version 1.78, 2001/04/15 21:28:35 |
version 1.78.2.2, 2001/11/15 22:51:15 |
|
|
#include "includes.h" |
#include "includes.h" |
RCSID("$OpenBSD$"); |
RCSID("$OpenBSD$"); |
|
|
#ifdef KRB4 |
#if defined(KRB4) || defined(KRB5) |
#include <krb.h> |
#include <krb.h> |
#endif |
#endif |
#ifdef AFS |
#ifdef AFS |
|
|
#include "kex.h" |
#include "kex.h" |
#include "mac.h" |
#include "mac.h" |
|
|
void add_listen_addr(ServerOptions *options, char *addr, u_short port); |
static void add_listen_addr(ServerOptions *, char *, u_short); |
void add_one_listen_addr(ServerOptions *options, char *addr, u_short port); |
static void add_one_listen_addr(ServerOptions *, char *, u_short); |
|
|
/* AF_UNSPEC or AF_INET or AF_INET6 */ |
/* AF_UNSPEC or AF_INET or AF_INET6 */ |
extern int IPv4or6; |
extern int IPv4or6; |
|
|
options->ignore_user_known_hosts = -1; |
options->ignore_user_known_hosts = -1; |
options->print_motd = -1; |
options->print_motd = -1; |
options->print_lastlog = -1; |
options->print_lastlog = -1; |
options->check_mail = -1; |
|
options->x11_forwarding = -1; |
options->x11_forwarding = -1; |
options->x11_display_offset = -1; |
options->x11_display_offset = -1; |
options->xauth_location = NULL; |
options->xauth_location = NULL; |
|
|
options->hostbased_uses_name_from_packet_only = -1; |
options->hostbased_uses_name_from_packet_only = -1; |
options->rsa_authentication = -1; |
options->rsa_authentication = -1; |
options->pubkey_authentication = -1; |
options->pubkey_authentication = -1; |
#ifdef KRB4 |
#if defined(KRB4) || defined(KRB5) |
options->kerberos_authentication = -1; |
options->kerberos_authentication = -1; |
options->kerberos_or_local_passwd = -1; |
options->kerberos_or_local_passwd = -1; |
options->kerberos_ticket_cleanup = -1; |
options->kerberos_ticket_cleanup = -1; |
#endif |
#endif |
#ifdef AFS |
#if defined(AFS) || defined(KRB5) |
options->kerberos_tgt_passing = -1; |
options->kerberos_tgt_passing = -1; |
|
#endif |
|
#ifdef AFS |
options->afs_token_passing = -1; |
options->afs_token_passing = -1; |
#endif |
#endif |
options->password_authentication = -1; |
options->password_authentication = -1; |
options->kbd_interactive_authentication = -1; |
options->kbd_interactive_authentication = -1; |
options->challenge_reponse_authentication = -1; |
options->challenge_response_authentication = -1; |
options->permit_empty_passwd = -1; |
options->permit_empty_passwd = -1; |
options->use_login = -1; |
options->use_login = -1; |
options->allow_tcp_forwarding = -1; |
options->allow_tcp_forwarding = -1; |
|
|
options->reverse_mapping_check = -1; |
options->reverse_mapping_check = -1; |
options->client_alive_interval = -1; |
options->client_alive_interval = -1; |
options->client_alive_count_max = -1; |
options->client_alive_count_max = -1; |
|
options->authorized_keys_file = NULL; |
|
options->authorized_keys_file2 = NULL; |
} |
} |
|
|
void |
void |
|
|
options->ignore_rhosts = 1; |
options->ignore_rhosts = 1; |
if (options->ignore_user_known_hosts == -1) |
if (options->ignore_user_known_hosts == -1) |
options->ignore_user_known_hosts = 0; |
options->ignore_user_known_hosts = 0; |
if (options->check_mail == -1) |
|
options->check_mail = 0; |
|
if (options->print_motd == -1) |
if (options->print_motd == -1) |
options->print_motd = 1; |
options->print_motd = 1; |
if (options->print_lastlog == -1) |
if (options->print_lastlog == -1) |
|
|
options->x11_forwarding = 0; |
options->x11_forwarding = 0; |
if (options->x11_display_offset == -1) |
if (options->x11_display_offset == -1) |
options->x11_display_offset = 10; |
options->x11_display_offset = 10; |
#ifdef XAUTH_PATH |
#ifdef _PATH_XAUTH |
if (options->xauth_location == NULL) |
if (options->xauth_location == NULL) |
options->xauth_location = XAUTH_PATH; |
options->xauth_location = _PATH_XAUTH; |
#endif /* XAUTH_PATH */ |
#endif |
if (options->strict_modes == -1) |
if (options->strict_modes == -1) |
options->strict_modes = 1; |
options->strict_modes = 1; |
if (options->keepalives == -1) |
if (options->keepalives == -1) |
|
|
options->rsa_authentication = 1; |
options->rsa_authentication = 1; |
if (options->pubkey_authentication == -1) |
if (options->pubkey_authentication == -1) |
options->pubkey_authentication = 1; |
options->pubkey_authentication = 1; |
#ifdef KRB4 |
#if defined(KRB4) || defined(KRB5) |
if (options->kerberos_authentication == -1) |
if (options->kerberos_authentication == -1) |
options->kerberos_authentication = (access(KEYFILE, R_OK) == 0); |
options->kerberos_authentication = (access(KEYFILE, R_OK) == 0); |
if (options->kerberos_or_local_passwd == -1) |
if (options->kerberos_or_local_passwd == -1) |
options->kerberos_or_local_passwd = 1; |
options->kerberos_or_local_passwd = 1; |
if (options->kerberos_ticket_cleanup == -1) |
if (options->kerberos_ticket_cleanup == -1) |
options->kerberos_ticket_cleanup = 1; |
options->kerberos_ticket_cleanup = 1; |
#endif /* KRB4 */ |
#endif |
#ifdef AFS |
#if defined(AFS) || defined(KRB5) |
if (options->kerberos_tgt_passing == -1) |
if (options->kerberos_tgt_passing == -1) |
options->kerberos_tgt_passing = 0; |
options->kerberos_tgt_passing = 0; |
|
#endif |
|
#ifdef AFS |
if (options->afs_token_passing == -1) |
if (options->afs_token_passing == -1) |
options->afs_token_passing = k_hasafs(); |
options->afs_token_passing = k_hasafs(); |
#endif /* AFS */ |
#endif |
if (options->password_authentication == -1) |
if (options->password_authentication == -1) |
options->password_authentication = 1; |
options->password_authentication = 1; |
if (options->kbd_interactive_authentication == -1) |
if (options->kbd_interactive_authentication == -1) |
options->kbd_interactive_authentication = 0; |
options->kbd_interactive_authentication = 0; |
if (options->challenge_reponse_authentication == -1) |
if (options->challenge_response_authentication == -1) |
options->challenge_reponse_authentication = 1; |
options->challenge_response_authentication = 1; |
if (options->permit_empty_passwd == -1) |
if (options->permit_empty_passwd == -1) |
options->permit_empty_passwd = 0; |
options->permit_empty_passwd = 0; |
if (options->use_login == -1) |
if (options->use_login == -1) |
|
|
options->client_alive_interval = 0; |
options->client_alive_interval = 0; |
if (options->client_alive_count_max == -1) |
if (options->client_alive_count_max == -1) |
options->client_alive_count_max = 3; |
options->client_alive_count_max = 3; |
|
if (options->authorized_keys_file2 == NULL) { |
|
/* authorized_keys_file2 falls back to authorized_keys_file */ |
|
if (options->authorized_keys_file != NULL) |
|
options->authorized_keys_file2 = options->authorized_keys_file; |
|
else |
|
options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; |
|
} |
|
if (options->authorized_keys_file == NULL) |
|
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; |
} |
} |
|
|
/* Keyword tokens. */ |
/* Keyword tokens. */ |
|
|
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
sPermitRootLogin, sLogFacility, sLogLevel, |
sPermitRootLogin, sLogFacility, sLogLevel, |
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, |
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, |
#ifdef KRB4 |
#if defined(KRB4) || defined(KRB5) |
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
#endif |
#endif |
|
#if defined(AFS) || defined(KRB5) |
|
sKerberosTgtPassing, |
|
#endif |
#ifdef AFS |
#ifdef AFS |
sKerberosTgtPassing, sAFSTokenPassing, |
sAFSTokenPassing, |
#endif |
#endif |
sChallengeResponseAuthentication, |
sChallengeResponseAuthentication, |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
sX11Forwarding, sX11DisplayOffset, |
sX11Forwarding, sX11DisplayOffset, |
sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail, |
sStrictModes, sEmptyPasswd, sKeepAlives, |
sUseLogin, sAllowTcpForwarding, |
sUseLogin, sAllowTcpForwarding, |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, |
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, |
sBanner, sReverseMappingCheck, sHostbasedAuthentication, |
sBanner, sReverseMappingCheck, sHostbasedAuthentication, |
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
sClientAliveCountMax |
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
|
sDeprecated |
} ServerOpCodes; |
} ServerOpCodes; |
|
|
/* Textual representation of the tokens. */ |
/* Textual representation of the tokens. */ |
|
|
{ "rsaauthentication", sRSAAuthentication }, |
{ "rsaauthentication", sRSAAuthentication }, |
{ "pubkeyauthentication", sPubkeyAuthentication }, |
{ "pubkeyauthentication", sPubkeyAuthentication }, |
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */ |
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */ |
#ifdef KRB4 |
#if defined(KRB4) || defined(KRB5) |
{ "kerberosauthentication", sKerberosAuthentication }, |
{ "kerberosauthentication", sKerberosAuthentication }, |
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
{ "kerberosticketcleanup", sKerberosTicketCleanup }, |
{ "kerberosticketcleanup", sKerberosTicketCleanup }, |
#endif |
#endif |
#ifdef AFS |
#if defined(AFS) || defined(KRB5) |
{ "kerberostgtpassing", sKerberosTgtPassing }, |
{ "kerberostgtpassing", sKerberosTgtPassing }, |
|
#endif |
|
#ifdef AFS |
{ "afstokenpassing", sAFSTokenPassing }, |
{ "afstokenpassing", sAFSTokenPassing }, |
#endif |
#endif |
{ "passwordauthentication", sPasswordAuthentication }, |
{ "passwordauthentication", sPasswordAuthentication }, |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, |
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, |
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ |
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ |
{ "checkmail", sCheckMail }, |
{ "checkmail", sDeprecated }, |
{ "listenaddress", sListenAddress }, |
{ "listenaddress", sListenAddress }, |
{ "printmotd", sPrintMotd }, |
{ "printmotd", sPrintMotd }, |
{ "printlastlog", sPrintLastLog }, |
{ "printlastlog", sPrintLastLog }, |
|
|
{ "reversemappingcheck", sReverseMappingCheck }, |
{ "reversemappingcheck", sReverseMappingCheck }, |
{ "clientaliveinterval", sClientAliveInterval }, |
{ "clientaliveinterval", sClientAliveInterval }, |
{ "clientalivecountmax", sClientAliveCountMax }, |
{ "clientalivecountmax", sClientAliveCountMax }, |
|
{ "authorizedkeysfile", sAuthorizedKeysFile }, |
|
{ "authorizedkeysfile2", sAuthorizedKeysFile2 }, |
{ NULL, 0 } |
{ NULL, 0 } |
}; |
}; |
|
|
|
|
return sBadOption; |
return sBadOption; |
} |
} |
|
|
void |
static void |
add_listen_addr(ServerOptions *options, char *addr, u_short port) |
add_listen_addr(ServerOptions *options, char *addr, u_short port) |
{ |
{ |
int i; |
int i; |
|
|
add_one_listen_addr(options, addr, port); |
add_one_listen_addr(options, addr, port); |
} |
} |
|
|
void |
static void |
add_one_listen_addr(ServerOptions *options, char *addr, u_short port) |
add_one_listen_addr(ServerOptions *options, char *addr, u_short port) |
{ |
{ |
struct addrinfo hints, *ai, *aitop; |
struct addrinfo hints, *ai, *aitop; |
|
|
int linenum, *intptr, value; |
int linenum, *intptr, value; |
int bad_options = 0; |
int bad_options = 0; |
ServerOpCodes opcode; |
ServerOpCodes opcode; |
int i; |
int i, n; |
|
|
f = fopen(filename, "r"); |
f = fopen(filename, "r"); |
if (!f) { |
if (!f) { |
|
|
continue; |
continue; |
if (options->listen_addrs != NULL) |
if (options->listen_addrs != NULL) |
fatal("%s line %d: ports must be specified before " |
fatal("%s line %d: ports must be specified before " |
"ListenAdress.\n", filename, linenum); |
"ListenAdress.", filename, linenum); |
if (options->num_ports >= MAX_PORTS) |
if (options->num_ports >= MAX_PORTS) |
fatal("%s line %d: too many ports.", |
fatal("%s line %d: too many ports.", |
filename, linenum); |
filename, linenum); |
|
|
|
|
case sLoginGraceTime: |
case sLoginGraceTime: |
intptr = &options->login_grace_time; |
intptr = &options->login_grace_time; |
goto parse_int; |
parse_time: |
|
arg = strdelim(&cp); |
|
if (!arg || *arg == '\0') |
|
fatal("%s line %d: missing time value.", |
|
filename, linenum); |
|
if ((value = convtime(arg)) == -1) |
|
fatal("%s line %d: invalid time value.", |
|
filename, linenum); |
|
if (*intptr == -1) |
|
*intptr = value; |
|
break; |
|
|
case sKeyRegenerationTime: |
case sKeyRegenerationTime: |
intptr = &options->key_regeneration_time; |
intptr = &options->key_regeneration_time; |
goto parse_int; |
goto parse_time; |
|
|
case sListenAddress: |
case sListenAddress: |
arg = strdelim(&cp); |
arg = strdelim(&cp); |
|
|
case sPubkeyAuthentication: |
case sPubkeyAuthentication: |
intptr = &options->pubkey_authentication; |
intptr = &options->pubkey_authentication; |
goto parse_flag; |
goto parse_flag; |
|
#if defined(KRB4) || defined(KRB5) |
#ifdef KRB4 |
|
case sKerberosAuthentication: |
case sKerberosAuthentication: |
intptr = &options->kerberos_authentication; |
intptr = &options->kerberos_authentication; |
goto parse_flag; |
goto parse_flag; |
|
|
intptr = &options->kerberos_ticket_cleanup; |
intptr = &options->kerberos_ticket_cleanup; |
goto parse_flag; |
goto parse_flag; |
#endif |
#endif |
|
#if defined(AFS) || defined(KRB5) |
#ifdef AFS |
|
case sKerberosTgtPassing: |
case sKerberosTgtPassing: |
intptr = &options->kerberos_tgt_passing; |
intptr = &options->kerberos_tgt_passing; |
goto parse_flag; |
goto parse_flag; |
|
#endif |
|
#ifdef AFS |
case sAFSTokenPassing: |
case sAFSTokenPassing: |
intptr = &options->afs_token_passing; |
intptr = &options->afs_token_passing; |
goto parse_flag; |
goto parse_flag; |
|
|
intptr = &options->kbd_interactive_authentication; |
intptr = &options->kbd_interactive_authentication; |
goto parse_flag; |
goto parse_flag; |
|
|
case sCheckMail: |
|
intptr = &options->check_mail; |
|
goto parse_flag; |
|
|
|
case sChallengeResponseAuthentication: |
case sChallengeResponseAuthentication: |
intptr = &options->challenge_reponse_authentication; |
intptr = &options->challenge_response_authentication; |
goto parse_flag; |
goto parse_flag; |
|
|
case sPrintMotd: |
case sPrintMotd: |
|
|
if (!arg || *arg == '\0') |
if (!arg || *arg == '\0') |
fatal("%s line %d: Missing MaxStartups spec.", |
fatal("%s line %d: Missing MaxStartups spec.", |
filename, linenum); |
filename, linenum); |
if (sscanf(arg, "%d:%d:%d", |
if ((n = sscanf(arg, "%d:%d:%d", |
&options->max_startups_begin, |
&options->max_startups_begin, |
&options->max_startups_rate, |
&options->max_startups_rate, |
&options->max_startups) == 3) { |
&options->max_startups)) == 3) { |
if (options->max_startups_begin > |
if (options->max_startups_begin > |
options->max_startups || |
options->max_startups || |
options->max_startups_rate > 100 || |
options->max_startups_rate > 100 || |
options->max_startups_rate < 1) |
options->max_startups_rate < 1) |
|
fatal("%s line %d: Illegal MaxStartups spec.", |
|
filename, linenum); |
|
} else if (n != 1) |
fatal("%s line %d: Illegal MaxStartups spec.", |
fatal("%s line %d: Illegal MaxStartups spec.", |
filename, linenum); |
filename, linenum); |
break; |
else |
} |
options->max_startups = options->max_startups_begin; |
intptr = &options->max_startups; |
break; |
goto parse_int; |
|
|
|
case sBanner: |
case sBanner: |
charptr = &options->banner; |
charptr = &options->banner; |
goto parse_filename; |
goto parse_filename; |
|
/* |
|
* These options can contain %X options expanded at |
|
* connect time, so that you can specify paths like: |
|
* |
|
* AuthorizedKeysFile /etc/ssh_keys/%u |
|
*/ |
|
case sAuthorizedKeysFile: |
|
case sAuthorizedKeysFile2: |
|
charptr = (opcode == sAuthorizedKeysFile ) ? |
|
&options->authorized_keys_file : |
|
&options->authorized_keys_file2; |
|
goto parse_filename; |
|
|
case sClientAliveInterval: |
case sClientAliveInterval: |
intptr = &options->client_alive_interval; |
intptr = &options->client_alive_interval; |
goto parse_int; |
goto parse_time; |
|
|
case sClientAliveCountMax: |
case sClientAliveCountMax: |
intptr = &options->client_alive_count_max; |
intptr = &options->client_alive_count_max; |
goto parse_int; |
goto parse_int; |
|
|
|
case sDeprecated: |
|
log("%s line %d: Deprecated option %s", |
|
filename, linenum, arg); |
|
while(arg) |
|
arg = strdelim(&cp); |
|
break; |
|
|
default: |
default: |
fatal("%s line %d: Missing handler for opcode %s (%d)", |
fatal("%s line %d: Missing handler for opcode %s (%d)", |
filename, linenum, arg, opcode); |
filename, linenum, arg, opcode); |