xref: /freebsd/crypto/openssh/servconf.c (revision f126890ac5386406dadf7c4cfa9566cbb56537c5)
1 /* $OpenBSD: servconf.c,v 1.405 2024/03/04 02:16:11 djm Exp $ */
2 /*
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  *
6  * As far as I am concerned, the code I have written for this software
7  * can be used freely for any purpose.  Any derived versions of this
8  * software must be clearly marked as such, and if the derived work is
9  * incompatible with the protocol description in the RFC file, it must be
10  * called by a name other than "ssh" or "Secure Shell".
11  */
12 
13 #include "includes.h"
14 
15 #include <sys/types.h>
16 #include <sys/socket.h>
17 #include <sys/stat.h>
18 #ifdef __OpenBSD__
19 #include <sys/sysctl.h>
20 #endif
21 
22 #include <netinet/in.h>
23 #include <netinet/in_systm.h>
24 #include <netinet/ip.h>
25 #ifdef HAVE_NET_ROUTE_H
26 #include <net/route.h>
27 #endif
28 
29 #include <ctype.h>
30 #include <netdb.h>
31 #include <pwd.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <signal.h>
36 #include <unistd.h>
37 #include <limits.h>
38 #include <stdarg.h>
39 #include <errno.h>
40 #ifdef HAVE_UTIL_H
41 #include <util.h>
42 #endif
43 #ifdef USE_SYSTEM_GLOB
44 # include <glob.h>
45 #else
46 # include "openbsd-compat/glob.h"
47 #endif
48 
49 #include "openbsd-compat/sys-queue.h"
50 #include "xmalloc.h"
51 #include "ssh.h"
52 #include "log.h"
53 #include "sshbuf.h"
54 #include "misc.h"
55 #include "servconf.h"
56 #include "pathnames.h"
57 #include "cipher.h"
58 #include "sshkey.h"
59 #include "kex.h"
60 #include "mac.h"
61 #include "match.h"
62 #include "channels.h"
63 #include "groupaccess.h"
64 #include "canohost.h"
65 #include "packet.h"
66 #include "ssherr.h"
67 #include "hostfile.h"
68 #include "auth.h"
69 #include "myproposal.h"
70 #include "digest.h"
71 #include "version.h"
72 
73 static void add_listen_addr(ServerOptions *, const char *,
74     const char *, int);
75 static void add_one_listen_addr(ServerOptions *, const char *,
76     const char *, int);
77 static void parse_server_config_depth(ServerOptions *options,
78     const char *filename, struct sshbuf *conf, struct include_list *includes,
79     struct connection_info *connectinfo, int flags, int *activep, int depth);
80 
81 /* Use of privilege separation or not */
82 extern int use_privsep;
83 extern struct sshbuf *cfg;
84 
85 /* Initializes the server options to their default values. */
86 
87 void
88 initialize_server_options(ServerOptions *options)
89 {
90 	memset(options, 0, sizeof(*options));
91 
92 	/* Portable-specific options */
93 	options->use_pam = -1;
94 
95 	/* Standard Options */
96 	options->num_ports = 0;
97 	options->ports_from_cmdline = 0;
98 	options->queued_listen_addrs = NULL;
99 	options->num_queued_listens = 0;
100 	options->listen_addrs = NULL;
101 	options->num_listen_addrs = 0;
102 	options->address_family = -1;
103 	options->routing_domain = NULL;
104 	options->num_host_key_files = 0;
105 	options->num_host_cert_files = 0;
106 	options->host_key_agent = NULL;
107 	options->pid_file = NULL;
108 	options->login_grace_time = -1;
109 	options->permit_root_login = PERMIT_NOT_SET;
110 	options->ignore_rhosts = -1;
111 	options->ignore_user_known_hosts = -1;
112 	options->print_motd = -1;
113 	options->print_lastlog = -1;
114 	options->x11_forwarding = -1;
115 	options->x11_display_offset = -1;
116 	options->x11_use_localhost = -1;
117 	options->permit_tty = -1;
118 	options->permit_user_rc = -1;
119 	options->xauth_location = NULL;
120 	options->strict_modes = -1;
121 	options->tcp_keep_alive = -1;
122 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
123 	options->log_level = SYSLOG_LEVEL_NOT_SET;
124 	options->num_log_verbose = 0;
125 	options->log_verbose = NULL;
126 	options->hostbased_authentication = -1;
127 	options->hostbased_uses_name_from_packet_only = -1;
128 	options->hostbased_accepted_algos = NULL;
129 	options->hostkeyalgorithms = NULL;
130 	options->pubkey_authentication = -1;
131 	options->pubkey_auth_options = -1;
132 	options->pubkey_accepted_algos = NULL;
133 	options->kerberos_authentication = -1;
134 	options->kerberos_or_local_passwd = -1;
135 	options->kerberos_ticket_cleanup = -1;
136 	options->kerberos_get_afs_token = -1;
137 	options->gss_authentication=-1;
138 	options->gss_cleanup_creds = -1;
139 	options->gss_strict_acceptor = -1;
140 	options->password_authentication = -1;
141 	options->kbd_interactive_authentication = -1;
142 	options->permit_empty_passwd = -1;
143 	options->permit_user_env = -1;
144 	options->permit_user_env_allowlist = NULL;
145 	options->compression = -1;
146 	options->rekey_limit = -1;
147 	options->rekey_interval = -1;
148 	options->allow_tcp_forwarding = -1;
149 	options->allow_streamlocal_forwarding = -1;
150 	options->allow_agent_forwarding = -1;
151 	options->num_allow_users = 0;
152 	options->num_deny_users = 0;
153 	options->num_allow_groups = 0;
154 	options->num_deny_groups = 0;
155 	options->ciphers = NULL;
156 	options->macs = NULL;
157 	options->kex_algorithms = NULL;
158 	options->ca_sign_algorithms = NULL;
159 	options->fwd_opts.gateway_ports = -1;
160 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
161 	options->fwd_opts.streamlocal_bind_unlink = -1;
162 	options->num_subsystems = 0;
163 	options->max_startups_begin = -1;
164 	options->max_startups_rate = -1;
165 	options->max_startups = -1;
166 	options->per_source_max_startups = -1;
167 	options->per_source_masklen_ipv4 = -1;
168 	options->per_source_masklen_ipv6 = -1;
169 	options->max_authtries = -1;
170 	options->max_sessions = -1;
171 	options->banner = NULL;
172 	options->use_dns = -1;
173 	options->client_alive_interval = -1;
174 	options->client_alive_count_max = -1;
175 	options->num_authkeys_files = 0;
176 	options->num_accept_env = 0;
177 	options->num_setenv = 0;
178 	options->permit_tun = -1;
179 	options->permitted_opens = NULL;
180 	options->permitted_listens = NULL;
181 	options->adm_forced_command = NULL;
182 	options->chroot_directory = NULL;
183 	options->authorized_keys_command = NULL;
184 	options->authorized_keys_command_user = NULL;
185 	options->revoked_keys_file = NULL;
186 	options->sk_provider = NULL;
187 	options->trusted_user_ca_keys = NULL;
188 	options->authorized_principals_file = NULL;
189 	options->authorized_principals_command = NULL;
190 	options->authorized_principals_command_user = NULL;
191 	options->ip_qos_interactive = -1;
192 	options->ip_qos_bulk = -1;
193 	options->version_addendum = NULL;
194 	options->fingerprint_hash = -1;
195 	options->disable_forwarding = -1;
196 	options->expose_userauth_info = -1;
197 	options->required_rsa_size = -1;
198 	options->channel_timeouts = NULL;
199 	options->num_channel_timeouts = 0;
200 	options->unused_connection_timeout = -1;
201 	options->use_blacklist = -1;
202 }
203 
204 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
205 static int
206 option_clear_or_none(const char *o)
207 {
208 	return o == NULL || strcasecmp(o, "none") == 0;
209 }
210 
211 static void
212 assemble_algorithms(ServerOptions *o)
213 {
214 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
215 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
216 	int r;
217 
218 	all_cipher = cipher_alg_list(',', 0);
219 	all_mac = mac_alg_list(',');
220 	all_kex = kex_alg_list(',');
221 	all_key = sshkey_alg_list(0, 0, 1, ',');
222 	all_sig = sshkey_alg_list(0, 1, 1, ',');
223 	/* remove unsupported algos from default lists */
224 	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
225 	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
226 	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
227 	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
228 	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
229 #define ASSEMBLE(what, defaults, all) \
230 	do { \
231 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
232 			fatal_fr(r, "%s", #what); \
233 	} while (0)
234 	ASSEMBLE(ciphers, def_cipher, all_cipher);
235 	ASSEMBLE(macs, def_mac, all_mac);
236 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
237 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
238 	ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
239 	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
240 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
241 #undef ASSEMBLE
242 	free(all_cipher);
243 	free(all_mac);
244 	free(all_kex);
245 	free(all_key);
246 	free(all_sig);
247 	free(def_cipher);
248 	free(def_mac);
249 	free(def_kex);
250 	free(def_key);
251 	free(def_sig);
252 }
253 
254 static const char *defaultkey = "[default]";
255 
256 void
257 servconf_add_hostkey(const char *file, const int line,
258     ServerOptions *options, const char *path, int userprovided)
259 {
260 	char *apath = derelativise_path(path);
261 
262 	if (file == defaultkey && access(path, R_OK) != 0)
263 		return;
264 	opt_array_append2(file, line, "HostKey",
265 	    &options->host_key_files, &options->host_key_file_userprovided,
266 	    &options->num_host_key_files, apath, userprovided);
267 	free(apath);
268 }
269 
270 void
271 servconf_add_hostcert(const char *file, const int line,
272     ServerOptions *options, const char *path)
273 {
274 	char *apath = derelativise_path(path);
275 
276 	opt_array_append(file, line, "HostCertificate",
277 	    &options->host_cert_files, &options->num_host_cert_files, apath);
278 	free(apath);
279 }
280 
281 void
282 fill_default_server_options(ServerOptions *options)
283 {
284 	u_int i;
285 
286 	/* Portable-specific options */
287 	if (options->use_pam == -1)
288 		options->use_pam = 1;
289 
290 	/* Standard Options */
291 	if (options->num_host_key_files == 0) {
292 		/* fill default hostkeys for protocols */
293 		servconf_add_hostkey(defaultkey, 0, options,
294 		    _PATH_HOST_RSA_KEY_FILE, 0);
295 #ifdef OPENSSL_HAS_ECC
296 		servconf_add_hostkey(defaultkey, 0, options,
297 		    _PATH_HOST_ECDSA_KEY_FILE, 0);
298 #endif
299 		servconf_add_hostkey(defaultkey, 0, options,
300 		    _PATH_HOST_ED25519_KEY_FILE, 0);
301 #ifdef WITH_XMSS
302 		servconf_add_hostkey(defaultkey, 0, options,
303 		    _PATH_HOST_XMSS_KEY_FILE, 0);
304 #endif /* WITH_XMSS */
305 	}
306 	if (options->num_host_key_files == 0)
307 		fatal("No host key files found");
308 	/* No certificates by default */
309 	if (options->num_ports == 0)
310 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
311 	if (options->address_family == -1)
312 		options->address_family = AF_UNSPEC;
313 	if (options->listen_addrs == NULL)
314 		add_listen_addr(options, NULL, NULL, 0);
315 	if (options->pid_file == NULL)
316 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
317 	if (options->moduli_file == NULL)
318 		options->moduli_file = xstrdup(_PATH_DH_MODULI);
319 	if (options->login_grace_time == -1)
320 		options->login_grace_time = 120;
321 	if (options->permit_root_login == PERMIT_NOT_SET)
322 		options->permit_root_login = PERMIT_NO;
323 	if (options->ignore_rhosts == -1)
324 		options->ignore_rhosts = 1;
325 	if (options->ignore_user_known_hosts == -1)
326 		options->ignore_user_known_hosts = 0;
327 	if (options->print_motd == -1)
328 		options->print_motd = 1;
329 	if (options->print_lastlog == -1)
330 		options->print_lastlog = 1;
331 	if (options->x11_forwarding == -1)
332 		options->x11_forwarding = 0;
333 	if (options->x11_display_offset == -1)
334 		options->x11_display_offset = 10;
335 	if (options->x11_use_localhost == -1)
336 		options->x11_use_localhost = 1;
337 	if (options->xauth_location == NULL)
338 		options->xauth_location = xstrdup(_PATH_XAUTH);
339 	if (options->permit_tty == -1)
340 		options->permit_tty = 1;
341 	if (options->permit_user_rc == -1)
342 		options->permit_user_rc = 1;
343 	if (options->strict_modes == -1)
344 		options->strict_modes = 1;
345 	if (options->tcp_keep_alive == -1)
346 		options->tcp_keep_alive = 1;
347 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
348 		options->log_facility = SYSLOG_FACILITY_AUTH;
349 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
350 		options->log_level = SYSLOG_LEVEL_INFO;
351 	if (options->hostbased_authentication == -1)
352 		options->hostbased_authentication = 0;
353 	if (options->hostbased_uses_name_from_packet_only == -1)
354 		options->hostbased_uses_name_from_packet_only = 0;
355 	if (options->pubkey_authentication == -1)
356 		options->pubkey_authentication = 1;
357 	if (options->pubkey_auth_options == -1)
358 		options->pubkey_auth_options = 0;
359 	if (options->kerberos_authentication == -1)
360 		options->kerberos_authentication = 0;
361 	if (options->kerberos_or_local_passwd == -1)
362 		options->kerberos_or_local_passwd = 1;
363 	if (options->kerberos_ticket_cleanup == -1)
364 		options->kerberos_ticket_cleanup = 1;
365 	if (options->kerberos_get_afs_token == -1)
366 		options->kerberos_get_afs_token = 0;
367 	if (options->gss_authentication == -1)
368 		options->gss_authentication = 0;
369 	if (options->gss_cleanup_creds == -1)
370 		options->gss_cleanup_creds = 1;
371 	if (options->gss_strict_acceptor == -1)
372 		options->gss_strict_acceptor = 1;
373 	if (options->password_authentication == -1)
374 		options->password_authentication = 0;
375 	if (options->kbd_interactive_authentication == -1)
376 		options->kbd_interactive_authentication = 1;
377 	if (options->permit_empty_passwd == -1)
378 		options->permit_empty_passwd = 0;
379 	if (options->permit_user_env == -1) {
380 		options->permit_user_env = 0;
381 		options->permit_user_env_allowlist = NULL;
382 	}
383 	if (options->compression == -1)
384 #ifdef WITH_ZLIB
385 		options->compression = COMP_DELAYED;
386 #else
387 		options->compression = COMP_NONE;
388 #endif
389 
390 	if (options->rekey_limit == -1)
391 		options->rekey_limit = 0;
392 	if (options->rekey_interval == -1)
393 		options->rekey_interval = 0;
394 	if (options->allow_tcp_forwarding == -1)
395 		options->allow_tcp_forwarding = FORWARD_ALLOW;
396 	if (options->allow_streamlocal_forwarding == -1)
397 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
398 	if (options->allow_agent_forwarding == -1)
399 		options->allow_agent_forwarding = 1;
400 	if (options->fwd_opts.gateway_ports == -1)
401 		options->fwd_opts.gateway_ports = 0;
402 	if (options->max_startups == -1)
403 		options->max_startups = 100;
404 	if (options->max_startups_rate == -1)
405 		options->max_startups_rate = 30;		/* 30% */
406 	if (options->max_startups_begin == -1)
407 		options->max_startups_begin = 10;
408 	if (options->per_source_max_startups == -1)
409 		options->per_source_max_startups = INT_MAX;
410 	if (options->per_source_masklen_ipv4 == -1)
411 		options->per_source_masklen_ipv4 = 32;
412 	if (options->per_source_masklen_ipv6 == -1)
413 		options->per_source_masklen_ipv6 = 128;
414 	if (options->max_authtries == -1)
415 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
416 	if (options->max_sessions == -1)
417 		options->max_sessions = DEFAULT_SESSIONS_MAX;
418 	if (options->use_dns == -1)
419 		options->use_dns = 1;
420 	if (options->client_alive_interval == -1)
421 		options->client_alive_interval = 0;
422 	if (options->client_alive_count_max == -1)
423 		options->client_alive_count_max = 3;
424 	if (options->num_authkeys_files == 0) {
425 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
426 		    &options->authorized_keys_files,
427 		    &options->num_authkeys_files,
428 		    _PATH_SSH_USER_PERMITTED_KEYS);
429 		opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
430 		    &options->authorized_keys_files,
431 		    &options->num_authkeys_files,
432 		    _PATH_SSH_USER_PERMITTED_KEYS2);
433 	}
434 	if (options->permit_tun == -1)
435 		options->permit_tun = SSH_TUNMODE_NO;
436 	if (options->ip_qos_interactive == -1)
437 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
438 	if (options->ip_qos_bulk == -1)
439 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
440 	if (options->version_addendum == NULL)
441 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
442 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
443 		options->fwd_opts.streamlocal_bind_mask = 0177;
444 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
445 		options->fwd_opts.streamlocal_bind_unlink = 0;
446 	if (options->fingerprint_hash == -1)
447 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
448 	if (options->disable_forwarding == -1)
449 		options->disable_forwarding = 0;
450 	if (options->expose_userauth_info == -1)
451 		options->expose_userauth_info = 0;
452 	if (options->sk_provider == NULL)
453 		options->sk_provider = xstrdup("internal");
454 	if (options->required_rsa_size == -1)
455 		options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
456 	if (options->unused_connection_timeout == -1)
457 		options->unused_connection_timeout = 0;
458 	if (options->use_blacklist == -1)
459 		options->use_blacklist = 0;
460 
461 	assemble_algorithms(options);
462 
463 	/* Turn privilege separation and sandboxing on by default */
464 	if (use_privsep == -1)
465 		use_privsep = PRIVSEP_ON;
466 
467 #define CLEAR_ON_NONE(v) \
468 	do { \
469 		if (option_clear_or_none(v)) { \
470 			free(v); \
471 			v = NULL; \
472 		} \
473 	} while(0)
474 #define CLEAR_ON_NONE_ARRAY(v, nv, none) \
475 	do { \
476 		if (options->nv == 1 && \
477 		    strcasecmp(options->v[0], none) == 0) { \
478 			free(options->v[0]); \
479 			free(options->v); \
480 			options->v = NULL; \
481 			options->nv = 0; \
482 		} \
483 	} while (0)
484 	CLEAR_ON_NONE(options->pid_file);
485 	CLEAR_ON_NONE(options->xauth_location);
486 	CLEAR_ON_NONE(options->banner);
487 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
488 	CLEAR_ON_NONE(options->revoked_keys_file);
489 	CLEAR_ON_NONE(options->sk_provider);
490 	CLEAR_ON_NONE(options->authorized_principals_file);
491 	CLEAR_ON_NONE(options->adm_forced_command);
492 	CLEAR_ON_NONE(options->chroot_directory);
493 	CLEAR_ON_NONE(options->routing_domain);
494 	CLEAR_ON_NONE(options->host_key_agent);
495 
496 	for (i = 0; i < options->num_host_key_files; i++)
497 		CLEAR_ON_NONE(options->host_key_files[i]);
498 	for (i = 0; i < options->num_host_cert_files; i++)
499 		CLEAR_ON_NONE(options->host_cert_files[i]);
500 
501 	CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
502 	CLEAR_ON_NONE_ARRAY(auth_methods, num_auth_methods, "any");
503 #undef CLEAR_ON_NONE
504 #undef CLEAR_ON_NONE_ARRAY
505 }
506 
507 /* Keyword tokens. */
508 typedef enum {
509 	sBadOption,		/* == unknown option */
510 	/* Portable-specific options */
511 	sUsePAM,
512 	/* Standard Options */
513 	sPort, sHostKeyFile, sLoginGraceTime,
514 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
515 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
516 	sKerberosGetAFSToken, sPasswordAuthentication,
517 	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
518 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
519 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
520 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
521 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
522 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
523 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
524 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
525 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
526 	sBanner, sUseDNS, sHostbasedAuthentication,
527 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
528 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
529 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
530 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
531 	sAcceptEnv, sSetEnv, sPermitTunnel,
532 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
533 	sUsePrivilegeSeparation, sAllowAgentForwarding,
534 	sHostCertificate, sInclude,
535 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
536 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
537 	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
538 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
539 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
540 	sStreamLocalBindMask, sStreamLocalBindUnlink,
541 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
542 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
543 	sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
544 	sUseBlacklist,
545 	sDeprecated, sIgnore, sUnsupported
546 } ServerOpCodes;
547 
548 #define SSHCFG_GLOBAL		0x01	/* allowed in main section of config */
549 #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
550 #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
551 #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
552 #define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
553 
554 /* Textual representation of the tokens. */
555 static struct {
556 	const char *name;
557 	ServerOpCodes opcode;
558 	u_int flags;
559 } keywords[] = {
560 	/* Portable-specific options */
561 #ifdef USE_PAM
562 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
563 #else
564 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
565 #endif
566 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
567 	/* Standard Options */
568 	{ "port", sPort, SSHCFG_GLOBAL },
569 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
570 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
571 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
572 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
573 	{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
574 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
575 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
576 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
577 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
578 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
579 	{ "loglevel", sLogLevel, SSHCFG_ALL },
580 	{ "logverbose", sLogVerbose, SSHCFG_ALL },
581 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
582 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
583 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
584 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
585 	{ "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
586 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
587 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
588 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
589 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
590 	{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
591 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
592 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
593 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
594 #ifdef KRB5
595 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
596 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
597 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
598 #ifdef USE_AFS
599 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
600 #else
601 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
602 #endif
603 #else
604 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
605 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
606 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
607 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
608 #endif
609 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
610 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
611 #ifdef GSSAPI
612 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
613 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
614 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
615 #else
616 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
617 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
618 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
619 #endif
620 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
621 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
622 	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
623 	{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
624 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
625 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
626 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
627 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
628 #ifdef DISABLE_LASTLOG
629 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
630 #else
631 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
632 #endif
633 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
634 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
635 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
636 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
637 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
638 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
639 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
640 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
641 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
642 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
643 	{ "compression", sCompression, SSHCFG_GLOBAL },
644 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
645 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
646 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
647 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
648 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
649 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
650 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
651 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
652 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
653 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
654 	{ "macs", sMacs, SSHCFG_GLOBAL },
655 	{ "protocol", sIgnore, SSHCFG_GLOBAL },
656 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
657 	{ "subsystem", sSubsystem, SSHCFG_ALL },
658 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
659 	{ "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
660 	{ "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
661 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
662 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
663 	{ "banner", sBanner, SSHCFG_ALL },
664 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
665 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
666 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
667 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
668 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
669 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
670 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
671 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
672 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
673 	{ "setenv", sSetEnv, SSHCFG_ALL },
674 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
675 	{ "permittty", sPermitTTY, SSHCFG_ALL },
676 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
677 	{ "match", sMatch, SSHCFG_ALL },
678 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
679 	{ "permitlisten", sPermitListen, SSHCFG_ALL },
680 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
681 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
682 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
683 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
684 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
685 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
686 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
687 	{ "include", sInclude, SSHCFG_ALL },
688 	{ "ipqos", sIPQoS, SSHCFG_ALL },
689 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
690 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
691 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
692 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
693 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
694 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
695 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
696 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
697 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
698 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
699 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
700 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
701 	{ "rdomain", sRDomain, SSHCFG_ALL },
702 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
703 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
704 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
705 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
706 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
707 	{ "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
708 	{ "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
709 
710 	{ NULL, sBadOption, 0 }
711 };
712 
713 static struct {
714 	int val;
715 	char *text;
716 } tunmode_desc[] = {
717 	{ SSH_TUNMODE_NO, "no" },
718 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
719 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
720 	{ SSH_TUNMODE_YES, "yes" },
721 	{ -1, NULL }
722 };
723 
724 /* Returns an opcode name from its number */
725 
726 static const char *
727 lookup_opcode_name(ServerOpCodes code)
728 {
729 	u_int i;
730 
731 	for (i = 0; keywords[i].name != NULL; i++)
732 		if (keywords[i].opcode == code)
733 			return(keywords[i].name);
734 	return "UNKNOWN";
735 }
736 
737 
738 /*
739  * Returns the number of the token pointed to by cp or sBadOption.
740  */
741 
742 static ServerOpCodes
743 parse_token(const char *cp, const char *filename,
744 	    int linenum, u_int *flags)
745 {
746 	u_int i;
747 
748 	for (i = 0; keywords[i].name; i++)
749 		if (strcasecmp(cp, keywords[i].name) == 0) {
750 			*flags = keywords[i].flags;
751 			return keywords[i].opcode;
752 		}
753 
754 	error("%s: line %d: Bad configuration option: %s",
755 	    filename, linenum, cp);
756 	return sBadOption;
757 }
758 
759 char *
760 derelativise_path(const char *path)
761 {
762 	char *expanded, *ret, cwd[PATH_MAX];
763 
764 	if (strcasecmp(path, "none") == 0)
765 		return xstrdup("none");
766 	expanded = tilde_expand_filename(path, getuid());
767 	if (path_absolute(expanded))
768 		return expanded;
769 	if (getcwd(cwd, sizeof(cwd)) == NULL)
770 		fatal_f("getcwd: %s", strerror(errno));
771 	xasprintf(&ret, "%s/%s", cwd, expanded);
772 	free(expanded);
773 	return ret;
774 }
775 
776 static void
777 add_listen_addr(ServerOptions *options, const char *addr,
778     const char *rdomain, int port)
779 {
780 	u_int i;
781 
782 	if (port > 0)
783 		add_one_listen_addr(options, addr, rdomain, port);
784 	else {
785 		for (i = 0; i < options->num_ports; i++) {
786 			add_one_listen_addr(options, addr, rdomain,
787 			    options->ports[i]);
788 		}
789 	}
790 }
791 
792 static void
793 add_one_listen_addr(ServerOptions *options, const char *addr,
794     const char *rdomain, int port)
795 {
796 	struct addrinfo hints, *ai, *aitop;
797 	char strport[NI_MAXSERV];
798 	int gaierr;
799 	u_int i;
800 
801 	/* Find listen_addrs entry for this rdomain */
802 	for (i = 0; i < options->num_listen_addrs; i++) {
803 		if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
804 			break;
805 		if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
806 			continue;
807 		if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
808 			break;
809 	}
810 	if (i >= options->num_listen_addrs) {
811 		/* No entry for this rdomain; allocate one */
812 		if (i >= INT_MAX)
813 			fatal_f("too many listen addresses");
814 		options->listen_addrs = xrecallocarray(options->listen_addrs,
815 		    options->num_listen_addrs, options->num_listen_addrs + 1,
816 		    sizeof(*options->listen_addrs));
817 		i = options->num_listen_addrs++;
818 		if (rdomain != NULL)
819 			options->listen_addrs[i].rdomain = xstrdup(rdomain);
820 	}
821 	/* options->listen_addrs[i] points to the addresses for this rdomain */
822 
823 	memset(&hints, 0, sizeof(hints));
824 	hints.ai_family = options->address_family;
825 	hints.ai_socktype = SOCK_STREAM;
826 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
827 	snprintf(strport, sizeof strport, "%d", port);
828 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
829 		fatal("bad addr or host: %s (%s)",
830 		    addr ? addr : "<NULL>",
831 		    ssh_gai_strerror(gaierr));
832 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
833 		;
834 	ai->ai_next = options->listen_addrs[i].addrs;
835 	options->listen_addrs[i].addrs = aitop;
836 }
837 
838 /* Returns nonzero if the routing domain name is valid */
839 static int
840 valid_rdomain(const char *name)
841 {
842 #if defined(HAVE_SYS_VALID_RDOMAIN)
843 	return sys_valid_rdomain(name);
844 #elif defined(__OpenBSD__)
845 	const char *errstr;
846 	long long num;
847 	struct rt_tableinfo info;
848 	int mib[6];
849 	size_t miblen = sizeof(mib);
850 
851 	if (name == NULL)
852 		return 1;
853 
854 	num = strtonum(name, 0, 255, &errstr);
855 	if (errstr != NULL)
856 		return 0;
857 
858 	/* Check whether the table actually exists */
859 	memset(mib, 0, sizeof(mib));
860 	mib[0] = CTL_NET;
861 	mib[1] = PF_ROUTE;
862 	mib[4] = NET_RT_TABLE;
863 	mib[5] = (int)num;
864 	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
865 		return 0;
866 
867 	return 1;
868 #else /* defined(__OpenBSD__) */
869 	error("Routing domains are not supported on this platform");
870 	return 0;
871 #endif
872 }
873 
874 /*
875  * Queue a ListenAddress to be processed once we have all of the Ports
876  * and AddressFamily options.
877  */
878 static void
879 queue_listen_addr(ServerOptions *options, const char *addr,
880     const char *rdomain, int port)
881 {
882 	struct queued_listenaddr *qla;
883 
884 	options->queued_listen_addrs = xrecallocarray(
885 	    options->queued_listen_addrs,
886 	    options->num_queued_listens, options->num_queued_listens + 1,
887 	    sizeof(*options->queued_listen_addrs));
888 	qla = &options->queued_listen_addrs[options->num_queued_listens++];
889 	qla->addr = xstrdup(addr);
890 	qla->port = port;
891 	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
892 }
893 
894 /*
895  * Process queued (text) ListenAddress entries.
896  */
897 static void
898 process_queued_listen_addrs(ServerOptions *options)
899 {
900 	u_int i;
901 	struct queued_listenaddr *qla;
902 
903 	if (options->num_ports == 0)
904 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
905 	if (options->address_family == -1)
906 		options->address_family = AF_UNSPEC;
907 
908 	for (i = 0; i < options->num_queued_listens; i++) {
909 		qla = &options->queued_listen_addrs[i];
910 		add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
911 		free(qla->addr);
912 		free(qla->rdomain);
913 	}
914 	free(options->queued_listen_addrs);
915 	options->queued_listen_addrs = NULL;
916 	options->num_queued_listens = 0;
917 }
918 
919 /*
920  * Inform channels layer of permitopen options for a single forwarding
921  * direction (local/remote).
922  */
923 static void
924 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
925     char **opens, u_int num_opens)
926 {
927 	u_int i;
928 	int port;
929 	char *host, *arg, *oarg;
930 	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
931 	const char *what = lookup_opcode_name(opcode);
932 
933 	channel_clear_permission(ssh, FORWARD_ADM, where);
934 	if (num_opens == 0)
935 		return; /* permit any */
936 
937 	/* handle keywords: "any" / "none" */
938 	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
939 		return;
940 	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
941 		channel_disable_admin(ssh, where);
942 		return;
943 	}
944 	/* Otherwise treat it as a list of permitted host:port */
945 	for (i = 0; i < num_opens; i++) {
946 		oarg = arg = xstrdup(opens[i]);
947 		host = hpdelim(&arg);
948 		if (host == NULL)
949 			fatal_f("missing host in %s", what);
950 		host = cleanhostname(host);
951 		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
952 			fatal_f("bad port number in %s", what);
953 		/* Send it to channels layer */
954 		channel_add_permission(ssh, FORWARD_ADM,
955 		    where, host, port);
956 		free(oarg);
957 	}
958 }
959 
960 /*
961  * Inform channels layer of permitopen options from configuration.
962  */
963 void
964 process_permitopen(struct ssh *ssh, ServerOptions *options)
965 {
966 	process_permitopen_list(ssh, sPermitOpen,
967 	    options->permitted_opens, options->num_permitted_opens);
968 	process_permitopen_list(ssh, sPermitListen,
969 	    options->permitted_listens,
970 	    options->num_permitted_listens);
971 }
972 
973 void
974 process_channel_timeouts(struct ssh *ssh, ServerOptions *options)
975 {
976 	int secs;
977 	u_int i;
978 	char *type;
979 
980 	debug3_f("setting %u timeouts", options->num_channel_timeouts);
981 	channel_clear_timeouts(ssh);
982 	for (i = 0; i < options->num_channel_timeouts; i++) {
983 		if (parse_pattern_interval(options->channel_timeouts[i],
984 		    &type, &secs) != 0) {
985 			fatal_f("internal error: bad timeout %s",
986 			    options->channel_timeouts[i]);
987 		}
988 		channel_add_timeout(ssh, type, secs);
989 		free(type);
990 	}
991 }
992 
993 struct connection_info *
994 get_connection_info(struct ssh *ssh, int populate, int use_dns)
995 {
996 	static struct connection_info ci;
997 
998 	if (ssh == NULL || !populate)
999 		return &ci;
1000 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
1001 	ci.address = ssh_remote_ipaddr(ssh);
1002 	ci.laddress = ssh_local_ipaddr(ssh);
1003 	ci.lport = ssh_local_port(ssh);
1004 	ci.rdomain = ssh_packet_rdomain_in(ssh);
1005 	return &ci;
1006 }
1007 
1008 /*
1009  * The strategy for the Match blocks is that the config file is parsed twice.
1010  *
1011  * The first time is at startup.  activep is initialized to 1 and the
1012  * directives in the global context are processed and acted on.  Hitting a
1013  * Match directive unsets activep and the directives inside the block are
1014  * checked for syntax only.
1015  *
1016  * The second time is after a connection has been established but before
1017  * authentication.  activep is initialized to 2 and global config directives
1018  * are ignored since they have already been processed.  If the criteria in a
1019  * Match block is met, activep is set and the subsequent directives
1020  * processed and actioned until EOF or another Match block unsets it.  Any
1021  * options set are copied into the main server config.
1022  *
1023  * Potential additions/improvements:
1024  *  - Add Match support for pre-kex directives, eg. Ciphers.
1025  *
1026  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
1027  *	Match Address 192.168.0.*
1028  *		Tag trusted
1029  *	Match Group wheel
1030  *		Tag trusted
1031  *	Match Tag trusted
1032  *		AllowTcpForwarding yes
1033  *		GatewayPorts clientspecified
1034  *		[...]
1035  *
1036  *  - Add a PermittedChannelRequests directive
1037  *	Match Group shell
1038  *		PermittedChannelRequests session,forwarded-tcpip
1039  */
1040 
1041 static int
1042 match_cfg_line_group(const char *grps, int line, const char *user)
1043 {
1044 	int result = 0;
1045 	struct passwd *pw;
1046 
1047 	if (user == NULL)
1048 		goto out;
1049 
1050 	if ((pw = getpwnam(user)) == NULL) {
1051 		debug("Can't match group at line %d because user %.100s does "
1052 		    "not exist", line, user);
1053 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1054 		debug("Can't Match group because user %.100s not in any group "
1055 		    "at line %d", user, line);
1056 	} else if (ga_match_pattern_list(grps) != 1) {
1057 		debug("user %.100s does not match group list %.100s at line %d",
1058 		    user, grps, line);
1059 	} else {
1060 		debug("user %.100s matched group list %.100s at line %d", user,
1061 		    grps, line);
1062 		result = 1;
1063 	}
1064 out:
1065 	ga_free();
1066 	return result;
1067 }
1068 
1069 static void
1070 match_test_missing_fatal(const char *criteria, const char *attrib)
1071 {
1072 	fatal("'Match %s' in configuration but '%s' not in connection "
1073 	    "test specification.", criteria, attrib);
1074 }
1075 
1076 /*
1077  * All of the attributes on a single Match line are ANDed together, so we need
1078  * to check every attribute and set the result to zero if any attribute does
1079  * not match.
1080  */
1081 static int
1082 match_cfg_line(char **condition, int line, struct connection_info *ci)
1083 {
1084 	int result = 1, attributes = 0, port;
1085 	char *arg, *attrib, *cp = *condition;
1086 
1087 	if (ci == NULL)
1088 		debug3("checking syntax for 'Match %s'", cp);
1089 	else
1090 		debug3("checking match for '%s' user %s host %s addr %s "
1091 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1092 		    ci->host ? ci->host : "(null)",
1093 		    ci->address ? ci->address : "(null)",
1094 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
1095 
1096 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1097 		/* Terminate on comment */
1098 		if (*attrib == '#') {
1099 			cp = NULL; /* mark all arguments consumed */
1100 			break;
1101 		}
1102 		arg = NULL;
1103 		attributes++;
1104 		/* Criterion "all" has no argument and must appear alone */
1105 		if (strcasecmp(attrib, "all") == 0) {
1106 			if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
1107 			    *arg != '\0' && *arg != '#')) {
1108 				error("'all' cannot be combined with other "
1109 				    "Match attributes");
1110 				return -1;
1111 			}
1112 			if (arg != NULL && *arg == '#')
1113 				cp = NULL; /* mark all arguments consumed */
1114 			*condition = cp;
1115 			return 1;
1116 		}
1117 		/* All other criteria require an argument */
1118 		if ((arg = strdelim(&cp)) == NULL ||
1119 		    *arg == '\0' || *arg == '#') {
1120 			error("Missing Match criteria for %s", attrib);
1121 			return -1;
1122 		}
1123 		if (strcasecmp(attrib, "user") == 0) {
1124 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1125 				result = 0;
1126 				continue;
1127 			}
1128 			if (ci->user == NULL)
1129 				match_test_missing_fatal("User", "user");
1130 			if (match_usergroup_pattern_list(ci->user, arg) != 1)
1131 				result = 0;
1132 			else
1133 				debug("user %.100s matched 'User %.100s' at "
1134 				    "line %d", ci->user, arg, line);
1135 		} else if (strcasecmp(attrib, "group") == 0) {
1136 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1137 				result = 0;
1138 				continue;
1139 			}
1140 			if (ci->user == NULL)
1141 				match_test_missing_fatal("Group", "user");
1142 			switch (match_cfg_line_group(arg, line, ci->user)) {
1143 			case -1:
1144 				return -1;
1145 			case 0:
1146 				result = 0;
1147 			}
1148 		} else if (strcasecmp(attrib, "host") == 0) {
1149 			if (ci == NULL || (ci->test && ci->host == NULL)) {
1150 				result = 0;
1151 				continue;
1152 			}
1153 			if (ci->host == NULL)
1154 				match_test_missing_fatal("Host", "host");
1155 			if (match_hostname(ci->host, arg) != 1)
1156 				result = 0;
1157 			else
1158 				debug("connection from %.100s matched 'Host "
1159 				    "%.100s' at line %d", ci->host, arg, line);
1160 		} else if (strcasecmp(attrib, "address") == 0) {
1161 			if (ci == NULL || (ci->test && ci->address == NULL)) {
1162 				if (addr_match_list(NULL, arg) != 0)
1163 					fatal("Invalid Match address argument "
1164 					    "'%s' at line %d", arg, line);
1165 				result = 0;
1166 				continue;
1167 			}
1168 			if (ci->address == NULL)
1169 				match_test_missing_fatal("Address", "addr");
1170 			switch (addr_match_list(ci->address, arg)) {
1171 			case 1:
1172 				debug("connection from %.100s matched 'Address "
1173 				    "%.100s' at line %d", ci->address, arg, line);
1174 				break;
1175 			case 0:
1176 			case -1:
1177 				result = 0;
1178 				break;
1179 			case -2:
1180 				return -1;
1181 			}
1182 		} else if (strcasecmp(attrib, "localaddress") == 0){
1183 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1184 				if (addr_match_list(NULL, arg) != 0)
1185 					fatal("Invalid Match localaddress "
1186 					    "argument '%s' at line %d", arg,
1187 					    line);
1188 				result = 0;
1189 				continue;
1190 			}
1191 			if (ci->laddress == NULL)
1192 				match_test_missing_fatal("LocalAddress",
1193 				    "laddr");
1194 			switch (addr_match_list(ci->laddress, arg)) {
1195 			case 1:
1196 				debug("connection from %.100s matched "
1197 				    "'LocalAddress %.100s' at line %d",
1198 				    ci->laddress, arg, line);
1199 				break;
1200 			case 0:
1201 			case -1:
1202 				result = 0;
1203 				break;
1204 			case -2:
1205 				return -1;
1206 			}
1207 		} else if (strcasecmp(attrib, "localport") == 0) {
1208 			if ((port = a2port(arg)) == -1) {
1209 				error("Invalid LocalPort '%s' on Match line",
1210 				    arg);
1211 				return -1;
1212 			}
1213 			if (ci == NULL || (ci->test && ci->lport == -1)) {
1214 				result = 0;
1215 				continue;
1216 			}
1217 			if (ci->lport == 0)
1218 				match_test_missing_fatal("LocalPort", "lport");
1219 			/* TODO support port lists */
1220 			if (port == ci->lport)
1221 				debug("connection from %.100s matched "
1222 				    "'LocalPort %d' at line %d",
1223 				    ci->laddress, port, line);
1224 			else
1225 				result = 0;
1226 		} else if (strcasecmp(attrib, "rdomain") == 0) {
1227 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1228 				result = 0;
1229 				continue;
1230 			}
1231 			if (ci->rdomain == NULL)
1232 				match_test_missing_fatal("RDomain", "rdomain");
1233 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1234 				result = 0;
1235 			else
1236 				debug("user %.100s matched 'RDomain %.100s' at "
1237 				    "line %d", ci->rdomain, arg, line);
1238 		} else {
1239 			error("Unsupported Match attribute %s", attrib);
1240 			return -1;
1241 		}
1242 	}
1243 	if (attributes == 0) {
1244 		error("One or more attributes required for Match");
1245 		return -1;
1246 	}
1247 	if (ci != NULL)
1248 		debug3("match %sfound", result ? "" : "not ");
1249 	*condition = cp;
1250 	return result;
1251 }
1252 
1253 #define WHITESPACE " \t\r\n"
1254 
1255 /* Multistate option parsing */
1256 struct multistate {
1257 	char *key;
1258 	int value;
1259 };
1260 static const struct multistate multistate_flag[] = {
1261 	{ "yes",			1 },
1262 	{ "no",				0 },
1263 	{ NULL, -1 }
1264 };
1265 static const struct multistate multistate_ignore_rhosts[] = {
1266 	{ "yes",			IGNORE_RHOSTS_YES },
1267 	{ "no",				IGNORE_RHOSTS_NO },
1268 	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1269 	{ NULL, -1 }
1270 };
1271 static const struct multistate multistate_addressfamily[] = {
1272 	{ "inet",			AF_INET },
1273 	{ "inet6",			AF_INET6 },
1274 	{ "any",			AF_UNSPEC },
1275 	{ NULL, -1 }
1276 };
1277 static const struct multistate multistate_permitrootlogin[] = {
1278 	{ "without-password",		PERMIT_NO_PASSWD },
1279 	{ "prohibit-password",		PERMIT_NO_PASSWD },
1280 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
1281 	{ "yes",			PERMIT_YES },
1282 	{ "no",				PERMIT_NO },
1283 	{ NULL, -1 }
1284 };
1285 static const struct multistate multistate_compression[] = {
1286 #ifdef WITH_ZLIB
1287 	{ "yes",			COMP_DELAYED },
1288 	{ "delayed",			COMP_DELAYED },
1289 #endif
1290 	{ "no",				COMP_NONE },
1291 	{ NULL, -1 }
1292 };
1293 static const struct multistate multistate_gatewayports[] = {
1294 	{ "clientspecified",		2 },
1295 	{ "yes",			1 },
1296 	{ "no",				0 },
1297 	{ NULL, -1 }
1298 };
1299 static const struct multistate multistate_tcpfwd[] = {
1300 	{ "yes",			FORWARD_ALLOW },
1301 	{ "all",			FORWARD_ALLOW },
1302 	{ "no",				FORWARD_DENY },
1303 	{ "remote",			FORWARD_REMOTE },
1304 	{ "local",			FORWARD_LOCAL },
1305 	{ NULL, -1 }
1306 };
1307 
1308 static int
1309 process_server_config_line_depth(ServerOptions *options, char *line,
1310     const char *filename, int linenum, int *activep,
1311     struct connection_info *connectinfo, int *inc_flags, int depth,
1312     struct include_list *includes)
1313 {
1314 	char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
1315 	int cmdline = 0, *intptr, value, value2, n, port, oactive, r;
1316 	int ca_only = 0, found = 0;
1317 	SyslogFacility *log_facility_ptr;
1318 	LogLevel *log_level_ptr;
1319 	ServerOpCodes opcode;
1320 	u_int i, *uintptr, flags = 0;
1321 	size_t len;
1322 	long long val64;
1323 	const struct multistate *multistate_ptr;
1324 	const char *errstr;
1325 	struct include_item *item;
1326 	glob_t gbuf;
1327 	char **oav = NULL, **av;
1328 	int oac = 0, ac;
1329 	int ret = -1;
1330 	char **strs = NULL; /* string array arguments; freed implicitly */
1331 	u_int nstrs = 0;
1332 
1333 	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1334 	if ((len = strlen(line)) == 0)
1335 		return 0;
1336 	for (len--; len > 0; len--) {
1337 		if (strchr(WHITESPACE "\f", line[len]) == NULL)
1338 			break;
1339 		line[len] = '\0';
1340 	}
1341 
1342 	str = line;
1343 	if ((keyword = strdelim(&str)) == NULL)
1344 		return 0;
1345 	/* Ignore leading whitespace */
1346 	if (*keyword == '\0')
1347 		keyword = strdelim(&str);
1348 	if (!keyword || !*keyword || *keyword == '#')
1349 		return 0;
1350 	if (str == NULL || *str == '\0') {
1351 		error("%s line %d: no argument after keyword \"%s\"",
1352 		    filename, linenum, keyword);
1353 		return -1;
1354 	}
1355 	intptr = NULL;
1356 	charptr = NULL;
1357 	opcode = parse_token(keyword, filename, linenum, &flags);
1358 
1359 	if (argv_split(str, &oac, &oav, 1) != 0) {
1360 		error("%s line %d: invalid quotes", filename, linenum);
1361 		return -1;
1362 	}
1363 	ac = oac;
1364 	av = oav;
1365 
1366 	if (activep == NULL) { /* We are processing a command line directive */
1367 		cmdline = 1;
1368 		activep = &cmdline;
1369 	}
1370 	if (*activep && opcode != sMatch && opcode != sInclude)
1371 		debug3("%s:%d setting %s %s", filename, linenum, keyword, str);
1372 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1373 		if (connectinfo == NULL) {
1374 			fatal("%s line %d: Directive '%s' is not allowed "
1375 			    "within a Match block", filename, linenum, keyword);
1376 		} else { /* this is a directive we have already processed */
1377 			ret = 0;
1378 			goto out;
1379 		}
1380 	}
1381 
1382 	switch (opcode) {
1383 	/* Portable-specific options */
1384 	case sUsePAM:
1385 		intptr = &options->use_pam;
1386 		goto parse_flag;
1387 
1388 	/* Standard Options */
1389 	case sBadOption:
1390 		goto out;
1391 	case sPort:
1392 		/* ignore ports from configfile if cmdline specifies ports */
1393 		if (options->ports_from_cmdline) {
1394 			argv_consume(&ac);
1395 			break;
1396 		}
1397 		if (options->num_ports >= MAX_PORTS)
1398 			fatal("%s line %d: too many ports.",
1399 			    filename, linenum);
1400 		arg = argv_next(&ac, &av);
1401 		if (!arg || *arg == '\0')
1402 			fatal("%s line %d: missing port number.",
1403 			    filename, linenum);
1404 		options->ports[options->num_ports++] = a2port(arg);
1405 		if (options->ports[options->num_ports-1] <= 0)
1406 			fatal("%s line %d: Badly formatted port number.",
1407 			    filename, linenum);
1408 		break;
1409 
1410 	case sLoginGraceTime:
1411 		intptr = &options->login_grace_time;
1412  parse_time:
1413 		arg = argv_next(&ac, &av);
1414 		if (!arg || *arg == '\0')
1415 			fatal("%s line %d: missing time value.",
1416 			    filename, linenum);
1417 		if ((value = convtime(arg)) == -1)
1418 			fatal("%s line %d: invalid time value.",
1419 			    filename, linenum);
1420 		if (*activep && *intptr == -1)
1421 			*intptr = value;
1422 		break;
1423 
1424 	case sListenAddress:
1425 		arg = argv_next(&ac, &av);
1426 		if (arg == NULL || *arg == '\0')
1427 			fatal("%s line %d: missing address",
1428 			    filename, linenum);
1429 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1430 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1431 		    && strchr(p+1, ':') != NULL) {
1432 			port = 0;
1433 			p = arg;
1434 		} else {
1435 			arg2 = NULL;
1436 			p = hpdelim(&arg);
1437 			if (p == NULL)
1438 				fatal("%s line %d: bad address:port usage",
1439 				    filename, linenum);
1440 			p = cleanhostname(p);
1441 			if (arg == NULL)
1442 				port = 0;
1443 			else if ((port = a2port(arg)) <= 0)
1444 				fatal("%s line %d: bad port number",
1445 				    filename, linenum);
1446 		}
1447 		/* Optional routing table */
1448 		arg2 = NULL;
1449 		if ((arg = argv_next(&ac, &av)) != NULL) {
1450 			if (strcmp(arg, "rdomain") != 0 ||
1451 			    (arg2 = argv_next(&ac, &av)) == NULL)
1452 				fatal("%s line %d: bad ListenAddress syntax",
1453 				    filename, linenum);
1454 			if (!valid_rdomain(arg2))
1455 				fatal("%s line %d: bad routing domain",
1456 				    filename, linenum);
1457 		}
1458 		queue_listen_addr(options, p, arg2, port);
1459 
1460 		break;
1461 
1462 	case sAddressFamily:
1463 		intptr = &options->address_family;
1464 		multistate_ptr = multistate_addressfamily;
1465  parse_multistate:
1466 		arg = argv_next(&ac, &av);
1467 		if (!arg || *arg == '\0')
1468 			fatal("%s line %d: missing argument.",
1469 			    filename, linenum);
1470 		value = -1;
1471 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1472 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1473 				value = multistate_ptr[i].value;
1474 				break;
1475 			}
1476 		}
1477 		if (value == -1)
1478 			fatal("%s line %d: unsupported option \"%s\".",
1479 			    filename, linenum, arg);
1480 		if (*activep && *intptr == -1)
1481 			*intptr = value;
1482 		break;
1483 
1484 	case sHostKeyFile:
1485 		arg = argv_next(&ac, &av);
1486 		if (!arg || *arg == '\0')
1487 			fatal("%s line %d: missing file name.",
1488 			    filename, linenum);
1489 		if (*activep) {
1490 			servconf_add_hostkey(filename, linenum,
1491 			    options, arg, 1);
1492 		}
1493 		break;
1494 
1495 	case sHostKeyAgent:
1496 		charptr = &options->host_key_agent;
1497 		arg = argv_next(&ac, &av);
1498 		if (!arg || *arg == '\0')
1499 			fatal("%s line %d: missing socket name.",
1500 			    filename, linenum);
1501 		if (*activep && *charptr == NULL)
1502 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1503 			    xstrdup(arg) : derelativise_path(arg);
1504 		break;
1505 
1506 	case sHostCertificate:
1507 		arg = argv_next(&ac, &av);
1508 		if (!arg || *arg == '\0')
1509 			fatal("%s line %d: missing file name.",
1510 			    filename, linenum);
1511 		if (*activep)
1512 			servconf_add_hostcert(filename, linenum, options, arg);
1513 		break;
1514 
1515 	case sPidFile:
1516 		charptr = &options->pid_file;
1517  parse_filename:
1518 		arg = argv_next(&ac, &av);
1519 		if (!arg || *arg == '\0')
1520 			fatal("%s line %d: missing file name.",
1521 			    filename, linenum);
1522 		if (*activep && *charptr == NULL) {
1523 			*charptr = derelativise_path(arg);
1524 			/* increase optional counter */
1525 			if (intptr != NULL)
1526 				*intptr = *intptr + 1;
1527 		}
1528 		break;
1529 
1530 	case sModuliFile:
1531 		charptr = &options->moduli_file;
1532 		goto parse_filename;
1533 
1534 	case sPermitRootLogin:
1535 		intptr = &options->permit_root_login;
1536 		multistate_ptr = multistate_permitrootlogin;
1537 		goto parse_multistate;
1538 
1539 	case sIgnoreRhosts:
1540 		intptr = &options->ignore_rhosts;
1541 		multistate_ptr = multistate_ignore_rhosts;
1542 		goto parse_multistate;
1543 
1544 	case sIgnoreUserKnownHosts:
1545 		intptr = &options->ignore_user_known_hosts;
1546  parse_flag:
1547 		multistate_ptr = multistate_flag;
1548 		goto parse_multistate;
1549 
1550 	case sHostbasedAuthentication:
1551 		intptr = &options->hostbased_authentication;
1552 		goto parse_flag;
1553 
1554 	case sHostbasedUsesNameFromPacketOnly:
1555 		intptr = &options->hostbased_uses_name_from_packet_only;
1556 		goto parse_flag;
1557 
1558 	case sHostbasedAcceptedAlgorithms:
1559 		charptr = &options->hostbased_accepted_algos;
1560 		ca_only = 0;
1561  parse_pubkey_algos:
1562 		arg = argv_next(&ac, &av);
1563 		if (!arg || *arg == '\0')
1564 			fatal("%s line %d: Missing argument.",
1565 			    filename, linenum);
1566 		if (*arg != '-' &&
1567 		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1568 		    arg + 1 : arg, 1, ca_only))
1569 			fatal("%s line %d: Bad key types '%s'.",
1570 			    filename, linenum, arg ? arg : "<NONE>");
1571 		if (*activep && *charptr == NULL)
1572 			*charptr = xstrdup(arg);
1573 		break;
1574 
1575 	case sHostKeyAlgorithms:
1576 		charptr = &options->hostkeyalgorithms;
1577 		ca_only = 0;
1578 		goto parse_pubkey_algos;
1579 
1580 	case sCASignatureAlgorithms:
1581 		charptr = &options->ca_sign_algorithms;
1582 		ca_only = 1;
1583 		goto parse_pubkey_algos;
1584 
1585 	case sPubkeyAuthentication:
1586 		intptr = &options->pubkey_authentication;
1587 		ca_only = 0;
1588 		goto parse_flag;
1589 
1590 	case sPubkeyAcceptedAlgorithms:
1591 		charptr = &options->pubkey_accepted_algos;
1592 		ca_only = 0;
1593 		goto parse_pubkey_algos;
1594 
1595 	case sPubkeyAuthOptions:
1596 		intptr = &options->pubkey_auth_options;
1597 		value = 0;
1598 		while ((arg = argv_next(&ac, &av)) != NULL) {
1599 			if (strcasecmp(arg, "none") == 0)
1600 				continue;
1601 			if (strcasecmp(arg, "touch-required") == 0)
1602 				value |= PUBKEYAUTH_TOUCH_REQUIRED;
1603 			else if (strcasecmp(arg, "verify-required") == 0)
1604 				value |= PUBKEYAUTH_VERIFY_REQUIRED;
1605 			else {
1606 				error("%s line %d: unsupported %s option %s",
1607 				    filename, linenum, keyword, arg);
1608 				goto out;
1609 			}
1610 		}
1611 		if (*activep && *intptr == -1)
1612 			*intptr = value;
1613 		break;
1614 
1615 	case sKerberosAuthentication:
1616 		intptr = &options->kerberos_authentication;
1617 		goto parse_flag;
1618 
1619 	case sKerberosOrLocalPasswd:
1620 		intptr = &options->kerberos_or_local_passwd;
1621 		goto parse_flag;
1622 
1623 	case sKerberosTicketCleanup:
1624 		intptr = &options->kerberos_ticket_cleanup;
1625 		goto parse_flag;
1626 
1627 	case sKerberosGetAFSToken:
1628 		intptr = &options->kerberos_get_afs_token;
1629 		goto parse_flag;
1630 
1631 	case sGssAuthentication:
1632 		intptr = &options->gss_authentication;
1633 		goto parse_flag;
1634 
1635 	case sGssCleanupCreds:
1636 		intptr = &options->gss_cleanup_creds;
1637 		goto parse_flag;
1638 
1639 	case sGssStrictAcceptor:
1640 		intptr = &options->gss_strict_acceptor;
1641 		goto parse_flag;
1642 
1643 	case sPasswordAuthentication:
1644 		intptr = &options->password_authentication;
1645 		goto parse_flag;
1646 
1647 	case sKbdInteractiveAuthentication:
1648 		intptr = &options->kbd_interactive_authentication;
1649 		goto parse_flag;
1650 
1651 	case sPrintMotd:
1652 		intptr = &options->print_motd;
1653 		goto parse_flag;
1654 
1655 	case sPrintLastLog:
1656 		intptr = &options->print_lastlog;
1657 		goto parse_flag;
1658 
1659 	case sX11Forwarding:
1660 		intptr = &options->x11_forwarding;
1661 		goto parse_flag;
1662 
1663 	case sX11DisplayOffset:
1664 		intptr = &options->x11_display_offset;
1665  parse_int:
1666 		arg = argv_next(&ac, &av);
1667 		if ((errstr = atoi_err(arg, &value)) != NULL)
1668 			fatal("%s line %d: %s integer value %s.",
1669 			    filename, linenum, keyword, errstr);
1670 		if (*activep && *intptr == -1)
1671 			*intptr = value;
1672 		break;
1673 
1674 	case sX11UseLocalhost:
1675 		intptr = &options->x11_use_localhost;
1676 		goto parse_flag;
1677 
1678 	case sXAuthLocation:
1679 		charptr = &options->xauth_location;
1680 		goto parse_filename;
1681 
1682 	case sPermitTTY:
1683 		intptr = &options->permit_tty;
1684 		goto parse_flag;
1685 
1686 	case sPermitUserRC:
1687 		intptr = &options->permit_user_rc;
1688 		goto parse_flag;
1689 
1690 	case sStrictModes:
1691 		intptr = &options->strict_modes;
1692 		goto parse_flag;
1693 
1694 	case sTCPKeepAlive:
1695 		intptr = &options->tcp_keep_alive;
1696 		goto parse_flag;
1697 
1698 	case sEmptyPasswd:
1699 		intptr = &options->permit_empty_passwd;
1700 		goto parse_flag;
1701 
1702 	case sPermitUserEnvironment:
1703 		intptr = &options->permit_user_env;
1704 		charptr = &options->permit_user_env_allowlist;
1705 		arg = argv_next(&ac, &av);
1706 		if (!arg || *arg == '\0')
1707 			fatal("%s line %d: %s missing argument.",
1708 			    filename, linenum, keyword);
1709 		value = 0;
1710 		p = NULL;
1711 		if (strcmp(arg, "yes") == 0)
1712 			value = 1;
1713 		else if (strcmp(arg, "no") == 0)
1714 			value = 0;
1715 		else {
1716 			/* Pattern-list specified */
1717 			value = 1;
1718 			p = xstrdup(arg);
1719 		}
1720 		if (*activep && *intptr == -1) {
1721 			*intptr = value;
1722 			*charptr = p;
1723 			p = NULL;
1724 		}
1725 		free(p);
1726 		break;
1727 
1728 	case sCompression:
1729 		intptr = &options->compression;
1730 		multistate_ptr = multistate_compression;
1731 		goto parse_multistate;
1732 
1733 	case sRekeyLimit:
1734 		arg = argv_next(&ac, &av);
1735 		if (!arg || *arg == '\0')
1736 			fatal("%s line %d: %s missing argument.",
1737 			    filename, linenum, keyword);
1738 		if (strcmp(arg, "default") == 0) {
1739 			val64 = 0;
1740 		} else {
1741 			if (scan_scaled(arg, &val64) == -1)
1742 				fatal("%.200s line %d: Bad %s number '%s': %s",
1743 				    filename, linenum, keyword,
1744 				    arg, strerror(errno));
1745 			if (val64 != 0 && val64 < 16)
1746 				fatal("%.200s line %d: %s too small",
1747 				    filename, linenum, keyword);
1748 		}
1749 		if (*activep && options->rekey_limit == -1)
1750 			options->rekey_limit = val64;
1751 		if (ac != 0) { /* optional rekey interval present */
1752 			if (strcmp(av[0], "none") == 0) {
1753 				(void)argv_next(&ac, &av);	/* discard */
1754 				break;
1755 			}
1756 			intptr = &options->rekey_interval;
1757 			goto parse_time;
1758 		}
1759 		break;
1760 
1761 	case sGatewayPorts:
1762 		intptr = &options->fwd_opts.gateway_ports;
1763 		multistate_ptr = multistate_gatewayports;
1764 		goto parse_multistate;
1765 
1766 	case sUseDNS:
1767 		intptr = &options->use_dns;
1768 		goto parse_flag;
1769 
1770 	case sLogFacility:
1771 		log_facility_ptr = &options->log_facility;
1772 		arg = argv_next(&ac, &av);
1773 		value = log_facility_number(arg);
1774 		if (value == SYSLOG_FACILITY_NOT_SET)
1775 			fatal("%.200s line %d: unsupported log facility '%s'",
1776 			    filename, linenum, arg ? arg : "<NONE>");
1777 		if (*log_facility_ptr == -1)
1778 			*log_facility_ptr = (SyslogFacility) value;
1779 		break;
1780 
1781 	case sLogLevel:
1782 		log_level_ptr = &options->log_level;
1783 		arg = argv_next(&ac, &av);
1784 		value = log_level_number(arg);
1785 		if (value == SYSLOG_LEVEL_NOT_SET)
1786 			fatal("%.200s line %d: unsupported log level '%s'",
1787 			    filename, linenum, arg ? arg : "<NONE>");
1788 		if (*activep && *log_level_ptr == -1)
1789 			*log_level_ptr = (LogLevel) value;
1790 		break;
1791 
1792 	case sLogVerbose:
1793 		found = options->num_log_verbose == 0;
1794 		while ((arg = argv_next(&ac, &av)) != NULL) {
1795 			if (*arg == '\0') {
1796 				error("%s line %d: keyword %s empty argument",
1797 				    filename, linenum, keyword);
1798 				goto out;
1799 			}
1800 			/* Allow "none" only in first position */
1801 			if (strcasecmp(arg, "none") == 0) {
1802 				if (nstrs > 0 || ac > 0) {
1803 					error("%s line %d: keyword %s \"none\" "
1804 					    "argument must appear alone.",
1805 					    filename, linenum, keyword);
1806 					goto out;
1807 				}
1808 			}
1809 			opt_array_append(filename, linenum, keyword,
1810 			    &strs, &nstrs, arg);
1811 		}
1812 		if (nstrs == 0) {
1813 			fatal("%s line %d: no %s specified",
1814 			    filename, linenum, keyword);
1815 		}
1816 		if (found && *activep) {
1817 			options->log_verbose = strs;
1818 			options->num_log_verbose = nstrs;
1819 			strs = NULL; /* transferred */
1820 			nstrs = 0;
1821 		}
1822 		break;
1823 
1824 	case sAllowTcpForwarding:
1825 		intptr = &options->allow_tcp_forwarding;
1826 		multistate_ptr = multistate_tcpfwd;
1827 		goto parse_multistate;
1828 
1829 	case sAllowStreamLocalForwarding:
1830 		intptr = &options->allow_streamlocal_forwarding;
1831 		multistate_ptr = multistate_tcpfwd;
1832 		goto parse_multistate;
1833 
1834 	case sAllowAgentForwarding:
1835 		intptr = &options->allow_agent_forwarding;
1836 		goto parse_flag;
1837 
1838 	case sDisableForwarding:
1839 		intptr = &options->disable_forwarding;
1840 		goto parse_flag;
1841 
1842 	case sAllowUsers:
1843 		chararrayptr = &options->allow_users;
1844 		uintptr = &options->num_allow_users;
1845  parse_allowdenyusers:
1846 		/* XXX appends to list; doesn't respect first-match-wins */
1847 		while ((arg = argv_next(&ac, &av)) != NULL) {
1848 			if (*arg == '\0' ||
1849 			    match_user(NULL, NULL, NULL, arg) == -1)
1850 				fatal("%s line %d: invalid %s pattern: \"%s\"",
1851 				    filename, linenum, keyword, arg);
1852 			found = 1;
1853 			if (!*activep)
1854 				continue;
1855 			opt_array_append(filename, linenum, keyword,
1856 			    chararrayptr, uintptr, arg);
1857 		}
1858 		if (!found) {
1859 			fatal("%s line %d: no %s specified",
1860 			    filename, linenum, keyword);
1861 		}
1862 		break;
1863 
1864 	case sDenyUsers:
1865 		chararrayptr = &options->deny_users;
1866 		uintptr = &options->num_deny_users;
1867 		goto parse_allowdenyusers;
1868 
1869 	case sAllowGroups:
1870 		chararrayptr = &options->allow_groups;
1871 		uintptr = &options->num_allow_groups;
1872 		/* XXX appends to list; doesn't respect first-match-wins */
1873  parse_allowdenygroups:
1874 		while ((arg = argv_next(&ac, &av)) != NULL) {
1875 			if (*arg == '\0')
1876 				fatal("%s line %d: empty %s pattern",
1877 				    filename, linenum, keyword);
1878 			found = 1;
1879 			if (!*activep)
1880 				continue;
1881 			opt_array_append(filename, linenum, keyword,
1882 			    chararrayptr, uintptr, arg);
1883 		}
1884 		if (!found) {
1885 			fatal("%s line %d: no %s specified",
1886 			    filename, linenum, keyword);
1887 		}
1888 		break;
1889 
1890 	case sDenyGroups:
1891 		chararrayptr = &options->deny_groups;
1892 		uintptr = &options->num_deny_groups;
1893 		goto parse_allowdenygroups;
1894 
1895 	case sCiphers:
1896 		arg = argv_next(&ac, &av);
1897 		if (!arg || *arg == '\0')
1898 			fatal("%s line %d: %s missing argument.",
1899 			    filename, linenum, keyword);
1900 		if (*arg != '-' &&
1901 		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1902 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1903 			    filename, linenum, arg ? arg : "<NONE>");
1904 		if (options->ciphers == NULL)
1905 			options->ciphers = xstrdup(arg);
1906 		break;
1907 
1908 	case sMacs:
1909 		arg = argv_next(&ac, &av);
1910 		if (!arg || *arg == '\0')
1911 			fatal("%s line %d: %s missing argument.",
1912 			    filename, linenum, keyword);
1913 		if (*arg != '-' &&
1914 		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1915 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1916 			    filename, linenum, arg ? arg : "<NONE>");
1917 		if (options->macs == NULL)
1918 			options->macs = xstrdup(arg);
1919 		break;
1920 
1921 	case sKexAlgorithms:
1922 		arg = argv_next(&ac, &av);
1923 		if (!arg || *arg == '\0')
1924 			fatal("%s line %d: %s missing argument.",
1925 			    filename, linenum, keyword);
1926 		if (*arg != '-' &&
1927 		    !kex_names_valid(*arg == '+' || *arg == '^' ?
1928 		    arg + 1 : arg))
1929 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1930 			    filename, linenum, arg ? arg : "<NONE>");
1931 		if (options->kex_algorithms == NULL)
1932 			options->kex_algorithms = xstrdup(arg);
1933 		break;
1934 
1935 	case sSubsystem:
1936 		arg = argv_next(&ac, &av);
1937 		if (!arg || *arg == '\0')
1938 			fatal("%s line %d: %s missing argument.",
1939 			    filename, linenum, keyword);
1940 		if (!*activep) {
1941 			argv_consume(&ac);
1942 			break;
1943 		}
1944 		found = 0;
1945 		for (i = 0; i < options->num_subsystems; i++) {
1946 			if (strcmp(arg, options->subsystem_name[i]) == 0) {
1947 				found = 1;
1948 				break;
1949 			}
1950 		}
1951 		if (found) {
1952 			debug("%s line %d: Subsystem '%s' already defined.",
1953 			    filename, linenum, arg);
1954 			argv_consume(&ac);
1955 			break;
1956 		}
1957 		options->subsystem_name = xrecallocarray(
1958 		    options->subsystem_name, options->num_subsystems,
1959 		    options->num_subsystems + 1,
1960 		    sizeof(*options->subsystem_name));
1961 		options->subsystem_command = xrecallocarray(
1962 		    options->subsystem_command, options->num_subsystems,
1963 		    options->num_subsystems + 1,
1964 		    sizeof(*options->subsystem_command));
1965 		options->subsystem_args = xrecallocarray(
1966 		    options->subsystem_args, options->num_subsystems,
1967 		    options->num_subsystems + 1,
1968 		    sizeof(*options->subsystem_args));
1969 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1970 		arg = argv_next(&ac, &av);
1971 		if (!arg || *arg == '\0') {
1972 			fatal("%s line %d: Missing subsystem command.",
1973 			    filename, linenum);
1974 		}
1975 		options->subsystem_command[options->num_subsystems] =
1976 		    xstrdup(arg);
1977 		/* Collect arguments (separate to executable) */
1978 		arg = argv_assemble(1, &arg); /* quote command correctly */
1979 		arg2 = argv_assemble(ac, av); /* rest of command */
1980 		xasprintf(&options->subsystem_args[options->num_subsystems],
1981 		    "%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
1982 		free(arg2);
1983 		argv_consume(&ac);
1984 		options->num_subsystems++;
1985 		break;
1986 
1987 	case sMaxStartups:
1988 		arg = argv_next(&ac, &av);
1989 		if (!arg || *arg == '\0')
1990 			fatal("%s line %d: %s missing argument.",
1991 			    filename, linenum, keyword);
1992 		if ((n = sscanf(arg, "%d:%d:%d",
1993 		    &options->max_startups_begin,
1994 		    &options->max_startups_rate,
1995 		    &options->max_startups)) == 3) {
1996 			if (options->max_startups_begin >
1997 			    options->max_startups ||
1998 			    options->max_startups_rate > 100 ||
1999 			    options->max_startups_rate < 1)
2000 				fatal("%s line %d: Invalid %s spec.",
2001 				    filename, linenum, keyword);
2002 		} else if (n != 1)
2003 			fatal("%s line %d: Invalid %s spec.",
2004 			    filename, linenum, keyword);
2005 		else
2006 			options->max_startups = options->max_startups_begin;
2007 		if (options->max_startups <= 0 ||
2008 		    options->max_startups_begin <= 0)
2009 			fatal("%s line %d: Invalid %s spec.",
2010 			    filename, linenum, keyword);
2011 		break;
2012 
2013 	case sPerSourceNetBlockSize:
2014 		arg = argv_next(&ac, &av);
2015 		if (!arg || *arg == '\0')
2016 			fatal("%s line %d: %s missing argument.",
2017 			    filename, linenum, keyword);
2018 		switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
2019 		case 2:
2020 			if (value2 < 0 || value2 > 128)
2021 				n = -1;
2022 			/* FALLTHROUGH */
2023 		case 1:
2024 			if (value < 0 || value > 32)
2025 				n = -1;
2026 		}
2027 		if (n != 1 && n != 2)
2028 			fatal("%s line %d: Invalid %s spec.",
2029 			    filename, linenum, keyword);
2030 		if (*activep) {
2031 			options->per_source_masklen_ipv4 = value;
2032 			options->per_source_masklen_ipv6 = value2;
2033 		}
2034 		break;
2035 
2036 	case sPerSourceMaxStartups:
2037 		arg = argv_next(&ac, &av);
2038 		if (!arg || *arg == '\0')
2039 			fatal("%s line %d: %s missing argument.",
2040 			    filename, linenum, keyword);
2041 		if (strcmp(arg, "none") == 0) { /* no limit */
2042 			value = INT_MAX;
2043 		} else {
2044 			if ((errstr = atoi_err(arg, &value)) != NULL)
2045 				fatal("%s line %d: %s integer value %s.",
2046 				    filename, linenum, keyword, errstr);
2047 		}
2048 		if (*activep && options->per_source_max_startups == -1)
2049 			options->per_source_max_startups = value;
2050 		break;
2051 
2052 	case sMaxAuthTries:
2053 		intptr = &options->max_authtries;
2054 		goto parse_int;
2055 
2056 	case sMaxSessions:
2057 		intptr = &options->max_sessions;
2058 		goto parse_int;
2059 
2060 	case sBanner:
2061 		charptr = &options->banner;
2062 		goto parse_filename;
2063 
2064 	/*
2065 	 * These options can contain %X options expanded at
2066 	 * connect time, so that you can specify paths like:
2067 	 *
2068 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
2069 	 */
2070 	case sAuthorizedKeysFile:
2071 		found = options->num_authkeys_files == 0;
2072 		while ((arg = argv_next(&ac, &av)) != NULL) {
2073 			if (*arg == '\0') {
2074 				error("%s line %d: keyword %s empty argument",
2075 				    filename, linenum, keyword);
2076 				goto out;
2077 			}
2078 			arg2 = tilde_expand_filename(arg, getuid());
2079 			opt_array_append(filename, linenum, keyword,
2080 			    &strs, &nstrs, arg2);
2081 			free(arg2);
2082 		}
2083 		if (nstrs == 0) {
2084 			fatal("%s line %d: no %s specified",
2085 			    filename, linenum, keyword);
2086 		}
2087 		if (found && *activep) {
2088 			options->authorized_keys_files = strs;
2089 			options->num_authkeys_files = nstrs;
2090 			strs = NULL; /* transferred */
2091 			nstrs = 0;
2092 		}
2093 		break;
2094 
2095 	case sAuthorizedPrincipalsFile:
2096 		charptr = &options->authorized_principals_file;
2097 		arg = argv_next(&ac, &av);
2098 		if (!arg || *arg == '\0')
2099 			fatal("%s line %d: %s missing argument.",
2100 			    filename, linenum, keyword);
2101 		if (*activep && *charptr == NULL) {
2102 			*charptr = tilde_expand_filename(arg, getuid());
2103 			/* increase optional counter */
2104 			if (intptr != NULL)
2105 				*intptr = *intptr + 1;
2106 		}
2107 		break;
2108 
2109 	case sClientAliveInterval:
2110 		intptr = &options->client_alive_interval;
2111 		goto parse_time;
2112 
2113 	case sClientAliveCountMax:
2114 		intptr = &options->client_alive_count_max;
2115 		goto parse_int;
2116 
2117 	case sAcceptEnv:
2118 		/* XXX appends to list; doesn't respect first-match-wins */
2119 		while ((arg = argv_next(&ac, &av)) != NULL) {
2120 			if (*arg == '\0' || strchr(arg, '=') != NULL)
2121 				fatal("%s line %d: Invalid environment name.",
2122 				    filename, linenum);
2123 			found = 1;
2124 			if (!*activep)
2125 				continue;
2126 			opt_array_append(filename, linenum, keyword,
2127 			    &options->accept_env, &options->num_accept_env,
2128 			    arg);
2129 		}
2130 		if (!found) {
2131 			fatal("%s line %d: no %s specified",
2132 			    filename, linenum, keyword);
2133 		}
2134 		break;
2135 
2136 	case sSetEnv:
2137 		found = options->num_setenv == 0;
2138 		while ((arg = argv_next(&ac, &av)) != NULL) {
2139 			if (*arg == '\0' || strchr(arg, '=') == NULL)
2140 				fatal("%s line %d: Invalid environment.",
2141 				    filename, linenum);
2142 			if (lookup_setenv_in_list(arg, strs, nstrs) != NULL) {
2143 				debug2("%s line %d: ignoring duplicate env "
2144 				    "name \"%.64s\"", filename, linenum, arg);
2145 				continue;
2146 			}
2147 			opt_array_append(filename, linenum, keyword,
2148 			    &strs, &nstrs, arg);
2149 		}
2150 		if (nstrs == 0) {
2151 			fatal("%s line %d: no %s specified",
2152 			    filename, linenum, keyword);
2153 		}
2154 		if (found && *activep) {
2155 			options->setenv = strs;
2156 			options->num_setenv = nstrs;
2157 			strs = NULL; /* transferred */
2158 			nstrs = 0;
2159 		}
2160 		break;
2161 
2162 	case sPermitTunnel:
2163 		intptr = &options->permit_tun;
2164 		arg = argv_next(&ac, &av);
2165 		if (!arg || *arg == '\0')
2166 			fatal("%s line %d: %s missing argument.",
2167 			    filename, linenum, keyword);
2168 		value = -1;
2169 		for (i = 0; tunmode_desc[i].val != -1; i++)
2170 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
2171 				value = tunmode_desc[i].val;
2172 				break;
2173 			}
2174 		if (value == -1)
2175 			fatal("%s line %d: bad %s argument %s",
2176 			    filename, linenum, keyword, arg);
2177 		if (*activep && *intptr == -1)
2178 			*intptr = value;
2179 		break;
2180 
2181 	case sInclude:
2182 		if (cmdline) {
2183 			fatal("Include directive not supported as a "
2184 			    "command-line option");
2185 		}
2186 		value = 0;
2187 		while ((arg2 = argv_next(&ac, &av)) != NULL) {
2188 			if (*arg2 == '\0') {
2189 				error("%s line %d: keyword %s empty argument",
2190 				    filename, linenum, keyword);
2191 				goto out;
2192 			}
2193 			value++;
2194 			found = 0;
2195 			if (*arg2 != '/' && *arg2 != '~') {
2196 				xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2197 			} else
2198 				arg = xstrdup(arg2);
2199 
2200 			/*
2201 			 * Don't let included files clobber the containing
2202 			 * file's Match state.
2203 			 */
2204 			oactive = *activep;
2205 
2206 			/* consult cache of include files */
2207 			TAILQ_FOREACH(item, includes, entry) {
2208 				if (strcmp(item->selector, arg) != 0)
2209 					continue;
2210 				if (item->filename != NULL) {
2211 					parse_server_config_depth(options,
2212 					    item->filename, item->contents,
2213 					    includes, connectinfo,
2214 					    (*inc_flags & SSHCFG_MATCH_ONLY
2215 					        ? SSHCFG_MATCH_ONLY : (oactive
2216 					            ? 0 : SSHCFG_NEVERMATCH)),
2217 					    activep, depth + 1);
2218 				}
2219 				found = 1;
2220 				*activep = oactive;
2221 			}
2222 			if (found != 0) {
2223 				free(arg);
2224 				continue;
2225 			}
2226 
2227 			/* requested glob was not in cache */
2228 			debug2("%s line %d: new include %s",
2229 			    filename, linenum, arg);
2230 			if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2231 				if (r != GLOB_NOMATCH) {
2232 					fatal("%s line %d: include \"%s\" glob "
2233 					    "failed", filename, linenum, arg);
2234 				}
2235 				/*
2236 				 * If no entry matched then record a
2237 				 * placeholder to skip later glob calls.
2238 				 */
2239 				debug2("%s line %d: no match for %s",
2240 				    filename, linenum, arg);
2241 				item = xcalloc(1, sizeof(*item));
2242 				item->selector = strdup(arg);
2243 				TAILQ_INSERT_TAIL(includes,
2244 				    item, entry);
2245 			}
2246 			if (gbuf.gl_pathc > INT_MAX)
2247 				fatal_f("too many glob results");
2248 			for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2249 				debug2("%s line %d: including %s",
2250 				    filename, linenum, gbuf.gl_pathv[n]);
2251 				item = xcalloc(1, sizeof(*item));
2252 				item->selector = strdup(arg);
2253 				item->filename = strdup(gbuf.gl_pathv[n]);
2254 				if ((item->contents = sshbuf_new()) == NULL)
2255 					fatal_f("sshbuf_new failed");
2256 				load_server_config(item->filename,
2257 				    item->contents);
2258 				parse_server_config_depth(options,
2259 				    item->filename, item->contents,
2260 				    includes, connectinfo,
2261 				    (*inc_flags & SSHCFG_MATCH_ONLY
2262 				        ? SSHCFG_MATCH_ONLY : (oactive
2263 				            ? 0 : SSHCFG_NEVERMATCH)),
2264 				    activep, depth + 1);
2265 				*activep = oactive;
2266 				TAILQ_INSERT_TAIL(includes, item, entry);
2267 			}
2268 			globfree(&gbuf);
2269 			free(arg);
2270 		}
2271 		if (value == 0) {
2272 			fatal("%s line %d: %s missing filename argument",
2273 			    filename, linenum, keyword);
2274 		}
2275 		break;
2276 
2277 	case sMatch:
2278 		if (cmdline)
2279 			fatal("Match directive not supported as a command-line "
2280 			    "option");
2281 		value = match_cfg_line(&str, linenum,
2282 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2283 		if (value < 0)
2284 			fatal("%s line %d: Bad Match condition", filename,
2285 			    linenum);
2286 		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2287 		/*
2288 		 * The MATCH_ONLY flag is applicable only until the first
2289 		 * match block.
2290 		 */
2291 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2292 		/*
2293 		 * If match_cfg_line() didn't consume all its arguments then
2294 		 * arrange for the extra arguments check below to fail.
2295 		 */
2296 		if (str == NULL || *str == '\0')
2297 			argv_consume(&ac);
2298 		break;
2299 
2300 	case sPermitListen:
2301 	case sPermitOpen:
2302 		if (opcode == sPermitListen) {
2303 			uintptr = &options->num_permitted_listens;
2304 			chararrayptr = &options->permitted_listens;
2305 		} else {
2306 			uintptr = &options->num_permitted_opens;
2307 			chararrayptr = &options->permitted_opens;
2308 		}
2309 		found = *uintptr == 0;
2310 		while ((arg = argv_next(&ac, &av)) != NULL) {
2311 			if (strcmp(arg, "any") == 0 ||
2312 			    strcmp(arg, "none") == 0) {
2313 				if (nstrs != 0) {
2314 					fatal("%s line %d: %s must appear "
2315 					    "alone on a %s line.",
2316 					    filename, linenum, arg, keyword);
2317 				}
2318 				opt_array_append(filename, linenum, keyword,
2319 				    &strs, &nstrs, arg);
2320 				continue;
2321 			}
2322 
2323 			if (opcode == sPermitListen &&
2324 			    strchr(arg, ':') == NULL) {
2325 				/*
2326 				 * Allow bare port number for PermitListen
2327 				 * to indicate a wildcard listen host.
2328 				 */
2329 				xasprintf(&arg2, "*:%s", arg);
2330 			} else {
2331 				arg2 = xstrdup(arg);
2332 				p = hpdelim(&arg);
2333 				if (p == NULL) {
2334 					fatal("%s line %d: %s missing host",
2335 					    filename, linenum, keyword);
2336 				}
2337 				p = cleanhostname(p);
2338 			}
2339 			if (arg == NULL ||
2340 			    ((port = permitopen_port(arg)) < 0)) {
2341 				fatal("%s line %d: %s bad port number",
2342 				    filename, linenum, keyword);
2343 			}
2344 			opt_array_append(filename, linenum, keyword,
2345 			    &strs, &nstrs, arg2);
2346 			free(arg2);
2347 		}
2348 		if (nstrs == 0) {
2349 			fatal("%s line %d: %s missing argument.",
2350 			    filename, linenum, keyword);
2351 		}
2352 		if (found && *activep) {
2353 			*chararrayptr = strs;
2354 			*uintptr = nstrs;
2355 			strs = NULL; /* transferred */
2356 			nstrs = 0;
2357 		}
2358 		break;
2359 
2360 	case sForceCommand:
2361 		if (str == NULL || *str == '\0')
2362 			fatal("%s line %d: %s missing argument.",
2363 			    filename, linenum, keyword);
2364 		len = strspn(str, WHITESPACE);
2365 		if (*activep && options->adm_forced_command == NULL)
2366 			options->adm_forced_command = xstrdup(str + len);
2367 		argv_consume(&ac);
2368 		break;
2369 
2370 	case sChrootDirectory:
2371 		charptr = &options->chroot_directory;
2372 
2373 		arg = argv_next(&ac, &av);
2374 		if (!arg || *arg == '\0')
2375 			fatal("%s line %d: %s missing argument.",
2376 			    filename, linenum, keyword);
2377 		if (*activep && *charptr == NULL)
2378 			*charptr = xstrdup(arg);
2379 		break;
2380 
2381 	case sTrustedUserCAKeys:
2382 		charptr = &options->trusted_user_ca_keys;
2383 		goto parse_filename;
2384 
2385 	case sRevokedKeys:
2386 		charptr = &options->revoked_keys_file;
2387 		goto parse_filename;
2388 
2389 	case sSecurityKeyProvider:
2390 		charptr = &options->sk_provider;
2391 		arg = argv_next(&ac, &av);
2392 		if (!arg || *arg == '\0')
2393 			fatal("%s line %d: %s missing argument.",
2394 			    filename, linenum, keyword);
2395 		if (*activep && *charptr == NULL) {
2396 			*charptr = strcasecmp(arg, "internal") == 0 ?
2397 			    xstrdup(arg) : derelativise_path(arg);
2398 			/* increase optional counter */
2399 			if (intptr != NULL)
2400 				*intptr = *intptr + 1;
2401 		}
2402 		break;
2403 
2404 	case sIPQoS:
2405 		arg = argv_next(&ac, &av);
2406 		if (!arg || *arg == '\0')
2407 			fatal("%s line %d: %s missing argument.",
2408 			    filename, linenum, keyword);
2409 		if ((value = parse_ipqos(arg)) == -1)
2410 			fatal("%s line %d: Bad %s value: %s",
2411 			    filename, linenum, keyword, arg);
2412 		arg = argv_next(&ac, &av);
2413 		if (arg == NULL)
2414 			value2 = value;
2415 		else if ((value2 = parse_ipqos(arg)) == -1)
2416 			fatal("%s line %d: Bad %s value: %s",
2417 			    filename, linenum, keyword, arg);
2418 		if (*activep) {
2419 			options->ip_qos_interactive = value;
2420 			options->ip_qos_bulk = value2;
2421 		}
2422 		break;
2423 
2424 	case sVersionAddendum:
2425 		if (str == NULL || *str == '\0')
2426 			fatal("%s line %d: %s missing argument.",
2427 			    filename, linenum, keyword);
2428 		len = strspn(str, WHITESPACE);
2429 		if (strchr(str + len, '\r') != NULL) {
2430 			fatal("%.200s line %d: Invalid %s argument",
2431 			    filename, linenum, keyword);
2432 		}
2433 		if ((arg = strchr(line, '#')) != NULL) {
2434 			*arg = '\0';
2435 			rtrim(line);
2436 		}
2437 		if (*activep && options->version_addendum == NULL) {
2438 			if (strcasecmp(str + len, "none") == 0)
2439 				options->version_addendum = xstrdup("");
2440 			else
2441 				options->version_addendum = xstrdup(str + len);
2442 		}
2443 		argv_consume(&ac);
2444 		break;
2445 
2446 	case sAuthorizedKeysCommand:
2447 		charptr = &options->authorized_keys_command;
2448  parse_command:
2449 		len = strspn(str, WHITESPACE);
2450 		if (str[len] != '/' && strcasecmp(str + len, "none") != 0) {
2451 			fatal("%.200s line %d: %s must be an absolute path",
2452 			    filename, linenum, keyword);
2453 		}
2454 		if (*activep && *charptr == NULL)
2455 			*charptr = xstrdup(str + len);
2456 		argv_consume(&ac);
2457 		break;
2458 
2459 	case sAuthorizedKeysCommandUser:
2460 		charptr = &options->authorized_keys_command_user;
2461  parse_localuser:
2462 		arg = argv_next(&ac, &av);
2463 		if (!arg || *arg == '\0') {
2464 			fatal("%s line %d: missing %s argument.",
2465 			    filename, linenum, keyword);
2466 		}
2467 		if (*activep && *charptr == NULL)
2468 			*charptr = xstrdup(arg);
2469 		break;
2470 
2471 	case sAuthorizedPrincipalsCommand:
2472 		charptr = &options->authorized_principals_command;
2473 		goto parse_command;
2474 
2475 	case sAuthorizedPrincipalsCommandUser:
2476 		charptr = &options->authorized_principals_command_user;
2477 		goto parse_localuser;
2478 
2479 	case sAuthenticationMethods:
2480 		found = options->num_auth_methods == 0;
2481 		value = 0; /* seen "any" pseudo-method */
2482 		while ((arg = argv_next(&ac, &av)) != NULL) {
2483 			if (strcmp(arg, "any") == 0) {
2484 				if (nstrs > 0) {
2485 					fatal("%s line %d: \"any\" must "
2486 					    "appear alone in %s",
2487 					    filename, linenum, keyword);
2488 				}
2489 				value = 1;
2490 			} else if (value) {
2491 				fatal("%s line %d: \"any\" must appear "
2492 				    "alone in %s", filename, linenum, keyword);
2493 			} else if (auth2_methods_valid(arg, 0) != 0) {
2494 				fatal("%s line %d: invalid %s method list.",
2495 				    filename, linenum, keyword);
2496 			}
2497 			opt_array_append(filename, linenum, keyword,
2498 			    &strs, &nstrs, arg);
2499 		}
2500 		if (nstrs == 0) {
2501 			fatal("%s line %d: no %s specified",
2502 			    filename, linenum, keyword);
2503 		}
2504 		if (found && *activep) {
2505 			options->auth_methods = strs;
2506 			options->num_auth_methods = nstrs;
2507 			strs = NULL; /* transferred */
2508 			nstrs = 0;
2509 		}
2510 		break;
2511 
2512 	case sStreamLocalBindMask:
2513 		arg = argv_next(&ac, &av);
2514 		if (!arg || *arg == '\0')
2515 			fatal("%s line %d: %s missing argument.",
2516 			    filename, linenum, keyword);
2517 		/* Parse mode in octal format */
2518 		value = strtol(arg, &p, 8);
2519 		if (arg == p || value < 0 || value > 0777)
2520 			fatal("%s line %d: Invalid %s.",
2521 			    filename, linenum, keyword);
2522 		if (*activep)
2523 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2524 		break;
2525 
2526 	case sStreamLocalBindUnlink:
2527 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
2528 		goto parse_flag;
2529 
2530 	case sFingerprintHash:
2531 		arg = argv_next(&ac, &av);
2532 		if (!arg || *arg == '\0')
2533 			fatal("%s line %d: %s missing argument.",
2534 			    filename, linenum, keyword);
2535 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
2536 			fatal("%.200s line %d: Invalid %s algorithm \"%s\".",
2537 			    filename, linenum, keyword, arg);
2538 		if (*activep)
2539 			options->fingerprint_hash = value;
2540 		break;
2541 
2542 	case sExposeAuthInfo:
2543 		intptr = &options->expose_userauth_info;
2544 		goto parse_flag;
2545 
2546 	case sRDomain:
2547 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2548 		fatal("%s line %d: setting RDomain not supported on this "
2549 		    "platform.", filename, linenum);
2550 #endif
2551 		charptr = &options->routing_domain;
2552 		arg = argv_next(&ac, &av);
2553 		if (!arg || *arg == '\0')
2554 			fatal("%s line %d: %s missing argument.",
2555 			    filename, linenum, keyword);
2556 		if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2557 		    !valid_rdomain(arg))
2558 			fatal("%s line %d: invalid routing domain",
2559 			    filename, linenum);
2560 		if (*activep && *charptr == NULL)
2561 			*charptr = xstrdup(arg);
2562 		break;
2563 
2564 	case sRequiredRSASize:
2565 		intptr = &options->required_rsa_size;
2566 		goto parse_int;
2567 
2568 	case sChannelTimeout:
2569 		found = options->num_channel_timeouts == 0;
2570 		while ((arg = argv_next(&ac, &av)) != NULL) {
2571 			/* Allow "none" only in first position */
2572 			if (strcasecmp(arg, "none") == 0) {
2573 				if (nstrs > 0 || ac > 0) {
2574 					error("%s line %d: keyword %s \"none\" "
2575 					    "argument must appear alone.",
2576 					    filename, linenum, keyword);
2577 					goto out;
2578 				}
2579 			} else if (parse_pattern_interval(arg,
2580 			    NULL, NULL) != 0) {
2581 				fatal("%s line %d: invalid channel timeout %s",
2582 				    filename, linenum, arg);
2583 			}
2584 			opt_array_append(filename, linenum, keyword,
2585 			    &strs, &nstrs, arg);
2586 		}
2587 		if (nstrs == 0) {
2588 			fatal("%s line %d: no %s specified",
2589 			    filename, linenum, keyword);
2590 		}
2591 		if (found && *activep) {
2592 			options->channel_timeouts = strs;
2593 			options->num_channel_timeouts = nstrs;
2594 			strs = NULL; /* transferred */
2595 			nstrs = 0;
2596 		}
2597 		break;
2598 
2599 	case sUnusedConnectionTimeout:
2600 		intptr = &options->unused_connection_timeout;
2601 		/* peek at first arg for "none" so we can reuse parse_time */
2602 		if (av[0] != NULL && strcasecmp(av[0], "none") == 0) {
2603 			(void)argv_next(&ac, &av); /* consume arg */
2604 			if (*activep)
2605 				*intptr = 0;
2606 			break;
2607 		}
2608 		goto parse_time;
2609 
2610 	case sUseBlacklist:
2611 		intptr = &options->use_blacklist;
2612 		goto parse_flag;
2613 
2614 	case sDeprecated:
2615 	case sIgnore:
2616 	case sUnsupported:
2617 		do_log2(opcode == sIgnore ?
2618 		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2619 		    "%s line %d: %s option %s", filename, linenum,
2620 		    opcode == sUnsupported ? "Unsupported" : "Deprecated",
2621 		    keyword);
2622 		argv_consume(&ac);
2623 		break;
2624 
2625 	default:
2626 		fatal("%s line %d: Missing handler for opcode %s (%d)",
2627 		    filename, linenum, keyword, opcode);
2628 	}
2629 	/* Check that there is no garbage at end of line. */
2630 	if (ac > 0) {
2631 		error("%.200s line %d: keyword %s extra arguments "
2632 		    "at end of line", filename, linenum, keyword);
2633 		goto out;
2634 	}
2635 
2636 	/* success */
2637 	ret = 0;
2638  out:
2639 	opt_array_free2(strs, NULL, nstrs);
2640 	argv_free(oav, oac);
2641 	return ret;
2642 }
2643 
2644 int
2645 process_server_config_line(ServerOptions *options, char *line,
2646     const char *filename, int linenum, int *activep,
2647     struct connection_info *connectinfo, struct include_list *includes)
2648 {
2649 	int inc_flags = 0;
2650 
2651 	return process_server_config_line_depth(options, line, filename,
2652 	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2653 }
2654 
2655 
2656 /* Reads the server configuration file. */
2657 
2658 void
2659 load_server_config(const char *filename, struct sshbuf *conf)
2660 {
2661 	struct stat st;
2662 	char *line = NULL, *cp;
2663 	size_t linesize = 0;
2664 	FILE *f;
2665 	int r;
2666 
2667 	debug2_f("filename %s", filename);
2668 	if ((f = fopen(filename, "r")) == NULL) {
2669 		perror(filename);
2670 		exit(1);
2671 	}
2672 	sshbuf_reset(conf);
2673 	/* grow buffer, so realloc is avoided for large config files */
2674 	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2675 	    (r = sshbuf_allocate(conf, st.st_size)) != 0)
2676 		fatal_fr(r, "allocate");
2677 	while (getline(&line, &linesize, f) != -1) {
2678 		/*
2679 		 * Strip whitespace
2680 		 * NB - preserve newlines, they are needed to reproduce
2681 		 * line numbers later for error messages
2682 		 */
2683 		cp = line + strspn(line, " \t\r");
2684 		if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2685 			fatal_fr(r, "sshbuf_put");
2686 	}
2687 	free(line);
2688 	if ((r = sshbuf_put_u8(conf, 0)) != 0)
2689 		fatal_fr(r, "sshbuf_put_u8");
2690 	fclose(f);
2691 	debug2_f("done config len = %zu", sshbuf_len(conf));
2692 }
2693 
2694 void
2695 parse_server_match_config(ServerOptions *options,
2696    struct include_list *includes, struct connection_info *connectinfo)
2697 {
2698 	ServerOptions mo;
2699 
2700 	initialize_server_options(&mo);
2701 	parse_server_config(&mo, "reprocess config", cfg, includes,
2702 	    connectinfo, 0);
2703 	copy_set_server_options(options, &mo, 0);
2704 }
2705 
2706 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2707 {
2708 	char *p;
2709 
2710 	while ((p = strsep(&spec, ",")) && *p != '\0') {
2711 		if (strncmp(p, "addr=", 5) == 0) {
2712 			ci->address = xstrdup(p + 5);
2713 		} else if (strncmp(p, "host=", 5) == 0) {
2714 			ci->host = xstrdup(p + 5);
2715 		} else if (strncmp(p, "user=", 5) == 0) {
2716 			ci->user = xstrdup(p + 5);
2717 		} else if (strncmp(p, "laddr=", 6) == 0) {
2718 			ci->laddress = xstrdup(p + 6);
2719 		} else if (strncmp(p, "rdomain=", 8) == 0) {
2720 			ci->rdomain = xstrdup(p + 8);
2721 		} else if (strncmp(p, "lport=", 6) == 0) {
2722 			ci->lport = a2port(p + 6);
2723 			if (ci->lport == -1) {
2724 				fprintf(stderr, "Invalid port '%s' in test mode"
2725 				    " specification %s\n", p+6, p);
2726 				return -1;
2727 			}
2728 		} else {
2729 			fprintf(stderr, "Invalid test mode specification %s\n",
2730 			    p);
2731 			return -1;
2732 		}
2733 	}
2734 	return 0;
2735 }
2736 
2737 void
2738 servconf_merge_subsystems(ServerOptions *dst, ServerOptions *src)
2739 {
2740 	u_int i, j, found;
2741 
2742 	for (i = 0; i < src->num_subsystems; i++) {
2743 		found = 0;
2744 		for (j = 0; j < dst->num_subsystems; j++) {
2745 			if (strcmp(src->subsystem_name[i],
2746 			    dst->subsystem_name[j]) == 0) {
2747 				found = 1;
2748 				break;
2749 			}
2750 		}
2751 		if (found) {
2752 			debug_f("override \"%s\"", dst->subsystem_name[j]);
2753 			free(dst->subsystem_command[j]);
2754 			free(dst->subsystem_args[j]);
2755 			dst->subsystem_command[j] =
2756 			    xstrdup(src->subsystem_command[i]);
2757 			dst->subsystem_args[j] =
2758 			    xstrdup(src->subsystem_args[i]);
2759 			continue;
2760 		}
2761 		debug_f("add \"%s\"", src->subsystem_name[i]);
2762 		dst->subsystem_name = xrecallocarray(
2763 		    dst->subsystem_name, dst->num_subsystems,
2764 		    dst->num_subsystems + 1, sizeof(*dst->subsystem_name));
2765 		dst->subsystem_command = xrecallocarray(
2766 		    dst->subsystem_command, dst->num_subsystems,
2767 		    dst->num_subsystems + 1, sizeof(*dst->subsystem_command));
2768 		dst->subsystem_args = xrecallocarray(
2769 		    dst->subsystem_args, dst->num_subsystems,
2770 		    dst->num_subsystems + 1, sizeof(*dst->subsystem_args));
2771 		j = dst->num_subsystems++;
2772 		dst->subsystem_name[j] = xstrdup(src->subsystem_name[i]);
2773 		dst->subsystem_command[j] = xstrdup(src->subsystem_command[i]);
2774 		dst->subsystem_args[j] = xstrdup(src->subsystem_args[i]);
2775 	}
2776 }
2777 
2778 /*
2779  * Copy any supported values that are set.
2780  *
2781  * If the preauth flag is set, we do not bother copying the string or
2782  * array values that are not used pre-authentication, because any that we
2783  * do use must be explicitly sent in mm_getpwnamallow().
2784  */
2785 void
2786 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2787 {
2788 #define M_CP_INTOPT(n) do {\
2789 	if (src->n != -1) \
2790 		dst->n = src->n; \
2791 } while (0)
2792 
2793 	M_CP_INTOPT(password_authentication);
2794 	M_CP_INTOPT(gss_authentication);
2795 	M_CP_INTOPT(pubkey_authentication);
2796 	M_CP_INTOPT(pubkey_auth_options);
2797 	M_CP_INTOPT(kerberos_authentication);
2798 	M_CP_INTOPT(hostbased_authentication);
2799 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2800 	M_CP_INTOPT(kbd_interactive_authentication);
2801 	M_CP_INTOPT(permit_root_login);
2802 	M_CP_INTOPT(permit_empty_passwd);
2803 	M_CP_INTOPT(ignore_rhosts);
2804 
2805 	M_CP_INTOPT(allow_tcp_forwarding);
2806 	M_CP_INTOPT(allow_streamlocal_forwarding);
2807 	M_CP_INTOPT(allow_agent_forwarding);
2808 	M_CP_INTOPT(disable_forwarding);
2809 	M_CP_INTOPT(expose_userauth_info);
2810 	M_CP_INTOPT(permit_tun);
2811 	M_CP_INTOPT(fwd_opts.gateway_ports);
2812 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2813 	M_CP_INTOPT(x11_display_offset);
2814 	M_CP_INTOPT(x11_forwarding);
2815 	M_CP_INTOPT(x11_use_localhost);
2816 	M_CP_INTOPT(permit_tty);
2817 	M_CP_INTOPT(permit_user_rc);
2818 	M_CP_INTOPT(max_sessions);
2819 	M_CP_INTOPT(max_authtries);
2820 	M_CP_INTOPT(client_alive_count_max);
2821 	M_CP_INTOPT(client_alive_interval);
2822 	M_CP_INTOPT(ip_qos_interactive);
2823 	M_CP_INTOPT(ip_qos_bulk);
2824 	M_CP_INTOPT(rekey_limit);
2825 	M_CP_INTOPT(rekey_interval);
2826 	M_CP_INTOPT(log_level);
2827 	M_CP_INTOPT(required_rsa_size);
2828 	M_CP_INTOPT(unused_connection_timeout);
2829 
2830 	/*
2831 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2832 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2833 	 * warnings.
2834 	 */
2835 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2836 		dst->fwd_opts.streamlocal_bind_mask =
2837 		    src->fwd_opts.streamlocal_bind_mask;
2838 	}
2839 
2840 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2841 #define M_CP_STROPT(n) do {\
2842 	if (src->n != NULL && dst->n != src->n) { \
2843 		free(dst->n); \
2844 		dst->n = src->n; \
2845 	} \
2846 } while(0)
2847 #define M_CP_STRARRAYOPT(s, num_s) do {\
2848 	u_int i; \
2849 	if (src->num_s != 0) { \
2850 		for (i = 0; i < dst->num_s; i++) \
2851 			free(dst->s[i]); \
2852 		free(dst->s); \
2853 		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2854 		for (i = 0; i < src->num_s; i++) \
2855 			dst->s[i] = xstrdup(src->s[i]); \
2856 		dst->num_s = src->num_s; \
2857 	} \
2858 } while(0)
2859 
2860 	/* See comment in servconf.h */
2861 	COPY_MATCH_STRING_OPTS();
2862 
2863 	/* Arguments that accept '+...' need to be expanded */
2864 	assemble_algorithms(dst);
2865 
2866 	/*
2867 	 * The only things that should be below this point are string options
2868 	 * which are only used after authentication.
2869 	 */
2870 	if (preauth)
2871 		return;
2872 
2873 	/* These options may be "none" to clear a global setting */
2874 	M_CP_STROPT(adm_forced_command);
2875 	if (option_clear_or_none(dst->adm_forced_command)) {
2876 		free(dst->adm_forced_command);
2877 		dst->adm_forced_command = NULL;
2878 	}
2879 	M_CP_STROPT(chroot_directory);
2880 	if (option_clear_or_none(dst->chroot_directory)) {
2881 		free(dst->chroot_directory);
2882 		dst->chroot_directory = NULL;
2883 	}
2884 
2885 	/* Subsystems require merging. */
2886 	servconf_merge_subsystems(dst, src);
2887 }
2888 
2889 #undef M_CP_INTOPT
2890 #undef M_CP_STROPT
2891 #undef M_CP_STRARRAYOPT
2892 
2893 #define SERVCONF_MAX_DEPTH	16
2894 static void
2895 parse_server_config_depth(ServerOptions *options, const char *filename,
2896     struct sshbuf *conf, struct include_list *includes,
2897     struct connection_info *connectinfo, int flags, int *activep, int depth)
2898 {
2899 	int linenum, bad_options = 0;
2900 	char *cp, *obuf, *cbuf;
2901 
2902 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2903 		fatal("Too many recursive configuration includes");
2904 
2905 	debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2906 	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2907 
2908 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2909 		fatal_f("sshbuf_dup_string failed");
2910 	linenum = 1;
2911 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2912 		if (process_server_config_line_depth(options, cp,
2913 		    filename, linenum++, activep, connectinfo, &flags,
2914 		    depth, includes) != 0)
2915 			bad_options++;
2916 	}
2917 	free(obuf);
2918 	if (bad_options > 0)
2919 		fatal("%s: terminating, %d bad configuration options",
2920 		    filename, bad_options);
2921 }
2922 
2923 void
2924 parse_server_config(ServerOptions *options, const char *filename,
2925     struct sshbuf *conf, struct include_list *includes,
2926     struct connection_info *connectinfo, int reexec)
2927 {
2928 	int active = connectinfo ? 0 : 1;
2929 	parse_server_config_depth(options, filename, conf, includes,
2930 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2931 	if (!reexec)
2932 		process_queued_listen_addrs(options);
2933 }
2934 
2935 static const char *
2936 fmt_multistate_int(int val, const struct multistate *m)
2937 {
2938 	u_int i;
2939 
2940 	for (i = 0; m[i].key != NULL; i++) {
2941 		if (m[i].value == val)
2942 			return m[i].key;
2943 	}
2944 	return "UNKNOWN";
2945 }
2946 
2947 static const char *
2948 fmt_intarg(ServerOpCodes code, int val)
2949 {
2950 	if (val == -1)
2951 		return "unset";
2952 	switch (code) {
2953 	case sAddressFamily:
2954 		return fmt_multistate_int(val, multistate_addressfamily);
2955 	case sPermitRootLogin:
2956 		return fmt_multistate_int(val, multistate_permitrootlogin);
2957 	case sGatewayPorts:
2958 		return fmt_multistate_int(val, multistate_gatewayports);
2959 	case sCompression:
2960 		return fmt_multistate_int(val, multistate_compression);
2961 	case sAllowTcpForwarding:
2962 		return fmt_multistate_int(val, multistate_tcpfwd);
2963 	case sAllowStreamLocalForwarding:
2964 		return fmt_multistate_int(val, multistate_tcpfwd);
2965 	case sIgnoreRhosts:
2966 		return fmt_multistate_int(val, multistate_ignore_rhosts);
2967 	case sFingerprintHash:
2968 		return ssh_digest_alg_name(val);
2969 	default:
2970 		switch (val) {
2971 		case 0:
2972 			return "no";
2973 		case 1:
2974 			return "yes";
2975 		default:
2976 			return "UNKNOWN";
2977 		}
2978 	}
2979 }
2980 
2981 static void
2982 dump_cfg_int(ServerOpCodes code, int val)
2983 {
2984 	if (code == sUnusedConnectionTimeout && val == 0) {
2985 		printf("%s none\n", lookup_opcode_name(code));
2986 		return;
2987 	}
2988 	printf("%s %d\n", lookup_opcode_name(code), val);
2989 }
2990 
2991 static void
2992 dump_cfg_oct(ServerOpCodes code, int val)
2993 {
2994 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2995 }
2996 
2997 static void
2998 dump_cfg_fmtint(ServerOpCodes code, int val)
2999 {
3000 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
3001 }
3002 
3003 static void
3004 dump_cfg_string(ServerOpCodes code, const char *val)
3005 {
3006 	printf("%s %s\n", lookup_opcode_name(code),
3007 	    val == NULL ? "none" : val);
3008 }
3009 
3010 static void
3011 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
3012 {
3013 	u_int i;
3014 
3015 	for (i = 0; i < count; i++)
3016 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
3017 }
3018 
3019 static void
3020 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
3021 {
3022 	u_int i;
3023 
3024 	switch (code) {
3025 	case sAuthenticationMethods:
3026 	case sChannelTimeout:
3027 		break;
3028 	default:
3029 		if (count <= 0)
3030 			return;
3031 		break;
3032 	}
3033 
3034 	printf("%s", lookup_opcode_name(code));
3035 	for (i = 0; i < count; i++)
3036 		printf(" %s",  vals[i]);
3037 	if (code == sAuthenticationMethods && count == 0)
3038 		printf(" any");
3039 	else if (code == sChannelTimeout && count == 0)
3040 		printf(" none");
3041 	printf("\n");
3042 }
3043 
3044 static char *
3045 format_listen_addrs(struct listenaddr *la)
3046 {
3047 	int r;
3048 	struct addrinfo *ai;
3049 	char addr[NI_MAXHOST], port[NI_MAXSERV];
3050 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
3051 
3052 	/*
3053 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
3054 	 * addresses onto a stack, so to maintain ordering we need to
3055 	 * print these in reverse order.
3056 	 */
3057 	for (ai = la->addrs; ai; ai = ai->ai_next) {
3058 		if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
3059 		    sizeof(addr), port, sizeof(port),
3060 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
3061 			error("getnameinfo: %.100s", ssh_gai_strerror(r));
3062 			continue;
3063 		}
3064 		laddr2 = laddr1;
3065 		if (ai->ai_family == AF_INET6) {
3066 			xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
3067 			    addr, port,
3068 			    la->rdomain == NULL ? "" : " rdomain ",
3069 			    la->rdomain == NULL ? "" : la->rdomain,
3070 			    laddr2);
3071 		} else {
3072 			xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
3073 			    addr, port,
3074 			    la->rdomain == NULL ? "" : " rdomain ",
3075 			    la->rdomain == NULL ? "" : la->rdomain,
3076 			    laddr2);
3077 		}
3078 		free(laddr2);
3079 	}
3080 	return laddr1;
3081 }
3082 
3083 void
3084 dump_config(ServerOptions *o)
3085 {
3086 	char *s;
3087 	u_int i;
3088 
3089 	/* these are usually at the top of the config */
3090 	for (i = 0; i < o->num_ports; i++)
3091 		printf("port %d\n", o->ports[i]);
3092 	dump_cfg_fmtint(sAddressFamily, o->address_family);
3093 
3094 	for (i = 0; i < o->num_listen_addrs; i++) {
3095 		s = format_listen_addrs(&o->listen_addrs[i]);
3096 		printf("%s", s);
3097 		free(s);
3098 	}
3099 
3100 	/* integer arguments */
3101 #ifdef USE_PAM
3102 	dump_cfg_fmtint(sUsePAM, o->use_pam);
3103 #endif
3104 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
3105 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
3106 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
3107 	dump_cfg_int(sMaxSessions, o->max_sessions);
3108 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
3109 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
3110 	dump_cfg_int(sRequiredRSASize, o->required_rsa_size);
3111 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
3112 	dump_cfg_int(sUnusedConnectionTimeout, o->unused_connection_timeout);
3113 
3114 	/* formatted integer arguments */
3115 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
3116 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
3117 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
3118 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
3119 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
3120 	    o->hostbased_uses_name_from_packet_only);
3121 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
3122 #ifdef KRB5
3123 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
3124 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
3125 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
3126 # ifdef USE_AFS
3127 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
3128 # endif
3129 #endif
3130 #ifdef GSSAPI
3131 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3132 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
3133 #endif
3134 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3135 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
3136 	    o->kbd_interactive_authentication);
3137 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
3138 #ifndef DISABLE_LASTLOG
3139 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
3140 #endif
3141 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
3142 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
3143 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
3144 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
3145 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
3146 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
3147 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
3148 	dump_cfg_fmtint(sCompression, o->compression);
3149 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
3150 	dump_cfg_fmtint(sUseDNS, o->use_dns);
3151 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
3152 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
3153 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
3154 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
3155 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
3156 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
3157 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
3158 	dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
3159 
3160 	/* string arguments */
3161 	dump_cfg_string(sPidFile, o->pid_file);
3162 	dump_cfg_string(sModuliFile, o->moduli_file);
3163 	dump_cfg_string(sXAuthLocation, o->xauth_location);
3164 	dump_cfg_string(sCiphers, o->ciphers);
3165 	dump_cfg_string(sMacs, o->macs);
3166 	dump_cfg_string(sBanner, o->banner);
3167 	dump_cfg_string(sForceCommand, o->adm_forced_command);
3168 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
3169 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
3170 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
3171 	dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
3172 	dump_cfg_string(sAuthorizedPrincipalsFile,
3173 	    o->authorized_principals_file);
3174 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
3175 	    ? "none" : o->version_addendum);
3176 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
3177 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
3178 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
3179 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
3180 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
3181 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
3182 	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
3183 	dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos);
3184 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
3185 	dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
3186 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
3187 	dump_cfg_string(sRDomain, o->routing_domain);
3188 #endif
3189 
3190 	/* string arguments requiring a lookup */
3191 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
3192 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
3193 
3194 	/* string array arguments */
3195 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
3196 	    o->authorized_keys_files);
3197 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
3198 	    o->host_key_files);
3199 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
3200 	    o->host_cert_files);
3201 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
3202 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
3203 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
3204 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
3205 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
3206 	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
3207 	dump_cfg_strarray_oneline(sAuthenticationMethods,
3208 	    o->num_auth_methods, o->auth_methods);
3209 	dump_cfg_strarray_oneline(sLogVerbose,
3210 	    o->num_log_verbose, o->log_verbose);
3211 	dump_cfg_strarray_oneline(sChannelTimeout,
3212 	    o->num_channel_timeouts, o->channel_timeouts);
3213 
3214 	/* other arguments */
3215 	for (i = 0; i < o->num_subsystems; i++)
3216 		printf("subsystem %s %s\n", o->subsystem_name[i],
3217 		    o->subsystem_args[i]);
3218 
3219 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
3220 	    o->max_startups_rate, o->max_startups);
3221 	printf("persourcemaxstartups ");
3222 	if (o->per_source_max_startups == INT_MAX)
3223 		printf("none\n");
3224 	else
3225 		printf("%d\n", o->per_source_max_startups);
3226 	printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4,
3227 	    o->per_source_masklen_ipv6);
3228 
3229 	s = NULL;
3230 	for (i = 0; tunmode_desc[i].val != -1; i++) {
3231 		if (tunmode_desc[i].val == o->permit_tun) {
3232 			s = tunmode_desc[i].text;
3233 			break;
3234 		}
3235 	}
3236 	dump_cfg_string(sPermitTunnel, s);
3237 
3238 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
3239 	printf("%s\n", iptos2str(o->ip_qos_bulk));
3240 
3241 	printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
3242 	    o->rekey_interval);
3243 
3244 	printf("permitopen");
3245 	if (o->num_permitted_opens == 0)
3246 		printf(" any");
3247 	else {
3248 		for (i = 0; i < o->num_permitted_opens; i++)
3249 			printf(" %s", o->permitted_opens[i]);
3250 	}
3251 	printf("\n");
3252 	printf("permitlisten");
3253 	if (o->num_permitted_listens == 0)
3254 		printf(" any");
3255 	else {
3256 		for (i = 0; i < o->num_permitted_listens; i++)
3257 			printf(" %s", o->permitted_listens[i]);
3258 	}
3259 	printf("\n");
3260 
3261 	if (o->permit_user_env_allowlist == NULL) {
3262 		dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
3263 	} else {
3264 		printf("permituserenvironment %s\n",
3265 		    o->permit_user_env_allowlist);
3266 	}
3267 
3268 	printf("pubkeyauthoptions");
3269 	if (o->pubkey_auth_options == 0)
3270 		printf(" none");
3271 	if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
3272 		printf(" touch-required");
3273 	if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
3274 		printf(" verify-required");
3275 	printf("\n");
3276 }
3277