1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 13 * Copyright 2013 Joyent, Inc. All rights reserved. 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 18 19 #ifdef HAVE_DEFOPEN 20 #include <deflt.h> 21 #endif /* HAVE_DEFOPEN */ 22 23 #if defined(KRB4) 24 #include <krb.h> 25 #endif 26 #if defined(KRB5) 27 #ifdef HEIMDAL 28 #include <krb.h> 29 #else 30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 31 * keytab */ 32 #define KEYFILE "/etc/krb5.keytab" 33 #endif 34 #endif 35 #ifdef AFS 36 #include <kafs.h> 37 #endif 38 39 #include "ssh.h" 40 #include "log.h" 41 #include "buffer.h" 42 #include "servconf.h" 43 #include "xmalloc.h" 44 #include "compat.h" 45 #include "pathnames.h" 46 #include "tildexpand.h" 47 #include "misc.h" 48 #include "cipher.h" 49 #include "kex.h" 50 #include "mac.h" 51 #include "auth.h" 52 #include "match.h" 53 #include "groupaccess.h" 54 55 static void add_listen_addr(ServerOptions *, char *, u_short); 56 static void add_one_listen_addr(ServerOptions *, char *, u_short); 57 58 extern Buffer cfg; 59 60 /* AF_UNSPEC or AF_INET or AF_INET6 */ 61 extern int IPv4or6; 62 63 /* 64 * Initializes the server options to their initial (unset) values. Some of those 65 * that stay unset after the command line options and configuration files are 66 * read are set to their default values in fill_default_server_options(). 
*/
void
initialize_server_options(ServerOptions *options)
{
	/*
	 * Zero the whole structure first, so that any field that has no
	 * explicit line below still starts out as all-zero bytes.
	 */
	(void) memset(options, 0, sizeof(*options));

	/*
	 * Standard Options.  -1, NULL and the *_NOT_SET enumerators mean
	 * "not configured"; fill_default_server_options() replaces whatever
	 * is still unset after the command line and sshd_config were read.
	 */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#ifdef GSSAPI
	options->gss_authentication = -1;
	options->gss_keyex = -1;
	options->gss_store_creds = -1;
	options->gss_use_session_ccache = -1;
	options->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	/* Deprecated directive; see the sPAMAuthenticationViaKbdInt case. */
	options->pam_authentication_via_kbd_int = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	options->max_auth_tries = -1;
	options->max_auth_tries_log = -1;

	options->max_init_auth_tries = -1;
	options->max_init_auth_tries_log = -1;

	options->lookup_client_hostnames = -1;
	options->use_openssl_engine = -1;
	options->chroot_directory = NULL;
	options->pre_userauth_hook = NULL;
	options->pam_service_name = NULL;
	options->pam_service_prefix = NULL;
}

#ifdef HAVE_DEFOPEN
/*
 * Reads /etc/default/login and defaults several ServerOptions, but only
 * those still unset (-1 / PERMIT_NOT_SET) after the command line and
 * sshd_config were read:
 *
 * PermitRootLogin
 * PermitEmptyPasswords
 * LoginGraceTime
 * max_init_auth_tries / max_init_auth_tries_log
 *
 * CONSOLE=* -> PermitRootLogin=without-password
 * #CONSOLE=* -> PermitRootLogin=yes
 *
 * PASSREQ=YES -> PermitEmptyPasswords=no
 * PASSREQ=NO -> PermitEmptyPasswords=yes
 * #PASSREQ=* -> PermitEmptyPasswords=no
 *
 * RETRIES=<n> -> max_init_auth_tries=<n>
 * SYSLOG_FAILED_LOGINS=<n> -> max_init_auth_tries_log=<n>
 *
 * TIMEOUT=<secs> -> LoginGraceTime=<secs>
 * #TIMEOUT=<secs> -> LoginGraceTime=300
 */
static
void
deflt_fill_default_server_options(ServerOptions *options)
{
	int flags;
	char *ptr;

	/* Non-zero presumably means the file could not be opened; skip quietly. */
	if (defopen(_PATH_DEFAULT_LOGIN))
		return;

	/* Ignore case: make the defread() key lookups case-insensitive. */
	flags = defcntl(DC_GETFLAGS, 0);
	TURNOFF(flags, DC_CASE);
	(void) defcntl(DC_SETFLAGS, flags);

	/* Any CONSOLE= line, whatever its value, restricts root to non-password auth. */
	if (options->permit_root_login == PERMIT_NOT_SET &&
	    (ptr =
defread("CONSOLE=")) != NULL)
		options->permit_root_login = PERMIT_NO_PASSWD;

	/* PASSREQ values other than YES/NO leave the option untouched. */
	if (options->permit_empty_passwd == -1 &&
	    (ptr = defread("PASSREQ=")) != NULL) {
		if (strcasecmp("YES", ptr) == 0)
			options->permit_empty_passwd = 0;
		else if (strcasecmp("NO", ptr) == 0)
			options->permit_empty_passwd = 1;
	}

	/*
	 * NOTE(review): atoi() yields 0 for non-numeric text and cannot
	 * report overflow, so a malformed RETRIES= or SYSLOG_FAILED_LOGINS=
	 * value silently becomes 0 instead of being rejected.
	 */
	if (options->max_init_auth_tries == -1 &&
	    (ptr = defread("RETRIES=")) != NULL) {
		options->max_init_auth_tries = atoi(ptr);
	}

	if (options->max_init_auth_tries_log == -1 &&
	    (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) {
		options->max_init_auth_tries_log = atoi(ptr);
	}

	/*
	 * A missing TIMEOUT= defaults to 300 here, which pre-empts the 120 in
	 * fill_default_server_options().  The (unsigned) cast does not reject
	 * a negative TIMEOUT=; the field's declared type is not visible here.
	 */
	if (options->login_grace_time == -1) {
		if ((ptr = defread("TIMEOUT=")) != NULL)
			options->login_grace_time = (unsigned)atoi(ptr);
		else
			options->login_grace_time = 300;
	}

	(void) defopen((char *)NULL);
}
#endif /* HAVE_DEFOPEN */

/*
 * Replace every field still carrying its "unset" sentinel (-1, NULL,
 * *_NOT_SET) with the compiled-in default.  Called once the command line
 * and sshd_config have been processed, so anything set there wins.  Order
 * matters in two places: authorized_keys_file2 falls back to
 * authorized_keys_file before that one is defaulted, and the *_log limits
 * derive from the corresponding *_tries values.
 */
void
fill_default_server_options(ServerOptions *options)
{

#ifdef HAVE_DEFOPEN
	/* /etc/default/login takes precedence over the built-in defaults below. */
	deflt_fill_default_server_options(options);
#endif /* HAVE_DEFOPEN */

	/* Standard Options */
	/* Both protocol versions, including SSH-1, are enabled unless Protocol was set. */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
#ifndef GSSAPI
		/*
		 * With GSS keyex we can run v2 w/ no host keys, so GSSAPI builds
		 * add no protocol-2 host key by default; a HostKey directive is
		 * needed there for non-GSS host authentication.
		 */
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
#endif /* GSSAPI */
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress: listen on the wildcard address for every port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	/* Only reached when the HAVE_DEFOPEN path above did not already set it. */
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * Default allows root login with any method; the CONSOLE= hook in
	 * deflt_fill_default_server_options() narrows it to without-password.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 1;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* rhosts-style and hostbased authentication are off unless enabled. */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#ifdef GSSAPI
	if (options->gss_authentication == -1)
		options->gss_authentication = 1;
	if (options->gss_keyex == -1)
		options->gss_keyex = 1;
	/*
	 * NOTE(review): in process_server_config_line() the sGssStoreDelegCreds
	 * case sets intptr to &options->gss_keyex rather than
	 * &options->gss_store_creds, so a configured
	 * GSSAPIStoreDelegatedCredentials value lands in gss_keyex and this
	 * default is the only assignment gss_store_creds ever receives.  That
	 * case should point at gss_store_creds.
	 */
	if (options->gss_store_creds == -1)
		options->gss_store_creds = 1;
	if (options->gss_use_session_ccache == -1)
		options->gss_use_session_ccache = 1;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
#endif
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	/*
	 * options->pam_authentication_via_kbd_int has intentionally no default
	 * value since we do not need it.
	 */
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 1;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	/* begin defaults to the hard limit, i.e. no gradual range unless MaxStartups gives one. */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/*
		 * authorized_keys_file2 falls back to authorized_keys_file; this
		 * must run before authorized_keys_file itself is defaulted so
		 * that an AuthorizedKeysFile setting alone governs both.
		 */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Failures are logged from half the permitted count onwards. */
	if (options->max_auth_tries == -1)
		options->max_auth_tries = AUTH_FAIL_MAX;
	if (options->max_auth_tries_log == -1)
		options->max_auth_tries_log = options->max_auth_tries / 2;

	if (options->max_init_auth_tries == -1)
		options->max_init_auth_tries = AUTH_FAIL_MAX;
	if (options->max_init_auth_tries_log == -1)
		options->max_init_auth_tries_log = options->max_init_auth_tries / 2;

	if (options->lookup_client_hostnames == -1)
		options->lookup_client_hostnames = 1;
	if (options->use_openssl_engine == -1)
		options->use_openssl_engine = 1;
	if (options->pam_service_prefix == NULL)
		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
	/*
	 * No-op as written (NULL stays NULL); presumably kept so every field
	 * has a default line.  The effective PAM service name must therefore
	 * be derived elsewhere — TODO confirm.
	 */
	if (options->pam_service_name == NULL)
		options->pam_service_name = NULL;
}

/* Keyword tokens.  sBadOption is first and therefore 0. */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef GSSAPI
	sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds,
	sGssUseSessionCredCache, sGssCleanupCreds,
#endif /* GSSAPI */
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
	sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
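	sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
	sDeprecated
} ServerOpCodes;

/*
 * Where a keyword may appear.  process_server_config_line() consults these
 * flags only while a Match block is being skipped (*activep == 0): a
 * keyword without SSHCFG_MATCH is then fatal on the syntax-check pass and
 * skipped on the per-connection pass.  Outside a Match block every keyword
 * is accepted, so a zero flags value behaves exactly like SSHCFG_GLOBAL.
 */
#define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
#define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)

/*
 * Textual representation of the tokens.  Names are compared with
 * strcasecmp() in parse_token(), so case in this table is cosmetic.  The
 * table is read-only and terminated by the NULL-name entry.
 *
 * Several aliases carry narrower flags than their canonical spelling
 * (e.g. "dsaauthentication" vs "pubkeyauthentication", "gssauthentication"
 * vs "gssapiauthentication"): the alias is accepted in the global section
 * only.  Left as is, since widening them would change which configurations
 * are accepted inside Match blocks.
 */
static const struct {
	const char *name;
	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },			/* alias */
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
	{ "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	/*
	 * This entry previously omitted the flags member (implicitly 0).  Made
	 * explicit: 0 and SSHCFG_GLOBAL are indistinguishable to the flags
	 * check, so the set of accepted configurations is unchanged.
	 */
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly,
	    SSHCFG_GLOBAL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },		/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
	{ "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL },
	{ "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL },	/* alias */
	{ "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL },				/* alias */
	{ "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL },	/* alias */
#ifndef SUNW_GSSAPI
	{ "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
	{ "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
	{ "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
#endif /* SUNW_GSSAPI */
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL },
#endif
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "tcpkeepalive", sKeepAlives, SSHCFG_GLOBAL },
	{ "keepalive", sKeepAlives, SSHCFG_GLOBAL },			/* obsolete */
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sVerifyReverseMapping, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL },
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
	{ "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL },
	{ "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ "preuserauthhook", sPreUserauthHook, SSHCFG_ALL },
	/* "match" must be accepted inside a Match block so a new block can end the previous one. */
	{ "match", sMatch, SSHCFG_ALL },
	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },

	{ NULL, sBadOption, 0 }
};

/*
 * Returns the number of the token pointed to by cp or sBadOption.
 * On a match *flags receives the keyword's SSHCFG_* flags; on sBadOption
 * *flags is left unchanged and an error is logged.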
*/
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum, u_int *flags)
{
	u_int idx;

	/* keywords[] ends with an entry whose name is NULL. */
	for (idx = 0; keywords[idx].name != NULL; idx++) {
		if (strcasecmp(cp, keywords[idx].name) != 0)
			continue;
		*flags = keywords[idx].flags;
		return keywords[idx].opcode;
	}

	/* Unknown keyword: report it and leave *flags as the caller set it. */
	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}

/*
 * Queue addr for listening.  port == 0 means "on every port configured so
 * far"; a ListenAddress seen before any Port line implies SSH_DEFAULT_PORT.
 * addr == NULL selects the wildcard address (see add_one_listen_addr()).
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int n;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (n = 0; n < options->num_ports; n++)
		add_one_listen_addr(options, addr, options->ports[n]);
}

/*
 * Resolve addr:port with getaddrinfo() and prepend every returned entry to
 * options->listen_addrs.  Resolution failure is fatal, so a listener that
 * cannot be set up as configured is never silently dropped.  The address
 * family follows the global IPv4or6; a NULL addr requests the passive
 * (wildcard) address.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	(void) memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;

	(void) snprintf(portstr, sizeof portstr, "%u", port);
	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Walk to the end of the new chain and splice the old list behind it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}

/*
 * The strategy for the Match blocks is that the config file is parsed twice.
 *
 * The first time is at startup.  activep is initialized to 1 and the
 * directives in the global context are processed and acted on.  Hitting a
 * Match directive unsets activep and the directives inside the block are
 * checked for syntax only.
 *
 * The second time is after a connection has been established but before
 * authentication.
activep is initialized to 2 and global config directives
 * are ignored since they have already been processed.  If the criteria in a
 * Match block is met, activep is set and the subsequent directives
 * processed and actioned until EOF or another Match block unsets it.  Any
 * options set are copied into the main server config.
 *
 * Potential additions/improvements:
 *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
 *
 *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
 *	Match Address 192.168.0.*
 *		Tag trusted
 *	Match Group wheel
 *		Tag trusted
 *	Match Tag trusted
 *		AllowTcpForwarding yes
 *		GatewayPorts clientspecified
 *		[...]
 *
 *  - Add a PermittedChannelRequests directive
 *	Match Group shell
 *		PermittedChannelRequests session,forwarded-tcpip
 */

/*
 * Evaluate a "Match Group <grps>" criterion for user.  Returns 1 when the
 * user exists and belongs to a group matching grps, 0 otherwise (including
 * the syntax-only pass, where user is NULL).  As written it never returns
 * -1, so the caller's -1 branch is currently unreachable.
 */
static int
match_cfg_line_group(const char *grps, int line, const char *user)
{
	int result = 0;
	struct passwd *pw;

	/* Syntax-check pass: no user yet, so nothing can match. */
	if (user == NULL)
		goto out;

	if ((pw = getpwnam(user)) == NULL) {
		debug("Can't match group at line %d because user %.100s does "
		    "not exist", line, user);
	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
		debug("Can't Match group because user %.100s not in any group "
		    "at line %d", user, line);
	} else if (ga_match_pattern_list(grps) != 1) {
		debug("user %.100s does not match group list %.100s at line %d",
		    user, grps, line);
	} else {
		debug("user %.100s matched group list %.100s at line %d", user,
		    grps, line);
		result = 1;
	}
out:
	/*
	 * Runs on every path, including those where ga_init() was never
	 * reached; presumably ga_free() tolerates that — confirm in
	 * groupaccess.c.
	 */
	ga_free();
	return result;
}

/*
 * Evaluate the criteria following a Match keyword.  *condition points at
 * the remainder of the line and is advanced past the criteria consumed.
 * Returns 1 if every criterion matched, 0 if any did not, and -1 if the
 * line is malformed (missing value or unknown attribute).
 *
 * user == NULL marks the syntax-check pass (host and address are presumably
 * NULL then too); the user/host criteria then force 0 instead of matching,
 * so a Match block cannot be activated during that pass.  Unlike those two,
 * address is handed to addr_match_list() without a NULL check — TODO confirm
 * that helper treats NULL as a non-match.
 */
static int
match_cfg_line(char **condition, int line, const char *user, const char *host,
    const char *address)
{
	int result = 1;
	char *arg, *attrib, *cp = *condition;
	size_t len;

	if (user == NULL)
		debug3("checking syntax for 'Match %s'", cp);
	else
		debug3("checking match for '%s' user %s host %s addr %s", cp,
		    user ? user : "(null)", host ? host : "(null)",
		    address ? address : "(null)");

	/* Criteria come in attribute/value pairs; all must hold. */
	while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') {
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			return -1;
		}
		len = strlen(arg);
		if (strcasecmp(attrib, "user") == 0) {
			if (!user) {
				result = 0;
				continue;
			}
			if (match_pattern_list(user, arg, len, 0) != 1)
				result = 0;
			else
				debug("user %.100s matched 'User %.100s' at "
				    "line %d", user, arg, line);
		} else if (strcasecmp(attrib, "group") == 0) {
			switch (match_cfg_line_group(arg, line, user)) {
			case -1:
				/* not produced by match_cfg_line_group() as written */
				return -1;
			case 0:
				result = 0;
			}
		} else if (strcasecmp(attrib, "host") == 0) {
			if (!host) {
				result = 0;
				continue;
			}
			if (match_hostname(host, arg, len) != 1)
				result = 0;
			else
				debug("connection from %.100s matched 'Host "
				    "%.100s' at line %d", host, arg, line);
		} else if (strcasecmp(attrib, "address") == 0) {
			/* -2 signals a malformed address list; 0/-1 are non-matches. */
			switch (addr_match_list(address, arg)) {
			case 1:
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", address, arg, line);
				break;
			case 0:
			case -1:
				result = 0;
				break;
			case -2:
				return -1;
			}
		} else {
			error("Unsupported Match attribute %s", attrib);
			return -1;
		}
	}
	if (user != NULL)
		debug3("match %sfound", result ?
"" : "not "); 725 *condition = cp; 726 return result; 727 } 728 729 #define WHITESPACE " \t\r\n" 730 731 int 732 process_server_config_line(ServerOptions *options, char *line, 733 const char *filename, int linenum, int *activep, const char *user, 734 const char *host, const char *address) 735 { 736 char *cp, **charptr, *arg, *p; 737 int cmdline = 0, *intptr, value, n; 738 ServerOpCodes opcode; 739 u_int i, flags = 0; 740 size_t len; 741 742 cp = line; 743 arg = strdelim(&cp); 744 /* Ignore leading whitespace */ 745 if (*arg == '\0') 746 arg = strdelim(&cp); 747 if (!arg || !*arg || *arg == '#') 748 return 0; 749 intptr = NULL; 750 charptr = NULL; 751 opcode = parse_token(arg, filename, linenum, &flags); 752 753 if (activep == NULL) { /* We are processing a command line directive */ 754 cmdline = 1; 755 activep = &cmdline; 756 } 757 if (*activep && opcode != sMatch) 758 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 759 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 760 if (user == NULL) { 761 fatal("%s line %d: Directive '%s' is not allowed " 762 "within a Match block", filename, linenum, arg); 763 } else { /* this is a directive we have already processed */ 764 while (arg) 765 arg = strdelim(&cp); 766 return 0; 767 } 768 } 769 770 switch (opcode) { 771 /* Portable-specific options */ 772 case sPAMAuthenticationViaKbdInt: 773 log("%s line %d: PAMAuthenticationViaKbdInt has been " 774 "deprecated. 
You should use KbdInteractiveAuthentication " 775 "instead (which defaults to \"yes\").", filename, linenum); 776 intptr = &options->pam_authentication_via_kbd_int; 777 goto parse_flag; 778 779 /* Standard Options */ 780 case sBadOption: 781 return -1; 782 case sPort: 783 /* ignore ports from configfile if cmdline specifies ports */ 784 if (options->ports_from_cmdline) 785 return 0; 786 if (options->listen_addrs != NULL) 787 fatal("%s line %d: ports must be specified before " 788 "ListenAddress.", filename, linenum); 789 if (options->num_ports >= MAX_PORTS) 790 fatal("%s line %d: too many ports.", 791 filename, linenum); 792 arg = strdelim(&cp); 793 if (!arg || *arg == '\0') 794 fatal("%s line %d: missing port number.", 795 filename, linenum); 796 options->ports[options->num_ports++] = a2port(arg); 797 if (options->ports[options->num_ports-1] == 0) 798 fatal("%s line %d: Badly formatted port number.", 799 filename, linenum); 800 break; 801 802 case sServerKeyBits: 803 intptr = &options->server_key_bits; 804 parse_int: 805 arg = strdelim(&cp); 806 if (!arg || *arg == '\0') 807 fatal("%s line %d: missing integer value.", 808 filename, linenum); 809 value = atoi(arg); 810 if (*activep && *intptr == -1) 811 *intptr = value; 812 break; 813 814 case sLoginGraceTime: 815 intptr = &options->login_grace_time; 816 parse_time: 817 arg = strdelim(&cp); 818 if (!arg || *arg == '\0') 819 fatal("%s line %d: missing time value.", 820 filename, linenum); 821 if ((value = convtime(arg)) == -1) 822 fatal("%s line %d: invalid time value.", 823 filename, linenum); 824 if (*intptr == -1) 825 *intptr = value; 826 break; 827 828 case sKeyRegenerationTime: 829 intptr = &options->key_regeneration_time; 830 goto parse_time; 831 832 case sListenAddress: 833 arg = strdelim(&cp); 834 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 835 fatal("%s line %d: missing inet addr.", 836 filename, linenum); 837 if (*arg == '[') { 838 if ((p = strchr(arg, ']')) == NULL) 839 fatal("%s line %d: bad 
ipv6 inet addr usage.", 840 filename, linenum); 841 arg++; 842 (void) memmove(p, p+1, strlen(p+1)+1); 843 } else if (((p = strchr(arg, ':')) == NULL) || 844 (strchr(p+1, ':') != NULL)) { 845 add_listen_addr(options, arg, 0); 846 break; 847 } 848 if (*p == ':') { 849 u_short port; 850 851 p++; 852 if (*p == '\0') 853 fatal("%s line %d: bad inet addr:port usage.", 854 filename, linenum); 855 else { 856 *(p-1) = '\0'; 857 if ((port = a2port(p)) == 0) 858 fatal("%s line %d: bad port number.", 859 filename, linenum); 860 add_listen_addr(options, arg, port); 861 } 862 } else if (*p == '\0') 863 add_listen_addr(options, arg, 0); 864 else 865 fatal("%s line %d: bad inet addr usage.", 866 filename, linenum); 867 break; 868 869 case sHostKeyFile: 870 intptr = &options->num_host_key_files; 871 if (*intptr >= MAX_HOSTKEYS) 872 fatal("%s line %d: too many host keys specified (max %d).", 873 filename, linenum, MAX_HOSTKEYS); 874 charptr = &options->host_key_files[*intptr]; 875 parse_filename: 876 arg = strdelim(&cp); 877 if (!arg || *arg == '\0') 878 fatal("%s line %d: missing file name.", 879 filename, linenum); 880 if (*activep && *charptr == NULL) { 881 *charptr = tilde_expand_filename(arg, getuid()); 882 /* increase optional counter */ 883 if (intptr != NULL) 884 *intptr = *intptr + 1; 885 } 886 break; 887 888 case sPidFile: 889 charptr = &options->pid_file; 890 goto parse_filename; 891 892 case sPermitRootLogin: 893 intptr = &options->permit_root_login; 894 arg = strdelim(&cp); 895 if (!arg || *arg == '\0') 896 fatal("%s line %d: missing yes/" 897 "without-password/forced-commands-only/no " 898 "argument.", filename, linenum); 899 value = 0; /* silence compiler */ 900 if (strcmp(arg, "without-password") == 0) 901 value = PERMIT_NO_PASSWD; 902 else if (strcmp(arg, "forced-commands-only") == 0) 903 value = PERMIT_FORCED_ONLY; 904 else if (strcmp(arg, "yes") == 0) 905 value = PERMIT_YES; 906 else if (strcmp(arg, "no") == 0) 907 value = PERMIT_NO; 908 else 909 fatal("%s line 
%d: Bad yes/" 910 "without-password/forced-commands-only/no " 911 "argument: %s", filename, linenum, arg); 912 if (*activep && *intptr == -1) 913 *intptr = value; 914 break; 915 916 case sIgnoreRhosts: 917 intptr = &options->ignore_rhosts; 918 parse_flag: 919 arg = strdelim(&cp); 920 if (!arg || *arg == '\0') 921 fatal("%s line %d: missing yes/no argument.", 922 filename, linenum); 923 value = 0; /* silence compiler */ 924 if (strcmp(arg, "yes") == 0) 925 value = 1; 926 else if (strcmp(arg, "no") == 0) 927 value = 0; 928 else 929 fatal("%s line %d: Bad yes/no argument: %s", 930 filename, linenum, arg); 931 if (*activep && *intptr == -1) 932 *intptr = value; 933 break; 934 935 case sIgnoreUserKnownHosts: 936 intptr = &options->ignore_user_known_hosts; 937 goto parse_flag; 938 939 case sRhostsAuthentication: 940 intptr = &options->rhosts_authentication; 941 goto parse_flag; 942 943 case sRhostsRSAAuthentication: 944 intptr = &options->rhosts_rsa_authentication; 945 goto parse_flag; 946 947 case sHostbasedAuthentication: 948 intptr = &options->hostbased_authentication; 949 goto parse_flag; 950 951 case sHostbasedUsesNameFromPacketOnly: 952 intptr = &options->hostbased_uses_name_from_packet_only; 953 goto parse_flag; 954 955 case sRSAAuthentication: 956 intptr = &options->rsa_authentication; 957 goto parse_flag; 958 959 case sPubkeyAuthentication: 960 intptr = &options->pubkey_authentication; 961 goto parse_flag; 962 #ifdef GSSAPI 963 case sGssAuthentication: 964 intptr = &options->gss_authentication; 965 goto parse_flag; 966 case sGssKeyEx: 967 intptr = &options->gss_keyex; 968 goto parse_flag; 969 case sGssStoreDelegCreds: 970 intptr = &options->gss_keyex; 971 goto parse_flag; 972 #ifndef SUNW_GSSAPI 973 case sGssUseSessionCredCache: 974 intptr = &options->gss_use_session_ccache; 975 goto parse_flag; 976 case sGssCleanupCreds: 977 intptr = &options->gss_cleanup_creds; 978 goto parse_flag; 979 #endif /* SUNW_GSSAPI */ 980 #endif /* GSSAPI */ 981 #if defined(KRB4) || 
defined(KRB5) 982 case sKerberosAuthentication: 983 intptr = &options->kerberos_authentication; 984 goto parse_flag; 985 986 case sKerberosOrLocalPasswd: 987 intptr = &options->kerberos_or_local_passwd; 988 goto parse_flag; 989 990 case sKerberosTicketCleanup: 991 intptr = &options->kerberos_ticket_cleanup; 992 goto parse_flag; 993 #endif 994 #if defined(AFS) || defined(KRB5) 995 case sKerberosTgtPassing: 996 intptr = &options->kerberos_tgt_passing; 997 goto parse_flag; 998 #endif 999 #ifdef AFS 1000 case sAFSTokenPassing: 1001 intptr = &options->afs_token_passing; 1002 goto parse_flag; 1003 #endif 1004 1005 case sPasswordAuthentication: 1006 intptr = &options->password_authentication; 1007 goto parse_flag; 1008 1009 case sKbdInteractiveAuthentication: 1010 intptr = &options->kbd_interactive_authentication; 1011 goto parse_flag; 1012 1013 case sChallengeResponseAuthentication: 1014 intptr = &options->challenge_response_authentication; 1015 goto parse_flag; 1016 1017 case sPrintMotd: 1018 intptr = &options->print_motd; 1019 goto parse_flag; 1020 1021 case sPrintLastLog: 1022 log("%s line %d: ignoring PrintLastLog option value." 
1023 " This option is always on.", filename, linenum); 1024 while (arg) 1025 arg = strdelim(&cp); 1026 break; 1027 1028 case sX11Forwarding: 1029 intptr = &options->x11_forwarding; 1030 goto parse_flag; 1031 1032 case sX11DisplayOffset: 1033 intptr = &options->x11_display_offset; 1034 goto parse_int; 1035 1036 case sX11UseLocalhost: 1037 intptr = &options->x11_use_localhost; 1038 goto parse_flag; 1039 1040 case sXAuthLocation: 1041 charptr = &options->xauth_location; 1042 goto parse_filename; 1043 1044 case sStrictModes: 1045 intptr = &options->strict_modes; 1046 goto parse_flag; 1047 1048 case sKeepAlives: 1049 intptr = &options->keepalives; 1050 goto parse_flag; 1051 1052 case sEmptyPasswd: 1053 intptr = &options->permit_empty_passwd; 1054 goto parse_flag; 1055 1056 case sPermitUserEnvironment: 1057 intptr = &options->permit_user_env; 1058 goto parse_flag; 1059 1060 case sUseLogin: 1061 log("%s line %d: ignoring UseLogin option value." 1062 " This option is always off.", filename, linenum); 1063 while (arg) 1064 arg = strdelim(&cp); 1065 break; 1066 1067 case sCompression: 1068 intptr = &options->compression; 1069 goto parse_flag; 1070 1071 case sGatewayPorts: 1072 intptr = &options->gateway_ports; 1073 arg = strdelim(&cp); 1074 if (!arg || *arg == '\0') 1075 fatal("%s line %d: missing yes/no/clientspecified " 1076 "argument.", filename, linenum); 1077 value = 0; /* silence compiler */ 1078 if (strcmp(arg, "clientspecified") == 0) 1079 value = 2; 1080 else if (strcmp(arg, "yes") == 0) 1081 value = 1; 1082 else if (strcmp(arg, "no") == 0) 1083 value = 0; 1084 else 1085 fatal("%s line %d: Bad yes/no/clientspecified " 1086 "argument: %s", filename, linenum, arg); 1087 if (*activep && *intptr == -1) 1088 *intptr = value; 1089 break; 1090 1091 case sVerifyReverseMapping: 1092 intptr = &options->verify_reverse_mapping; 1093 goto parse_flag; 1094 1095 case sLogFacility: 1096 intptr = (int *) &options->log_facility; 1097 arg = strdelim(&cp); 1098 value = 
log_facility_number(arg); 1099 if (value == SYSLOG_FACILITY_NOT_SET) 1100 fatal("%.200s line %d: unsupported log facility '%s'", 1101 filename, linenum, arg ? arg : "<NONE>"); 1102 if (*intptr == -1) 1103 *intptr = (SyslogFacility) value; 1104 break; 1105 1106 case sLogLevel: 1107 intptr = (int *) &options->log_level; 1108 arg = strdelim(&cp); 1109 value = log_level_number(arg); 1110 if (value == SYSLOG_LEVEL_NOT_SET) 1111 fatal("%.200s line %d: unsupported log level '%s'", 1112 filename, linenum, arg ? arg : "<NONE>"); 1113 if (*intptr == -1) 1114 *intptr = (LogLevel) value; 1115 break; 1116 1117 case sAllowTcpForwarding: 1118 intptr = &options->allow_tcp_forwarding; 1119 goto parse_flag; 1120 1121 case sUsePrivilegeSeparation: 1122 log("%s line %d: ignoring UsePrivilegeSeparation option value." 1123 " This option is always on.", filename, linenum); 1124 while (arg) 1125 arg = strdelim(&cp); 1126 break; 1127 1128 case sAllowUsers: 1129 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1130 if (options->num_allow_users >= MAX_ALLOW_USERS) 1131 fatal("%s line %d: too many allow users.", 1132 filename, linenum); 1133 options->allow_users[options->num_allow_users++] = 1134 xstrdup(arg); 1135 } 1136 break; 1137 1138 case sDenyUsers: 1139 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1140 if (options->num_deny_users >= MAX_DENY_USERS) 1141 fatal( "%s line %d: too many deny users.", 1142 filename, linenum); 1143 options->deny_users[options->num_deny_users++] = 1144 xstrdup(arg); 1145 } 1146 break; 1147 1148 case sAllowGroups: 1149 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1150 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1151 fatal("%s line %d: too many allow groups.", 1152 filename, linenum); 1153 options->allow_groups[options->num_allow_groups++] = 1154 xstrdup(arg); 1155 } 1156 break; 1157 1158 case sDenyGroups: 1159 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1160 if (options->num_deny_groups >= MAX_DENY_GROUPS) 
1161 fatal("%s line %d: too many deny groups.", 1162 filename, linenum); 1163 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1164 } 1165 break; 1166 1167 case sCiphers: 1168 arg = strdelim(&cp); 1169 if (!arg || *arg == '\0') 1170 fatal("%s line %d: Missing argument.", filename, linenum); 1171 if (!ciphers_valid(arg)) 1172 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1173 filename, linenum, arg ? arg : "<NONE>"); 1174 if (options->ciphers == NULL) 1175 options->ciphers = xstrdup(arg); 1176 break; 1177 1178 case sMacs: 1179 arg = strdelim(&cp); 1180 if (!arg || *arg == '\0') 1181 fatal("%s line %d: Missing argument.", filename, linenum); 1182 if (!mac_valid(arg)) 1183 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1184 filename, linenum, arg ? arg : "<NONE>"); 1185 if (options->macs == NULL) 1186 options->macs = xstrdup(arg); 1187 break; 1188 1189 case sProtocol: 1190 intptr = &options->protocol; 1191 arg = strdelim(&cp); 1192 if (!arg || *arg == '\0') 1193 fatal("%s line %d: Missing argument.", filename, linenum); 1194 value = proto_spec(arg); 1195 if (value == SSH_PROTO_UNKNOWN) 1196 fatal("%s line %d: Bad protocol spec '%s'.", 1197 filename, linenum, arg ? 
arg : "<NONE>"); 1198 if (*intptr == SSH_PROTO_UNKNOWN) 1199 *intptr = value; 1200 break; 1201 1202 case sSubsystem: 1203 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1204 fatal("%s line %d: too many subsystems defined.", 1205 filename, linenum); 1206 } 1207 arg = strdelim(&cp); 1208 if (!arg || *arg == '\0') 1209 fatal("%s line %d: Missing subsystem name.", 1210 filename, linenum); 1211 if (!*activep) { 1212 arg = strdelim(&cp); 1213 break; 1214 } 1215 for (i = 0; i < options->num_subsystems; i++) 1216 if (strcmp(arg, options->subsystem_name[i]) == 0) 1217 fatal("%s line %d: Subsystem '%s' already defined.", 1218 filename, linenum, arg); 1219 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1220 arg = strdelim(&cp); 1221 if (!arg || *arg == '\0') 1222 fatal("%s line %d: Missing subsystem command.", 1223 filename, linenum); 1224 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1225 1226 /* 1227 * Collect arguments (separate to executable), including the 1228 * name of the executable, in a way that is easier to parse 1229 * later. 
1230 */ 1231 p = xstrdup(arg); 1232 len = strlen(p) + 1; 1233 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1234 len += 1 + strlen(arg); 1235 p = xrealloc(p, len); 1236 strlcat(p, " ", len); 1237 strlcat(p, arg, len); 1238 } 1239 options->subsystem_args[options->num_subsystems] = p; 1240 options->num_subsystems++; 1241 break; 1242 1243 case sMaxStartups: 1244 arg = strdelim(&cp); 1245 if (!arg || *arg == '\0') 1246 fatal("%s line %d: Missing MaxStartups spec.", 1247 filename, linenum); 1248 if ((n = sscanf(arg, "%d:%d:%d", 1249 &options->max_startups_begin, 1250 &options->max_startups_rate, 1251 &options->max_startups)) == 3) { 1252 if (options->max_startups_begin > 1253 options->max_startups || 1254 options->max_startups_rate > 100 || 1255 options->max_startups_rate < 1) 1256 fatal("%s line %d: Illegal MaxStartups spec.", 1257 filename, linenum); 1258 } else if (n != 1) 1259 fatal("%s line %d: Illegal MaxStartups spec.", 1260 filename, linenum); 1261 else 1262 options->max_startups = options->max_startups_begin; 1263 break; 1264 1265 case sBanner: 1266 charptr = &options->banner; 1267 goto parse_filename; 1268 /* 1269 * These options can contain %X options expanded at 1270 * connect time, so that you can specify paths like: 1271 * 1272 * AuthorizedKeysFile /etc/ssh_keys/%u 1273 */ 1274 case sAuthorizedKeysFile: 1275 case sAuthorizedKeysFile2: 1276 charptr = (opcode == sAuthorizedKeysFile) ? 
1277 &options->authorized_keys_file : 1278 &options->authorized_keys_file2; 1279 goto parse_filename; 1280 1281 case sClientAliveInterval: 1282 intptr = &options->client_alive_interval; 1283 goto parse_time; 1284 1285 case sClientAliveCountMax: 1286 intptr = &options->client_alive_count_max; 1287 goto parse_int; 1288 1289 case sMaxAuthTries: 1290 intptr = &options->max_auth_tries; 1291 goto parse_int; 1292 1293 case sMaxAuthTriesLog: 1294 intptr = &options->max_auth_tries_log; 1295 goto parse_int; 1296 1297 case sLookupClientHostnames: 1298 intptr = &options->lookup_client_hostnames; 1299 goto parse_flag; 1300 1301 case sUseOpenSSLEngine: 1302 intptr = &options->use_openssl_engine; 1303 goto parse_flag; 1304 1305 case sChrootDirectory: 1306 charptr = &options->chroot_directory; 1307 1308 arg = strdelim(&cp); 1309 if (arg == NULL || *arg == '\0') 1310 fatal("%s line %d: missing directory name for " 1311 "ChrootDirectory.", filename, linenum); 1312 if (*activep && *charptr == NULL) 1313 *charptr = xstrdup(arg); 1314 break; 1315 1316 case sPreUserauthHook: 1317 charptr = &options->pre_userauth_hook; 1318 goto parse_filename; 1319 1320 case sMatch: 1321 if (cmdline) 1322 fatal("Match directive not supported as a command-line " 1323 "option"); 1324 value = match_cfg_line(&cp, linenum, user, host, address); 1325 if (value < 0) 1326 fatal("%s line %d: Bad Match condition", filename, 1327 linenum); 1328 *activep = value; 1329 break; 1330 1331 case sDeprecated: 1332 log("%s line %d: Deprecated option %s", 1333 filename, linenum, arg); 1334 while (arg) 1335 arg = strdelim(&cp); 1336 break; 1337 1338 case sPAMServicePrefix: 1339 arg = strdelim(&cp); 1340 if (!arg || *arg == '\0') 1341 fatal("%s line %d: Missing argument.", 1342 filename, linenum); 1343 if (options->pam_service_name != NULL) 1344 fatal("%s line %d: PAMServiceName and PAMServicePrefix " 1345 "are mutually exclusive.", filename, linenum); 1346 if (options->pam_service_prefix == NULL) 1347 
options->pam_service_prefix = xstrdup(arg);
		break;

	case sPAMServiceName:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.",
			    filename, linenum);
		if (options->pam_service_prefix != NULL)
			fatal("%s line %d: PAMServiceName and PAMServicePrefix "
			    "are mutually exclusive.", filename, linenum);
		if (options->pam_service_name == NULL)
			options->pam_service_name = xstrdup(arg);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}


/*
 * Reads the server configuration file into the caller's Buffer.
 *
 * Each physical line is appended together with its newline so that the
 * parser can recover line numbers for error messages.  Everything from
 * the first '#' to the end of the line is dropped -- there is no quoting,
 * so a '#' inside an argument also starts a comment -- and leading blanks
 * are stripped.  The buffer is NUL-terminated afterwards so it can be
 * walked as a C string.
 *
 * The line buffer is 1024 bytes: fgets() returns a longer physical line
 * in pieces, so its continuation is seen by the parser as a separate
 * line with its own line number.  A file that cannot be opened is
 * reported with perror() and terminates the program with exit(1).
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char line[1024];
	FILE *f;

	debug2("%s: filename %s", __func__, filename);
	f = fopen(filename, "r");
	if (f == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	for (;;) {
		char *hash, *start;

		if (fgets(line, sizeof(line), f) == NULL)
			break;
		/* Comment runs to end of line; keep the newline for numbering. */
		hash = strchr(line, '#');
		if (hash != NULL)
			memcpy(hash, "\n", 2);
		/* Skip leading blanks but not the newline itself. */
		start = line + strspn(line, " \t\r");
		buffer_append(conf, start, strlen(start));
	}
	buffer_append(conf, "\0", 1);
	fclose(f);
	/* NOTE(review): buffer_len() presumably returns an unsigned count;
	 * %d is kept from the original message. */
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}

/*
 * Re-parses the saved configuration (the global cfg Buffer) for one
 * connection so that Match blocks can be applied, then folds every
 * option a Match block set into *options.
 *
 * mo starts fully "unset"; only the values actually set during the
 * re-parse are copied (preauth == 0 copies everything that
 * copy_set_server_options() supports).  String values are moved rather
 * than duplicated, so mo is not used after the copy.
 */
void
parse_server_match_config(ServerOptions *options, const char *user,
    const char *host, const char *address)
{
	ServerOptions mo;

	initialize_server_options(&mo);
	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
	copy_set_server_options(options, &mo, 0);
}



/* Helper macros
*/
/* Copy an int option from src to dst when src has it set (-1 == unset). */
#define M_CP_INTOPT(n) do {						\
	if (src->n != -1)						\
		dst->n = src->n;					\
} while (0)
/*
 * Move a string option from src to dst when src has it set: dst's old
 * value is released and dst takes over src's pointer (no copy, src is
 * not cleared -- the caller must not free src->n afterwards).  The
 * xfree() guard stays because xfree() does not accept NULL here.
 */
#define M_CP_STROPT(n) do {						\
	if (src->n == NULL)						\
		break;							\
	if (dst->n != NULL)						\
		xfree(dst->n);						\
	dst->n = src->n;						\
} while (0)

/*
 * Copies every supported option that is set in *src into *dst.
 *
 * Integer options are copied by value when they are not -1; string
 * options are moved (see M_CP_STROPT).  permit_root_login is compared
 * against -1 like the other ints, which relies on PERMIT_NOT_SET being
 * -1 -- the parser's sPermitRootLogin case makes the same assumption.
 *
 * With preauth != 0 the string and array values that are not needed
 * before authentication are skipped, because any that are used must be
 * sent explicitly in mm_getpwnamallow().
 *
 * NOTE(review): gss_authentication is copied unconditionally while
 * initialize_server_options() only touches that field under
 * #ifdef GSSAPI -- confirm in servconf.h whether the field exists in
 * non-GSSAPI builds.
 * NOTE(review): in process_server_config_line() the sGssStoreDelegCreds
 * case sets intptr to &options->gss_keyex rather than gss_store_creds,
 * so that directive is never applied to the field it presumably targets
 * and can instead change gss_keyex; that is where the fix belongs.
 */
void
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
{
	M_CP_INTOPT(password_authentication);
	M_CP_INTOPT(gss_authentication);
	M_CP_INTOPT(rsa_authentication);
	M_CP_INTOPT(pubkey_authentication);
	M_CP_INTOPT(hostbased_authentication);
	M_CP_INTOPT(kbd_interactive_authentication);
	M_CP_INTOPT(permit_root_login);
	M_CP_INTOPT(permit_empty_passwd);
	M_CP_INTOPT(allow_tcp_forwarding);
	M_CP_INTOPT(gateway_ports);
	M_CP_INTOPT(x11_display_offset);
	M_CP_INTOPT(x11_forwarding);
	M_CP_INTOPT(x11_use_localhost);
	M_CP_INTOPT(max_auth_tries);
	M_CP_STROPT(banner);

	/* Everything below is only needed once the user is authenticated. */
	if (preauth)
		return;
	M_CP_STROPT(chroot_directory);
}

#undef M_CP_INTOPT
#undef M_CP_STROPT

/*
 * Parses the configuration text held in *conf (NUL-terminated, one
 * directive per line) into *options.
 *
 * filename is used only for diagnostics.  user/host/address describe the
 * connection being matched: when user is non-NULL the parse starts
 * inactive and only lines following a matching Match directive take
 * effect; without a user every line is active.  Each line goes through
 * process_server_config_line(), which fatal()s on most errors itself;
 * any non-zero return is counted and reported as fatal at the end.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    const char *user, const char *host, const char *address)
{
	char *buf, *rest, *line;
	int active, linenum, nbad;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() modifies its input, so work on a private copy. */
	buf = xstrdup(buffer_ptr(conf));
	rest = buf;
	active = (user == NULL);
	nbad = 0;
	for (linenum = 1; (line = strsep(&rest, "\n")) != NULL; linenum++) {
		if (process_server_config_line(options, line, filename,
		    linenum, &active, user, host, address) != 0)
			nbad++;
	}
	xfree(buf);
	if (nbad > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, nbad);
}


/*
 * Returns non-zero when a ChrootDirectory has been configured.  The
 * special value "none" (compared case-insensitively) means "no chroot",
 * exactly as if ChrootDirectory had not been specified at all.
 */
int
chroot_requested(char *chroot_directory)
{
	if (chroot_directory == NULL)
		return (0);
	return (strcasecmp(chroot_directory, "none") != 0);
}