servconf.c revision 323120
1 2/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */ 3/* 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14#include "includes.h" 15__RCSID("$FreeBSD: stable/10/crypto/openssh/servconf.c 323120 2017-09-01 21:24:32Z des $"); 16 17#include <sys/types.h> 18#include <sys/socket.h> 19 20#include <netinet/in.h> 21#include <netinet/in_systm.h> 22#include <netinet/ip.h> 23 24#include <ctype.h> 25#include <netdb.h> 26#include <pwd.h> 27#include <stdio.h> 28#include <stdlib.h> 29#include <string.h> 30#include <signal.h> 31#include <unistd.h> 32#include <limits.h> 33#include <stdarg.h> 34#include <errno.h> 35#ifdef HAVE_UTIL_H 36#include <util.h> 37#endif 38 39#include "openbsd-compat/sys-queue.h" 40#include "xmalloc.h" 41#include "ssh.h" 42#include "log.h" 43#include "buffer.h" 44#include "misc.h" 45#include "servconf.h" 46#include "compat.h" 47#include "pathnames.h" 48#include "cipher.h" 49#include "key.h" 50#include "kex.h" 51#include "mac.h" 52#include "match.h" 53#include "channels.h" 54#include "groupaccess.h" 55#include "canohost.h" 56#include "packet.h" 57#include "hostfile.h" 58#include "auth.h" 59#include "myproposal.h" 60#include "digest.h" 61#include "version.h" 62 63static void add_listen_addr(ServerOptions *, char *, int); 64static void add_one_listen_addr(ServerOptions *, char *, int); 65 66/* Use of privilege separation or not */ 67extern int use_privsep; 68extern Buffer cfg; 69 70/* Initializes the server options to their default values. */ 71 72void 73initialize_server_options(ServerOptions *options) 74{ 75 memset(options, 0, sizeof(*options)); 76 77 /* Portable-specific options */ 78 options->use_pam = -1; 79 80 /* Standard Options */ 81 options->num_ports = 0; 82 options->ports_from_cmdline = 0; 83 options->queued_listen_addrs = NULL; 84 options->num_queued_listens = 0; 85 options->listen_addrs = NULL; 86 options->address_family = -1; 87 options->num_host_key_files = 0; 88 options->num_host_cert_files = 0; 89 options->host_key_agent = NULL; 90 options->pid_file = NULL; 91 options->server_key_bits = -1; 92 options->login_grace_time = -1; 93 options->key_regeneration_time = -1; 94 options->permit_root_login = PERMIT_NOT_SET; 95 options->ignore_rhosts = -1; 96 options->ignore_user_known_hosts = -1; 97 options->print_motd = -1; 98 options->print_lastlog = -1; 99 options->x11_forwarding = -1; 100 options->x11_display_offset = -1; 101 options->x11_use_localhost = -1; 102 options->permit_tty = -1; 103 options->permit_user_rc = -1; 104 options->xauth_location = NULL; 105 options->strict_modes = -1; 106 options->tcp_keep_alive = -1; 107 options->log_facility = SYSLOG_FACILITY_NOT_SET; 108 options->log_level = SYSLOG_LEVEL_NOT_SET; 109 options->rhosts_rsa_authentication = -1; 110 options->hostbased_authentication = -1; 111 options->hostbased_uses_name_from_packet_only = -1; 112 options->hostbased_key_types = NULL; 113 options->hostkeyalgorithms = NULL; 114 options->rsa_authentication = -1; 115 options->pubkey_authentication = -1; 116 options->pubkey_key_types = NULL; 117 options->kerberos_authentication = -1; 118 options->kerberos_or_local_passwd = -1; 119 options->kerberos_ticket_cleanup = -1; 120 options->kerberos_get_afs_token = -1; 121 options->gss_authentication=-1; 122 options->gss_cleanup_creds = -1; 123 options->gss_strict_acceptor = -1; 124 options->password_authentication = -1; 125 options->kbd_interactive_authentication = -1; 126 options->challenge_response_authentication = -1; 127 options->permit_empty_passwd = -1; 128 options->permit_user_env = -1; 129 options->use_login = -1; 130 options->compression = -1; 131 options->rekey_limit = -1; 132 options->rekey_interval = -1; 133 options->allow_tcp_forwarding = -1; 134 options->allow_streamlocal_forwarding = -1; 135 options->allow_agent_forwarding = -1; 136 options->num_allow_users = 0; 137 options->num_deny_users = 0; 138 options->num_allow_groups = 0; 139 options->num_deny_groups = 0; 140 options->ciphers = NULL; 141 options->macs = NULL; 142 options->kex_algorithms = NULL; 143 options->protocol = SSH_PROTO_UNKNOWN; 144 options->fwd_opts.gateway_ports = -1; 145 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; 146 options->fwd_opts.streamlocal_bind_unlink = -1; 147 options->num_subsystems = 0; 148 options->max_startups_begin = -1; 149 options->max_startups_rate = -1; 150 options->max_startups = -1; 151 options->max_authtries = -1; 152 options->max_sessions = -1; 153 options->banner = NULL; 154 options->use_dns = -1; 155 options->client_alive_interval = -1; 156 options->client_alive_count_max = -1; 157 options->num_authkeys_files = 0; 158 options->num_accept_env = 0; 159 options->permit_tun = -1; 160 options->num_permitted_opens = -1; 161 options->adm_forced_command = NULL; 162 options->chroot_directory = NULL; 163 options->authorized_keys_command = NULL; 164 options->authorized_keys_command_user = NULL; 165 options->revoked_keys_file = NULL; 166 options->trusted_user_ca_keys = NULL; 167 options->authorized_principals_file = NULL; 168 options->authorized_principals_command = NULL; 169 options->authorized_principals_command_user = NULL; 170 options->ip_qos_interactive = -1; 171 options->ip_qos_bulk = -1; 172 options->version_addendum = NULL; 173 options->fingerprint_hash = -1; 174} 175 176/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 177static int 178option_clear_or_none(const char *o) 179{ 180 return o == NULL || strcasecmp(o, "none") == 0; 181} 182 183static void 184assemble_algorithms(ServerOptions *o) 185{ 186 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || 187 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || 188 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || 189 kex_assemble_names(KEX_DEFAULT_PK_ALG, 190 &o->hostkeyalgorithms) != 0 || 191 kex_assemble_names(KEX_DEFAULT_PK_ALG, 192 &o->hostbased_key_types) != 0 || 193 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) 194 fatal("kex_assemble_names failed"); 195} 196 197void 198fill_default_server_options(ServerOptions *options) 199{ 200 int i; 201 202 /* Portable-specific options */ 203 if (options->use_pam == -1) 204 options->use_pam = 1; 205 206 /* Standard Options */ 207 if (options->protocol == SSH_PROTO_UNKNOWN) 208 options->protocol = SSH_PROTO_2; 209 if (options->protocol & SSH_PROTO_1) 210 error("WARNING: SSH protocol version 1 enabled"); 211 if (options->num_host_key_files == 0) { 212 /* fill default hostkeys for protocols */ 213 if (options->protocol & SSH_PROTO_1) 214 options->host_key_files[options->num_host_key_files++] = 215 _PATH_HOST_KEY_FILE; 216 if (options->protocol & SSH_PROTO_2) { 217 options->host_key_files[options->num_host_key_files++] = 218 _PATH_HOST_RSA_KEY_FILE; 219 options->host_key_files[options->num_host_key_files++] = 220 _PATH_HOST_DSA_KEY_FILE; 221#ifdef OPENSSL_HAS_ECC 222 options->host_key_files[options->num_host_key_files++] = 223 _PATH_HOST_ECDSA_KEY_FILE; 224#endif 225 options->host_key_files[options->num_host_key_files++] = 226 _PATH_HOST_ED25519_KEY_FILE; 227 } 228 } 229 /* No certificates by default */ 230 if (options->num_ports == 0) 231 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 232 if (options->address_family == -1) 233 options->address_family = AF_UNSPEC; 234 if (options->listen_addrs == NULL) 235 add_listen_addr(options, NULL, 0); 236 if (options->pid_file == NULL) 237 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); 238 if (options->server_key_bits == -1) 239 options->server_key_bits = 1024; 240 if (options->login_grace_time == -1) 241 options->login_grace_time = 120; 242 if (options->key_regeneration_time == -1) 243 options->key_regeneration_time = 3600; 244 if (options->permit_root_login == PERMIT_NOT_SET) 245 options->permit_root_login = PERMIT_NO; 246 if (options->ignore_rhosts == -1) 247 options->ignore_rhosts = 1; 248 if (options->ignore_user_known_hosts == -1) 249 options->ignore_user_known_hosts = 0; 250 if (options->print_motd == -1) 251 options->print_motd = 1; 252 if (options->print_lastlog == -1) 253 options->print_lastlog = 1; 254 if (options->x11_forwarding == -1) 255 options->x11_forwarding = 1; 256 if (options->x11_display_offset == -1) 257 options->x11_display_offset = 10; 258 if (options->x11_use_localhost == -1) 259 options->x11_use_localhost = 1; 260 if (options->xauth_location == NULL) 261 options->xauth_location = xstrdup(_PATH_XAUTH); 262 if (options->permit_tty == -1) 263 options->permit_tty = 1; 264 if (options->permit_user_rc == -1) 265 options->permit_user_rc = 1; 266 if (options->strict_modes == -1) 267 options->strict_modes = 1; 268 if (options->tcp_keep_alive == -1) 269 options->tcp_keep_alive = 1; 270 if (options->log_facility == SYSLOG_FACILITY_NOT_SET) 271 options->log_facility = SYSLOG_FACILITY_AUTH; 272 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 273 options->log_level = SYSLOG_LEVEL_INFO; 274 if (options->rhosts_rsa_authentication == -1) 275 options->rhosts_rsa_authentication = 0; 276 if (options->hostbased_authentication == -1) 277 options->hostbased_authentication = 0; 278 if (options->hostbased_uses_name_from_packet_only == -1) 279 options->hostbased_uses_name_from_packet_only = 0; 280 if (options->rsa_authentication == -1) 281 options->rsa_authentication = 1; 282 if (options->pubkey_authentication == -1) 283 options->pubkey_authentication = 1; 284 if (options->kerberos_authentication == -1) 285 options->kerberos_authentication = 0; 286 if (options->kerberos_or_local_passwd == -1) 287 options->kerberos_or_local_passwd = 1; 288 if (options->kerberos_ticket_cleanup == -1) 289 options->kerberos_ticket_cleanup = 1; 290 if (options->kerberos_get_afs_token == -1) 291 options->kerberos_get_afs_token = 0; 292 if (options->gss_authentication == -1) 293 options->gss_authentication = 0; 294 if (options->gss_cleanup_creds == -1) 295 options->gss_cleanup_creds = 1; 296 if (options->gss_strict_acceptor == -1) 297 options->gss_strict_acceptor = 0; 298 if (options->password_authentication == -1) 299 options->password_authentication = 0; 300 if (options->kbd_interactive_authentication == -1) 301 options->kbd_interactive_authentication = 0; 302 if (options->challenge_response_authentication == -1) 303 options->challenge_response_authentication = 1; 304 if (options->permit_empty_passwd == -1) 305 options->permit_empty_passwd = 0; 306 if (options->permit_user_env == -1) 307 options->permit_user_env = 0; 308 if (options->use_login == -1) 309 options->use_login = 0; 310 if (options->compression == -1) 311 options->compression = COMP_DELAYED; 312 if (options->rekey_limit == -1) 313 options->rekey_limit = 0; 314 if (options->rekey_interval == -1) 315 options->rekey_interval = 0; 316 if (options->allow_tcp_forwarding == -1) 317 options->allow_tcp_forwarding = FORWARD_ALLOW; 318 if (options->allow_streamlocal_forwarding == -1) 319 options->allow_streamlocal_forwarding = FORWARD_ALLOW; 320 if (options->allow_agent_forwarding == -1) 321 options->allow_agent_forwarding = 1; 322 if (options->fwd_opts.gateway_ports == -1) 323 options->fwd_opts.gateway_ports = 0; 324 if (options->max_startups == -1) 325 options->max_startups = 100; 326 if (options->max_startups_rate == -1) 327 options->max_startups_rate = 30; /* 30% */ 328 if (options->max_startups_begin == -1) 329 options->max_startups_begin = 10; 330 if (options->max_authtries == -1) 331 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 332 if (options->max_sessions == -1) 333 options->max_sessions = DEFAULT_SESSIONS_MAX; 334 if (options->use_dns == -1) 335 options->use_dns = 1; 336 if (options->client_alive_interval == -1) 337 options->client_alive_interval = 0; 338 if (options->client_alive_count_max == -1) 339 options->client_alive_count_max = 3; 340 if (options->num_authkeys_files == 0) { 341 options->authorized_keys_files[options->num_authkeys_files++] = 342 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); 343 options->authorized_keys_files[options->num_authkeys_files++] = 344 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); 345 } 346 if (options->permit_tun == -1) 347 options->permit_tun = SSH_TUNMODE_NO; 348 if (options->ip_qos_interactive == -1) 349 options->ip_qos_interactive = IPTOS_LOWDELAY; 350 if (options->ip_qos_bulk == -1) 351 options->ip_qos_bulk = IPTOS_THROUGHPUT; 352 if (options->version_addendum == NULL) 353 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD); 354 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 355 options->fwd_opts.streamlocal_bind_mask = 0177; 356 if (options->fwd_opts.streamlocal_bind_unlink == -1) 357 options->fwd_opts.streamlocal_bind_unlink = 0; 358 if (options->fingerprint_hash == -1) 359 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 360 361 assemble_algorithms(options); 362 363 /* Turn privilege separation and sandboxing on by default */ 364 if (use_privsep == -1) 365 use_privsep = PRIVSEP_ON; 366 367#define CLEAR_ON_NONE(v) \ 368 do { \ 369 if (option_clear_or_none(v)) { \ 370 free(v); \ 371 v = NULL; \ 372 } \ 373 } while(0) 374 CLEAR_ON_NONE(options->pid_file); 375 CLEAR_ON_NONE(options->xauth_location); 376 CLEAR_ON_NONE(options->banner); 377 CLEAR_ON_NONE(options->trusted_user_ca_keys); 378 CLEAR_ON_NONE(options->revoked_keys_file); 379 CLEAR_ON_NONE(options->authorized_principals_file); 380 CLEAR_ON_NONE(options->adm_forced_command); 381 CLEAR_ON_NONE(options->chroot_directory); 382 for (i = 0; i < options->num_host_key_files; i++) 383 CLEAR_ON_NONE(options->host_key_files[i]); 384 for (i = 0; i < options->num_host_cert_files; i++) 385 CLEAR_ON_NONE(options->host_cert_files[i]); 386#undef CLEAR_ON_NONE 387 388 /* Similar handling for AuthenticationMethods=any */ 389 if (options->num_auth_methods == 1 && 390 strcmp(options->auth_methods[0], "any") == 0) { 391 free(options->auth_methods[0]); 392 options->auth_methods[0] = NULL; 393 options->num_auth_methods = 0; 394 } 395 396#ifndef HAVE_MMAP 397 if (use_privsep && options->compression == 1) { 398 error("This platform does not support both privilege " 399 "separation and compression"); 400 error("Compression disabled"); 401 options->compression = 0; 402 } 403#endif 404 405} 406 407/* Keyword tokens. */ 408typedef enum { 409 sBadOption, /* == unknown option */ 410 /* Portable-specific options */ 411 sUsePAM, 412 /* Standard Options */ 413 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, 414 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, 415 sRhostsRSAAuthentication, sRSAAuthentication, 416 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 417 sKerberosGetAFSToken, 418 sKerberosTgtPassing, sChallengeResponseAuthentication, 419 sPasswordAuthentication, sKbdInteractiveAuthentication, 420 sListenAddress, sAddressFamily, 421 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 422 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 423 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, 424 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 425 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 426 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 427 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, 428 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, 429 sBanner, sUseDNS, sHostbasedAuthentication, 430 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, 431 sHostKeyAlgorithms, 432 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 433 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 434 sAcceptEnv, sPermitTunnel, 435 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 436 sUsePrivilegeSeparation, sAllowAgentForwarding, 437 sHostCertificate, 438 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 439 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, 440 sKexAlgorithms, sIPQoS, sVersionAddendum, 441 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 442 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 443 sStreamLocalBindMask, sStreamLocalBindUnlink, 444 sAllowStreamLocalForwarding, sFingerprintHash, 445 sDeprecated, sUnsupported 446} ServerOpCodes; 447 448#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ 449#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ 450#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) 451 452/* Textual representation of the tokens. */ 453static struct { 454 const char *name; 455 ServerOpCodes opcode; 456 u_int flags; 457} keywords[] = { 458 /* Portable-specific options */ 459#ifdef USE_PAM 460 { "usepam", sUsePAM, SSHCFG_GLOBAL }, 461#else 462 { "usepam", sUnsupported, SSHCFG_GLOBAL }, 463#endif 464 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, 465 /* Standard Options */ 466 { "port", sPort, SSHCFG_GLOBAL }, 467 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 468 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 469 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, 470 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 471 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 472 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 473 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, 474 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, 475 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, 476 { "loglevel", sLogLevel, SSHCFG_GLOBAL }, 477 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, 478 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, 479 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, 480 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, 481 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, 482 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, 483 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, 484 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, 485 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, 486 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ 487#ifdef KRB5 488 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, 489 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, 490 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, 491#ifdef USE_AFS 492 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, 493#else 494 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 495#endif 496#else 497 { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, 498 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, 499 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, 500 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 501#endif 502 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, 503 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, 504#ifdef GSSAPI 505 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 506 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 507 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 508#else 509 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 510 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 511 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 512#endif 513 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 514 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 515 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 516 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 517 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 518 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 519 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 520 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 521#ifdef DISABLE_LASTLOG 522 { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, 523#else 524 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 525#endif 526 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 527 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 528 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 529 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, 530 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 531 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 532 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 533 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 534 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 535 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 536 { "compression", sCompression, SSHCFG_GLOBAL }, 537 { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, 538 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 539 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 540 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 541 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, 542 { "allowusers", sAllowUsers, SSHCFG_ALL }, 543 { "denyusers", sDenyUsers, SSHCFG_ALL }, 544 { "allowgroups", sAllowGroups, SSHCFG_ALL }, 545 { "denygroups", sDenyGroups, SSHCFG_ALL }, 546 { "ciphers", sCiphers, SSHCFG_GLOBAL }, 547 { "macs", sMacs, SSHCFG_GLOBAL }, 548 { "protocol", sProtocol, SSHCFG_GLOBAL }, 549 { "gatewayports", sGatewayPorts, SSHCFG_ALL }, 550 { "subsystem", sSubsystem, SSHCFG_GLOBAL }, 551 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, 552 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, 553 { "maxsessions", sMaxSessions, SSHCFG_ALL }, 554 { "banner", sBanner, SSHCFG_ALL }, 555 { "usedns", sUseDNS, SSHCFG_GLOBAL }, 556 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, 557 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 558 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, 559 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, 560 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, 561 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, 562 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 563 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 564 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 565 { "permittty", sPermitTTY, SSHCFG_ALL }, 566 { "permituserrc", sPermitUserRC, SSHCFG_ALL }, 567 { "match", sMatch, SSHCFG_ALL }, 568 { "permitopen", sPermitOpen, SSHCFG_ALL }, 569 { "forcecommand", sForceCommand, SSHCFG_ALL }, 570 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, 571 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, 572 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 573 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 574 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 575 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 576 { "ipqos", sIPQoS, SSHCFG_ALL }, 577 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, 578 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 579 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL }, 580 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL }, 581 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 582 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 583 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, 584 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 585 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 586 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 587 { "noneenabled", sUnsupported, SSHCFG_ALL }, 588 { "hpndisabled", sDeprecated, SSHCFG_ALL }, 589 { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, 590 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, 591 { NULL, sBadOption, 0 } 592}; 593 594static struct { 595 int val; 596 char *text; 597} tunmode_desc[] = { 598 { SSH_TUNMODE_NO, "no" }, 599 { SSH_TUNMODE_POINTOPOINT, "point-to-point" }, 600 { SSH_TUNMODE_ETHERNET, "ethernet" }, 601 { SSH_TUNMODE_YES, "yes" }, 602 { -1, NULL } 603}; 604 605/* 606 * Returns the number of the token pointed to by cp or sBadOption. 607 */ 608 609static ServerOpCodes 610parse_token(const char *cp, const char *filename, 611 int linenum, u_int *flags) 612{ 613 u_int i; 614 615 for (i = 0; keywords[i].name; i++) 616 if (strcasecmp(cp, keywords[i].name) == 0) { 617 *flags = keywords[i].flags; 618 return keywords[i].opcode; 619 } 620 621 error("%s: line %d: Bad configuration option: %s", 622 filename, linenum, cp); 623 return sBadOption; 624} 625 626char * 627derelativise_path(const char *path) 628{ 629 char *expanded, *ret, cwd[PATH_MAX]; 630 631 if (strcasecmp(path, "none") == 0) 632 return xstrdup("none"); 633 expanded = tilde_expand_filename(path, getuid()); 634 if (*expanded == '/') 635 return expanded; 636 if (getcwd(cwd, sizeof(cwd)) == NULL) 637 fatal("%s: getcwd: %s", __func__, strerror(errno)); 638 xasprintf(&ret, "%s/%s", cwd, expanded); 639 free(expanded); 640 return ret; 641} 642 643static void 644add_listen_addr(ServerOptions *options, char *addr, int port) 645{ 646 u_int i; 647 648 if (port == 0) 649 for (i = 0; i < options->num_ports; i++) 650 add_one_listen_addr(options, addr, options->ports[i]); 651 else 652 add_one_listen_addr(options, addr, port); 653} 654 655static void 656add_one_listen_addr(ServerOptions *options, char *addr, int port) 657{ 658 struct addrinfo hints, *ai, *aitop; 659 char strport[NI_MAXSERV]; 660 int gaierr; 661 662 memset(&hints, 0, sizeof(hints)); 663 hints.ai_family = options->address_family; 664 hints.ai_socktype = SOCK_STREAM; 665 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 666 snprintf(strport, sizeof strport, "%d", port); 667 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 668 fatal("bad addr or host: %s (%s)", 669 addr ? addr : "<NULL>", 670 ssh_gai_strerror(gaierr)); 671 for (ai = aitop; ai->ai_next; ai = ai->ai_next) 672 ; 673 ai->ai_next = options->listen_addrs; 674 options->listen_addrs = aitop; 675} 676 677/* 678 * Queue a ListenAddress to be processed once we have all of the Ports 679 * and AddressFamily options. 680 */ 681static void 682queue_listen_addr(ServerOptions *options, char *addr, int port) 683{ 684 options->queued_listen_addrs = xreallocarray( 685 options->queued_listen_addrs, options->num_queued_listens + 1, 686 sizeof(addr)); 687 options->queued_listen_ports = xreallocarray( 688 options->queued_listen_ports, options->num_queued_listens + 1, 689 sizeof(port)); 690 options->queued_listen_addrs[options->num_queued_listens] = 691 xstrdup(addr); 692 options->queued_listen_ports[options->num_queued_listens] = port; 693 options->num_queued_listens++; 694} 695 696/* 697 * Process queued (text) ListenAddress entries. 698 */ 699static void 700process_queued_listen_addrs(ServerOptions *options) 701{ 702 u_int i; 703 704 if (options->num_ports == 0) 705 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 706 if (options->address_family == -1) 707 options->address_family = AF_UNSPEC; 708 709 for (i = 0; i < options->num_queued_listens; i++) { 710 add_listen_addr(options, options->queued_listen_addrs[i], 711 options->queued_listen_ports[i]); 712 free(options->queued_listen_addrs[i]); 713 options->queued_listen_addrs[i] = NULL; 714 } 715 free(options->queued_listen_addrs); 716 options->queued_listen_addrs = NULL; 717 free(options->queued_listen_ports); 718 options->queued_listen_ports = NULL; 719 options->num_queued_listens = 0; 720} 721 722struct connection_info * 723get_connection_info(int populate, int use_dns) 724{ 725 struct ssh *ssh = active_state; /* XXX */ 726 static struct connection_info ci; 727 728 if (!populate) 729 return &ci; 730 ci.host = auth_get_canonical_hostname(ssh, use_dns); 731 ci.address = ssh_remote_ipaddr(ssh); 732 ci.laddress = ssh_local_ipaddr(ssh); 733 ci.lport = ssh_local_port(ssh); 734 return &ci; 735} 736 737/* 738 * The strategy for the Match blocks is that the config file is parsed twice. 739 * 740 * The first time is at startup. activep is initialized to 1 and the 741 * directives in the global context are processed and acted on. Hitting a 742 * Match directive unsets activep and the directives inside the block are 743 * checked for syntax only. 744 * 745 * The second time is after a connection has been established but before 746 * authentication. activep is initialized to 2 and global config directives 747 * are ignored since they have already been processed. If the criteria in a 748 * Match block is met, activep is set and the subsequent directives 749 * processed and actioned until EOF or another Match block unsets it. Any 750 * options set are copied into the main server config. 751 * 752 * Potential additions/improvements: 753 * - Add Match support for pre-kex directives, eg Protocol, Ciphers. 754 * 755 * - Add a Tag directive (idea from David Leonard) ala pf, eg: 756 * Match Address 192.168.0.* 757 * Tag trusted 758 * Match Group wheel 759 * Tag trusted 760 * Match Tag trusted 761 * AllowTcpForwarding yes 762 * GatewayPorts clientspecified 763 * [...] 764 * 765 * - Add a PermittedChannelRequests directive 766 * Match Group shell 767 * PermittedChannelRequests session,forwarded-tcpip 768 */ 769 770static int 771match_cfg_line_group(const char *grps, int line, const char *user) 772{ 773 int result = 0; 774 struct passwd *pw; 775 776 if (user == NULL) 777 goto out; 778 779 if ((pw = getpwnam(user)) == NULL) { 780 debug("Can't match group at line %d because user %.100s does " 781 "not exist", line, user); 782 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { 783 debug("Can't Match group because user %.100s not in any group " 784 "at line %d", user, line); 785 } else if (ga_match_pattern_list(grps) != 1) { 786 debug("user %.100s does not match group list %.100s at line %d", 787 user, grps, line); 788 } else { 789 debug("user %.100s matched group list %.100s at line %d", user, 790 grps, line); 791 result = 1; 792 } 793out: 794 ga_free(); 795 return result; 796} 797 798/* 799 * All of the attributes on a single Match line are ANDed together, so we need 800 * to check every attribute and set the result to zero if any attribute does 801 * not match. 802 */ 803static int 804match_cfg_line(char **condition, int line, struct connection_info *ci) 805{ 806 int result = 1, attributes = 0, port; 807 char *arg, *attrib, *cp = *condition; 808 809 if (ci == NULL) 810 debug3("checking syntax for 'Match %s'", cp); 811 else 812 debug3("checking match for '%s' user %s host %s addr %s " 813 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)", 814 ci->host ? ci->host : "(null)", 815 ci->address ? ci->address : "(null)", 816 ci->laddress ? ci->laddress : "(null)", ci->lport); 817 818 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 819 attributes++; 820 if (strcasecmp(attrib, "all") == 0) { 821 if (attributes != 1 || 822 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { 823 error("'all' cannot be combined with other " 824 "Match attributes"); 825 return -1; 826 } 827 *condition = cp; 828 return 1; 829 } 830 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 831 error("Missing Match criteria for %s", attrib); 832 return -1; 833 } 834 if (strcasecmp(attrib, "user") == 0) { 835 if (ci == NULL || ci->user == NULL) { 836 result = 0; 837 continue; 838 } 839 if (match_pattern_list(ci->user, arg, 0) != 1) 840 result = 0; 841 else 842 debug("user %.100s matched 'User %.100s' at " 843 "line %d", ci->user, arg, line); 844 } else if (strcasecmp(attrib, "group") == 0) { 845 if (ci == NULL || ci->user == NULL) { 846 result = 0; 847 continue; 848 } 849 switch (match_cfg_line_group(arg, line, ci->user)) { 850 case -1: 851 return -1; 852 case 0: 853 result = 0; 854 } 855 } else if (strcasecmp(attrib, "host") == 0) { 856 if (ci == NULL || ci->host == NULL) { 857 result = 0; 858 continue; 859 } 860 if (match_hostname(ci->host, arg) != 1) 861 result = 0; 862 else 863 debug("connection from %.100s matched 'Host " 864 "%.100s' at line %d", ci->host, arg, line); 865 } else if (strcasecmp(attrib, "address") == 0) { 866 if (ci == NULL || ci->address == NULL) { 867 result = 0; 868 continue; 869 } 870 switch (addr_match_list(ci->address, arg)) { 871 case 1: 872 debug("connection from %.100s matched 'Address " 873 "%.100s' at line %d", ci->address, arg, line); 874 break; 875 case 0: 876 case -1: 877 result = 0; 878 break; 879 case -2: 880 return -1; 881 } 882 } else if (strcasecmp(attrib, "localaddress") == 0){ 883 if (ci == NULL || ci->laddress == NULL) { 884 result = 0; 885 continue; 886 } 887 switch (addr_match_list(ci->laddress, arg)) { 888 case 1: 889 debug("connection from %.100s matched " 890 "'LocalAddress %.100s' at line %d", 891 ci->laddress, arg, line); 892 break; 893 case 0: 894 case -1: 895 result = 0; 896 break; 897 case -2: 898 return -1; 899 } 900 } else if (strcasecmp(attrib, "localport") == 0) { 901 if ((port = a2port(arg)) == -1) { 902 error("Invalid LocalPort '%s' on Match line", 903 arg); 904 return -1; 905 } 906 if (ci == NULL || ci->lport == 0) { 907 result = 0; 908 continue; 909 } 910 /* TODO support port lists */ 911 if (port == ci->lport) 912 debug("connection from %.100s matched " 913 "'LocalPort %d' at line %d", 914 ci->laddress, port, line); 915 else 916 result = 0; 917 } else { 918 error("Unsupported Match attribute %s", attrib); 919 return -1; 920 } 921 } 922 if (attributes == 0) { 923 error("One or more attributes required for Match"); 924 return -1; 925 } 926 if (ci != NULL) 927 debug3("match %sfound", result ? "" : "not "); 928 *condition = cp; 929 return result; 930} 931 932#define WHITESPACE " \t\r\n" 933 934/* Multistate option parsing */ 935struct multistate { 936 char *key; 937 int value; 938}; 939static const struct multistate multistate_addressfamily[] = { 940 { "inet", AF_INET }, 941 { "inet6", AF_INET6 }, 942 { "any", AF_UNSPEC }, 943 { NULL, -1 } 944}; 945static const struct multistate multistate_permitrootlogin[] = { 946 { "without-password", PERMIT_NO_PASSWD }, 947 { "prohibit-password", PERMIT_NO_PASSWD }, 948 { "forced-commands-only", PERMIT_FORCED_ONLY }, 949 { "yes", PERMIT_YES }, 950 { "no", PERMIT_NO }, 951 { NULL, -1 } 952}; 953static const struct multistate multistate_compression[] = { 954 { "delayed", COMP_DELAYED }, 955 { "yes", COMP_ZLIB }, 956 { "no", COMP_NONE }, 957 { NULL, -1 } 958}; 959static const struct multistate multistate_gatewayports[] = { 960 { "clientspecified", 2 }, 961 { "yes", 1 }, 962 { "no", 0 }, 963 { NULL, -1 } 964}; 965static const struct multistate multistate_privsep[] = { 966 { "yes", PRIVSEP_NOSANDBOX }, 967 { "sandbox", PRIVSEP_ON }, 968 { "nosandbox", PRIVSEP_NOSANDBOX }, 969 { "no", PRIVSEP_OFF }, 970 { NULL, -1 } 971}; 972static const struct multistate multistate_tcpfwd[] = { 973 { "yes", FORWARD_ALLOW }, 974 { "all", FORWARD_ALLOW }, 975 { "no", FORWARD_DENY }, 976 { "remote", FORWARD_REMOTE }, 977 { "local", FORWARD_LOCAL }, 978 { NULL, -1 } 979}; 980 981int 982process_server_config_line(ServerOptions *options, char *line, 983 const char *filename, int linenum, int *activep, 984 struct connection_info *connectinfo) 985{ 986 char *cp, **charptr, *arg, *p; 987 int cmdline = 0, *intptr, value, value2, n, port; 988 SyslogFacility *log_facility_ptr; 989 LogLevel *log_level_ptr; 990 ServerOpCodes opcode; 991 u_int i, flags = 0; 992 size_t len; 993 long long val64; 994 const struct multistate *multistate_ptr; 995 996 cp = line; 997 if ((arg = strdelim(&cp)) == NULL) 998 return 0; 999 /* Ignore leading whitespace */ 1000 if (*arg == '\0') 1001 arg = strdelim(&cp); 1002 if (!arg || !*arg || *arg == '#') 1003 return 0; 1004 intptr = NULL; 1005 charptr = NULL; 1006 opcode = parse_token(arg, filename, linenum, &flags); 1007 1008 if (activep == NULL) { /* We are processing a command line directive */ 1009 cmdline = 1; 1010 activep = &cmdline; 1011 } 1012 if (*activep && opcode != sMatch) 1013 debug3("%s:%d setting %s %s", filename, linenum, arg, cp); 1014 if (*activep == 0 && !(flags & SSHCFG_MATCH)) { 1015 if (connectinfo == NULL) { 1016 fatal("%s line %d: Directive '%s' is not allowed " 1017 "within a Match block", filename, linenum, arg); 1018 } else { /* this is a directive we have already processed */ 1019 while (arg) 1020 arg = strdelim(&cp); 1021 return 0; 1022 } 1023 } 1024 1025 switch (opcode) { 1026 /* Portable-specific options */ 1027 case sUsePAM: 1028 intptr = &options->use_pam; 1029 goto parse_flag; 1030 1031 /* Standard Options */ 1032 case sBadOption: 1033 return -1; 1034 case sPort: 1035 /* ignore ports from configfile if cmdline specifies ports */ 1036 if (options->ports_from_cmdline) 1037 return 0; 1038 if (options->num_ports >= MAX_PORTS) 1039 fatal("%s line %d: too many ports.", 1040 filename, linenum); 1041 arg = strdelim(&cp); 1042 if (!arg || *arg == '\0') 1043 fatal("%s line %d: missing port number.", 1044 filename, linenum); 1045 options->ports[options->num_ports++] = a2port(arg); 1046 if (options->ports[options->num_ports-1] <= 0) 1047 fatal("%s line %d: Badly formatted port number.", 1048 filename, linenum); 1049 break; 1050 1051 case sServerKeyBits: 1052 intptr = &options->server_key_bits; 1053 parse_int: 1054 arg = strdelim(&cp); 1055 if (!arg || *arg == '\0') 1056 fatal("%s line %d: missing integer value.", 1057 filename, linenum); 1058 value = atoi(arg); 1059 if (*activep && *intptr == -1) 1060 *intptr = value; 1061 break; 1062 1063 case sLoginGraceTime: 1064 intptr = &options->login_grace_time; 1065 parse_time: 1066 arg = strdelim(&cp); 1067 if (!arg || *arg == '\0') 1068 fatal("%s line %d: missing time value.", 1069 filename, linenum); 1070 if ((value = convtime(arg)) == -1) 1071 fatal("%s line %d: invalid time value.", 1072 filename, linenum); 1073 if (*activep && *intptr == -1) 1074 *intptr = value; 1075 break; 1076 1077 case sKeyRegenerationTime: 1078 intptr = &options->key_regeneration_time; 1079 goto parse_time; 1080 1081 case sListenAddress: 1082 arg = strdelim(&cp); 1083 if (arg == NULL || *arg == '\0') 1084 fatal("%s line %d: missing address", 1085 filename, linenum); 1086 /* check for bare IPv6 address: no "[]" and 2 or more ":" */ 1087 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL 1088 && strchr(p+1, ':') != NULL) { 1089 queue_listen_addr(options, arg, 0); 1090 break; 1091 } 1092 p = hpdelim(&arg); 1093 if (p == NULL) 1094 fatal("%s line %d: bad address:port usage", 1095 filename, linenum); 1096 p = cleanhostname(p); 1097 if (arg == NULL) 1098 port = 0; 1099 else if ((port = a2port(arg)) <= 0) 1100 fatal("%s line %d: bad port number", filename, linenum); 1101 1102 queue_listen_addr(options, p, port); 1103 1104 break; 1105 1106 case sAddressFamily: 1107 intptr = &options->address_family; 1108 multistate_ptr = multistate_addressfamily; 1109 parse_multistate: 1110 arg = strdelim(&cp); 1111 if (!arg || *arg == '\0') 1112 fatal("%s line %d: missing argument.", 1113 filename, linenum); 1114 value = -1; 1115 for (i = 0; multistate_ptr[i].key != NULL; i++) { 1116 if (strcasecmp(arg, multistate_ptr[i].key) == 0) { 1117 value = multistate_ptr[i].value; 1118 break; 1119 } 1120 } 1121 if (value == -1) 1122 fatal("%s line %d: unsupported option \"%s\".", 1123 filename, linenum, arg); 1124 if (*activep && *intptr == -1) 1125 *intptr = value; 1126 break; 1127 1128 case sHostKeyFile: 1129 intptr = &options->num_host_key_files; 1130 if (*intptr >= MAX_HOSTKEYS) 1131 fatal("%s line %d: too many host keys specified (max %d).", 1132 filename, linenum, MAX_HOSTKEYS); 1133 charptr = &options->host_key_files[*intptr]; 1134 parse_filename: 1135 arg = strdelim(&cp); 1136 if (!arg || *arg == '\0') 1137 fatal("%s line %d: missing file name.", 1138 filename, linenum); 1139 if (*activep && *charptr == NULL) { 1140 *charptr = derelativise_path(arg); 1141 /* increase optional counter */ 1142 if (intptr != NULL) 1143 *intptr = *intptr + 1; 1144 } 1145 break; 1146 1147 case sHostKeyAgent: 1148 charptr = &options->host_key_agent; 1149 arg = strdelim(&cp); 1150 if (!arg || *arg == '\0') 1151 fatal("%s line %d: missing socket name.", 1152 filename, linenum); 1153 if (*activep && *charptr == NULL) 1154 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? 1155 xstrdup(arg) : derelativise_path(arg); 1156 break; 1157 1158 case sHostCertificate: 1159 intptr = &options->num_host_cert_files; 1160 if (*intptr >= MAX_HOSTKEYS) 1161 fatal("%s line %d: too many host certificates " 1162 "specified (max %d).", filename, linenum, 1163 MAX_HOSTCERTS); 1164 charptr = &options->host_cert_files[*intptr]; 1165 goto parse_filename; 1166 break; 1167 1168 case sPidFile: 1169 charptr = &options->pid_file; 1170 goto parse_filename; 1171 1172 case sPermitRootLogin: 1173 intptr = &options->permit_root_login; 1174 multistate_ptr = multistate_permitrootlogin; 1175 goto parse_multistate; 1176 1177 case sIgnoreRhosts: 1178 intptr = &options->ignore_rhosts; 1179 parse_flag: 1180 arg = strdelim(&cp); 1181 if (!arg || *arg == '\0') 1182 fatal("%s line %d: missing yes/no argument.", 1183 filename, linenum); 1184 value = 0; /* silence compiler */ 1185 if (strcmp(arg, "yes") == 0) 1186 value = 1; 1187 else if (strcmp(arg, "no") == 0) 1188 value = 0; 1189 else 1190 fatal("%s line %d: Bad yes/no argument: %s", 1191 filename, linenum, arg); 1192 if (*activep && *intptr == -1) 1193 *intptr = value; 1194 break; 1195 1196 case sIgnoreUserKnownHosts: 1197 intptr = &options->ignore_user_known_hosts; 1198 goto parse_flag; 1199 1200 case sRhostsRSAAuthentication: 1201 intptr = &options->rhosts_rsa_authentication; 1202 goto parse_flag; 1203 1204 case sHostbasedAuthentication: 1205 intptr = &options->hostbased_authentication; 1206 goto parse_flag; 1207 1208 case sHostbasedUsesNameFromPacketOnly: 1209 intptr = &options->hostbased_uses_name_from_packet_only; 1210 goto parse_flag; 1211 1212 case sHostbasedAcceptedKeyTypes: 1213 charptr = &options->hostbased_key_types; 1214 parse_keytypes: 1215 arg = strdelim(&cp); 1216 if (!arg || *arg == '\0') 1217 fatal("%s line %d: Missing argument.", 1218 filename, linenum); 1219 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 1220 fatal("%s line %d: Bad key types '%s'.", 1221 filename, linenum, arg ? arg : "<NONE>"); 1222 if (*activep && *charptr == NULL) 1223 *charptr = xstrdup(arg); 1224 break; 1225 1226 case sHostKeyAlgorithms: 1227 charptr = &options->hostkeyalgorithms; 1228 goto parse_keytypes; 1229 1230 case sRSAAuthentication: 1231 intptr = &options->rsa_authentication; 1232 goto parse_flag; 1233 1234 case sPubkeyAuthentication: 1235 intptr = &options->pubkey_authentication; 1236 goto parse_flag; 1237 1238 case sPubkeyAcceptedKeyTypes: 1239 charptr = &options->pubkey_key_types; 1240 goto parse_keytypes; 1241 1242 case sKerberosAuthentication: 1243 intptr = &options->kerberos_authentication; 1244 goto parse_flag; 1245 1246 case sKerberosOrLocalPasswd: 1247 intptr = &options->kerberos_or_local_passwd; 1248 goto parse_flag; 1249 1250 case sKerberosTicketCleanup: 1251 intptr = &options->kerberos_ticket_cleanup; 1252 goto parse_flag; 1253 1254 case sKerberosGetAFSToken: 1255 intptr = &options->kerberos_get_afs_token; 1256 goto parse_flag; 1257 1258 case sGssAuthentication: 1259 intptr = &options->gss_authentication; 1260 goto parse_flag; 1261 1262 case sGssCleanupCreds: 1263 intptr = &options->gss_cleanup_creds; 1264 goto parse_flag; 1265 1266 case sGssStrictAcceptor: 1267 intptr = &options->gss_strict_acceptor; 1268 goto parse_flag; 1269 1270 case sPasswordAuthentication: 1271 intptr = &options->password_authentication; 1272 goto parse_flag; 1273 1274 case sKbdInteractiveAuthentication: 1275 intptr = &options->kbd_interactive_authentication; 1276 goto parse_flag; 1277 1278 case sChallengeResponseAuthentication: 1279 intptr = &options->challenge_response_authentication; 1280 goto parse_flag; 1281 1282 case sPrintMotd: 1283 intptr = &options->print_motd; 1284 goto parse_flag; 1285 1286 case sPrintLastLog: 1287 intptr = &options->print_lastlog; 1288 goto parse_flag; 1289 1290 case sX11Forwarding: 1291 intptr = &options->x11_forwarding; 1292 goto parse_flag; 1293 1294 case sX11DisplayOffset: 1295 intptr = &options->x11_display_offset; 1296 goto parse_int; 1297 1298 case sX11UseLocalhost: 1299 intptr = &options->x11_use_localhost; 1300 goto parse_flag; 1301 1302 case sXAuthLocation: 1303 charptr = &options->xauth_location; 1304 goto parse_filename; 1305 1306 case sPermitTTY: 1307 intptr = &options->permit_tty; 1308 goto parse_flag; 1309 1310 case sPermitUserRC: 1311 intptr = &options->permit_user_rc; 1312 goto parse_flag; 1313 1314 case sStrictModes: 1315 intptr = &options->strict_modes; 1316 goto parse_flag; 1317 1318 case sTCPKeepAlive: 1319 intptr = &options->tcp_keep_alive; 1320 goto parse_flag; 1321 1322 case sEmptyPasswd: 1323 intptr = &options->permit_empty_passwd; 1324 goto parse_flag; 1325 1326 case sPermitUserEnvironment: 1327 intptr = &options->permit_user_env; 1328 goto parse_flag; 1329 1330 case sUseLogin: 1331 intptr = &options->use_login; 1332 goto parse_flag; 1333 1334 case sCompression: 1335 intptr = &options->compression; 1336 multistate_ptr = multistate_compression; 1337 goto parse_multistate; 1338 1339 case sRekeyLimit: 1340 arg = strdelim(&cp); 1341 if (!arg || *arg == '\0') 1342 fatal("%.200s line %d: Missing argument.", filename, 1343 linenum); 1344 if (strcmp(arg, "default") == 0) { 1345 val64 = 0; 1346 } else { 1347 if (scan_scaled(arg, &val64) == -1) 1348 fatal("%.200s line %d: Bad number '%s': %s", 1349 filename, linenum, arg, strerror(errno)); 1350 if (val64 != 0 && val64 < 16) 1351 fatal("%.200s line %d: RekeyLimit too small", 1352 filename, linenum); 1353 } 1354 if (*activep && options->rekey_limit == -1) 1355 options->rekey_limit = val64; 1356 if (cp != NULL) { /* optional rekey interval present */ 1357 if (strcmp(cp, "none") == 0) { 1358 (void)strdelim(&cp); /* discard */ 1359 break; 1360 } 1361 intptr = &options->rekey_interval; 1362 goto parse_time; 1363 } 1364 break; 1365 1366 case sGatewayPorts: 1367 intptr = &options->fwd_opts.gateway_ports; 1368 multistate_ptr = multistate_gatewayports; 1369 goto parse_multistate; 1370 1371 case sUseDNS: 1372 intptr = &options->use_dns; 1373 goto parse_flag; 1374 1375 case sLogFacility: 1376 log_facility_ptr = &options->log_facility; 1377 arg = strdelim(&cp); 1378 value = log_facility_number(arg); 1379 if (value == SYSLOG_FACILITY_NOT_SET) 1380 fatal("%.200s line %d: unsupported log facility '%s'", 1381 filename, linenum, arg ? arg : "<NONE>"); 1382 if (*log_facility_ptr == -1) 1383 *log_facility_ptr = (SyslogFacility) value; 1384 break; 1385 1386 case sLogLevel: 1387 log_level_ptr = &options->log_level; 1388 arg = strdelim(&cp); 1389 value = log_level_number(arg); 1390 if (value == SYSLOG_LEVEL_NOT_SET) 1391 fatal("%.200s line %d: unsupported log level '%s'", 1392 filename, linenum, arg ? arg : "<NONE>"); 1393 if (*log_level_ptr == -1) 1394 *log_level_ptr = (LogLevel) value; 1395 break; 1396 1397 case sAllowTcpForwarding: 1398 intptr = &options->allow_tcp_forwarding; 1399 multistate_ptr = multistate_tcpfwd; 1400 goto parse_multistate; 1401 1402 case sAllowStreamLocalForwarding: 1403 intptr = &options->allow_streamlocal_forwarding; 1404 multistate_ptr = multistate_tcpfwd; 1405 goto parse_multistate; 1406 1407 case sAllowAgentForwarding: 1408 intptr = &options->allow_agent_forwarding; 1409 goto parse_flag; 1410 1411 case sUsePrivilegeSeparation: 1412 intptr = &use_privsep; 1413 multistate_ptr = multistate_privsep; 1414 goto parse_multistate; 1415 1416 case sAllowUsers: 1417 while ((arg = strdelim(&cp)) && *arg != '\0') { 1418 if (options->num_allow_users >= MAX_ALLOW_USERS) 1419 fatal("%s line %d: too many allow users.", 1420 filename, linenum); 1421 if (!*activep) 1422 continue; 1423 options->allow_users[options->num_allow_users++] = 1424 xstrdup(arg); 1425 } 1426 break; 1427 1428 case sDenyUsers: 1429 while ((arg = strdelim(&cp)) && *arg != '\0') { 1430 if (options->num_deny_users >= MAX_DENY_USERS) 1431 fatal("%s line %d: too many deny users.", 1432 filename, linenum); 1433 if (!*activep) 1434 continue; 1435 options->deny_users[options->num_deny_users++] = 1436 xstrdup(arg); 1437 } 1438 break; 1439 1440 case sAllowGroups: 1441 while ((arg = strdelim(&cp)) && *arg != '\0') { 1442 if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 1443 fatal("%s line %d: too many allow groups.", 1444 filename, linenum); 1445 if (!*activep) 1446 continue; 1447 options->allow_groups[options->num_allow_groups++] = 1448 xstrdup(arg); 1449 } 1450 break; 1451 1452 case sDenyGroups: 1453 while ((arg = strdelim(&cp)) && *arg != '\0') { 1454 if (options->num_deny_groups >= MAX_DENY_GROUPS) 1455 fatal("%s line %d: too many deny groups.", 1456 filename, linenum); 1457 if (!*activep) 1458 continue; 1459 options->deny_groups[options->num_deny_groups++] = 1460 xstrdup(arg); 1461 } 1462 break; 1463 1464 case sCiphers: 1465 arg = strdelim(&cp); 1466 if (!arg || *arg == '\0') 1467 fatal("%s line %d: Missing argument.", filename, linenum); 1468 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) 1469 fatal("%s line %d: Bad SSH2 cipher spec '%s'.", 1470 filename, linenum, arg ? arg : "<NONE>"); 1471 if (options->ciphers == NULL) 1472 options->ciphers = xstrdup(arg); 1473 break; 1474 1475 case sMacs: 1476 arg = strdelim(&cp); 1477 if (!arg || *arg == '\0') 1478 fatal("%s line %d: Missing argument.", filename, linenum); 1479 if (!mac_valid(*arg == '+' ? arg + 1 : arg)) 1480 fatal("%s line %d: Bad SSH2 mac spec '%s'.", 1481 filename, linenum, arg ? arg : "<NONE>"); 1482 if (options->macs == NULL) 1483 options->macs = xstrdup(arg); 1484 break; 1485 1486 case sKexAlgorithms: 1487 arg = strdelim(&cp); 1488 if (!arg || *arg == '\0') 1489 fatal("%s line %d: Missing argument.", 1490 filename, linenum); 1491 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) 1492 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", 1493 filename, linenum, arg ? arg : "<NONE>"); 1494 if (options->kex_algorithms == NULL) 1495 options->kex_algorithms = xstrdup(arg); 1496 break; 1497 1498 case sProtocol: 1499 intptr = &options->protocol; 1500 arg = strdelim(&cp); 1501 if (!arg || *arg == '\0') 1502 fatal("%s line %d: Missing argument.", filename, linenum); 1503 value = proto_spec(arg); 1504 if (value == SSH_PROTO_UNKNOWN) 1505 fatal("%s line %d: Bad protocol spec '%s'.", 1506 filename, linenum, arg ? arg : "<NONE>"); 1507 if (*intptr == SSH_PROTO_UNKNOWN) 1508 *intptr = value; 1509 break; 1510 1511 case sSubsystem: 1512 if (options->num_subsystems >= MAX_SUBSYSTEMS) { 1513 fatal("%s line %d: too many subsystems defined.", 1514 filename, linenum); 1515 } 1516 arg = strdelim(&cp); 1517 if (!arg || *arg == '\0') 1518 fatal("%s line %d: Missing subsystem name.", 1519 filename, linenum); 1520 if (!*activep) { 1521 arg = strdelim(&cp); 1522 break; 1523 } 1524 for (i = 0; i < options->num_subsystems; i++) 1525 if (strcmp(arg, options->subsystem_name[i]) == 0) 1526 fatal("%s line %d: Subsystem '%s' already defined.", 1527 filename, linenum, arg); 1528 options->subsystem_name[options->num_subsystems] = xstrdup(arg); 1529 arg = strdelim(&cp); 1530 if (!arg || *arg == '\0') 1531 fatal("%s line %d: Missing subsystem command.", 1532 filename, linenum); 1533 options->subsystem_command[options->num_subsystems] = xstrdup(arg); 1534 1535 /* Collect arguments (separate to executable) */ 1536 p = xstrdup(arg); 1537 len = strlen(p) + 1; 1538 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { 1539 len += 1 + strlen(arg); 1540 p = xreallocarray(p, 1, len); 1541 strlcat(p, " ", len); 1542 strlcat(p, arg, len); 1543 } 1544 options->subsystem_args[options->num_subsystems] = p; 1545 options->num_subsystems++; 1546 break; 1547 1548 case sMaxStartups: 1549 arg = strdelim(&cp); 1550 if (!arg || *arg == '\0') 1551 fatal("%s line %d: Missing MaxStartups spec.", 1552 filename, linenum); 1553 if ((n = sscanf(arg, "%d:%d:%d", 1554 &options->max_startups_begin, 1555 &options->max_startups_rate, 1556 &options->max_startups)) == 3) { 1557 if (options->max_startups_begin > 1558 options->max_startups || 1559 options->max_startups_rate > 100 || 1560 options->max_startups_rate < 1) 1561 fatal("%s line %d: Illegal MaxStartups spec.", 1562 filename, linenum); 1563 } else if (n != 1) 1564 fatal("%s line %d: Illegal MaxStartups spec.", 1565 filename, linenum); 1566 else 1567 options->max_startups = options->max_startups_begin; 1568 break; 1569 1570 case sMaxAuthTries: 1571 intptr = &options->max_authtries; 1572 goto parse_int; 1573 1574 case sMaxSessions: 1575 intptr = &options->max_sessions; 1576 goto parse_int; 1577 1578 case sBanner: 1579 charptr = &options->banner; 1580 goto parse_filename; 1581 1582 /* 1583 * These options can contain %X options expanded at 1584 * connect time, so that you can specify paths like: 1585 * 1586 * AuthorizedKeysFile /etc/ssh_keys/%u 1587 */ 1588 case sAuthorizedKeysFile: 1589 if (*activep && options->num_authkeys_files == 0) { 1590 while ((arg = strdelim(&cp)) && *arg != '\0') { 1591 if (options->num_authkeys_files >= 1592 MAX_AUTHKEYS_FILES) 1593 fatal("%s line %d: " 1594 "too many authorized keys files.", 1595 filename, linenum); 1596 options->authorized_keys_files[ 1597 options->num_authkeys_files++] = 1598 tilde_expand_filename(arg, getuid()); 1599 } 1600 } 1601 return 0; 1602 1603 case sAuthorizedPrincipalsFile: 1604 charptr = &options->authorized_principals_file; 1605 arg = strdelim(&cp); 1606 if (!arg || *arg == '\0') 1607 fatal("%s line %d: missing file name.", 1608 filename, linenum); 1609 if (*activep && *charptr == NULL) { 1610 *charptr = tilde_expand_filename(arg, getuid()); 1611 /* increase optional counter */ 1612 if (intptr != NULL) 1613 *intptr = *intptr + 1; 1614 } 1615 break; 1616 1617 case sClientAliveInterval: 1618 intptr = &options->client_alive_interval; 1619 goto parse_time; 1620 1621 case sClientAliveCountMax: 1622 intptr = &options->client_alive_count_max; 1623 goto parse_int; 1624 1625 case sAcceptEnv: 1626 while ((arg = strdelim(&cp)) && *arg != '\0') { 1627 if (strchr(arg, '=') != NULL) 1628 fatal("%s line %d: Invalid environment name.", 1629 filename, linenum); 1630 if (options->num_accept_env >= MAX_ACCEPT_ENV) 1631 fatal("%s line %d: too many allow env.", 1632 filename, linenum); 1633 if (!*activep) 1634 continue; 1635 options->accept_env[options->num_accept_env++] = 1636 xstrdup(arg); 1637 } 1638 break; 1639 1640 case sPermitTunnel: 1641 intptr = &options->permit_tun; 1642 arg = strdelim(&cp); 1643 if (!arg || *arg == '\0') 1644 fatal("%s line %d: Missing yes/point-to-point/" 1645 "ethernet/no argument.", filename, linenum); 1646 value = -1; 1647 for (i = 0; tunmode_desc[i].val != -1; i++) 1648 if (strcmp(tunmode_desc[i].text, arg) == 0) { 1649 value = tunmode_desc[i].val; 1650 break; 1651 } 1652 if (value == -1) 1653 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1654 "no argument: %s", filename, linenum, arg); 1655 if (*activep && *intptr == -1) 1656 *intptr = value; 1657 break; 1658 1659 case sMatch: 1660 if (cmdline) 1661 fatal("Match directive not supported as a command-line " 1662 "option"); 1663 value = match_cfg_line(&cp, linenum, connectinfo); 1664 if (value < 0) 1665 fatal("%s line %d: Bad Match condition", filename, 1666 linenum); 1667 *activep = value; 1668 break; 1669 1670 case sPermitOpen: 1671 arg = strdelim(&cp); 1672 if (!arg || *arg == '\0') 1673 fatal("%s line %d: missing PermitOpen specification", 1674 filename, linenum); 1675 n = options->num_permitted_opens; /* modified later */ 1676 if (strcmp(arg, "any") == 0) { 1677 if (*activep && n == -1) { 1678 channel_clear_adm_permitted_opens(); 1679 options->num_permitted_opens = 0; 1680 } 1681 break; 1682 } 1683 if (strcmp(arg, "none") == 0) { 1684 if (*activep && n == -1) { 1685 options->num_permitted_opens = 1; 1686 channel_disable_adm_local_opens(); 1687 } 1688 break; 1689 } 1690 if (*activep && n == -1) 1691 channel_clear_adm_permitted_opens(); 1692 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { 1693 p = hpdelim(&arg); 1694 if (p == NULL) 1695 fatal("%s line %d: missing host in PermitOpen", 1696 filename, linenum); 1697 p = cleanhostname(p); 1698 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1699 fatal("%s line %d: bad port number in " 1700 "PermitOpen", filename, linenum); 1701 if (*activep && n == -1) 1702 options->num_permitted_opens = 1703 channel_add_adm_permitted_opens(p, port); 1704 } 1705 break; 1706 1707 case sForceCommand: 1708 if (cp == NULL || *cp == '\0') 1709 fatal("%.200s line %d: Missing argument.", filename, 1710 linenum); 1711 len = strspn(cp, WHITESPACE); 1712 if (*activep && options->adm_forced_command == NULL) 1713 options->adm_forced_command = xstrdup(cp + len); 1714 return 0; 1715 1716 case sChrootDirectory: 1717 charptr = &options->chroot_directory; 1718 1719 arg = strdelim(&cp); 1720 if (!arg || *arg == '\0') 1721 fatal("%s line %d: missing file name.", 1722 filename, linenum); 1723 if (*activep && *charptr == NULL) 1724 *charptr = xstrdup(arg); 1725 break; 1726 1727 case sTrustedUserCAKeys: 1728 charptr = &options->trusted_user_ca_keys; 1729 goto parse_filename; 1730 1731 case sRevokedKeys: 1732 charptr = &options->revoked_keys_file; 1733 goto parse_filename; 1734 1735 case sIPQoS: 1736 arg = strdelim(&cp); 1737 if ((value = parse_ipqos(arg)) == -1) 1738 fatal("%s line %d: Bad IPQoS value: %s", 1739 filename, linenum, arg); 1740 arg = strdelim(&cp); 1741 if (arg == NULL) 1742 value2 = value; 1743 else if ((value2 = parse_ipqos(arg)) == -1) 1744 fatal("%s line %d: Bad IPQoS value: %s", 1745 filename, linenum, arg); 1746 if (*activep) { 1747 options->ip_qos_interactive = value; 1748 options->ip_qos_bulk = value2; 1749 } 1750 break; 1751 1752 case sVersionAddendum: 1753 if (cp == NULL || *cp == '\0') 1754 fatal("%.200s line %d: Missing argument.", filename, 1755 linenum); 1756 len = strspn(cp, WHITESPACE); 1757 if (*activep && options->version_addendum == NULL) { 1758 if (strcasecmp(cp + len, "none") == 0) 1759 options->version_addendum = xstrdup(""); 1760 else if (strchr(cp + len, '\r') != NULL) 1761 fatal("%.200s line %d: Invalid argument", 1762 filename, linenum); 1763 else 1764 options->version_addendum = xstrdup(cp + len); 1765 } 1766 return 0; 1767 1768 case sAuthorizedKeysCommand: 1769 if (cp == NULL) 1770 fatal("%.200s line %d: Missing argument.", filename, 1771 linenum); 1772 len = strspn(cp, WHITESPACE); 1773 if (*activep && options->authorized_keys_command == NULL) { 1774 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1775 fatal("%.200s line %d: AuthorizedKeysCommand " 1776 "must be an absolute path", 1777 filename, linenum); 1778 options->authorized_keys_command = xstrdup(cp + len); 1779 } 1780 return 0; 1781 1782 case sAuthorizedKeysCommandUser: 1783 charptr = &options->authorized_keys_command_user; 1784 1785 arg = strdelim(&cp); 1786 if (!arg || *arg == '\0') 1787 fatal("%s line %d: missing AuthorizedKeysCommandUser " 1788 "argument.", filename, linenum); 1789 if (*activep && *charptr == NULL) 1790 *charptr = xstrdup(arg); 1791 break; 1792 1793 case sAuthorizedPrincipalsCommand: 1794 if (cp == NULL) 1795 fatal("%.200s line %d: Missing argument.", filename, 1796 linenum); 1797 len = strspn(cp, WHITESPACE); 1798 if (*activep && 1799 options->authorized_principals_command == NULL) { 1800 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) 1801 fatal("%.200s line %d: " 1802 "AuthorizedPrincipalsCommand must be " 1803 "an absolute path", filename, linenum); 1804 options->authorized_principals_command = 1805 xstrdup(cp + len); 1806 } 1807 return 0; 1808 1809 case sAuthorizedPrincipalsCommandUser: 1810 charptr = &options->authorized_principals_command_user; 1811 1812 arg = strdelim(&cp); 1813 if (!arg || *arg == '\0') 1814 fatal("%s line %d: missing " 1815 "AuthorizedPrincipalsCommandUser argument.", 1816 filename, linenum); 1817 if (*activep && *charptr == NULL) 1818 *charptr = xstrdup(arg); 1819 break; 1820 1821 case sAuthenticationMethods: 1822 if (options->num_auth_methods == 0) { 1823 value = 0; /* seen "any" pseudo-method */ 1824 value2 = 0; /* sucessfully parsed any method */ 1825 while ((arg = strdelim(&cp)) && *arg != '\0') { 1826 if (options->num_auth_methods >= 1827 MAX_AUTH_METHODS) 1828 fatal("%s line %d: " 1829 "too many authentication methods.", 1830 filename, linenum); 1831 if (strcmp(arg, "any") == 0) { 1832 if (options->num_auth_methods > 0) { 1833 fatal("%s line %d: \"any\" " 1834 "must appear alone in " 1835 "AuthenticationMethods", 1836 filename, linenum); 1837 } 1838 value = 1; 1839 } else if (value) { 1840 fatal("%s line %d: \"any\" must appear " 1841 "alone in AuthenticationMethods", 1842 filename, linenum); 1843 } else if (auth2_methods_valid(arg, 0) != 0) { 1844 fatal("%s line %d: invalid " 1845 "authentication method list.", 1846 filename, linenum); 1847 } 1848 value2 = 1; 1849 if (!*activep) 1850 continue; 1851 options->auth_methods[ 1852 options->num_auth_methods++] = xstrdup(arg); 1853 } 1854 if (value2 == 0) { 1855 fatal("%s line %d: no AuthenticationMethods " 1856 "specified", filename, linenum); 1857 } 1858 } 1859 return 0; 1860 1861 case sStreamLocalBindMask: 1862 arg = strdelim(&cp); 1863 if (!arg || *arg == '\0') 1864 fatal("%s line %d: missing StreamLocalBindMask " 1865 "argument.", filename, linenum); 1866 /* Parse mode in octal format */ 1867 value = strtol(arg, &p, 8); 1868 if (arg == p || value < 0 || value > 0777) 1869 fatal("%s line %d: Bad mask.", filename, linenum); 1870 if (*activep) 1871 options->fwd_opts.streamlocal_bind_mask = (mode_t)value; 1872 break; 1873 1874 case sStreamLocalBindUnlink: 1875 intptr = &options->fwd_opts.streamlocal_bind_unlink; 1876 goto parse_flag; 1877 1878 case sFingerprintHash: 1879 arg = strdelim(&cp); 1880 if (!arg || *arg == '\0') 1881 fatal("%.200s line %d: Missing argument.", 1882 filename, linenum); 1883 if ((value = ssh_digest_alg_by_name(arg)) == -1) 1884 fatal("%.200s line %d: Invalid hash algorithm \"%s\".", 1885 filename, linenum, arg); 1886 if (*activep) 1887 options->fingerprint_hash = value; 1888 break; 1889 1890 case sDeprecated: 1891 logit("%s line %d: Deprecated option %s", 1892 filename, linenum, arg); 1893 while (arg) 1894 arg = strdelim(&cp); 1895 break; 1896 1897 case sUnsupported: 1898 logit("%s line %d: Unsupported option %s", 1899 filename, linenum, arg); 1900 while (arg) 1901 arg = strdelim(&cp); 1902 break; 1903 1904 default: 1905 fatal("%s line %d: Missing handler for opcode %s (%d)", 1906 filename, linenum, arg, opcode); 1907 } 1908 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') 1909 fatal("%s line %d: garbage at end of line; \"%.200s\".", 1910 filename, linenum, arg); 1911 return 0; 1912} 1913 1914/* Reads the server configuration file. */ 1915 1916void 1917load_server_config(const char *filename, Buffer *conf) 1918{ 1919 char line[4096], *cp; 1920 FILE *f; 1921 int lineno = 0; 1922 1923 debug2("%s: filename %s", __func__, filename); 1924 if ((f = fopen(filename, "r")) == NULL) { 1925 perror(filename); 1926 exit(1); 1927 } 1928 buffer_clear(conf); 1929 while (fgets(line, sizeof(line), f)) { 1930 lineno++; 1931 if (strlen(line) == sizeof(line) - 1) 1932 fatal("%s line %d too long", filename, lineno); 1933 /* 1934 * Trim out comments and strip whitespace 1935 * NB - preserve newlines, they are needed to reproduce 1936 * line numbers later for error messages 1937 */ 1938 if ((cp = strchr(line, '#')) != NULL) 1939 memcpy(cp, "\n", 2); 1940 cp = line + strspn(line, " \t\r"); 1941 1942 buffer_append(conf, cp, strlen(cp)); 1943 } 1944 buffer_append(conf, "\0", 1); 1945 fclose(f); 1946 debug2("%s: done config len = %d", __func__, buffer_len(conf)); 1947} 1948 1949void 1950parse_server_match_config(ServerOptions *options, 1951 struct connection_info *connectinfo) 1952{ 1953 ServerOptions mo; 1954 1955 initialize_server_options(&mo); 1956 parse_server_config(&mo, "reprocess config", &cfg, connectinfo); 1957 copy_set_server_options(options, &mo, 0); 1958} 1959 1960int parse_server_match_testspec(struct connection_info *ci, char *spec) 1961{ 1962 char *p; 1963 1964 while ((p = strsep(&spec, ",")) && *p != '\0') { 1965 if (strncmp(p, "addr=", 5) == 0) { 1966 ci->address = xstrdup(p + 5); 1967 } else if (strncmp(p, "host=", 5) == 0) { 1968 ci->host = xstrdup(p + 5); 1969 } else if (strncmp(p, "user=", 5) == 0) { 1970 ci->user = xstrdup(p + 5); 1971 } else if (strncmp(p, "laddr=", 6) == 0) { 1972 ci->laddress = xstrdup(p + 6); 1973 } else if (strncmp(p, "lport=", 6) == 0) { 1974 ci->lport = a2port(p + 6); 1975 if (ci->lport == -1) { 1976 fprintf(stderr, "Invalid port '%s' in test mode" 1977 " specification %s\n", p+6, p); 1978 return -1; 1979 } 1980 } else { 1981 fprintf(stderr, "Invalid test mode specification %s\n", 1982 p); 1983 return -1; 1984 } 1985 } 1986 return 0; 1987} 1988 1989/* 1990 * returns 1 for a complete spec, 0 for partial spec and -1 for an 1991 * empty spec. 1992 */ 1993int server_match_spec_complete(struct connection_info *ci) 1994{ 1995 if (ci->user && ci->host && ci->address) 1996 return 1; /* complete */ 1997 if (!ci->user && !ci->host && !ci->address) 1998 return -1; /* empty */ 1999 return 0; /* partial */ 2000} 2001 2002/* 2003 * Copy any supported values that are set. 2004 * 2005 * If the preauth flag is set, we do not bother copying the string or 2006 * array values that are not used pre-authentication, because any that we 2007 * do use must be explictly sent in mm_getpwnamallow(). 2008 */ 2009void 2010copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 2011{ 2012#define M_CP_INTOPT(n) do {\ 2013 if (src->n != -1) \ 2014 dst->n = src->n; \ 2015} while (0) 2016 2017 M_CP_INTOPT(password_authentication); 2018 M_CP_INTOPT(gss_authentication); 2019 M_CP_INTOPT(rsa_authentication); 2020 M_CP_INTOPT(pubkey_authentication); 2021 M_CP_INTOPT(kerberos_authentication); 2022 M_CP_INTOPT(hostbased_authentication); 2023 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 2024 M_CP_INTOPT(kbd_interactive_authentication); 2025 M_CP_INTOPT(permit_root_login); 2026 M_CP_INTOPT(permit_empty_passwd); 2027 2028 M_CP_INTOPT(allow_tcp_forwarding); 2029 M_CP_INTOPT(allow_streamlocal_forwarding); 2030 M_CP_INTOPT(allow_agent_forwarding); 2031 M_CP_INTOPT(permit_tun); 2032 M_CP_INTOPT(fwd_opts.gateway_ports); 2033 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); 2034 M_CP_INTOPT(x11_display_offset); 2035 M_CP_INTOPT(x11_forwarding); 2036 M_CP_INTOPT(x11_use_localhost); 2037 M_CP_INTOPT(permit_tty); 2038 M_CP_INTOPT(permit_user_rc); 2039 M_CP_INTOPT(max_sessions); 2040 M_CP_INTOPT(max_authtries); 2041 M_CP_INTOPT(ip_qos_interactive); 2042 M_CP_INTOPT(ip_qos_bulk); 2043 M_CP_INTOPT(rekey_limit); 2044 M_CP_INTOPT(rekey_interval); 2045 2046 /* 2047 * The bind_mask is a mode_t that may be unsigned, so we can't use 2048 * M_CP_INTOPT - it does a signed comparison that causes compiler 2049 * warnings. 2050 */ 2051 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) { 2052 dst->fwd_opts.streamlocal_bind_mask = 2053 src->fwd_opts.streamlocal_bind_mask; 2054 } 2055 2056 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ 2057#define M_CP_STROPT(n) do {\ 2058 if (src->n != NULL && dst->n != src->n) { \ 2059 free(dst->n); \ 2060 dst->n = src->n; \ 2061 } \ 2062} while(0) 2063#define M_CP_STRARRAYOPT(n, num_n) do {\ 2064 if (src->num_n != 0) { \ 2065 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ 2066 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ 2067 } \ 2068} while(0) 2069 2070 /* See comment in servconf.h */ 2071 COPY_MATCH_STRING_OPTS(); 2072 2073 /* Arguments that accept '+...' need to be expanded */ 2074 assemble_algorithms(dst); 2075 2076 /* 2077 * The only things that should be below this point are string options 2078 * which are only used after authentication. 2079 */ 2080 if (preauth) 2081 return; 2082 2083 /* These options may be "none" to clear a global setting */ 2084 M_CP_STROPT(adm_forced_command); 2085 if (option_clear_or_none(dst->adm_forced_command)) { 2086 free(dst->adm_forced_command); 2087 dst->adm_forced_command = NULL; 2088 } 2089 M_CP_STROPT(chroot_directory); 2090 if (option_clear_or_none(dst->chroot_directory)) { 2091 free(dst->chroot_directory); 2092 dst->chroot_directory = NULL; 2093 } 2094} 2095 2096#undef M_CP_INTOPT 2097#undef M_CP_STROPT 2098#undef M_CP_STRARRAYOPT 2099 2100void 2101parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, 2102 struct connection_info *connectinfo) 2103{ 2104 int active, linenum, bad_options = 0; 2105 char *cp, *obuf, *cbuf; 2106 2107 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); 2108 2109 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) 2110 fatal("%s: sshbuf_dup_string failed", __func__); 2111 active = connectinfo ? 0 : 1; 2112 linenum = 1; 2113 while ((cp = strsep(&cbuf, "\n")) != NULL) { 2114 if (process_server_config_line(options, cp, filename, 2115 linenum++, &active, connectinfo) != 0) 2116 bad_options++; 2117 } 2118 free(obuf); 2119 if (bad_options > 0) 2120 fatal("%s: terminating, %d bad configuration options", 2121 filename, bad_options); 2122 process_queued_listen_addrs(options); 2123} 2124 2125static const char * 2126fmt_multistate_int(int val, const struct multistate *m) 2127{ 2128 u_int i; 2129 2130 for (i = 0; m[i].key != NULL; i++) { 2131 if (m[i].value == val) 2132 return m[i].key; 2133 } 2134 return "UNKNOWN"; 2135} 2136 2137static const char * 2138fmt_intarg(ServerOpCodes code, int val) 2139{ 2140 if (val == -1) 2141 return "unset"; 2142 switch (code) { 2143 case sAddressFamily: 2144 return fmt_multistate_int(val, multistate_addressfamily); 2145 case sPermitRootLogin: 2146 return fmt_multistate_int(val, multistate_permitrootlogin); 2147 case sGatewayPorts: 2148 return fmt_multistate_int(val, multistate_gatewayports); 2149 case sCompression: 2150 return fmt_multistate_int(val, multistate_compression); 2151 case sUsePrivilegeSeparation: 2152 return fmt_multistate_int(val, multistate_privsep); 2153 case sAllowTcpForwarding: 2154 return fmt_multistate_int(val, multistate_tcpfwd); 2155 case sAllowStreamLocalForwarding: 2156 return fmt_multistate_int(val, multistate_tcpfwd); 2157 case sFingerprintHash: 2158 return ssh_digest_alg_name(val); 2159 case sProtocol: 2160 switch (val) { 2161 case SSH_PROTO_1: 2162 return "1"; 2163 case SSH_PROTO_2: 2164 return "2"; 2165 case (SSH_PROTO_1|SSH_PROTO_2): 2166 return "2,1"; 2167 default: 2168 return "UNKNOWN"; 2169 } 2170 default: 2171 switch (val) { 2172 case 0: 2173 return "no"; 2174 case 1: 2175 return "yes"; 2176 default: 2177 return "UNKNOWN"; 2178 } 2179 } 2180} 2181 2182static const char * 2183lookup_opcode_name(ServerOpCodes code) 2184{ 2185 u_int i; 2186 2187 for (i = 0; keywords[i].name != NULL; i++) 2188 if (keywords[i].opcode == code) 2189 return(keywords[i].name); 2190 return "UNKNOWN"; 2191} 2192 2193static void 2194dump_cfg_int(ServerOpCodes code, int val) 2195{ 2196 printf("%s %d\n", lookup_opcode_name(code), val); 2197} 2198 2199static void 2200dump_cfg_oct(ServerOpCodes code, int val) 2201{ 2202 printf("%s 0%o\n", lookup_opcode_name(code), val); 2203} 2204 2205static void 2206dump_cfg_fmtint(ServerOpCodes code, int val) 2207{ 2208 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); 2209} 2210 2211static void 2212dump_cfg_string(ServerOpCodes code, const char *val) 2213{ 2214 if (val == NULL) 2215 return; 2216 printf("%s %s\n", lookup_opcode_name(code), 2217 val == NULL ? "none" : val); 2218} 2219 2220static void 2221dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals) 2222{ 2223 u_int i; 2224 2225 for (i = 0; i < count; i++) 2226 printf("%s %s\n", lookup_opcode_name(code), vals[i]); 2227} 2228 2229static void 2230dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) 2231{ 2232 u_int i; 2233 2234 if (count <= 0 && code != sAuthenticationMethods) 2235 return; 2236 printf("%s", lookup_opcode_name(code)); 2237 for (i = 0; i < count; i++) 2238 printf(" %s", vals[i]); 2239 if (code == sAuthenticationMethods && count == 0) 2240 printf(" any"); 2241 printf("\n"); 2242} 2243 2244void 2245dump_config(ServerOptions *o) 2246{ 2247 u_int i; 2248 int ret; 2249 struct addrinfo *ai; 2250 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL; 2251 char *laddr1 = xstrdup(""), *laddr2 = NULL; 2252 2253 /* these are usually at the top of the config */ 2254 for (i = 0; i < o->num_ports; i++) 2255 printf("port %d\n", o->ports[i]); 2256 dump_cfg_fmtint(sProtocol, o->protocol); 2257 dump_cfg_fmtint(sAddressFamily, o->address_family); 2258 2259 /* 2260 * ListenAddress must be after Port. add_one_listen_addr pushes 2261 * addresses onto a stack, so to maintain ordering we need to 2262 * print these in reverse order. 2263 */ 2264 for (ai = o->listen_addrs; ai; ai = ai->ai_next) { 2265 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr, 2266 sizeof(addr), port, sizeof(port), 2267 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 2268 error("getnameinfo failed: %.100s", 2269 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 2270 strerror(errno)); 2271 } else { 2272 laddr2 = laddr1; 2273 if (ai->ai_family == AF_INET6) 2274 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s", 2275 addr, port, laddr2); 2276 else 2277 xasprintf(&laddr1, "listenaddress %s:%s\n%s", 2278 addr, port, laddr2); 2279 free(laddr2); 2280 } 2281 } 2282 printf("%s", laddr1); 2283 free(laddr1); 2284 2285 /* integer arguments */ 2286#ifdef USE_PAM 2287 dump_cfg_fmtint(sUsePAM, o->use_pam); 2288#endif 2289 dump_cfg_int(sServerKeyBits, o->server_key_bits); 2290 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 2291 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 2292 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 2293 dump_cfg_int(sMaxAuthTries, o->max_authtries); 2294 dump_cfg_int(sMaxSessions, o->max_sessions); 2295 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 2296 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 2297 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); 2298 2299 /* formatted integer arguments */ 2300 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); 2301 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); 2302 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); 2303 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); 2304 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); 2305 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, 2306 o->hostbased_uses_name_from_packet_only); 2307 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 2308 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 2309#ifdef KRB5 2310 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 2311 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 2312 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 2313# ifdef USE_AFS 2314 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 2315# endif 2316#endif 2317#ifdef GSSAPI 2318 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2319 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 2320#endif 2321 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2322 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2323 o->kbd_interactive_authentication); 2324 dump_cfg_fmtint(sChallengeResponseAuthentication, 2325 o->challenge_response_authentication); 2326 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2327#ifndef DISABLE_LASTLOG 2328 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2329#endif 2330 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2331 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2332 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2333 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); 2334 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2335 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2336 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2337 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2338 dump_cfg_fmtint(sUseLogin, o->use_login); 2339 dump_cfg_fmtint(sCompression, o->compression); 2340 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 2341 dump_cfg_fmtint(sUseDNS, o->use_dns); 2342 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 2343 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); 2344 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); 2345 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); 2346 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 2347 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); 2348 2349 /* string arguments */ 2350 dump_cfg_string(sPidFile, o->pid_file); 2351 dump_cfg_string(sXAuthLocation, o->xauth_location); 2352 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); 2353 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); 2354 dump_cfg_string(sBanner, o->banner); 2355 dump_cfg_string(sForceCommand, o->adm_forced_command); 2356 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2357 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 2358 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 2359 dump_cfg_string(sAuthorizedPrincipalsFile, 2360 o->authorized_principals_file); 2361 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' 2362 ? "none" : o->version_addendum); 2363 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2364 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2365 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); 2366 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); 2367 dump_cfg_string(sHostKeyAgent, o->host_key_agent); 2368 dump_cfg_string(sKexAlgorithms, 2369 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); 2370 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? 2371 o->hostbased_key_types : KEX_DEFAULT_PK_ALG); 2372 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? 2373 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); 2374 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? 2375 o->pubkey_key_types : KEX_DEFAULT_PK_ALG); 2376 2377 /* string arguments requiring a lookup */ 2378 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2379 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility)); 2380 2381 /* string array arguments */ 2382 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files, 2383 o->authorized_keys_files); 2384 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, 2385 o->host_key_files); 2386 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, 2387 o->host_cert_files); 2388 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); 2389 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); 2390 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2391 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2392 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2393 dump_cfg_strarray_oneline(sAuthenticationMethods, 2394 o->num_auth_methods, o->auth_methods); 2395 2396 /* other arguments */ 2397 for (i = 0; i < o->num_subsystems; i++) 2398 printf("subsystem %s %s\n", o->subsystem_name[i], 2399 o->subsystem_args[i]); 2400 2401 printf("maxstartups %d:%d:%d\n", o->max_startups_begin, 2402 o->max_startups_rate, o->max_startups); 2403 2404 for (i = 0; tunmode_desc[i].val != -1; i++) 2405 if (tunmode_desc[i].val == o->permit_tun) { 2406 s = tunmode_desc[i].text; 2407 break; 2408 } 2409 dump_cfg_string(sPermitTunnel, s); 2410 2411 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2412 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2413 2414 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, 2415 o->rekey_interval); 2416 2417 channel_print_adm_permitted_opens(); 2418} 2419