2 /* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
38 #include "openbsd-compat/sys-queue.h"
46 #include "pathnames.h"
53 #include "groupaccess.h"
58 #include "myproposal.h"
62 #include <cutils/properties.h>
65 static void add_listen_addr(ServerOptions *, char *, int);
66 static void add_one_listen_addr(ServerOptions *, char *, int);
68 /* Use of privilege separation or not */
69 extern int use_privsep;
72 /* Initializes the server options to their default values. */
75 initialize_server_options(ServerOptions *options)
77 memset(options, 0, sizeof(*options));
79 /* Portable-specific options */
80 options->use_pam = -1;
82 /* Standard Options */
83 options->num_ports = 0;
84 options->ports_from_cmdline = 0;
85 options->queued_listen_addrs = NULL;
86 options->num_queued_listens = 0;
87 options->listen_addrs = NULL;
88 options->address_family = -1;
89 options->num_host_key_files = 0;
90 options->num_host_cert_files = 0;
91 options->host_key_agent = NULL;
92 options->pid_file = NULL;
93 options->server_key_bits = -1;
94 options->login_grace_time = -1;
95 options->key_regeneration_time = -1;
96 options->permit_root_login = PERMIT_NOT_SET;
97 options->ignore_rhosts = -1;
98 options->ignore_user_known_hosts = -1;
99 options->print_motd = -1;
100 options->print_lastlog = -1;
101 options->x11_forwarding = -1;
102 options->x11_display_offset = -1;
103 options->x11_use_localhost = -1;
104 options->permit_tty = -1;
105 options->permit_user_rc = -1;
106 options->xauth_location = NULL;
107 options->strict_modes = -1;
108 options->tcp_keep_alive = -1;
109 options->log_facility = SYSLOG_FACILITY_NOT_SET;
110 options->log_level = SYSLOG_LEVEL_NOT_SET;
111 options->rhosts_rsa_authentication = -1;
112 options->hostbased_authentication = -1;
113 options->hostbased_uses_name_from_packet_only = -1;
114 options->hostbased_key_types = NULL;
115 options->hostkeyalgorithms = NULL;
116 options->rsa_authentication = -1;
117 options->pubkey_authentication = -1;
118 options->pubkey_key_types = NULL;
119 options->kerberos_authentication = -1;
120 options->kerberos_or_local_passwd = -1;
121 options->kerberos_ticket_cleanup = -1;
122 options->kerberos_get_afs_token = -1;
123 options->gss_authentication=-1;
124 options->gss_cleanup_creds = -1;
125 options->gss_strict_acceptor = -1;
126 options->password_authentication = -1;
127 options->kbd_interactive_authentication = -1;
128 options->challenge_response_authentication = -1;
129 options->permit_empty_passwd = -1;
130 options->permit_user_env = -1;
131 options->use_login = -1;
132 options->compression = -1;
133 options->rekey_limit = -1;
134 options->rekey_interval = -1;
135 options->allow_tcp_forwarding = -1;
136 options->allow_streamlocal_forwarding = -1;
137 options->allow_agent_forwarding = -1;
138 options->num_allow_users = 0;
139 options->num_deny_users = 0;
140 options->num_allow_groups = 0;
141 options->num_deny_groups = 0;
142 options->ciphers = NULL;
143 options->macs = NULL;
144 options->kex_algorithms = NULL;
145 options->protocol = SSH_PROTO_UNKNOWN;
146 options->fwd_opts.gateway_ports = -1;
147 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
148 options->fwd_opts.streamlocal_bind_unlink = -1;
149 options->num_subsystems = 0;
150 options->max_startups_begin = -1;
151 options->max_startups_rate = -1;
152 options->max_startups = -1;
153 options->max_authtries = -1;
154 options->max_sessions = -1;
155 options->banner = NULL;
156 options->use_dns = -1;
157 options->client_alive_interval = -1;
158 options->client_alive_count_max = -1;
159 options->num_authkeys_files = 0;
160 options->num_accept_env = 0;
161 options->permit_tun = -1;
162 options->num_permitted_opens = -1;
163 options->adm_forced_command = NULL;
164 options->chroot_directory = NULL;
165 options->authorized_keys_command = NULL;
166 options->authorized_keys_command_user = NULL;
167 options->revoked_keys_file = NULL;
168 options->trusted_user_ca_keys = NULL;
169 options->authorized_principals_file = NULL;
170 options->authorized_principals_command = NULL;
171 options->authorized_principals_command_user = NULL;
172 options->ip_qos_interactive = -1;
173 options->ip_qos_bulk = -1;
174 options->version_addendum = NULL;
175 options->fingerprint_hash = -1;
178 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
180 option_clear_or_none(const char *o)
182 return o == NULL || strcasecmp(o, "none") == 0;
186 fill_default_server_options(ServerOptions *options)
190 /* Portable-specific options */
191 if (options->use_pam == -1)
192 options->use_pam = 0;
194 /* Standard Options */
195 if (options->protocol == SSH_PROTO_UNKNOWN)
196 options->protocol = SSH_PROTO_2;
197 if (options->num_host_key_files == 0) {
198 /* fill default hostkeys for protocols */
199 if (options->protocol & SSH_PROTO_1)
200 options->host_key_files[options->num_host_key_files++] =
202 if (options->protocol & SSH_PROTO_2) {
203 options->host_key_files[options->num_host_key_files++] =
204 _PATH_HOST_RSA_KEY_FILE;
205 options->host_key_files[options->num_host_key_files++] =
206 _PATH_HOST_DSA_KEY_FILE;
207 #ifdef OPENSSL_HAS_ECC
208 options->host_key_files[options->num_host_key_files++] =
209 _PATH_HOST_ECDSA_KEY_FILE;
211 options->host_key_files[options->num_host_key_files++] =
212 _PATH_HOST_ED25519_KEY_FILE;
215 /* No certificates by default */
216 if (options->num_ports == 0)
217 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
218 if (options->address_family == -1)
219 options->address_family = AF_UNSPEC;
220 if (options->listen_addrs == NULL)
221 add_listen_addr(options, NULL, 0);
222 if (options->pid_file == NULL)
223 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
224 if (options->server_key_bits == -1)
225 options->server_key_bits = 1024;
226 if (options->login_grace_time == -1)
227 options->login_grace_time = 120;
228 if (options->key_regeneration_time == -1)
229 options->key_regeneration_time = 3600;
230 if (options->permit_root_login == PERMIT_NOT_SET)
231 options->permit_root_login = PERMIT_NO_PASSWD;
232 if (options->ignore_rhosts == -1)
233 options->ignore_rhosts = 1;
234 if (options->ignore_user_known_hosts == -1)
235 options->ignore_user_known_hosts = 0;
236 if (options->print_motd == -1)
237 options->print_motd = 1;
238 if (options->print_lastlog == -1)
239 options->print_lastlog = 1;
240 if (options->x11_forwarding == -1)
241 options->x11_forwarding = 0;
242 if (options->x11_display_offset == -1)
243 options->x11_display_offset = 10;
244 if (options->x11_use_localhost == -1)
245 options->x11_use_localhost = 1;
246 if (options->xauth_location == NULL)
247 options->xauth_location = xstrdup(_PATH_XAUTH);
248 if (options->permit_tty == -1)
249 options->permit_tty = 1;
250 if (options->permit_user_rc == -1)
251 options->permit_user_rc = 1;
252 if (options->strict_modes == -1)
253 options->strict_modes = 1;
254 if (options->tcp_keep_alive == -1)
255 options->tcp_keep_alive = 1;
256 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
257 options->log_facility = SYSLOG_FACILITY_AUTH;
258 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
259 options->log_level = SYSLOG_LEVEL_INFO;
260 if (options->rhosts_rsa_authentication == -1)
261 options->rhosts_rsa_authentication = 0;
262 if (options->hostbased_authentication == -1)
263 options->hostbased_authentication = 0;
264 if (options->hostbased_uses_name_from_packet_only == -1)
265 options->hostbased_uses_name_from_packet_only = 0;
266 if (options->hostkeyalgorithms == NULL)
267 options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
268 if (options->rsa_authentication == -1)
269 options->rsa_authentication = 1;
270 if (options->pubkey_authentication == -1)
271 options->pubkey_authentication = 1;
272 if (options->kerberos_authentication == -1)
273 options->kerberos_authentication = 0;
274 if (options->kerberos_or_local_passwd == -1)
275 options->kerberos_or_local_passwd = 1;
276 if (options->kerberos_ticket_cleanup == -1)
277 options->kerberos_ticket_cleanup = 1;
278 if (options->kerberos_get_afs_token == -1)
279 options->kerberos_get_afs_token = 0;
280 if (options->gss_authentication == -1)
281 options->gss_authentication = 0;
282 if (options->gss_cleanup_creds == -1)
283 options->gss_cleanup_creds = 1;
284 if (options->gss_strict_acceptor == -1)
285 options->gss_strict_acceptor = 0;
286 if (options->password_authentication == -1)
287 options->password_authentication = 1;
288 if (options->kbd_interactive_authentication == -1)
289 options->kbd_interactive_authentication = 0;
290 if (options->challenge_response_authentication == -1)
291 options->challenge_response_authentication = 1;
292 if (options->permit_empty_passwd == -1)
293 options->permit_empty_passwd = 0;
294 if (options->permit_user_env == -1)
295 options->permit_user_env = 0;
296 if (options->use_login == -1)
297 options->use_login = 0;
298 if (options->compression == -1)
299 options->compression = COMP_DELAYED;
300 if (options->rekey_limit == -1)
301 options->rekey_limit = 0;
302 if (options->rekey_interval == -1)
303 options->rekey_interval = 0;
304 if (options->allow_tcp_forwarding == -1)
305 options->allow_tcp_forwarding = FORWARD_ALLOW;
306 if (options->allow_streamlocal_forwarding == -1)
307 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
308 if (options->allow_agent_forwarding == -1)
309 options->allow_agent_forwarding = 1;
310 if (options->fwd_opts.gateway_ports == -1)
311 options->fwd_opts.gateway_ports = 0;
312 if (options->max_startups == -1)
313 options->max_startups = 100;
314 if (options->max_startups_rate == -1)
315 options->max_startups_rate = 30; /* 30% */
316 if (options->max_startups_begin == -1)
317 options->max_startups_begin = 10;
318 if (options->max_authtries == -1)
319 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
320 if (options->max_sessions == -1)
321 options->max_sessions = DEFAULT_SESSIONS_MAX;
322 if (options->use_dns == -1)
323 options->use_dns = 0;
324 if (options->client_alive_interval == -1)
325 options->client_alive_interval = 0;
326 if (options->client_alive_count_max == -1)
327 options->client_alive_count_max = 3;
328 if (options->num_authkeys_files == 0) {
329 options->authorized_keys_files[options->num_authkeys_files++] =
330 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
331 options->authorized_keys_files[options->num_authkeys_files++] =
332 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
334 if (options->permit_tun == -1)
335 options->permit_tun = SSH_TUNMODE_NO;
336 if (options->ip_qos_interactive == -1)
337 options->ip_qos_interactive = IPTOS_LOWDELAY;
338 if (options->ip_qos_bulk == -1)
339 options->ip_qos_bulk = IPTOS_THROUGHPUT;
340 if (options->version_addendum == NULL)
341 options->version_addendum = xstrdup("");
342 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
343 options->fwd_opts.streamlocal_bind_mask = 0177;
344 if (options->fwd_opts.streamlocal_bind_unlink == -1)
345 options->fwd_opts.streamlocal_bind_unlink = 0;
346 if (options->fingerprint_hash == -1)
347 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
349 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
350 kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
351 kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
352 kex_assemble_names(KEX_DEFAULT_PK_ALG,
353 &options->hostbased_key_types) != 0 ||
354 kex_assemble_names(KEX_DEFAULT_PK_ALG,
355 &options->pubkey_key_types) != 0)
356 fatal("%s: kex_assemble_names failed", __func__);
358 /* Turn privilege separation on by default */
359 if (use_privsep == -1)
360 use_privsep = PRIVSEP_NOSANDBOX;
362 #define CLEAR_ON_NONE(v) \
364 if (option_clear_or_none(v)) { \
369 CLEAR_ON_NONE(options->pid_file);
370 CLEAR_ON_NONE(options->xauth_location);
371 CLEAR_ON_NONE(options->banner);
372 CLEAR_ON_NONE(options->trusted_user_ca_keys);
373 CLEAR_ON_NONE(options->revoked_keys_file);
374 CLEAR_ON_NONE(options->authorized_principals_file);
375 for (i = 0; i < options->num_host_key_files; i++)
376 CLEAR_ON_NONE(options->host_key_files[i]);
377 for (i = 0; i < options->num_host_cert_files; i++)
378 CLEAR_ON_NONE(options->host_cert_files[i]);
382 if (use_privsep && options->compression == 1) {
383 error("This platform does not support both privilege "
384 "separation and compression");
385 error("Compression disabled");
386 options->compression = 0;
392 /* Keyword tokens. */
394 sBadOption, /* == unknown option */
395 /* Portable-specific options */
397 /* Standard Options */
398 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
399 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
400 sRhostsRSAAuthentication, sRSAAuthentication,
401 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
402 sKerberosGetAFSToken,
403 sKerberosTgtPassing, sChallengeResponseAuthentication,
404 sPasswordAuthentication, sKbdInteractiveAuthentication,
405 sListenAddress, sAddressFamily,
406 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
407 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
408 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
409 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
410 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
411 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
412 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
413 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
414 sBanner, sUseDNS, sHostbasedAuthentication,
415 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
417 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
418 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
419 sAcceptEnv, sPermitTunnel,
420 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
421 sUsePrivilegeSeparation, sAllowAgentForwarding,
423 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
424 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
425 sKexAlgorithms, sIPQoS, sVersionAddendum,
426 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
427 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
428 sStreamLocalBindMask, sStreamLocalBindUnlink,
429 sAllowStreamLocalForwarding, sFingerprintHash,
430 sDeprecated, sUnsupported
433 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
434 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
435 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
437 /* Textual representation of the tokens. */
440 ServerOpCodes opcode;
443 /* Portable-specific options */
445 { "usepam", sUsePAM, SSHCFG_GLOBAL },
447 { "usepam", sUnsupported, SSHCFG_GLOBAL },
449 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
450 /* Standard Options */
451 { "port", sPort, SSHCFG_GLOBAL },
452 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
453 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
454 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
455 { "pidfile", sPidFile, SSHCFG_GLOBAL },
456 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
457 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
458 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
459 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
460 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
461 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
462 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
463 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
464 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
465 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
466 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
467 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
468 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
469 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
470 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
471 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
473 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
474 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
475 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
477 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
479 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
482 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
483 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
484 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
485 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
487 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
488 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
490 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
491 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
492 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
494 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
495 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
496 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
498 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
499 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
500 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
501 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
502 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
503 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
504 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
505 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
506 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
507 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
508 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
509 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
510 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
511 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
512 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
513 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
514 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
515 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
516 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
517 { "compression", sCompression, SSHCFG_GLOBAL },
518 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
519 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
520 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
521 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
522 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
523 { "allowusers", sAllowUsers, SSHCFG_ALL },
524 { "denyusers", sDenyUsers, SSHCFG_ALL },
525 { "allowgroups", sAllowGroups, SSHCFG_ALL },
526 { "denygroups", sDenyGroups, SSHCFG_ALL },
527 { "ciphers", sCiphers, SSHCFG_GLOBAL },
528 { "macs", sMacs, SSHCFG_GLOBAL },
529 { "protocol", sProtocol, SSHCFG_GLOBAL },
530 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
531 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
532 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
533 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
534 { "maxsessions", sMaxSessions, SSHCFG_ALL },
535 { "banner", sBanner, SSHCFG_ALL },
536 { "usedns", sUseDNS, SSHCFG_GLOBAL },
537 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
538 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
539 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
540 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
541 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
542 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
543 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
544 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
545 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
546 { "permittty", sPermitTTY, SSHCFG_ALL },
547 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
548 { "match", sMatch, SSHCFG_ALL },
549 { "permitopen", sPermitOpen, SSHCFG_ALL },
550 { "forcecommand", sForceCommand, SSHCFG_ALL },
551 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
552 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
553 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
554 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
555 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
556 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
557 { "ipqos", sIPQoS, SSHCFG_ALL },
558 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
559 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
560 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
561 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
562 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
563 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
564 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
565 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
566 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
567 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
568 { NULL, sBadOption, 0 }
575 { SSH_TUNMODE_NO, "no" },
576 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
577 { SSH_TUNMODE_ETHERNET, "ethernet" },
578 { SSH_TUNMODE_YES, "yes" },
583 * Returns the number of the token pointed to by cp or sBadOption.
587 parse_token(const char *cp, const char *filename,
588 int linenum, u_int *flags)
592 for (i = 0; keywords[i].name; i++)
593 if (strcasecmp(cp, keywords[i].name) == 0) {
594 *flags = keywords[i].flags;
595 return keywords[i].opcode;
598 error("%s: line %d: Bad configuration option: %s",
599 filename, linenum, cp);
604 derelativise_path(const char *path)
606 char *expanded, *ret, cwd[PATH_MAX];
608 if (strcasecmp(path, "none") == 0)
609 return xstrdup("none");
610 expanded = tilde_expand_filename(path, getuid());
611 if (*expanded == '/')
613 if (getcwd(cwd, sizeof(cwd)) == NULL)
614 fatal("%s: getcwd: %s", __func__, strerror(errno));
615 xasprintf(&ret, "%s/%s", cwd, expanded);
621 add_listen_addr(ServerOptions *options, char *addr, int port)
626 for (i = 0; i < options->num_ports; i++)
627 add_one_listen_addr(options, addr, options->ports[i]);
629 add_one_listen_addr(options, addr, port);
633 add_one_listen_addr(ServerOptions *options, char *addr, int port)
635 struct addrinfo hints, *ai, *aitop;
636 char strport[NI_MAXSERV];
639 memset(&hints, 0, sizeof(hints));
640 hints.ai_family = options->address_family;
641 hints.ai_socktype = SOCK_STREAM;
642 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
643 snprintf(strport, sizeof strport, "%d", port);
644 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
645 fatal("bad addr or host: %s (%s)",
646 addr ? addr : "<NULL>",
647 ssh_gai_strerror(gaierr));
648 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
650 ai->ai_next = options->listen_addrs;
651 options->listen_addrs = aitop;
655 * Queue a ListenAddress to be processed once we have all of the Ports
656 * and AddressFamily options.
659 queue_listen_addr(ServerOptions *options, char *addr, int port)
661 options->queued_listen_addrs = xreallocarray(
662 options->queued_listen_addrs, options->num_queued_listens + 1,
664 options->queued_listen_ports = xreallocarray(
665 options->queued_listen_ports, options->num_queued_listens + 1,
667 options->queued_listen_addrs[options->num_queued_listens] =
669 options->queued_listen_ports[options->num_queued_listens] = port;
670 options->num_queued_listens++;
674 * Process queued (text) ListenAddress entries.
677 process_queued_listen_addrs(ServerOptions *options)
681 if (options->num_ports == 0)
682 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
683 if (options->address_family == -1)
684 options->address_family = AF_UNSPEC;
686 for (i = 0; i < options->num_queued_listens; i++) {
687 add_listen_addr(options, options->queued_listen_addrs[i],
688 options->queued_listen_ports[i]);
689 free(options->queued_listen_addrs[i]);
690 options->queued_listen_addrs[i] = NULL;
692 free(options->queued_listen_addrs);
693 options->queued_listen_addrs = NULL;
694 free(options->queued_listen_ports);
695 options->queued_listen_ports = NULL;
696 options->num_queued_listens = 0;
699 struct connection_info *
700 get_connection_info(int populate, int use_dns)
702 static struct connection_info ci;
706 ci.host = get_canonical_hostname(use_dns);
707 ci.address = get_remote_ipaddr();
708 ci.laddress = get_local_ipaddr(packet_get_connection_in());
709 ci.lport = get_local_port();
714 * The strategy for the Match blocks is that the config file is parsed twice.
716 * The first time is at startup. activep is initialized to 1 and the
717 * directives in the global context are processed and acted on. Hitting a
718 * Match directive unsets activep and the directives inside the block are
719 * checked for syntax only.
721 * The second time is after a connection has been established but before
722 * authentication. activep is initialized to 2 and global config directives
723 * are ignored since they have already been processed. If the criteria in a
724 * Match block is met, activep is set and the subsequent directives
725 * processed and actioned until EOF or another Match block unsets it. Any
726 * options set are copied into the main server config.
728 * Potential additions/improvements:
729 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
731 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
732 * Match Address 192.168.0.*
737 * AllowTcpForwarding yes
738 * GatewayPorts clientspecified
741 * - Add a PermittedChannelRequests directive
743 * PermittedChannelRequests session,forwarded-tcpip
747 match_cfg_line_group(const char *grps, int line, const char *user)
755 if ((pw = getpwnam(user)) == NULL) {
756 debug("Can't match group at line %d because user %.100s does "
757 "not exist", line, user);
758 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
759 debug("Can't Match group because user %.100s not in any group "
760 "at line %d", user, line);
761 } else if (ga_match_pattern_list(grps) != 1) {
762 debug("user %.100s does not match group list %.100s at line %d",
765 debug("user %.100s matched group list %.100s at line %d", user,
775 * All of the attributes on a single Match line are ANDed together, so we need
776 * to check every attribute and set the result to zero if any attribute does
780 match_cfg_line(char **condition, int line, struct connection_info *ci)
782 int result = 1, attributes = 0, port;
783 char *arg, *attrib, *cp = *condition;
786 debug3("checking syntax for 'Match %s'", cp);
788 debug3("checking match for '%s' user %s host %s addr %s "
789 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
790 ci->host ? ci->host : "(null)",
791 ci->address ? ci->address : "(null)",
792 ci->laddress ? ci->laddress : "(null)", ci->lport);
794 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
796 if (strcasecmp(attrib, "all") == 0) {
797 if (attributes != 1 ||
798 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
799 error("'all' cannot be combined with other "
806 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
807 error("Missing Match criteria for %s", attrib);
810 if (strcasecmp(attrib, "user") == 0) {
811 if (ci == NULL || ci->user == NULL) {
815 if (match_pattern_list(ci->user, arg, 0) != 1)
818 debug("user %.100s matched 'User %.100s' at "
819 "line %d", ci->user, arg, line);
820 } else if (strcasecmp(attrib, "group") == 0) {
821 if (ci == NULL || ci->user == NULL) {
825 switch (match_cfg_line_group(arg, line, ci->user)) {
831 } else if (strcasecmp(attrib, "host") == 0) {
832 if (ci == NULL || ci->host == NULL) {
836 if (match_hostname(ci->host, arg) != 1)
839 debug("connection from %.100s matched 'Host "
840 "%.100s' at line %d", ci->host, arg, line);
841 } else if (strcasecmp(attrib, "address") == 0) {
842 if (ci == NULL || ci->address == NULL) {
846 switch (addr_match_list(ci->address, arg)) {
848 debug("connection from %.100s matched 'Address "
849 "%.100s' at line %d", ci->address, arg, line);
858 } else if (strcasecmp(attrib, "localaddress") == 0){
859 if (ci == NULL || ci->laddress == NULL) {
863 switch (addr_match_list(ci->laddress, arg)) {
865 debug("connection from %.100s matched "
866 "'LocalAddress %.100s' at line %d",
867 ci->laddress, arg, line);
876 } else if (strcasecmp(attrib, "localport") == 0) {
877 if ((port = a2port(arg)) == -1) {
878 error("Invalid LocalPort '%s' on Match line",
882 if (ci == NULL || ci->lport == 0) {
886 /* TODO support port lists */
887 if (port == ci->lport)
888 debug("connection from %.100s matched "
889 "'LocalPort %d' at line %d",
890 ci->laddress, port, line);
894 error("Unsupported Match attribute %s", attrib);
898 if (attributes == 0) {
899 error("One or more attributes required for Match");
903 debug3("match %sfound", result ? "" : "not ");
908 #define WHITESPACE " \t\r\n"
910 /* Multistate option parsing */
915 static const struct multistate multistate_addressfamily[] = {
917 { "inet6", AF_INET6 },
918 { "any", AF_UNSPEC },
921 static const struct multistate multistate_permitrootlogin[] = {
922 { "without-password", PERMIT_NO_PASSWD },
923 { "prohibit-password", PERMIT_NO_PASSWD },
924 { "forced-commands-only", PERMIT_FORCED_ONLY },
925 { "yes", PERMIT_YES },
929 static const struct multistate multistate_compression[] = {
930 { "delayed", COMP_DELAYED },
931 { "yes", COMP_ZLIB },
935 static const struct multistate multistate_gatewayports[] = {
936 { "clientspecified", 2 },
941 static const struct multistate multistate_privsep[] = {
942 { "yes", PRIVSEP_NOSANDBOX },
943 { "sandbox", PRIVSEP_ON },
944 { "nosandbox", PRIVSEP_NOSANDBOX },
945 { "no", PRIVSEP_OFF },
948 static const struct multistate multistate_tcpfwd[] = {
949 { "yes", FORWARD_ALLOW },
950 { "all", FORWARD_ALLOW },
951 { "no", FORWARD_DENY },
952 { "remote", FORWARD_REMOTE },
953 { "local", FORWARD_LOCAL },
958 process_server_config_line(ServerOptions *options, char *line,
959 const char *filename, int linenum, int *activep,
960 struct connection_info *connectinfo)
962 char *cp, **charptr, *arg, *p;
963 int cmdline = 0, *intptr, value, value2, n, port;
964 SyslogFacility *log_facility_ptr;
965 LogLevel *log_level_ptr;
966 ServerOpCodes opcode;
970 const struct multistate *multistate_ptr;
973 if ((arg = strdelim(&cp)) == NULL)
975 /* Ignore leading whitespace */
978 if (!arg || !*arg || *arg == '#')
982 opcode = parse_token(arg, filename, linenum, &flags);
984 if (activep == NULL) { /* We are processing a command line directive */
988 if (*activep && opcode != sMatch)
989 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
990 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
991 if (connectinfo == NULL) {
992 fatal("%s line %d: Directive '%s' is not allowed "
993 "within a Match block", filename, linenum, arg);
994 } else { /* this is a directive we have already processed */
1002 /* Portable-specific options */
1004 intptr = &options->use_pam;
1007 /* Standard Options */
1011 /* ignore ports from configfile if cmdline specifies ports */
1012 if (options->ports_from_cmdline)
1014 if (options->num_ports >= MAX_PORTS)
1015 fatal("%s line %d: too many ports.",
1017 arg = strdelim(&cp);
1018 if (!arg || *arg == '\0')
1019 fatal("%s line %d: missing port number.",
1021 options->ports[options->num_ports++] = a2port(arg);
1022 if (options->ports[options->num_ports-1] <= 0)
1023 fatal("%s line %d: Badly formatted port number.",
1027 case sServerKeyBits:
1028 intptr = &options->server_key_bits;
1030 arg = strdelim(&cp);
1031 if (!arg || *arg == '\0')
1032 fatal("%s line %d: missing integer value.",
1035 if (*activep && *intptr == -1)
1039 case sLoginGraceTime:
1040 intptr = &options->login_grace_time;
1042 arg = strdelim(&cp);
1043 if (!arg || *arg == '\0')
1044 fatal("%s line %d: missing time value.",
1046 if ((value = convtime(arg)) == -1)
1047 fatal("%s line %d: invalid time value.",
1049 if (*activep && *intptr == -1)
1053 case sKeyRegenerationTime:
1054 intptr = &options->key_regeneration_time;
1057 case sListenAddress:
1058 arg = strdelim(&cp);
1059 if (arg == NULL || *arg == '\0')
1060 fatal("%s line %d: missing address",
1062 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1063 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1064 && strchr(p+1, ':') != NULL) {
1065 queue_listen_addr(options, arg, 0);
1070 fatal("%s line %d: bad address:port usage",
1072 p = cleanhostname(p);
1075 else if ((port = a2port(arg)) <= 0)
1076 fatal("%s line %d: bad port number", filename, linenum);
1078 queue_listen_addr(options, p, port);
1082 case sAddressFamily:
1083 intptr = &options->address_family;
1084 multistate_ptr = multistate_addressfamily;
1086 arg = strdelim(&cp);
1087 if (!arg || *arg == '\0')
1088 fatal("%s line %d: missing argument.",
1091 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1092 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1093 value = multistate_ptr[i].value;
1098 fatal("%s line %d: unsupported option \"%s\".",
1099 filename, linenum, arg);
1100 if (*activep && *intptr == -1)
1105 intptr = &options->num_host_key_files;
1106 if (*intptr >= MAX_HOSTKEYS)
1107 fatal("%s line %d: too many host keys specified (max %d).",
1108 filename, linenum, MAX_HOSTKEYS);
1109 charptr = &options->host_key_files[*intptr];
1111 arg = strdelim(&cp);
1112 if (!arg || *arg == '\0')
1113 fatal("%s line %d: missing file name.",
1115 if (*activep && *charptr == NULL) {
1116 *charptr = derelativise_path(arg);
1117 /* increase optional counter */
1119 *intptr = *intptr + 1;
1124 charptr = &options->host_key_agent;
1125 arg = strdelim(&cp);
1126 if (!arg || *arg == '\0')
1127 fatal("%s line %d: missing socket name.",
1129 if (*activep && *charptr == NULL)
1130 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1131 xstrdup(arg) : derelativise_path(arg);
1134 case sHostCertificate:
1135 intptr = &options->num_host_cert_files;
1136 if (*intptr >= MAX_HOSTKEYS)
1137 fatal("%s line %d: too many host certificates "
1138 "specified (max %d).", filename, linenum,
1140 charptr = &options->host_cert_files[*intptr];
1141 goto parse_filename;
1145 charptr = &options->pid_file;
1146 goto parse_filename;
1148 case sPermitRootLogin:
1149 intptr = &options->permit_root_login;
1150 multistate_ptr = multistate_permitrootlogin;
1151 goto parse_multistate;
1154 intptr = &options->ignore_rhosts;
1156 arg = strdelim(&cp);
1157 if (!arg || *arg == '\0')
1158 fatal("%s line %d: missing yes/no argument.",
1160 value = 0; /* silence compiler */
1161 if (strcmp(arg, "yes") == 0)
1163 else if (strcmp(arg, "no") == 0)
1166 fatal("%s line %d: Bad yes/no argument: %s",
1167 filename, linenum, arg);
1168 if (*activep && *intptr == -1)
1172 case sIgnoreUserKnownHosts:
1173 intptr = &options->ignore_user_known_hosts;
1176 case sRhostsRSAAuthentication:
1177 intptr = &options->rhosts_rsa_authentication;
1180 case sHostbasedAuthentication:
1181 intptr = &options->hostbased_authentication;
1184 case sHostbasedUsesNameFromPacketOnly:
1185 intptr = &options->hostbased_uses_name_from_packet_only;
1188 case sHostbasedAcceptedKeyTypes:
1189 charptr = &options->hostbased_key_types;
1191 arg = strdelim(&cp);
1192 if (!arg || *arg == '\0')
1193 fatal("%s line %d: Missing argument.",
1195 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1196 fatal("%s line %d: Bad key types '%s'.",
1197 filename, linenum, arg ? arg : "<NONE>");
1198 if (*activep && *charptr == NULL)
1199 *charptr = xstrdup(arg);
1202 case sHostKeyAlgorithms:
1203 charptr = &options->hostkeyalgorithms;
1204 goto parse_keytypes;
1206 case sRSAAuthentication:
1207 intptr = &options->rsa_authentication;
1210 case sPubkeyAuthentication:
1211 intptr = &options->pubkey_authentication;
1214 case sPubkeyAcceptedKeyTypes:
1215 charptr = &options->pubkey_key_types;
1216 goto parse_keytypes;
1218 case sKerberosAuthentication:
1219 intptr = &options->kerberos_authentication;
1222 case sKerberosOrLocalPasswd:
1223 intptr = &options->kerberos_or_local_passwd;
1226 case sKerberosTicketCleanup:
1227 intptr = &options->kerberos_ticket_cleanup;
1230 case sKerberosGetAFSToken:
1231 intptr = &options->kerberos_get_afs_token;
1234 case sGssAuthentication:
1235 intptr = &options->gss_authentication;
1238 case sGssCleanupCreds:
1239 intptr = &options->gss_cleanup_creds;
1242 case sGssStrictAcceptor:
1243 intptr = &options->gss_strict_acceptor;
1246 case sPasswordAuthentication:
1247 intptr = &options->password_authentication;
1250 case sKbdInteractiveAuthentication:
1251 intptr = &options->kbd_interactive_authentication;
1254 case sChallengeResponseAuthentication:
1255 intptr = &options->challenge_response_authentication;
1259 intptr = &options->print_motd;
1263 intptr = &options->print_lastlog;
1266 case sX11Forwarding:
1267 intptr = &options->x11_forwarding;
1270 case sX11DisplayOffset:
1271 intptr = &options->x11_display_offset;
1274 case sX11UseLocalhost:
1275 intptr = &options->x11_use_localhost;
1278 case sXAuthLocation:
1279 charptr = &options->xauth_location;
1280 goto parse_filename;
1283 intptr = &options->permit_tty;
1287 intptr = &options->permit_user_rc;
1291 intptr = &options->strict_modes;
1295 intptr = &options->tcp_keep_alive;
1299 intptr = &options->permit_empty_passwd;
1302 case sPermitUserEnvironment:
1303 intptr = &options->permit_user_env;
1307 intptr = &options->use_login;
1311 intptr = &options->compression;
1312 multistate_ptr = multistate_compression;
1313 goto parse_multistate;
1316 arg = strdelim(&cp);
1317 if (!arg || *arg == '\0')
1318 fatal("%.200s line %d: Missing argument.", filename,
1320 if (strcmp(arg, "default") == 0) {
1323 if (scan_scaled(arg, &val64) == -1)
1324 fatal("%.200s line %d: Bad number '%s': %s",
1325 filename, linenum, arg, strerror(errno));
1326 /* check for too-large or too-small limits */
1327 if (val64 > UINT_MAX)
1328 fatal("%.200s line %d: RekeyLimit too large",
1330 if (val64 != 0 && val64 < 16)
1331 fatal("%.200s line %d: RekeyLimit too small",
1334 if (*activep && options->rekey_limit == -1)
1335 options->rekey_limit = (u_int32_t)val64;
1336 if (cp != NULL) { /* optional rekey interval present */
1337 if (strcmp(cp, "none") == 0) {
1338 (void)strdelim(&cp); /* discard */
1341 intptr = &options->rekey_interval;
1347 intptr = &options->fwd_opts.gateway_ports;
1348 multistate_ptr = multistate_gatewayports;
1349 goto parse_multistate;
1352 intptr = &options->use_dns;
1356 log_facility_ptr = &options->log_facility;
1357 arg = strdelim(&cp);
1358 value = log_facility_number(arg);
1359 if (value == SYSLOG_FACILITY_NOT_SET)
1360 fatal("%.200s line %d: unsupported log facility '%s'",
1361 filename, linenum, arg ? arg : "<NONE>");
1362 if (*log_facility_ptr == -1)
1363 *log_facility_ptr = (SyslogFacility) value;
1367 log_level_ptr = &options->log_level;
1368 arg = strdelim(&cp);
1369 value = log_level_number(arg);
1370 if (value == SYSLOG_LEVEL_NOT_SET)
1371 fatal("%.200s line %d: unsupported log level '%s'",
1372 filename, linenum, arg ? arg : "<NONE>");
1373 if (*log_level_ptr == -1)
1374 *log_level_ptr = (LogLevel) value;
1377 case sAllowTcpForwarding:
1378 intptr = &options->allow_tcp_forwarding;
1379 multistate_ptr = multistate_tcpfwd;
1380 goto parse_multistate;
1382 case sAllowStreamLocalForwarding:
1383 intptr = &options->allow_streamlocal_forwarding;
1384 multistate_ptr = multistate_tcpfwd;
1385 goto parse_multistate;
1387 case sAllowAgentForwarding:
1388 intptr = &options->allow_agent_forwarding;
1391 case sUsePrivilegeSeparation:
1392 intptr = &use_privsep;
1393 multistate_ptr = multistate_privsep;
1394 goto parse_multistate;
1397 while ((arg = strdelim(&cp)) && *arg != '\0') {
1398 if (options->num_allow_users >= MAX_ALLOW_USERS)
1399 fatal("%s line %d: too many allow users.",
1403 options->allow_users[options->num_allow_users++] =
1409 while ((arg = strdelim(&cp)) && *arg != '\0') {
1410 if (options->num_deny_users >= MAX_DENY_USERS)
1411 fatal("%s line %d: too many deny users.",
1415 options->deny_users[options->num_deny_users++] =
1421 while ((arg = strdelim(&cp)) && *arg != '\0') {
1422 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1423 fatal("%s line %d: too many allow groups.",
1427 options->allow_groups[options->num_allow_groups++] =
1433 while ((arg = strdelim(&cp)) && *arg != '\0') {
1434 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1435 fatal("%s line %d: too many deny groups.",
1439 options->deny_groups[options->num_deny_groups++] =
1445 arg = strdelim(&cp);
1446 if (!arg || *arg == '\0')
1447 fatal("%s line %d: Missing argument.", filename, linenum);
1448 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1449 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1450 filename, linenum, arg ? arg : "<NONE>");
1451 if (options->ciphers == NULL)
1452 options->ciphers = xstrdup(arg);
1456 arg = strdelim(&cp);
1457 if (!arg || *arg == '\0')
1458 fatal("%s line %d: Missing argument.", filename, linenum);
1459 if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1460 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1461 filename, linenum, arg ? arg : "<NONE>");
1462 if (options->macs == NULL)
1463 options->macs = xstrdup(arg);
1466 case sKexAlgorithms:
1467 arg = strdelim(&cp);
1468 if (!arg || *arg == '\0')
1469 fatal("%s line %d: Missing argument.",
1471 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1472 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1473 filename, linenum, arg ? arg : "<NONE>");
1474 if (options->kex_algorithms == NULL)
1475 options->kex_algorithms = xstrdup(arg);
1479 intptr = &options->protocol;
1480 arg = strdelim(&cp);
1481 if (!arg || *arg == '\0')
1482 fatal("%s line %d: Missing argument.", filename, linenum);
1483 value = proto_spec(arg);
1484 if (value == SSH_PROTO_UNKNOWN)
1485 fatal("%s line %d: Bad protocol spec '%s'.",
1486 filename, linenum, arg ? arg : "<NONE>");
1487 if (*intptr == SSH_PROTO_UNKNOWN)
1492 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1493 fatal("%s line %d: too many subsystems defined.",
1496 arg = strdelim(&cp);
1497 if (!arg || *arg == '\0')
1498 fatal("%s line %d: Missing subsystem name.",
1501 arg = strdelim(&cp);
1504 for (i = 0; i < options->num_subsystems; i++)
1505 if (strcmp(arg, options->subsystem_name[i]) == 0)
1506 fatal("%s line %d: Subsystem '%s' already defined.",
1507 filename, linenum, arg);
1508 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1509 arg = strdelim(&cp);
1510 if (!arg || *arg == '\0')
1511 fatal("%s line %d: Missing subsystem command.",
1513 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1515 /* Collect arguments (separate to executable) */
1517 len = strlen(p) + 1;
1518 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1519 len += 1 + strlen(arg);
1520 p = xreallocarray(p, 1, len);
1521 strlcat(p, " ", len);
1522 strlcat(p, arg, len);
1524 options->subsystem_args[options->num_subsystems] = p;
1525 options->num_subsystems++;
1529 arg = strdelim(&cp);
1530 if (!arg || *arg == '\0')
1531 fatal("%s line %d: Missing MaxStartups spec.",
1533 if ((n = sscanf(arg, "%d:%d:%d",
1534 &options->max_startups_begin,
1535 &options->max_startups_rate,
1536 &options->max_startups)) == 3) {
1537 if (options->max_startups_begin >
1538 options->max_startups ||
1539 options->max_startups_rate > 100 ||
1540 options->max_startups_rate < 1)
1541 fatal("%s line %d: Illegal MaxStartups spec.",
1544 fatal("%s line %d: Illegal MaxStartups spec.",
1547 options->max_startups = options->max_startups_begin;
1551 intptr = &options->max_authtries;
1555 intptr = &options->max_sessions;
1559 charptr = &options->banner;
1560 goto parse_filename;
1563 * These options can contain %X options expanded at
1564 * connect time, so that you can specify paths like:
1566 * AuthorizedKeysFile /etc/ssh_keys/%u
1568 case sAuthorizedKeysFile:
1569 if (*activep && options->num_authkeys_files == 0) {
1570 while ((arg = strdelim(&cp)) && *arg != '\0') {
1571 if (options->num_authkeys_files >=
1573 fatal("%s line %d: "
1574 "too many authorized keys files.",
1576 options->authorized_keys_files[
1577 options->num_authkeys_files++] =
1578 tilde_expand_filename(arg, getuid());
1583 case sAuthorizedPrincipalsFile:
1584 charptr = &options->authorized_principals_file;
1585 arg = strdelim(&cp);
1586 if (!arg || *arg == '\0')
1587 fatal("%s line %d: missing file name.",
1589 if (*activep && *charptr == NULL) {
1590 *charptr = tilde_expand_filename(arg, getuid());
1591 /* increase optional counter */
1593 *intptr = *intptr + 1;
1597 case sClientAliveInterval:
1598 intptr = &options->client_alive_interval;
1601 case sClientAliveCountMax:
1602 intptr = &options->client_alive_count_max;
1606 while ((arg = strdelim(&cp)) && *arg != '\0') {
1607 if (strchr(arg, '=') != NULL)
1608 fatal("%s line %d: Invalid environment name.",
1610 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1611 fatal("%s line %d: too many allow env.",
1615 options->accept_env[options->num_accept_env++] =
1621 intptr = &options->permit_tun;
1622 arg = strdelim(&cp);
1623 if (!arg || *arg == '\0')
1624 fatal("%s line %d: Missing yes/point-to-point/"
1625 "ethernet/no argument.", filename, linenum);
1627 for (i = 0; tunmode_desc[i].val != -1; i++)
1628 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1629 value = tunmode_desc[i].val;
1633 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1634 "no argument: %s", filename, linenum, arg);
1635 if (*activep && *intptr == -1)
1641 fatal("Match directive not supported as a command-line "
1643 value = match_cfg_line(&cp, linenum, connectinfo);
1645 fatal("%s line %d: Bad Match condition", filename,
1651 arg = strdelim(&cp);
1652 if (!arg || *arg == '\0')
1653 fatal("%s line %d: missing PermitOpen specification",
1655 n = options->num_permitted_opens; /* modified later */
1656 if (strcmp(arg, "any") == 0) {
1657 if (*activep && n == -1) {
1658 channel_clear_adm_permitted_opens();
1659 options->num_permitted_opens = 0;
1663 if (strcmp(arg, "none") == 0) {
1664 if (*activep && n == -1) {
1665 options->num_permitted_opens = 1;
1666 channel_disable_adm_local_opens();
1670 if (*activep && n == -1)
1671 channel_clear_adm_permitted_opens();
1672 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1675 fatal("%s line %d: missing host in PermitOpen",
1677 p = cleanhostname(p);
1678 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1679 fatal("%s line %d: bad port number in "
1680 "PermitOpen", filename, linenum);
1681 if (*activep && n == -1)
1682 options->num_permitted_opens =
1683 channel_add_adm_permitted_opens(p, port);
1688 if (cp == NULL || *cp == '\0')
1689 fatal("%.200s line %d: Missing argument.", filename,
1691 len = strspn(cp, WHITESPACE);
1692 if (*activep && options->adm_forced_command == NULL)
1693 options->adm_forced_command = xstrdup(cp + len);
1696 case sChrootDirectory:
1697 charptr = &options->chroot_directory;
1699 arg = strdelim(&cp);
1700 if (!arg || *arg == '\0')
1701 fatal("%s line %d: missing file name.",
1703 if (*activep && *charptr == NULL)
1704 *charptr = xstrdup(arg);
1707 case sTrustedUserCAKeys:
1708 charptr = &options->trusted_user_ca_keys;
1709 goto parse_filename;
1712 charptr = &options->revoked_keys_file;
1713 goto parse_filename;
1716 arg = strdelim(&cp);
1717 if ((value = parse_ipqos(arg)) == -1)
1718 fatal("%s line %d: Bad IPQoS value: %s",
1719 filename, linenum, arg);
1720 arg = strdelim(&cp);
1723 else if ((value2 = parse_ipqos(arg)) == -1)
1724 fatal("%s line %d: Bad IPQoS value: %s",
1725 filename, linenum, arg);
1727 options->ip_qos_interactive = value;
1728 options->ip_qos_bulk = value2;
1732 case sVersionAddendum:
1733 if (cp == NULL || *cp == '\0')
1734 fatal("%.200s line %d: Missing argument.", filename,
1736 len = strspn(cp, WHITESPACE);
1737 if (*activep && options->version_addendum == NULL) {
1738 if (strcasecmp(cp + len, "none") == 0)
1739 options->version_addendum = xstrdup("");
1740 else if (strchr(cp + len, '\r') != NULL)
1741 fatal("%.200s line %d: Invalid argument",
1744 options->version_addendum = xstrdup(cp + len);
1748 case sAuthorizedKeysCommand:
1750 fatal("%.200s line %d: Missing argument.", filename,
1752 len = strspn(cp, WHITESPACE);
1753 if (*activep && options->authorized_keys_command == NULL) {
1754 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1755 fatal("%.200s line %d: AuthorizedKeysCommand "
1756 "must be an absolute path",
1758 options->authorized_keys_command = xstrdup(cp + len);
1762 case sAuthorizedKeysCommandUser:
1763 charptr = &options->authorized_keys_command_user;
1765 arg = strdelim(&cp);
1766 if (!arg || *arg == '\0')
1767 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1768 "argument.", filename, linenum);
1769 if (*activep && *charptr == NULL)
1770 *charptr = xstrdup(arg);
1773 case sAuthorizedPrincipalsCommand:
1775 fatal("%.200s line %d: Missing argument.", filename,
1777 len = strspn(cp, WHITESPACE);
1779 options->authorized_principals_command == NULL) {
1780 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1781 fatal("%.200s line %d: "
1782 "AuthorizedPrincipalsCommand must be "
1783 "an absolute path", filename, linenum);
1784 options->authorized_principals_command =
1789 case sAuthorizedPrincipalsCommandUser:
1790 charptr = &options->authorized_principals_command_user;
1792 arg = strdelim(&cp);
1793 if (!arg || *arg == '\0')
1794 fatal("%s line %d: missing "
1795 "AuthorizedPrincipalsCommandUser argument.",
1797 if (*activep && *charptr == NULL)
1798 *charptr = xstrdup(arg);
1801 case sAuthenticationMethods:
1802 if (options->num_auth_methods == 0) {
1803 while ((arg = strdelim(&cp)) && *arg != '\0') {
1804 if (options->num_auth_methods >=
1806 fatal("%s line %d: "
1807 "too many authentication methods.",
1809 if (auth2_methods_valid(arg, 0) != 0)
1810 fatal("%s line %d: invalid "
1811 "authentication method list.",
1815 options->auth_methods[
1816 options->num_auth_methods++] = xstrdup(arg);
1821 case sStreamLocalBindMask:
1822 arg = strdelim(&cp);
1823 if (!arg || *arg == '\0')
1824 fatal("%s line %d: missing StreamLocalBindMask "
1825 "argument.", filename, linenum);
1826 /* Parse mode in octal format */
1827 value = strtol(arg, &p, 8);
1828 if (arg == p || value < 0 || value > 0777)
1829 fatal("%s line %d: Bad mask.", filename, linenum);
1831 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1834 case sStreamLocalBindUnlink:
1835 intptr = &options->fwd_opts.streamlocal_bind_unlink;
1838 case sFingerprintHash:
1839 arg = strdelim(&cp);
1840 if (!arg || *arg == '\0')
1841 fatal("%.200s line %d: Missing argument.",
1843 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1844 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1845 filename, linenum, arg);
1847 options->fingerprint_hash = value;
1851 logit("%s line %d: Deprecated option %s",
1852 filename, linenum, arg);
1854 arg = strdelim(&cp);
1858 logit("%s line %d: Unsupported option %s",
1859 filename, linenum, arg);
1861 arg = strdelim(&cp);
1865 fatal("%s line %d: Missing handler for opcode %s (%d)",
1866 filename, linenum, arg, opcode);
1868 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1869 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1870 filename, linenum, arg);
1874 /* Reads the server configuration file. */
1877 load_server_config(const char *filename, Buffer *conf)
1879 char line[4096], *cp;
1883 debug2("%s: filename %s", __func__, filename);
1884 if ((f = fopen(filename, "r")) == NULL) {
1889 while (fgets(line, sizeof(line), f)) {
1891 if (strlen(line) == sizeof(line) - 1)
1892 fatal("%s line %d too long", filename, lineno);
1894 * Trim out comments and strip whitespace
1895 * NB - preserve newlines, they are needed to reproduce
1896 * line numbers later for error messages
1898 if ((cp = strchr(line, '#')) != NULL)
1899 memcpy(cp, "\n", 2);
1900 cp = line + strspn(line, " \t\r");
1902 buffer_append(conf, cp, strlen(cp));
1904 buffer_append(conf, "\0", 1);
1906 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1910 parse_server_match_config(ServerOptions *options,
1911 struct connection_info *connectinfo)
1914 #if defined(ANDROID)
1915 char value[PROPERTY_VALUE_MAX];
1918 initialize_server_options(&mo);
1919 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1920 #if defined(ANDROID)
1921 /* Allow root login if ro.debuggable is set. */
1922 property_get("ro.debuggable", value, "");
1923 if (strcmp(value, "1") == 0) {
1924 mo.permit_root_login = PERMIT_YES;
1927 copy_set_server_options(options, &mo, 0);
1930 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1934 while ((p = strsep(&spec, ",")) && *p != '\0') {
1935 if (strncmp(p, "addr=", 5) == 0) {
1936 ci->address = xstrdup(p + 5);
1937 } else if (strncmp(p, "host=", 5) == 0) {
1938 ci->host = xstrdup(p + 5);
1939 } else if (strncmp(p, "user=", 5) == 0) {
1940 ci->user = xstrdup(p + 5);
1941 } else if (strncmp(p, "laddr=", 6) == 0) {
1942 ci->laddress = xstrdup(p + 6);
1943 } else if (strncmp(p, "lport=", 6) == 0) {
1944 ci->lport = a2port(p + 6);
1945 if (ci->lport == -1) {
1946 fprintf(stderr, "Invalid port '%s' in test mode"
1947 " specification %s\n", p+6, p);
1951 fprintf(stderr, "Invalid test mode specification %s\n",
1960 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1963 int server_match_spec_complete(struct connection_info *ci)
1965 if (ci->user && ci->host && ci->address)
1966 return 1; /* complete */
1967 if (!ci->user && !ci->host && !ci->address)
1968 return -1; /* empty */
1969 return 0; /* partial */
1973 * Copy any supported values that are set.
1975 * If the preauth flag is set, we do not bother copying the string or
1976 * array values that are not used pre-authentication, because any that we
1977 * do use must be explictly sent in mm_getpwnamallow().
1980 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1982 #define M_CP_INTOPT(n) do {\
1987 M_CP_INTOPT(password_authentication);
1988 M_CP_INTOPT(gss_authentication);
1989 M_CP_INTOPT(rsa_authentication);
1990 M_CP_INTOPT(pubkey_authentication);
1991 M_CP_INTOPT(kerberos_authentication);
1992 M_CP_INTOPT(hostbased_authentication);
1993 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1994 M_CP_INTOPT(kbd_interactive_authentication);
1995 M_CP_INTOPT(permit_root_login);
1996 M_CP_INTOPT(permit_empty_passwd);
1998 M_CP_INTOPT(allow_tcp_forwarding);
1999 M_CP_INTOPT(allow_streamlocal_forwarding);
2000 M_CP_INTOPT(allow_agent_forwarding);
2001 M_CP_INTOPT(permit_tun);
2002 M_CP_INTOPT(fwd_opts.gateway_ports);
2003 M_CP_INTOPT(x11_display_offset);
2004 M_CP_INTOPT(x11_forwarding);
2005 M_CP_INTOPT(x11_use_localhost);
2006 M_CP_INTOPT(permit_tty);
2007 M_CP_INTOPT(permit_user_rc);
2008 M_CP_INTOPT(max_sessions);
2009 M_CP_INTOPT(max_authtries);
2010 M_CP_INTOPT(ip_qos_interactive);
2011 M_CP_INTOPT(ip_qos_bulk);
2012 M_CP_INTOPT(rekey_limit);
2013 M_CP_INTOPT(rekey_interval);
2015 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2016 #define M_CP_STROPT(n) do {\
2017 if (src->n != NULL && dst->n != src->n) { \
2022 #define M_CP_STRARRAYOPT(n, num_n) do {\
2023 if (src->num_n != 0) { \
2024 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2025 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2029 /* See comment in servconf.h */
2030 COPY_MATCH_STRING_OPTS();
2033 * The only things that should be below this point are string options
2034 * which are only used after authentication.
2039 M_CP_STROPT(adm_forced_command);
2040 M_CP_STROPT(chroot_directory);
2045 #undef M_CP_STRARRAYOPT
2048 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2049 struct connection_info *connectinfo)
2051 int active, linenum, bad_options = 0;
2052 char *cp, *obuf, *cbuf;
2054 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2056 obuf = cbuf = xstrdup(buffer_ptr(conf));
2057 active = connectinfo ? 0 : 1;
2059 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2060 if (process_server_config_line(options, cp, filename,
2061 linenum++, &active, connectinfo) != 0)
2065 if (bad_options > 0)
2066 fatal("%s: terminating, %d bad configuration options",
2067 filename, bad_options);
2068 process_queued_listen_addrs(options);
2072 fmt_multistate_int(int val, const struct multistate *m)
2076 for (i = 0; m[i].key != NULL; i++) {
2077 if (m[i].value == val)
2084 fmt_intarg(ServerOpCodes code, int val)
2089 case sAddressFamily:
2090 return fmt_multistate_int(val, multistate_addressfamily);
2091 case sPermitRootLogin:
2092 return fmt_multistate_int(val, multistate_permitrootlogin);
2094 return fmt_multistate_int(val, multistate_gatewayports);
2096 return fmt_multistate_int(val, multistate_compression);
2097 case sUsePrivilegeSeparation:
2098 return fmt_multistate_int(val, multistate_privsep);
2099 case sAllowTcpForwarding:
2100 return fmt_multistate_int(val, multistate_tcpfwd);
2101 case sAllowStreamLocalForwarding:
2102 return fmt_multistate_int(val, multistate_tcpfwd);
2103 case sFingerprintHash:
2104 return ssh_digest_alg_name(val);
2111 case (SSH_PROTO_1|SSH_PROTO_2):
2129 lookup_opcode_name(ServerOpCodes code)
2133 for (i = 0; keywords[i].name != NULL; i++)
2134 if (keywords[i].opcode == code)
2135 return(keywords[i].name);
2140 dump_cfg_int(ServerOpCodes code, int val)
2142 printf("%s %d\n", lookup_opcode_name(code), val);
2146 dump_cfg_oct(ServerOpCodes code, int val)
2148 printf("%s 0%o\n", lookup_opcode_name(code), val);
2152 dump_cfg_fmtint(ServerOpCodes code, int val)
2154 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2158 dump_cfg_string(ServerOpCodes code, const char *val)
2162 printf("%s %s\n", lookup_opcode_name(code),
2163 val == NULL ? "none" : val);
2167 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2171 for (i = 0; i < count; i++)
2172 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2176 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2182 printf("%s", lookup_opcode_name(code));
2183 for (i = 0; i < count; i++)
2184 printf(" %s", vals[i]);
2189 dump_config(ServerOptions *o)
2193 struct addrinfo *ai;
2194 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2195 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2197 /* these are usually at the top of the config */
2198 for (i = 0; i < o->num_ports; i++)
2199 printf("port %d\n", o->ports[i]);
2200 dump_cfg_fmtint(sProtocol, o->protocol);
2201 dump_cfg_fmtint(sAddressFamily, o->address_family);
2204 * ListenAddress must be after Port. add_one_listen_addr pushes
2205 * addresses onto a stack, so to maintain ordering we need to
2206 * print these in reverse order.
2208 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2209 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2210 sizeof(addr), port, sizeof(port),
2211 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2212 error("getnameinfo failed: %.100s",
2213 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2217 if (ai->ai_family == AF_INET6)
2218 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2219 addr, port, laddr2);
2221 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2222 addr, port, laddr2);
2226 printf("%s", laddr1);
2229 /* integer arguments */
2231 dump_cfg_fmtint(sUsePAM, o->use_pam);
2233 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2234 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2235 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2236 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2237 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2238 dump_cfg_int(sMaxSessions, o->max_sessions);
2239 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2240 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2241 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2243 /* formatted integer arguments */
2244 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2245 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2246 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2247 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2248 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2249 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2250 o->hostbased_uses_name_from_packet_only);
2251 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2252 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2254 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2255 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2256 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2258 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2262 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2263 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2265 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2266 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2267 o->kbd_interactive_authentication);
2268 dump_cfg_fmtint(sChallengeResponseAuthentication,
2269 o->challenge_response_authentication);
2270 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2271 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2272 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2273 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2274 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2275 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2276 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2277 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2278 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2279 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2280 dump_cfg_fmtint(sUseLogin, o->use_login);
2281 dump_cfg_fmtint(sCompression, o->compression);
2282 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2283 dump_cfg_fmtint(sUseDNS, o->use_dns);
2284 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2285 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2286 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2287 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2288 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2290 /* string arguments */
2291 dump_cfg_string(sPidFile, o->pid_file);
2292 dump_cfg_string(sXAuthLocation, o->xauth_location);
2293 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2294 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2295 dump_cfg_string(sBanner, o->banner);
2296 dump_cfg_string(sForceCommand, o->adm_forced_command);
2297 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2298 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2299 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2300 dump_cfg_string(sAuthorizedPrincipalsFile,
2301 o->authorized_principals_file);
2302 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2303 ? "none" : o->version_addendum);
2304 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2305 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2306 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2307 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2308 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2309 dump_cfg_string(sKexAlgorithms,
2310 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2311 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2312 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2313 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2314 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2315 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2316 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2318 /* string arguments requiring a lookup */
2319 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2320 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2322 /* string array arguments */
2323 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2324 o->authorized_keys_files);
2325 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2327 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2328 o->host_cert_files);
2329 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2330 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2331 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2332 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2333 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2334 dump_cfg_strarray_oneline(sAuthenticationMethods,
2335 o->num_auth_methods, o->auth_methods);
2337 /* other arguments */
2338 for (i = 0; i < o->num_subsystems; i++)
2339 printf("subsystem %s %s\n", o->subsystem_name[i],
2340 o->subsystem_args[i]);
2342 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2343 o->max_startups_rate, o->max_startups);
2345 for (i = 0; tunmode_desc[i].val != -1; i++)
2346 if (tunmode_desc[i].val == o->permit_tun) {
2347 s = tunmode_desc[i].text;
2350 dump_cfg_string(sPermitTunnel, s);
2352 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2353 printf("%s\n", iptos2str(o->ip_qos_bulk));
2355 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2358 channel_print_adm_permitted_opens();