version 1.116, 2003/02/21 09:05:53 |
version 1.116.2.1, 2003/09/16 20:50:43 |
|
|
#include "includes.h" |
#include "includes.h" |
RCSID("$OpenBSD$"); |
RCSID("$OpenBSD$"); |
|
|
#if defined(KRB4) || defined(KRB5) |
|
#include <krb.h> |
|
#endif |
|
#ifdef AFS |
|
#include <kafs.h> |
|
#endif |
|
|
|
#include "ssh.h" |
#include "ssh.h" |
#include "log.h" |
#include "log.h" |
#include "servconf.h" |
#include "servconf.h" |
|
|
options->keepalives = -1; |
options->keepalives = -1; |
options->log_facility = SYSLOG_FACILITY_NOT_SET; |
options->log_facility = SYSLOG_FACILITY_NOT_SET; |
options->log_level = SYSLOG_LEVEL_NOT_SET; |
options->log_level = SYSLOG_LEVEL_NOT_SET; |
options->rhosts_authentication = -1; |
|
options->rhosts_rsa_authentication = -1; |
options->rhosts_rsa_authentication = -1; |
options->hostbased_authentication = -1; |
options->hostbased_authentication = -1; |
options->hostbased_uses_name_from_packet_only = -1; |
options->hostbased_uses_name_from_packet_only = -1; |
options->rsa_authentication = -1; |
options->rsa_authentication = -1; |
options->pubkey_authentication = -1; |
options->pubkey_authentication = -1; |
#if defined(KRB4) || defined(KRB5) |
|
options->kerberos_authentication = -1; |
options->kerberos_authentication = -1; |
options->kerberos_or_local_passwd = -1; |
options->kerberos_or_local_passwd = -1; |
options->kerberos_ticket_cleanup = -1; |
options->kerberos_ticket_cleanup = -1; |
#endif |
options->gss_authentication=-1; |
#if defined(AFS) || defined(KRB5) |
options->gss_cleanup_creds = -1; |
options->kerberos_tgt_passing = -1; |
|
#endif |
|
#ifdef AFS |
|
options->afs_token_passing = -1; |
|
#endif |
|
options->password_authentication = -1; |
options->password_authentication = -1; |
options->kbd_interactive_authentication = -1; |
options->kbd_interactive_authentication = -1; |
options->challenge_response_authentication = -1; |
options->challenge_response_authentication = -1; |
|
|
options->max_startups_rate = -1; |
options->max_startups_rate = -1; |
options->max_startups = -1; |
options->max_startups = -1; |
options->banner = NULL; |
options->banner = NULL; |
options->verify_reverse_mapping = -1; |
options->use_dns = -1; |
options->client_alive_interval = -1; |
options->client_alive_interval = -1; |
options->client_alive_count_max = -1; |
options->client_alive_count_max = -1; |
options->authorized_keys_file = NULL; |
options->authorized_keys_file = NULL; |
|
|
options->log_facility = SYSLOG_FACILITY_AUTH; |
options->log_facility = SYSLOG_FACILITY_AUTH; |
if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
options->log_level = SYSLOG_LEVEL_INFO; |
options->log_level = SYSLOG_LEVEL_INFO; |
if (options->rhosts_authentication == -1) |
|
options->rhosts_authentication = 0; |
|
if (options->rhosts_rsa_authentication == -1) |
if (options->rhosts_rsa_authentication == -1) |
options->rhosts_rsa_authentication = 0; |
options->rhosts_rsa_authentication = 0; |
if (options->hostbased_authentication == -1) |
if (options->hostbased_authentication == -1) |
|
|
options->rsa_authentication = 1; |
options->rsa_authentication = 1; |
if (options->pubkey_authentication == -1) |
if (options->pubkey_authentication == -1) |
options->pubkey_authentication = 1; |
options->pubkey_authentication = 1; |
#if defined(KRB4) || defined(KRB5) |
|
if (options->kerberos_authentication == -1) |
if (options->kerberos_authentication == -1) |
options->kerberos_authentication = 0; |
options->kerberos_authentication = 0; |
if (options->kerberos_or_local_passwd == -1) |
if (options->kerberos_or_local_passwd == -1) |
options->kerberos_or_local_passwd = 1; |
options->kerberos_or_local_passwd = 1; |
if (options->kerberos_ticket_cleanup == -1) |
if (options->kerberos_ticket_cleanup == -1) |
options->kerberos_ticket_cleanup = 1; |
options->kerberos_ticket_cleanup = 1; |
#endif |
if (options->gss_authentication == -1) |
#if defined(AFS) || defined(KRB5) |
options->gss_authentication = 0; |
if (options->kerberos_tgt_passing == -1) |
if (options->gss_cleanup_creds == -1) |
options->kerberos_tgt_passing = 0; |
options->gss_cleanup_creds = 1; |
#endif |
|
#ifdef AFS |
|
if (options->afs_token_passing == -1) |
|
options->afs_token_passing = 0; |
|
#endif |
|
if (options->password_authentication == -1) |
if (options->password_authentication == -1) |
options->password_authentication = 1; |
options->password_authentication = 1; |
if (options->kbd_interactive_authentication == -1) |
if (options->kbd_interactive_authentication == -1) |
|
|
options->max_startups_rate = 100; /* 100% */ |
options->max_startups_rate = 100; /* 100% */ |
if (options->max_startups_begin == -1) |
if (options->max_startups_begin == -1) |
options->max_startups_begin = options->max_startups; |
options->max_startups_begin = options->max_startups; |
if (options->verify_reverse_mapping == -1) |
if (options->use_dns == -1) |
options->verify_reverse_mapping = 0; |
options->use_dns = 1; |
if (options->client_alive_interval == -1) |
if (options->client_alive_interval == -1) |
options->client_alive_interval = 0; |
options->client_alive_interval = 0; |
if (options->client_alive_count_max == -1) |
if (options->client_alive_count_max == -1) |
|
|
sBadOption, /* == unknown option */ |
sBadOption, /* == unknown option */ |
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
sPermitRootLogin, sLogFacility, sLogLevel, |
sPermitRootLogin, sLogFacility, sLogLevel, |
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, |
sRhostsRSAAuthentication, sRSAAuthentication, |
#if defined(KRB4) || defined(KRB5) |
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
#endif |
sKerberosTgtPassing, sChallengeResponseAuthentication, |
#if defined(AFS) || defined(KRB5) |
|
sKerberosTgtPassing, |
|
#endif |
|
#ifdef AFS |
|
sAFSTokenPassing, |
|
#endif |
|
sChallengeResponseAuthentication, |
|
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
|
|
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, |
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, |
sBanner, sVerifyReverseMapping, sHostbasedAuthentication, |
sBanner, sUseDNS, sHostbasedAuthentication, |
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
|
sGssAuthentication, sGssCleanupCreds, |
sUsePrivilegeSeparation, |
sUsePrivilegeSeparation, |
sDeprecated |
sDeprecated, sUnsupported |
} ServerOpCodes; |
} ServerOpCodes; |
|
|
/* Textual representation of the tokens. */ |
/* Textual representation of the tokens. */ |
|
|
{ "permitrootlogin", sPermitRootLogin }, |
{ "permitrootlogin", sPermitRootLogin }, |
{ "syslogfacility", sLogFacility }, |
{ "syslogfacility", sLogFacility }, |
{ "loglevel", sLogLevel }, |
{ "loglevel", sLogLevel }, |
{ "rhostsauthentication", sRhostsAuthentication }, |
{ "rhostsauthentication", sDeprecated }, |
{ "rhostsrsaauthentication", sRhostsRSAAuthentication }, |
{ "rhostsrsaauthentication", sRhostsRSAAuthentication }, |
{ "hostbasedauthentication", sHostbasedAuthentication }, |
{ "hostbasedauthentication", sHostbasedAuthentication }, |
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, |
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, |
{ "rsaauthentication", sRSAAuthentication }, |
{ "rsaauthentication", sRSAAuthentication }, |
{ "pubkeyauthentication", sPubkeyAuthentication }, |
{ "pubkeyauthentication", sPubkeyAuthentication }, |
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */ |
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */ |
#if defined(KRB4) || defined(KRB5) |
#ifdef KRB5 |
{ "kerberosauthentication", sKerberosAuthentication }, |
{ "kerberosauthentication", sKerberosAuthentication }, |
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
{ "kerberosticketcleanup", sKerberosTicketCleanup }, |
{ "kerberosticketcleanup", sKerberosTicketCleanup }, |
|
#else |
|
{ "kerberosauthentication", sUnsupported }, |
|
{ "kerberosorlocalpasswd", sUnsupported }, |
|
{ "kerberosticketcleanup", sUnsupported }, |
#endif |
#endif |
#if defined(AFS) || defined(KRB5) |
{ "kerberostgtpassing", sUnsupported }, |
{ "kerberostgtpassing", sKerberosTgtPassing }, |
{ "afstokenpassing", sUnsupported }, |
|
#ifdef GSSAPI |
|
{ "gssapiauthentication", sGssAuthentication }, |
|
{ "gssapicleanupcreds", sGssCleanupCreds }, |
|
#else |
|
{ "gssapiauthentication", sUnsupported }, |
|
{ "gssapicleanupcreds", sUnsupported }, |
#endif |
#endif |
#ifdef AFS |
|
{ "afstokenpassing", sAFSTokenPassing }, |
|
#endif |
|
{ "passwordauthentication", sPasswordAuthentication }, |
{ "passwordauthentication", sPasswordAuthentication }, |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, |
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, |
|
|
{ "subsystem", sSubsystem }, |
{ "subsystem", sSubsystem }, |
{ "maxstartups", sMaxStartups }, |
{ "maxstartups", sMaxStartups }, |
{ "banner", sBanner }, |
{ "banner", sBanner }, |
{ "verifyreversemapping", sVerifyReverseMapping }, |
{ "usedns", sUseDNS }, |
{ "reversemappingcheck", sVerifyReverseMapping }, |
{ "verifyreversemapping", sDeprecated }, |
|
{ "reversemappingcheck", sDeprecated }, |
{ "clientaliveinterval", sClientAliveInterval }, |
{ "clientaliveinterval", sClientAliveInterval }, |
{ "clientalivecountmax", sClientAliveCountMax }, |
{ "clientalivecountmax", sClientAliveCountMax }, |
{ "authorizedkeysfile", sAuthorizedKeysFile }, |
{ "authorizedkeysfile", sAuthorizedKeysFile }, |
|
|
intptr = &options->ignore_user_known_hosts; |
intptr = &options->ignore_user_known_hosts; |
goto parse_flag; |
goto parse_flag; |
|
|
case sRhostsAuthentication: |
|
intptr = &options->rhosts_authentication; |
|
goto parse_flag; |
|
|
|
case sRhostsRSAAuthentication: |
case sRhostsRSAAuthentication: |
intptr = &options->rhosts_rsa_authentication; |
intptr = &options->rhosts_rsa_authentication; |
goto parse_flag; |
goto parse_flag; |
|
|
case sPubkeyAuthentication: |
case sPubkeyAuthentication: |
intptr = &options->pubkey_authentication; |
intptr = &options->pubkey_authentication; |
goto parse_flag; |
goto parse_flag; |
#if defined(KRB4) || defined(KRB5) |
|
case sKerberosAuthentication: |
case sKerberosAuthentication: |
intptr = &options->kerberos_authentication; |
intptr = &options->kerberos_authentication; |
goto parse_flag; |
goto parse_flag; |
|
|
case sKerberosTicketCleanup: |
case sKerberosTicketCleanup: |
intptr = &options->kerberos_ticket_cleanup; |
intptr = &options->kerberos_ticket_cleanup; |
goto parse_flag; |
goto parse_flag; |
#endif |
|
#if defined(AFS) || defined(KRB5) |
case sGssAuthentication: |
case sKerberosTgtPassing: |
intptr = &options->gss_authentication; |
intptr = &options->kerberos_tgt_passing; |
|
goto parse_flag; |
goto parse_flag; |
#endif |
|
#ifdef AFS |
case sGssCleanupCreds: |
case sAFSTokenPassing: |
intptr = &options->gss_cleanup_creds; |
intptr = &options->afs_token_passing; |
|
goto parse_flag; |
goto parse_flag; |
#endif |
|
|
|
case sPasswordAuthentication: |
case sPasswordAuthentication: |
intptr = &options->password_authentication; |
intptr = &options->password_authentication; |
|
|
intptr = &options->gateway_ports; |
intptr = &options->gateway_ports; |
goto parse_flag; |
goto parse_flag; |
|
|
case sVerifyReverseMapping: |
case sUseDNS: |
intptr = &options->verify_reverse_mapping; |
intptr = &options->use_dns; |
goto parse_flag; |
goto parse_flag; |
|
|
case sLogFacility: |
case sLogFacility: |
|
|
goto parse_int; |
goto parse_int; |
|
|
case sDeprecated: |
case sDeprecated: |
log("%s line %d: Deprecated option %s", |
logit("%s line %d: Deprecated option %s", |
|
filename, linenum, arg); |
|
while (arg) |
|
arg = strdelim(&cp); |
|
break; |
|
|
|
case sUnsupported: |
|
logit("%s line %d: Unsupported option %s", |
filename, linenum, arg); |
filename, linenum, arg); |
while (arg) |
while (arg) |
arg = strdelim(&cp); |
arg = strdelim(&cp); |
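Review bot: In the keyword table, `verifyreversemapping` and `reversemappingcheck` now map to `sDeprecated`, and the `sDeprecated` case at the end of this section only logs "Deprecated option" and consumes the remaining arguments, so a value an administrator set for those keywords is discarded with no hint that `usedns` replaces it. Read together with the defaults hunk, where `verify_reverse_mapping = 0` gives way to `use_dns = 1` (as far as the two-column rendering lets the sides be told apart), an existing `VerifyReverseMapping no` appears to end up with the lookup enabled after an upgrade. I would document that on the table entries, e.g. `{ "verifyreversemapping", sDeprecated }, /* value ignored; superseded by UseDNS, default on */`, with the same comment on `reversemappingcheck`. The keyword table, the defaults function and the parsing switch all begin and end outside the lines shown, so how `use_dns` is consumed cannot be checked from here.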