version 1.127, 2003/09/01 18:15:50 |
version 1.127.2.2, 2004/08/19 22:37:32 |
|
|
#include "xmalloc.h" |
#include "xmalloc.h" |
#include "compat.h" |
#include "compat.h" |
#include "pathnames.h" |
#include "pathnames.h" |
#include "tildexpand.h" |
|
#include "misc.h" |
#include "misc.h" |
#include "cipher.h" |
#include "cipher.h" |
#include "kex.h" |
#include "kex.h" |
|
|
options->x11_use_localhost = -1; |
options->x11_use_localhost = -1; |
options->xauth_location = NULL; |
options->xauth_location = NULL; |
options->strict_modes = -1; |
options->strict_modes = -1; |
options->keepalives = -1; |
options->tcp_keep_alive = -1; |
options->log_facility = SYSLOG_FACILITY_NOT_SET; |
options->log_facility = SYSLOG_FACILITY_NOT_SET; |
options->log_level = SYSLOG_LEVEL_NOT_SET; |
options->log_level = SYSLOG_LEVEL_NOT_SET; |
options->rhosts_rsa_authentication = -1; |
options->rhosts_rsa_authentication = -1; |
|
|
options->kerberos_authentication = -1; |
options->kerberos_authentication = -1; |
options->kerberos_or_local_passwd = -1; |
options->kerberos_or_local_passwd = -1; |
options->kerberos_ticket_cleanup = -1; |
options->kerberos_ticket_cleanup = -1; |
|
options->kerberos_get_afs_token = -1; |
options->gss_authentication=-1; |
options->gss_authentication=-1; |
options->gss_cleanup_creds = -1; |
options->gss_cleanup_creds = -1; |
options->password_authentication = -1; |
options->password_authentication = -1; |
|
|
options->max_startups_begin = -1; |
options->max_startups_begin = -1; |
options->max_startups_rate = -1; |
options->max_startups_rate = -1; |
options->max_startups = -1; |
options->max_startups = -1; |
|
options->max_authtries = -1; |
options->banner = NULL; |
options->banner = NULL; |
options->use_dns = -1; |
options->use_dns = -1; |
options->client_alive_interval = -1; |
options->client_alive_interval = -1; |
options->client_alive_count_max = -1; |
options->client_alive_count_max = -1; |
options->authorized_keys_file = NULL; |
options->authorized_keys_file = NULL; |
options->authorized_keys_file2 = NULL; |
options->authorized_keys_file2 = NULL; |
|
options->num_accept_env = 0; |
|
|
/* Needs to be accessable in many places */ |
/* Needs to be accessable in many places */ |
use_privsep = -1; |
use_privsep = -1; |
|
|
options->xauth_location = _PATH_XAUTH; |
options->xauth_location = _PATH_XAUTH; |
if (options->strict_modes == -1) |
if (options->strict_modes == -1) |
options->strict_modes = 1; |
options->strict_modes = 1; |
if (options->keepalives == -1) |
if (options->tcp_keep_alive == -1) |
options->keepalives = 1; |
options->tcp_keep_alive = 1; |
if (options->log_facility == SYSLOG_FACILITY_NOT_SET) |
if (options->log_facility == SYSLOG_FACILITY_NOT_SET) |
options->log_facility = SYSLOG_FACILITY_AUTH; |
options->log_facility = SYSLOG_FACILITY_AUTH; |
if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
|
|
options->kerberos_or_local_passwd = 1; |
options->kerberos_or_local_passwd = 1; |
if (options->kerberos_ticket_cleanup == -1) |
if (options->kerberos_ticket_cleanup == -1) |
options->kerberos_ticket_cleanup = 1; |
options->kerberos_ticket_cleanup = 1; |
|
if (options->kerberos_get_afs_token == -1) |
|
options->kerberos_get_afs_token = 0; |
if (options->gss_authentication == -1) |
if (options->gss_authentication == -1) |
options->gss_authentication = 0; |
options->gss_authentication = 0; |
if (options->gss_cleanup_creds == -1) |
if (options->gss_cleanup_creds == -1) |
|
|
options->max_startups_rate = 100; /* 100% */ |
options->max_startups_rate = 100; /* 100% */ |
if (options->max_startups_begin == -1) |
if (options->max_startups_begin == -1) |
options->max_startups_begin = options->max_startups; |
options->max_startups_begin = options->max_startups; |
|
if (options->max_authtries == -1) |
|
options->max_authtries = DEFAULT_AUTH_FAIL_MAX; |
if (options->use_dns == -1) |
if (options->use_dns == -1) |
options->use_dns = 1; |
options->use_dns = 1; |
if (options->client_alive_interval == -1) |
if (options->client_alive_interval == -1) |
|
|
sPermitRootLogin, sLogFacility, sLogLevel, |
sPermitRootLogin, sLogFacility, sLogLevel, |
sRhostsRSAAuthentication, sRSAAuthentication, |
sRhostsRSAAuthentication, sRSAAuthentication, |
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
|
sKerberosGetAFSToken, |
sKerberosTgtPassing, sChallengeResponseAuthentication, |
sKerberosTgtPassing, sChallengeResponseAuthentication, |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
sStrictModes, sEmptyPasswd, sKeepAlives, |
sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, |
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, |
|
sMaxStartups, sMaxAuthTries, |
sBanner, sUseDNS, sHostbasedAuthentication, |
sBanner, sUseDNS, sHostbasedAuthentication, |
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
sGssAuthentication, sGssCleanupCreds, |
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, |
sUsePrivilegeSeparation, |
sUsePrivilegeSeparation, |
sDeprecated, sUnsupported |
sDeprecated, sUnsupported |
} ServerOpCodes; |
} ServerOpCodes; |
|
|
{ "kerberosauthentication", sKerberosAuthentication }, |
{ "kerberosauthentication", sKerberosAuthentication }, |
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
{ "kerberosticketcleanup", sKerberosTicketCleanup }, |
{ "kerberosticketcleanup", sKerberosTicketCleanup }, |
|
{ "kerberosgetafstoken", sKerberosGetAFSToken }, |
#else |
#else |
{ "kerberosauthentication", sUnsupported }, |
{ "kerberosauthentication", sUnsupported }, |
{ "kerberosorlocalpasswd", sUnsupported }, |
{ "kerberosorlocalpasswd", sUnsupported }, |
{ "kerberosticketcleanup", sUnsupported }, |
{ "kerberosticketcleanup", sUnsupported }, |
|
{ "kerberosgetafstoken", sUnsupported }, |
#endif |
#endif |
{ "kerberostgtpassing", sUnsupported }, |
{ "kerberostgtpassing", sUnsupported }, |
{ "afstokenpassing", sUnsupported }, |
{ "afstokenpassing", sUnsupported }, |
#ifdef GSSAPI |
#ifdef GSSAPI |
{ "gssapiauthentication", sGssAuthentication }, |
{ "gssapiauthentication", sGssAuthentication }, |
{ "gssapicleanupcreds", sGssCleanupCreds }, |
{ "gssapicleanupcredentials", sGssCleanupCreds }, |
#else |
#else |
{ "gssapiauthentication", sUnsupported }, |
{ "gssapiauthentication", sUnsupported }, |
{ "gssapicleanupcreds", sUnsupported }, |
{ "gssapicleanupcredentials", sUnsupported }, |
#endif |
#endif |
{ "passwordauthentication", sPasswordAuthentication }, |
{ "passwordauthentication", sPasswordAuthentication }, |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
|
|
{ "permituserenvironment", sPermitUserEnvironment }, |
{ "permituserenvironment", sPermitUserEnvironment }, |
{ "uselogin", sUseLogin }, |
{ "uselogin", sUseLogin }, |
{ "compression", sCompression }, |
{ "compression", sCompression }, |
{ "keepalive", sKeepAlives }, |
{ "tcpkeepalive", sTCPKeepAlive }, |
|
{ "keepalive", sTCPKeepAlive }, /* obsolete alias */ |
{ "allowtcpforwarding", sAllowTcpForwarding }, |
{ "allowtcpforwarding", sAllowTcpForwarding }, |
{ "allowusers", sAllowUsers }, |
{ "allowusers", sAllowUsers }, |
{ "denyusers", sDenyUsers }, |
{ "denyusers", sDenyUsers }, |
|
|
{ "gatewayports", sGatewayPorts }, |
{ "gatewayports", sGatewayPorts }, |
{ "subsystem", sSubsystem }, |
{ "subsystem", sSubsystem }, |
{ "maxstartups", sMaxStartups }, |
{ "maxstartups", sMaxStartups }, |
|
{ "maxauthtries", sMaxAuthTries }, |
{ "banner", sBanner }, |
{ "banner", sBanner }, |
{ "usedns", sUseDNS }, |
{ "usedns", sUseDNS }, |
{ "verifyreversemapping", sDeprecated }, |
{ "verifyreversemapping", sDeprecated }, |
|
|
{ "authorizedkeysfile", sAuthorizedKeysFile }, |
{ "authorizedkeysfile", sAuthorizedKeysFile }, |
{ "authorizedkeysfile2", sAuthorizedKeysFile2 }, |
{ "authorizedkeysfile2", sAuthorizedKeysFile2 }, |
{ "useprivilegeseparation", sUsePrivilegeSeparation}, |
{ "useprivilegeseparation", sUsePrivilegeSeparation}, |
|
{ "acceptenv", sAcceptEnv }, |
{ NULL, sBadOption } |
{ NULL, sBadOption } |
}; |
}; |
|
|
|
|
intptr = &options->kerberos_ticket_cleanup; |
intptr = &options->kerberos_ticket_cleanup; |
goto parse_flag; |
goto parse_flag; |
|
|
|
case sKerberosGetAFSToken: |
|
intptr = &options->kerberos_get_afs_token; |
|
goto parse_flag; |
|
|
case sGssAuthentication: |
case sGssAuthentication: |
intptr = &options->gss_authentication; |
intptr = &options->gss_authentication; |
goto parse_flag; |
goto parse_flag; |
|
|
intptr = &options->strict_modes; |
intptr = &options->strict_modes; |
goto parse_flag; |
goto parse_flag; |
|
|
case sKeepAlives: |
case sTCPKeepAlive: |
intptr = &options->keepalives; |
intptr = &options->tcp_keep_alive; |
goto parse_flag; |
goto parse_flag; |
|
|
case sEmptyPasswd: |
case sEmptyPasswd: |
|
|
options->max_startups = options->max_startups_begin; |
options->max_startups = options->max_startups_begin; |
break; |
break; |
|
|
|
case sMaxAuthTries: |
|
intptr = &options->max_authtries; |
|
goto parse_int; |
|
|
case sBanner: |
case sBanner: |
charptr = &options->banner; |
charptr = &options->banner; |
goto parse_filename; |
goto parse_filename; |
|
|
intptr = &options->client_alive_count_max; |
intptr = &options->client_alive_count_max; |
goto parse_int; |
goto parse_int; |
|
|
|
case sAcceptEnv: |
|
while ((arg = strdelim(&cp)) && *arg != '\0') { |
|
if (strchr(arg, '=') != NULL) |
|
fatal("%s line %d: Invalid environment name.", |
|
filename, linenum); |
|
if (options->num_accept_env >= MAX_ACCEPT_ENV) |
|
fatal("%s line %d: too many allow env.", |
|
filename, linenum); |
|
options->accept_env[options->num_accept_env++] = |
|
xstrdup(arg); |
|
} |
|
break; |
|
|
case sDeprecated: |
case sDeprecated: |
logit("%s line %d: Deprecated option %s", |
logit("%s line %d: Deprecated option %s", |
filename, linenum, arg); |
filename, linenum, arg); |
|
|
/* Reads the server configuration file. */ |
/* Reads the server configuration file. */ |
|
|
void |
void |
read_server_config(ServerOptions *options, const char *filename) |
load_server_config(const char *filename, Buffer *conf) |
{ |
{ |
int linenum, bad_options = 0; |
char line[1024], *cp; |
char line[1024]; |
|
FILE *f; |
FILE *f; |
|
|
debug2("read_server_config: filename %s", filename); |
debug2("%s: filename %s", __func__, filename); |
f = fopen(filename, "r"); |
if ((f = fopen(filename, "r")) == NULL) { |
if (!f) { |
|
perror(filename); |
perror(filename); |
exit(1); |
exit(1); |
} |
} |
linenum = 0; |
buffer_clear(conf); |
while (fgets(line, sizeof(line), f)) { |
while (fgets(line, sizeof(line), f)) { |
/* Update line number counter. */ |
/* |
linenum++; |
* Trim out comments and strip whitespace |
if (process_server_config_line(options, line, filename, linenum) != 0) |
* NB - preserve newlines, they are needed to reproduce |
bad_options++; |
* line numbers later for error messages |
|
*/ |
|
if ((cp = strchr(line, '#')) != NULL) |
|
memcpy(cp, "\n", 2); |
|
cp = line + strspn(line, " \t\r"); |
|
|
|
buffer_append(conf, cp, strlen(cp)); |
} |
} |
|
buffer_append(conf, "\0", 1); |
fclose(f); |
fclose(f); |
|
debug2("%s: done config len = %d", __func__, buffer_len(conf)); |
|
} |
|
|
|
void |
|
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf) |
|
{ |
|
int linenum, bad_options = 0; |
|
char *cp, *obuf, *cbuf; |
|
|
|
debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); |
|
|
|
obuf = cbuf = xstrdup(buffer_ptr(conf)); |
|
linenum = 1; |
|
while((cp = strsep(&cbuf, "\n")) != NULL) { |
|
if (process_server_config_line(options, cp, filename, |
|
linenum++) != 0) |
|
bad_options++; |
|
} |
|
xfree(obuf); |
if (bad_options > 0) |
if (bad_options > 0) |
fatal("%s: terminating, %d bad configuration options", |
fatal("%s: terminating, %d bad configuration options", |
filename, bad_options); |
filename, bad_options); |
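Review bot: In load_server_config a configuration line longer than sizeof(line)-1 bytes arrives from fgets in pieces, and the loop handles each piece as if it were a whole line: a `#` in the first piece is replaced by a newline, so the remainder of that comment is appended to conf as a directive of its own and later rejected by parse_server_config, while an over-long directive has the leading whitespace of its continuation stripped before the pieces are glued back together. The replaced read_server_config processed pieces one by one too, so this is not a regression, but the new two-phase design makes the failure harder to trace because the reported line number no longer matches the file. Detect the truncation right after fgets, `if (strchr(line, '\n') == NULL && !feof(f)) fatal("%s: line too long", filename);`, or read with a growing buffer so a line is never split. The same check would also let the sAcceptEnv handler rely on seeing a complete directive before it splits it on whitespace.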