1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 13 */ 14 15 #include "includes.h" 16 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 17 18 #ifdef HAVE_DEFOPEN 19 #include <deflt.h> 20 #endif /* HAVE_DEFOPEN */ 21 22 #if defined(KRB4) 23 #include <krb.h> 24 #endif 25 #if defined(KRB5) 26 #ifdef HEIMDAL 27 #include <krb.h> 28 #else 29 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 30 * keytab */ 31 #define KEYFILE "/etc/krb5.keytab" 32 #endif 33 #endif 34 #ifdef AFS 35 #include <kafs.h> 36 #endif 37 38 #include "ssh.h" 39 #include "log.h" 40 #include "buffer.h" 41 #include "servconf.h" 42 #include "xmalloc.h" 43 #include "compat.h" 44 #include "pathnames.h" 45 #include "tildexpand.h" 46 #include "misc.h" 47 #include "cipher.h" 48 #include "kex.h" 49 #include "mac.h" 50 #include "auth.h" 51 #include "match.h" 52 #include "groupaccess.h" 53 54 static void add_listen_addr(ServerOptions *, char *, u_short); 55 static void add_one_listen_addr(ServerOptions *, char *, u_short); 56 57 extern Buffer cfg; 58 59 /* AF_UNSPEC or AF_INET or AF_INET6 */ 60 extern int IPv4or6; 61 62 /* 63 * Initializes the server options to their initial (unset) values. Some of those 64 * that stay unset after the command line options and configuration files are 65 * read are set to their default values in fill_default_server_options(). 
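*/
void
initialize_server_options(ServerOptions *options)
{
	(void) memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/*
	 * Standard Options.  -1, NULL and the *_NOT_SET / SSH_PROTO_UNKNOWN
	 * sentinels all mean "not configured yet"; counters start at 0.
	 */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#ifdef GSSAPI
	options->gss_authentication = -1;
	options->gss_keyex = -1;
	options->gss_store_creds = -1;
	options->gss_use_session_ccache = -1;
	options->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	options->max_auth_tries = -1;
	options->max_auth_tries_log = -1;

	options->max_init_auth_tries = -1;
	options->max_init_auth_tries_log = -1;

	options->lookup_client_hostnames = -1;
	options->use_openssl_engine = -1;
	options->chroot_directory = NULL;
	options->pre_userauth_hook = NULL;
	options->pam_service_name = NULL;
	options->pam_service_prefix = NULL;
}

#ifdef HAVE_DEFOPEN
/*
 * Parses one numeric value read from /etc/default/login.
 *
 * key is the name of the keyword (for the log message only), val the string
 * defread() returned for it.  On success the non-negative int is stored in
 * *out and 1 is returned.  Empty, non-numeric, negative or out-of-range
 * values are logged and rejected with 0, leaving *out untouched so the caller
 * can fall back to the compiled-in default.  This replaces atoi(), which
 * silently turned any such garbage into 0 - and 0 is a live value for these
 * options (for LoginGraceTime sshd treats 0 as "no timeout").
 */
static int
deflt_parse_nonneg_int(const char *key, const char *val, int *out)
{
	char *end;
	long v;

	if (val == NULL || *val == '\0')
		goto bad;
	errno = 0;
	v = strtol(val, &end, 10);
	if (end == val || errno == ERANGE || v < 0 || v > INT_MAX)
		goto bad;
	/* tolerate trailing whitespace, nothing else */
	while (isspace((unsigned char)*end))
		end++;
	if (*end != '\0')
		goto bad;
	*out = (int)v;
	return 1;

bad:
	error("%s: ignoring invalid %s value: %.100s",
	    _PATH_DEFAULT_LOGIN, key, val ? val : "(null)");
	return 0;
}

/*
 * Reads /etc/default/login and defaults several ServerOptions:
 *
 *	PermitRootLogin
 *	PermitEmptyPasswords
 *	LoginGraceTime
 *	MaxAuthTries / MaxAuthTriesLog (initial-auth variants)
 *
 * CONSOLE=*	-> PermitRootLogin=without-password
 * #CONSOLE=*	-> PermitRootLogin=yes
 *
 * PASSREQ=YES	-> PermitEmptyPasswords=no
 * PASSREQ=NO	-> PermitEmptyPasswords=yes
 * #PASSREQ=*	-> PermitEmptyPasswords=no
 *
 * RETRIES=<n>			-> max_init_auth_tries=<n>
 * SYSLOG_FAILED_LOGINS=<n>	-> max_init_auth_tries_log=<n>
 *
 * TIMEOUT=<secs>	-> LoginGraceTime=<secs>
 * #TIMEOUT=<secs>	-> LoginGraceTime=300
 *
 * A value that is present but not a valid non-negative integer is treated
 * like an absent one (logged, then the default applies).  Only options that
 * are still unset are touched, so sshd_config and the command line win.
 */
static
void
deflt_fill_default_server_options(ServerOptions *options)
{
	int flags;
	char *ptr;

	if (defopen(_PATH_DEFAULT_LOGIN))
		return;

	/* Ignore case */
	flags = defcntl(DC_GETFLAGS, 0);
	TURNOFF(flags, DC_CASE);
	(void) defcntl(DC_SETFLAGS, flags);

	/* Presence of CONSOLE= is what matters; its value is not inspected. */
	if (options->permit_root_login == PERMIT_NOT_SET &&
	    defread("CONSOLE=") != NULL)
		options->permit_root_login = PERMIT_NO_PASSWD;

	if (options->permit_empty_passwd == -1 &&
	    (ptr = defread("PASSREQ=")) != NULL) {
		if (strcasecmp("YES", ptr) == 0)
			options->permit_empty_passwd = 0;
		else if (strcasecmp("NO", ptr) == 0)
			options->permit_empty_passwd = 1;
		/* any other value leaves the option unset (-> default "no") */
	}

	if (options->max_init_auth_tries == -1 &&
	    (ptr = defread("RETRIES=")) != NULL)
		(void) deflt_parse_nonneg_int("RETRIES", ptr,
		    &options->max_init_auth_tries);

	if (options->max_init_auth_tries_log == -1 &&
	    (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL)
		(void) deflt_parse_nonneg_int("SYSLOG_FAILED_LOGINS", ptr,
		    &options->max_init_auth_tries_log);

	/* No usable TIMEOUT (absent or invalid) means the documented 300s. */
	if (options->login_grace_time == -1) {
		if ((ptr = defread("TIMEOUT=")) == NULL ||
		    !deflt_parse_nonneg_int("TIMEOUT", ptr,
		    &options->login_grace_time))
			options->login_grace_time = 300;
	}

	(void) defopen((char *)NULL);
}
#endif /* HAVE_DEFOPEN */

/*
 * Supplies compiled-in defaults for every option still at its "unset"
 * sentinel after the command line and sshd_config have been processed.
 * On HAVE_DEFOPEN builds /etc/default/login is consulted first.  Note the
 * security-relevant defaults: PermitRootLogin=yes, PasswordAuthentication=yes,
 * X11Forwarding=yes, AllowTcpForwarding=yes, PermitEmptyPasswords=no.
 */
void
fill_default_server_options(ServerOptions *options)
{

#ifdef HAVE_DEFOPEN
	deflt_fill_default_server_options(options);
#endif /* HAVE_DEFOPEN */

	/* Portable-specific options */
	if (options->pam_authentication_via_kbd_int == -1)
		options->pam_authentication_via_kbd_int = 0;

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
#ifndef GSSAPI
		/*
		 * With GSS keyex we can run v2 w/ no host keys, so on GSSAPI
		 * builds no protocol-2 host key is defaulted at all; an
		 * explicit HostKey is then needed for non-GSS key exchange.
		 */
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
#endif /* GSSAPI */
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 1;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#ifdef GSSAPI
	if (options->gss_authentication == -1)
		options->gss_authentication = 1;
	if (options->gss_keyex == -1)
		options->gss_keyex = 1;
	if (options->gss_store_creds == -1)
		options->gss_store_creds = 1;
	if (options->gss_use_session_ccache == -1)
		options->gss_use_session_ccache = 1;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
#endif
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* The *_log thresholds default to half the corresponding limit. */
	if (options->max_auth_tries == -1)
		options->max_auth_tries = AUTH_FAIL_MAX;
	if (options->max_auth_tries_log == -1)
		options->max_auth_tries_log = options->max_auth_tries / 2;

	if (options->max_init_auth_tries == -1)
		options->max_init_auth_tries = AUTH_FAIL_MAX;
	if (options->max_init_auth_tries_log == -1)
		options->max_init_auth_tries_log = options->max_init_auth_tries / 2;

	if (options->lookup_client_hostnames == -1)
		options->lookup_client_hostnames = 1;
	if (options->use_openssl_engine == -1)
		options->use_openssl_engine = 1;
	if (options->pam_service_prefix == NULL)
		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
	/*
	 * pam_service_name has no compiled-in default: it stays NULL unless
	 * PAMServiceName was given (the old "NULL = NULL" assignment was a
	 * no-op).
	 */
}

/* Keyword tokens.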
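*/
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef GSSAPI
	sGssAuthentication, sGssKeyEx,
	/*
	 * NOTE(review): the sGssStoreDelegCreds case in
	 * process_server_config_line() below stores its yes/no value into
	 * options->gss_keyex rather than options->gss_store_creds, so the
	 * GSSAPIStoreDelegatedCredentials directive appears not to take
	 * effect (and clobbers GSSAPIKeyExchange) - confirm and fix in the
	 * parser.
	 */
	sGssStoreDelegCreds,
	sGssUseSessionCredCache, sGssCleanupCreds,
#endif /* GSSAPI */
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
	sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
	sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
	sDeprecated
} ServerOpCodes;

/*
 * Where a keyword may appear.  process_server_config_line() only tests the
 * SSHCFG_MATCH bit: a keyword without it is fatal inside a Match block on
 * the first (syntax) pass and skipped on the second pass.  Every entry in
 * keywords[] must therefore carry an explicit value; 0 would behave like
 * SSHCFG_GLOBAL by accident rather than by design.
 */
#define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
#define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)

/*
 * Textual representation of the tokens.  Names are matched
 * case-insensitively by parse_token(); the list ends with a NULL name.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
	{ "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	/*
	 * Previously listed with no flags (0).  SSHCFG_GLOBAL is what the
	 * parser's SSHCFG_MATCH-only test already gave it, so this is the
	 * same behaviour made explicit.
	 */
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
	{ "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL },
	{ "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL },	/* alias */
	{ "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL },			/* alias */
	{ "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL },	/* alias */
#ifndef SUNW_GSSAPI
	{ "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
	{ "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
	{ "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
#endif /* SUNW_GSSAPI */
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL },
#endif
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "keepalive", sKeepAlives, SSHCFG_GLOBAL },
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sVerifyReverseMapping, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL },
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
	{ "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL },
	{ "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ "preuserauthhook", sPreUserauthHook, SSHCFG_ALL },
	{ "match", sMatch, SSHCFG_ALL },
	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },

	{ NULL, sBadOption, 0 }
};

/*
 * Returns the number of the token pointed to by cp or sBadOption.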
 * On success the keyword's SSHCFG_* flags are stored in *flags; on failure
 * *flags is left untouched and the bad option is logged with its location.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum, u_int *flags)
{
	size_t idx = 0;

	/* keywords[] is NULL-name terminated; case-insensitive lookup */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			break;
		idx++;
	}
	if (keywords[idx].name == NULL) {
		error("%s: line %d: Bad configuration option: %s",
		    filename, linenum, cp);
		return sBadOption;
	}
	*flags = keywords[idx].flags;
	return keywords[idx].opcode;
}

/*
 * Adds listening address(es) for addr (NULL = wildcard).  With port == 0 the
 * address is added once for every configured Port (the default port being
 * filled in first if none was configured yet); otherwise only for port.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}

/*
 * Resolves addr:port (addr NULL -> passive/wildcard, family per IPv4or6) and
 * prepends the resulting addrinfo chain to options->listen_addrs.  The chain
 * is kept, not freed: listen_addrs owns it.  Resolution failure is fatal.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *tail, *resolved;
	char portstr[NI_MAXSERV];
	int gaierr;

	(void) memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	(void) snprintf(portstr, sizeof portstr, "%u", port);
	gaierr = getaddrinfo(addr, portstr, &hints, &resolved);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));
	/* find the last element of the new chain and hook the old list on */
	tail = resolved;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = resolved;
}

/*
 * The strategy for the Match blocks is that the config file is parsed twice.
 *
 * The first time is at startup.  activep is initialized to 1 and the
 * directives in the global context are processed and acted on.  Hitting a
 * Match directive unsets activep and the directives inside the block are
 * checked for syntax only.
 *
 * The second time is after a connection has been established but before
 * authentication.  activep is initialized to 2 and global config directives
 * are ignored since they have already been processed.  If the criteria in a
 * Match block are met, activep is set and the subsequent directives
 * processed and actioned until EOF or another Match block unsets it.  Any
 * options set are copied into the main server config.
 *
 * Potential additions/improvements:
 *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
 *
 *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
 *	Match Address 192.168.0.*
 *		Tag trusted
 *	Match Group wheel
 *		Tag trusted
 *	Match Tag trusted
 *		AllowTcpForwarding yes
 *		GatewayPorts clientspecified
 *		[...]
 *
 *  - Add a PermittedChannelRequests directive
 *	Match Group shell
 *		PermittedChannelRequests session,forwarded-tcpip
 */

/*
 * Evaluates a "Match Group <grps>" criterion for user.  Returns 1 when the
 * user exists, has groups and one of them matches the pattern list, else 0
 * (including the syntax-check pass, where user is NULL).  The group-access
 * state is always released before returning.
 */
static int
match_cfg_line_group(const char *grps, int line, const char *user)
{
	int matched = 0;
	struct passwd *pw;

	if (user != NULL) {
		pw = getpwnam(user);
		if (pw == NULL) {
			debug("Can't match group at line %d because user %.100s does "
			    "not exist", line, user);
		} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
			debug("Can't Match group because user %.100s not in any group "
			    "at line %d", user, line);
		} else if (ga_match_pattern_list(grps) != 1) {
			debug("user %.100s does not match group list %.100s at line %d",
			    user, grps, line);
		} else {
			debug("user %.100s matched group list %.100s at line %d", user,
			    grps, line);
			matched = 1;
		}
	}
	/* released on every path, as the original's goto-out did */
	ga_free();
	return matched;
}

/*
 * Evaluates the attribute/argument pairs of a Match line starting at
 * *condition.  Returns 1 if every criterion matched, 0 if one did not, and
 * -1 on a syntax error (missing argument, unknown attribute or an invalid
 * Address list); *condition is only advanced on the non-error paths.
 * During the startup syntax pass user/host/address are NULL and the result
 * is 0 - the line is validated but never matches.
 * NOTE(review): the "address" criterion is handed address to
 * addr_match_list() without a NULL guard, unlike "user" and "host"; it
 * presumably copes with NULL on the syntax pass - confirm in addrmatch.c.
 */
static int
match_cfg_line(char **condition, int line, const char *user, const char *host,
    const char *address)
{
	int matched = 1;
	char *arg, *attrib, *cp = *condition;
	size_t arglen;

	if (user == NULL)
		debug3("checking syntax for 'Match %s'", cp);
	else
		debug3("checking match for '%s' user %s host %s addr %s", cp,
		    user ? user : "(null)", host ? host : "(null)",
		    address ? address : "(null)");

	for (;;) {
		attrib = strdelim(&cp);
		if (attrib == NULL || *attrib == '\0')
			break;
		arg = strdelim(&cp);
		if (arg == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			return -1;
		}
		arglen = strlen(arg);
		if (strcasecmp(attrib, "user") == 0) {
			if (user == NULL) {
				matched = 0;
			} else if (match_pattern_list(user, arg, arglen, 0) == 1) {
				debug("user %.100s matched 'User %.100s' at "
				    "line %d", user, arg, line);
			} else {
				matched = 0;
			}
		} else if (strcasecmp(attrib, "group") == 0) {
			int grc = match_cfg_line_group(arg, line, user);

			if (grc == -1)
				return -1;
			if (grc == 0)
				matched = 0;
		} else if (strcasecmp(attrib, "host") == 0) {
			if (host == NULL) {
				matched = 0;
			} else if (match_hostname(host, arg, arglen) == 1) {
				debug("connection from %.100s matched 'Host "
				    "%.100s' at line %d", host, arg, line);
			} else {
				matched = 0;
			}
		} else if (strcasecmp(attrib, "address") == 0) {
			int arc = addr_match_list(address, arg);

			if (arc == -2)
				return -1;
			if (arc == 1)
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", address, arg, line);
			else if (arc == 0 || arc == -1)
				matched = 0;
		} else {
			error("Unsupported Match attribute %s", attrib);
			return -1;
		}
	}
	if (user != NULL)
		debug3("match %sfound", matched ? "" : "not ");
	*condition = cp;
	return matched;
}

#define WHITESPACE " \t\r\n"

int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum, int *activep, const char *user,
    const char *host, const char *address)
{
	char *cp, **charptr, *arg, *p;
	int cmdline = 0, *intptr, value, n;
	ServerOpCodes opcode;
	u_int i, flags = 0;
	size_t len;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum, &flags);

	if (activep == NULL) { /* We are processing a command line directive */
		cmdline = 1;
		activep = &cmdline;
	}
	if (*activep && opcode != sMatch)
		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
		if (user == NULL) {
			fatal("%s line %d: Directive '%s' is not allowed "
			    "within a Match block", filename, linenum, arg);
		} else { /* this is a directive we have already processed */
			while (arg)
				arg = strdelim(&cp);
			return 0;
		}
	}

	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, 
linenum); 793 options->ports[options->num_ports++] = a2port(arg); 794 if (options->ports[options->num_ports-1] == 0) 795 fatal("%s line %d: Badly formatted port number.", 796 filename, linenum); 797 break; 798 799 case sServerKeyBits: 800 intptr = &options->server_key_bits; 801 parse_int: 802 arg = strdelim(&cp); 803 if (!arg || *arg == '\0') 804 fatal("%s line %d: missing integer value.", 805 filename, linenum); 806 value = atoi(arg); 807 if (*activep && *intptr == -1) 808 *intptr = value; 809 break; 810 811 case sLoginGraceTime: 812 intptr = &options->login_grace_time; 813 parse_time: 814 arg = strdelim(&cp); 815 if (!arg || *arg == '\0') 816 fatal("%s line %d: missing time value.", 817 filename, linenum); 818 if ((value = convtime(arg)) == -1) 819 fatal("%s line %d: invalid time value.", 820 filename, linenum); 821 if (*intptr == -1) 822 *intptr = value; 823 break; 824 825 case sKeyRegenerationTime: 826 intptr = &options->key_regeneration_time; 827 goto parse_time; 828 829 case sListenAddress: 830 arg = strdelim(&cp); 831 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 832 fatal("%s line %d: missing inet addr.", 833 filename, linenum); 834 if (*arg == '[') { 835 if ((p = strchr(arg, ']')) == NULL) 836 fatal("%s line %d: bad ipv6 inet addr usage.", 837 filename, linenum); 838 arg++; 839 (void) memmove(p, p+1, strlen(p+1)+1); 840 } else if (((p = strchr(arg, ':')) == NULL) || 841 (strchr(p+1, ':') != NULL)) { 842 add_listen_addr(options, arg, 0); 843 break; 844 } 845 if (*p == ':') { 846 u_short port; 847 848 p++; 849 if (*p == '\0') 850 fatal("%s line %d: bad inet addr:port usage.", 851 filename, linenum); 852 else { 853 *(p-1) = '\0'; 854 if ((port = a2port(p)) == 0) 855 fatal("%s line %d: bad port number.", 856 filename, linenum); 857 add_listen_addr(options, arg, port); 858 } 859 } else if (*p == '\0') 860 add_listen_addr(options, arg, 0); 861 else 862 fatal("%s line %d: bad inet addr usage.", 863 filename, linenum); 864 break; 865 866 case 
sHostKeyFile: 867 intptr = &options->num_host_key_files; 868 if (*intptr >= MAX_HOSTKEYS) 869 fatal("%s line %d: too many host keys specified (max %d).", 870 filename, linenum, MAX_HOSTKEYS); 871 charptr = &options->host_key_files[*intptr]; 872 parse_filename: 873 arg = strdelim(&cp); 874 if (!arg || *arg == '\0') 875 fatal("%s line %d: missing file name.", 876 filename, linenum); 877 if (*activep && *charptr == NULL) { 878 *charptr = tilde_expand_filename(arg, getuid()); 879 /* increase optional counter */ 880 if (intptr != NULL) 881 *intptr = *intptr + 1; 882 } 883 break; 884 885 case sPidFile: 886 charptr = &options->pid_file; 887 goto parse_filename; 888 889 case sPermitRootLogin: 890 intptr = &options->permit_root_login; 891 arg = strdelim(&cp); 892 if (!arg || *arg == '\0') 893 fatal("%s line %d: missing yes/" 894 "without-password/forced-commands-only/no " 895 "argument.", filename, linenum); 896 value = 0; /* silence compiler */ 897 if (strcmp(arg, "without-password") == 0) 898 value = PERMIT_NO_PASSWD; 899 else if (strcmp(arg, "forced-commands-only") == 0) 900 value = PERMIT_FORCED_ONLY; 901 else if (strcmp(arg, "yes") == 0) 902 value = PERMIT_YES; 903 else if (strcmp(arg, "no") == 0) 904 value = PERMIT_NO; 905 else 906 fatal("%s line %d: Bad yes/" 907 "without-password/forced-commands-only/no " 908 "argument: %s", filename, linenum, arg); 909 if (*activep && *intptr == -1) 910 *intptr = value; 911 break; 912 913 case sIgnoreRhosts: 914 intptr = &options->ignore_rhosts; 915 parse_flag: 916 arg = strdelim(&cp); 917 if (!arg || *arg == '\0') 918 fatal("%s line %d: missing yes/no argument.", 919 filename, linenum); 920 value = 0; /* silence compiler */ 921 if (strcmp(arg, "yes") == 0) 922 value = 1; 923 else if (strcmp(arg, "no") == 0) 924 value = 0; 925 else 926 fatal("%s line %d: Bad yes/no argument: %s", 927 filename, linenum, arg); 928 if (*activep && *intptr == -1) 929 *intptr = value; 930 break; 931 932 case sIgnoreUserKnownHosts: 933 intptr = 
&options->ignore_user_known_hosts; 934 goto parse_flag; 935 936 case sRhostsAuthentication: 937 intptr = &options->rhosts_authentication; 938 goto parse_flag; 939 940 case sRhostsRSAAuthentication: 941 intptr = &options->rhosts_rsa_authentication; 942 goto parse_flag; 943 944 case sHostbasedAuthentication: 945 intptr = &options->hostbased_authentication; 946 goto parse_flag; 947 948 case sHostbasedUsesNameFromPacketOnly: 949 intptr = &options->hostbased_uses_name_from_packet_only; 950 goto parse_flag; 951 952 case sRSAAuthentication: 953 intptr = &options->rsa_authentication; 954 goto parse_flag; 955 956 case sPubkeyAuthentication: 957 intptr = &options->pubkey_authentication; 958 goto parse_flag; 959 #ifdef GSSAPI 960 case sGssAuthentication: 961 intptr = &options->gss_authentication; 962 goto parse_flag; 963 case sGssKeyEx: 964 intptr = &options->gss_keyex; 965 goto parse_flag; 966 case sGssStoreDelegCreds: 967 intptr = &options->gss_keyex; 968 goto parse_flag; 969 #ifndef SUNW_GSSAPI 970 case sGssUseSessionCredCache: 971 intptr = &options->gss_use_session_ccache; 972 goto parse_flag; 973 case sGssCleanupCreds: 974 intptr = &options->gss_cleanup_creds; 975 goto parse_flag; 976 #endif /* SUNW_GSSAPI */ 977 #endif /* GSSAPI */ 978 #if defined(KRB4) || defined(KRB5) 979 case sKerberosAuthentication: 980 intptr = &options->kerberos_authentication; 981 goto parse_flag; 982 983 case sKerberosOrLocalPasswd: 984 intptr = &options->kerberos_or_local_passwd; 985 goto parse_flag; 986 987 case sKerberosTicketCleanup: 988 intptr = &options->kerberos_ticket_cleanup; 989 goto parse_flag; 990 #endif 991 #if defined(AFS) || defined(KRB5) 992 case sKerberosTgtPassing: 993 intptr = &options->kerberos_tgt_passing; 994 goto parse_flag; 995 #endif 996 #ifdef AFS 997 case sAFSTokenPassing: 998 intptr = &options->afs_token_passing; 999 goto parse_flag; 1000 #endif 1001 1002 case sPasswordAuthentication: 1003 intptr = &options->password_authentication; 1004 goto parse_flag; 1005 1006 
case sKbdInteractiveAuthentication: 1007 intptr = &options->kbd_interactive_authentication; 1008 goto parse_flag; 1009 1010 case sChallengeResponseAuthentication: 1011 intptr = &options->challenge_response_authentication; 1012 goto parse_flag; 1013 1014 case sPrintMotd: 1015 intptr = &options->print_motd; 1016 goto parse_flag; 1017 1018 case sPrintLastLog: 1019 intptr = &options->print_lastlog; 1020 goto parse_flag; 1021 1022 case sX11Forwarding: 1023 intptr = &options->x11_forwarding; 1024 goto parse_flag; 1025 1026 case sX11DisplayOffset: 1027 intptr = &options->x11_display_offset; 1028 goto parse_int; 1029 1030 case sX11UseLocalhost: 1031 intptr = &options->x11_use_localhost; 1032 goto parse_flag; 1033 1034 case sXAuthLocation: 1035 charptr = &options->xauth_location; 1036 goto parse_filename; 1037 1038 case sStrictModes: 1039 intptr = &options->strict_modes; 1040 goto parse_flag; 1041 1042 case sKeepAlives: 1043 intptr = &options->keepalives; 1044 goto parse_flag; 1045 1046 case sEmptyPasswd: 1047 intptr = &options->permit_empty_passwd; 1048 goto parse_flag; 1049 1050 case sPermitUserEnvironment: 1051 intptr = &options->permit_user_env; 1052 goto parse_flag; 1053 1054 case sUseLogin: 1055 log("%s line %d: ignoring UseLogin option value." 
1056 " This option is always off.", filename, linenum); 1057 while (arg) 1058 arg = strdelim(&cp); 1059 break; 1060 1061 case sCompression: 1062 intptr = &options->compression; 1063 goto parse_flag; 1064 1065 case sGatewayPorts: 1066 intptr = &options->gateway_ports; 1067 arg = strdelim(&cp); 1068 if (!arg || *arg == '\0') 1069 fatal("%s line %d: missing yes/no/clientspecified " 1070 "argument.", filename, linenum); 1071 value = 0; /* silence compiler */ 1072 if (strcmp(arg, "clientspecified") == 0) 1073 value = 2; 1074 else if (strcmp(arg, "yes") == 0) 1075 value = 1; 1076 else if (strcmp(arg, "no") == 0) 1077 value = 0; 1078 else 1079 fatal("%s line %d: Bad yes/no/clientspecified " 1080 "argument: %s", filename, linenum, arg); 1081 if (*activep && *intptr == -1) 1082 *intptr = value; 1083 break; 1084 1085 case sVerifyReverseMapping: 1086 intptr = &options->verify_reverse_mapping; 1087 goto parse_flag; 1088 1089 case sLogFacility: 1090 intptr = (int *) &options->log_facility; 1091 arg = strdelim(&cp); 1092 value = log_facility_number(arg); 1093 if (value == SYSLOG_FACILITY_NOT_SET) 1094 fatal("%.200s line %d: unsupported log facility '%s'", 1095 filename, linenum, arg ? arg : "<NONE>"); 1096 if (*intptr == -1) 1097 *intptr = (SyslogFacility) value; 1098 break; 1099 1100 case sLogLevel: 1101 intptr = (int *) &options->log_level; 1102 arg = strdelim(&cp); 1103 value = log_level_number(arg); 1104 if (value == SYSLOG_LEVEL_NOT_SET) 1105 fatal("%.200s line %d: unsupported log level '%s'", 1106 filename, linenum, arg ? arg : "<NONE>"); 1107 if (*intptr == -1) 1108 *intptr = (LogLevel) value; 1109 break; 1110 1111 case sAllowTcpForwarding: 1112 intptr = &options->allow_tcp_forwarding; 1113 goto parse_flag; 1114 1115 case sUsePrivilegeSeparation: 1116 log("%s line %d: ignoring UsePrivilegeSeparation option value." 
1117 " This option is always on.", filename, linenum); 1118 while (arg) 1119 arg = strdelim(&cp); 1120 break; 1121 1122 case sAllowUsers: 1123 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1124 if (options->num_allow_users >= MAX_ALLOW_USERS) 1125 fatal("%s line %d: too many allow users.", 1126 filename, linenum); 1127 options->allow_users[options->num_allow_users++] = 1128 xstrdup(arg); 1129 } 1130 break; 1131 1132 case sDenyUsers: 1133 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1134 if (options->num_deny_users >= MAX_DENY_USERS) 1135 fatal( "%s line %d: too many deny users.", 1136 filename, linenum); 1137 options->deny_users[options->num_deny_users++] = 1138 xstrdup(arg); 1139 } 1140 break; 1141 1142 case sAllowGroups: 1143 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1144 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1145 fatal("%s line %d: too many allow groups.", 1146 filename, linenum); 1147 options->allow_groups[options->num_allow_groups++] = 1148 xstrdup(arg); 1149 } 1150 break; 1151 1152 case sDenyGroups: 1153 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1154 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1155 fatal("%s line %d: too many deny groups.", 1156 filename, linenum); 1157 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1158 } 1159 break; 1160 1161 case sCiphers: 1162 arg = strdelim(&cp); 1163 if (!arg || *arg == '\0') 1164 fatal("%s line %d: Missing argument.", filename, linenum); 1165 if (!ciphers_valid(arg)) 1166 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1167 filename, linenum, arg ? arg : "<NONE>"); 1168 if (options->ciphers == NULL) 1169 options->ciphers = xstrdup(arg); 1170 break; 1171 1172 case sMacs: 1173 arg = strdelim(&cp); 1174 if (!arg || *arg == '\0') 1175 fatal("%s line %d: Missing argument.", filename, linenum); 1176 if (!mac_valid(arg)) 1177 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1178 filename, linenum, arg ? 
arg : "<NONE>"); 1179 if (options->macs == NULL) 1180 options->macs = xstrdup(arg); 1181 break; 1182 1183 case sProtocol: 1184 intptr = &options->protocol; 1185 arg = strdelim(&cp); 1186 if (!arg || *arg == '\0') 1187 fatal("%s line %d: Missing argument.", filename, linenum); 1188 value = proto_spec(arg); 1189 if (value == SSH_PROTO_UNKNOWN) 1190 fatal("%s line %d: Bad protocol spec '%s'.", 1191 filename, linenum, arg ? arg : "<NONE>"); 1192 if (*intptr == SSH_PROTO_UNKNOWN) 1193 *intptr = value; 1194 break; 1195 1196 case sSubsystem: 1197 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1198 fatal("%s line %d: too many subsystems defined.", 1199 filename, linenum); 1200 } 1201 arg = strdelim(&cp); 1202 if (!arg || *arg == '\0') 1203 fatal("%s line %d: Missing subsystem name.", 1204 filename, linenum); 1205 if (!*activep) { 1206 arg = strdelim(&cp); 1207 break; 1208 } 1209 for (i = 0; i < options->num_subsystems; i++) 1210 if (strcmp(arg, options->subsystem_name[i]) == 0) 1211 fatal("%s line %d: Subsystem '%s' already defined.", 1212 filename, linenum, arg); 1213 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1214 arg = strdelim(&cp); 1215 if (!arg || *arg == '\0') 1216 fatal("%s line %d: Missing subsystem command.", 1217 filename, linenum); 1218 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1219 1220 /* 1221 * Collect arguments (separate to executable), including the 1222 * name of the executable, in a way that is easier to parse 1223 * later. 
1224 */ 1225 p = xstrdup(arg); 1226 len = strlen(p) + 1; 1227 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1228 len += 1 + strlen(arg); 1229 p = xrealloc(p, len); 1230 strlcat(p, " ", len); 1231 strlcat(p, arg, len); 1232 } 1233 options->subsystem_args[options->num_subsystems] = p; 1234 options->num_subsystems++; 1235 break; 1236 1237 case sMaxStartups: 1238 arg = strdelim(&cp); 1239 if (!arg || *arg == '\0') 1240 fatal("%s line %d: Missing MaxStartups spec.", 1241 filename, linenum); 1242 if ((n = sscanf(arg, "%d:%d:%d", 1243 &options->max_startups_begin, 1244 &options->max_startups_rate, 1245 &options->max_startups)) == 3) { 1246 if (options->max_startups_begin > 1247 options->max_startups || 1248 options->max_startups_rate > 100 || 1249 options->max_startups_rate < 1) 1250 fatal("%s line %d: Illegal MaxStartups spec.", 1251 filename, linenum); 1252 } else if (n != 1) 1253 fatal("%s line %d: Illegal MaxStartups spec.", 1254 filename, linenum); 1255 else 1256 options->max_startups = options->max_startups_begin; 1257 break; 1258 1259 case sBanner: 1260 charptr = &options->banner; 1261 goto parse_filename; 1262 /* 1263 * These options can contain %X options expanded at 1264 * connect time, so that you can specify paths like: 1265 * 1266 * AuthorizedKeysFile /etc/ssh_keys/%u 1267 */ 1268 case sAuthorizedKeysFile: 1269 case sAuthorizedKeysFile2: 1270 charptr = (opcode == sAuthorizedKeysFile) ? 
1271 &options->authorized_keys_file : 1272 &options->authorized_keys_file2; 1273 goto parse_filename; 1274 1275 case sClientAliveInterval: 1276 intptr = &options->client_alive_interval; 1277 goto parse_time; 1278 1279 case sClientAliveCountMax: 1280 intptr = &options->client_alive_count_max; 1281 goto parse_int; 1282 1283 case sMaxAuthTries: 1284 intptr = &options->max_auth_tries; 1285 goto parse_int; 1286 1287 case sMaxAuthTriesLog: 1288 intptr = &options->max_auth_tries_log; 1289 goto parse_int; 1290 1291 case sLookupClientHostnames: 1292 intptr = &options->lookup_client_hostnames; 1293 goto parse_flag; 1294 1295 case sUseOpenSSLEngine: 1296 intptr = &options->use_openssl_engine; 1297 goto parse_flag; 1298 1299 case sChrootDirectory: 1300 charptr = &options->chroot_directory; 1301 1302 arg = strdelim(&cp); 1303 if (arg == NULL || *arg == '\0') 1304 fatal("%s line %d: missing directory name for " 1305 "ChrootDirectory.", filename, linenum); 1306 if (*activep && *charptr == NULL) 1307 *charptr = xstrdup(arg); 1308 break; 1309 1310 case sPreUserauthHook: 1311 charptr = &options->pre_userauth_hook; 1312 goto parse_filename; 1313 1314 case sMatch: 1315 if (cmdline) 1316 fatal("Match directive not supported as a command-line " 1317 "option"); 1318 value = match_cfg_line(&cp, linenum, user, host, address); 1319 if (value < 0) 1320 fatal("%s line %d: Bad Match condition", filename, 1321 linenum); 1322 *activep = value; 1323 break; 1324 1325 case sDeprecated: 1326 log("%s line %d: Deprecated option %s", 1327 filename, linenum, arg); 1328 while (arg) 1329 arg = strdelim(&cp); 1330 break; 1331 1332 case sPAMServicePrefix: 1333 arg = strdelim(&cp); 1334 if (!arg || *arg == '\0') 1335 fatal("%s line %d: Missing argument.", 1336 filename, linenum); 1337 if (options->pam_service_name != NULL) 1338 fatal("%s line %d: PAMServiceName and PAMServicePrefix " 1339 "are mutually exclusive.", filename, linenum); 1340 if (options->pam_service_prefix == NULL) 1341 
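options->pam_service_prefix = xstrdup(arg);
		break;

	case sPAMServiceName:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.",
			    filename, linenum);
		/* A prefix and an explicit name cannot both be configured. */
		if (options->pam_service_prefix != NULL)
			fatal("%s line %d: PAMServiceName and PAMServicePrefix "
			    "are mutually exclusive.", filename, linenum);
		if (options->pam_service_name == NULL)
			options->pam_service_name = xstrdup(arg);
		break;

	/*
	 * NOTE(review): earlier in this switch, case sGssStoreDelegCreds
	 * assigns intptr = &options->gss_keyex rather than
	 * &options->gss_store_creds, so that directive appears to update the
	 * wrong setting while gss_store_creds keeps its default; confirm
	 * against servconf.h and the intended option name.
	 */
	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Every handler must consume the whole line; leftover tokens are an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}


/*
 * Reads the server configuration file into conf, stripping comments and
 * leading whitespace while preserving every newline so that the parser can
 * report the original line numbers.  Exits the process if the file cannot
 * be opened.
 *
 * A line longer than line[] arrives from fgets() in several chunks.  The
 * at_line_start/skipping state keeps the tail of an over-long comment from
 * being re-read as configuration, and keeps leading whitespace from being
 * stripped out of the middle of an over-long directive (which would glue
 * two list entries together, e.g. in AllowUsers/DenyUsers).
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char line[1024], *cp;
	FILE *f;
	int at_line_start = 1;	/* next chunk begins a new logical line */
	int skipping = 0;	/* inside a comment that spilled past line[] */

	debug2("%s: filename %s", __func__, filename);
	if ((f = fopen(filename, "r")) == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	while (fgets(line, sizeof(line), f)) {
		size_t len = strlen(line);
		int ends_line = len > 0 && line[len - 1] == '\n';

		if (skipping) {
			/*
			 * Remainder of a comment whose newline was already
			 * emitted when the '#' was seen; drop it.
			 */
			skipping = !ends_line;
			at_line_start = ends_line;
			continue;
		}
		/*
		 * Trim out comments and strip whitespace
		 * NB - preserve newlines, they are needed to reproduce
		 * line numbers later for error messages
		 */
		if ((cp = strchr(line, '#')) != NULL) {
			memcpy(cp, "\n", 2);
			/* The rest of the comment, if any, is in later chunks. */
			skipping = !ends_line;
			ends_line = 1;
		}
		/* Only strip at the start of a logical line, never mid-line. */
		cp = at_line_start ? line + strspn(line, " \t\r") : line;

		buffer_append(conf, cp, strlen(cp));
		at_line_start = ends_line;
	}
	buffer_append(conf, "\0", 1);
	fclose(f);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}

/*
 * Re-parses the cached configuration (cfg) for a specific user/host/address
 * into a scratch ServerOptions, then copies whatever that pass set into
 * options.  The non-NULL user makes parse_server_config() start inactive, so
 * presumably only Match blocks that apply to this connection take effect.
 */
void
parse_server_match_config(ServerOptions *options, const char *user,
    const char *host, const char *address)
{
	ServerOptions mo;

	initialize_server_options(&mo);
	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
	copy_set_server_options(options, &mo, 0);
}



/* Helper macros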
*/
/* Copy integer option n from src to dst when src has it explicitly set. */
#define M_CP_INTOPT(n) do {						\
		if (src->n != -1)					\
			dst->n = src->n;				\
	} while (0)
/*
 * Copy string option n from src to dst when src has it set, releasing the
 * string dst already held.  dst takes over src's pointer; no copy is made.
 */
#define M_CP_STROPT(n) do {						\
		if (src->n != NULL) {					\
			if (dst->n != NULL)				\
				xfree(dst->n);				\
			dst->n = src->n;				\
		}							\
	} while (0)

/*
 * Copy every supported option that src has set into dst.
 *
 * With preauth set, the string values that are not needed before
 * authentication are left alone; the ones that are needed pre-auth must be
 * sent explicitly in mm_getpwnamallow().
 */
void
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
{
	/* Authentication methods and login policy. */
	M_CP_INTOPT(password_authentication);
	M_CP_INTOPT(gss_authentication);
	M_CP_INTOPT(rsa_authentication);
	M_CP_INTOPT(pubkey_authentication);
	M_CP_INTOPT(hostbased_authentication);
	M_CP_INTOPT(kbd_interactive_authentication);
	M_CP_INTOPT(permit_root_login);
	M_CP_INTOPT(permit_empty_passwd);
	/* Forwarding. */
	M_CP_INTOPT(allow_tcp_forwarding);
	M_CP_INTOPT(gateway_ports);
	M_CP_INTOPT(x11_display_offset);
	M_CP_INTOPT(x11_forwarding);
	M_CP_INTOPT(x11_use_localhost);
	M_CP_INTOPT(max_auth_tries);
	M_CP_STROPT(banner);

	if (preauth)
		return;
	/* Post-authentication only. */
	M_CP_STROPT(chroot_directory);
}

#undef M_CP_INTOPT
#undef M_CP_STROPT

/*
 * Parse the NUL-terminated configuration text in conf line by line,
 * feeding each line to process_server_config_line() with a running line
 * number.  When user is NULL every line is active from the start; when a
 * user is given parsing starts inactive so that only lines enabled by a
 * Match directive take effect.  Terminates via fatal() if any line was bad.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    const char *user, const char *host, const char *address)
{
	char *buf, *rest, *line;
	int active, linenum, nbad = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() consumes rest; buf keeps the head for the final xfree(). */
	buf = rest = xstrdup(buffer_ptr(conf));
	active = (user == NULL);
	for (linenum = 1; (line = strsep(&rest, "\n")) != NULL; linenum++) {
		if (process_server_config_line(options, line, filename,
		    linenum, &active, user, host, address) != 0)
			nbad++;
	}
	xfree(buf);
	if (nbad > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, nbad);
}


/*
 * Returns non-zero when a chroot directory was configured.  The special
 * value "none" (case-insensitive) counts as not specifying ChrootDirectory
 * at all.
 */
int
chroot_requested(char *chroot_directory)
{
	if (chroot_directory == NULL)
		return 0;
	return strcasecmp(chroot_directory, "none") != 0;
}