Annotation of src/usr.bin/ssh/servconf.c, Revision 1.15
1.1 deraadt 1: /*
2:
3: servconf.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Mon Aug 21 15:48:58 1995 ylo
11:
12: */
13:
14: #include "includes.h"
1.15 ! markus 15: RCSID("$Id: servconf.c,v 1.14 1999/10/12 18:11:54 markus Exp $");
1.1 deraadt 16:
17: #include "ssh.h"
18: #include "servconf.h"
19: #include "xmalloc.h"
20:
21: /* Initializes the server options to their default values. */
22:
23: void initialize_server_options(ServerOptions *options)
24: {
25: memset(options, 0, sizeof(*options));
26: options->port = -1;
1.3 deraadt 27: options->listen_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 28: options->host_key_file = NULL;
29: options->server_key_bits = -1;
30: options->login_grace_time = -1;
31: options->key_regeneration_time = -1;
32: options->permit_root_login = -1;
33: options->ignore_rhosts = -1;
34: options->quiet_mode = -1;
35: options->fascist_logging = -1;
36: options->print_motd = -1;
1.11 markus 37: options->check_mail = -1;
1.1 deraadt 38: options->x11_forwarding = -1;
1.2 deraadt 39: options->x11_display_offset = -1;
1.1 deraadt 40: options->strict_modes = -1;
41: options->keepalives = -1;
42: options->log_facility = (SyslogFacility)-1;
43: options->rhosts_authentication = -1;
44: options->rhosts_rsa_authentication = -1;
45: options->rsa_authentication = -1;
46: #ifdef KRB4
47: options->kerberos_authentication = -1;
48: options->kerberos_or_local_passwd = -1;
49: options->kerberos_ticket_cleanup = -1;
50: #endif
1.4 dugsong 51: #ifdef AFS
1.1 deraadt 52: options->kerberos_tgt_passing = -1;
53: options->afs_token_passing = -1;
54: #endif
55: options->password_authentication = -1;
1.10 markus 56: #ifdef SKEY
57: options->skey_authentication = -1;
58: #endif
1.1 deraadt 59: options->permit_empty_passwd = -1;
1.12 markus 60: options->use_login = -1;
1.14 markus 61: options->silent_deny = -1;
1.1 deraadt 62: options->num_allow_hosts = 0;
63: options->num_deny_hosts = 0;
1.13 markus 64: options->num_allow_users = 0;
65: options->num_deny_users = 0;
66: options->num_allow_groups = 0;
67: options->num_deny_groups = 0;
1.1 deraadt 68: }
69:
70: void fill_default_server_options(ServerOptions *options)
71: {
72: if (options->port == -1)
73: {
74: struct servent *sp;
75:
76: sp = getservbyname(SSH_SERVICE_NAME, "tcp");
77: if (sp)
78: options->port = ntohs(sp->s_port);
79: else
80: options->port = SSH_DEFAULT_PORT;
81: endservent();
82: }
83: if (options->host_key_file == NULL)
84: options->host_key_file = HOST_KEY_FILE;
85: if (options->server_key_bits == -1)
86: options->server_key_bits = 768;
87: if (options->login_grace_time == -1)
88: options->login_grace_time = 600;
89: if (options->key_regeneration_time == -1)
90: options->key_regeneration_time = 3600;
91: if (options->permit_root_login == -1)
1.15 ! markus 92: options->permit_root_login = 1; /* yes */
1.1 deraadt 93: if (options->ignore_rhosts == -1)
94: options->ignore_rhosts = 0;
95: if (options->quiet_mode == -1)
96: options->quiet_mode = 0;
1.11 markus 97: if (options->check_mail == -1)
98: options->check_mail = 0;
1.1 deraadt 99: if (options->fascist_logging == -1)
100: options->fascist_logging = 1;
101: if (options->print_motd == -1)
102: options->print_motd = 1;
103: if (options->x11_forwarding == -1)
104: options->x11_forwarding = 1;
1.2 deraadt 105: if (options->x11_display_offset == -1)
106: options->x11_display_offset = 1;
1.1 deraadt 107: if (options->strict_modes == -1)
108: options->strict_modes = 1;
109: if (options->keepalives == -1)
110: options->keepalives = 1;
111: if (options->log_facility == (SyslogFacility)(-1))
112: options->log_facility = SYSLOG_FACILITY_DAEMON;
113: if (options->rhosts_authentication == -1)
114: options->rhosts_authentication = 0;
115: if (options->rhosts_rsa_authentication == -1)
116: options->rhosts_rsa_authentication = 1;
117: if (options->rsa_authentication == -1)
118: options->rsa_authentication = 1;
119: #ifdef KRB4
120: if (options->kerberos_authentication == -1)
1.5 dugsong 121: options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
1.1 deraadt 122: if (options->kerberos_or_local_passwd == -1)
123: options->kerberos_or_local_passwd = 0;
124: if (options->kerberos_ticket_cleanup == -1)
125: options->kerberos_ticket_cleanup = 1;
1.4 dugsong 126: #endif /* KRB4 */
127: #ifdef AFS
1.1 deraadt 128: if (options->kerberos_tgt_passing == -1)
129: options->kerberos_tgt_passing = 0;
130: if (options->afs_token_passing == -1)
1.5 dugsong 131: options->afs_token_passing = k_hasafs();
1.4 dugsong 132: #endif /* AFS */
1.1 deraadt 133: if (options->password_authentication == -1)
134: options->password_authentication = 1;
1.10 markus 135: #ifdef SKEY
136: if (options->skey_authentication == -1)
137: options->skey_authentication = 1;
138: #endif
1.1 deraadt 139: if (options->permit_empty_passwd == -1)
1.10 markus 140: options->permit_empty_passwd = 1;
1.12 markus 141: if (options->use_login == -1)
142: options->use_login = 0;
1.14 markus 143: if (options->silent_deny == -1)
144: options->silent_deny = 0;
1.1 deraadt 145: }
146:
147: #define WHITESPACE " \t\r\n"
148:
149: /* Keyword tokens. */
150: typedef enum
151: {
152: sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
153: sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
154: sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
155: #ifdef KRB4
1.4 dugsong 156: sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
1.1 deraadt 157: #endif
158: #ifdef AFS
1.4 dugsong 159: sKerberosTgtPassing, sAFSTokenPassing,
1.1 deraadt 160: #endif
1.10 markus 161: #ifdef SKEY
162: sSkeyAuthentication,
163: #endif
1.1 deraadt 164: sPasswordAuthentication, sAllowHosts, sDenyHosts, sListenAddress,
1.2 deraadt 165: sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
1.12 markus 166: sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
1.14 markus 167: sUseLogin, sSilentDeny, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups
1.13 markus 168:
1.1 deraadt 169: } ServerOpCodes;
170:
171: /* Textual representation of the tokens. */
172: static struct
173: {
174: const char *name;
175: ServerOpCodes opcode;
176: } keywords[] =
177: {
178: { "port", sPort },
179: { "hostkey", sHostKeyFile },
180: { "serverkeybits", sServerKeyBits },
181: { "logingracetime", sLoginGraceTime },
182: { "keyregenerationinterval", sKeyRegenerationTime },
183: { "permitrootlogin", sPermitRootLogin },
184: { "quietmode", sQuietMode },
185: { "fascistlogging", sFascistLogging },
186: { "syslogfacility", sLogFacility },
187: { "rhostsauthentication", sRhostsAuthentication },
188: { "rhostsrsaauthentication", sRhostsRSAAuthentication },
189: { "rsaauthentication", sRSAAuthentication },
190: #ifdef KRB4
191: { "kerberosauthentication", sKerberosAuthentication },
192: { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
193: { "kerberosticketcleanup", sKerberosTicketCleanup },
194: #endif
1.4 dugsong 195: #ifdef AFS
1.1 deraadt 196: { "kerberostgtpassing", sKerberosTgtPassing },
197: { "afstokenpassing", sAFSTokenPassing },
198: #endif
199: { "passwordauthentication", sPasswordAuthentication },
1.10 markus 200: #ifdef SKEY
201: { "skeyauthentication", sSkeyAuthentication },
202: #endif
1.1 deraadt 203: { "allowhosts", sAllowHosts },
1.11 markus 204: { "checkmail", sCheckMail },
1.1 deraadt 205: { "denyhosts", sDenyHosts },
206: { "listenaddress", sListenAddress },
207: { "printmotd", sPrintMotd },
208: { "ignorerhosts", sIgnoreRhosts },
209: { "x11forwarding", sX11Forwarding },
1.2 deraadt 210: { "x11displayoffset", sX11DisplayOffset },
1.1 deraadt 211: { "strictmodes", sStrictModes },
212: { "permitemptypasswords", sEmptyPasswd },
1.12 markus 213: { "uselogin", sUseLogin },
1.14 markus 214: { "silentdeny", sSilentDeny },
1.1 deraadt 215: { "randomseed", sRandomSeedFile },
216: { "keepalive", sKeepAlives },
1.13 markus 217: { "allowusers", sAllowUsers },
218: { "denyusers", sDenyUsers },
219: { "allowgroups", sAllowGroups },
220: { "denygroups", sDenyGroups },
1.1 deraadt 221: { NULL, 0 }
222: };
223:
224: static struct
225: {
226: const char *name;
227: SyslogFacility facility;
228: } log_facilities[] =
229: {
230: { "DAEMON", SYSLOG_FACILITY_DAEMON },
231: { "USER", SYSLOG_FACILITY_USER },
232: { "AUTH", SYSLOG_FACILITY_AUTH },
233: { "LOCAL0", SYSLOG_FACILITY_LOCAL0 },
234: { "LOCAL1", SYSLOG_FACILITY_LOCAL1 },
235: { "LOCAL2", SYSLOG_FACILITY_LOCAL2 },
236: { "LOCAL3", SYSLOG_FACILITY_LOCAL3 },
237: { "LOCAL4", SYSLOG_FACILITY_LOCAL4 },
238: { "LOCAL5", SYSLOG_FACILITY_LOCAL5 },
239: { "LOCAL6", SYSLOG_FACILITY_LOCAL6 },
240: { "LOCAL7", SYSLOG_FACILITY_LOCAL7 },
241: { NULL, 0 }
242: };
243:
244: /* Returns the number of the token pointed to by cp of length len.
245: Never returns if the token is not known. */
246:
247: static ServerOpCodes parse_token(const char *cp, const char *filename,
248: int linenum)
249: {
250: unsigned int i;
251:
252: for (i = 0; keywords[i].name; i++)
253: if (strcmp(cp, keywords[i].name) == 0)
254: return keywords[i].opcode;
255:
256: fprintf(stderr, "%s line %d: Bad configuration option: %s\n",
257: filename, linenum, cp);
258: exit(1);
259: }
260:
261: /* Reads the server configuration file. */
262:
263: void read_server_config(ServerOptions *options, const char *filename)
264: {
265: FILE *f;
266: char line[1024];
267: char *cp, **charptr;
268: int linenum, *intptr, i, value;
269: ServerOpCodes opcode;
270:
271: f = fopen(filename, "r");
272: if (!f)
273: {
274: perror(filename);
275: return;
276: }
277:
278: linenum = 0;
279: while (fgets(line, sizeof(line), f))
280: {
281: linenum++;
282: cp = line + strspn(line, WHITESPACE);
283: if (!*cp || *cp == '#')
284: continue;
285: cp = strtok(cp, WHITESPACE);
286: {
287: char *t = cp;
288: for (; *t != 0; t++)
289: if ('A' <= *t && *t <= 'Z')
290: *t = *t - 'A' + 'a'; /* tolower */
291:
292: }
293: opcode = parse_token(cp, filename, linenum);
294: switch (opcode)
295: {
296: case sPort:
297: intptr = &options->port;
298: parse_int:
299: cp = strtok(NULL, WHITESPACE);
300: if (!cp)
301: {
302: fprintf(stderr, "%s line %d: missing integer value.\n",
303: filename, linenum);
304: exit(1);
305: }
306: value = atoi(cp);
307: if (*intptr == -1)
308: *intptr = value;
309: break;
310:
311: case sServerKeyBits:
312: intptr = &options->server_key_bits;
313: goto parse_int;
314:
315: case sLoginGraceTime:
316: intptr = &options->login_grace_time;
317: goto parse_int;
318:
319: case sKeyRegenerationTime:
320: intptr = &options->key_regeneration_time;
321: goto parse_int;
322:
323: case sListenAddress:
324: cp = strtok(NULL, WHITESPACE);
325: if (!cp)
326: {
327: fprintf(stderr, "%s line %d: missing inet addr.\n",
328: filename, linenum);
329: exit(1);
330: }
331: options->listen_addr.s_addr = inet_addr(cp);
332: break;
333:
334: case sHostKeyFile:
335: charptr = &options->host_key_file;
336: cp = strtok(NULL, WHITESPACE);
337: if (!cp)
338: {
339: fprintf(stderr, "%s line %d: missing file name.\n",
340: filename, linenum);
341: exit(1);
342: }
343: if (*charptr == NULL)
344: *charptr = tilde_expand_filename(cp, getuid());
345: break;
346:
347: case sRandomSeedFile:
1.8 deraadt 348: fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
1.7 provos 349: filename, linenum);
350: cp = strtok(NULL, WHITESPACE);
351: break;
1.1 deraadt 352:
353: case sPermitRootLogin:
354: intptr = &options->permit_root_login;
1.15 ! markus 355: cp = strtok(NULL, WHITESPACE);
! 356: if (!cp)
! 357: {
! 358: fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
! 359: filename, linenum);
! 360: exit(1);
! 361: }
! 362: if (strcmp(cp, "without-password") == 0)
! 363: value = 2;
! 364: else if (strcmp(cp, "yes") == 0)
! 365: value = 1;
! 366: else if (strcmp(cp, "no") == 0)
! 367: value = 0;
! 368: else
! 369: {
! 370: fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
! 371: filename, linenum, cp);
! 372: exit(1);
! 373: }
! 374: if (*intptr == -1)
! 375: *intptr = value;
! 376: break;
! 377:
! 378: case sIgnoreRhosts:
! 379: intptr = &options->ignore_rhosts;
1.1 deraadt 380: parse_flag:
381: cp = strtok(NULL, WHITESPACE);
382: if (!cp)
383: {
384: fprintf(stderr, "%s line %d: missing yes/no argument.\n",
385: filename, linenum);
386: exit(1);
387: }
388: if (strcmp(cp, "yes") == 0)
389: value = 1;
390: else
391: if (strcmp(cp, "no") == 0)
392: value = 0;
393: else
394: {
395: fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
396: filename, linenum, cp);
397: exit(1);
398: }
399: if (*intptr == -1)
400: *intptr = value;
401: break;
402:
403: case sQuietMode:
404: intptr = &options->quiet_mode;
405: goto parse_flag;
406:
407: case sFascistLogging:
408: intptr = &options->fascist_logging;
409: goto parse_flag;
410:
411: case sRhostsAuthentication:
412: intptr = &options->rhosts_authentication;
413: goto parse_flag;
414:
415: case sRhostsRSAAuthentication:
416: intptr = &options->rhosts_rsa_authentication;
417: goto parse_flag;
418:
419: case sRSAAuthentication:
420: intptr = &options->rsa_authentication;
421: goto parse_flag;
422:
423: #ifdef KRB4
424: case sKerberosAuthentication:
425: intptr = &options->kerberos_authentication;
426: goto parse_flag;
427:
428: case sKerberosOrLocalPasswd:
429: intptr = &options->kerberos_or_local_passwd;
430: goto parse_flag;
431:
432: case sKerberosTicketCleanup:
433: intptr = &options->kerberos_ticket_cleanup;
434: goto parse_flag;
435: #endif
436:
1.4 dugsong 437: #ifdef AFS
1.1 deraadt 438: case sKerberosTgtPassing:
439: intptr = &options->kerberos_tgt_passing;
440: goto parse_flag;
441:
442: case sAFSTokenPassing:
443: intptr = &options->afs_token_passing;
444: goto parse_flag;
445: #endif
446:
447: case sPasswordAuthentication:
448: intptr = &options->password_authentication;
449: goto parse_flag;
1.11 markus 450:
451: case sCheckMail:
452: intptr = &options->check_mail;
453: goto parse_flag;
1.10 markus 454:
455: #ifdef SKEY
456: case sSkeyAuthentication:
457: intptr = &options->skey_authentication;
458: goto parse_flag;
459: #endif
1.1 deraadt 460:
461: case sPrintMotd:
462: intptr = &options->print_motd;
463: goto parse_flag;
464:
465: case sX11Forwarding:
466: intptr = &options->x11_forwarding;
467: goto parse_flag;
1.2 deraadt 468:
469: case sX11DisplayOffset:
470: intptr = &options->x11_display_offset;
471: goto parse_int;
1.1 deraadt 472:
473: case sStrictModes:
474: intptr = &options->strict_modes;
475: goto parse_flag;
476:
477: case sKeepAlives:
478: intptr = &options->keepalives;
479: goto parse_flag;
480:
481: case sEmptyPasswd:
482: intptr = &options->permit_empty_passwd;
483: goto parse_flag;
1.12 markus 484:
485: case sUseLogin:
486: intptr = &options->use_login;
1.14 markus 487: goto parse_flag;
488:
489: case sSilentDeny:
490: intptr = &options->silent_deny;
1.12 markus 491: goto parse_flag;
1.1 deraadt 492:
493: case sLogFacility:
494: cp = strtok(NULL, WHITESPACE);
495: if (!cp)
496: {
497: fprintf(stderr, "%s line %d: missing facility name.\n",
498: filename, linenum);
499: exit(1);
500: }
501: for (i = 0; log_facilities[i].name; i++)
502: if (strcmp(log_facilities[i].name, cp) == 0)
503: break;
504: if (!log_facilities[i].name)
505: {
506: fprintf(stderr, "%s line %d: unsupported log facility %s\n",
507: filename, linenum, cp);
508: exit(1);
509: }
510: if (options->log_facility == (SyslogFacility)(-1))
511: options->log_facility = log_facilities[i].facility;
512: break;
513:
514: case sAllowHosts:
515: while ((cp = strtok(NULL, WHITESPACE)))
516: {
517: if (options->num_allow_hosts >= MAX_ALLOW_HOSTS)
518: {
519: fprintf(stderr, "%s line %d: too many allow hosts.\n",
520: filename, linenum);
521: exit(1);
522: }
523: options->allow_hosts[options->num_allow_hosts++] = xstrdup(cp);
524: }
525: break;
526:
527: case sDenyHosts:
528: while ((cp = strtok(NULL, WHITESPACE)))
529: {
530: if (options->num_deny_hosts >= MAX_DENY_HOSTS)
531: {
532: fprintf(stderr, "%s line %d: too many deny hosts.\n",
533: filename, linenum);
534: exit(1);
535: }
536: options->deny_hosts[options->num_deny_hosts++] = xstrdup(cp);
1.13 markus 537: }
538: break;
539:
540: case sAllowUsers:
541: while ((cp = strtok(NULL, WHITESPACE)))
542: {
543: if (options->num_allow_users >= MAX_ALLOW_USERS)
544: {
545: fprintf(stderr, "%s line %d: too many allow users.\n",
546: filename, linenum);
547: exit(1);
548: }
549: options->allow_users[options->num_allow_users++] = xstrdup(cp);
550: }
551: break;
552:
553: case sDenyUsers:
554: while ((cp = strtok(NULL, WHITESPACE)))
555: {
556: if (options->num_deny_users >= MAX_DENY_USERS)
557: {
558: fprintf(stderr, "%s line %d: too many deny users.\n",
559: filename, linenum);
560: exit(1);
561: }
562: options->deny_users[options->num_deny_users++] = xstrdup(cp);
563: }
564: break;
565:
566: case sAllowGroups:
567: while ((cp = strtok(NULL, WHITESPACE)))
568: {
569: if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
570: {
571: fprintf(stderr, "%s line %d: too many allow groups.\n",
572: filename, linenum);
573: exit(1);
574: }
575: options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
576: }
577: break;
578:
579: case sDenyGroups:
580: while ((cp = strtok(NULL, WHITESPACE)))
581: {
582: if (options->num_deny_groups >= MAX_DENY_GROUPS)
583: {
584: fprintf(stderr, "%s line %d: too many deny groups.\n",
585: filename, linenum);
586: exit(1);
587: }
588: options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
1.1 deraadt 589: }
590: break;
591:
592: default:
593: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
594: filename, linenum, cp, opcode);
595: exit(1);
596: }
597: if (strtok(NULL, WHITESPACE) != NULL)
598: {
599: fprintf(stderr, "%s line %d: garbage at end of line.\n",
600: filename, linenum);
601: exit(1);
602: }
603: }
604: fclose(f);
605: }