1 /* $OpenBSD: readconf.c,v 1.177 2009/06/27 09:35:06 andreas Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
48 /* Format of the configuration file:
50 # Configuration data is parsed as follows:
51 # 1. command line options
52 # 2. user-specific file
54 # Any configuration value is only changed the first time it is set.
55 # Thus, host-specific definitions should be at the beginning of the
56 # configuration file, and defaults at the end.
58 # Host-specific declarations. These may override anything above. A single
59 # host may match multiple declarations; these are processed in the order
60 # that they are given in.
66 HostName another.host.name.real.org
73 RemoteForward 9999 shadows.cs.hut.fi:9999
79 PasswordAuthentication no
83 ProxyCommand ssh-proxy %h %p
86 PublicKeyAuthentication no
90 PasswordAuthentication no
96 # Defaults for various options
100 PasswordAuthentication yes
101 RSAAuthentication yes
102 RhostsRSAAuthentication yes
103 StrictHostKeyChecking yes
105 IdentityFile ~/.ssh/identity
111 /* Keyword tokens. */
115 oForwardAgent
, oForwardX11
, oForwardX11Trusted
, oGatewayPorts
,
116 oExitOnForwardFailure
,
117 oPasswordAuthentication
, oRSAAuthentication
,
118 oChallengeResponseAuthentication
, oXAuthLocation
,
119 oIdentityFile
, oHostName
, oPort
, oCipher
, oRemoteForward
, oLocalForward
,
120 oUser
, oHost
, oEscapeChar
, oRhostsRSAAuthentication
, oProxyCommand
,
121 oGlobalKnownHostsFile
, oUserKnownHostsFile
, oConnectionAttempts
,
122 oBatchMode
, oCheckHostIP
, oStrictHostKeyChecking
, oCompression
,
123 oCompressionLevel
, oTCPKeepAlive
, oNumberOfPasswordPrompts
,
124 oUsePrivilegedPort
, oLogLevel
, oCiphers
, oProtocol
, oMacs
,
125 oGlobalKnownHostsFile2
, oUserKnownHostsFile2
, oPubkeyAuthentication
,
126 oKbdInteractiveAuthentication
, oKbdInteractiveDevices
, oHostKeyAlias
,
127 oDynamicForward
, oPreferredAuthentications
, oHostbasedAuthentication
,
128 oHostKeyAlgorithms
, oBindAddress
, oSmartcardDevice
,
129 oClearAllForwardings
, oNoHostAuthenticationForLocalhost
,
130 oEnableSSHKeysign
, oRekeyLimit
, oVerifyHostKeyDNS
, oConnectTimeout
,
131 oAddressFamily
, oGssAuthentication
, oGssDelegateCreds
,
132 oServerAliveInterval
, oServerAliveCountMax
, oIdentitiesOnly
,
134 oSendEnv
, oControlPath
, oControlMaster
, oHashKnownHosts
,
135 oTunnel
, oTunnelDevice
, oLocalCommand
, oPermitLocalCommand
,
136 oVisualHostKey
, oUseRoaming
, oZeroKnowledgePasswordAuthentication
,
137 oNoneEnabled
, oTcpRcvBufPoll
, oTcpRcvBuf
, oNoneSwitch
, oHPNDisabled
,
138 oHPNBufferSize
, oDeprecated
, oUnsupported
141 /* Textual representations of the tokens. */
147 { "forwardagent", oForwardAgent
},
148 { "forwardx11", oForwardX11
},
149 { "forwardx11trusted", oForwardX11Trusted
},
150 { "exitonforwardfailure", oExitOnForwardFailure
},
151 { "xauthlocation", oXAuthLocation
},
152 { "gatewayports", oGatewayPorts
},
153 { "useprivilegedport", oUsePrivilegedPort
},
154 { "rhostsauthentication", oDeprecated
},
155 { "passwordauthentication", oPasswordAuthentication
},
156 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication
},
157 { "kbdinteractivedevices", oKbdInteractiveDevices
},
158 { "rsaauthentication", oRSAAuthentication
},
159 { "pubkeyauthentication", oPubkeyAuthentication
},
160 { "dsaauthentication", oPubkeyAuthentication
}, /* alias */
161 { "rhostsrsaauthentication", oRhostsRSAAuthentication
},
162 { "hostbasedauthentication", oHostbasedAuthentication
},
163 { "challengeresponseauthentication", oChallengeResponseAuthentication
},
164 { "skeyauthentication", oChallengeResponseAuthentication
}, /* alias */
165 { "tisauthentication", oChallengeResponseAuthentication
}, /* alias */
166 { "kerberosauthentication", oUnsupported
},
167 { "kerberostgtpassing", oUnsupported
},
168 { "afstokenpassing", oUnsupported
},
170 { "gssapiauthentication", oGssAuthentication
},
171 { "gssapidelegatecredentials", oGssDelegateCreds
},
173 { "gssapiauthentication", oUnsupported
},
174 { "gssapidelegatecredentials", oUnsupported
},
176 { "fallbacktorsh", oDeprecated
},
177 { "usersh", oDeprecated
},
178 { "identityfile", oIdentityFile
},
179 { "identityfile2", oIdentityFile
}, /* obsolete */
180 { "identitiesonly", oIdentitiesOnly
},
181 { "hostname", oHostName
},
182 { "hostkeyalias", oHostKeyAlias
},
183 { "proxycommand", oProxyCommand
},
185 { "cipher", oCipher
},
186 { "ciphers", oCiphers
},
188 { "protocol", oProtocol
},
189 { "remoteforward", oRemoteForward
},
190 { "localforward", oLocalForward
},
193 { "escapechar", oEscapeChar
},
194 { "globalknownhostsfile", oGlobalKnownHostsFile
},
195 { "globalknownhostsfile2", oGlobalKnownHostsFile2
}, /* obsolete */
196 { "userknownhostsfile", oUserKnownHostsFile
},
197 { "userknownhostsfile2", oUserKnownHostsFile2
}, /* obsolete */
198 { "connectionattempts", oConnectionAttempts
},
199 { "batchmode", oBatchMode
},
200 { "checkhostip", oCheckHostIP
},
201 { "stricthostkeychecking", oStrictHostKeyChecking
},
202 { "compression", oCompression
},
203 { "compressionlevel", oCompressionLevel
},
204 { "tcpkeepalive", oTCPKeepAlive
},
205 { "keepalive", oTCPKeepAlive
}, /* obsolete */
206 { "numberofpasswordprompts", oNumberOfPasswordPrompts
},
207 { "loglevel", oLogLevel
},
208 { "dynamicforward", oDynamicForward
},
209 { "preferredauthentications", oPreferredAuthentications
},
210 { "hostkeyalgorithms", oHostKeyAlgorithms
},
211 { "bindaddress", oBindAddress
},
213 { "smartcarddevice", oSmartcardDevice
},
215 { "smartcarddevice", oUnsupported
},
217 { "clearallforwardings", oClearAllForwardings
},
218 { "enablesshkeysign", oEnableSSHKeysign
},
219 { "verifyhostkeydns", oVerifyHostKeyDNS
},
220 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost
},
221 { "rekeylimit", oRekeyLimit
},
222 { "connecttimeout", oConnectTimeout
},
223 { "addressfamily", oAddressFamily
},
224 { "serveraliveinterval", oServerAliveInterval
},
225 { "serveralivecountmax", oServerAliveCountMax
},
226 { "versionaddendum", oVersionAddendum
},
227 { "sendenv", oSendEnv
},
228 { "controlpath", oControlPath
},
229 { "controlmaster", oControlMaster
},
230 { "hashknownhosts", oHashKnownHosts
},
231 { "tunnel", oTunnel
},
232 { "tunneldevice", oTunnelDevice
},
233 { "localcommand", oLocalCommand
},
234 { "permitlocalcommand", oPermitLocalCommand
},
235 { "visualhostkey", oVisualHostKey
},
236 { "useroaming", oUseRoaming
},
238 { "zeroknowledgepasswordauthentication",
239 oZeroKnowledgePasswordAuthentication
},
241 { "zeroknowledgepasswordauthentication", oUnsupported
},
243 { "noneenabled", oNoneEnabled
},
244 { "tcprcvbufpoll", oTcpRcvBufPoll
},
245 { "tcprcvbuf", oTcpRcvBuf
},
246 { "noneswitch", oNoneSwitch
},
247 { "hpndisabled", oHPNDisabled
},
248 { "hpnbuffersize", oHPNBufferSize
},
254 * Adds a local TCP/IP port forward to options. Never returns if there is an
259 add_local_forward(Options
*options
, const Forward
*newfwd
)
262 #ifndef NO_IPPORT_RESERVED_CONCEPT
263 extern uid_t original_real_uid
;
264 if (newfwd
->listen_port
< IPPORT_RESERVED
&& original_real_uid
!= 0)
265 fatal("Privileged ports can only be forwarded by root.");
267 if (options
->num_local_forwards
>= SSH_MAX_FORWARDS_PER_DIRECTION
)
268 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION
);
269 fwd
= &options
->local_forwards
[options
->num_local_forwards
++];
271 fwd
->listen_host
= newfwd
->listen_host
;
272 fwd
->listen_port
= newfwd
->listen_port
;
273 fwd
->connect_host
= newfwd
->connect_host
;
274 fwd
->connect_port
= newfwd
->connect_port
;
278 * Adds a remote TCP/IP port forward to options. Never returns if there is
283 add_remote_forward(Options
*options
, const Forward
*newfwd
)
286 if (options
->num_remote_forwards
>= SSH_MAX_FORWARDS_PER_DIRECTION
)
287 fatal("Too many remote forwards (max %d).",
288 SSH_MAX_FORWARDS_PER_DIRECTION
);
289 fwd
= &options
->remote_forwards
[options
->num_remote_forwards
++];
291 fwd
->listen_host
= newfwd
->listen_host
;
292 fwd
->listen_port
= newfwd
->listen_port
;
293 fwd
->connect_host
= newfwd
->connect_host
;
294 fwd
->connect_port
= newfwd
->connect_port
;
298 clear_forwardings(Options
*options
)
302 for (i
= 0; i
< options
->num_local_forwards
; i
++) {
303 if (options
->local_forwards
[i
].listen_host
!= NULL
)
304 xfree(options
->local_forwards
[i
].listen_host
);
305 xfree(options
->local_forwards
[i
].connect_host
);
307 options
->num_local_forwards
= 0;
308 for (i
= 0; i
< options
->num_remote_forwards
; i
++) {
309 if (options
->remote_forwards
[i
].listen_host
!= NULL
)
310 xfree(options
->remote_forwards
[i
].listen_host
);
311 xfree(options
->remote_forwards
[i
].connect_host
);
313 options
->num_remote_forwards
= 0;
314 options
->tun_open
= SSH_TUNMODE_NO
;
318 * Returns the number of the token pointed to by cp or oBadOption.
322 parse_token(const char *cp
, const char *filename
, int linenum
)
326 for (i
= 0; keywords
[i
].name
; i
++)
327 if (strcasecmp(cp
, keywords
[i
].name
) == 0)
328 return keywords
[i
].opcode
;
330 error("%s: line %d: Bad configuration option: %s",
331 filename
, linenum
, cp
);
336 * Processes a single option line as used in the configuration files. This
337 * only sets those values that have not already been set.
339 #define WHITESPACE " \t\r\n"
342 process_config_line(Options
*options
, const char *host
,
343 char *line
, const char *filename
, int linenum
,
346 char *s
, **charptr
, *endofnumber
, *keyword
, *arg
, *arg2
, fwdarg
[256];
347 int opcode
, *intptr
, value
, value2
, scale
;
348 LogLevel
*log_level_ptr
;
349 long long orig
, val64
;
353 /* Strip trailing whitespace */
354 for (len
= strlen(line
) - 1; len
> 0; len
--) {
355 if (strchr(WHITESPACE
, line
[len
]) == NULL
)
361 /* Get the keyword. (Each line is supposed to begin with a keyword). */
362 if ((keyword
= strdelim(&s
)) == NULL
)
364 /* Ignore leading whitespace. */
365 if (*keyword
== '\0')
366 keyword
= strdelim(&s
);
367 if (keyword
== NULL
|| !*keyword
|| *keyword
== '\n' || *keyword
== '#')
370 opcode
= parse_token(keyword
, filename
, linenum
);
374 /* don't panic, but count bad options */
377 case oConnectTimeout
:
378 intptr
= &options
->connection_timeout
;
381 if (!arg
|| *arg
== '\0')
382 fatal("%s line %d: missing time value.",
384 if ((value
= convtime(arg
)) == -1)
385 fatal("%s line %d: invalid time value.",
387 if (*activep
&& *intptr
== -1)
392 intptr
= &options
->forward_agent
;
395 if (!arg
|| *arg
== '\0')
396 fatal("%.200s line %d: Missing yes/no argument.", filename
, linenum
);
397 value
= 0; /* To avoid compiler warning... */
398 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
400 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
403 fatal("%.200s line %d: Bad yes/no argument.", filename
, linenum
);
404 if (*activep
&& *intptr
== -1)
409 intptr
= &options
->forward_x11
;
412 case oForwardX11Trusted
:
413 intptr
= &options
->forward_x11_trusted
;
417 intptr
= &options
->gateway_ports
;
420 case oExitOnForwardFailure
:
421 intptr
= &options
->exit_on_forward_failure
;
424 case oUsePrivilegedPort
:
425 intptr
= &options
->use_privileged_port
;
428 case oPasswordAuthentication
:
429 intptr
= &options
->password_authentication
;
432 case oZeroKnowledgePasswordAuthentication
:
433 intptr
= &options
->zero_knowledge_password_authentication
;
436 case oKbdInteractiveAuthentication
:
437 intptr
= &options
->kbd_interactive_authentication
;
440 case oKbdInteractiveDevices
:
441 charptr
= &options
->kbd_interactive_devices
;
444 case oPubkeyAuthentication
:
445 intptr
= &options
->pubkey_authentication
;
448 case oRSAAuthentication
:
449 intptr
= &options
->rsa_authentication
;
452 case oRhostsRSAAuthentication
:
453 intptr
= &options
->rhosts_rsa_authentication
;
456 case oHostbasedAuthentication
:
457 intptr
= &options
->hostbased_authentication
;
460 case oChallengeResponseAuthentication
:
461 intptr
= &options
->challenge_response_authentication
;
464 case oGssAuthentication
:
465 intptr
= &options
->gss_authentication
;
468 case oGssDelegateCreds
:
469 intptr
= &options
->gss_deleg_creds
;
473 intptr
= &options
->batch_mode
;
477 intptr
= &options
->check_host_ip
;
481 intptr
= &options
->none_enabled
;
484 /* we check to see if the command comes from the */
485 /* command line or not. If it does then enable it */
486 /* otherwise fail. NONE should never be a default configuration */
488 if(strcmp(filename
,"command-line")==0)
490 intptr
= &options
->none_switch
;
493 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename
);
494 error("Continuing...");
495 debug("NoneSwitch directive found in %.200s.", filename
);
500 intptr
= &options
->hpn_disabled
;
504 intptr
= &options
->hpn_buffer_size
;
508 intptr
= &options
->tcp_rcv_buf_poll
;
511 case oVerifyHostKeyDNS
:
512 intptr
= &options
->verify_host_key_dns
;
515 case oStrictHostKeyChecking
:
516 intptr
= &options
->strict_host_key_checking
;
519 if (!arg
|| *arg
== '\0')
520 fatal("%.200s line %d: Missing yes/no/ask argument.",
522 value
= 0; /* To avoid compiler warning... */
523 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
525 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
527 else if (strcmp(arg
, "ask") == 0)
530 fatal("%.200s line %d: Bad yes/no/ask argument.", filename
, linenum
);
531 if (*activep
&& *intptr
== -1)
536 intptr
= &options
->compression
;
540 intptr
= &options
->tcp_keep_alive
;
543 case oNoHostAuthenticationForLocalhost
:
544 intptr
= &options
->no_host_authentication_for_localhost
;
547 case oNumberOfPasswordPrompts
:
548 intptr
= &options
->number_of_password_prompts
;
551 case oCompressionLevel
:
552 intptr
= &options
->compression_level
;
557 if (!arg
|| *arg
== '\0')
558 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
559 if (arg
[0] < '0' || arg
[0] > '9')
560 fatal("%.200s line %d: Bad number.", filename
, linenum
);
561 orig
= val64
= strtoll(arg
, &endofnumber
, 10);
562 if (arg
== endofnumber
)
563 fatal("%.200s line %d: Bad number.", filename
, linenum
);
564 switch (toupper(*endofnumber
)) {
578 fatal("%.200s line %d: Invalid RekeyLimit suffix",
582 /* detect integer wrap and too-large limits */
583 if ((val64
/ scale
) != orig
|| val64
> UINT_MAX
)
584 fatal("%.200s line %d: RekeyLimit too large",
587 fatal("%.200s line %d: RekeyLimit too small",
589 if (*activep
&& options
->rekey_limit
== -1)
590 options
->rekey_limit
= (u_int32_t
)val64
;
595 if (!arg
|| *arg
== '\0')
596 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
598 intptr
= &options
->num_identity_files
;
599 if (*intptr
>= SSH_MAX_IDENTITY_FILES
)
600 fatal("%.200s line %d: Too many identity files specified (max %d).",
601 filename
, linenum
, SSH_MAX_IDENTITY_FILES
);
602 charptr
= &options
->identity_files
[*intptr
];
603 *charptr
= xstrdup(arg
);
604 *intptr
= *intptr
+ 1;
609 charptr
=&options
->xauth_location
;
613 charptr
= &options
->user
;
616 if (!arg
|| *arg
== '\0')
617 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
618 if (*activep
&& *charptr
== NULL
)
619 *charptr
= xstrdup(arg
);
622 case oGlobalKnownHostsFile
:
623 charptr
= &options
->system_hostfile
;
626 case oUserKnownHostsFile
:
627 charptr
= &options
->user_hostfile
;
630 case oGlobalKnownHostsFile2
:
631 charptr
= &options
->system_hostfile2
;
634 case oUserKnownHostsFile2
:
635 charptr
= &options
->user_hostfile2
;
639 charptr
= &options
->hostname
;
643 charptr
= &options
->host_key_alias
;
646 case oPreferredAuthentications
:
647 charptr
= &options
->preferred_authentications
;
651 charptr
= &options
->bind_address
;
654 case oSmartcardDevice
:
655 charptr
= &options
->smartcard_device
;
659 charptr
= &options
->proxy_command
;
662 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
663 len
= strspn(s
, WHITESPACE
"=");
664 if (*activep
&& *charptr
== NULL
)
665 *charptr
= xstrdup(s
+ len
);
669 intptr
= &options
->port
;
672 if (!arg
|| *arg
== '\0')
673 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
674 if (arg
[0] < '0' || arg
[0] > '9')
675 fatal("%.200s line %d: Bad number.", filename
, linenum
);
677 /* Octal, decimal, or hex format? */
678 value
= strtol(arg
, &endofnumber
, 0);
679 if (arg
== endofnumber
)
680 fatal("%.200s line %d: Bad number.", filename
, linenum
);
681 if (*activep
&& *intptr
== -1)
685 case oConnectionAttempts
:
686 intptr
= &options
->connection_attempts
;
690 intptr
= &options
->tcp_rcv_buf
;
694 intptr
= &options
->cipher
;
696 if (!arg
|| *arg
== '\0')
697 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
698 value
= cipher_number(arg
);
700 fatal("%.200s line %d: Bad cipher '%s'.",
701 filename
, linenum
, arg
? arg
: "<NONE>");
702 if (*activep
&& *intptr
== -1)
708 if (!arg
|| *arg
== '\0')
709 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
710 if (!ciphers_valid(arg
))
711 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
712 filename
, linenum
, arg
? arg
: "<NONE>");
713 if (*activep
&& options
->ciphers
== NULL
)
714 options
->ciphers
= xstrdup(arg
);
719 if (!arg
|| *arg
== '\0')
720 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
722 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
723 filename
, linenum
, arg
? arg
: "<NONE>");
724 if (*activep
&& options
->macs
== NULL
)
725 options
->macs
= xstrdup(arg
);
728 case oHostKeyAlgorithms
:
730 if (!arg
|| *arg
== '\0')
731 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
732 if (!key_names_valid2(arg
))
733 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
734 filename
, linenum
, arg
? arg
: "<NONE>");
735 if (*activep
&& options
->hostkeyalgorithms
== NULL
)
736 options
->hostkeyalgorithms
= xstrdup(arg
);
740 intptr
= &options
->protocol
;
742 if (!arg
|| *arg
== '\0')
743 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
744 value
= proto_spec(arg
);
745 if (value
== SSH_PROTO_UNKNOWN
)
746 fatal("%.200s line %d: Bad protocol spec '%s'.",
747 filename
, linenum
, arg
? arg
: "<NONE>");
748 if (*activep
&& *intptr
== SSH_PROTO_UNKNOWN
)
753 log_level_ptr
= &options
->log_level
;
755 value
= log_level_number(arg
);
756 if (value
== SYSLOG_LEVEL_NOT_SET
)
757 fatal("%.200s line %d: unsupported log level '%s'",
758 filename
, linenum
, arg
? arg
: "<NONE>");
759 if (*activep
&& *log_level_ptr
== SYSLOG_LEVEL_NOT_SET
)
760 *log_level_ptr
= (LogLevel
) value
;
765 case oDynamicForward
:
767 if (arg
== NULL
|| *arg
== '\0')
768 fatal("%.200s line %d: Missing port argument.",
771 if (opcode
== oLocalForward
||
772 opcode
== oRemoteForward
) {
774 if (arg2
== NULL
|| *arg2
== '\0')
775 fatal("%.200s line %d: Missing target argument.",
778 /* construct a string for parse_forward */
779 snprintf(fwdarg
, sizeof(fwdarg
), "%s:%s", arg
, arg2
);
780 } else if (opcode
== oDynamicForward
) {
781 strlcpy(fwdarg
, arg
, sizeof(fwdarg
));
784 if (parse_forward(&fwd
, fwdarg
,
785 opcode
== oDynamicForward
? 1 : 0,
786 opcode
== oRemoteForward
? 1 : 0) == 0)
787 fatal("%.200s line %d: Bad forwarding specification.",
791 if (opcode
== oLocalForward
||
792 opcode
== oDynamicForward
)
793 add_local_forward(options
, &fwd
);
794 else if (opcode
== oRemoteForward
)
795 add_remote_forward(options
, &fwd
);
799 case oClearAllForwardings
:
800 intptr
= &options
->clear_forwardings
;
805 while ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0')
806 if (match_pattern(host
, arg
)) {
807 debug("Applying options for %.100s", arg
);
811 /* Avoid garbage check below, as strdelim is done. */
815 intptr
= &options
->escape_char
;
817 if (!arg
|| *arg
== '\0')
818 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
819 if (arg
[0] == '^' && arg
[2] == 0 &&
820 (u_char
) arg
[1] >= 64 && (u_char
) arg
[1] < 128)
821 value
= (u_char
) arg
[1] & 31;
822 else if (strlen(arg
) == 1)
823 value
= (u_char
) arg
[0];
824 else if (strcmp(arg
, "none") == 0)
825 value
= SSH_ESCAPECHAR_NONE
;
827 fatal("%.200s line %d: Bad escape character.",
830 value
= 0; /* Avoid compiler warning. */
832 if (*activep
&& *intptr
== -1)
838 if (!arg
|| *arg
== '\0')
839 fatal("%s line %d: missing address family.",
841 intptr
= &options
->address_family
;
842 if (strcasecmp(arg
, "inet") == 0)
844 else if (strcasecmp(arg
, "inet6") == 0)
846 else if (strcasecmp(arg
, "any") == 0)
849 fatal("Unsupported AddressFamily \"%s\"", arg
);
850 if (*activep
&& *intptr
== -1)
854 case oEnableSSHKeysign
:
855 intptr
= &options
->enable_ssh_keysign
;
858 case oIdentitiesOnly
:
859 intptr
= &options
->identities_only
;
862 case oServerAliveInterval
:
863 intptr
= &options
->server_alive_interval
;
866 case oServerAliveCountMax
:
867 intptr
= &options
->server_alive_count_max
;
870 case oVersionAddendum
:
871 ssh_version_set_addendum(strtok(s
, "\n"));
874 } while (arg
!= NULL
&& *arg
!= '\0');
878 while ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0') {
879 if (strchr(arg
, '=') != NULL
)
880 fatal("%s line %d: Invalid environment name.",
884 if (options
->num_send_env
>= MAX_SEND_ENV
)
885 fatal("%s line %d: too many send env.",
887 options
->send_env
[options
->num_send_env
++] =
893 charptr
= &options
->control_path
;
897 intptr
= &options
->control_master
;
899 if (!arg
|| *arg
== '\0')
900 fatal("%.200s line %d: Missing ControlMaster argument.",
902 value
= 0; /* To avoid compiler warning... */
903 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
904 value
= SSHCTL_MASTER_YES
;
905 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
906 value
= SSHCTL_MASTER_NO
;
907 else if (strcmp(arg
, "auto") == 0)
908 value
= SSHCTL_MASTER_AUTO
;
909 else if (strcmp(arg
, "ask") == 0)
910 value
= SSHCTL_MASTER_ASK
;
911 else if (strcmp(arg
, "autoask") == 0)
912 value
= SSHCTL_MASTER_AUTO_ASK
;
914 fatal("%.200s line %d: Bad ControlMaster argument.",
916 if (*activep
&& *intptr
== -1)
920 case oHashKnownHosts
:
921 intptr
= &options
->hash_known_hosts
;
925 intptr
= &options
->tun_open
;
927 if (!arg
|| *arg
== '\0')
928 fatal("%s line %d: Missing yes/point-to-point/"
929 "ethernet/no argument.", filename
, linenum
);
930 value
= 0; /* silence compiler */
931 if (strcasecmp(arg
, "ethernet") == 0)
932 value
= SSH_TUNMODE_ETHERNET
;
933 else if (strcasecmp(arg
, "point-to-point") == 0)
934 value
= SSH_TUNMODE_POINTOPOINT
;
935 else if (strcasecmp(arg
, "yes") == 0)
936 value
= SSH_TUNMODE_DEFAULT
;
937 else if (strcasecmp(arg
, "no") == 0)
938 value
= SSH_TUNMODE_NO
;
940 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
941 "no argument: %s", filename
, linenum
, arg
);
948 if (!arg
|| *arg
== '\0')
949 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
950 value
= a2tun(arg
, &value2
);
951 if (value
== SSH_TUNID_ERR
)
952 fatal("%.200s line %d: Bad tun device.", filename
, linenum
);
954 options
->tun_local
= value
;
955 options
->tun_remote
= value2
;
960 charptr
= &options
->local_command
;
963 case oPermitLocalCommand
:
964 intptr
= &options
->permit_local_command
;
968 intptr
= &options
->visual_host_key
;
972 intptr
= &options
->use_roaming
;
976 debug("%s line %d: Deprecated option \"%s\"",
977 filename
, linenum
, keyword
);
981 error("%s line %d: Unsupported option \"%s\"",
982 filename
, linenum
, keyword
);
986 fatal("process_config_line: Unimplemented opcode %d", opcode
);
989 /* Check that there is no garbage at end of line. */
990 if ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0') {
991 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
992 filename
, linenum
, arg
);
999 * Reads the config file and modifies the options accordingly. Options
1000 * should already be initialized before this call. This never returns if
1001 * there is an error. If the file does not exist, this returns 0.
1005 read_config_file(const char *filename
, const char *host
, Options
*options
,
1010 int active
, linenum
;
1011 int bad_options
= 0;
1013 if ((f
= fopen(filename
, "r")) == NULL
)
1019 if (fstat(fileno(f
), &sb
) == -1)
1020 fatal("fstat %s: %s", filename
, strerror(errno
));
1021 if (((sb
.st_uid
!= 0 && sb
.st_uid
!= getuid()) ||
1022 (sb
.st_mode
& 022) != 0))
1023 fatal("Bad owner or permissions on %s", filename
);
1026 debug("Reading configuration data %.200s", filename
);
1029 * Mark that we are now processing the options. This flag is turned
1030 * on/off by Host specifications.
1034 while (fgets(line
, sizeof(line
), f
)) {
1035 /* Update line number counter. */
1037 if (process_config_line(options
, host
, line
, filename
, linenum
, &active
) != 0)
1041 if (bad_options
> 0)
1042 fatal("%s: terminating, %d bad configuration options",
1043 filename
, bad_options
);
1048 * Initializes options to special values that indicate that they have not yet
1049 * been set. Read_config_file will only set options with this value. Options
1050 * are processed in the following order: command line, user config file,
1051 * system config file. Last, fill_default_options is called.
1055 initialize_options(Options
* options
)
1057 memset(options
, 'X', sizeof(*options
));
1058 options
->forward_agent
= -1;
1059 options
->forward_x11
= -1;
1060 options
->forward_x11_trusted
= -1;
1061 options
->exit_on_forward_failure
= -1;
1062 options
->xauth_location
= NULL
;
1063 options
->gateway_ports
= -1;
1064 options
->use_privileged_port
= -1;
1065 options
->rsa_authentication
= -1;
1066 options
->pubkey_authentication
= -1;
1067 options
->challenge_response_authentication
= -1;
1068 options
->gss_authentication
= -1;
1069 options
->gss_deleg_creds
= -1;
1070 options
->password_authentication
= -1;
1071 options
->kbd_interactive_authentication
= -1;
1072 options
->kbd_interactive_devices
= NULL
;
1073 options
->rhosts_rsa_authentication
= -1;
1074 options
->hostbased_authentication
= -1;
1075 options
->batch_mode
= -1;
1076 options
->check_host_ip
= -1;
1077 options
->strict_host_key_checking
= -1;
1078 options
->compression
= -1;
1079 options
->tcp_keep_alive
= -1;
1080 options
->compression_level
= -1;
1082 options
->address_family
= -1;
1083 options
->connection_attempts
= -1;
1084 options
->connection_timeout
= -1;
1085 options
->number_of_password_prompts
= -1;
1086 options
->cipher
= -1;
1087 options
->ciphers
= NULL
;
1088 options
->macs
= NULL
;
1089 options
->hostkeyalgorithms
= NULL
;
1090 options
->protocol
= SSH_PROTO_UNKNOWN
;
1091 options
->num_identity_files
= 0;
1092 options
->hostname
= NULL
;
1093 options
->host_key_alias
= NULL
;
1094 options
->proxy_command
= NULL
;
1095 options
->user
= NULL
;
1096 options
->escape_char
= -1;
1097 options
->system_hostfile
= NULL
;
1098 options
->user_hostfile
= NULL
;
1099 options
->system_hostfile2
= NULL
;
1100 options
->user_hostfile2
= NULL
;
1101 options
->num_local_forwards
= 0;
1102 options
->num_remote_forwards
= 0;
1103 options
->clear_forwardings
= -1;
1104 options
->log_level
= SYSLOG_LEVEL_NOT_SET
;
1105 options
->preferred_authentications
= NULL
;
1106 options
->bind_address
= NULL
;
1107 options
->smartcard_device
= NULL
;
1108 options
->enable_ssh_keysign
= - 1;
1109 options
->no_host_authentication_for_localhost
= - 1;
1110 options
->identities_only
= - 1;
1111 options
->rekey_limit
= - 1;
1112 options
->verify_host_key_dns
= -1;
1113 options
->server_alive_interval
= -1;
1114 options
->server_alive_count_max
= -1;
1115 options
->num_send_env
= 0;
1116 options
->control_path
= NULL
;
1117 options
->control_master
= -1;
1118 options
->hash_known_hosts
= -1;
1119 options
->tun_open
= -1;
1120 options
->tun_local
= -1;
1121 options
->tun_remote
= -1;
1122 options
->local_command
= NULL
;
1123 options
->permit_local_command
= -1;
1124 options
->use_roaming
= -1;
1125 options
->visual_host_key
= -1;
1126 options
->zero_knowledge_password_authentication
= -1;
1127 options
->none_switch
= -1;
1128 options
->none_enabled
= -1;
1129 options
->hpn_disabled
= -1;
1130 options
->hpn_buffer_size
= -1;
1131 options
->tcp_rcv_buf_poll
= -1;
1132 options
->tcp_rcv_buf
= -1;
1136 * Called after processing other sources of option data, this fills those
1137 * options for which no value has been specified with their default values.
1141 fill_default_options(Options
* options
)
1145 if (options
->forward_agent
== -1)
1146 options
->forward_agent
= 0;
1147 if (options
->forward_x11
== -1)
1148 options
->forward_x11
= 0;
1149 if (options
->forward_x11_trusted
== -1)
1150 options
->forward_x11_trusted
= 0;
1151 if (options
->exit_on_forward_failure
== -1)
1152 options
->exit_on_forward_failure
= 0;
1153 if (options
->xauth_location
== NULL
)
1154 options
->xauth_location
= _PATH_XAUTH
;
1155 if (options
->gateway_ports
== -1)
1156 options
->gateway_ports
= 0;
1157 if (options
->use_privileged_port
== -1)
1158 options
->use_privileged_port
= 0;
1159 if (options
->rsa_authentication
== -1)
1160 options
->rsa_authentication
= 1;
1161 if (options
->pubkey_authentication
== -1)
1162 options
->pubkey_authentication
= 1;
1163 if (options
->challenge_response_authentication
== -1)
1164 options
->challenge_response_authentication
= 1;
1165 if (options
->gss_authentication
== -1)
1166 options
->gss_authentication
= 0;
1167 if (options
->gss_deleg_creds
== -1)
1168 options
->gss_deleg_creds
= 0;
1169 if (options
->password_authentication
== -1)
1170 options
->password_authentication
= 1;
1171 if (options
->kbd_interactive_authentication
== -1)
1172 options
->kbd_interactive_authentication
= 1;
1173 if (options
->rhosts_rsa_authentication
== -1)
1174 options
->rhosts_rsa_authentication
= 0;
1175 if (options
->hostbased_authentication
== -1)
1176 options
->hostbased_authentication
= 0;
1177 if (options
->batch_mode
== -1)
1178 options
->batch_mode
= 0;
1179 if (options
->check_host_ip
== -1)
1180 options
->check_host_ip
= 0;
1181 if (options
->strict_host_key_checking
== -1)
1182 options
->strict_host_key_checking
= 2; /* 2 is default */
1183 if (options
->compression
== -1)
1184 options
->compression
= 0;
1185 if (options
->tcp_keep_alive
== -1)
1186 options
->tcp_keep_alive
= 1;
1187 if (options
->compression_level
== -1)
1188 options
->compression_level
= 6;
1189 if (options
->port
== -1)
1190 options
->port
= 0; /* Filled in ssh_connect. */
1191 if (options
->address_family
== -1)
1192 options
->address_family
= AF_UNSPEC
;
1193 if (options
->connection_attempts
== -1)
1194 options
->connection_attempts
= 1;
1195 if (options
->number_of_password_prompts
== -1)
1196 options
->number_of_password_prompts
= 3;
1197 /* Selected in ssh_login(). */
1198 if (options
->cipher
== -1)
1199 options
->cipher
= SSH_CIPHER_NOT_SET
;
1200 /* options->ciphers, default set in myproposals.h */
1201 /* options->macs, default set in myproposals.h */
1202 /* options->hostkeyalgorithms, default set in myproposals.h */
1203 if (options
->protocol
== SSH_PROTO_UNKNOWN
)
1204 options
->protocol
= SSH_PROTO_1
|SSH_PROTO_2
;
1205 if (options
->num_identity_files
== 0) {
1206 if (options
->protocol
& SSH_PROTO_1
) {
1207 len
= 2 + strlen(_PATH_SSH_CLIENT_IDENTITY
) + 1;
1208 options
->identity_files
[options
->num_identity_files
] =
1210 snprintf(options
->identity_files
[options
->num_identity_files
++],
1211 len
, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY
);
1213 if (options
->protocol
& SSH_PROTO_2
) {
1214 len
= 2 + strlen(_PATH_SSH_CLIENT_ID_RSA
) + 1;
1215 options
->identity_files
[options
->num_identity_files
] =
1217 snprintf(options
->identity_files
[options
->num_identity_files
++],
1218 len
, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA
);
1220 len
= 2 + strlen(_PATH_SSH_CLIENT_ID_DSA
) + 1;
1221 options
->identity_files
[options
->num_identity_files
] =
1223 snprintf(options
->identity_files
[options
->num_identity_files
++],
1224 len
, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA
);
1227 if (options
->escape_char
== -1)
1228 options
->escape_char
= '~';
1229 if (options
->system_hostfile
== NULL
)
1230 options
->system_hostfile
= _PATH_SSH_SYSTEM_HOSTFILE
;
1231 if (options
->user_hostfile
== NULL
)
1232 options
->user_hostfile
= _PATH_SSH_USER_HOSTFILE
;
1233 if (options
->system_hostfile2
== NULL
)
1234 options
->system_hostfile2
= _PATH_SSH_SYSTEM_HOSTFILE2
;
1235 if (options
->user_hostfile2
== NULL
)
1236 options
->user_hostfile2
= _PATH_SSH_USER_HOSTFILE2
;
1237 if (options
->log_level
== SYSLOG_LEVEL_NOT_SET
)
1238 options
->log_level
= SYSLOG_LEVEL_INFO
;
1239 if (options
->clear_forwardings
== 1)
1240 clear_forwardings(options
);
1241 if (options
->no_host_authentication_for_localhost
== - 1)
1242 options
->no_host_authentication_for_localhost
= 0;
1243 if (options
->identities_only
== -1)
1244 options
->identities_only
= 0;
1245 if (options
->enable_ssh_keysign
== -1)
1246 options
->enable_ssh_keysign
= 0;
1247 if (options
->rekey_limit
== -1)
1248 options
->rekey_limit
= 0;
1249 if (options
->verify_host_key_dns
== -1)
1250 options
->verify_host_key_dns
= 0;
1251 if (options
->server_alive_interval
== -1)
1252 options
->server_alive_interval
= 0;
1253 if (options
->server_alive_count_max
== -1)
1254 options
->server_alive_count_max
= 3;
1255 if (options
->none_switch
== -1)
1256 options
->none_switch
= 0;
1257 if (options
->hpn_disabled
== -1)
1258 options
->hpn_disabled
= 0;
1259 if (options
->hpn_buffer_size
> -1)
1261 /* if a user tries to set the size to 0 set it to 1KB */
1262 if (options
->hpn_buffer_size
== 0)
1263 options
->hpn_buffer_size
= 1024;
1264 /*limit the buffer to 64MB*/
1265 if (options
->hpn_buffer_size
> 65536)
1267 options
->hpn_buffer_size
= 65536*1024;
1268 debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1270 debug("hpn_buffer_size set to %d", options
->hpn_buffer_size
);
1272 if (options
->tcp_rcv_buf
== 0)
1273 options
->tcp_rcv_buf
= 1;
1274 if (options
->tcp_rcv_buf
> -1)
1275 options
->tcp_rcv_buf
*=1024;
1276 if (options
->tcp_rcv_buf_poll
== -1)
1277 options
->tcp_rcv_buf_poll
= 1;
1278 if (options
->control_master
== -1)
1279 options
->control_master
= 0;
1280 if (options
->hash_known_hosts
== -1)
1281 options
->hash_known_hosts
= 0;
1282 if (options
->tun_open
== -1)
1283 options
->tun_open
= SSH_TUNMODE_NO
;
1284 if (options
->tun_local
== -1)
1285 options
->tun_local
= SSH_TUNID_ANY
;
1286 if (options
->tun_remote
== -1)
1287 options
->tun_remote
= SSH_TUNID_ANY
;
1288 if (options
->permit_local_command
== -1)
1289 options
->permit_local_command
= 0;
1290 if (options
->use_roaming
== -1)
1291 options
->use_roaming
= 1;
1292 if (options
->visual_host_key
== -1)
1293 options
->visual_host_key
= 0;
1294 if (options
->zero_knowledge_password_authentication
== -1)
1295 options
->zero_knowledge_password_authentication
= 0;
1296 /* options->local_command should not be set by default */
1297 /* options->proxy_command should not be set by default */
1298 /* options->user will be set in the main program if appropriate */
1299 /* options->hostname will be set in the main program if appropriate */
1300 /* options->host_key_alias should not be set by default */
1301 /* options->preferred_authentications will be set in ssh */
1306 * parses a string containing a port forwarding specification of the form:
1308 * [listenhost:]listenport:connecthost:connectport
1310 * [listenhost:]listenport
1311 * returns number of arguments parsed or zero on error
1314 parse_forward(Forward
*fwd
, const char *fwdspec
, int dynamicfwd
, int remotefwd
)
1317 char *p
, *cp
, *fwdarg
[4];
1319 memset(fwd
, '\0', sizeof(*fwd
));
1321 cp
= p
= xstrdup(fwdspec
);
1323 /* skip leading spaces */
1324 while (isspace(*cp
))
1327 for (i
= 0; i
< 4; ++i
)
1328 if ((fwdarg
[i
] = hpdelim(&cp
)) == NULL
)
1331 /* Check for trailing garbage */
1333 i
= 0; /* failure */
1337 fwd
->listen_host
= NULL
;
1338 fwd
->listen_port
= a2port(fwdarg
[0]);
1339 fwd
->connect_host
= xstrdup("socks");
1343 fwd
->listen_host
= xstrdup(cleanhostname(fwdarg
[0]));
1344 fwd
->listen_port
= a2port(fwdarg
[1]);
1345 fwd
->connect_host
= xstrdup("socks");
1349 fwd
->listen_host
= NULL
;
1350 fwd
->listen_port
= a2port(fwdarg
[0]);
1351 fwd
->connect_host
= xstrdup(cleanhostname(fwdarg
[1]));
1352 fwd
->connect_port
= a2port(fwdarg
[2]);
1356 fwd
->listen_host
= xstrdup(cleanhostname(fwdarg
[0]));
1357 fwd
->listen_port
= a2port(fwdarg
[1]);
1358 fwd
->connect_host
= xstrdup(cleanhostname(fwdarg
[2]));
1359 fwd
->connect_port
= a2port(fwdarg
[3]);
1362 i
= 0; /* failure */
1368 if (!(i
== 1 || i
== 2))
1371 if (!(i
== 3 || i
== 4))
1373 if (fwd
->connect_port
<= 0)
1377 if (fwd
->listen_port
< 0 || (!remotefwd
&& fwd
->listen_port
== 0))
1380 if (fwd
->connect_host
!= NULL
&&
1381 strlen(fwd
->connect_host
) >= NI_MAXHOST
)
1383 if (fwd
->listen_host
!= NULL
&&
1384 strlen(fwd
->listen_host
) >= NI_MAXHOST
)
1391 if (fwd
->connect_host
!= NULL
) {
1392 xfree(fwd
->connect_host
);
1393 fwd
->connect_host
= NULL
;
1395 if (fwd
->listen_host
!= NULL
) {
1396 xfree(fwd
->listen_host
);
1397 fwd
->listen_host
= NULL
;