2 /* $OpenBSD: servconf.c,v 1.260 2015/02/02 01:57:44 deraadt Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
38 #include "openbsd-compat/sys-queue.h"
46 #include "pathnames.h"
53 #include "groupaccess.h"
58 #include "myproposal.h"
62 #include <cutils/properties.h>
65 static void add_listen_addr(ServerOptions *, char *, int);
66 static void add_one_listen_addr(ServerOptions *, char *, int);
68 /* Use of privilege separation or not */
69 extern int use_privsep;
72 /* Initializes the server options to their default values. */
75 initialize_server_options(ServerOptions *options)
77 memset(options, 0, sizeof(*options));
79 /* Portable-specific options */
80 options->use_pam = -1;
82 /* Standard Options */
83 options->num_ports = 0;
84 options->ports_from_cmdline = 0;
85 options->listen_addrs = NULL;
86 options->address_family = -1;
87 options->num_host_key_files = 0;
88 options->num_host_cert_files = 0;
89 options->host_key_agent = NULL;
90 options->pid_file = NULL;
91 options->server_key_bits = -1;
92 options->login_grace_time = -1;
93 options->key_regeneration_time = -1;
94 options->permit_root_login = PERMIT_NOT_SET;
95 options->ignore_rhosts = -1;
96 options->ignore_user_known_hosts = -1;
97 options->print_motd = -1;
98 options->print_lastlog = -1;
99 options->x11_forwarding = -1;
100 options->x11_display_offset = -1;
101 options->x11_use_localhost = -1;
102 options->permit_tty = -1;
103 options->permit_user_rc = -1;
104 options->xauth_location = NULL;
105 options->strict_modes = -1;
106 options->tcp_keep_alive = -1;
107 options->log_facility = SYSLOG_FACILITY_NOT_SET;
108 options->log_level = SYSLOG_LEVEL_NOT_SET;
109 options->rhosts_rsa_authentication = -1;
110 options->hostbased_authentication = -1;
111 options->hostbased_uses_name_from_packet_only = -1;
112 options->hostbased_key_types = NULL;
113 options->rsa_authentication = -1;
114 options->pubkey_authentication = -1;
115 options->pubkey_key_types = NULL;
116 options->kerberos_authentication = -1;
117 options->kerberos_or_local_passwd = -1;
118 options->kerberos_ticket_cleanup = -1;
119 options->kerberos_get_afs_token = -1;
120 options->gss_authentication=-1;
121 options->gss_cleanup_creds = -1;
122 options->password_authentication = -1;
123 options->kbd_interactive_authentication = -1;
124 options->challenge_response_authentication = -1;
125 options->permit_empty_passwd = -1;
126 options->permit_user_env = -1;
127 options->use_login = -1;
128 options->compression = -1;
129 options->rekey_limit = -1;
130 options->rekey_interval = -1;
131 options->allow_tcp_forwarding = -1;
132 options->allow_streamlocal_forwarding = -1;
133 options->allow_agent_forwarding = -1;
134 options->num_allow_users = 0;
135 options->num_deny_users = 0;
136 options->num_allow_groups = 0;
137 options->num_deny_groups = 0;
138 options->ciphers = NULL;
139 options->macs = NULL;
140 options->kex_algorithms = NULL;
141 options->protocol = SSH_PROTO_UNKNOWN;
142 options->fwd_opts.gateway_ports = -1;
143 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
144 options->fwd_opts.streamlocal_bind_unlink = -1;
145 options->num_subsystems = 0;
146 options->max_startups_begin = -1;
147 options->max_startups_rate = -1;
148 options->max_startups = -1;
149 options->max_authtries = -1;
150 options->max_sessions = -1;
151 options->banner = NULL;
152 options->use_dns = -1;
153 options->client_alive_interval = -1;
154 options->client_alive_count_max = -1;
155 options->num_authkeys_files = 0;
156 options->num_accept_env = 0;
157 options->permit_tun = -1;
158 options->num_permitted_opens = -1;
159 options->adm_forced_command = NULL;
160 options->chroot_directory = NULL;
161 options->authorized_keys_command = NULL;
162 options->authorized_keys_command_user = NULL;
163 options->revoked_keys_file = NULL;
164 options->trusted_user_ca_keys = NULL;
165 options->authorized_principals_file = NULL;
166 options->ip_qos_interactive = -1;
167 options->ip_qos_bulk = -1;
168 options->version_addendum = NULL;
169 options->fingerprint_hash = -1;
172 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
174 option_clear_or_none(const char *o)
176 return o == NULL || strcasecmp(o, "none") == 0;
180 fill_default_server_options(ServerOptions *options)
184 /* Portable-specific options */
185 if (options->use_pam == -1)
186 options->use_pam = 0;
188 /* Standard Options */
189 if (options->protocol == SSH_PROTO_UNKNOWN)
190 options->protocol = SSH_PROTO_2;
191 if (options->num_host_key_files == 0) {
192 /* fill default hostkeys for protocols */
193 if (options->protocol & SSH_PROTO_1)
194 options->host_key_files[options->num_host_key_files++] =
196 if (options->protocol & SSH_PROTO_2) {
197 options->host_key_files[options->num_host_key_files++] =
198 _PATH_HOST_RSA_KEY_FILE;
199 options->host_key_files[options->num_host_key_files++] =
200 _PATH_HOST_DSA_KEY_FILE;
201 #ifdef OPENSSL_HAS_ECC
202 options->host_key_files[options->num_host_key_files++] =
203 _PATH_HOST_ECDSA_KEY_FILE;
205 options->host_key_files[options->num_host_key_files++] =
206 _PATH_HOST_ED25519_KEY_FILE;
209 /* No certificates by default */
210 if (options->num_ports == 0)
211 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
212 if (options->listen_addrs == NULL)
213 add_listen_addr(options, NULL, 0);
214 if (options->pid_file == NULL)
215 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
216 if (options->server_key_bits == -1)
217 options->server_key_bits = 1024;
218 if (options->login_grace_time == -1)
219 options->login_grace_time = 120;
220 if (options->key_regeneration_time == -1)
221 options->key_regeneration_time = 3600;
222 if (options->permit_root_login == PERMIT_NOT_SET)
223 options->permit_root_login = PERMIT_YES;
224 if (options->ignore_rhosts == -1)
225 options->ignore_rhosts = 1;
226 if (options->ignore_user_known_hosts == -1)
227 options->ignore_user_known_hosts = 0;
228 if (options->print_motd == -1)
229 options->print_motd = 1;
230 if (options->print_lastlog == -1)
231 options->print_lastlog = 1;
232 if (options->x11_forwarding == -1)
233 options->x11_forwarding = 0;
234 if (options->x11_display_offset == -1)
235 options->x11_display_offset = 10;
236 if (options->x11_use_localhost == -1)
237 options->x11_use_localhost = 1;
238 if (options->xauth_location == NULL)
239 options->xauth_location = xstrdup(_PATH_XAUTH);
240 if (options->permit_tty == -1)
241 options->permit_tty = 1;
242 if (options->permit_user_rc == -1)
243 options->permit_user_rc = 1;
244 if (options->strict_modes == -1)
245 options->strict_modes = 1;
246 if (options->tcp_keep_alive == -1)
247 options->tcp_keep_alive = 1;
248 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
249 options->log_facility = SYSLOG_FACILITY_AUTH;
250 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
251 options->log_level = SYSLOG_LEVEL_INFO;
252 if (options->rhosts_rsa_authentication == -1)
253 options->rhosts_rsa_authentication = 0;
254 if (options->hostbased_authentication == -1)
255 options->hostbased_authentication = 0;
256 if (options->hostbased_uses_name_from_packet_only == -1)
257 options->hostbased_uses_name_from_packet_only = 0;
258 if (options->hostbased_key_types == NULL)
259 options->hostbased_key_types = xstrdup("*");
260 if (options->rsa_authentication == -1)
261 options->rsa_authentication = 1;
262 if (options->pubkey_authentication == -1)
263 options->pubkey_authentication = 1;
264 if (options->pubkey_key_types == NULL)
265 options->pubkey_key_types = xstrdup("*");
266 if (options->kerberos_authentication == -1)
267 options->kerberos_authentication = 0;
268 if (options->kerberos_or_local_passwd == -1)
269 options->kerberos_or_local_passwd = 1;
270 if (options->kerberos_ticket_cleanup == -1)
271 options->kerberos_ticket_cleanup = 1;
272 if (options->kerberos_get_afs_token == -1)
273 options->kerberos_get_afs_token = 0;
274 if (options->gss_authentication == -1)
275 options->gss_authentication = 0;
276 if (options->gss_cleanup_creds == -1)
277 options->gss_cleanup_creds = 1;
278 if (options->password_authentication == -1)
279 options->password_authentication = 1;
280 if (options->kbd_interactive_authentication == -1)
281 options->kbd_interactive_authentication = 0;
282 if (options->challenge_response_authentication == -1)
283 options->challenge_response_authentication = 1;
284 if (options->permit_empty_passwd == -1)
285 options->permit_empty_passwd = 0;
286 if (options->permit_user_env == -1)
287 options->permit_user_env = 0;
288 if (options->use_login == -1)
289 options->use_login = 0;
290 if (options->compression == -1)
291 options->compression = COMP_DELAYED;
292 if (options->rekey_limit == -1)
293 options->rekey_limit = 0;
294 if (options->rekey_interval == -1)
295 options->rekey_interval = 0;
296 if (options->allow_tcp_forwarding == -1)
297 options->allow_tcp_forwarding = FORWARD_ALLOW;
298 if (options->allow_streamlocal_forwarding == -1)
299 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
300 if (options->allow_agent_forwarding == -1)
301 options->allow_agent_forwarding = 1;
302 if (options->fwd_opts.gateway_ports == -1)
303 options->fwd_opts.gateway_ports = 0;
304 if (options->max_startups == -1)
305 options->max_startups = 100;
306 if (options->max_startups_rate == -1)
307 options->max_startups_rate = 30; /* 30% */
308 if (options->max_startups_begin == -1)
309 options->max_startups_begin = 10;
310 if (options->max_authtries == -1)
311 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
312 if (options->max_sessions == -1)
313 options->max_sessions = DEFAULT_SESSIONS_MAX;
314 if (options->use_dns == -1)
315 options->use_dns = 0;
316 if (options->client_alive_interval == -1)
317 options->client_alive_interval = 0;
318 if (options->client_alive_count_max == -1)
319 options->client_alive_count_max = 3;
320 if (options->num_authkeys_files == 0) {
321 options->authorized_keys_files[options->num_authkeys_files++] =
322 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
323 options->authorized_keys_files[options->num_authkeys_files++] =
324 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
326 if (options->permit_tun == -1)
327 options->permit_tun = SSH_TUNMODE_NO;
328 if (options->ip_qos_interactive == -1)
329 options->ip_qos_interactive = IPTOS_LOWDELAY;
330 if (options->ip_qos_bulk == -1)
331 options->ip_qos_bulk = IPTOS_THROUGHPUT;
332 if (options->version_addendum == NULL)
333 options->version_addendum = xstrdup("");
334 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
335 options->fwd_opts.streamlocal_bind_mask = 0177;
336 if (options->fwd_opts.streamlocal_bind_unlink == -1)
337 options->fwd_opts.streamlocal_bind_unlink = 0;
338 if (options->fingerprint_hash == -1)
339 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
340 /* Turn privilege separation on by default */
341 if (use_privsep == -1)
342 use_privsep = PRIVSEP_NOSANDBOX;
344 #define CLEAR_ON_NONE(v) \
346 if (option_clear_or_none(v)) { \
351 CLEAR_ON_NONE(options->pid_file);
352 CLEAR_ON_NONE(options->xauth_location);
353 CLEAR_ON_NONE(options->banner);
354 CLEAR_ON_NONE(options->trusted_user_ca_keys);
355 CLEAR_ON_NONE(options->revoked_keys_file);
356 for (i = 0; i < options->num_host_key_files; i++)
357 CLEAR_ON_NONE(options->host_key_files[i]);
358 for (i = 0; i < options->num_host_cert_files; i++)
359 CLEAR_ON_NONE(options->host_cert_files[i]);
363 if (use_privsep && options->compression == 1) {
364 error("This platform does not support both privilege "
365 "separation and compression");
366 error("Compression disabled");
367 options->compression = 0;
373 /* Keyword tokens. */
375 sBadOption, /* == unknown option */
376 /* Portable-specific options */
378 /* Standard Options */
379 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
380 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
381 sRhostsRSAAuthentication, sRSAAuthentication,
382 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
383 sKerberosGetAFSToken,
384 sKerberosTgtPassing, sChallengeResponseAuthentication,
385 sPasswordAuthentication, sKbdInteractiveAuthentication,
386 sListenAddress, sAddressFamily,
387 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
388 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
389 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
390 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
391 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
392 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
393 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
394 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
395 sBanner, sUseDNS, sHostbasedAuthentication,
396 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
397 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
398 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
399 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
400 sUsePrivilegeSeparation, sAllowAgentForwarding,
402 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
403 sKexAlgorithms, sIPQoS, sVersionAddendum,
404 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
405 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
406 sStreamLocalBindMask, sStreamLocalBindUnlink,
407 sAllowStreamLocalForwarding, sFingerprintHash,
408 sDeprecated, sUnsupported
411 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
412 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
413 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
415 /* Textual representation of the tokens. */
418 ServerOpCodes opcode;
421 /* Portable-specific options */
423 { "usepam", sUsePAM, SSHCFG_GLOBAL },
425 { "usepam", sUnsupported, SSHCFG_GLOBAL },
427 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
428 /* Standard Options */
429 { "port", sPort, SSHCFG_GLOBAL },
430 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
431 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
432 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
433 { "pidfile", sPidFile, SSHCFG_GLOBAL },
434 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
435 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
436 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
437 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
438 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
439 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
440 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
441 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
442 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
443 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
444 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
445 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
446 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
447 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
448 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
450 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
451 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
452 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
454 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
456 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
459 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
460 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
461 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
462 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
464 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
465 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
467 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
468 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
470 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
471 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
473 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
474 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
475 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
476 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
477 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
478 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
479 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
480 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
481 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
482 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
483 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
484 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
485 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
486 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
487 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
488 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
489 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
490 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
491 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
492 { "compression", sCompression, SSHCFG_GLOBAL },
493 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
494 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
495 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
496 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
497 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
498 { "allowusers", sAllowUsers, SSHCFG_ALL },
499 { "denyusers", sDenyUsers, SSHCFG_ALL },
500 { "allowgroups", sAllowGroups, SSHCFG_ALL },
501 { "denygroups", sDenyGroups, SSHCFG_ALL },
502 { "ciphers", sCiphers, SSHCFG_GLOBAL },
503 { "macs", sMacs, SSHCFG_GLOBAL },
504 { "protocol", sProtocol, SSHCFG_GLOBAL },
505 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
506 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
507 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
508 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
509 { "maxsessions", sMaxSessions, SSHCFG_ALL },
510 { "banner", sBanner, SSHCFG_ALL },
511 { "usedns", sUseDNS, SSHCFG_GLOBAL },
512 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
513 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
514 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
515 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
516 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
517 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
518 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
519 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
520 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
521 { "permittty", sPermitTTY, SSHCFG_ALL },
522 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
523 { "match", sMatch, SSHCFG_ALL },
524 { "permitopen", sPermitOpen, SSHCFG_ALL },
525 { "forcecommand", sForceCommand, SSHCFG_ALL },
526 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
527 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
528 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
529 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
530 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
531 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
532 { "ipqos", sIPQoS, SSHCFG_ALL },
533 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
534 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
535 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
536 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
537 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
538 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
539 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
540 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
541 { NULL, sBadOption, 0 }
548 { SSH_TUNMODE_NO, "no" },
549 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
550 { SSH_TUNMODE_ETHERNET, "ethernet" },
551 { SSH_TUNMODE_YES, "yes" },
556 * Returns the number of the token pointed to by cp or sBadOption.
560 parse_token(const char *cp, const char *filename,
561 int linenum, u_int *flags)
565 for (i = 0; keywords[i].name; i++)
566 if (strcasecmp(cp, keywords[i].name) == 0) {
567 *flags = keywords[i].flags;
568 return keywords[i].opcode;
571 error("%s: line %d: Bad configuration option: %s",
572 filename, linenum, cp);
577 derelativise_path(const char *path)
579 char *expanded, *ret, cwd[PATH_MAX];
581 if (strcasecmp(path, "none") == 0)
582 return xstrdup("none");
583 expanded = tilde_expand_filename(path, getuid());
584 if (*expanded == '/')
586 if (getcwd(cwd, sizeof(cwd)) == NULL)
587 fatal("%s: getcwd: %s", __func__, strerror(errno));
588 xasprintf(&ret, "%s/%s", cwd, expanded);
594 add_listen_addr(ServerOptions *options, char *addr, int port)
598 if (options->num_ports == 0)
599 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
600 if (options->address_family == -1)
601 options->address_family = AF_UNSPEC;
603 for (i = 0; i < options->num_ports; i++)
604 add_one_listen_addr(options, addr, options->ports[i]);
606 add_one_listen_addr(options, addr, port);
610 add_one_listen_addr(ServerOptions *options, char *addr, int port)
612 struct addrinfo hints, *ai, *aitop;
613 char strport[NI_MAXSERV];
616 memset(&hints, 0, sizeof(hints));
617 hints.ai_family = options->address_family;
618 hints.ai_socktype = SOCK_STREAM;
619 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
620 snprintf(strport, sizeof strport, "%d", port);
621 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
622 fatal("bad addr or host: %s (%s)",
623 addr ? addr : "<NULL>",
624 ssh_gai_strerror(gaierr));
625 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
627 ai->ai_next = options->listen_addrs;
628 options->listen_addrs = aitop;
631 struct connection_info *
632 get_connection_info(int populate, int use_dns)
634 static struct connection_info ci;
638 ci.host = get_canonical_hostname(use_dns);
639 ci.address = get_remote_ipaddr();
640 ci.laddress = get_local_ipaddr(packet_get_connection_in());
641 ci.lport = get_local_port();
646 * The strategy for the Match blocks is that the config file is parsed twice.
648 * The first time is at startup. activep is initialized to 1 and the
649 * directives in the global context are processed and acted on. Hitting a
650 * Match directive unsets activep and the directives inside the block are
651 * checked for syntax only.
653 * The second time is after a connection has been established but before
654 * authentication. activep is initialized to 2 and global config directives
655 * are ignored since they have already been processed. If the criteria in a
656 * Match block is met, activep is set and the subsequent directives
657 * processed and actioned until EOF or another Match block unsets it. Any
658 * options set are copied into the main server config.
660 * Potential additions/improvements:
661 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
663 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
664 * Match Address 192.168.0.*
669 * AllowTcpForwarding yes
670 * GatewayPorts clientspecified
673 * - Add a PermittedChannelRequests directive
675 * PermittedChannelRequests session,forwarded-tcpip
679 match_cfg_line_group(const char *grps, int line, const char *user)
687 if ((pw = getpwnam(user)) == NULL) {
688 debug("Can't match group at line %d because user %.100s does "
689 "not exist", line, user);
690 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
691 debug("Can't Match group because user %.100s not in any group "
692 "at line %d", user, line);
693 } else if (ga_match_pattern_list(grps) != 1) {
694 debug("user %.100s does not match group list %.100s at line %d",
697 debug("user %.100s matched group list %.100s at line %d", user,
707 * All of the attributes on a single Match line are ANDed together, so we need
708 * to check every attribute and set the result to zero if any attribute does
712 match_cfg_line(char **condition, int line, struct connection_info *ci)
714 int result = 1, attributes = 0, port;
715 char *arg, *attrib, *cp = *condition;
719 debug3("checking syntax for 'Match %s'", cp);
721 debug3("checking match for '%s' user %s host %s addr %s "
722 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
723 ci->host ? ci->host : "(null)",
724 ci->address ? ci->address : "(null)",
725 ci->laddress ? ci->laddress : "(null)", ci->lport);
727 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
729 if (strcasecmp(attrib, "all") == 0) {
730 if (attributes != 1 ||
731 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
732 error("'all' cannot be combined with other "
739 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
740 error("Missing Match criteria for %s", attrib);
744 if (strcasecmp(attrib, "user") == 0) {
745 if (ci == NULL || ci->user == NULL) {
749 if (match_pattern_list(ci->user, arg, len, 0) != 1)
752 debug("user %.100s matched 'User %.100s' at "
753 "line %d", ci->user, arg, line);
754 } else if (strcasecmp(attrib, "group") == 0) {
755 if (ci == NULL || ci->user == NULL) {
759 switch (match_cfg_line_group(arg, line, ci->user)) {
765 } else if (strcasecmp(attrib, "host") == 0) {
766 if (ci == NULL || ci->host == NULL) {
770 if (match_hostname(ci->host, arg, len) != 1)
773 debug("connection from %.100s matched 'Host "
774 "%.100s' at line %d", ci->host, arg, line);
775 } else if (strcasecmp(attrib, "address") == 0) {
776 if (ci == NULL || ci->address == NULL) {
780 switch (addr_match_list(ci->address, arg)) {
782 debug("connection from %.100s matched 'Address "
783 "%.100s' at line %d", ci->address, arg, line);
792 } else if (strcasecmp(attrib, "localaddress") == 0){
793 if (ci == NULL || ci->laddress == NULL) {
797 switch (addr_match_list(ci->laddress, arg)) {
799 debug("connection from %.100s matched "
800 "'LocalAddress %.100s' at line %d",
801 ci->laddress, arg, line);
810 } else if (strcasecmp(attrib, "localport") == 0) {
811 if ((port = a2port(arg)) == -1) {
812 error("Invalid LocalPort '%s' on Match line",
816 if (ci == NULL || ci->lport == 0) {
820 /* TODO support port lists */
821 if (port == ci->lport)
822 debug("connection from %.100s matched "
823 "'LocalPort %d' at line %d",
824 ci->laddress, port, line);
828 error("Unsupported Match attribute %s", attrib);
832 if (attributes == 0) {
833 error("One or more attributes required for Match");
837 debug3("match %sfound", result ? "" : "not ");
842 #define WHITESPACE " \t\r\n"
844 /* Multistate option parsing */
849 static const struct multistate multistate_addressfamily[] = {
851 { "inet6", AF_INET6 },
852 { "any", AF_UNSPEC },
855 static const struct multistate multistate_permitrootlogin[] = {
856 { "without-password", PERMIT_NO_PASSWD },
857 { "forced-commands-only", PERMIT_FORCED_ONLY },
858 { "yes", PERMIT_YES },
862 static const struct multistate multistate_compression[] = {
863 { "delayed", COMP_DELAYED },
864 { "yes", COMP_ZLIB },
868 static const struct multistate multistate_gatewayports[] = {
869 { "clientspecified", 2 },
874 static const struct multistate multistate_privsep[] = {
875 { "yes", PRIVSEP_NOSANDBOX },
876 { "sandbox", PRIVSEP_ON },
877 { "nosandbox", PRIVSEP_NOSANDBOX },
878 { "no", PRIVSEP_OFF },
881 static const struct multistate multistate_tcpfwd[] = {
882 { "yes", FORWARD_ALLOW },
883 { "all", FORWARD_ALLOW },
884 { "no", FORWARD_DENY },
885 { "remote", FORWARD_REMOTE },
886 { "local", FORWARD_LOCAL },
891 process_server_config_line(ServerOptions *options, char *line,
892 const char *filename, int linenum, int *activep,
893 struct connection_info *connectinfo)
895 char *cp, **charptr, *arg, *p;
896 int cmdline = 0, *intptr, value, value2, n, port;
897 SyslogFacility *log_facility_ptr;
898 LogLevel *log_level_ptr;
899 ServerOpCodes opcode;
903 const struct multistate *multistate_ptr;
906 if ((arg = strdelim(&cp)) == NULL)
908 /* Ignore leading whitespace */
911 if (!arg || !*arg || *arg == '#')
915 opcode = parse_token(arg, filename, linenum, &flags);
917 if (activep == NULL) { /* We are processing a command line directive */
921 if (*activep && opcode != sMatch)
922 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
923 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
924 if (connectinfo == NULL) {
925 fatal("%s line %d: Directive '%s' is not allowed "
926 "within a Match block", filename, linenum, arg);
927 } else { /* this is a directive we have already processed */
935 /* Portable-specific options */
937 intptr = &options->use_pam;
940 /* Standard Options */
944 /* ignore ports from configfile if cmdline specifies ports */
945 if (options->ports_from_cmdline)
947 if (options->listen_addrs != NULL)
948 fatal("%s line %d: ports must be specified before "
949 "ListenAddress.", filename, linenum);
950 if (options->num_ports >= MAX_PORTS)
951 fatal("%s line %d: too many ports.",
954 if (!arg || *arg == '\0')
955 fatal("%s line %d: missing port number.",
957 options->ports[options->num_ports++] = a2port(arg);
958 if (options->ports[options->num_ports-1] <= 0)
959 fatal("%s line %d: Badly formatted port number.",
964 intptr = &options->server_key_bits;
967 if (!arg || *arg == '\0')
968 fatal("%s line %d: missing integer value.",
971 if (*activep && *intptr == -1)
975 case sLoginGraceTime:
976 intptr = &options->login_grace_time;
979 if (!arg || *arg == '\0')
980 fatal("%s line %d: missing time value.",
982 if ((value = convtime(arg)) == -1)
983 fatal("%s line %d: invalid time value.",
989 case sKeyRegenerationTime:
990 intptr = &options->key_regeneration_time;
995 if (arg == NULL || *arg == '\0')
996 fatal("%s line %d: missing address",
998 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
999 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1000 && strchr(p+1, ':') != NULL) {
1001 add_listen_addr(options, arg, 0);
1006 fatal("%s line %d: bad address:port usage",
1008 p = cleanhostname(p);
1011 else if ((port = a2port(arg)) <= 0)
1012 fatal("%s line %d: bad port number", filename, linenum);
1014 add_listen_addr(options, p, port);
1018 case sAddressFamily:
1019 intptr = &options->address_family;
1020 multistate_ptr = multistate_addressfamily;
1021 if (options->listen_addrs != NULL)
1022 fatal("%s line %d: address family must be specified "
1023 "before ListenAddress.", filename, linenum);
1025 arg = strdelim(&cp);
1026 if (!arg || *arg == '\0')
1027 fatal("%s line %d: missing argument.",
1030 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1031 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1032 value = multistate_ptr[i].value;
1037 fatal("%s line %d: unsupported option \"%s\".",
1038 filename, linenum, arg);
1039 if (*activep && *intptr == -1)
1044 intptr = &options->num_host_key_files;
1045 if (*intptr >= MAX_HOSTKEYS)
1046 fatal("%s line %d: too many host keys specified (max %d).",
1047 filename, linenum, MAX_HOSTKEYS);
1048 charptr = &options->host_key_files[*intptr];
1050 arg = strdelim(&cp);
1051 if (!arg || *arg == '\0')
1052 fatal("%s line %d: missing file name.",
1054 if (*activep && *charptr == NULL) {
1055 *charptr = derelativise_path(arg);
1056 /* increase optional counter */
1058 *intptr = *intptr + 1;
1063 charptr = &options->host_key_agent;
1064 arg = strdelim(&cp);
1065 if (!arg || *arg == '\0')
1066 fatal("%s line %d: missing socket name.",
1068 if (*activep && *charptr == NULL)
1069 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1070 xstrdup(arg) : derelativise_path(arg);
1073 case sHostCertificate:
1074 intptr = &options->num_host_cert_files;
1075 if (*intptr >= MAX_HOSTKEYS)
1076 fatal("%s line %d: too many host certificates "
1077 "specified (max %d).", filename, linenum,
1079 charptr = &options->host_cert_files[*intptr];
1080 goto parse_filename;
1084 charptr = &options->pid_file;
1085 goto parse_filename;
1087 case sPermitRootLogin:
1088 intptr = &options->permit_root_login;
1089 multistate_ptr = multistate_permitrootlogin;
1090 goto parse_multistate;
1093 intptr = &options->ignore_rhosts;
1095 arg = strdelim(&cp);
1096 if (!arg || *arg == '\0')
1097 fatal("%s line %d: missing yes/no argument.",
1099 value = 0; /* silence compiler */
1100 if (strcmp(arg, "yes") == 0)
1102 else if (strcmp(arg, "no") == 0)
1105 fatal("%s line %d: Bad yes/no argument: %s",
1106 filename, linenum, arg);
1107 if (*activep && *intptr == -1)
1111 case sIgnoreUserKnownHosts:
1112 intptr = &options->ignore_user_known_hosts;
1115 case sRhostsRSAAuthentication:
1116 intptr = &options->rhosts_rsa_authentication;
1119 case sHostbasedAuthentication:
1120 intptr = &options->hostbased_authentication;
1123 case sHostbasedUsesNameFromPacketOnly:
1124 intptr = &options->hostbased_uses_name_from_packet_only;
1127 case sHostbasedAcceptedKeyTypes:
1128 charptr = &options->hostbased_key_types;
1130 arg = strdelim(&cp);
1131 if (!arg || *arg == '\0')
1132 fatal("%s line %d: Missing argument.",
1134 if (!sshkey_names_valid2(arg, 1))
1135 fatal("%s line %d: Bad key types '%s'.",
1136 filename, linenum, arg ? arg : "<NONE>");
1137 if (*activep && *charptr == NULL)
1138 *charptr = xstrdup(arg);
1141 case sRSAAuthentication:
1142 intptr = &options->rsa_authentication;
1145 case sPubkeyAuthentication:
1146 intptr = &options->pubkey_authentication;
1149 case sPubkeyAcceptedKeyTypes:
1150 charptr = &options->pubkey_key_types;
1151 goto parse_keytypes;
1153 case sKerberosAuthentication:
1154 intptr = &options->kerberos_authentication;
1157 case sKerberosOrLocalPasswd:
1158 intptr = &options->kerberos_or_local_passwd;
1161 case sKerberosTicketCleanup:
1162 intptr = &options->kerberos_ticket_cleanup;
1165 case sKerberosGetAFSToken:
1166 intptr = &options->kerberos_get_afs_token;
1169 case sGssAuthentication:
1170 intptr = &options->gss_authentication;
1173 case sGssCleanupCreds:
1174 intptr = &options->gss_cleanup_creds;
1177 case sPasswordAuthentication:
1178 intptr = &options->password_authentication;
1181 case sKbdInteractiveAuthentication:
1182 intptr = &options->kbd_interactive_authentication;
1185 case sChallengeResponseAuthentication:
1186 intptr = &options->challenge_response_authentication;
1190 intptr = &options->print_motd;
1194 intptr = &options->print_lastlog;
1197 case sX11Forwarding:
1198 intptr = &options->x11_forwarding;
1201 case sX11DisplayOffset:
1202 intptr = &options->x11_display_offset;
1205 case sX11UseLocalhost:
1206 intptr = &options->x11_use_localhost;
1209 case sXAuthLocation:
1210 charptr = &options->xauth_location;
1211 goto parse_filename;
1214 intptr = &options->permit_tty;
1218 intptr = &options->permit_user_rc;
1222 intptr = &options->strict_modes;
1226 intptr = &options->tcp_keep_alive;
1230 intptr = &options->permit_empty_passwd;
1233 case sPermitUserEnvironment:
1234 intptr = &options->permit_user_env;
1238 intptr = &options->use_login;
1242 intptr = &options->compression;
1243 multistate_ptr = multistate_compression;
1244 goto parse_multistate;
1247 arg = strdelim(&cp);
1248 if (!arg || *arg == '\0')
1249 fatal("%.200s line %d: Missing argument.", filename,
1251 if (strcmp(arg, "default") == 0) {
1254 if (scan_scaled(arg, &val64) == -1)
1255 fatal("%.200s line %d: Bad number '%s': %s",
1256 filename, linenum, arg, strerror(errno));
1257 /* check for too-large or too-small limits */
1258 if (val64 > UINT_MAX)
1259 fatal("%.200s line %d: RekeyLimit too large",
1261 if (val64 != 0 && val64 < 16)
1262 fatal("%.200s line %d: RekeyLimit too small",
1265 if (*activep && options->rekey_limit == -1)
1266 options->rekey_limit = (u_int32_t)val64;
1267 if (cp != NULL) { /* optional rekey interval present */
1268 if (strcmp(cp, "none") == 0) {
1269 (void)strdelim(&cp); /* discard */
1272 intptr = &options->rekey_interval;
1278 intptr = &options->fwd_opts.gateway_ports;
1279 multistate_ptr = multistate_gatewayports;
1280 goto parse_multistate;
1283 intptr = &options->use_dns;
1287 log_facility_ptr = &options->log_facility;
1288 arg = strdelim(&cp);
1289 value = log_facility_number(arg);
1290 if (value == SYSLOG_FACILITY_NOT_SET)
1291 fatal("%.200s line %d: unsupported log facility '%s'",
1292 filename, linenum, arg ? arg : "<NONE>");
1293 if (*log_facility_ptr == -1)
1294 *log_facility_ptr = (SyslogFacility) value;
1298 log_level_ptr = &options->log_level;
1299 arg = strdelim(&cp);
1300 value = log_level_number(arg);
1301 if (value == SYSLOG_LEVEL_NOT_SET)
1302 fatal("%.200s line %d: unsupported log level '%s'",
1303 filename, linenum, arg ? arg : "<NONE>");
1304 if (*log_level_ptr == -1)
1305 *log_level_ptr = (LogLevel) value;
1308 case sAllowTcpForwarding:
1309 intptr = &options->allow_tcp_forwarding;
1310 multistate_ptr = multistate_tcpfwd;
1311 goto parse_multistate;
1313 case sAllowStreamLocalForwarding:
1314 intptr = &options->allow_streamlocal_forwarding;
1315 multistate_ptr = multistate_tcpfwd;
1316 goto parse_multistate;
1318 case sAllowAgentForwarding:
1319 intptr = &options->allow_agent_forwarding;
1322 case sUsePrivilegeSeparation:
1323 intptr = &use_privsep;
1324 multistate_ptr = multistate_privsep;
1325 goto parse_multistate;
1328 while ((arg = strdelim(&cp)) && *arg != '\0') {
1329 if (options->num_allow_users >= MAX_ALLOW_USERS)
1330 fatal("%s line %d: too many allow users.",
1334 options->allow_users[options->num_allow_users++] =
1340 while ((arg = strdelim(&cp)) && *arg != '\0') {
1341 if (options->num_deny_users >= MAX_DENY_USERS)
1342 fatal("%s line %d: too many deny users.",
1346 options->deny_users[options->num_deny_users++] =
1352 while ((arg = strdelim(&cp)) && *arg != '\0') {
1353 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1354 fatal("%s line %d: too many allow groups.",
1358 options->allow_groups[options->num_allow_groups++] =
1364 while ((arg = strdelim(&cp)) && *arg != '\0') {
1365 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1366 fatal("%s line %d: too many deny groups.",
1370 options->deny_groups[options->num_deny_groups++] =
1376 arg = strdelim(&cp);
1377 if (!arg || *arg == '\0')
1378 fatal("%s line %d: Missing argument.", filename, linenum);
1379 if (!ciphers_valid(arg))
1380 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1381 filename, linenum, arg ? arg : "<NONE>");
1382 if (options->ciphers == NULL)
1383 options->ciphers = xstrdup(arg);
1387 arg = strdelim(&cp);
1388 if (!arg || *arg == '\0')
1389 fatal("%s line %d: Missing argument.", filename, linenum);
1390 if (!mac_valid(arg))
1391 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1392 filename, linenum, arg ? arg : "<NONE>");
1393 if (options->macs == NULL)
1394 options->macs = xstrdup(arg);
1397 case sKexAlgorithms:
1398 arg = strdelim(&cp);
1399 if (!arg || *arg == '\0')
1400 fatal("%s line %d: Missing argument.",
1402 if (!kex_names_valid(arg))
1403 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1404 filename, linenum, arg ? arg : "<NONE>");
1405 if (options->kex_algorithms == NULL)
1406 options->kex_algorithms = xstrdup(arg);
1410 intptr = &options->protocol;
1411 arg = strdelim(&cp);
1412 if (!arg || *arg == '\0')
1413 fatal("%s line %d: Missing argument.", filename, linenum);
1414 value = proto_spec(arg);
1415 if (value == SSH_PROTO_UNKNOWN)
1416 fatal("%s line %d: Bad protocol spec '%s'.",
1417 filename, linenum, arg ? arg : "<NONE>");
1418 if (*intptr == SSH_PROTO_UNKNOWN)
1423 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1424 fatal("%s line %d: too many subsystems defined.",
1427 arg = strdelim(&cp);
1428 if (!arg || *arg == '\0')
1429 fatal("%s line %d: Missing subsystem name.",
1432 arg = strdelim(&cp);
1435 for (i = 0; i < options->num_subsystems; i++)
1436 if (strcmp(arg, options->subsystem_name[i]) == 0)
1437 fatal("%s line %d: Subsystem '%s' already defined.",
1438 filename, linenum, arg);
1439 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1440 arg = strdelim(&cp);
1441 if (!arg || *arg == '\0')
1442 fatal("%s line %d: Missing subsystem command.",
1444 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1446 /* Collect arguments (separate to executable) */
1448 len = strlen(p) + 1;
1449 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1450 len += 1 + strlen(arg);
1451 p = xrealloc(p, 1, len);
1452 strlcat(p, " ", len);
1453 strlcat(p, arg, len);
1455 options->subsystem_args[options->num_subsystems] = p;
1456 options->num_subsystems++;
1460 arg = strdelim(&cp);
1461 if (!arg || *arg == '\0')
1462 fatal("%s line %d: Missing MaxStartups spec.",
1464 if ((n = sscanf(arg, "%d:%d:%d",
1465 &options->max_startups_begin,
1466 &options->max_startups_rate,
1467 &options->max_startups)) == 3) {
1468 if (options->max_startups_begin >
1469 options->max_startups ||
1470 options->max_startups_rate > 100 ||
1471 options->max_startups_rate < 1)
1472 fatal("%s line %d: Illegal MaxStartups spec.",
1475 fatal("%s line %d: Illegal MaxStartups spec.",
1478 options->max_startups = options->max_startups_begin;
1482 intptr = &options->max_authtries;
1486 intptr = &options->max_sessions;
1490 charptr = &options->banner;
1491 goto parse_filename;
1494 * These options can contain %X options expanded at
1495 * connect time, so that you can specify paths like:
1497 * AuthorizedKeysFile /etc/ssh_keys/%u
1499 case sAuthorizedKeysFile:
1500 if (*activep && options->num_authkeys_files == 0) {
1501 while ((arg = strdelim(&cp)) && *arg != '\0') {
1502 if (options->num_authkeys_files >=
1504 fatal("%s line %d: "
1505 "too many authorized keys files.",
1507 options->authorized_keys_files[
1508 options->num_authkeys_files++] =
1509 tilde_expand_filename(arg, getuid());
1514 case sAuthorizedPrincipalsFile:
1515 charptr = &options->authorized_principals_file;
1516 arg = strdelim(&cp);
1517 if (!arg || *arg == '\0')
1518 fatal("%s line %d: missing file name.",
1520 if (*activep && *charptr == NULL) {
1521 *charptr = tilde_expand_filename(arg, getuid());
1522 /* increase optional counter */
1524 *intptr = *intptr + 1;
1528 case sClientAliveInterval:
1529 intptr = &options->client_alive_interval;
1532 case sClientAliveCountMax:
1533 intptr = &options->client_alive_count_max;
1537 while ((arg = strdelim(&cp)) && *arg != '\0') {
1538 if (strchr(arg, '=') != NULL)
1539 fatal("%s line %d: Invalid environment name.",
1541 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1542 fatal("%s line %d: too many allow env.",
1546 options->accept_env[options->num_accept_env++] =
1552 intptr = &options->permit_tun;
1553 arg = strdelim(&cp);
1554 if (!arg || *arg == '\0')
1555 fatal("%s line %d: Missing yes/point-to-point/"
1556 "ethernet/no argument.", filename, linenum);
1558 for (i = 0; tunmode_desc[i].val != -1; i++)
1559 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1560 value = tunmode_desc[i].val;
1564 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1565 "no argument: %s", filename, linenum, arg);
1572 fatal("Match directive not supported as a command-line "
1574 value = match_cfg_line(&cp, linenum, connectinfo);
1576 fatal("%s line %d: Bad Match condition", filename,
1582 arg = strdelim(&cp);
1583 if (!arg || *arg == '\0')
1584 fatal("%s line %d: missing PermitOpen specification",
1586 n = options->num_permitted_opens; /* modified later */
1587 if (strcmp(arg, "any") == 0) {
1588 if (*activep && n == -1) {
1589 channel_clear_adm_permitted_opens();
1590 options->num_permitted_opens = 0;
1594 if (strcmp(arg, "none") == 0) {
1595 if (*activep && n == -1) {
1596 options->num_permitted_opens = 1;
1597 channel_disable_adm_local_opens();
1601 if (*activep && n == -1)
1602 channel_clear_adm_permitted_opens();
1603 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1606 fatal("%s line %d: missing host in PermitOpen",
1608 p = cleanhostname(p);
1609 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1610 fatal("%s line %d: bad port number in "
1611 "PermitOpen", filename, linenum);
1612 if (*activep && n == -1)
1613 options->num_permitted_opens =
1614 channel_add_adm_permitted_opens(p, port);
1620 fatal("%.200s line %d: Missing argument.", filename,
1622 len = strspn(cp, WHITESPACE);
1623 if (*activep && options->adm_forced_command == NULL)
1624 options->adm_forced_command = xstrdup(cp + len);
1627 case sChrootDirectory:
1628 charptr = &options->chroot_directory;
1630 arg = strdelim(&cp);
1631 if (!arg || *arg == '\0')
1632 fatal("%s line %d: missing file name.",
1634 if (*activep && *charptr == NULL)
1635 *charptr = xstrdup(arg);
1638 case sTrustedUserCAKeys:
1639 charptr = &options->trusted_user_ca_keys;
1640 goto parse_filename;
1643 charptr = &options->revoked_keys_file;
1644 goto parse_filename;
1647 arg = strdelim(&cp);
1648 if ((value = parse_ipqos(arg)) == -1)
1649 fatal("%s line %d: Bad IPQoS value: %s",
1650 filename, linenum, arg);
1651 arg = strdelim(&cp);
1654 else if ((value2 = parse_ipqos(arg)) == -1)
1655 fatal("%s line %d: Bad IPQoS value: %s",
1656 filename, linenum, arg);
1658 options->ip_qos_interactive = value;
1659 options->ip_qos_bulk = value2;
1663 case sVersionAddendum:
1665 fatal("%.200s line %d: Missing argument.", filename,
1667 len = strspn(cp, WHITESPACE);
1668 if (*activep && options->version_addendum == NULL) {
1669 if (strcasecmp(cp + len, "none") == 0)
1670 options->version_addendum = xstrdup("");
1671 else if (strchr(cp + len, '\r') != NULL)
1672 fatal("%.200s line %d: Invalid argument",
1675 options->version_addendum = xstrdup(cp + len);
1679 case sAuthorizedKeysCommand:
1681 fatal("%.200s line %d: Missing argument.", filename,
1683 len = strspn(cp, WHITESPACE);
1684 if (*activep && options->authorized_keys_command == NULL) {
1685 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1686 fatal("%.200s line %d: AuthorizedKeysCommand "
1687 "must be an absolute path",
1689 options->authorized_keys_command = xstrdup(cp + len);
1693 case sAuthorizedKeysCommandUser:
1694 charptr = &options->authorized_keys_command_user;
1696 arg = strdelim(&cp);
1697 if (!arg || *arg == '\0')
1698 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1699 "argument.", filename, linenum);
1700 if (*activep && *charptr == NULL)
1701 *charptr = xstrdup(arg);
1704 case sAuthenticationMethods:
1705 if (*activep && options->num_auth_methods == 0) {
1706 while ((arg = strdelim(&cp)) && *arg != '\0') {
1707 if (options->num_auth_methods >=
1709 fatal("%s line %d: "
1710 "too many authentication methods.",
1712 if (auth2_methods_valid(arg, 0) != 0)
1713 fatal("%s line %d: invalid "
1714 "authentication method list.",
1716 options->auth_methods[
1717 options->num_auth_methods++] = xstrdup(arg);
1722 case sStreamLocalBindMask:
1723 arg = strdelim(&cp);
1724 if (!arg || *arg == '\0')
1725 fatal("%s line %d: missing StreamLocalBindMask argument.",
1727 /* Parse mode in octal format */
1728 value = strtol(arg, &p, 8);
1729 if (arg == p || value < 0 || value > 0777)
1730 fatal("%s line %d: Bad mask.", filename, linenum);
1731 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1734 case sStreamLocalBindUnlink:
1735 intptr = &options->fwd_opts.streamlocal_bind_unlink;
1738 case sFingerprintHash:
1739 arg = strdelim(&cp);
1740 if (!arg || *arg == '\0')
1741 fatal("%.200s line %d: Missing argument.",
1743 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1744 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1745 filename, linenum, arg);
1747 options->fingerprint_hash = value;
1751 logit("%s line %d: Deprecated option %s",
1752 filename, linenum, arg);
1754 arg = strdelim(&cp);
1758 logit("%s line %d: Unsupported option %s",
1759 filename, linenum, arg);
1761 arg = strdelim(&cp);
1765 fatal("%s line %d: Missing handler for opcode %s (%d)",
1766 filename, linenum, arg, opcode);
1768 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1769 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1770 filename, linenum, arg);
1774 /* Reads the server configuration file. */
1777 load_server_config(const char *filename, Buffer *conf)
1779 char line[4096], *cp;
1783 debug2("%s: filename %s", __func__, filename);
1784 if ((f = fopen(filename, "r")) == NULL) {
1789 while (fgets(line, sizeof(line), f)) {
1791 if (strlen(line) == sizeof(line) - 1)
1792 fatal("%s line %d too long", filename, lineno);
1794 * Trim out comments and strip whitespace
1795 * NB - preserve newlines, they are needed to reproduce
1796 * line numbers later for error messages
1798 if ((cp = strchr(line, '#')) != NULL)
1799 memcpy(cp, "\n", 2);
1800 cp = line + strspn(line, " \t\r");
1802 buffer_append(conf, cp, strlen(cp));
1804 buffer_append(conf, "\0", 1);
1806 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1810 parse_server_match_config(ServerOptions *options,
1811 struct connection_info *connectinfo)
1814 #if defined(ANDROID)
1815 char value[PROPERTY_VALUE_MAX];
1818 initialize_server_options(&mo);
1819 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1820 #if defined(ANDROID)
1821 /* Allow root login if ro.debuggable is set. */
1822 property_get("ro.debuggable", value, "");
1823 if (strcmp(value, "1") == 0) {
1824 mo.permit_root_login = PERMIT_YES;
1827 copy_set_server_options(options, &mo, 0);
1830 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1834 while ((p = strsep(&spec, ",")) && *p != '\0') {
1835 if (strncmp(p, "addr=", 5) == 0) {
1836 ci->address = xstrdup(p + 5);
1837 } else if (strncmp(p, "host=", 5) == 0) {
1838 ci->host = xstrdup(p + 5);
1839 } else if (strncmp(p, "user=", 5) == 0) {
1840 ci->user = xstrdup(p + 5);
1841 } else if (strncmp(p, "laddr=", 6) == 0) {
1842 ci->laddress = xstrdup(p + 6);
1843 } else if (strncmp(p, "lport=", 6) == 0) {
1844 ci->lport = a2port(p + 6);
1845 if (ci->lport == -1) {
1846 fprintf(stderr, "Invalid port '%s' in test mode"
1847 " specification %s\n", p+6, p);
1851 fprintf(stderr, "Invalid test mode specification %s\n",
1860 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1863 int server_match_spec_complete(struct connection_info *ci)
1865 if (ci->user && ci->host && ci->address)
1866 return 1; /* complete */
1867 if (!ci->user && !ci->host && !ci->address)
1868 return -1; /* empty */
1869 return 0; /* partial */
1873 * Copy any supported values that are set.
1875 * If the preauth flag is set, we do not bother copying the string or
1876 * array values that are not used pre-authentication, because any that we
1877 * do use must be explictly sent in mm_getpwnamallow().
1880 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1882 #define M_CP_INTOPT(n) do {\
1887 M_CP_INTOPT(password_authentication);
1888 M_CP_INTOPT(gss_authentication);
1889 M_CP_INTOPT(rsa_authentication);
1890 M_CP_INTOPT(pubkey_authentication);
1891 M_CP_INTOPT(kerberos_authentication);
1892 M_CP_INTOPT(hostbased_authentication);
1893 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1894 M_CP_INTOPT(kbd_interactive_authentication);
1895 M_CP_INTOPT(permit_root_login);
1896 M_CP_INTOPT(permit_empty_passwd);
1898 M_CP_INTOPT(allow_tcp_forwarding);
1899 M_CP_INTOPT(allow_streamlocal_forwarding);
1900 M_CP_INTOPT(allow_agent_forwarding);
1901 M_CP_INTOPT(permit_tun);
1902 M_CP_INTOPT(fwd_opts.gateway_ports);
1903 M_CP_INTOPT(x11_display_offset);
1904 M_CP_INTOPT(x11_forwarding);
1905 M_CP_INTOPT(x11_use_localhost);
1906 M_CP_INTOPT(permit_tty);
1907 M_CP_INTOPT(permit_user_rc);
1908 M_CP_INTOPT(max_sessions);
1909 M_CP_INTOPT(max_authtries);
1910 M_CP_INTOPT(ip_qos_interactive);
1911 M_CP_INTOPT(ip_qos_bulk);
1912 M_CP_INTOPT(rekey_limit);
1913 M_CP_INTOPT(rekey_interval);
1915 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
1916 #define M_CP_STROPT(n) do {\
1917 if (src->n != NULL && dst->n != src->n) { \
1922 #define M_CP_STRARRAYOPT(n, num_n) do {\
1923 if (src->num_n != 0) { \
1924 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1925 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1929 /* See comment in servconf.h */
1930 COPY_MATCH_STRING_OPTS();
1933 * The only things that should be below this point are string options
1934 * which are only used after authentication.
1939 M_CP_STROPT(adm_forced_command);
1940 M_CP_STROPT(chroot_directory);
1945 #undef M_CP_STRARRAYOPT
1948 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1949 struct connection_info *connectinfo)
1951 int active, linenum, bad_options = 0;
1952 char *cp, *obuf, *cbuf;
1954 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1956 obuf = cbuf = xstrdup(buffer_ptr(conf));
1957 active = connectinfo ? 0 : 1;
1959 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1960 if (process_server_config_line(options, cp, filename,
1961 linenum++, &active, connectinfo) != 0)
1965 if (bad_options > 0)
1966 fatal("%s: terminating, %d bad configuration options",
1967 filename, bad_options);
1971 fmt_multistate_int(int val, const struct multistate *m)
1975 for (i = 0; m[i].key != NULL; i++) {
1976 if (m[i].value == val)
1983 fmt_intarg(ServerOpCodes code, int val)
1988 case sAddressFamily:
1989 return fmt_multistate_int(val, multistate_addressfamily);
1990 case sPermitRootLogin:
1991 return fmt_multistate_int(val, multistate_permitrootlogin);
1993 return fmt_multistate_int(val, multistate_gatewayports);
1995 return fmt_multistate_int(val, multistate_compression);
1996 case sUsePrivilegeSeparation:
1997 return fmt_multistate_int(val, multistate_privsep);
1998 case sAllowTcpForwarding:
1999 return fmt_multistate_int(val, multistate_tcpfwd);
2000 case sAllowStreamLocalForwarding:
2001 return fmt_multistate_int(val, multistate_tcpfwd);
2002 case sFingerprintHash:
2003 return ssh_digest_alg_name(val);
2010 case (SSH_PROTO_1|SSH_PROTO_2):
2028 lookup_opcode_name(ServerOpCodes code)
2032 for (i = 0; keywords[i].name != NULL; i++)
2033 if (keywords[i].opcode == code)
2034 return(keywords[i].name);
2039 dump_cfg_int(ServerOpCodes code, int val)
2041 printf("%s %d\n", lookup_opcode_name(code), val);
2045 dump_cfg_fmtint(ServerOpCodes code, int val)
2047 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2051 dump_cfg_string(ServerOpCodes code, const char *val)
2055 printf("%s %s\n", lookup_opcode_name(code),
2056 val == NULL ? "none" : val);
2060 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2064 for (i = 0; i < count; i++)
2065 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2069 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2073 printf("%s", lookup_opcode_name(code));
2074 for (i = 0; i < count; i++)
2075 printf(" %s", vals[i]);
2080 dump_config(ServerOptions *o)
2084 struct addrinfo *ai;
2085 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2087 /* these are usually at the top of the config */
2088 for (i = 0; i < o->num_ports; i++)
2089 printf("port %d\n", o->ports[i]);
2090 dump_cfg_fmtint(sProtocol, o->protocol);
2091 dump_cfg_fmtint(sAddressFamily, o->address_family);
2093 /* ListenAddress must be after Port */
2094 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2095 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2096 sizeof(addr), port, sizeof(port),
2097 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2098 error("getnameinfo failed: %.100s",
2099 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2102 if (ai->ai_family == AF_INET6)
2103 printf("listenaddress [%s]:%s\n", addr, port);
2105 printf("listenaddress %s:%s\n", addr, port);
2109 /* integer arguments */
2111 dump_cfg_int(sUsePAM, o->use_pam);
2113 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2114 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2115 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2116 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2117 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2118 dump_cfg_int(sMaxSessions, o->max_sessions);
2119 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2120 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2122 /* formatted integer arguments */
2123 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2124 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2125 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2126 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2127 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2128 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2129 o->hostbased_uses_name_from_packet_only);
2130 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2131 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2133 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2134 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2135 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2137 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2141 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2142 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2144 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2145 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2146 o->kbd_interactive_authentication);
2147 dump_cfg_fmtint(sChallengeResponseAuthentication,
2148 o->challenge_response_authentication);
2149 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2150 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2151 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2152 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2153 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2154 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2155 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2156 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2157 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2158 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2159 dump_cfg_fmtint(sUseLogin, o->use_login);
2160 dump_cfg_fmtint(sCompression, o->compression);
2161 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2162 dump_cfg_fmtint(sUseDNS, o->use_dns);
2163 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2164 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2165 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2166 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2168 /* string arguments */
2169 dump_cfg_string(sPidFile, o->pid_file);
2170 dump_cfg_string(sXAuthLocation, o->xauth_location);
2171 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2172 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2173 dump_cfg_string(sBanner, o->banner);
2174 dump_cfg_string(sForceCommand, o->adm_forced_command);
2175 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2176 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2177 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2178 dump_cfg_string(sAuthorizedPrincipalsFile,
2179 o->authorized_principals_file);
2180 dump_cfg_string(sVersionAddendum, o->version_addendum);
2181 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2182 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2183 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2184 dump_cfg_string(sKexAlgorithms,
2185 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2186 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2187 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2188 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2189 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2191 /* string arguments requiring a lookup */
2192 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2193 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2195 /* string array arguments */
2196 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2197 o->authorized_keys_files);
2198 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2200 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2201 o->host_cert_files);
2202 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2203 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2204 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2205 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2206 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2207 dump_cfg_strarray_oneline(sAuthenticationMethods,
2208 o->num_auth_methods, o->auth_methods);
2210 /* other arguments */
2211 for (i = 0; i < o->num_subsystems; i++)
2212 printf("subsystem %s %s\n", o->subsystem_name[i],
2213 o->subsystem_args[i]);
2215 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2216 o->max_startups_rate, o->max_startups);
2218 for (i = 0; tunmode_desc[i].val != -1; i++)
2219 if (tunmode_desc[i].val == o->permit_tun) {
2220 s = tunmode_desc[i].text;
2223 dump_cfg_string(sPermitTunnel, s);
2225 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2226 printf("%s\n", iptos2str(o->ip_qos_bulk));
2228 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2231 channel_print_adm_permitted_opens();