1 /* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Definitions for server configuration data and for the functions reading it.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #define MAX_PORTS 256 /* Max # ports. */
21 #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
22 #define MAX_DENY_USERS 256 /* Max # users on deny list. */
23 #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */
24 #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
25 #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
26 #define MAX_HOSTKEYS 256 /* Max # hostkeys. */
27 #define MAX_HOSTCERTS 256 /* Max # host certificates. */
28 #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */
29 #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */
30 #define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */
31 #define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */
33 /* permit_root_login */
34 #define PERMIT_NOT_SET -1
36 #define PERMIT_FORCED_ONLY 1
37 #define PERMIT_NO_PASSWD 2
43 #define PRIVSEP_NOSANDBOX 2
45 /* AllowTCPForwarding */
46 #define FORWARD_DENY 0
47 #define FORWARD_REMOTE (1)
48 #define FORWARD_LOCAL (1<<1)
49 #define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
51 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
52 #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
54 /* Magic name for internal sftp-server */
55 #define INTERNAL_SFTP_NAME "internal-sftp"
59 u_int ports_from_cmdline
;
60 int ports
[MAX_PORTS
]; /* Port number to listen on. */
61 char *listen_addr
; /* Address on which the server listens. */
62 struct addrinfo
*listen_addrs
; /* Addresses on which the server listens. */
63 int address_family
; /* Address family used by the server. */
64 char *host_key_files
[MAX_HOSTKEYS
]; /* Files containing host keys. */
65 int num_host_key_files
; /* Number of files for host keys. */
66 char *host_cert_files
[MAX_HOSTCERTS
]; /* Files containing host certs. */
67 int num_host_cert_files
; /* Number of files for host certs. */
68 char *host_key_agent
; /* ssh-agent socket for host keys. */
69 char *pid_file
; /* Where to put our pid */
70 int server_key_bits
;/* Size of the server key. */
71 int login_grace_time
; /* Disconnect if no auth in this time
73 int key_regeneration_time
; /* Server key lifetime (seconds). */
74 int permit_root_login
; /* PERMIT_*, see above */
75 int ignore_rhosts
; /* Ignore .rhosts and .shosts. */
76 int ignore_user_known_hosts
; /* Ignore ~/.ssh/known_hosts
77 * for RhostsRsaAuth */
78 int print_motd
; /* If true, print /etc/motd. */
79 int print_lastlog
; /* If true, print lastlog */
80 int x11_forwarding
; /* If true, permit inet (spoofing) X11 fwd. */
81 int x11_display_offset
; /* What DISPLAY number to start
83 int x11_use_localhost
; /* If true, use localhost for fake X11 server. */
84 char *xauth_location
; /* Location of xauth program */
85 int permit_tty
; /* If false, deny pty allocation */
86 int permit_user_rc
; /* If false, deny ~/.ssh/rc execution */
87 int strict_modes
; /* If true, require string home dir modes. */
88 int tcp_keep_alive
; /* If true, set SO_KEEPALIVE. */
89 int ip_qos_interactive
; /* IP ToS/DSCP/class for interactive */
90 int ip_qos_bulk
; /* IP ToS/DSCP/class for bulk traffic */
91 char *ciphers
; /* Supported SSH2 ciphers. */
92 char *macs
; /* Supported SSH2 macs. */
93 char *kex_algorithms
; /* SSH2 kex methods in order of preference. */
94 int protocol
; /* Supported protocol versions. */
95 struct ForwardOptions fwd_opts
; /* forwarding options */
96 SyslogFacility log_facility
; /* Facility for system logging. */
97 LogLevel log_level
; /* Level for system logging. */
98 int rhosts_rsa_authentication
; /* If true, permit rhosts RSA
100 int hostbased_authentication
; /* If true, permit ssh2 hostbased auth */
101 int hostbased_uses_name_from_packet_only
; /* experimental */
102 int rsa_authentication
; /* If true, permit RSA authentication. */
103 int pubkey_authentication
; /* If true, permit ssh2 pubkey authentication. */
104 int kerberos_authentication
; /* If true, permit Kerberos
106 int kerberos_or_local_passwd
; /* If true, permit kerberos
107 * and any other password
108 * authentication mechanism,
111 int kerberos_ticket_cleanup
; /* If true, destroy ticket
113 int kerberos_get_afs_token
; /* If true, try to get AFS token if
114 * authenticated with Kerberos. */
115 int gss_authentication
; /* If true, permit GSSAPI authentication */
116 int gss_cleanup_creds
; /* If true, destroy cred cache on logout */
117 int password_authentication
; /* If true, permit password
119 int kbd_interactive_authentication
; /* If true, permit */
120 int challenge_response_authentication
;
121 int permit_blacklisted_keys
; /* If true, permit */
122 int permit_empty_passwd
; /* If false, do not permit empty
124 int permit_user_env
; /* If true, read ~/.ssh/environment */
125 int use_login
; /* If true, login(1) is used */
126 int compression
; /* If true, compression is allowed */
127 int allow_tcp_forwarding
; /* One of FORWARD_* */
128 int allow_streamlocal_forwarding
; /* One of FORWARD_* */
129 int allow_agent_forwarding
;
130 u_int num_allow_users
;
131 char *allow_users
[MAX_ALLOW_USERS
];
132 u_int num_deny_users
;
133 char *deny_users
[MAX_DENY_USERS
];
134 u_int num_allow_groups
;
135 char *allow_groups
[MAX_ALLOW_GROUPS
];
136 u_int num_deny_groups
;
137 char *deny_groups
[MAX_DENY_GROUPS
];
139 u_int num_subsystems
;
140 char *subsystem_name
[MAX_SUBSYSTEMS
];
141 char *subsystem_command
[MAX_SUBSYSTEMS
];
142 char *subsystem_args
[MAX_SUBSYSTEMS
];
144 u_int num_accept_env
;
145 char *accept_env
[MAX_ACCEPT_ENV
];
147 int max_startups_begin
;
148 int max_startups_rate
;
152 char *banner
; /* SSH-2 banner message */
154 int client_alive_interval
; /*
155 * poke the client this often to
156 * see if it's still there
158 int client_alive_count_max
; /*
159 * If the client is unresponsive
160 * for this many intervals above,
161 * disconnect the session
164 u_int num_authkeys_files
; /* Files containing public keys */
165 char *authorized_keys_files
[MAX_AUTHKEYS_FILES
];
167 char *adm_forced_command
;
169 int use_pam
; /* Enable auth via PAM */
170 int none_enabled
; /* enable NONE cipher switch */
171 int tcp_rcv_buf_poll
; /* poll tcp rcv window in autotuning kernels*/
172 int hpn_disabled
; /* disable hpn functionality. false by default */
173 int hpn_buffer_size
; /* set the hpn buffer size - default 3MB */
177 int num_permitted_opens
;
179 char *chroot_directory
;
180 char *revoked_keys_file
;
181 char *trusted_user_ca_keys
;
182 char *authorized_principals_file
;
183 char *authorized_keys_command
;
184 char *authorized_keys_command_user
;
189 char *version_addendum
; /* Appended to SSH banner */
191 u_int num_auth_methods
;
192 char *auth_methods
[MAX_AUTH_METHODS
];
195 /* Information about the incoming connection as used by Match */
196 struct connection_info
{
198 const char *host
; /* possibly resolved hostname */
199 const char *address
; /* remote address */
200 const char *laddress
; /* local address */
201 int lport
; /* local port */
206 * These are string config options that must be copied between the
207 * Match sub-config and the main config, and must be sent from the
208 * privsep slave to the privsep master. We use a macro to ensure all
209 * the options are copied and the copies are done in the correct order.
211 * NB. an option must appear in servconf.c:copy_set_server_options() or
212 * COPY_MATCH_STRING_OPTS here but never both.
214 #define COPY_MATCH_STRING_OPTS() do { \
215 M_CP_STROPT(banner); \
216 M_CP_STROPT(trusted_user_ca_keys); \
217 M_CP_STROPT(revoked_keys_file); \
218 M_CP_STROPT(authorized_principals_file); \
219 M_CP_STROPT(authorized_keys_command); \
220 M_CP_STROPT(authorized_keys_command_user); \
221 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
222 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
223 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
224 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
225 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
226 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
227 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
230 struct connection_info
*get_connection_info(int, int);
231 void initialize_server_options(ServerOptions
*);
232 void fill_default_server_options(ServerOptions
*);
233 int process_server_config_line(ServerOptions
*, char *, const char *, int,
234 int *, struct connection_info
*);
235 void load_server_config(const char *, Buffer
*);
236 void parse_server_config(ServerOptions
*, const char *, Buffer
*,
237 struct connection_info
*);
238 void parse_server_match_config(ServerOptions
*, struct connection_info
*);
239 int parse_server_match_testspec(struct connection_info
*, char *);
240 int server_match_spec_complete(struct connection_info
*);
241 void copy_set_server_options(ServerOptions
*, ServerOptions
*, int);
242 void dump_config(ServerOptions
*);
243 char *derelativise_path(const char *);
245 #endif /* SERVCONF_H */