Annotation of src/usr.bin/ssh/servconf.c, Revision 1.13
1.1 deraadt 1: /*
2:
3: servconf.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Mon Aug 21 15:48:58 1995 ylo
11:
12: */
13:
14: #include "includes.h"
1.13 ! markus 15: RCSID("$Id: servconf.c,v 1.12 1999/10/11 21:07:37 markus Exp $");
1.1 deraadt 16:
17: #include "ssh.h"
18: #include "servconf.h"
19: #include "xmalloc.h"
20:
21: /* Initializes the server options to their default values. */
22:
23: void initialize_server_options(ServerOptions *options)
24: {
25: memset(options, 0, sizeof(*options));
26: options->port = -1;
1.3 deraadt 27: options->listen_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 28: options->host_key_file = NULL;
29: options->server_key_bits = -1;
30: options->login_grace_time = -1;
31: options->key_regeneration_time = -1;
32: options->permit_root_login = -1;
33: options->ignore_rhosts = -1;
34: options->quiet_mode = -1;
35: options->fascist_logging = -1;
36: options->print_motd = -1;
1.11 markus 37: options->check_mail = -1;
1.1 deraadt 38: options->x11_forwarding = -1;
1.2 deraadt 39: options->x11_display_offset = -1;
1.1 deraadt 40: options->strict_modes = -1;
41: options->keepalives = -1;
42: options->log_facility = (SyslogFacility)-1;
43: options->rhosts_authentication = -1;
44: options->rhosts_rsa_authentication = -1;
45: options->rsa_authentication = -1;
46: #ifdef KRB4
47: options->kerberos_authentication = -1;
48: options->kerberos_or_local_passwd = -1;
49: options->kerberos_ticket_cleanup = -1;
50: #endif
1.4 dugsong 51: #ifdef AFS
1.1 deraadt 52: options->kerberos_tgt_passing = -1;
53: options->afs_token_passing = -1;
54: #endif
55: options->password_authentication = -1;
1.10 markus 56: #ifdef SKEY
57: options->skey_authentication = -1;
58: #endif
1.1 deraadt 59: options->permit_empty_passwd = -1;
1.12 markus 60: options->use_login = -1;
1.1 deraadt 61: options->num_allow_hosts = 0;
62: options->num_deny_hosts = 0;
1.13 ! markus 63: options->num_allow_users = 0;
! 64: options->num_deny_users = 0;
! 65: options->num_allow_groups = 0;
! 66: options->num_deny_groups = 0;
1.1 deraadt 67: }
68:
69: void fill_default_server_options(ServerOptions *options)
70: {
71: if (options->port == -1)
72: {
73: struct servent *sp;
74:
75: sp = getservbyname(SSH_SERVICE_NAME, "tcp");
76: if (sp)
77: options->port = ntohs(sp->s_port);
78: else
79: options->port = SSH_DEFAULT_PORT;
80: endservent();
81: }
82: if (options->host_key_file == NULL)
83: options->host_key_file = HOST_KEY_FILE;
84: if (options->server_key_bits == -1)
85: options->server_key_bits = 768;
86: if (options->login_grace_time == -1)
87: options->login_grace_time = 600;
88: if (options->key_regeneration_time == -1)
89: options->key_regeneration_time = 3600;
90: if (options->permit_root_login == -1)
91: options->permit_root_login = 1;
92: if (options->ignore_rhosts == -1)
93: options->ignore_rhosts = 0;
94: if (options->quiet_mode == -1)
95: options->quiet_mode = 0;
1.11 markus 96: if (options->check_mail == -1)
97: options->check_mail = 0;
1.1 deraadt 98: if (options->fascist_logging == -1)
99: options->fascist_logging = 1;
100: if (options->print_motd == -1)
101: options->print_motd = 1;
102: if (options->x11_forwarding == -1)
103: options->x11_forwarding = 1;
1.2 deraadt 104: if (options->x11_display_offset == -1)
105: options->x11_display_offset = 1;
1.1 deraadt 106: if (options->strict_modes == -1)
107: options->strict_modes = 1;
108: if (options->keepalives == -1)
109: options->keepalives = 1;
110: if (options->log_facility == (SyslogFacility)(-1))
111: options->log_facility = SYSLOG_FACILITY_DAEMON;
112: if (options->rhosts_authentication == -1)
113: options->rhosts_authentication = 0;
114: if (options->rhosts_rsa_authentication == -1)
115: options->rhosts_rsa_authentication = 1;
116: if (options->rsa_authentication == -1)
117: options->rsa_authentication = 1;
118: #ifdef KRB4
119: if (options->kerberos_authentication == -1)
1.5 dugsong 120: options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
1.1 deraadt 121: if (options->kerberos_or_local_passwd == -1)
122: options->kerberos_or_local_passwd = 0;
123: if (options->kerberos_ticket_cleanup == -1)
124: options->kerberos_ticket_cleanup = 1;
1.4 dugsong 125: #endif /* KRB4 */
126: #ifdef AFS
1.1 deraadt 127: if (options->kerberos_tgt_passing == -1)
128: options->kerberos_tgt_passing = 0;
129: if (options->afs_token_passing == -1)
1.5 dugsong 130: options->afs_token_passing = k_hasafs();
1.4 dugsong 131: #endif /* AFS */
1.1 deraadt 132: if (options->password_authentication == -1)
133: options->password_authentication = 1;
1.10 markus 134: #ifdef SKEY
135: if (options->skey_authentication == -1)
136: options->skey_authentication = 1;
137: #endif
1.1 deraadt 138: if (options->permit_empty_passwd == -1)
1.10 markus 139: options->permit_empty_passwd = 1;
1.12 markus 140: if (options->use_login == -1)
141: options->use_login = 0;
1.1 deraadt 142: }
143:
144: #define WHITESPACE " \t\r\n"
145:
146: /* Keyword tokens. */
147: typedef enum
148: {
149: sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
150: sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
151: sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
152: #ifdef KRB4
1.4 dugsong 153: sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
1.1 deraadt 154: #endif
155: #ifdef AFS
1.4 dugsong 156: sKerberosTgtPassing, sAFSTokenPassing,
1.1 deraadt 157: #endif
1.10 markus 158: #ifdef SKEY
159: sSkeyAuthentication,
160: #endif
1.1 deraadt 161: sPasswordAuthentication, sAllowHosts, sDenyHosts, sListenAddress,
1.2 deraadt 162: sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
1.12 markus 163: sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
1.13 ! markus 164: sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups
! 165:
1.1 deraadt 166: } ServerOpCodes;
167:
168: /* Textual representation of the tokens. */
169: static struct
170: {
171: const char *name;
172: ServerOpCodes opcode;
173: } keywords[] =
174: {
175: { "port", sPort },
176: { "hostkey", sHostKeyFile },
177: { "serverkeybits", sServerKeyBits },
178: { "logingracetime", sLoginGraceTime },
179: { "keyregenerationinterval", sKeyRegenerationTime },
180: { "permitrootlogin", sPermitRootLogin },
181: { "quietmode", sQuietMode },
182: { "fascistlogging", sFascistLogging },
183: { "syslogfacility", sLogFacility },
184: { "rhostsauthentication", sRhostsAuthentication },
185: { "rhostsrsaauthentication", sRhostsRSAAuthentication },
186: { "rsaauthentication", sRSAAuthentication },
187: #ifdef KRB4
188: { "kerberosauthentication", sKerberosAuthentication },
189: { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
190: { "kerberosticketcleanup", sKerberosTicketCleanup },
191: #endif
1.4 dugsong 192: #ifdef AFS
1.1 deraadt 193: { "kerberostgtpassing", sKerberosTgtPassing },
194: { "afstokenpassing", sAFSTokenPassing },
195: #endif
196: { "passwordauthentication", sPasswordAuthentication },
1.10 markus 197: #ifdef SKEY
198: { "skeyauthentication", sSkeyAuthentication },
199: #endif
1.1 deraadt 200: { "allowhosts", sAllowHosts },
1.11 markus 201: { "checkmail", sCheckMail },
1.1 deraadt 202: { "denyhosts", sDenyHosts },
203: { "listenaddress", sListenAddress },
204: { "printmotd", sPrintMotd },
205: { "ignorerhosts", sIgnoreRhosts },
206: { "x11forwarding", sX11Forwarding },
1.2 deraadt 207: { "x11displayoffset", sX11DisplayOffset },
1.1 deraadt 208: { "strictmodes", sStrictModes },
209: { "permitemptypasswords", sEmptyPasswd },
1.12 markus 210: { "uselogin", sUseLogin },
1.1 deraadt 211: { "randomseed", sRandomSeedFile },
212: { "keepalive", sKeepAlives },
1.13 ! markus 213: { "allowusers", sAllowUsers },
! 214: { "denyusers", sDenyUsers },
! 215: { "allowgroups", sAllowGroups },
! 216: { "denygroups", sDenyGroups },
1.1 deraadt 217: { NULL, 0 }
218: };
219:
220: static struct
221: {
222: const char *name;
223: SyslogFacility facility;
224: } log_facilities[] =
225: {
226: { "DAEMON", SYSLOG_FACILITY_DAEMON },
227: { "USER", SYSLOG_FACILITY_USER },
228: { "AUTH", SYSLOG_FACILITY_AUTH },
229: { "LOCAL0", SYSLOG_FACILITY_LOCAL0 },
230: { "LOCAL1", SYSLOG_FACILITY_LOCAL1 },
231: { "LOCAL2", SYSLOG_FACILITY_LOCAL2 },
232: { "LOCAL3", SYSLOG_FACILITY_LOCAL3 },
233: { "LOCAL4", SYSLOG_FACILITY_LOCAL4 },
234: { "LOCAL5", SYSLOG_FACILITY_LOCAL5 },
235: { "LOCAL6", SYSLOG_FACILITY_LOCAL6 },
236: { "LOCAL7", SYSLOG_FACILITY_LOCAL7 },
237: { NULL, 0 }
238: };
239:
240: /* Returns the number of the token pointed to by cp of length len.
241: Never returns if the token is not known. */
242:
243: static ServerOpCodes parse_token(const char *cp, const char *filename,
244: int linenum)
245: {
246: unsigned int i;
247:
248: for (i = 0; keywords[i].name; i++)
249: if (strcmp(cp, keywords[i].name) == 0)
250: return keywords[i].opcode;
251:
252: fprintf(stderr, "%s line %d: Bad configuration option: %s\n",
253: filename, linenum, cp);
254: exit(1);
255: }
256:
257: /* Reads the server configuration file. */
258:
259: void read_server_config(ServerOptions *options, const char *filename)
260: {
261: FILE *f;
262: char line[1024];
263: char *cp, **charptr;
264: int linenum, *intptr, i, value;
265: ServerOpCodes opcode;
266:
267: f = fopen(filename, "r");
268: if (!f)
269: {
270: perror(filename);
271: return;
272: }
273:
274: linenum = 0;
275: while (fgets(line, sizeof(line), f))
276: {
277: linenum++;
278: cp = line + strspn(line, WHITESPACE);
279: if (!*cp || *cp == '#')
280: continue;
281: cp = strtok(cp, WHITESPACE);
282: {
283: char *t = cp;
284: for (; *t != 0; t++)
285: if ('A' <= *t && *t <= 'Z')
286: *t = *t - 'A' + 'a'; /* tolower */
287:
288: }
289: opcode = parse_token(cp, filename, linenum);
290: switch (opcode)
291: {
292: case sPort:
293: intptr = &options->port;
294: parse_int:
295: cp = strtok(NULL, WHITESPACE);
296: if (!cp)
297: {
298: fprintf(stderr, "%s line %d: missing integer value.\n",
299: filename, linenum);
300: exit(1);
301: }
302: value = atoi(cp);
303: if (*intptr == -1)
304: *intptr = value;
305: break;
306:
307: case sServerKeyBits:
308: intptr = &options->server_key_bits;
309: goto parse_int;
310:
311: case sLoginGraceTime:
312: intptr = &options->login_grace_time;
313: goto parse_int;
314:
315: case sKeyRegenerationTime:
316: intptr = &options->key_regeneration_time;
317: goto parse_int;
318:
319: case sListenAddress:
320: cp = strtok(NULL, WHITESPACE);
321: if (!cp)
322: {
323: fprintf(stderr, "%s line %d: missing inet addr.\n",
324: filename, linenum);
325: exit(1);
326: }
327: options->listen_addr.s_addr = inet_addr(cp);
328: break;
329:
330: case sHostKeyFile:
331: charptr = &options->host_key_file;
332: cp = strtok(NULL, WHITESPACE);
333: if (!cp)
334: {
335: fprintf(stderr, "%s line %d: missing file name.\n",
336: filename, linenum);
337: exit(1);
338: }
339: if (*charptr == NULL)
340: *charptr = tilde_expand_filename(cp, getuid());
341: break;
342:
343: case sRandomSeedFile:
1.8 deraadt 344: fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
1.7 provos 345: filename, linenum);
346: cp = strtok(NULL, WHITESPACE);
347: break;
1.1 deraadt 348:
349: case sPermitRootLogin:
350: intptr = &options->permit_root_login;
351: parse_flag:
352: cp = strtok(NULL, WHITESPACE);
353: if (!cp)
354: {
355: fprintf(stderr, "%s line %d: missing yes/no argument.\n",
356: filename, linenum);
357: exit(1);
358: }
359: if (strcmp(cp, "yes") == 0)
360: value = 1;
361: else
362: if (strcmp(cp, "no") == 0)
363: value = 0;
364: else
365: {
366: fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
367: filename, linenum, cp);
368: exit(1);
369: }
370: if (*intptr == -1)
371: *intptr = value;
372: break;
373:
374: case sIgnoreRhosts:
375: intptr = &options->ignore_rhosts;
376: goto parse_flag;
377:
378: case sQuietMode:
379: intptr = &options->quiet_mode;
380: goto parse_flag;
381:
382: case sFascistLogging:
383: intptr = &options->fascist_logging;
384: goto parse_flag;
385:
386: case sRhostsAuthentication:
387: intptr = &options->rhosts_authentication;
388: goto parse_flag;
389:
390: case sRhostsRSAAuthentication:
391: intptr = &options->rhosts_rsa_authentication;
392: goto parse_flag;
393:
394: case sRSAAuthentication:
395: intptr = &options->rsa_authentication;
396: goto parse_flag;
397:
398: #ifdef KRB4
399: case sKerberosAuthentication:
400: intptr = &options->kerberos_authentication;
401: goto parse_flag;
402:
403: case sKerberosOrLocalPasswd:
404: intptr = &options->kerberos_or_local_passwd;
405: goto parse_flag;
406:
407: case sKerberosTicketCleanup:
408: intptr = &options->kerberos_ticket_cleanup;
409: goto parse_flag;
410: #endif
411:
1.4 dugsong 412: #ifdef AFS
1.1 deraadt 413: case sKerberosTgtPassing:
414: intptr = &options->kerberos_tgt_passing;
415: goto parse_flag;
416:
417: case sAFSTokenPassing:
418: intptr = &options->afs_token_passing;
419: goto parse_flag;
420: #endif
421:
422: case sPasswordAuthentication:
423: intptr = &options->password_authentication;
424: goto parse_flag;
1.11 markus 425:
426: case sCheckMail:
427: intptr = &options->check_mail;
428: goto parse_flag;
1.10 markus 429:
430: #ifdef SKEY
431: case sSkeyAuthentication:
432: intptr = &options->skey_authentication;
433: goto parse_flag;
434: #endif
1.1 deraadt 435:
436: case sPrintMotd:
437: intptr = &options->print_motd;
438: goto parse_flag;
439:
440: case sX11Forwarding:
441: intptr = &options->x11_forwarding;
442: goto parse_flag;
1.2 deraadt 443:
444: case sX11DisplayOffset:
445: intptr = &options->x11_display_offset;
446: goto parse_int;
1.1 deraadt 447:
448: case sStrictModes:
449: intptr = &options->strict_modes;
450: goto parse_flag;
451:
452: case sKeepAlives:
453: intptr = &options->keepalives;
454: goto parse_flag;
455:
456: case sEmptyPasswd:
457: intptr = &options->permit_empty_passwd;
458: goto parse_flag;
1.12 markus 459:
460: case sUseLogin:
461: intptr = &options->use_login;
462: goto parse_flag;
1.1 deraadt 463:
464: case sLogFacility:
465: cp = strtok(NULL, WHITESPACE);
466: if (!cp)
467: {
468: fprintf(stderr, "%s line %d: missing facility name.\n",
469: filename, linenum);
470: exit(1);
471: }
472: for (i = 0; log_facilities[i].name; i++)
473: if (strcmp(log_facilities[i].name, cp) == 0)
474: break;
475: if (!log_facilities[i].name)
476: {
477: fprintf(stderr, "%s line %d: unsupported log facility %s\n",
478: filename, linenum, cp);
479: exit(1);
480: }
481: if (options->log_facility == (SyslogFacility)(-1))
482: options->log_facility = log_facilities[i].facility;
483: break;
484:
485: case sAllowHosts:
486: while ((cp = strtok(NULL, WHITESPACE)))
487: {
488: if (options->num_allow_hosts >= MAX_ALLOW_HOSTS)
489: {
490: fprintf(stderr, "%s line %d: too many allow hosts.\n",
491: filename, linenum);
492: exit(1);
493: }
494: options->allow_hosts[options->num_allow_hosts++] = xstrdup(cp);
495: }
496: break;
497:
498: case sDenyHosts:
499: while ((cp = strtok(NULL, WHITESPACE)))
500: {
501: if (options->num_deny_hosts >= MAX_DENY_HOSTS)
502: {
503: fprintf(stderr, "%s line %d: too many deny hosts.\n",
504: filename, linenum);
505: exit(1);
506: }
507: options->deny_hosts[options->num_deny_hosts++] = xstrdup(cp);
1.13 ! markus 508: }
! 509: break;
! 510:
! 511: case sAllowUsers:
! 512: while ((cp = strtok(NULL, WHITESPACE)))
! 513: {
! 514: if (options->num_allow_users >= MAX_ALLOW_USERS)
! 515: {
! 516: fprintf(stderr, "%s line %d: too many allow users.\n",
! 517: filename, linenum);
! 518: exit(1);
! 519: }
! 520: options->allow_users[options->num_allow_users++] = xstrdup(cp);
! 521: }
! 522: break;
! 523:
! 524: case sDenyUsers:
! 525: while ((cp = strtok(NULL, WHITESPACE)))
! 526: {
! 527: if (options->num_deny_users >= MAX_DENY_USERS)
! 528: {
! 529: fprintf(stderr, "%s line %d: too many deny users.\n",
! 530: filename, linenum);
! 531: exit(1);
! 532: }
! 533: options->deny_users[options->num_deny_users++] = xstrdup(cp);
! 534: }
! 535: break;
! 536:
! 537: case sAllowGroups:
! 538: while ((cp = strtok(NULL, WHITESPACE)))
! 539: {
! 540: if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
! 541: {
! 542: fprintf(stderr, "%s line %d: too many allow groups.\n",
! 543: filename, linenum);
! 544: exit(1);
! 545: }
! 546: options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
! 547: }
! 548: break;
! 549:
! 550: case sDenyGroups:
! 551: while ((cp = strtok(NULL, WHITESPACE)))
! 552: {
! 553: if (options->num_deny_groups >= MAX_DENY_GROUPS)
! 554: {
! 555: fprintf(stderr, "%s line %d: too many deny groups.\n",
! 556: filename, linenum);
! 557: exit(1);
! 558: }
! 559: options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
1.1 deraadt 560: }
561: break;
562:
563: default:
564: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
565: filename, linenum, cp, opcode);
566: exit(1);
567: }
568: if (strtok(NULL, WHITESPACE) != NULL)
569: {
570: fprintf(stderr, "%s line %d: garbage at end of line.\n",
571: filename, linenum);
572: exit(1);
573: }
574: }
575: fclose(f);
576: }