1 /* $OpenBSD: readconf.c,v 1.167 2008/06/26 11:46:31 grunk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
47 /* Format of the configuration file:
49 # Configuration data is parsed as follows:
50 # 1. command line options
51 # 2. user-specific file
53 # Any configuration value is only changed the first time it is set.
54 # Thus, host-specific definitions should be at the beginning of the
55 # configuration file, and defaults at the end.
57 # Host-specific declarations. These may override anything above. A single
58 # host may match multiple declarations; these are processed in the order
59 # that they are given in.
65 HostName another.host.name.real.org
72 RemoteForward 9999 shadows.cs.hut.fi:9999
78 PasswordAuthentication no
82 ProxyCommand ssh-proxy %h %p
85 PublicKeyAuthentication no
89 PasswordAuthentication no
95 # Defaults for various options
99 PasswordAuthentication yes
100 RSAAuthentication yes
101 RhostsRSAAuthentication yes
102 StrictHostKeyChecking yes
104 IdentityFile ~/.ssh/identity
110 /* Keyword tokens. */
114 oForwardAgent
, oForwardX11
, oForwardX11Trusted
, oGatewayPorts
,
115 oExitOnForwardFailure
,
116 oPasswordAuthentication
, oRSAAuthentication
,
117 oChallengeResponseAuthentication
, oXAuthLocation
,
118 oIdentityFile
, oHostName
, oPort
, oCipher
, oRemoteForward
, oLocalForward
,
119 oUser
, oHost
, oEscapeChar
, oRhostsRSAAuthentication
, oProxyCommand
,
120 oGlobalKnownHostsFile
, oUserKnownHostsFile
, oConnectionAttempts
,
121 oBatchMode
, oCheckHostIP
, oStrictHostKeyChecking
, oCompression
,
122 oCompressionLevel
, oTCPKeepAlive
, oNumberOfPasswordPrompts
,
123 oUsePrivilegedPort
, oLogLevel
, oCiphers
, oProtocol
, oMacs
,
124 oGlobalKnownHostsFile2
, oUserKnownHostsFile2
, oPubkeyAuthentication
,
125 oKbdInteractiveAuthentication
, oKbdInteractiveDevices
, oHostKeyAlias
,
126 oDynamicForward
, oPreferredAuthentications
, oHostbasedAuthentication
,
127 oHostKeyAlgorithms
, oBindAddress
, oSmartcardDevice
,
128 oClearAllForwardings
, oNoHostAuthenticationForLocalhost
,
129 oEnableSSHKeysign
, oRekeyLimit
, oVerifyHostKeyDNS
, oConnectTimeout
,
130 oAddressFamily
, oGssAuthentication
, oGssDelegateCreds
,
131 oServerAliveInterval
, oServerAliveCountMax
, oIdentitiesOnly
,
133 oSendEnv
, oControlPath
, oControlMaster
, oHashKnownHosts
,
134 oTunnel
, oTunnelDevice
, oLocalCommand
, oPermitLocalCommand
,
136 oDeprecated
, oUnsupported
139 /* Textual representations of the tokens. */
145 { "forwardagent", oForwardAgent
},
146 { "forwardx11", oForwardX11
},
147 { "forwardx11trusted", oForwardX11Trusted
},
148 { "exitonforwardfailure", oExitOnForwardFailure
},
149 { "xauthlocation", oXAuthLocation
},
150 { "gatewayports", oGatewayPorts
},
151 { "useprivilegedport", oUsePrivilegedPort
},
152 { "rhostsauthentication", oDeprecated
},
153 { "passwordauthentication", oPasswordAuthentication
},
154 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication
},
155 { "kbdinteractivedevices", oKbdInteractiveDevices
},
156 { "rsaauthentication", oRSAAuthentication
},
157 { "pubkeyauthentication", oPubkeyAuthentication
},
158 { "dsaauthentication", oPubkeyAuthentication
}, /* alias */
159 { "rhostsrsaauthentication", oRhostsRSAAuthentication
},
160 { "hostbasedauthentication", oHostbasedAuthentication
},
161 { "challengeresponseauthentication", oChallengeResponseAuthentication
},
162 { "skeyauthentication", oChallengeResponseAuthentication
}, /* alias */
163 { "tisauthentication", oChallengeResponseAuthentication
}, /* alias */
164 { "kerberosauthentication", oUnsupported
},
165 { "kerberostgtpassing", oUnsupported
},
166 { "afstokenpassing", oUnsupported
},
168 { "gssapiauthentication", oGssAuthentication
},
169 { "gssapidelegatecredentials", oGssDelegateCreds
},
171 { "gssapiauthentication", oUnsupported
},
172 { "gssapidelegatecredentials", oUnsupported
},
174 { "fallbacktorsh", oDeprecated
},
175 { "usersh", oDeprecated
},
176 { "identityfile", oIdentityFile
},
177 { "identityfile2", oIdentityFile
}, /* alias */
178 { "identitiesonly", oIdentitiesOnly
},
179 { "hostname", oHostName
},
180 { "hostkeyalias", oHostKeyAlias
},
181 { "proxycommand", oProxyCommand
},
183 { "cipher", oCipher
},
184 { "ciphers", oCiphers
},
186 { "protocol", oProtocol
},
187 { "remoteforward", oRemoteForward
},
188 { "localforward", oLocalForward
},
191 { "escapechar", oEscapeChar
},
192 { "globalknownhostsfile", oGlobalKnownHostsFile
},
193 { "userknownhostsfile", oUserKnownHostsFile
}, /* obsolete */
194 { "globalknownhostsfile2", oGlobalKnownHostsFile2
},
195 { "userknownhostsfile2", oUserKnownHostsFile2
}, /* obsolete */
196 { "connectionattempts", oConnectionAttempts
},
197 { "batchmode", oBatchMode
},
198 { "checkhostip", oCheckHostIP
},
199 { "stricthostkeychecking", oStrictHostKeyChecking
},
200 { "compression", oCompression
},
201 { "compressionlevel", oCompressionLevel
},
202 { "tcpkeepalive", oTCPKeepAlive
},
203 { "keepalive", oTCPKeepAlive
}, /* obsolete */
204 { "numberofpasswordprompts", oNumberOfPasswordPrompts
},
205 { "loglevel", oLogLevel
},
206 { "dynamicforward", oDynamicForward
},
207 { "preferredauthentications", oPreferredAuthentications
},
208 { "hostkeyalgorithms", oHostKeyAlgorithms
},
209 { "bindaddress", oBindAddress
},
211 { "smartcarddevice", oSmartcardDevice
},
213 { "smartcarddevice", oUnsupported
},
215 { "clearallforwardings", oClearAllForwardings
},
216 { "enablesshkeysign", oEnableSSHKeysign
},
217 { "verifyhostkeydns", oVerifyHostKeyDNS
},
218 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost
},
219 { "rekeylimit", oRekeyLimit
},
220 { "connecttimeout", oConnectTimeout
},
221 { "addressfamily", oAddressFamily
},
222 { "serveraliveinterval", oServerAliveInterval
},
223 { "serveralivecountmax", oServerAliveCountMax
},
224 { "versionaddendum", oVersionAddendum
},
225 { "sendenv", oSendEnv
},
226 { "controlpath", oControlPath
},
227 { "controlmaster", oControlMaster
},
228 { "hashknownhosts", oHashKnownHosts
},
229 { "tunnel", oTunnel
},
230 { "tunneldevice", oTunnelDevice
},
231 { "localcommand", oLocalCommand
},
232 { "permitlocalcommand", oPermitLocalCommand
},
233 { "visualhostkey", oVisualHostKey
},
238 * Adds a local TCP/IP port forward to options. Never returns if there is an
243 add_local_forward(Options
*options
, const Forward
*newfwd
)
246 #ifndef NO_IPPORT_RESERVED_CONCEPT
247 extern uid_t original_real_uid
;
248 if (newfwd
->listen_port
< IPPORT_RESERVED
&& original_real_uid
!= 0)
249 fatal("Privileged ports can only be forwarded by root.");
251 if (options
->num_local_forwards
>= SSH_MAX_FORWARDS_PER_DIRECTION
)
252 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION
);
253 fwd
= &options
->local_forwards
[options
->num_local_forwards
++];
255 fwd
->listen_host
= (newfwd
->listen_host
== NULL
) ?
256 NULL
: xstrdup(newfwd
->listen_host
);
257 fwd
->listen_port
= newfwd
->listen_port
;
258 fwd
->connect_host
= xstrdup(newfwd
->connect_host
);
259 fwd
->connect_port
= newfwd
->connect_port
;
263 * Adds a remote TCP/IP port forward to options. Never returns if there is
268 add_remote_forward(Options
*options
, const Forward
*newfwd
)
271 if (options
->num_remote_forwards
>= SSH_MAX_FORWARDS_PER_DIRECTION
)
272 fatal("Too many remote forwards (max %d).",
273 SSH_MAX_FORWARDS_PER_DIRECTION
);
274 fwd
= &options
->remote_forwards
[options
->num_remote_forwards
++];
276 fwd
->listen_host
= (newfwd
->listen_host
== NULL
) ?
277 NULL
: xstrdup(newfwd
->listen_host
);
278 fwd
->listen_port
= newfwd
->listen_port
;
279 fwd
->connect_host
= xstrdup(newfwd
->connect_host
);
280 fwd
->connect_port
= newfwd
->connect_port
;
284 clear_forwardings(Options
*options
)
288 for (i
= 0; i
< options
->num_local_forwards
; i
++) {
289 if (options
->local_forwards
[i
].listen_host
!= NULL
)
290 xfree(options
->local_forwards
[i
].listen_host
);
291 xfree(options
->local_forwards
[i
].connect_host
);
293 options
->num_local_forwards
= 0;
294 for (i
= 0; i
< options
->num_remote_forwards
; i
++) {
295 if (options
->remote_forwards
[i
].listen_host
!= NULL
)
296 xfree(options
->remote_forwards
[i
].listen_host
);
297 xfree(options
->remote_forwards
[i
].connect_host
);
299 options
->num_remote_forwards
= 0;
300 options
->tun_open
= SSH_TUNMODE_NO
;
304 * Returns the number of the token pointed to by cp or oBadOption.
308 parse_token(const char *cp
, const char *filename
, int linenum
)
312 for (i
= 0; keywords
[i
].name
; i
++)
313 if (strcasecmp(cp
, keywords
[i
].name
) == 0)
314 return keywords
[i
].opcode
;
316 error("%s: line %d: Bad configuration option: %s",
317 filename
, linenum
, cp
);
322 * Processes a single option line as used in the configuration files. This
323 * only sets those values that have not already been set.
325 #define WHITESPACE " \t\r\n"
328 process_config_line(Options
*options
, const char *host
,
329 char *line
, const char *filename
, int linenum
,
332 char *s
, **charptr
, *endofnumber
, *keyword
, *arg
, *arg2
, fwdarg
[256];
333 int opcode
, *intptr
, value
, value2
, scale
;
334 LogLevel
*log_level_ptr
;
335 long long orig
, val64
;
339 /* Strip trailing whitespace */
340 for (len
= strlen(line
) - 1; len
> 0; len
--) {
341 if (strchr(WHITESPACE
, line
[len
]) == NULL
)
347 /* Get the keyword. (Each line is supposed to begin with a keyword). */
348 if ((keyword
= strdelim(&s
)) == NULL
)
350 /* Ignore leading whitespace. */
351 if (*keyword
== '\0')
352 keyword
= strdelim(&s
);
353 if (keyword
== NULL
|| !*keyword
|| *keyword
== '\n' || *keyword
== '#')
356 opcode
= parse_token(keyword
, filename
, linenum
);
360 /* don't panic, but count bad options */
363 case oConnectTimeout
:
364 intptr
= &options
->connection_timeout
;
367 if (!arg
|| *arg
== '\0')
368 fatal("%s line %d: missing time value.",
370 if ((value
= convtime(arg
)) == -1)
371 fatal("%s line %d: invalid time value.",
373 if (*activep
&& *intptr
== -1)
378 intptr
= &options
->forward_agent
;
381 if (!arg
|| *arg
== '\0')
382 fatal("%.200s line %d: Missing yes/no argument.", filename
, linenum
);
383 value
= 0; /* To avoid compiler warning... */
384 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
386 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
389 fatal("%.200s line %d: Bad yes/no argument.", filename
, linenum
);
390 if (*activep
&& *intptr
== -1)
395 intptr
= &options
->forward_x11
;
398 case oForwardX11Trusted
:
399 intptr
= &options
->forward_x11_trusted
;
403 intptr
= &options
->gateway_ports
;
406 case oExitOnForwardFailure
:
407 intptr
= &options
->exit_on_forward_failure
;
410 case oUsePrivilegedPort
:
411 intptr
= &options
->use_privileged_port
;
414 case oPasswordAuthentication
:
415 intptr
= &options
->password_authentication
;
418 case oKbdInteractiveAuthentication
:
419 intptr
= &options
->kbd_interactive_authentication
;
422 case oKbdInteractiveDevices
:
423 charptr
= &options
->kbd_interactive_devices
;
426 case oPubkeyAuthentication
:
427 intptr
= &options
->pubkey_authentication
;
430 case oRSAAuthentication
:
431 intptr
= &options
->rsa_authentication
;
434 case oRhostsRSAAuthentication
:
435 intptr
= &options
->rhosts_rsa_authentication
;
438 case oHostbasedAuthentication
:
439 intptr
= &options
->hostbased_authentication
;
442 case oChallengeResponseAuthentication
:
443 intptr
= &options
->challenge_response_authentication
;
446 case oGssAuthentication
:
447 intptr
= &options
->gss_authentication
;
450 case oGssDelegateCreds
:
451 intptr
= &options
->gss_deleg_creds
;
455 intptr
= &options
->batch_mode
;
459 intptr
= &options
->check_host_ip
;
462 case oVerifyHostKeyDNS
:
463 intptr
= &options
->verify_host_key_dns
;
466 case oStrictHostKeyChecking
:
467 intptr
= &options
->strict_host_key_checking
;
470 if (!arg
|| *arg
== '\0')
471 fatal("%.200s line %d: Missing yes/no/ask argument.",
473 value
= 0; /* To avoid compiler warning... */
474 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
476 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
478 else if (strcmp(arg
, "ask") == 0)
481 fatal("%.200s line %d: Bad yes/no/ask argument.", filename
, linenum
);
482 if (*activep
&& *intptr
== -1)
487 intptr
= &options
->compression
;
491 intptr
= &options
->tcp_keep_alive
;
494 case oNoHostAuthenticationForLocalhost
:
495 intptr
= &options
->no_host_authentication_for_localhost
;
498 case oNumberOfPasswordPrompts
:
499 intptr
= &options
->number_of_password_prompts
;
502 case oCompressionLevel
:
503 intptr
= &options
->compression_level
;
508 if (!arg
|| *arg
== '\0')
509 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
510 if (arg
[0] < '0' || arg
[0] > '9')
511 fatal("%.200s line %d: Bad number.", filename
, linenum
);
512 orig
= val64
= strtoll(arg
, &endofnumber
, 10);
513 if (arg
== endofnumber
)
514 fatal("%.200s line %d: Bad number.", filename
, linenum
);
515 switch (toupper(*endofnumber
)) {
529 fatal("%.200s line %d: Invalid RekeyLimit suffix",
533 /* detect integer wrap and too-large limits */
534 if ((val64
/ scale
) != orig
|| val64
> UINT_MAX
)
535 fatal("%.200s line %d: RekeyLimit too large",
538 fatal("%.200s line %d: RekeyLimit too small",
540 if (*activep
&& options
->rekey_limit
== -1)
541 options
->rekey_limit
= (u_int32_t
)val64
;
546 if (!arg
|| *arg
== '\0')
547 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
549 intptr
= &options
->num_identity_files
;
550 if (*intptr
>= SSH_MAX_IDENTITY_FILES
)
551 fatal("%.200s line %d: Too many identity files specified (max %d).",
552 filename
, linenum
, SSH_MAX_IDENTITY_FILES
);
553 charptr
= &options
->identity_files
[*intptr
];
554 *charptr
= xstrdup(arg
);
555 *intptr
= *intptr
+ 1;
560 charptr
=&options
->xauth_location
;
564 charptr
= &options
->user
;
567 if (!arg
|| *arg
== '\0')
568 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
569 if (*activep
&& *charptr
== NULL
)
570 *charptr
= xstrdup(arg
);
573 case oGlobalKnownHostsFile
:
574 charptr
= &options
->system_hostfile
;
577 case oUserKnownHostsFile
:
578 charptr
= &options
->user_hostfile
;
581 case oGlobalKnownHostsFile2
:
582 charptr
= &options
->system_hostfile2
;
585 case oUserKnownHostsFile2
:
586 charptr
= &options
->user_hostfile2
;
590 charptr
= &options
->hostname
;
594 charptr
= &options
->host_key_alias
;
597 case oPreferredAuthentications
:
598 charptr
= &options
->preferred_authentications
;
602 charptr
= &options
->bind_address
;
605 case oSmartcardDevice
:
606 charptr
= &options
->smartcard_device
;
610 charptr
= &options
->proxy_command
;
613 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
614 len
= strspn(s
, WHITESPACE
"=");
615 if (*activep
&& *charptr
== NULL
)
616 *charptr
= xstrdup(s
+ len
);
620 intptr
= &options
->port
;
623 if (!arg
|| *arg
== '\0')
624 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
625 if (arg
[0] < '0' || arg
[0] > '9')
626 fatal("%.200s line %d: Bad number.", filename
, linenum
);
628 /* Octal, decimal, or hex format? */
629 value
= strtol(arg
, &endofnumber
, 0);
630 if (arg
== endofnumber
)
631 fatal("%.200s line %d: Bad number.", filename
, linenum
);
632 if (*activep
&& *intptr
== -1)
636 case oConnectionAttempts
:
637 intptr
= &options
->connection_attempts
;
641 intptr
= &options
->cipher
;
643 if (!arg
|| *arg
== '\0')
644 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
645 value
= cipher_number(arg
);
647 fatal("%.200s line %d: Bad cipher '%s'.",
648 filename
, linenum
, arg
? arg
: "<NONE>");
649 if (*activep
&& *intptr
== -1)
655 if (!arg
|| *arg
== '\0')
656 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
657 if (!ciphers_valid(arg
))
658 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
659 filename
, linenum
, arg
? arg
: "<NONE>");
660 if (*activep
&& options
->ciphers
== NULL
)
661 options
->ciphers
= xstrdup(arg
);
666 if (!arg
|| *arg
== '\0')
667 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
669 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
670 filename
, linenum
, arg
? arg
: "<NONE>");
671 if (*activep
&& options
->macs
== NULL
)
672 options
->macs
= xstrdup(arg
);
675 case oHostKeyAlgorithms
:
677 if (!arg
|| *arg
== '\0')
678 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
679 if (!key_names_valid2(arg
))
680 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
681 filename
, linenum
, arg
? arg
: "<NONE>");
682 if (*activep
&& options
->hostkeyalgorithms
== NULL
)
683 options
->hostkeyalgorithms
= xstrdup(arg
);
687 intptr
= &options
->protocol
;
689 if (!arg
|| *arg
== '\0')
690 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
691 value
= proto_spec(arg
);
692 if (value
== SSH_PROTO_UNKNOWN
)
693 fatal("%.200s line %d: Bad protocol spec '%s'.",
694 filename
, linenum
, arg
? arg
: "<NONE>");
695 if (*activep
&& *intptr
== SSH_PROTO_UNKNOWN
)
700 log_level_ptr
= &options
->log_level
;
702 value
= log_level_number(arg
);
703 if (value
== SYSLOG_LEVEL_NOT_SET
)
704 fatal("%.200s line %d: unsupported log level '%s'",
705 filename
, linenum
, arg
? arg
: "<NONE>");
706 if (*activep
&& *log_level_ptr
== SYSLOG_LEVEL_NOT_SET
)
707 *log_level_ptr
= (LogLevel
) value
;
713 if (arg
== NULL
|| *arg
== '\0')
714 fatal("%.200s line %d: Missing port argument.",
717 if (arg2
== NULL
|| *arg2
== '\0')
718 fatal("%.200s line %d: Missing target argument.",
721 /* construct a string for parse_forward */
722 snprintf(fwdarg
, sizeof(fwdarg
), "%s:%s", arg
, arg2
);
724 if (parse_forward(&fwd
, fwdarg
) == 0)
725 fatal("%.200s line %d: Bad forwarding specification.",
729 if (opcode
== oLocalForward
)
730 add_local_forward(options
, &fwd
);
731 else if (opcode
== oRemoteForward
)
732 add_remote_forward(options
, &fwd
);
736 case oDynamicForward
:
738 if (!arg
|| *arg
== '\0')
739 fatal("%.200s line %d: Missing port argument.",
741 memset(&fwd
, '\0', sizeof(fwd
));
742 fwd
.connect_host
= "socks";
743 fwd
.listen_host
= hpdelim(&arg
);
744 if (fwd
.listen_host
== NULL
||
745 strlen(fwd
.listen_host
) >= NI_MAXHOST
)
746 fatal("%.200s line %d: Bad forwarding specification.",
749 fwd
.listen_port
= a2port(arg
);
750 fwd
.listen_host
= cleanhostname(fwd
.listen_host
);
752 fwd
.listen_port
= a2port(fwd
.listen_host
);
753 fwd
.listen_host
= NULL
;
755 if (fwd
.listen_port
== 0)
756 fatal("%.200s line %d: Badly formatted port number.",
759 add_local_forward(options
, &fwd
);
762 case oClearAllForwardings
:
763 intptr
= &options
->clear_forwardings
;
768 while ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0')
769 if (match_pattern(host
, arg
)) {
770 debug("Applying options for %.100s", arg
);
774 /* Avoid garbage check below, as strdelim is done. */
778 intptr
= &options
->escape_char
;
780 if (!arg
|| *arg
== '\0')
781 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
782 if (arg
[0] == '^' && arg
[2] == 0 &&
783 (u_char
) arg
[1] >= 64 && (u_char
) arg
[1] < 128)
784 value
= (u_char
) arg
[1] & 31;
785 else if (strlen(arg
) == 1)
786 value
= (u_char
) arg
[0];
787 else if (strcmp(arg
, "none") == 0)
788 value
= SSH_ESCAPECHAR_NONE
;
790 fatal("%.200s line %d: Bad escape character.",
793 value
= 0; /* Avoid compiler warning. */
795 if (*activep
&& *intptr
== -1)
801 if (!arg
|| *arg
== '\0')
802 fatal("%s line %d: missing address family.",
804 intptr
= &options
->address_family
;
805 if (strcasecmp(arg
, "inet") == 0)
807 else if (strcasecmp(arg
, "inet6") == 0)
809 else if (strcasecmp(arg
, "any") == 0)
812 fatal("Unsupported AddressFamily \"%s\"", arg
);
813 if (*activep
&& *intptr
== -1)
817 case oEnableSSHKeysign
:
818 intptr
= &options
->enable_ssh_keysign
;
821 case oIdentitiesOnly
:
822 intptr
= &options
->identities_only
;
825 case oServerAliveInterval
:
826 intptr
= &options
->server_alive_interval
;
829 case oServerAliveCountMax
:
830 intptr
= &options
->server_alive_count_max
;
833 case oVersionAddendum
:
834 ssh_version_set_addendum(strtok(s
, "\n"));
837 } while (arg
!= NULL
&& *arg
!= '\0');
841 while ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0') {
842 if (strchr(arg
, '=') != NULL
)
843 fatal("%s line %d: Invalid environment name.",
847 if (options
->num_send_env
>= MAX_SEND_ENV
)
848 fatal("%s line %d: too many send env.",
850 options
->send_env
[options
->num_send_env
++] =
856 charptr
= &options
->control_path
;
860 intptr
= &options
->control_master
;
862 if (!arg
|| *arg
== '\0')
863 fatal("%.200s line %d: Missing ControlMaster argument.",
865 value
= 0; /* To avoid compiler warning... */
866 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
867 value
= SSHCTL_MASTER_YES
;
868 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
869 value
= SSHCTL_MASTER_NO
;
870 else if (strcmp(arg
, "auto") == 0)
871 value
= SSHCTL_MASTER_AUTO
;
872 else if (strcmp(arg
, "ask") == 0)
873 value
= SSHCTL_MASTER_ASK
;
874 else if (strcmp(arg
, "autoask") == 0)
875 value
= SSHCTL_MASTER_AUTO_ASK
;
877 fatal("%.200s line %d: Bad ControlMaster argument.",
879 if (*activep
&& *intptr
== -1)
883 case oHashKnownHosts
:
884 intptr
= &options
->hash_known_hosts
;
888 intptr
= &options
->tun_open
;
890 if (!arg
|| *arg
== '\0')
891 fatal("%s line %d: Missing yes/point-to-point/"
892 "ethernet/no argument.", filename
, linenum
);
893 value
= 0; /* silence compiler */
894 if (strcasecmp(arg
, "ethernet") == 0)
895 value
= SSH_TUNMODE_ETHERNET
;
896 else if (strcasecmp(arg
, "point-to-point") == 0)
897 value
= SSH_TUNMODE_POINTOPOINT
;
898 else if (strcasecmp(arg
, "yes") == 0)
899 value
= SSH_TUNMODE_DEFAULT
;
900 else if (strcasecmp(arg
, "no") == 0)
901 value
= SSH_TUNMODE_NO
;
903 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
904 "no argument: %s", filename
, linenum
, arg
);
911 if (!arg
|| *arg
== '\0')
912 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
913 value
= a2tun(arg
, &value2
);
914 if (value
== SSH_TUNID_ERR
)
915 fatal("%.200s line %d: Bad tun device.", filename
, linenum
);
917 options
->tun_local
= value
;
918 options
->tun_remote
= value2
;
923 charptr
= &options
->local_command
;
926 case oPermitLocalCommand
:
927 intptr
= &options
->permit_local_command
;
931 intptr
= &options
->visual_host_key
;
935 debug("%s line %d: Deprecated option \"%s\"",
936 filename
, linenum
, keyword
);
940 error("%s line %d: Unsupported option \"%s\"",
941 filename
, linenum
, keyword
);
945 fatal("process_config_line: Unimplemented opcode %d", opcode
);
948 /* Check that there is no garbage at end of line. */
949 if ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0') {
950 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
951 filename
, linenum
, arg
);
958 * Reads the config file and modifies the options accordingly. Options
959 * should already be initialized before this call. This never returns if
960 * there is an error. If the file does not exist, this returns 0.
964 read_config_file(const char *filename
, const char *host
, Options
*options
,
973 if ((f
= fopen(filename
, "r")) == NULL
)
979 if (fstat(fileno(f
), &sb
) == -1)
980 fatal("fstat %s: %s", filename
, strerror(errno
));
981 if (((sb
.st_uid
!= 0 && sb
.st_uid
!= getuid()) ||
982 (sb
.st_mode
& 022) != 0))
983 fatal("Bad owner or permissions on %s", filename
);
986 debug("Reading configuration data %.200s", filename
);
989 * Mark that we are now processing the options. This flag is turned
990 * on/off by Host specifications.
994 while (fgets(line
, sizeof(line
), f
)) {
995 /* Update line number counter. */
997 if (process_config_line(options
, host
, line
, filename
, linenum
, &active
) != 0)
1001 if (bad_options
> 0)
1002 fatal("%s: terminating, %d bad configuration options",
1003 filename
, bad_options
);
1008 * Initializes options to special values that indicate that they have not yet
1009 * been set. Read_config_file will only set options with this value. Options
1010 * are processed in the following order: command line, user config file,
1011 * system config file. Last, fill_default_options is called.
1015 initialize_options(Options
* options
)
1017 memset(options
, 'X', sizeof(*options
));
1018 options
->forward_agent
= -1;
1019 options
->forward_x11
= -1;
1020 options
->forward_x11_trusted
= -1;
1021 options
->exit_on_forward_failure
= -1;
1022 options
->xauth_location
= NULL
;
1023 options
->gateway_ports
= -1;
1024 options
->use_privileged_port
= -1;
1025 options
->rsa_authentication
= -1;
1026 options
->pubkey_authentication
= -1;
1027 options
->challenge_response_authentication
= -1;
1028 options
->gss_authentication
= -1;
1029 options
->gss_deleg_creds
= -1;
1030 options
->password_authentication
= -1;
1031 options
->kbd_interactive_authentication
= -1;
1032 options
->kbd_interactive_devices
= NULL
;
1033 options
->rhosts_rsa_authentication
= -1;
1034 options
->hostbased_authentication
= -1;
1035 options
->batch_mode
= -1;
1036 options
->check_host_ip
= -1;
1037 options
->strict_host_key_checking
= -1;
1038 options
->compression
= -1;
1039 options
->tcp_keep_alive
= -1;
1040 options
->compression_level
= -1;
1042 options
->address_family
= -1;
1043 options
->connection_attempts
= -1;
1044 options
->connection_timeout
= -1;
1045 options
->number_of_password_prompts
= -1;
1046 options
->cipher
= -1;
1047 options
->ciphers
= NULL
;
1048 options
->macs
= NULL
;
1049 options
->hostkeyalgorithms
= NULL
;
1050 options
->protocol
= SSH_PROTO_UNKNOWN
;
1051 options
->num_identity_files
= 0;
1052 options
->hostname
= NULL
;
1053 options
->host_key_alias
= NULL
;
1054 options
->proxy_command
= NULL
;
1055 options
->user
= NULL
;
1056 options
->escape_char
= -1;
1057 options
->system_hostfile
= NULL
;
1058 options
->user_hostfile
= NULL
;
1059 options
->system_hostfile2
= NULL
;
1060 options
->user_hostfile2
= NULL
;
1061 options
->num_local_forwards
= 0;
1062 options
->num_remote_forwards
= 0;
1063 options
->clear_forwardings
= -1;
1064 options
->log_level
= SYSLOG_LEVEL_NOT_SET
;
1065 options
->preferred_authentications
= NULL
;
1066 options
->bind_address
= NULL
;
1067 options
->smartcard_device
= NULL
;
1068 options
->enable_ssh_keysign
= - 1;
1069 options
->no_host_authentication_for_localhost
= - 1;
1070 options
->identities_only
= - 1;
1071 options
->rekey_limit
= - 1;
1072 options
->verify_host_key_dns
= -1;
1073 options
->server_alive_interval
= -1;
1074 options
->server_alive_count_max
= -1;
1075 options
->num_send_env
= 0;
1076 options
->control_path
= NULL
;
1077 options
->control_master
= -1;
1078 options
->hash_known_hosts
= -1;
1079 options
->tun_open
= -1;
1080 options
->tun_local
= -1;
1081 options
->tun_remote
= -1;
1082 options
->local_command
= NULL
;
1083 options
->permit_local_command
= -1;
1084 options
->visual_host_key
= -1;
1088 * Called after processing other sources of option data, this fills those
1089 * options for which no value has been specified with their default values.
1093 fill_default_options(Options
* options
)
1097 if (options
->forward_agent
== -1)
1098 options
->forward_agent
= 0;
1099 if (options
->forward_x11
== -1)
1100 options
->forward_x11
= 0;
1101 if (options
->forward_x11_trusted
== -1)
1102 options
->forward_x11_trusted
= 0;
1103 if (options
->exit_on_forward_failure
== -1)
1104 options
->exit_on_forward_failure
= 0;
1105 if (options
->xauth_location
== NULL
)
1106 options
->xauth_location
= _PATH_XAUTH
;
1107 if (options
->gateway_ports
== -1)
1108 options
->gateway_ports
= 0;
1109 if (options
->use_privileged_port
== -1)
1110 options
->use_privileged_port
= 0;
1111 if (options
->rsa_authentication
== -1)
1112 options
->rsa_authentication
= 1;
1113 if (options
->pubkey_authentication
== -1)
1114 options
->pubkey_authentication
= 1;
1115 if (options
->challenge_response_authentication
== -1)
1116 options
->challenge_response_authentication
= 1;
1117 if (options
->gss_authentication
== -1)
1118 options
->gss_authentication
= 0;
1119 if (options
->gss_deleg_creds
== -1)
1120 options
->gss_deleg_creds
= 0;
1121 if (options
->password_authentication
== -1)
1122 options
->password_authentication
= 1;
1123 if (options
->kbd_interactive_authentication
== -1)
1124 options
->kbd_interactive_authentication
= 1;
1125 if (options
->rhosts_rsa_authentication
== -1)
1126 options
->rhosts_rsa_authentication
= 0;
1127 if (options
->hostbased_authentication
== -1)
1128 options
->hostbased_authentication
= 0;
1129 if (options
->batch_mode
== -1)
1130 options
->batch_mode
= 0;
1131 if (options
->check_host_ip
== -1)
1132 options
->check_host_ip
= 0;
1133 if (options
->strict_host_key_checking
== -1)
1134 options
->strict_host_key_checking
= 2; /* 2 is default */
1135 if (options
->compression
== -1)
1136 options
->compression
= 0;
1137 if (options
->tcp_keep_alive
== -1)
1138 options
->tcp_keep_alive
= 1;
1139 if (options
->compression_level
== -1)
1140 options
->compression_level
= 6;
1141 if (options
->port
== -1)
1142 options
->port
= 0; /* Filled in ssh_connect. */
1143 if (options
->address_family
== -1)
1144 options
->address_family
= AF_UNSPEC
;
1145 if (options
->connection_attempts
== -1)
1146 options
->connection_attempts
= 1;
1147 if (options
->number_of_password_prompts
== -1)
1148 options
->number_of_password_prompts
= 3;
1149 /* Selected in ssh_login(). */
1150 if (options
->cipher
== -1)
1151 options
->cipher
= SSH_CIPHER_NOT_SET
;
1152 /* options->ciphers, default set in myproposals.h */
1153 /* options->macs, default set in myproposals.h */
1154 /* options->hostkeyalgorithms, default set in myproposals.h */
1155 if (options
->protocol
== SSH_PROTO_UNKNOWN
)
1156 options
->protocol
= SSH_PROTO_1
|SSH_PROTO_2
;
1157 if (options
->num_identity_files
== 0) {
1158 if (options
->protocol
& SSH_PROTO_1
) {
1159 len
= 2 + strlen(_PATH_SSH_CLIENT_IDENTITY
) + 1;
1160 options
->identity_files
[options
->num_identity_files
] =
1162 snprintf(options
->identity_files
[options
->num_identity_files
++],
1163 len
, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY
);
1165 if (options
->protocol
& SSH_PROTO_2
) {
1166 len
= 2 + strlen(_PATH_SSH_CLIENT_ID_RSA
) + 1;
1167 options
->identity_files
[options
->num_identity_files
] =
1169 snprintf(options
->identity_files
[options
->num_identity_files
++],
1170 len
, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA
);
1172 len
= 2 + strlen(_PATH_SSH_CLIENT_ID_DSA
) + 1;
1173 options
->identity_files
[options
->num_identity_files
] =
1175 snprintf(options
->identity_files
[options
->num_identity_files
++],
1176 len
, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA
);
1179 if (options
->escape_char
== -1)
1180 options
->escape_char
= '~';
1181 if (options
->system_hostfile
== NULL
)
1182 options
->system_hostfile
= _PATH_SSH_SYSTEM_HOSTFILE
;
1183 if (options
->user_hostfile
== NULL
)
1184 options
->user_hostfile
= _PATH_SSH_USER_HOSTFILE
;
1185 if (options
->system_hostfile2
== NULL
)
1186 options
->system_hostfile2
= _PATH_SSH_SYSTEM_HOSTFILE2
;
1187 if (options
->user_hostfile2
== NULL
)
1188 options
->user_hostfile2
= _PATH_SSH_USER_HOSTFILE2
;
1189 if (options
->log_level
== SYSLOG_LEVEL_NOT_SET
)
1190 options
->log_level
= SYSLOG_LEVEL_INFO
;
1191 if (options
->clear_forwardings
== 1)
1192 clear_forwardings(options
);
1193 if (options
->no_host_authentication_for_localhost
== - 1)
1194 options
->no_host_authentication_for_localhost
= 0;
1195 if (options
->identities_only
== -1)
1196 options
->identities_only
= 0;
1197 if (options
->enable_ssh_keysign
== -1)
1198 options
->enable_ssh_keysign
= 0;
1199 if (options
->rekey_limit
== -1)
1200 options
->rekey_limit
= 0;
1201 if (options
->verify_host_key_dns
== -1)
1202 options
->verify_host_key_dns
= 0;
1203 if (options
->server_alive_interval
== -1)
1204 options
->server_alive_interval
= 0;
1205 if (options
->server_alive_count_max
== -1)
1206 options
->server_alive_count_max
= 3;
1207 if (options
->control_master
== -1)
1208 options
->control_master
= 0;
1209 if (options
->hash_known_hosts
== -1)
1210 options
->hash_known_hosts
= 0;
1211 if (options
->tun_open
== -1)
1212 options
->tun_open
= SSH_TUNMODE_NO
;
1213 if (options
->tun_local
== -1)
1214 options
->tun_local
= SSH_TUNID_ANY
;
1215 if (options
->tun_remote
== -1)
1216 options
->tun_remote
= SSH_TUNID_ANY
;
1217 if (options
->permit_local_command
== -1)
1218 options
->permit_local_command
= 0;
1219 if (options
->visual_host_key
== -1)
1220 options
->visual_host_key
= 0;
1221 /* options->local_command should not be set by default */
1222 /* options->proxy_command should not be set by default */
1223 /* options->user will be set in the main program if appropriate */
1224 /* options->hostname will be set in the main program if appropriate */
1225 /* options->host_key_alias should not be set by default */
1226 /* options->preferred_authentications will be set in ssh */
1231 * parses a string containing a port forwarding specification of the form:
1232 * [listenhost:]listenport:connecthost:connectport
1233 * returns number of arguments parsed or zero on error
1236 parse_forward(Forward
*fwd
, const char *fwdspec
)
1239 char *p
, *cp
, *fwdarg
[4];
1241 memset(fwd
, '\0', sizeof(*fwd
));
1243 cp
= p
= xstrdup(fwdspec
);
1245 /* skip leading spaces */
1246 while (isspace(*cp
))
1249 for (i
= 0; i
< 4; ++i
)
1250 if ((fwdarg
[i
] = hpdelim(&cp
)) == NULL
)
1253 /* Check for trailing garbage in 4-arg case*/
1255 i
= 0; /* failure */
1259 fwd
->listen_host
= NULL
;
1260 fwd
->listen_port
= a2port(fwdarg
[0]);
1261 fwd
->connect_host
= xstrdup(cleanhostname(fwdarg
[1]));
1262 fwd
->connect_port
= a2port(fwdarg
[2]);
1266 fwd
->listen_host
= xstrdup(cleanhostname(fwdarg
[0]));
1267 fwd
->listen_port
= a2port(fwdarg
[1]);
1268 fwd
->connect_host
= xstrdup(cleanhostname(fwdarg
[2]));
1269 fwd
->connect_port
= a2port(fwdarg
[3]);
1272 i
= 0; /* failure */
1277 if (fwd
->listen_port
== 0 || fwd
->connect_port
== 0)
1280 if (fwd
->connect_host
!= NULL
&&
1281 strlen(fwd
->connect_host
) >= NI_MAXHOST
)
1287 if (fwd
->connect_host
!= NULL
)
1288 xfree(fwd
->connect_host
);
1289 if (fwd
->listen_host
!= NULL
)
1290 xfree(fwd
->listen_host
);