readconf.c revision 1.6.2.1
1 /* $NetBSD: readconf.c,v 1.6.2.1 2012/05/23 10:07:05 yamt Exp $ */ 2 /* $OpenBSD: readconf.c,v 1.194 2011/09/23 07:45:05 markus Exp $ */ 3 /* 4 * Author: Tatu Ylonen <ylo (at) cs.hut.fi> 5 * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 6 * All rights reserved 7 * Functions for reading the configuration files. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 */ 15 16 #include "includes.h" 17 __RCSID("$NetBSD: readconf.c,v 1.6.2.1 2012/05/23 10:07:05 yamt Exp $"); 18 #include <sys/types.h> 19 #include <sys/stat.h> 20 #include <sys/socket.h> 21 22 #include <netinet/in.h> 23 #include <netinet/in_systm.h> 24 #include <netinet/ip.h> 25 26 #include <ctype.h> 27 #include <errno.h> 28 #include <netdb.h> 29 #include <signal.h> 30 #include <stdio.h> 31 #include <string.h> 32 #include <unistd.h> 33 #include <limits.h> 34 35 #include "xmalloc.h" 36 #include "ssh.h" 37 #include "compat.h" 38 #include "cipher.h" 39 #include "pathnames.h" 40 #include "log.h" 41 #include "key.h" 42 #include "readconf.h" 43 #include "match.h" 44 #include "misc.h" 45 #include "buffer.h" 46 #include "kex.h" 47 #include "mac.h" 48 49 /* Format of the configuration file: 50 51 # Configuration data is parsed as follows: 52 # 1. command line options 53 # 2. user-specific file 54 # 3. system-wide file 55 # Any configuration value is only changed the first time it is set. 56 # Thus, host-specific definitions should be at the beginning of the 57 # configuration file, and defaults at the end. 58 59 # Host-specific declarations. These may override anything above. A single 60 # host may match multiple declarations; these are processed in the order 61 # that they are given in. 62 63 Host *.ngs.fi ngs.fi 64 User foo 65 66 Host fake.com 67 HostName another.host.name.real.org 68 User blaah 69 Port 34289 70 ForwardX11 no 71 ForwardAgent no 72 73 Host books.com 74 RemoteForward 9999 shadows.cs.hut.fi:9999 75 Cipher 3des 76 77 Host fascist.blob.com 78 Port 23123 79 User tylonen 80 PasswordAuthentication no 81 82 Host puukko.hut.fi 83 User t35124p 84 ProxyCommand ssh-proxy %h %p 85 86 Host *.fr 87 PublicKeyAuthentication no 88 89 Host *.su 90 Cipher none 91 PasswordAuthentication no 92 93 Host vpn.fake.com 94 Tunnel yes 95 TunnelDevice 3 96 97 # Defaults for various options 98 Host * 99 ForwardAgent no 100 ForwardX11 no 101 PasswordAuthentication yes 102 RSAAuthentication yes 103 RhostsRSAAuthentication yes 104 StrictHostKeyChecking yes 105 TcpKeepAlive no 106 IdentityFile ~/.ssh/identity 107 Port 22 108 EscapeChar ~ 109 110 */ 111 112 /* Keyword tokens. */ 113 114 typedef enum { 115 oBadOption, 116 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, 117 oGatewayPorts, oExitOnForwardFailure, 118 oPasswordAuthentication, oRSAAuthentication, 119 oChallengeResponseAuthentication, oXAuthLocation, 120 #if defined(KRB4) || defined(KRB5) 121 oKerberosAuthentication, 122 #endif 123 #if defined(AFS) || defined(KRB5) 124 oKerberosTgtPassing, 125 #endif 126 #ifdef AFS 127 oAFSTokenPassing, 128 #endif 129 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, 130 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, 131 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, 132 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, 133 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, 134 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, 135 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 136 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 137 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 138 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 139 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 140 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 141 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 142 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 143 oSendEnv, oControlPath, oControlMaster, oControlPersist, 144 oHashKnownHosts, 145 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 146 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 147 oKexAlgorithms, oIPQoS, oRequestTTY, 148 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled, 149 oHPNBufferSize, 150 oSendVersionFirst, 151 oDeprecated, oUnsupported 152 } OpCodes; 153 154 /* Textual representations of the tokens. */ 155 156 static struct { 157 const char *name; 158 OpCodes opcode; 159 } keywords[] = { 160 { "forwardagent", oForwardAgent }, 161 { "forwardx11", oForwardX11 }, 162 { "forwardx11trusted", oForwardX11Trusted }, 163 { "forwardx11timeout", oForwardX11Timeout }, 164 { "exitonforwardfailure", oExitOnForwardFailure }, 165 { "xauthlocation", oXAuthLocation }, 166 { "gatewayports", oGatewayPorts }, 167 { "useprivilegedport", oUsePrivilegedPort }, 168 { "rhostsauthentication", oDeprecated }, 169 { "passwordauthentication", oPasswordAuthentication }, 170 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 171 { "kbdinteractivedevices", oKbdInteractiveDevices }, 172 { "rsaauthentication", oRSAAuthentication }, 173 { "pubkeyauthentication", oPubkeyAuthentication }, 174 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 175 { "rhostsrsaauthentication", oRhostsRSAAuthentication }, 176 { "hostbasedauthentication", oHostbasedAuthentication }, 177 { "challengeresponseauthentication", oChallengeResponseAuthentication }, 178 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ 179 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ 180 #if defined(KRB4) || defined(KRB5) 181 { "kerberosauthentication", oKerberosAuthentication }, 182 #endif 183 #if defined(AFS) || defined(KRB5) 184 { "kerberostgtpassing", oKerberosTgtPassing }, 185 { "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */ 186 { "kerberos4tgtpassing", oKerberosTgtPassing }, /* alias */ 187 #endif 188 #ifdef AFS 189 { "afstokenpassing", oAFSTokenPassing }, 190 #endif 191 #if defined(GSSAPI) 192 { "gssapiauthentication", oGssAuthentication }, 193 { "gssapidelegatecredentials", oGssDelegateCreds }, 194 #else 195 { "gssapiauthentication", oUnsupported }, 196 { "gssapidelegatecredentials", oUnsupported }, 197 #endif 198 { "fallbacktorsh", oDeprecated }, 199 { "usersh", oDeprecated }, 200 { "identityfile", oIdentityFile }, 201 { "identityfile2", oIdentityFile }, /* obsolete */ 202 { "identitiesonly", oIdentitiesOnly }, 203 { "hostname", oHostName }, 204 { "hostkeyalias", oHostKeyAlias }, 205 { "proxycommand", oProxyCommand }, 206 { "port", oPort }, 207 { "cipher", oCipher }, 208 { "ciphers", oCiphers }, 209 { "macs", oMacs }, 210 { "protocol", oProtocol }, 211 { "remoteforward", oRemoteForward }, 212 { "localforward", oLocalForward }, 213 { "user", oUser }, 214 { "host", oHost }, 215 { "escapechar", oEscapeChar }, 216 { "globalknownhostsfile", oGlobalKnownHostsFile }, 217 { "globalknownhostsfile2", oDeprecated }, 218 { "userknownhostsfile", oUserKnownHostsFile }, 219 { "userknownhostsfile2", oDeprecated }, 220 { "connectionattempts", oConnectionAttempts }, 221 { "batchmode", oBatchMode }, 222 { "checkhostip", oCheckHostIP }, 223 { "stricthostkeychecking", oStrictHostKeyChecking }, 224 { "compression", oCompression }, 225 { "compressionlevel", oCompressionLevel }, 226 { "tcpkeepalive", oTCPKeepAlive }, 227 { "keepalive", oTCPKeepAlive }, /* obsolete */ 228 { "numberofpasswordprompts", oNumberOfPasswordPrompts }, 229 { "loglevel", oLogLevel }, 230 { "dynamicforward", oDynamicForward }, 231 { "preferredauthentications", oPreferredAuthentications }, 232 { "hostkeyalgorithms", oHostKeyAlgorithms }, 233 { "bindaddress", oBindAddress }, 234 #ifdef ENABLE_PKCS11 235 { "smartcarddevice", oPKCS11Provider }, 236 { "pkcs11provider", oPKCS11Provider }, 237 #else 238 { "smartcarddevice", oUnsupported }, 239 { "pkcs11provider", oUnsupported }, 240 #endif 241 { "clearallforwardings", oClearAllForwardings }, 242 { "enablesshkeysign", oEnableSSHKeysign }, 243 { "verifyhostkeydns", oVerifyHostKeyDNS }, 244 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, 245 { "rekeylimit", oRekeyLimit }, 246 { "connecttimeout", oConnectTimeout }, 247 { "addressfamily", oAddressFamily }, 248 { "serveraliveinterval", oServerAliveInterval }, 249 { "serveralivecountmax", oServerAliveCountMax }, 250 { "sendenv", oSendEnv }, 251 { "controlpath", oControlPath }, 252 { "controlmaster", oControlMaster }, 253 { "controlpersist", oControlPersist }, 254 { "hashknownhosts", oHashKnownHosts }, 255 { "tunnel", oTunnel }, 256 { "tunneldevice", oTunnelDevice }, 257 { "localcommand", oLocalCommand }, 258 { "permitlocalcommand", oPermitLocalCommand }, 259 { "visualhostkey", oVisualHostKey }, 260 { "useroaming", oUseRoaming }, 261 #ifdef JPAKE 262 { "zeroknowledgepasswordauthentication", 263 oZeroKnowledgePasswordAuthentication }, 264 #else 265 { "zeroknowledgepasswordauthentication", oUnsupported }, 266 #endif 267 { "kexalgorithms", oKexAlgorithms }, 268 { "ipqos", oIPQoS }, 269 { "requesttty", oRequestTTY }, 270 { "noneenabled", oNoneEnabled }, 271 { "tcprcvbufpoll", oTcpRcvBufPoll }, 272 { "tcprcvbuf", oTcpRcvBuf }, 273 { "noneswitch", oNoneSwitch }, 274 { "hpndisabled", oHPNDisabled }, 275 { "hpnbuffersize", oHPNBufferSize }, 276 { "sendversionfirst", oSendVersionFirst }, 277 278 { NULL, oBadOption } 279 }; 280 281 /* 282 * Adds a local TCP/IP port forward to options. Never returns if there is an 283 * error. 284 */ 285 286 void 287 add_local_forward(Options *options, const Forward *newfwd) 288 { 289 Forward *fwd; 290 extern uid_t original_real_uid; 291 292 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) 293 fatal("Privileged ports can only be forwarded by root."); 294 options->local_forwards = xrealloc(options->local_forwards, 295 options->num_local_forwards + 1, 296 sizeof(*options->local_forwards)); 297 fwd = &options->local_forwards[options->num_local_forwards++]; 298 299 fwd->listen_host = newfwd->listen_host; 300 fwd->listen_port = newfwd->listen_port; 301 fwd->connect_host = newfwd->connect_host; 302 fwd->connect_port = newfwd->connect_port; 303 } 304 305 /* 306 * Adds a remote TCP/IP port forward to options. Never returns if there is 307 * an error. 308 */ 309 310 void 311 add_remote_forward(Options *options, const Forward *newfwd) 312 { 313 Forward *fwd; 314 315 options->remote_forwards = xrealloc(options->remote_forwards, 316 options->num_remote_forwards + 1, 317 sizeof(*options->remote_forwards)); 318 fwd = &options->remote_forwards[options->num_remote_forwards++]; 319 320 fwd->listen_host = newfwd->listen_host; 321 fwd->listen_port = newfwd->listen_port; 322 fwd->connect_host = newfwd->connect_host; 323 fwd->connect_port = newfwd->connect_port; 324 fwd->handle = newfwd->handle; 325 fwd->allocated_port = 0; 326 } 327 328 static void 329 clear_forwardings(Options *options) 330 { 331 int i; 332 333 for (i = 0; i < options->num_local_forwards; i++) { 334 if (options->local_forwards[i].listen_host != NULL) 335 xfree(options->local_forwards[i].listen_host); 336 xfree(options->local_forwards[i].connect_host); 337 } 338 if (options->num_local_forwards > 0) { 339 xfree(options->local_forwards); 340 options->local_forwards = NULL; 341 } 342 options->num_local_forwards = 0; 343 for (i = 0; i < options->num_remote_forwards; i++) { 344 if (options->remote_forwards[i].listen_host != NULL) 345 xfree(options->remote_forwards[i].listen_host); 346 xfree(options->remote_forwards[i].connect_host); 347 } 348 if (options->num_remote_forwards > 0) { 349 xfree(options->remote_forwards); 350 options->remote_forwards = NULL; 351 } 352 options->num_remote_forwards = 0; 353 options->tun_open = SSH_TUNMODE_NO; 354 } 355 356 /* 357 * Returns the number of the token pointed to by cp or oBadOption. 358 */ 359 360 static OpCodes 361 parse_token(const char *cp, const char *filename, int linenum) 362 { 363 u_int i; 364 365 for (i = 0; keywords[i].name; i++) 366 if (strcasecmp(cp, keywords[i].name) == 0) 367 return keywords[i].opcode; 368 369 error("%s: line %d: Bad configuration option: %s", 370 filename, linenum, cp); 371 return oBadOption; 372 } 373 374 /* 375 * Processes a single option line as used in the configuration files. This 376 * only sets those values that have not already been set. 377 */ 378 #define WHITESPACE " \t\r\n" 379 380 int 381 process_config_line(Options *options, const char *host, 382 char *line, const char *filename, int linenum, 383 int *activep) 384 { 385 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; 386 char **cpptr, fwdarg[256]; 387 u_int *uintptr, max_entries = 0; 388 int negated, opcode, *intptr, value, value2, scale; 389 LogLevel *log_level_ptr; 390 long long orig, val64; 391 size_t len; 392 Forward fwd; 393 394 /* Strip trailing whitespace */ 395 for (len = strlen(line) - 1; len > 0; len--) { 396 if (strchr(WHITESPACE, line[len]) == NULL) 397 break; 398 line[len] = '\0'; 399 } 400 401 s = line; 402 /* Get the keyword. (Each line is supposed to begin with a keyword). */ 403 if ((keyword = strdelim(&s)) == NULL) 404 return 0; 405 /* Ignore leading whitespace. */ 406 if (*keyword == '\0') 407 keyword = strdelim(&s); 408 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') 409 return 0; 410 411 opcode = parse_token(keyword, filename, linenum); 412 413 switch (opcode) { 414 case oBadOption: 415 /* don't panic, but count bad options */ 416 return -1; 417 /* NOTREACHED */ 418 case oConnectTimeout: 419 intptr = &options->connection_timeout; 420 parse_time: 421 arg = strdelim(&s); 422 if (!arg || *arg == '\0') 423 fatal("%s line %d: missing time value.", 424 filename, linenum); 425 if ((value = convtime(arg)) == -1) 426 fatal("%s line %d: invalid time value.", 427 filename, linenum); 428 if (*activep && *intptr == -1) 429 *intptr = value; 430 break; 431 432 case oForwardAgent: 433 intptr = &options->forward_agent; 434 parse_flag: 435 arg = strdelim(&s); 436 if (!arg || *arg == '\0') 437 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); 438 value = 0; /* To avoid compiler warning... */ 439 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 440 value = 1; 441 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 442 value = 0; 443 else 444 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum); 445 if (*activep && *intptr == -1) 446 *intptr = value; 447 break; 448 449 case oForwardX11: 450 intptr = &options->forward_x11; 451 goto parse_flag; 452 453 case oForwardX11Trusted: 454 intptr = &options->forward_x11_trusted; 455 goto parse_flag; 456 457 case oForwardX11Timeout: 458 intptr = &options->forward_x11_timeout; 459 goto parse_time; 460 461 case oGatewayPorts: 462 intptr = &options->gateway_ports; 463 goto parse_flag; 464 465 case oExitOnForwardFailure: 466 intptr = &options->exit_on_forward_failure; 467 goto parse_flag; 468 469 case oUsePrivilegedPort: 470 intptr = &options->use_privileged_port; 471 goto parse_flag; 472 473 case oPasswordAuthentication: 474 intptr = &options->password_authentication; 475 goto parse_flag; 476 477 case oZeroKnowledgePasswordAuthentication: 478 intptr = &options->zero_knowledge_password_authentication; 479 goto parse_flag; 480 481 case oKbdInteractiveAuthentication: 482 intptr = &options->kbd_interactive_authentication; 483 goto parse_flag; 484 485 case oKbdInteractiveDevices: 486 charptr = &options->kbd_interactive_devices; 487 goto parse_string; 488 489 case oPubkeyAuthentication: 490 intptr = &options->pubkey_authentication; 491 goto parse_flag; 492 493 case oRSAAuthentication: 494 intptr = &options->rsa_authentication; 495 goto parse_flag; 496 497 case oRhostsRSAAuthentication: 498 intptr = &options->rhosts_rsa_authentication; 499 goto parse_flag; 500 501 case oHostbasedAuthentication: 502 intptr = &options->hostbased_authentication; 503 goto parse_flag; 504 505 case oChallengeResponseAuthentication: 506 intptr = &options->challenge_response_authentication; 507 goto parse_flag; 508 509 #if defined(KRB4) || defined(KRB5) 510 case oKerberosAuthentication: 511 intptr = &options->kerberos_authentication; 512 goto parse_flag; 513 #endif 514 #if defined(AFS) || defined(KRB5) 515 case oKerberosTgtPassing: 516 intptr = &options->kerberos_tgt_passing; 517 goto parse_flag; 518 #endif 519 520 case oGssAuthentication: 521 intptr = &options->gss_authentication; 522 goto parse_flag; 523 524 #ifdef AFS 525 case oAFSTokenPassing: 526 intptr = &options->afs_token_passing; 527 goto parse_flag; 528 #endif 529 530 case oGssDelegateCreds: 531 intptr = &options->gss_deleg_creds; 532 goto parse_flag; 533 534 case oBatchMode: 535 intptr = &options->batch_mode; 536 goto parse_flag; 537 538 case oCheckHostIP: 539 intptr = &options->check_host_ip; 540 goto parse_flag; 541 542 case oNoneEnabled: 543 intptr = &options->none_enabled; 544 goto parse_flag; 545 546 /* we check to see if the command comes from the */ 547 /* command line or not. If it does then enable it */ 548 /* otherwise fail. NONE should never be a default configuration */ 549 case oNoneSwitch: 550 if(strcmp(filename,"command-line")==0) 551 { 552 intptr = &options->none_switch; 553 goto parse_flag; 554 } else { 555 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); 556 error("Continuing..."); 557 debug("NoneSwitch directive found in %.200s.", filename); 558 return 0; 559 } 560 561 case oHPNDisabled: 562 intptr = &options->hpn_disabled; 563 goto parse_flag; 564 565 case oHPNBufferSize: 566 intptr = &options->hpn_buffer_size; 567 goto parse_int; 568 569 case oTcpRcvBufPoll: 570 intptr = &options->tcp_rcv_buf_poll; 571 goto parse_flag; 572 573 case oVerifyHostKeyDNS: 574 intptr = &options->verify_host_key_dns; 575 goto parse_yesnoask; 576 577 case oStrictHostKeyChecking: 578 intptr = &options->strict_host_key_checking; 579 parse_yesnoask: 580 arg = strdelim(&s); 581 if (!arg || *arg == '\0') 582 fatal("%.200s line %d: Missing yes/no/ask argument.", 583 filename, linenum); 584 value = 0; /* To avoid compiler warning... */ 585 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 586 value = 1; 587 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 588 value = 0; 589 else if (strcmp(arg, "ask") == 0) 590 value = 2; 591 else 592 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum); 593 if (*activep && *intptr == -1) 594 *intptr = value; 595 break; 596 597 case oCompression: 598 intptr = &options->compression; 599 goto parse_flag; 600 601 case oTCPKeepAlive: 602 intptr = &options->tcp_keep_alive; 603 goto parse_flag; 604 605 case oNoHostAuthenticationForLocalhost: 606 intptr = &options->no_host_authentication_for_localhost; 607 goto parse_flag; 608 609 case oNumberOfPasswordPrompts: 610 intptr = &options->number_of_password_prompts; 611 goto parse_int; 612 613 case oCompressionLevel: 614 intptr = &options->compression_level; 615 goto parse_int; 616 617 case oRekeyLimit: 618 arg = strdelim(&s); 619 if (!arg || *arg == '\0') 620 fatal("%.200s line %d: Missing argument.", filename, linenum); 621 if (arg[0] < '0' || arg[0] > '9') 622 fatal("%.200s line %d: Bad number.", filename, linenum); 623 orig = val64 = strtoll(arg, &endofnumber, 10); 624 if (arg == endofnumber) 625 fatal("%.200s line %d: Bad number.", filename, linenum); 626 switch (toupper((unsigned char)*endofnumber)) { 627 case '\0': 628 scale = 1; 629 break; 630 case 'K': 631 scale = 1<<10; 632 break; 633 case 'M': 634 scale = 1<<20; 635 break; 636 case 'G': 637 scale = 1<<30; 638 break; 639 default: 640 scale = 0; 641 fatal("%.200s line %d: Invalid RekeyLimit suffix", 642 filename, linenum); 643 } 644 val64 *= scale; 645 /* detect integer wrap and too-large limits */ 646 if ((val64 / scale) != orig || val64 > UINT_MAX) 647 fatal("%.200s line %d: RekeyLimit too large", 648 filename, linenum); 649 if (val64 < 16) 650 fatal("%.200s line %d: RekeyLimit too small", 651 filename, linenum); 652 if (*activep && options->rekey_limit == -1) 653 options->rekey_limit = (u_int32_t)val64; 654 break; 655 656 case oIdentityFile: 657 arg = strdelim(&s); 658 if (!arg || *arg == '\0') 659 fatal("%.200s line %d: Missing argument.", filename, linenum); 660 if (*activep) { 661 intptr = &options->num_identity_files; 662 if (*intptr >= SSH_MAX_IDENTITY_FILES) 663 fatal("%.200s line %d: Too many identity files specified (max %d).", 664 filename, linenum, SSH_MAX_IDENTITY_FILES); 665 charptr = &options->identity_files[*intptr]; 666 *charptr = xstrdup(arg); 667 *intptr = *intptr + 1; 668 } 669 break; 670 671 case oXAuthLocation: 672 charptr=&options->xauth_location; 673 goto parse_string; 674 675 case oUser: 676 charptr = &options->user; 677 parse_string: 678 arg = strdelim(&s); 679 if (!arg || *arg == '\0') 680 fatal("%.200s line %d: Missing argument.", 681 filename, linenum); 682 if (*activep && *charptr == NULL) 683 *charptr = xstrdup(arg); 684 break; 685 686 case oGlobalKnownHostsFile: 687 cpptr = (char **)&options->system_hostfiles; 688 uintptr = &options->num_system_hostfiles; 689 max_entries = SSH_MAX_HOSTS_FILES; 690 parse_char_array: 691 if (*activep && *uintptr == 0) { 692 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 693 if ((*uintptr) >= max_entries) 694 fatal("%s line %d: " 695 "too many authorized keys files.", 696 filename, linenum); 697 cpptr[(*uintptr)++] = xstrdup(arg); 698 } 699 } 700 return 0; 701 702 case oUserKnownHostsFile: 703 cpptr = (char **)&options->user_hostfiles; 704 uintptr = &options->num_user_hostfiles; 705 max_entries = SSH_MAX_HOSTS_FILES; 706 goto parse_char_array; 707 708 case oHostName: 709 charptr = &options->hostname; 710 goto parse_string; 711 712 case oHostKeyAlias: 713 charptr = &options->host_key_alias; 714 goto parse_string; 715 716 case oPreferredAuthentications: 717 charptr = &options->preferred_authentications; 718 goto parse_string; 719 720 case oBindAddress: 721 charptr = &options->bind_address; 722 goto parse_string; 723 724 case oPKCS11Provider: 725 charptr = &options->pkcs11_provider; 726 goto parse_string; 727 728 case oProxyCommand: 729 charptr = &options->proxy_command; 730 parse_command: 731 if (s == NULL) 732 fatal("%.200s line %d: Missing argument.", filename, linenum); 733 len = strspn(s, WHITESPACE "="); 734 if (*activep && *charptr == NULL) 735 *charptr = xstrdup(s + len); 736 return 0; 737 738 case oPort: 739 intptr = &options->port; 740 parse_int: 741 arg = strdelim(&s); 742 if (!arg || *arg == '\0') 743 fatal("%.200s line %d: Missing argument.", filename, linenum); 744 if (arg[0] < '0' || arg[0] > '9') 745 fatal("%.200s line %d: Bad number.", filename, linenum); 746 747 /* Octal, decimal, or hex format? */ 748 value = strtol(arg, &endofnumber, 0); 749 if (arg == endofnumber) 750 fatal("%.200s line %d: Bad number.", filename, linenum); 751 if (*activep && *intptr == -1) 752 *intptr = value; 753 break; 754 755 case oConnectionAttempts: 756 intptr = &options->connection_attempts; 757 goto parse_int; 758 759 case oTcpRcvBuf: 760 intptr = &options->tcp_rcv_buf; 761 goto parse_int; 762 763 case oCipher: 764 intptr = &options->cipher; 765 arg = strdelim(&s); 766 if (!arg || *arg == '\0') 767 fatal("%.200s line %d: Missing argument.", filename, linenum); 768 value = cipher_number(arg); 769 if (value == -1) 770 fatal("%.200s line %d: Bad cipher '%s'.", 771 filename, linenum, arg ? arg : "<NONE>"); 772 if (*activep && *intptr == -1) 773 *intptr = value; 774 break; 775 776 case oCiphers: 777 arg = strdelim(&s); 778 if (!arg || *arg == '\0') 779 fatal("%.200s line %d: Missing argument.", filename, linenum); 780 if (!ciphers_valid(arg)) 781 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", 782 filename, linenum, arg ? arg : "<NONE>"); 783 if (*activep && options->ciphers == NULL) 784 options->ciphers = xstrdup(arg); 785 break; 786 787 case oMacs: 788 arg = strdelim(&s); 789 if (!arg || *arg == '\0') 790 fatal("%.200s line %d: Missing argument.", filename, linenum); 791 if (!mac_valid(arg)) 792 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", 793 filename, linenum, arg ? arg : "<NONE>"); 794 if (*activep && options->macs == NULL) 795 options->macs = xstrdup(arg); 796 break; 797 798 case oKexAlgorithms: 799 arg = strdelim(&s); 800 if (!arg || *arg == '\0') 801 fatal("%.200s line %d: Missing argument.", 802 filename, linenum); 803 if (!kex_names_valid(arg)) 804 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", 805 filename, linenum, arg ? arg : "<NONE>"); 806 if (*activep && options->kex_algorithms == NULL) 807 options->kex_algorithms = xstrdup(arg); 808 break; 809 810 case oHostKeyAlgorithms: 811 arg = strdelim(&s); 812 if (!arg || *arg == '\0') 813 fatal("%.200s line %d: Missing argument.", filename, linenum); 814 if (!key_names_valid2(arg)) 815 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", 816 filename, linenum, arg ? arg : "<NONE>"); 817 if (*activep && options->hostkeyalgorithms == NULL) 818 options->hostkeyalgorithms = xstrdup(arg); 819 break; 820 821 case oProtocol: 822 intptr = &options->protocol; 823 arg = strdelim(&s); 824 if (!arg || *arg == '\0') 825 fatal("%.200s line %d: Missing argument.", filename, linenum); 826 value = proto_spec(arg); 827 if (value == SSH_PROTO_UNKNOWN) 828 fatal("%.200s line %d: Bad protocol spec '%s'.", 829 filename, linenum, arg ? arg : "<NONE>"); 830 if (*activep && *intptr == SSH_PROTO_UNKNOWN) 831 *intptr = value; 832 break; 833 834 case oLogLevel: 835 log_level_ptr = &options->log_level; 836 arg = strdelim(&s); 837 value = log_level_number(arg); 838 if (value == SYSLOG_LEVEL_NOT_SET) 839 fatal("%.200s line %d: unsupported log level '%s'", 840 filename, linenum, arg ? arg : "<NONE>"); 841 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET) 842 *log_level_ptr = (LogLevel) value; 843 break; 844 845 case oLocalForward: 846 case oRemoteForward: 847 case oDynamicForward: 848 arg = strdelim(&s); 849 if (arg == NULL || *arg == '\0') 850 fatal("%.200s line %d: Missing port argument.", 851 filename, linenum); 852 853 if (opcode == oLocalForward || 854 opcode == oRemoteForward) { 855 arg2 = strdelim(&s); 856 if (arg2 == NULL || *arg2 == '\0') 857 fatal("%.200s line %d: Missing target argument.", 858 filename, linenum); 859 860 /* construct a string for parse_forward */ 861 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2); 862 } else if (opcode == oDynamicForward) { 863 strlcpy(fwdarg, arg, sizeof(fwdarg)); 864 } 865 866 if (parse_forward(&fwd, fwdarg, 867 opcode == oDynamicForward ? 1 : 0, 868 opcode == oRemoteForward ? 1 : 0) == 0) 869 fatal("%.200s line %d: Bad forwarding specification.", 870 filename, linenum); 871 872 if (*activep) { 873 if (opcode == oLocalForward || 874 opcode == oDynamicForward) 875 add_local_forward(options, &fwd); 876 else if (opcode == oRemoteForward) 877 add_remote_forward(options, &fwd); 878 } 879 break; 880 881 case oClearAllForwardings: 882 intptr = &options->clear_forwardings; 883 goto parse_flag; 884 885 case oHost: 886 *activep = 0; 887 arg2 = NULL; 888 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 889 negated = *arg == '!'; 890 if (negated) 891 arg++; 892 if (match_pattern(host, arg)) { 893 if (negated) { 894 debug("%.200s line %d: Skipping Host " 895 "block because of negated match " 896 "for %.100s", filename, linenum, 897 arg); 898 *activep = 0; 899 break; 900 } 901 if (!*activep) 902 arg2 = arg; /* logged below */ 903 *activep = 1; 904 } 905 } 906 if (*activep) 907 debug("%.200s line %d: Applying options for %.100s", 908 filename, linenum, arg2); 909 /* Avoid garbage check below, as strdelim is done. */ 910 return 0; 911 912 case oEscapeChar: 913 intptr = &options->escape_char; 914 arg = strdelim(&s); 915 if (!arg || *arg == '\0') 916 fatal("%.200s line %d: Missing argument.", filename, linenum); 917 value = 0; /* To avoid compiler warning... */ 918 if (arg[0] == '^' && arg[2] == 0 && 919 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) 920 value = (u_char) arg[1] & 31; 921 else if (strlen(arg) == 1) 922 value = (u_char) arg[0]; 923 else if (strcmp(arg, "none") == 0) 924 value = SSH_ESCAPECHAR_NONE; 925 else { 926 fatal("%.200s line %d: Bad escape character.", 927 filename, linenum); 928 /* NOTREACHED */ 929 value = 0; /* Avoid compiler warning. */ 930 } 931 if (*activep && *intptr == -1) 932 *intptr = value; 933 break; 934 935 case oAddressFamily: 936 arg = strdelim(&s); 937 if (!arg || *arg == '\0') 938 fatal("%s line %d: missing address family.", 939 filename, linenum); 940 intptr = &options->address_family; 941 value = 0; /* To avoid compiler warning... */ 942 if (strcasecmp(arg, "inet") == 0) 943 value = AF_INET; 944 else if (strcasecmp(arg, "inet6") == 0) 945 value = AF_INET6; 946 else if (strcasecmp(arg, "any") == 0) 947 value = AF_UNSPEC; 948 else 949 fatal("Unsupported AddressFamily \"%s\"", arg); 950 if (*activep && *intptr == -1) 951 *intptr = value; 952 break; 953 954 case oEnableSSHKeysign: 955 intptr = &options->enable_ssh_keysign; 956 goto parse_flag; 957 958 case oIdentitiesOnly: 959 intptr = &options->identities_only; 960 goto parse_flag; 961 962 case oServerAliveInterval: 963 intptr = &options->server_alive_interval; 964 goto parse_time; 965 966 case oServerAliveCountMax: 967 intptr = &options->server_alive_count_max; 968 goto parse_int; 969 970 case oSendEnv: 971 while ((arg = strdelim(&s)) != NULL && *arg != '\0') { 972 if (strchr(arg, '=') != NULL) 973 fatal("%s line %d: Invalid environment name.", 974 filename, linenum); 975 if (!*activep) 976 continue; 977 if (options->num_send_env >= MAX_SEND_ENV) 978 fatal("%s line %d: too many send env.", 979 filename, linenum); 980 options->send_env[options->num_send_env++] = 981 xstrdup(arg); 982 } 983 break; 984 985 case oControlPath: 986 charptr = &options->control_path; 987 goto parse_string; 988 989 case oControlMaster: 990 intptr = &options->control_master; 991 arg = strdelim(&s); 992 if (!arg || *arg == '\0') 993 fatal("%.200s line %d: Missing ControlMaster argument.", 994 filename, linenum); 995 value = 0; /* To avoid compiler warning... */ 996 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 997 value = SSHCTL_MASTER_YES; 998 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 999 value = SSHCTL_MASTER_NO; 1000 else if (strcmp(arg, "auto") == 0) 1001 value = SSHCTL_MASTER_AUTO; 1002 else if (strcmp(arg, "ask") == 0) 1003 value = SSHCTL_MASTER_ASK; 1004 else if (strcmp(arg, "autoask") == 0) 1005 value = SSHCTL_MASTER_AUTO_ASK; 1006 else 1007 fatal("%.200s line %d: Bad ControlMaster argument.", 1008 filename, linenum); 1009 if (*activep && *intptr == -1) 1010 *intptr = value; 1011 break; 1012 1013 case oControlPersist: 1014 /* no/false/yes/true, or a time spec */ 1015 intptr = &options->control_persist; 1016 arg = strdelim(&s); 1017 if (!arg || *arg == '\0') 1018 fatal("%.200s line %d: Missing ControlPersist" 1019 " argument.", filename, linenum); 1020 value = 0; 1021 value2 = 0; /* timeout */ 1022 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) 1023 value = 0; 1024 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) 1025 value = 1; 1026 else if ((value2 = convtime(arg)) >= 0) 1027 value = 1; 1028 else 1029 fatal("%.200s line %d: Bad ControlPersist argument.", 1030 filename, linenum); 1031 if (*activep && *intptr == -1) { 1032 *intptr = value; 1033 options->control_persist_timeout = value2; 1034 } 1035 break; 1036 1037 case oHashKnownHosts: 1038 intptr = &options->hash_known_hosts; 1039 goto parse_flag; 1040 1041 case oTunnel: 1042 intptr = &options->tun_open; 1043 arg = strdelim(&s); 1044 if (!arg || *arg == '\0') 1045 fatal("%s line %d: Missing yes/point-to-point/" 1046 "ethernet/no argument.", filename, linenum); 1047 value = 0; /* silence compiler */ 1048 if (strcasecmp(arg, "ethernet") == 0) 1049 value = SSH_TUNMODE_ETHERNET; 1050 else if (strcasecmp(arg, "point-to-point") == 0) 1051 value = SSH_TUNMODE_POINTOPOINT; 1052 else if (strcasecmp(arg, "yes") == 0) 1053 value = SSH_TUNMODE_DEFAULT; 1054 else if (strcasecmp(arg, "no") == 0) 1055 value = SSH_TUNMODE_NO; 1056 else 1057 fatal("%s line %d: Bad yes/point-to-point/ethernet/" 1058 "no argument: %s", filename, linenum, arg); 1059 if (*activep) 1060 *intptr = value; 1061 break; 1062 1063 case oTunnelDevice: 1064 arg = strdelim(&s); 1065 if (!arg || *arg == '\0') 1066 fatal("%.200s line %d: Missing argument.", filename, linenum); 1067 value = a2tun(arg, &value2); 1068 if (value == SSH_TUNID_ERR) 1069 fatal("%.200s line %d: Bad tun device.", filename, linenum); 1070 if (*activep) { 1071 options->tun_local = value; 1072 options->tun_remote = value2; 1073 } 1074 break; 1075 1076 case oLocalCommand: 1077 charptr = &options->local_command; 1078 goto parse_command; 1079 1080 case oPermitLocalCommand: 1081 intptr = &options->permit_local_command; 1082 goto parse_flag; 1083 1084 case oVisualHostKey: 1085 intptr = &options->visual_host_key; 1086 goto parse_flag; 1087 1088 case oIPQoS: 1089 arg = strdelim(&s); 1090 if ((value = parse_ipqos(arg)) == -1) 1091 fatal("%s line %d: Bad IPQoS value: %s", 1092 filename, linenum, arg); 1093 arg = strdelim(&s); 1094 if (arg == NULL) 1095 value2 = value; 1096 else if ((value2 = parse_ipqos(arg)) == -1) 1097 fatal("%s line %d: Bad IPQoS value: %s", 1098 filename, linenum, arg); 1099 if (*activep) { 1100 options->ip_qos_interactive = value; 1101 options->ip_qos_bulk = value2; 1102 } 1103 break; 1104 1105 case oUseRoaming: 1106 intptr = &options->use_roaming; 1107 goto parse_flag; 1108 1109 case oRequestTTY: 1110 arg = strdelim(&s); 1111 if (!arg || *arg == '\0') 1112 fatal("%s line %d: missing argument.", 1113 filename, linenum); 1114 intptr = &options->request_tty; 1115 if (strcasecmp(arg, "yes") == 0) 1116 value = REQUEST_TTY_YES; 1117 else if (strcasecmp(arg, "no") == 0) 1118 value = REQUEST_TTY_NO; 1119 else if (strcasecmp(arg, "force") == 0) 1120 value = REQUEST_TTY_FORCE; 1121 else if (strcasecmp(arg, "auto") == 0) 1122 value = REQUEST_TTY_AUTO; 1123 else 1124 fatal("Unsupported RequestTTY \"%s\"", arg); 1125 if (*activep && *intptr == -1) 1126 *intptr = value; 1127 break; 1128 1129 case oSendVersionFirst: 1130 intptr = &options->send_version_first; 1131 goto parse_flag; 1132 1133 case oDeprecated: 1134 debug("%s line %d: Deprecated option \"%s\"", 1135 filename, linenum, keyword); 1136 return 0; 1137 1138 case oUnsupported: 1139 error("%s line %d: Unsupported option \"%s\"", 1140 filename, linenum, keyword); 1141 return 0; 1142 1143 default: 1144 fatal("process_config_line: Unimplemented opcode %d", opcode); 1145 } 1146 1147 /* Check that there is no garbage at end of line. */ 1148 if ((arg = strdelim(&s)) != NULL && *arg != '\0') { 1149 fatal("%.200s line %d: garbage at end of line; \"%.200s\".", 1150 filename, linenum, arg); 1151 } 1152 return 0; 1153 } 1154 1155 1156 /* 1157 * Reads the config file and modifies the options accordingly. Options 1158 * should already be initialized before this call. This never returns if 1159 * there is an error. If the file does not exist, this returns 0. 1160 */ 1161 1162 int 1163 read_config_file(const char *filename, const char *host, Options *options, 1164 int checkperm) 1165 { 1166 FILE *f; 1167 char line[1024]; 1168 int active, linenum; 1169 int bad_options = 0; 1170 1171 if ((f = fopen(filename, "r")) == NULL) 1172 return 0; 1173 1174 if (checkperm) { 1175 struct stat sb; 1176 1177 if (fstat(fileno(f), &sb) == -1) 1178 fatal("fstat %s: %s", filename, strerror(errno)); 1179 if (((sb.st_uid != 0 && sb.st_uid != getuid()) || 1180 (sb.st_mode & 022) != 0)) 1181 fatal("Bad owner or permissions on %s", filename); 1182 } 1183 1184 debug("Reading configuration data %.200s", filename); 1185 1186 /* 1187 * Mark that we are now processing the options. This flag is turned 1188 * on/off by Host specifications. 1189 */ 1190 active = 1; 1191 linenum = 0; 1192 while (fgets(line, sizeof(line), f)) { 1193 /* Update line number counter. */ 1194 linenum++; 1195 if (process_config_line(options, host, line, filename, linenum, &active) != 0) 1196 bad_options++; 1197 } 1198 fclose(f); 1199 if (bad_options > 0) 1200 fatal("%s: terminating, %d bad configuration options", 1201 filename, bad_options); 1202 return 1; 1203 } 1204 1205 /* 1206 * Initializes options to special values that indicate that they have not yet 1207 * been set. Read_config_file will only set options with this value. Options 1208 * are processed in the following order: command line, user config file, 1209 * system config file. Last, fill_default_options is called. 1210 */ 1211 1212 void 1213 initialize_options(Options * options) 1214 { 1215 memset(options, 'X', sizeof(*options)); 1216 options->forward_agent = -1; 1217 options->forward_x11 = -1; 1218 options->forward_x11_trusted = -1; 1219 options->forward_x11_timeout = -1; 1220 options->exit_on_forward_failure = -1; 1221 options->xauth_location = NULL; 1222 options->gateway_ports = -1; 1223 options->use_privileged_port = -1; 1224 options->rsa_authentication = -1; 1225 options->pubkey_authentication = -1; 1226 options->challenge_response_authentication = -1; 1227 #if defined(KRB4) || defined(KRB5) 1228 options->kerberos_authentication = -1; 1229 #endif 1230 #if defined(AFS) || defined(KRB5) 1231 options->kerberos_tgt_passing = -1; 1232 #endif 1233 #ifdef AFS 1234 options->afs_token_passing = -1; 1235 #endif 1236 options->gss_authentication = -1; 1237 options->gss_deleg_creds = -1; 1238 options->password_authentication = -1; 1239 options->kbd_interactive_authentication = -1; 1240 options->kbd_interactive_devices = NULL; 1241 options->rhosts_rsa_authentication = -1; 1242 options->hostbased_authentication = -1; 1243 options->batch_mode = -1; 1244 options->check_host_ip = -1; 1245 options->strict_host_key_checking = -1; 1246 options->compression = -1; 1247 options->tcp_keep_alive = -1; 1248 options->compression_level = -1; 1249 options->port = -1; 1250 options->address_family = -1; 1251 options->connection_attempts = -1; 1252 options->connection_timeout = -1; 1253 options->number_of_password_prompts = -1; 1254 options->cipher = -1; 1255 options->ciphers = NULL; 1256 options->macs = NULL; 1257 options->kex_algorithms = NULL; 1258 options->hostkeyalgorithms = NULL; 1259 options->protocol = SSH_PROTO_UNKNOWN; 1260 options->num_identity_files = 0; 1261 options->hostname = NULL; 1262 options->host_key_alias = NULL; 1263 options->proxy_command = NULL; 1264 options->user = NULL; 1265 options->escape_char = -1; 1266 options->num_system_hostfiles = 0; 1267 options->num_user_hostfiles = 0; 1268 options->local_forwards = NULL; 1269 options->num_local_forwards = 0; 1270 options->remote_forwards = NULL; 1271 options->num_remote_forwards = 0; 1272 options->clear_forwardings = -1; 1273 options->log_level = SYSLOG_LEVEL_NOT_SET; 1274 options->preferred_authentications = NULL; 1275 options->bind_address = NULL; 1276 options->pkcs11_provider = NULL; 1277 options->enable_ssh_keysign = - 1; 1278 options->no_host_authentication_for_localhost = - 1; 1279 options->identities_only = - 1; 1280 options->rekey_limit = - 1; 1281 options->verify_host_key_dns = -1; 1282 options->server_alive_interval = -1; 1283 options->server_alive_count_max = -1; 1284 options->num_send_env = 0; 1285 options->control_path = NULL; 1286 options->control_master = -1; 1287 options->control_persist = -1; 1288 options->control_persist_timeout = 0; 1289 options->hash_known_hosts = -1; 1290 options->tun_open = -1; 1291 options->tun_local = -1; 1292 options->tun_remote = -1; 1293 options->local_command = NULL; 1294 options->permit_local_command = -1; 1295 options->use_roaming = -1; 1296 options->visual_host_key = -1; 1297 options->zero_knowledge_password_authentication = -1; 1298 options->ip_qos_interactive = -1; 1299 options->ip_qos_bulk = -1; 1300 options->request_tty = -1; 1301 options->none_switch = -1; 1302 options->none_enabled = -1; 1303 options->hpn_disabled = -1; 1304 options->hpn_buffer_size = -1; 1305 options->tcp_rcv_buf_poll = -1; 1306 options->tcp_rcv_buf = -1; 1307 options->send_version_first = -1; 1308 } 1309 1310 /* 1311 * Called after processing other sources of option data, this fills those 1312 * options for which no value has been specified with their default values. 1313 */ 1314 1315 void 1316 fill_default_options(Options * options) 1317 { 1318 int len; 1319 1320 if (options->forward_agent == -1) 1321 options->forward_agent = 0; 1322 if (options->forward_x11 == -1) 1323 options->forward_x11 = 0; 1324 if (options->forward_x11_trusted == -1) 1325 options->forward_x11_trusted = 0; 1326 if (options->forward_x11_timeout == -1) 1327 options->forward_x11_timeout = 1200; 1328 if (options->exit_on_forward_failure == -1) 1329 options->exit_on_forward_failure = 0; 1330 if (options->xauth_location == NULL) 1331 options->xauth_location = __UNCONST(_PATH_XAUTH); 1332 if (options->gateway_ports == -1) 1333 options->gateway_ports = 0; 1334 if (options->use_privileged_port == -1) 1335 options->use_privileged_port = 0; 1336 if (options->rsa_authentication == -1) 1337 options->rsa_authentication = 1; 1338 if (options->pubkey_authentication == -1) 1339 options->pubkey_authentication = 1; 1340 if (options->challenge_response_authentication == -1) 1341 options->challenge_response_authentication = 1; 1342 #if defined(KRB4) || defined(KRB5) 1343 if (options->kerberos_authentication == -1) 1344 options->kerberos_authentication = 1; 1345 #endif 1346 #if defined(AFS) || defined(KRB5) 1347 if (options->kerberos_tgt_passing == -1) 1348 options->kerberos_tgt_passing = 1; 1349 #endif 1350 #ifdef AFS 1351 if (options->afs_token_passing == -1) 1352 options->afs_token_passing = 1; 1353 #endif 1354 if (options->gss_authentication == -1) 1355 options->gss_authentication = 0; 1356 if (options->gss_deleg_creds == -1) 1357 options->gss_deleg_creds = 0; 1358 if (options->password_authentication == -1) 1359 options->password_authentication = 1; 1360 if (options->kbd_interactive_authentication == -1) 1361 options->kbd_interactive_authentication = 1; 1362 if (options->rhosts_rsa_authentication == -1) 1363 options->rhosts_rsa_authentication = 0; 1364 if (options->hostbased_authentication == -1) 1365 options->hostbased_authentication = 0; 1366 if (options->batch_mode == -1) 1367 options->batch_mode = 0; 1368 if (options->check_host_ip == -1) 1369 options->check_host_ip = 1; 1370 if (options->strict_host_key_checking == -1) 1371 options->strict_host_key_checking = 2; /* 2 is default */ 1372 if (options->compression == -1) 1373 options->compression = 0; 1374 if (options->tcp_keep_alive == -1) 1375 options->tcp_keep_alive = 1; 1376 if (options->compression_level == -1) 1377 options->compression_level = 6; 1378 if (options->port == -1) 1379 options->port = 0; /* Filled in ssh_connect. */ 1380 if (options->address_family == -1) 1381 options->address_family = AF_UNSPEC; 1382 if (options->connection_attempts == -1) 1383 options->connection_attempts = 1; 1384 if (options->number_of_password_prompts == -1) 1385 options->number_of_password_prompts = 3; 1386 /* Selected in ssh_login(). */ 1387 if (options->cipher == -1) 1388 options->cipher = SSH_CIPHER_NOT_SET; 1389 /* options->ciphers, default set in myproposals.h */ 1390 /* options->macs, default set in myproposals.h */ 1391 /* options->kex_algorithms, default set in myproposals.h */ 1392 /* options->hostkeyalgorithms, default set in myproposals.h */ 1393 if (options->protocol == SSH_PROTO_UNKNOWN) 1394 options->protocol = SSH_PROTO_2; 1395 if (options->num_identity_files == 0) { 1396 if (options->protocol & SSH_PROTO_1) { 1397 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; 1398 options->identity_files[options->num_identity_files] = 1399 xmalloc(len); 1400 snprintf(options->identity_files[options->num_identity_files++], 1401 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); 1402 } 1403 if (options->protocol & SSH_PROTO_2) { 1404 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1; 1405 options->identity_files[options->num_identity_files] = 1406 xmalloc(len); 1407 snprintf(options->identity_files[options->num_identity_files++], 1408 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA); 1409 1410 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; 1411 options->identity_files[options->num_identity_files] = 1412 xmalloc(len); 1413 snprintf(options->identity_files[options->num_identity_files++], 1414 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); 1415 1416 len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1; 1417 options->identity_files[options->num_identity_files] = 1418 xmalloc(len); 1419 snprintf(options->identity_files[options->num_identity_files++], 1420 len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA); 1421 } 1422 } 1423 if (options->escape_char == -1) 1424 options->escape_char = '~'; 1425 if (options->num_system_hostfiles == 0) { 1426 options->system_hostfiles[options->num_system_hostfiles++] = 1427 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE); 1428 options->system_hostfiles[options->num_system_hostfiles++] = 1429 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); 1430 } 1431 if (options->num_user_hostfiles == 0) { 1432 options->user_hostfiles[options->num_user_hostfiles++] = 1433 xstrdup(_PATH_SSH_USER_HOSTFILE); 1434 options->user_hostfiles[options->num_user_hostfiles++] = 1435 xstrdup(_PATH_SSH_USER_HOSTFILE2); 1436 } 1437 if (options->log_level == SYSLOG_LEVEL_NOT_SET) 1438 options->log_level = SYSLOG_LEVEL_INFO; 1439 if (options->clear_forwardings == 1) 1440 clear_forwardings(options); 1441 if (options->no_host_authentication_for_localhost == - 1) 1442 options->no_host_authentication_for_localhost = 0; 1443 if (options->identities_only == -1) 1444 options->identities_only = 0; 1445 if (options->enable_ssh_keysign == -1) 1446 options->enable_ssh_keysign = 0; 1447 if (options->rekey_limit == -1) 1448 options->rekey_limit = 0; 1449 if (options->verify_host_key_dns == -1) 1450 options->verify_host_key_dns = 0; 1451 if (options->server_alive_interval == -1) 1452 options->server_alive_interval = 0; 1453 if (options->server_alive_count_max == -1) 1454 options->server_alive_count_max = 3; 1455 if (options->none_switch == -1) 1456 options->none_switch = 0; 1457 if (options->hpn_disabled == -1) 1458 options->hpn_disabled = 0; 1459 if (options->hpn_buffer_size > -1) 1460 { 1461 /* if a user tries to set the size to 0 set it to 1KB */ 1462 if (options->hpn_buffer_size == 0) 1463 options->hpn_buffer_size = 1024; 1464 /*limit the buffer to 64MB*/ 1465 if (options->hpn_buffer_size > 65536) 1466 { 1467 options->hpn_buffer_size = 65536*1024; 1468 debug("User requested buffer larger than 64MB. Request reverted to 64MB"); 1469 } 1470 debug("hpn_buffer_size set to %d", options->hpn_buffer_size); 1471 } 1472 if (options->tcp_rcv_buf == 0) 1473 options->tcp_rcv_buf = 1; 1474 if (options->tcp_rcv_buf > -1) 1475 options->tcp_rcv_buf *=1024; 1476 if (options->tcp_rcv_buf_poll == -1) 1477 options->tcp_rcv_buf_poll = 1; 1478 if (options->control_master == -1) 1479 options->control_master = 0; 1480 if (options->control_persist == -1) { 1481 options->control_persist = 0; 1482 options->control_persist_timeout = 0; 1483 } 1484 if (options->hash_known_hosts == -1) 1485 options->hash_known_hosts = 0; 1486 if (options->tun_open == -1) 1487 options->tun_open = SSH_TUNMODE_NO; 1488 if (options->tun_local == -1) 1489 options->tun_local = SSH_TUNID_ANY; 1490 if (options->tun_remote == -1) 1491 options->tun_remote = SSH_TUNID_ANY; 1492 if (options->permit_local_command == -1) 1493 options->permit_local_command = 0; 1494 if (options->use_roaming == -1) 1495 options->use_roaming = 1; 1496 if (options->visual_host_key == -1) 1497 options->visual_host_key = 0; 1498 if (options->zero_knowledge_password_authentication == -1) 1499 options->zero_knowledge_password_authentication = 0; 1500 if (options->ip_qos_interactive == -1) 1501 options->ip_qos_interactive = IPTOS_LOWDELAY; 1502 if (options->ip_qos_bulk == -1) 1503 options->ip_qos_bulk = IPTOS_THROUGHPUT; 1504 if (options->request_tty == -1) 1505 options->request_tty = REQUEST_TTY_AUTO; 1506 if (options->send_version_first == -1) 1507 options->send_version_first = 1; 1508 /* options->local_command should not be set by default */ 1509 /* options->proxy_command should not be set by default */ 1510 /* options->user will be set in the main program if appropriate */ 1511 /* options->hostname will be set in the main program if appropriate */ 1512 /* options->host_key_alias should not be set by default */ 1513 /* options->preferred_authentications will be set in ssh */ 1514 } 1515 1516 /* 1517 * parse_forward 1518 * parses a string containing a port forwarding specification of the form: 1519 * dynamicfwd == 0 1520 * [listenhost:]listenport:connecthost:connectport 1521 * dynamicfwd == 1 1522 * [listenhost:]listenport 1523 * returns number of arguments parsed or zero on error 1524 */ 1525 int 1526 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) 1527 { 1528 int i; 1529 char *p, *cp, *fwdarg[4]; 1530 1531 memset(fwd, '\0', sizeof(*fwd)); 1532 1533 cp = p = xstrdup(fwdspec); 1534 1535 /* skip leading spaces */ 1536 while (isspace((unsigned char)*cp)) 1537 cp++; 1538 1539 for (i = 0; i < 4; ++i) 1540 if ((fwdarg[i] = hpdelim(&cp)) == NULL) 1541 break; 1542 1543 /* Check for trailing garbage */ 1544 if (cp != NULL) 1545 i = 0; /* failure */ 1546 1547 switch (i) { 1548 case 1: 1549 fwd->listen_host = NULL; 1550 fwd->listen_port = a2port(fwdarg[0]); 1551 fwd->connect_host = xstrdup("socks"); 1552 break; 1553 1554 case 2: 1555 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0])); 1556 fwd->listen_port = a2port(fwdarg[1]); 1557 fwd->connect_host = xstrdup("socks"); 1558 break; 1559 1560 case 3: 1561 fwd->listen_host = NULL; 1562 fwd->listen_port = a2port(fwdarg[0]); 1563 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1])); 1564 fwd->connect_port = a2port(fwdarg[2]); 1565 break; 1566 1567 case 4: 1568 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0])); 1569 fwd->listen_port = a2port(fwdarg[1]); 1570 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2])); 1571 fwd->connect_port = a2port(fwdarg[3]); 1572 break; 1573 default: 1574 i = 0; /* failure */ 1575 } 1576 1577 xfree(p); 1578 1579 if (dynamicfwd) { 1580 if (!(i == 1 || i == 2)) 1581 goto fail_free; 1582 } else { 1583 if (!(i == 3 || i == 4)) 1584 goto fail_free; 1585 if (fwd->connect_port <= 0) 1586 goto fail_free; 1587 } 1588 1589 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0)) 1590 goto fail_free; 1591 1592 if (fwd->connect_host != NULL && 1593 strlen(fwd->connect_host) >= NI_MAXHOST) 1594 goto fail_free; 1595 if (fwd->listen_host != NULL && 1596 strlen(fwd->listen_host) >= NI_MAXHOST) 1597 goto fail_free; 1598 1599 1600 return (i); 1601 1602 fail_free: 1603 if (fwd->connect_host != NULL) { 1604 xfree(fwd->connect_host); 1605 fwd->connect_host = NULL; 1606 } 1607 if (fwd->listen_host != NULL) { 1608 xfree(fwd->listen_host); 1609 fwd->listen_host = NULL; 1610 } 1611 return (0); 1612 } 1613
Indexes created Tue Apr 21 00:23:25 UTC 2026