xref: /titanic_44/usr/src/cmd/ssh/sshd/servconf.c (revision 6935f61b0d202f1b87f0234824e4a6ab88c492ac)
1 /*
2  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3  *                    All rights reserved
4  *
5  * As far as I am concerned, the code I have written for this software
6  * can be used freely for any purpose.  Any derived versions of this
7  * software must be clearly marked as such, and if the derived work is
8  * incompatible with the protocol description in the RFC file, it must be
9  * called by a name other than "ssh" or "Secure Shell".
10  */
11 /*
12  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
13  * Copyright 2013 Joyent, Inc.  All rights reserved.
14  */
15 
16 #include "includes.h"
17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
18 
19 #ifdef HAVE_DEFOPEN
20 #include <deflt.h>
21 #endif /* HAVE_DEFOPEN */
22 
23 #if defined(KRB4)
24 #include <krb.h>
25 #endif
26 #if defined(KRB5)
27 #ifdef HEIMDAL
28 #include <krb.h>
29 #else
30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
31  * keytab */
32 #define KEYFILE "/etc/krb5.keytab"
33 #endif
34 #endif
35 #ifdef AFS
36 #include <kafs.h>
37 #endif
38 
39 #include "ssh.h"
40 #include "log.h"
41 #include "buffer.h"
42 #include "servconf.h"
43 #include "xmalloc.h"
44 #include "compat.h"
45 #include "pathnames.h"
46 #include "tildexpand.h"
47 #include "misc.h"
48 #include "cipher.h"
49 #include "kex.h"
50 #include "mac.h"
51 #include "auth.h"
52 #include "match.h"
53 #include "groupaccess.h"
54 
55 static void add_listen_addr(ServerOptions *, char *, u_short);
56 static void add_one_listen_addr(ServerOptions *, char *, u_short);
57 
58 extern Buffer cfg;
59 
60 /* AF_UNSPEC or AF_INET or AF_INET6 */
61 extern int IPv4or6;
62 
63 /*
64  * Initializes the server options to their initial (unset) values. Some of those
65  * that stay unset after the command line options and configuration files are
66  * read are set to their default values in fill_default_server_options().
67  */
68 void
69 initialize_server_options(ServerOptions *options)
70 {
71 	(void) memset(options, 0, sizeof(*options));
72 
73 	/* Standard Options */
74 	options->num_ports = 0;
75 	options->ports_from_cmdline = 0;
76 	options->listen_addrs = NULL;
77 	options->num_host_key_files = 0;
78 	options->pid_file = NULL;
79 	options->server_key_bits = -1;
80 	options->login_grace_time = -1;
81 	options->key_regeneration_time = -1;
82 	options->permit_root_login = PERMIT_NOT_SET;
83 	options->ignore_rhosts = -1;
84 	options->ignore_user_known_hosts = -1;
85 	options->print_motd = -1;
86 	options->print_lastlog = -1;
87 	options->x11_forwarding = -1;
88 	options->x11_display_offset = -1;
89 	options->x11_use_localhost = -1;
90 	options->xauth_location = NULL;
91 	options->strict_modes = -1;
92 	options->keepalives = -1;
93 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
94 	options->log_level = SYSLOG_LEVEL_NOT_SET;
95 	options->rhosts_authentication = -1;
96 	options->rhosts_rsa_authentication = -1;
97 	options->hostbased_authentication = -1;
98 	options->hostbased_uses_name_from_packet_only = -1;
99 	options->rsa_authentication = -1;
100 	options->pubkey_authentication = -1;
101 #ifdef GSSAPI
102 	options->gss_authentication = -1;
103 	options->gss_keyex = -1;
104 	options->gss_store_creds = -1;
105 	options->gss_use_session_ccache = -1;
106 	options->gss_cleanup_creds = -1;
107 #endif
108 #if defined(KRB4) || defined(KRB5)
109 	options->kerberos_authentication = -1;
110 	options->kerberos_or_local_passwd = -1;
111 	options->kerberos_ticket_cleanup = -1;
112 #endif
113 #if defined(AFS) || defined(KRB5)
114 	options->kerberos_tgt_passing = -1;
115 #endif
116 #ifdef AFS
117 	options->afs_token_passing = -1;
118 #endif
119 	options->password_authentication = -1;
120 	options->kbd_interactive_authentication = -1;
121 	options->challenge_response_authentication = -1;
122 	options->pam_authentication_via_kbd_int = -1;
123 	options->permit_empty_passwd = -1;
124 	options->permit_user_env = -1;
125 	options->compression = -1;
126 	options->allow_tcp_forwarding = -1;
127 	options->num_allow_users = 0;
128 	options->num_deny_users = 0;
129 	options->num_allow_groups = 0;
130 	options->num_deny_groups = 0;
131 	options->ciphers = NULL;
132 	options->macs = NULL;
133 	options->protocol = SSH_PROTO_UNKNOWN;
134 	options->gateway_ports = -1;
135 	options->num_subsystems = 0;
136 	options->max_startups_begin = -1;
137 	options->max_startups_rate = -1;
138 	options->max_startups = -1;
139 	options->banner = NULL;
140 	options->verify_reverse_mapping = -1;
141 	options->client_alive_interval = -1;
142 	options->client_alive_count_max = -1;
143 	options->authorized_keys_file = NULL;
144 	options->authorized_keys_file2 = NULL;
145 
146 	options->max_auth_tries = -1;
147 	options->max_auth_tries_log = -1;
148 
149 	options->max_init_auth_tries = -1;
150 	options->max_init_auth_tries_log = -1;
151 
152 	options->lookup_client_hostnames = -1;
153 	options->use_openssl_engine = -1;
154 	options->chroot_directory = NULL;
155 	options->pre_userauth_hook = NULL;
156 	options->pam_service_name = NULL;
157 	options->pam_service_prefix = NULL;
158 }
159 
160 #ifdef HAVE_DEFOPEN
161 /*
162  * Reads /etc/default/login and defaults several ServerOptions:
163  *
164  * PermitRootLogin
165  * PermitEmptyPasswords
166  * LoginGraceTime
167  *
168  * CONSOLE=*      -> PermitRootLogin=without-password
169  * #CONSOLE=*     -> PermitRootLogin=yes
170  *
171  * PASSREQ=YES    -> PermitEmptyPasswords=no
172  * PASSREQ=NO     -> PermitEmptyPasswords=yes
173  * #PASSREQ=*     -> PermitEmptyPasswords=no
174  *
175  * TIMEOUT=<secs> -> LoginGraceTime=<secs>
176  * #TIMEOUT=<secs> -> LoginGraceTime=300
177  */
178 static
179 void
180 deflt_fill_default_server_options(ServerOptions *options)
181 {
182 	int	flags;
183 	char	*ptr;
184 
185 	if (defopen(_PATH_DEFAULT_LOGIN))
186 		return;
187 
188 	/* Ignore case */
189 	flags = defcntl(DC_GETFLAGS, 0);
190 	TURNOFF(flags, DC_CASE);
191 	(void) defcntl(DC_SETFLAGS, flags);
192 
193 	if (options->permit_root_login == PERMIT_NOT_SET &&
194 	    (ptr = defread("CONSOLE=")) != NULL)
195 		options->permit_root_login = PERMIT_NO_PASSWD;
196 
197 	if (options->permit_empty_passwd == -1 &&
198 	    (ptr = defread("PASSREQ=")) != NULL) {
199 		if (strcasecmp("YES", ptr) == 0)
200 			options->permit_empty_passwd = 0;
201 		else if (strcasecmp("NO", ptr) == 0)
202 			options->permit_empty_passwd = 1;
203 	}
204 
205 	if (options->max_init_auth_tries == -1 &&
206 	    (ptr = defread("RETRIES=")) != NULL) {
207 		options->max_init_auth_tries = atoi(ptr);
208 	}
209 
210 	if (options->max_init_auth_tries_log == -1 &&
211 	    (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) {
212 		options->max_init_auth_tries_log = atoi(ptr);
213 	}
214 
215 	if (options->login_grace_time == -1) {
216 		if ((ptr = defread("TIMEOUT=")) != NULL)
217 			options->login_grace_time = (unsigned)atoi(ptr);
218 		else
219 			options->login_grace_time = 300;
220 	}
221 
222 	(void) defopen((char *)NULL);
223 }
224 #endif /* HAVE_DEFOPEN */
225 
226 void
227 fill_default_server_options(ServerOptions *options)
228 {
229 
230 #ifdef HAVE_DEFOPEN
231 	deflt_fill_default_server_options(options);
232 #endif /* HAVE_DEFOPEN */
233 
234 	/* Standard Options */
235 	if (options->protocol == SSH_PROTO_UNKNOWN)
236 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
237 	if (options->num_host_key_files == 0) {
238 		/* fill default hostkeys for protocols */
239 		if (options->protocol & SSH_PROTO_1)
240 			options->host_key_files[options->num_host_key_files++] =
241 			    _PATH_HOST_KEY_FILE;
242 #ifndef GSSAPI
243 		/* With GSS keyex we can run v2 w/ no host keys */
244 		if (options->protocol & SSH_PROTO_2) {
245 			options->host_key_files[options->num_host_key_files++] =
246 			    _PATH_HOST_RSA_KEY_FILE;
247 			options->host_key_files[options->num_host_key_files++] =
248 			    _PATH_HOST_DSA_KEY_FILE;
249 		}
250 #endif /* GSSAPI */
251 	}
252 	if (options->num_ports == 0)
253 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
254 	if (options->listen_addrs == NULL)
255 		add_listen_addr(options, NULL, 0);
256 	if (options->pid_file == NULL)
257 		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
258 	if (options->server_key_bits == -1)
259 		options->server_key_bits = 768;
260 	if (options->login_grace_time == -1)
261 		options->login_grace_time = 120;
262 	if (options->key_regeneration_time == -1)
263 		options->key_regeneration_time = 3600;
264 	if (options->permit_root_login == PERMIT_NOT_SET)
265 		options->permit_root_login = PERMIT_YES;
266 	if (options->ignore_rhosts == -1)
267 		options->ignore_rhosts = 1;
268 	if (options->ignore_user_known_hosts == -1)
269 		options->ignore_user_known_hosts = 0;
270 	if (options->print_motd == -1)
271 		options->print_motd = 1;
272 	if (options->print_lastlog == -1)
273 		options->print_lastlog = 1;
274 	if (options->x11_forwarding == -1)
275 		options->x11_forwarding = 1;
276 	if (options->x11_display_offset == -1)
277 		options->x11_display_offset = 10;
278 	if (options->x11_use_localhost == -1)
279 		options->x11_use_localhost = 1;
280 	if (options->xauth_location == NULL)
281 		options->xauth_location = _PATH_XAUTH;
282 	if (options->strict_modes == -1)
283 		options->strict_modes = 1;
284 	if (options->keepalives == -1)
285 		options->keepalives = 1;
286 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
287 		options->log_facility = SYSLOG_FACILITY_AUTH;
288 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
289 		options->log_level = SYSLOG_LEVEL_INFO;
290 	if (options->rhosts_authentication == -1)
291 		options->rhosts_authentication = 0;
292 	if (options->rhosts_rsa_authentication == -1)
293 		options->rhosts_rsa_authentication = 0;
294 	if (options->hostbased_authentication == -1)
295 		options->hostbased_authentication = 0;
296 	if (options->hostbased_uses_name_from_packet_only == -1)
297 		options->hostbased_uses_name_from_packet_only = 0;
298 	if (options->rsa_authentication == -1)
299 		options->rsa_authentication = 1;
300 	if (options->pubkey_authentication == -1)
301 		options->pubkey_authentication = 1;
302 #ifdef GSSAPI
303 	if (options->gss_authentication == -1)
304 		options->gss_authentication = 1;
305 	if (options->gss_keyex == -1)
306 		options->gss_keyex = 1;
307 	if (options->gss_store_creds == -1)
308 		options->gss_store_creds = 1;
309 	if (options->gss_use_session_ccache == -1)
310 		options->gss_use_session_ccache = 1;
311 	if (options->gss_cleanup_creds == -1)
312 		options->gss_cleanup_creds = 1;
313 #endif
314 #if defined(KRB4) || defined(KRB5)
315 	if (options->kerberos_authentication == -1)
316 		options->kerberos_authentication = 0;
317 	if (options->kerberos_or_local_passwd == -1)
318 		options->kerberos_or_local_passwd = 1;
319 	if (options->kerberos_ticket_cleanup == -1)
320 		options->kerberos_ticket_cleanup = 1;
321 #endif
322 #if defined(AFS) || defined(KRB5)
323 	if (options->kerberos_tgt_passing == -1)
324 		options->kerberos_tgt_passing = 0;
325 #endif
326 #ifdef AFS
327 	if (options->afs_token_passing == -1)
328 		options->afs_token_passing = 0;
329 #endif
330 	if (options->password_authentication == -1)
331 		options->password_authentication = 1;
332 	/*
333 	 * options->pam_authentication_via_kbd_int has intentionally no default
334 	 * value since we do not need it.
335 	 */
336 	if (options->kbd_interactive_authentication == -1)
337 		options->kbd_interactive_authentication = 1;
338 	if (options->challenge_response_authentication == -1)
339 		options->challenge_response_authentication = 1;
340 	if (options->permit_empty_passwd == -1)
341 		options->permit_empty_passwd = 0;
342 	if (options->permit_user_env == -1)
343 		options->permit_user_env = 0;
344 	if (options->compression == -1)
345 		options->compression = 1;
346 	if (options->allow_tcp_forwarding == -1)
347 		options->allow_tcp_forwarding = 1;
348 	if (options->gateway_ports == -1)
349 		options->gateway_ports = 0;
350 	if (options->max_startups == -1)
351 		options->max_startups = 10;
352 	if (options->max_startups_rate == -1)
353 		options->max_startups_rate = 100;		/* 100% */
354 	if (options->max_startups_begin == -1)
355 		options->max_startups_begin = options->max_startups;
356 	if (options->verify_reverse_mapping == -1)
357 		options->verify_reverse_mapping = 0;
358 	if (options->client_alive_interval == -1)
359 		options->client_alive_interval = 0;
360 	if (options->client_alive_count_max == -1)
361 		options->client_alive_count_max = 3;
362 	if (options->authorized_keys_file2 == NULL) {
363 		/* authorized_keys_file2 falls back to authorized_keys_file */
364 		if (options->authorized_keys_file != NULL)
365 			options->authorized_keys_file2 = options->authorized_keys_file;
366 		else
367 			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
368 	}
369 	if (options->authorized_keys_file == NULL)
370 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
371 
372 	if (options->max_auth_tries == -1)
373 		options->max_auth_tries = AUTH_FAIL_MAX;
374 	if (options->max_auth_tries_log == -1)
375 		options->max_auth_tries_log = options->max_auth_tries / 2;
376 
377 	if (options->max_init_auth_tries == -1)
378 		options->max_init_auth_tries = AUTH_FAIL_MAX;
379 	if (options->max_init_auth_tries_log == -1)
380 		options->max_init_auth_tries_log = options->max_init_auth_tries / 2;
381 
382 	if (options->lookup_client_hostnames == -1)
383 		options->lookup_client_hostnames = 1;
384 	if (options->use_openssl_engine == -1)
385 		options->use_openssl_engine = 1;
386 	if (options->pam_service_prefix == NULL)
387 		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
388 	if (options->pam_service_name == NULL)
389 		options->pam_service_name = NULL;
390 }
391 
392 /* Keyword tokens. */
393 typedef enum {
394 	sBadOption,		/* == unknown option */
395 	/* Portable-specific options */
396 	sPAMAuthenticationViaKbdInt,
397 	/* Standard Options */
398 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
399 	sPermitRootLogin, sLogFacility, sLogLevel,
400 	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
401 #ifdef GSSAPI
402 	sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds,
403 	sGssUseSessionCredCache, sGssCleanupCreds,
404 #endif /* GSSAPI */
405 #if defined(KRB4) || defined(KRB5)
406 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
407 #endif
408 #if defined(AFS) || defined(KRB5)
409 	sKerberosTgtPassing,
410 #endif
411 #ifdef AFS
412 	sAFSTokenPassing,
413 #endif
414 	sChallengeResponseAuthentication,
415 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
416 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
417 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
418 	sStrictModes, sEmptyPasswd, sKeepAlives,
419 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
420 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
421 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
422 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
423 	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
424 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
425 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
426 	sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
427 	sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
428 	sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
429 	sDeprecated
430 } ServerOpCodes;
431 
432 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
433 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
434 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
435 
436 /* Textual representation of the tokens. */
437 static struct {
438 	const char *name;
439 	ServerOpCodes opcode;
440 	u_int flags;
441 } keywords[] = {
442 	/* Portable-specific options */
443 	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL },
444 	/* Standard Options */
445 	{ "port", sPort, SSHCFG_GLOBAL },
446 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
447 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },			/* alias */
448 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
449 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
450 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
451 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
452 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
453 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
454 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
455 	{ "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL },
456 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
457 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
458 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
459 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
460 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
461 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
462 #ifdef GSSAPI
463 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
464 	{ "gssapikeyexchange", sGssKeyEx,   SSHCFG_GLOBAL },
465 	{ "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL },
466 	{ "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL },	/* alias */
467 	{ "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL },	/* alias */
468 	{ "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL },	/* alias */
469 #ifndef SUNW_GSSAPI
470 	{ "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
471 	{ "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
472 	{ "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
473 #endif /* SUNW_GSSAPI */
474 #endif
475 #if defined(KRB4) || defined(KRB5)
476 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
477 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
478 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
479 #endif
480 #if defined(AFS) || defined(KRB5)
481 	{ "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL },
482 #endif
483 #ifdef AFS
484 	{ "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL },
485 #endif
486 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
487 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
488 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
489 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
490 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
491 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
492 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
493 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
494 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
495 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
496 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
497 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
498 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
499 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
500 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
501 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
502 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
503 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
504 	{ "compression", sCompression, SSHCFG_GLOBAL },
505 	{ "tcpkeepalive", sKeepAlives, SSHCFG_GLOBAL },
506 	{ "keepalive", sKeepAlives, SSHCFG_GLOBAL },		/* obsolete */
507 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
508 	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
509 	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
510 	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
511 	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
512 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
513 	{ "macs", sMacs, SSHCFG_GLOBAL},
514 	{ "protocol", sProtocol,SSHCFG_GLOBAL },
515 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
516 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL},
517 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
518 	{ "banner", sBanner, SSHCFG_ALL },
519 	{ "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL },
520 	{ "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL },
521 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
522 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
523 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
524 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
525 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
526 	{ "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL },
527 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
528 	{ "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL },
529 	{ "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL },
530 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
531 	{ "preuserauthhook", sPreUserauthHook, SSHCFG_ALL},
532 	{ "match", sMatch, SSHCFG_ALL },
533 	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
534 	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
535 
536 	{ NULL, sBadOption, 0 }
537 };
538 
539 /*
540  * Returns the number of the token pointed to by cp or sBadOption.
541  */
542 
543 static ServerOpCodes
544 parse_token(const char *cp, const char *filename,
545 	    int linenum, u_int *flags)
546 {
547 	u_int i;
548 
549 	for (i = 0; keywords[i].name; i++)
550 		if (strcasecmp(cp, keywords[i].name) == 0) {
551 			*flags = keywords[i].flags;
552 			return keywords[i].opcode;
553 		}
554 
555 	error("%s: line %d: Bad configuration option: %s",
556 	    filename, linenum, cp);
557 	return sBadOption;
558 }
559 
560 static void
561 add_listen_addr(ServerOptions *options, char *addr, u_short port)
562 {
563 	int i;
564 
565 	if (options->num_ports == 0)
566 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
567 	if (port == 0)
568 		for (i = 0; i < options->num_ports; i++)
569 			add_one_listen_addr(options, addr, options->ports[i]);
570 	else
571 		add_one_listen_addr(options, addr, port);
572 }
573 
574 static void
575 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
576 {
577 	struct addrinfo hints, *ai, *aitop;
578 	char strport[NI_MAXSERV];
579 	int gaierr;
580 
581 	(void) memset(&hints, 0, sizeof(hints));
582 	hints.ai_family = IPv4or6;
583 	hints.ai_socktype = SOCK_STREAM;
584 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
585 	(void) snprintf(strport, sizeof strport, "%u", port);
586 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
587 		fatal("bad addr or host: %s (%s)",
588 		    addr ? addr : "<NULL>",
589 		    gai_strerror(gaierr));
590 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
591 		;
592 	ai->ai_next = options->listen_addrs;
593 	options->listen_addrs = aitop;
594 }
595 
596 /*
597  * The strategy for the Match blocks is that the config file is parsed twice.
598  *
599  * The first time is at startup.  activep is initialized to 1 and the
600  * directives in the global context are processed and acted on.  Hitting a
601  * Match directive unsets activep and the directives inside the block are
602  * checked for syntax only.
603  *
604  * The second time is after a connection has been established but before
605  * authentication.  activep is initialized to 2 and global config directives
606  * are ignored since they have already been processed.  If the criteria in a
607  * Match block is met, activep is set and the subsequent directives
608  * processed and actioned until EOF or another Match block unsets it.  Any
609  * options set are copied into the main server config.
610  *
611  * Potential additions/improvements:
612  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
613  *
614  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
615  *	Match Address 192.168.0.*
616  *		Tag trusted
617  *	Match Group wheel
618  *		Tag trusted
619  *	Match Tag trusted
620  *		AllowTcpForwarding yes
621  *		GatewayPorts clientspecified
622  *		[...]
623  *
624  *  - Add a PermittedChannelRequests directive
625  *	Match Group shell
626  *		PermittedChannelRequests session,forwarded-tcpip
627  */
628 
629 static int
630 match_cfg_line_group(const char *grps, int line, const char *user)
631 {
632 	int result = 0;
633 	struct passwd *pw;
634 
635 	if (user == NULL)
636 		goto out;
637 
638 	if ((pw = getpwnam(user)) == NULL) {
639 		debug("Can't match group at line %d because user %.100s does "
640 		    "not exist", line, user);
641 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
642 		debug("Can't Match group because user %.100s not in any group "
643 		    "at line %d", user, line);
644 	} else if (ga_match_pattern_list(grps) != 1) {
645 		debug("user %.100s does not match group list %.100s at line %d",
646 		    user, grps, line);
647 	} else {
648 		debug("user %.100s matched group list %.100s at line %d", user,
649 		    grps, line);
650 		result = 1;
651 	}
652 out:
653 	ga_free();
654 	return result;
655 }
656 
657 static int
658 match_cfg_line(char **condition, int line, const char *user, const char *host,
659     const char *address)
660 {
661 	int result = 1;
662 	char *arg, *attrib, *cp = *condition;
663 	size_t len;
664 
665 	if (user == NULL)
666 		debug3("checking syntax for 'Match %s'", cp);
667 	else
668 		debug3("checking match for '%s' user %s host %s addr %s", cp,
669 		    user ? user : "(null)", host ? host : "(null)",
670 		    address ? address : "(null)");
671 
672 	while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') {
673 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
674 			error("Missing Match criteria for %s", attrib);
675 			return -1;
676 		}
677 		len = strlen(arg);
678 		if (strcasecmp(attrib, "user") == 0) {
679 			if (!user) {
680 				result = 0;
681 				continue;
682 			}
683 			if (match_pattern_list(user, arg, len, 0) != 1)
684 				result = 0;
685 			else
686 				debug("user %.100s matched 'User %.100s' at "
687 				    "line %d", user, arg, line);
688 		} else if (strcasecmp(attrib, "group") == 0) {
689 			switch (match_cfg_line_group(arg, line, user)) {
690 			case -1:
691 				return -1;
692 			case 0:
693 				result = 0;
694 			}
695 		} else if (strcasecmp(attrib, "host") == 0) {
696 			if (!host) {
697 				result = 0;
698 				continue;
699 			}
700 			if (match_hostname(host, arg, len) != 1)
701 				result = 0;
702 			else
703 				debug("connection from %.100s matched 'Host "
704 				    "%.100s' at line %d", host, arg, line);
705 		} else if (strcasecmp(attrib, "address") == 0) {
706 			switch (addr_match_list(address, arg)) {
707 			case 1:
708 				debug("connection from %.100s matched 'Address "
709 				    "%.100s' at line %d", address, arg, line);
710 				break;
711 			case 0:
712 			case -1:
713 				result = 0;
714 				break;
715 			case -2:
716 				return -1;
717 			}
718 		} else {
719 			error("Unsupported Match attribute %s", attrib);
720 			return -1;
721 		}
722 	}
723 	if (user != NULL)
724 		debug3("match %sfound", result ? "" : "not ");
725 	*condition = cp;
726 	return result;
727 }
728 
729 #define WHITESPACE " \t\r\n"
730 
731 int
732 process_server_config_line(ServerOptions *options, char *line,
733     const char *filename, int linenum, int *activep, const char *user,
734     const char *host, const char *address)
735 {
736 	char *cp, **charptr, *arg, *p;
737 	int cmdline = 0, *intptr, value, n;
738 	ServerOpCodes opcode;
739 	u_int i, flags = 0;
740 	size_t len;
741 
742 	cp = line;
743 	arg = strdelim(&cp);
744 	/* Ignore leading whitespace */
745 	if (*arg == '\0')
746 		arg = strdelim(&cp);
747 	if (!arg || !*arg || *arg == '#')
748 		return 0;
749 	intptr = NULL;
750 	charptr = NULL;
751 	opcode = parse_token(arg, filename, linenum, &flags);
752 
753 	if (activep == NULL) { /* We are processing a command line directive */
754 		cmdline = 1;
755 		activep = &cmdline;
756 	}
757 	if (*activep && opcode != sMatch)
758 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
759 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
760 		if (user == NULL) {
761 			fatal("%s line %d: Directive '%s' is not allowed "
762 			    "within a Match block", filename, linenum, arg);
763 		} else { /* this is a directive we have already processed */
764 			while (arg)
765 				arg = strdelim(&cp);
766 			return 0;
767 		}
768 	}
769 
770 	switch (opcode) {
771 	/* Portable-specific options */
772 	case sPAMAuthenticationViaKbdInt:
773 		log("%s line %d: PAMAuthenticationViaKbdInt has been "
774 		    "deprecated. You should use KbdInteractiveAuthentication "
775 		    "instead (which defaults to \"yes\").", filename, linenum);
776 		intptr = &options->pam_authentication_via_kbd_int;
777 		goto parse_flag;
778 
779 	/* Standard Options */
780 	case sBadOption:
781 		return -1;
782 	case sPort:
783 		/* ignore ports from configfile if cmdline specifies ports */
784 		if (options->ports_from_cmdline)
785 			return 0;
786 		if (options->listen_addrs != NULL)
787 			fatal("%s line %d: ports must be specified before "
788 			    "ListenAddress.", filename, linenum);
789 		if (options->num_ports >= MAX_PORTS)
790 			fatal("%s line %d: too many ports.",
791 			    filename, linenum);
792 		arg = strdelim(&cp);
793 		if (!arg || *arg == '\0')
794 			fatal("%s line %d: missing port number.",
795 			    filename, linenum);
796 		options->ports[options->num_ports++] = a2port(arg);
797 		if (options->ports[options->num_ports-1] == 0)
798 			fatal("%s line %d: Badly formatted port number.",
799 			    filename, linenum);
800 		break;
801 
802 	case sServerKeyBits:
803 		intptr = &options->server_key_bits;
804 parse_int:
805 		arg = strdelim(&cp);
806 		if (!arg || *arg == '\0')
807 			fatal("%s line %d: missing integer value.",
808 			    filename, linenum);
809 		value = atoi(arg);
810 		if (*activep && *intptr == -1)
811 			*intptr = value;
812 		break;
813 
814 	case sLoginGraceTime:
815 		intptr = &options->login_grace_time;
816 parse_time:
817 		arg = strdelim(&cp);
818 		if (!arg || *arg == '\0')
819 			fatal("%s line %d: missing time value.",
820 			    filename, linenum);
821 		if ((value = convtime(arg)) == -1)
822 			fatal("%s line %d: invalid time value.",
823 			    filename, linenum);
824 		if (*intptr == -1)
825 			*intptr = value;
826 		break;
827 
828 	case sKeyRegenerationTime:
829 		intptr = &options->key_regeneration_time;
830 		goto parse_time;
831 
832 	case sListenAddress:
833 		arg = strdelim(&cp);
834 		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
835 			fatal("%s line %d: missing inet addr.",
836 			    filename, linenum);
837 		if (*arg == '[') {
838 			if ((p = strchr(arg, ']')) == NULL)
839 				fatal("%s line %d: bad ipv6 inet addr usage.",
840 				    filename, linenum);
841 			arg++;
842 			(void) memmove(p, p+1, strlen(p+1)+1);
843 		} else if (((p = strchr(arg, ':')) == NULL) ||
844 			    (strchr(p+1, ':') != NULL)) {
845 			add_listen_addr(options, arg, 0);
846 			break;
847 		}
848 		if (*p == ':') {
849 			u_short port;
850 
851 			p++;
852 			if (*p == '\0')
853 				fatal("%s line %d: bad inet addr:port usage.",
854 				    filename, linenum);
855 			else {
856 				*(p-1) = '\0';
857 				if ((port = a2port(p)) == 0)
858 					fatal("%s line %d: bad port number.",
859 					    filename, linenum);
860 				add_listen_addr(options, arg, port);
861 			}
862 		} else if (*p == '\0')
863 			add_listen_addr(options, arg, 0);
864 		else
865 			fatal("%s line %d: bad inet addr usage.",
866 			    filename, linenum);
867 		break;
868 
869 	case sHostKeyFile:
870 		intptr = &options->num_host_key_files;
871 		if (*intptr >= MAX_HOSTKEYS)
872 			fatal("%s line %d: too many host keys specified (max %d).",
873 			    filename, linenum, MAX_HOSTKEYS);
874 		charptr = &options->host_key_files[*intptr];
875 parse_filename:
876 		arg = strdelim(&cp);
877 		if (!arg || *arg == '\0')
878 			fatal("%s line %d: missing file name.",
879 			    filename, linenum);
880 		if (*activep && *charptr == NULL) {
881 			*charptr = tilde_expand_filename(arg, getuid());
882 			/* increase optional counter */
883 			if (intptr != NULL)
884 				*intptr = *intptr + 1;
885 		}
886 		break;
887 
888 	case sPidFile:
889 		charptr = &options->pid_file;
890 		goto parse_filename;
891 
892 	case sPermitRootLogin:
893 		intptr = &options->permit_root_login;
894 		arg = strdelim(&cp);
895 		if (!arg || *arg == '\0')
896 			fatal("%s line %d: missing yes/"
897 			    "without-password/forced-commands-only/no "
898 			    "argument.", filename, linenum);
899 		value = 0;	/* silence compiler */
900 		if (strcmp(arg, "without-password") == 0)
901 			value = PERMIT_NO_PASSWD;
902 		else if (strcmp(arg, "forced-commands-only") == 0)
903 			value = PERMIT_FORCED_ONLY;
904 		else if (strcmp(arg, "yes") == 0)
905 			value = PERMIT_YES;
906 		else if (strcmp(arg, "no") == 0)
907 			value = PERMIT_NO;
908 		else
909 			fatal("%s line %d: Bad yes/"
910 			    "without-password/forced-commands-only/no "
911 			    "argument: %s", filename, linenum, arg);
912 		if (*activep && *intptr == -1)
913 			*intptr = value;
914 		break;
915 
916 	case sIgnoreRhosts:
917 		intptr = &options->ignore_rhosts;
918 parse_flag:
919 		arg = strdelim(&cp);
920 		if (!arg || *arg == '\0')
921 			fatal("%s line %d: missing yes/no argument.",
922 			    filename, linenum);
923 		value = 0;	/* silence compiler */
924 		if (strcmp(arg, "yes") == 0)
925 			value = 1;
926 		else if (strcmp(arg, "no") == 0)
927 			value = 0;
928 		else
929 			fatal("%s line %d: Bad yes/no argument: %s",
930 				filename, linenum, arg);
931 		if (*activep && *intptr == -1)
932 			*intptr = value;
933 		break;
934 
935 	case sIgnoreUserKnownHosts:
936 		intptr = &options->ignore_user_known_hosts;
937 		goto parse_flag;
938 
939 	case sRhostsAuthentication:
940 		intptr = &options->rhosts_authentication;
941 		goto parse_flag;
942 
943 	case sRhostsRSAAuthentication:
944 		intptr = &options->rhosts_rsa_authentication;
945 		goto parse_flag;
946 
947 	case sHostbasedAuthentication:
948 		intptr = &options->hostbased_authentication;
949 		goto parse_flag;
950 
951 	case sHostbasedUsesNameFromPacketOnly:
952 		intptr = &options->hostbased_uses_name_from_packet_only;
953 		goto parse_flag;
954 
955 	case sRSAAuthentication:
956 		intptr = &options->rsa_authentication;
957 		goto parse_flag;
958 
959 	case sPubkeyAuthentication:
960 		intptr = &options->pubkey_authentication;
961 		goto parse_flag;
962 #ifdef GSSAPI
963 	case sGssAuthentication:
964 		intptr = &options->gss_authentication;
965 		goto parse_flag;
966 	case sGssKeyEx:
967 		intptr = &options->gss_keyex;
968 		goto parse_flag;
969 	case sGssStoreDelegCreds:
970 		intptr = &options->gss_keyex;
971 		goto parse_flag;
972 #ifndef SUNW_GSSAPI
973 	case sGssUseSessionCredCache:
974 		intptr = &options->gss_use_session_ccache;
975 		goto parse_flag;
976 	case sGssCleanupCreds:
977 		intptr = &options->gss_cleanup_creds;
978 		goto parse_flag;
979 #endif /* SUNW_GSSAPI */
980 #endif /* GSSAPI */
981 #if defined(KRB4) || defined(KRB5)
982 	case sKerberosAuthentication:
983 		intptr = &options->kerberos_authentication;
984 		goto parse_flag;
985 
986 	case sKerberosOrLocalPasswd:
987 		intptr = &options->kerberos_or_local_passwd;
988 		goto parse_flag;
989 
990 	case sKerberosTicketCleanup:
991 		intptr = &options->kerberos_ticket_cleanup;
992 		goto parse_flag;
993 #endif
994 #if defined(AFS) || defined(KRB5)
995 	case sKerberosTgtPassing:
996 		intptr = &options->kerberos_tgt_passing;
997 		goto parse_flag;
998 #endif
999 #ifdef AFS
1000 	case sAFSTokenPassing:
1001 		intptr = &options->afs_token_passing;
1002 		goto parse_flag;
1003 #endif
1004 
1005 	case sPasswordAuthentication:
1006 		intptr = &options->password_authentication;
1007 		goto parse_flag;
1008 
1009 	case sKbdInteractiveAuthentication:
1010 		intptr = &options->kbd_interactive_authentication;
1011 		goto parse_flag;
1012 
1013 	case sChallengeResponseAuthentication:
1014 		intptr = &options->challenge_response_authentication;
1015 		goto parse_flag;
1016 
1017 	case sPrintMotd:
1018 		intptr = &options->print_motd;
1019 		goto parse_flag;
1020 
1021 	case sPrintLastLog:
1022 		intptr = &options->print_lastlog;
1023 		goto parse_flag;
1024 
1025 	case sX11Forwarding:
1026 		intptr = &options->x11_forwarding;
1027 		goto parse_flag;
1028 
1029 	case sX11DisplayOffset:
1030 		intptr = &options->x11_display_offset;
1031 		goto parse_int;
1032 
1033 	case sX11UseLocalhost:
1034 		intptr = &options->x11_use_localhost;
1035 		goto parse_flag;
1036 
1037 	case sXAuthLocation:
1038 		charptr = &options->xauth_location;
1039 		goto parse_filename;
1040 
1041 	case sStrictModes:
1042 		intptr = &options->strict_modes;
1043 		goto parse_flag;
1044 
1045 	case sKeepAlives:
1046 		intptr = &options->keepalives;
1047 		goto parse_flag;
1048 
1049 	case sEmptyPasswd:
1050 		intptr = &options->permit_empty_passwd;
1051 		goto parse_flag;
1052 
1053 	case sPermitUserEnvironment:
1054 		intptr = &options->permit_user_env;
1055 		goto parse_flag;
1056 
1057 	case sUseLogin:
1058 		log("%s line %d: ignoring UseLogin option value."
1059 		    " This option is always off.", filename, linenum);
1060 		while (arg)
1061 			arg = strdelim(&cp);
1062 		break;
1063 
1064 	case sCompression:
1065 		intptr = &options->compression;
1066 		goto parse_flag;
1067 
1068 	case sGatewayPorts:
1069 		intptr = &options->gateway_ports;
1070 		arg = strdelim(&cp);
1071 		if (!arg || *arg == '\0')
1072 			fatal("%s line %d: missing yes/no/clientspecified "
1073 			    "argument.", filename, linenum);
1074 		value = 0;	/* silence compiler */
1075 		if (strcmp(arg, "clientspecified") == 0)
1076 			value = 2;
1077 		else if (strcmp(arg, "yes") == 0)
1078 			value = 1;
1079 		else if (strcmp(arg, "no") == 0)
1080 			value = 0;
1081 		else
1082 			fatal("%s line %d: Bad yes/no/clientspecified "
1083 			    "argument: %s", filename, linenum, arg);
1084 		if (*activep && *intptr == -1)
1085 			*intptr = value;
1086 		break;
1087 
1088 	case sVerifyReverseMapping:
1089 		intptr = &options->verify_reverse_mapping;
1090 		goto parse_flag;
1091 
1092 	case sLogFacility:
1093 		intptr = (int *) &options->log_facility;
1094 		arg = strdelim(&cp);
1095 		value = log_facility_number(arg);
1096 		if (value == SYSLOG_FACILITY_NOT_SET)
1097 			fatal("%.200s line %d: unsupported log facility '%s'",
1098 			    filename, linenum, arg ? arg : "<NONE>");
1099 		if (*intptr == -1)
1100 			*intptr = (SyslogFacility) value;
1101 		break;
1102 
1103 	case sLogLevel:
1104 		intptr = (int *) &options->log_level;
1105 		arg = strdelim(&cp);
1106 		value = log_level_number(arg);
1107 		if (value == SYSLOG_LEVEL_NOT_SET)
1108 			fatal("%.200s line %d: unsupported log level '%s'",
1109 			    filename, linenum, arg ? arg : "<NONE>");
1110 		if (*intptr == -1)
1111 			*intptr = (LogLevel) value;
1112 		break;
1113 
1114 	case sAllowTcpForwarding:
1115 		intptr = &options->allow_tcp_forwarding;
1116 		goto parse_flag;
1117 
1118 	case sUsePrivilegeSeparation:
1119 		log("%s line %d: ignoring UsePrivilegeSeparation option value."
1120 		    " This option is always on.", filename, linenum);
1121 		while (arg)
1122 			arg = strdelim(&cp);
1123 		break;
1124 
1125 	case sAllowUsers:
1126 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1127 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1128 				fatal("%s line %d: too many allow users.",
1129 				    filename, linenum);
1130 			options->allow_users[options->num_allow_users++] =
1131 			    xstrdup(arg);
1132 		}
1133 		break;
1134 
1135 	case sDenyUsers:
1136 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1137 			if (options->num_deny_users >= MAX_DENY_USERS)
1138 				fatal( "%s line %d: too many deny users.",
1139 				    filename, linenum);
1140 			options->deny_users[options->num_deny_users++] =
1141 			    xstrdup(arg);
1142 		}
1143 		break;
1144 
1145 	case sAllowGroups:
1146 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1147 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1148 				fatal("%s line %d: too many allow groups.",
1149 				    filename, linenum);
1150 			options->allow_groups[options->num_allow_groups++] =
1151 			    xstrdup(arg);
1152 		}
1153 		break;
1154 
1155 	case sDenyGroups:
1156 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1157 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1158 				fatal("%s line %d: too many deny groups.",
1159 				    filename, linenum);
1160 			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1161 		}
1162 		break;
1163 
1164 	case sCiphers:
1165 		arg = strdelim(&cp);
1166 		if (!arg || *arg == '\0')
1167 			fatal("%s line %d: Missing argument.", filename, linenum);
1168 		if (!ciphers_valid(arg))
1169 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1170 			    filename, linenum, arg ? arg : "<NONE>");
1171 		if (options->ciphers == NULL)
1172 			options->ciphers = xstrdup(arg);
1173 		break;
1174 
1175 	case sMacs:
1176 		arg = strdelim(&cp);
1177 		if (!arg || *arg == '\0')
1178 			fatal("%s line %d: Missing argument.", filename, linenum);
1179 		if (!mac_valid(arg))
1180 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1181 			    filename, linenum, arg ? arg : "<NONE>");
1182 		if (options->macs == NULL)
1183 			options->macs = xstrdup(arg);
1184 		break;
1185 
1186 	case sProtocol:
1187 		intptr = &options->protocol;
1188 		arg = strdelim(&cp);
1189 		if (!arg || *arg == '\0')
1190 			fatal("%s line %d: Missing argument.", filename, linenum);
1191 		value = proto_spec(arg);
1192 		if (value == SSH_PROTO_UNKNOWN)
1193 			fatal("%s line %d: Bad protocol spec '%s'.",
1194 			    filename, linenum, arg ? arg : "<NONE>");
1195 		if (*intptr == SSH_PROTO_UNKNOWN)
1196 			*intptr = value;
1197 		break;
1198 
1199 	case sSubsystem:
1200 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1201 			fatal("%s line %d: too many subsystems defined.",
1202 			    filename, linenum);
1203 		}
1204 		arg = strdelim(&cp);
1205 		if (!arg || *arg == '\0')
1206 			fatal("%s line %d: Missing subsystem name.",
1207 			    filename, linenum);
1208 		if (!*activep) {
1209 			arg = strdelim(&cp);
1210 			break;
1211 		}
1212 		for (i = 0; i < options->num_subsystems; i++)
1213 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1214 				fatal("%s line %d: Subsystem '%s' already defined.",
1215 				    filename, linenum, arg);
1216 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1217 		arg = strdelim(&cp);
1218 		if (!arg || *arg == '\0')
1219 			fatal("%s line %d: Missing subsystem command.",
1220 			    filename, linenum);
1221 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1222 
1223 		/*
1224 		 * Collect arguments (separate to executable), including the
1225 		 * name of the executable, in a way that is easier to parse
1226 		 * later.
1227 		 */
1228 		p = xstrdup(arg);
1229 		len = strlen(p) + 1;
1230 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1231 			len += 1 + strlen(arg);
1232 			p = xrealloc(p, len);
1233 			strlcat(p, " ", len);
1234 			strlcat(p, arg, len);
1235 		}
1236 		options->subsystem_args[options->num_subsystems] = p;
1237 		options->num_subsystems++;
1238 		break;
1239 
1240 	case sMaxStartups:
1241 		arg = strdelim(&cp);
1242 		if (!arg || *arg == '\0')
1243 			fatal("%s line %d: Missing MaxStartups spec.",
1244 			    filename, linenum);
1245 		if ((n = sscanf(arg, "%d:%d:%d",
1246 		    &options->max_startups_begin,
1247 		    &options->max_startups_rate,
1248 		    &options->max_startups)) == 3) {
1249 			if (options->max_startups_begin >
1250 			    options->max_startups ||
1251 			    options->max_startups_rate > 100 ||
1252 			    options->max_startups_rate < 1)
1253 				fatal("%s line %d: Illegal MaxStartups spec.",
1254 				    filename, linenum);
1255 		} else if (n != 1)
1256 			fatal("%s line %d: Illegal MaxStartups spec.",
1257 			    filename, linenum);
1258 		else
1259 			options->max_startups = options->max_startups_begin;
1260 		break;
1261 
1262 	case sBanner:
1263 		charptr = &options->banner;
1264 		goto parse_filename;
1265 	/*
1266 	 * These options can contain %X options expanded at
1267 	 * connect time, so that you can specify paths like:
1268 	 *
1269 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1270 	 */
1271 	case sAuthorizedKeysFile:
1272 	case sAuthorizedKeysFile2:
1273 		charptr = (opcode == sAuthorizedKeysFile) ?
1274 		    &options->authorized_keys_file :
1275 		    &options->authorized_keys_file2;
1276 		goto parse_filename;
1277 
1278 	case sClientAliveInterval:
1279 		intptr = &options->client_alive_interval;
1280 		goto parse_time;
1281 
1282 	case sClientAliveCountMax:
1283 		intptr = &options->client_alive_count_max;
1284 		goto parse_int;
1285 
1286 	case sMaxAuthTries:
1287 		intptr = &options->max_auth_tries;
1288 		goto parse_int;
1289 
1290 	case sMaxAuthTriesLog:
1291 		intptr = &options->max_auth_tries_log;
1292 		goto parse_int;
1293 
1294 	case sLookupClientHostnames:
1295 		intptr = &options->lookup_client_hostnames;
1296 		goto parse_flag;
1297 
1298 	case sUseOpenSSLEngine:
1299 		intptr = &options->use_openssl_engine;
1300 		goto parse_flag;
1301 
1302 	case sChrootDirectory:
1303 		charptr = &options->chroot_directory;
1304 
1305 		arg = strdelim(&cp);
1306 		if (arg == NULL || *arg == '\0')
1307 			fatal("%s line %d: missing directory name for "
1308 			    "ChrootDirectory.", filename, linenum);
1309 		if (*activep && *charptr == NULL)
1310 			*charptr = xstrdup(arg);
1311 		break;
1312 
1313 	case sPreUserauthHook:
1314 		charptr = &options->pre_userauth_hook;
1315 		goto parse_filename;
1316 
1317 	case sMatch:
1318 		if (cmdline)
1319 			fatal("Match directive not supported as a command-line "
1320 			   "option");
1321 		value = match_cfg_line(&cp, linenum, user, host, address);
1322 		if (value < 0)
1323 			fatal("%s line %d: Bad Match condition", filename,
1324 			    linenum);
1325 		*activep = value;
1326 		break;
1327 
1328 	case sDeprecated:
1329 		log("%s line %d: Deprecated option %s",
1330 		    filename, linenum, arg);
1331 		while (arg)
1332 		    arg = strdelim(&cp);
1333 		break;
1334 
1335 	case sPAMServicePrefix:
1336 		arg = strdelim(&cp);
1337 		if (!arg || *arg == '\0')
1338 			fatal("%s line %d: Missing argument.",
1339 			    filename, linenum);
1340 		if (options->pam_service_name != NULL)
1341 			fatal("%s line %d: PAMServiceName and PAMServicePrefix "
1342 			    "are mutually exclusive.", filename, linenum);
1343 		if (options->pam_service_prefix == NULL)
1344 			options->pam_service_prefix = xstrdup(arg);
1345 		break;
1346 
1347 	case sPAMServiceName:
1348 		arg = strdelim(&cp);
1349 		if (!arg || *arg == '\0')
1350 			fatal("%s line %d: Missing argument.",
1351 			    filename, linenum);
1352 		if (options->pam_service_prefix != NULL)
1353 			fatal("%s line %d: PAMServiceName and PAMServicePrefix "
1354 			    "are mutually exclusive.", filename, linenum);
1355 		if (options->pam_service_name == NULL)
1356 			options->pam_service_name = xstrdup(arg);
1357 		break;
1358 
1359 	default:
1360 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1361 		    filename, linenum, arg, opcode);
1362 	}
1363 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1364 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1365 		    filename, linenum, arg);
1366 	return 0;
1367 }
1368 
1369 
1370 /* Reads the server configuration file. */
1371 
1372 void
1373 load_server_config(const char *filename, Buffer *conf)
1374 {
1375 	char line[1024], *cp;
1376 	FILE *f;
1377 
1378 	debug2("%s: filename %s", __func__, filename);
1379 	if ((f = fopen(filename, "r")) == NULL) {
1380 		perror(filename);
1381 		exit(1);
1382 	}
1383 	buffer_clear(conf);
1384 	while (fgets(line, sizeof(line), f)) {
1385 		/*
1386 		 * Trim out comments and strip whitespace
1387 		 * NB - preserve newlines, they are needed to reproduce
1388 		 * line numbers later for error messages
1389 		 */
1390 		if ((cp = strchr(line, '#')) != NULL)
1391 			memcpy(cp, "\n", 2);
1392 		cp = line + strspn(line, " \t\r");
1393 
1394 		buffer_append(conf, cp, strlen(cp));
1395 	}
1396 	buffer_append(conf, "\0", 1);
1397 	fclose(f);
1398 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1399 }
1400 
1401 void
1402 parse_server_match_config(ServerOptions *options, const char *user,
1403     const char *host, const char *address)
1404 {
1405 	ServerOptions mo;
1406 
1407 	initialize_server_options(&mo);
1408 	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1409 	copy_set_server_options(options, &mo, 0);
1410 }
1411 
1412 
1413 
1414 /* Helper macros */
1415 #define M_CP_INTOPT(n) do {\
1416 	if (src->n != -1) \
1417 		dst->n = src->n; \
1418 } while (0)
1419 #define M_CP_STROPT(n) do {\
1420 	if (src->n != NULL) { \
1421 		if (dst->n != NULL) \
1422 			xfree(dst->n); \
1423 		dst->n = src->n; \
1424 	} \
1425 } while(0)
1426 
1427 /*
1428  * Copy any supported values that are set.
1429  *
1430  * If the preauth flag is set, we do not bother copying the the string or
1431  * array values that are not used pre-authentication, because any that we
1432  * do use must be explictly sent in mm_getpwnamallow().
1433  */
1434 void
1435 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1436 {
1437 	M_CP_INTOPT(password_authentication);
1438 	M_CP_INTOPT(gss_authentication);
1439 	M_CP_INTOPT(rsa_authentication);
1440 	M_CP_INTOPT(pubkey_authentication);
1441 	M_CP_INTOPT(hostbased_authentication);
1442 	M_CP_INTOPT(kbd_interactive_authentication);
1443 	M_CP_INTOPT(permit_root_login);
1444 	M_CP_INTOPT(permit_empty_passwd);
1445 	M_CP_INTOPT(allow_tcp_forwarding);
1446 	M_CP_INTOPT(gateway_ports);
1447 	M_CP_INTOPT(x11_display_offset);
1448 	M_CP_INTOPT(x11_forwarding);
1449 	M_CP_INTOPT(x11_use_localhost);
1450 	M_CP_INTOPT(max_auth_tries);
1451 	M_CP_STROPT(banner);
1452 
1453 	if (preauth)
1454 		return;
1455 	M_CP_STROPT(chroot_directory);
1456 }
1457 
1458 #undef M_CP_INTOPT
1459 #undef M_CP_STROPT
1460 
1461 void
1462 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1463     const char *user, const char *host, const char *address)
1464 {
1465 	int active, linenum, bad_options = 0;
1466 	char *cp, *obuf, *cbuf;
1467 
1468 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1469 
1470 	obuf = cbuf = xstrdup(buffer_ptr(conf));
1471 	active = user ? 0 : 1;
1472 	linenum = 1;
1473 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
1474 		if (process_server_config_line(options, cp, filename,
1475 		    linenum++, &active, user, host, address) != 0)
1476 			bad_options++;
1477 	}
1478 	xfree(obuf);
1479 	if (bad_options > 0)
1480 		fatal("%s: terminating, %d bad configuration options",
1481 		    filename, bad_options);
1482 }
1483 
1484 
1485 /*
1486  * Note that "none" is a special path having the same affect on sshd
1487  * configuration as not specifying ChrootDirectory at all.
1488  */
1489 int
1490 chroot_requested(char *chroot_directory)
1491 {
1492 	return (chroot_directory != NULL &&
1493 	    strcasecmp(chroot_directory, "none") != 0);
1494 }
1495