xref: /titanic_50/usr/src/cmd/ssh/sshd/servconf.c (revision b494511a9cf72b1fc4eb13a0e593f55c624ab829)
1 /*
2  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3  *                    All rights reserved
4  *
5  * As far as I am concerned, the code I have written for this software
6  * can be used freely for any purpose.  Any derived versions of this
7  * software must be clearly marked as such, and if the derived work is
8  * incompatible with the protocol description in the RFC file, it must be
9  * called by a name other than "ssh" or "Secure Shell".
10  */
11 /*
12  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
13  */
14 
15 #include "includes.h"
16 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
17 
18 #ifdef HAVE_DEFOPEN
19 #include <deflt.h>
20 #endif /* HAVE_DEFOPEN */
21 
22 #if defined(KRB4)
23 #include <krb.h>
24 #endif
25 #if defined(KRB5)
26 #ifdef HEIMDAL
27 #include <krb.h>
28 #else
29 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
30  * keytab */
31 #define KEYFILE "/etc/krb5.keytab"
32 #endif
33 #endif
34 #ifdef AFS
35 #include <kafs.h>
36 #endif
37 
38 #include "ssh.h"
39 #include "log.h"
40 #include "buffer.h"
41 #include "servconf.h"
42 #include "xmalloc.h"
43 #include "compat.h"
44 #include "pathnames.h"
45 #include "tildexpand.h"
46 #include "misc.h"
47 #include "cipher.h"
48 #include "kex.h"
49 #include "mac.h"
50 #include "auth.h"
51 #include "match.h"
52 #include "groupaccess.h"
53 
54 static void add_listen_addr(ServerOptions *, char *, u_short);
55 static void add_one_listen_addr(ServerOptions *, char *, u_short);
56 
57 extern Buffer cfg;
58 
59 /* AF_UNSPEC or AF_INET or AF_INET6 */
60 extern int IPv4or6;
61 
62 /*
63  * Initializes the server options to their initial (unset) values. Some of those
64  * that stay unset after the command line options and configuration files are
65  * read are set to their default values in fill_default_server_options().
66  */
67 void
68 initialize_server_options(ServerOptions *options)
69 {
70 	(void) memset(options, 0, sizeof(*options));
71 
72 	/* Standard Options */
73 	options->num_ports = 0;
74 	options->ports_from_cmdline = 0;
75 	options->listen_addrs = NULL;
76 	options->num_host_key_files = 0;
77 	options->pid_file = NULL;
78 	options->server_key_bits = -1;
79 	options->login_grace_time = -1;
80 	options->key_regeneration_time = -1;
81 	options->permit_root_login = PERMIT_NOT_SET;
82 	options->ignore_rhosts = -1;
83 	options->ignore_user_known_hosts = -1;
84 	options->print_motd = -1;
85 	options->print_lastlog = -1;
86 	options->x11_forwarding = -1;
87 	options->x11_display_offset = -1;
88 	options->x11_use_localhost = -1;
89 	options->xauth_location = NULL;
90 	options->strict_modes = -1;
91 	options->keepalives = -1;
92 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
93 	options->log_level = SYSLOG_LEVEL_NOT_SET;
94 	options->rhosts_authentication = -1;
95 	options->rhosts_rsa_authentication = -1;
96 	options->hostbased_authentication = -1;
97 	options->hostbased_uses_name_from_packet_only = -1;
98 	options->rsa_authentication = -1;
99 	options->pubkey_authentication = -1;
100 #ifdef GSSAPI
101 	options->gss_authentication = -1;
102 	options->gss_keyex = -1;
103 	options->gss_store_creds = -1;
104 	options->gss_use_session_ccache = -1;
105 	options->gss_cleanup_creds = -1;
106 #endif
107 #if defined(KRB4) || defined(KRB5)
108 	options->kerberos_authentication = -1;
109 	options->kerberos_or_local_passwd = -1;
110 	options->kerberos_ticket_cleanup = -1;
111 #endif
112 #if defined(AFS) || defined(KRB5)
113 	options->kerberos_tgt_passing = -1;
114 #endif
115 #ifdef AFS
116 	options->afs_token_passing = -1;
117 #endif
118 	options->password_authentication = -1;
119 	options->kbd_interactive_authentication = -1;
120 	options->challenge_response_authentication = -1;
121 	options->pam_authentication_via_kbd_int = -1;
122 	options->permit_empty_passwd = -1;
123 	options->permit_user_env = -1;
124 	options->compression = -1;
125 	options->allow_tcp_forwarding = -1;
126 	options->num_allow_users = 0;
127 	options->num_deny_users = 0;
128 	options->num_allow_groups = 0;
129 	options->num_deny_groups = 0;
130 	options->ciphers = NULL;
131 	options->macs = NULL;
132 	options->protocol = SSH_PROTO_UNKNOWN;
133 	options->gateway_ports = -1;
134 	options->num_subsystems = 0;
135 	options->max_startups_begin = -1;
136 	options->max_startups_rate = -1;
137 	options->max_startups = -1;
138 	options->banner = NULL;
139 	options->verify_reverse_mapping = -1;
140 	options->client_alive_interval = -1;
141 	options->client_alive_count_max = -1;
142 	options->authorized_keys_file = NULL;
143 	options->authorized_keys_file2 = NULL;
144 
145 	options->max_auth_tries = -1;
146 	options->max_auth_tries_log = -1;
147 
148 	options->max_init_auth_tries = -1;
149 	options->max_init_auth_tries_log = -1;
150 
151 	options->lookup_client_hostnames = -1;
152 	options->use_openssl_engine = -1;
153 	options->chroot_directory = NULL;
154 	options->pre_userauth_hook = NULL;
155 	options->pam_service_name = NULL;
156 	options->pam_service_prefix = NULL;
157 }
158 
159 #ifdef HAVE_DEFOPEN
160 /*
161  * Reads /etc/default/login and defaults several ServerOptions:
162  *
163  * PermitRootLogin
164  * PermitEmptyPasswords
165  * LoginGraceTime
166  *
167  * CONSOLE=*      -> PermitRootLogin=without-password
168  * #CONSOLE=*     -> PermitRootLogin=yes
169  *
170  * PASSREQ=YES    -> PermitEmptyPasswords=no
171  * PASSREQ=NO     -> PermitEmptyPasswords=yes
172  * #PASSREQ=*     -> PermitEmptyPasswords=no
173  *
174  * TIMEOUT=<secs> -> LoginGraceTime=<secs>
175  * #TIMEOUT=<secs> -> LoginGraceTime=300
176  */
177 static
178 void
179 deflt_fill_default_server_options(ServerOptions *options)
180 {
181 	int	flags;
182 	char	*ptr;
183 
184 	if (defopen(_PATH_DEFAULT_LOGIN))
185 		return;
186 
187 	/* Ignore case */
188 	flags = defcntl(DC_GETFLAGS, 0);
189 	TURNOFF(flags, DC_CASE);
190 	(void) defcntl(DC_SETFLAGS, flags);
191 
192 	if (options->permit_root_login == PERMIT_NOT_SET &&
193 	    (ptr = defread("CONSOLE=")) != NULL)
194 		options->permit_root_login = PERMIT_NO_PASSWD;
195 
196 	if (options->permit_empty_passwd == -1 &&
197 	    (ptr = defread("PASSREQ=")) != NULL) {
198 		if (strcasecmp("YES", ptr) == 0)
199 			options->permit_empty_passwd = 0;
200 		else if (strcasecmp("NO", ptr) == 0)
201 			options->permit_empty_passwd = 1;
202 	}
203 
204 	if (options->max_init_auth_tries == -1 &&
205 	    (ptr = defread("RETRIES=")) != NULL) {
206 		options->max_init_auth_tries = atoi(ptr);
207 	}
208 
209 	if (options->max_init_auth_tries_log == -1 &&
210 	    (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) {
211 		options->max_init_auth_tries_log = atoi(ptr);
212 	}
213 
214 	if (options->login_grace_time == -1) {
215 		if ((ptr = defread("TIMEOUT=")) != NULL)
216 			options->login_grace_time = (unsigned)atoi(ptr);
217 		else
218 			options->login_grace_time = 300;
219 	}
220 
221 	(void) defopen((char *)NULL);
222 }
223 #endif /* HAVE_DEFOPEN */
224 
225 void
226 fill_default_server_options(ServerOptions *options)
227 {
228 
229 #ifdef HAVE_DEFOPEN
230 	deflt_fill_default_server_options(options);
231 #endif /* HAVE_DEFOPEN */
232 
233 	/* Standard Options */
234 	if (options->protocol == SSH_PROTO_UNKNOWN)
235 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
236 	if (options->num_host_key_files == 0) {
237 		/* fill default hostkeys for protocols */
238 		if (options->protocol & SSH_PROTO_1)
239 			options->host_key_files[options->num_host_key_files++] =
240 			    _PATH_HOST_KEY_FILE;
241 #ifndef GSSAPI
242 		/* With GSS keyex we can run v2 w/ no host keys */
243 		if (options->protocol & SSH_PROTO_2) {
244 			options->host_key_files[options->num_host_key_files++] =
245 			    _PATH_HOST_RSA_KEY_FILE;
246 			options->host_key_files[options->num_host_key_files++] =
247 			    _PATH_HOST_DSA_KEY_FILE;
248 		}
249 #endif /* GSSAPI */
250 	}
251 	if (options->num_ports == 0)
252 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
253 	if (options->listen_addrs == NULL)
254 		add_listen_addr(options, NULL, 0);
255 	if (options->pid_file == NULL)
256 		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
257 	if (options->server_key_bits == -1)
258 		options->server_key_bits = 768;
259 	if (options->login_grace_time == -1)
260 		options->login_grace_time = 120;
261 	if (options->key_regeneration_time == -1)
262 		options->key_regeneration_time = 3600;
263 	if (options->permit_root_login == PERMIT_NOT_SET)
264 		options->permit_root_login = PERMIT_YES;
265 	if (options->ignore_rhosts == -1)
266 		options->ignore_rhosts = 1;
267 	if (options->ignore_user_known_hosts == -1)
268 		options->ignore_user_known_hosts = 0;
269 	if (options->print_motd == -1)
270 		options->print_motd = 1;
271 	if (options->print_lastlog == -1)
272 		options->print_lastlog = 1;
273 	if (options->x11_forwarding == -1)
274 		options->x11_forwarding = 1;
275 	if (options->x11_display_offset == -1)
276 		options->x11_display_offset = 10;
277 	if (options->x11_use_localhost == -1)
278 		options->x11_use_localhost = 1;
279 	if (options->xauth_location == NULL)
280 		options->xauth_location = _PATH_XAUTH;
281 	if (options->strict_modes == -1)
282 		options->strict_modes = 1;
283 	if (options->keepalives == -1)
284 		options->keepalives = 1;
285 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
286 		options->log_facility = SYSLOG_FACILITY_AUTH;
287 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
288 		options->log_level = SYSLOG_LEVEL_INFO;
289 	if (options->rhosts_authentication == -1)
290 		options->rhosts_authentication = 0;
291 	if (options->rhosts_rsa_authentication == -1)
292 		options->rhosts_rsa_authentication = 0;
293 	if (options->hostbased_authentication == -1)
294 		options->hostbased_authentication = 0;
295 	if (options->hostbased_uses_name_from_packet_only == -1)
296 		options->hostbased_uses_name_from_packet_only = 0;
297 	if (options->rsa_authentication == -1)
298 		options->rsa_authentication = 1;
299 	if (options->pubkey_authentication == -1)
300 		options->pubkey_authentication = 1;
301 #ifdef GSSAPI
302 	if (options->gss_authentication == -1)
303 		options->gss_authentication = 1;
304 	if (options->gss_keyex == -1)
305 		options->gss_keyex = 1;
306 	if (options->gss_store_creds == -1)
307 		options->gss_store_creds = 1;
308 	if (options->gss_use_session_ccache == -1)
309 		options->gss_use_session_ccache = 1;
310 	if (options->gss_cleanup_creds == -1)
311 		options->gss_cleanup_creds = 1;
312 #endif
313 #if defined(KRB4) || defined(KRB5)
314 	if (options->kerberos_authentication == -1)
315 		options->kerberos_authentication = 0;
316 	if (options->kerberos_or_local_passwd == -1)
317 		options->kerberos_or_local_passwd = 1;
318 	if (options->kerberos_ticket_cleanup == -1)
319 		options->kerberos_ticket_cleanup = 1;
320 #endif
321 #if defined(AFS) || defined(KRB5)
322 	if (options->kerberos_tgt_passing == -1)
323 		options->kerberos_tgt_passing = 0;
324 #endif
325 #ifdef AFS
326 	if (options->afs_token_passing == -1)
327 		options->afs_token_passing = 0;
328 #endif
329 	if (options->password_authentication == -1)
330 		options->password_authentication = 1;
331 	/*
332 	 * options->pam_authentication_via_kbd_int has intentionally no default
333 	 * value since we do not need it.
334 	 */
335 	if (options->kbd_interactive_authentication == -1)
336 		options->kbd_interactive_authentication = 1;
337 	if (options->challenge_response_authentication == -1)
338 		options->challenge_response_authentication = 1;
339 	if (options->permit_empty_passwd == -1)
340 		options->permit_empty_passwd = 0;
341 	if (options->permit_user_env == -1)
342 		options->permit_user_env = 0;
343 	if (options->compression == -1)
344 		options->compression = 1;
345 	if (options->allow_tcp_forwarding == -1)
346 		options->allow_tcp_forwarding = 1;
347 	if (options->gateway_ports == -1)
348 		options->gateway_ports = 0;
349 	if (options->max_startups == -1)
350 		options->max_startups = 10;
351 	if (options->max_startups_rate == -1)
352 		options->max_startups_rate = 100;		/* 100% */
353 	if (options->max_startups_begin == -1)
354 		options->max_startups_begin = options->max_startups;
355 	if (options->verify_reverse_mapping == -1)
356 		options->verify_reverse_mapping = 0;
357 	if (options->client_alive_interval == -1)
358 		options->client_alive_interval = 0;
359 	if (options->client_alive_count_max == -1)
360 		options->client_alive_count_max = 3;
361 	if (options->authorized_keys_file2 == NULL) {
362 		/* authorized_keys_file2 falls back to authorized_keys_file */
363 		if (options->authorized_keys_file != NULL)
364 			options->authorized_keys_file2 = options->authorized_keys_file;
365 		else
366 			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
367 	}
368 	if (options->authorized_keys_file == NULL)
369 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
370 
371 	if (options->max_auth_tries == -1)
372 		options->max_auth_tries = AUTH_FAIL_MAX;
373 	if (options->max_auth_tries_log == -1)
374 		options->max_auth_tries_log = options->max_auth_tries / 2;
375 
376 	if (options->max_init_auth_tries == -1)
377 		options->max_init_auth_tries = AUTH_FAIL_MAX;
378 	if (options->max_init_auth_tries_log == -1)
379 		options->max_init_auth_tries_log = options->max_init_auth_tries / 2;
380 
381 	if (options->lookup_client_hostnames == -1)
382 		options->lookup_client_hostnames = 1;
383 	if (options->use_openssl_engine == -1)
384 		options->use_openssl_engine = 1;
385 	if (options->pam_service_prefix == NULL)
386 		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
387 	if (options->pam_service_name == NULL)
388 		options->pam_service_name = NULL;
389 }
390 
391 /* Keyword tokens. */
392 typedef enum {
393 	sBadOption,		/* == unknown option */
394 	/* Portable-specific options */
395 	sPAMAuthenticationViaKbdInt,
396 	/* Standard Options */
397 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
398 	sPermitRootLogin, sLogFacility, sLogLevel,
399 	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
400 #ifdef GSSAPI
401 	sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds,
402 	sGssUseSessionCredCache, sGssCleanupCreds,
403 #endif /* GSSAPI */
404 #if defined(KRB4) || defined(KRB5)
405 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
406 #endif
407 #if defined(AFS) || defined(KRB5)
408 	sKerberosTgtPassing,
409 #endif
410 #ifdef AFS
411 	sAFSTokenPassing,
412 #endif
413 	sChallengeResponseAuthentication,
414 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
415 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
416 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
417 	sStrictModes, sEmptyPasswd, sKeepAlives,
418 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
419 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
420 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
421 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
422 	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
423 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
424 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
425 	sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
426 	sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
427 	sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
428 	sDeprecated
429 } ServerOpCodes;
430 
431 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
432 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
433 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
434 
435 /* Textual representation of the tokens. */
436 static struct {
437 	const char *name;
438 	ServerOpCodes opcode;
439 	u_int flags;
440 } keywords[] = {
441 	/* Portable-specific options */
442 	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL },
443 	/* Standard Options */
444 	{ "port", sPort, SSHCFG_GLOBAL },
445 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
446 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },			/* alias */
447 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
448 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
449 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
450 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
451 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
452 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
453 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
454 	{ "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL },
455 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
456 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
457 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
458 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
459 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
460 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
461 #ifdef GSSAPI
462 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
463 	{ "gssapikeyexchange", sGssKeyEx,   SSHCFG_GLOBAL },
464 	{ "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL },
465 	{ "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL },	/* alias */
466 	{ "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL },	/* alias */
467 	{ "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL },	/* alias */
468 #ifndef SUNW_GSSAPI
469 	{ "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
470 	{ "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
471 	{ "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
472 #endif /* SUNW_GSSAPI */
473 #endif
474 #if defined(KRB4) || defined(KRB5)
475 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
476 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
477 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
478 #endif
479 #if defined(AFS) || defined(KRB5)
480 	{ "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL },
481 #endif
482 #ifdef AFS
483 	{ "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL },
484 #endif
485 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
486 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
487 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
488 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
489 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
490 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
491 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
492 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
493 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
494 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
495 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
496 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
497 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
498 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
499 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
500 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
501 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
502 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
503 	{ "compression", sCompression, SSHCFG_GLOBAL },
504 	{ "keepalive", sKeepAlives, SSHCFG_GLOBAL },
505 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
506 	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
507 	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
508 	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
509 	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
510 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
511 	{ "macs", sMacs, SSHCFG_GLOBAL},
512 	{ "protocol", sProtocol,SSHCFG_GLOBAL },
513 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
514 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL},
515 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
516 	{ "banner", sBanner, SSHCFG_ALL },
517 	{ "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL },
518 	{ "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL },
519 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
520 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
521 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
522 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
523 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
524 	{ "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL },
525 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
526 	{ "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL },
527 	{ "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL },
528 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
529 	{ "preuserauthhook", sPreUserauthHook, SSHCFG_ALL},
530 	{ "match", sMatch, SSHCFG_ALL },
531 	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
532 	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
533 
534 	{ NULL, sBadOption, 0 }
535 };
536 
537 /*
538  * Returns the number of the token pointed to by cp or sBadOption.
539  */
540 
541 static ServerOpCodes
542 parse_token(const char *cp, const char *filename,
543 	    int linenum, u_int *flags)
544 {
545 	u_int i;
546 
547 	for (i = 0; keywords[i].name; i++)
548 		if (strcasecmp(cp, keywords[i].name) == 0) {
549 			*flags = keywords[i].flags;
550 			return keywords[i].opcode;
551 		}
552 
553 	error("%s: line %d: Bad configuration option: %s",
554 	    filename, linenum, cp);
555 	return sBadOption;
556 }
557 
558 static void
559 add_listen_addr(ServerOptions *options, char *addr, u_short port)
560 {
561 	int i;
562 
563 	if (options->num_ports == 0)
564 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
565 	if (port == 0)
566 		for (i = 0; i < options->num_ports; i++)
567 			add_one_listen_addr(options, addr, options->ports[i]);
568 	else
569 		add_one_listen_addr(options, addr, port);
570 }
571 
572 static void
573 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
574 {
575 	struct addrinfo hints, *ai, *aitop;
576 	char strport[NI_MAXSERV];
577 	int gaierr;
578 
579 	(void) memset(&hints, 0, sizeof(hints));
580 	hints.ai_family = IPv4or6;
581 	hints.ai_socktype = SOCK_STREAM;
582 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
583 	(void) snprintf(strport, sizeof strport, "%u", port);
584 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
585 		fatal("bad addr or host: %s (%s)",
586 		    addr ? addr : "<NULL>",
587 		    gai_strerror(gaierr));
588 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
589 		;
590 	ai->ai_next = options->listen_addrs;
591 	options->listen_addrs = aitop;
592 }
593 
594 /*
595  * The strategy for the Match blocks is that the config file is parsed twice.
596  *
597  * The first time is at startup.  activep is initialized to 1 and the
598  * directives in the global context are processed and acted on.  Hitting a
599  * Match directive unsets activep and the directives inside the block are
600  * checked for syntax only.
601  *
602  * The second time is after a connection has been established but before
603  * authentication.  activep is initialized to 2 and global config directives
604  * are ignored since they have already been processed.  If the criteria in a
605  * Match block is met, activep is set and the subsequent directives
606  * processed and actioned until EOF or another Match block unsets it.  Any
607  * options set are copied into the main server config.
608  *
609  * Potential additions/improvements:
610  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
611  *
612  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
613  *	Match Address 192.168.0.*
614  *		Tag trusted
615  *	Match Group wheel
616  *		Tag trusted
617  *	Match Tag trusted
618  *		AllowTcpForwarding yes
619  *		GatewayPorts clientspecified
620  *		[...]
621  *
622  *  - Add a PermittedChannelRequests directive
623  *	Match Group shell
624  *		PermittedChannelRequests session,forwarded-tcpip
625  */
626 
627 static int
628 match_cfg_line_group(const char *grps, int line, const char *user)
629 {
630 	int result = 0;
631 	struct passwd *pw;
632 
633 	if (user == NULL)
634 		goto out;
635 
636 	if ((pw = getpwnam(user)) == NULL) {
637 		debug("Can't match group at line %d because user %.100s does "
638 		    "not exist", line, user);
639 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
640 		debug("Can't Match group because user %.100s not in any group "
641 		    "at line %d", user, line);
642 	} else if (ga_match_pattern_list(grps) != 1) {
643 		debug("user %.100s does not match group list %.100s at line %d",
644 		    user, grps, line);
645 	} else {
646 		debug("user %.100s matched group list %.100s at line %d", user,
647 		    grps, line);
648 		result = 1;
649 	}
650 out:
651 	ga_free();
652 	return result;
653 }
654 
655 static int
656 match_cfg_line(char **condition, int line, const char *user, const char *host,
657     const char *address)
658 {
659 	int result = 1;
660 	char *arg, *attrib, *cp = *condition;
661 	size_t len;
662 
663 	if (user == NULL)
664 		debug3("checking syntax for 'Match %s'", cp);
665 	else
666 		debug3("checking match for '%s' user %s host %s addr %s", cp,
667 		    user ? user : "(null)", host ? host : "(null)",
668 		    address ? address : "(null)");
669 
670 	while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') {
671 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
672 			error("Missing Match criteria for %s", attrib);
673 			return -1;
674 		}
675 		len = strlen(arg);
676 		if (strcasecmp(attrib, "user") == 0) {
677 			if (!user) {
678 				result = 0;
679 				continue;
680 			}
681 			if (match_pattern_list(user, arg, len, 0) != 1)
682 				result = 0;
683 			else
684 				debug("user %.100s matched 'User %.100s' at "
685 				    "line %d", user, arg, line);
686 		} else if (strcasecmp(attrib, "group") == 0) {
687 			switch (match_cfg_line_group(arg, line, user)) {
688 			case -1:
689 				return -1;
690 			case 0:
691 				result = 0;
692 			}
693 		} else if (strcasecmp(attrib, "host") == 0) {
694 			if (!host) {
695 				result = 0;
696 				continue;
697 			}
698 			if (match_hostname(host, arg, len) != 1)
699 				result = 0;
700 			else
701 				debug("connection from %.100s matched 'Host "
702 				    "%.100s' at line %d", host, arg, line);
703 		} else if (strcasecmp(attrib, "address") == 0) {
704 			switch (addr_match_list(address, arg)) {
705 			case 1:
706 				debug("connection from %.100s matched 'Address "
707 				    "%.100s' at line %d", address, arg, line);
708 				break;
709 			case 0:
710 			case -1:
711 				result = 0;
712 				break;
713 			case -2:
714 				return -1;
715 			}
716 		} else {
717 			error("Unsupported Match attribute %s", attrib);
718 			return -1;
719 		}
720 	}
721 	if (user != NULL)
722 		debug3("match %sfound", result ? "" : "not ");
723 	*condition = cp;
724 	return result;
725 }
726 
727 #define WHITESPACE " \t\r\n"
728 
729 int
730 process_server_config_line(ServerOptions *options, char *line,
731     const char *filename, int linenum, int *activep, const char *user,
732     const char *host, const char *address)
733 {
734 	char *cp, **charptr, *arg, *p;
735 	int cmdline = 0, *intptr, value, n;
736 	ServerOpCodes opcode;
737 	u_int i, flags = 0;
738 	size_t len;
739 
740 	cp = line;
741 	arg = strdelim(&cp);
742 	/* Ignore leading whitespace */
743 	if (*arg == '\0')
744 		arg = strdelim(&cp);
745 	if (!arg || !*arg || *arg == '#')
746 		return 0;
747 	intptr = NULL;
748 	charptr = NULL;
749 	opcode = parse_token(arg, filename, linenum, &flags);
750 
751 	if (activep == NULL) { /* We are processing a command line directive */
752 		cmdline = 1;
753 		activep = &cmdline;
754 	}
755 	if (*activep && opcode != sMatch)
756 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
757 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
758 		if (user == NULL) {
759 			fatal("%s line %d: Directive '%s' is not allowed "
760 			    "within a Match block", filename, linenum, arg);
761 		} else { /* this is a directive we have already processed */
762 			while (arg)
763 				arg = strdelim(&cp);
764 			return 0;
765 		}
766 	}
767 
768 	switch (opcode) {
769 	/* Portable-specific options */
770 	case sPAMAuthenticationViaKbdInt:
771 		log("%s line %d: PAMAuthenticationViaKbdInt has been "
772 		    "deprecated. You should use KbdInteractiveAuthentication "
773 		    "instead (which defaults to \"yes\").", filename, linenum);
774 		intptr = &options->pam_authentication_via_kbd_int;
775 		goto parse_flag;
776 
777 	/* Standard Options */
778 	case sBadOption:
779 		return -1;
780 	case sPort:
781 		/* ignore ports from configfile if cmdline specifies ports */
782 		if (options->ports_from_cmdline)
783 			return 0;
784 		if (options->listen_addrs != NULL)
785 			fatal("%s line %d: ports must be specified before "
786 			    "ListenAddress.", filename, linenum);
787 		if (options->num_ports >= MAX_PORTS)
788 			fatal("%s line %d: too many ports.",
789 			    filename, linenum);
790 		arg = strdelim(&cp);
791 		if (!arg || *arg == '\0')
792 			fatal("%s line %d: missing port number.",
793 			    filename, linenum);
794 		options->ports[options->num_ports++] = a2port(arg);
795 		if (options->ports[options->num_ports-1] == 0)
796 			fatal("%s line %d: Badly formatted port number.",
797 			    filename, linenum);
798 		break;
799 
800 	case sServerKeyBits:
801 		intptr = &options->server_key_bits;
802 parse_int:
803 		arg = strdelim(&cp);
804 		if (!arg || *arg == '\0')
805 			fatal("%s line %d: missing integer value.",
806 			    filename, linenum);
807 		value = atoi(arg);
808 		if (*activep && *intptr == -1)
809 			*intptr = value;
810 		break;
811 
812 	case sLoginGraceTime:
813 		intptr = &options->login_grace_time;
814 parse_time:
815 		arg = strdelim(&cp);
816 		if (!arg || *arg == '\0')
817 			fatal("%s line %d: missing time value.",
818 			    filename, linenum);
819 		if ((value = convtime(arg)) == -1)
820 			fatal("%s line %d: invalid time value.",
821 			    filename, linenum);
822 		if (*intptr == -1)
823 			*intptr = value;
824 		break;
825 
826 	case sKeyRegenerationTime:
827 		intptr = &options->key_regeneration_time;
828 		goto parse_time;
829 
830 	case sListenAddress:
831 		arg = strdelim(&cp);
832 		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
833 			fatal("%s line %d: missing inet addr.",
834 			    filename, linenum);
835 		if (*arg == '[') {
836 			if ((p = strchr(arg, ']')) == NULL)
837 				fatal("%s line %d: bad ipv6 inet addr usage.",
838 				    filename, linenum);
839 			arg++;
840 			(void) memmove(p, p+1, strlen(p+1)+1);
841 		} else if (((p = strchr(arg, ':')) == NULL) ||
842 			    (strchr(p+1, ':') != NULL)) {
843 			add_listen_addr(options, arg, 0);
844 			break;
845 		}
846 		if (*p == ':') {
847 			u_short port;
848 
849 			p++;
850 			if (*p == '\0')
851 				fatal("%s line %d: bad inet addr:port usage.",
852 				    filename, linenum);
853 			else {
854 				*(p-1) = '\0';
855 				if ((port = a2port(p)) == 0)
856 					fatal("%s line %d: bad port number.",
857 					    filename, linenum);
858 				add_listen_addr(options, arg, port);
859 			}
860 		} else if (*p == '\0')
861 			add_listen_addr(options, arg, 0);
862 		else
863 			fatal("%s line %d: bad inet addr usage.",
864 			    filename, linenum);
865 		break;
866 
867 	case sHostKeyFile:
868 		intptr = &options->num_host_key_files;
869 		if (*intptr >= MAX_HOSTKEYS)
870 			fatal("%s line %d: too many host keys specified (max %d).",
871 			    filename, linenum, MAX_HOSTKEYS);
872 		charptr = &options->host_key_files[*intptr];
873 parse_filename:
874 		arg = strdelim(&cp);
875 		if (!arg || *arg == '\0')
876 			fatal("%s line %d: missing file name.",
877 			    filename, linenum);
878 		if (*activep && *charptr == NULL) {
879 			*charptr = tilde_expand_filename(arg, getuid());
880 			/* increase optional counter */
881 			if (intptr != NULL)
882 				*intptr = *intptr + 1;
883 		}
884 		break;
885 
886 	case sPidFile:
887 		charptr = &options->pid_file;
888 		goto parse_filename;
889 
890 	case sPermitRootLogin:
891 		intptr = &options->permit_root_login;
892 		arg = strdelim(&cp);
893 		if (!arg || *arg == '\0')
894 			fatal("%s line %d: missing yes/"
895 			    "without-password/forced-commands-only/no "
896 			    "argument.", filename, linenum);
897 		value = 0;	/* silence compiler */
898 		if (strcmp(arg, "without-password") == 0)
899 			value = PERMIT_NO_PASSWD;
900 		else if (strcmp(arg, "forced-commands-only") == 0)
901 			value = PERMIT_FORCED_ONLY;
902 		else if (strcmp(arg, "yes") == 0)
903 			value = PERMIT_YES;
904 		else if (strcmp(arg, "no") == 0)
905 			value = PERMIT_NO;
906 		else
907 			fatal("%s line %d: Bad yes/"
908 			    "without-password/forced-commands-only/no "
909 			    "argument: %s", filename, linenum, arg);
910 		if (*activep && *intptr == -1)
911 			*intptr = value;
912 		break;
913 
914 	case sIgnoreRhosts:
915 		intptr = &options->ignore_rhosts;
916 parse_flag:
917 		arg = strdelim(&cp);
918 		if (!arg || *arg == '\0')
919 			fatal("%s line %d: missing yes/no argument.",
920 			    filename, linenum);
921 		value = 0;	/* silence compiler */
922 		if (strcmp(arg, "yes") == 0)
923 			value = 1;
924 		else if (strcmp(arg, "no") == 0)
925 			value = 0;
926 		else
927 			fatal("%s line %d: Bad yes/no argument: %s",
928 				filename, linenum, arg);
929 		if (*activep && *intptr == -1)
930 			*intptr = value;
931 		break;
932 
933 	case sIgnoreUserKnownHosts:
934 		intptr = &options->ignore_user_known_hosts;
935 		goto parse_flag;
936 
937 	case sRhostsAuthentication:
938 		intptr = &options->rhosts_authentication;
939 		goto parse_flag;
940 
941 	case sRhostsRSAAuthentication:
942 		intptr = &options->rhosts_rsa_authentication;
943 		goto parse_flag;
944 
945 	case sHostbasedAuthentication:
946 		intptr = &options->hostbased_authentication;
947 		goto parse_flag;
948 
949 	case sHostbasedUsesNameFromPacketOnly:
950 		intptr = &options->hostbased_uses_name_from_packet_only;
951 		goto parse_flag;
952 
953 	case sRSAAuthentication:
954 		intptr = &options->rsa_authentication;
955 		goto parse_flag;
956 
957 	case sPubkeyAuthentication:
958 		intptr = &options->pubkey_authentication;
959 		goto parse_flag;
960 #ifdef GSSAPI
961 	case sGssAuthentication:
962 		intptr = &options->gss_authentication;
963 		goto parse_flag;
964 	case sGssKeyEx:
965 		intptr = &options->gss_keyex;
966 		goto parse_flag;
967 	case sGssStoreDelegCreds:
968 		intptr = &options->gss_keyex;
969 		goto parse_flag;
970 #ifndef SUNW_GSSAPI
971 	case sGssUseSessionCredCache:
972 		intptr = &options->gss_use_session_ccache;
973 		goto parse_flag;
974 	case sGssCleanupCreds:
975 		intptr = &options->gss_cleanup_creds;
976 		goto parse_flag;
977 #endif /* SUNW_GSSAPI */
978 #endif /* GSSAPI */
979 #if defined(KRB4) || defined(KRB5)
980 	case sKerberosAuthentication:
981 		intptr = &options->kerberos_authentication;
982 		goto parse_flag;
983 
984 	case sKerberosOrLocalPasswd:
985 		intptr = &options->kerberos_or_local_passwd;
986 		goto parse_flag;
987 
988 	case sKerberosTicketCleanup:
989 		intptr = &options->kerberos_ticket_cleanup;
990 		goto parse_flag;
991 #endif
992 #if defined(AFS) || defined(KRB5)
993 	case sKerberosTgtPassing:
994 		intptr = &options->kerberos_tgt_passing;
995 		goto parse_flag;
996 #endif
997 #ifdef AFS
998 	case sAFSTokenPassing:
999 		intptr = &options->afs_token_passing;
1000 		goto parse_flag;
1001 #endif
1002 
1003 	case sPasswordAuthentication:
1004 		intptr = &options->password_authentication;
1005 		goto parse_flag;
1006 
1007 	case sKbdInteractiveAuthentication:
1008 		intptr = &options->kbd_interactive_authentication;
1009 		goto parse_flag;
1010 
1011 	case sChallengeResponseAuthentication:
1012 		intptr = &options->challenge_response_authentication;
1013 		goto parse_flag;
1014 
1015 	case sPrintMotd:
1016 		intptr = &options->print_motd;
1017 		goto parse_flag;
1018 
1019 	case sPrintLastLog:
1020 		intptr = &options->print_lastlog;
1021 		goto parse_flag;
1022 
1023 	case sX11Forwarding:
1024 		intptr = &options->x11_forwarding;
1025 		goto parse_flag;
1026 
1027 	case sX11DisplayOffset:
1028 		intptr = &options->x11_display_offset;
1029 		goto parse_int;
1030 
1031 	case sX11UseLocalhost:
1032 		intptr = &options->x11_use_localhost;
1033 		goto parse_flag;
1034 
1035 	case sXAuthLocation:
1036 		charptr = &options->xauth_location;
1037 		goto parse_filename;
1038 
1039 	case sStrictModes:
1040 		intptr = &options->strict_modes;
1041 		goto parse_flag;
1042 
1043 	case sKeepAlives:
1044 		intptr = &options->keepalives;
1045 		goto parse_flag;
1046 
1047 	case sEmptyPasswd:
1048 		intptr = &options->permit_empty_passwd;
1049 		goto parse_flag;
1050 
1051 	case sPermitUserEnvironment:
1052 		intptr = &options->permit_user_env;
1053 		goto parse_flag;
1054 
1055 	case sUseLogin:
1056 		log("%s line %d: ignoring UseLogin option value."
1057 		    " This option is always off.", filename, linenum);
1058 		while (arg)
1059 			arg = strdelim(&cp);
1060 		break;
1061 
1062 	case sCompression:
1063 		intptr = &options->compression;
1064 		goto parse_flag;
1065 
1066 	case sGatewayPorts:
1067 		intptr = &options->gateway_ports;
1068 		arg = strdelim(&cp);
1069 		if (!arg || *arg == '\0')
1070 			fatal("%s line %d: missing yes/no/clientspecified "
1071 			    "argument.", filename, linenum);
1072 		value = 0;	/* silence compiler */
1073 		if (strcmp(arg, "clientspecified") == 0)
1074 			value = 2;
1075 		else if (strcmp(arg, "yes") == 0)
1076 			value = 1;
1077 		else if (strcmp(arg, "no") == 0)
1078 			value = 0;
1079 		else
1080 			fatal("%s line %d: Bad yes/no/clientspecified "
1081 			    "argument: %s", filename, linenum, arg);
1082 		if (*activep && *intptr == -1)
1083 			*intptr = value;
1084 		break;
1085 
1086 	case sVerifyReverseMapping:
1087 		intptr = &options->verify_reverse_mapping;
1088 		goto parse_flag;
1089 
1090 	case sLogFacility:
1091 		intptr = (int *) &options->log_facility;
1092 		arg = strdelim(&cp);
1093 		value = log_facility_number(arg);
1094 		if (value == SYSLOG_FACILITY_NOT_SET)
1095 			fatal("%.200s line %d: unsupported log facility '%s'",
1096 			    filename, linenum, arg ? arg : "<NONE>");
1097 		if (*intptr == -1)
1098 			*intptr = (SyslogFacility) value;
1099 		break;
1100 
1101 	case sLogLevel:
1102 		intptr = (int *) &options->log_level;
1103 		arg = strdelim(&cp);
1104 		value = log_level_number(arg);
1105 		if (value == SYSLOG_LEVEL_NOT_SET)
1106 			fatal("%.200s line %d: unsupported log level '%s'",
1107 			    filename, linenum, arg ? arg : "<NONE>");
1108 		if (*intptr == -1)
1109 			*intptr = (LogLevel) value;
1110 		break;
1111 
1112 	case sAllowTcpForwarding:
1113 		intptr = &options->allow_tcp_forwarding;
1114 		goto parse_flag;
1115 
1116 	case sUsePrivilegeSeparation:
1117 		log("%s line %d: ignoring UsePrivilegeSeparation option value."
1118 		    " This option is always on.", filename, linenum);
1119 		while (arg)
1120 			arg = strdelim(&cp);
1121 		break;
1122 
1123 	case sAllowUsers:
1124 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1125 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1126 				fatal("%s line %d: too many allow users.",
1127 				    filename, linenum);
1128 			options->allow_users[options->num_allow_users++] =
1129 			    xstrdup(arg);
1130 		}
1131 		break;
1132 
1133 	case sDenyUsers:
1134 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1135 			if (options->num_deny_users >= MAX_DENY_USERS)
1136 				fatal( "%s line %d: too many deny users.",
1137 				    filename, linenum);
1138 			options->deny_users[options->num_deny_users++] =
1139 			    xstrdup(arg);
1140 		}
1141 		break;
1142 
1143 	case sAllowGroups:
1144 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1145 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1146 				fatal("%s line %d: too many allow groups.",
1147 				    filename, linenum);
1148 			options->allow_groups[options->num_allow_groups++] =
1149 			    xstrdup(arg);
1150 		}
1151 		break;
1152 
1153 	case sDenyGroups:
1154 		while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1155 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1156 				fatal("%s line %d: too many deny groups.",
1157 				    filename, linenum);
1158 			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1159 		}
1160 		break;
1161 
1162 	case sCiphers:
1163 		arg = strdelim(&cp);
1164 		if (!arg || *arg == '\0')
1165 			fatal("%s line %d: Missing argument.", filename, linenum);
1166 		if (!ciphers_valid(arg))
1167 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1168 			    filename, linenum, arg ? arg : "<NONE>");
1169 		if (options->ciphers == NULL)
1170 			options->ciphers = xstrdup(arg);
1171 		break;
1172 
1173 	case sMacs:
1174 		arg = strdelim(&cp);
1175 		if (!arg || *arg == '\0')
1176 			fatal("%s line %d: Missing argument.", filename, linenum);
1177 		if (!mac_valid(arg))
1178 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1179 			    filename, linenum, arg ? arg : "<NONE>");
1180 		if (options->macs == NULL)
1181 			options->macs = xstrdup(arg);
1182 		break;
1183 
1184 	case sProtocol:
1185 		intptr = &options->protocol;
1186 		arg = strdelim(&cp);
1187 		if (!arg || *arg == '\0')
1188 			fatal("%s line %d: Missing argument.", filename, linenum);
1189 		value = proto_spec(arg);
1190 		if (value == SSH_PROTO_UNKNOWN)
1191 			fatal("%s line %d: Bad protocol spec '%s'.",
1192 			    filename, linenum, arg ? arg : "<NONE>");
1193 		if (*intptr == SSH_PROTO_UNKNOWN)
1194 			*intptr = value;
1195 		break;
1196 
1197 	case sSubsystem:
1198 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1199 			fatal("%s line %d: too many subsystems defined.",
1200 			    filename, linenum);
1201 		}
1202 		arg = strdelim(&cp);
1203 		if (!arg || *arg == '\0')
1204 			fatal("%s line %d: Missing subsystem name.",
1205 			    filename, linenum);
1206 		if (!*activep) {
1207 			arg = strdelim(&cp);
1208 			break;
1209 		}
1210 		for (i = 0; i < options->num_subsystems; i++)
1211 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1212 				fatal("%s line %d: Subsystem '%s' already defined.",
1213 				    filename, linenum, arg);
1214 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1215 		arg = strdelim(&cp);
1216 		if (!arg || *arg == '\0')
1217 			fatal("%s line %d: Missing subsystem command.",
1218 			    filename, linenum);
1219 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1220 
1221 		/*
1222 		 * Collect arguments (separate to executable), including the
1223 		 * name of the executable, in a way that is easier to parse
1224 		 * later.
1225 		 */
1226 		p = xstrdup(arg);
1227 		len = strlen(p) + 1;
1228 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1229 			len += 1 + strlen(arg);
1230 			p = xrealloc(p, len);
1231 			strlcat(p, " ", len);
1232 			strlcat(p, arg, len);
1233 		}
1234 		options->subsystem_args[options->num_subsystems] = p;
1235 		options->num_subsystems++;
1236 		break;
1237 
1238 	case sMaxStartups:
1239 		arg = strdelim(&cp);
1240 		if (!arg || *arg == '\0')
1241 			fatal("%s line %d: Missing MaxStartups spec.",
1242 			    filename, linenum);
1243 		if ((n = sscanf(arg, "%d:%d:%d",
1244 		    &options->max_startups_begin,
1245 		    &options->max_startups_rate,
1246 		    &options->max_startups)) == 3) {
1247 			if (options->max_startups_begin >
1248 			    options->max_startups ||
1249 			    options->max_startups_rate > 100 ||
1250 			    options->max_startups_rate < 1)
1251 				fatal("%s line %d: Illegal MaxStartups spec.",
1252 				    filename, linenum);
1253 		} else if (n != 1)
1254 			fatal("%s line %d: Illegal MaxStartups spec.",
1255 			    filename, linenum);
1256 		else
1257 			options->max_startups = options->max_startups_begin;
1258 		break;
1259 
1260 	case sBanner:
1261 		charptr = &options->banner;
1262 		goto parse_filename;
1263 	/*
1264 	 * These options can contain %X options expanded at
1265 	 * connect time, so that you can specify paths like:
1266 	 *
1267 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1268 	 */
1269 	case sAuthorizedKeysFile:
1270 	case sAuthorizedKeysFile2:
1271 		charptr = (opcode == sAuthorizedKeysFile) ?
1272 		    &options->authorized_keys_file :
1273 		    &options->authorized_keys_file2;
1274 		goto parse_filename;
1275 
1276 	case sClientAliveInterval:
1277 		intptr = &options->client_alive_interval;
1278 		goto parse_time;
1279 
1280 	case sClientAliveCountMax:
1281 		intptr = &options->client_alive_count_max;
1282 		goto parse_int;
1283 
1284 	case sMaxAuthTries:
1285 		intptr = &options->max_auth_tries;
1286 		goto parse_int;
1287 
1288 	case sMaxAuthTriesLog:
1289 		intptr = &options->max_auth_tries_log;
1290 		goto parse_int;
1291 
1292 	case sLookupClientHostnames:
1293 		intptr = &options->lookup_client_hostnames;
1294 		goto parse_flag;
1295 
1296 	case sUseOpenSSLEngine:
1297 		intptr = &options->use_openssl_engine;
1298 		goto parse_flag;
1299 
1300 	case sChrootDirectory:
1301 		charptr = &options->chroot_directory;
1302 
1303 		arg = strdelim(&cp);
1304 		if (arg == NULL || *arg == '\0')
1305 			fatal("%s line %d: missing directory name for "
1306 			    "ChrootDirectory.", filename, linenum);
1307 		if (*activep && *charptr == NULL)
1308 			*charptr = xstrdup(arg);
1309 		break;
1310 
1311 	case sPreUserauthHook:
1312 		charptr = &options->pre_userauth_hook;
1313 		goto parse_filename;
1314 
1315 	case sMatch:
1316 		if (cmdline)
1317 			fatal("Match directive not supported as a command-line "
1318 			   "option");
1319 		value = match_cfg_line(&cp, linenum, user, host, address);
1320 		if (value < 0)
1321 			fatal("%s line %d: Bad Match condition", filename,
1322 			    linenum);
1323 		*activep = value;
1324 		break;
1325 
1326 	case sDeprecated:
1327 		log("%s line %d: Deprecated option %s",
1328 		    filename, linenum, arg);
1329 		while (arg)
1330 		    arg = strdelim(&cp);
1331 		break;
1332 
1333 	case sPAMServicePrefix:
1334 		arg = strdelim(&cp);
1335 		if (!arg || *arg == '\0')
1336 			fatal("%s line %d: Missing argument.",
1337 			    filename, linenum);
1338 		if (options->pam_service_name != NULL)
1339 			fatal("%s line %d: PAMServiceName and PAMServicePrefix "
1340 			    "are mutually exclusive.", filename, linenum);
1341 		if (options->pam_service_prefix == NULL)
1342 			options->pam_service_prefix = xstrdup(arg);
1343 		break;
1344 
1345 	case sPAMServiceName:
1346 		arg = strdelim(&cp);
1347 		if (!arg || *arg == '\0')
1348 			fatal("%s line %d: Missing argument.",
1349 			    filename, linenum);
1350 		if (options->pam_service_prefix != NULL)
1351 			fatal("%s line %d: PAMServiceName and PAMServicePrefix "
1352 			    "are mutually exclusive.", filename, linenum);
1353 		if (options->pam_service_name == NULL)
1354 			options->pam_service_name = xstrdup(arg);
1355 		break;
1356 
1357 	default:
1358 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1359 		    filename, linenum, arg, opcode);
1360 	}
1361 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1362 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1363 		    filename, linenum, arg);
1364 	return 0;
1365 }
1366 
1367 
1368 /* Reads the server configuration file. */
1369 
1370 void
1371 load_server_config(const char *filename, Buffer *conf)
1372 {
1373 	char line[1024], *cp;
1374 	FILE *f;
1375 
1376 	debug2("%s: filename %s", __func__, filename);
1377 	if ((f = fopen(filename, "r")) == NULL) {
1378 		perror(filename);
1379 		exit(1);
1380 	}
1381 	buffer_clear(conf);
1382 	while (fgets(line, sizeof(line), f)) {
1383 		/*
1384 		 * Trim out comments and strip whitespace
1385 		 * NB - preserve newlines, they are needed to reproduce
1386 		 * line numbers later for error messages
1387 		 */
1388 		if ((cp = strchr(line, '#')) != NULL)
1389 			memcpy(cp, "\n", 2);
1390 		cp = line + strspn(line, " \t\r");
1391 
1392 		buffer_append(conf, cp, strlen(cp));
1393 	}
1394 	buffer_append(conf, "\0", 1);
1395 	fclose(f);
1396 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1397 }
1398 
1399 void
1400 parse_server_match_config(ServerOptions *options, const char *user,
1401     const char *host, const char *address)
1402 {
1403 	ServerOptions mo;
1404 
1405 	initialize_server_options(&mo);
1406 	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1407 	copy_set_server_options(options, &mo, 0);
1408 }
1409 
1410 
1411 
1412 /* Helper macros */
1413 #define M_CP_INTOPT(n) do {\
1414 	if (src->n != -1) \
1415 		dst->n = src->n; \
1416 } while (0)
1417 #define M_CP_STROPT(n) do {\
1418 	if (src->n != NULL) { \
1419 		if (dst->n != NULL) \
1420 			xfree(dst->n); \
1421 		dst->n = src->n; \
1422 	} \
1423 } while(0)
1424 
1425 /*
1426  * Copy any supported values that are set.
1427  *
1428  * If the preauth flag is set, we do not bother copying the the string or
1429  * array values that are not used pre-authentication, because any that we
1430  * do use must be explictly sent in mm_getpwnamallow().
1431  */
1432 void
1433 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1434 {
1435 	M_CP_INTOPT(password_authentication);
1436 	M_CP_INTOPT(gss_authentication);
1437 	M_CP_INTOPT(rsa_authentication);
1438 	M_CP_INTOPT(pubkey_authentication);
1439 	M_CP_INTOPT(hostbased_authentication);
1440 	M_CP_INTOPT(kbd_interactive_authentication);
1441 	M_CP_INTOPT(permit_root_login);
1442 	M_CP_INTOPT(permit_empty_passwd);
1443 	M_CP_INTOPT(allow_tcp_forwarding);
1444 	M_CP_INTOPT(gateway_ports);
1445 	M_CP_INTOPT(x11_display_offset);
1446 	M_CP_INTOPT(x11_forwarding);
1447 	M_CP_INTOPT(x11_use_localhost);
1448 	M_CP_INTOPT(max_auth_tries);
1449 	M_CP_STROPT(banner);
1450 
1451 	if (preauth)
1452 		return;
1453 	M_CP_STROPT(chroot_directory);
1454 }
1455 
1456 #undef M_CP_INTOPT
1457 #undef M_CP_STROPT
1458 
1459 void
1460 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1461     const char *user, const char *host, const char *address)
1462 {
1463 	int active, linenum, bad_options = 0;
1464 	char *cp, *obuf, *cbuf;
1465 
1466 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1467 
1468 	obuf = cbuf = xstrdup(buffer_ptr(conf));
1469 	active = user ? 0 : 1;
1470 	linenum = 1;
1471 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
1472 		if (process_server_config_line(options, cp, filename,
1473 		    linenum++, &active, user, host, address) != 0)
1474 			bad_options++;
1475 	}
1476 	xfree(obuf);
1477 	if (bad_options > 0)
1478 		fatal("%s: terminating, %d bad configuration options",
1479 		    filename, bad_options);
1480 }
1481 
1482 
1483 /*
1484  * Note that "none" is a special path having the same affect on sshd
1485  * configuration as not specifying ChrootDirectory at all.
1486  */
1487 int
1488 chroot_requested(char *chroot_directory)
1489 {
1490 	return (chroot_directory != NULL &&
1491 	    strcasecmp(chroot_directory, "none") != 0);
1492 }
1493