1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 13 */ 14 15 #include "includes.h" 16 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 17 18 #ifdef HAVE_DEFOPEN 19 #include <deflt.h> 20 #endif /* HAVE_DEFOPEN */ 21 22 #if defined(KRB4) 23 #include <krb.h> 24 #endif 25 #if defined(KRB5) 26 #ifdef HEIMDAL 27 #include <krb.h> 28 #else 29 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 30 * keytab */ 31 #define KEYFILE "/etc/krb5.keytab" 32 #endif 33 #endif 34 #ifdef AFS 35 #include <kafs.h> 36 #endif 37 38 #include "ssh.h" 39 #include "log.h" 40 #include "buffer.h" 41 #include "servconf.h" 42 #include "xmalloc.h" 43 #include "compat.h" 44 #include "pathnames.h" 45 #include "tildexpand.h" 46 #include "misc.h" 47 #include "cipher.h" 48 #include "kex.h" 49 #include "mac.h" 50 #include "auth.h" 51 #include "match.h" 52 #include "groupaccess.h" 53 54 static void add_listen_addr(ServerOptions *, char *, u_short); 55 static void add_one_listen_addr(ServerOptions *, char *, u_short); 56 57 extern Buffer cfg; 58 59 /* AF_UNSPEC or AF_INET or AF_INET6 */ 60 extern int IPv4or6; 61 62 /* 63 * Initializes the server options to their initial (unset) values. Some of those 64 * that stay unset after the command line options and configuration files are 65 * read are set to their default values in fill_default_server_options(). 66 */ 67 void 68 initialize_server_options(ServerOptions *options) 69 { 70 (void) memset(options, 0, sizeof(*options)); 71 72 /* Standard Options */ 73 options->num_ports = 0; 74 options->ports_from_cmdline = 0; 75 options->listen_addrs = NULL; 76 options->num_host_key_files = 0; 77 options->pid_file = NULL; 78 options->server_key_bits = -1; 79 options->login_grace_time = -1; 80 options->key_regeneration_time = -1; 81 options->permit_root_login = PERMIT_NOT_SET; 82 options->ignore_rhosts = -1; 83 options->ignore_user_known_hosts = -1; 84 options->print_motd = -1; 85 options->print_lastlog = -1; 86 options->x11_forwarding = -1; 87 options->x11_display_offset = -1; 88 options->x11_use_localhost = -1; 89 options->xauth_location = NULL; 90 options->strict_modes = -1; 91 options->keepalives = -1; 92 options->log_facility = SYSLOG_FACILITY_NOT_SET; 93 options->log_level = SYSLOG_LEVEL_NOT_SET; 94 options->rhosts_authentication = -1; 95 options->rhosts_rsa_authentication = -1; 96 options->hostbased_authentication = -1; 97 options->hostbased_uses_name_from_packet_only = -1; 98 options->rsa_authentication = -1; 99 options->pubkey_authentication = -1; 100 #ifdef GSSAPI 101 options->gss_authentication = -1; 102 options->gss_keyex = -1; 103 options->gss_store_creds = -1; 104 options->gss_use_session_ccache = -1; 105 options->gss_cleanup_creds = -1; 106 #endif 107 #if defined(KRB4) || defined(KRB5) 108 options->kerberos_authentication = -1; 109 options->kerberos_or_local_passwd = -1; 110 options->kerberos_ticket_cleanup = -1; 111 #endif 112 #if defined(AFS) || defined(KRB5) 113 options->kerberos_tgt_passing = -1; 114 #endif 115 #ifdef AFS 116 options->afs_token_passing = -1; 117 #endif 118 options->password_authentication = -1; 119 options->kbd_interactive_authentication = -1; 120 options->challenge_response_authentication = -1; 121 options->pam_authentication_via_kbd_int = -1; 122 options->permit_empty_passwd = -1; 123 options->permit_user_env = -1; 124 options->compression = -1; 125 options->allow_tcp_forwarding = -1; 126 options->num_allow_users = 0; 127 options->num_deny_users = 0; 128 options->num_allow_groups = 0; 129 options->num_deny_groups = 0; 130 options->ciphers = NULL; 131 options->macs = NULL; 132 options->protocol = SSH_PROTO_UNKNOWN; 133 options->gateway_ports = -1; 134 options->num_subsystems = 0; 135 options->max_startups_begin = -1; 136 options->max_startups_rate = -1; 137 options->max_startups = -1; 138 options->banner = NULL; 139 options->verify_reverse_mapping = -1; 140 options->client_alive_interval = -1; 141 options->client_alive_count_max = -1; 142 options->authorized_keys_file = NULL; 143 options->authorized_keys_file2 = NULL; 144 145 options->max_auth_tries = -1; 146 options->max_auth_tries_log = -1; 147 148 options->max_init_auth_tries = -1; 149 options->max_init_auth_tries_log = -1; 150 151 options->lookup_client_hostnames = -1; 152 options->use_openssl_engine = -1; 153 options->chroot_directory = NULL; 154 options->pre_userauth_hook = NULL; 155 options->pam_service_name = NULL; 156 options->pam_service_prefix = NULL; 157 } 158 159 #ifdef HAVE_DEFOPEN 160 /* 161 * Reads /etc/default/login and defaults several ServerOptions: 162 * 163 * PermitRootLogin 164 * PermitEmptyPasswords 165 * LoginGraceTime 166 * 167 * CONSOLE=* -> PermitRootLogin=without-password 168 * #CONSOLE=* -> PermitRootLogin=yes 169 * 170 * PASSREQ=YES -> PermitEmptyPasswords=no 171 * PASSREQ=NO -> PermitEmptyPasswords=yes 172 * #PASSREQ=* -> PermitEmptyPasswords=no 173 * 174 * TIMEOUT=<secs> -> LoginGraceTime=<secs> 175 * #TIMEOUT=<secs> -> LoginGraceTime=300 176 */ 177 static 178 void 179 deflt_fill_default_server_options(ServerOptions *options) 180 { 181 int flags; 182 char *ptr; 183 184 if (defopen(_PATH_DEFAULT_LOGIN)) 185 return; 186 187 /* Ignore case */ 188 flags = defcntl(DC_GETFLAGS, 0); 189 TURNOFF(flags, DC_CASE); 190 (void) defcntl(DC_SETFLAGS, flags); 191 192 if (options->permit_root_login == PERMIT_NOT_SET && 193 (ptr = defread("CONSOLE=")) != NULL) 194 options->permit_root_login = PERMIT_NO_PASSWD; 195 196 if (options->permit_empty_passwd == -1 && 197 (ptr = defread("PASSREQ=")) != NULL) { 198 if (strcasecmp("YES", ptr) == 0) 199 options->permit_empty_passwd = 0; 200 else if (strcasecmp("NO", ptr) == 0) 201 options->permit_empty_passwd = 1; 202 } 203 204 if (options->max_init_auth_tries == -1 && 205 (ptr = defread("RETRIES=")) != NULL) { 206 options->max_init_auth_tries = atoi(ptr); 207 } 208 209 if (options->max_init_auth_tries_log == -1 && 210 (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) { 211 options->max_init_auth_tries_log = atoi(ptr); 212 } 213 214 if (options->login_grace_time == -1) { 215 if ((ptr = defread("TIMEOUT=")) != NULL) 216 options->login_grace_time = (unsigned)atoi(ptr); 217 else 218 options->login_grace_time = 300; 219 } 220 221 (void) defopen((char *)NULL); 222 } 223 #endif /* HAVE_DEFOPEN */ 224 225 void 226 fill_default_server_options(ServerOptions *options) 227 { 228 229 #ifdef HAVE_DEFOPEN 230 deflt_fill_default_server_options(options); 231 #endif /* HAVE_DEFOPEN */ 232 233 /* Standard Options */ 234 if (options->protocol == SSH_PROTO_UNKNOWN) 235 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 236 if (options->num_host_key_files == 0) { 237 /* fill default hostkeys for protocols */ 238 if (options->protocol & SSH_PROTO_1) 239 options->host_key_files[options->num_host_key_files++] = 240 _PATH_HOST_KEY_FILE; 241 #ifndef GSSAPI 242 /* With GSS keyex we can run v2 w/ no host keys */ 243 if (options->protocol & SSH_PROTO_2) { 244 options->host_key_files[options->num_host_key_files++] = 245 _PATH_HOST_RSA_KEY_FILE; 246 options->host_key_files[options->num_host_key_files++] = 247 _PATH_HOST_DSA_KEY_FILE; 248 } 249 #endif /* GSSAPI */ 250 } 251 if (options->num_ports == 0) 252 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 253 if (options->listen_addrs == NULL) 254 add_listen_addr(options, NULL, 0); 255 if (options->pid_file == NULL) 256 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 257 if (options->server_key_bits == -1) 258 options->server_key_bits = 768; 259 if (options->login_grace_time == -1) 260 options->login_grace_time = 120; 261 if (options->key_regeneration_time == -1) 262 options->key_regeneration_time = 3600; 263 if (options->permit_root_login == PERMIT_NOT_SET) 264 options->permit_root_login = PERMIT_YES; 265 if (options->ignore_rhosts == -1) 266 options->ignore_rhosts = 1; 267 if (options->ignore_user_known_hosts == -1) 268 options->ignore_user_known_hosts = 0; 269 if (options->print_motd == -1) 270 options->print_motd = 1; 271 if (options->print_lastlog == -1) 272 options->print_lastlog = 1; 273 if (options->x11_forwarding == -1) 274 options->x11_forwarding = 1; 275 if (options->x11_display_offset == -1) 276 options->x11_display_offset = 10; 277 if (options->x11_use_localhost == -1) 278 options->x11_use_localhost = 1; 279 if (options->xauth_location == NULL) 280 options->xauth_location = _PATH_XAUTH; 281 if (options->strict_modes == -1) 282 options->strict_modes = 1; 283 if (options->keepalives == -1) 284 options->keepalives = 1; 285 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 286 options->log_facility = SYSLOG_FACILITY_AUTH; 287 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 288 options->log_level = SYSLOG_LEVEL_INFO; 289 if (options->rhosts_authentication == -1) 290 options->rhosts_authentication = 0; 291 if (options->rhosts_rsa_authentication == -1) 292 options->rhosts_rsa_authentication = 0; 293 if (options->hostbased_authentication == -1) 294 options->hostbased_authentication = 0; 295 if (options->hostbased_uses_name_from_packet_only == -1) 296 options->hostbased_uses_name_from_packet_only = 0; 297 if (options->rsa_authentication == -1) 298 options->rsa_authentication = 1; 299 if (options->pubkey_authentication == -1) 300 options->pubkey_authentication = 1; 301 #ifdef GSSAPI 302 if (options->gss_authentication == -1) 303 options->gss_authentication = 1; 304 if (options->gss_keyex == -1) 305 options->gss_keyex = 1; 306 if (options->gss_store_creds == -1) 307 options->gss_store_creds = 1; 308 if (options->gss_use_session_ccache == -1) 309 options->gss_use_session_ccache = 1; 310 if (options->gss_cleanup_creds == -1) 311 options->gss_cleanup_creds = 1; 312 #endif 313 #if defined(KRB4) || defined(KRB5) 314 if (options->kerberos_authentication == -1) 315 options->kerberos_authentication = 0; 316 if (options->kerberos_or_local_passwd == -1) 317 options->kerberos_or_local_passwd = 1; 318 if (options->kerberos_ticket_cleanup == -1) 319 options->kerberos_ticket_cleanup = 1; 320 #endif 321 #if defined(AFS) || defined(KRB5) 322 if (options->kerberos_tgt_passing == -1) 323 options->kerberos_tgt_passing = 0; 324 #endif 325 #ifdef AFS 326 if (options->afs_token_passing == -1) 327 options->afs_token_passing = 0; 328 #endif 329 if (options->password_authentication == -1) 330 options->password_authentication = 1; 331 /* 332 * options->pam_authentication_via_kbd_int has intentionally no default 333 * value since we do not need it. 334 */ 335 if (options->kbd_interactive_authentication == -1) 336 options->kbd_interactive_authentication = 1; 337 if (options->challenge_response_authentication == -1) 338 options->challenge_response_authentication = 1; 339 if (options->permit_empty_passwd == -1) 340 options->permit_empty_passwd = 0; 341 if (options->permit_user_env == -1) 342 options->permit_user_env = 0; 343 if (options->compression == -1) 344 options->compression = 1; 345 if (options->allow_tcp_forwarding == -1) 346 options->allow_tcp_forwarding = 1; 347 if (options->gateway_ports == -1) 348 options->gateway_ports = 0; 349 if (options->max_startups == -1) 350 options->max_startups = 10; 351 if (options->max_startups_rate == -1) 352 options->max_startups_rate = 100; /* 100% */ 353 if (options->max_startups_begin == -1) 354 options->max_startups_begin = options->max_startups; 355 if (options->verify_reverse_mapping == -1) 356 options->verify_reverse_mapping = 0; 357 if (options->client_alive_interval == -1) 358 options->client_alive_interval = 0; 359 if (options->client_alive_count_max == -1) 360 options->client_alive_count_max = 3; 361 if (options->authorized_keys_file2 == NULL) { 362 /* authorized_keys_file2 falls back to authorized_keys_file */ 363 if (options->authorized_keys_file != NULL) 364 options->authorized_keys_file2 = options->authorized_keys_file; 365 else 366 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 367 } 368 if (options->authorized_keys_file == NULL) 369 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 370 371 if (options->max_auth_tries == -1) 372 options->max_auth_tries = AUTH_FAIL_MAX; 373 if (options->max_auth_tries_log == -1) 374 options->max_auth_tries_log = options->max_auth_tries / 2; 375 376 if (options->max_init_auth_tries == -1) 377 options->max_init_auth_tries = AUTH_FAIL_MAX; 378 if (options->max_init_auth_tries_log == -1) 379 options->max_init_auth_tries_log = options->max_init_auth_tries / 2; 380 381 if (options->lookup_client_hostnames == -1) 382 options->lookup_client_hostnames = 1; 383 if (options->use_openssl_engine == -1) 384 options->use_openssl_engine = 1; 385 if (options->pam_service_prefix == NULL) 386 options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; 387 if (options->pam_service_name == NULL) 388 options->pam_service_name = NULL; 389 } 390 391 /* Keyword tokens. */ 392 typedef enum { 393 sBadOption, /* == unknown option */ 394 /* Portable-specific options */ 395 sPAMAuthenticationViaKbdInt, 396 /* Standard Options */ 397 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 398 sPermitRootLogin, sLogFacility, sLogLevel, 399 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 400 #ifdef GSSAPI 401 sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds, 402 sGssUseSessionCredCache, sGssCleanupCreds, 403 #endif /* GSSAPI */ 404 #if defined(KRB4) || defined(KRB5) 405 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 406 #endif 407 #if defined(AFS) || defined(KRB5) 408 sKerberosTgtPassing, 409 #endif 410 #ifdef AFS 411 sAFSTokenPassing, 412 #endif 413 sChallengeResponseAuthentication, 414 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 415 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 416 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 417 sStrictModes, sEmptyPasswd, sKeepAlives, 418 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 419 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 420 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 421 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 422 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 423 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 424 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 425 sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation, 426 sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory, 427 sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName, 428 sDeprecated 429 } ServerOpCodes; 430 431 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 432 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 433 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 434 435 /* Textual representation of the tokens. */ 436 static struct { 437 const char *name; 438 ServerOpCodes opcode; 439 u_int flags; 440 } keywords[] = { 441 /* Portable-specific options */ 442 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL }, 443 /* Standard Options */ 444 { "port", sPort, SSHCFG_GLOBAL }, 445 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 446 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 447 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 448 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 449 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 450 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 451 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 452 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 453 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 454 { "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL }, 455 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 456 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 457 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 458 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 459 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 460 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 461 #ifdef GSSAPI 462 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 463 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 464 { "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL }, 465 { "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL }, /* alias */ 466 { "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL }, /* alias */ 467 { "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL }, /* alias */ 468 #ifndef SUNW_GSSAPI 469 { "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 470 { "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 471 { "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, 472 #endif /* SUNW_GSSAPI */ 473 #endif 474 #if defined(KRB4) || defined(KRB5) 475 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 476 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 477 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 478 #endif 479 #if defined(AFS) || defined(KRB5) 480 { "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL }, 481 #endif 482 #ifdef AFS 483 { "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL }, 484 #endif 485 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 486 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 487 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 488 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 489 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 490 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 491 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 492 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 493 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 494 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 495 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 496 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 497 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 498 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 499 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 500 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 501 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 502 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 503 { "compression", sCompression, SSHCFG_GLOBAL }, 504 { "keepalive", sKeepAlives, SSHCFG_GLOBAL }, 505 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 506 { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, 507 { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, 508 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, 509 { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, 510 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 511 { "macs", sMacs, SSHCFG_GLOBAL}, 512 { "protocol", sProtocol,SSHCFG_GLOBAL }, 513 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 514 { "subsystem", sSubsystem, SSHCFG_GLOBAL}, 515 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 516 { "banner", sBanner, SSHCFG_ALL }, 517 { "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL }, 518 { "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL }, 519 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 520 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 521 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, 522 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, 523 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 524 { "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL }, 525 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, 526 { "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL }, 527 { "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL }, 528 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 529 { "preuserauthhook", sPreUserauthHook, SSHCFG_ALL}, 530 { "match", sMatch, SSHCFG_ALL }, 531 { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, 532 { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, 533 534 { NULL, sBadOption, 0 } 535 }; 536 537 /* 538 * Returns the number of the token pointed to by cp or sBadOption. 539 */ 540 541 static ServerOpCodes 542 parse_token(const char *cp, const char *filename, 543 int linenum, u_int *flags) 544 { 545 u_int i; 546 547 for (i = 0; keywords[i].name; i++) 548 if (strcasecmp(cp, keywords[i].name) == 0) { 549 *flags = keywords[i].flags; 550 return keywords[i].opcode; 551 } 552 553 error("%s: line %d: Bad configuration option: %s", 554 filename, linenum, cp); 555 return sBadOption; 556 } 557 558 static void 559 add_listen_addr(ServerOptions *options, char *addr, u_short port) 560 { 561 int i; 562 563 if (options->num_ports == 0) 564 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 565 if (port == 0) 566 for (i = 0; i < options->num_ports; i++) 567 add_one_listen_addr(options, addr, options->ports[i]); 568 else 569 add_one_listen_addr(options, addr, port); 570 } 571 572 static void 573 add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 574 { 575 struct addrinfo hints, *ai, *aitop; 576 char strport[NI_MAXSERV]; 577 int gaierr; 578 579 (void) memset(&hints, 0, sizeof(hints)); 580 hints.ai_family = IPv4or6; 581 hints.ai_socktype = SOCK_STREAM; 582 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 583 (void) snprintf(strport, sizeof strport, "%u", port); 584 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 585 fatal("bad addr or host: %s (%s)", 586 addr ? addr : "<NULL>", 587 gai_strerror(gaierr)); 588 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 589 ; 590 ai->ai_next = options->listen_addrs; 591 options->listen_addrs = aitop; 592 } 593 594 /* 595 * The strategy for the Match blocks is that the config file is parsed twice. 596 * 597 * The first time is at startup. activep is initialized to 1 and the 598 * directives in the global context are processed and acted on. Hitting a 599 * Match directive unsets activep and the directives inside the block are 600 * checked for syntax only. 601 * 602 * The second time is after a connection has been established but before 603 * authentication. activep is initialized to 2 and global config directives 604 * are ignored since they have already been processed. If the criteria in a 605 * Match block is met, activep is set and the subsequent directives 606 * processed and actioned until EOF or another Match block unsets it. Any 607 * options set are copied into the main server config. 608 * 609 * Potential additions/improvements: 610 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 611 * 612 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 613 * Match Address 192.168.0.* 614 * Tag trusted 615 * Match Group wheel 616 * Tag trusted 617 * Match Tag trusted 618 * AllowTcpForwarding yes 619 * GatewayPorts clientspecified 620 * [...] 621 * 622 * - Add a PermittedChannelRequests directive 623 * Match Group shell 624 * PermittedChannelRequests session,forwarded-tcpip 625 */ 626 627 static int 628 match_cfg_line_group(const char *grps, int line, const char *user) 629 { 630 int result = 0; 631 struct passwd *pw; 632 633 if (user == NULL) 634 goto out; 635 636 if ((pw = getpwnam(user)) == NULL) { 637 debug("Can't match group at line %d because user %.100s does " 638 "not exist", line, user); 639 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 640 debug("Can't Match group because user %.100s not in any group " 641 "at line %d", user, line); 642 } else if (ga_match_pattern_list(grps) != 1) { 643 debug("user %.100s does not match group list %.100s at line %d", 644 user, grps, line); 645 } else { 646 debug("user %.100s matched group list %.100s at line %d", user, 647 grps, line); 648 result = 1; 649 } 650 out: 651 ga_free(); 652 return result; 653 } 654 655 static int 656 match_cfg_line(char **condition, int line, const char *user, const char *host, 657 const char *address) 658 { 659 int result = 1; 660 char *arg, *attrib, *cp = *condition; 661 size_t len; 662 663 if (user == NULL) 664 debug3("checking syntax for 'Match %s'", cp); 665 else 666 debug3("checking match for '%s' user %s host %s addr %s", cp, 667 user ? user : "(null)", host ? host : "(null)", 668 address ? address : "(null)"); 669 670 while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') { 671 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 672 error("Missing Match criteria for %s", attrib); 673 return -1; 674 } 675 len = strlen(arg); 676 if (strcasecmp(attrib, "user") == 0) { 677 if (!user) { 678 result = 0; 679 continue; 680 } 681 if (match_pattern_list(user, arg, len, 0) != 1) 682 result = 0; 683 else 684 debug("user %.100s matched 'User %.100s' at " 685 "line %d", user, arg, line); 686 } else if (strcasecmp(attrib, "group") == 0) { 687 switch (match_cfg_line_group(arg, line, user)) { 688 case -1: 689 return -1; 690 case 0: 691 result = 0; 692 } 693 } else if (strcasecmp(attrib, "host") == 0) { 694 if (!host) { 695 result = 0; 696 continue; 697 } 698 if (match_hostname(host, arg, len) != 1) 699 result = 0; 700 else 701 debug("connection from %.100s matched 'Host " 702 "%.100s' at line %d", host, arg, line); 703 } else if (strcasecmp(attrib, "address") == 0) { 704 switch (addr_match_list(address, arg)) { 705 case 1: 706 debug("connection from %.100s matched 'Address " 707 "%.100s' at line %d", address, arg, line); 708 break; 709 case 0: 710 case -1: 711 result = 0; 712 break; 713 case -2: 714 return -1; 715 } 716 } else { 717 error("Unsupported Match attribute %s", attrib); 718 return -1; 719 } 720 } 721 if (user != NULL) 722 debug3("match %sfound", result ? "" : "not "); 723 *condition = cp; 724 return result; 725 } 726 727 #define WHITESPACE " \t\r\n" 728 729 int 730 process_server_config_line(ServerOptions *options, char *line, 731 const char *filename, int linenum, int *activep, const char *user, 732 const char *host, const char *address) 733 { 734 char *cp, **charptr, *arg, *p; 735 int cmdline = 0, *intptr, value, n; 736 ServerOpCodes opcode; 737 u_int i, flags = 0; 738 size_t len; 739 740 cp = line; 741 arg = strdelim(&cp); 742 /* Ignore leading whitespace */ 743 if (*arg == '\0') 744 arg = strdelim(&cp); 745 if (!arg || !*arg || *arg == '#') 746 return 0; 747 intptr = NULL; 748 charptr = NULL; 749 opcode = parse_token(arg, filename, linenum, &flags); 750 751 if (activep == NULL) { /* We are processing a command line directive */ 752 cmdline = 1; 753 activep = &cmdline; 754 } 755 if (*activep && opcode != sMatch) 756 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 757 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 758 if (user == NULL) { 759 fatal("%s line %d: Directive '%s' is not allowed " 760 "within a Match block", filename, linenum, arg); 761 } else { /* this is a directive we have already processed */ 762 while (arg) 763 arg = strdelim(&cp); 764 return 0; 765 } 766 } 767 768 switch (opcode) { 769 /* Portable-specific options */ 770 case sPAMAuthenticationViaKbdInt: 771 log("%s line %d: PAMAuthenticationViaKbdInt has been " 772 "deprecated. You should use KbdInteractiveAuthentication " 773 "instead (which defaults to \"yes\").", filename, linenum); 774 intptr = &options->pam_authentication_via_kbd_int; 775 goto parse_flag; 776 777 /* Standard Options */ 778 case sBadOption: 779 return -1; 780 case sPort: 781 /* ignore ports from configfile if cmdline specifies ports */ 782 if (options->ports_from_cmdline) 783 return 0; 784 if (options->listen_addrs != NULL) 785 fatal("%s line %d: ports must be specified before " 786 "ListenAddress.", filename, linenum); 787 if (options->num_ports >= MAX_PORTS) 788 fatal("%s line %d: too many ports.", 789 filename, linenum); 790 arg = strdelim(&cp); 791 if (!arg || *arg == '\0') 792 fatal("%s line %d: missing port number.", 793 filename, linenum); 794 options->ports[options->num_ports++] = a2port(arg); 795 if (options->ports[options->num_ports-1] == 0) 796 fatal("%s line %d: Badly formatted port number.", 797 filename, linenum); 798 break; 799 800 case sServerKeyBits: 801 intptr = &options->server_key_bits; 802 parse_int: 803 arg = strdelim(&cp); 804 if (!arg || *arg == '\0') 805 fatal("%s line %d: missing integer value.", 806 filename, linenum); 807 value = atoi(arg); 808 if (*activep && *intptr == -1) 809 *intptr = value; 810 break; 811 812 case sLoginGraceTime: 813 intptr = &options->login_grace_time; 814 parse_time: 815 arg = strdelim(&cp); 816 if (!arg || *arg == '\0') 817 fatal("%s line %d: missing time value.", 818 filename, linenum); 819 if ((value = convtime(arg)) == -1) 820 fatal("%s line %d: invalid time value.", 821 filename, linenum); 822 if (*intptr == -1) 823 *intptr = value; 824 break; 825 826 case sKeyRegenerationTime: 827 intptr = &options->key_regeneration_time; 828 goto parse_time; 829 830 case sListenAddress: 831 arg = strdelim(&cp); 832 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 833 fatal("%s line %d: missing inet addr.", 834 filename, linenum); 835 if (*arg == '[') { 836 if ((p = strchr(arg, ']')) == NULL) 837 fatal("%s line %d: bad ipv6 inet addr usage.", 838 filename, linenum); 839 arg++; 840 (void) memmove(p, p+1, strlen(p+1)+1); 841 } else if (((p = strchr(arg, ':')) == NULL) || 842 (strchr(p+1, ':') != NULL)) { 843 add_listen_addr(options, arg, 0); 844 break; 845 } 846 if (*p == ':') { 847 u_short port; 848 849 p++; 850 if (*p == '\0') 851 fatal("%s line %d: bad inet addr:port usage.", 852 filename, linenum); 853 else { 854 *(p-1) = '\0'; 855 if ((port = a2port(p)) == 0) 856 fatal("%s line %d: bad port number.", 857 filename, linenum); 858 add_listen_addr(options, arg, port); 859 } 860 } else if (*p == '\0') 861 add_listen_addr(options, arg, 0); 862 else 863 fatal("%s line %d: bad inet addr usage.", 864 filename, linenum); 865 break; 866 867 case sHostKeyFile: 868 intptr = &options->num_host_key_files; 869 if (*intptr >= MAX_HOSTKEYS) 870 fatal("%s line %d: too many host keys specified (max %d).", 871 filename, linenum, MAX_HOSTKEYS); 872 charptr = &options->host_key_files[*intptr]; 873 parse_filename: 874 arg = strdelim(&cp); 875 if (!arg || *arg == '\0') 876 fatal("%s line %d: missing file name.", 877 filename, linenum); 878 if (*activep && *charptr == NULL) { 879 *charptr = tilde_expand_filename(arg, getuid()); 880 /* increase optional counter */ 881 if (intptr != NULL) 882 *intptr = *intptr + 1; 883 } 884 break; 885 886 case sPidFile: 887 charptr = &options->pid_file; 888 goto parse_filename; 889 890 case sPermitRootLogin: 891 intptr = &options->permit_root_login; 892 arg = strdelim(&cp); 893 if (!arg || *arg == '\0') 894 fatal("%s line %d: missing yes/" 895 "without-password/forced-commands-only/no " 896 "argument.", filename, linenum); 897 value = 0; /* silence compiler */ 898 if (strcmp(arg, "without-password") == 0) 899 value = PERMIT_NO_PASSWD; 900 else if (strcmp(arg, "forced-commands-only") == 0) 901 value = PERMIT_FORCED_ONLY; 902 else if (strcmp(arg, "yes") == 0) 903 value = PERMIT_YES; 904 else if (strcmp(arg, "no") == 0) 905 value = PERMIT_NO; 906 else 907 fatal("%s line %d: Bad yes/" 908 "without-password/forced-commands-only/no " 909 "argument: %s", filename, linenum, arg); 910 if (*activep && *intptr == -1) 911 *intptr = value; 912 break; 913 914 case sIgnoreRhosts: 915 intptr = &options->ignore_rhosts; 916 parse_flag: 917 arg = strdelim(&cp); 918 if (!arg || *arg == '\0') 919 fatal("%s line %d: missing yes/no argument.", 920 filename, linenum); 921 value = 0; /* silence compiler */ 922 if (strcmp(arg, "yes") == 0) 923 value = 1; 924 else if (strcmp(arg, "no") == 0) 925 value = 0; 926 else 927 fatal("%s line %d: Bad yes/no argument: %s", 928 filename, linenum, arg); 929 if (*activep && *intptr == -1) 930 *intptr = value; 931 break; 932 933 case sIgnoreUserKnownHosts: 934 intptr = &options->ignore_user_known_hosts; 935 goto parse_flag; 936 937 case sRhostsAuthentication: 938 intptr = &options->rhosts_authentication; 939 goto parse_flag; 940 941 case sRhostsRSAAuthentication: 942 intptr = &options->rhosts_rsa_authentication; 943 goto parse_flag; 944 945 case sHostbasedAuthentication: 946 intptr = &options->hostbased_authentication; 947 goto parse_flag; 948 949 case sHostbasedUsesNameFromPacketOnly: 950 intptr = &options->hostbased_uses_name_from_packet_only; 951 goto parse_flag; 952 953 case sRSAAuthentication: 954 intptr = &options->rsa_authentication; 955 goto parse_flag; 956 957 case sPubkeyAuthentication: 958 intptr = &options->pubkey_authentication; 959 goto parse_flag; 960 #ifdef GSSAPI 961 case sGssAuthentication: 962 intptr = &options->gss_authentication; 963 goto parse_flag; 964 case sGssKeyEx: 965 intptr = &options->gss_keyex; 966 goto parse_flag; 967 case sGssStoreDelegCreds: 968 intptr = &options->gss_keyex; 969 goto parse_flag; 970 #ifndef SUNW_GSSAPI 971 case sGssUseSessionCredCache: 972 intptr = &options->gss_use_session_ccache; 973 goto parse_flag; 974 case sGssCleanupCreds: 975 intptr = &options->gss_cleanup_creds; 976 goto parse_flag; 977 #endif /* SUNW_GSSAPI */ 978 #endif /* GSSAPI */ 979 #if defined(KRB4) || defined(KRB5) 980 case sKerberosAuthentication: 981 intptr = &options->kerberos_authentication; 982 goto parse_flag; 983 984 case sKerberosOrLocalPasswd: 985 intptr = &options->kerberos_or_local_passwd; 986 goto parse_flag; 987 988 case sKerberosTicketCleanup: 989 intptr = &options->kerberos_ticket_cleanup; 990 goto parse_flag; 991 #endif 992 #if defined(AFS) || defined(KRB5) 993 case sKerberosTgtPassing: 994 intptr = &options->kerberos_tgt_passing; 995 goto parse_flag; 996 #endif 997 #ifdef AFS 998 case sAFSTokenPassing: 999 intptr = &options->afs_token_passing; 1000 goto parse_flag; 1001 #endif 1002 1003 case sPasswordAuthentication: 1004 intptr = &options->password_authentication; 1005 goto parse_flag; 1006 1007 case sKbdInteractiveAuthentication: 1008 intptr = &options->kbd_interactive_authentication; 1009 goto parse_flag; 1010 1011 case sChallengeResponseAuthentication: 1012 intptr = &options->challenge_response_authentication; 1013 goto parse_flag; 1014 1015 case sPrintMotd: 1016 intptr = &options->print_motd; 1017 goto parse_flag; 1018 1019 case sPrintLastLog: 1020 intptr = &options->print_lastlog; 1021 goto parse_flag; 1022 1023 case sX11Forwarding: 1024 intptr = &options->x11_forwarding; 1025 goto parse_flag; 1026 1027 case sX11DisplayOffset: 1028 intptr = &options->x11_display_offset; 1029 goto parse_int; 1030 1031 case sX11UseLocalhost: 1032 intptr = &options->x11_use_localhost; 1033 goto parse_flag; 1034 1035 case sXAuthLocation: 1036 charptr = &options->xauth_location; 1037 goto parse_filename; 1038 1039 case sStrictModes: 1040 intptr = &options->strict_modes; 1041 goto parse_flag; 1042 1043 case sKeepAlives: 1044 intptr = &options->keepalives; 1045 goto parse_flag; 1046 1047 case sEmptyPasswd: 1048 intptr = &options->permit_empty_passwd; 1049 goto parse_flag; 1050 1051 case sPermitUserEnvironment: 1052 intptr = &options->permit_user_env; 1053 goto parse_flag; 1054 1055 case sUseLogin: 1056 log("%s line %d: ignoring UseLogin option value." 1057 " This option is always off.", filename, linenum); 1058 while (arg) 1059 arg = strdelim(&cp); 1060 break; 1061 1062 case sCompression: 1063 intptr = &options->compression; 1064 goto parse_flag; 1065 1066 case sGatewayPorts: 1067 intptr = &options->gateway_ports; 1068 arg = strdelim(&cp); 1069 if (!arg || *arg == '\0') 1070 fatal("%s line %d: missing yes/no/clientspecified " 1071 "argument.", filename, linenum); 1072 value = 0; /* silence compiler */ 1073 if (strcmp(arg, "clientspecified") == 0) 1074 value = 2; 1075 else if (strcmp(arg, "yes") == 0) 1076 value = 1; 1077 else if (strcmp(arg, "no") == 0) 1078 value = 0; 1079 else 1080 fatal("%s line %d: Bad yes/no/clientspecified " 1081 "argument: %s", filename, linenum, arg); 1082 if (*activep && *intptr == -1) 1083 *intptr = value; 1084 break; 1085 1086 case sVerifyReverseMapping: 1087 intptr = &options->verify_reverse_mapping; 1088 goto parse_flag; 1089 1090 case sLogFacility: 1091 intptr = (int *) &options->log_facility; 1092 arg = strdelim(&cp); 1093 value = log_facility_number(arg); 1094 if (value == SYSLOG_FACILITY_NOT_SET) 1095 fatal("%.200s line %d: unsupported log facility '%s'", 1096 filename, linenum, arg ? arg : "<NONE>"); 1097 if (*intptr == -1) 1098 *intptr = (SyslogFacility) value; 1099 break; 1100 1101 case sLogLevel: 1102 intptr = (int *) &options->log_level; 1103 arg = strdelim(&cp); 1104 value = log_level_number(arg); 1105 if (value == SYSLOG_LEVEL_NOT_SET) 1106 fatal("%.200s line %d: unsupported log level '%s'", 1107 filename, linenum, arg ? arg : "<NONE>"); 1108 if (*intptr == -1) 1109 *intptr = (LogLevel) value; 1110 break; 1111 1112 case sAllowTcpForwarding: 1113 intptr = &options->allow_tcp_forwarding; 1114 goto parse_flag; 1115 1116 case sUsePrivilegeSeparation: 1117 log("%s line %d: ignoring UsePrivilegeSeparation option value." 1118 " This option is always on.", filename, linenum); 1119 while (arg) 1120 arg = strdelim(&cp); 1121 break; 1122 1123 case sAllowUsers: 1124 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1125 if (options->num_allow_users >= MAX_ALLOW_USERS) 1126 fatal("%s line %d: too many allow users.", 1127 filename, linenum); 1128 options->allow_users[options->num_allow_users++] = 1129 xstrdup(arg); 1130 } 1131 break; 1132 1133 case sDenyUsers: 1134 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1135 if (options->num_deny_users >= MAX_DENY_USERS) 1136 fatal( "%s line %d: too many deny users.", 1137 filename, linenum); 1138 options->deny_users[options->num_deny_users++] = 1139 xstrdup(arg); 1140 } 1141 break; 1142 1143 case sAllowGroups: 1144 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1145 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1146 fatal("%s line %d: too many allow groups.", 1147 filename, linenum); 1148 options->allow_groups[options->num_allow_groups++] = 1149 xstrdup(arg); 1150 } 1151 break; 1152 1153 case sDenyGroups: 1154 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1155 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1156 fatal("%s line %d: too many deny groups.", 1157 filename, linenum); 1158 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1159 } 1160 break; 1161 1162 case sCiphers: 1163 arg = strdelim(&cp); 1164 if (!arg || *arg == '\0') 1165 fatal("%s line %d: Missing argument.", filename, linenum); 1166 if (!ciphers_valid(arg)) 1167 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1168 filename, linenum, arg ? arg : "<NONE>"); 1169 if (options->ciphers == NULL) 1170 options->ciphers = xstrdup(arg); 1171 break; 1172 1173 case sMacs: 1174 arg = strdelim(&cp); 1175 if (!arg || *arg == '\0') 1176 fatal("%s line %d: Missing argument.", filename, linenum); 1177 if (!mac_valid(arg)) 1178 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1179 filename, linenum, arg ? arg : "<NONE>"); 1180 if (options->macs == NULL) 1181 options->macs = xstrdup(arg); 1182 break; 1183 1184 case sProtocol: 1185 intptr = &options->protocol; 1186 arg = strdelim(&cp); 1187 if (!arg || *arg == '\0') 1188 fatal("%s line %d: Missing argument.", filename, linenum); 1189 value = proto_spec(arg); 1190 if (value == SSH_PROTO_UNKNOWN) 1191 fatal("%s line %d: Bad protocol spec '%s'.", 1192 filename, linenum, arg ? arg : "<NONE>"); 1193 if (*intptr == SSH_PROTO_UNKNOWN) 1194 *intptr = value; 1195 break; 1196 1197 case sSubsystem: 1198 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1199 fatal("%s line %d: too many subsystems defined.", 1200 filename, linenum); 1201 } 1202 arg = strdelim(&cp); 1203 if (!arg || *arg == '\0') 1204 fatal("%s line %d: Missing subsystem name.", 1205 filename, linenum); 1206 if (!*activep) { 1207 arg = strdelim(&cp); 1208 break; 1209 } 1210 for (i = 0; i < options->num_subsystems; i++) 1211 if (strcmp(arg, options->subsystem_name[i]) == 0) 1212 fatal("%s line %d: Subsystem '%s' already defined.", 1213 filename, linenum, arg); 1214 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1215 arg = strdelim(&cp); 1216 if (!arg || *arg == '\0') 1217 fatal("%s line %d: Missing subsystem command.", 1218 filename, linenum); 1219 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1220 1221 /* 1222 * Collect arguments (separate to executable), including the 1223 * name of the executable, in a way that is easier to parse 1224 * later. 1225 */ 1226 p = xstrdup(arg); 1227 len = strlen(p) + 1; 1228 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1229 len += 1 + strlen(arg); 1230 p = xrealloc(p, len); 1231 strlcat(p, " ", len); 1232 strlcat(p, arg, len); 1233 } 1234 options->subsystem_args[options->num_subsystems] = p; 1235 options->num_subsystems++; 1236 break; 1237 1238 case sMaxStartups: 1239 arg = strdelim(&cp); 1240 if (!arg || *arg == '\0') 1241 fatal("%s line %d: Missing MaxStartups spec.", 1242 filename, linenum); 1243 if ((n = sscanf(arg, "%d:%d:%d", 1244 &options->max_startups_begin, 1245 &options->max_startups_rate, 1246 &options->max_startups)) == 3) { 1247 if (options->max_startups_begin > 1248 options->max_startups || 1249 options->max_startups_rate > 100 || 1250 options->max_startups_rate < 1) 1251 fatal("%s line %d: Illegal MaxStartups spec.", 1252 filename, linenum); 1253 } else if (n != 1) 1254 fatal("%s line %d: Illegal MaxStartups spec.", 1255 filename, linenum); 1256 else 1257 options->max_startups = options->max_startups_begin; 1258 break; 1259 1260 case sBanner: 1261 charptr = &options->banner; 1262 goto parse_filename; 1263 /* 1264 * These options can contain %X options expanded at 1265 * connect time, so that you can specify paths like: 1266 * 1267 * AuthorizedKeysFile /etc/ssh_keys/%u 1268 */ 1269 case sAuthorizedKeysFile: 1270 case sAuthorizedKeysFile2: 1271 charptr = (opcode == sAuthorizedKeysFile) ? 1272 &options->authorized_keys_file : 1273 &options->authorized_keys_file2; 1274 goto parse_filename; 1275 1276 case sClientAliveInterval: 1277 intptr = &options->client_alive_interval; 1278 goto parse_time; 1279 1280 case sClientAliveCountMax: 1281 intptr = &options->client_alive_count_max; 1282 goto parse_int; 1283 1284 case sMaxAuthTries: 1285 intptr = &options->max_auth_tries; 1286 goto parse_int; 1287 1288 case sMaxAuthTriesLog: 1289 intptr = &options->max_auth_tries_log; 1290 goto parse_int; 1291 1292 case sLookupClientHostnames: 1293 intptr = &options->lookup_client_hostnames; 1294 goto parse_flag; 1295 1296 case sUseOpenSSLEngine: 1297 intptr = &options->use_openssl_engine; 1298 goto parse_flag; 1299 1300 case sChrootDirectory: 1301 charptr = &options->chroot_directory; 1302 1303 arg = strdelim(&cp); 1304 if (arg == NULL || *arg == '\0') 1305 fatal("%s line %d: missing directory name for " 1306 "ChrootDirectory.", filename, linenum); 1307 if (*activep && *charptr == NULL) 1308 *charptr = xstrdup(arg); 1309 break; 1310 1311 case sPreUserauthHook: 1312 charptr = &options->pre_userauth_hook; 1313 goto parse_filename; 1314 1315 case sMatch: 1316 if (cmdline) 1317 fatal("Match directive not supported as a command-line " 1318 "option"); 1319 value = match_cfg_line(&cp, linenum, user, host, address); 1320 if (value < 0) 1321 fatal("%s line %d: Bad Match condition", filename, 1322 linenum); 1323 *activep = value; 1324 break; 1325 1326 case sDeprecated: 1327 log("%s line %d: Deprecated option %s", 1328 filename, linenum, arg); 1329 while (arg) 1330 arg = strdelim(&cp); 1331 break; 1332 1333 case sPAMServicePrefix: 1334 arg = strdelim(&cp); 1335 if (!arg || *arg == '\0') 1336 fatal("%s line %d: Missing argument.", 1337 filename, linenum); 1338 if (options->pam_service_name != NULL) 1339 fatal("%s line %d: PAMServiceName and PAMServicePrefix " 1340 "are mutually exclusive.", filename, linenum); 1341 if (options->pam_service_prefix == NULL) 1342 options->pam_service_prefix = xstrdup(arg); 1343 break; 1344 1345 case sPAMServiceName: 1346 arg = strdelim(&cp); 1347 if (!arg || *arg == '\0') 1348 fatal("%s line %d: Missing argument.", 1349 filename, linenum); 1350 if (options->pam_service_prefix != NULL) 1351 fatal("%s line %d: PAMServiceName and PAMServicePrefix " 1352 "are mutually exclusive.", filename, linenum); 1353 if (options->pam_service_name == NULL) 1354 options->pam_service_name = xstrdup(arg); 1355 break; 1356 1357 default: 1358 fatal("%s line %d: Missing handler for opcode %s (%d)", 1359 filename, linenum, arg, opcode); 1360 } 1361 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1362 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1363 filename, linenum, arg); 1364 return 0; 1365 } 1366 1367 1368 /* Reads the server configuration file. */ 1369 1370 void 1371 load_server_config(const char *filename, Buffer *conf) 1372 { 1373 char line[1024], *cp; 1374 FILE *f; 1375 1376 debug2("%s: filename %s", __func__, filename); 1377 if ((f = fopen(filename, "r")) == NULL) { 1378 perror(filename); 1379 exit(1); 1380 } 1381 buffer_clear(conf); 1382 while (fgets(line, sizeof(line), f)) { 1383 /* 1384 * Trim out comments and strip whitespace 1385 * NB - preserve newlines, they are needed to reproduce 1386 * line numbers later for error messages 1387 */ 1388 if ((cp = strchr(line, '#')) != NULL) 1389 memcpy(cp, "\n", 2); 1390 cp = line + strspn(line, " \t\r"); 1391 1392 buffer_append(conf, cp, strlen(cp)); 1393 } 1394 buffer_append(conf, "\0", 1); 1395 fclose(f); 1396 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1397 } 1398 1399 void 1400 parse_server_match_config(ServerOptions *options, const char *user, 1401 const char *host, const char *address) 1402 { 1403 ServerOptions mo; 1404 1405 initialize_server_options(&mo); 1406 parse_server_config(&mo, "reprocess config", &cfg, user, host, address); 1407 copy_set_server_options(options, &mo, 0); 1408 } 1409 1410 1411 1412 /* Helper macros */ 1413 #define M_CP_INTOPT(n) do {\ 1414 if (src->n != -1) \ 1415 dst->n = src->n; \ 1416 } while (0) 1417 #define M_CP_STROPT(n) do {\ 1418 if (src->n != NULL) { \ 1419 if (dst->n != NULL) \ 1420 xfree(dst->n); \ 1421 dst->n = src->n; \ 1422 } \ 1423 } while(0) 1424 1425 /* 1426 * Copy any supported values that are set. 1427 * 1428 * If the preauth flag is set, we do not bother copying the the string or 1429 * array values that are not used pre-authentication, because any that we 1430 * do use must be explictly sent in mm_getpwnamallow(). 1431 */ 1432 void 1433 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1434 { 1435 M_CP_INTOPT(password_authentication); 1436 M_CP_INTOPT(gss_authentication); 1437 M_CP_INTOPT(rsa_authentication); 1438 M_CP_INTOPT(pubkey_authentication); 1439 M_CP_INTOPT(hostbased_authentication); 1440 M_CP_INTOPT(kbd_interactive_authentication); 1441 M_CP_INTOPT(permit_root_login); 1442 M_CP_INTOPT(permit_empty_passwd); 1443 M_CP_INTOPT(allow_tcp_forwarding); 1444 M_CP_INTOPT(gateway_ports); 1445 M_CP_INTOPT(x11_display_offset); 1446 M_CP_INTOPT(x11_forwarding); 1447 M_CP_INTOPT(x11_use_localhost); 1448 M_CP_INTOPT(max_auth_tries); 1449 M_CP_STROPT(banner); 1450 1451 if (preauth) 1452 return; 1453 M_CP_STROPT(chroot_directory); 1454 } 1455 1456 #undef M_CP_INTOPT 1457 #undef M_CP_STROPT 1458 1459 void 1460 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1461 const char *user, const char *host, const char *address) 1462 { 1463 int active, linenum, bad_options = 0; 1464 char *cp, *obuf, *cbuf; 1465 1466 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1467 1468 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1469 active = user ? 0 : 1; 1470 linenum = 1; 1471 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1472 if (process_server_config_line(options, cp, filename, 1473 linenum++, &active, user, host, address) != 0) 1474 bad_options++; 1475 } 1476 xfree(obuf); 1477 if (bad_options > 0) 1478 fatal("%s: terminating, %d bad configuration options", 1479 filename, bad_options); 1480 } 1481 1482 1483 /* 1484 * Note that "none" is a special path having the same affect on sshd 1485 * configuration as not specifying ChrootDirectory at all. 1486 */ 1487 int 1488 chroot_requested(char *chroot_directory) 1489 { 1490 return (chroot_directory != NULL && 1491 strcasecmp(chroot_directory, "none") != 0); 1492 }