search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
if_vtnet - Use ifsq_watchdog_* functions as the watchdog.
[dragonfly.git] / crypto / openssh / servconf.c
blob9568629594cb15ed7fdebb07f6bf69fb4dcd4c94
1
2 /* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
3 /*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
6 *
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
12 */
13
14 #include "includes.h"
15
16 #include <sys/types.h>
17 #include <sys/socket.h>
18
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
22
23 #include <ctype.h>
24 #include <netdb.h>
25 #include <pwd.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <signal.h>
30 #include <unistd.h>
31 #include <limits.h>
32 #include <stdarg.h>
33 #include <errno.h>
34 #ifdef HAVE_UTIL_H
35 #include <util.h>
36 #endif
37
38 #include "openbsd-compat/sys-queue.h"
39 #include "xmalloc.h"
40 #include "ssh.h"
41 #include "log.h"
42 #include "buffer.h"
43 #include "misc.h"
44 #include "servconf.h"
45 #include "compat.h"
46 #include "pathnames.h"
47 #include "cipher.h"
48 #include "key.h"
49 #include "kex.h"
50 #include "mac.h"
51 #include "match.h"
52 #include "channels.h"
53 #include "groupaccess.h"
54 #include "canohost.h"
55 #include "packet.h"
56 #include "hostfile.h"
57 #include "auth.h"
58 #include "myproposal.h"
59 #include "digest.h"
60
61 static void add_listen_addr(ServerOptions *, char *, int);
62 static void add_one_listen_addr(ServerOptions *, char *, int);
63
64 /* Use of privilege separation or not */
65 extern int use_privsep;
66 extern Buffer cfg;
67
68 /* Initializes the server options to their default values. */
69
70 void
71 initialize_server_options(ServerOptions *options)
72 {
73 memset(options, 0, sizeof(*options));
74
75 /* Portable-specific options */
76 options->use_pam = -1;
77
78 /* Standard Options */
79 options->num_ports = 0;
80 options->ports_from_cmdline = 0;
81 options->queued_listen_addrs = NULL;
82 options->num_queued_listens = 0;
83 options->listen_addrs = NULL;
84 options->address_family = -1;
85 options->num_host_key_files = 0;
86 options->num_host_cert_files = 0;
87 options->host_key_agent = NULL;
88 options->pid_file = NULL;
89 options->login_grace_time = -1;
90 options->permit_root_login = PERMIT_NOT_SET;
91 options->ignore_rhosts = -1;
92 options->ignore_user_known_hosts = -1;
93 options->print_motd = -1;
94 options->print_lastlog = -1;
95 options->x11_forwarding = -1;
96 options->x11_display_offset = -1;
97 options->x11_use_localhost = -1;
98 options->permit_tty = -1;
99 options->permit_user_rc = -1;
100 options->xauth_location = NULL;
101 options->strict_modes = -1;
102 options->tcp_keep_alive = -1;
103 options->log_facility = SYSLOG_FACILITY_NOT_SET;
104 options->log_level = SYSLOG_LEVEL_NOT_SET;
105 options->hostbased_authentication = -1;
106 options->hostbased_uses_name_from_packet_only = -1;
107 options->hostbased_key_types = NULL;
108 options->hostkeyalgorithms = NULL;
109 options->pubkey_authentication = -1;
110 options->pubkey_key_types = NULL;
111 options->kerberos_authentication = -1;
112 options->kerberos_or_local_passwd = -1;
113 options->kerberos_ticket_cleanup = -1;
114 options->kerberos_get_afs_token = -1;
115 options->gss_authentication=-1;
116 options->gss_cleanup_creds = -1;
117 options->gss_strict_acceptor = -1;
118 options->password_authentication = -1;
119 options->kbd_interactive_authentication = -1;
120 options->challenge_response_authentication = -1;
121 options->permit_empty_passwd = -1;
122 options->permit_user_env = -1;
123 options->compression = -1;
124 options->rekey_limit = -1;
125 options->rekey_interval = -1;
126 options->allow_tcp_forwarding = -1;
127 options->allow_streamlocal_forwarding = -1;
128 options->allow_agent_forwarding = -1;
129 options->num_allow_users = 0;
130 options->num_deny_users = 0;
131 options->num_allow_groups = 0;
132 options->num_deny_groups = 0;
133 options->ciphers = NULL;
134 options->macs = NULL;
135 options->kex_algorithms = NULL;
136 options->fwd_opts.gateway_ports = -1;
137 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
138 options->fwd_opts.streamlocal_bind_unlink = -1;
139 options->num_subsystems = 0;
140 options->max_startups_begin = -1;
141 options->max_startups_rate = -1;
142 options->max_startups = -1;
143 options->max_authtries = -1;
144 options->max_sessions = -1;
145 options->banner = NULL;
146 options->use_dns = -1;
147 options->client_alive_interval = -1;
148 options->client_alive_count_max = -1;
149 options->num_authkeys_files = 0;
150 options->num_accept_env = 0;
151 options->permit_tun = -1;
152 options->permitted_opens = NULL;
153 options->adm_forced_command = NULL;
154 options->chroot_directory = NULL;
155 options->authorized_keys_command = NULL;
156 options->authorized_keys_command_user = NULL;
157 options->revoked_keys_file = NULL;
158 options->trusted_user_ca_keys = NULL;
159 options->authorized_principals_file = NULL;
160 options->authorized_principals_command = NULL;
161 options->authorized_principals_command_user = NULL;
162 options->ip_qos_interactive = -1;
163 options->ip_qos_bulk = -1;
164 options->version_addendum = NULL;
165 options->fingerprint_hash = -1;
166 options->disable_forwarding = -1;
167 options->expose_userauth_info = -1;
168 }
169
170 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
171 static int
172 option_clear_or_none(const char *o)
173 {
174 return o == NULL || strcasecmp(o, "none") == 0;
175 }
176
177 static void
178 assemble_algorithms(ServerOptions *o)
179 {
180 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
181 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
182 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
183 kex_assemble_names(KEX_DEFAULT_PK_ALG,
184 &o->hostkeyalgorithms) != 0 ||
185 kex_assemble_names(KEX_DEFAULT_PK_ALG,
186 &o->hostbased_key_types) != 0 ||
187 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
188 fatal("kex_assemble_names failed");
189 }
190
191 void
192 fill_default_server_options(ServerOptions *options)
193 {
194 int i;
195
196 /* Portable-specific options */
197 if (options->use_pam == -1)
198 options->use_pam = 0;
199
200 /* Standard Options */
201 if (options->num_host_key_files == 0) {
202 /* fill default hostkeys for protocols */
203 options->host_key_files[options->num_host_key_files++] =
204 _PATH_HOST_RSA_KEY_FILE;
205 options->host_key_files[options->num_host_key_files++] =
206 _PATH_HOST_DSA_KEY_FILE;
207 #ifdef OPENSSL_HAS_ECC
208 options->host_key_files[options->num_host_key_files++] =
209 _PATH_HOST_ECDSA_KEY_FILE;
210 #endif
211 options->host_key_files[options->num_host_key_files++] =
212 _PATH_HOST_ED25519_KEY_FILE;
213 }
214 /* No certificates by default */
215 if (options->num_ports == 0)
216 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
217 if (options->address_family == -1)
218 options->address_family = AF_UNSPEC;
219 if (options->listen_addrs == NULL)
220 add_listen_addr(options, NULL, 0);
221 if (options->pid_file == NULL)
222 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
223 if (options->login_grace_time == -1)
224 options->login_grace_time = 120;
225 if (options->permit_root_login == PERMIT_NOT_SET)
226 options->permit_root_login = PERMIT_NO_PASSWD;
227 if (options->ignore_rhosts == -1)
228 options->ignore_rhosts = 1;
229 if (options->ignore_user_known_hosts == -1)
230 options->ignore_user_known_hosts = 0;
231 if (options->print_motd == -1)
232 options->print_motd = 1;
233 if (options->print_lastlog == -1)
234 options->print_lastlog = 1;
235 if (options->x11_forwarding == -1)
236 options->x11_forwarding = 0;
237 if (options->x11_display_offset == -1)
238 options->x11_display_offset = 10;
239 if (options->x11_use_localhost == -1)
240 options->x11_use_localhost = 1;
241 if (options->xauth_location == NULL)
242 options->xauth_location = xstrdup(_PATH_XAUTH);
243 if (options->permit_tty == -1)
244 options->permit_tty = 1;
245 if (options->permit_user_rc == -1)
246 options->permit_user_rc = 1;
247 if (options->strict_modes == -1)
248 options->strict_modes = 1;
249 if (options->tcp_keep_alive == -1)
250 options->tcp_keep_alive = 1;
251 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
252 options->log_facility = SYSLOG_FACILITY_AUTH;
253 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
254 options->log_level = SYSLOG_LEVEL_INFO;
255 if (options->hostbased_authentication == -1)
256 options->hostbased_authentication = 0;
257 if (options->hostbased_uses_name_from_packet_only == -1)
258 options->hostbased_uses_name_from_packet_only = 0;
259 if (options->pubkey_authentication == -1)
260 options->pubkey_authentication = 1;
261 if (options->kerberos_authentication == -1)
262 options->kerberos_authentication = 0;
263 if (options->kerberos_or_local_passwd == -1)
264 options->kerberos_or_local_passwd = 1;
265 if (options->kerberos_ticket_cleanup == -1)
266 options->kerberos_ticket_cleanup = 1;
267 if (options->kerberos_get_afs_token == -1)
268 options->kerberos_get_afs_token = 0;
269 if (options->gss_authentication == -1)
270 options->gss_authentication = 0;
271 if (options->gss_cleanup_creds == -1)
272 options->gss_cleanup_creds = 1;
273 if (options->gss_strict_acceptor == -1)
274 options->gss_strict_acceptor = 1;
275 if (options->password_authentication == -1)
276 options->password_authentication = 1;
277 if (options->kbd_interactive_authentication == -1)
278 options->kbd_interactive_authentication = 0;
279 if (options->challenge_response_authentication == -1)
280 options->challenge_response_authentication = 1;
281 if (options->permit_empty_passwd == -1)
282 options->permit_empty_passwd = 0;
283 if (options->permit_user_env == -1)
284 options->permit_user_env = 0;
285 if (options->compression == -1)
286 options->compression = COMP_DELAYED;
287 if (options->rekey_limit == -1)
288 options->rekey_limit = 0;
289 if (options->rekey_interval == -1)
290 options->rekey_interval = 0;
291 if (options->allow_tcp_forwarding == -1)
292 options->allow_tcp_forwarding = FORWARD_ALLOW;
293 if (options->allow_streamlocal_forwarding == -1)
294 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
295 if (options->allow_agent_forwarding == -1)
296 options->allow_agent_forwarding = 1;
297 if (options->fwd_opts.gateway_ports == -1)
298 options->fwd_opts.gateway_ports = 0;
299 if (options->max_startups == -1)
300 options->max_startups = 100;
301 if (options->max_startups_rate == -1)
302 options->max_startups_rate = 30; /* 30% */
303 if (options->max_startups_begin == -1)
304 options->max_startups_begin = 10;
305 if (options->max_authtries == -1)
306 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
307 if (options->max_sessions == -1)
308 options->max_sessions = DEFAULT_SESSIONS_MAX;
309 if (options->use_dns == -1)
310 options->use_dns = 0;
311 if (options->client_alive_interval == -1)
312 options->client_alive_interval = 0;
313 if (options->client_alive_count_max == -1)
314 options->client_alive_count_max = 3;
315 if (options->num_authkeys_files == 0) {
316 options->authorized_keys_files[options->num_authkeys_files++] =
317 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
318 options->authorized_keys_files[options->num_authkeys_files++] =
319 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
320 }
321 if (options->permit_tun == -1)
322 options->permit_tun = SSH_TUNMODE_NO;
323 if (options->ip_qos_interactive == -1)
324 options->ip_qos_interactive = IPTOS_LOWDELAY;
325 if (options->ip_qos_bulk == -1)
326 options->ip_qos_bulk = IPTOS_THROUGHPUT;
327 if (options->version_addendum == NULL)
328 options->version_addendum = xstrdup("");
329 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
330 options->fwd_opts.streamlocal_bind_mask = 0177;
331 if (options->fwd_opts.streamlocal_bind_unlink == -1)
332 options->fwd_opts.streamlocal_bind_unlink = 0;
333 if (options->fingerprint_hash == -1)
334 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
335 if (options->disable_forwarding == -1)
336 options->disable_forwarding = 0;
337 if (options->expose_userauth_info == -1)
338 options->expose_userauth_info = 0;
339
340 assemble_algorithms(options);
341
342 /* Turn privilege separation and sandboxing on by default */
343 if (use_privsep == -1)
344 use_privsep = PRIVSEP_ON;
345
346 #define CLEAR_ON_NONE(v) \
347 do { \
348 if (option_clear_or_none(v)) { \
349 free(v); \
350 v = NULL; \
351 } \
352 } while(0)
353 CLEAR_ON_NONE(options->pid_file);
354 CLEAR_ON_NONE(options->xauth_location);
355 CLEAR_ON_NONE(options->banner);
356 CLEAR_ON_NONE(options->trusted_user_ca_keys);
357 CLEAR_ON_NONE(options->revoked_keys_file);
358 CLEAR_ON_NONE(options->authorized_principals_file);
359 CLEAR_ON_NONE(options->adm_forced_command);
360 CLEAR_ON_NONE(options->chroot_directory);
361 for (i = 0; i < options->num_host_key_files; i++)
362 CLEAR_ON_NONE(options->host_key_files[i]);
363 for (i = 0; i < options->num_host_cert_files; i++)
364 CLEAR_ON_NONE(options->host_cert_files[i]);
365 #undef CLEAR_ON_NONE
366
367 /* Similar handling for AuthenticationMethods=any */
368 if (options->num_auth_methods == 1 &&
369 strcmp(options->auth_methods[0], "any") == 0) {
370 free(options->auth_methods[0]);
371 options->auth_methods[0] = NULL;
372 options->num_auth_methods = 0;
373 }
374
375 #ifndef HAVE_MMAP
376 if (use_privsep && options->compression == 1) {
377 error("This platform does not support both privilege "
378 "separation and compression");
379 error("Compression disabled");
380 options->compression = 0;
381 }
382 #endif
383
384 }
385
386 /* Keyword tokens. */
387 typedef enum {
388 sBadOption, /* == unknown option */
389 /* Portable-specific options */
390 sUsePAM,
391 /* Standard Options */
392 sPort, sHostKeyFile, sLoginGraceTime,
393 sPermitRootLogin, sLogFacility, sLogLevel,
394 sRhostsRSAAuthentication, sRSAAuthentication,
395 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
396 sKerberosGetAFSToken,
397 sKerberosTgtPassing, sChallengeResponseAuthentication,
398 sPasswordAuthentication, sKbdInteractiveAuthentication,
399 sListenAddress, sAddressFamily,
400 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
401 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
402 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
403 sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
404 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
405 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
406 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
407 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
408 sBanner, sUseDNS, sHostbasedAuthentication,
409 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
410 sHostKeyAlgorithms,
411 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
412 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
413 sAcceptEnv, sPermitTunnel,
414 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
415 sUsePrivilegeSeparation, sAllowAgentForwarding,
416 sHostCertificate,
417 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
418 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
419 sKexAlgorithms, sIPQoS, sVersionAddendum,
420 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
421 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
422 sStreamLocalBindMask, sStreamLocalBindUnlink,
423 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
424 sExposeAuthInfo,
425 sDeprecated, sIgnore, sUnsupported
426 } ServerOpCodes;
427
428 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
429 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
430 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
431
432 /* Textual representation of the tokens. */
433 static struct {
434 const char *name;
435 ServerOpCodes opcode;
436 u_int flags;
437 } keywords[] = {
438 /* Portable-specific options */
439 #ifdef USE_PAM
440 { "usepam", sUsePAM, SSHCFG_GLOBAL },
441 #else
442 { "usepam", sUnsupported, SSHCFG_GLOBAL },
443 #endif
444 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
445 /* Standard Options */
446 { "port", sPort, SSHCFG_GLOBAL },
447 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
448 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
449 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
450 { "pidfile", sPidFile, SSHCFG_GLOBAL },
451 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
452 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
453 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
454 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
455 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
456 { "loglevel", sLogLevel, SSHCFG_ALL },
457 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
458 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
459 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
460 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
461 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
462 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
463 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
464 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
465 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
466 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
467 #ifdef KRB5
468 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
469 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
470 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
471 #ifdef USE_AFS
472 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
473 #else
474 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
475 #endif
476 #else
477 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
478 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
479 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
480 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
481 #endif
482 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
483 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
484 #ifdef GSSAPI
485 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
486 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
487 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
488 #else
489 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
490 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
491 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
492 #endif
493 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
494 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
495 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
496 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
497 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
498 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
499 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
500 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
501 #ifdef DISABLE_LASTLOG
502 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
503 #else
504 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
505 #endif
506 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
507 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
508 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
509 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
510 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
511 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
512 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
513 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
514 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
515 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
516 { "compression", sCompression, SSHCFG_GLOBAL },
517 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
518 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
519 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
520 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
521 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
522 { "allowusers", sAllowUsers, SSHCFG_ALL },
523 { "denyusers", sDenyUsers, SSHCFG_ALL },
524 { "allowgroups", sAllowGroups, SSHCFG_ALL },
525 { "denygroups", sDenyGroups, SSHCFG_ALL },
526 { "ciphers", sCiphers, SSHCFG_GLOBAL },
527 { "macs", sMacs, SSHCFG_GLOBAL },
528 { "protocol", sIgnore, SSHCFG_GLOBAL },
529 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
530 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
531 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
532 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
533 { "maxsessions", sMaxSessions, SSHCFG_ALL },
534 { "banner", sBanner, SSHCFG_ALL },
535 { "usedns", sUseDNS, SSHCFG_GLOBAL },
536 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
537 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
538 { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
539 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
540 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
541 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
542 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
543 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
544 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
545 { "permittty", sPermitTTY, SSHCFG_ALL },
546 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
547 { "match", sMatch, SSHCFG_ALL },
548 { "permitopen", sPermitOpen, SSHCFG_ALL },
549 { "forcecommand", sForceCommand, SSHCFG_ALL },
550 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
551 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
552 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
553 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
554 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
555 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
556 { "ipqos", sIPQoS, SSHCFG_ALL },
557 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
558 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
559 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
560 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
561 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
562 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
563 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
564 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
565 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
566 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
567 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
568 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
569 { NULL, sBadOption, 0 }
570 };
571
572 static struct {
573 int val;
574 char *text;
575 } tunmode_desc[] = {
576 { SSH_TUNMODE_NO, "no" },
577 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
578 { SSH_TUNMODE_ETHERNET, "ethernet" },
579 { SSH_TUNMODE_YES, "yes" },
580 { -1, NULL }
581 };
582
583 /*
584 * Returns the number of the token pointed to by cp or sBadOption.
585 */
586
587 static ServerOpCodes
588 parse_token(const char *cp, const char *filename,
589 int linenum, u_int *flags)
590 {
591 u_int i;
592
593 for (i = 0; keywords[i].name; i++)
594 if (strcasecmp(cp, keywords[i].name) == 0) {
595 *flags = keywords[i].flags;
596 return keywords[i].opcode;
597 }
598
599 error("%s: line %d: Bad configuration option: %s",
600 filename, linenum, cp);
601 return sBadOption;
602 }
603
604 char *
605 derelativise_path(const char *path)
606 {
607 char *expanded, *ret, cwd[PATH_MAX];
608
609 if (strcasecmp(path, "none") == 0)
610 return xstrdup("none");
611 expanded = tilde_expand_filename(path, getuid());
612 if (*expanded == '/')
613 return expanded;
614 if (getcwd(cwd, sizeof(cwd)) == NULL)
615 fatal("%s: getcwd: %s", __func__, strerror(errno));
616 xasprintf(&ret, "%s/%s", cwd, expanded);
617 free(expanded);
618 return ret;
619 }
620
621 static void
622 add_listen_addr(ServerOptions *options, char *addr, int port)
623 {
624 u_int i;
625
626 if (port == 0)
627 for (i = 0; i < options->num_ports; i++)
628 add_one_listen_addr(options, addr, options->ports[i]);
629 else
630 add_one_listen_addr(options, addr, port);
631 }
632
633 static void
634 add_one_listen_addr(ServerOptions *options, char *addr, int port)
635 {
636 struct addrinfo hints, *ai, *aitop;
637 char strport[NI_MAXSERV];
638 int gaierr;
639
640 memset(&hints, 0, sizeof(hints));
641 hints.ai_family = options->address_family;
642 hints.ai_socktype = SOCK_STREAM;
643 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
644 snprintf(strport, sizeof strport, "%d", port);
645 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
646 fatal("bad addr or host: %s (%s)",
647 addr ? addr : "<NULL>",
648 ssh_gai_strerror(gaierr));
649 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
650 ;
651 ai->ai_next = options->listen_addrs;
652 options->listen_addrs = aitop;
653 }
654
655 /*
656 * Queue a ListenAddress to be processed once we have all of the Ports
657 * and AddressFamily options.
658 */
659 static void
660 queue_listen_addr(ServerOptions *options, char *addr, int port)
661 {
662 options->queued_listen_addrs = xreallocarray(
663 options->queued_listen_addrs, options->num_queued_listens + 1,
664 sizeof(addr));
665 options->queued_listen_ports = xreallocarray(
666 options->queued_listen_ports, options->num_queued_listens + 1,
667 sizeof(port));
668 options->queued_listen_addrs[options->num_queued_listens] =
669 xstrdup(addr);
670 options->queued_listen_ports[options->num_queued_listens] = port;
671 options->num_queued_listens++;
672 }
673
674 /*
675 * Process queued (text) ListenAddress entries.
676 */
677 static void
678 process_queued_listen_addrs(ServerOptions *options)
679 {
680 u_int i;
681
682 if (options->num_ports == 0)
683 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
684 if (options->address_family == -1)
685 options->address_family = AF_UNSPEC;
686
687 for (i = 0; i < options->num_queued_listens; i++) {
688 add_listen_addr(options, options->queued_listen_addrs[i],
689 options->queued_listen_ports[i]);
690 free(options->queued_listen_addrs[i]);
691 options->queued_listen_addrs[i] = NULL;
692 }
693 free(options->queued_listen_addrs);
694 options->queued_listen_addrs = NULL;
695 free(options->queued_listen_ports);
696 options->queued_listen_ports = NULL;
697 options->num_queued_listens = 0;
698 }
699
700 /*
701 * Inform channels layer of permitopen options from configuration.
702 */
703 void
704 process_permitopen(struct ssh *ssh, ServerOptions *options)
705 {
706 u_int i;
707 int port;
708 char *host, *arg, *oarg;
709
710 channel_clear_adm_permitted_opens(ssh);
711 if (options->num_permitted_opens == 0)
712 return; /* permit any */
713
714 /* handle keywords: "any" / "none" */
715 if (options->num_permitted_opens == 1 &&
716 strcmp(options->permitted_opens[0], "any") == 0)
717 return;
718 if (options->num_permitted_opens == 1 &&
719 strcmp(options->permitted_opens[0], "none") == 0) {
720 channel_disable_adm_local_opens(ssh);
721 return;
722 }
723 /* Otherwise treat it as a list of permitted host:port */
724 for (i = 0; i < options->num_permitted_opens; i++) {
725 oarg = arg = xstrdup(options->permitted_opens[i]);
726 host = hpdelim(&arg);
727 if (host == NULL)
728 fatal("%s: missing host in PermitOpen", __func__);
729 host = cleanhostname(host);
730 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
731 fatal("%s: bad port number in PermitOpen", __func__);
732 /* Send it to channels layer */
733 channel_add_adm_permitted_opens(ssh, host, port);
734 free(oarg);
735 }
736 }
737
738 struct connection_info *
739 get_connection_info(int populate, int use_dns)
740 {
741 struct ssh *ssh = active_state; /* XXX */
742 static struct connection_info ci;
743
744 if (!populate)
745 return &ci;
746 ci.host = auth_get_canonical_hostname(ssh, use_dns);
747 ci.address = ssh_remote_ipaddr(ssh);
748 ci.laddress = ssh_local_ipaddr(ssh);
749 ci.lport = ssh_local_port(ssh);
750 return &ci;
751 }
752
753 /*
754 * The strategy for the Match blocks is that the config file is parsed twice.
755 *
756 * The first time is at startup. activep is initialized to 1 and the
757 * directives in the global context are processed and acted on. Hitting a
758 * Match directive unsets activep and the directives inside the block are
759 * checked for syntax only.
760 *
761 * The second time is after a connection has been established but before
762 * authentication. activep is initialized to 2 and global config directives
763 * are ignored since they have already been processed. If the criteria in a
764 * Match block is met, activep is set and the subsequent directives
765 * processed and actioned until EOF or another Match block unsets it. Any
766 * options set are copied into the main server config.
767 *
768 * Potential additions/improvements:
769 * - Add Match support for pre-kex directives, eg. Ciphers.
770 *
771 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
772 * Match Address 192.168.0.*
773 * Tag trusted
774 * Match Group wheel
775 * Tag trusted
776 * Match Tag trusted
777 * AllowTcpForwarding yes
778 * GatewayPorts clientspecified
779 * [...]
780 *
781 * - Add a PermittedChannelRequests directive
782 * Match Group shell
783 * PermittedChannelRequests session,forwarded-tcpip
784 */
785
786 static int
787 match_cfg_line_group(const char *grps, int line, const char *user)
788 {
789 int result = 0;
790 struct passwd *pw;
791
792 if (user == NULL)
793 goto out;
794
795 if ((pw = getpwnam(user)) == NULL) {
796 debug("Can't match group at line %d because user %.100s does "
797 "not exist", line, user);
798 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
799 debug("Can't Match group because user %.100s not in any group "
800 "at line %d", user, line);
801 } else if (ga_match_pattern_list(grps) != 1) {
802 debug("user %.100s does not match group list %.100s at line %d",
803 user, grps, line);
804 } else {
805 debug("user %.100s matched group list %.100s at line %d", user,
806 grps, line);
807 result = 1;
808 }
809 out:
810 ga_free();
811 return result;
812 }
813
814 /*
815 * All of the attributes on a single Match line are ANDed together, so we need
816 * to check every attribute and set the result to zero if any attribute does
817 * not match.
818 */
819 static int
820 match_cfg_line(char **condition, int line, struct connection_info *ci)
821 {
822 int result = 1, attributes = 0, port;
823 char *arg, *attrib, *cp = *condition;
824
825 if (ci == NULL)
826 debug3("checking syntax for 'Match %s'", cp);
827 else
828 debug3("checking match for '%s' user %s host %s addr %s "
829 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
830 ci->host ? ci->host : "(null)",
831 ci->address ? ci->address : "(null)",
832 ci->laddress ? ci->laddress : "(null)", ci->lport);
833
834 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
835 attributes++;
836 if (strcasecmp(attrib, "all") == 0) {
837 if (attributes != 1 ||
838 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
839 error("'all' cannot be combined with other "
840 "Match attributes");
841 return -1;
842 }
843 *condition = cp;
844 return 1;
845 }
846 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
847 error("Missing Match criteria for %s", attrib);
848 return -1;
849 }
850 if (strcasecmp(attrib, "user") == 0) {
851 if (ci == NULL || ci->user == NULL) {
852 result = 0;
853 continue;
854 }
855 if (match_pattern_list(ci->user, arg, 0) != 1)
856 result = 0;
857 else
858 debug("user %.100s matched 'User %.100s' at "
859 "line %d", ci->user, arg, line);
860 } else if (strcasecmp(attrib, "group") == 0) {
861 if (ci == NULL || ci->user == NULL) {
862 result = 0;
863 continue;
864 }
865 switch (match_cfg_line_group(arg, line, ci->user)) {
866 case -1:
867 return -1;
868 case 0:
869 result = 0;
870 }
871 } else if (strcasecmp(attrib, "host") == 0) {
872 if (ci == NULL || ci->host == NULL) {
873 result = 0;
874 continue;
875 }
876 if (match_hostname(ci->host, arg) != 1)
877 result = 0;
878 else
879 debug("connection from %.100s matched 'Host "
880 "%.100s' at line %d", ci->host, arg, line);
881 } else if (strcasecmp(attrib, "address") == 0) {
882 if (ci == NULL || ci->address == NULL) {
883 result = 0;
884 continue;
885 }
886 switch (addr_match_list(ci->address, arg)) {
887 case 1:
888 debug("connection from %.100s matched 'Address "
889 "%.100s' at line %d", ci->address, arg, line);
890 break;
891 case 0:
892 case -1:
893 result = 0;
894 break;
895 case -2:
896 return -1;
897 }
898 } else if (strcasecmp(attrib, "localaddress") == 0){
899 if (ci == NULL || ci->laddress == NULL) {
900 result = 0;
901 continue;
902 }
903 switch (addr_match_list(ci->laddress, arg)) {
904 case 1:
905 debug("connection from %.100s matched "
906 "'LocalAddress %.100s' at line %d",
907 ci->laddress, arg, line);
908 break;
909 case 0:
910 case -1:
911 result = 0;
912 break;
913 case -2:
914 return -1;
915 }
916 } else if (strcasecmp(attrib, "localport") == 0) {
917 if ((port = a2port(arg)) == -1) {
918 error("Invalid LocalPort '%s' on Match line",
919 arg);
920 return -1;
921 }
922 if (ci == NULL || ci->lport == 0) {
923 result = 0;
924 continue;
925 }
926 /* TODO support port lists */
927 if (port == ci->lport)
928 debug("connection from %.100s matched "
929 "'LocalPort %d' at line %d",
930 ci->laddress, port, line);
931 else
932 result = 0;
933 } else {
934 error("Unsupported Match attribute %s", attrib);
935 return -1;
936 }
937 }
938 if (attributes == 0) {
939 error("One or more attributes required for Match");
940 return -1;
941 }
942 if (ci != NULL)
943 debug3("match %sfound", result ? "" : "not ");
944 *condition = cp;
945 return result;
946 }
947
948 #define WHITESPACE " \t\r\n"
949
950 /* Multistate option parsing */
951 struct multistate {
952 char *key;
953 int value;
954 };
955 static const struct multistate multistate_addressfamily[] = {
956 { "inet", AF_INET },
957 { "inet6", AF_INET6 },
958 { "any", AF_UNSPEC },
959 { NULL, -1 }
960 };
961 static const struct multistate multistate_permitrootlogin[] = {
962 { "without-password", PERMIT_NO_PASSWD },
963 { "prohibit-password", PERMIT_NO_PASSWD },
964 { "forced-commands-only", PERMIT_FORCED_ONLY },
965 { "yes", PERMIT_YES },
966 { "no", PERMIT_NO },
967 { NULL, -1 }
968 };
969 static const struct multistate multistate_compression[] = {
970 { "yes", COMP_DELAYED },
971 { "delayed", COMP_DELAYED },
972 { "no", COMP_NONE },
973 { NULL, -1 }
974 };
975 static const struct multistate multistate_gatewayports[] = {
976 { "clientspecified", 2 },
977 { "yes", 1 },
978 { "no", 0 },
979 { NULL, -1 }
980 };
981 static const struct multistate multistate_tcpfwd[] = {
982 { "yes", FORWARD_ALLOW },
983 { "all", FORWARD_ALLOW },
984 { "no", FORWARD_DENY },
985 { "remote", FORWARD_REMOTE },
986 { "local", FORWARD_LOCAL },
987 { NULL, -1 }
988 };
989
990 int
991 process_server_config_line(ServerOptions *options, char *line,
992 const char *filename, int linenum, int *activep,
993 struct connection_info *connectinfo)
994 {
995 char *cp, **charptr, *arg, *arg2, *p;
996 int cmdline = 0, *intptr, value, value2, n, port;
997 SyslogFacility *log_facility_ptr;
998 LogLevel *log_level_ptr;
999 ServerOpCodes opcode;
1000 u_int i, flags = 0;
1001 size_t len;
1002 long long val64;
1003 const struct multistate *multistate_ptr;
1004
1005 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1006 if ((len = strlen(line)) == 0)
1007 return 0;
1008 for (len--; len > 0; len--) {
1009 if (strchr(WHITESPACE "\f", line[len]) == NULL)
1010 break;
1011 line[len] = '\0';
1012 }
1013
1014 cp = line;
1015 if ((arg = strdelim(&cp)) == NULL)
1016 return 0;
1017 /* Ignore leading whitespace */
1018 if (*arg == '\0')
1019 arg = strdelim(&cp);
1020 if (!arg || !*arg || *arg == '#')
1021 return 0;
1022 intptr = NULL;
1023 charptr = NULL;
1024 opcode = parse_token(arg, filename, linenum, &flags);
1025
1026 if (activep == NULL) { /* We are processing a command line directive */
1027 cmdline = 1;
1028 activep = &cmdline;
1029 }
1030 if (*activep && opcode != sMatch)
1031 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1032 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1033 if (connectinfo == NULL) {
1034 fatal("%s line %d: Directive '%s' is not allowed "
1035 "within a Match block", filename, linenum, arg);
1036 } else { /* this is a directive we have already processed */
1037 while (arg)
1038 arg = strdelim(&cp);
1039 return 0;
1040 }
1041 }
1042
1043 switch (opcode) {
1044 /* Portable-specific options */
1045 case sUsePAM:
1046 intptr = &options->use_pam;
1047 goto parse_flag;
1048
1049 /* Standard Options */
1050 case sBadOption:
1051 return -1;
1052 case sPort:
1053 /* ignore ports from configfile if cmdline specifies ports */
1054 if (options->ports_from_cmdline)
1055 return 0;
1056 if (options->num_ports >= MAX_PORTS)
1057 fatal("%s line %d: too many ports.",
1058 filename, linenum);
1059 arg = strdelim(&cp);
1060 if (!arg || *arg == '\0')
1061 fatal("%s line %d: missing port number.",
1062 filename, linenum);
1063 options->ports[options->num_ports++] = a2port(arg);
1064 if (options->ports[options->num_ports-1] <= 0)
1065 fatal("%s line %d: Badly formatted port number.",
1066 filename, linenum);
1067 break;
1068
1069 case sLoginGraceTime:
1070 intptr = &options->login_grace_time;
1071 parse_time:
1072 arg = strdelim(&cp);
1073 if (!arg || *arg == '\0')
1074 fatal("%s line %d: missing time value.",
1075 filename, linenum);
1076 if ((value = convtime(arg)) == -1)
1077 fatal("%s line %d: invalid time value.",
1078 filename, linenum);
1079 if (*activep && *intptr == -1)
1080 *intptr = value;
1081 break;
1082
1083 case sListenAddress:
1084 arg = strdelim(&cp);
1085 if (arg == NULL || *arg == '\0')
1086 fatal("%s line %d: missing address",
1087 filename, linenum);
1088 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1089 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1090 && strchr(p+1, ':') != NULL) {
1091 queue_listen_addr(options, arg, 0);
1092 break;
1093 }
1094 p = hpdelim(&arg);
1095 if (p == NULL)
1096 fatal("%s line %d: bad address:port usage",
1097 filename, linenum);
1098 p = cleanhostname(p);
1099 if (arg == NULL)
1100 port = 0;
1101 else if ((port = a2port(arg)) <= 0)
1102 fatal("%s line %d: bad port number", filename, linenum);
1103
1104 queue_listen_addr(options, p, port);
1105
1106 break;
1107
1108 case sAddressFamily:
1109 intptr = &options->address_family;
1110 multistate_ptr = multistate_addressfamily;
1111 parse_multistate:
1112 arg = strdelim(&cp);
1113 if (!arg || *arg == '\0')
1114 fatal("%s line %d: missing argument.",
1115 filename, linenum);
1116 value = -1;
1117 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1118 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1119 value = multistate_ptr[i].value;
1120 break;
1121 }
1122 }
1123 if (value == -1)
1124 fatal("%s line %d: unsupported option \"%s\".",
1125 filename, linenum, arg);
1126 if (*activep && *intptr == -1)
1127 *intptr = value;
1128 break;
1129
1130 case sHostKeyFile:
1131 intptr = &options->num_host_key_files;
1132 if (*intptr >= MAX_HOSTKEYS)
1133 fatal("%s line %d: too many host keys specified (max %d).",
1134 filename, linenum, MAX_HOSTKEYS);
1135 charptr = &options->host_key_files[*intptr];
1136 parse_filename:
1137 arg = strdelim(&cp);
1138 if (!arg || *arg == '\0')
1139 fatal("%s line %d: missing file name.",
1140 filename, linenum);
1141 if (*activep && *charptr == NULL) {
1142 *charptr = derelativise_path(arg);
1143 /* increase optional counter */
1144 if (intptr != NULL)
1145 *intptr = *intptr + 1;
1146 }
1147 break;
1148
1149 case sHostKeyAgent:
1150 charptr = &options->host_key_agent;
1151 arg = strdelim(&cp);
1152 if (!arg || *arg == '\0')
1153 fatal("%s line %d: missing socket name.",
1154 filename, linenum);
1155 if (*activep && *charptr == NULL)
1156 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1157 xstrdup(arg) : derelativise_path(arg);
1158 break;
1159
1160 case sHostCertificate:
1161 intptr = &options->num_host_cert_files;
1162 if (*intptr >= MAX_HOSTKEYS)
1163 fatal("%s line %d: too many host certificates "
1164 "specified (max %d).", filename, linenum,
1165 MAX_HOSTCERTS);
1166 charptr = &options->host_cert_files[*intptr];
1167 goto parse_filename;
1168
1169 case sPidFile:
1170 charptr = &options->pid_file;
1171 goto parse_filename;
1172
1173 case sPermitRootLogin:
1174 intptr = &options->permit_root_login;
1175 multistate_ptr = multistate_permitrootlogin;
1176 goto parse_multistate;
1177
1178 case sIgnoreRhosts:
1179 intptr = &options->ignore_rhosts;
1180 parse_flag:
1181 arg = strdelim(&cp);
1182 if (!arg || *arg == '\0')
1183 fatal("%s line %d: missing yes/no argument.",
1184 filename, linenum);
1185 value = 0; /* silence compiler */
1186 if (strcmp(arg, "yes") == 0)
1187 value = 1;
1188 else if (strcmp(arg, "no") == 0)
1189 value = 0;
1190 else
1191 fatal("%s line %d: Bad yes/no argument: %s",
1192 filename, linenum, arg);
1193 if (*activep && *intptr == -1)
1194 *intptr = value;
1195 break;
1196
1197 case sIgnoreUserKnownHosts:
1198 intptr = &options->ignore_user_known_hosts;
1199 goto parse_flag;
1200
1201 case sHostbasedAuthentication:
1202 intptr = &options->hostbased_authentication;
1203 goto parse_flag;
1204
1205 case sHostbasedUsesNameFromPacketOnly:
1206 intptr = &options->hostbased_uses_name_from_packet_only;
1207 goto parse_flag;
1208
1209 case sHostbasedAcceptedKeyTypes:
1210 charptr = &options->hostbased_key_types;
1211 parse_keytypes:
1212 arg = strdelim(&cp);
1213 if (!arg || *arg == '\0')
1214 fatal("%s line %d: Missing argument.",
1215 filename, linenum);
1216 if (*arg != '-' &&
1217 !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1218 fatal("%s line %d: Bad key types '%s'.",
1219 filename, linenum, arg ? arg : "<NONE>");
1220 if (*activep && *charptr == NULL)
1221 *charptr = xstrdup(arg);
1222 break;
1223
1224 case sHostKeyAlgorithms:
1225 charptr = &options->hostkeyalgorithms;
1226 goto parse_keytypes;
1227
1228 case sPubkeyAuthentication:
1229 intptr = &options->pubkey_authentication;
1230 goto parse_flag;
1231
1232 case sPubkeyAcceptedKeyTypes:
1233 charptr = &options->pubkey_key_types;
1234 goto parse_keytypes;
1235
1236 case sKerberosAuthentication:
1237 intptr = &options->kerberos_authentication;
1238 goto parse_flag;
1239
1240 case sKerberosOrLocalPasswd:
1241 intptr = &options->kerberos_or_local_passwd;
1242 goto parse_flag;
1243
1244 case sKerberosTicketCleanup:
1245 intptr = &options->kerberos_ticket_cleanup;
1246 goto parse_flag;
1247
1248 case sKerberosGetAFSToken:
1249 intptr = &options->kerberos_get_afs_token;
1250 goto parse_flag;
1251
1252 case sGssAuthentication:
1253 intptr = &options->gss_authentication;
1254 goto parse_flag;
1255
1256 case sGssCleanupCreds:
1257 intptr = &options->gss_cleanup_creds;
1258 goto parse_flag;
1259
1260 case sGssStrictAcceptor:
1261 intptr = &options->gss_strict_acceptor;
1262 goto parse_flag;
1263
1264 case sPasswordAuthentication:
1265 intptr = &options->password_authentication;
1266 goto parse_flag;
1267
1268 case sKbdInteractiveAuthentication:
1269 intptr = &options->kbd_interactive_authentication;
1270 goto parse_flag;
1271
1272 case sChallengeResponseAuthentication:
1273 intptr = &options->challenge_response_authentication;
1274 goto parse_flag;
1275
1276 case sPrintMotd:
1277 intptr = &options->print_motd;
1278 goto parse_flag;
1279
1280 case sPrintLastLog:
1281 intptr = &options->print_lastlog;
1282 goto parse_flag;
1283
1284 case sX11Forwarding:
1285 intptr = &options->x11_forwarding;
1286 goto parse_flag;
1287
1288 case sX11DisplayOffset:
1289 intptr = &options->x11_display_offset;
1290 parse_int:
1291 arg = strdelim(&cp);
1292 if (!arg || *arg == '\0')
1293 fatal("%s line %d: missing integer value.",
1294 filename, linenum);
1295 value = atoi(arg);
1296 if (*activep && *intptr == -1)
1297 *intptr = value;
1298 break;
1299
1300 case sX11UseLocalhost:
1301 intptr = &options->x11_use_localhost;
1302 goto parse_flag;
1303
1304 case sXAuthLocation:
1305 charptr = &options->xauth_location;
1306 goto parse_filename;
1307
1308 case sPermitTTY:
1309 intptr = &options->permit_tty;
1310 goto parse_flag;
1311
1312 case sPermitUserRC:
1313 intptr = &options->permit_user_rc;
1314 goto parse_flag;
1315
1316 case sStrictModes:
1317 intptr = &options->strict_modes;
1318 goto parse_flag;
1319
1320 case sTCPKeepAlive:
1321 intptr = &options->tcp_keep_alive;
1322 goto parse_flag;
1323
1324 case sEmptyPasswd:
1325 intptr = &options->permit_empty_passwd;
1326 goto parse_flag;
1327
1328 case sPermitUserEnvironment:
1329 intptr = &options->permit_user_env;
1330 goto parse_flag;
1331
1332 case sCompression:
1333 intptr = &options->compression;
1334 multistate_ptr = multistate_compression;
1335 goto parse_multistate;
1336
1337 case sRekeyLimit:
1338 arg = strdelim(&cp);
1339 if (!arg || *arg == '\0')
1340 fatal("%.200s line %d: Missing argument.", filename,
1341 linenum);
1342 if (strcmp(arg, "default") == 0) {
1343 val64 = 0;
1344 } else {
1345 if (scan_scaled(arg, &val64) == -1)
1346 fatal("%.200s line %d: Bad number '%s': %s",
1347 filename, linenum, arg, strerror(errno));
1348 if (val64 != 0 && val64 < 16)
1349 fatal("%.200s line %d: RekeyLimit too small",
1350 filename, linenum);
1351 }
1352 if (*activep && options->rekey_limit == -1)
1353 options->rekey_limit = val64;
1354 if (cp != NULL) { /* optional rekey interval present */
1355 if (strcmp(cp, "none") == 0) {
1356 (void)strdelim(&cp); /* discard */
1357 break;
1358 }
1359 intptr = &options->rekey_interval;
1360 goto parse_time;
1361 }
1362 break;
1363
1364 case sGatewayPorts:
1365 intptr = &options->fwd_opts.gateway_ports;
1366 multistate_ptr = multistate_gatewayports;
1367 goto parse_multistate;
1368
1369 case sUseDNS:
1370 intptr = &options->use_dns;
1371 goto parse_flag;
1372
1373 case sLogFacility:
1374 log_facility_ptr = &options->log_facility;
1375 arg = strdelim(&cp);
1376 value = log_facility_number(arg);
1377 if (value == SYSLOG_FACILITY_NOT_SET)
1378 fatal("%.200s line %d: unsupported log facility '%s'",
1379 filename, linenum, arg ? arg : "<NONE>");
1380 if (*log_facility_ptr == -1)
1381 *log_facility_ptr = (SyslogFacility) value;
1382 break;
1383
1384 case sLogLevel:
1385 log_level_ptr = &options->log_level;
1386 arg = strdelim(&cp);
1387 value = log_level_number(arg);
1388 if (value == SYSLOG_LEVEL_NOT_SET)
1389 fatal("%.200s line %d: unsupported log level '%s'",
1390 filename, linenum, arg ? arg : "<NONE>");
1391 if (*activep && *log_level_ptr == -1)
1392 *log_level_ptr = (LogLevel) value;
1393 break;
1394
1395 case sAllowTcpForwarding:
1396 intptr = &options->allow_tcp_forwarding;
1397 multistate_ptr = multistate_tcpfwd;
1398 goto parse_multistate;
1399
1400 case sAllowStreamLocalForwarding:
1401 intptr = &options->allow_streamlocal_forwarding;
1402 multistate_ptr = multistate_tcpfwd;
1403 goto parse_multistate;
1404
1405 case sAllowAgentForwarding:
1406 intptr = &options->allow_agent_forwarding;
1407 goto parse_flag;
1408
1409 case sDisableForwarding:
1410 intptr = &options->disable_forwarding;
1411 goto parse_flag;
1412
1413 case sAllowUsers:
1414 while ((arg = strdelim(&cp)) && *arg != '\0') {
1415 if (options->num_allow_users >= MAX_ALLOW_USERS)
1416 fatal("%s line %d: too many allow users.",
1417 filename, linenum);
1418 if (match_user(NULL, NULL, NULL, arg) == -1)
1419 fatal("%s line %d: invalid AllowUsers pattern: "
1420 "\"%.100s\"", filename, linenum, arg);
1421 if (!*activep)
1422 continue;
1423 options->allow_users[options->num_allow_users++] =
1424 xstrdup(arg);
1425 }
1426 break;
1427
1428 case sDenyUsers:
1429 while ((arg = strdelim(&cp)) && *arg != '\0') {
1430 if (options->num_deny_users >= MAX_DENY_USERS)
1431 fatal("%s line %d: too many deny users.",
1432 filename, linenum);
1433 if (match_user(NULL, NULL, NULL, arg) == -1)
1434 fatal("%s line %d: invalid DenyUsers pattern: "
1435 "\"%.100s\"", filename, linenum, arg);
1436 if (!*activep)
1437 continue;
1438 options->deny_users[options->num_deny_users++] =
1439 xstrdup(arg);
1440 }
1441 break;
1442
1443 case sAllowGroups:
1444 while ((arg = strdelim(&cp)) && *arg != '\0') {
1445 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1446 fatal("%s line %d: too many allow groups.",
1447 filename, linenum);
1448 if (!*activep)
1449 continue;
1450 options->allow_groups[options->num_allow_groups++] =
1451 xstrdup(arg);
1452 }
1453 break;
1454
1455 case sDenyGroups:
1456 while ((arg = strdelim(&cp)) && *arg != '\0') {
1457 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1458 fatal("%s line %d: too many deny groups.",
1459 filename, linenum);
1460 if (!*activep)
1461 continue;
1462 options->deny_groups[options->num_deny_groups++] =
1463 xstrdup(arg);
1464 }
1465 break;
1466
1467 case sCiphers:
1468 arg = strdelim(&cp);
1469 if (!arg || *arg == '\0')
1470 fatal("%s line %d: Missing argument.", filename, linenum);
1471 if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
1472 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1473 filename, linenum, arg ? arg : "<NONE>");
1474 if (options->ciphers == NULL)
1475 options->ciphers = xstrdup(arg);
1476 break;
1477
1478 case sMacs:
1479 arg = strdelim(&cp);
1480 if (!arg || *arg == '\0')
1481 fatal("%s line %d: Missing argument.", filename, linenum);
1482 if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
1483 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1484 filename, linenum, arg ? arg : "<NONE>");
1485 if (options->macs == NULL)
1486 options->macs = xstrdup(arg);
1487 break;
1488
1489 case sKexAlgorithms:
1490 arg = strdelim(&cp);
1491 if (!arg || *arg == '\0')
1492 fatal("%s line %d: Missing argument.",
1493 filename, linenum);
1494 if (*arg != '-' &&
1495 !kex_names_valid(*arg == '+' ? arg + 1 : arg))
1496 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1497 filename, linenum, arg ? arg : "<NONE>");
1498 if (options->kex_algorithms == NULL)
1499 options->kex_algorithms = xstrdup(arg);
1500 break;
1501
1502 case sSubsystem:
1503 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1504 fatal("%s line %d: too many subsystems defined.",
1505 filename, linenum);
1506 }
1507 arg = strdelim(&cp);
1508 if (!arg || *arg == '\0')
1509 fatal("%s line %d: Missing subsystem name.",
1510 filename, linenum);
1511 if (!*activep) {
1512 arg = strdelim(&cp);
1513 break;
1514 }
1515 for (i = 0; i < options->num_subsystems; i++)
1516 if (strcmp(arg, options->subsystem_name[i]) == 0)
1517 fatal("%s line %d: Subsystem '%s' already defined.",
1518 filename, linenum, arg);
1519 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1520 arg = strdelim(&cp);
1521 if (!arg || *arg == '\0')
1522 fatal("%s line %d: Missing subsystem command.",
1523 filename, linenum);
1524 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1525
1526 /* Collect arguments (separate to executable) */
1527 p = xstrdup(arg);
1528 len = strlen(p) + 1;
1529 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1530 len += 1 + strlen(arg);
1531 p = xreallocarray(p, 1, len);
1532 strlcat(p, " ", len);
1533 strlcat(p, arg, len);
1534 }
1535 options->subsystem_args[options->num_subsystems] = p;
1536 options->num_subsystems++;
1537 break;
1538
1539 case sMaxStartups:
1540 arg = strdelim(&cp);
1541 if (!arg || *arg == '\0')
1542 fatal("%s line %d: Missing MaxStartups spec.",
1543 filename, linenum);
1544 if ((n = sscanf(arg, "%d:%d:%d",
1545 &options->max_startups_begin,
1546 &options->max_startups_rate,
1547 &options->max_startups)) == 3) {
1548 if (options->max_startups_begin >
1549 options->max_startups ||
1550 options->max_startups_rate > 100 ||
1551 options->max_startups_rate < 1)
1552 fatal("%s line %d: Illegal MaxStartups spec.",
1553 filename, linenum);
1554 } else if (n != 1)
1555 fatal("%s line %d: Illegal MaxStartups spec.",
1556 filename, linenum);
1557 else
1558 options->max_startups = options->max_startups_begin;
1559 break;
1560
1561 case sMaxAuthTries:
1562 intptr = &options->max_authtries;
1563 goto parse_int;
1564
1565 case sMaxSessions:
1566 intptr = &options->max_sessions;
1567 goto parse_int;
1568
1569 case sBanner:
1570 charptr = &options->banner;
1571 goto parse_filename;
1572
1573 /*
1574 * These options can contain %X options expanded at
1575 * connect time, so that you can specify paths like:
1576 *
1577 * AuthorizedKeysFile /etc/ssh_keys/%u
1578 */
1579 case sAuthorizedKeysFile:
1580 if (*activep && options->num_authkeys_files == 0) {
1581 while ((arg = strdelim(&cp)) && *arg != '\0') {
1582 if (options->num_authkeys_files >=
1583 MAX_AUTHKEYS_FILES)
1584 fatal("%s line %d: "
1585 "too many authorized keys files.",
1586 filename, linenum);
1587 options->authorized_keys_files[
1588 options->num_authkeys_files++] =
1589 tilde_expand_filename(arg, getuid());
1590 }
1591 }
1592 return 0;
1593
1594 case sAuthorizedPrincipalsFile:
1595 charptr = &options->authorized_principals_file;
1596 arg = strdelim(&cp);
1597 if (!arg || *arg == '\0')
1598 fatal("%s line %d: missing file name.",
1599 filename, linenum);
1600 if (*activep && *charptr == NULL) {
1601 *charptr = tilde_expand_filename(arg, getuid());
1602 /* increase optional counter */
1603 if (intptr != NULL)
1604 *intptr = *intptr + 1;
1605 }
1606 break;
1607
1608 case sClientAliveInterval:
1609 intptr = &options->client_alive_interval;
1610 goto parse_time;
1611
1612 case sClientAliveCountMax:
1613 intptr = &options->client_alive_count_max;
1614 goto parse_int;
1615
1616 case sAcceptEnv:
1617 while ((arg = strdelim(&cp)) && *arg != '\0') {
1618 if (strchr(arg, '=') != NULL)
1619 fatal("%s line %d: Invalid environment name.",
1620 filename, linenum);
1621 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1622 fatal("%s line %d: too many allow env.",
1623 filename, linenum);
1624 if (!*activep)
1625 continue;
1626 options->accept_env[options->num_accept_env++] =
1627 xstrdup(arg);
1628 }
1629 break;
1630
1631 case sPermitTunnel:
1632 intptr = &options->permit_tun;
1633 arg = strdelim(&cp);
1634 if (!arg || *arg == '\0')
1635 fatal("%s line %d: Missing yes/point-to-point/"
1636 "ethernet/no argument.", filename, linenum);
1637 value = -1;
1638 for (i = 0; tunmode_desc[i].val != -1; i++)
1639 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1640 value = tunmode_desc[i].val;
1641 break;
1642 }
1643 if (value == -1)
1644 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1645 "no argument: %s", filename, linenum, arg);
1646 if (*activep && *intptr == -1)
1647 *intptr = value;
1648 break;
1649
1650 case sMatch:
1651 if (cmdline)
1652 fatal("Match directive not supported as a command-line "
1653 "option");
1654 value = match_cfg_line(&cp, linenum, connectinfo);
1655 if (value < 0)
1656 fatal("%s line %d: Bad Match condition", filename,
1657 linenum);
1658 *activep = value;
1659 break;
1660
1661 case sPermitOpen:
1662 arg = strdelim(&cp);
1663 if (!arg || *arg == '\0')
1664 fatal("%s line %d: missing PermitOpen specification",
1665 filename, linenum);
1666 value = options->num_permitted_opens; /* modified later */
1667 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
1668 if (*activep && value == 0) {
1669 options->num_permitted_opens = 1;
1670 options->permitted_opens = xcalloc(1,
1671 sizeof(*options->permitted_opens));
1672 options->permitted_opens[0] = xstrdup(arg);
1673 }
1674 break;
1675 }
1676 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1677 arg2 = xstrdup(arg);
1678 p = hpdelim(&arg);
1679 if (p == NULL)
1680 fatal("%s line %d: missing host in PermitOpen",
1681 filename, linenum);
1682 p = cleanhostname(p);
1683 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1684 fatal("%s line %d: bad port number in "
1685 "PermitOpen", filename, linenum);
1686 if (*activep && value == 0) {
1687 options->permitted_opens = xrecallocarray(
1688 options->permitted_opens,
1689 options->num_permitted_opens,
1690 options->num_permitted_opens + 1,
1691 sizeof(*options->permitted_opens));
1692 i = options->num_permitted_opens++;
1693 options->permitted_opens[i] = arg2;
1694 } else
1695 free(arg2);
1696 }
1697 break;
1698
1699 case sForceCommand:
1700 if (cp == NULL || *cp == '\0')
1701 fatal("%.200s line %d: Missing argument.", filename,
1702 linenum);
1703 len = strspn(cp, WHITESPACE);
1704 if (*activep && options->adm_forced_command == NULL)
1705 options->adm_forced_command = xstrdup(cp + len);
1706 return 0;
1707
1708 case sChrootDirectory:
1709 charptr = &options->chroot_directory;
1710
1711 arg = strdelim(&cp);
1712 if (!arg || *arg == '\0')
1713 fatal("%s line %d: missing file name.",
1714 filename, linenum);
1715 if (*activep && *charptr == NULL)
1716 *charptr = xstrdup(arg);
1717 break;
1718
1719 case sTrustedUserCAKeys:
1720 charptr = &options->trusted_user_ca_keys;
1721 goto parse_filename;
1722
1723 case sRevokedKeys:
1724 charptr = &options->revoked_keys_file;
1725 goto parse_filename;
1726
1727 case sIPQoS:
1728 arg = strdelim(&cp);
1729 if ((value = parse_ipqos(arg)) == -1)
1730 fatal("%s line %d: Bad IPQoS value: %s",
1731 filename, linenum, arg);
1732 arg = strdelim(&cp);
1733 if (arg == NULL)
1734 value2 = value;
1735 else if ((value2 = parse_ipqos(arg)) == -1)
1736 fatal("%s line %d: Bad IPQoS value: %s",
1737 filename, linenum, arg);
1738 if (*activep) {
1739 options->ip_qos_interactive = value;
1740 options->ip_qos_bulk = value2;
1741 }
1742 break;
1743
1744 case sVersionAddendum:
1745 if (cp == NULL || *cp == '\0')
1746 fatal("%.200s line %d: Missing argument.", filename,
1747 linenum);
1748 len = strspn(cp, WHITESPACE);
1749 if (*activep && options->version_addendum == NULL) {
1750 if (strcasecmp(cp + len, "none") == 0)
1751 options->version_addendum = xstrdup("");
1752 else if (strchr(cp + len, '\r') != NULL)
1753 fatal("%.200s line %d: Invalid argument",
1754 filename, linenum);
1755 else
1756 options->version_addendum = xstrdup(cp + len);
1757 }
1758 return 0;
1759
1760 case sAuthorizedKeysCommand:
1761 if (cp == NULL)
1762 fatal("%.200s line %d: Missing argument.", filename,
1763 linenum);
1764 len = strspn(cp, WHITESPACE);
1765 if (*activep && options->authorized_keys_command == NULL) {
1766 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1767 fatal("%.200s line %d: AuthorizedKeysCommand "
1768 "must be an absolute path",
1769 filename, linenum);
1770 options->authorized_keys_command = xstrdup(cp + len);
1771 }
1772 return 0;
1773
1774 case sAuthorizedKeysCommandUser:
1775 charptr = &options->authorized_keys_command_user;
1776
1777 arg = strdelim(&cp);
1778 if (!arg || *arg == '\0')
1779 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1780 "argument.", filename, linenum);
1781 if (*activep && *charptr == NULL)
1782 *charptr = xstrdup(arg);
1783 break;
1784
1785 case sAuthorizedPrincipalsCommand:
1786 if (cp == NULL)
1787 fatal("%.200s line %d: Missing argument.", filename,
1788 linenum);
1789 len = strspn(cp, WHITESPACE);
1790 if (*activep &&
1791 options->authorized_principals_command == NULL) {
1792 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1793 fatal("%.200s line %d: "
1794 "AuthorizedPrincipalsCommand must be "
1795 "an absolute path", filename, linenum);
1796 options->authorized_principals_command =
1797 xstrdup(cp + len);
1798 }
1799 return 0;
1800
1801 case sAuthorizedPrincipalsCommandUser:
1802 charptr = &options->authorized_principals_command_user;
1803
1804 arg = strdelim(&cp);
1805 if (!arg || *arg == '\0')
1806 fatal("%s line %d: missing "
1807 "AuthorizedPrincipalsCommandUser argument.",
1808 filename, linenum);
1809 if (*activep && *charptr == NULL)
1810 *charptr = xstrdup(arg);
1811 break;
1812
1813 case sAuthenticationMethods:
1814 if (options->num_auth_methods == 0) {
1815 value = 0; /* seen "any" pseudo-method */
1816 value2 = 0; /* sucessfully parsed any method */
1817 while ((arg = strdelim(&cp)) && *arg != '\0') {
1818 if (options->num_auth_methods >=
1819 MAX_AUTH_METHODS)
1820 fatal("%s line %d: "
1821 "too many authentication methods.",
1822 filename, linenum);
1823 if (strcmp(arg, "any") == 0) {
1824 if (options->num_auth_methods > 0) {
1825 fatal("%s line %d: \"any\" "
1826 "must appear alone in "
1827 "AuthenticationMethods",
1828 filename, linenum);
1829 }
1830 value = 1;
1831 } else if (value) {
1832 fatal("%s line %d: \"any\" must appear "
1833 "alone in AuthenticationMethods",
1834 filename, linenum);
1835 } else if (auth2_methods_valid(arg, 0) != 0) {
1836 fatal("%s line %d: invalid "
1837 "authentication method list.",
1838 filename, linenum);
1839 }
1840 value2 = 1;
1841 if (!*activep)
1842 continue;
1843 options->auth_methods[
1844 options->num_auth_methods++] = xstrdup(arg);
1845 }
1846 if (value2 == 0) {
1847 fatal("%s line %d: no AuthenticationMethods "
1848 "specified", filename, linenum);
1849 }
1850 }
1851 return 0;
1852
1853 case sStreamLocalBindMask:
1854 arg = strdelim(&cp);
1855 if (!arg || *arg == '\0')
1856 fatal("%s line %d: missing StreamLocalBindMask "
1857 "argument.", filename, linenum);
1858 /* Parse mode in octal format */
1859 value = strtol(arg, &p, 8);
1860 if (arg == p || value < 0 || value > 0777)
1861 fatal("%s line %d: Bad mask.", filename, linenum);
1862 if (*activep)
1863 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1864 break;
1865
1866 case sStreamLocalBindUnlink:
1867 intptr = &options->fwd_opts.streamlocal_bind_unlink;
1868 goto parse_flag;
1869
1870 case sFingerprintHash:
1871 arg = strdelim(&cp);
1872 if (!arg || *arg == '\0')
1873 fatal("%.200s line %d: Missing argument.",
1874 filename, linenum);
1875 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1876 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1877 filename, linenum, arg);
1878 if (*activep)
1879 options->fingerprint_hash = value;
1880 break;
1881
1882 case sExposeAuthInfo:
1883 intptr = &options->expose_userauth_info;
1884 goto parse_flag;
1885
1886 case sDeprecated:
1887 case sIgnore:
1888 case sUnsupported:
1889 do_log2(opcode == sIgnore ?
1890 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
1891 "%s line %d: %s option %s", filename, linenum,
1892 opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
1893 while (arg)
1894 arg = strdelim(&cp);
1895 break;
1896
1897 default:
1898 fatal("%s line %d: Missing handler for opcode %s (%d)",
1899 filename, linenum, arg, opcode);
1900 }
1901 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1902 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1903 filename, linenum, arg);
1904 return 0;
1905 }
1906
1907 /* Reads the server configuration file. */
1908
1909 void
1910 load_server_config(const char *filename, Buffer *conf)
1911 {
1912 char line[4096], *cp;
1913 FILE *f;
1914 int lineno = 0;
1915
1916 debug2("%s: filename %s", __func__, filename);
1917 if ((f = fopen(filename, "r")) == NULL) {
1918 perror(filename);
1919 exit(1);
1920 }
1921 buffer_clear(conf);
1922 while (fgets(line, sizeof(line), f)) {
1923 lineno++;
1924 if (strlen(line) == sizeof(line) - 1)
1925 fatal("%s line %d too long", filename, lineno);
1926 /*
1927 * Trim out comments and strip whitespace
1928 * NB - preserve newlines, they are needed to reproduce
1929 * line numbers later for error messages
1930 */
1931 if ((cp = strchr(line, '#')) != NULL)
1932 memcpy(cp, "\n", 2);
1933 cp = line + strspn(line, " \t\r");
1934
1935 buffer_append(conf, cp, strlen(cp));
1936 }
1937 buffer_append(conf, "\0", 1);
1938 fclose(f);
1939 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1940 }
1941
1942 void
1943 parse_server_match_config(ServerOptions *options,
1944 struct connection_info *connectinfo)
1945 {
1946 ServerOptions mo;
1947
1948 initialize_server_options(&mo);
1949 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1950 copy_set_server_options(options, &mo, 0);
1951 }
1952
1953 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1954 {
1955 char *p;
1956
1957 while ((p = strsep(&spec, ",")) && *p != '\0') {
1958 if (strncmp(p, "addr=", 5) == 0) {
1959 ci->address = xstrdup(p + 5);
1960 } else if (strncmp(p, "host=", 5) == 0) {
1961 ci->host = xstrdup(p + 5);
1962 } else if (strncmp(p, "user=", 5) == 0) {
1963 ci->user = xstrdup(p + 5);
1964 } else if (strncmp(p, "laddr=", 6) == 0) {
1965 ci->laddress = xstrdup(p + 6);
1966 } else if (strncmp(p, "lport=", 6) == 0) {
1967 ci->lport = a2port(p + 6);
1968 if (ci->lport == -1) {
1969 fprintf(stderr, "Invalid port '%s' in test mode"
1970 " specification %s\n", p+6, p);
1971 return -1;
1972 }
1973 } else {
1974 fprintf(stderr, "Invalid test mode specification %s\n",
1975 p);
1976 return -1;
1977 }
1978 }
1979 return 0;
1980 }
1981
1982 /*
1983 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1984 * empty spec.
1985 */
1986 int server_match_spec_complete(struct connection_info *ci)
1987 {
1988 if (ci->user && ci->host && ci->address)
1989 return 1; /* complete */
1990 if (!ci->user && !ci->host && !ci->address)
1991 return -1; /* empty */
1992 return 0; /* partial */
1993 }
1994
1995 /*
1996 * Copy any supported values that are set.
1997 *
1998 * If the preauth flag is set, we do not bother copying the string or
1999 * array values that are not used pre-authentication, because any that we
2000 * do use must be explictly sent in mm_getpwnamallow().
2001 */
2002 void
2003 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2004 {
2005 #define M_CP_INTOPT(n) do {\
2006 if (src->n != -1) \
2007 dst->n = src->n; \
2008 } while (0)
2009
2010 M_CP_INTOPT(password_authentication);
2011 M_CP_INTOPT(gss_authentication);
2012 M_CP_INTOPT(pubkey_authentication);
2013 M_CP_INTOPT(kerberos_authentication);
2014 M_CP_INTOPT(hostbased_authentication);
2015 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2016 M_CP_INTOPT(kbd_interactive_authentication);
2017 M_CP_INTOPT(permit_root_login);
2018 M_CP_INTOPT(permit_empty_passwd);
2019
2020 M_CP_INTOPT(allow_tcp_forwarding);
2021 M_CP_INTOPT(allow_streamlocal_forwarding);
2022 M_CP_INTOPT(allow_agent_forwarding);
2023 M_CP_INTOPT(disable_forwarding);
2024 M_CP_INTOPT(expose_userauth_info);
2025 M_CP_INTOPT(permit_tun);
2026 M_CP_INTOPT(fwd_opts.gateway_ports);
2027 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2028 M_CP_INTOPT(x11_display_offset);
2029 M_CP_INTOPT(x11_forwarding);
2030 M_CP_INTOPT(x11_use_localhost);
2031 M_CP_INTOPT(permit_tty);
2032 M_CP_INTOPT(permit_user_rc);
2033 M_CP_INTOPT(max_sessions);
2034 M_CP_INTOPT(max_authtries);
2035 M_CP_INTOPT(client_alive_count_max);
2036 M_CP_INTOPT(client_alive_interval);
2037 M_CP_INTOPT(ip_qos_interactive);
2038 M_CP_INTOPT(ip_qos_bulk);
2039 M_CP_INTOPT(rekey_limit);
2040 M_CP_INTOPT(rekey_interval);
2041 M_CP_INTOPT(log_level);
2042
2043 /*
2044 * The bind_mask is a mode_t that may be unsigned, so we can't use
2045 * M_CP_INTOPT - it does a signed comparison that causes compiler
2046 * warnings.
2047 */
2048 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2049 dst->fwd_opts.streamlocal_bind_mask =
2050 src->fwd_opts.streamlocal_bind_mask;
2051 }
2052
2053 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2054 #define M_CP_STROPT(n) do {\
2055 if (src->n != NULL && dst->n != src->n) { \
2056 free(dst->n); \
2057 dst->n = src->n; \
2058 } \
2059 } while(0)
2060 #define M_CP_STRARRAYOPT(n, num_n) do {\
2061 if (src->num_n != 0) { \
2062 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2063 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2064 } \
2065 } while(0)
2066 #define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \
2067 if (src->num_n != 0) { \
2068 dst->n = xcalloc(src->num_n, sizeof(*dst->n)); \
2069 M_CP_STRARRAYOPT(n, num_n); \
2070 dst->num_n = src->num_n; \
2071 } \
2072 } while(0)
2073
2074 /* See comment in servconf.h */
2075 COPY_MATCH_STRING_OPTS();
2076
2077 /* Arguments that accept '+...' need to be expanded */
2078 assemble_algorithms(dst);
2079
2080 /*
2081 * The only things that should be below this point are string options
2082 * which are only used after authentication.
2083 */
2084 if (preauth)
2085 return;
2086
2087 /* These options may be "none" to clear a global setting */
2088 M_CP_STROPT(adm_forced_command);
2089 if (option_clear_or_none(dst->adm_forced_command)) {
2090 free(dst->adm_forced_command);
2091 dst->adm_forced_command = NULL;
2092 }
2093 M_CP_STROPT(chroot_directory);
2094 if (option_clear_or_none(dst->chroot_directory)) {
2095 free(dst->chroot_directory);
2096 dst->chroot_directory = NULL;
2097 }
2098 }
2099
2100 #undef M_CP_INTOPT
2101 #undef M_CP_STROPT
2102 #undef M_CP_STRARRAYOPT
2103 #undef M_CP_STRARRAYOPT_ALLOC
2104
2105 void
2106 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2107 struct connection_info *connectinfo)
2108 {
2109 int active, linenum, bad_options = 0;
2110 char *cp, *obuf, *cbuf;
2111
2112 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2113
2114 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2115 fatal("%s: sshbuf_dup_string failed", __func__);
2116 active = connectinfo ? 0 : 1;
2117 linenum = 1;
2118 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2119 if (process_server_config_line(options, cp, filename,
2120 linenum++, &active, connectinfo) != 0)
2121 bad_options++;
2122 }
2123 free(obuf);
2124 if (bad_options > 0)
2125 fatal("%s: terminating, %d bad configuration options",
2126 filename, bad_options);
2127 process_queued_listen_addrs(options);
2128 }
2129
2130 static const char *
2131 fmt_multistate_int(int val, const struct multistate *m)
2132 {
2133 u_int i;
2134
2135 for (i = 0; m[i].key != NULL; i++) {
2136 if (m[i].value == val)
2137 return m[i].key;
2138 }
2139 return "UNKNOWN";
2140 }
2141
2142 static const char *
2143 fmt_intarg(ServerOpCodes code, int val)
2144 {
2145 if (val == -1)
2146 return "unset";
2147 switch (code) {
2148 case sAddressFamily:
2149 return fmt_multistate_int(val, multistate_addressfamily);
2150 case sPermitRootLogin:
2151 return fmt_multistate_int(val, multistate_permitrootlogin);
2152 case sGatewayPorts:
2153 return fmt_multistate_int(val, multistate_gatewayports);
2154 case sCompression:
2155 return fmt_multistate_int(val, multistate_compression);
2156 case sAllowTcpForwarding:
2157 return fmt_multistate_int(val, multistate_tcpfwd);
2158 case sAllowStreamLocalForwarding:
2159 return fmt_multistate_int(val, multistate_tcpfwd);
2160 case sFingerprintHash:
2161 return ssh_digest_alg_name(val);
2162 default:
2163 switch (val) {
2164 case 0:
2165 return "no";
2166 case 1:
2167 return "yes";
2168 default:
2169 return "UNKNOWN";
2170 }
2171 }
2172 }
2173
2174 static const char *
2175 lookup_opcode_name(ServerOpCodes code)
2176 {
2177 u_int i;
2178
2179 for (i = 0; keywords[i].name != NULL; i++)
2180 if (keywords[i].opcode == code)
2181 return(keywords[i].name);
2182 return "UNKNOWN";
2183 }
2184
2185 static void
2186 dump_cfg_int(ServerOpCodes code, int val)
2187 {
2188 printf("%s %d\n", lookup_opcode_name(code), val);
2189 }
2190
2191 static void
2192 dump_cfg_oct(ServerOpCodes code, int val)
2193 {
2194 printf("%s 0%o\n", lookup_opcode_name(code), val);
2195 }
2196
2197 static void
2198 dump_cfg_fmtint(ServerOpCodes code, int val)
2199 {
2200 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2201 }
2202
2203 static void
2204 dump_cfg_string(ServerOpCodes code, const char *val)
2205 {
2206 printf("%s %s\n", lookup_opcode_name(code),
2207 val == NULL ? "none" : val);
2208 }
2209
2210 static void
2211 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2212 {
2213 u_int i;
2214
2215 for (i = 0; i < count; i++)
2216 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2217 }
2218
2219 static void
2220 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2221 {
2222 u_int i;
2223
2224 if (count <= 0 && code != sAuthenticationMethods)
2225 return;
2226 printf("%s", lookup_opcode_name(code));
2227 for (i = 0; i < count; i++)
2228 printf(" %s", vals[i]);
2229 if (code == sAuthenticationMethods && count == 0)
2230 printf(" any");
2231 printf("\n");
2232 }
2233
2234 void
2235 dump_config(ServerOptions *o)
2236 {
2237 u_int i;
2238 int ret;
2239 struct addrinfo *ai;
2240 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2241 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2242
2243 /* these are usually at the top of the config */
2244 for (i = 0; i < o->num_ports; i++)
2245 printf("port %d\n", o->ports[i]);
2246 dump_cfg_fmtint(sAddressFamily, o->address_family);
2247
2248 /*
2249 * ListenAddress must be after Port. add_one_listen_addr pushes
2250 * addresses onto a stack, so to maintain ordering we need to
2251 * print these in reverse order.
2252 */
2253 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2254 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2255 sizeof(addr), port, sizeof(port),
2256 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2257 error("getnameinfo failed: %.100s",
2258 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2259 strerror(errno));
2260 } else {
2261 laddr2 = laddr1;
2262 if (ai->ai_family == AF_INET6)
2263 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2264 addr, port, laddr2);
2265 else
2266 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2267 addr, port, laddr2);
2268 free(laddr2);
2269 }
2270 }
2271 printf("%s", laddr1);
2272 free(laddr1);
2273
2274 /* integer arguments */
2275 #ifdef USE_PAM
2276 dump_cfg_fmtint(sUsePAM, o->use_pam);
2277 #endif
2278 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2279 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2280 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2281 dump_cfg_int(sMaxSessions, o->max_sessions);
2282 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2283 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2284 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2285
2286 /* formatted integer arguments */
2287 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2288 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2289 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2290 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2291 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2292 o->hostbased_uses_name_from_packet_only);
2293 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2294 #ifdef KRB5
2295 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2296 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2297 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2298 # ifdef USE_AFS
2299 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2300 # endif
2301 #endif
2302 #ifdef GSSAPI
2303 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2304 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2305 #endif
2306 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2307 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2308 o->kbd_interactive_authentication);
2309 dump_cfg_fmtint(sChallengeResponseAuthentication,
2310 o->challenge_response_authentication);
2311 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2312 #ifndef DISABLE_LASTLOG
2313 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2314 #endif
2315 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2316 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2317 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2318 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2319 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2320 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2321 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2322 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2323 dump_cfg_fmtint(sCompression, o->compression);
2324 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2325 dump_cfg_fmtint(sUseDNS, o->use_dns);
2326 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2327 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2328 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2329 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2330 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2331 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2332 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2333
2334 /* string arguments */
2335 dump_cfg_string(sPidFile, o->pid_file);
2336 dump_cfg_string(sXAuthLocation, o->xauth_location);
2337 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2338 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2339 dump_cfg_string(sBanner, o->banner);
2340 dump_cfg_string(sForceCommand, o->adm_forced_command);
2341 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2342 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2343 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2344 dump_cfg_string(sAuthorizedPrincipalsFile,
2345 o->authorized_principals_file);
2346 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2347 ? "none" : o->version_addendum);
2348 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2349 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2350 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2351 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2352 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2353 dump_cfg_string(sKexAlgorithms,
2354 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2355 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2356 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2357 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2358 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2359 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2360 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2361
2362 /* string arguments requiring a lookup */
2363 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2364 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2365
2366 /* string array arguments */
2367 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2368 o->authorized_keys_files);
2369 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2370 o->host_key_files);
2371 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2372 o->host_cert_files);
2373 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2374 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2375 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2376 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2377 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2378 dump_cfg_strarray_oneline(sAuthenticationMethods,
2379 o->num_auth_methods, o->auth_methods);
2380
2381 /* other arguments */
2382 for (i = 0; i < o->num_subsystems; i++)
2383 printf("subsystem %s %s\n", o->subsystem_name[i],
2384 o->subsystem_args[i]);
2385
2386 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2387 o->max_startups_rate, o->max_startups);
2388
2389 for (i = 0; tunmode_desc[i].val != -1; i++)
2390 if (tunmode_desc[i].val == o->permit_tun) {
2391 s = tunmode_desc[i].text;
2392 break;
2393 }
2394 dump_cfg_string(sPermitTunnel, s);
2395
2396 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2397 printf("%s\n", iptos2str(o->ip_qos_bulk));
2398
2399 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2400 o->rekey_interval);
2401
2402 printf("permitopen");
2403 if (o->num_permitted_opens == 0)
2404 printf(" any");
2405 else {
2406 for (i = 0; i < o->num_permitted_opens; i++)
2407 printf(" %s", o->permitted_opens[i]);
2408 }
2409 printf("\n");
2410 }
DragonFly BSD