Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c174
1 files changed, 57 insertions, 117 deletions
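diff --git a/servconf.c b/servconf.c
index 873b0d02a..795ddbab7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -86,9 +86,7 @@ initialize_server_options(ServerOptions *options)
 	options->num_host_cert_files = 0;
 	options->host_key_agent = NULL;
 	options->pid_file = NULL;
-	options->server_key_bits = -1;
 	options->login_grace_time = -1;
-	options->key_regeneration_time = -1;
 	options->permit_root_login = PERMIT_NOT_SET;
 	options->ignore_rhosts = -1;
 	options->ignore_user_known_hosts = -1;
@@ -104,12 +102,10 @@ initialize_server_options(ServerOptions *options)
 	options->tcp_keep_alive = -1;
 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
 	options->log_level = SYSLOG_LEVEL_NOT_SET;
-	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->hostbased_key_types = NULL;
 	options->hostkeyalgorithms = NULL;
-	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
 	options->pubkey_key_types = NULL;
 	options->kerberos_authentication = -1;
@@ -124,7 +120,6 @@ initialize_server_options(ServerOptions *options)
 	options->challenge_response_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
-	options->use_login = -1;
 	options->compression = -1;
 	options->rekey_limit = -1;
 	options->rekey_interval = -1;
@@ -138,7 +133,6 @@ initialize_server_options(ServerOptions *options)
 	options->ciphers = NULL;
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
-	options->protocol = SSH_PROTO_UNKNOWN;
 	options->fwd_opts.gateway_ports = -1;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -169,6 +163,7 @@ initialize_server_options(ServerOptions *options)
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
+	options->disable_forwarding = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -202,25 +197,18 @@ fill_default_server_options(ServerOptions *options)
 	options->use_pam = 0;
 
 	/* Standard Options */
-	if (options->protocol == SSH_PROTO_UNKNOWN)
-		options->protocol = SSH_PROTO_2;
 	if (options->num_host_key_files == 0) {
 		/* fill default hostkeys for protocols */
-		if (options->protocol & SSH_PROTO_1)
-			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_KEY_FILE;
-		if (options->protocol & SSH_PROTO_2) {
-			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_RSA_KEY_FILE;
-			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_DSA_KEY_FILE;
+		options->host_key_files[options->num_host_key_files++] =
+		    _PATH_HOST_RSA_KEY_FILE;
+		options->host_key_files[options->num_host_key_files++] =
+		    _PATH_HOST_DSA_KEY_FILE;
 #ifdef OPENSSL_HAS_ECC
 		options->host_key_files[options->num_host_key_files++] =
 		    _PATH_HOST_ECDSA_KEY_FILE;
 #endif
 		options->host_key_files[options->num_host_key_files++] =
 		    _PATH_HOST_ED25519_KEY_FILE;
-		}
 	}
 	/* No certificates by default */
 	if (options->num_ports == 0)
@@ -231,12 +219,8 @@ fill_default_server_options(ServerOptions *options)
 		add_listen_addr(options, NULL, 0);
 	if (options->pid_file == NULL)
 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
-	if (options->server_key_bits == -1)
-		options->server_key_bits = 1024;
 	if (options->login_grace_time == -1)
 		options->login_grace_time = 120;
-	if (options->key_regeneration_time == -1)
-		options->key_regeneration_time = 3600;
 	if (options->permit_root_login == PERMIT_NOT_SET)
 		options->permit_root_login = PERMIT_NO_PASSWD;
 	if (options->ignore_rhosts == -1)
@@ -267,14 +251,10 @@ fill_default_server_options(ServerOptions *options)
 		options->log_facility = SYSLOG_FACILITY_AUTH;
 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
 		options->log_level = SYSLOG_LEVEL_INFO;
-	if (options->rhosts_rsa_authentication == -1)
-		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
 	if (options->hostbased_uses_name_from_packet_only == -1)
 		options->hostbased_uses_name_from_packet_only = 0;
-	if (options->rsa_authentication == -1)
-		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
 	if (options->kerberos_authentication == -1)
@@ -301,8 +281,6 @@ fill_default_server_options(ServerOptions *options)
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
 		options->permit_user_env = 0;
-	if (options->use_login == -1)
-		options->use_login = 0;
 	if (options->compression == -1)
 		options->compression = COMP_DELAYED;
 	if (options->rekey_limit == -1)
@@ -353,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+	if (options->disable_forwarding == -1)
+		options->disable_forwarding = 0;
 
 	assemble_algorithms(options);
 
@@ -406,8 +386,8 @@ typedef enum {
 	/* Portable-specific options */
 	sUsePAM,
 	/* Standard Options */
-	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
-	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
+	sPort, sHostKeyFile, sLoginGraceTime,
+	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 	sKerberosGetAFSToken,
@@ -417,9 +397,9 @@ typedef enum {
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
-	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
+	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
-	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
+	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
@@ -437,8 +417,8 @@ typedef enum {
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
-	sAllowStreamLocalForwarding, sFingerprintHash,
-	sDeprecated, sUnsupported
+	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+	sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
@@ -464,19 +444,19 @@ static struct {
 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
-	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
+	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
-	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
+	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
-	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
@@ -528,7 +508,7 @@ static struct {
 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
-	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
+	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
 	{ "compression", sCompression, SSHCFG_GLOBAL },
 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
@@ -541,7 +521,7 @@ static struct {
 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
 	{ "macs", sMacs, SSHCFG_GLOBAL },
-	{ "protocol", sProtocol, SSHCFG_GLOBAL },
+	{ "protocol", sIgnore, SSHCFG_GLOBAL },
 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
@@ -551,8 +531,8 @@ static struct {
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
-	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
+	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
+	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
@@ -580,6 +560,7 @@ static struct {
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -742,7 +723,7 @@ get_connection_info(int populate, int use_dns)
  * options set are copied into the main server config.
  *
  * Potential additions/improvements:
- * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
+ * - Add Match support for pre-kex directives, eg. Ciphers.
  *
  * - Add a Tag directive (idea from David Leonard) ala pf, eg:
  *	Match Address 192.168.0.*
@@ -943,8 +924,8 @@ static const struct multistate multistate_permitrootlogin[] = {
 	{ NULL, -1 }
 };
 static const struct multistate multistate_compression[] = {
+	{ "yes", COMP_DELAYED },
 	{ "delayed", COMP_DELAYED },
-	{ "yes", COMP_ZLIB },
 	{ "no", COMP_NONE },
 	{ NULL, -1 }
 };
@@ -1040,18 +1021,6 @@ process_server_config_line(ServerOptions *options, char *line,
 			    filename, linenum);
 		break;
 
-	case sServerKeyBits:
-		intptr = &options->server_key_bits;
- parse_int:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing integer value.",
-			    filename, linenum);
-		value = atoi(arg);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
 	case sLoginGraceTime:
 		intptr = &options->login_grace_time;
  parse_time:
@@ -1066,10 +1035,6 @@ process_server_config_line(ServerOptions *options, char *line,
 		*intptr = value;
 		break;
 
-	case sKeyRegenerationTime:
-		intptr = &options->key_regeneration_time;
-		goto parse_time;
-
 	case sListenAddress:
 		arg = strdelim(&cp);
 		if (arg == NULL || *arg == '\0')
@@ -1155,7 +1120,6 @@ process_server_config_line(ServerOptions *options, char *line,
 			    MAX_HOSTCERTS);
 		charptr = &options->host_cert_files[*intptr];
 		goto parse_filename;
-		break;
 
 	case sPidFile:
 		charptr = &options->pid_file;
@@ -1189,10 +1153,6 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->ignore_user_known_hosts;
 		goto parse_flag;
 
-	case sRhostsRSAAuthentication:
-		intptr = &options->rhosts_rsa_authentication;
-		goto parse_flag;
-
 	case sHostbasedAuthentication:
 		intptr = &options->hostbased_authentication;
 		goto parse_flag;
@@ -1219,10 +1179,6 @@ process_server_config_line(ServerOptions *options, char *line,
 		charptr = &options->hostkeyalgorithms;
 		goto parse_keytypes;
 
-	case sRSAAuthentication:
-		intptr = &options->rsa_authentication;
-		goto parse_flag;
-
 	case sPubkeyAuthentication:
 		intptr = &options->pubkey_authentication;
 		goto parse_flag;
@@ -1285,7 +1241,15 @@ process_server_config_line(ServerOptions *options, char *line,
 
 	case sX11DisplayOffset:
 		intptr = &options->x11_display_offset;
-		goto parse_int;
+ parse_int:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing integer value.",
+			    filename, linenum);
+		value = atoi(arg);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
 
 	case sX11UseLocalhost:
 		intptr = &options->x11_use_localhost;
@@ -1319,10 +1283,6 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->permit_user_env;
 		goto parse_flag;
 
-	case sUseLogin:
-		intptr = &options->use_login;
-		goto parse_flag;
-
 	case sCompression:
 		intptr = &options->compression;
 		multistate_ptr = multistate_compression;
@@ -1400,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->allow_agent_forwarding;
 		goto parse_flag;
 
+	case sDisableForwarding:
+		intptr = &options->disable_forwarding;
+		goto parse_flag;
+
 	case sUsePrivilegeSeparation:
 		intptr = &use_privsep;
 		multistate_ptr = multistate_privsep;
@@ -1410,6 +1374,9 @@ process_server_config_line(ServerOptions *options, char *line,
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
 				fatal("%s line %d: too many allow users.",
 				    filename, linenum);
+			if (match_user(NULL, NULL, NULL, arg) == -1)
+				fatal("%s line %d: invalid AllowUsers pattern: "
+				    "\"%.100s\"", filename, linenum, arg);
 			if (!*activep)
 				continue;
 			options->allow_users[options->num_allow_users++] =
@@ -1422,6 +1389,9 @@ process_server_config_line(ServerOptions *options, char *line,
 			if (options->num_deny_users >= MAX_DENY_USERS)
 				fatal("%s line %d: too many deny users.",
 				    filename, linenum);
+			if (match_user(NULL, NULL, NULL, arg) == -1)
+				fatal("%s line %d: invalid DenyUsers pattern: "
+				    "\"%.100s\"", filename, linenum, arg);
 			if (!*activep)
 				continue;
 			options->deny_users[options->num_deny_users++] =
@@ -1487,19 +1457,6 @@ process_server_config_line(ServerOptions *options, char *line,
 		options->kex_algorithms = xstrdup(arg);
 		break;
 
-	case sProtocol:
-		intptr = &options->protocol;
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing argument.", filename, linenum);
-		value = proto_spec(arg);
-		if (value == SSH_PROTO_UNKNOWN)
-			fatal("%s line %d: Bad protocol spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*intptr == SSH_PROTO_UNKNOWN)
-			*intptr = value;
-		break;
-
 	case sSubsystem:
 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
 			fatal("%s line %d: too many subsystems defined.",
@@ -1880,15 +1837,12 @@ process_server_config_line(ServerOptions *options, char *line,
 		break;
 
 	case sDeprecated:
-		logit("%s line %d: Deprecated option %s",
-		    filename, linenum, arg);
-		while (arg)
-		    arg = strdelim(&cp);
-		break;
-
+	case sIgnore:
 	case sUnsupported:
-		logit("%s line %d: Unsupported option %s",
-		    filename, linenum, arg);
+		do_log2(opcode == sIgnore ?
+		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
+		    "%s line %d: %s option %s", filename, linenum,
+		    opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
 		while (arg)
 		    arg = strdelim(&cp);
 		break;
@@ -2008,7 +1962,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 
 	M_CP_INTOPT(password_authentication);
 	M_CP_INTOPT(gss_authentication);
-	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
@@ -2020,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(allow_tcp_forwarding);
 	M_CP_INTOPT(allow_streamlocal_forwarding);
 	M_CP_INTOPT(allow_agent_forwarding);
+	M_CP_INTOPT(disable_forwarding);
 	M_CP_INTOPT(permit_tun);
 	M_CP_INTOPT(fwd_opts.gateway_ports);
 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
@@ -2030,6 +1984,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(permit_user_rc);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
+	M_CP_INTOPT(client_alive_count_max);
+	M_CP_INTOPT(client_alive_interval);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(rekey_limit);
@@ -2148,17 +2104,6 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sFingerprintHash:
 		return ssh_digest_alg_name(val);
-	case sProtocol:
-		switch (val) {
-		case SSH_PROTO_1:
-			return "1";
-		case SSH_PROTO_2:
-			return "2";
-		case (SSH_PROTO_1|SSH_PROTO_2):
-			return "2,1";
-		default:
-			return "UNKNOWN";
-		}
 	default:
 		switch (val) {
 		case 0:
@@ -2245,7 +2190,6 @@ dump_config(ServerOptions *o)
 	/* these are usually at the top of the config */
 	for (i = 0; i < o->num_ports; i++)
 		printf("port %d\n", o->ports[i]);
-	dump_cfg_fmtint(sProtocol, o->protocol);
 	dump_cfg_fmtint(sAddressFamily, o->address_family);
 
 	/*
@@ -2278,9 +2222,7 @@ dump_config(ServerOptions *o)
 #ifdef USE_PAM
 	dump_cfg_fmtint(sUsePAM, o->use_pam);
 #endif
-	dump_cfg_int(sServerKeyBits, o->server_key_bits);
 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
-	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
 	dump_cfg_int(sMaxSessions, o->max_sessions);
@@ -2292,11 +2234,9 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
-	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
 	    o->hostbased_uses_name_from_packet_only);
-	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
 #ifdef KRB5
 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
@@ -2327,12 +2267,12 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
-	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);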
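Review bot: The `parse_int` block relocated under `case sX11DisplayOffset` (new lines 1244-1252) still converts with `value = atoi(arg);`, so a non-numeric or out-of-range token in sshd_config is silently accepted as 0 or as a wrapped value instead of being rejected the way the missing-value case just above it is; the same applies to every other keyword that jumps to `parse_int`. A `strtol` conversion checked for a fully-consumed token, `ERANGE` and the `int` range, with `fatal()` on failure, keeps the behaviour for valid input and makes bad input fail loudly like the adjacent checks (sketch below; `lval` and `endp` are new locals to declare with the function's other locals, and `<errno.h>`/`<limits.h>` must be in scope — neither is visible here). process_server_config_line begins and ends outside this hunk. Separately, the ServerOpCodes enum (new line 391) still lists `sRhostsRSAAuthentication` and `sRSAAuthentication` although every keyword that mapped to them now maps to `sDeprecated` and their case labels are removed, so those two values are dead and could be dropped in the same change.
```c
	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
 parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/* reject trailing garbage, overflow, and values outside int */
		errno = 0;
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value \"%.100s\".",
			    filename, linenum, arg);
		value = (int)lval;
		if (*activep && *intptr == -1)
			*intptr = value;
		break;
```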