1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 13 * Copyright 2013 Joyent, Inc. All rights reserved. 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 18 19 #ifdef HAVE_DEFOPEN 20 #include <deflt.h> 21 #endif /* HAVE_DEFOPEN */ 22 23 #if defined(KRB4) 24 #include <krb.h> 25 #endif 26 #if defined(KRB5) 27 #ifdef HEIMDAL 28 #include <krb.h> 29 #else 30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 31 * keytab */ 32 #define KEYFILE "/etc/krb5.keytab" 33 #endif 34 #endif 35 #ifdef AFS 36 #include <kafs.h> 37 #endif 38 39 #include "ssh.h" 40 #include "log.h" 41 #include "buffer.h" 42 #include "servconf.h" 43 #include "xmalloc.h" 44 #include "compat.h" 45 #include "pathnames.h" 46 #include "tildexpand.h" 47 #include "misc.h" 48 #include "cipher.h" 49 #include "kex.h" 50 #include "mac.h" 51 #include "auth.h" 52 #include "match.h" 53 #include "groupaccess.h" 54 55 static void add_listen_addr(ServerOptions *, char *, u_short); 56 static void add_one_listen_addr(ServerOptions *, char *, u_short); 57 58 extern Buffer cfg; 59 60 /* AF_UNSPEC or AF_INET or AF_INET6 */ 61 extern int IPv4or6; 62 63 /* 64 * Initializes the server options to their initial (unset) values. Some of those 65 * that stay unset after the command line options and configuration files are 66 * read are set to their default values in fill_default_server_options(). 67 */ 68 void 69 initialize_server_options(ServerOptions *options) 70 { 71 (void) memset(options, 0, sizeof(*options)); 72 73 /* Standard Options */ 74 options->num_ports = 0; 75 options->ports_from_cmdline = 0; 76 options->listen_addrs = NULL; 77 options->num_host_key_files = 0; 78 options->pid_file = NULL; 79 options->server_key_bits = -1; 80 options->login_grace_time = -1; 81 options->key_regeneration_time = -1; 82 options->permit_root_login = PERMIT_NOT_SET; 83 options->ignore_rhosts = -1; 84 options->ignore_user_known_hosts = -1; 85 options->print_motd = -1; 86 options->print_lastlog = -1; 87 options->x11_forwarding = -1; 88 options->x11_display_offset = -1; 89 options->x11_use_localhost = -1; 90 options->xauth_location = NULL; 91 options->strict_modes = -1; 92 options->keepalives = -1; 93 options->log_facility = SYSLOG_FACILITY_NOT_SET; 94 options->log_level = SYSLOG_LEVEL_NOT_SET; 95 options->rhosts_authentication = -1; 96 options->rhosts_rsa_authentication = -1; 97 options->hostbased_authentication = -1; 98 options->hostbased_uses_name_from_packet_only = -1; 99 options->rsa_authentication = -1; 100 options->pubkey_authentication = -1; 101 #ifdef GSSAPI 102 options->gss_authentication = -1; 103 options->gss_keyex = -1; 104 options->gss_store_creds = -1; 105 options->gss_use_session_ccache = -1; 106 options->gss_cleanup_creds = -1; 107 #endif 108 #if defined(KRB4) || defined(KRB5) 109 options->kerberos_authentication = -1; 110 options->kerberos_or_local_passwd = -1; 111 options->kerberos_ticket_cleanup = -1; 112 #endif 113 #if defined(AFS) || defined(KRB5) 114 options->kerberos_tgt_passing = -1; 115 #endif 116 #ifdef AFS 117 options->afs_token_passing = -1; 118 #endif 119 options->password_authentication = -1; 120 options->kbd_interactive_authentication = -1; 121 options->challenge_response_authentication = -1; 122 options->pam_authentication_via_kbd_int = -1; 123 options->permit_empty_passwd = -1; 124 options->permit_user_env = -1; 125 options->compression = -1; 126 options->allow_tcp_forwarding = -1; 127 options->num_allow_users = 0; 128 options->num_deny_users = 0; 129 options->num_allow_groups = 0; 130 options->num_deny_groups = 0; 131 options->ciphers = NULL; 132 options->macs = NULL; 133 options->protocol = SSH_PROTO_UNKNOWN; 134 options->gateway_ports = -1; 135 options->num_subsystems = 0; 136 options->max_startups_begin = -1; 137 options->max_startups_rate = -1; 138 options->max_startups = -1; 139 options->banner = NULL; 140 options->verify_reverse_mapping = -1; 141 options->client_alive_interval = -1; 142 options->client_alive_count_max = -1; 143 options->authorized_keys_file = NULL; 144 options->authorized_keys_file2 = NULL; 145 146 options->max_auth_tries = -1; 147 options->max_auth_tries_log = -1; 148 149 options->max_init_auth_tries = -1; 150 options->max_init_auth_tries_log = -1; 151 152 options->lookup_client_hostnames = -1; 153 options->use_openssl_engine = -1; 154 options->chroot_directory = NULL; 155 options->pre_userauth_hook = NULL; 156 options->pam_service_name = NULL; 157 options->pam_service_prefix = NULL; 158 } 159 160 #ifdef HAVE_DEFOPEN 161 /* 162 * Reads /etc/default/login and defaults several ServerOptions: 163 * 164 * PermitRootLogin 165 * PermitEmptyPasswords 166 * LoginGraceTime 167 * 168 * CONSOLE=* -> PermitRootLogin=without-password 169 * #CONSOLE=* -> PermitRootLogin=yes 170 * 171 * PASSREQ=YES -> PermitEmptyPasswords=no 172 * PASSREQ=NO -> PermitEmptyPasswords=yes 173 * #PASSREQ=* -> PermitEmptyPasswords=no 174 * 175 * TIMEOUT=<secs> -> LoginGraceTime=<secs> 176 * #TIMEOUT=<secs> -> LoginGraceTime=300 177 */ 178 static 179 void 180 deflt_fill_default_server_options(ServerOptions *options) 181 { 182 int flags; 183 char *ptr; 184 185 if (defopen(_PATH_DEFAULT_LOGIN)) 186 return; 187 188 /* Ignore case */ 189 flags = defcntl(DC_GETFLAGS, 0); 190 TURNOFF(flags, DC_CASE); 191 (void) defcntl(DC_SETFLAGS, flags); 192 193 if (options->permit_root_login == PERMIT_NOT_SET && 194 (ptr = defread("CONSOLE=")) != NULL) 195 options->permit_root_login = PERMIT_NO_PASSWD; 196 197 if (options->permit_empty_passwd == -1 && 198 (ptr = defread("PASSREQ=")) != NULL) { 199 if (strcasecmp("YES", ptr) == 0) 200 options->permit_empty_passwd = 0; 201 else if (strcasecmp("NO", ptr) == 0) 202 options->permit_empty_passwd = 1; 203 } 204 205 if (options->max_init_auth_tries == -1 && 206 (ptr = defread("RETRIES=")) != NULL) { 207 options->max_init_auth_tries = atoi(ptr); 208 } 209 210 if (options->max_init_auth_tries_log == -1 && 211 (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) { 212 options->max_init_auth_tries_log = atoi(ptr); 213 } 214 215 if (options->login_grace_time == -1) { 216 if ((ptr = defread("TIMEOUT=")) != NULL) 217 options->login_grace_time = (unsigned)atoi(ptr); 218 else 219 options->login_grace_time = 300; 220 } 221 222 (void) defopen((char *)NULL); 223 } 224 #endif /* HAVE_DEFOPEN */ 225 226 void 227 fill_default_server_options(ServerOptions *options) 228 { 229 230 #ifdef HAVE_DEFOPEN 231 deflt_fill_default_server_options(options); 232 #endif /* HAVE_DEFOPEN */ 233 234 /* Standard Options */ 235 if (options->protocol == SSH_PROTO_UNKNOWN) 236 options->protocol = SSH_PROTO_1|SSH_PROTO_2; 237 if (options->num_host_key_files == 0) { 238 /* fill default hostkeys for protocols */ 239 if (options->protocol & SSH_PROTO_1) 240 options->host_key_files[options->num_host_key_files++] = 241 _PATH_HOST_KEY_FILE; 242 #ifndef GSSAPI 243 /* With GSS keyex we can run v2 w/ no host keys */ 244 if (options->protocol & SSH_PROTO_2) { 245 options->host_key_files[options->num_host_key_files++] = 246 _PATH_HOST_RSA_KEY_FILE; 247 options->host_key_files[options->num_host_key_files++] = 248 _PATH_HOST_DSA_KEY_FILE; 249 } 250 #endif /* GSSAPI */ 251 } 252 if (options->num_ports == 0) 253 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 254 if (options->listen_addrs == NULL) 255 add_listen_addr(options, NULL, 0); 256 if (options->pid_file == NULL) 257 options->pid_file = _PATH_SSH_DAEMON_PID_FILE; 258 if (options->server_key_bits == -1) 259 options->server_key_bits = 768; 260 if (options->login_grace_time == -1) 261 options->login_grace_time = 120; 262 if (options->key_regeneration_time == -1) 263 options->key_regeneration_time = 3600; 264 if (options->permit_root_login == PERMIT_NOT_SET) 265 options->permit_root_login = PERMIT_YES; 266 if (options->ignore_rhosts == -1) 267 options->ignore_rhosts = 1; 268 if (options->ignore_user_known_hosts == -1) 269 options->ignore_user_known_hosts = 0; 270 if (options->print_motd == -1) 271 options->print_motd = 1; 272 if (options->print_lastlog == -1) 273 options->print_lastlog = 1; 274 if (options->x11_forwarding == -1) 275 options->x11_forwarding = 1; 276 if (options->x11_display_offset == -1) 277 options->x11_display_offset = 10; 278 if (options->x11_use_localhost == -1) 279 options->x11_use_localhost = 1; 280 if (options->xauth_location == NULL) 281 options->xauth_location = _PATH_XAUTH; 282 if (options->strict_modes == -1) 283 options->strict_modes = 1; 284 if (options->keepalives == -1) 285 options->keepalives = 1; 286 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 287 options->log_facility = SYSLOG_FACILITY_AUTH; 288 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 289 options->log_level = SYSLOG_LEVEL_INFO; 290 if (options->rhosts_authentication == -1) 291 options->rhosts_authentication = 0; 292 if (options->rhosts_rsa_authentication == -1) 293 options->rhosts_rsa_authentication = 0; 294 if (options->hostbased_authentication == -1) 295 options->hostbased_authentication = 0; 296 if (options->hostbased_uses_name_from_packet_only == -1) 297 options->hostbased_uses_name_from_packet_only = 0; 298 if (options->rsa_authentication == -1) 299 options->rsa_authentication = 1; 300 if (options->pubkey_authentication == -1) 301 options->pubkey_authentication = 1; 302 #ifdef GSSAPI 303 if (options->gss_authentication == -1) 304 options->gss_authentication = 1; 305 if (options->gss_keyex == -1) 306 options->gss_keyex = 1; 307 if (options->gss_store_creds == -1) 308 options->gss_store_creds = 1; 309 if (options->gss_use_session_ccache == -1) 310 options->gss_use_session_ccache = 1; 311 if (options->gss_cleanup_creds == -1) 312 options->gss_cleanup_creds = 1; 313 #endif 314 #if defined(KRB4) || defined(KRB5) 315 if (options->kerberos_authentication == -1) 316 options->kerberos_authentication = 0; 317 if (options->kerberos_or_local_passwd == -1) 318 options->kerberos_or_local_passwd = 1; 319 if (options->kerberos_ticket_cleanup == -1) 320 options->kerberos_ticket_cleanup = 1; 321 #endif 322 #if defined(AFS) || defined(KRB5) 323 if (options->kerberos_tgt_passing == -1) 324 options->kerberos_tgt_passing = 0; 325 #endif 326 #ifdef AFS 327 if (options->afs_token_passing == -1) 328 options->afs_token_passing = 0; 329 #endif 330 if (options->password_authentication == -1) 331 options->password_authentication = 1; 332 /* 333 * options->pam_authentication_via_kbd_int has intentionally no default 334 * value since we do not need it. 335 */ 336 if (options->kbd_interactive_authentication == -1) 337 options->kbd_interactive_authentication = 1; 338 if (options->challenge_response_authentication == -1) 339 options->challenge_response_authentication = 1; 340 if (options->permit_empty_passwd == -1) 341 options->permit_empty_passwd = 0; 342 if (options->permit_user_env == -1) 343 options->permit_user_env = 0; 344 if (options->compression == -1) 345 options->compression = 1; 346 if (options->allow_tcp_forwarding == -1) 347 options->allow_tcp_forwarding = 1; 348 if (options->gateway_ports == -1) 349 options->gateway_ports = 0; 350 if (options->max_startups == -1) 351 options->max_startups = 10; 352 if (options->max_startups_rate == -1) 353 options->max_startups_rate = 100; /* 100% */ 354 if (options->max_startups_begin == -1) 355 options->max_startups_begin = options->max_startups; 356 if (options->verify_reverse_mapping == -1) 357 options->verify_reverse_mapping = 0; 358 if (options->client_alive_interval == -1) 359 options->client_alive_interval = 0; 360 if (options->client_alive_count_max == -1) 361 options->client_alive_count_max = 3; 362 if (options->authorized_keys_file2 == NULL) { 363 /* authorized_keys_file2 falls back to authorized_keys_file */ 364 if (options->authorized_keys_file != NULL) 365 options->authorized_keys_file2 = options->authorized_keys_file; 366 else 367 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; 368 } 369 if (options->authorized_keys_file == NULL) 370 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 371 372 if (options->max_auth_tries == -1) 373 options->max_auth_tries = AUTH_FAIL_MAX; 374 if (options->max_auth_tries_log == -1) 375 options->max_auth_tries_log = options->max_auth_tries / 2; 376 377 if (options->max_init_auth_tries == -1) 378 options->max_init_auth_tries = AUTH_FAIL_MAX; 379 if (options->max_init_auth_tries_log == -1) 380 options->max_init_auth_tries_log = options->max_init_auth_tries / 2; 381 382 if (options->lookup_client_hostnames == -1) 383 options->lookup_client_hostnames = 1; 384 if (options->use_openssl_engine == -1) 385 options->use_openssl_engine = 1; 386 if (options->pam_service_prefix == NULL) 387 options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; 388 if (options->pam_service_name == NULL) 389 options->pam_service_name = NULL; 390 } 391 392 /* Keyword tokens. */ 393 typedef enum { 394 sBadOption, /* == unknown option */ 395 /* Portable-specific options */ 396 sPAMAuthenticationViaKbdInt, 397 /* Standard Options */ 398 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, 399 sPermitRootLogin, sLogFacility, sLogLevel, 400 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 401 #ifdef GSSAPI 402 sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds, 403 sGssUseSessionCredCache, sGssCleanupCreds, 404 #endif /* GSSAPI */ 405 #if defined(KRB4) || defined(KRB5) 406 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 407 #endif 408 #if defined(AFS) || defined(KRB5) 409 sKerberosTgtPassing, 410 #endif 411 #ifdef AFS 412 sAFSTokenPassing, 413 #endif 414 sChallengeResponseAuthentication, 415 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 416 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 417 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 418 sStrictModes, sEmptyPasswd, sKeepAlives, 419 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 420 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 421 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 422 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 423 sBanner, sVerifyReverseMapping, sHostbasedAuthentication, 424 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 425 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 426 sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation, 427 sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory, 428 sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName, 429 sDeprecated 430 } ServerOpCodes; 431 432 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 433 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 434 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 435 436 /* Textual representation of the tokens. */ 437 static struct { 438 const char *name; 439 ServerOpCodes opcode; 440 u_int flags; 441 } keywords[] = { 442 /* Portable-specific options */ 443 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL }, 444 /* Standard Options */ 445 { "port", sPort, SSHCFG_GLOBAL }, 446 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 447 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 448 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 449 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 450 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 451 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 452 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 453 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 454 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 455 { "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL }, 456 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 457 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 458 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, 459 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 460 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 461 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 462 #ifdef GSSAPI 463 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 464 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 465 { "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL }, 466 { "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL }, /* alias */ 467 { "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL }, /* alias */ 468 { "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL }, /* alias */ 469 #ifndef SUNW_GSSAPI 470 { "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 471 { "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL }, 472 { "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, 473 #endif /* SUNW_GSSAPI */ 474 #endif 475 #if defined(KRB4) || defined(KRB5) 476 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 477 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 478 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 479 #endif 480 #if defined(AFS) || defined(KRB5) 481 { "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL }, 482 #endif 483 #ifdef AFS 484 { "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL }, 485 #endif 486 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 487 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 488 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 489 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 490 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 491 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 492 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 493 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 494 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 495 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 496 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 497 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 498 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 499 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 500 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 501 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 502 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 503 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 504 { "compression", sCompression, SSHCFG_GLOBAL }, 505 { "tcpkeepalive", sKeepAlives, SSHCFG_GLOBAL }, 506 { "keepalive", sKeepAlives, SSHCFG_GLOBAL }, /* obsolete */ 507 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 508 { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, 509 { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, 510 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, 511 { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, 512 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 513 { "macs", sMacs, SSHCFG_GLOBAL}, 514 { "protocol", sProtocol,SSHCFG_GLOBAL }, 515 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 516 { "subsystem", sSubsystem, SSHCFG_GLOBAL}, 517 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 518 { "banner", sBanner, SSHCFG_ALL }, 519 { "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL }, 520 { "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL }, 521 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 522 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 523 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, 524 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, 525 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 526 { "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL }, 527 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, 528 { "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL }, 529 { "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL }, 530 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 531 { "preuserauthhook", sPreUserauthHook, SSHCFG_ALL}, 532 { "match", sMatch, SSHCFG_ALL }, 533 { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, 534 { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, 535 536 { NULL, sBadOption, 0 } 537 }; 538 539 /* 540 * Returns the number of the token pointed to by cp or sBadOption. 541 */ 542 543 static ServerOpCodes 544 parse_token(const char *cp, const char *filename, 545 int linenum, u_int *flags) 546 { 547 u_int i; 548 549 for (i = 0; keywords[i].name; i++) 550 if (strcasecmp(cp, keywords[i].name) == 0) { 551 *flags = keywords[i].flags; 552 return keywords[i].opcode; 553 } 554 555 error("%s: line %d: Bad configuration option: %s", 556 filename, linenum, cp); 557 return sBadOption; 558 } 559 560 static void 561 add_listen_addr(ServerOptions *options, char *addr, u_short port) 562 { 563 int i; 564 565 if (options->num_ports == 0) 566 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 567 if (port == 0) 568 for (i = 0; i < options->num_ports; i++) 569 add_one_listen_addr(options, addr, options->ports[i]); 570 else 571 add_one_listen_addr(options, addr, port); 572 } 573 574 static void 575 add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 576 { 577 struct addrinfo hints, *ai, *aitop; 578 char strport[NI_MAXSERV]; 579 int gaierr; 580 581 (void) memset(&hints, 0, sizeof(hints)); 582 hints.ai_family = IPv4or6; 583 hints.ai_socktype = SOCK_STREAM; 584 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 585 (void) snprintf(strport, sizeof strport, "%u", port); 586 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 587 fatal("bad addr or host: %s (%s)", 588 addr ? addr : "<NULL>", 589 gai_strerror(gaierr)); 590 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 591 ; 592 ai->ai_next = options->listen_addrs; 593 options->listen_addrs = aitop; 594 } 595 596 /* 597 * The strategy for the Match blocks is that the config file is parsed twice. 598 * 599 * The first time is at startup. activep is initialized to 1 and the 600 * directives in the global context are processed and acted on. Hitting a 601 * Match directive unsets activep and the directives inside the block are 602 * checked for syntax only. 603 * 604 * The second time is after a connection has been established but before 605 * authentication. activep is initialized to 2 and global config directives 606 * are ignored since they have already been processed. If the criteria in a 607 * Match block is met, activep is set and the subsequent directives 608 * processed and actioned until EOF or another Match block unsets it. Any 609 * options set are copied into the main server config. 610 * 611 * Potential additions/improvements: 612 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 613 * 614 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 615 * Match Address 192.168.0.* 616 * Tag trusted 617 * Match Group wheel 618 * Tag trusted 619 * Match Tag trusted 620 * AllowTcpForwarding yes 621 * GatewayPorts clientspecified 622 * [...] 623 * 624 * - Add a PermittedChannelRequests directive 625 * Match Group shell 626 * PermittedChannelRequests session,forwarded-tcpip 627 */ 628 629 static int 630 match_cfg_line_group(const char *grps, int line, const char *user) 631 { 632 int result = 0; 633 struct passwd *pw; 634 635 if (user == NULL) 636 goto out; 637 638 if ((pw = getpwnam(user)) == NULL) { 639 debug("Can't match group at line %d because user %.100s does " 640 "not exist", line, user); 641 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 642 debug("Can't Match group because user %.100s not in any group " 643 "at line %d", user, line); 644 } else if (ga_match_pattern_list(grps) != 1) { 645 debug("user %.100s does not match group list %.100s at line %d", 646 user, grps, line); 647 } else { 648 debug("user %.100s matched group list %.100s at line %d", user, 649 grps, line); 650 result = 1; 651 } 652 out: 653 ga_free(); 654 return result; 655 } 656 657 static int 658 match_cfg_line(char **condition, int line, const char *user, const char *host, 659 const char *address) 660 { 661 int result = 1; 662 char *arg, *attrib, *cp = *condition; 663 size_t len; 664 665 if (user == NULL) 666 debug3("checking syntax for 'Match %s'", cp); 667 else 668 debug3("checking match for '%s' user %s host %s addr %s", cp, 669 user ? user : "(null)", host ? host : "(null)", 670 address ? address : "(null)"); 671 672 while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') { 673 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 674 error("Missing Match criteria for %s", attrib); 675 return -1; 676 } 677 len = strlen(arg); 678 if (strcasecmp(attrib, "user") == 0) { 679 if (!user) { 680 result = 0; 681 continue; 682 } 683 if (match_pattern_list(user, arg, len, 0) != 1) 684 result = 0; 685 else 686 debug("user %.100s matched 'User %.100s' at " 687 "line %d", user, arg, line); 688 } else if (strcasecmp(attrib, "group") == 0) { 689 switch (match_cfg_line_group(arg, line, user)) { 690 case -1: 691 return -1; 692 case 0: 693 result = 0; 694 } 695 } else if (strcasecmp(attrib, "host") == 0) { 696 if (!host) { 697 result = 0; 698 continue; 699 } 700 if (match_hostname(host, arg, len) != 1) 701 result = 0; 702 else 703 debug("connection from %.100s matched 'Host " 704 "%.100s' at line %d", host, arg, line); 705 } else if (strcasecmp(attrib, "address") == 0) { 706 switch (addr_match_list(address, arg)) { 707 case 1: 708 debug("connection from %.100s matched 'Address " 709 "%.100s' at line %d", address, arg, line); 710 break; 711 case 0: 712 case -1: 713 result = 0; 714 break; 715 case -2: 716 return -1; 717 } 718 } else { 719 error("Unsupported Match attribute %s", attrib); 720 return -1; 721 } 722 } 723 if (user != NULL) 724 debug3("match %sfound", result ? "" : "not "); 725 *condition = cp; 726 return result; 727 } 728 729 #define WHITESPACE " \t\r\n" 730 731 int 732 process_server_config_line(ServerOptions *options, char *line, 733 const char *filename, int linenum, int *activep, const char *user, 734 const char *host, const char *address) 735 { 736 char *cp, **charptr, *arg, *p; 737 int cmdline = 0, *intptr, value, n; 738 ServerOpCodes opcode; 739 u_int i, flags = 0; 740 size_t len; 741 742 cp = line; 743 arg = strdelim(&cp); 744 /* Ignore leading whitespace */ 745 if (*arg == '\0') 746 arg = strdelim(&cp); 747 if (!arg || !*arg || *arg == '#') 748 return 0; 749 intptr = NULL; 750 charptr = NULL; 751 opcode = parse_token(arg, filename, linenum, &flags); 752 753 if (activep == NULL) { /* We are processing a command line directive */ 754 cmdline = 1; 755 activep = &cmdline; 756 } 757 if (*activep && opcode != sMatch) 758 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 759 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 760 if (user == NULL) { 761 fatal("%s line %d: Directive '%s' is not allowed " 762 "within a Match block", filename, linenum, arg); 763 } else { /* this is a directive we have already processed */ 764 while (arg) 765 arg = strdelim(&cp); 766 return 0; 767 } 768 } 769 770 switch (opcode) { 771 /* Portable-specific options */ 772 case sPAMAuthenticationViaKbdInt: 773 log("%s line %d: PAMAuthenticationViaKbdInt has been " 774 "deprecated. You should use KbdInteractiveAuthentication " 775 "instead (which defaults to \"yes\").", filename, linenum); 776 intptr = &options->pam_authentication_via_kbd_int; 777 goto parse_flag; 778 779 /* Standard Options */ 780 case sBadOption: 781 return -1; 782 case sPort: 783 /* ignore ports from configfile if cmdline specifies ports */ 784 if (options->ports_from_cmdline) 785 return 0; 786 if (options->listen_addrs != NULL) 787 fatal("%s line %d: ports must be specified before " 788 "ListenAddress.", filename, linenum); 789 if (options->num_ports >= MAX_PORTS) 790 fatal("%s line %d: too many ports.", 791 filename, linenum); 792 arg = strdelim(&cp); 793 if (!arg || *arg == '\0') 794 fatal("%s line %d: missing port number.", 795 filename, linenum); 796 options->ports[options->num_ports++] = a2port(arg); 797 if (options->ports[options->num_ports-1] == 0) 798 fatal("%s line %d: Badly formatted port number.", 799 filename, linenum); 800 break; 801 802 case sServerKeyBits: 803 intptr = &options->server_key_bits; 804 parse_int: 805 arg = strdelim(&cp); 806 if (!arg || *arg == '\0') 807 fatal("%s line %d: missing integer value.", 808 filename, linenum); 809 value = atoi(arg); 810 if (*activep && *intptr == -1) 811 *intptr = value; 812 break; 813 814 case sLoginGraceTime: 815 intptr = &options->login_grace_time; 816 parse_time: 817 arg = strdelim(&cp); 818 if (!arg || *arg == '\0') 819 fatal("%s line %d: missing time value.", 820 filename, linenum); 821 if ((value = convtime(arg)) == -1) 822 fatal("%s line %d: invalid time value.", 823 filename, linenum); 824 if (*intptr == -1) 825 *intptr = value; 826 break; 827 828 case sKeyRegenerationTime: 829 intptr = &options->key_regeneration_time; 830 goto parse_time; 831 832 case sListenAddress: 833 arg = strdelim(&cp); 834 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0) 835 fatal("%s line %d: missing inet addr.", 836 filename, linenum); 837 if (*arg == '[') { 838 if ((p = strchr(arg, ']')) == NULL) 839 fatal("%s line %d: bad ipv6 inet addr usage.", 840 filename, linenum); 841 arg++; 842 (void) memmove(p, p+1, strlen(p+1)+1); 843 } else if (((p = strchr(arg, ':')) == NULL) || 844 (strchr(p+1, ':') != NULL)) { 845 add_listen_addr(options, arg, 0); 846 break; 847 } 848 if (*p == ':') { 849 u_short port; 850 851 p++; 852 if (*p == '\0') 853 fatal("%s line %d: bad inet addr:port usage.", 854 filename, linenum); 855 else { 856 *(p-1) = '\0'; 857 if ((port = a2port(p)) == 0) 858 fatal("%s line %d: bad port number.", 859 filename, linenum); 860 add_listen_addr(options, arg, port); 861 } 862 } else if (*p == '\0') 863 add_listen_addr(options, arg, 0); 864 else 865 fatal("%s line %d: bad inet addr usage.", 866 filename, linenum); 867 break; 868 869 case sHostKeyFile: 870 intptr = &options->num_host_key_files; 871 if (*intptr >= MAX_HOSTKEYS) 872 fatal("%s line %d: too many host keys specified (max %d).", 873 filename, linenum, MAX_HOSTKEYS); 874 charptr = &options->host_key_files[*intptr]; 875 parse_filename: 876 arg = strdelim(&cp); 877 if (!arg || *arg == '\0') 878 fatal("%s line %d: missing file name.", 879 filename, linenum); 880 if (*activep && *charptr == NULL) { 881 *charptr = tilde_expand_filename(arg, getuid()); 882 /* increase optional counter */ 883 if (intptr != NULL) 884 *intptr = *intptr + 1; 885 } 886 break; 887 888 case sPidFile: 889 charptr = &options->pid_file; 890 goto parse_filename; 891 892 case sPermitRootLogin: 893 intptr = &options->permit_root_login; 894 arg = strdelim(&cp); 895 if (!arg || *arg == '\0') 896 fatal("%s line %d: missing yes/" 897 "without-password/forced-commands-only/no " 898 "argument.", filename, linenum); 899 value = 0; /* silence compiler */ 900 if (strcmp(arg, "without-password") == 0) 901 value = PERMIT_NO_PASSWD; 902 else if (strcmp(arg, "forced-commands-only") == 0) 903 value = PERMIT_FORCED_ONLY; 904 else if (strcmp(arg, "yes") == 0) 905 value = PERMIT_YES; 906 else if (strcmp(arg, "no") == 0) 907 value = PERMIT_NO; 908 else 909 fatal("%s line %d: Bad yes/" 910 "without-password/forced-commands-only/no " 911 "argument: %s", filename, linenum, arg); 912 if (*activep && *intptr == -1) 913 *intptr = value; 914 break; 915 916 case sIgnoreRhosts: 917 intptr = &options->ignore_rhosts; 918 parse_flag: 919 arg = strdelim(&cp); 920 if (!arg || *arg == '\0') 921 fatal("%s line %d: missing yes/no argument.", 922 filename, linenum); 923 value = 0; /* silence compiler */ 924 if (strcmp(arg, "yes") == 0) 925 value = 1; 926 else if (strcmp(arg, "no") == 0) 927 value = 0; 928 else 929 fatal("%s line %d: Bad yes/no argument: %s", 930 filename, linenum, arg); 931 if (*activep && *intptr == -1) 932 *intptr = value; 933 break; 934 935 case sIgnoreUserKnownHosts: 936 intptr = &options->ignore_user_known_hosts; 937 goto parse_flag; 938 939 case sRhostsAuthentication: 940 intptr = &options->rhosts_authentication; 941 goto parse_flag; 942 943 case sRhostsRSAAuthentication: 944 intptr = &options->rhosts_rsa_authentication; 945 goto parse_flag; 946 947 case sHostbasedAuthentication: 948 intptr = &options->hostbased_authentication; 949 goto parse_flag; 950 951 case sHostbasedUsesNameFromPacketOnly: 952 intptr = &options->hostbased_uses_name_from_packet_only; 953 goto parse_flag; 954 955 case sRSAAuthentication: 956 intptr = &options->rsa_authentication; 957 goto parse_flag; 958 959 case sPubkeyAuthentication: 960 intptr = &options->pubkey_authentication; 961 goto parse_flag; 962 #ifdef GSSAPI 963 case sGssAuthentication: 964 intptr = &options->gss_authentication; 965 goto parse_flag; 966 case sGssKeyEx: 967 intptr = &options->gss_keyex; 968 goto parse_flag; 969 case sGssStoreDelegCreds: 970 intptr = &options->gss_keyex; 971 goto parse_flag; 972 #ifndef SUNW_GSSAPI 973 case sGssUseSessionCredCache: 974 intptr = &options->gss_use_session_ccache; 975 goto parse_flag; 976 case sGssCleanupCreds: 977 intptr = &options->gss_cleanup_creds; 978 goto parse_flag; 979 #endif /* SUNW_GSSAPI */ 980 #endif /* GSSAPI */ 981 #if defined(KRB4) || defined(KRB5) 982 case sKerberosAuthentication: 983 intptr = &options->kerberos_authentication; 984 goto parse_flag; 985 986 case sKerberosOrLocalPasswd: 987 intptr = &options->kerberos_or_local_passwd; 988 goto parse_flag; 989 990 case sKerberosTicketCleanup: 991 intptr = &options->kerberos_ticket_cleanup; 992 goto parse_flag; 993 #endif 994 #if defined(AFS) || defined(KRB5) 995 case sKerberosTgtPassing: 996 intptr = &options->kerberos_tgt_passing; 997 goto parse_flag; 998 #endif 999 #ifdef AFS 1000 case sAFSTokenPassing: 1001 intptr = &options->afs_token_passing; 1002 goto parse_flag; 1003 #endif 1004 1005 case sPasswordAuthentication: 1006 intptr = &options->password_authentication; 1007 goto parse_flag; 1008 1009 case sKbdInteractiveAuthentication: 1010 intptr = &options->kbd_interactive_authentication; 1011 goto parse_flag; 1012 1013 case sChallengeResponseAuthentication: 1014 intptr = &options->challenge_response_authentication; 1015 goto parse_flag; 1016 1017 case sPrintMotd: 1018 intptr = &options->print_motd; 1019 goto parse_flag; 1020 1021 case sPrintLastLog: 1022 intptr = &options->print_lastlog; 1023 goto parse_flag; 1024 1025 case sX11Forwarding: 1026 intptr = &options->x11_forwarding; 1027 goto parse_flag; 1028 1029 case sX11DisplayOffset: 1030 intptr = &options->x11_display_offset; 1031 goto parse_int; 1032 1033 case sX11UseLocalhost: 1034 intptr = &options->x11_use_localhost; 1035 goto parse_flag; 1036 1037 case sXAuthLocation: 1038 charptr = &options->xauth_location; 1039 goto parse_filename; 1040 1041 case sStrictModes: 1042 intptr = &options->strict_modes; 1043 goto parse_flag; 1044 1045 case sKeepAlives: 1046 intptr = &options->keepalives; 1047 goto parse_flag; 1048 1049 case sEmptyPasswd: 1050 intptr = &options->permit_empty_passwd; 1051 goto parse_flag; 1052 1053 case sPermitUserEnvironment: 1054 intptr = &options->permit_user_env; 1055 goto parse_flag; 1056 1057 case sUseLogin: 1058 log("%s line %d: ignoring UseLogin option value." 1059 " This option is always off.", filename, linenum); 1060 while (arg) 1061 arg = strdelim(&cp); 1062 break; 1063 1064 case sCompression: 1065 intptr = &options->compression; 1066 goto parse_flag; 1067 1068 case sGatewayPorts: 1069 intptr = &options->gateway_ports; 1070 arg = strdelim(&cp); 1071 if (!arg || *arg == '\0') 1072 fatal("%s line %d: missing yes/no/clientspecified " 1073 "argument.", filename, linenum); 1074 value = 0; /* silence compiler */ 1075 if (strcmp(arg, "clientspecified") == 0) 1076 value = 2; 1077 else if (strcmp(arg, "yes") == 0) 1078 value = 1; 1079 else if (strcmp(arg, "no") == 0) 1080 value = 0; 1081 else 1082 fatal("%s line %d: Bad yes/no/clientspecified " 1083 "argument: %s", filename, linenum, arg); 1084 if (*activep && *intptr == -1) 1085 *intptr = value; 1086 break; 1087 1088 case sVerifyReverseMapping: 1089 intptr = &options->verify_reverse_mapping; 1090 goto parse_flag; 1091 1092 case sLogFacility: 1093 intptr = (int *) &options->log_facility; 1094 arg = strdelim(&cp); 1095 value = log_facility_number(arg); 1096 if (value == SYSLOG_FACILITY_NOT_SET) 1097 fatal("%.200s line %d: unsupported log facility '%s'", 1098 filename, linenum, arg ? arg : "<NONE>"); 1099 if (*intptr == -1) 1100 *intptr = (SyslogFacility) value; 1101 break; 1102 1103 case sLogLevel: 1104 intptr = (int *) &options->log_level; 1105 arg = strdelim(&cp); 1106 value = log_level_number(arg); 1107 if (value == SYSLOG_LEVEL_NOT_SET) 1108 fatal("%.200s line %d: unsupported log level '%s'", 1109 filename, linenum, arg ? arg : "<NONE>"); 1110 if (*intptr == -1) 1111 *intptr = (LogLevel) value; 1112 break; 1113 1114 case sAllowTcpForwarding: 1115 intptr = &options->allow_tcp_forwarding; 1116 goto parse_flag; 1117 1118 case sUsePrivilegeSeparation: 1119 log("%s line %d: ignoring UsePrivilegeSeparation option value." 1120 " This option is always on.", filename, linenum); 1121 while (arg) 1122 arg = strdelim(&cp); 1123 break; 1124 1125 case sAllowUsers: 1126 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1127 if (options->num_allow_users >= MAX_ALLOW_USERS) 1128 fatal("%s line %d: too many allow users.", 1129 filename, linenum); 1130 options->allow_users[options->num_allow_users++] = 1131 xstrdup(arg); 1132 } 1133 break; 1134 1135 case sDenyUsers: 1136 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1137 if (options->num_deny_users >= MAX_DENY_USERS) 1138 fatal( "%s line %d: too many deny users.", 1139 filename, linenum); 1140 options->deny_users[options->num_deny_users++] = 1141 xstrdup(arg); 1142 } 1143 break; 1144 1145 case sAllowGroups: 1146 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1147 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1148 fatal("%s line %d: too many allow groups.", 1149 filename, linenum); 1150 options->allow_groups[options->num_allow_groups++] = 1151 xstrdup(arg); 1152 } 1153 break; 1154 1155 case sDenyGroups: 1156 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') { 1157 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1158 fatal("%s line %d: too many deny groups.", 1159 filename, linenum); 1160 options->deny_groups[options->num_deny_groups++] = xstrdup(arg); 1161 } 1162 break; 1163 1164 case sCiphers: 1165 arg = strdelim(&cp); 1166 if (!arg || *arg == '\0') 1167 fatal("%s line %d: Missing argument.", filename, linenum); 1168 if (!ciphers_valid(arg)) 1169 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1170 filename, linenum, arg ? arg : "<NONE>"); 1171 if (options->ciphers == NULL) 1172 options->ciphers = xstrdup(arg); 1173 break; 1174 1175 case sMacs: 1176 arg = strdelim(&cp); 1177 if (!arg || *arg == '\0') 1178 fatal("%s line %d: Missing argument.", filename, linenum); 1179 if (!mac_valid(arg)) 1180 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1181 filename, linenum, arg ? arg : "<NONE>"); 1182 if (options->macs == NULL) 1183 options->macs = xstrdup(arg); 1184 break; 1185 1186 case sProtocol: 1187 intptr = &options->protocol; 1188 arg = strdelim(&cp); 1189 if (!arg || *arg == '\0') 1190 fatal("%s line %d: Missing argument.", filename, linenum); 1191 value = proto_spec(arg); 1192 if (value == SSH_PROTO_UNKNOWN) 1193 fatal("%s line %d: Bad protocol spec '%s'.", 1194 filename, linenum, arg ? arg : "<NONE>"); 1195 if (*intptr == SSH_PROTO_UNKNOWN) 1196 *intptr = value; 1197 break; 1198 1199 case sSubsystem: 1200 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1201 fatal("%s line %d: too many subsystems defined.", 1202 filename, linenum); 1203 } 1204 arg = strdelim(&cp); 1205 if (!arg || *arg == '\0') 1206 fatal("%s line %d: Missing subsystem name.", 1207 filename, linenum); 1208 if (!*activep) { 1209 arg = strdelim(&cp); 1210 break; 1211 } 1212 for (i = 0; i < options->num_subsystems; i++) 1213 if (strcmp(arg, options->subsystem_name[i]) == 0) 1214 fatal("%s line %d: Subsystem '%s' already defined.", 1215 filename, linenum, arg); 1216 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1217 arg = strdelim(&cp); 1218 if (!arg || *arg == '\0') 1219 fatal("%s line %d: Missing subsystem command.", 1220 filename, linenum); 1221 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1222 1223 /* 1224 * Collect arguments (separate to executable), including the 1225 * name of the executable, in a way that is easier to parse 1226 * later. 1227 */ 1228 p = xstrdup(arg); 1229 len = strlen(p) + 1; 1230 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1231 len += 1 + strlen(arg); 1232 p = xrealloc(p, len); 1233 strlcat(p, " ", len); 1234 strlcat(p, arg, len); 1235 } 1236 options->subsystem_args[options->num_subsystems] = p; 1237 options->num_subsystems++; 1238 break; 1239 1240 case sMaxStartups: 1241 arg = strdelim(&cp); 1242 if (!arg || *arg == '\0') 1243 fatal("%s line %d: Missing MaxStartups spec.", 1244 filename, linenum); 1245 if ((n = sscanf(arg, "%d:%d:%d", 1246 &options->max_startups_begin, 1247 &options->max_startups_rate, 1248 &options->max_startups)) == 3) { 1249 if (options->max_startups_begin > 1250 options->max_startups || 1251 options->max_startups_rate > 100 || 1252 options->max_startups_rate < 1) 1253 fatal("%s line %d: Illegal MaxStartups spec.", 1254 filename, linenum); 1255 } else if (n != 1) 1256 fatal("%s line %d: Illegal MaxStartups spec.", 1257 filename, linenum); 1258 else 1259 options->max_startups = options->max_startups_begin; 1260 break; 1261 1262 case sBanner: 1263 charptr = &options->banner; 1264 goto parse_filename; 1265 /* 1266 * These options can contain %X options expanded at 1267 * connect time, so that you can specify paths like: 1268 * 1269 * AuthorizedKeysFile /etc/ssh_keys/%u 1270 */ 1271 case sAuthorizedKeysFile: 1272 case sAuthorizedKeysFile2: 1273 charptr = (opcode == sAuthorizedKeysFile) ? 1274 &options->authorized_keys_file : 1275 &options->authorized_keys_file2; 1276 goto parse_filename; 1277 1278 case sClientAliveInterval: 1279 intptr = &options->client_alive_interval; 1280 goto parse_time; 1281 1282 case sClientAliveCountMax: 1283 intptr = &options->client_alive_count_max; 1284 goto parse_int; 1285 1286 case sMaxAuthTries: 1287 intptr = &options->max_auth_tries; 1288 goto parse_int; 1289 1290 case sMaxAuthTriesLog: 1291 intptr = &options->max_auth_tries_log; 1292 goto parse_int; 1293 1294 case sLookupClientHostnames: 1295 intptr = &options->lookup_client_hostnames; 1296 goto parse_flag; 1297 1298 case sUseOpenSSLEngine: 1299 intptr = &options->use_openssl_engine; 1300 goto parse_flag; 1301 1302 case sChrootDirectory: 1303 charptr = &options->chroot_directory; 1304 1305 arg = strdelim(&cp); 1306 if (arg == NULL || *arg == '\0') 1307 fatal("%s line %d: missing directory name for " 1308 "ChrootDirectory.", filename, linenum); 1309 if (*activep && *charptr == NULL) 1310 *charptr = xstrdup(arg); 1311 break; 1312 1313 case sPreUserauthHook: 1314 charptr = &options->pre_userauth_hook; 1315 goto parse_filename; 1316 1317 case sMatch: 1318 if (cmdline) 1319 fatal("Match directive not supported as a command-line " 1320 "option"); 1321 value = match_cfg_line(&cp, linenum, user, host, address); 1322 if (value < 0) 1323 fatal("%s line %d: Bad Match condition", filename, 1324 linenum); 1325 *activep = value; 1326 break; 1327 1328 case sDeprecated: 1329 log("%s line %d: Deprecated option %s", 1330 filename, linenum, arg); 1331 while (arg) 1332 arg = strdelim(&cp); 1333 break; 1334 1335 case sPAMServicePrefix: 1336 arg = strdelim(&cp); 1337 if (!arg || *arg == '\0') 1338 fatal("%s line %d: Missing argument.", 1339 filename, linenum); 1340 if (options->pam_service_name != NULL) 1341 fatal("%s line %d: PAMServiceName and PAMServicePrefix " 1342 "are mutually exclusive.", filename, linenum); 1343 if (options->pam_service_prefix == NULL) 1344 options->pam_service_prefix = xstrdup(arg); 1345 break; 1346 1347 case sPAMServiceName: 1348 arg = strdelim(&cp); 1349 if (!arg || *arg == '\0') 1350 fatal("%s line %d: Missing argument.", 1351 filename, linenum); 1352 if (options->pam_service_prefix != NULL) 1353 fatal("%s line %d: PAMServiceName and PAMServicePrefix " 1354 "are mutually exclusive.", filename, linenum); 1355 if (options->pam_service_name == NULL) 1356 options->pam_service_name = xstrdup(arg); 1357 break; 1358 1359 default: 1360 fatal("%s line %d: Missing handler for opcode %s (%d)", 1361 filename, linenum, arg, opcode); 1362 } 1363 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1364 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1365 filename, linenum, arg); 1366 return 0; 1367 } 1368 1369 1370 /* Reads the server configuration file. */ 1371 1372 void 1373 load_server_config(const char *filename, Buffer *conf) 1374 { 1375 char line[1024], *cp; 1376 FILE *f; 1377 1378 debug2("%s: filename %s", __func__, filename); 1379 if ((f = fopen(filename, "r")) == NULL) { 1380 perror(filename); 1381 exit(1); 1382 } 1383 buffer_clear(conf); 1384 while (fgets(line, sizeof(line), f)) { 1385 /* 1386 * Trim out comments and strip whitespace 1387 * NB - preserve newlines, they are needed to reproduce 1388 * line numbers later for error messages 1389 */ 1390 if ((cp = strchr(line, '#')) != NULL) 1391 memcpy(cp, "\n", 2); 1392 cp = line + strspn(line, " \t\r"); 1393 1394 buffer_append(conf, cp, strlen(cp)); 1395 } 1396 buffer_append(conf, "\0", 1); 1397 fclose(f); 1398 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1399 } 1400 1401 void 1402 parse_server_match_config(ServerOptions *options, const char *user, 1403 const char *host, const char *address) 1404 { 1405 ServerOptions mo; 1406 1407 initialize_server_options(&mo); 1408 parse_server_config(&mo, "reprocess config", &cfg, user, host, address); 1409 copy_set_server_options(options, &mo, 0); 1410 } 1411 1412 1413 1414 /* Helper macros */ 1415 #define M_CP_INTOPT(n) do {\ 1416 if (src->n != -1) \ 1417 dst->n = src->n; \ 1418 } while (0) 1419 #define M_CP_STROPT(n) do {\ 1420 if (src->n != NULL) { \ 1421 if (dst->n != NULL) \ 1422 xfree(dst->n); \ 1423 dst->n = src->n; \ 1424 } \ 1425 } while(0) 1426 1427 /* 1428 * Copy any supported values that are set. 1429 * 1430 * If the preauth flag is set, we do not bother copying the the string or 1431 * array values that are not used pre-authentication, because any that we 1432 * do use must be explictly sent in mm_getpwnamallow(). 1433 */ 1434 void 1435 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1436 { 1437 M_CP_INTOPT(password_authentication); 1438 M_CP_INTOPT(gss_authentication); 1439 M_CP_INTOPT(rsa_authentication); 1440 M_CP_INTOPT(pubkey_authentication); 1441 M_CP_INTOPT(hostbased_authentication); 1442 M_CP_INTOPT(kbd_interactive_authentication); 1443 M_CP_INTOPT(permit_root_login); 1444 M_CP_INTOPT(permit_empty_passwd); 1445 M_CP_INTOPT(allow_tcp_forwarding); 1446 M_CP_INTOPT(gateway_ports); 1447 M_CP_INTOPT(x11_display_offset); 1448 M_CP_INTOPT(x11_forwarding); 1449 M_CP_INTOPT(x11_use_localhost); 1450 M_CP_INTOPT(max_auth_tries); 1451 M_CP_STROPT(banner); 1452 1453 if (preauth) 1454 return; 1455 M_CP_STROPT(chroot_directory); 1456 } 1457 1458 #undef M_CP_INTOPT 1459 #undef M_CP_STROPT 1460 1461 void 1462 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 1463 const char *user, const char *host, const char *address) 1464 { 1465 int active, linenum, bad_options = 0; 1466 char *cp, *obuf, *cbuf; 1467 1468 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 1469 1470 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1471 active = user ? 0 : 1; 1472 linenum = 1; 1473 while ((cp = strsep(&cbuf, "\n")) != NULL) { 1474 if (process_server_config_line(options, cp, filename, 1475 linenum++, &active, user, host, address) != 0) 1476 bad_options++; 1477 } 1478 xfree(obuf); 1479 if (bad_options > 0) 1480 fatal("%s: terminating, %d bad configuration options", 1481 filename, bad_options); 1482 } 1483 1484 1485 /* 1486 * Note that "none" is a special path having the same affect on sshd 1487 * configuration as not specifying ChrootDirectory at all. 1488 */ 1489 int 1490 chroot_requested(char *chroot_directory) 1491 { 1492 return (chroot_directory != NULL && 1493 strcasecmp(chroot_directory, "none") != 0); 1494 }