2 /* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
37 #include "openbsd-compat/sys-queue.h"
45 #include "pathnames.h"
52 #include "groupaccess.h"
58 static void add_listen_addr(ServerOptions
*, char *, int);
59 static void add_one_listen_addr(ServerOptions
*, char *, int);
61 /* Use of privilege separation or not */
62 extern int use_privsep
;
65 /* Initializes the server options to their default values. */
68 initialize_server_options(ServerOptions
*options
)
70 memset(options
, 0, sizeof(*options
));
72 /* Portable-specific options */
73 options
->use_pam
= -1;
75 /* Standard Options */
76 options
->num_ports
= 0;
77 options
->ports_from_cmdline
= 0;
78 options
->listen_addrs
= NULL
;
79 options
->address_family
= -1;
80 options
->num_host_key_files
= 0;
81 options
->num_host_cert_files
= 0;
82 options
->host_key_agent
= NULL
;
83 options
->pid_file
= NULL
;
84 options
->server_key_bits
= -1;
85 options
->login_grace_time
= -1;
86 options
->key_regeneration_time
= -1;
87 options
->permit_root_login
= PERMIT_NOT_SET
;
88 options
->ignore_rhosts
= -1;
89 options
->ignore_user_known_hosts
= -1;
90 options
->print_motd
= -1;
91 options
->print_lastlog
= -1;
92 options
->x11_forwarding
= -1;
93 options
->x11_display_offset
= -1;
94 options
->x11_use_localhost
= -1;
95 options
->permit_tty
= -1;
96 options
->permit_user_rc
= -1;
97 options
->xauth_location
= NULL
;
98 options
->strict_modes
= -1;
99 options
->tcp_keep_alive
= -1;
100 options
->log_facility
= SYSLOG_FACILITY_NOT_SET
;
101 options
->log_level
= SYSLOG_LEVEL_NOT_SET
;
102 options
->rhosts_rsa_authentication
= -1;
103 options
->hostbased_authentication
= -1;
104 options
->hostbased_uses_name_from_packet_only
= -1;
105 options
->rsa_authentication
= -1;
106 options
->pubkey_authentication
= -1;
107 options
->kerberos_authentication
= -1;
108 options
->kerberos_or_local_passwd
= -1;
109 options
->kerberos_ticket_cleanup
= -1;
110 options
->kerberos_get_afs_token
= -1;
111 options
->gss_authentication
=-1;
112 options
->gss_cleanup_creds
= -1;
113 options
->password_authentication
= -1;
114 options
->kbd_interactive_authentication
= -1;
115 options
->challenge_response_authentication
= -1;
116 options
->permit_empty_passwd
= -1;
117 options
->permit_user_env
= -1;
118 options
->use_login
= -1;
119 options
->compression
= -1;
120 options
->rekey_limit
= -1;
121 options
->rekey_interval
= -1;
122 options
->allow_tcp_forwarding
= -1;
123 options
->allow_streamlocal_forwarding
= -1;
124 options
->allow_agent_forwarding
= -1;
125 options
->num_allow_users
= 0;
126 options
->num_deny_users
= 0;
127 options
->num_allow_groups
= 0;
128 options
->num_deny_groups
= 0;
129 options
->ciphers
= NULL
;
130 options
->macs
= NULL
;
131 options
->kex_algorithms
= NULL
;
132 options
->protocol
= SSH_PROTO_UNKNOWN
;
133 options
->fwd_opts
.gateway_ports
= -1;
134 options
->fwd_opts
.streamlocal_bind_mask
= (mode_t
)-1;
135 options
->fwd_opts
.streamlocal_bind_unlink
= -1;
136 options
->num_subsystems
= 0;
137 options
->max_startups_begin
= -1;
138 options
->max_startups_rate
= -1;
139 options
->max_startups
= -1;
140 options
->max_authtries
= -1;
141 options
->max_sessions
= -1;
142 options
->banner
= NULL
;
143 options
->use_dns
= -1;
144 options
->client_alive_interval
= -1;
145 options
->client_alive_count_max
= -1;
146 options
->num_authkeys_files
= 0;
147 options
->num_accept_env
= 0;
148 options
->permit_tun
= -1;
149 options
->num_permitted_opens
= -1;
150 options
->adm_forced_command
= NULL
;
151 options
->chroot_directory
= NULL
;
152 options
->authorized_keys_command
= NULL
;
153 options
->authorized_keys_command_user
= NULL
;
154 options
->revoked_keys_file
= NULL
;
155 options
->trusted_user_ca_keys
= NULL
;
156 options
->authorized_principals_file
= NULL
;
157 options
->ip_qos_interactive
= -1;
158 options
->ip_qos_bulk
= -1;
159 options
->version_addendum
= NULL
;
163 fill_default_server_options(ServerOptions
*options
)
165 /* Portable-specific options */
166 if (options
->use_pam
== -1)
167 options
->use_pam
= 0;
169 /* Standard Options */
170 if (options
->protocol
== SSH_PROTO_UNKNOWN
)
171 options
->protocol
= SSH_PROTO_2
;
172 if (options
->num_host_key_files
== 0) {
173 /* fill default hostkeys for protocols */
174 if (options
->protocol
& SSH_PROTO_1
)
175 options
->host_key_files
[options
->num_host_key_files
++] =
177 if (options
->protocol
& SSH_PROTO_2
) {
178 options
->host_key_files
[options
->num_host_key_files
++] =
179 _PATH_HOST_RSA_KEY_FILE
;
180 options
->host_key_files
[options
->num_host_key_files
++] =
181 _PATH_HOST_DSA_KEY_FILE
;
182 #ifdef OPENSSL_HAS_ECC
183 options
->host_key_files
[options
->num_host_key_files
++] =
184 _PATH_HOST_ECDSA_KEY_FILE
;
186 options
->host_key_files
[options
->num_host_key_files
++] =
187 _PATH_HOST_ED25519_KEY_FILE
;
190 /* No certificates by default */
191 if (options
->num_ports
== 0)
192 options
->ports
[options
->num_ports
++] = SSH_DEFAULT_PORT
;
193 if (options
->listen_addrs
== NULL
)
194 add_listen_addr(options
, NULL
, 0);
195 if (options
->pid_file
== NULL
)
196 options
->pid_file
= _PATH_SSH_DAEMON_PID_FILE
;
197 if (options
->server_key_bits
== -1)
198 options
->server_key_bits
= 1024;
199 if (options
->login_grace_time
== -1)
200 options
->login_grace_time
= 120;
201 if (options
->key_regeneration_time
== -1)
202 options
->key_regeneration_time
= 3600;
203 if (options
->permit_root_login
== PERMIT_NOT_SET
)
204 options
->permit_root_login
= PERMIT_YES
;
205 if (options
->ignore_rhosts
== -1)
206 options
->ignore_rhosts
= 1;
207 if (options
->ignore_user_known_hosts
== -1)
208 options
->ignore_user_known_hosts
= 0;
209 if (options
->print_motd
== -1)
210 options
->print_motd
= 1;
211 if (options
->print_lastlog
== -1)
212 options
->print_lastlog
= 1;
213 if (options
->x11_forwarding
== -1)
214 options
->x11_forwarding
= 0;
215 if (options
->x11_display_offset
== -1)
216 options
->x11_display_offset
= 10;
217 if (options
->x11_use_localhost
== -1)
218 options
->x11_use_localhost
= 1;
219 if (options
->xauth_location
== NULL
)
220 options
->xauth_location
= _PATH_XAUTH
;
221 if (options
->permit_tty
== -1)
222 options
->permit_tty
= 1;
223 if (options
->permit_user_rc
== -1)
224 options
->permit_user_rc
= 1;
225 if (options
->strict_modes
== -1)
226 options
->strict_modes
= 1;
227 if (options
->tcp_keep_alive
== -1)
228 options
->tcp_keep_alive
= 1;
229 if (options
->log_facility
== SYSLOG_FACILITY_NOT_SET
)
230 options
->log_facility
= SYSLOG_FACILITY_AUTH
;
231 if (options
->log_level
== SYSLOG_LEVEL_NOT_SET
)
232 options
->log_level
= SYSLOG_LEVEL_INFO
;
233 if (options
->rhosts_rsa_authentication
== -1)
234 options
->rhosts_rsa_authentication
= 0;
235 if (options
->hostbased_authentication
== -1)
236 options
->hostbased_authentication
= 0;
237 if (options
->hostbased_uses_name_from_packet_only
== -1)
238 options
->hostbased_uses_name_from_packet_only
= 0;
239 if (options
->rsa_authentication
== -1)
240 options
->rsa_authentication
= 1;
241 if (options
->pubkey_authentication
== -1)
242 options
->pubkey_authentication
= 1;
243 if (options
->kerberos_authentication
== -1)
244 options
->kerberos_authentication
= 0;
245 if (options
->kerberos_or_local_passwd
== -1)
246 options
->kerberos_or_local_passwd
= 1;
247 if (options
->kerberos_ticket_cleanup
== -1)
248 options
->kerberos_ticket_cleanup
= 1;
249 if (options
->kerberos_get_afs_token
== -1)
250 options
->kerberos_get_afs_token
= 0;
251 if (options
->gss_authentication
== -1)
252 options
->gss_authentication
= 0;
253 if (options
->gss_cleanup_creds
== -1)
254 options
->gss_cleanup_creds
= 1;
255 if (options
->password_authentication
== -1)
256 options
->password_authentication
= 1;
257 if (options
->kbd_interactive_authentication
== -1)
258 options
->kbd_interactive_authentication
= 0;
259 if (options
->challenge_response_authentication
== -1)
260 options
->challenge_response_authentication
= 1;
261 if (options
->permit_empty_passwd
== -1)
262 options
->permit_empty_passwd
= 0;
263 if (options
->permit_user_env
== -1)
264 options
->permit_user_env
= 0;
265 if (options
->use_login
== -1)
266 options
->use_login
= 0;
267 if (options
->compression
== -1)
268 options
->compression
= COMP_DELAYED
;
269 if (options
->rekey_limit
== -1)
270 options
->rekey_limit
= 0;
271 if (options
->rekey_interval
== -1)
272 options
->rekey_interval
= 0;
273 if (options
->allow_tcp_forwarding
== -1)
274 options
->allow_tcp_forwarding
= FORWARD_ALLOW
;
275 if (options
->allow_streamlocal_forwarding
== -1)
276 options
->allow_streamlocal_forwarding
= FORWARD_ALLOW
;
277 if (options
->allow_agent_forwarding
== -1)
278 options
->allow_agent_forwarding
= 1;
279 if (options
->fwd_opts
.gateway_ports
== -1)
280 options
->fwd_opts
.gateway_ports
= 0;
281 if (options
->max_startups
== -1)
282 options
->max_startups
= 100;
283 if (options
->max_startups_rate
== -1)
284 options
->max_startups_rate
= 30; /* 30% */
285 if (options
->max_startups_begin
== -1)
286 options
->max_startups_begin
= 10;
287 if (options
->max_authtries
== -1)
288 options
->max_authtries
= DEFAULT_AUTH_FAIL_MAX
;
289 if (options
->max_sessions
== -1)
290 options
->max_sessions
= DEFAULT_SESSIONS_MAX
;
291 if (options
->use_dns
== -1)
292 options
->use_dns
= 1;
293 if (options
->client_alive_interval
== -1)
294 options
->client_alive_interval
= 0;
295 if (options
->client_alive_count_max
== -1)
296 options
->client_alive_count_max
= 3;
297 if (options
->num_authkeys_files
== 0) {
298 options
->authorized_keys_files
[options
->num_authkeys_files
++] =
299 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS
);
300 options
->authorized_keys_files
[options
->num_authkeys_files
++] =
301 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2
);
303 if (options
->permit_tun
== -1)
304 options
->permit_tun
= SSH_TUNMODE_NO
;
305 if (options
->ip_qos_interactive
== -1)
306 options
->ip_qos_interactive
= IPTOS_LOWDELAY
;
307 if (options
->ip_qos_bulk
== -1)
308 options
->ip_qos_bulk
= IPTOS_THROUGHPUT
;
309 if (options
->version_addendum
== NULL
)
310 options
->version_addendum
= xstrdup("");
311 if (options
->fwd_opts
.streamlocal_bind_mask
== (mode_t
)-1)
312 options
->fwd_opts
.streamlocal_bind_mask
= 0177;
313 if (options
->fwd_opts
.streamlocal_bind_unlink
== -1)
314 options
->fwd_opts
.streamlocal_bind_unlink
= 0;
315 /* Turn privilege separation on by default */
316 if (use_privsep
== -1)
317 use_privsep
= PRIVSEP_NOSANDBOX
;
320 if (use_privsep
&& options
->compression
== 1) {
321 error("This platform does not support both privilege "
322 "separation and compression");
323 error("Compression disabled");
324 options
->compression
= 0;
330 /* Keyword tokens. */
332 sBadOption
, /* == unknown option */
333 /* Portable-specific options */
335 /* Standard Options */
336 sPort
, sHostKeyFile
, sServerKeyBits
, sLoginGraceTime
, sKeyRegenerationTime
,
337 sPermitRootLogin
, sLogFacility
, sLogLevel
,
338 sRhostsRSAAuthentication
, sRSAAuthentication
,
339 sKerberosAuthentication
, sKerberosOrLocalPasswd
, sKerberosTicketCleanup
,
340 sKerberosGetAFSToken
,
341 sKerberosTgtPassing
, sChallengeResponseAuthentication
,
342 sPasswordAuthentication
, sKbdInteractiveAuthentication
,
343 sListenAddress
, sAddressFamily
,
344 sPrintMotd
, sPrintLastLog
, sIgnoreRhosts
,
345 sX11Forwarding
, sX11DisplayOffset
, sX11UseLocalhost
,
346 sPermitTTY
, sStrictModes
, sEmptyPasswd
, sTCPKeepAlive
,
347 sPermitUserEnvironment
, sUseLogin
, sAllowTcpForwarding
, sCompression
,
348 sRekeyLimit
, sAllowUsers
, sDenyUsers
, sAllowGroups
, sDenyGroups
,
349 sIgnoreUserKnownHosts
, sCiphers
, sMacs
, sProtocol
, sPidFile
,
350 sGatewayPorts
, sPubkeyAuthentication
, sXAuthLocation
, sSubsystem
,
351 sMaxStartups
, sMaxAuthTries
, sMaxSessions
,
352 sBanner
, sUseDNS
, sHostbasedAuthentication
,
353 sHostbasedUsesNameFromPacketOnly
, sClientAliveInterval
,
354 sClientAliveCountMax
, sAuthorizedKeysFile
,
355 sGssAuthentication
, sGssCleanupCreds
, sAcceptEnv
, sPermitTunnel
,
356 sMatch
, sPermitOpen
, sForceCommand
, sChrootDirectory
,
357 sUsePrivilegeSeparation
, sAllowAgentForwarding
,
359 sRevokedKeys
, sTrustedUserCAKeys
, sAuthorizedPrincipalsFile
,
360 sKexAlgorithms
, sIPQoS
, sVersionAddendum
,
361 sAuthorizedKeysCommand
, sAuthorizedKeysCommandUser
,
362 sAuthenticationMethods
, sHostKeyAgent
, sPermitUserRC
,
363 sStreamLocalBindMask
, sStreamLocalBindUnlink
,
364 sAllowStreamLocalForwarding
,
365 sDeprecated
, sUnsupported
368 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
369 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
370 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
372 /* Textual representation of the tokens. */
375 ServerOpCodes opcode
;
378 /* Portable-specific options */
380 { "usepam", sUsePAM
, SSHCFG_GLOBAL
},
382 { "usepam", sUnsupported
, SSHCFG_GLOBAL
},
384 { "pamauthenticationviakbdint", sDeprecated
, SSHCFG_GLOBAL
},
385 /* Standard Options */
386 { "port", sPort
, SSHCFG_GLOBAL
},
387 { "hostkey", sHostKeyFile
, SSHCFG_GLOBAL
},
388 { "hostdsakey", sHostKeyFile
, SSHCFG_GLOBAL
}, /* alias */
389 { "hostkeyagent", sHostKeyAgent
, SSHCFG_GLOBAL
},
390 { "pidfile", sPidFile
, SSHCFG_GLOBAL
},
391 { "serverkeybits", sServerKeyBits
, SSHCFG_GLOBAL
},
392 { "logingracetime", sLoginGraceTime
, SSHCFG_GLOBAL
},
393 { "keyregenerationinterval", sKeyRegenerationTime
, SSHCFG_GLOBAL
},
394 { "permitrootlogin", sPermitRootLogin
, SSHCFG_ALL
},
395 { "syslogfacility", sLogFacility
, SSHCFG_GLOBAL
},
396 { "loglevel", sLogLevel
, SSHCFG_GLOBAL
},
397 { "rhostsauthentication", sDeprecated
, SSHCFG_GLOBAL
},
398 { "rhostsrsaauthentication", sRhostsRSAAuthentication
, SSHCFG_ALL
},
399 { "hostbasedauthentication", sHostbasedAuthentication
, SSHCFG_ALL
},
400 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly
, SSHCFG_ALL
},
401 { "rsaauthentication", sRSAAuthentication
, SSHCFG_ALL
},
402 { "pubkeyauthentication", sPubkeyAuthentication
, SSHCFG_ALL
},
403 { "dsaauthentication", sPubkeyAuthentication
, SSHCFG_GLOBAL
}, /* alias */
405 { "kerberosauthentication", sKerberosAuthentication
, SSHCFG_ALL
},
406 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd
, SSHCFG_GLOBAL
},
407 { "kerberosticketcleanup", sKerberosTicketCleanup
, SSHCFG_GLOBAL
},
409 { "kerberosgetafstoken", sKerberosGetAFSToken
, SSHCFG_GLOBAL
},
411 { "kerberosgetafstoken", sUnsupported
, SSHCFG_GLOBAL
},
414 { "kerberosauthentication", sUnsupported
, SSHCFG_ALL
},
415 { "kerberosorlocalpasswd", sUnsupported
, SSHCFG_GLOBAL
},
416 { "kerberosticketcleanup", sUnsupported
, SSHCFG_GLOBAL
},
417 { "kerberosgetafstoken", sUnsupported
, SSHCFG_GLOBAL
},
419 { "kerberostgtpassing", sUnsupported
, SSHCFG_GLOBAL
},
420 { "afstokenpassing", sUnsupported
, SSHCFG_GLOBAL
},
422 { "gssapiauthentication", sGssAuthentication
, SSHCFG_ALL
},
423 { "gssapicleanupcredentials", sGssCleanupCreds
, SSHCFG_GLOBAL
},
425 { "gssapiauthentication", sUnsupported
, SSHCFG_ALL
},
426 { "gssapicleanupcredentials", sUnsupported
, SSHCFG_GLOBAL
},
428 { "passwordauthentication", sPasswordAuthentication
, SSHCFG_ALL
},
429 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication
, SSHCFG_ALL
},
430 { "challengeresponseauthentication", sChallengeResponseAuthentication
, SSHCFG_GLOBAL
},
431 { "skeyauthentication", sChallengeResponseAuthentication
, SSHCFG_GLOBAL
}, /* alias */
432 { "checkmail", sDeprecated
, SSHCFG_GLOBAL
},
433 { "listenaddress", sListenAddress
, SSHCFG_GLOBAL
},
434 { "addressfamily", sAddressFamily
, SSHCFG_GLOBAL
},
435 { "printmotd", sPrintMotd
, SSHCFG_GLOBAL
},
436 { "printlastlog", sPrintLastLog
, SSHCFG_GLOBAL
},
437 { "ignorerhosts", sIgnoreRhosts
, SSHCFG_GLOBAL
},
438 { "ignoreuserknownhosts", sIgnoreUserKnownHosts
, SSHCFG_GLOBAL
},
439 { "x11forwarding", sX11Forwarding
, SSHCFG_ALL
},
440 { "x11displayoffset", sX11DisplayOffset
, SSHCFG_ALL
},
441 { "x11uselocalhost", sX11UseLocalhost
, SSHCFG_ALL
},
442 { "xauthlocation", sXAuthLocation
, SSHCFG_GLOBAL
},
443 { "strictmodes", sStrictModes
, SSHCFG_GLOBAL
},
444 { "permitemptypasswords", sEmptyPasswd
, SSHCFG_ALL
},
445 { "permituserenvironment", sPermitUserEnvironment
, SSHCFG_GLOBAL
},
446 { "uselogin", sUseLogin
, SSHCFG_GLOBAL
},
447 { "compression", sCompression
, SSHCFG_GLOBAL
},
448 { "rekeylimit", sRekeyLimit
, SSHCFG_ALL
},
449 { "tcpkeepalive", sTCPKeepAlive
, SSHCFG_GLOBAL
},
450 { "keepalive", sTCPKeepAlive
, SSHCFG_GLOBAL
}, /* obsolete alias */
451 { "allowtcpforwarding", sAllowTcpForwarding
, SSHCFG_ALL
},
452 { "allowagentforwarding", sAllowAgentForwarding
, SSHCFG_ALL
},
453 { "allowusers", sAllowUsers
, SSHCFG_ALL
},
454 { "denyusers", sDenyUsers
, SSHCFG_ALL
},
455 { "allowgroups", sAllowGroups
, SSHCFG_ALL
},
456 { "denygroups", sDenyGroups
, SSHCFG_ALL
},
457 { "ciphers", sCiphers
, SSHCFG_GLOBAL
},
458 { "macs", sMacs
, SSHCFG_GLOBAL
},
459 { "protocol", sProtocol
, SSHCFG_GLOBAL
},
460 { "gatewayports", sGatewayPorts
, SSHCFG_ALL
},
461 { "subsystem", sSubsystem
, SSHCFG_GLOBAL
},
462 { "maxstartups", sMaxStartups
, SSHCFG_GLOBAL
},
463 { "maxauthtries", sMaxAuthTries
, SSHCFG_ALL
},
464 { "maxsessions", sMaxSessions
, SSHCFG_ALL
},
465 { "banner", sBanner
, SSHCFG_ALL
},
466 { "usedns", sUseDNS
, SSHCFG_GLOBAL
},
467 { "verifyreversemapping", sDeprecated
, SSHCFG_GLOBAL
},
468 { "reversemappingcheck", sDeprecated
, SSHCFG_GLOBAL
},
469 { "clientaliveinterval", sClientAliveInterval
, SSHCFG_GLOBAL
},
470 { "clientalivecountmax", sClientAliveCountMax
, SSHCFG_GLOBAL
},
471 { "authorizedkeysfile", sAuthorizedKeysFile
, SSHCFG_ALL
},
472 { "authorizedkeysfile2", sDeprecated
, SSHCFG_ALL
},
473 { "useprivilegeseparation", sUsePrivilegeSeparation
, SSHCFG_GLOBAL
},
474 { "acceptenv", sAcceptEnv
, SSHCFG_ALL
},
475 { "permittunnel", sPermitTunnel
, SSHCFG_ALL
},
476 { "permittty", sPermitTTY
, SSHCFG_ALL
},
477 { "permituserrc", sPermitUserRC
, SSHCFG_ALL
},
478 { "match", sMatch
, SSHCFG_ALL
},
479 { "permitopen", sPermitOpen
, SSHCFG_ALL
},
480 { "forcecommand", sForceCommand
, SSHCFG_ALL
},
481 { "chrootdirectory", sChrootDirectory
, SSHCFG_ALL
},
482 { "hostcertificate", sHostCertificate
, SSHCFG_GLOBAL
},
483 { "revokedkeys", sRevokedKeys
, SSHCFG_ALL
},
484 { "trustedusercakeys", sTrustedUserCAKeys
, SSHCFG_ALL
},
485 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile
, SSHCFG_ALL
},
486 { "kexalgorithms", sKexAlgorithms
, SSHCFG_GLOBAL
},
487 { "ipqos", sIPQoS
, SSHCFG_ALL
},
488 { "authorizedkeyscommand", sAuthorizedKeysCommand
, SSHCFG_ALL
},
489 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser
, SSHCFG_ALL
},
490 { "versionaddendum", sVersionAddendum
, SSHCFG_GLOBAL
},
491 { "authenticationmethods", sAuthenticationMethods
, SSHCFG_ALL
},
492 { "streamlocalbindmask", sStreamLocalBindMask
, SSHCFG_ALL
},
493 { "streamlocalbindunlink", sStreamLocalBindUnlink
, SSHCFG_ALL
},
494 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding
, SSHCFG_ALL
},
495 { NULL
, sBadOption
, 0 }
502 { SSH_TUNMODE_NO
, "no" },
503 { SSH_TUNMODE_POINTOPOINT
, "point-to-point" },
504 { SSH_TUNMODE_ETHERNET
, "ethernet" },
505 { SSH_TUNMODE_YES
, "yes" },
510 * Returns the number of the token pointed to by cp or sBadOption.
514 parse_token(const char *cp
, const char *filename
,
515 int linenum
, u_int
*flags
)
519 for (i
= 0; keywords
[i
].name
; i
++)
520 if (strcasecmp(cp
, keywords
[i
].name
) == 0) {
521 *flags
= keywords
[i
].flags
;
522 return keywords
[i
].opcode
;
525 error("%s: line %d: Bad configuration option: %s",
526 filename
, linenum
, cp
);
531 derelativise_path(const char *path
)
533 char *expanded
, *ret
, cwd
[MAXPATHLEN
];
535 expanded
= tilde_expand_filename(path
, getuid());
536 if (*expanded
== '/')
538 if (getcwd(cwd
, sizeof(cwd
)) == NULL
)
539 fatal("%s: getcwd: %s", __func__
, strerror(errno
));
540 xasprintf(&ret
, "%s/%s", cwd
, expanded
);
546 add_listen_addr(ServerOptions
*options
, char *addr
, int port
)
550 if (options
->num_ports
== 0)
551 options
->ports
[options
->num_ports
++] = SSH_DEFAULT_PORT
;
552 if (options
->address_family
== -1)
553 options
->address_family
= AF_UNSPEC
;
555 for (i
= 0; i
< options
->num_ports
; i
++)
556 add_one_listen_addr(options
, addr
, options
->ports
[i
]);
558 add_one_listen_addr(options
, addr
, port
);
562 add_one_listen_addr(ServerOptions
*options
, char *addr
, int port
)
564 struct addrinfo hints
, *ai
, *aitop
;
565 char strport
[NI_MAXSERV
];
568 memset(&hints
, 0, sizeof(hints
));
569 hints
.ai_family
= options
->address_family
;
570 hints
.ai_socktype
= SOCK_STREAM
;
571 hints
.ai_flags
= (addr
== NULL
) ? AI_PASSIVE
: 0;
572 snprintf(strport
, sizeof strport
, "%d", port
);
573 if ((gaierr
= getaddrinfo(addr
, strport
, &hints
, &aitop
)) != 0)
574 fatal("bad addr or host: %s (%s)",
575 addr
? addr
: "<NULL>",
576 ssh_gai_strerror(gaierr
));
577 for (ai
= aitop
; ai
->ai_next
; ai
= ai
->ai_next
)
579 ai
->ai_next
= options
->listen_addrs
;
580 options
->listen_addrs
= aitop
;
583 struct connection_info
*
584 get_connection_info(int populate
, int use_dns
)
586 static struct connection_info ci
;
590 ci
.host
= get_canonical_hostname(use_dns
);
591 ci
.address
= get_remote_ipaddr();
592 ci
.laddress
= get_local_ipaddr(packet_get_connection_in());
593 ci
.lport
= get_local_port();
598 * The strategy for the Match blocks is that the config file is parsed twice.
600 * The first time is at startup. activep is initialized to 1 and the
601 * directives in the global context are processed and acted on. Hitting a
602 * Match directive unsets activep and the directives inside the block are
603 * checked for syntax only.
605 * The second time is after a connection has been established but before
606 * authentication. activep is initialized to 2 and global config directives
607 * are ignored since they have already been processed. If the criteria in a
608 * Match block is met, activep is set and the subsequent directives
609 * processed and actioned until EOF or another Match block unsets it. Any
610 * options set are copied into the main server config.
612 * Potential additions/improvements:
613 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
615 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
616 * Match Address 192.168.0.*
621 * AllowTcpForwarding yes
622 * GatewayPorts clientspecified
625 * - Add a PermittedChannelRequests directive
627 * PermittedChannelRequests session,forwarded-tcpip
631 match_cfg_line_group(const char *grps
, int line
, const char *user
)
639 if ((pw
= getpwnam(user
)) == NULL
) {
640 debug("Can't match group at line %d because user %.100s does "
641 "not exist", line
, user
);
642 } else if (ga_init(pw
->pw_name
, pw
->pw_gid
) == 0) {
643 debug("Can't Match group because user %.100s not in any group "
644 "at line %d", user
, line
);
645 } else if (ga_match_pattern_list(grps
) != 1) {
646 debug("user %.100s does not match group list %.100s at line %d",
649 debug("user %.100s matched group list %.100s at line %d", user
,
659 * All of the attributes on a single Match line are ANDed together, so we need
660 * to check every attribute and set the result to zero if any attribute does
664 match_cfg_line(char **condition
, int line
, struct connection_info
*ci
)
666 int result
= 1, attributes
= 0, port
;
667 char *arg
, *attrib
, *cp
= *condition
;
671 debug3("checking syntax for 'Match %s'", cp
);
673 debug3("checking match for '%s' user %s host %s addr %s "
674 "laddr %s lport %d", cp
, ci
->user
? ci
->user
: "(null)",
675 ci
->host
? ci
->host
: "(null)",
676 ci
->address
? ci
->address
: "(null)",
677 ci
->laddress
? ci
->laddress
: "(null)", ci
->lport
);
679 while ((attrib
= strdelim(&cp
)) && *attrib
!= '\0') {
681 if (strcasecmp(attrib
, "all") == 0) {
682 if (attributes
!= 1 ||
683 ((arg
= strdelim(&cp
)) != NULL
&& *arg
!= '\0')) {
684 error("'all' cannot be combined with other "
691 if ((arg
= strdelim(&cp
)) == NULL
|| *arg
== '\0') {
692 error("Missing Match criteria for %s", attrib
);
696 if (strcasecmp(attrib
, "user") == 0) {
697 if (ci
== NULL
|| ci
->user
== NULL
) {
701 if (match_pattern_list(ci
->user
, arg
, len
, 0) != 1)
704 debug("user %.100s matched 'User %.100s' at "
705 "line %d", ci
->user
, arg
, line
);
706 } else if (strcasecmp(attrib
, "group") == 0) {
707 if (ci
== NULL
|| ci
->user
== NULL
) {
711 switch (match_cfg_line_group(arg
, line
, ci
->user
)) {
717 } else if (strcasecmp(attrib
, "host") == 0) {
718 if (ci
== NULL
|| ci
->host
== NULL
) {
722 if (match_hostname(ci
->host
, arg
, len
) != 1)
725 debug("connection from %.100s matched 'Host "
726 "%.100s' at line %d", ci
->host
, arg
, line
);
727 } else if (strcasecmp(attrib
, "address") == 0) {
728 if (ci
== NULL
|| ci
->address
== NULL
) {
732 switch (addr_match_list(ci
->address
, arg
)) {
734 debug("connection from %.100s matched 'Address "
735 "%.100s' at line %d", ci
->address
, arg
, line
);
744 } else if (strcasecmp(attrib
, "localaddress") == 0){
745 if (ci
== NULL
|| ci
->laddress
== NULL
) {
749 switch (addr_match_list(ci
->laddress
, arg
)) {
751 debug("connection from %.100s matched "
752 "'LocalAddress %.100s' at line %d",
753 ci
->laddress
, arg
, line
);
762 } else if (strcasecmp(attrib
, "localport") == 0) {
763 if ((port
= a2port(arg
)) == -1) {
764 error("Invalid LocalPort '%s' on Match line",
768 if (ci
== NULL
|| ci
->lport
== 0) {
772 /* TODO support port lists */
773 if (port
== ci
->lport
)
774 debug("connection from %.100s matched "
775 "'LocalPort %d' at line %d",
776 ci
->laddress
, port
, line
);
780 error("Unsupported Match attribute %s", attrib
);
784 if (attributes
== 0) {
785 error("One or more attributes required for Match");
789 debug3("match %sfound", result
? "" : "not ");
794 #define WHITESPACE " \t\r\n"
796 /* Multistate option parsing */
801 static const struct multistate multistate_addressfamily
[] = {
803 { "inet6", AF_INET6
},
804 { "any", AF_UNSPEC
},
807 static const struct multistate multistate_permitrootlogin
[] = {
808 { "without-password", PERMIT_NO_PASSWD
},
809 { "forced-commands-only", PERMIT_FORCED_ONLY
},
810 { "yes", PERMIT_YES
},
814 static const struct multistate multistate_compression
[] = {
815 { "delayed", COMP_DELAYED
},
816 { "yes", COMP_ZLIB
},
820 static const struct multistate multistate_gatewayports
[] = {
821 { "clientspecified", 2 },
826 static const struct multistate multistate_privsep
[] = {
827 { "yes", PRIVSEP_NOSANDBOX
},
828 { "sandbox", PRIVSEP_ON
},
829 { "nosandbox", PRIVSEP_NOSANDBOX
},
830 { "no", PRIVSEP_OFF
},
833 static const struct multistate multistate_tcpfwd
[] = {
834 { "yes", FORWARD_ALLOW
},
835 { "all", FORWARD_ALLOW
},
836 { "no", FORWARD_DENY
},
837 { "remote", FORWARD_REMOTE
},
838 { "local", FORWARD_LOCAL
},
843 process_server_config_line(ServerOptions
*options
, char *line
,
844 const char *filename
, int linenum
, int *activep
,
845 struct connection_info
*connectinfo
)
847 char *cp
, **charptr
, *arg
, *p
;
848 int cmdline
= 0, *intptr
, value
, value2
, n
, port
;
849 SyslogFacility
*log_facility_ptr
;
850 LogLevel
*log_level_ptr
;
851 ServerOpCodes opcode
;
855 const struct multistate
*multistate_ptr
;
858 if ((arg
= strdelim(&cp
)) == NULL
)
860 /* Ignore leading whitespace */
863 if (!arg
|| !*arg
|| *arg
== '#')
867 opcode
= parse_token(arg
, filename
, linenum
, &flags
);
869 if (activep
== NULL
) { /* We are processing a command line directive */
873 if (*activep
&& opcode
!= sMatch
)
874 debug3("%s:%d setting %s %s", filename
, linenum
, arg
, cp
);
875 if (*activep
== 0 && !(flags
& SSHCFG_MATCH
)) {
876 if (connectinfo
== NULL
) {
877 fatal("%s line %d: Directive '%s' is not allowed "
878 "within a Match block", filename
, linenum
, arg
);
879 } else { /* this is a directive we have already processed */
887 /* Portable-specific options */
889 intptr
= &options
->use_pam
;
892 /* Standard Options */
896 /* ignore ports from configfile if cmdline specifies ports */
897 if (options
->ports_from_cmdline
)
899 if (options
->listen_addrs
!= NULL
)
900 fatal("%s line %d: ports must be specified before "
901 "ListenAddress.", filename
, linenum
);
902 if (options
->num_ports
>= MAX_PORTS
)
903 fatal("%s line %d: too many ports.",
906 if (!arg
|| *arg
== '\0')
907 fatal("%s line %d: missing port number.",
909 options
->ports
[options
->num_ports
++] = a2port(arg
);
910 if (options
->ports
[options
->num_ports
-1] <= 0)
911 fatal("%s line %d: Badly formatted port number.",
916 intptr
= &options
->server_key_bits
;
919 if (!arg
|| *arg
== '\0')
920 fatal("%s line %d: missing integer value.",
923 if (*activep
&& *intptr
== -1)
927 case sLoginGraceTime
:
928 intptr
= &options
->login_grace_time
;
931 if (!arg
|| *arg
== '\0')
932 fatal("%s line %d: missing time value.",
934 if ((value
= convtime(arg
)) == -1)
935 fatal("%s line %d: invalid time value.",
941 case sKeyRegenerationTime
:
942 intptr
= &options
->key_regeneration_time
;
947 if (arg
== NULL
|| *arg
== '\0')
948 fatal("%s line %d: missing address",
950 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
951 if (strchr(arg
, '[') == NULL
&& (p
= strchr(arg
, ':')) != NULL
952 && strchr(p
+1, ':') != NULL
) {
953 add_listen_addr(options
, arg
, 0);
958 fatal("%s line %d: bad address:port usage",
960 p
= cleanhostname(p
);
963 else if ((port
= a2port(arg
)) <= 0)
964 fatal("%s line %d: bad port number", filename
, linenum
);
966 add_listen_addr(options
, p
, port
);
971 intptr
= &options
->address_family
;
972 multistate_ptr
= multistate_addressfamily
;
973 if (options
->listen_addrs
!= NULL
)
974 fatal("%s line %d: address family must be specified "
975 "before ListenAddress.", filename
, linenum
);
978 if (!arg
|| *arg
== '\0')
979 fatal("%s line %d: missing argument.",
982 for (i
= 0; multistate_ptr
[i
].key
!= NULL
; i
++) {
983 if (strcasecmp(arg
, multistate_ptr
[i
].key
) == 0) {
984 value
= multistate_ptr
[i
].value
;
989 fatal("%s line %d: unsupported option \"%s\".",
990 filename
, linenum
, arg
);
991 if (*activep
&& *intptr
== -1)
996 intptr
= &options
->num_host_key_files
;
997 if (*intptr
>= MAX_HOSTKEYS
)
998 fatal("%s line %d: too many host keys specified (max %d).",
999 filename
, linenum
, MAX_HOSTKEYS
);
1000 charptr
= &options
->host_key_files
[*intptr
];
1002 arg
= strdelim(&cp
);
1003 if (!arg
|| *arg
== '\0')
1004 fatal("%s line %d: missing file name.",
1006 if (*activep
&& *charptr
== NULL
) {
1007 *charptr
= derelativise_path(arg
);
1008 /* increase optional counter */
1010 *intptr
= *intptr
+ 1;
1015 charptr
= &options
->host_key_agent
;
1016 arg
= strdelim(&cp
);
1017 if (!arg
|| *arg
== '\0')
1018 fatal("%s line %d: missing socket name.",
1020 if (*activep
&& *charptr
== NULL
)
1021 *charptr
= !strcmp(arg
, SSH_AUTHSOCKET_ENV_NAME
) ?
1022 xstrdup(arg
) : derelativise_path(arg
);
1025 case sHostCertificate
:
1026 intptr
= &options
->num_host_cert_files
;
1027 if (*intptr
>= MAX_HOSTKEYS
)
1028 fatal("%s line %d: too many host certificates "
1029 "specified (max %d).", filename
, linenum
,
1031 charptr
= &options
->host_cert_files
[*intptr
];
1032 goto parse_filename
;
1036 charptr
= &options
->pid_file
;
1037 goto parse_filename
;
1039 case sPermitRootLogin
:
1040 intptr
= &options
->permit_root_login
;
1041 multistate_ptr
= multistate_permitrootlogin
;
1042 goto parse_multistate
;
1045 intptr
= &options
->ignore_rhosts
;
1047 arg
= strdelim(&cp
);
1048 if (!arg
|| *arg
== '\0')
1049 fatal("%s line %d: missing yes/no argument.",
1051 value
= 0; /* silence compiler */
1052 if (strcmp(arg
, "yes") == 0)
1054 else if (strcmp(arg
, "no") == 0)
1057 fatal("%s line %d: Bad yes/no argument: %s",
1058 filename
, linenum
, arg
);
1059 if (*activep
&& *intptr
== -1)
1063 case sIgnoreUserKnownHosts
:
1064 intptr
= &options
->ignore_user_known_hosts
;
1067 case sRhostsRSAAuthentication
:
1068 intptr
= &options
->rhosts_rsa_authentication
;
1071 case sHostbasedAuthentication
:
1072 intptr
= &options
->hostbased_authentication
;
1075 case sHostbasedUsesNameFromPacketOnly
:
1076 intptr
= &options
->hostbased_uses_name_from_packet_only
;
1079 case sRSAAuthentication
:
1080 intptr
= &options
->rsa_authentication
;
1083 case sPubkeyAuthentication
:
1084 intptr
= &options
->pubkey_authentication
;
1087 case sKerberosAuthentication
:
1088 intptr
= &options
->kerberos_authentication
;
1091 case sKerberosOrLocalPasswd
:
1092 intptr
= &options
->kerberos_or_local_passwd
;
1095 case sKerberosTicketCleanup
:
1096 intptr
= &options
->kerberos_ticket_cleanup
;
1099 case sKerberosGetAFSToken
:
1100 intptr
= &options
->kerberos_get_afs_token
;
1103 case sGssAuthentication
:
1104 intptr
= &options
->gss_authentication
;
1107 case sGssCleanupCreds
:
1108 intptr
= &options
->gss_cleanup_creds
;
1111 case sPasswordAuthentication
:
1112 intptr
= &options
->password_authentication
;
1115 case sKbdInteractiveAuthentication
:
1116 intptr
= &options
->kbd_interactive_authentication
;
1119 case sChallengeResponseAuthentication
:
1120 intptr
= &options
->challenge_response_authentication
;
1124 intptr
= &options
->print_motd
;
1128 intptr
= &options
->print_lastlog
;
1131 case sX11Forwarding
:
1132 intptr
= &options
->x11_forwarding
;
1135 case sX11DisplayOffset
:
1136 intptr
= &options
->x11_display_offset
;
1139 case sX11UseLocalhost
:
1140 intptr
= &options
->x11_use_localhost
;
1143 case sXAuthLocation
:
1144 charptr
= &options
->xauth_location
;
1145 goto parse_filename
;
1148 intptr
= &options
->permit_tty
;
1152 intptr
= &options
->permit_user_rc
;
1156 intptr
= &options
->strict_modes
;
1160 intptr
= &options
->tcp_keep_alive
;
1164 intptr
= &options
->permit_empty_passwd
;
1167 case sPermitUserEnvironment
:
1168 intptr
= &options
->permit_user_env
;
1172 intptr
= &options
->use_login
;
1176 intptr
= &options
->compression
;
1177 multistate_ptr
= multistate_compression
;
1178 goto parse_multistate
;
1181 arg
= strdelim(&cp
);
1182 if (!arg
|| *arg
== '\0')
1183 fatal("%.200s line %d: Missing argument.", filename
,
1185 if (strcmp(arg
, "default") == 0) {
1188 if (scan_scaled(arg
, &val64
) == -1)
1189 fatal("%.200s line %d: Bad number '%s': %s",
1190 filename
, linenum
, arg
, strerror(errno
));
1191 /* check for too-large or too-small limits */
1192 if (val64
> UINT_MAX
)
1193 fatal("%.200s line %d: RekeyLimit too large",
1195 if (val64
!= 0 && val64
< 16)
1196 fatal("%.200s line %d: RekeyLimit too small",
1199 if (*activep
&& options
->rekey_limit
== -1)
1200 options
->rekey_limit
= (u_int32_t
)val64
;
1201 if (cp
!= NULL
) { /* optional rekey interval present */
1202 if (strcmp(cp
, "none") == 0) {
1203 (void)strdelim(&cp
); /* discard */
1206 intptr
= &options
->rekey_interval
;
1212 intptr
= &options
->fwd_opts
.gateway_ports
;
1213 multistate_ptr
= multistate_gatewayports
;
1214 goto parse_multistate
;
1217 intptr
= &options
->use_dns
;
1221 log_facility_ptr
= &options
->log_facility
;
1222 arg
= strdelim(&cp
);
1223 value
= log_facility_number(arg
);
1224 if (value
== SYSLOG_FACILITY_NOT_SET
)
1225 fatal("%.200s line %d: unsupported log facility '%s'",
1226 filename
, linenum
, arg
? arg
: "<NONE>");
1227 if (*log_facility_ptr
== -1)
1228 *log_facility_ptr
= (SyslogFacility
) value
;
1232 log_level_ptr
= &options
->log_level
;
1233 arg
= strdelim(&cp
);
1234 value
= log_level_number(arg
);
1235 if (value
== SYSLOG_LEVEL_NOT_SET
)
1236 fatal("%.200s line %d: unsupported log level '%s'",
1237 filename
, linenum
, arg
? arg
: "<NONE>");
1238 if (*log_level_ptr
== -1)
1239 *log_level_ptr
= (LogLevel
) value
;
1242 case sAllowTcpForwarding
:
1243 intptr
= &options
->allow_tcp_forwarding
;
1244 multistate_ptr
= multistate_tcpfwd
;
1245 goto parse_multistate
;
1247 case sAllowStreamLocalForwarding
:
1248 intptr
= &options
->allow_streamlocal_forwarding
;
1249 multistate_ptr
= multistate_tcpfwd
;
1250 goto parse_multistate
;
1252 case sAllowAgentForwarding
:
1253 intptr
= &options
->allow_agent_forwarding
;
1256 case sUsePrivilegeSeparation
:
1257 intptr
= &use_privsep
;
1258 multistate_ptr
= multistate_privsep
;
1259 goto parse_multistate
;
1262 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1263 if (options
->num_allow_users
>= MAX_ALLOW_USERS
)
1264 fatal("%s line %d: too many allow users.",
1268 options
->allow_users
[options
->num_allow_users
++] =
1274 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1275 if (options
->num_deny_users
>= MAX_DENY_USERS
)
1276 fatal("%s line %d: too many deny users.",
1280 options
->deny_users
[options
->num_deny_users
++] =
1286 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1287 if (options
->num_allow_groups
>= MAX_ALLOW_GROUPS
)
1288 fatal("%s line %d: too many allow groups.",
1292 options
->allow_groups
[options
->num_allow_groups
++] =
1298 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1299 if (options
->num_deny_groups
>= MAX_DENY_GROUPS
)
1300 fatal("%s line %d: too many deny groups.",
1304 options
->deny_groups
[options
->num_deny_groups
++] =
1310 arg
= strdelim(&cp
);
1311 if (!arg
|| *arg
== '\0')
1312 fatal("%s line %d: Missing argument.", filename
, linenum
);
1313 if (!ciphers_valid(arg
))
1314 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1315 filename
, linenum
, arg
? arg
: "<NONE>");
1316 if (options
->ciphers
== NULL
)
1317 options
->ciphers
= xstrdup(arg
);
1321 arg
= strdelim(&cp
);
1322 if (!arg
|| *arg
== '\0')
1323 fatal("%s line %d: Missing argument.", filename
, linenum
);
1324 if (!mac_valid(arg
))
1325 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1326 filename
, linenum
, arg
? arg
: "<NONE>");
1327 if (options
->macs
== NULL
)
1328 options
->macs
= xstrdup(arg
);
1331 case sKexAlgorithms
:
1332 arg
= strdelim(&cp
);
1333 if (!arg
|| *arg
== '\0')
1334 fatal("%s line %d: Missing argument.",
1336 if (!kex_names_valid(arg
))
1337 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1338 filename
, linenum
, arg
? arg
: "<NONE>");
1339 if (options
->kex_algorithms
== NULL
)
1340 options
->kex_algorithms
= xstrdup(arg
);
1344 intptr
= &options
->protocol
;
1345 arg
= strdelim(&cp
);
1346 if (!arg
|| *arg
== '\0')
1347 fatal("%s line %d: Missing argument.", filename
, linenum
);
1348 value
= proto_spec(arg
);
1349 if (value
== SSH_PROTO_UNKNOWN
)
1350 fatal("%s line %d: Bad protocol spec '%s'.",
1351 filename
, linenum
, arg
? arg
: "<NONE>");
1352 if (*intptr
== SSH_PROTO_UNKNOWN
)
1357 if (options
->num_subsystems
>= MAX_SUBSYSTEMS
) {
1358 fatal("%s line %d: too many subsystems defined.",
1361 arg
= strdelim(&cp
);
1362 if (!arg
|| *arg
== '\0')
1363 fatal("%s line %d: Missing subsystem name.",
1366 arg
= strdelim(&cp
);
1369 for (i
= 0; i
< options
->num_subsystems
; i
++)
1370 if (strcmp(arg
, options
->subsystem_name
[i
]) == 0)
1371 fatal("%s line %d: Subsystem '%s' already defined.",
1372 filename
, linenum
, arg
);
1373 options
->subsystem_name
[options
->num_subsystems
] = xstrdup(arg
);
1374 arg
= strdelim(&cp
);
1375 if (!arg
|| *arg
== '\0')
1376 fatal("%s line %d: Missing subsystem command.",
1378 options
->subsystem_command
[options
->num_subsystems
] = xstrdup(arg
);
1380 /* Collect arguments (separate to executable) */
1382 len
= strlen(p
) + 1;
1383 while ((arg
= strdelim(&cp
)) != NULL
&& *arg
!= '\0') {
1384 len
+= 1 + strlen(arg
);
1385 p
= xrealloc(p
, 1, len
);
1386 strlcat(p
, " ", len
);
1387 strlcat(p
, arg
, len
);
1389 options
->subsystem_args
[options
->num_subsystems
] = p
;
1390 options
->num_subsystems
++;
1394 arg
= strdelim(&cp
);
1395 if (!arg
|| *arg
== '\0')
1396 fatal("%s line %d: Missing MaxStartups spec.",
1398 if ((n
= sscanf(arg
, "%d:%d:%d",
1399 &options
->max_startups_begin
,
1400 &options
->max_startups_rate
,
1401 &options
->max_startups
)) == 3) {
1402 if (options
->max_startups_begin
>
1403 options
->max_startups
||
1404 options
->max_startups_rate
> 100 ||
1405 options
->max_startups_rate
< 1)
1406 fatal("%s line %d: Illegal MaxStartups spec.",
1409 fatal("%s line %d: Illegal MaxStartups spec.",
1412 options
->max_startups
= options
->max_startups_begin
;
1416 intptr
= &options
->max_authtries
;
1420 intptr
= &options
->max_sessions
;
1424 charptr
= &options
->banner
;
1425 goto parse_filename
;
1428 * These options can contain %X options expanded at
1429 * connect time, so that you can specify paths like:
1431 * AuthorizedKeysFile /etc/ssh_keys/%u
1433 case sAuthorizedKeysFile
:
1434 if (*activep
&& options
->num_authkeys_files
== 0) {
1435 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1436 if (options
->num_authkeys_files
>=
1438 fatal("%s line %d: "
1439 "too many authorized keys files.",
1441 options
->authorized_keys_files
[
1442 options
->num_authkeys_files
++] =
1443 tilde_expand_filename(arg
, getuid());
1448 case sAuthorizedPrincipalsFile
:
1449 charptr
= &options
->authorized_principals_file
;
1450 arg
= strdelim(&cp
);
1451 if (!arg
|| *arg
== '\0')
1452 fatal("%s line %d: missing file name.",
1454 if (*activep
&& *charptr
== NULL
) {
1455 *charptr
= tilde_expand_filename(arg
, getuid());
1456 /* increase optional counter */
1458 *intptr
= *intptr
+ 1;
1462 case sClientAliveInterval
:
1463 intptr
= &options
->client_alive_interval
;
1466 case sClientAliveCountMax
:
1467 intptr
= &options
->client_alive_count_max
;
1471 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1472 if (strchr(arg
, '=') != NULL
)
1473 fatal("%s line %d: Invalid environment name.",
1475 if (options
->num_accept_env
>= MAX_ACCEPT_ENV
)
1476 fatal("%s line %d: too many allow env.",
1480 options
->accept_env
[options
->num_accept_env
++] =
1486 intptr
= &options
->permit_tun
;
1487 arg
= strdelim(&cp
);
1488 if (!arg
|| *arg
== '\0')
1489 fatal("%s line %d: Missing yes/point-to-point/"
1490 "ethernet/no argument.", filename
, linenum
);
1492 for (i
= 0; tunmode_desc
[i
].val
!= -1; i
++)
1493 if (strcmp(tunmode_desc
[i
].text
, arg
) == 0) {
1494 value
= tunmode_desc
[i
].val
;
1498 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1499 "no argument: %s", filename
, linenum
, arg
);
1506 fatal("Match directive not supported as a command-line "
1508 value
= match_cfg_line(&cp
, linenum
, connectinfo
);
1510 fatal("%s line %d: Bad Match condition", filename
,
1516 arg
= strdelim(&cp
);
1517 if (!arg
|| *arg
== '\0')
1518 fatal("%s line %d: missing PermitOpen specification",
1520 n
= options
->num_permitted_opens
; /* modified later */
1521 if (strcmp(arg
, "any") == 0) {
1522 if (*activep
&& n
== -1) {
1523 channel_clear_adm_permitted_opens();
1524 options
->num_permitted_opens
= 0;
1528 if (strcmp(arg
, "none") == 0) {
1529 if (*activep
&& n
== -1) {
1530 options
->num_permitted_opens
= 1;
1531 channel_disable_adm_local_opens();
1535 if (*activep
&& n
== -1)
1536 channel_clear_adm_permitted_opens();
1537 for (; arg
!= NULL
&& *arg
!= '\0'; arg
= strdelim(&cp
)) {
1540 fatal("%s line %d: missing host in PermitOpen",
1542 p
= cleanhostname(p
);
1543 if (arg
== NULL
|| ((port
= permitopen_port(arg
)) < 0))
1544 fatal("%s line %d: bad port number in "
1545 "PermitOpen", filename
, linenum
);
1546 if (*activep
&& n
== -1)
1547 options
->num_permitted_opens
=
1548 channel_add_adm_permitted_opens(p
, port
);
1554 fatal("%.200s line %d: Missing argument.", filename
,
1556 len
= strspn(cp
, WHITESPACE
);
1557 if (*activep
&& options
->adm_forced_command
== NULL
)
1558 options
->adm_forced_command
= xstrdup(cp
+ len
);
1561 case sChrootDirectory
:
1562 charptr
= &options
->chroot_directory
;
1564 arg
= strdelim(&cp
);
1565 if (!arg
|| *arg
== '\0')
1566 fatal("%s line %d: missing file name.",
1568 if (*activep
&& *charptr
== NULL
)
1569 *charptr
= xstrdup(arg
);
1572 case sTrustedUserCAKeys
:
1573 charptr
= &options
->trusted_user_ca_keys
;
1574 goto parse_filename
;
1577 charptr
= &options
->revoked_keys_file
;
1578 goto parse_filename
;
1581 arg
= strdelim(&cp
);
1582 if ((value
= parse_ipqos(arg
)) == -1)
1583 fatal("%s line %d: Bad IPQoS value: %s",
1584 filename
, linenum
, arg
);
1585 arg
= strdelim(&cp
);
1588 else if ((value2
= parse_ipqos(arg
)) == -1)
1589 fatal("%s line %d: Bad IPQoS value: %s",
1590 filename
, linenum
, arg
);
1592 options
->ip_qos_interactive
= value
;
1593 options
->ip_qos_bulk
= value2
;
1597 case sVersionAddendum
:
1599 fatal("%.200s line %d: Missing argument.", filename
,
1601 len
= strspn(cp
, WHITESPACE
);
1602 if (*activep
&& options
->version_addendum
== NULL
) {
1603 if (strcasecmp(cp
+ len
, "none") == 0)
1604 options
->version_addendum
= xstrdup("");
1605 else if (strchr(cp
+ len
, '\r') != NULL
)
1606 fatal("%.200s line %d: Invalid argument",
1609 options
->version_addendum
= xstrdup(cp
+ len
);
1613 case sAuthorizedKeysCommand
:
1614 len
= strspn(cp
, WHITESPACE
);
1615 if (*activep
&& options
->authorized_keys_command
== NULL
) {
1616 if (cp
[len
] != '/' && strcasecmp(cp
+ len
, "none") != 0)
1617 fatal("%.200s line %d: AuthorizedKeysCommand "
1618 "must be an absolute path",
1620 options
->authorized_keys_command
= xstrdup(cp
+ len
);
1624 case sAuthorizedKeysCommandUser
:
1625 charptr
= &options
->authorized_keys_command_user
;
1627 arg
= strdelim(&cp
);
1628 if (*activep
&& *charptr
== NULL
)
1629 *charptr
= xstrdup(arg
);
1632 case sAuthenticationMethods
:
1633 if (*activep
&& options
->num_auth_methods
== 0) {
1634 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1635 if (options
->num_auth_methods
>=
1637 fatal("%s line %d: "
1638 "too many authentication methods.",
1640 if (auth2_methods_valid(arg
, 0) != 0)
1641 fatal("%s line %d: invalid "
1642 "authentication method list.",
1644 options
->auth_methods
[
1645 options
->num_auth_methods
++] = xstrdup(arg
);
1650 case sStreamLocalBindMask
:
1651 arg
= strdelim(&cp
);
1652 if (!arg
|| *arg
== '\0')
1653 fatal("%s line %d: missing StreamLocalBindMask argument.",
1655 /* Parse mode in octal format */
1656 value
= strtol(arg
, &p
, 8);
1657 if (arg
== p
|| value
< 0 || value
> 0777)
1658 fatal("%s line %d: Bad mask.", filename
, linenum
);
1659 options
->fwd_opts
.streamlocal_bind_mask
= (mode_t
)value
;
1662 case sStreamLocalBindUnlink
:
1663 intptr
= &options
->fwd_opts
.streamlocal_bind_unlink
;
1667 logit("%s line %d: Deprecated option %s",
1668 filename
, linenum
, arg
);
1670 arg
= strdelim(&cp
);
1674 logit("%s line %d: Unsupported option %s",
1675 filename
, linenum
, arg
);
1677 arg
= strdelim(&cp
);
1681 fatal("%s line %d: Missing handler for opcode %s (%d)",
1682 filename
, linenum
, arg
, opcode
);
1684 if ((arg
= strdelim(&cp
)) != NULL
&& *arg
!= '\0')
1685 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1686 filename
, linenum
, arg
);
1690 /* Reads the server configuration file. */
1693 load_server_config(const char *filename
, Buffer
*conf
)
1695 char line
[4096], *cp
;
1699 debug2("%s: filename %s", __func__
, filename
);
1700 if ((f
= fopen(filename
, "r")) == NULL
) {
1705 while (fgets(line
, sizeof(line
), f
)) {
1707 if (strlen(line
) == sizeof(line
) - 1)
1708 fatal("%s line %d too long", filename
, lineno
);
1710 * Trim out comments and strip whitespace
1711 * NB - preserve newlines, they are needed to reproduce
1712 * line numbers later for error messages
1714 if ((cp
= strchr(line
, '#')) != NULL
)
1715 memcpy(cp
, "\n", 2);
1716 cp
= line
+ strspn(line
, " \t\r");
1718 buffer_append(conf
, cp
, strlen(cp
));
1720 buffer_append(conf
, "\0", 1);
1722 debug2("%s: done config len = %d", __func__
, buffer_len(conf
));
1726 parse_server_match_config(ServerOptions
*options
,
1727 struct connection_info
*connectinfo
)
1731 initialize_server_options(&mo
);
1732 parse_server_config(&mo
, "reprocess config", &cfg
, connectinfo
);
1733 copy_set_server_options(options
, &mo
, 0);
1736 int parse_server_match_testspec(struct connection_info
*ci
, char *spec
)
1740 while ((p
= strsep(&spec
, ",")) && *p
!= '\0') {
1741 if (strncmp(p
, "addr=", 5) == 0) {
1742 ci
->address
= xstrdup(p
+ 5);
1743 } else if (strncmp(p
, "host=", 5) == 0) {
1744 ci
->host
= xstrdup(p
+ 5);
1745 } else if (strncmp(p
, "user=", 5) == 0) {
1746 ci
->user
= xstrdup(p
+ 5);
1747 } else if (strncmp(p
, "laddr=", 6) == 0) {
1748 ci
->laddress
= xstrdup(p
+ 6);
1749 } else if (strncmp(p
, "lport=", 6) == 0) {
1750 ci
->lport
= a2port(p
+ 6);
1751 if (ci
->lport
== -1) {
1752 fprintf(stderr
, "Invalid port '%s' in test mode"
1753 " specification %s\n", p
+6, p
);
1757 fprintf(stderr
, "Invalid test mode specification %s\n",
1766 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1769 int server_match_spec_complete(struct connection_info
*ci
)
1771 if (ci
->user
&& ci
->host
&& ci
->address
)
1772 return 1; /* complete */
1773 if (!ci
->user
&& !ci
->host
&& !ci
->address
)
1774 return -1; /* empty */
1775 return 0; /* partial */
1779 * Copy any supported values that are set.
1781 * If the preauth flag is set, we do not bother copying the string or
1782 * array values that are not used pre-authentication, because any that we
1783 * do use must be explictly sent in mm_getpwnamallow().
1786 copy_set_server_options(ServerOptions
*dst
, ServerOptions
*src
, int preauth
)
1788 #define M_CP_INTOPT(n) do {\
1793 M_CP_INTOPT(password_authentication
);
1794 M_CP_INTOPT(gss_authentication
);
1795 M_CP_INTOPT(rsa_authentication
);
1796 M_CP_INTOPT(pubkey_authentication
);
1797 M_CP_INTOPT(kerberos_authentication
);
1798 M_CP_INTOPT(hostbased_authentication
);
1799 M_CP_INTOPT(hostbased_uses_name_from_packet_only
);
1800 M_CP_INTOPT(kbd_interactive_authentication
);
1801 M_CP_INTOPT(permit_root_login
);
1802 M_CP_INTOPT(permit_empty_passwd
);
1804 M_CP_INTOPT(allow_tcp_forwarding
);
1805 M_CP_INTOPT(allow_streamlocal_forwarding
);
1806 M_CP_INTOPT(allow_agent_forwarding
);
1807 M_CP_INTOPT(permit_tun
);
1808 M_CP_INTOPT(fwd_opts
.gateway_ports
);
1809 M_CP_INTOPT(x11_display_offset
);
1810 M_CP_INTOPT(x11_forwarding
);
1811 M_CP_INTOPT(x11_use_localhost
);
1812 M_CP_INTOPT(permit_tty
);
1813 M_CP_INTOPT(permit_user_rc
);
1814 M_CP_INTOPT(max_sessions
);
1815 M_CP_INTOPT(max_authtries
);
1816 M_CP_INTOPT(ip_qos_interactive
);
1817 M_CP_INTOPT(ip_qos_bulk
);
1818 M_CP_INTOPT(rekey_limit
);
1819 M_CP_INTOPT(rekey_interval
);
1821 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
1822 #define M_CP_STROPT(n) do {\
1823 if (src->n != NULL && dst->n != src->n) { \
1828 #define M_CP_STRARRAYOPT(n, num_n) do {\
1829 if (src->num_n != 0) { \
1830 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1831 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1835 /* See comment in servconf.h */
1836 COPY_MATCH_STRING_OPTS();
1839 * The only things that should be below this point are string options
1840 * which are only used after authentication.
1845 M_CP_STROPT(adm_forced_command
);
1846 M_CP_STROPT(chroot_directory
);
1851 #undef M_CP_STRARRAYOPT
1854 parse_server_config(ServerOptions
*options
, const char *filename
, Buffer
*conf
,
1855 struct connection_info
*connectinfo
)
1857 int active
, linenum
, bad_options
= 0;
1858 char *cp
, *obuf
, *cbuf
;
1860 debug2("%s: config %s len %d", __func__
, filename
, buffer_len(conf
));
1862 obuf
= cbuf
= xstrdup(buffer_ptr(conf
));
1863 active
= connectinfo
? 0 : 1;
1865 while ((cp
= strsep(&cbuf
, "\n")) != NULL
) {
1866 if (process_server_config_line(options
, cp
, filename
,
1867 linenum
++, &active
, connectinfo
) != 0)
1871 if (bad_options
> 0)
1872 fatal("%s: terminating, %d bad configuration options",
1873 filename
, bad_options
);
1877 fmt_multistate_int(int val
, const struct multistate
*m
)
1881 for (i
= 0; m
[i
].key
!= NULL
; i
++) {
1882 if (m
[i
].value
== val
)
1889 fmt_intarg(ServerOpCodes code
, int val
)
1894 case sAddressFamily
:
1895 return fmt_multistate_int(val
, multistate_addressfamily
);
1896 case sPermitRootLogin
:
1897 return fmt_multistate_int(val
, multistate_permitrootlogin
);
1899 return fmt_multistate_int(val
, multistate_gatewayports
);
1901 return fmt_multistate_int(val
, multistate_compression
);
1902 case sUsePrivilegeSeparation
:
1903 return fmt_multistate_int(val
, multistate_privsep
);
1904 case sAllowTcpForwarding
:
1905 return fmt_multistate_int(val
, multistate_tcpfwd
);
1906 case sAllowStreamLocalForwarding
:
1907 return fmt_multistate_int(val
, multistate_tcpfwd
);
1914 case (SSH_PROTO_1
|SSH_PROTO_2
):
1932 lookup_opcode_name(ServerOpCodes code
)
1936 for (i
= 0; keywords
[i
].name
!= NULL
; i
++)
1937 if (keywords
[i
].opcode
== code
)
1938 return(keywords
[i
].name
);
1943 dump_cfg_int(ServerOpCodes code
, int val
)
1945 printf("%s %d\n", lookup_opcode_name(code
), val
);
1949 dump_cfg_fmtint(ServerOpCodes code
, int val
)
1951 printf("%s %s\n", lookup_opcode_name(code
), fmt_intarg(code
, val
));
1955 dump_cfg_string(ServerOpCodes code
, const char *val
)
1959 printf("%s %s\n", lookup_opcode_name(code
), val
);
1963 dump_cfg_strarray(ServerOpCodes code
, u_int count
, char **vals
)
1967 for (i
= 0; i
< count
; i
++)
1968 printf("%s %s\n", lookup_opcode_name(code
), vals
[i
]);
1972 dump_cfg_strarray_oneline(ServerOpCodes code
, u_int count
, char **vals
)
1976 printf("%s", lookup_opcode_name(code
));
1977 for (i
= 0; i
< count
; i
++)
1978 printf(" %s", vals
[i
]);
1983 dump_config(ServerOptions
*o
)
1987 struct addrinfo
*ai
;
1988 char addr
[NI_MAXHOST
], port
[NI_MAXSERV
], *s
= NULL
;
1990 /* these are usually at the top of the config */
1991 for (i
= 0; i
< o
->num_ports
; i
++)
1992 printf("port %d\n", o
->ports
[i
]);
1993 dump_cfg_fmtint(sProtocol
, o
->protocol
);
1994 dump_cfg_fmtint(sAddressFamily
, o
->address_family
);
1996 /* ListenAddress must be after Port */
1997 for (ai
= o
->listen_addrs
; ai
; ai
= ai
->ai_next
) {
1998 if ((ret
= getnameinfo(ai
->ai_addr
, ai
->ai_addrlen
, addr
,
1999 sizeof(addr
), port
, sizeof(port
),
2000 NI_NUMERICHOST
|NI_NUMERICSERV
)) != 0) {
2001 error("getnameinfo failed: %.100s",
2002 (ret
!= EAI_SYSTEM
) ? gai_strerror(ret
) :
2005 if (ai
->ai_family
== AF_INET6
)
2006 printf("listenaddress [%s]:%s\n", addr
, port
);
2008 printf("listenaddress %s:%s\n", addr
, port
);
2012 /* integer arguments */
2014 dump_cfg_int(sUsePAM
, o
->use_pam
);
2016 dump_cfg_int(sServerKeyBits
, o
->server_key_bits
);
2017 dump_cfg_int(sLoginGraceTime
, o
->login_grace_time
);
2018 dump_cfg_int(sKeyRegenerationTime
, o
->key_regeneration_time
);
2019 dump_cfg_int(sX11DisplayOffset
, o
->x11_display_offset
);
2020 dump_cfg_int(sMaxAuthTries
, o
->max_authtries
);
2021 dump_cfg_int(sMaxSessions
, o
->max_sessions
);
2022 dump_cfg_int(sClientAliveInterval
, o
->client_alive_interval
);
2023 dump_cfg_int(sClientAliveCountMax
, o
->client_alive_count_max
);
2025 /* formatted integer arguments */
2026 dump_cfg_fmtint(sPermitRootLogin
, o
->permit_root_login
);
2027 dump_cfg_fmtint(sIgnoreRhosts
, o
->ignore_rhosts
);
2028 dump_cfg_fmtint(sIgnoreUserKnownHosts
, o
->ignore_user_known_hosts
);
2029 dump_cfg_fmtint(sRhostsRSAAuthentication
, o
->rhosts_rsa_authentication
);
2030 dump_cfg_fmtint(sHostbasedAuthentication
, o
->hostbased_authentication
);
2031 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly
,
2032 o
->hostbased_uses_name_from_packet_only
);
2033 dump_cfg_fmtint(sRSAAuthentication
, o
->rsa_authentication
);
2034 dump_cfg_fmtint(sPubkeyAuthentication
, o
->pubkey_authentication
);
2036 dump_cfg_fmtint(sKerberosAuthentication
, o
->kerberos_authentication
);
2037 dump_cfg_fmtint(sKerberosOrLocalPasswd
, o
->kerberos_or_local_passwd
);
2038 dump_cfg_fmtint(sKerberosTicketCleanup
, o
->kerberos_ticket_cleanup
);
2040 dump_cfg_fmtint(sKerberosGetAFSToken
, o
->kerberos_get_afs_token
);
2044 dump_cfg_fmtint(sGssAuthentication
, o
->gss_authentication
);
2045 dump_cfg_fmtint(sGssCleanupCreds
, o
->gss_cleanup_creds
);
2047 dump_cfg_fmtint(sPasswordAuthentication
, o
->password_authentication
);
2048 dump_cfg_fmtint(sKbdInteractiveAuthentication
,
2049 o
->kbd_interactive_authentication
);
2050 dump_cfg_fmtint(sChallengeResponseAuthentication
,
2051 o
->challenge_response_authentication
);
2052 dump_cfg_fmtint(sPrintMotd
, o
->print_motd
);
2053 dump_cfg_fmtint(sPrintLastLog
, o
->print_lastlog
);
2054 dump_cfg_fmtint(sX11Forwarding
, o
->x11_forwarding
);
2055 dump_cfg_fmtint(sX11UseLocalhost
, o
->x11_use_localhost
);
2056 dump_cfg_fmtint(sPermitTTY
, o
->permit_tty
);
2057 dump_cfg_fmtint(sPermitUserRC
, o
->permit_user_rc
);
2058 dump_cfg_fmtint(sStrictModes
, o
->strict_modes
);
2059 dump_cfg_fmtint(sTCPKeepAlive
, o
->tcp_keep_alive
);
2060 dump_cfg_fmtint(sEmptyPasswd
, o
->permit_empty_passwd
);
2061 dump_cfg_fmtint(sPermitUserEnvironment
, o
->permit_user_env
);
2062 dump_cfg_fmtint(sUseLogin
, o
->use_login
);
2063 dump_cfg_fmtint(sCompression
, o
->compression
);
2064 dump_cfg_fmtint(sGatewayPorts
, o
->fwd_opts
.gateway_ports
);
2065 dump_cfg_fmtint(sUseDNS
, o
->use_dns
);
2066 dump_cfg_fmtint(sAllowTcpForwarding
, o
->allow_tcp_forwarding
);
2067 dump_cfg_fmtint(sAllowStreamLocalForwarding
, o
->allow_streamlocal_forwarding
);
2068 dump_cfg_fmtint(sUsePrivilegeSeparation
, use_privsep
);
2070 /* string arguments */
2071 dump_cfg_string(sPidFile
, o
->pid_file
);
2072 dump_cfg_string(sXAuthLocation
, o
->xauth_location
);
2073 dump_cfg_string(sCiphers
, o
->ciphers
? o
->ciphers
:
2074 cipher_alg_list(',', 0));
2075 dump_cfg_string(sMacs
, o
->macs
? o
->macs
: mac_alg_list(','));
2076 dump_cfg_string(sBanner
, o
->banner
);
2077 dump_cfg_string(sForceCommand
, o
->adm_forced_command
);
2078 dump_cfg_string(sChrootDirectory
, o
->chroot_directory
);
2079 dump_cfg_string(sTrustedUserCAKeys
, o
->trusted_user_ca_keys
);
2080 dump_cfg_string(sRevokedKeys
, o
->revoked_keys_file
);
2081 dump_cfg_string(sAuthorizedPrincipalsFile
,
2082 o
->authorized_principals_file
);
2083 dump_cfg_string(sVersionAddendum
, o
->version_addendum
);
2084 dump_cfg_string(sAuthorizedKeysCommand
, o
->authorized_keys_command
);
2085 dump_cfg_string(sAuthorizedKeysCommandUser
, o
->authorized_keys_command_user
);
2086 dump_cfg_string(sHostKeyAgent
, o
->host_key_agent
);
2087 dump_cfg_string(sKexAlgorithms
, o
->kex_algorithms
? o
->kex_algorithms
:
2090 /* string arguments requiring a lookup */
2091 dump_cfg_string(sLogLevel
, log_level_name(o
->log_level
));
2092 dump_cfg_string(sLogFacility
, log_facility_name(o
->log_facility
));
2094 /* string array arguments */
2095 dump_cfg_strarray_oneline(sAuthorizedKeysFile
, o
->num_authkeys_files
,
2096 o
->authorized_keys_files
);
2097 dump_cfg_strarray(sHostKeyFile
, o
->num_host_key_files
,
2099 dump_cfg_strarray(sHostKeyFile
, o
->num_host_cert_files
,
2100 o
->host_cert_files
);
2101 dump_cfg_strarray(sAllowUsers
, o
->num_allow_users
, o
->allow_users
);
2102 dump_cfg_strarray(sDenyUsers
, o
->num_deny_users
, o
->deny_users
);
2103 dump_cfg_strarray(sAllowGroups
, o
->num_allow_groups
, o
->allow_groups
);
2104 dump_cfg_strarray(sDenyGroups
, o
->num_deny_groups
, o
->deny_groups
);
2105 dump_cfg_strarray(sAcceptEnv
, o
->num_accept_env
, o
->accept_env
);
2106 dump_cfg_strarray_oneline(sAuthenticationMethods
,
2107 o
->num_auth_methods
, o
->auth_methods
);
2109 /* other arguments */
2110 for (i
= 0; i
< o
->num_subsystems
; i
++)
2111 printf("subsystem %s %s\n", o
->subsystem_name
[i
],
2112 o
->subsystem_args
[i
]);
2114 printf("maxstartups %d:%d:%d\n", o
->max_startups_begin
,
2115 o
->max_startups_rate
, o
->max_startups
);
2117 for (i
= 0; tunmode_desc
[i
].val
!= -1; i
++)
2118 if (tunmode_desc
[i
].val
== o
->permit_tun
) {
2119 s
= tunmode_desc
[i
].text
;
2122 dump_cfg_string(sPermitTunnel
, s
);
2124 printf("ipqos %s ", iptos2str(o
->ip_qos_interactive
));
2125 printf("%s\n", iptos2str(o
->ip_qos_bulk
));
2127 printf("rekeylimit %lld %d\n", (long long)o
->rekey_limit
,
2130 channel_print_adm_permitted_opens();