1 /*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11 /*
12 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
13 * Copyright 2012 Joyent, Inc. All rights reserved.
14 */
15
16 #include "includes.h"
17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
18
19 #ifdef HAVE_DEFOPEN
20 #include <deflt.h>
21 #endif /* HAVE_DEFOPEN */
22
23 #if defined(KRB4)
24 #include <krb.h>
25 #endif
26 #if defined(KRB5)
27 #ifdef HEIMDAL
28 #include <krb.h>
29 #else
30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
31 * keytab */
32 #define KEYFILE "/etc/krb5.keytab"
33 #endif
34 #endif
35 #ifdef AFS
36 #include <kafs.h>
37 #endif
38
39 #include "ssh.h"
40 #include "log.h"
41 #include "buffer.h"
42 #include "servconf.h"
43 #include "xmalloc.h"
44 #include "compat.h"
45 #include "pathnames.h"
46 #include "tildexpand.h"
47 #include "misc.h"
48 #include "cipher.h"
49 #include "kex.h"
50 #include "mac.h"
51 #include "auth.h"
52 #include "match.h"
53 #include "groupaccess.h"
54
55 static void add_listen_addr(ServerOptions *, char *, u_short);
56 static void add_one_listen_addr(ServerOptions *, char *, u_short);
57
58 extern Buffer cfg;
59
60 /* AF_UNSPEC or AF_INET or AF_INET6 */
61 extern int IPv4or6;
62
63 /*
64 * Initializes the server options to their initial (unset) values. Some of those
65 * that stay unset after the command line options and configuration files are
66 * read are set to their default values in fill_default_server_options().
67 */
68 void
69 initialize_server_options(ServerOptions *options)
70 {
71 (void) memset(options, 0, sizeof(*options));
72
73 /* Standard Options */
74 options->num_ports = 0;
75 options->ports_from_cmdline = 0;
76 options->listen_addrs = NULL;
77 options->num_host_key_files = 0;
78 options->pid_file = NULL;
79 options->server_key_bits = -1;
80 options->login_grace_time = -1;
81 options->key_regeneration_time = -1;
82 options->permit_root_login = PERMIT_NOT_SET;
83 options->ignore_rhosts = -1;
84 options->ignore_user_known_hosts = -1;
85 options->print_motd = -1;
86 options->print_lastlog = -1;
87 options->x11_forwarding = -1;
88 options->x11_display_offset = -1;
89 options->x11_use_localhost = -1;
90 options->xauth_location = NULL;
91 options->strict_modes = -1;
92 options->keepalives = -1;
93 options->log_facility = SYSLOG_FACILITY_NOT_SET;
94 options->log_level = SYSLOG_LEVEL_NOT_SET;
95 options->rhosts_authentication = -1;
96 options->rhosts_rsa_authentication = -1;
97 options->hostbased_authentication = -1;
98 options->hostbased_uses_name_from_packet_only = -1;
99 options->rsa_authentication = -1;
100 options->pubkey_authentication = -1;
101 #ifdef GSSAPI
102 options->gss_authentication = -1;
103 options->gss_keyex = -1;
104 options->gss_store_creds = -1;
105 options->gss_use_session_ccache = -1;
106 options->gss_cleanup_creds = -1;
107 #endif
108 #if defined(KRB4) || defined(KRB5)
109 options->kerberos_authentication = -1;
110 options->kerberos_or_local_passwd = -1;
111 options->kerberos_ticket_cleanup = -1;
112 #endif
113 #if defined(AFS) || defined(KRB5)
114 options->kerberos_tgt_passing = -1;
115 #endif
116 #ifdef AFS
117 options->afs_token_passing = -1;
118 #endif
119 options->password_authentication = -1;
120 options->kbd_interactive_authentication = -1;
121 options->challenge_response_authentication = -1;
122 options->pam_authentication_via_kbd_int = -1;
123 options->permit_empty_passwd = -1;
124 options->permit_user_env = -1;
125 options->compression = -1;
126 options->allow_tcp_forwarding = -1;
127 options->num_allow_users = 0;
128 options->num_deny_users = 0;
129 options->num_allow_groups = 0;
130 options->num_deny_groups = 0;
131 options->ciphers = NULL;
132 options->macs = NULL;
133 options->protocol = SSH_PROTO_UNKNOWN;
134 options->gateway_ports = -1;
135 options->num_subsystems = 0;
136 options->max_startups_begin = -1;
137 options->max_startups_rate = -1;
138 options->max_startups = -1;
139 options->banner = NULL;
140 options->verify_reverse_mapping = -1;
141 options->client_alive_interval = -1;
142 options->client_alive_count_max = -1;
143 options->authorized_keys_file = NULL;
144 options->authorized_keys_file2 = NULL;
145
146 options->max_auth_tries = -1;
147 options->max_auth_tries_log = -1;
148
149 options->max_init_auth_tries = -1;
150 options->max_init_auth_tries_log = -1;
151
152 options->lookup_client_hostnames = -1;
153 options->use_openssl_engine = -1;
154 options->chroot_directory = NULL;
155 options->pre_userauth_hook = NULL;
156 options->pam_service_name = NULL;
157 options->pam_service_prefix = NULL;
158 options->pubkey_plugin = NULL;
159 }
160
161 #ifdef HAVE_DEFOPEN
162 /*
163 * Reads /etc/default/login and defaults several ServerOptions:
164 *
165 * PermitRootLogin
166 * PermitEmptyPasswords
167 * LoginGraceTime
168 *
169 * CONSOLE=* -> PermitRootLogin=without-password
170 * #CONSOLE=* -> PermitRootLogin=yes
171 *
172 * PASSREQ=YES -> PermitEmptyPasswords=no
173 * PASSREQ=NO -> PermitEmptyPasswords=yes
174 * #PASSREQ=* -> PermitEmptyPasswords=no
175 *
176 * TIMEOUT=<secs> -> LoginGraceTime=<secs>
177 * #TIMEOUT=<secs> -> LoginGraceTime=300
178 */
179 static
180 void
181 deflt_fill_default_server_options(ServerOptions *options)
182 {
183 int flags;
184 char *ptr;
185
186 if (defopen(_PATH_DEFAULT_LOGIN))
187 return;
188
189 /* Ignore case */
190 flags = defcntl(DC_GETFLAGS, 0);
191 TURNOFF(flags, DC_CASE);
192 (void) defcntl(DC_SETFLAGS, flags);
193
194 if (options->permit_root_login == PERMIT_NOT_SET &&
195 (ptr = defread("CONSOLE=")) != NULL)
196 options->permit_root_login = PERMIT_NO_PASSWD;
197
198 if (options->permit_empty_passwd == -1 &&
199 (ptr = defread("PASSREQ=")) != NULL) {
200 if (strcasecmp("YES", ptr) == 0)
201 options->permit_empty_passwd = 0;
202 else if (strcasecmp("NO", ptr) == 0)
203 options->permit_empty_passwd = 1;
204 }
205
206 if (options->max_init_auth_tries == -1 &&
207 (ptr = defread("RETRIES=")) != NULL) {
208 options->max_init_auth_tries = atoi(ptr);
209 }
210
211 if (options->max_init_auth_tries_log == -1 &&
212 (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) {
213 options->max_init_auth_tries_log = atoi(ptr);
214 }
215
216 if (options->login_grace_time == -1) {
217 if ((ptr = defread("TIMEOUT=")) != NULL)
218 options->login_grace_time = (unsigned)atoi(ptr);
219 else
220 options->login_grace_time = 300;
221 }
222
223 (void) defopen((char *)NULL);
224 }
225 #endif /* HAVE_DEFOPEN */
226
227 void
228 fill_default_server_options(ServerOptions *options)
229 {
230
231 #ifdef HAVE_DEFOPEN
232 deflt_fill_default_server_options(options);
233 #endif /* HAVE_DEFOPEN */
234
235 /* Standard Options */
236 if (options->protocol == SSH_PROTO_UNKNOWN)
237 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
238 if (options->num_host_key_files == 0) {
239 /* fill default hostkeys for protocols */
240 if (options->protocol & SSH_PROTO_1)
241 options->host_key_files[options->num_host_key_files++] =
242 _PATH_HOST_KEY_FILE;
243 #ifndef GSSAPI
244 /* With GSS keyex we can run v2 w/ no host keys */
245 if (options->protocol & SSH_PROTO_2) {
246 options->host_key_files[options->num_host_key_files++] =
247 _PATH_HOST_RSA_KEY_FILE;
248 options->host_key_files[options->num_host_key_files++] =
249 _PATH_HOST_DSA_KEY_FILE;
250 }
251 #endif /* GSSAPI */
252 }
253 if (options->num_ports == 0)
254 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
255 if (options->listen_addrs == NULL)
256 add_listen_addr(options, NULL, 0);
257 if (options->pid_file == NULL)
258 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
259 if (options->server_key_bits == -1)
260 options->server_key_bits = 768;
261 if (options->login_grace_time == -1)
262 options->login_grace_time = 120;
263 if (options->key_regeneration_time == -1)
264 options->key_regeneration_time = 3600;
265 if (options->permit_root_login == PERMIT_NOT_SET)
266 options->permit_root_login = PERMIT_YES;
267 if (options->ignore_rhosts == -1)
268 options->ignore_rhosts = 1;
269 if (options->ignore_user_known_hosts == -1)
270 options->ignore_user_known_hosts = 0;
271 if (options->print_motd == -1)
272 options->print_motd = 1;
273 if (options->print_lastlog == -1)
274 options->print_lastlog = 1;
275 if (options->x11_forwarding == -1)
276 options->x11_forwarding = 1;
277 if (options->x11_display_offset == -1)
278 options->x11_display_offset = 10;
279 if (options->x11_use_localhost == -1)
280 options->x11_use_localhost = 1;
281 if (options->xauth_location == NULL)
282 options->xauth_location = _PATH_XAUTH;
283 if (options->strict_modes == -1)
284 options->strict_modes = 1;
285 if (options->keepalives == -1)
286 options->keepalives = 1;
287 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
288 options->log_facility = SYSLOG_FACILITY_AUTH;
289 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
290 options->log_level = SYSLOG_LEVEL_INFO;
291 if (options->rhosts_authentication == -1)
292 options->rhosts_authentication = 0;
293 if (options->rhosts_rsa_authentication == -1)
294 options->rhosts_rsa_authentication = 0;
295 if (options->hostbased_authentication == -1)
296 options->hostbased_authentication = 0;
297 if (options->hostbased_uses_name_from_packet_only == -1)
298 options->hostbased_uses_name_from_packet_only = 0;
299 if (options->rsa_authentication == -1)
300 options->rsa_authentication = 1;
301 if (options->pubkey_authentication == -1)
302 options->pubkey_authentication = 1;
303 #ifdef GSSAPI
304 if (options->gss_authentication == -1)
305 options->gss_authentication = 1;
306 if (options->gss_keyex == -1)
307 options->gss_keyex = 1;
308 if (options->gss_store_creds == -1)
309 options->gss_store_creds = 1;
310 if (options->gss_use_session_ccache == -1)
311 options->gss_use_session_ccache = 1;
312 if (options->gss_cleanup_creds == -1)
313 options->gss_cleanup_creds = 1;
314 #endif
315 #if defined(KRB4) || defined(KRB5)
316 if (options->kerberos_authentication == -1)
317 options->kerberos_authentication = 0;
318 if (options->kerberos_or_local_passwd == -1)
319 options->kerberos_or_local_passwd = 1;
320 if (options->kerberos_ticket_cleanup == -1)
321 options->kerberos_ticket_cleanup = 1;
322 #endif
323 #if defined(AFS) || defined(KRB5)
324 if (options->kerberos_tgt_passing == -1)
325 options->kerberos_tgt_passing = 0;
326 #endif
327 #ifdef AFS
328 if (options->afs_token_passing == -1)
329 options->afs_token_passing = 0;
330 #endif
331 if (options->password_authentication == -1)
332 options->password_authentication = 1;
333 /*
334 * options->pam_authentication_via_kbd_int has intentionally no default
335 * value since we do not need it.
336 */
337 if (options->kbd_interactive_authentication == -1)
338 options->kbd_interactive_authentication = 1;
339 if (options->challenge_response_authentication == -1)
340 options->challenge_response_authentication = 1;
341 if (options->permit_empty_passwd == -1)
342 options->permit_empty_passwd = 0;
343 if (options->permit_user_env == -1)
344 options->permit_user_env = 0;
345 if (options->compression == -1)
346 options->compression = 1;
347 if (options->allow_tcp_forwarding == -1)
348 options->allow_tcp_forwarding = 1;
349 if (options->gateway_ports == -1)
350 options->gateway_ports = 0;
351 if (options->max_startups == -1)
352 options->max_startups = 10;
353 if (options->max_startups_rate == -1)
354 options->max_startups_rate = 100; /* 100% */
355 if (options->max_startups_begin == -1)
356 options->max_startups_begin = options->max_startups;
357 if (options->verify_reverse_mapping == -1)
358 options->verify_reverse_mapping = 0;
359 if (options->client_alive_interval == -1)
360 options->client_alive_interval = 0;
361 if (options->client_alive_count_max == -1)
362 options->client_alive_count_max = 3;
363 if (options->authorized_keys_file2 == NULL) {
364 /* authorized_keys_file2 falls back to authorized_keys_file */
365 if (options->authorized_keys_file != NULL)
366 options->authorized_keys_file2 = options->authorized_keys_file;
367 else
368 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
369 }
370 if (options->authorized_keys_file == NULL)
371 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
372
373 if (options->max_auth_tries == -1)
374 options->max_auth_tries = AUTH_FAIL_MAX;
375 if (options->max_auth_tries_log == -1)
376 options->max_auth_tries_log = options->max_auth_tries / 2;
377
378 if (options->max_init_auth_tries == -1)
379 options->max_init_auth_tries = AUTH_FAIL_MAX;
380 if (options->max_init_auth_tries_log == -1)
381 options->max_init_auth_tries_log = options->max_init_auth_tries / 2;
382
383 if (options->lookup_client_hostnames == -1)
384 options->lookup_client_hostnames = 1;
385 if (options->use_openssl_engine == -1)
386 options->use_openssl_engine = 1;
387 if (options->pam_service_prefix == NULL)
388 options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
389 if (options->pam_service_name == NULL)
390 options->pam_service_name = NULL;
391 }
392
393 /* Keyword tokens. */
394 typedef enum {
395 sBadOption, /* == unknown option */
396 /* Portable-specific options */
397 sPAMAuthenticationViaKbdInt,
398 /* Standard Options */
399 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
400 sPermitRootLogin, sLogFacility, sLogLevel,
401 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
402 #ifdef GSSAPI
403 sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds,
404 sGssUseSessionCredCache, sGssCleanupCreds,
405 #endif /* GSSAPI */
406 #if defined(KRB4) || defined(KRB5)
407 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
408 #endif
409 #if defined(AFS) || defined(KRB5)
410 sKerberosTgtPassing,
411 #endif
412 #ifdef AFS
413 sAFSTokenPassing,
414 #endif
415 sChallengeResponseAuthentication,
416 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
417 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
418 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
419 sStrictModes, sEmptyPasswd, sKeepAlives,
420 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
421 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
422 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
423 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
424 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
425 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
426 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
427 sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
428 sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
429 sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
430 sMaxStartups, sPubKeyPlugin,
431 sDeprecated
432 } ServerOpCodes;
433
434 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
435 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
436 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
437
438 /* Textual representation of the tokens. */
439 static struct {
440 const char *name;
441 ServerOpCodes opcode;
442 u_int flags;
443 } keywords[] = {
444 /* Portable-specific options */
445 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt, SSHCFG_GLOBAL },
446 /* Standard Options */
447 { "port", sPort, SSHCFG_GLOBAL },
448 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
449 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
450 { "pidfile", sPidFile, SSHCFG_GLOBAL },
451 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
452 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
453 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
454 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
455 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
456 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
457 { "rhostsauthentication", sRhostsAuthentication, SSHCFG_GLOBAL },
458 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
459 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
460 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
461 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
462 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
463 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
464 #ifdef GSSAPI
465 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
466 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
467 { "gssapistoredelegatedcredentials", sGssStoreDelegCreds, SSHCFG_GLOBAL },
468 { "gssauthentication", sGssAuthentication, SSHCFG_GLOBAL }, /* alias */
469 { "gsskeyex", sGssKeyEx, SSHCFG_GLOBAL }, /* alias */
470 { "gssstoredelegcreds", sGssStoreDelegCreds, SSHCFG_GLOBAL }, /* alias */
471 #ifndef SUNW_GSSAPI
472 { "gssusesessionccache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
473 { "gssusesessioncredcache", sGssUseSessionCredCache, SSHCFG_GLOBAL },
474 { "gsscleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
475 #endif /* SUNW_GSSAPI */
476 #endif
477 #if defined(KRB4) || defined(KRB5)
478 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
479 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
480 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
481 #endif
482 #if defined(AFS) || defined(KRB5)
483 { "kerberostgtpassing", sKerberosTgtPassing, SSHCFG_GLOBAL },
484 #endif
485 #ifdef AFS
486 { "afstokenpassing", sAFSTokenPassing, SSHCFG_GLOBAL },
487 #endif
488 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
489 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
490 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
491 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
492 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
493 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
494 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
495 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
496 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
497 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
498 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
499 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
500 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
501 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
502 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
503 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
504 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
505 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
506 { "compression", sCompression, SSHCFG_GLOBAL },
507 { "tcpkeepalive", sKeepAlives, SSHCFG_GLOBAL },
508 { "keepalive", sKeepAlives, SSHCFG_GLOBAL }, /* obsolete */
509 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
510 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
511 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
512 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
513 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
514 { "ciphers", sCiphers, SSHCFG_GLOBAL },
515 { "macs", sMacs, SSHCFG_GLOBAL},
516 { "protocol", sProtocol,SSHCFG_GLOBAL },
517 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
518 { "subsystem", sSubsystem, SSHCFG_GLOBAL},
519 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
520 { "banner", sBanner, SSHCFG_ALL },
521 { "verifyreversemapping", sVerifyReverseMapping, SSHCFG_GLOBAL },
522 { "reversemappingcheck", sVerifyReverseMapping,SSHCFG_GLOBAL },
523 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
524 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
525 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
526 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
527 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
528 { "maxauthtrieslog", sMaxAuthTriesLog, SSHCFG_GLOBAL },
529 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
530 { "lookupclienthostnames", sLookupClientHostnames, SSHCFG_GLOBAL },
531 { "useopensslengine", sUseOpenSSLEngine, SSHCFG_GLOBAL },
532 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
533 { "preuserauthhook", sPreUserauthHook, SSHCFG_ALL},
534 { "match", sMatch, SSHCFG_ALL },
535 { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
536 { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
537 { "pubkeyplugin", sPubKeyPlugin, SSHCFG_ALL },
538
539 { NULL, sBadOption, 0 }
540 };
541
542 /*
543 * Returns the number of the token pointed to by cp or sBadOption.
544 */
545
546 static ServerOpCodes
547 parse_token(const char *cp, const char *filename,
548 int linenum, u_int *flags)
549 {
550 u_int i;
551
552 for (i = 0; keywords[i].name; i++)
553 if (strcasecmp(cp, keywords[i].name) == 0) {
554 *flags = keywords[i].flags;
555 return keywords[i].opcode;
556 }
557
558 error("%s: line %d: Bad configuration option: %s",
559 filename, linenum, cp);
560 return sBadOption;
561 }
562
563 static void
564 add_listen_addr(ServerOptions *options, char *addr, u_short port)
565 {
566 int i;
567
568 if (options->num_ports == 0)
569 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
570 if (port == 0)
571 for (i = 0; i < options->num_ports; i++)
572 add_one_listen_addr(options, addr, options->ports[i]);
573 else
574 add_one_listen_addr(options, addr, port);
575 }
576
577 static void
578 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
579 {
580 struct addrinfo hints, *ai, *aitop;
581 char strport[NI_MAXSERV];
582 int gaierr;
583
584 (void) memset(&hints, 0, sizeof(hints));
585 hints.ai_family = IPv4or6;
586 hints.ai_socktype = SOCK_STREAM;
587 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
588 (void) snprintf(strport, sizeof strport, "%u", port);
589 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
590 fatal("bad addr or host: %s (%s)",
591 addr ? addr : "<NULL>",
592 gai_strerror(gaierr));
593 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
594 ;
595 ai->ai_next = options->listen_addrs;
596 options->listen_addrs = aitop;
597 }
598
599 /*
600 * The strategy for the Match blocks is that the config file is parsed twice.
601 *
602 * The first time is at startup. activep is initialized to 1 and the
603 * directives in the global context are processed and acted on. Hitting a
604 * Match directive unsets activep and the directives inside the block are
605 * checked for syntax only.
606 *
607 * The second time is after a connection has been established but before
608 * authentication. activep is initialized to 2 and global config directives
609 * are ignored since they have already been processed. If the criteria in a
610 * Match block is met, activep is set and the subsequent directives
611 * processed and actioned until EOF or another Match block unsets it. Any
612 * options set are copied into the main server config.
613 *
614 * Potential additions/improvements:
615 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
616 *
617 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
618 * Match Address 192.168.0.*
619 * Tag trusted
620 * Match Group wheel
621 * Tag trusted
622 * Match Tag trusted
623 * AllowTcpForwarding yes
624 * GatewayPorts clientspecified
625 * [...]
626 *
627 * - Add a PermittedChannelRequests directive
628 * Match Group shell
629 * PermittedChannelRequests session,forwarded-tcpip
630 */
631
632 static int
633 match_cfg_line_group(const char *grps, int line, const char *user)
634 {
635 int result = 0;
636 struct passwd *pw;
637
638 if (user == NULL)
639 goto out;
640
641 if ((pw = getpwnam(user)) == NULL) {
642 debug("Can't match group at line %d because user %.100s does "
643 "not exist", line, user);
644 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
645 debug("Can't Match group because user %.100s not in any group "
646 "at line %d", user, line);
647 } else if (ga_match_pattern_list(grps) != 1) {
648 debug("user %.100s does not match group list %.100s at line %d",
649 user, grps, line);
650 } else {
651 debug("user %.100s matched group list %.100s at line %d", user,
652 grps, line);
653 result = 1;
654 }
655 out:
656 ga_free();
657 return result;
658 }
659
660 static int
661 match_cfg_line(char **condition, int line, const char *user, const char *host,
662 const char *address)
663 {
664 int result = 1;
665 char *arg, *attrib, *cp = *condition;
666 size_t len;
667
668 if (user == NULL)
669 debug3("checking syntax for 'Match %s'", cp);
670 else
671 debug3("checking match for '%s' user %s host %s addr %s", cp,
672 user ? user : "(null)", host ? host : "(null)",
673 address ? address : "(null)");
674
675 while ((attrib = strdelim(&cp)) != NULL && *attrib != '\0') {
676 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
677 error("Missing Match criteria for %s", attrib);
678 return -1;
679 }
680 len = strlen(arg);
681 if (strcasecmp(attrib, "user") == 0) {
682 if (!user) {
683 result = 0;
684 continue;
685 }
686 if (match_pattern_list(user, arg, len, 0) != 1)
687 result = 0;
688 else
689 debug("user %.100s matched 'User %.100s' at "
690 "line %d", user, arg, line);
691 } else if (strcasecmp(attrib, "group") == 0) {
692 switch (match_cfg_line_group(arg, line, user)) {
693 case -1:
694 return -1;
695 case 0:
696 result = 0;
697 }
698 } else if (strcasecmp(attrib, "host") == 0) {
699 if (!host) {
700 result = 0;
701 continue;
702 }
703 if (match_hostname(host, arg, len) != 1)
704 result = 0;
705 else
706 debug("connection from %.100s matched 'Host "
707 "%.100s' at line %d", host, arg, line);
708 } else if (strcasecmp(attrib, "address") == 0) {
709 switch (addr_match_list(address, arg)) {
710 case 1:
711 debug("connection from %.100s matched 'Address "
712 "%.100s' at line %d", address, arg, line);
713 break;
714 case 0:
715 case -1:
716 result = 0;
717 break;
718 case -2:
719 return -1;
720 }
721 } else {
722 error("Unsupported Match attribute %s", attrib);
723 return -1;
724 }
725 }
726 if (user != NULL)
727 debug3("match %sfound", result ? "" : "not ");
728 *condition = cp;
729 return result;
730 }
731
732 #define WHITESPACE " \t\r\n"
733
734 int
735 process_server_config_line(ServerOptions *options, char *line,
736 const char *filename, int linenum, int *activep, const char *user,
737 const char *host, const char *address)
738 {
739 char *cp, **charptr, *arg, *p;
740 int cmdline = 0, *intptr, value, n;
741 ServerOpCodes opcode;
742 u_int i, flags = 0;
743 size_t len;
744
745 cp = line;
746 arg = strdelim(&cp);
747 /* Ignore leading whitespace */
748 if (*arg == '\0')
749 arg = strdelim(&cp);
750 if (!arg || !*arg || *arg == '#')
751 return 0;
752 intptr = NULL;
753 charptr = NULL;
754 opcode = parse_token(arg, filename, linenum, &flags);
755
756 if (activep == NULL) { /* We are processing a command line directive */
757 cmdline = 1;
758 activep = &cmdline;
759 }
760 if (*activep && opcode != sMatch)
761 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
762 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
763 if (user == NULL) {
764 fatal("%s line %d: Directive '%s' is not allowed "
765 "within a Match block", filename, linenum, arg);
766 } else { /* this is a directive we have already processed */
767 while (arg)
768 arg = strdelim(&cp);
769 return 0;
770 }
771 }
772
773 switch (opcode) {
774 /* Portable-specific options */
775 case sPAMAuthenticationViaKbdInt:
776 log("%s line %d: PAMAuthenticationViaKbdInt has been "
777 "deprecated. You should use KbdInteractiveAuthentication "
778 "instead (which defaults to \"yes\").", filename, linenum);
779 intptr = &options->pam_authentication_via_kbd_int;
780 goto parse_flag;
781
782 /* Standard Options */
783 case sBadOption:
784 return -1;
785 case sPort:
786 /* ignore ports from configfile if cmdline specifies ports */
787 if (options->ports_from_cmdline)
788 return 0;
789 if (options->listen_addrs != NULL)
790 fatal("%s line %d: ports must be specified before "
791 "ListenAddress.", filename, linenum);
792 if (options->num_ports >= MAX_PORTS)
793 fatal("%s line %d: too many ports.",
794 filename, linenum);
795 arg = strdelim(&cp);
796 if (!arg || *arg == '\0')
797 fatal("%s line %d: missing port number.",
798 filename, linenum);
799 options->ports[options->num_ports++] = a2port(arg);
800 if (options->ports[options->num_ports-1] == 0)
801 fatal("%s line %d: Badly formatted port number.",
802 filename, linenum);
803 break;
804
805 case sServerKeyBits:
806 intptr = &options->server_key_bits;
807 parse_int:
808 arg = strdelim(&cp);
809 if (!arg || *arg == '\0')
810 fatal("%s line %d: missing integer value.",
811 filename, linenum);
812 value = atoi(arg);
813 if (*activep && *intptr == -1)
814 *intptr = value;
815 break;
816
817 case sLoginGraceTime:
818 intptr = &options->login_grace_time;
819 parse_time:
820 arg = strdelim(&cp);
821 if (!arg || *arg == '\0')
822 fatal("%s line %d: missing time value.",
823 filename, linenum);
824 if ((value = convtime(arg)) == -1)
825 fatal("%s line %d: invalid time value.",
826 filename, linenum);
827 if (*intptr == -1)
828 *intptr = value;
829 break;
830
831 case sKeyRegenerationTime:
832 intptr = &options->key_regeneration_time;
833 goto parse_time;
834
835 case sListenAddress:
836 arg = strdelim(&cp);
837 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
838 fatal("%s line %d: missing inet addr.",
839 filename, linenum);
840 if (*arg == '[') {
841 if ((p = strchr(arg, ']')) == NULL)
842 fatal("%s line %d: bad ipv6 inet addr usage.",
843 filename, linenum);
844 arg++;
845 (void) memmove(p, p+1, strlen(p+1)+1);
846 } else if (((p = strchr(arg, ':')) == NULL) ||
847 (strchr(p+1, ':') != NULL)) {
848 add_listen_addr(options, arg, 0);
849 break;
850 }
851 if (*p == ':') {
852 u_short port;
853
854 p++;
855 if (*p == '\0')
856 fatal("%s line %d: bad inet addr:port usage.",
857 filename, linenum);
858 else {
859 *(p-1) = '\0';
860 if ((port = a2port(p)) == 0)
861 fatal("%s line %d: bad port number.",
862 filename, linenum);
863 add_listen_addr(options, arg, port);
864 }
865 } else if (*p == '\0')
866 add_listen_addr(options, arg, 0);
867 else
868 fatal("%s line %d: bad inet addr usage.",
869 filename, linenum);
870 break;
871
872 case sHostKeyFile:
873 intptr = &options->num_host_key_files;
874 if (*intptr >= MAX_HOSTKEYS)
875 fatal("%s line %d: too many host keys specified (max %d).",
876 filename, linenum, MAX_HOSTKEYS);
877 charptr = &options->host_key_files[*intptr];
878 parse_filename:
879 arg = strdelim(&cp);
880 if (!arg || *arg == '\0')
881 fatal("%s line %d: missing file name.",
882 filename, linenum);
883 if (*activep && *charptr == NULL) {
884 *charptr = tilde_expand_filename(arg, getuid());
885 /* increase optional counter */
886 if (intptr != NULL)
887 *intptr = *intptr + 1;
888 }
889 break;
890
891 case sPidFile:
892 charptr = &options->pid_file;
893 goto parse_filename;
894
895 case sPermitRootLogin:
896 intptr = &options->permit_root_login;
897 arg = strdelim(&cp);
898 if (!arg || *arg == '\0')
899 fatal("%s line %d: missing yes/"
900 "without-password/forced-commands-only/no "
901 "argument.", filename, linenum);
902 value = 0; /* silence compiler */
903 if (strcmp(arg, "without-password") == 0)
904 value = PERMIT_NO_PASSWD;
905 else if (strcmp(arg, "forced-commands-only") == 0)
906 value = PERMIT_FORCED_ONLY;
907 else if (strcmp(arg, "yes") == 0)
908 value = PERMIT_YES;
909 else if (strcmp(arg, "no") == 0)
910 value = PERMIT_NO;
911 else
912 fatal("%s line %d: Bad yes/"
913 "without-password/forced-commands-only/no "
914 "argument: %s", filename, linenum, arg);
915 if (*activep && *intptr == -1)
916 *intptr = value;
917 break;
918
919 case sIgnoreRhosts:
920 intptr = &options->ignore_rhosts;
921 parse_flag:
922 arg = strdelim(&cp);
923 if (!arg || *arg == '\0')
924 fatal("%s line %d: missing yes/no argument.",
925 filename, linenum);
926 value = 0; /* silence compiler */
927 if (strcmp(arg, "yes") == 0)
928 value = 1;
929 else if (strcmp(arg, "no") == 0)
930 value = 0;
931 else
932 fatal("%s line %d: Bad yes/no argument: %s",
933 filename, linenum, arg);
934 if (*activep && *intptr == -1)
935 *intptr = value;
936 break;
937
938 case sIgnoreUserKnownHosts:
939 intptr = &options->ignore_user_known_hosts;
940 goto parse_flag;
941
942 case sRhostsAuthentication:
943 intptr = &options->rhosts_authentication;
944 goto parse_flag;
945
946 case sRhostsRSAAuthentication:
947 intptr = &options->rhosts_rsa_authentication;
948 goto parse_flag;
949
950 case sHostbasedAuthentication:
951 intptr = &options->hostbased_authentication;
952 goto parse_flag;
953
954 case sHostbasedUsesNameFromPacketOnly:
955 intptr = &options->hostbased_uses_name_from_packet_only;
956 goto parse_flag;
957
958 case sRSAAuthentication:
959 intptr = &options->rsa_authentication;
960 goto parse_flag;
961
962 case sPubkeyAuthentication:
963 intptr = &options->pubkey_authentication;
964 goto parse_flag;
965 #ifdef GSSAPI
966 case sGssAuthentication:
967 intptr = &options->gss_authentication;
968 goto parse_flag;
969 case sGssKeyEx:
970 intptr = &options->gss_keyex;
971 goto parse_flag;
972 case sGssStoreDelegCreds:
973 intptr = &options->gss_keyex;
974 goto parse_flag;
975 #ifndef SUNW_GSSAPI
976 case sGssUseSessionCredCache:
977 intptr = &options->gss_use_session_ccache;
978 goto parse_flag;
979 case sGssCleanupCreds:
980 intptr = &options->gss_cleanup_creds;
981 goto parse_flag;
982 #endif /* SUNW_GSSAPI */
983 #endif /* GSSAPI */
984 #if defined(KRB4) || defined(KRB5)
985 case sKerberosAuthentication:
986 intptr = &options->kerberos_authentication;
987 goto parse_flag;
988
989 case sKerberosOrLocalPasswd:
990 intptr = &options->kerberos_or_local_passwd;
991 goto parse_flag;
992
993 case sKerberosTicketCleanup:
994 intptr = &options->kerberos_ticket_cleanup;
995 goto parse_flag;
996 #endif
997 #if defined(AFS) || defined(KRB5)
998 case sKerberosTgtPassing:
999 intptr = &options->kerberos_tgt_passing;
1000 goto parse_flag;
1001 #endif
1002 #ifdef AFS
1003 case sAFSTokenPassing:
1004 intptr = &options->afs_token_passing;
1005 goto parse_flag;
1006 #endif
1007
1008 case sPasswordAuthentication:
1009 intptr = &options->password_authentication;
1010 goto parse_flag;
1011
1012 case sKbdInteractiveAuthentication:
1013 intptr = &options->kbd_interactive_authentication;
1014 goto parse_flag;
1015
1016 case sChallengeResponseAuthentication:
1017 intptr = &options->challenge_response_authentication;
1018 goto parse_flag;
1019
1020 case sPrintMotd:
1021 intptr = &options->print_motd;
1022 goto parse_flag;
1023
1024 case sPrintLastLog:
1025 intptr = &options->print_lastlog;
1026 goto parse_flag;
1027
1028 case sX11Forwarding:
1029 intptr = &options->x11_forwarding;
1030 goto parse_flag;
1031
1032 case sX11DisplayOffset:
1033 intptr = &options->x11_display_offset;
1034 goto parse_int;
1035
1036 case sX11UseLocalhost:
1037 intptr = &options->x11_use_localhost;
1038 goto parse_flag;
1039
1040 case sXAuthLocation:
1041 charptr = &options->xauth_location;
1042 goto parse_filename;
1043
1044 case sStrictModes:
1045 intptr = &options->strict_modes;
1046 goto parse_flag;
1047
1048 case sKeepAlives:
1049 intptr = &options->keepalives;
1050 goto parse_flag;
1051
1052 case sEmptyPasswd:
1053 intptr = &options->permit_empty_passwd;
1054 goto parse_flag;
1055
1056 case sPermitUserEnvironment:
1057 intptr = &options->permit_user_env;
1058 goto parse_flag;
1059
1060 case sUseLogin:
1061 log("%s line %d: ignoring UseLogin option value."
1062 " This option is always off.", filename, linenum);
1063 while (arg)
1064 arg = strdelim(&cp);
1065 break;
1066
1067 case sCompression:
1068 intptr = &options->compression;
1069 goto parse_flag;
1070
1071 case sGatewayPorts:
1072 intptr = &options->gateway_ports;
1073 arg = strdelim(&cp);
1074 if (!arg || *arg == '\0')
1075 fatal("%s line %d: missing yes/no/clientspecified "
1076 "argument.", filename, linenum);
1077 value = 0; /* silence compiler */
1078 if (strcmp(arg, "clientspecified") == 0)
1079 value = 2;
1080 else if (strcmp(arg, "yes") == 0)
1081 value = 1;
1082 else if (strcmp(arg, "no") == 0)
1083 value = 0;
1084 else
1085 fatal("%s line %d: Bad yes/no/clientspecified "
1086 "argument: %s", filename, linenum, arg);
1087 if (*activep && *intptr == -1)
1088 *intptr = value;
1089 break;
1090
1091 case sVerifyReverseMapping:
1092 intptr = &options->verify_reverse_mapping;
1093 goto parse_flag;
1094
1095 case sLogFacility:
1096 intptr = (int *) &options->log_facility;
1097 arg = strdelim(&cp);
1098 value = log_facility_number(arg);
1099 if (value == SYSLOG_FACILITY_NOT_SET)
1100 fatal("%.200s line %d: unsupported log facility '%s'",
1101 filename, linenum, arg ? arg : "<NONE>");
1102 if (*intptr == -1)
1103 *intptr = (SyslogFacility) value;
1104 break;
1105
1106 case sLogLevel:
1107 intptr = (int *) &options->log_level;
1108 arg = strdelim(&cp);
1109 value = log_level_number(arg);
1110 if (value == SYSLOG_LEVEL_NOT_SET)
1111 fatal("%.200s line %d: unsupported log level '%s'",
1112 filename, linenum, arg ? arg : "<NONE>");
1113 if (*intptr == -1)
1114 *intptr = (LogLevel) value;
1115 break;
1116
1117 case sAllowTcpForwarding:
1118 intptr = &options->allow_tcp_forwarding;
1119 goto parse_flag;
1120
1121 case sUsePrivilegeSeparation:
1122 log("%s line %d: ignoring UsePrivilegeSeparation option value."
1123 " This option is always on.", filename, linenum);
1124 while (arg)
1125 arg = strdelim(&cp);
1126 break;
1127
1128 case sAllowUsers:
1129 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1130 if (options->num_allow_users >= MAX_ALLOW_USERS)
1131 fatal("%s line %d: too many allow users.",
1132 filename, linenum);
1133 options->allow_users[options->num_allow_users++] =
1134 xstrdup(arg);
1135 }
1136 break;
1137
1138 case sDenyUsers:
1139 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1140 if (options->num_deny_users >= MAX_DENY_USERS)
1141 fatal( "%s line %d: too many deny users.",
1142 filename, linenum);
1143 options->deny_users[options->num_deny_users++] =
1144 xstrdup(arg);
1145 }
1146 break;
1147
1148 case sAllowGroups:
1149 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1150 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1151 fatal("%s line %d: too many allow groups.",
1152 filename, linenum);
1153 options->allow_groups[options->num_allow_groups++] =
1154 xstrdup(arg);
1155 }
1156 break;
1157
1158 case sDenyGroups:
1159 while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
1160 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1161 fatal("%s line %d: too many deny groups.",
1162 filename, linenum);
1163 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1164 }
1165 break;
1166
1167 case sCiphers:
1168 arg = strdelim(&cp);
1169 if (!arg || *arg == '\0')
1170 fatal("%s line %d: Missing argument.", filename, linenum);
1171 if (!ciphers_valid(arg))
1172 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1173 filename, linenum, arg ? arg : "<NONE>");
1174 if (options->ciphers == NULL)
1175 options->ciphers = xstrdup(arg);
1176 break;
1177
1178 case sMacs:
1179 arg = strdelim(&cp);
1180 if (!arg || *arg == '\0')
1181 fatal("%s line %d: Missing argument.", filename, linenum);
1182 if (!mac_valid(arg))
1183 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1184 filename, linenum, arg ? arg : "<NONE>");
1185 if (options->macs == NULL)
1186 options->macs = xstrdup(arg);
1187 break;
1188
1189 case sProtocol:
1190 intptr = &options->protocol;
1191 arg = strdelim(&cp);
1192 if (!arg || *arg == '\0')
1193 fatal("%s line %d: Missing argument.", filename, linenum);
1194 value = proto_spec(arg);
1195 if (value == SSH_PROTO_UNKNOWN)
1196 fatal("%s line %d: Bad protocol spec '%s'.",
1197 filename, linenum, arg ? arg : "<NONE>");
1198 if (*intptr == SSH_PROTO_UNKNOWN)
1199 *intptr = value;
1200 break;
1201
1202 case sSubsystem:
1203 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1204 fatal("%s line %d: too many subsystems defined.",
1205 filename, linenum);
1206 }
1207 arg = strdelim(&cp);
1208 if (!arg || *arg == '\0')
1209 fatal("%s line %d: Missing subsystem name.",
1210 filename, linenum);
1211 if (!*activep) {
1212 arg = strdelim(&cp);
1213 break;
1214 }
1215 for (i = 0; i < options->num_subsystems; i++)
1216 if (strcmp(arg, options->subsystem_name[i]) == 0)
1217 fatal("%s line %d: Subsystem '%s' already defined.",
1218 filename, linenum, arg);
1219 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1220 arg = strdelim(&cp);
1221 if (!arg || *arg == '\0')
1222 fatal("%s line %d: Missing subsystem command.",
1223 filename, linenum);
1224 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1225
1226 /*
1227 * Collect arguments (separate to executable), including the
1228 * name of the executable, in a way that is easier to parse
1229 * later.
1230 */
1231 p = xstrdup(arg);
1232 len = strlen(p) + 1;
1233 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1234 len += 1 + strlen(arg);
1235 p = xrealloc(p, len);
1236 strlcat(p, " ", len);
1237 strlcat(p, arg, len);
1238 }
1239 options->subsystem_args[options->num_subsystems] = p;
1240 options->num_subsystems++;
1241 break;
1242
1243 case sMaxStartups:
1244 arg = strdelim(&cp);
1245 if (!arg || *arg == '\0')
1246 fatal("%s line %d: Missing MaxStartups spec.",
1247 filename, linenum);
1248 if ((n = sscanf(arg, "%d:%d:%d",
1249 &options->max_startups_begin,
1250 &options->max_startups_rate,
1251 &options->max_startups)) == 3) {
1252 if (options->max_startups_begin >
1253 options->max_startups ||
1254 options->max_startups_rate > 100 ||
1255 options->max_startups_rate < 1)
1256 fatal("%s line %d: Illegal MaxStartups spec.",
1257 filename, linenum);
1258 } else if (n != 1)
1259 fatal("%s line %d: Illegal MaxStartups spec.",
1260 filename, linenum);
1261 else
1262 options->max_startups = options->max_startups_begin;
1263 break;
1264
1265 case sBanner:
1266 charptr = &options->banner;
1267 goto parse_filename;
1268 /*
1269 * These options can contain %X options expanded at
1270 * connect time, so that you can specify paths like:
1271 *
1272 * AuthorizedKeysFile /etc/ssh_keys/%u
1273 */
1274 case sAuthorizedKeysFile:
1275 case sAuthorizedKeysFile2:
1276 charptr = (opcode == sAuthorizedKeysFile) ?
1277 &options->authorized_keys_file :
1278 &options->authorized_keys_file2;
1279 goto parse_filename;
1280
1281 case sClientAliveInterval:
1282 intptr = &options->client_alive_interval;
1283 goto parse_time;
1284
1285 case sClientAliveCountMax:
1286 intptr = &options->client_alive_count_max;
1287 goto parse_int;
1288
1289 case sMaxAuthTries:
1290 intptr = &options->max_auth_tries;
1291 goto parse_int;
1292
1293 case sMaxAuthTriesLog:
1294 intptr = &options->max_auth_tries_log;
1295 goto parse_int;
1296
1297 case sLookupClientHostnames:
1298 intptr = &options->lookup_client_hostnames;
1299 goto parse_flag;
1300
1301 case sUseOpenSSLEngine:
1302 intptr = &options->use_openssl_engine;
1303 goto parse_flag;
1304
1305 case sChrootDirectory:
1306 charptr = &options->chroot_directory;
1307
1308 arg = strdelim(&cp);
1309 if (arg == NULL || *arg == '\0')
1310 fatal("%s line %d: missing directory name for "
1311 "ChrootDirectory.", filename, linenum);
1312 if (*activep && *charptr == NULL)
1313 *charptr = xstrdup(arg);
1314 break;
1315
1316 case sPreUserauthHook:
1317 charptr = &options->pre_userauth_hook;
1318 goto parse_filename;
1319
1320 case sMatch:
1321 if (cmdline)
1322 fatal("Match directive not supported as a command-line "
1323 "option");
1324 value = match_cfg_line(&cp, linenum, user, host, address);
1325 if (value < 0)
1326 fatal("%s line %d: Bad Match condition", filename,
1327 linenum);
1328 *activep = value;
1329 break;
1330
1331 case sDeprecated:
1332 log("%s line %d: Deprecated option %s",
1333 filename, linenum, arg);
1334 while (arg)
1335 arg = strdelim(&cp);
1336 break;
1337
1338 case sPAMServicePrefix:
1339 arg = strdelim(&cp);
1340 if (!arg || *arg == '\0')
1341 fatal("%s line %d: Missing argument.",
1342 filename, linenum);
1343 if (options->pam_service_name != NULL)
1344 fatal("%s line %d: PAMServiceName and PAMServicePrefix "
1345 "are mutually exclusive.", filename, linenum);
1346 if (options->pam_service_prefix == NULL)
1347 options->pam_service_prefix = xstrdup(arg);
1348 break;
1349
1350 case sPAMServiceName:
1351 arg = strdelim(&cp);
1352 if (!arg || *arg == '\0')
1353 fatal("%s line %d: Missing argument.",
1354 filename, linenum);
1355 if (options->pam_service_prefix != NULL)
1356 fatal("%s line %d: PAMServiceName and PAMServicePrefix "
1357 "are mutually exclusive.", filename, linenum);
1358 if (options->pam_service_name == NULL)
1359 options->pam_service_name = xstrdup(arg);
1360 break;
1361
1362 case sPubKeyPlugin:
1363 charptr = &options->pubkey_plugin;
1364 goto parse_filename;
1365
1366 default:
1367 fatal("%s line %d: Missing handler for opcode %s (%d)",
1368 filename, linenum, arg, opcode);
1369 }
1370 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1371 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1372 filename, linenum, arg);
1373 return 0;
1374 }
1375
1376
1377 /* Reads the server configuration file. */
1378
1379 void
1380 load_server_config(const char *filename, Buffer *conf)
1381 {
1382 char line[1024], *cp;
1383 FILE *f;
1384
1385 debug2("%s: filename %s", __func__, filename);
1386 if ((f = fopen(filename, "r")) == NULL) {
1387 perror(filename);
1388 exit(1);
1389 }
1390 buffer_clear(conf);
1391 while (fgets(line, sizeof(line), f)) {
1392 /*
1393 * Trim out comments and strip whitespace
1394 * NB - preserve newlines, they are needed to reproduce
1395 * line numbers later for error messages
1396 */
1397 if ((cp = strchr(line, '#')) != NULL)
1398 memcpy(cp, "\n", 2);
1399 cp = line + strspn(line, " \t\r");
1400
1401 buffer_append(conf, cp, strlen(cp));
1402 }
1403 buffer_append(conf, "\0", 1);
1404 fclose(f);
1405 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1406 }
1407
1408 void
1409 parse_server_match_config(ServerOptions *options, const char *user,
1410 const char *host, const char *address)
1411 {
1412 ServerOptions mo;
1413
1414 initialize_server_options(&mo);
1415 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1416 copy_set_server_options(options, &mo, 0);
1417 }
1418
1419
1420
1421 /* Helper macros */
1422 #define M_CP_INTOPT(n) do {\
1423 if (src->n != -1) \
1424 dst->n = src->n; \
1425 } while (0)
1426 #define M_CP_STROPT(n) do {\
1427 if (src->n != NULL) { \
1428 if (dst->n != NULL) \
1429 xfree(dst->n); \
1430 dst->n = src->n; \
1431 } \
1432 } while(0)
1433
1434 /*
1435 * Copy any supported values that are set.
1436 *
1437 * If the preauth flag is set, we do not bother copying the the string or
1438 * array values that are not used pre-authentication, because any that we
1439 * do use must be explictly sent in mm_getpwnamallow().
1440 */
1441 void
1442 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1443 {
1444 M_CP_INTOPT(password_authentication);
1445 M_CP_INTOPT(gss_authentication);
1446 M_CP_INTOPT(rsa_authentication);
1447 M_CP_INTOPT(pubkey_authentication);
1448 M_CP_INTOPT(hostbased_authentication);
1449 M_CP_INTOPT(kbd_interactive_authentication);
1450 M_CP_INTOPT(permit_root_login);
1451 M_CP_INTOPT(permit_empty_passwd);
1452 M_CP_INTOPT(allow_tcp_forwarding);
1453 M_CP_INTOPT(gateway_ports);
1454 M_CP_INTOPT(x11_display_offset);
1455 M_CP_INTOPT(x11_forwarding);
1456 M_CP_INTOPT(x11_use_localhost);
1457 M_CP_INTOPT(max_auth_tries);
1458 M_CP_STROPT(banner);
1459
1460 if (preauth)
1461 return;
1462 M_CP_STROPT(chroot_directory);
1463 }
1464
1465 #undef M_CP_INTOPT
1466 #undef M_CP_STROPT
1467
1468 void
1469 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1470 const char *user, const char *host, const char *address)
1471 {
1472 int active, linenum, bad_options = 0;
1473 char *cp, *obuf, *cbuf;
1474
1475 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1476
1477 obuf = cbuf = xstrdup(buffer_ptr(conf));
1478 active = user ? 0 : 1;
1479 linenum = 1;
1480 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1481 if (process_server_config_line(options, cp, filename,
1482 linenum++, &active, user, host, address) != 0)
1483 bad_options++;
1484 }
1485 xfree(obuf);
1486 if (bad_options > 0)
1487 fatal("%s: terminating, %d bad configuration options",
1488 filename, bad_options);
1489 }
1490
1491
1492 /*
1493 * Note that "none" is a special path having the same affect on sshd
1494 * configuration as not specifying ChrootDirectory at all.
1495 */
1496 int
1497 chroot_requested(char *chroot_directory)
1498 {
1499 return (chroot_directory != NULL &&
1500 strcasecmp(chroot_directory, "none") != 0);
1501 }