1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 13 * Use is subject to license terms. 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 18 19 #ifdef HAVE_DEFOPEN 20 #include <deflt.h> 21 #endif /* HAVE_DEFOPEN */ 22 23 #if defined(KRB4) 24 #include <krb.h> 25 #endif 26 #if defined(KRB5) 27 #ifdef HEIMDAL 28 #include <krb.h> 29 #else 30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 31 * keytab */ 32 #define KEYFILE "/etc/krb5.keytab" 33 #endif 34 #endif 35 #ifdef AFS 36 #include <kafs.h> 37 #endif 38 39 #include "ssh.h" 40 #include "log.h" 41 #include "buffer.h" 42 #include "servconf.h" 43 #include "xmalloc.h" 44 #include "compat.h" 45 #include "pathnames.h" 46 #include "tildexpand.h" 47 #include "misc.h" 48 #include "cipher.h" 49 #include "kex.h" 50 #include "mac.h" 51 #include "auth.h" 52 #include "match.h" 53 #include "groupaccess.h" 54 55 static void add_listen_addr(ServerOptions *, char *, u_short); 56 static void add_one_listen_addr(ServerOptions *, char *, u_short); 57 58 extern Buffer cfg; 59 60 /* AF_UNSPEC or AF_INET or AF_INET6 */ 61 extern int IPv4or6; 62 63 /* 64 * Initializes the server options to their initial (unset) values. Some of those 65 * that stay unset after the command line options and configuration files are 66 * read are set to their default values in fill_default_server_options(). 67 */ 68 void 69 initialize_server_options(ServerOptions *options) 70 { 71 (void) memset(options, 0, sizeof(*options)); 72 73 /* Portable-specific options */ 74 options->pam_authentication_via_kbd_int = -1; 75 76 /* Standard Options */ 77 options->num_ports = 0; 78 options->ports_from_cmdline = 0; 79 options->listen_addrs = NULL; 80 options->num_host_key_files = 0; 81 options->pid_file = NULL; 82 options->server_key_bits = -1; 83 options->login_grace_time = -1; 84 options->key_regeneration_time = -1; 85 options->permit_root_login = PERMIT_NOT_SET; 86 options->ignore_rhosts = -1; 87 options->ignore_user_known_hosts = -1; 88 options->print_motd = -1; 89 options->print_lastlog = -1; 90 options->x11_forwarding = -1; 91 options->x11_display_offset = -1; 92 options->x11_use_localhost = -1; 93 options->xauth_location = NULL; 94 options->strict_modes = -1; 95 options->keepalives = -1; 96 options->log_facility = SYSLOG_FACILITY_NOT_SET; 97 options->log_level = SYSLOG_LEVEL_NOT_SET; 98 options->rhosts_authentication = -1; 99 options->rhosts_rsa_authentication = -1; 100 options->hostbased_authentication = -1; 101 options->hostbased_uses_name_from_packet_only = -1; 102 options->rsa_authentication = -1; 103 options->pubkey_authentication = -1; 104 #ifdef GSSAPI 105 options->gss_authentication = -1; 106 options->gss_keyex = -1; 107 options->gss_store_creds = -1; 108 options->gss_use_session_ccache = -1; 109 options->gss_cleanup_creds = -1; 110 #endif 111 #if defined(KRB4) || defined(KRB5) 112 options->kerberos_authentication = -1; 113 options->kerberos_or_local_passwd = -1; 114 options->kerberos_ticket_cleanup = -1; 115 #endif 116 #if defined(AFS) || defined(KRB5) 117 options->kerberos_tgt_passing = -1; 118 #endif 119 #ifdef AFS 120 options->afs_token_passing = -1; 121 #endif 122 options->password_authentication = -1; 123 options->kbd_interactive_authentication = -1; 124 options->challenge_response_authentication = -1; 125 options->permit_empty_passwd = -1; 126 options->permit_user_env = -1; 127 options->compression = -1; 128 options->allow_tcp_forwarding = -1; 129 options->num_allow_users = 0; 130 options->num_deny_users = 0; 131 options->num_allow_groups = 0; 132 options->num_deny_groups = 0; 133 options->ciphers = NULL; 134 options->macs = NULL; 135 options->protocol = SSH_PROTO_UNKNOWN; 136 options->gateway_ports = -1; 137 options->num_subsystems = 0; 138 options->max_startups_begin = -1; 139 options->max_startups_rate = -1; 140 options->max_startups = -1; 141 options->banner = NULL; 142 options->verify_reverse_mapping = -1; 143 options->client_alive_interval = -1; 144 options->client_alive_count_max = -1; 145 options->authorized_keys_file = NULL; 146 options->authorized_keys_file2 = NULL; 147 148 options->max_auth_tries = -1; 149 options->max_auth_tries_log = -1; 150 151 options->max_init_auth_tries = -1; 152 options->max_init_auth_tries_log = -1; 153 154 options->lookup_client_hostnames = -1; 155 options->use_openssl_engine = -1; 156 options->chroot_directory = NULL; 157 options->pre_userauth_hook = NULL; 158 } 159 160 #ifdef HAVE_DEFOPEN 161 /* 162 * Reads /etc/default/login and defaults several ServerOptions: 163 * 164 * PermitRootLogin 165 * PermitEmptyPasswords 166 * LoginGraceTime 167 * 168 * CONSOLE=* -> PermitRootLogin=without-password 169 * #CONSOLE=* -> PermitRootLogin=yes 170 * 171 * PASSREQ=YES -> PermitEmptyPasswords=no 172 * PASSREQ=NO -> PermitEmptyPasswords=yes 173 * #PASSREQ=* -> PermitEmptyPasswords=no 174 * 175 * TIMEOUT=<secs> -> LoginGraceTime=<secs> 176 * #TIMEOUT=<secs> -> LoginGraceTime=300 177 */ 178 static 179 void 180 deflt_fill_default_server_options(ServerOptions *options) 181 { 182 int flags; 183 char *ptr; 184 185 if (defopen(_PATH_DEFAULT_LOGIN)) 186 return; 187 188 /* Ignore case */ 189 flags = defcntl(DC_GETFLAGS, 0); 190 TURNOFF(flags, DC_CASE); 191 (void) defcntl(DC_SETFLAGS, flags); 192 193 if (options->permit_root_login == PERMIT_NOT_SET && 194 (ptr = defread("CONSOLE=")) != NULL) 195 options->permit_root_login = PERMIT_NO_PASSWD; 196 197 if (options->permit_empty_passwd == -1 && 198 (ptr = defread("PASSREQ=")) != NULL) { 199 if (strcasecmp("YES", ptr) == 0) 200 options->permit_empty_passwd = 0; 201 else if (strcasecmp("NO", ptr) == 0) 202 options->permit_empty_passwd = 1; 203 } 204 205 if (options->max_init_auth_tries == -1 && 206 (ptr = defread("RETRIES=")) != NULL) { 207 options->max_init_auth_tries = atoi(ptr); 208 } 209 210 if (options->max_init_auth_tries_log == -1 && 211 (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) { 212 options->max_init_auth_tries_log = atoi(ptr); 213 } 214 215 if (options->login_grace_time == -1) { 216 if ((ptr = defread("TIMEOUT=")) != NULL) 217 options->login_grace_time = (unsigned)atoi(ptr); 218 else 219 options->login_grace_time = 300; 220 } 221 222 (void) defopen((char *)NULL); 223 } 224 #endif /* HAVE_DEFOPEN */ 225 226 void 227 fill_default_server_options(ServerOptions *options) 228 { 229 230 #ifdef HAVE_DEFOPEN 231 deflt_fill_default_server_options(options); 232 #endif /* HAVE_DEFOPEN */ 233 234 /* Portable-specific options */ 235 if (options->pam_authentication_via_kbd_int == -1) 236 options->pam_authentication_via_kbd_int = 0; 237 238 /* Standard Options */ 239 if (options->protocol == SSH_PROTO_UNKNOWN) 240 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 241 if (options->num_host_key_files == 0) { 242 /* fill default hostkeys for protocols */ 243 if (options->protocol & SSH_PROTO_1) 244 options->host_key_files[options->num_host_key_files++] = 245 _PATH_HOST_KEY_FILE; 246 #ifndef GSSAPI 247 /* With GSS keyex we can run v2 w/ no host keys */ 248 if (options->protocol & SSH_PROTO_2) { 249 options->host_key_files[options->num_host_key_files++] = 250 _PATH_HOST_RSA_KEY_FILE; 251 options->host_key_files[options->num_host_key_files++] = 252 _PATH_HOST_DSA_KEY_FILE; 253 } 254 #endif /* GSSAPI */ 255 } 256 if (options->num_ports == 0) 257 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 258 if (options->listen_addrs == NULL) 259 add_listen_addr(options, NULL, 0); 260 if (options->pid_file == NULL) 261 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 262 if (options->server_key_bits == -1) 263 options->server_key_bits = 768; 264 if (options->login_grace_time == -1) 265 options->login_grace_time = 120; 266 if (options->key_regeneration_time == -1) 267 options->key_regeneration_time = 3600; 268 if (options->permit_root_login == PERMIT_NOT_SET) 269 options->permit_root_login = PERMIT_YES; 270 if (options->ignore_rhosts == -1) 271 options->ignore_rhosts = 1; 272 if (options->ignore_user_known_hosts == -1) 273 options->ignore_user_known_hosts = 0; 274 if (options->print_motd == -1) 275 options->print_motd = 1; 276 if (options->print_lastlog == -1) 277 options->print_lastlog = 1; 278 if (options->x11_forwarding == -1) 279 options->x11_forwarding = 1; 280 if (options->x11_display_offset == -1) 281 options->x11_display_offset = 10; 282 if (options->x11_use_localhost == -1) 283 options->x11_use_localhost = 1; 284 if (options->xauth_location == NULL) 285 options->xauth_location = _PATH_XAUTH; 286 if (options->strict_modes == -1) 287 options->strict_modes = 1; 288 if (options->keepalives == -1) 289 options->keepalives = 1; 290 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 291 options->log_facility = SYSLOG_FACILITY_AUTH; 292 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 293 options->log_level = SYSLOG_LEVEL_INFO; 294 if (options->rhosts_authentication == -1) 295 options->rhosts_authentication = 0; 296 if (options->rhosts_rsa_authentication == -1) 297 options->rhosts_rsa_authentication = 0; 298 if (options->hostbased_authentication == -1) 299 options->hostbased_authentication = 0; 300 if (options->hostbased_uses_name_from_packet_only == -1) 301 options->hostbased_uses_name_from_packet_only = 0; 302 if (options->rsa_authentication == -1) 303 options->rsa_authentication = 1; 304 if (options->pubkey_authentication == -1) 305 options->pubkey_authentication = 1; 306 #ifdef GSSAPI 307 if (options->gss_authentication == -1) 308 options->gss_authentication = 1; 309 if (options->gss_keyex == -1) 310 options->gss_keyex = 1; 311 if (options->gss_store_creds == -1) 312 options->gss_store_creds = 1; 313 if (options->gss_use_session_ccache == -1) 314 options->gss_use_session_ccache = 1; 315 if (options->gss_cleanup_creds == -1) 316 options->gss_cleanup_creds = 1; 317 #endif 318 #if defined(KRB4) || defined(KRB5) 319 if (options->kerberos_authentication == -1) 320 options->kerberos_authentication = 0; 321 if (options->kerberos_or_local_passwd == -1) 322 options->kerberos_or_local_passwd = 1; 323 if (options->kerberos_ticket_cleanup == -1) 324 options->kerberos_ticket_cleanup = 1; 325 #endif 326 #if defined(AFS) || defined(KRB5) 327 if (options->kerberos_tgt_passing == -1) 328 options->kerberos_tgt_passing = 0; 329 #endif 330 #ifdef AFS 331 if (options->afs_token_passing == -1) 332 options->afs_token_passing = 0; 333 #endif 334 if (options->password_authentication == -1) 335 options->password_authentication = 1; 336 if (options->kbd_interactive_authentication == -1) 337 options->kbd_interactive_authentication = 0; 338 if (options->challenge_response_authentication == -1) 339 options->challenge_response_authentication = 1; 340 if (options->permit_empty_passwd == -1) 341 options->permit_empty_passwd = 0; 342 if (options->permit_user_env == -1) 343 options->permit_user_env = 0; 344 if (options->compression == -1) 345 options->compression = 1; 346 if (options->allow_tcp_forwarding == -1) 347 options->allow_tcp_forwarding = 1; 348 if (options->gateway_ports == -1) 349 options->gateway_ports = 0; 350 if (options->max_startups == -1) 351 options->max_startups = 10; 352 if (options->max_startups_rate == -1) 353 options->max_startups_rate = 100; /* 100% */ 354 if (options->max_startups_begin == -1) 355 options->max_startups_begin = options->max_startups; 356 if (options->verify_reverse_mapping == -1) 357 options->verify_reverse_mapping = 0; 358 if (options->client_alive_interval == -1) 359 options->client_alive_interval = 0; 360 if (options->client_alive_count_max == -1) 361 options->client_alive_count_max = 3; 362 if (options->authorized_keys_file2 == NULL) { 363 /* authorized_keys_file2 falls back to authorized_keys_file */ 364 if (options->authorized_keys_file != NULL) 365 options->authorized_keys_file2 = options->authorized_keys_file; 366 else 367 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 368 } 369 if (options->authorized_keys_file == NULL) 370 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 371 372 if (options->max_auth_tries == -1) 373 options->max_auth_tries = AUTH_FAIL_MAX; 374 if (options->max_auth_tries_log == -1) 375 options->max_auth_tries_log = options->max_auth_tries / 2; 376 377 if (options->max_init_auth_tries == -1) 378 options->max_init_auth_tries = AUTH_FAIL_MAX; 379 if (options->max_init_auth_tries_log == -1) 380 options->max_init_auth_tries_log = options->max_init_auth_tries / 2; 381 382 if (options->lookup_client_hostnames == -1) 383 options->lookup_client_hostnames = 1; 384 if (options->use_openssl_engine == -1) 385 options->use_openssl_engine = 1; 386 } 387 388 /* Keyword tokens. */ 389 typedef enum { 390 sBadOption, /* == unknown option */ 391 /* Portable-specific options */ 392 sPAMAuthenticationViaKbdInt, 393 /* Standard Options */ 394 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 395 sPermitRootLogin, sLogFacility, sLogLevel, 396 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 397 #ifdef GSSAPI 398 sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds, 399 sGssUseSessionCredCache, sGssCleanupCreds, 400 #endif /* GSSAPI */ 401 #if defined(KRB4) || defined(KRB5) 402 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 403 #endif 404 #if defined(AFS) || defined(KRB5) 405 sKerberosTgtPassing, 406 #endif 407 #ifdef AFS 408 sAFSTokenPassing, 409 #endif 410 sChallengeResponseAuthentication, 411 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 412 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 413 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 414 sStrictModes, sEmptyPasswd, sKeepAlives, 415 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 416 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 417 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 418 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 419 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 420 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 421 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 422 sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation, 423 sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory, 424 sPreUserauthHook, sMatch, 425 sDeprecated 426 } ServerOpCodes; 427 428 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 429 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 430 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 431 432 /* Textual representation of the tokens. */ 433 static struct { 434 const char *name; 435 ServerOpCodes opcode; 436 u_int flags; 437 } keywords[] = { 438 /* Portable-specific options */ 439 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL }, 440 /* Standard Options */ 441 { "port", sPort, SSHCFG_GLOBAL }, 442 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 443 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 444 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 445 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 446 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 447 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 448 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 449 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 450 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 451 { "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL }, 452 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 453 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 454 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 455 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 456 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 457 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 458 #ifdef GSSAPI 459 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 460 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 461 { "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL }, 462 { "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL }, /* alias */ 463 { "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL }, /* alias */ 464 { "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL }, /* alias */ 465 #ifndef SUNW_GSSAPI 466 { "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 467 { "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 468 { "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, 469 #endif /* SUNW_GSSAPI */ 470 #endif 471 #if defined(KRB4) || defined(KRB5) 472 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 473 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 474 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 475 #endif 476 #if defined(AFS) || defined(KRB5) 477 { "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL }, 478 #endif 479 #ifdef AFS 480 { "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL }, 481 #endif 482 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 483 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 484 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 485 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 486 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 487 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 488 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 489 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 490 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 491 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 492 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 493 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 497 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 498 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 499 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 500 { "compression", sCompression, SSHCFG_GLOBAL }, 501 { "keepalive", sKeepAlives, SSHCFG_GLOBAL }, 502 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 503 { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, 504 { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, 505 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, 506 { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, 507 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 508 { "macs", sMacs, SSHCFG_GLOBAL}, 509 { "protocol", sProtocol,SSHCFG_GLOBAL }, 510 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 511 { "subsystem", sSubsystem, SSHCFG_GLOBAL}, 512 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 513 { "banner", sBanner, SSHCFG_ALL }, 514 { "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL }, 515 { "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL }, 516 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 517 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 518 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, 519 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, 520 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 521 { "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL }, 522 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, 523 { "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL }, 524 { "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL }, 525 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 526 { "preuserauthhook", sPreUserauthHook, SSHCFG_ALL}, 527 { "match", sMatch, SSHCFG_ALL }, 528 529 { NULL, sBadOption, 0 } 530 }; 531 532 /* 533 * Returns the number of the token pointed to by cp or sBadOption. 534 */ 535 536 static ServerOpCodes 537 parse_token(const char *cp, const char *filename, 538 int linenum, u_int *flags) 539 { 540 u_int i; 541 542 for (i = 0; keywords[i].name; i++) 543 if (strcasecmp(cp, keywords[i].name) == 0) { 544 *flags = keywords[i].flags; 545 return keywords[i].opcode; 546 } 547 548 error("%s: line %d: Bad configuration option: %s", 549 filename, linenum, cp); 550 return sBadOption; 551 } 552 553 static void 554 add_listen_addr(ServerOptions *options, char *addr, u_short port) 555 { 556 int i; 557 558 if (options->num_ports == 0) 559 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 560 if (port == 0) 561 for (i = 0; i < options->num_ports; i++) 562 add_one_listen_addr(options, addr, options->ports[i]); 563 else 564 add_one_listen_addr(options, addr, port); 565 } 566 567 static void 568 add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 569 { 570 struct addrinfo hints, *ai, *aitop; 571 char strport[NI_MAXSERV]; 572 int gaierr; 573 574 (void) memset(&hints, 0, sizeof(hints)); 575 hints.ai_family = IPv4or6; 576 hints.ai_socktype = SOCK_STREAM; 577 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 578 (void) snprintf(strport, sizeof strport, "%u", port); 579 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 580 fatal("bad addr or host: %s (%s)", 581 addr ? addr : "<NULL>", 582 gai_strerror(gaierr)); 583 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 584 ; 585 ai->ai_next = options->listen_addrs; 586 options->listen_addrs = aitop; 587 } 588 589 /* 590 * The strategy for the Match blocks is that the config file is parsed twice. 591 * 592 * The first time is at startup. activep is initialized to 1 and the 593 * directives in the global context are processed and acted on. Hitting a 594 * Match directive unsets activep and the directives inside the block are 595 * checked for syntax only. 596 * 597 * The second time is after a connection has been established but before 598 * authentication. activep is initialized to 2 and global config directives 599 * are ignored since they have already been processed. If the criteria in a 600 * Match block is met, activep is set and the subsequent directives 601 * processed and actioned until EOF or another Match block unsets it. Any 602 * options set are copied into the main server config. 603 * 604 * Potential additions/improvements: 605 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 606 * 607 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 608 * Match Address 192.168.0.* 609 * Tag trusted 610 * Match Group wheel 611 * Tag trusted 612 * Match Tag trusted 613 * AllowTcpForwarding yes 614 * GatewayPorts clientspecified 615 * [...] 616 * 617 * - Add a PermittedChannelRequests directive 618 * Match Group shell 619 * PermittedChannelRequests session,forwarded-tcpip 620 */ 621 622 static int 623 match_cfg_line_group(const char *grps, int line, const char *user) 624 { 625 int result = 0; 626 struct passwd *pw; 627 628 if (user == NULL) 629 goto out; 630 631 if ((pw = getpwnam(user)) == NULL) { 632 debug("Can't match group at line %d because user %.100s does " 633 "not exist", line, user); 634 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 635 debug("Can't Match group because user %.100s not in any group " 636 "at line %d", user, line); 637 } else if (ga_match_pattern_list(grps) != 1) { 638 debug("user %.100s does not match group list %.100s at line %d", 639 user, grps, line); 640 } else { 641 debug("user %.100s matched group list %.100s at line %d", user, 642 grps, line); 643 result = 1; 644 } 645 out: 646 ga_free(); 647 return result; 648 } 649 650 static int 651 match_cfg_line(char **condition, int line, const char *user, const char *host, 652 const char *address) 653 { 654 int result = 1; 655 char *arg, *attrib, *cp = *condition; 656 size_t len; 657 658 if (user == NULL) 659 debug3("checking syntax for 'Match %s'", cp); 660 else 661 debug3("checking match for '%s' user %s host %s addr %s", cp, 662 user ? user : "(null)", host ? host : "(null)", 663 address ? address : "(null)"); 664 665 while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') { 666 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 667 error("Missing Match criteria for %s", attrib); 668 return -1; 669 } 670 len = strlen(arg); 671 if (strcasecmp(attrib, "user") == 0) { 672 if (!user) { 673 result = 0; 674 continue; 675 } 676 if (match_pattern_list(user, arg, len, 0) != 1) 677 result = 0; 678 else 679 debug("user %.100s matched 'User %.100s' at " 680 "line %d", user, arg, line); 681 } else if (strcasecmp(attrib, "group") == 0) { 682 switch (match_cfg_line_group(arg, line, user)) { 683 case -1: 684 return -1; 685 case 0: 686 result = 0; 687 } 688 } else if (strcasecmp(attrib, "host") == 0) { 689 if (!host) { 690 result = 0; 691 continue; 692 } 693 if (match_hostname(host, arg, len) != 1) 694 result = 0; 695 else 696 debug("connection from %.100s matched 'Host " 697 "%.100s' at line %d", host, arg, line); 698 } else if (strcasecmp(attrib, "address") == 0) { 699 switch (addr_match_list(address, arg)) { 700 case 1: 701 debug("connection from %.100s matched 'Address " 702 "%.100s' at line %d", address, arg, line); 703 break; 704 case 0: 705 case -1: 706 result = 0; 707 break; 708 case -2: 709 return -1; 710 } 711 } else { 712 error("Unsupported Match attribute %s", attrib); 713 return -1; 714 } 715 } 716 if (user != NULL) 717 debug3("match %sfound", result ? "" : "not "); 718 *condition = cp; 719 return result; 720 } 721 722 #define WHITESPACE " \t\r\n" 723 724 int 725 process_server_config_line(ServerOptions *options, char *line, 726 const char *filename, int linenum, int *activep, const char *user, 727 const char *host, const char *address) 728 { 729 char *cp, **charptr, *arg, *p; 730 int cmdline = 0, *intptr, value, n; 731 ServerOpCodes opcode; 732 u_int i, flags = 0; 733 size_t len; 734 735 cp = line; 736 arg = strdelim(&cp); 737 /* Ignore leading whitespace */ 738 if (*arg == '\0') 739 arg = strdelim(&cp); 740 if (!arg || !*arg || *arg == '#') 741 return 0; 742 intptr = NULL; 743 charptr = NULL; 744 opcode = parse_token(arg, filename, linenum, &flags); 745 746 if (activep == NULL) { /* We are processing a command line directive */ 747 cmdline = 1; 748 activep = &cmdline; 749 } 750 if (*activep && opcode != sMatch) 751 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 752 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 753 if (user == NULL) { 754 fatal("%s line %d: Directive '%s' is not allowed " 755 "within a Match block", filename, linenum, arg); 756 } else { /* this is a directive we have already processed */ 757 while (arg) 758 arg = strdelim(&cp); 759 return 0; 760 } 761 } 762 763 switch (opcode) { 764 /* Portable-specific options */ 765 case sPAMAuthenticationViaKbdInt: 766 intptr = &options->pam_authentication_via_kbd_int; 767 goto parse_flag; 768 769 /* Standard Options */ 770 case sBadOption: 771 return -1; 772 case sPort: 773 /* ignore ports from configfile if cmdline specifies ports */ 774 if (options->ports_from_cmdline) 775 return 0; 776 if (options->listen_addrs != NULL) 777 fatal("%s line %d: ports must be specified before " 778 "ListenAddress.", filename, linenum); 779 if (options->num_ports >= MAX_PORTS) 780 fatal("%s line %d: too many ports.", 781 filename, linenum); 782 arg = strdelim(&cp); 783 if (!arg || *arg == '\0') 784 fatal("%s line %d: missing port number.", 785 filename, linenum); 786 options->ports[options->num_ports++] = a2port(arg); 787 if (options->ports[options->num_ports-1] == 0) 788 fatal("%s line %d: Badly formatted port number.", 789 filename, linenum); 790 break; 791 792 case sServerKeyBits: 793 intptr = &options->server_key_bits; 794 parse_int: 795 arg = strdelim(&cp); 796 if (!arg || *arg == '\0') 797 fatal("%s line %d: missing integer value.", 798 filename, linenum); 799 value = atoi(arg); 800 if (*activep && *intptr == -1) 801 *intptr = value; 802 break; 803 804 case sLoginGraceTime: 805 intptr = &options->login_grace_time; 806 parse_time: 807 arg = strdelim(&cp); 808 if (!arg || *arg == '\0') 809 fatal("%s line %d: missing time value.", 810 filename, linenum); 811 if ((value = convtime(arg)) == -1) 812 fatal("%s line %d: invalid time value.", 813 filename, linenum); 814 if (*intptr == -1) 815 *intptr = value; 816 break; 817 818 case sKeyRegenerationTime: 819 intptr = &options->key_regeneration_time; 820 goto parse_time; 821 822 case sListenAddress: 823 arg = strdelim(&cp); 824 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 825 fatal("%s line %d: missing inet addr.", 826 filename, linenum); 827 if (*arg == '[') { 828 if ((p = strchr(arg, ']')) == NULL) 829 fatal("%s line %d: bad ipv6 inet addr usage.", 830 filename, linenum); 831 arg++; 832 (void) memmove(p, p+1, strlen(p+1)+1); 833 } else if (((p = strchr(arg, ':')) == NULL) || 834 (strchr(p+1, ':') != NULL)) { 835 add_listen_addr(options, arg, 0); 836 break; 837 } 838 if (*p == ':') { 839 u_short port; 840 841 p++; 842 if (*p == '\0') 843 fatal("%s line %d: bad inet addr:port usage.", 844 filename, linenum); 845 else { 846 *(p-1) = '\0'; 847 if ((port = a2port(p)) == 0) 848 fatal("%s line %d: bad port number.", 849 filename, linenum); 850 add_listen_addr(options, arg, port); 851 } 852 } else if (*p == '\0') 853 add_listen_addr(options, arg, 0); 854 else 855 fatal("%s line %d: bad inet addr usage.", 856 filename, linenum); 857 break; 858 859 case sHostKeyFile: 860 intptr = &options->num_host_key_files; 861 if (*intptr >= MAX_HOSTKEYS) 862 fatal("%s line %d: too many host keys specified (max %d).", 863 filename, linenum, MAX_HOSTKEYS); 864 charptr = &options->host_key_files[*intptr]; 865 parse_filename: 866 arg = strdelim(&cp); 867 if (!arg || *arg == '\0') 868 fatal("%s line %d: missing file name.", 869 filename, linenum); 870 if (*activep && *charptr == NULL) { 871 *charptr = tilde_expand_filename(arg, getuid()); 872 /* increase optional counter */ 873 if (intptr != NULL) 874 *intptr = *intptr + 1; 875 } 876 break; 877 878 case sPidFile: 879 charptr = &options->pid_file; 880 goto parse_filename; 881 882 case sPermitRootLogin: 883 intptr = &options->permit_root_login; 884 arg = strdelim(&cp); 885 if (!arg || *arg == '\0') 886 fatal("%s line %d: missing yes/" 887 "without-password/forced-commands-only/no " 888 "argument.", filename, linenum); 889 value = 0; /* silence compiler */ 890 if (strcmp(arg, "without-password") == 0) 891 value = PERMIT_NO_PASSWD; 892 else if (strcmp(arg, "forced-commands-only") == 0) 893 value = PERMIT_FORCED_ONLY; 894 else if (strcmp(arg, "yes") == 0) 895 value = PERMIT_YES; 896 else if (strcmp(arg, "no") == 0) 897 value = PERMIT_NO; 898 else 899 fatal("%s line %d: Bad yes/" 900 "without-password/forced-commands-only/no " 901 "argument: %s", filename, linenum, arg); 902 if (*activep && *intptr == -1) 903 *intptr = value; 904 break; 905 906 case sIgnoreRhosts: 907 intptr = &options->ignore_rhosts; 908 parse_flag: 909 arg = strdelim(&cp); 910 if (!arg || *arg == '\0') 911 fatal("%s line %d: missing yes/no argument.", 912 filename, linenum); 913 value = 0; /* silence compiler */ 914 if (strcmp(arg, "yes") == 0) 915 value = 1; 916 else if (strcmp(arg, "no") == 0) 917 value = 0; 918 else 919 fatal("%s line %d: Bad yes/no argument: %s", 920 filename, linenum, arg); 921 if (*activep && *intptr == -1) 922 *intptr = value; 923 break; 924 925 case sIgnoreUserKnownHosts: 926 intptr = &options->ignore_user_known_hosts; 927 goto parse_flag; 928 929 case sRhostsAuthentication: 930 intptr = &options->rhosts_authentication; 931 goto parse_flag; 932 933 case sRhostsRSAAuthentication: 934 intptr = &options->rhosts_rsa_authentication; 935 goto parse_flag; 936 937 case sHostbasedAuthentication: 938 intptr = &options->hostbased_authentication; 939 goto parse_flag; 940 941 case sHostbasedUsesNameFromPacketOnly: 942 intptr = &options->hostbased_uses_name_from_packet_only; 943 goto parse_flag; 944 945 case sRSAAuthentication: 946 intptr = &options->rsa_authentication; 947 goto parse_flag; 948 949 case sPubkeyAuthentication: 950 intptr = &options->pubkey_authentication; 951 goto parse_flag; 952 #ifdef GSSAPI 953 case sGssAuthentication: 954 intptr = &options->gss_authentication; 955 goto parse_flag; 956 case sGssKeyEx: 957 intptr = &options->gss_keyex; 958 goto parse_flag; 959 case sGssStoreDelegCreds: 960 intptr = &options->gss_keyex; 961 goto parse_flag; 962 #ifndef SUNW_GSSAPI 963 case sGssUseSessionCredCache: 964 intptr = &options->gss_use_session_ccache; 965 goto parse_flag; 966 case sGssCleanupCreds: 967 intptr = &options->gss_cleanup_creds; 968 goto parse_flag; 969 #endif /* SUNW_GSSAPI */ 970 #endif /* GSSAPI */ 971 #if defined(KRB4) || defined(KRB5) 972 case sKerberosAuthentication: 973 intptr = &options->kerberos_authentication; 974 goto parse_flag; 975 976 case sKerberosOrLocalPasswd: 977 intptr = &options->kerberos_or_local_passwd; 978 goto parse_flag; 979 980 case sKerberosTicketCleanup: 981 intptr = &options->kerberos_ticket_cleanup; 982 goto parse_flag; 983 #endif 984 #if defined(AFS) || defined(KRB5) 985 case sKerberosTgtPassing: 986 intptr = &options->kerberos_tgt_passing; 987 goto parse_flag; 988 #endif 989 #ifdef AFS 990 case sAFSTokenPassing: 991 intptr = &options->afs_token_passing; 992 goto parse_flag; 993 #endif 994 995 case sPasswordAuthentication: 996 intptr = &options->password_authentication; 997 goto parse_flag; 998 999 case sKbdInteractiveAuthentication: 1000 intptr = &options->kbd_interactive_authentication; 1001 goto parse_flag; 1002 1003 case sChallengeResponseAuthentication: 1004 intptr = &options->challenge_response_authentication; 1005 goto parse_flag; 1006 1007 case sPrintMotd: 1008 intptr = &options->print_motd; 1009 goto parse_flag; 1010 1011 case sPrintLastLog: 1012 intptr = &options->print_lastlog; 1013 goto parse_flag; 1014 1015 case sX11Forwarding: 1016 intptr = &options->x11_forwarding; 1017 goto parse_flag; 1018 1019 case sX11DisplayOffset: 1020 intptr = &options->x11_display_offset; 1021 goto parse_int; 1022 1023 case sX11UseLocalhost: 1024 intptr = &options->x11_use_localhost; 1025 goto parse_flag; 1026 1027 case sXAuthLocation: 1028 charptr = &options->xauth_location; 1029 goto parse_filename; 1030 1031 case sStrictModes: 1032 intptr = &options->strict_modes; 1033 goto parse_flag; 1034 1035 case sKeepAlives: 1036 intptr = &options->keepalives; 1037 goto parse_flag; 1038 1039 case sEmptyPasswd: 1040 intptr = &options->permit_empty_passwd; 1041 goto parse_flag; 1042 1043 case sPermitUserEnvironment: 1044 intptr = &options->permit_user_env; 1045 goto parse_flag; 1046 1047 case sUseLogin: 1048 log("%s line %d: ignoring UseLogin option value." 1049 " This option is always off.", filename, linenum); 1050 while (arg) 1051 arg = strdelim(&cp); 1052 break; 1053 1054 case sCompression: 1055 intptr = &options->compression; 1056 goto parse_flag; 1057 1058 case sGatewayPorts: 1059 intptr = &options->gateway_ports; 1060 arg = strdelim(&cp); 1061 if (!arg || *arg == '\0') 1062 fatal("%s line %d: missing yes/no/clientspecified " 1063 "argument.", filename, linenum); 1064 value = 0; /* silence compiler */ 1065 if (strcmp(arg, "clientspecified") == 0) 1066 value = 2; 1067 else if (strcmp(arg, "yes") == 0) 1068 value = 1; 1069 else if (strcmp(arg, "no") == 0) 1070 value = 0; 1071 else 1072 fatal("%s line %d: Bad yes/no/clientspecified " 1073 "argument: %s", filename, linenum, arg); 1074 if (*activep && *intptr == -1) 1075 *intptr = value; 1076 break; 1077 1078 case sVerifyReverseMapping: 1079 intptr = &options->verify_reverse_mapping; 1080 goto parse_flag; 1081 1082 case sLogFacility: 1083 intptr = (int *) &options->log_facility; 1084 arg = strdelim(&cp); 1085 value = log_facility_number(arg); 1086 if (value == SYSLOG_FACILITY_NOT_SET) 1087 fatal("%.200s line %d: unsupported log facility '%s'", 1088 filename, linenum, arg ? arg : "<NONE>"); 1089 if (*intptr == -1) 1090 *intptr = (SyslogFacility) value; 1091 break; 1092 1093 case sLogLevel: 1094 intptr = (int *) &options->log_level; 1095 arg = strdelim(&cp); 1096 value = log_level_number(arg); 1097 if (value == SYSLOG_LEVEL_NOT_SET) 1098 fatal("%.200s line %d: unsupported log level '%s'", 1099 filename, linenum, arg ? arg : "<NONE>"); 1100 if (*intptr == -1) 1101 *intptr = (LogLevel) value; 1102 break; 1103 1104 case sAllowTcpForwarding: 1105 intptr = &options->allow_tcp_forwarding; 1106 goto parse_flag; 1107 1108 case sUsePrivilegeSeparation: 1109 log("%s line %d: ignoring UsePrivilegeSeparation option value." 1110 " This option is always on.", filename, linenum); 1111 while (arg) 1112 arg = strdelim(&cp); 1113 break; 1114 1115 case sAllowUsers: 1116 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1117 if (options->num_allow_users >= MAX_ALLOW_USERS) 1118 fatal("%s line %d: too many allow users.", 1119 filename, linenum); 1120 options->allow_users[options->num_allow_users++] = 1121 xstrdup(arg); 1122 } 1123 break; 1124 1125 case sDenyUsers: 1126 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1127 if (options->num_deny_users >= MAX_DENY_USERS) 1128 fatal( "%s line %d: too many deny users.", 1129 filename, linenum); 1130 options->deny_users[options->num_deny_users++] = 1131 xstrdup(arg); 1132 } 1133 break; 1134 1135 case sAllowGroups: 1136 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1137 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1138 fatal("%s line %d: too many allow groups.", 1139 filename, linenum); 1140 options->allow_groups[options->num_allow_groups++] = 1141 xstrdup(arg); 1142 } 1143 break; 1144 1145 case sDenyGroups: 1146 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1147 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1148 fatal("%s line %d: too many deny groups.", 1149 filename, linenum); 1150 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1151 } 1152 break; 1153 1154 case sCiphers: 1155 arg = strdelim(&cp); 1156 if (!arg || *arg == '\0') 1157 fatal("%s line %d: Missing argument.", filename, linenum); 1158 if (!ciphers_valid(arg)) 1159 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1160 filename, linenum, arg ? arg : "<NONE>"); 1161 if (options->ciphers == NULL) 1162 options->ciphers = xstrdup(arg); 1163 break; 1164 1165 case sMacs: 1166 arg = strdelim(&cp); 1167 if (!arg || *arg == '\0') 1168 fatal("%s line %d: Missing argument.", filename, linenum); 1169 if (!mac_valid(arg)) 1170 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1171 filename, linenum, arg ? arg : "<NONE>"); 1172 if (options->macs == NULL) 1173 options->macs = xstrdup(arg); 1174 break; 1175 1176 case sProtocol: 1177 intptr = &options->protocol; 1178 arg = strdelim(&cp); 1179 if (!arg || *arg == '\0') 1180 fatal("%s line %d: Missing argument.", filename, linenum); 1181 value = proto_spec(arg); 1182 if (value == SSH_PROTO_UNKNOWN) 1183 fatal("%s line %d: Bad protocol spec '%s'.", 1184 filename, linenum, arg ? arg : "<NONE>"); 1185 if (*intptr == SSH_PROTO_UNKNOWN) 1186 *intptr = value; 1187 break; 1188 1189 case sSubsystem: 1190 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1191 fatal("%s line %d: too many subsystems defined.", 1192 filename, linenum); 1193 } 1194 arg = strdelim(&cp); 1195 if (!arg || *arg == '\0') 1196 fatal("%s line %d: Missing subsystem name.", 1197 filename, linenum); 1198 if (!*activep) { 1199 arg = strdelim(&cp); 1200 break; 1201 } 1202 for (i = 0; i < options->num_subsystems; i++) 1203 if (strcmp(arg, options->subsystem_name[i]) == 0) 1204 fatal("%s line %d: Subsystem '%s' already defined.", 1205 filename, linenum, arg); 1206 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1207 arg = strdelim(&cp); 1208 if (!arg || *arg == '\0') 1209 fatal("%s line %d: Missing subsystem command.", 1210 filename, linenum); 1211 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1212 1213 /* 1214 * Collect arguments (separate to executable), including the 1215 * name of the executable, in a way that is easier to parse 1216 * later. 1217 */ 1218 p = xstrdup(arg); 1219 len = strlen(p) + 1; 1220 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1221 len += 1 + strlen(arg); 1222 p = xrealloc(p, len); 1223 strlcat(p, " ", len); 1224 strlcat(p, arg, len); 1225 } 1226 options->subsystem_args[options->num_subsystems] = p; 1227 options->num_subsystems++; 1228 break; 1229 1230 case sMaxStartups: 1231 arg = strdelim(&cp); 1232 if (!arg || *arg == '\0') 1233 fatal("%s line %d: Missing MaxStartups spec.", 1234 filename, linenum); 1235 if ((n = sscanf(arg, "%d:%d:%d", 1236 &options->max_startups_begin, 1237 &options->max_startups_rate, 1238 &options->max_startups)) == 3) { 1239 if (options->max_startups_begin > 1240 options->max_startups || 1241 options->max_startups_rate > 100 || 1242 options->max_startups_rate < 1) 1243 fatal("%s line %d: Illegal MaxStartups spec.", 1244 filename, linenum); 1245 } else if (n != 1) 1246 fatal("%s line %d: Illegal MaxStartups spec.", 1247 filename, linenum); 1248 else 1249 options->max_startups = options->max_startups_begin; 1250 break; 1251 1252 case sBanner: 1253 charptr = &options->banner; 1254 goto parse_filename; 1255 /* 1256 * These options can contain %X options expanded at 1257 * connect time, so that you can specify paths like: 1258 * 1259 * AuthorizedKeysFile /etc/ssh_keys/%u 1260 */ 1261 case sAuthorizedKeysFile: 1262 case sAuthorizedKeysFile2: 1263 charptr = (opcode == sAuthorizedKeysFile) ? 1264 &options->authorized_keys_file : 1265 &options->authorized_keys_file2; 1266 goto parse_filename; 1267 1268 case sClientAliveInterval: 1269 intptr = &options->client_alive_interval; 1270 goto parse_time; 1271 1272 case sClientAliveCountMax: 1273 intptr = &options->client_alive_count_max; 1274 goto parse_int; 1275 1276 case sMaxAuthTries: 1277 intptr = &options->max_auth_tries; 1278 goto parse_int; 1279 1280 case sMaxAuthTriesLog: 1281 intptr = &options->max_auth_tries_log; 1282 goto parse_int; 1283 1284 case sLookupClientHostnames: 1285 intptr = &options->lookup_client_hostnames; 1286 goto parse_flag; 1287 1288 case sUseOpenSSLEngine: 1289 intptr = &options->use_openssl_engine; 1290 goto parse_flag; 1291 1292 case sChrootDirectory: 1293 charptr = &options->chroot_directory; 1294 1295 arg = strdelim(&cp); 1296 if (arg == NULL || *arg == '\0') 1297 fatal("%s line %d: missing directory name for " 1298 "ChrootDirectory.", filename, linenum); 1299 if (*activep && *charptr == NULL) 1300 *charptr = xstrdup(arg); 1301 break; 1302 1303 case sPreUserauthHook: 1304 charptr = &options->pre_userauth_hook; 1305 goto parse_filename; 1306 1307 case sMatch: 1308 if (cmdline) 1309 fatal("Match directive not supported as a command-line " 1310 "option"); 1311 value = match_cfg_line(&cp, linenum, user, host, address); 1312 if (value < 0) 1313 fatal("%s line %d: Bad Match condition", filename, 1314 linenum); 1315 *activep = value; 1316 break; 1317 1318 case sDeprecated: 1319 log("%s line %d: Deprecated option %s", 1320 filename, linenum, arg); 1321 while (arg) 1322 arg = strdelim(&cp); 1323 break; 1324 1325 default: 1326 fatal("%s line %d: Missing handler for opcode %s (%d)", 1327 filename, linenum, arg, opcode); 1328 } 1329 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1330 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1331 filename, linenum, arg); 1332 return 0; 1333 } 1334 1335 1336 /* Reads the server configuration file. */ 1337 1338 void 1339 load_server_config(const char *filename, Buffer *conf) 1340 { 1341 char line[1024], *cp; 1342 FILE *f; 1343 1344 debug2("%s: filename %s", __func__, filename); 1345 if ((f = fopen(filename, "r")) == NULL) { 1346 perror(filename); 1347 exit(1); 1348 } 1349 buffer_clear(conf); 1350 while (fgets(line, sizeof(line), f)) { 1351 /* 1352 * Trim out comments and strip whitespace 1353 * NB - preserve newlines, they are needed to reproduce 1354 * line numbers later for error messages 1355 */ 1356 if ((cp = strchr(line, '#')) != NULL) 1357 memcpy(cp, "\n", 2); 1358 cp = line + strspn(line, " \t\r"); 1359 1360 buffer_append(conf, cp, strlen(cp)); 1361 } 1362 buffer_append(conf, "\0", 1); 1363 fclose(f); 1364 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1365 } 1366 1367 void 1368 parse_server_match_config(ServerOptions *options, const char *user, 1369 const char *host, const char *address) 1370 { 1371 ServerOptions mo; 1372 1373 initialize_server_options(&mo); 1374 parse_server_config(&mo, "reprocess config", &cfg, user, host, address); 1375 copy_set_server_options(options, &mo, 0); 1376 } 1377 1378 1379 1380 /* Helper macros */ 1381 #define M_CP_INTOPT(n) do {\ 1382 if (src->n != -1) \ 1383 dst->n = src->n; \ 1384 } while (0) 1385 #define M_CP_STROPT(n) do {\ 1386 if (src->n != NULL) { \ 1387 if (dst->n != NULL) \ 1388 xfree(dst->n); \ 1389 dst->n = src->n; \ 1390 } \ 1391 } while(0) 1392 1393 /* 1394 * Copy any supported values that are set. 1395 * 1396 * If the preauth flag is set, we do not bother copying the the string or 1397 * array values that are not used pre-authentication, because any that we 1398 * do use must be explictly sent in mm_getpwnamallow(). 1399 */ 1400 void 1401 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1402 { 1403 M_CP_INTOPT(password_authentication); 1404 M_CP_INTOPT(gss_authentication); 1405 M_CP_INTOPT(rsa_authentication); 1406 M_CP_INTOPT(pubkey_authentication); 1407 M_CP_INTOPT(hostbased_authentication); 1408 M_CP_INTOPT(kbd_interactive_authentication); 1409 M_CP_INTOPT(permit_root_login); 1410 M_CP_INTOPT(permit_empty_passwd); 1411 M_CP_INTOPT(allow_tcp_forwarding); 1412 M_CP_INTOPT(gateway_ports); 1413 M_CP_INTOPT(x11_display_offset); 1414 M_CP_INTOPT(x11_forwarding); 1415 M_CP_INTOPT(x11_use_localhost); 1416 M_CP_INTOPT(max_auth_tries); 1417 M_CP_STROPT(banner); 1418 1419 if (preauth) 1420 return; 1421 M_CP_STROPT(chroot_directory); 1422 } 1423 1424 #undef M_CP_INTOPT 1425 #undef M_CP_STROPT 1426 1427 void 1428 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1429 const char *user, const char *host, const char *address) 1430 { 1431 int active, linenum, bad_options = 0; 1432 char *cp, *obuf, *cbuf; 1433 1434 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1435 1436 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1437 active = user ? 0 : 1; 1438 linenum = 1; 1439 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1440 if (process_server_config_line(options, cp, filename, 1441 linenum++, &active, user, host, address) != 0) 1442 bad_options++; 1443 } 1444 xfree(obuf); 1445 if (bad_options > 0) 1446 fatal("%s: terminating, %d bad configuration options", 1447 filename, bad_options); 1448 } 1449 1450 1451 /* 1452 * Note that "none" is a special path having the same affect on sshd 1453 * configuration as not specifying ChrootDirectory at all. 1454 */ 1455 int 1456 chroot_requested(char *chroot_directory) 1457 { 1458 return (chroot_directory != NULL && 1459 strcasecmp(chroot_directory, "none") != 0); 1460 } 1461