1 /* 2 * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 3 * All rights reserved 4 * 5 * As far as I am concerned, the code I have written for this software 6 * can be used freely for any purpose. Any derived versions of this 7 * software must be clearly marked as such, and if the derived work is 8 * incompatible with the protocol description in the RFC file, it must be 9 * called by a name other than "ssh" or "Secure Shell". 10 */ 11 /* 12 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 13 * Use is subject to license terms. 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); 18 19 #ifdef HAVE_DEFOPEN 20 #include <deflt.h> 21 #endif /* HAVE_DEFOPEN */ 22 23 #if defined(KRB4) 24 #include <krb.h> 25 #endif 26 #if defined(KRB5) 27 #ifdef HEIMDAL 28 #include <krb.h> 29 #else 30 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V 31 * keytab */ 32 #define KEYFILE "/etc/krb5.keytab" 33 #endif 34 #endif 35 #ifdef AFS 36 #include <kafs.h> 37 #endif 38 39 #include "ssh.h" 40 #include "log.h" 41 #include "servconf.h" 42 #include "xmalloc.h" 43 #include "compat.h" 44 #include "pathnames.h" 45 #include "tildexpand.h" 46 #include "misc.h" 47 #include "cipher.h" 48 #include "kex.h" 49 #include "mac.h" 50 #include "auth.h" 51 52 static void add_listen_addr(ServerOptions *, char *, u_short); 53 static void add_one_listen_addr(ServerOptions *, char *, u_short); 54 55 /* AF_UNSPEC or AF_INET or AF_INET6 */ 56 extern int IPv4or6; 57 58 /* Initializes the server options to their default values. 
*/

/*
 * Resets every field of *options to its "unset" marker (-1, NULL, 0,
 * PERMIT_NOT_SET, SSH_PROTO_UNKNOWN, SYSLOG_*_NOT_SET).  The parser only
 * stores a value into a field that is still at its marker, and
 * fill_default_server_options() later replaces the markers that survive,
 * so the markers are what lets an explicit setting be told apart from an
 * untouched one.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Zero first so that any field not listed below starts out cleared. */
	(void) memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/* Standard Options */
	/* Counters start at 0 == "nothing configured yet". */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#ifdef GSSAPI
	options->gss_authentication = -1;
	options->gss_keyex = -1;
	options->gss_store_creds = -1;
	options->gss_use_session_ccache = -1;
	options->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	options->max_auth_tries = -1;
	options->max_auth_tries_log = -1;

	options->max_init_auth_tries = -1;
	options->max_init_auth_tries_log = -1;

	options->lookup_client_hostnames = -1;
	options->use_openssl_engine = -1;
}

#ifdef HAVE_DEFOPEN
/*
 * Reads /etc/default/login and defaults several ServerOptions:
 *
 *	PermitRootLogin
 *	PermitEmptyPasswords
 *	LoginGraceTime
 *	max_init_auth_tries / max_init_auth_tries_log
 *
 * CONSOLE=*			-> PermitRootLogin=without-password
 * #CONSOLE=*			-> PermitRootLogin=yes
 *
 * PASSREQ=YES			-> PermitEmptyPasswords=no
 * PASSREQ=NO			-> PermitEmptyPasswords=yes
 * #PASSREQ=*			-> PermitEmptyPasswords=no
 *
 * RETRIES=<n>			-> max_init_auth_tries=<n>
 * SYSLOG_FAILED_LOGINS=<n>	-> max_init_auth_tries_log=<n>
 *
 * TIMEOUT=<secs>		-> LoginGraceTime=<secs>
 * #TIMEOUT=<secs>		-> LoginGraceTime=300
 *
 * Only fields still at their "unset" marker are touched, so anything
 * already taken from sshd_config or the command line is left alone.
 * Runs from fill_default_server_options() before the compiled-in
 * defaults are applied.
 */
static
void
deflt_fill_default_server_options(ServerOptions *options)
{
	int flags;
	char *ptr;

	/*
	 * If the defaults file cannot be opened, give up silently; the
	 * compiled-in defaults in fill_default_server_options() apply.
	 */
	if (defopen(_PATH_DEFAULT_LOGIN))
		return;

	/* Ignore case */
	flags = defcntl(DC_GETFLAGS, 0);
	TURNOFF(flags, DC_CASE);
	(void) defcntl(DC_SETFLAGS, flags);

	/* Only the presence of a CONSOLE= line matters; its value is ignored. */
	if (options->permit_root_login == PERMIT_NOT_SET &&
	    (ptr = defread("CONSOLE=")) != NULL)
		options->permit_root_login = PERMIT_NO_PASSWD;

	/* Any PASSREQ value other than YES/NO leaves the field unset. */
	if (options->permit_empty_passwd == -1 &&
	    (ptr = defread("PASSREQ=")) != NULL) {
		if (strcasecmp("YES", ptr) == 0)
			options->permit_empty_passwd = 0;
		else if (strcasecmp("NO", ptr) == 0)
			options->permit_empty_passwd = 1;
	}

	/*
	 * NOTE(review): atoi() does no validation, so a non-numeric RETRIES
	 * or SYSLOG_FAILED_LOGINS value is stored as 0 rather than being
	 * rejected or left at the marker (which would fall through to
	 * AUTH_FAIL_MAX below).  What 0 means to the callers is not visible
	 * here -- confirm before relying on it.
	 */
	if (options->max_init_auth_tries == -1 &&
	    (ptr = defread("RETRIES=")) != NULL) {
		options->max_init_auth_tries = atoi(ptr);
	}

	if (options->max_init_auth_tries_log == -1 &&
	    (ptr = defread("SYSLOG_FAILED_LOGINS=")) != NULL) {
		options->max_init_auth_tries_log = atoi(ptr);
	}

	/*
	 * Unlike the other keys, a missing TIMEOUT still sets the field
	 * (to 300), so on HAVE_DEFOPEN builds the 120-second default in
	 * fill_default_server_options() is never reached.  The (unsigned)
	 * cast is converted straight back to the field's type, so it does
	 * not reject a negative or non-numeric TIMEOUT.
	 */
	if (options->login_grace_time == -1) {
		if ((ptr = defread("TIMEOUT=")) != NULL)
			options->login_grace_time = (unsigned)atoi(ptr);
		else
			options->login_grace_time = 300;
	}

	/* Close the defaults file. */
	(void) defopen((char *)NULL);
}
#endif /* HAVE_DEFOPEN */

/*
 * Replaces every field still at its "unset" marker with the compiled-in
 * default.  Intended to run once all configuration sources have been
 * consulted, since it only fills in what is still unset.  A few defaults
 * are derived from other fields (max_startups_begin, max_auth_tries_log,
 * max_init_auth_tries_log, authorized_keys_file2), so the order of the
 * assignments below matters.
 */
void
fill_default_server_options(ServerOptions *options)
{

#ifdef HAVE_DEFOPEN
	/* /etc/default/login values take precedence over the defaults here. */
	deflt_fill_default_server_options(options);
#endif /* HAVE_DEFOPEN */

	/* Portable-specific options */
	if (options->pam_authentication_via_kbd_int == -1)
		options->pam_authentication_via_kbd_int = 0;

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
#ifndef GSSAPI
		/*
		 * With GSS keyex we can run v2 w/ no host keys.
		 * NOTE(review): on a GSSAPI build a protocol-2-only server
		 * with no HostKey directive therefore ends up with zero host
		 * key files; whether that is acceptable depends on GSS key
		 * exchange actually being usable at runtime, which this file
		 * does not check.
		 */
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
#endif /* GSSAPI */
	}
	/* Ports must be known before listen addresses are resolved. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * Compiled-in default permits root login; on HAVE_DEFOPEN builds a
	 * CONSOLE= line may already have narrowed this to PERMIT_NO_PASSWD.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 1;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* The rhosts/hostbased family is off unless explicitly enabled. */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#ifdef GSSAPI
	/* All GSS features default to on. */
	if (options->gss_authentication == -1)
		options->gss_authentication = 1;
	if (options->gss_keyex == -1)
		options->gss_keyex = 1;
	if (options->gss_store_creds == -1)
		options->gss_store_creds = 1;
	if (options->gss_use_session_ccache == -1)
		options->gss_use_session_ccache = 1;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
#endif
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/* max_startups must be resolved before max_startups_begin copies it. */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	/*
	 * authorized_keys_file2 falls back to authorized_keys_file.
	 * This has to be resolved before authorized_keys_file itself is
	 * defaulted, otherwise an unset file2 would always inherit the
	 * compiled-in file path instead of _PATH_SSH_USER_PERMITTED_KEYS2.
	 */
	if (options->authorized_keys_file2 == NULL) {
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* The *_log thresholds default to half the corresponding limit (integer division). */
	if (options->max_auth_tries == -1)
		options->max_auth_tries = AUTH_FAIL_MAX;
	if (options->max_auth_tries_log == -1)
		options->max_auth_tries_log = options->max_auth_tries / 2;

	if (options->max_init_auth_tries == -1)
		options->max_init_auth_tries = AUTH_FAIL_MAX;
	if (options->max_init_auth_tries_log == -1)
		options->max_init_auth_tries_log = options->max_init_auth_tries / 2;

	if (options->lookup_client_hostnames == -1)
		options->lookup_client_hostnames = 1;
	if (options->use_openssl_engine == -1)
		options->use_openssl_engine = 1;
}

/* Keyword tokens.
*/

/*
 * One opcode per recognised sshd_config keyword.  Opcodes are only ever
 * compared (keywords[] maps names to them and process_server_config_line()
 * switches on them), never used as array indices, so the conditional
 * members simply drop out of builds that lack the feature.  sDeprecated
 * marks keywords that are still accepted but no longer meaningful.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef GSSAPI
	sGssAuthentication, sGssKeyEx, sGssStoreDelegCreds,
	sGssUseSessionCredCache, sGssCleanupCreds,
#endif /* GSSAPI */
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
	sLookupClientHostnames, sUseOpenSSLEngine,
	sDeprecated
} ServerOpCodes;

/* Textual representation of the tokens.
*/

/*
 * Keyword -> opcode table, terminated by a NULL name.  parse_token()
 * matches with strcasecmp(), so the spelling here is case-insensitive
 * (which is why most entries are lower-case), and it returns the first
 * match, which is how several spellings can share one opcode.  Entries
 * compiled out below (e.g. the non-SUNW_GSSAPI ones) are reported by
 * parse_token() as "Bad configuration option" on those builds.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },					/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapikeyexchange", sGssKeyEx },
	{ "gssapistoredelegatedcredentials", sGssStoreDelegCreds },
	{ "gssauthentication", sGssAuthentication },			/* alias */
	{ "gsskeyex", sGssKeyEx },					/* alias */
	{ "gssstoredelegcreds", sGssStoreDelegCreds },			/* alias */
#ifndef SUNW_GSSAPI
	/* Not available on SUNW_GSSAPI builds: the keywords are rejected there. */
	{ "gssusesessionccache", sGssUseSessionCredCache },
	{ "gssusesessioncredcache", sGssUseSessionCredCache },
	{ "gsscleanupcreds", sGssCleanupCreds },
#endif /* SUNW_GSSAPI */
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },		/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "maxauthtries", sMaxAuthTries },
	{ "maxauthtrieslog", sMaxAuthTriesLog },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ "lookupclienthostnames", sLookupClientHostnames},
	{ "useopensslengine", sUseOpenSSLEngine},
	{ NULL, sBadOption }					/* terminator */
};

/*
 * Returns the number of the token pointed to
by cp or sBadOption.
 * The match is case-insensitive and the first matching keywords[] entry
 * wins.  An unknown keyword is logged (with filename/linenum) before
 * sBadOption is returned; the caller decides whether that is fatal.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum)
{
	u_int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}

/*
 * Queues listen address(es) for addr.  port == 0 means "every configured
 * port", and if no port has been configured yet the default port is put
 * in place first so that the loop below has something to bind.  addr may
 * be NULL for the wildcard address (see add_one_listen_addr()).
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (port == 0)
		for (i = 0; i < options->num_ports; i++)
			add_one_listen_addr(options, addr, options->ports[i]);
	else
		add_one_listen_addr(options, addr, port);
}

/*
 * Resolves addr:port with getaddrinfo() and prepends every resulting
 * addrinfo to options->listen_addrs.  A NULL addr requests AI_PASSIVE
 * (the wildcard address).  Resolution failure is fatal, so an unresolvable
 * ListenAddress stops the daemon at configuration time rather than being
 * silently skipped.  The addrinfo chain is handed over to options
 * (not freed here).
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;

	(void) memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	(void) snprintf(strport, sizeof strport, "%u", port);
	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));
	/* Walk to the tail of the new chain, then splice the old list after it. */
	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
		;
	ai->ai_next = options->listen_addrs;
	options->listen_addrs = aitop;
}

/*
 * Parses one sshd_config line into *options.  Returns 0 for blank and
 * comment lines and -1 for an unrecognised keyword (already logged by
 * parse_token()); most malformed arguments are fatal().  For the
 * single-valued options handled here a value is stored only while the
 * field is still at its "unset" marker, so the first occurrence of a
 * keyword wins over later ones.  The function continues past the end of
 * this excerpt.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/*
	 * Ignore leading whitespace.
	 * NOTE(review): arg is dereferenced here before the NULL check two
	 * lines down; this relies on the first strdelim() call never
	 * returning NULL -- confirm against strdelim().
	 */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* Listen addresses are resolved per port, so ports must come first. */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() signals a bad port with 0. */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/*
		 * Shared tail for integer-valued options.
		 * NOTE(review): atoi() accepts anything, so a non-numeric
		 * argument is stored as 0 instead of being rejected (compare
		 * parse_time below, which does validate via convtime()).
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared tail for time-valued options; convtime() reports -1 on error. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [ipv6], [ipv6]:port.
		 * A bare IPv6 literal (two or more colons, no brackets) is
		 * taken as an address with no port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Strip the brackets in place; p now points at what followed ']'. */
			arg++;
			(void) memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address part at the ':'. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/* Next free slot; the counter is bumped in parse_filename only when the slot is filled. */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/* Shared tail for path-valued options; stores only if still NULL. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared tail for yes/no options; anything else is fatal. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#ifdef GSSAPI
	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;
	case sGssKeyEx:
		intptr = &options->gss_keyex;
		goto parse_flag;
	case sGssStoreDelegCreds:
		/*
		 * NOTE(review): this points at gss_keyex rather than
		 * gss_store_creds, so GSSAPIStoreDelegatedCredentials never
		 * reaches its own field (which therefore always keeps the
		 * default set in fill_default_server_options()) and instead
		 * sets GSSAPIKeyExchange whenever that keyword has not been
		 * seen yet.  Looks like a copy/paste slip; the intended
		 * target appears to be &options->gss_store_creds.
		 */
		intptr = &options->gss_keyex;
		goto parse_flag;
#ifndef SUNW_GSSAPI
	case sGssUseSessionCredCache:
		intptr = &options->gss_use_session_ccache;
		goto parse_flag;
	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;
#endif /* SUNW_GSSAPI */
#endif /* GSSAPI */
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		/* Unlike parse_flag, this goes through get_yes_no_flag() (not shown here). */
		arg = strdelim(&cp);
		if (get_yes_no_flag(&options->gateway_ports, arg, filename,
		    linenum, 1) == 1)