1 /* $OpenBSD: servconf.h,v 1.157 2022/09/17 10:34:29 djm Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Definitions for server configuration data and for the functions reading it.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #include <openbsd-compat/sys-queue.h>
21 #define MAX_PORTS 256 /* Max # ports. */
23 #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
25 /* permit_root_login */
26 #define PERMIT_NOT_SET -1
28 #define PERMIT_FORCED_ONLY 1
29 #define PERMIT_NO_PASSWD 2
35 #define PRIVSEP_NOSANDBOX 2
38 #define PERMITOPEN_ANY 0
39 #define PERMITOPEN_NONE -2
42 #define IGNORE_RHOSTS_NO 0
43 #define IGNORE_RHOSTS_YES 1
44 #define IGNORE_RHOSTS_SHOSTS 2
46 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
47 #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
49 /* Magic name for internal sftp-server */
50 #define INTERNAL_SFTP_NAME "internal-sftp"
52 /* PubkeyAuthOptions flags */
53 #define PUBKEYAUTH_TOUCH_REQUIRED (1)
54 #define PUBKEYAUTH_VERIFY_REQUIRED (1<<1)
60 * Used to store addresses from ListenAddr directives. These may be
61 * incomplete, as they may specify addresses that need to be merged
62 * with any ports requested by ListenPort.
64 struct queued_listenaddr
{
66 int port
; /* <=0 if unspecified */
70 /* Resolved listen addresses, grouped by optional routing domain */
73 struct addrinfo
*addrs
;
78 u_int ports_from_cmdline
;
79 int ports
[MAX_PORTS
]; /* Port number to listen on. */
80 struct queued_listenaddr
*queued_listen_addrs
;
81 u_int num_queued_listens
;
82 struct listenaddr
*listen_addrs
;
83 u_int num_listen_addrs
;
84 int address_family
; /* Address family used by the server. */
86 char *routing_domain
; /* Bind session to routing domain */
88 char **host_key_files
; /* Files containing host keys. */
89 int *host_key_file_userprovided
; /* Key was specified by user. */
90 u_int num_host_key_files
; /* Number of files for host keys. */
91 char **host_cert_files
; /* Files containing host certs. */
92 u_int num_host_cert_files
; /* Number of files for host certs. */
94 char *host_key_agent
; /* ssh-agent socket for host keys. */
95 char *pid_file
; /* Where to put our pid */
96 char *moduli_file
; /* moduli file for DH-GEX */
97 int login_grace_time
; /* Disconnect if no auth in this time
99 int permit_root_login
; /* PERMIT_*, see above */
100 int ignore_rhosts
; /* Ignore .rhosts and .shosts. */
101 int ignore_user_known_hosts
; /* Ignore ~/.ssh/known_hosts
102 * for RhostsRsaAuth */
103 int print_motd
; /* If true, print /etc/motd. */
104 int print_lastlog
; /* If true, print lastlog */
105 int x11_forwarding
; /* If true, permit inet (spoofing) X11 fwd. */
106 int x11_display_offset
; /* What DISPLAY number to start
108 int x11_use_localhost
; /* If true, use localhost for fake X11 server. */
109 char *xauth_location
; /* Location of xauth program */
110 int permit_tty
; /* If false, deny pty allocation */
111 int permit_user_rc
; /* If false, deny ~/.ssh/rc execution */
112 int strict_modes
; /* If true, require string home dir modes. */
113 int tcp_keep_alive
; /* If true, set SO_KEEPALIVE. */
114 int ip_qos_interactive
; /* IP ToS/DSCP/class for interactive */
115 int ip_qos_bulk
; /* IP ToS/DSCP/class for bulk traffic */
116 char *ciphers
; /* Supported SSH2 ciphers. */
117 char *macs
; /* Supported SSH2 macs. */
118 char *kex_algorithms
; /* SSH2 kex methods in order of preference. */
119 struct ForwardOptions fwd_opts
; /* forwarding options */
120 SyslogFacility log_facility
; /* Facility for system logging. */
121 LogLevel log_level
; /* Level for system logging. */
122 u_int num_log_verbose
; /* Verbose log overrides */
124 int hostbased_authentication
; /* If true, permit ssh2 hostbased auth */
125 int hostbased_uses_name_from_packet_only
; /* experimental */
126 char *hostbased_accepted_algos
; /* Algos allowed for hostbased */
127 char *hostkeyalgorithms
; /* SSH2 server key types */
128 char *ca_sign_algorithms
; /* Allowed CA signature algorithms */
129 int pubkey_authentication
; /* If true, permit ssh2 pubkey authentication. */
130 char *pubkey_accepted_algos
; /* Signature algos allowed for pubkey */
131 int pubkey_auth_options
; /* -1 or mask of PUBKEYAUTH_* flags */
132 int kerberos_authentication
; /* If true, permit Kerberos
134 int kerberos_or_local_passwd
; /* If true, permit kerberos
135 * and any other password
136 * authentication mechanism,
139 int kerberos_ticket_cleanup
; /* If true, destroy ticket
141 int kerberos_get_afs_token
; /* If true, try to get AFS token if
142 * authenticated with Kerberos. */
143 int gss_authentication
; /* If true, permit GSSAPI authentication */
144 int gss_cleanup_creds
; /* If true, destroy cred cache on logout */
145 int gss_strict_acceptor
; /* If true, restrict the GSSAPI acceptor name */
146 int password_authentication
; /* If true, permit password
148 int kbd_interactive_authentication
; /* If true, permit */
149 int permit_empty_passwd
; /* If false, do not permit empty
151 int permit_user_env
; /* If true, read ~/.ssh/environment */
152 char *permit_user_env_allowlist
; /* pattern-list of allowed env names */
153 int compression
; /* If true, compression is allowed */
154 int allow_tcp_forwarding
; /* One of FORWARD_* */
155 int allow_streamlocal_forwarding
; /* One of FORWARD_* */
156 int allow_agent_forwarding
;
157 int disable_forwarding
;
158 u_int num_allow_users
;
160 u_int num_deny_users
;
162 u_int num_allow_groups
;
164 u_int num_deny_groups
;
167 u_int num_subsystems
;
168 char *subsystem_name
[MAX_SUBSYSTEMS
];
169 char *subsystem_command
[MAX_SUBSYSTEMS
];
170 char *subsystem_args
[MAX_SUBSYSTEMS
];
172 u_int num_accept_env
;
177 int max_startups_begin
;
178 int max_startups_rate
;
180 int per_source_max_startups
;
181 int per_source_masklen_ipv4
;
182 int per_source_masklen_ipv6
;
185 char *banner
; /* SSH-2 banner message */
187 int client_alive_interval
; /*
188 * poke the client this often to
189 * see if it's still there
191 int client_alive_count_max
; /*
192 * If the client is unresponsive
193 * for this many intervals above,
194 * disconnect the session
197 u_int num_authkeys_files
; /* Files containing public keys */
198 char **authorized_keys_files
;
200 char *adm_forced_command
;
202 int use_pam
; /* Enable auth via PAM */
206 char **permitted_opens
; /* May also be one of PERMITOPEN_* */
207 u_int num_permitted_opens
;
208 char **permitted_listens
; /* May also be one of PERMITOPEN_* */
209 u_int num_permitted_listens
;
211 char *chroot_directory
;
212 char *revoked_keys_file
;
213 char *trusted_user_ca_keys
;
214 char *authorized_keys_command
;
215 char *authorized_keys_command_user
;
216 char *authorized_principals_file
;
217 char *authorized_principals_command
;
218 char *authorized_principals_command_user
;
223 char *version_addendum
; /* Appended to SSH banner */
225 u_int num_auth_methods
;
228 int fingerprint_hash
;
229 int expose_userauth_info
;
230 u_int64_t timing_secret
;
232 int required_rsa_size
; /* minimum size of RSA keys */
235 /* Information about the incoming connection as used by Match */
236 struct connection_info
{
238 const char *host
; /* possibly resolved hostname */
239 const char *address
; /* remote address */
240 const char *laddress
; /* local address */
241 int lport
; /* local port */
242 const char *rdomain
; /* routing domain if available */
243 int test
; /* test mode, allow some attributes to be
247 /* List of included files for re-exec from the parsed configuration */
248 struct include_item
{
251 struct sshbuf
*contents
;
252 TAILQ_ENTRY(include_item
) entry
;
254 TAILQ_HEAD(include_list
, include_item
);
258 * These are string config options that must be copied between the
259 * Match sub-config and the main config, and must be sent from the
260 * privsep child to the privsep master. We use a macro to ensure all
261 * the options are copied and the copies are done in the correct order.
263 * NB. an option must appear in servconf.c:copy_set_server_options() or
264 * COPY_MATCH_STRING_OPTS here but never both.
266 #define COPY_MATCH_STRING_OPTS() do { \
267 M_CP_STROPT(banner); \
268 M_CP_STROPT(trusted_user_ca_keys); \
269 M_CP_STROPT(revoked_keys_file); \
270 M_CP_STROPT(authorized_keys_command); \
271 M_CP_STROPT(authorized_keys_command_user); \
272 M_CP_STROPT(authorized_principals_file); \
273 M_CP_STROPT(authorized_principals_command); \
274 M_CP_STROPT(authorized_principals_command_user); \
275 M_CP_STROPT(hostbased_accepted_algos); \
276 M_CP_STROPT(pubkey_accepted_algos); \
277 M_CP_STROPT(ca_sign_algorithms); \
278 M_CP_STROPT(routing_domain); \
279 M_CP_STROPT(permit_user_env_allowlist); \
280 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
281 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
282 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
283 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
284 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
285 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
286 M_CP_STRARRAYOPT(setenv, num_setenv); \
287 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
288 M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
289 M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
290 M_CP_STRARRAYOPT(log_verbose, num_log_verbose); \
293 struct connection_info
*get_connection_info(struct ssh
*, int, int);
294 void initialize_server_options(ServerOptions
*);
295 void fill_default_server_options(ServerOptions
*);
296 int process_server_config_line(ServerOptions
*, char *, const char *, int,
297 int *, struct connection_info
*, struct include_list
*includes
);
298 void process_permitopen(struct ssh
*ssh
, ServerOptions
*options
);
299 void load_server_config(const char *, struct sshbuf
*);
300 void parse_server_config(ServerOptions
*, const char *, struct sshbuf
*,
301 struct include_list
*includes
, struct connection_info
*, int);
302 void parse_server_match_config(ServerOptions
*,
303 struct include_list
*includes
, struct connection_info
*);
304 int parse_server_match_testspec(struct connection_info
*, char *);
305 int server_match_spec_complete(struct connection_info
*);
306 void copy_set_server_options(ServerOptions
*, ServerOptions
*, int);
307 void dump_config(ServerOptions
*);
308 char *derelativise_path(const char *);
309 void servconf_add_hostkey(const char *, const int,
310 ServerOptions
*, const char *path
, int);
311 void servconf_add_hostcert(const char *, const int,
312 ServerOptions
*, const char *path
);
314 #endif /* SERVCONF_H */