1 /* $OpenBSD: servconf.h,v 1.120 2015/07/10 06:21:53 markus Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Definitions for server configuration data and for the functions reading it.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #define MAX_PORTS 256 /* Max # ports. */
21 #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
22 #define MAX_DENY_USERS 256 /* Max # users on deny list. */
23 #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */
24 #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
25 #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
26 #define MAX_HOSTKEYS 256 /* Max # hostkeys. */
27 #define MAX_HOSTCERTS 256 /* Max # host certificates. */
28 #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */
29 #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */
30 #define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */
31 #define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */
33 /* permit_root_login */
34 #define PERMIT_NOT_SET -1
36 #define PERMIT_FORCED_ONLY 1
37 #define PERMIT_NO_PASSWD 2
43 #define PRIVSEP_NOSANDBOX 2
45 /* AllowTCPForwarding */
46 #define FORWARD_DENY 0
47 #define FORWARD_REMOTE (1)
48 #define FORWARD_LOCAL (1<<1)
49 #define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
51 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
52 #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
54 /* Magic name for internal sftp-server */
55 #define INTERNAL_SFTP_NAME "internal-sftp"
59 u_int ports_from_cmdline
;
60 int ports
[MAX_PORTS
]; /* Port number to listen on. */
61 u_int num_queued_listens
;
62 char **queued_listen_addrs
;
63 int *queued_listen_ports
;
64 struct addrinfo
*listen_addrs
; /* Addresses on which the server listens. */
65 int address_family
; /* Address family used by the server. */
66 char *host_key_files
[MAX_HOSTKEYS
]; /* Files containing host keys. */
67 int num_host_key_files
; /* Number of files for host keys. */
68 char *host_cert_files
[MAX_HOSTCERTS
]; /* Files containing host certs. */
69 int num_host_cert_files
; /* Number of files for host certs. */
70 char *host_key_agent
; /* ssh-agent socket for host keys. */
71 char *pid_file
; /* Where to put our pid */
72 int server_key_bits
;/* Size of the server key. */
73 int login_grace_time
; /* Disconnect if no auth in this time
75 int key_regeneration_time
; /* Server key lifetime (seconds). */
76 int permit_root_login
; /* PERMIT_*, see above */
77 int ignore_rhosts
; /* Ignore .rhosts and .shosts. */
78 int ignore_user_known_hosts
; /* Ignore ~/.ssh/known_hosts
79 * for RhostsRsaAuth */
80 int print_motd
; /* If true, print /etc/motd. */
81 int print_lastlog
; /* If true, print lastlog */
82 int x11_forwarding
; /* If true, permit inet (spoofing) X11 fwd. */
83 int x11_display_offset
; /* What DISPLAY number to start
85 int x11_use_localhost
; /* If true, use localhost for fake X11 server. */
86 char *xauth_location
; /* Location of xauth program */
87 int permit_tty
; /* If false, deny pty allocation */
88 int permit_user_rc
; /* If false, deny ~/.ssh/rc execution */
89 int strict_modes
; /* If true, require string home dir modes. */
90 int tcp_keep_alive
; /* If true, set SO_KEEPALIVE. */
91 int ip_qos_interactive
; /* IP ToS/DSCP/class for interactive */
92 int ip_qos_bulk
; /* IP ToS/DSCP/class for bulk traffic */
93 char *ciphers
; /* Supported SSH2 ciphers. */
94 char *macs
; /* Supported SSH2 macs. */
95 char *kex_algorithms
; /* SSH2 kex methods in order of preference. */
96 int protocol
; /* Supported protocol versions. */
97 struct ForwardOptions fwd_opts
; /* forwarding options */
98 SyslogFacility log_facility
; /* Facility for system logging. */
99 LogLevel log_level
; /* Level for system logging. */
100 int rhosts_rsa_authentication
; /* If true, permit rhosts RSA
102 int hostbased_authentication
; /* If true, permit ssh2 hostbased auth */
103 int hostbased_uses_name_from_packet_only
; /* experimental */
104 char *hostbased_key_types
; /* Key types allowed for hostbased */
105 char *hostkeyalgorithms
; /* SSH2 server key types */
106 int rsa_authentication
; /* If true, permit RSA authentication. */
107 int pubkey_authentication
; /* If true, permit ssh2 pubkey authentication. */
108 char *pubkey_key_types
; /* Key types allowed for public key */
109 int kerberos_authentication
; /* If true, permit Kerberos
111 int kerberos_or_local_passwd
; /* If true, permit kerberos
112 * and any other password
113 * authentication mechanism,
116 int kerberos_ticket_cleanup
; /* If true, destroy ticket
118 int kerberos_get_afs_token
; /* If true, try to get AFS token if
119 * authenticated with Kerberos. */
120 int gss_authentication
; /* If true, permit GSSAPI authentication */
121 int gss_cleanup_creds
; /* If true, destroy cred cache on logout */
122 int gss_strict_acceptor
; /* If true, restrict the GSSAPI acceptor name */
123 int password_authentication
; /* If true, permit password
125 int kbd_interactive_authentication
; /* If true, permit */
126 int challenge_response_authentication
;
127 int permit_empty_passwd
; /* If false, do not permit empty
129 int permit_user_env
; /* If true, read ~/.ssh/environment */
130 int use_login
; /* If true, login(1) is used */
131 int compression
; /* If true, compression is allowed */
132 int allow_tcp_forwarding
; /* One of FORWARD_* */
133 int allow_streamlocal_forwarding
; /* One of FORWARD_* */
134 int allow_agent_forwarding
;
135 u_int num_allow_users
;
136 char *allow_users
[MAX_ALLOW_USERS
];
137 u_int num_deny_users
;
138 char *deny_users
[MAX_DENY_USERS
];
139 u_int num_allow_groups
;
140 char *allow_groups
[MAX_ALLOW_GROUPS
];
141 u_int num_deny_groups
;
142 char *deny_groups
[MAX_DENY_GROUPS
];
144 u_int num_subsystems
;
145 char *subsystem_name
[MAX_SUBSYSTEMS
];
146 char *subsystem_command
[MAX_SUBSYSTEMS
];
147 char *subsystem_args
[MAX_SUBSYSTEMS
];
149 u_int num_accept_env
;
150 char *accept_env
[MAX_ACCEPT_ENV
];
152 int max_startups_begin
;
153 int max_startups_rate
;
157 char *banner
; /* SSH-2 banner message */
159 int client_alive_interval
; /*
160 * poke the client this often to
161 * see if it's still there
163 int client_alive_count_max
; /*
164 * If the client is unresponsive
165 * for this many intervals above,
166 * disconnect the session
169 u_int num_authkeys_files
; /* Files containing public keys */
170 char *authorized_keys_files
[MAX_AUTHKEYS_FILES
];
172 char *adm_forced_command
;
174 int use_pam
; /* Enable auth via PAM */
178 int num_permitted_opens
;
180 char *chroot_directory
;
181 char *revoked_keys_file
;
182 char *trusted_user_ca_keys
;
183 char *authorized_keys_command
;
184 char *authorized_keys_command_user
;
185 char *authorized_principals_file
;
186 char *authorized_principals_command
;
187 char *authorized_principals_command_user
;
192 char *version_addendum
; /* Appended to SSH banner */
194 u_int num_auth_methods
;
195 char *auth_methods
[MAX_AUTH_METHODS
];
197 int fingerprint_hash
;
200 /* Information about the incoming connection as used by Match */
201 struct connection_info
{
203 const char *host
; /* possibly resolved hostname */
204 const char *address
; /* remote address */
205 const char *laddress
; /* local address */
206 int lport
; /* local port */
211 * These are string config options that must be copied between the
212 * Match sub-config and the main config, and must be sent from the
213 * privsep slave to the privsep master. We use a macro to ensure all
214 * the options are copied and the copies are done in the correct order.
216 * NB. an option must appear in servconf.c:copy_set_server_options() or
217 * COPY_MATCH_STRING_OPTS here but never both.
219 #define COPY_MATCH_STRING_OPTS() do { \
220 M_CP_STROPT(banner); \
221 M_CP_STROPT(trusted_user_ca_keys); \
222 M_CP_STROPT(revoked_keys_file); \
223 M_CP_STROPT(authorized_keys_command); \
224 M_CP_STROPT(authorized_keys_command_user); \
225 M_CP_STROPT(authorized_principals_file); \
226 M_CP_STROPT(authorized_principals_command); \
227 M_CP_STROPT(authorized_principals_command_user); \
228 M_CP_STROPT(hostbased_key_types); \
229 M_CP_STROPT(pubkey_key_types); \
230 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
231 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
232 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
233 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
234 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
235 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
236 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
239 struct connection_info
*get_connection_info(int, int);
240 void initialize_server_options(ServerOptions
*);
241 void fill_default_server_options(ServerOptions
*);
242 int process_server_config_line(ServerOptions
*, char *, const char *, int,
243 int *, struct connection_info
*);
244 void load_server_config(const char *, Buffer
*);
245 void parse_server_config(ServerOptions
*, const char *, Buffer
*,
246 struct connection_info
*);
247 void parse_server_match_config(ServerOptions
*, struct connection_info
*);
248 int parse_server_match_testspec(struct connection_info
*, char *);
249 int server_match_spec_complete(struct connection_info
*);
250 void copy_set_server_options(ServerOptions
*, ServerOptions
*, int);
251 void dump_config(ServerOptions
*);
252 char *derelativise_path(const char *);
254 #endif /* SERVCONF_H */