1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 13 * Use is subject to license terms. 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 18 19 #ifdef HAVE_DEFOPEN 20 #include <deflt.h> 21 #endif /* HAVE_DEFOPEN */ 22 23 #if defined(KRB4) 24 #include <krb.h> 25 #endif 26 #if defined(KRB5) 27 #ifdef HEIMDAL 28 #include <krb.h> 29 #else 30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 31 * keytab */ 32 #define KEYFILE "/etc/krb5.keytab" 33 #endif 34 #endif 35 #ifdef AFS 36 #include <kafs.h> 37 #endif 38 39 #include "ssh.h" 40 #include "log.h" 41 #include "buffer.h" 42 #include "servconf.h" 43 #include "xmalloc.h" 44 #include "compat.h" 45 #include "pathnames.h" 46 #include "tildexpand.h" 47 #include "misc.h" 48 #include "cipher.h" 49 #include "kex.h" 50 #include "mac.h" 51 #include "auth.h" 52 #include "match.h" 53 #include "groupaccess.h" 54 55 static void add_listen_addr(ServerOptions *, char *, u_short); 56 static void add_one_listen_addr(ServerOptions *, char *, u_short); 57 58 extern Buffer cfg; 59 60 /* AF_UNSPEC or AF_INET or AF_INET6 */ 61 extern int IPv4or6; 62 63 /* 64 * Initializes the server options to their initial (unset) values. Some of those 65 * that stay unset after the command line options and configuration files are 66 * read are set to their default values in fill_default_server_options(). 67 */ 68 void 69 initialize_server_options(ServerOptions *options) 70 { 71 (void) memset(options, 0, sizeof(*options)); 72 73 /* Portable-specific options */ 74 options->pam_authentication_via_kbd_int = -1; 75 76 /* Standard Options */ 77 options->num_ports = 0; 78 options->ports_from_cmdline = 0; 79 options->listen_addrs = NULL; 80 options->num_host_key_files = 0; 81 options->pid_file = NULL; 82 options->server_key_bits = -1; 83 options->login_grace_time = -1; 84 options->key_regeneration_time = -1; 85 options->permit_root_login = PERMIT_NOT_SET; 86 options->ignore_rhosts = -1; 87 options->ignore_user_known_hosts = -1; 88 options->print_motd = -1; 89 options->print_lastlog = -1; 90 options->x11_forwarding = -1; 91 options->x11_display_offset = -1; 92 options->x11_use_localhost = -1; 93 options->xauth_location = NULL; 94 options->strict_modes = -1; 95 options->keepalives = -1; 96 options->log_facility = SYSLOG_FACILITY_NOT_SET; 97 options->log_level = SYSLOG_LEVEL_NOT_SET; 98 options->rhosts_authentication = -1; 99 options->rhosts_rsa_authentication = -1; 100 options->hostbased_authentication = -1; 101 options->hostbased_uses_name_from_packet_only = -1; 102 options->rsa_authentication = -1; 103 options->pubkey_authentication = -1; 104 #ifdef GSSAPI 105 options->gss_authentication = -1; 106 options->gss_keyex = -1; 107 options->gss_store_creds = -1; 108 options->gss_use_session_ccache = -1; 109 options->gss_cleanup_creds = -1; 110 #endif 111 #if defined(KRB4) || defined(KRB5) 112 options->kerberos_authentication = -1; 113 options->kerberos_or_local_passwd = -1; 114 options->kerberos_ticket_cleanup = -1; 115 #endif 116 #if defined(AFS) || defined(KRB5) 117 options->kerberos_tgt_passing = -1; 118 #endif 119 #ifdef AFS 120 options->afs_token_passing = -1; 121 #endif 122 options->password_authentication = -1; 123 options->kbd_interactive_authentication = -1; 124 options->challenge_response_authentication = -1; 125 options->permit_empty_passwd = -1; 126 options->permit_user_env = -1; 127 options->compression = -1; 128 options->allow_tcp_forwarding = -1; 129 options->num_allow_users = 0; 130 options->num_deny_users = 0; 131 options->num_allow_groups = 0; 132 options->num_deny_groups = 0; 133 options->ciphers = NULL; 134 options->macs = NULL; 135 options->protocol = SSH_PROTO_UNKNOWN; 136 options->gateway_ports = -1; 137 options->num_subsystems = 0; 138 options->max_startups_begin = -1; 139 options->max_startups_rate = -1; 140 options->max_startups = -1; 141 options->banner = NULL; 142 options->verify_reverse_mapping = -1; 143 options->client_alive_interval = -1; 144 options->client_alive_count_max = -1; 145 options->authorized_keys_file = NULL; 146 options->authorized_keys_file2 = NULL; 147 148 options->max_auth_tries = -1; 149 options->max_auth_tries_log = -1; 150 151 options->max_init_auth_tries = -1; 152 options->max_init_auth_tries_log = -1; 153 154 options->lookup_client_hostnames = -1; 155 options->use_openssl_engine = -1; 156 options->chroot_directory = NULL; 157 } 158 159 #ifdef HAVE_DEFOPEN 160 /* 161 * Reads /etc/default/login and defaults several ServerOptions: 162 * 163 * PermitRootLogin 164 * PermitEmptyPasswords 165 * LoginGraceTime 166 * 167 * CONSOLE=* -> PermitRootLogin=without-password 168 * #CONSOLE=* -> PermitRootLogin=yes 169 * 170 * PASSREQ=YES -> PermitEmptyPasswords=no 171 * PASSREQ=NO -> PermitEmptyPasswords=yes 172 * #PASSREQ=* -> PermitEmptyPasswords=no 173 * 174 * TIMEOUT=<secs> -> LoginGraceTime=<secs> 175 * #TIMEOUT=<secs> -> LoginGraceTime=300 176 */ 177 static 178 void 179 deflt_fill_default_server_options(ServerOptions *options) 180 { 181 int flags; 182 char *ptr; 183 184 if (defopen(_PATH_DEFAULT_LOGIN)) 185 return; 186 187 /* Ignore case */ 188 flags = defcntl(DC_GETFLAGS, 0); 189 TURNOFF(flags, DC_CASE); 190 (void) defcntl(DC_SETFLAGS, flags); 191 192 if (options->permit_root_login == PERMIT_NOT_SET && 193 (ptr = defread("CONSOLE=")) != NULL) 194 options->permit_root_login = PERMIT_NO_PASSWD; 195 196 if (options->permit_empty_passwd == -1 && 197 (ptr = defread("PASSREQ=")) != NULL) { 198 if (strcasecmp("YES", ptr) == 0) 199 options->permit_empty_passwd = 0; 200 else if (strcasecmp("NO", ptr) == 0) 201 options->permit_empty_passwd = 1; 202 } 203 204 if (options->max_init_auth_tries == -1 && 205 (ptr = defread("RETRIES=")) != NULL) { 206 options->max_init_auth_tries = atoi(ptr); 207 } 208 209 if (options->max_init_auth_tries_log == -1 && 210 (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) { 211 options->max_init_auth_tries_log = atoi(ptr); 212 } 213 214 if (options->login_grace_time == -1) { 215 if ((ptr = defread("TIMEOUT=")) != NULL) 216 options->login_grace_time = (unsigned)atoi(ptr); 217 else 218 options->login_grace_time = 300; 219 } 220 221 (void) defopen((char *)NULL); 222 } 223 #endif /* HAVE_DEFOPEN */ 224 225 void 226 fill_default_server_options(ServerOptions *options) 227 { 228 229 #ifdef HAVE_DEFOPEN 230 deflt_fill_default_server_options(options); 231 #endif /* HAVE_DEFOPEN */ 232 233 /* Portable-specific options */ 234 if (options->pam_authentication_via_kbd_int == -1) 235 options->pam_authentication_via_kbd_int = 0; 236 237 /* Standard Options */ 238 if (options->protocol == SSH_PROTO_UNKNOWN) 239 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 240 if (options->num_host_key_files == 0) { 241 /* fill default hostkeys for protocols */ 242 if (options->protocol & SSH_PROTO_1) 243 options->host_key_files[options->num_host_key_files++] = 244 _PATH_HOST_KEY_FILE; 245 #ifndef GSSAPI 246 /* With GSS keyex we can run v2 w/ no host keys */ 247 if (options->protocol & SSH_PROTO_2) { 248 options->host_key_files[options->num_host_key_files++] = 249 _PATH_HOST_RSA_KEY_FILE; 250 options->host_key_files[options->num_host_key_files++] = 251 _PATH_HOST_DSA_KEY_FILE; 252 } 253 #endif /* GSSAPI */ 254 } 255 if (options->num_ports == 0) 256 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 257 if (options->listen_addrs == NULL) 258 add_listen_addr(options, NULL, 0); 259 if (options->pid_file == NULL) 260 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 261 if (options->server_key_bits == -1) 262 options->server_key_bits = 768; 263 if (options->login_grace_time == -1) 264 options->login_grace_time = 120; 265 if (options->key_regeneration_time == -1) 266 options->key_regeneration_time = 3600; 267 if (options->permit_root_login == PERMIT_NOT_SET) 268 options->permit_root_login = PERMIT_YES; 269 if (options->ignore_rhosts == -1) 270 options->ignore_rhosts = 1; 271 if (options->ignore_user_known_hosts == -1) 272 options->ignore_user_known_hosts = 0; 273 if (options->print_motd == -1) 274 options->print_motd = 1; 275 if (options->print_lastlog == -1) 276 options->print_lastlog = 1; 277 if (options->x11_forwarding == -1) 278 options->x11_forwarding = 1; 279 if (options->x11_display_offset == -1) 280 options->x11_display_offset = 10; 281 if (options->x11_use_localhost == -1) 282 options->x11_use_localhost = 1; 283 if (options->xauth_location == NULL) 284 options->xauth_location = _PATH_XAUTH; 285 if (options->strict_modes == -1) 286 options->strict_modes = 1; 287 if (options->keepalives == -1) 288 options->keepalives = 1; 289 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 290 options->log_facility = SYSLOG_FACILITY_AUTH; 291 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 292 options->log_level = SYSLOG_LEVEL_INFO; 293 if (options->rhosts_authentication == -1) 294 options->rhosts_authentication = 0; 295 if (options->rhosts_rsa_authentication == -1) 296 options->rhosts_rsa_authentication = 0; 297 if (options->hostbased_authentication == -1) 298 options->hostbased_authentication = 0; 299 if (options->hostbased_uses_name_from_packet_only == -1) 300 options->hostbased_uses_name_from_packet_only = 0; 301 if (options->rsa_authentication == -1) 302 options->rsa_authentication = 1; 303 if (options->pubkey_authentication == -1) 304 options->pubkey_authentication = 1; 305 #ifdef GSSAPI 306 if (options->gss_authentication == -1) 307 options->gss_authentication = 1; 308 if (options->gss_keyex == -1) 309 options->gss_keyex = 1; 310 if (options->gss_store_creds == -1) 311 options->gss_store_creds = 1; 312 if (options->gss_use_session_ccache == -1) 313 options->gss_use_session_ccache = 1; 314 if (options->gss_cleanup_creds == -1) 315 options->gss_cleanup_creds = 1; 316 #endif 317 #if defined(KRB4) || defined(KRB5) 318 if (options->kerberos_authentication == -1) 319 options->kerberos_authentication = 0; 320 if (options->kerberos_or_local_passwd == -1) 321 options->kerberos_or_local_passwd = 1; 322 if (options->kerberos_ticket_cleanup == -1) 323 options->kerberos_ticket_cleanup = 1; 324 #endif 325 #if defined(AFS) || defined(KRB5) 326 if (options->kerberos_tgt_passing == -1) 327 options->kerberos_tgt_passing = 0; 328 #endif 329 #ifdef AFS 330 if (options->afs_token_passing == -1) 331 options->afs_token_passing = 0; 332 #endif 333 if (options->password_authentication == -1) 334 options->password_authentication = 1; 335 if (options->kbd_interactive_authentication == -1) 336 options->kbd_interactive_authentication = 0; 337 if (options->challenge_response_authentication == -1) 338 options->challenge_response_authentication = 1; 339 if (options->permit_empty_passwd == -1) 340 options->permit_empty_passwd = 0; 341 if (options->permit_user_env == -1) 342 options->permit_user_env = 0; 343 if (options->compression == -1) 344 options->compression = 1; 345 if (options->allow_tcp_forwarding == -1) 346 options->allow_tcp_forwarding = 1; 347 if (options->gateway_ports == -1) 348 options->gateway_ports = 0; 349 if (options->max_startups == -1) 350 options->max_startups = 10; 351 if (options->max_startups_rate == -1) 352 options->max_startups_rate = 100; /* 100% */ 353 if (options->max_startups_begin == -1) 354 options->max_startups_begin = options->max_startups; 355 if (options->verify_reverse_mapping == -1) 356 options->verify_reverse_mapping = 0; 357 if (options->client_alive_interval == -1) 358 options->client_alive_interval = 0; 359 if (options->client_alive_count_max == -1) 360 options->client_alive_count_max = 3; 361 if (options->authorized_keys_file2 == NULL) { 362 /* authorized_keys_file2 falls back to authorized_keys_file */ 363 if (options->authorized_keys_file != NULL) 364 options->authorized_keys_file2 = options->authorized_keys_file; 365 else 366 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 367 } 368 if (options->authorized_keys_file == NULL) 369 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 370 371 if (options->max_auth_tries == -1) 372 options->max_auth_tries = AUTH_FAIL_MAX; 373 if (options->max_auth_tries_log == -1) 374 options->max_auth_tries_log = options->max_auth_tries / 2; 375 376 if (options->max_init_auth_tries == -1) 377 options->max_init_auth_tries = AUTH_FAIL_MAX; 378 if (options->max_init_auth_tries_log == -1) 379 options->max_init_auth_tries_log = options->max_init_auth_tries / 2; 380 381 if (options->lookup_client_hostnames == -1) 382 options->lookup_client_hostnames = 1; 383 if (options->use_openssl_engine == -1) 384 options->use_openssl_engine = 1; 385 } 386 387 /* Keyword tokens. */ 388 typedef enum { 389 sBadOption, /* == unknown option */ 390 /* Portable-specific options */ 391 sPAMAuthenticationViaKbdInt, 392 /* Standard Options */ 393 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 394 sPermitRootLogin, sLogFacility, sLogLevel, 395 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 396 #ifdef GSSAPI 397 sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds, 398 sGssUseSessionCredCache, sGssCleanupCreds, 399 #endif /* GSSAPI */ 400 #if defined(KRB4) || defined(KRB5) 401 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 402 #endif 403 #if defined(AFS) || defined(KRB5) 404 sKerberosTgtPassing, 405 #endif 406 #ifdef AFS 407 sAFSTokenPassing, 408 #endif 409 sChallengeResponseAuthentication, 410 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 411 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 412 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 413 sStrictModes, sEmptyPasswd, sKeepAlives, 414 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 415 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 416 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 417 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 418 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 419 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 420 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 421 sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation, 422 sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory, 423 sMatch, 424 sDeprecated 425 } ServerOpCodes; 426 427 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 428 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 429 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 430 431 /* Textual representation of the tokens. */ 432 static struct { 433 const char *name; 434 ServerOpCodes opcode; 435 u_int flags; 436 } keywords[] = { 437 /* Portable-specific options */ 438 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL }, 439 /* Standard Options */ 440 { "port", sPort, SSHCFG_GLOBAL }, 441 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 442 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 443 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 444 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 445 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 446 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 447 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 448 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 449 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 450 { "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL }, 451 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 452 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 453 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 454 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 455 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 456 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 457 #ifdef GSSAPI 458 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 459 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 460 { "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL }, 461 { "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL }, /* alias */ 462 { "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL }, /* alias */ 463 { "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL }, /* alias */ 464 #ifndef SUNW_GSSAPI 465 { "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 466 { "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 467 { "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, 468 #endif /* SUNW_GSSAPI */ 469 #endif 470 #if defined(KRB4) || defined(KRB5) 471 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 472 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 473 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 474 #endif 475 #if defined(AFS) || defined(KRB5) 476 { "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL }, 477 #endif 478 #ifdef AFS 479 { "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL }, 480 #endif 481 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 482 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 483 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 484 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 485 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 486 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 487 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 488 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 489 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 490 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 491 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 492 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 493 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 494 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 495 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 496 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 497 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 498 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 499 { "compression", sCompression, SSHCFG_GLOBAL }, 500 { "keepalive", sKeepAlives, SSHCFG_GLOBAL }, 501 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 502 { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, 503 { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, 504 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, 505 { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, 506 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 507 { "macs", sMacs, SSHCFG_GLOBAL}, 508 { "protocol", sProtocol,SSHCFG_GLOBAL }, 509 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 510 { "subsystem", sSubsystem, SSHCFG_GLOBAL}, 511 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 512 { "banner", sBanner, SSHCFG_ALL }, 513 { "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL }, 514 { "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL }, 515 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 516 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 517 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, 518 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, 519 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 520 { "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL }, 521 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, 522 { "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL }, 523 { "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL }, 524 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 525 { "match", sMatch, SSHCFG_ALL }, 526 527 { NULL, sBadOption, 0 } 528 }; 529 530 /* 531 * Returns the number of the token pointed to by cp or sBadOption. 532 */ 533 534 static ServerOpCodes 535 parse_token(const char *cp, const char *filename, 536 int linenum, u_int *flags) 537 { 538 u_int i; 539 540 for (i = 0; keywords[i].name; i++) 541 if (strcasecmp(cp, keywords[i].name) == 0) { 542 *flags = keywords[i].flags; 543 return keywords[i].opcode; 544 } 545 546 error("%s: line %d: Bad configuration option: %s", 547 filename, linenum, cp); 548 return sBadOption; 549 } 550 551 static void 552 add_listen_addr(ServerOptions *options, char *addr, u_short port) 553 { 554 int i; 555 556 if (options->num_ports == 0) 557 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 558 if (port == 0) 559 for (i = 0; i < options->num_ports; i++) 560 add_one_listen_addr(options, addr, options->ports[i]); 561 else 562 add_one_listen_addr(options, addr, port); 563 } 564 565 static void 566 add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 567 { 568 struct addrinfo hints, *ai, *aitop; 569 char strport[NI_MAXSERV]; 570 int gaierr; 571 572 (void) memset(&hints, 0, sizeof(hints)); 573 hints.ai_family = IPv4or6; 574 hints.ai_socktype = SOCK_STREAM; 575 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 576 (void) snprintf(strport, sizeof strport, "%u", port); 577 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 578 fatal("bad addr or host: %s (%s)", 579 addr ? addr : "<NULL>", 580 gai_strerror(gaierr)); 581 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 582 ; 583 ai->ai_next = options->listen_addrs; 584 options->listen_addrs = aitop; 585 } 586 587 /* 588 * The strategy for the Match blocks is that the config file is parsed twice. 589 * 590 * The first time is at startup. activep is initialized to 1 and the 591 * directives in the global context are processed and acted on. Hitting a 592 * Match directive unsets activep and the directives inside the block are 593 * checked for syntax only. 594 * 595 * The second time is after a connection has been established but before 596 * authentication. activep is initialized to 2 and global config directives 597 * are ignored since they have already been processed. If the criteria in a 598 * Match block is met, activep is set and the subsequent directives 599 * processed and actioned until EOF or another Match block unsets it. Any 600 * options set are copied into the main server config. 601 * 602 * Potential additions/improvements: 603 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 604 * 605 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 606 * Match Address 192.168.0.* 607 * Tag trusted 608 * Match Group wheel 609 * Tag trusted 610 * Match Tag trusted 611 * AllowTcpForwarding yes 612 * GatewayPorts clientspecified 613 * [...] 614 * 615 * - Add a PermittedChannelRequests directive 616 * Match Group shell 617 * PermittedChannelRequests session,forwarded-tcpip 618 */ 619 620 static int 621 match_cfg_line_group(const char *grps, int line, const char *user) 622 { 623 int result = 0; 624 struct passwd *pw; 625 626 if (user == NULL) 627 goto out; 628 629 if ((pw = getpwnam(user)) == NULL) { 630 debug("Can't match group at line %d because user %.100s does " 631 "not exist", line, user); 632 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 633 debug("Can't Match group because user %.100s not in any group " 634 "at line %d", user, line); 635 } else if (ga_match_pattern_list(grps) != 1) { 636 debug("user %.100s does not match group list %.100s at line %d", 637 user, grps, line); 638 } else { 639 debug("user %.100s matched group list %.100s at line %d", user, 640 grps, line); 641 result = 1; 642 } 643 out: 644 ga_free(); 645 return result; 646 } 647 648 static int 649 match_cfg_line(char **condition, int line, const char *user, const char *host, 650 const char *address) 651 { 652 int result = 1; 653 char *arg, *attrib, *cp = *condition; 654 size_t len; 655 656 if (user == NULL) 657 debug3("checking syntax for 'Match %s'", cp); 658 else 659 debug3("checking match for '%s' user %s host %s addr %s", cp, 660 user ? user : "(null)", host ? host : "(null)", 661 address ? address : "(null)"); 662 663 while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') { 664 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 665 error("Missing Match criteria for %s", attrib); 666 return -1; 667 } 668 len = strlen(arg); 669 if (strcasecmp(attrib, "user") == 0) { 670 if (!user) { 671 result = 0; 672 continue; 673 } 674 if (match_pattern_list(user, arg, len, 0) != 1) 675 result = 0; 676 else 677 debug("user %.100s matched 'User %.100s' at " 678 "line %d", user, arg, line); 679 } else if (strcasecmp(attrib, "group") == 0) { 680 switch (match_cfg_line_group(arg, line, user)) { 681 case -1: 682 return -1; 683 case 0: 684 result = 0; 685 } 686 } else if (strcasecmp(attrib, "host") == 0) { 687 if (!host) { 688 result = 0; 689 continue; 690 } 691 if (match_hostname(host, arg, len) != 1) 692 result = 0; 693 else 694 debug("connection from %.100s matched 'Host " 695 "%.100s' at line %d", host, arg, line); 696 } else if (strcasecmp(attrib, "address") == 0) { 697 switch (addr_match_list(address, arg)) { 698 case 1: 699 debug("connection from %.100s matched 'Address " 700 "%.100s' at line %d", address, arg, line); 701 break; 702 case 0: 703 case -1: 704 result = 0; 705 break; 706 case -2: 707 return -1; 708 } 709 } else { 710 error("Unsupported Match attribute %s", attrib); 711 return -1; 712 } 713 } 714 if (user != NULL) 715 debug3("match %sfound", result ? "" : "not "); 716 *condition = cp; 717 return result; 718 } 719 720 #define WHITESPACE " \t\r\n" 721 722 int 723 process_server_config_line(ServerOptions *options, char *line, 724 const char *filename, int linenum, int *activep, const char *user, 725 const char *host, const char *address) 726 { 727 char *cp, **charptr, *arg, *p; 728 int cmdline = 0, *intptr, value, n; 729 ServerOpCodes opcode; 730 u_int i, flags = 0; 731 size_t len; 732 733 cp = line; 734 arg = strdelim(&cp); 735 /* Ignore leading whitespace */ 736 if (*arg == '\0') 737 arg = strdelim(&cp); 738 if (!arg || !*arg || *arg == '#') 739 return 0; 740 intptr = NULL; 741 charptr = NULL; 742 opcode = parse_token(arg, filename, linenum, &flags); 743 744 if (activep == NULL) { /* We are processing a command line directive */ 745 cmdline = 1; 746 activep = &cmdline; 747 } 748 if (*activep && opcode != sMatch) 749 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 750 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 751 if (user == NULL) { 752 fatal("%s line %d: Directive '%s' is not allowed " 753 "within a Match block", filename, linenum, arg); 754 } else { /* this is a directive we have already processed */ 755 while (arg) 756 arg = strdelim(&cp); 757 return 0; 758 } 759 } 760 761 switch (opcode) { 762 /* Portable-specific options */ 763 case sPAMAuthenticationViaKbdInt: 764 intptr = &options->pam_authentication_via_kbd_int; 765 goto parse_flag; 766 767 /* Standard Options */ 768 case sBadOption: 769 return -1; 770 case sPort: 771 /* ignore ports from configfile if cmdline specifies ports */ 772 if (options->ports_from_cmdline) 773 return 0; 774 if (options->listen_addrs != NULL) 775 fatal("%s line %d: ports must be specified before " 776 "ListenAddress.", filename, linenum); 777 if (options->num_ports >= MAX_PORTS) 778 fatal("%s line %d: too many ports.", 779 filename, linenum); 780 arg = strdelim(&cp); 781 if (!arg || *arg == '\0') 782 fatal("%s line %d: missing port number.", 783 filename, linenum); 784 options->ports[options->num_ports++] = a2port(arg); 785 if (options->ports[options->num_ports-1] == 0) 786 fatal("%s line %d: Badly formatted port number.", 787 filename, linenum); 788 break; 789 790 case sServerKeyBits: 791 intptr = &options->server_key_bits; 792 parse_int: 793 arg = strdelim(&cp); 794 if (!arg || *arg == '\0') 795 fatal("%s line %d: missing integer value.", 796 filename, linenum); 797 value = atoi(arg); 798 if (*activep && *intptr == -1) 799 *intptr = value; 800 break; 801 802 case sLoginGraceTime: 803 intptr = &options->login_grace_time; 804 parse_time: 805 arg = strdelim(&cp); 806 if (!arg || *arg == '\0') 807 fatal("%s line %d: missing time value.", 808 filename, linenum); 809 if ((value = convtime(arg)) == -1) 810 fatal("%s line %d: invalid time value.", 811 filename, linenum); 812 if (*intptr == -1) 813 *intptr = value; 814 break; 815 816 case sKeyRegenerationTime: 817 intptr = &options->key_regeneration_time; 818 goto parse_time; 819 820 case sListenAddress: 821 arg = strdelim(&cp); 822 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 823 fatal("%s line %d: missing inet addr.", 824 filename, linenum); 825 if (*arg == '[') { 826 if ((p = strchr(arg, ']')) == NULL) 827 fatal("%s line %d: bad ipv6 inet addr usage.", 828 filename, linenum); 829 arg++; 830 (void) memmove(p, p+1, strlen(p+1)+1); 831 } else if (((p = strchr(arg, ':')) == NULL) || 832 (strchr(p+1, ':') != NULL)) { 833 add_listen_addr(options, arg, 0); 834 break; 835 } 836 if (*p == ':') { 837 u_short port; 838 839 p++; 840 if (*p == '\0') 841 fatal("%s line %d: bad inet addr:port usage.", 842 filename, linenum); 843 else { 844 *(p-1) = '\0'; 845 if ((port = a2port(p)) == 0) 846 fatal("%s line %d: bad port number.", 847 filename, linenum); 848 add_listen_addr(options, arg, port); 849 } 850 } else if (*p == '\0') 851 add_listen_addr(options, arg, 0); 852 else 853 fatal("%s line %d: bad inet addr usage.", 854 filename, linenum); 855 break; 856 857 case sHostKeyFile: 858 intptr = &options->num_host_key_files; 859 if (*intptr >= MAX_HOSTKEYS) 860 fatal("%s line %d: too many host keys specified (max %d).", 861 filename, linenum, MAX_HOSTKEYS); 862 charptr = &options->host_key_files[*intptr]; 863 parse_filename: 864 arg = strdelim(&cp); 865 if (!arg || *arg == '\0') 866 fatal("%s line %d: missing file name.", 867 filename, linenum); 868 if (*activep && *charptr == NULL) { 869 *charptr = tilde_expand_filename(arg, getuid()); 870 /* increase optional counter */ 871 if (intptr != NULL) 872 *intptr = *intptr + 1; 873 } 874 break; 875 876 case sPidFile: 877 charptr = &options->pid_file; 878 goto parse_filename; 879 880 case sPermitRootLogin: 881 intptr = &options->permit_root_login; 882 arg = strdelim(&cp); 883 if (!arg || *arg == '\0') 884 fatal("%s line %d: missing yes/" 885 "without-password/forced-commands-only/no " 886 "argument.", filename, linenum); 887 value = 0; /* silence compiler */ 888 if (strcmp(arg, "without-password") == 0) 889 value = PERMIT_NO_PASSWD; 890 else if (strcmp(arg, "forced-commands-only") == 0) 891 value = PERMIT_FORCED_ONLY; 892 else if (strcmp(arg, "yes") == 0) 893 value = PERMIT_YES; 894 else if (strcmp(arg, "no") == 0) 895 value = PERMIT_NO; 896 else 897 fatal("%s line %d: Bad yes/" 898 "without-password/forced-commands-only/no " 899 "argument: %s", filename, linenum, arg); 900 if (*activep && *intptr == -1) 901 *intptr = value; 902 break; 903 904 case sIgnoreRhosts: 905 intptr = &options->ignore_rhosts; 906 parse_flag: 907 arg = strdelim(&cp); 908 if (!arg || *arg == '\0') 909 fatal("%s line %d: missing yes/no argument.", 910 filename, linenum); 911 value = 0; /* silence compiler */ 912 if (strcmp(arg, "yes") == 0) 913 value = 1; 914 else if (strcmp(arg, "no") == 0) 915 value = 0; 916 else 917 fatal("%s line %d: Bad yes/no argument: %s", 918 filename, linenum, arg); 919 if (*activep && *intptr == -1) 920 *intptr = value; 921 break; 922 923 case sIgnoreUserKnownHosts: 924 intptr = &options->ignore_user_known_hosts; 925 goto parse_flag; 926 927 case sRhostsAuthentication: 928 intptr = &options->rhosts_authentication; 929 goto parse_flag; 930 931 case sRhostsRSAAuthentication: 932 intptr = &options->rhosts_rsa_authentication; 933 goto parse_flag; 934 935 case sHostbasedAuthentication: 936 intptr = &options->hostbased_authentication; 937 goto parse_flag; 938 939 case sHostbasedUsesNameFromPacketOnly: 940 intptr = &options->hostbased_uses_name_from_packet_only; 941 goto parse_flag; 942 943 case sRSAAuthentication: 944 intptr = &options->rsa_authentication; 945 goto parse_flag; 946 947 case sPubkeyAuthentication: 948 intptr = &options->pubkey_authentication; 949 goto parse_flag; 950 #ifdef GSSAPI 951 case sGssAuthentication: 952 intptr = &options->gss_authentication; 953 goto parse_flag; 954 case sGssKeyEx: 955 intptr = &options->gss_keyex; 956 goto parse_flag; 957 case sGssStoreDelegCreds: 958 intptr = &options->gss_keyex; 959 goto parse_flag; 960 #ifndef SUNW_GSSAPI 961 case sGssUseSessionCredCache: 962 intptr = &options->gss_use_session_ccache; 963 goto parse_flag; 964 case sGssCleanupCreds: 965 intptr = &options->gss_cleanup_creds; 966 goto parse_flag; 967 #endif /* SUNW_GSSAPI */ 968 #endif /* GSSAPI */ 969 #if defined(KRB4) || defined(KRB5) 970 case sKerberosAuthentication: 971 intptr = &options->kerberos_authentication; 972 goto parse_flag; 973 974 case sKerberosOrLocalPasswd: 975 intptr = &options->kerberos_or_local_passwd; 976 goto parse_flag; 977 978 case sKerberosTicketCleanup: 979 intptr = &options->kerberos_ticket_cleanup; 980 goto parse_flag; 981 #endif 982 #if defined(AFS) || defined(KRB5) 983 case sKerberosTgtPassing: 984 intptr = &options->kerberos_tgt_passing; 985 goto parse_flag; 986 #endif 987 #ifdef AFS 988 case sAFSTokenPassing: 989 intptr = &options->afs_token_passing; 990 goto parse_flag; 991 #endif 992 993 case sPasswordAuthentication: 994 intptr = &options->password_authentication; 995 goto parse_flag; 996 997 case sKbdInteractiveAuthentication: 998 intptr = &options->kbd_interactive_authentication; 999 goto parse_flag; 1000 1001 case sChallengeResponseAuthentication: 1002 intptr = &options->challenge_response_authentication; 1003 goto parse_flag; 1004 1005 case sPrintMotd: 1006 intptr = &options->print_motd; 1007 goto parse_flag; 1008 1009 case sPrintLastLog: 1010 intptr = &options->print_lastlog; 1011 goto parse_flag; 1012 1013 case sX11Forwarding: 1014 intptr = &options->x11_forwarding; 1015 goto parse_flag; 1016 1017 case sX11DisplayOffset: 1018 intptr = &options->x11_display_offset; 1019 goto parse_int; 1020 1021 case sX11UseLocalhost: 1022 intptr = &options->x11_use_localhost; 1023 goto parse_flag; 1024 1025 case sXAuthLocation: 1026 charptr = &options->xauth_location; 1027 goto parse_filename; 1028 1029 case sStrictModes: 1030 intptr = &options->strict_modes; 1031 goto parse_flag; 1032 1033 case sKeepAlives: 1034 intptr = &options->keepalives; 1035 goto parse_flag; 1036 1037 case sEmptyPasswd: 1038 intptr = &options->permit_empty_passwd; 1039 goto parse_flag; 1040 1041 case sPermitUserEnvironment: 1042 intptr = &options->permit_user_env; 1043 goto parse_flag; 1044 1045 case sUseLogin: 1046 log("%s line %d: ignoring UseLogin option value." 1047 " This option is always off.", filename, linenum); 1048 while (arg) 1049 arg = strdelim(&cp); 1050 break; 1051 1052 case sCompression: 1053 intptr = &options->compression; 1054 goto parse_flag; 1055 1056 case sGatewayPorts: 1057 intptr = &options->gateway_ports; 1058 arg = strdelim(&cp); 1059 if (!arg || *arg == '\0') 1060 fatal("%s line %d: missing yes/no/clientspecified " 1061 "argument.", filename, linenum); 1062 value = 0; /* silence compiler */ 1063 if (strcmp(arg, "clientspecified") == 0) 1064 value = 2; 1065 else if (strcmp(arg, "yes") == 0) 1066 value = 1; 1067 else if (strcmp(arg, "no") == 0) 1068 value = 0; 1069 else 1070 fatal("%s line %d: Bad yes/no/clientspecified " 1071 "argument: %s", filename, linenum, arg); 1072 if (*activep && *intptr == -1) 1073 *intptr = value; 1074 break; 1075 1076 case sVerifyReverseMapping: 1077 intptr = &options->verify_reverse_mapping; 1078 goto parse_flag; 1079 1080 case sLogFacility: 1081 intptr = (int *) &options->log_facility; 1082 arg = strdelim(&cp); 1083 value = log_facility_number(arg); 1084 if (value == SYSLOG_FACILITY_NOT_SET) 1085 fatal("%.200s line %d: unsupported log facility '%s'", 1086 filename, linenum, arg ? arg : "<NONE>"); 1087 if (*intptr == -1) 1088 *intptr = (SyslogFacility) value; 1089 break; 1090 1091 case sLogLevel: 1092 intptr = (int *) &options->log_level; 1093 arg = strdelim(&cp); 1094 value = log_level_number(arg); 1095 if (value == SYSLOG_LEVEL_NOT_SET) 1096 fatal("%.200s line %d: unsupported log level '%s'", 1097 filename, linenum, arg ? arg : "<NONE>"); 1098 if (*intptr == -1) 1099 *intptr = (LogLevel) value; 1100 break; 1101 1102 case sAllowTcpForwarding: 1103 intptr = &options->allow_tcp_forwarding; 1104 goto parse_flag; 1105 1106 case sUsePrivilegeSeparation: 1107 log("%s line %d: ignoring UsePrivilegeSeparation option value." 1108 " This option is always on.", filename, linenum); 1109 while (arg) 1110 arg = strdelim(&cp); 1111 break; 1112 1113 case sAllowUsers: 1114 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1115 if (options->num_allow_users >= MAX_ALLOW_USERS) 1116 fatal("%s line %d: too many allow users.", 1117 filename, linenum); 1118 options->allow_users[options->num_allow_users++] = 1119 xstrdup(arg); 1120 } 1121 break; 1122 1123 case sDenyUsers: 1124 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1125 if (options->num_deny_users >= MAX_DENY_USERS) 1126 fatal( "%s line %d: too many deny users.", 1127 filename, linenum); 1128 options->deny_users[options->num_deny_users++] = 1129 xstrdup(arg); 1130 } 1131 break; 1132 1133 case sAllowGroups: 1134 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1135 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1136 fatal("%s line %d: too many allow groups.", 1137 filename, linenum); 1138 options->allow_groups[options->num_allow_groups++] = 1139 xstrdup(arg); 1140 } 1141 break; 1142 1143 case sDenyGroups: 1144 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1145 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1146 fatal("%s line %d: too many deny groups.", 1147 filename, linenum); 1148 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1149 } 1150 break; 1151 1152 case sCiphers: 1153 arg = strdelim(&cp); 1154 if (!arg || *arg == '\0') 1155 fatal("%s line %d: Missing argument.", filename, linenum); 1156 if (!ciphers_valid(arg)) 1157 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1158 filename, linenum, arg ? arg : "<NONE>"); 1159 if (options->ciphers == NULL) 1160 options->ciphers = xstrdup(arg); 1161 break; 1162 1163 case sMacs: 1164 arg = strdelim(&cp); 1165 if (!arg || *arg == '\0') 1166 fatal("%s line %d: Missing argument.", filename, linenum); 1167 if (!mac_valid(arg)) 1168 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1169 filename, linenum, arg ? arg : "<NONE>"); 1170 if (options->macs == NULL) 1171 options->macs = xstrdup(arg); 1172 break; 1173 1174 case sProtocol: 1175 intptr = &options->protocol; 1176 arg = strdelim(&cp); 1177 if (!arg || *arg == '\0') 1178 fatal("%s line %d: Missing argument.", filename, linenum); 1179 value = proto_spec(arg); 1180 if (value == SSH_PROTO_UNKNOWN) 1181 fatal("%s line %d: Bad protocol spec '%s'.", 1182 filename, linenum, arg ? arg : "<NONE>"); 1183 if (*intptr == SSH_PROTO_UNKNOWN) 1184 *intptr = value; 1185 break; 1186 1187 case sSubsystem: 1188 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1189 fatal("%s line %d: too many subsystems defined.", 1190 filename, linenum); 1191 } 1192 arg = strdelim(&cp); 1193 if (!arg || *arg == '\0') 1194 fatal("%s line %d: Missing subsystem name.", 1195 filename, linenum); 1196 if (!*activep) { 1197 arg = strdelim(&cp); 1198 break; 1199 } 1200 for (i = 0; i < options->num_subsystems; i++) 1201 if (strcmp(arg, options->subsystem_name[i]) == 0) 1202 fatal("%s line %d: Subsystem '%s' already defined.", 1203 filename, linenum, arg); 1204 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1205 arg = strdelim(&cp); 1206 if (!arg || *arg == '\0') 1207 fatal("%s line %d: Missing subsystem command.", 1208 filename, linenum); 1209 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1210 1211 /* 1212 * Collect arguments (separate to executable), including the 1213 * name of the executable, in a way that is easier to parse 1214 * later. 1215 */ 1216 p = xstrdup(arg); 1217 len = strlen(p) + 1; 1218 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1219 len += 1 + strlen(arg); 1220 p = xrealloc(p, len); 1221 strlcat(p, " ", len); 1222 strlcat(p, arg, len); 1223 } 1224 options->subsystem_args[options->num_subsystems] = p; 1225 options->num_subsystems++; 1226 break; 1227 1228 case sMaxStartups: 1229 arg = strdelim(&cp); 1230 if (!arg || *arg == '\0') 1231 fatal("%s line %d: Missing MaxStartups spec.", 1232 filename, linenum); 1233 if ((n = sscanf(arg, "%d:%d:%d", 1234 &options->max_startups_begin, 1235 &options->max_startups_rate, 1236 &options->max_startups)) == 3) { 1237 if (options->max_startups_begin > 1238 options->max_startups || 1239 options->max_startups_rate > 100 || 1240 options->max_startups_rate < 1) 1241 fatal("%s line %d: Illegal MaxStartups spec.", 1242 filename, linenum); 1243 } else if (n != 1) 1244 fatal("%s line %d: Illegal MaxStartups spec.", 1245 filename, linenum); 1246 else 1247 options->max_startups = options->max_startups_begin; 1248 break; 1249 1250 case sBanner: 1251 charptr = &options->banner; 1252 goto parse_filename; 1253 /* 1254 * These options can contain %X options expanded at 1255 * connect time, so that you can specify paths like: 1256 * 1257 * AuthorizedKeysFile /etc/ssh_keys/%u 1258 */ 1259 case sAuthorizedKeysFile: 1260 case sAuthorizedKeysFile2: 1261 charptr = (opcode == sAuthorizedKeysFile) ? 1262 &options->authorized_keys_file : 1263 &options->authorized_keys_file2; 1264 goto parse_filename; 1265 1266 case sClientAliveInterval: 1267 intptr = &options->client_alive_interval; 1268 goto parse_time; 1269 1270 case sClientAliveCountMax: 1271 intptr = &options->client_alive_count_max; 1272 goto parse_int; 1273 1274 case sMaxAuthTries: 1275 intptr = &options->max_auth_tries; 1276 goto parse_int; 1277 1278 case sMaxAuthTriesLog: 1279 intptr = &options->max_auth_tries_log; 1280 goto parse_int; 1281 1282 case sLookupClientHostnames: 1283 intptr = &options->lookup_client_hostnames; 1284 goto parse_flag; 1285 1286 case sUseOpenSSLEngine: 1287 intptr = &options->use_openssl_engine; 1288 goto parse_flag; 1289 1290 case sChrootDirectory: 1291 charptr = &options->chroot_directory; 1292 1293 arg = strdelim(&cp); 1294 if (arg == NULL || *arg == '\0') 1295 fatal("%s line %d: missing directory name for " 1296 "ChrootDirectory.", filename, linenum); 1297 if (*activep && *charptr == NULL) 1298 *charptr = xstrdup(arg); 1299 break; 1300 1301 case sMatch: 1302 if (cmdline) 1303 fatal("Match directive not supported as a command-line " 1304 "option"); 1305 value = match_cfg_line(&cp, linenum, user, host, address); 1306 if (value < 0) 1307 fatal("%s line %d: Bad Match condition", filename, 1308 linenum); 1309 *activep = value; 1310 break; 1311 1312 case sDeprecated: 1313 log("%s line %d: Deprecated option %s", 1314 filename, linenum, arg); 1315 while (arg) 1316 arg = strdelim(&cp); 1317 break; 1318 1319 default: 1320 fatal("%s line %d: Missing handler for opcode %s (%d)", 1321 filename, linenum, arg, opcode); 1322 } 1323 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1324 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1325 filename, linenum, arg); 1326 return 0; 1327 } 1328 1329 1330 /* Reads the server configuration file. */ 1331 1332 void 1333 load_server_config(const char *filename, Buffer *conf) 1334 { 1335 char line[1024], *cp; 1336 FILE *f; 1337 1338 debug2("%s: filename %s", __func__, filename); 1339 if ((f = fopen(filename, "r")) == NULL) { 1340 perror(filename); 1341 exit(1); 1342 } 1343 buffer_clear(conf); 1344 while (fgets(line, sizeof(line), f)) { 1345 /* 1346 * Trim out comments and strip whitespace 1347 * NB - preserve newlines, they are needed to reproduce 1348 * line numbers later for error messages 1349 */ 1350 if ((cp = strchr(line, '#')) != NULL) 1351 memcpy(cp, "\n", 2); 1352 cp = line + strspn(line, " \t\r"); 1353 1354 buffer_append(conf, cp, strlen(cp)); 1355 } 1356 buffer_append(conf, "\0", 1); 1357 fclose(f); 1358 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1359 } 1360 1361 void 1362 parse_server_match_config(ServerOptions *options, const char *user, 1363 const char *host, const char *address) 1364 { 1365 ServerOptions mo; 1366 1367 initialize_server_options(&mo); 1368 parse_server_config(&mo, "reprocess config", &cfg, user, host, address); 1369 copy_set_server_options(options, &mo, 0); 1370 } 1371 1372 1373 1374 /* Helper macros */ 1375 #define M_CP_INTOPT(n) do {\ 1376 if (src->n != -1) \ 1377 dst->n = src->n; \ 1378 } while (0) 1379 #define M_CP_STROPT(n) do {\ 1380 if (src->n != NULL) { \ 1381 if (dst->n != NULL) \ 1382 xfree(dst->n); \ 1383 dst->n = src->n; \ 1384 } \ 1385 } while(0) 1386 1387 /* 1388 * Copy any supported values that are set. 1389 * 1390 * If the preauth flag is set, we do not bother copying the the string or 1391 * array values that are not used pre-authentication, because any that we 1392 * do use must be explictly sent in mm_getpwnamallow(). 1393 */ 1394 void 1395 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1396 { 1397 M_CP_INTOPT(password_authentication); 1398 M_CP_INTOPT(gss_authentication); 1399 M_CP_INTOPT(rsa_authentication); 1400 M_CP_INTOPT(pubkey_authentication); 1401 M_CP_INTOPT(hostbased_authentication); 1402 M_CP_INTOPT(kbd_interactive_authentication); 1403 M_CP_INTOPT(permit_root_login); 1404 M_CP_INTOPT(permit_empty_passwd); 1405 M_CP_INTOPT(allow_tcp_forwarding); 1406 M_CP_INTOPT(gateway_ports); 1407 M_CP_INTOPT(x11_display_offset); 1408 M_CP_INTOPT(x11_forwarding); 1409 M_CP_INTOPT(x11_use_localhost); 1410 M_CP_INTOPT(max_auth_tries); 1411 M_CP_STROPT(banner); 1412 1413 if (preauth) 1414 return; 1415 M_CP_STROPT(chroot_directory); 1416 } 1417 1418 #undef M_CP_INTOPT 1419 #undef M_CP_STROPT 1420 1421 void 1422 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1423 const char *user, const char *host, const char *address) 1424 { 1425 int active, linenum, bad_options = 0; 1426 char *cp, *obuf, *cbuf; 1427 1428 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1429 1430 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1431 active = user ? 0 : 1; 1432 linenum = 1; 1433 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1434 if (process_server_config_line(options, cp, filename, 1435 linenum++, &active, user, host, address) != 0) 1436 bad_options++; 1437 } 1438 xfree(obuf); 1439 if (bad_options > 0) 1440 fatal("%s: terminating, %d bad configuration options", 1441 filename, bad_options); 1442 } 1443 1444 1445 /* 1446 * Note that "none" is a special path having the same affect on sshd 1447 * configuration as not specifying ChrootDirectory at all. 1448 */ 1449 int 1450 chroot_requested(char *chroot_directory) 1451 { 1452 return (chroot_directory != NULL && 1453 strcasecmp(chroot_directory, "none") != 0); 1454 } 1455