search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nrelease - fix/improve livecd
[dragonfly.git] / crypto / openssh / servconf.h
blob9346155ce5bc001eff6bca5fd54b7622e3d73dc2
1 /* $OpenBSD: servconf.h,v 1.157 2022/09/17 10:34:29 djm Exp $ */
2
3 /*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * All rights reserved
7 * Definitions for server configuration data and for the functions reading it.
8 *
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
14 */
15
16 #ifndef SERVCONF_H
17 #define SERVCONF_H
18
19 #include <openbsd-compat/sys-queue.h>
20
21 #define MAX_PORTS 256 /* Max # ports. */
22
23 #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
24
25 /* permit_root_login */
26 #define PERMIT_NOT_SET -1
27 #define PERMIT_NO 0
28 #define PERMIT_FORCED_ONLY 1
29 #define PERMIT_NO_PASSWD 2
30 #define PERMIT_YES 3
31
32 /* use_privsep */
33 #define PRIVSEP_OFF 0
34 #define PRIVSEP_ON 1
35 #define PRIVSEP_NOSANDBOX 2
36
37 /* PermitOpen */
38 #define PERMITOPEN_ANY 0
39 #define PERMITOPEN_NONE -2
40
41 /* IgnoreRhosts */
42 #define IGNORE_RHOSTS_NO 0
43 #define IGNORE_RHOSTS_YES 1
44 #define IGNORE_RHOSTS_SHOSTS 2
45
46 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
47 #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
48
49 /* Magic name for internal sftp-server */
50 #define INTERNAL_SFTP_NAME "internal-sftp"
51
52 /* PubkeyAuthOptions flags */
53 #define PUBKEYAUTH_TOUCH_REQUIRED (1)
54 #define PUBKEYAUTH_VERIFY_REQUIRED (1<<1)
55
56 struct ssh;
57 struct fwd_perm_list;
58
59 /*
60 * Used to store addresses from ListenAddr directives. These may be
61 * incomplete, as they may specify addresses that need to be merged
62 * with any ports requested by ListenPort.
63 */
64 struct queued_listenaddr {
65 char *addr;
66 int port; /* <=0 if unspecified */
67 char *rdomain;
68 };
69
70 /* Resolved listen addresses, grouped by optional routing domain */
71 struct listenaddr {
72 char *rdomain;
73 struct addrinfo *addrs;
74 };
75
76 typedef struct {
77 u_int num_ports;
78 u_int ports_from_cmdline;
79 int ports[MAX_PORTS]; /* Port number to listen on. */
80 struct queued_listenaddr *queued_listen_addrs;
81 u_int num_queued_listens;
82 struct listenaddr *listen_addrs;
83 u_int num_listen_addrs;
84 int address_family; /* Address family used by the server. */
85
86 char *routing_domain; /* Bind session to routing domain */
87
88 char **host_key_files; /* Files containing host keys. */
89 int *host_key_file_userprovided; /* Key was specified by user. */
90 u_int num_host_key_files; /* Number of files for host keys. */
91 char **host_cert_files; /* Files containing host certs. */
92 u_int num_host_cert_files; /* Number of files for host certs. */
93
94 char *host_key_agent; /* ssh-agent socket for host keys. */
95 char *pid_file; /* Where to put our pid */
96 char *moduli_file; /* moduli file for DH-GEX */
97 int login_grace_time; /* Disconnect if no auth in this time
98 * (sec). */
99 int permit_root_login; /* PERMIT_*, see above */
100 int ignore_rhosts; /* Ignore .rhosts and .shosts. */
101 int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts
102 * for RhostsRsaAuth */
103 int print_motd; /* If true, print /etc/motd. */
104 int print_lastlog; /* If true, print lastlog */
105 int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
106 int x11_display_offset; /* What DISPLAY number to start
107 * searching at */
108 int x11_use_localhost; /* If true, use localhost for fake X11 server. */
109 char *xauth_location; /* Location of xauth program */
110 int permit_tty; /* If false, deny pty allocation */
111 int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
112 int strict_modes; /* If true, require string home dir modes. */
113 int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
114 int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
115 int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
116 char *ciphers; /* Supported SSH2 ciphers. */
117 char *macs; /* Supported SSH2 macs. */
118 char *kex_algorithms; /* SSH2 kex methods in order of preference. */
119 struct ForwardOptions fwd_opts; /* forwarding options */
120 SyslogFacility log_facility; /* Facility for system logging. */
121 LogLevel log_level; /* Level for system logging. */
122 u_int num_log_verbose; /* Verbose log overrides */
123 char **log_verbose;
124 int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
125 int hostbased_uses_name_from_packet_only; /* experimental */
126 char *hostbased_accepted_algos; /* Algos allowed for hostbased */
127 char *hostkeyalgorithms; /* SSH2 server key types */
128 char *ca_sign_algorithms; /* Allowed CA signature algorithms */
129 int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
130 char *pubkey_accepted_algos; /* Signature algos allowed for pubkey */
131 int pubkey_auth_options; /* -1 or mask of PUBKEYAUTH_* flags */
132 int kerberos_authentication; /* If true, permit Kerberos
133 * authentication. */
134 int kerberos_or_local_passwd; /* If true, permit kerberos
135 * and any other password
136 * authentication mechanism,
137 * such as SecurID or
138 * /etc/passwd */
139 int kerberos_ticket_cleanup; /* If true, destroy ticket
140 * file on logout. */
141 int kerberos_get_afs_token; /* If true, try to get AFS token if
142 * authenticated with Kerberos. */
143 int gss_authentication; /* If true, permit GSSAPI authentication */
144 int gss_cleanup_creds; /* If true, destroy cred cache on logout */
145 int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
146 int password_authentication; /* If true, permit password
147 * authentication. */
148 int kbd_interactive_authentication; /* If true, permit */
149 int permit_empty_passwd; /* If false, do not permit empty
150 * passwords. */
151 int permit_user_env; /* If true, read ~/.ssh/environment */
152 char *permit_user_env_allowlist; /* pattern-list of allowed env names */
153 int compression; /* If true, compression is allowed */
154 int allow_tcp_forwarding; /* One of FORWARD_* */
155 int allow_streamlocal_forwarding; /* One of FORWARD_* */
156 int allow_agent_forwarding;
157 int disable_forwarding;
158 u_int num_allow_users;
159 char **allow_users;
160 u_int num_deny_users;
161 char **deny_users;
162 u_int num_allow_groups;
163 char **allow_groups;
164 u_int num_deny_groups;
165 char **deny_groups;
166
167 u_int num_subsystems;
168 char *subsystem_name[MAX_SUBSYSTEMS];
169 char *subsystem_command[MAX_SUBSYSTEMS];
170 char *subsystem_args[MAX_SUBSYSTEMS];
171
172 u_int num_accept_env;
173 char **accept_env;
174 u_int num_setenv;
175 char **setenv;
176
177 int max_startups_begin;
178 int max_startups_rate;
179 int max_startups;
180 int per_source_max_startups;
181 int per_source_masklen_ipv4;
182 int per_source_masklen_ipv6;
183 int max_authtries;
184 int max_sessions;
185 char *banner; /* SSH-2 banner message */
186 int use_dns;
187 int client_alive_interval; /*
188 * poke the client this often to
189 * see if it's still there
190 */
191 int client_alive_count_max; /*
192 * If the client is unresponsive
193 * for this many intervals above,
194 * disconnect the session
195 */
196
197 u_int num_authkeys_files; /* Files containing public keys */
198 char **authorized_keys_files;
199
200 char *adm_forced_command;
201
202 int use_pam; /* Enable auth via PAM */
203
204 int permit_tun;
205
206 char **permitted_opens; /* May also be one of PERMITOPEN_* */
207 u_int num_permitted_opens;
208 char **permitted_listens; /* May also be one of PERMITOPEN_* */
209 u_int num_permitted_listens;
210
211 char *chroot_directory;
212 char *revoked_keys_file;
213 char *trusted_user_ca_keys;
214 char *authorized_keys_command;
215 char *authorized_keys_command_user;
216 char *authorized_principals_file;
217 char *authorized_principals_command;
218 char *authorized_principals_command_user;
219
220 int64_t rekey_limit;
221 int rekey_interval;
222
223 char *version_addendum; /* Appended to SSH banner */
224
225 u_int num_auth_methods;
226 char **auth_methods;
227
228 int fingerprint_hash;
229 int expose_userauth_info;
230 u_int64_t timing_secret;
231 char *sk_provider;
232 int required_rsa_size; /* minimum size of RSA keys */
233 } ServerOptions;
234
235 /* Information about the incoming connection as used by Match */
236 struct connection_info {
237 const char *user;
238 const char *host; /* possibly resolved hostname */
239 const char *address; /* remote address */
240 const char *laddress; /* local address */
241 int lport; /* local port */
242 const char *rdomain; /* routing domain if available */
243 int test; /* test mode, allow some attributes to be
244 * unspecified */
245 };
246
247 /* List of included files for re-exec from the parsed configuration */
248 struct include_item {
249 char *selector;
250 char *filename;
251 struct sshbuf *contents;
252 TAILQ_ENTRY(include_item) entry;
253 };
254 TAILQ_HEAD(include_list, include_item);
255
256
257 /*
258 * These are string config options that must be copied between the
259 * Match sub-config and the main config, and must be sent from the
260 * privsep child to the privsep master. We use a macro to ensure all
261 * the options are copied and the copies are done in the correct order.
262 *
263 * NB. an option must appear in servconf.c:copy_set_server_options() or
264 * COPY_MATCH_STRING_OPTS here but never both.
265 */
266 #define COPY_MATCH_STRING_OPTS() do { \
267 M_CP_STROPT(banner); \
268 M_CP_STROPT(trusted_user_ca_keys); \
269 M_CP_STROPT(revoked_keys_file); \
270 M_CP_STROPT(authorized_keys_command); \
271 M_CP_STROPT(authorized_keys_command_user); \
272 M_CP_STROPT(authorized_principals_file); \
273 M_CP_STROPT(authorized_principals_command); \
274 M_CP_STROPT(authorized_principals_command_user); \
275 M_CP_STROPT(hostbased_accepted_algos); \
276 M_CP_STROPT(pubkey_accepted_algos); \
277 M_CP_STROPT(ca_sign_algorithms); \
278 M_CP_STROPT(routing_domain); \
279 M_CP_STROPT(permit_user_env_allowlist); \
280 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
281 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
282 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
283 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
284 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
285 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
286 M_CP_STRARRAYOPT(setenv, num_setenv); \
287 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
288 M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
289 M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
290 M_CP_STRARRAYOPT(log_verbose, num_log_verbose); \
291 } while (0)
292
293 struct connection_info *get_connection_info(struct ssh *, int, int);
294 void initialize_server_options(ServerOptions *);
295 void fill_default_server_options(ServerOptions *);
296 int process_server_config_line(ServerOptions *, char *, const char *, int,
297 int *, struct connection_info *, struct include_list *includes);
298 void process_permitopen(struct ssh *ssh, ServerOptions *options);
299 void load_server_config(const char *, struct sshbuf *);
300 void parse_server_config(ServerOptions *, const char *, struct sshbuf *,
301 struct include_list *includes, struct connection_info *, int);
302 void parse_server_match_config(ServerOptions *,
303 struct include_list *includes, struct connection_info *);
304 int parse_server_match_testspec(struct connection_info *, char *);
305 int server_match_spec_complete(struct connection_info *);
306 void copy_set_server_options(ServerOptions *, ServerOptions *, int);
307 void dump_config(ServerOptions *);
308 char *derelativise_path(const char *);
309 void servconf_add_hostkey(const char *, const int,
310 ServerOptions *, const char *path, int);
311 void servconf_add_hostcert(const char *, const int,
312 ServerOptions *, const char *path);
313
314 #endif /* SERVCONF_H */
DragonFly BSD