xref: /titanic_41/usr/src/cmd/ssh/libssh/common/readconf.c (revision 6185db853e024a486ff8837e6784dd290d866112)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * Functions for reading the configuration files.
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 /*
14  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
15  * Use is subject to license terms.
16  */
17 
18 #include "includes.h"
19 RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
20 
21 #pragma ident	"%Z%%M%	%I%	%E% SMI"
22 
23 #include "ssh.h"
24 #include "xmalloc.h"
25 #include "compat.h"
26 #include "cipher.h"
27 #include "pathnames.h"
28 #include "log.h"
29 #include "readconf.h"
30 #include "match.h"
31 #include "misc.h"
32 #include "kex.h"
33 #include "mac.h"
34 
35 /* Format of the configuration file:
36 
37    # Configuration data is parsed as follows:
38    #  1. command line options
39    #  2. user-specific file
40    #  3. system-wide file
41    # Any configuration value is only changed the first time it is set.
42    # Thus, host-specific definitions should be at the beginning of the
43    # configuration file, and defaults at the end.
44 
45    # Host-specific declarations.  These may override anything above.  A single
46    # host may match multiple declarations; these are processed in the order
47    # that they are given in.
48 
49    Host *.ngs.fi ngs.fi
50      User foo
51 
52    Host fake.com
53      HostName another.host.name.real.org
54      User blaah
55      Port 34289
56      ForwardX11 no
57      ForwardAgent no
58 
59    Host books.com
60      RemoteForward 9999 shadows.cs.hut.fi:9999
61      Cipher 3des
62 
63    Host fascist.blob.com
64      Port 23123
65      User tylonen
66      RhostsAuthentication no
67      PasswordAuthentication no
68 
69    Host puukko.hut.fi
70      User t35124p
71      ProxyCommand ssh-proxy %h %p
72 
73    Host *.fr
74      PublicKeyAuthentication no
75 
76    Host *.su
77      Cipher none
78      PasswordAuthentication no
79 
80    # Defaults for various options
81    Host *
82      ForwardAgent no
83      ForwardX11 no
84      RhostsAuthentication yes
85      PasswordAuthentication yes
86      RSAAuthentication yes
87      RhostsRSAAuthentication yes
88      StrictHostKeyChecking yes
89      KeepAlives no
90      IdentityFile ~/.ssh/identity
91      Port 22
92      EscapeChar ~
93 
94 */
95 
96 /* Keyword tokens. */
97 
98 typedef enum {
99 	oBadOption,
100 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
101 	oPasswordAuthentication, oRSAAuthentication,
102 	oChallengeResponseAuthentication, oXAuthLocation,
103 #if defined(KRB4) || defined(KRB5)
104 	oKerberosAuthentication,
105 #endif
106 #ifdef GSSAPI
107 	oGssKeyEx, oGssAuthentication, oGssDelegateCreds,
108 #ifdef GSI
109 	oGssGlobusDelegateLimitedCreds,
110 #endif /* GSI */
111 #endif /* GSSAPI */
112 #if defined(AFS) || defined(KRB5)
113 	oKerberosTgtPassing,
114 #endif
115 #ifdef AFS
116 	oAFSTokenPassing,
117 #endif
118 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
119 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
120 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
121 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
122 	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
123 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
124 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
125 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
126 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
127 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
128 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
129 	oFallBackToRsh, oUseRsh,
130 	oDeprecated
131 } OpCodes;
132 
133 /* Textual representations of the tokens. */
134 
135 static struct {
136 	const char *name;
137 	OpCodes opcode;
138 } keywords[] = {
139 	{ "forwardagent", oForwardAgent },
140 	{ "forwardx11", oForwardX11 },
141 	{ "xauthlocation", oXAuthLocation },
142 	{ "gatewayports", oGatewayPorts },
143 	{ "useprivilegedport", oUsePrivilegedPort },
144 	{ "rhostsauthentication", oRhostsAuthentication },
145 	{ "passwordauthentication", oPasswordAuthentication },
146 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
147 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
148 	{ "rsaauthentication", oRSAAuthentication },
149 	{ "pubkeyauthentication", oPubkeyAuthentication },
150 	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
151 	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
152 	{ "hostbasedauthentication", oHostbasedAuthentication },
153 	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
154 	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
155 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
156 #if defined(KRB4) || defined(KRB5)
157 	{ "kerberosauthentication", oKerberosAuthentication },
158 #endif
159 #ifdef GSSAPI
160 	{ "gssapikeyexchange", oGssKeyEx },
161 	{ "gssapiauthentication", oGssAuthentication },
162 	{ "gssapidelegatecredentials", oGssDelegateCreds },
163 	{ "gsskeyex", oGssKeyEx },				/* alias */
164 	{ "gssauthentication", oGssAuthentication },		/* alias */
165 	{ "gssdelegatecreds", oGssDelegateCreds },		/* alias */
166 #ifdef GSI
167 	/* For backwards compatability with old 1.2.27 client code */
168 	{ "forwardgssapiglobusproxy", oGssDelegateCreds }, /* alias */
169 	{ "forwardgssapiglobuslimitedproxy", oGssGlobusDelegateLimitedCreds },
170 #endif /* GSI */
171 #endif /* GSSAPI */
172 #if defined(AFS) || defined(KRB5)
173 	{ "kerberostgtpassing", oKerberosTgtPassing },
174 #endif
175 #ifdef AFS
176 	{ "afstokenpassing", oAFSTokenPassing },
177 #endif
178 	{ "fallbacktorsh", oFallBackToRsh },
179 	{ "usersh", oUseRsh },
180 	{ "identityfile", oIdentityFile },
181 	{ "identityfile2", oIdentityFile },			/* alias */
182 	{ "hostname", oHostName },
183 	{ "hostkeyalias", oHostKeyAlias },
184 	{ "proxycommand", oProxyCommand },
185 	{ "port", oPort },
186 	{ "cipher", oCipher },
187 	{ "ciphers", oCiphers },
188 	{ "macs", oMacs },
189 	{ "protocol", oProtocol },
190 	{ "remoteforward", oRemoteForward },
191 	{ "localforward", oLocalForward },
192 	{ "user", oUser },
193 	{ "host", oHost },
194 	{ "escapechar", oEscapeChar },
195 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
196 	{ "userknownhostsfile", oUserKnownHostsFile },		/* obsolete */
197 	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
198 	{ "userknownhostsfile2", oUserKnownHostsFile2 },	/* obsolete */
199 	{ "connectionattempts", oConnectionAttempts },
200 	{ "batchmode", oBatchMode },
201 	{ "checkhostip", oCheckHostIP },
202 	{ "stricthostkeychecking", oStrictHostKeyChecking },
203 	{ "compression", oCompression },
204 	{ "compressionlevel", oCompressionLevel },
205 	{ "keepalive", oKeepAlives },
206 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
207 	{ "loglevel", oLogLevel },
208 	{ "dynamicforward", oDynamicForward },
209 	{ "preferredauthentications", oPreferredAuthentications },
210 	{ "hostkeyalgorithms", oHostKeyAlgorithms },
211 	{ "bindaddress", oBindAddress },
212 	{ "smartcarddevice", oSmartcardDevice },
213 	{ "clearallforwardings", oClearAllForwardings },
214 	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
215 	{ NULL, oBadOption }
216 };
217 
218 /*
219  * Adds a local TCP/IP port forward to options.  Never returns if there is an
220  * error.
221  */
222 
223 void
224 add_local_forward(Options *options, u_short port, const char *host,
225 		  u_short host_port)
226 {
227 	Forward *fwd;
228 #ifndef NO_IPPORT_RESERVED_CONCEPT
229 	extern uid_t original_real_uid;
230 	if (port < IPPORT_RESERVED && original_real_uid != 0)
231 		fatal("Privileged ports can only be forwarded by root.");
232 #endif
233 	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
234 		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
235 	fwd = &options->local_forwards[options->num_local_forwards++];
236 	fwd->port = port;
237 	fwd->host = xstrdup(host);
238 	fwd->host_port = host_port;
239 }
240 
241 /*
242  * Adds a remote TCP/IP port forward to options.  Never returns if there is
243  * an error.
244  */
245 
246 void
247 add_remote_forward(Options *options, u_short port, const char *host,
248 		   u_short host_port)
249 {
250 	Forward *fwd;
251 	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
252 		fatal("Too many remote forwards (max %d).",
253 		    SSH_MAX_FORWARDS_PER_DIRECTION);
254 	fwd = &options->remote_forwards[options->num_remote_forwards++];
255 	fwd->port = port;
256 	fwd->host = xstrdup(host);
257 	fwd->host_port = host_port;
258 }
259 
260 static void
261 clear_forwardings(Options *options)
262 {
263 	int i;
264 
265 	for (i = 0; i < options->num_local_forwards; i++)
266 		xfree(options->local_forwards[i].host);
267 	options->num_local_forwards = 0;
268 	for (i = 0; i < options->num_remote_forwards; i++)
269 		xfree(options->remote_forwards[i].host);
270 	options->num_remote_forwards = 0;
271 }
272 
273 /*
274  * Returns the number of the token pointed to by cp or oBadOption.
275  */
276 
277 static OpCodes
278 parse_token(const char *cp, const char *filename, int linenum)
279 {
280 	u_int i;
281 
282 	for (i = 0; keywords[i].name; i++)
283 		if (strcasecmp(cp, keywords[i].name) == 0)
284 			return keywords[i].opcode;
285 
286 	error("%s: line %d: Bad configuration option: %s",
287 	    filename, linenum, cp);
288 	return oBadOption;
289 }
290 
291 /*
292  * Processes a single option line as used in the configuration files. This
293  * only sets those values that have not already been set.
294  */
295 
296 int
297 process_config_line(Options *options, const char *host,
298 		    char *line, const char *filename, int linenum,
299 		    int *activep)
300 {
301 	char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg;
302 	int opcode, *intptr, value;
303 	u_short fwd_port, fwd_host_port;
304 	char sfwd_host_port[6];
305 
306 	s = line;
307 	/* Get the keyword. (Each line is supposed to begin with a keyword). */
308 	keyword = strdelim(&s);
309 	/* Ignore leading whitespace. */
310 	if (*keyword == '\0')
311 		keyword = strdelim(&s);
312 	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
313 		return 0;
314 
315 	opcode = parse_token(keyword, filename, linenum);
316 
317 	switch (opcode) {
318 	case oBadOption:
319 		/* don't panic, but count bad options */
320 		return -1;
321 		/* NOTREACHED */
322 	case oForwardAgent:
323 		intptr = &options->forward_agent;
324 parse_flag:
325 		arg = strdelim(&s);
326 		if (!arg || *arg == '\0')
327 			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
328 		value = 0;	/* To avoid compiler warning... */
329 		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
330 			value = 1;
331 		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
332 			value = 0;
333 		else
334 			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
335 		if (*activep && *intptr == -1)
336 			*intptr = value;
337 		break;
338 
339 	case oForwardX11:
340 		intptr = &options->forward_x11;
341 		goto parse_flag;
342 
343 	case oGatewayPorts:
344 		intptr = &options->gateway_ports;
345 		goto parse_flag;
346 
347 	case oUsePrivilegedPort:
348 		intptr = &options->use_privileged_port;
349 		goto parse_flag;
350 
351 	case oRhostsAuthentication:
352 		intptr = &options->rhosts_authentication;
353 		goto parse_flag;
354 
355 	case oPasswordAuthentication:
356 		intptr = &options->password_authentication;
357 		goto parse_flag;
358 
359 	case oKbdInteractiveAuthentication:
360 		intptr = &options->kbd_interactive_authentication;
361 		goto parse_flag;
362 
363 	case oKbdInteractiveDevices:
364 		charptr = &options->kbd_interactive_devices;
365 		goto parse_string;
366 
367 	case oPubkeyAuthentication:
368 		intptr = &options->pubkey_authentication;
369 		goto parse_flag;
370 
371 	case oRSAAuthentication:
372 		intptr = &options->rsa_authentication;
373 		goto parse_flag;
374 
375 	case oRhostsRSAAuthentication:
376 		intptr = &options->rhosts_rsa_authentication;
377 		goto parse_flag;
378 
379 	case oHostbasedAuthentication:
380 		intptr = &options->hostbased_authentication;
381 		goto parse_flag;
382 
383 	case oChallengeResponseAuthentication:
384 		intptr = &options->challenge_response_authentication;
385 		goto parse_flag;
386 #if defined(KRB4) || defined(KRB5)
387 	case oKerberosAuthentication:
388 		intptr = &options->kerberos_authentication;
389 		goto parse_flag;
390 #endif
391 #ifdef GSSAPI
392 	case oGssKeyEx:
393 		intptr = &options->gss_keyex;
394 		goto parse_flag;
395 
396 	case oGssAuthentication:
397 		intptr = &options->gss_authentication;
398 		goto parse_flag;
399 
400 	case oGssDelegateCreds:
401 		intptr = &options->gss_deleg_creds;
402 		goto parse_flag;
403 
404 #ifdef GSI
405 	case oGssGlobusDelegateLimitedCreds:
406 		intptr = &options->gss_globus_deleg_limited_proxy;
407 		goto parse_flag;
408 #endif /* GSI */
409 
410 #endif /* GSSAPI */
411 
412 #if defined(AFS) || defined(KRB5)
413 	case oKerberosTgtPassing:
414 		intptr = &options->kerberos_tgt_passing;
415 		goto parse_flag;
416 #endif
417 #ifdef AFS
418 	case oAFSTokenPassing:
419 		intptr = &options->afs_token_passing;
420 		goto parse_flag;
421 #endif
422 	case oFallBackToRsh:
423 		intptr = &options->fallback_to_rsh;
424 		goto parse_flag;
425 
426 	case oUseRsh:
427 		intptr = &options->use_rsh;
428 		goto parse_flag;
429 
430 	case oBatchMode:
431 		intptr = &options->batch_mode;
432 		goto parse_flag;
433 
434 	case oCheckHostIP:
435 		intptr = &options->check_host_ip;
436 		goto parse_flag;
437 
438 	case oStrictHostKeyChecking:
439 		intptr = &options->strict_host_key_checking;
440 		arg = strdelim(&s);
441 		if (!arg || *arg == '\0')
442 			fatal("%.200s line %d: Missing yes/no/ask argument.",
443 			    filename, linenum);
444 		value = 0;	/* To avoid compiler warning... */
445 		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
446 			value = 1;
447 		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
448 			value = 0;
449 		else if (strcmp(arg, "ask") == 0)
450 			value = 2;
451 		else
452 			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
453 		if (*activep && *intptr == -1)
454 			*intptr = value;
455 		break;
456 
457 	case oCompression:
458 		intptr = &options->compression;
459 		goto parse_flag;
460 
461 	case oKeepAlives:
462 		intptr = &options->keepalives;
463 		goto parse_flag;
464 
465 	case oNoHostAuthenticationForLocalhost:
466 		intptr = &options->no_host_authentication_for_localhost;
467 		goto parse_flag;
468 
469 	case oNumberOfPasswordPrompts:
470 		intptr = &options->number_of_password_prompts;
471 		goto parse_int;
472 
473 	case oCompressionLevel:
474 		intptr = &options->compression_level;
475 		goto parse_int;
476 
477 	case oIdentityFile:
478 		arg = strdelim(&s);
479 		if (!arg || *arg == '\0')
480 			fatal("%.200s line %d: Missing argument.", filename, linenum);
481 		if (*activep) {
482 			intptr = &options->num_identity_files;
483 			if (*intptr >= SSH_MAX_IDENTITY_FILES)
484 				fatal("%.200s line %d: Too many identity files specified (max %d).",
485 				    filename, linenum, SSH_MAX_IDENTITY_FILES);
486 			charptr =  &options->identity_files[*intptr];
487 			*charptr = xstrdup(arg);
488 			*intptr = *intptr + 1;
489 		}
490 		break;
491 
492 	case oXAuthLocation:
493 		charptr=&options->xauth_location;
494 		goto parse_string;
495 
496 	case oUser:
497 		charptr = &options->user;
498 parse_string:
499 		arg = strdelim(&s);
500 		if (!arg || *arg == '\0')
501 			fatal("%.200s line %d: Missing argument.", filename, linenum);
502 		if (*activep && *charptr == NULL)
503 			*charptr = xstrdup(arg);
504 		break;
505 
506 	case oGlobalKnownHostsFile:
507 		charptr = &options->system_hostfile;
508 		goto parse_string;
509 
510 	case oUserKnownHostsFile:
511 		charptr = &options->user_hostfile;
512 		goto parse_string;
513 
514 	case oGlobalKnownHostsFile2:
515 		charptr = &options->system_hostfile2;
516 		goto parse_string;
517 
518 	case oUserKnownHostsFile2:
519 		charptr = &options->user_hostfile2;
520 		goto parse_string;
521 
522 	case oHostName:
523 		charptr = &options->hostname;
524 		goto parse_string;
525 
526 	case oHostKeyAlias:
527 		charptr = &options->host_key_alias;
528 		goto parse_string;
529 
530 	case oPreferredAuthentications:
531 		charptr = &options->preferred_authentications;
532 		goto parse_string;
533 
534 	case oBindAddress:
535 		charptr = &options->bind_address;
536 		goto parse_string;
537 
538 	case oSmartcardDevice:
539 		charptr = &options->smartcard_device;
540 		goto parse_string;
541 
542 	case oProxyCommand:
543 		charptr = &options->proxy_command;
544 		string = xstrdup("");
545 		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
546 			string = xrealloc(string, strlen(string) + strlen(arg) + 2);
547 			strcat(string, " ");
548 			strcat(string, arg);
549 		}
550 		if (*activep && *charptr == NULL)
551 			*charptr = string;
552 		else
553 			xfree(string);
554 		return 0;
555 
556 	case oPort:
557 		intptr = &options->port;
558 parse_int:
559 		arg = strdelim(&s);
560 		if (!arg || *arg == '\0')
561 			fatal("%.200s line %d: Missing argument.", filename, linenum);
562 		if (arg[0] < '0' || arg[0] > '9')
563 			fatal("%.200s line %d: Bad number.", filename, linenum);
564 
565 		/* Octal, decimal, or hex format? */
566 		value = strtol(arg, &endofnumber, 0);
567 		if (arg == endofnumber)
568 			fatal("%.200s line %d: Bad number.", filename, linenum);
569 		if (*activep && *intptr == -1)
570 			*intptr = value;
571 		break;
572 
573 	case oConnectionAttempts:
574 		intptr = &options->connection_attempts;
575 		goto parse_int;
576 
577 	case oCipher:
578 		intptr = &options->cipher;
579 		arg = strdelim(&s);
580 		if (!arg || *arg == '\0')
581 			fatal("%.200s line %d: Missing argument.", filename, linenum);
582 		value = cipher_number(arg);
583 		if (value == -1)
584 			fatal("%.200s line %d: Bad cipher '%s'.",
585 			    filename, linenum, arg ? arg : "<NONE>");
586 		if (*activep && *intptr == -1)
587 			*intptr = value;
588 		break;
589 
590 	case oCiphers:
591 		arg = strdelim(&s);
592 		if (!arg || *arg == '\0')
593 			fatal("%.200s line %d: Missing argument.", filename, linenum);
594 		if (!ciphers_valid(arg))
595 			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
596 			    filename, linenum, arg ? arg : "<NONE>");
597 		if (*activep && options->ciphers == NULL)
598 			options->ciphers = xstrdup(arg);
599 		break;
600 
601 	case oMacs:
602 		arg = strdelim(&s);
603 		if (!arg || *arg == '\0')
604 			fatal("%.200s line %d: Missing argument.", filename, linenum);
605 		if (!mac_valid(arg))
606 			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
607 			    filename, linenum, arg ? arg : "<NONE>");
608 		if (*activep && options->macs == NULL)
609 			options->macs = xstrdup(arg);
610 		break;
611 
612 	case oHostKeyAlgorithms:
613 		arg = strdelim(&s);
614 		if (!arg || *arg == '\0')
615 			fatal("%.200s line %d: Missing argument.", filename, linenum);
616 		if (!key_names_valid2(arg))
617 			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
618 			    filename, linenum, arg ? arg : "<NONE>");
619 		if (*activep && options->hostkeyalgorithms == NULL)
620 			options->hostkeyalgorithms = xstrdup(arg);
621 		break;
622 
623 	case oProtocol:
624 		intptr = &options->protocol;
625 		arg = strdelim(&s);
626 		if (!arg || *arg == '\0')
627 			fatal("%.200s line %d: Missing argument.", filename, linenum);
628 		value = proto_spec(arg);
629 		if (value == SSH_PROTO_UNKNOWN)
630 			fatal("%.200s line %d: Bad protocol spec '%s'.",
631 			    filename, linenum, arg ? arg : "<NONE>");
632 		if (*activep && *intptr == SSH_PROTO_UNKNOWN)
633 			*intptr = value;
634 		break;
635 
636 	case oLogLevel:
637 		intptr = (int *) &options->log_level;
638 		arg = strdelim(&s);
639 		value = log_level_number(arg);
640 		if (value == SYSLOG_LEVEL_NOT_SET)
641 			fatal("%.200s line %d: unsupported log level '%s'",
642 			    filename, linenum, arg ? arg : "<NONE>");
643 		if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
644 			*intptr = (LogLevel) value;
645 		break;
646 
647 	case oLocalForward:
648 	case oRemoteForward:
649 		arg = strdelim(&s);
650 		if (!arg || *arg == '\0')
651 			fatal("%.200s line %d: Missing port argument.",
652 			    filename, linenum);
653 		if ((fwd_port = a2port(arg)) == 0)
654 			fatal("%.200s line %d: Bad listen port.",
655 			    filename, linenum);
656 		arg = strdelim(&s);
657 		if (!arg || *arg == '\0')
658 			fatal("%.200s line %d: Missing second argument.",
659 			    filename, linenum);
660 		if (sscanf(arg, "%255[^:]:%5[0-9]", buf, sfwd_host_port) != 2 &&
661 		    sscanf(arg, "%255[^/]/%5[0-9]", buf, sfwd_host_port) != 2)
662 			fatal("%.200s line %d: Bad forwarding specification.",
663 			    filename, linenum);
664 		if ((fwd_host_port = a2port(sfwd_host_port)) == 0)
665 			fatal("%.200s line %d: Bad forwarding port.",
666 			    filename, linenum);
667 		if (*activep) {
668 			if (opcode == oLocalForward)
669 				add_local_forward(options, fwd_port, buf,
670 				    fwd_host_port);
671 			else if (opcode == oRemoteForward)
672 				add_remote_forward(options, fwd_port, buf,
673 				    fwd_host_port);
674 		}
675 		break;
676 
677 	case oDynamicForward:
678 		arg = strdelim(&s);
679 		if (!arg || *arg == '\0')
680 			fatal("%.200s line %d: Missing port argument.",
681 			    filename, linenum);
682 		fwd_port = a2port(arg);
683 		if (fwd_port == 0)
684 			fatal("%.200s line %d: Badly formatted port number.",
685 			    filename, linenum);
686 		if (*activep)
687 			add_local_forward(options, fwd_port, "socks4", 0);
688 		break;
689 
690 	case oClearAllForwardings:
691 		intptr = &options->clear_forwardings;
692 		goto parse_flag;
693 
694 	case oHost:
695 		*activep = 0;
696 		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
697 			if (match_pattern(host, arg)) {
698 				debug("Applying options for %.100s", arg);
699 				*activep = 1;
700 				break;
701 			}
702 		/* Avoid garbage check below, as strdelim is done. */
703 		return 0;
704 
705 	case oEscapeChar:
706 		intptr = &options->escape_char;
707 		arg = strdelim(&s);
708 		if (!arg || *arg == '\0')
709 			fatal("%.200s line %d: Missing argument.", filename, linenum);
710 		if (arg[0] == '^' && arg[2] == 0 &&
711 		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
712 			value = (u_char) arg[1] & 31;
713 		else if (strlen(arg) == 1)
714 			value = (u_char) arg[0];
715 		else if (strcmp(arg, "none") == 0)
716 			value = SSH_ESCAPECHAR_NONE;
717 		else {
718 			fatal("%.200s line %d: Bad escape character.",
719 			    filename, linenum);
720 			/* NOTREACHED */
721 			value = 0;	/* Avoid compiler warning. */
722 		}
723 		if (*activep && *intptr == -1)
724 			*intptr = value;
725 		break;
726 
727 	case oDeprecated:
728 		debug("%s line %d: Deprecated option \"%s\"",
729 		    filename, linenum, keyword);
730 		return 0;
731 
732 	default:
733 		fatal("process_config_line: Unimplemented opcode %d", opcode);
734 	}
735 
736 	/* Check that there is no garbage at end of line. */
737 	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
738 		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
739 		     filename, linenum, arg);
740 	}
741 	return 0;
742 }
743 
744 
745 /*
746  * Reads the config file and modifies the options accordingly.  Options
747  * should already be initialized before this call.  This never returns if
748  * there is an error.  If the file does not exist, this returns 0.
749  */
750 
751 int
752 read_config_file(const char *filename, const char *host, Options *options)
753 {
754 	FILE *f;
755 	char line[1024];
756 	int active, linenum;
757 	int bad_options = 0;
758 
759 	/* Open the file. */
760 	f = fopen(filename, "r");
761 	if (!f)
762 		return 0;
763 
764 	debug("Reading configuration data %.200s", filename);
765 
766 	/*
767 	 * Mark that we are now processing the options.  This flag is turned
768 	 * on/off by Host specifications.
769 	 */
770 	active = 1;
771 	linenum = 0;
772 	while (fgets(line, sizeof(line), f)) {
773 		/* Update line number counter. */
774 		linenum++;
775 		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
776 			bad_options++;
777 	}
778 	fclose(f);
779 	if (bad_options > 0)
780 		fatal("%s: terminating, %d bad configuration options",
781 		    filename, bad_options);
782 	return 1;
783 }
784 
785 /*
786  * Initializes options to special values that indicate that they have not yet
787  * been set.  Read_config_file will only set options with this value. Options
788  * are processed in the following order: command line, user config file,
789  * system config file.  Last, fill_default_options is called.
790  */
791 
792 void
793 initialize_options(Options * options)
794 {
795 	memset(options, 'X', sizeof(*options));
796 	options->forward_agent = -1;
797 	options->forward_x11 = -1;
798 	options->xauth_location = NULL;
799 	options->gateway_ports = -1;
800 	options->use_privileged_port = -1;
801 	options->rhosts_authentication = -1;
802 	options->rsa_authentication = -1;
803 	options->pubkey_authentication = -1;
804 	options->challenge_response_authentication = -1;
805 #ifdef GSSAPI
806         options->gss_keyex = -1;
807         options->gss_authentication = -1;
808         options->gss_deleg_creds = -1;
809 #ifdef GSI
810         options->gss_globus_deleg_limited_proxy = -1;
811 #endif /* GSI */
812 #endif /* GSSAPI */
813 
814 #if defined(KRB4) || defined(KRB5)
815 	options->kerberos_authentication = -1;
816 #endif
817 #if defined(AFS) || defined(KRB5)
818 	options->kerberos_tgt_passing = -1;
819 #endif
820 #ifdef AFS
821 	options->afs_token_passing = -1;
822 #endif
823 	options->password_authentication = -1;
824 	options->kbd_interactive_authentication = -1;
825 	options->kbd_interactive_devices = NULL;
826 	options->rhosts_rsa_authentication = -1;
827 	options->hostbased_authentication = -1;
828 	options->batch_mode = -1;
829 	options->check_host_ip = -1;
830 	options->strict_host_key_checking = -1;
831 	options->compression = -1;
832 	options->keepalives = -1;
833 	options->compression_level = -1;
834 	options->port = -1;
835 	options->connection_attempts = -1;
836 	options->number_of_password_prompts = -1;
837 	options->cipher = -1;
838 	options->ciphers = NULL;
839 	options->macs = NULL;
840 	options->hostkeyalgorithms = NULL;
841 	options->protocol = SSH_PROTO_UNKNOWN;
842 	options->num_identity_files = 0;
843 	options->hostname = NULL;
844 	options->host_key_alias = NULL;
845 	options->proxy_command = NULL;
846 	options->user = NULL;
847 	options->escape_char = -1;
848 	options->system_hostfile = NULL;
849 	options->user_hostfile = NULL;
850 	options->system_hostfile2 = NULL;
851 	options->user_hostfile2 = NULL;
852 	options->num_local_forwards = 0;
853 	options->num_remote_forwards = 0;
854 	options->clear_forwardings = -1;
855 	options->log_level = SYSLOG_LEVEL_NOT_SET;
856 	options->preferred_authentications = NULL;
857 	options->bind_address = NULL;
858 	options->smartcard_device = NULL;
859 	options->no_host_authentication_for_localhost = - 1;
860 	options->fallback_to_rsh = -1;
861 	options->use_rsh = -1;
862 }
863 
864 /*
865  * Called after processing other sources of option data, this fills those
866  * options for which no value has been specified with their default values.
867  */
868 
869 void
870 fill_default_options(Options * options)
871 {
872 	int len;
873 
874 	if (options->forward_agent == -1)
875 		options->forward_agent = 0;
876 	if (options->forward_x11 == -1)
877 		options->forward_x11 = 0;
878 	if (options->xauth_location == NULL)
879 		options->xauth_location = _PATH_XAUTH;
880 	if (options->gateway_ports == -1)
881 		options->gateway_ports = 0;
882 	if (options->use_privileged_port == -1)
883 		options->use_privileged_port = 0;
884 	if (options->rhosts_authentication == -1)
885 		options->rhosts_authentication = 0;
886 	if (options->rsa_authentication == -1)
887 		options->rsa_authentication = 1;
888 	if (options->pubkey_authentication == -1)
889 		options->pubkey_authentication = 1;
890 	if (options->challenge_response_authentication == -1)
891 		options->challenge_response_authentication = 1;
892 #ifdef GSSAPI
893 	if (options->gss_keyex == -1)
894 		options->gss_keyex = 1;
895 	if (options->gss_authentication == -1)
896 		options->gss_authentication = 1;
897 	if (options->gss_deleg_creds == -1)
898 		options->gss_deleg_creds = 0;
899 #ifdef GSI
900 	if (options->gss_globus_deleg_limited_proxy == -1)
901 		options->gss_globus_deleg_limited_proxy = 0;
902 #endif /* GSI */
903 #endif /* GSSAPI */
904 #if defined(KRB4) || defined(KRB5)
905 	if (options->kerberos_authentication == -1)
906 		options->kerberos_authentication = 1;
907 #endif
908 #if defined(AFS) || defined(KRB5)
909 	if (options->kerberos_tgt_passing == -1)
910 		options->kerberos_tgt_passing = 1;
911 #endif
912 #ifdef AFS
913 	if (options->afs_token_passing == -1)
914 		options->afs_token_passing = 1;
915 #endif
916 	if (options->password_authentication == -1)
917 		options->password_authentication = 1;
918 	if (options->kbd_interactive_authentication == -1)
919 		options->kbd_interactive_authentication = 1;
920 	if (options->rhosts_rsa_authentication == -1)
921 		options->rhosts_rsa_authentication = 0;
922 	if (options->hostbased_authentication == -1)
923 		options->hostbased_authentication = 0;
924 	if (options->batch_mode == -1)
925 		options->batch_mode = 0;
926 	if (options->check_host_ip == -1)
927 		options->check_host_ip = 1;
928 	if (options->strict_host_key_checking == -1)
929 		options->strict_host_key_checking = 2;	/* 2 is default */
930 	if (options->compression == -1)
931 		options->compression = 0;
932 	if (options->keepalives == -1)
933 		options->keepalives = 1;
934 	if (options->compression_level == -1)
935 		options->compression_level = 6;
936 	if (options->port == -1)
937 		options->port = 0;	/* Filled in ssh_connect. */
938 	if (options->connection_attempts == -1)
939 		options->connection_attempts = 1;
940 	if (options->number_of_password_prompts == -1)
941 		options->number_of_password_prompts = 3;
942 	/* Selected in ssh_login(). */
943 	if (options->cipher == -1)
944 		options->cipher = SSH_CIPHER_NOT_SET;
945 	/* options->ciphers, default set in myproposals.h */
946 	/* options->macs, default set in myproposals.h */
947 	/* options->hostkeyalgorithms, default set in myproposals.h */
948 	if (options->protocol == SSH_PROTO_UNKNOWN)
949 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
950 	if (options->num_identity_files == 0) {
951 		if (options->protocol & SSH_PROTO_1) {
952 			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
953 			options->identity_files[options->num_identity_files] =
954 			    xmalloc(len);
955 			snprintf(options->identity_files[options->num_identity_files++],
956 			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
957 		}
958 		if (options->protocol & SSH_PROTO_2) {
959 			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
960 			options->identity_files[options->num_identity_files] =
961 			    xmalloc(len);
962 			snprintf(options->identity_files[options->num_identity_files++],
963 			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
964 
965 			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
966 			options->identity_files[options->num_identity_files] =
967 			    xmalloc(len);
968 			snprintf(options->identity_files[options->num_identity_files++],
969 			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
970 		}
971 	}
972 	if (options->escape_char == -1)
973 		options->escape_char = '~';
974 	if (options->system_hostfile == NULL)
975 		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
976 	if (options->user_hostfile == NULL)
977 		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
978 	if (options->system_hostfile2 == NULL)
979 		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
980 	if (options->user_hostfile2 == NULL)
981 		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
982 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
983 		options->log_level = SYSLOG_LEVEL_INFO;
984 	if (options->clear_forwardings == 1)
985 		clear_forwardings(options);
986 	if (options->no_host_authentication_for_localhost == - 1)
987 		options->no_host_authentication_for_localhost = 0;
988 	if (options->fallback_to_rsh == - 1)
989 		options->fallback_to_rsh = 0;
990 	if (options->use_rsh == - 1)
991 		options->use_rsh = 0;
992 	/* options->proxy_command should not be set by default */
993 	/* options->user will be set in the main program if appropriate */
994 	/* options->hostname will be set in the main program if appropriate */
995 	/* options->host_key_alias should not be set by default */
996 	/* options->preferred_authentications will be set in ssh */
997 }
998