1 /* $OpenBSD: readconf.c,v 1.167 2008/06/26 11:46:31 grunk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
113 oForwardAgent
, oForwardX11
, oForwardX11Trusted
, oGatewayPorts
,
114 oExitOnForwardFailure
,
115 oPasswordAuthentication
, oRSAAuthentication
,
116 oChallengeResponseAuthentication
, oXAuthLocation
,
117 oIdentityFile
, oHostName
, oPort
, oCipher
, oRemoteForward
, oLocalForward
,
118 oUser
, oHost
, oEscapeChar
, oRhostsRSAAuthentication
, oProxyCommand
,
119 oGlobalKnownHostsFile
, oUserKnownHostsFile
, oConnectionAttempts
,
120 oBatchMode
, oCheckHostIP
, oStrictHostKeyChecking
, oCompression
,
121 oCompressionLevel
, oTCPKeepAlive
, oNumberOfPasswordPrompts
,
122 oUsePrivilegedPort
, oLogLevel
, oCiphers
, oProtocol
, oMacs
,
123 oGlobalKnownHostsFile2
, oUserKnownHostsFile2
, oPubkeyAuthentication
,
124 oKbdInteractiveAuthentication
, oKbdInteractiveDevices
, oHostKeyAlias
,
125 oDynamicForward
, oPreferredAuthentications
, oHostbasedAuthentication
,
126 oHostKeyAlgorithms
, oBindAddress
, oSmartcardDevice
,
127 oClearAllForwardings
, oNoHostAuthenticationForLocalhost
,
128 oEnableSSHKeysign
, oRekeyLimit
, oVerifyHostKeyDNS
, oConnectTimeout
,
129 oAddressFamily
, oGssAuthentication
, oGssDelegateCreds
,
130 oServerAliveInterval
, oServerAliveCountMax
, oIdentitiesOnly
,
131 oSendEnv
, oControlPath
, oControlMaster
, oHashKnownHosts
,
132 oTunnel
, oTunnelDevice
, oLocalCommand
, oPermitLocalCommand
,
134 oDeprecated
, oUnsupported
137 /* Textual representations of the tokens. */
143 { "forwardagent", oForwardAgent
},
144 { "forwardx11", oForwardX11
},
145 { "forwardx11trusted", oForwardX11Trusted
},
146 { "exitonforwardfailure", oExitOnForwardFailure
},
147 { "xauthlocation", oXAuthLocation
},
148 { "gatewayports", oGatewayPorts
},
149 { "useprivilegedport", oUsePrivilegedPort
},
150 { "rhostsauthentication", oDeprecated
},
151 { "passwordauthentication", oPasswordAuthentication
},
152 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication
},
153 { "kbdinteractivedevices", oKbdInteractiveDevices
},
154 { "rsaauthentication", oRSAAuthentication
},
155 { "pubkeyauthentication", oPubkeyAuthentication
},
156 { "dsaauthentication", oPubkeyAuthentication
}, /* alias */
157 { "rhostsrsaauthentication", oRhostsRSAAuthentication
},
158 { "hostbasedauthentication", oHostbasedAuthentication
},
159 { "challengeresponseauthentication", oChallengeResponseAuthentication
},
160 { "skeyauthentication", oChallengeResponseAuthentication
}, /* alias */
161 { "tisauthentication", oChallengeResponseAuthentication
}, /* alias */
162 { "kerberosauthentication", oUnsupported
},
163 { "kerberostgtpassing", oUnsupported
},
164 { "afstokenpassing", oUnsupported
},
166 { "gssapiauthentication", oGssAuthentication
},
167 { "gssapidelegatecredentials", oGssDelegateCreds
},
169 { "gssapiauthentication", oUnsupported
},
170 { "gssapidelegatecredentials", oUnsupported
},
172 { "fallbacktorsh", oDeprecated
},
173 { "usersh", oDeprecated
},
174 { "identityfile", oIdentityFile
},
175 { "identityfile2", oIdentityFile
}, /* alias */
176 { "identitiesonly", oIdentitiesOnly
},
177 { "hostname", oHostName
},
178 { "hostkeyalias", oHostKeyAlias
},
179 { "proxycommand", oProxyCommand
},
181 { "cipher", oCipher
},
182 { "ciphers", oCiphers
},
184 { "protocol", oProtocol
},
185 { "remoteforward", oRemoteForward
},
186 { "localforward", oLocalForward
},
189 { "escapechar", oEscapeChar
},
190 { "globalknownhostsfile", oGlobalKnownHostsFile
},
191 { "userknownhostsfile", oUserKnownHostsFile
}, /* obsolete */
192 { "globalknownhostsfile2", oGlobalKnownHostsFile2
},
193 { "userknownhostsfile2", oUserKnownHostsFile2
}, /* obsolete */
194 { "connectionattempts", oConnectionAttempts
},
195 { "batchmode", oBatchMode
},
196 { "checkhostip", oCheckHostIP
},
197 { "stricthostkeychecking", oStrictHostKeyChecking
},
198 { "compression", oCompression
},
199 { "compressionlevel", oCompressionLevel
},
200 { "tcpkeepalive", oTCPKeepAlive
},
201 { "keepalive", oTCPKeepAlive
}, /* obsolete */
202 { "numberofpasswordprompts", oNumberOfPasswordPrompts
},
203 { "loglevel", oLogLevel
},
204 { "dynamicforward", oDynamicForward
},
205 { "preferredauthentications", oPreferredAuthentications
},
206 { "hostkeyalgorithms", oHostKeyAlgorithms
},
207 { "bindaddress", oBindAddress
},
209 { "smartcarddevice", oSmartcardDevice
},
211 { "smartcarddevice", oUnsupported
},
213 { "clearallforwardings", oClearAllForwardings
},
214 { "enablesshkeysign", oEnableSSHKeysign
},
215 { "verifyhostkeydns", oVerifyHostKeyDNS
},
216 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost
},
217 { "rekeylimit", oRekeyLimit
},
218 { "connecttimeout", oConnectTimeout
},
219 { "addressfamily", oAddressFamily
},
220 { "serveraliveinterval", oServerAliveInterval
},
221 { "serveralivecountmax", oServerAliveCountMax
},
222 { "sendenv", oSendEnv
},
223 { "controlpath", oControlPath
},
224 { "controlmaster", oControlMaster
},
225 { "hashknownhosts", oHashKnownHosts
},
226 { "tunnel", oTunnel
},
227 { "tunneldevice", oTunnelDevice
},
228 { "localcommand", oLocalCommand
},
229 { "permitlocalcommand", oPermitLocalCommand
},
230 { "visualhostkey", oVisualHostKey
},
235 * Adds a local TCP/IP port forward to options. Never returns if there is an
240 add_local_forward(Options
*options
, const Forward
*newfwd
)
243 #ifndef NO_IPPORT_RESERVED_CONCEPT
244 extern uid_t original_real_uid
;
245 if (newfwd
->listen_port
< IPPORT_RESERVED
&& original_real_uid
!= 0)
246 fatal("Privileged ports can only be forwarded by root.");
248 if (options
->num_local_forwards
>= SSH_MAX_FORWARDS_PER_DIRECTION
)
249 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION
);
250 fwd
= &options
->local_forwards
[options
->num_local_forwards
++];
252 fwd
->listen_host
= (newfwd
->listen_host
== NULL
) ?
253 NULL
: xstrdup(newfwd
->listen_host
);
254 fwd
->listen_port
= newfwd
->listen_port
;
255 fwd
->connect_host
= xstrdup(newfwd
->connect_host
);
256 fwd
->connect_port
= newfwd
->connect_port
;
260 * Adds a remote TCP/IP port forward to options. Never returns if there is
265 add_remote_forward(Options
*options
, const Forward
*newfwd
)
268 if (options
->num_remote_forwards
>= SSH_MAX_FORWARDS_PER_DIRECTION
)
269 fatal("Too many remote forwards (max %d).",
270 SSH_MAX_FORWARDS_PER_DIRECTION
);
271 fwd
= &options
->remote_forwards
[options
->num_remote_forwards
++];
273 fwd
->listen_host
= (newfwd
->listen_host
== NULL
) ?
274 NULL
: xstrdup(newfwd
->listen_host
);
275 fwd
->listen_port
= newfwd
->listen_port
;
276 fwd
->connect_host
= xstrdup(newfwd
->connect_host
);
277 fwd
->connect_port
= newfwd
->connect_port
;
281 clear_forwardings(Options
*options
)
285 for (i
= 0; i
< options
->num_local_forwards
; i
++) {
286 if (options
->local_forwards
[i
].listen_host
!= NULL
)
287 xfree(options
->local_forwards
[i
].listen_host
);
288 xfree(options
->local_forwards
[i
].connect_host
);
290 options
->num_local_forwards
= 0;
291 for (i
= 0; i
< options
->num_remote_forwards
; i
++) {
292 if (options
->remote_forwards
[i
].listen_host
!= NULL
)
293 xfree(options
->remote_forwards
[i
].listen_host
);
294 xfree(options
->remote_forwards
[i
].connect_host
);
296 options
->num_remote_forwards
= 0;
297 options
->tun_open
= SSH_TUNMODE_NO
;
301 * Returns the number of the token pointed to by cp or oBadOption.
305 parse_token(const char *cp
, const char *filename
, int linenum
)
309 for (i
= 0; keywords
[i
].name
; i
++)
310 if (strcasecmp(cp
, keywords
[i
].name
) == 0)
311 return keywords
[i
].opcode
;
313 error("%s: line %d: Bad configuration option: %s",
314 filename
, linenum
, cp
);
319 * Processes a single option line as used in the configuration files. This
320 * only sets those values that have not already been set.
322 #define WHITESPACE " \t\r\n"
325 process_config_line(Options
*options
, const char *host
,
326 char *line
, const char *filename
, int linenum
,
329 char *s
, **charptr
, *endofnumber
, *keyword
, *arg
, *arg2
, fwdarg
[256];
330 int opcode
, *intptr
, value
, value2
, scale
;
331 LogLevel
*log_level_ptr
;
332 long long orig
, val64
;
336 /* Strip trailing whitespace */
337 for (len
= strlen(line
) - 1; len
> 0; len
--) {
338 if (strchr(WHITESPACE
, line
[len
]) == NULL
)
344 /* Get the keyword. (Each line is supposed to begin with a keyword). */
345 if ((keyword
= strdelim(&s
)) == NULL
)
347 /* Ignore leading whitespace. */
348 if (*keyword
== '\0')
349 keyword
= strdelim(&s
);
350 if (keyword
== NULL
|| !*keyword
|| *keyword
== '\n' || *keyword
== '#')
353 opcode
= parse_token(keyword
, filename
, linenum
);
357 /* don't panic, but count bad options */
360 case oConnectTimeout
:
361 intptr
= &options
->connection_timeout
;
364 if (!arg
|| *arg
== '\0')
365 fatal("%s line %d: missing time value.",
367 if ((value
= convtime(arg
)) == -1)
368 fatal("%s line %d: invalid time value.",
370 if (*activep
&& *intptr
== -1)
375 intptr
= &options
->forward_agent
;
378 if (!arg
|| *arg
== '\0')
379 fatal("%.200s line %d: Missing yes/no argument.", filename
, linenum
);
380 value
= 0; /* To avoid compiler warning... */
381 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
383 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
386 fatal("%.200s line %d: Bad yes/no argument.", filename
, linenum
);
387 if (*activep
&& *intptr
== -1)
392 intptr
= &options
->forward_x11
;
395 case oForwardX11Trusted
:
396 intptr
= &options
->forward_x11_trusted
;
400 intptr
= &options
->gateway_ports
;
403 case oExitOnForwardFailure
:
404 intptr
= &options
->exit_on_forward_failure
;
407 case oUsePrivilegedPort
:
408 intptr
= &options
->use_privileged_port
;
411 case oPasswordAuthentication
:
412 intptr
= &options
->password_authentication
;
415 case oKbdInteractiveAuthentication
:
416 intptr
= &options
->kbd_interactive_authentication
;
419 case oKbdInteractiveDevices
:
420 charptr
= &options
->kbd_interactive_devices
;
423 case oPubkeyAuthentication
:
424 intptr
= &options
->pubkey_authentication
;
427 case oRSAAuthentication
:
428 intptr
= &options
->rsa_authentication
;
431 case oRhostsRSAAuthentication
:
432 intptr
= &options
->rhosts_rsa_authentication
;
435 case oHostbasedAuthentication
:
436 intptr
= &options
->hostbased_authentication
;
439 case oChallengeResponseAuthentication
:
440 intptr
= &options
->challenge_response_authentication
;
443 case oGssAuthentication
:
444 intptr
= &options
->gss_authentication
;
447 case oGssDelegateCreds
:
448 intptr
= &options
->gss_deleg_creds
;
452 intptr
= &options
->batch_mode
;
456 intptr
= &options
->check_host_ip
;
459 case oVerifyHostKeyDNS
:
460 intptr
= &options
->verify_host_key_dns
;
463 case oStrictHostKeyChecking
:
464 intptr
= &options
->strict_host_key_checking
;
467 if (!arg
|| *arg
== '\0')
468 fatal("%.200s line %d: Missing yes/no/ask argument.",
470 value
= 0; /* To avoid compiler warning... */
471 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
473 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
475 else if (strcmp(arg
, "ask") == 0)
478 fatal("%.200s line %d: Bad yes/no/ask argument.", filename
, linenum
);
479 if (*activep
&& *intptr
== -1)
484 intptr
= &options
->compression
;
488 intptr
= &options
->tcp_keep_alive
;
491 case oNoHostAuthenticationForLocalhost
:
492 intptr
= &options
->no_host_authentication_for_localhost
;
495 case oNumberOfPasswordPrompts
:
496 intptr
= &options
->number_of_password_prompts
;
499 case oCompressionLevel
:
500 intptr
= &options
->compression_level
;
505 if (!arg
|| *arg
== '\0')
506 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
507 if (arg
[0] < '0' || arg
[0] > '9')
508 fatal("%.200s line %d: Bad number.", filename
, linenum
);
509 orig
= val64
= strtoll(arg
, &endofnumber
, 10);
510 if (arg
== endofnumber
)
511 fatal("%.200s line %d: Bad number.", filename
, linenum
);
512 switch (toupper(*endofnumber
)) {
526 fatal("%.200s line %d: Invalid RekeyLimit suffix",
530 /* detect integer wrap and too-large limits */
531 if ((val64
/ scale
) != orig
|| val64
> UINT_MAX
)
532 fatal("%.200s line %d: RekeyLimit too large",
535 fatal("%.200s line %d: RekeyLimit too small",
537 if (*activep
&& options
->rekey_limit
== -1)
538 options
->rekey_limit
= (u_int32_t
)val64
;
543 if (!arg
|| *arg
== '\0')
544 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
546 intptr
= &options
->num_identity_files
;
547 if (*intptr
>= SSH_MAX_IDENTITY_FILES
)
548 fatal("%.200s line %d: Too many identity files specified (max %d).",
549 filename
, linenum
, SSH_MAX_IDENTITY_FILES
);
550 charptr
= &options
->identity_files
[*intptr
];
551 *charptr
= xstrdup(arg
);
552 *intptr
= *intptr
+ 1;
557 charptr
=&options
->xauth_location
;
561 charptr
= &options
->user
;
564 if (!arg
|| *arg
== '\0')
565 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
566 if (*activep
&& *charptr
== NULL
)
567 *charptr
= xstrdup(arg
);
570 case oGlobalKnownHostsFile
:
571 charptr
= &options
->system_hostfile
;
574 case oUserKnownHostsFile
:
575 charptr
= &options
->user_hostfile
;
578 case oGlobalKnownHostsFile2
:
579 charptr
= &options
->system_hostfile2
;
582 case oUserKnownHostsFile2
:
583 charptr
= &options
->user_hostfile2
;
587 charptr
= &options
->hostname
;
591 charptr
= &options
->host_key_alias
;
594 case oPreferredAuthentications
:
595 charptr
= &options
->preferred_authentications
;
599 charptr
= &options
->bind_address
;
602 case oSmartcardDevice
:
603 charptr
= &options
->smartcard_device
;
607 charptr
= &options
->proxy_command
;
610 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
611 len
= strspn(s
, WHITESPACE
"=");
612 if (*activep
&& *charptr
== NULL
)
613 *charptr
= xstrdup(s
+ len
);
617 intptr
= &options
->port
;
620 if (!arg
|| *arg
== '\0')
621 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
622 if (arg
[0] < '0' || arg
[0] > '9')
623 fatal("%.200s line %d: Bad number.", filename
, linenum
);
625 /* Octal, decimal, or hex format? */
626 value
= strtol(arg
, &endofnumber
, 0);
627 if (arg
== endofnumber
)
628 fatal("%.200s line %d: Bad number.", filename
, linenum
);
629 if (*activep
&& *intptr
== -1)
633 case oConnectionAttempts
:
634 intptr
= &options
->connection_attempts
;
638 intptr
= &options
->cipher
;
640 if (!arg
|| *arg
== '\0')
641 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
642 value
= cipher_number(arg
);
644 fatal("%.200s line %d: Bad cipher '%s'.",
645 filename
, linenum
, arg
? arg
: "<NONE>");
646 if (*activep
&& *intptr
== -1)
652 if (!arg
|| *arg
== '\0')
653 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
654 if (!ciphers_valid(arg
))
655 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
656 filename
, linenum
, arg
? arg
: "<NONE>");
657 if (*activep
&& options
->ciphers
== NULL
)
658 options
->ciphers
= xstrdup(arg
);
663 if (!arg
|| *arg
== '\0')
664 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
666 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
667 filename
, linenum
, arg
? arg
: "<NONE>");
668 if (*activep
&& options
->macs
== NULL
)
669 options
->macs
= xstrdup(arg
);
672 case oHostKeyAlgorithms
:
674 if (!arg
|| *arg
== '\0')
675 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
676 if (!key_names_valid2(arg
))
677 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
678 filename
, linenum
, arg
? arg
: "<NONE>");
679 if (*activep
&& options
->hostkeyalgorithms
== NULL
)
680 options
->hostkeyalgorithms
= xstrdup(arg
);
684 intptr
= &options
->protocol
;
686 if (!arg
|| *arg
== '\0')
687 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
688 value
= proto_spec(arg
);
689 if (value
== SSH_PROTO_UNKNOWN
)
690 fatal("%.200s line %d: Bad protocol spec '%s'.",
691 filename
, linenum
, arg
? arg
: "<NONE>");
692 if (*activep
&& *intptr
== SSH_PROTO_UNKNOWN
)
697 log_level_ptr
= &options
->log_level
;
699 value
= log_level_number(arg
);
700 if (value
== SYSLOG_LEVEL_NOT_SET
)
701 fatal("%.200s line %d: unsupported log level '%s'",
702 filename
, linenum
, arg
? arg
: "<NONE>");
703 if (*activep
&& *log_level_ptr
== SYSLOG_LEVEL_NOT_SET
)
704 *log_level_ptr
= (LogLevel
) value
;
710 if (arg
== NULL
|| *arg
== '\0')
711 fatal("%.200s line %d: Missing port argument.",
714 if (arg2
== NULL
|| *arg2
== '\0')
715 fatal("%.200s line %d: Missing target argument.",
718 /* construct a string for parse_forward */
719 snprintf(fwdarg
, sizeof(fwdarg
), "%s:%s", arg
, arg2
);
721 if (parse_forward(&fwd
, fwdarg
) == 0)
722 fatal("%.200s line %d: Bad forwarding specification.",
726 if (opcode
== oLocalForward
)
727 add_local_forward(options
, &fwd
);
728 else if (opcode
== oRemoteForward
)
729 add_remote_forward(options
, &fwd
);
733 case oDynamicForward
:
735 if (!arg
|| *arg
== '\0')
736 fatal("%.200s line %d: Missing port argument.",
738 memset(&fwd
, '\0', sizeof(fwd
));
739 fwd
.connect_host
= "socks";
740 fwd
.listen_host
= hpdelim(&arg
);
741 if (fwd
.listen_host
== NULL
||
742 strlen(fwd
.listen_host
) >= NI_MAXHOST
)
743 fatal("%.200s line %d: Bad forwarding specification.",
746 fwd
.listen_port
= a2port(arg
);
747 fwd
.listen_host
= cleanhostname(fwd
.listen_host
);
749 fwd
.listen_port
= a2port(fwd
.listen_host
);
750 fwd
.listen_host
= NULL
;
752 if (fwd
.listen_port
== 0)
753 fatal("%.200s line %d: Badly formatted port number.",
756 add_local_forward(options
, &fwd
);
759 case oClearAllForwardings
:
760 intptr
= &options
->clear_forwardings
;
765 while ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0')
766 if (match_pattern(host
, arg
)) {
767 debug("Applying options for %.100s", arg
);
771 /* Avoid garbage check below, as strdelim is done. */
775 intptr
= &options
->escape_char
;
777 if (!arg
|| *arg
== '\0')
778 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
779 if (arg
[0] == '^' && arg
[2] == 0 &&
780 (u_char
) arg
[1] >= 64 && (u_char
) arg
[1] < 128)
781 value
= (u_char
) arg
[1] & 31;
782 else if (strlen(arg
) == 1)
783 value
= (u_char
) arg
[0];
784 else if (strcmp(arg
, "none") == 0)
785 value
= SSH_ESCAPECHAR_NONE
;
787 fatal("%.200s line %d: Bad escape character.",
790 value
= 0; /* Avoid compiler warning. */
792 if (*activep
&& *intptr
== -1)
798 if (!arg
|| *arg
== '\0')
799 fatal("%s line %d: missing address family.",
801 intptr
= &options
->address_family
;
802 if (strcasecmp(arg
, "inet") == 0)
804 else if (strcasecmp(arg
, "inet6") == 0)
806 else if (strcasecmp(arg
, "any") == 0)
809 fatal("Unsupported AddressFamily \"%s\"", arg
);
810 if (*activep
&& *intptr
== -1)
814 case oEnableSSHKeysign
:
815 intptr
= &options
->enable_ssh_keysign
;
818 case oIdentitiesOnly
:
819 intptr
= &options
->identities_only
;
822 case oServerAliveInterval
:
823 intptr
= &options
->server_alive_interval
;
826 case oServerAliveCountMax
:
827 intptr
= &options
->server_alive_count_max
;
831 while ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0') {
832 if (strchr(arg
, '=') != NULL
)
833 fatal("%s line %d: Invalid environment name.",
837 if (options
->num_send_env
>= MAX_SEND_ENV
)
838 fatal("%s line %d: too many send env.",
840 options
->send_env
[options
->num_send_env
++] =
846 charptr
= &options
->control_path
;
850 intptr
= &options
->control_master
;
852 if (!arg
|| *arg
== '\0')
853 fatal("%.200s line %d: Missing ControlMaster argument.",
855 value
= 0; /* To avoid compiler warning... */
856 if (strcmp(arg
, "yes") == 0 || strcmp(arg
, "true") == 0)
857 value
= SSHCTL_MASTER_YES
;
858 else if (strcmp(arg
, "no") == 0 || strcmp(arg
, "false") == 0)
859 value
= SSHCTL_MASTER_NO
;
860 else if (strcmp(arg
, "auto") == 0)
861 value
= SSHCTL_MASTER_AUTO
;
862 else if (strcmp(arg
, "ask") == 0)
863 value
= SSHCTL_MASTER_ASK
;
864 else if (strcmp(arg
, "autoask") == 0)
865 value
= SSHCTL_MASTER_AUTO_ASK
;
867 fatal("%.200s line %d: Bad ControlMaster argument.",
869 if (*activep
&& *intptr
== -1)
873 case oHashKnownHosts
:
874 intptr
= &options
->hash_known_hosts
;
878 intptr
= &options
->tun_open
;
880 if (!arg
|| *arg
== '\0')
881 fatal("%s line %d: Missing yes/point-to-point/"
882 "ethernet/no argument.", filename
, linenum
);
883 value
= 0; /* silence compiler */
884 if (strcasecmp(arg
, "ethernet") == 0)
885 value
= SSH_TUNMODE_ETHERNET
;
886 else if (strcasecmp(arg
, "point-to-point") == 0)
887 value
= SSH_TUNMODE_POINTOPOINT
;
888 else if (strcasecmp(arg
, "yes") == 0)
889 value
= SSH_TUNMODE_DEFAULT
;
890 else if (strcasecmp(arg
, "no") == 0)
891 value
= SSH_TUNMODE_NO
;
893 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
894 "no argument: %s", filename
, linenum
, arg
);
901 if (!arg
|| *arg
== '\0')
902 fatal("%.200s line %d: Missing argument.", filename
, linenum
);
903 value
= a2tun(arg
, &value2
);
904 if (value
== SSH_TUNID_ERR
)
905 fatal("%.200s line %d: Bad tun device.", filename
, linenum
);
907 options
->tun_local
= value
;
908 options
->tun_remote
= value2
;
913 charptr
= &options
->local_command
;
916 case oPermitLocalCommand
:
917 intptr
= &options
->permit_local_command
;
921 intptr
= &options
->visual_host_key
;
925 debug("%s line %d: Deprecated option \"%s\"",
926 filename
, linenum
, keyword
);
930 error("%s line %d: Unsupported option \"%s\"",
931 filename
, linenum
, keyword
);
935 fatal("process_config_line: Unimplemented opcode %d", opcode
);
938 /* Check that there is no garbage at end of line. */
939 if ((arg
= strdelim(&s
)) != NULL
&& *arg
!= '\0') {
940 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
941 filename
, linenum
, arg
);
948 * Reads the config file and modifies the options accordingly. Options
949 * should already be initialized before this call. This never returns if
950 * there is an error. If the file does not exist, this returns 0.
954 read_config_file(const char *filename
, const char *host
, Options
*options
,
963 if ((f
= fopen(filename
, "r")) == NULL
)
969 if (fstat(fileno(f
), &sb
) == -1)
970 fatal("fstat %s: %s", filename
, strerror(errno
));
971 if (((sb
.st_uid
!= 0 && sb
.st_uid
!= getuid()) ||
972 (sb
.st_mode
& 022) != 0))
973 fatal("Bad owner or permissions on %s", filename
);
976 debug("Reading configuration data %.200s", filename
);
979 * Mark that we are now processing the options. This flag is turned
980 * on/off by Host specifications.
984 while (fgets(line
, sizeof(line
), f
)) {
985 /* Update line number counter. */
987 if (process_config_line(options
, host
, line
, filename
, linenum
, &active
) != 0)
992 fatal("%s: terminating, %d bad configuration options",
993 filename
, bad_options
);
998 * Initializes options to special values that indicate that they have not yet
999 * been set. Read_config_file will only set options with this value. Options
1000 * are processed in the following order: command line, user config file,
1001 * system config file. Last, fill_default_options is called.
1005 initialize_options(Options
* options
)
1007 memset(options
, 'X', sizeof(*options
));
1008 options
->forward_agent
= -1;
1009 options
->forward_x11
= -1;
1010 options
->forward_x11_trusted
= -1;
1011 options
->exit_on_forward_failure
= -1;
1012 options
->xauth_location
= NULL
;
1013 options
->gateway_ports
= -1;
1014 options
->use_privileged_port
= -1;
1015 options
->rsa_authentication
= -1;
1016 options
->pubkey_authentication
= -1;
1017 options
->challenge_response_authentication
= -1;
1018 options
->gss_authentication
= -1;
1019 options
->gss_deleg_creds
= -1;
1020 options
->password_authentication
= -1;
1021 options
->kbd_interactive_authentication
= -1;
1022 options
->kbd_interactive_devices
= NULL
;
1023 options
->rhosts_rsa_authentication
= -1;
1024 options
->hostbased_authentication
= -1;
1025 options
->batch_mode
= -1;
1026 options
->check_host_ip
= -1;
1027 options
->strict_host_key_checking
= -1;
1028 options
->compression
= -1;
1029 options
->tcp_keep_alive
= -1;
1030 options
->compression_level
= -1;
1032 options
->address_family
= -1;
1033 options
->connection_attempts
= -1;
1034 options
->connection_timeout
= -1;
1035 options
->number_of_password_prompts
= -1;
1036 options
->cipher
= -1;
1037 options
->ciphers
= NULL
;
1038 options
->macs
= NULL
;
1039 options
->hostkeyalgorithms
= NULL
;
1040 options
->protocol
= SSH_PROTO_UNKNOWN
;
1041 options
->num_identity_files
= 0;
1042 options
->hostname
= NULL
;
1043 options
->host_key_alias
= NULL
;
1044 options
->proxy_command
= NULL
;
1045 options
->user
= NULL
;
1046 options
->escape_char
= -1;
1047 options
->system_hostfile
= NULL
;
1048 options
->user_hostfile
= NULL
;
1049 options
->system_hostfile2
= NULL
;
1050 options
->user_hostfile2
= NULL
;
1051 options
->num_local_forwards
= 0;
1052 options
->num_remote_forwards
= 0;
1053 options
->clear_forwardings
= -1;
1054 options
->log_level
= SYSLOG_LEVEL_NOT_SET
;
1055 options
->preferred_authentications
= NULL
;
1056 options
->bind_address
= NULL
;
1057 options
->smartcard_device
= NULL
;
1058 options
->enable_ssh_keysign
= - 1;
1059 options
->no_host_authentication_for_localhost
= - 1;
1060 options
->identities_only
= - 1;
1061 options
->rekey_limit
= - 1;
1062 options
->verify_host_key_dns
= -1;
1063 options
->server_alive_interval
= -1;
1064 options
->server_alive_count_max
= -1;
1065 options
->num_send_env
= 0;
1066 options
->control_path
= NULL
;
1067 options
->control_master
= -1;
1068 options
->hash_known_hosts
= -1;
1069 options
->tun_open
= -1;
1070 options
->tun_local
= -1;
1071 options
->tun_remote
= -1;
1072 options
->local_command
= NULL
;
1073 options
->permit_local_command
= -1;
1074 options
->visual_host_key
= -1;
1078 * Called after processing other sources of option data, this fills those
1079 * options for which no value has been specified with their default values.
1083 fill_default_options(Options
* options
)
1087 if (options
->forward_agent
== -1)
1088 options
->forward_agent
= 0;
1089 if (options
->forward_x11
== -1)
1090 options
->forward_x11
= 0;
1091 if (options
->forward_x11_trusted
== -1)
1092 options
->forward_x11_trusted
= 0;
1093 if (options
->exit_on_forward_failure
== -1)
1094 options
->exit_on_forward_failure
= 0;
1095 if (options
->xauth_location
== NULL
)
1096 options
->xauth_location
= _PATH_XAUTH
;
1097 if (options
->gateway_ports
== -1)
1098 options
->gateway_ports
= 0;
1099 if (options
->use_privileged_port
== -1)
1100 options
->use_privileged_port
= 0;
1101 if (options
->rsa_authentication
== -1)
1102 options
->rsa_authentication
= 1;
1103 if (options
->pubkey_authentication
== -1)
1104 options
->pubkey_authentication
= 1;
1105 if (options
->challenge_response_authentication
== -1)
1106 options
->challenge_response_authentication
= 1;
1107 if (options
->gss_authentication
== -1)
1108 options
->gss_authentication
= 0;
1109 if (options
->gss_deleg_creds
== -1)
1110 options
->gss_deleg_creds
= 0;
1111 if (options
->password_authentication
== -1)
1112 options
->password_authentication
= 1;
1113 if (options
->kbd_interactive_authentication
== -1)
1114 options
->kbd_interactive_authentication
= 1;
1115 if (options
->rhosts_rsa_authentication
== -1)
1116 options
->rhosts_rsa_authentication
= 0;
1117 if (options
->hostbased_authentication
== -1)
1118 options
->hostbased_authentication
= 0;
1119 if (options
->batch_mode
== -1)
1120 options
->batch_mode
= 0;
1121 if (options
->check_host_ip
== -1)
1122 options
->check_host_ip
= 1;
1123 if (options
->strict_host_key_checking
== -1)
1124 options
->strict_host_key_checking
= 2; /* 2 is default */
1125 if (options
->compression
== -1)
1126 options
->compression
= 0;
1127 if (options
->tcp_keep_alive
== -1)
1128 options
->tcp_keep_alive
= 1;
1129 if (options
->compression_level
== -1)
1130 options
->compression_level
= 6;
1131 if (options
->port
== -1)
1132 options
->port
= 0; /* Filled in ssh_connect. */
1133 if (options
->address_family
== -1)
1134 options
->address_family
= AF_UNSPEC
;
1135 if (options
->connection_attempts
== -1)
1136 options
->connection_attempts
= 1;
1137 if (options
->number_of_password_prompts
== -1)
1138 options
->number_of_password_prompts
= 3;
1139 /* Selected in ssh_login(). */
1140 if (options
->cipher
== -1)
1141 options
->cipher
= SSH_CIPHER_NOT_SET
;
1142 /* options->ciphers, default set in myproposals.h */
1143 /* options->macs, default set in myproposals.h */
1144 /* options->hostkeyalgorithms, default set in myproposals.h */
1145 if (options
->protocol
== SSH_PROTO_UNKNOWN
)
1146 options
->protocol
= SSH_PROTO_1
|SSH_PROTO_2
;
1147 if (options
->num_identity_files
== 0) {
1148 if (options
->protocol
& SSH_PROTO_1
) {
1149 len
= 2 + strlen(_PATH_SSH_CLIENT_IDENTITY
) + 1;
1150 options
->identity_files
[options
->num_identity_files
] =
1152 snprintf(options
->identity_files
[options
->num_identity_files
++],
1153 len
, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY
);
1155 if (options
->protocol
& SSH_PROTO_2
) {
1156 len
= 2 + strlen(_PATH_SSH_CLIENT_ID_RSA
) + 1;
1157 options
->identity_files
[options
->num_identity_files
] =
1159 snprintf(options
->identity_files
[options
->num_identity_files
++],
1160 len
, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA
);
1162 len
= 2 + strlen(_PATH_SSH_CLIENT_ID_DSA
) + 1;
1163 options
->identity_files
[options
->num_identity_files
] =
1165 snprintf(options
->identity_files
[options
->num_identity_files
++],
1166 len
, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA
);
1169 if (options
->escape_char
== -1)
1170 options
->escape_char
= '~';
1171 if (options
->system_hostfile
== NULL
)
1172 options
->system_hostfile
= _PATH_SSH_SYSTEM_HOSTFILE
;
1173 if (options
->user_hostfile
== NULL
)
1174 options
->user_hostfile
= _PATH_SSH_USER_HOSTFILE
;
1175 if (options
->system_hostfile2
== NULL
)
1176 options
->system_hostfile2
= _PATH_SSH_SYSTEM_HOSTFILE2
;
1177 if (options
->user_hostfile2
== NULL
)
1178 options
->user_hostfile2
= _PATH_SSH_USER_HOSTFILE2
;
1179 if (options
->log_level
== SYSLOG_LEVEL_NOT_SET
)
1180 options
->log_level
= SYSLOG_LEVEL_INFO
;
1181 if (options
->clear_forwardings
== 1)
1182 clear_forwardings(options
);
1183 if (options
->no_host_authentication_for_localhost
== - 1)
1184 options
->no_host_authentication_for_localhost
= 0;
1185 if (options
->identities_only
== -1)
1186 options
->identities_only
= 0;
1187 if (options
->enable_ssh_keysign
== -1)
1188 options
->enable_ssh_keysign
= 0;
1189 if (options
->rekey_limit
== -1)
1190 options
->rekey_limit
= 0;
1191 if (options
->verify_host_key_dns
== -1)
1192 options
->verify_host_key_dns
= 0;
1193 if (options
->server_alive_interval
== -1)
1194 options
->server_alive_interval
= 0;
1195 if (options
->server_alive_count_max
== -1)
1196 options
->server_alive_count_max
= 3;
1197 if (options
->control_master
== -1)
1198 options
->control_master
= 0;
1199 if (options
->hash_known_hosts
== -1)
1200 options
->hash_known_hosts
= 0;
1201 if (options
->tun_open
== -1)
1202 options
->tun_open
= SSH_TUNMODE_NO
;
1203 if (options
->tun_local
== -1)
1204 options
->tun_local
= SSH_TUNID_ANY
;
1205 if (options
->tun_remote
== -1)
1206 options
->tun_remote
= SSH_TUNID_ANY
;
1207 if (options
->permit_local_command
== -1)
1208 options
->permit_local_command
= 0;
1209 if (options
->visual_host_key
== -1)
1210 options
->visual_host_key
= 0;
1211 /* options->local_command should not be set by default */
1212 /* options->proxy_command should not be set by default */
1213 /* options->user will be set in the main program if appropriate */
1214 /* options->hostname will be set in the main program if appropriate */
1215 /* options->host_key_alias should not be set by default */
1216 /* options->preferred_authentications will be set in ssh */
1221 * parses a string containing a port forwarding specification of the form:
1222 * [listenhost:]listenport:connecthost:connectport
1223 * returns number of arguments parsed or zero on error
1226 parse_forward(Forward
*fwd
, const char *fwdspec
)
1229 char *p
, *cp
, *fwdarg
[4];
1231 memset(fwd
, '\0', sizeof(*fwd
));
1233 cp
= p
= xstrdup(fwdspec
);
1235 /* skip leading spaces */
1236 while (isspace(*cp
))
1239 for (i
= 0; i
< 4; ++i
)
1240 if ((fwdarg
[i
] = hpdelim(&cp
)) == NULL
)
1243 /* Check for trailing garbage in 4-arg case*/
1245 i
= 0; /* failure */
1249 fwd
->listen_host
= NULL
;
1250 fwd
->listen_port
= a2port(fwdarg
[0]);
1251 fwd
->connect_host
= xstrdup(cleanhostname(fwdarg
[1]));
1252 fwd
->connect_port
= a2port(fwdarg
[2]);
1256 fwd
->listen_host
= xstrdup(cleanhostname(fwdarg
[0]));
1257 fwd
->listen_port
= a2port(fwdarg
[1]);
1258 fwd
->connect_host
= xstrdup(cleanhostname(fwdarg
[2]));
1259 fwd
->connect_port
= a2port(fwdarg
[3]);
1262 i
= 0; /* failure */
1267 if (fwd
->listen_port
== 0 || fwd
->connect_port
== 0)
1270 if (fwd
->connect_host
!= NULL
&&
1271 strlen(fwd
->connect_host
) >= NI_MAXHOST
)
1277 if (fwd
->connect_host
!= NULL
)
1278 xfree(fwd
->connect_host
);
1279 if (fwd
->listen_host
!= NULL
)
1280 xfree(fwd
->listen_host
);