(&hints, 0, sizeof(hints));
811 	hints.ai_family = options->address_family;
812 	hints.ai_socktype = SOCK_STREAM;
813 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
814 	snprintf(strport, sizeof strport, "%d", port);
815 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
816 		fatal("bad addr or host: %s (%s)",
817 		    addr ? addr : "<NULL>",
818 		    ssh_gai_strerror(gaierr));
819 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
820 		;
821 	ai->ai_next = options->listen_addrs[i].addrs;
822 	options->listen_addrs[i].addrs = aitop;
823 }
824 
825 /* Returns nonzero if the routing domain name is valid */
826 static int
827 valid_rdomain(const char *name)
828 {
829 #if defined(HAVE_SYS_VALID_RDOMAIN)
830 	return sys_valid_rdomain(name);
831 #elif defined(__OpenBSD__)
832 	const char *errstr;
833 	long long num;
834 	struct rt_tableinfo info;
835 	int mib[6];
836 	size_t miblen = sizeof(mib);
837 
838 	if (name == NULL)
839 		return 1;
840 
841 	num = strtonum(name, 0, 255, &errstr);
842 	if (errstr != NULL)
843 		return 0;
844 
845 	/* Check whether the table actually exists */
846 	memset(mib, 0, sizeof(mib));
847 	mib[0] = CTL_NET;
848 	mib[1] = PF_ROUTE;
849 	mib[4] = NET_RT_TABLE;
850 	mib[5] = (int)num;
851 	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
852 		return 0;
853 
854 	return 1;
855 #else /* defined(__OpenBSD__) */
856 	error("Routing domains are not supported on this platform");
857 	return 0;
858 #endif
859 }
860 
861 /*
862  * Queue a ListenAddress to be processed once we have all of the Ports
863  * and AddressFamily options.
864  */
865 static void
866 queue_listen_addr(ServerOptions *options, const char *addr,
867     const char *rdomain, int port)
868 {
869 	struct queued_listenaddr *qla;
870 
871 	options->queued_listen_addrs = xrecallocarray(
872 	    options->queued_listen_addrs,
873 	    options->num_queued_listens, options->num_queued_listens + 1,
874 	    sizeof(*options->queued_listen_addrs));
875 	qla = &options->queued_listen_addrs[options->num_queued_listens++];
876 	qla->addr = xstrdup(addr);
877 	qla->port = port;
878 	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
879 }
880 
881 /*
882  * Process queued (text) ListenAddress entries.
883  */
884 static void
885 process_queued_listen_addrs(ServerOptions *options)
886 {
887 	u_int i;
888 	struct queued_listenaddr *qla;
889 
890 	if (options->num_ports == 0)
891 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
892 	if (options->address_family == -1)
893 		options->address_family = AF_UNSPEC;
894 
895 	for (i = 0; i < options->num_queued_listens; i++) {
896 		qla = &options->queued_listen_addrs[i];
897 		add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
898 		free(qla->addr);
899 		free(qla->rdomain);
900 	}
901 	free(options->queued_listen_addrs);
902 	options->queued_listen_addrs = NULL;
903 	options->num_queued_listens = 0;
904 }
905 
906 /*
907  * Inform channels layer of permitopen options for a single forwarding
908  * direction (local/remote).
909  */
910 static void
911 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
912     char **opens, u_int num_opens)
913 {
914 	u_int i;
915 	int port;
916 	char *host, *arg, *oarg, ch;
917 	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
918 	const char *what = lookup_opcode_name(opcode);
919 
920 	channel_clear_permission(ssh, FORWARD_ADM, where);
921 	if (num_opens == 0)
922 		return; /* permit any */
923 
924 	/* handle keywords: "any" / "none" */
925 	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
926 		return;
927 	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
928 		channel_disable_admin(ssh, where);
929 		return;
930 	}
931 	/* Otherwise treat it as a list of permitted host:port */
932 	for (i = 0; i < num_opens; i++) {
933 		oarg = arg = xstrdup(opens[i]);
934 		ch = '\0';
935 		host = hpdelim2(&arg, &ch);
936 		if (host == NULL || ch == '/')
937 			fatal_f("missing host in %s", what);
938 		host = cleanhostname(host);
939 		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
940 			fatal_f("bad port number in %s", what);
941 		/* Send it to channels layer */
942 		channel_add_permission(ssh, FORWARD_ADM,
943 		    where, host, port);
944 		free(oarg);
945 	}
946 }
947 
948 /*
949  * Inform channels layer of permitopen options from configuration.
950  */
951 void
952 process_permitopen(struct ssh *ssh, ServerOptions *options)
953 {
954 	process_permitopen_list(ssh, sPermitOpen,
955 	    options->permitted_opens, options->num_permitted_opens);
956 	process_permitopen_list(ssh, sPermitListen,
957 	    options->permitted_listens,
958 	    options->num_permitted_listens);
959 }
960 
961 struct connection_info *
962 get_connection_info(struct ssh *ssh, int populate, int use_dns)
963 {
964 	static struct connection_info ci;
965 
966 	if (ssh == NULL || !populate)
967 		return &ci;
968 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
969 	ci.address = ssh_remote_ipaddr(ssh);
970 	ci.laddress = ssh_local_ipaddr(ssh);
971 	ci.lport = ssh_local_port(ssh);
972 	ci.rdomain = ssh_packet_rdomain_in(ssh);
973 	return &ci;
974 }
975 
976 /*
977  * The strategy for the Match blocks is that the config file is parsed twice.
978  *
979  * The first time is at startup.  activep is initialized to 1 and the
980  * directives in the global context are processed and acted on.  Hitting a
981  * Match directive unsets activep and the directives inside the block are
982  * checked for syntax only.
983  *
984  * The second time is after a connection has been established but before
985  * authentication.  activep is initialized to 2 and global config directives
986  * are ignored since they have already been processed.  If the criteria in a
987  * Match block is met, activep is set and the subsequent directives
988  * processed and actioned until EOF or another Match block unsets it.  Any
989  * options set are copied into the main server config.
990  *
991  * Potential additions/improvements:
992  *  - Add Match support for pre-kex directives, eg. Ciphers.
993  *
994  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
995  *	Match Address 192.168.0.*
996  *		Tag trusted
997  *	Match Group wheel
998  *		Tag trusted
999  *	Match Tag trusted
1000  *		AllowTcpForwarding yes
1001  *		GatewayPorts clientspecified
1002  *		[...]
1003  *
1004  *  - Add a PermittedChannelRequests directive
1005  *	Match Group shell
1006  *		PermittedChannelRequests session,forwarded-tcpip
1007  */
1008 
1009 static int
1010 match_cfg_line_group(const char *grps, int line, const char *user)
1011 {
1012 	int result = 0;
1013 	struct passwd *pw;
1014 
1015 	if (user == NULL)
1016 		goto out;
1017 
1018 	if ((pw = getpwnam(user)) == NULL) {
1019 		debug("Can't match group at line %d because user %.100s does "
1020 		    "not exist", line, user);
1021 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1022 		debug("Can't Match group because user %.100s not in any group "
1023 		    "at line %d", user, line);
1024 	} else if (ga_match_pattern_list(grps) != 1) {
1025 		debug("user %.100s does not match group list %.100s at line %d",
1026 		    user, grps, line);
1027 	} else {
1028 		debug("user %.100s matched group list %.100s at line %d", user,
1029 		    grps, line);
1030 		result = 1;
1031 	}
1032 out:
1033 	ga_free();
1034 	return result;
1035 }
1036 
1037 static void
1038 match_test_missing_fatal(const char *criteria, const char *attrib)
1039 {
1040 	fatal("'Match %s' in configuration but '%s' not in connection "
1041 	    "test specification.", criteria, attrib);
1042 }
1043 
1044 /*
1045  * All of the attributes on a single Match line are ANDed together, so we need
1046  * to check every attribute and set the result to zero if any attribute does
1047  * not match.
1048  */
1049 static int
1050 match_cfg_line(char **condition, int line, struct connection_info *ci)
1051 {
1052 	int result = 1, attributes = 0, port;
1053 	char *arg, *attrib, *cp = *condition;
1054 
1055 	if (ci == NULL)
1056 		debug3("checking syntax for 'Match %s'", cp);
1057 	else
1058 		debug3("checking match for '%s' user %s host %s addr %s "
1059 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1060 		    ci->host ? ci->host : "(null)",
1061 		    ci->address ? ci->address : "(null)",
1062 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
1063 
1064 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1065 		/* Terminate on comment */
1066 		if (*attrib == '#') {
1067 			cp = NULL; /* mark all arguments consumed */
1068 			break;
1069 		}
1070 		arg = NULL;
1071 		attributes++;
1072 		/* Criterion "all" has no argument and must appear alone */
1073 		if (strcasecmp(attrib, "all") == 0) {
1074 			if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
1075 			    *arg != '\0' && *arg != '#')) {
1076 				error("'all' cannot be combined with other "
1077 				    "Match attributes");
1078 				return -1;
1079 			}
1080 			if (arg != NULL && *arg == '#')
1081 				cp = NULL; /* mark all arguments consumed */
1082 			*condition = cp;
1083 			return 1;
1084 		}
1085 		/* All other criteria require an argument */
1086 		if ((arg = strdelim(&cp)) == NULL ||
1087 		    *arg == '\0' || *arg == '#') {
1088 			error("Missing Match criteria for %s", attrib);
1089 			return -1;
1090 		}
1091 		if (strcasecmp(attrib, "user") == 0) {
1092 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1093 				result = 0;
1094 				continue;
1095 			}
1096 			if (ci->user == NULL)
1097 				match_test_missing_fatal("User", "user");
1098 			if (match_usergroup_pattern_list(ci->user, arg) != 1)
1099 				result = 0;
1100 			else
1101 				debug("user %.100s matched 'User %.100s' at "
1102 				    "line %d", ci->user, arg, line);
1103 		} else if (strcasecmp(attrib, "group") == 0) {
1104 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1105 				result = 0;
1106 				continue;
1107 			}
1108 			if (ci->user == NULL)
1109 				match_test_missing_fatal("Group", "user");
1110 			switch (match_cfg_line_group(arg, line, ci->user)) {
1111 			case -1:
1112 				return -1;
1113 			case 0:
1114 				result = 0;
1115 			}
1116 		} else if (strcasecmp(attrib, "host") == 0) {
1117 			if (ci == NULL || (ci->test && ci->host == NULL)) {
1118 				result = 0;
1119 				continue;
1120 			}
1121 			if (ci->host == NULL)
1122 				match_test_missing_fatal("Host", "host");
1123 			if (match_hostname(ci->host, arg) != 1)
1124 				result = 0;
1125 			else
1126 				debug("connection from %.100s matched 'Host "
1127 				    "%.100s' at line %d", ci->host, arg, line);
1128 		} else if (strcasecmp(attrib, "address") == 0) {
1129 			if (ci == NULL || (ci->test && ci->address == NULL)) {
1130 				if (addr_match_list(NULL, arg) != 0)
1131 					fatal("Invalid Match address argument "
1132 					    "'%s' at line %d", arg, line);
1133 				result = 0;
1134 				continue;
1135 			}
1136 			if (ci->address == NULL)
1137 				match_test_missing_fatal("Address", "addr");
1138 			switch (addr_match_list(ci->address, arg)) {
1139 			case 1:
1140 				debug("connection from %.100s matched 'Address "
1141 				    "%.100s' at line %d", ci->address, arg, line);
1142 				break;
1143 			case 0:
1144 			case -1:
1145 				result = 0;
1146 				break;
1147 			case -2:
1148 				return -1;
1149 			}
1150 		} else if (strcasecmp(attrib, "localaddress") == 0){
1151 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1152 				if (addr_match_list(NULL, arg) != 0)
1153 					fatal("Invalid Match localaddress "
1154 					    "argument '%s' at line %d", arg,
1155 					    line);
1156 				result = 0;
1157 				continue;
1158 			}
1159 			if (ci->laddress == NULL)
1160 				match_test_missing_fatal("LocalAddress",
1161 				    "laddr");
1162 			switch (addr_match_list(ci->laddress, arg)) {
1163 			case 1:
1164 				debug("connection from %.100s matched "
1165 				    "'LocalAddress %.100s' at line %d",
1166 				    ci->laddress, arg, line);
1167 				break;
1168 			case 0:
1169 			case -1:
1170 				result = 0;
1171 				break;
1172 			case -2:
1173 				return -1;
1174 			}
1175 		} else if (strcasecmp(attrib, "localport") == 0) {
1176 			if ((port = a2port(arg)) == -1) {
1177 				error("Invalid LocalPort '%s' on Match line",
1178 				    arg);
1179 				return -1;
1180 			}
1181 			if (ci == NULL || (ci->test && ci->lport == -1)) {
1182 				result = 0;
1183 				continue;
1184 			}
1185 			if (ci->lport == 0)
1186 				match_test_missing_fatal("LocalPort", "lport");
1187 			/* TODO support port lists */
1188 			if (port == ci->lport)
1189 				debug("connection from %.100s matched "
1190 				    "'LocalPort %d' at line %d",
1191 				    ci->laddress, port, line);
1192 			else
1193 				result = 0;
1194 		} else if (strcasecmp(attrib, "rdomain") == 0) {
1195 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1196 				result = 0;
1197 				continue;
1198 			}
1199 			if (ci->rdomain == NULL)
1200 				match_test_missing_fatal("RDomain", "rdomain");
1201 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1202 				result = 0;
1203 			else
1204 				debug("user %.100s matched 'RDomain %.100s' at "
1205 				    "line %d", ci->rdomain, arg, line);
1206 		} else {
1207 			error("Unsupported Match attribute %s", attrib);
1208 			return -1;
1209 		}
1210 	}
1211 	if (attributes == 0) {
1212 		error("One or more attributes required for Match");
1213 		return -1;
1214 	}
1215 	if (ci != NULL)
1216 		debug3("match %sfound", result ? "" : "not ");
1217 	*condition = cp;
1218 	return result;
1219 }
1220 
1221 #define WHITESPACE " \t\r\n"
1222 
1223 /* Multistate option parsing */
1224 struct multistate {
1225 	char *key;
1226 	int value;
1227 };
1228 static const struct multistate multistate_flag[] = {
1229 	{ "yes",			1 },
1230 	{ "no",				0 },
1231 	{ NULL, -1 }
1232 };
1233 static const struct multistate multistate_ignore_rhosts[] = {
1234 	{ "yes",			IGNORE_RHOSTS_YES },
1235 	{ "no",				IGNORE_RHOSTS_NO },
1236 	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1237 	{ NULL, -1 }
1238 };
1239 static const struct multistate multistate_addressfamily[] = {
1240 	{ "inet",			AF_INET },
1241 	{ "inet6",			AF_INET6 },
1242 	{ "any",			AF_UNSPEC },
1243 	{ NULL, -1 }
1244 };
1245 static const struct multistate multistate_permitrootlogin[] = {
1246 	{ "without-password",		PERMIT_NO_PASSWD },
1247 	{ "prohibit-password",		PERMIT_NO_PASSWD },
1248 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
1249 	{ "yes",			PERMIT_YES },
1250 	{ "no",				PERMIT_NO },
1251 	{ NULL, -1 }
1252 };
1253 static const struct multistate multistate_compression[] = {
1254 #ifdef WITH_ZLIB
1255 	{ "yes",			COMP_DELAYED },
1256 	{ "delayed",			COMP_DELAYED },
1257 #endif
1258 	{ "no",				COMP_NONE },
1259 	{ NULL, -1 }
1260 };
1261 static const struct multistate multistate_gatewayports[] = {
1262 	{ "clientspecified",		2 },
1263 	{ "yes",			1 },
1264 	{ "no",				0 },
1265 	{ NULL, -1 }
1266 };
1267 static const struct multistate multistate_tcpfwd[] = {
1268 	{ "yes",			FORWARD_ALLOW },
1269 	{ "all",			FORWARD_ALLOW },
1270 	{ "no",				FORWARD_DENY },
1271 	{ "remote",			FORWARD_REMOTE },
1272 	{ "local",			FORWARD_LOCAL },
1273 	{ NULL, -1 }
1274 };
1275 
1276 static int
1277 process_server_config_line_depth(ServerOptions *options, char *line,
1278     const char *filename, int linenum, int *activep,
1279     struct connection_info *connectinfo, int *inc_flags, int depth,
1280     struct include_list *includes)
1281 {
1282 	char ch, *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
1283 	int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1284 	SyslogFacility *log_facility_ptr;
1285 	LogLevel *log_level_ptr;
1286 	ServerOpCodes opcode;
1287 	u_int i, *uintptr, uvalue, flags = 0;
1288 	size_t len;
1289 	long long val64;
1290 	const struct multistate *multistate_ptr;
1291 	const char *errstr;
1292 	struct include_item *item;
1293 	glob_t gbuf;
1294 	char **oav = NULL, **av;
1295 	int oac = 0, ac;
1296 	int ret = -1;
1297 
1298 	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1299 	if ((len = strlen(line)) == 0)
1300 		return 0;
1301 	for (len--; len > 0; len--) {
1302 		if (strchr(WHITESPACE "\f", line[len]) == NULL)
1303 			break;
1304 		line[len] = '\0';
1305 	}
1306 
1307 	str = line;
1308 	if ((keyword = strdelim(&str)) == NULL)
1309 		return 0;
1310 	/* Ignore leading whitespace */
1311 	if (*keyword == '\0')
1312 		keyword = strdelim(&str);
1313 	if (!keyword || !*keyword || *keyword == '#')
1314 		return 0;
1315 	if (str == NULL || *str == '\0') {
1316 		error("%s line %d: no argument after keyword \"%s\"",
1317 		    filename, linenum, keyword);
1318 		return -1;
1319 	}
1320 	intptr = NULL;
1321 	charptr = NULL;
1322 	opcode = parse_token(keyword, filename, linenum, &flags);
1323 
1324 	if (argv_split(str, &oac, &oav, 1) != 0) {
1325 		error("%s line %d: invalid quotes", filename, linenum);
1326 		return -1;
1327 	}
1328 	ac = oac;
1329 	av = oav;
1330 
1331 	if (activep == NULL) { /* We are processing a command line directive */
1332 		cmdline = 1;
1333 		activep = &cmdline;
1334 	}
1335 	if (*activep && opcode != sMatch && opcode != sInclude)
1336 		debug3("%s:%d setting %s %s", filename, linenum, keyword, str);
1337 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1338 		if (connectinfo == NULL) {
1339 			fatal("%s line %d: Directive '%s' is not allowed "
1340 			    "within a Match block", filename, linenum, keyword);
1341 		} else { /* this is a directive we have already processed */
1342 			ret = 0;
1343 			goto out;
1344 		}
1345 	}
1346 
1347 	switch (opcode) {
1348 	/* Portable-specific options */
1349 	case sUsePAM:
1350 		intptr = &options->use_pam;
1351 		goto parse_flag;
1352 
1353 	/* Standard Options */
1354 	case sBadOption:
1355 		goto out;
1356 	case sPort:
1357 		/* ignore ports from configfile if cmdline specifies ports */
1358 		if (options->ports_from_cmdline) {
1359 			argv_consume(&ac);
1360 			break;
1361 		}
1362 		if (options->num_ports >= MAX_PORTS)
1363 			fatal("%s line %d: too many ports.",
1364 			    filename, linenum);
1365 		arg = argv_next(&ac, &av);
1366 		if (!arg || *arg == '\0')
1367 			fatal("%s line %d: missing port number.",
1368 			    filename, linenum);
1369 		options->ports[options->num_ports++] = a2port(arg);
1370 		if (options->ports[options->num_ports-1] <= 0)
1371 			fatal("%s line %d: Badly formatted port number.",
1372 			    filename, linenum);
1373 		break;
1374 
1375 	case sLoginGraceTime:
1376 		intptr = &options->login_grace_time;
1377  parse_time:
1378 		arg = argv_next(&ac, &av);
1379 		if (!arg || *arg == '\0')
1380 			fatal("%s line %d: missing time value.",
1381 			    filename, linenum);
1382 		if ((value = convtime(arg)) == -1)
1383 			fatal("%s line %d: invalid time value.",
1384 			    filename, linenum);
1385 		if (*activep && *intptr == -1)
1386 			*intptr = value;
1387 		break;
1388 
1389 	case sListenAddress:
1390 		arg = argv_next(&ac, &av);
1391 		if (arg == NULL || *arg == '\0')
1392 			fatal("%s line %d: missing address",
1393 			    filename, linenum);
1394 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1395 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1396 		    && strchr(p+1, ':') != NULL) {
1397 			port = 0;
1398 			p = arg;
1399 		} else {
1400 			arg2 = NULL;
1401 			ch = '\0';
1402 			p = hpdelim2(&arg, &ch);
1403 			if (p == NULL || ch == '/')
1404 				fatal("%s line %d: bad address:port usage",
1405 				    filename, linenum);
1406 			p = cleanhostname(p);
1407 			if (arg == NULL)
1408 				port = 0;
1409 			else if ((port = a2port(arg)) <= 0)
1410 				fatal("%s line %d: bad port number",
1411 				    filename, linenum);
1412 		}
1413 		/* Optional routing table */
1414 		arg2 = NULL;
1415 		if ((arg = argv_next(&ac, &av)) != NULL) {
1416 			if (strcmp(arg, "rdomain") != 0 ||
1417 			    (arg2 = argv_next(&ac, &av)) == NULL)
1418 				fatal("%s line %d: bad ListenAddress syntax",
1419 				    filename, linenum);
1420 			if (!valid_rdomain(arg2))
1421 				fatal("%s line %d: bad routing domain",
1422 				    filename, linenum);
1423 		}
1424 		queue_listen_addr(options, p, arg2, port);
1425 
1426 		break;
1427 
1428 	case sAddressFamily:
1429 		intptr = &options->address_family;
1430 		multistate_ptr = multistate_addressfamily;
1431  parse_multistate:
1432 		arg = argv_next(&ac, &av);
1433 		if (!arg || *arg == '\0')
1434 			fatal("%s line %d: missing argument.",
1435 			    filename, linenum);
1436 		value = -1;
1437 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1438 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1439 				value = multistate_ptr[i].value;
1440 				break;
1441 			}
1442 		}
1443 		if (value == -1)
1444 			fatal("%s line %d: unsupported option \"%s\".",
1445 			    filename, linenum, arg);
1446 		if (*activep && *intptr == -1)
1447 			*intptr = value;
1448 		break;
1449 
1450 	case sHostKeyFile:
1451 		arg = argv_next(&ac, &av);
1452 		if (!arg || *arg == '\0')
1453 			fatal("%s line %d: missing file name.",
1454 			    filename, linenum);
1455 		if (*activep) {
1456 			servconf_add_hostkey(filename, linenum,
1457 			    options, arg, 1);
1458 		}
1459 		break;
1460 
1461 	case sHostKeyAgent:
1462 		charptr = &options->host_key_agent;
1463 		arg = argv_next(&ac, &av);
1464 		if (!arg || *arg == '\0')
1465 			fatal("%s line %d: missing socket name.",
1466 			    filename, linenum);
1467 		if (*activep && *charptr == NULL)
1468 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1469 			    xstrdup(arg) : derelativise_path(arg);
1470 		break;
1471 
1472 	case sHostCertificate:
1473 		arg = argv_next(&ac, &av);
1474 		if (!arg || *arg == '\0')
1475 			fatal("%s line %d: missing file name.",
1476 			    filename, linenum);
1477 		if (*activep)
1478 			servconf_add_hostcert(filename, linenum, options, arg);
1479 		break;
1480 
1481 	case sPidFile:
1482 		charptr = &options->pid_file;
1483  parse_filename:
1484 		arg = argv_next(&ac, &av);
1485 		if (!arg || *arg == '\0')
1486 			fatal("%s line %d: missing file name.",
1487 			    filename, linenum);
1488 		if (*activep && *charptr == NULL) {
1489 			*charptr = derelativise_path(arg);
1490 			/* increase optional counter */
1491 			if (intptr != NULL)
1492 				*intptr = *intptr + 1;
1493 		}
1494 		break;
1495 
1496 	case sModuliFile:
1497 		charptr = &options->moduli_file;
1498 		goto parse_filename;
1499 
1500 	case sPermitRootLogin:
1501 		intptr = &options->permit_root_login;
1502 		multistate_ptr = multistate_permitrootlogin;
1503 		goto parse_multistate;
1504 
1505 	case sIgnoreRhosts:
1506 		intptr = &options->ignore_rhosts;
1507 		multistate_ptr = multistate_ignore_rhosts;
1508 		goto parse_multistate;
1509 
1510 	case sIgnoreUserKnownHosts:
1511 		intptr = &options->ignore_user_known_hosts;
1512  parse_flag:
1513 		multistate_ptr = multistate_flag;
1514 		goto parse_multistate;
1515 
1516 	case sHostbasedAuthentication:
1517 		intptr = &options->hostbased_authentication;
1518 		goto parse_flag;
1519 
1520 	case sHostbasedUsesNameFromPacketOnly:
1521 		intptr = &options->hostbased_uses_name_from_packet_only;
1522 		goto parse_flag;
1523 
1524 	case sHostbasedAcceptedAlgorithms:
1525 		charptr = &options->hostbased_accepted_algos;
1526  parse_pubkey_algos:
1527 		arg = argv_next(&ac, &av);
1528 		if (!arg || *arg == '\0')
1529 			fatal("%s line %d: Missing argument.",
1530 			    filename, linenum);
1531 		if (*arg != '-' &&
1532 		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1533 		    arg + 1 : arg, 1))
1534 			fatal("%s line %d: Bad key types '%s'.",
1535 			    filename, linenum, arg ? arg : "<NONE>");
1536 		if (*activep && *charptr == NULL)
1537 			*charptr = xstrdup(arg);
1538 		break;
1539 
1540 	case sHostKeyAlgorithms:
1541 		charptr = &options->hostkeyalgorithms;
1542 		goto parse_pubkey_algos;
1543 
1544 	case sCASignatureAlgorithms:
1545 		charptr = &options->ca_sign_algorithms;
1546 		goto parse_pubkey_algos;
1547 
1548 	case sPubkeyAuthentication:
1549 		intptr = &options->pubkey_authentication;
1550 		goto parse_flag;
1551 
1552 	case sPubkeyAcceptedAlgorithms:
1553 		charptr = &options->pubkey_accepted_algos;
1554 		goto parse_pubkey_algos;
1555 
1556 	case sPubkeyAuthOptions:
1557 		intptr = &options->pubkey_auth_options;
1558 		value = 0;
1559 		while ((arg = argv_next(&ac, &av)) != NULL) {
1560 			if (strcasecmp(arg, "none") == 0)
1561 				continue;
1562 			if (strcasecmp(arg, "touch-required") == 0)
1563 				value |= PUBKEYAUTH_TOUCH_REQUIRED;
1564 			else if (strcasecmp(arg, "verify-required") == 0)
1565 				value |= PUBKEYAUTH_VERIFY_REQUIRED;
1566 			else {
1567 				error("%s line %d: unsupported %s option %s",
1568 				    filename, linenum, keyword, arg);
1569 				goto out;
1570 			}
1571 		}
1572 		if (*activep && *intptr == -1)
1573 			*intptr = value;
1574 		break;
1575 
1576 	case sKerberosAuthentication:
1577 		intptr = &options->kerberos_authentication;
1578 		goto parse_flag;
1579 
1580 	case sKerberosOrLocalPasswd:
1581 		intptr = &options->kerberos_or_local_passwd;
1582 		goto parse_flag;
1583 
1584 	case sKerberosTicketCleanup:
1585 		intptr = &options->kerberos_ticket_cleanup;
1586 		goto parse_flag;
1587 
1588 	case sKerberosGetAFSToken:
1589 		intptr = &options->kerberos_get_afs_token;
1590 		goto parse_flag;
1591 
1592 	case sGssAuthentication:
1593 		intptr = &options->gss_authentication;
1594 		goto parse_flag;
1595 
1596 	case sGssCleanupCreds:
1597 		intptr = &options->gss_cleanup_creds;
1598 		goto parse_flag;
1599 
1600 	case sGssStrictAcceptor:
1601 		intptr = &options->gss_strict_acceptor;
1602 		goto parse_flag;
1603 
1604 	case sPasswordAuthentication:
1605 		intptr = &options->password_authentication;
1606 		goto parse_flag;
1607 
1608 	case sKbdInteractiveAuthentication:
1609 		intptr = &options->kbd_interactive_authentication;
1610 		goto parse_flag;
1611 
1612 	case sPrintMotd:
1613 		intptr = &options->print_motd;
1614 		goto parse_flag;
1615 
1616 	case sPrintLastLog:
1617 		intptr = &options->print_lastlog;
1618 		goto parse_flag;
1619 
1620 	case sX11Forwarding:
1621 		intptr = &options->x11_forwarding;
1622 		goto parse_flag;
1623 
1624 	case sX11DisplayOffset:
1625 		intptr = &options->x11_display_offset;
1626  parse_int:
1627 		arg = argv_next(&ac, &av);
1628 		if ((errstr = atoi_err(arg, &value)) != NULL)
1629 			fatal("%s line %d: %s integer value %s.",
1630 			    filename, linenum, keyword, errstr);
1631 		if (*activep && *intptr == -1)
1632 			*intptr = value;
1633 		break;
1634 
1635 	case sX11UseLocalhost:
1636 		intptr = &options->x11_use_localhost;
1637 		goto parse_flag;
1638 
1639 	case sXAuthLocation:
1640 		charptr = &options->xauth_location;
1641 		goto parse_filename;
1642 
1643 	case sPermitTTY:
1644 		intptr = &options->permit_tty;
1645 		goto parse_flag;
1646 
1647 	case sPermitUserRC:
1648 		intptr = &options->permit_user_rc;
1649 		goto parse_flag;
1650 
1651 	case sStrictModes:
1652 		intptr = &options->strict_modes;
1653 		goto parse_flag;
1654 
1655 	case sTCPKeepAlive:
1656 		intptr = &options->tcp_keep_alive;
1657 		goto parse_flag;
1658 
1659 	case sEmptyPasswd:
1660 		intptr = &options->permit_empty_passwd;
1661 		goto parse_flag;
1662 
1663 	case sPermitUserEnvironment:
1664 		intptr = &options->permit_user_env;
1665 		charptr = &options->permit_user_env_allowlist;
1666 		arg = argv_next(&ac, &av);
1667 		if (!arg || *arg == '\0')
1668 			fatal("%s line %d: %s missing argument.",
1669 			    filename, linenum, keyword);
1670 		value = 0;
1671 		p = NULL;
1672 		if (strcmp(arg, "yes") == 0)
1673 			value = 1;
1674 		else if (strcmp(arg, "no") == 0)
1675 			value = 0;
1676 		else {
1677 			/* Pattern-list specified */
1678 			value = 1;
1679 			p = xstrdup(arg);
1680 		}
1681 		if (*activep && *intptr == -1) {
1682 			*intptr = value;
1683 			*charptr = p;
1684 			p = NULL;
1685 		}
1686 		free(p);
1687 		break;
1688 
1689 	case sCompression:
1690 		intptr = &options->compression;
1691 		multistate_ptr = multistate_compression;
1692 		goto parse_multistate;
1693 
1694 	case sRekeyLimit:
1695 		arg = argv_next(&ac, &av);
1696 		if (!arg || *arg == '\0')
1697 			fatal("%s line %d: %s missing argument.",
1698 			    filename, linenum, keyword);
1699 		if (strcmp(arg, "default") == 0) {
1700 			val64 = 0;
1701 		} else {
1702 			if (scan_scaled(arg, &val64) == -1)
1703 				fatal("%.200s line %d: Bad %s number '%s': %s",
1704 				    filename, linenum, keyword,
1705 				    arg, strerror(errno));
1706 			if (val64 != 0 && val64 < 16)
1707 				fatal("%.200s line %d: %s too small",
1708 				    filename, linenum, keyword);
1709 		}
1710 		if (*activep && options->rekey_limit == -1)
1711 			options->rekey_limit = val64;
1712 		if (ac != 0) { /* optional rekey interval present */
1713 			if (strcmp(av[0], "none") == 0) {
1714 				(void)argv_next(&ac, &av);	/* discard */
1715 				break;
1716 			}
1717 			intptr = &options->rekey_interval;
1718 			goto parse_time;
1719 		}
1720 		break;
1721 
1722 	case sGatewayPorts:
1723 		intptr = &options->fwd_opts.gateway_ports;
1724 		multistate_ptr = multistate_gatewayports;
1725 		goto parse_multistate;
1726 
1727 	case sUseDNS:
1728 		intptr = &options->use_dns;
1729 		goto parse_flag;
1730 
1731 	case sLogFacility:
1732 		log_facility_ptr = &options->log_facility;
1733 		arg = argv_next(&ac, &av);
1734 		value = log_facility_number(arg);
1735 		if (value == SYSLOG_FACILITY_NOT_SET)
1736 			fatal("%.200s line %d: unsupported log facility '%s'",
1737 			    filename, linenum, arg ? arg : "<NONE>");
1738 		if (*log_facility_ptr == -1)
1739 			*log_facility_ptr = (SyslogFacility) value;
1740 		break;
1741 
1742 	case sLogLevel:
1743 		log_level_ptr = &options->log_level;
1744 		arg = argv_next(&ac, &av);
1745 		value = log_level_number(arg);
1746 		if (value == SYSLOG_LEVEL_NOT_SET)
1747 			fatal("%.200s line %d: unsupported log level '%s'",
1748 			    filename, linenum, arg ? arg : "<NONE>");
1749 		if (*activep && *log_level_ptr == -1)
1750 			*log_level_ptr = (LogLevel) value;
1751 		break;
1752 
1753 	case sLogVerbose:
1754 		found = options->num_log_verbose == 0;
1755 		i = 0;
1756 		while ((arg = argv_next(&ac, &av)) != NULL) {
1757 			if (*arg == '\0') {
1758 				error("%s line %d: keyword %s empty argument",
1759 				    filename, linenum, keyword);
1760 				goto out;
1761 			}
1762 			/* Allow "none" only in first position */
1763 			if (strcasecmp(arg, "none") == 0) {
1764 				if (i > 0 || ac > 0) {
1765 					error("%s line %d: keyword %s \"none\" "
1766 					    "argument must appear alone.",
1767 					    filename, linenum, keyword);
1768 					goto out;
1769 				}
1770 			}
1771 			i++;
1772 			if (!found || !*activep)
1773 				continue;
1774 			opt_array_append(filename, linenum, keyword,
1775 			    &options->log_verbose, &options->num_log_verbose,
1776 			    arg);
1777 		}
1778 		break;
1779 
1780 	case sAllowTcpForwarding:
1781 		intptr = &options->allow_tcp_forwarding;
1782 		multistate_ptr = multistate_tcpfwd;
1783 		goto parse_multistate;
1784 
1785 	case sAllowStreamLocalForwarding:
1786 		intptr = &options->allow_streamlocal_forwarding;
1787 		multistate_ptr = multistate_tcpfwd;
1788 		goto parse_multistate;
1789 
1790 	case sAllowAgentForwarding:
1791 		intptr = &options->allow_agent_forwarding;
1792 		goto parse_flag;
1793 
1794 	case sDisableForwarding:
1795 		intptr = &options->disable_forwarding;
1796 		goto parse_flag;
1797 
1798 	case sAllowUsers:
1799 		chararrayptr = &options->allow_users;
1800 		uintptr = &options->num_allow_users;
1801  parse_allowdenyusers:
1802 		while ((arg = argv_next(&ac, &av)) != NULL) {
1803 			if (*arg == '\0' ||
1804 			    match_user(NULL, NULL, NULL, arg) == -1)
1805 				fatal("%s line %d: invalid %s pattern: \"%s\"",
1806 				    filename, linenum, keyword, arg);
1807 			if (!*activep)
1808 				continue;
1809 			opt_array_append(filename, linenum, keyword,
1810 			    chararrayptr, uintptr, arg);
1811 		}
1812 		break;
1813 
1814 	case sDenyUsers:
1815 		chararrayptr = &options->deny_users;
1816 		uintptr = &options->num_deny_users;
1817 		goto parse_allowdenyusers;
1818 
1819 	case sAllowGroups:
1820 		chararrayptr = &options->allow_groups;
1821 		uintptr = &options->num_allow_groups;
1822  parse_allowdenygroups:
1823 		while ((arg = argv_next(&ac, &av)) != NULL) {
1824 			if (*arg == '\0')
1825 				fatal("%s line %d: empty %s pattern",
1826 				    filename, linenum, keyword);
1827 			if (!*activep)
1828 				continue;
1829 			opt_array_append(filename, linenum, keyword,
1830 			    chararrayptr, uintptr, arg);
1831 		}
1832 		break;
1833 
1834 	case sDenyGroups:
1835 		chararrayptr = &options->deny_groups;
1836 		uintptr = &options->num_deny_groups;
1837 		goto parse_allowdenygroups;
1838 
1839 	case sCiphers:
1840 		arg = argv_next(&ac, &av);
1841 		if (!arg || *arg == '\0')
1842 			fatal("%s line %d: %s missing argument.",
1843 			    filename, linenum, keyword);
1844 		if (*arg != '-' &&
1845 		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1846 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1847 			    filename, linenum, arg ? arg : "<NONE>");
1848 		if (options->ciphers == NULL)
1849 			options->ciphers = xstrdup(arg);
1850 		break;
1851 
1852 	case sMacs:
1853 		arg = argv_next(&ac, &av);
1854 		if (!arg || *arg == '\0')
1855 			fatal("%s line %d: %s missing argument.",
1856 			    filename, linenum, keyword);
1857 		if (*arg != '-' &&
1858 		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1859 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1860 			    filename, linenum, arg ? arg : "<NONE>");
1861 		if (options->macs == NULL)
1862 			options->macs = xstrdup(arg);
1863 		break;
1864 
1865 	case sKexAlgorithms:
1866 		arg = argv_next(&ac, &av);
1867 		if (!arg || *arg == '\0')
1868 			fatal("%s line %d: %s missing argument.",
1869 			    filename, linenum, keyword);
1870 		if (*arg != '-' &&
1871 		    !kex_names_valid(*arg == '+' || *arg == '^' ?
1872 		    arg + 1 : arg))
1873 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1874 			    filename, linenum, arg ? arg : "<NONE>");
1875 		if (options->kex_algorithms == NULL)
1876 			options->kex_algorithms = xstrdup(arg);
1877 		break;
1878 
1879 	case sSubsystem:
1880 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1881 			fatal("%s line %d: too many subsystems defined.",
1882 			    filename, linenum);
1883 		}
1884 		arg = argv_next(&ac, &av);
1885 		if (!arg || *arg == '\0')
1886 			fatal("%s line %d: %s missing argument.",
1887 			    filename, linenum, keyword);
1888 		if (!*activep) {
1889 			arg = argv_next(&ac, &av);
1890 			break;
1891 		}
1892 		for (i = 0; i < options->num_subsystems; i++)
1893 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1894 				fatal("%s line %d: Subsystem '%s' "
1895 				    "already defined.", filename, linenum, arg);
1896 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1897 		arg = argv_next(&ac, &av);
1898 		if (!arg || *arg == '\0')
1899 			fatal("%s line %d: Missing subsystem command.",
1900 			    filename, linenum);
1901 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1902 
1903 		/* Collect arguments (separate to executable) */
1904 		p = xstrdup(arg);
1905 		len = strlen(p) + 1;
1906 		while ((arg = argv_next(&ac, &av)) != NULL) {
1907 			len += 1 + strlen(arg);
1908 			p = xreallocarray(p, 1, len);
1909 			strlcat(p, " ", len);
1910 			strlcat(p, arg, len);
1911 		}
1912 		options->subsystem_args[options->num_subsystems] = p;
1913 		options->num_subsystems++;
1914 		break;
1915 
1916 	case sMaxStartups:
1917 		arg = argv_next(&ac, &av);
1918 		if (!arg || *arg == '\0')
1919 			fatal("%s line %d: %s missing argument.",
1920 			    filename, linenum, keyword);
1921 		if ((n = sscanf(arg, "%d:%d:%d",
1922 		    &options->max_startups_begin,
1923 		    &options->max_startups_rate,
1924 		    &options->max_startups)) == 3) {
1925 			if (options->max_startups_begin >
1926 			    options->max_startups ||
1927 			    options->max_startups_rate > 100 ||
1928 			    options->max_startups_rate < 1)
1929 				fatal("%s line %d: Invalid %s spec.",
1930 				    filename, linenum, keyword);
1931 		} else if (n != 1)
1932 			fatal("%s line %d: Invalid %s spec.",
1933 			    filename, linenum, keyword);
1934 		else
1935 			options->max_startups = options->max_startups_begin;
1936 		break;
1937 
1938 	case sPerSourceNetBlockSize:
1939 		arg = argv_next(&ac, &av);
1940 		if (!arg || *arg == '\0')
1941 			fatal("%s line %d: %s missing argument.",
1942 			    filename, linenum, keyword);
1943 		switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
1944 		case 2:
1945 			if (value2 < 0 || value2 > 128)
1946 				n = -1;
1947 			/* FALLTHROUGH */
1948 		case 1:
1949 			if (value < 0 || value > 32)
1950 				n = -1;
1951 		}
1952 		if (n != 1 && n != 2)
1953 			fatal("%s line %d: Invalid %s spec.",
1954 			    filename, linenum, keyword);
1955 		if (*activep) {
1956 			options->per_source_masklen_ipv4 = value;
1957 			options->per_source_masklen_ipv6 = value2;
1958 		}
1959 		break;
1960 
1961 	case sPerSourceMaxStartups:
1962 		arg = argv_next(&ac, &av);
1963 		if (!arg || *arg == '\0')
1964 			fatal("%s line %d: %s missing argument.",
1965 			    filename, linenum, keyword);
1966 		if (strcmp(arg, "none") == 0) { /* no limit */
1967 			value = INT_MAX;
1968 		} else {
1969 			if ((errstr = atoi_err(arg, &value)) != NULL)
1970 				fatal("%s line %d: %s integer value %s.",
1971 				    filename, linenum, keyword, errstr);
1972 		}
1973 		if (*activep)
1974 			options->per_source_max_startups = value;
1975 		break;
1976 
1977 	case sMaxAuthTries:
1978 		intptr = &options->max_authtries;
1979 		goto parse_int;
1980 
1981 	case sMaxSessions:
1982 		intptr = &options->max_sessions;
1983 		goto parse_int;
1984 
1985 	case sBanner:
1986 		charptr = &options->banner;
1987 		goto parse_filename;
1988 
1989 	/*
1990 	 * These options can contain %X options expanded at
1991 	 * connect time, so that you can specify paths like:
1992 	 *
1993 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1994 	 */
1995 	case sAuthorizedKeysFile:
1996 		uvalue = options->num_authkeys_files;
1997 		while ((arg = argv_next(&ac, &av)) != NULL) {
1998 			if (*arg == '\0') {
1999 				error("%s line %d: keyword %s empty argument",
2000 				    filename, linenum, keyword);
2001 				goto out;
2002 			}
2003 			arg2 = tilde_expand_filename(arg, getuid());
2004 			if (*activep && uvalue == 0) {
2005 				opt_array_append(filename, linenum, keyword,
2006 				    &options->authorized_keys_files,
2007 				    &options->num_authkeys_files, arg2);
2008 			}
2009 			free(arg2);
2010 		}
2011 		break;
2012 
2013 	case sAuthorizedPrincipalsFile:
2014 		charptr = &options->authorized_principals_file;
2015 		arg = argv_next(&ac, &av);
2016 		if (!arg || *arg == '\0')
2017 			fatal("%s line %d: %s missing argument.",
2018 			    filename, linenum, keyword);
2019 		if (*activep && *charptr == NULL) {
2020 			*charptr = tilde_expand_filename(arg, getuid());
2021 			/* increase optional counter */
2022 			if (intptr != NULL)
2023 				*intptr = *intptr + 1;
2024 		}
2025 		break;
2026 
2027 	case sClientAliveInterval:
2028 		intptr = &options->client_alive_interval;
2029 		goto parse_time;
2030 
2031 	case sClientAliveCountMax:
2032 		intptr = &options->client_alive_count_max;
2033 		goto parse_int;
2034 
2035 	case sAcceptEnv:
2036 		while ((arg = argv_next(&ac, &av)) != NULL) {
2037 			if (*arg == '\0' || strchr(arg, '=') != NULL)
2038 				fatal("%s line %d: Invalid environment name.",
2039 				    filename, linenum);
2040 			if (!*activep)
2041 				continue;
2042 			opt_array_append(filename, linenum, keyword,
2043 			    &options->accept_env, &options->num_accept_env,
2044 			    arg);
2045 		}
2046 		break;
2047 
2048 	case sSetEnv:
2049 		uvalue = options->num_setenv;
2050 		while ((arg = argv_next(&ac, &av)) != NULL) {
2051 			if (*arg == '\0' || strchr(arg, '=') == NULL)
2052 				fatal("%s line %d: Invalid environment.",
2053 				    filename, linenum);
2054 			if (!*activep || uvalue != 0)
2055 				continue;
2056 			opt_array_append(filename, linenum, keyword,
2057 			    &options->setenv, &options->num_setenv, arg);
2058 		}
2059 		break;
2060 
2061 	case sPermitTunnel:
2062 		intptr = &options->permit_tun;
2063 		arg = argv_next(&ac, &av);
2064 		if (!arg || *arg == '\0')
2065 			fatal("%s line %d: %s missing argument.",
2066 			    filename, linenum, keyword);
2067 		value = -1;
2068 		for (i = 0; tunmode_desc[i].val != -1; i++)
2069 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
2070 				value = tunmode_desc[i].val;
2071 				break;
2072 			}
2073 		if (value == -1)
2074 			fatal("%s line %d: bad %s argument %s",
2075 			    filename, linenum, keyword, arg);
2076 		if (*activep && *intptr == -1)
2077 			*intptr = value;
2078 		break;
2079 
2080 	case sInclude:
2081 		if (cmdline) {
2082 			fatal("Include directive not supported as a "
2083 			    "command-line option");
2084 		}
2085 		value = 0;
2086 		while ((arg2 = argv_next(&ac, &av)) != NULL) {
2087 			if (*arg2 == '\0') {
2088 				error("%s line %d: keyword %s empty argument",
2089 				    filename, linenum, keyword);
2090 				goto out;
2091 			}
2092 			value++;
2093 			found = 0;
2094 			if (*arg2 != '/' && *arg2 != '~') {
2095 				xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2096 			} else
2097 				arg = xstrdup(arg2);
2098 
2099 			/*
2100 			 * Don't let included files clobber the containing
2101 			 * file's Match state.
2102 			 */
2103 			oactive = *activep;
2104 
2105 			/* consult cache of include files */
2106 			TAILQ_FOREACH(item, includes, entry) {
2107 				if (strcmp(item->selector, arg) != 0)
2108 					continue;
2109 				if (item->filename != NULL) {
2110 					parse_server_config_depth(options,
2111 					    item->filename, item->contents,
2112 					    includes, connectinfo,
2113 					    (*inc_flags & SSHCFG_MATCH_ONLY
2114 					        ? SSHCFG_MATCH_ONLY : (oactive
2115 					            ? 0 : SSHCFG_NEVERMATCH)),
2116 					    activep, depth + 1);
2117 				}
2118 				found = 1;
2119 				*activep = oactive;
2120 			}
2121 			if (found != 0) {
2122 				free(arg);
2123 				continue;
2124 			}
2125 
2126 			/* requested glob was not in cache */
2127 			debug2("%s line %d: new include %s",
2128 			    filename, linenum, arg);
2129 			if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2130 				if (r != GLOB_NOMATCH) {
2131 					fatal("%s line %d: include \"%s\" glob "
2132 					    "failed", filename, linenum, arg);
2133 				}
2134 				/*
2135 				 * If no entry matched then record a
2136 				 * placeholder to skip later glob calls.
2137 				 */
2138 				debug2("%s line %d: no match for %s",
2139 				    filename, linenum, arg);
2140 				item = xcalloc(1, sizeof(*item));
2141 				item->selector = strdup(arg);
2142 				TAILQ_INSERT_TAIL(includes,
2143 				    item, entry);
2144 			}
2145 			if (gbuf.gl_pathc > INT_MAX)
2146 				fatal_f("too many glob results");
2147 			for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2148 				debug2("%s line %d: including %s",
2149 				    filename, linenum, gbuf.gl_pathv[n]);
2150 				item = xcalloc(1, sizeof(*item));
2151 				item->selector = strdup(arg);
2152 				item->filename = strdup(gbuf.gl_pathv[n]);
2153 				if ((item->contents = sshbuf_new()) == NULL)
2154 					fatal_f("sshbuf_new failed");
2155 				load_server_config(item->filename,
2156 				    item->contents);
2157 				parse_server_config_depth(options,
2158 				    item->filename, item->contents,
2159 				    includes, connectinfo,
2160 				    (*inc_flags & SSHCFG_MATCH_ONLY
2161 				        ? SSHCFG_MATCH_ONLY : (oactive
2162 				            ? 0 : SSHCFG_NEVERMATCH)),
2163 				    activep, depth + 1);
2164 				*activep = oactive;
2165 				TAILQ_INSERT_TAIL(includes, item, entry);
2166 			}
2167 			globfree(&gbuf);
2168 			free(arg);
2169 		}
2170 		if (value == 0) {
2171 			fatal("%s line %d: %s missing filename argument",
2172 			    filename, linenum, keyword);
2173 		}
2174 		break;
2175 
2176 	case sMatch:
2177 		if (cmdline)
2178 			fatal("Match directive not supported as a command-line "
2179 			    "option");
2180 		value = match_cfg_line(&str, linenum,
2181 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2182 		if (value < 0)
2183 			fatal("%s line %d: Bad Match condition", filename,
2184 			    linenum);
2185 		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2186 		/*
2187 		 * The MATCH_ONLY flag is applicable only until the first
2188 		 * match block.
2189 		 */
2190 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2191 		/*
2192 		 * If match_cfg_line() didn't consume all its arguments then
2193 		 * arrange for the extra arguments check below to fail.
2194 		 */
2195 		if (str == NULL || *str == '\0')
2196 			argv_consume(&ac);
2197 		break;
2198 
2199 	case sPermitListen:
2200 	case sPermitOpen:
2201 		if (opcode == sPermitListen) {
2202 			uintptr = &options->num_permitted_listens;
2203 			chararrayptr = &options->permitted_listens;
2204 		} else {
2205 			uintptr = &options->num_permitted_opens;
2206 			chararrayptr = &options->permitted_opens;
2207 		}
2208 		arg = argv_next(&ac, &av);
2209 		if (!arg || *arg == '\0')
2210 			fatal("%s line %d: %s missing argument.",
2211 			    filename, linenum, keyword);
2212 		uvalue = *uintptr;	/* modified later */
2213 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2214 			if (*activep && uvalue == 0) {
2215 				*uintptr = 1;
2216 				*chararrayptr = xcalloc(1,
2217 				    sizeof(**chararrayptr));
2218 				(*chararrayptr)[0] = xstrdup(arg);
2219 			}
2220 			break;
2221 		}
2222 		for (; arg != NULL && *arg != '\0'; arg = argv_next(&ac, &av)) {
2223 			if (opcode == sPermitListen &&
2224 			    strchr(arg, ':') == NULL) {
2225 				/*
2226 				 * Allow bare port number for PermitListen
2227 				 * to indicate a wildcard listen host.
2228 				 */
2229 				xasprintf(&arg2, "*:%s", arg);
2230 			} else {
2231 				arg2 = xstrdup(arg);
2232 				ch = '\0';
2233 				p = hpdelim2(&arg, &ch);
2234 				if (p == NULL || ch == '/') {
2235 					fatal("%s line %d: %s missing host",
2236 					    filename, linenum, keyword);
2237 				}
2238 				p = cleanhostname(p);
2239 			}
2240 			if (arg == NULL ||
2241 			    ((port = permitopen_port(arg)) < 0)) {
2242 				fatal("%s line %d: %s bad port number",
2243 				    filename, linenum, keyword);
2244 			}
2245 			if (*activep && uvalue == 0) {
2246 				opt_array_append(filename, linenum, keyword,
2247 				    chararrayptr, uintptr, arg2);
2248 			}
2249 			free(arg2);
2250 		}
2251 		break;
2252 
2253 	case sForceCommand:
2254 		if (str == NULL || *str == '\0')
2255 			fatal("%s line %d: %s missing argument.",
2256 			    filename, linenum, keyword);
2257 		len = strspn(str, WHITESPACE);
2258 		if (*activep && options->adm_forced_command == NULL)
2259 			options->adm_forced_command = xstrdup(str + len);
2260 		argv_consume(&ac);
2261 		break;
2262 
2263 	case sChrootDirectory:
2264 		charptr = &options->chroot_directory;
2265 
2266 		arg = argv_next(&ac, &av);
2267 		if (!arg || *arg == '\0')
2268 			fatal("%s line %d: %s missing argument.",
2269 			    filename, linenum, keyword);
2270 		if (*activep && *charptr == NULL)
2271 			*charptr = xstrdup(arg);
2272 		break;
2273 
2274 	case sTrustedUserCAKeys:
2275 		charptr = &options->trusted_user_ca_keys;
2276 		goto parse_filename;
2277 
2278 	case sRevokedKeys:
2279 		charptr = &options->revoked_keys_file;
2280 		goto parse_filename;
2281 
2282 	case sSecurityKeyProvider:
2283 		charptr = &options->sk_provider;
2284 		arg = argv_next(&ac, &av);
2285 		if (!arg || *arg == '\0')
2286 			fatal("%s line %d: %s missing argument.",
2287 			    filename, linenum, keyword);
2288 		if (*activep && *charptr == NULL) {
2289 			*charptr = strcasecmp(arg, "internal") == 0 ?
2290 			    xstrdup(arg) : derelativise_path(arg);
2291 			/* increase optional counter */
2292 			if (intptr != NULL)
2293 				*intptr = *intptr + 1;
2294 		}
2295 		break;
2296 
2297 	case sIPQoS:
2298 		arg = argv_next(&ac, &av);
2299 		if (!arg || *arg == '\0')
2300 			fatal("%s line %d: %s missing argument.",
2301 			    filename, linenum, keyword);
2302 		if ((value = parse_ipqos(arg)) == -1)
2303 			fatal("%s line %d: Bad %s value: %s",
2304 			    filename, linenum, keyword, arg);
2305 		arg = argv_next(&ac, &av);
2306 		if (arg == NULL)
2307 			value2 = value;
2308 		else if ((value2 = parse_ipqos(arg)) == -1)
2309 			fatal("%s line %d: Bad %s value: %s",
2310 			    filename, linenum, keyword, arg);
2311 		if (*activep) {
2312 			options->ip_qos_interactive = value;
2313 			options->ip_qos_bulk = value2;
2314 		}
2315 		break;
2316 
2317 	case sVersionAddendum:
2318 		if (str == NULL || *str == '\0')
2319 			fatal("%s line %d: %s missing argument.",
2320 			    filename, linenum, keyword);
2321 		len = strspn(str, WHITESPACE);
2322 		if (strchr(str + len, '\r') != NULL) {
2323 			fatal("%.200s line %d: Invalid %s argument",
2324 			    filename, linenum, keyword);
2325 		}
2326 		if ((arg = strchr(line, '#')) != NULL) {
2327 			*arg = '\0';
2328 			rtrim(line);
2329 		}
2330 		if (*activep && options->version_addendum == NULL) {
2331 			if (strcasecmp(str + len, "none") == 0)
2332 				options->version_addendum = xstrdup("");
2333 			else
2334 				options->version_addendum = xstrdup(str + len);
2335 		}
2336 		argv_consume(&ac);
2337 		break;
2338 
2339 	case sAuthorizedKeysCommand:
2340 		charptr = &options->authorized_keys_command;
2341  parse_command:
2342 		len = strspn(str, WHITESPACE);
2343 		if (str[len] != '/' && strcasecmp(str + len, "none") != 0) {
2344 			fatal("%.200s line %d: %s must be an absolute path",
2345 			    filename, linenum, keyword);
2346 		}
2347 		if (*activep && options->authorized_keys_command == NULL)
2348 			*charptr = xstrdup(str + len);
2349 		argv_consume(&ac);
2350 		break;
2351 
2352 	case sAuthorizedKeysCommandUser:
2353 		charptr = &options->authorized_keys_command_user;
2354  parse_localuser:
2355 		arg = argv_next(&ac, &av);
2356 		if (!arg || *arg == '\0') {
2357 			fatal("%s line %d: missing %s argument.",
2358 			    filename, linenum, keyword);
2359 		}
2360 		if (*activep && *charptr == NULL)
2361 			*charptr = xstrdup(arg);
2362 		break;
2363 
2364 	case sAuthorizedPrincipalsCommand:
2365 		charptr = &options->authorized_principals_command;
2366 		goto parse_command;
2367 
2368 	case sAuthorizedPrincipalsCommandUser:
2369 		charptr = &options->authorized_principals_command_user;
2370 		goto parse_localuser;
2371 
2372 	case sAuthenticationMethods:
2373 		found = options->num_auth_methods == 0;
2374 		value = 0; /* seen "any" pseudo-method */
2375 		value2 = 0; /* successfully parsed any method */
2376 		while ((arg = argv_next(&ac, &av)) != NULL) {
2377 			if (strcmp(arg, "any") == 0) {
2378 				if (options->num_auth_methods > 0) {
2379 					fatal("%s line %d: \"any\" must "
2380 					    "appear alone in %s",
2381 					    filename, linenum, keyword);
2382 				}
2383 				value = 1;
2384 			} else if (value) {
2385 				fatal("%s line %d: \"any\" must appear "
2386 				    "alone in %s", filename, linenum, keyword);
2387 			} else if (auth2_methods_valid(arg, 0) != 0) {
2388 				fatal("%s line %d: invalid %s method list.",
2389 				    filename, linenum, keyword);
2390 			}
2391 			value2 = 1;
2392 			if (!found || !*activep)
2393 				continue;
2394 			opt_array_append(filename, linenum, keyword,
2395 			    &options->auth_methods,
2396 			    &options->num_auth_methods, arg);
2397 		}
2398 		if (value2 == 0) {
2399 			fatal("%s line %d: no %s specified",
2400 			    filename, linenum, keyword);
2401 		}
2402 		break;
2403 
2404 	case sStreamLocalBindMask:
2405 		arg = argv_next(&ac, &av);
2406 		if (!arg || *arg == '\0')
2407 			fatal("%s line %d: %s missing argument.",
2408 			    filename, linenum, keyword);
2409 		/* Parse mode in octal format */
2410 		value = strtol(arg, &p, 8);
2411 		if (arg == p || value < 0 || value > 0777)
2412 			fatal("%s line %d: Invalid %s.",
2413 			    filename, linenum, keyword);
2414 		if (*activep)
2415 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2416 		break;
2417 
2418 	case sStreamLocalBindUnlink:
2419 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
2420 		goto parse_flag;
2421 
2422 	case sFingerprintHash:
2423 		arg = argv_next(&ac, &av);
2424 		if (!arg || *arg == '\0')
2425 			fatal("%s line %d: %s missing argument.",
2426 			    filename, linenum, keyword);
2427 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
2428 			fatal("%.200s line %d: Invalid %s algorithm \"%s\".",
2429 			    filename, linenum, keyword, arg);
2430 		if (*activep)
2431 			options->fingerprint_hash = value;
2432 		break;
2433 
2434 	case sExposeAuthInfo:
2435 		intptr = &options->expose_userauth_info;
2436 		goto parse_flag;
2437 
2438 	case sRDomain:
2439 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2440 		fatal("%s line %d: setting RDomain not supported on this "
2441 		    "platform.", filename, linenum);
2442 #endif
2443 		charptr = &options->routing_domain;
2444 		arg = argv_next(&ac, &av);
2445 		if (!arg || *arg == '\0')
2446 			fatal("%s line %d: %s missing argument.",
2447 			    filename, linenum, keyword);
2448 		if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2449 		    !valid_rdomain(arg))
2450 			fatal("%s line %d: invalid routing domain",
2451 			    filename, linenum);
2452 		if (*activep && *charptr == NULL)
2453 			*charptr = xstrdup(arg);
2454 		break;
2455 
2456 	case sUseBlacklist:
2457 		intptr = &options->use_blacklist;
2458 		goto parse_flag;
2459 
2460 	case sDeprecated:
2461 	case sIgnore:
2462 	case sUnsupported:
2463 		do_log2(opcode == sIgnore ?
2464 		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2465 		    "%s line %d: %s option %s", filename, linenum,
2466 		    opcode == sUnsupported ? "Unsupported" : "Deprecated",
2467 		    keyword);
2468 		argv_consume(&ac);
2469 		break;
2470 
2471 	default:
2472 		fatal("%s line %d: Missing handler for opcode %s (%d)",
2473 		    filename, linenum, keyword, opcode);
2474 	}
2475 	/* Check that there is no garbage at end of line. */
2476 	if (ac > 0) {
2477 		error("%.200s line %d: keyword %s extra arguments "
2478 		    "at end of line", filename, linenum, keyword);
2479 		goto out;
2480 	}
2481 
2482 	/* success */
2483 	ret = 0;
2484  out:
2485 	argv_free(oav, oac);
2486 	return ret;
2487 }
2488 
2489 int
2490 process_server_config_line(ServerOptions *options, char *line,
2491     const char *filename, int linenum, int *activep,
2492     struct connection_info *connectinfo, struct include_list *includes)
2493 {
2494 	int inc_flags = 0;
2495 
2496 	return process_server_config_line_depth(options, line, filename,
2497 	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2498 }
2499 
2500 
2501 /* Reads the server configuration file. */
2502 
2503 void
2504 load_server_config(const char *filename, struct sshbuf *conf)
2505 {
2506 	struct stat st;
2507 	char *line = NULL, *cp;
2508 	size_t linesize = 0;
2509 	FILE *f;
2510 	int r, lineno = 0;
2511 
2512 	debug2_f("filename %s", filename);
2513 	if ((f = fopen(filename, "r")) == NULL) {
2514 		perror(filename);
2515 		exit(1);
2516 	}
2517 	sshbuf_reset(conf);
2518 	/* grow buffer, so realloc is avoided for large config files */
2519 	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2520 	    (r = sshbuf_allocate(conf, st.st_size)) != 0)
2521 		fatal_fr(r, "allocate");
2522 	while (getline(&line, &linesize, f) != -1) {
2523 		lineno++;
2524 		/*
2525 		 * Strip whitespace
2526 		 * NB - preserve newlines, they are needed to reproduce
2527 		 * line numbers later for error messages
2528 		 */
2529 		cp = line + strspn(line, " \t\r");
2530 		if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2531 			fatal_fr(r, "sshbuf_put");
2532 	}
2533 	free(line);
2534 	if ((r = sshbuf_put_u8(conf, 0)) != 0)
2535 		fatal_fr(r, "sshbuf_put_u8");
2536 	fclose(f);
2537 	debug2_f("done config len = %zu", sshbuf_len(conf));
2538 }
2539 
2540 void
2541 parse_server_match_config(ServerOptions *options,
2542    struct include_list *includes, struct connection_info *connectinfo)
2543 {
2544 	ServerOptions mo;
2545 
2546 	initialize_server_options(&mo);
2547 	parse_server_config(&mo, "reprocess config", cfg, includes,
2548 	    connectinfo);
2549 	copy_set_server_options(options, &mo, 0);
2550 }
2551 
2552 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2553 {
2554 	char *p;
2555 
2556 	while ((p = strsep(&spec, ",")) && *p != '\0') {
2557 		if (strncmp(p, "addr=", 5) == 0) {
2558 			ci->address = xstrdup(p + 5);
2559 		} else if (strncmp(p, "host=", 5) == 0) {
2560 			ci->host = xstrdup(p + 5);
2561 		} else if (strncmp(p, "user=", 5) == 0) {
2562 			ci->user = xstrdup(p + 5);
2563 		} else if (strncmp(p, "laddr=", 6) == 0) {
2564 			ci->laddress = xstrdup(p + 6);
2565 		} else if (strncmp(p, "rdomain=", 8) == 0) {
2566 			ci->rdomain = xstrdup(p + 8);
2567 		} else if (strncmp(p, "lport=", 6) == 0) {
2568 			ci->lport = a2port(p + 6);
2569 			if (ci->lport == -1) {
2570 				fprintf(stderr, "Invalid port '%s' in test mode"
2571 				    " specification %s\n", p+6, p);
2572 				return -1;
2573 			}
2574 		} else {
2575 			fprintf(stderr, "Invalid test mode specification %s\n",
2576 			    p);
2577 			return -1;
2578 		}
2579 	}
2580 	return 0;
2581 }
2582 
2583 /*
2584  * Copy any supported values that are set.
2585  *
2586  * If the preauth flag is set, we do not bother copying the string or
2587  * array values that are not used pre-authentication, because any that we
2588  * do use must be explicitly sent in mm_getpwnamallow().
2589  */
2590 void
2591 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2592 {
2593 #define M_CP_INTOPT(n) do {\
2594 	if (src->n != -1) \
2595 		dst->n = src->n; \
2596 } while (0)
2597 
2598 	M_CP_INTOPT(password_authentication);
2599 	M_CP_INTOPT(gss_authentication);
2600 	M_CP_INTOPT(pubkey_authentication);
2601 	M_CP_INTOPT(pubkey_auth_options);
2602 	M_CP_INTOPT(kerberos_authentication);
2603 	M_CP_INTOPT(hostbased_authentication);
2604 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2605 	M_CP_INTOPT(kbd_interactive_authentication);
2606 	M_CP_INTOPT(permit_root_login);
2607 	M_CP_INTOPT(permit_empty_passwd);
2608 	M_CP_INTOPT(ignore_rhosts);
2609 
2610 	M_CP_INTOPT(allow_tcp_forwarding);
2611 	M_CP_INTOPT(allow_streamlocal_forwarding);
2612 	M_CP_INTOPT(allow_agent_forwarding);
2613 	M_CP_INTOPT(disable_forwarding);
2614 	M_CP_INTOPT(expose_userauth_info);
2615 	M_CP_INTOPT(permit_tun);
2616 	M_CP_INTOPT(fwd_opts.gateway_ports);
2617 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2618 	M_CP_INTOPT(x11_display_offset);
2619 	M_CP_INTOPT(x11_forwarding);
2620 	M_CP_INTOPT(x11_use_localhost);
2621 	M_CP_INTOPT(permit_tty);
2622 	M_CP_INTOPT(permit_user_rc);
2623 	M_CP_INTOPT(max_sessions);
2624 	M_CP_INTOPT(max_authtries);
2625 	M_CP_INTOPT(client_alive_count_max);
2626 	M_CP_INTOPT(client_alive_interval);
2627 	M_CP_INTOPT(ip_qos_interactive);
2628 	M_CP_INTOPT(ip_qos_bulk);
2629 	M_CP_INTOPT(rekey_limit);
2630 	M_CP_INTOPT(rekey_interval);
2631 	M_CP_INTOPT(log_level);
2632 
2633 	/*
2634 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2635 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2636 	 * warnings.
2637 	 */
2638 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2639 		dst->fwd_opts.streamlocal_bind_mask =
2640 		    src->fwd_opts.streamlocal_bind_mask;
2641 	}
2642 
2643 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2644 #define M_CP_STROPT(n) do {\
2645 	if (src->n != NULL && dst->n != src->n) { \
2646 		free(dst->n); \
2647 		dst->n = src->n; \
2648 	} \
2649 } while(0)
2650 #define M_CP_STRARRAYOPT(s, num_s) do {\
2651 	u_int i; \
2652 	if (src->num_s != 0) { \
2653 		for (i = 0; i < dst->num_s; i++) \
2654 			free(dst->s[i]); \
2655 		free(dst->s); \
2656 		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2657 		for (i = 0; i < src->num_s; i++) \
2658 			dst->s[i] = xstrdup(src->s[i]); \
2659 		dst->num_s = src->num_s; \
2660 	} \
2661 } while(0)
2662 
2663 	/* See comment in servconf.h */
2664 	COPY_MATCH_STRING_OPTS();
2665 
2666 	/* Arguments that accept '+...' need to be expanded */
2667 	assemble_algorithms(dst);
2668 
2669 	/*
2670 	 * The only things that should be below this point are string options
2671 	 * which are only used after authentication.
2672 	 */
2673 	if (preauth)
2674 		return;
2675 
2676 	/* These options may be "none" to clear a global setting */
2677 	M_CP_STROPT(adm_forced_command);
2678 	if (option_clear_or_none(dst->adm_forced_command)) {
2679 		free(dst->adm_forced_command);
2680 		dst->adm_forced_command = NULL;
2681 	}
2682 	M_CP_STROPT(chroot_directory);
2683 	if (option_clear_or_none(dst->chroot_directory)) {
2684 		free(dst->chroot_directory);
2685 		dst->chroot_directory = NULL;
2686 	}
2687 }
2688 
2689 #undef M_CP_INTOPT
2690 #undef M_CP_STROPT
2691 #undef M_CP_STRARRAYOPT
2692 
2693 #define SERVCONF_MAX_DEPTH	16
2694 static void
2695 parse_server_config_depth(ServerOptions *options, const char *filename,
2696     struct sshbuf *conf, struct include_list *includes,
2697     struct connection_info *connectinfo, int flags, int *activep, int depth)
2698 {
2699 	int linenum, bad_options = 0;
2700 	char *cp, *obuf, *cbuf;
2701 
2702 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2703 		fatal("Too many recursive configuration includes");
2704 
2705 	debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2706 	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2707 
2708 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2709 		fatal_f("sshbuf_dup_string failed");
2710 	linenum = 1;
2711 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2712 		if (process_server_config_line_depth(options, cp,
2713 		    filename, linenum++, activep, connectinfo, &flags,
2714 		    depth, includes) != 0)
2715 			bad_options++;
2716 	}
2717 	free(obuf);
2718 	if (bad_options > 0)
2719 		fatal("%s: terminating, %d bad configuration options",
2720 		    filename, bad_options);
2721 }
2722 
2723 void
2724 parse_server_config(ServerOptions *options, const char *filename,
2725     struct sshbuf *conf, struct include_list *includes,
2726     struct connection_info *connectinfo)
2727 {
2728 	int active = connectinfo ? 0 : 1;
2729 	parse_server_config_depth(options, filename, conf, includes,
2730 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2731 	process_queued_listen_addrs(options);
2732 }
2733 
2734 static const char *
2735 fmt_multistate_int(int val, const struct multistate *m)
2736 {
2737 	u_int i;
2738 
2739 	for (i = 0; m[i].key != NULL; i++) {
2740 		if (m[i].value == val)
2741 			return m[i].key;
2742 	}
2743 	return "UNKNOWN";
2744 }
2745 
2746 static const char *
2747 fmt_intarg(ServerOpCodes code, int val)
2748 {
2749 	if (val == -1)
2750 		return "unset";
2751 	switch (code) {
2752 	case sAddressFamily:
2753 		return fmt_multistate_int(val, multistate_addressfamily);
2754 	case sPermitRootLogin:
2755 		return fmt_multistate_int(val, multistate_permitrootlogin);
2756 	case sGatewayPorts:
2757 		return fmt_multistate_int(val, multistate_gatewayports);
2758 	case sCompression:
2759 		return fmt_multistate_int(val, multistate_compression);
2760 	case sAllowTcpForwarding:
2761 		return fmt_multistate_int(val, multistate_tcpfwd);
2762 	case sAllowStreamLocalForwarding:
2763 		return fmt_multistate_int(val, multistate_tcpfwd);
2764 	case sIgnoreRhosts:
2765 		return fmt_multistate_int(val, multistate_ignore_rhosts);
2766 	case sFingerprintHash:
2767 		return ssh_digest_alg_name(val);
2768 	default:
2769 		switch (val) {
2770 		case 0:
2771 			return "no";
2772 		case 1:
2773 			return "yes";
2774 		default:
2775 			return "UNKNOWN";
2776 		}
2777 	}
2778 }
2779 
2780 static void
2781 dump_cfg_int(ServerOpCodes code, int val)
2782 {
2783 	printf("%s %d\n", lookup_opcode_name(code), val);
2784 }
2785 
2786 static void
2787 dump_cfg_oct(ServerOpCodes code, int val)
2788 {
2789 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2790 }
2791 
2792 static void
2793 dump_cfg_fmtint(ServerOpCodes code, int val)
2794 {
2795 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2796 }
2797 
2798 static void
2799 dump_cfg_string(ServerOpCodes code, const char *val)
2800 {
2801 	printf("%s %s\n", lookup_opcode_name(code),
2802 	    val == NULL ? "none" : val);
2803 }
2804 
2805 static void
2806 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2807 {
2808 	u_int i;
2809 
2810 	for (i = 0; i < count; i++)
2811 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2812 }
2813 
2814 static void
2815 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2816 {
2817 	u_int i;
2818 
2819 	if (count <= 0 && code != sAuthenticationMethods)
2820 		return;
2821 	printf("%s", lookup_opcode_name(code));
2822 	for (i = 0; i < count; i++)
2823 		printf(" %s",  vals[i]);
2824 	if (code == sAuthenticationMethods && count == 0)
2825 		printf(" any");
2826 	printf("\n");
2827 }
2828 
2829 static char *
2830 format_listen_addrs(struct listenaddr *la)
2831 {
2832 	int r;
2833 	struct addrinfo *ai;
2834 	char addr[NI_MAXHOST], port[NI_MAXSERV];
2835 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2836 
2837 	/*
2838 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2839 	 * addresses onto a stack, so to maintain ordering we need to
2840 	 * print these in reverse order.
2841 	 */
2842 	for (ai = la->addrs; ai; ai = ai->ai_next) {
2843 		if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2844 		    sizeof(addr), port, sizeof(port),
2845 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2846 			error("getnameinfo: %.100s", ssh_gai_strerror(r));
2847 			continue;
2848 		}
2849 		laddr2 = laddr1;
2850 		if (ai->ai_family == AF_INET6) {
2851 			xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2852 			    addr, port,
2853 			    la->rdomain == NULL ? "" : " rdomain ",
2854 			    la->rdomain == NULL ? "" : la->rdomain,
2855 			    laddr2);
2856 		} else {
2857 			xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2858 			    addr, port,
2859 			    la->rdomain == NULL ? "" : " rdomain ",
2860 			    la->rdomain == NULL ? "" : la->rdomain,
2861 			    laddr2);
2862 		}
2863 		free(laddr2);
2864 	}
2865 	return laddr1;
2866 }
2867 
2868 void
2869 dump_config(ServerOptions *o)
2870 {
2871 	char *s;
2872 	u_int i;
2873 
2874 	/* these are usually at the top of the config */
2875 	for (i = 0; i < o->num_ports; i++)
2876 		printf("port %d\n", o->ports[i]);
2877 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2878 
2879 	for (i = 0; i < o->num_listen_addrs; i++) {
2880 		s = format_listen_addrs(&o->listen_addrs[i]);
2881 		printf("%s", s);
2882 		free(s);
2883 	}
2884 
2885 	/* integer arguments */
2886 #ifdef USE_PAM
2887 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2888 #endif
2889 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2890 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2891 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2892 	dump_cfg_int(sMaxSessions, o->max_sessions);
2893 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2894 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2895 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2896 
2897 	/* formatted integer arguments */
2898 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2899 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2900 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2901 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2902 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2903 	    o->hostbased_uses_name_from_packet_only);
2904 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2905 #ifdef KRB5
2906 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2907 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2908 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2909 # ifdef USE_AFS
2910 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2911 # endif
2912 #endif
2913 #ifdef GSSAPI
2914 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2915 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2916 #endif
2917 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2918 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2919 	    o->kbd_interactive_authentication);
2920 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2921 #ifndef DISABLE_LASTLOG
2922 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2923 #endif
2924 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2925 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2926 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2927 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2928 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2929 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2930 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2931 	dump_cfg_fmtint(sCompression, o->compression);
2932 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2933 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2934 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2935 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2936 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2937 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2938 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2939 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2940 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2941 	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
2942 
2943 	/* string arguments */
2944 	dump_cfg_string(sPidFile, o->pid_file);
2945 	dump_cfg_string(sModuliFile, o->moduli_file);
2946 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2947 	dump_cfg_string(sCiphers, o->ciphers);
2948 	dump_cfg_string(sMacs, o->macs);
2949 	dump_cfg_string(sBanner, o->banner);
2950 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2951 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2952 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2953 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2954 	dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
2955 	dump_cfg_string(sAuthorizedPrincipalsFile,
2956 	    o->authorized_principals_file);
2957 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2958 	    ? "none" : o->version_addendum);
2959 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2960 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2961 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2962 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2963 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2964 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
2965 	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
2966 	dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos);
2967 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
2968 	dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
2969 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2970 	dump_cfg_string(sRDomain, o->routing_domain);
2971 #endif
2972 
2973 	/* string arguments requiring a lookup */
2974 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2975 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2976 
2977 	/* string array arguments */
2978 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2979 	    o->authorized_keys_files);
2980 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2981 	    o->host_key_files);
2982 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2983 	    o->host_cert_files);
2984 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2985 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2986 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2987 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2988 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2989 	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
2990 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2991 	    o->num_auth_methods, o->auth_methods);
2992 	dump_cfg_strarray_oneline(sLogVerbose,
2993 	    o->num_log_verbose, o->log_verbose);
2994 
2995 	/* other arguments */
2996 	for (i = 0; i < o->num_subsystems; i++)
2997 		printf("subsystem %s %s\n", o->subsystem_name[i],
2998 		    o->subsystem_args[i]);
2999 
3000 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
3001 	    o->max_startups_rate, o->max_startups);
3002 	printf("persourcemaxstartups ");
3003 	if (o->per_source_max_startups == INT_MAX)
3004 		printf("none\n");
3005 	else
3006 		printf("%d\n", o->per_source_max_startups);
3007 	printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4,
3008 	    o->per_source_masklen_ipv6);
3009 
3010 	s = NULL;
3011 	for (i = 0; tunmode_desc[i].val != -1; i++) {
3012 		if (tunmode_desc[i].val == o->permit_tun) {
3013 			s = tunmode_desc[i].text;
3014 			break;
3015 		}
3016 	}
3017 	dump_cfg_string(sPermitTunnel, s);
3018 
3019 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
3020 	printf("%s\n", iptos2str(o->ip_qos_bulk));
3021 
3022 	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
3023 	    o->rekey_interval);
3024 
3025 	printf("permitopen");
3026 	if (o->num_permitted_opens == 0)
3027 		printf(" any");
3028 	else {
3029 		for (i = 0; i < o->num_permitted_opens; i++)
3030 			printf(" %s", o->permitted_opens[i]);
3031 	}
3032 	printf("\n");
3033 	printf("permitlisten");
3034 	if (o->num_permitted_listens == 0)
3035 		printf(" any");
3036 	else {
3037 		for (i = 0; i < o->num_permitted_listens; i++)
3038 			printf(" %s", o->permitted_listens[i]);
3039 	}
3040 	printf("\n");
3041 
3042 	if (o->permit_user_env_allowlist == NULL) {
3043 		dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
3044 	} else {
3045 		printf("permituserenvironment %s\n",
3046 		    o->permit_user_env_allowlist);
3047 	}
3048 
3049 	printf("pubkeyauthoptions");
3050 	if (o->pubkey_auth_options == 0)
3051 		printf(" none");
3052 	if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
3053 		printf(" touch-required");
3054 	if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
3055 		printf(" verify-required");
3056 	printf("\n");
3057 }
3058