Annotation of src/usr.bin/ssh/servconf.c, Revision 1.21
1.1 deraadt 1: /*
2:
3: servconf.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Mon Aug 21 15:48:58 1995 ylo
11:
12: */
13:
14: #include "includes.h"
1.21 ! markus 15: RCSID("$Id: servconf.c,v 1.20 1999/11/10 23:36:44 markus Exp $");
1.1 deraadt 16:
17: #include "ssh.h"
18: #include "servconf.h"
19: #include "xmalloc.h"
20:
21: /* Initializes the server options to their default values. */
22:
23: void initialize_server_options(ServerOptions *options)
24: {
25: memset(options, 0, sizeof(*options));
26: options->port = -1;
1.3 deraadt 27: options->listen_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 28: options->host_key_file = NULL;
29: options->server_key_bits = -1;
30: options->login_grace_time = -1;
31: options->key_regeneration_time = -1;
32: options->permit_root_login = -1;
33: options->ignore_rhosts = -1;
1.21 ! markus 34: options->ignore_user_known_hosts = -1;
1.1 deraadt 35: options->print_motd = -1;
1.11 markus 36: options->check_mail = -1;
1.1 deraadt 37: options->x11_forwarding = -1;
1.2 deraadt 38: options->x11_display_offset = -1;
1.1 deraadt 39: options->strict_modes = -1;
40: options->keepalives = -1;
41: options->log_facility = (SyslogFacility)-1;
1.20 markus 42: options->log_level = (LogLevel)-1;
1.1 deraadt 43: options->rhosts_authentication = -1;
44: options->rhosts_rsa_authentication = -1;
45: options->rsa_authentication = -1;
46: #ifdef KRB4
47: options->kerberos_authentication = -1;
48: options->kerberos_or_local_passwd = -1;
49: options->kerberos_ticket_cleanup = -1;
50: #endif
1.4 dugsong 51: #ifdef AFS
1.1 deraadt 52: options->kerberos_tgt_passing = -1;
53: options->afs_token_passing = -1;
54: #endif
55: options->password_authentication = -1;
1.10 markus 56: #ifdef SKEY
57: options->skey_authentication = -1;
58: #endif
1.1 deraadt 59: options->permit_empty_passwd = -1;
1.12 markus 60: options->use_login = -1;
1.13 markus 61: options->num_allow_users = 0;
62: options->num_deny_users = 0;
63: options->num_allow_groups = 0;
64: options->num_deny_groups = 0;
1.1 deraadt 65: }
66:
67: void fill_default_server_options(ServerOptions *options)
68: {
69: if (options->port == -1)
70: {
71: struct servent *sp;
72:
73: sp = getservbyname(SSH_SERVICE_NAME, "tcp");
74: if (sp)
75: options->port = ntohs(sp->s_port);
76: else
77: options->port = SSH_DEFAULT_PORT;
78: endservent();
79: }
80: if (options->host_key_file == NULL)
81: options->host_key_file = HOST_KEY_FILE;
82: if (options->server_key_bits == -1)
83: options->server_key_bits = 768;
84: if (options->login_grace_time == -1)
85: options->login_grace_time = 600;
86: if (options->key_regeneration_time == -1)
87: options->key_regeneration_time = 3600;
88: if (options->permit_root_login == -1)
1.15 markus 89: options->permit_root_login = 1; /* yes */
1.1 deraadt 90: if (options->ignore_rhosts == -1)
91: options->ignore_rhosts = 0;
1.21 ! markus 92: if (options->ignore_user_known_hosts == -1)
! 93: options->ignore_user_known_hosts = 0;
1.11 markus 94: if (options->check_mail == -1)
95: options->check_mail = 0;
1.1 deraadt 96: if (options->print_motd == -1)
97: options->print_motd = 1;
98: if (options->x11_forwarding == -1)
99: options->x11_forwarding = 1;
1.2 deraadt 100: if (options->x11_display_offset == -1)
101: options->x11_display_offset = 1;
1.1 deraadt 102: if (options->strict_modes == -1)
103: options->strict_modes = 1;
104: if (options->keepalives == -1)
105: options->keepalives = 1;
106: if (options->log_facility == (SyslogFacility)(-1))
1.19 markus 107: options->log_facility = SYSLOG_FACILITY_AUTH;
1.20 markus 108: if (options->log_level == (LogLevel)(-1))
109: options->log_level = SYSLOG_LEVEL_INFO;
1.1 deraadt 110: if (options->rhosts_authentication == -1)
111: options->rhosts_authentication = 0;
112: if (options->rhosts_rsa_authentication == -1)
113: options->rhosts_rsa_authentication = 1;
114: if (options->rsa_authentication == -1)
115: options->rsa_authentication = 1;
116: #ifdef KRB4
117: if (options->kerberos_authentication == -1)
1.5 dugsong 118: options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
1.1 deraadt 119: if (options->kerberos_or_local_passwd == -1)
1.18 dugsong 120: options->kerberos_or_local_passwd = 1;
1.1 deraadt 121: if (options->kerberos_ticket_cleanup == -1)
122: options->kerberos_ticket_cleanup = 1;
1.4 dugsong 123: #endif /* KRB4 */
124: #ifdef AFS
1.1 deraadt 125: if (options->kerberos_tgt_passing == -1)
126: options->kerberos_tgt_passing = 0;
127: if (options->afs_token_passing == -1)
1.5 dugsong 128: options->afs_token_passing = k_hasafs();
1.4 dugsong 129: #endif /* AFS */
1.1 deraadt 130: if (options->password_authentication == -1)
131: options->password_authentication = 1;
1.10 markus 132: #ifdef SKEY
133: if (options->skey_authentication == -1)
134: options->skey_authentication = 1;
135: #endif
1.1 deraadt 136: if (options->permit_empty_passwd == -1)
1.10 markus 137: options->permit_empty_passwd = 1;
1.12 markus 138: if (options->use_login == -1)
139: options->use_login = 0;
1.1 deraadt 140: }
141:
142: #define WHITESPACE " \t\r\n"
143:
144: /* Keyword tokens. */
145: typedef enum
146: {
147: sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
1.20 markus 148: sPermitRootLogin, sLogFacility, sLogLevel,
1.1 deraadt 149: sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
150: #ifdef KRB4
1.4 dugsong 151: sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
1.1 deraadt 152: #endif
153: #ifdef AFS
1.4 dugsong 154: sKerberosTgtPassing, sAFSTokenPassing,
1.1 deraadt 155: #endif
1.10 markus 156: #ifdef SKEY
157: sSkeyAuthentication,
158: #endif
1.17 dugsong 159: sPasswordAuthentication, sListenAddress,
1.2 deraadt 160: sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
1.12 markus 161: sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
1.21 ! markus 162: sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
! 163: sIgnoreUserKnownHosts
1.1 deraadt 164: } ServerOpCodes;
165:
166: /* Textual representation of the tokens. */
167: static struct
168: {
169: const char *name;
170: ServerOpCodes opcode;
171: } keywords[] =
172: {
173: { "port", sPort },
174: { "hostkey", sHostKeyFile },
175: { "serverkeybits", sServerKeyBits },
176: { "logingracetime", sLoginGraceTime },
177: { "keyregenerationinterval", sKeyRegenerationTime },
178: { "permitrootlogin", sPermitRootLogin },
179: { "syslogfacility", sLogFacility },
1.20 markus 180: { "loglevel", sLogLevel },
1.1 deraadt 181: { "rhostsauthentication", sRhostsAuthentication },
182: { "rhostsrsaauthentication", sRhostsRSAAuthentication },
183: { "rsaauthentication", sRSAAuthentication },
184: #ifdef KRB4
185: { "kerberosauthentication", sKerberosAuthentication },
186: { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
187: { "kerberosticketcleanup", sKerberosTicketCleanup },
188: #endif
1.4 dugsong 189: #ifdef AFS
1.1 deraadt 190: { "kerberostgtpassing", sKerberosTgtPassing },
191: { "afstokenpassing", sAFSTokenPassing },
192: #endif
193: { "passwordauthentication", sPasswordAuthentication },
1.10 markus 194: #ifdef SKEY
195: { "skeyauthentication", sSkeyAuthentication },
196: #endif
1.11 markus 197: { "checkmail", sCheckMail },
1.1 deraadt 198: { "listenaddress", sListenAddress },
199: { "printmotd", sPrintMotd },
200: { "ignorerhosts", sIgnoreRhosts },
1.21 ! markus 201: { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
1.1 deraadt 202: { "x11forwarding", sX11Forwarding },
1.2 deraadt 203: { "x11displayoffset", sX11DisplayOffset },
1.1 deraadt 204: { "strictmodes", sStrictModes },
205: { "permitemptypasswords", sEmptyPasswd },
1.12 markus 206: { "uselogin", sUseLogin },
1.1 deraadt 207: { "randomseed", sRandomSeedFile },
208: { "keepalive", sKeepAlives },
1.13 markus 209: { "allowusers", sAllowUsers },
210: { "denyusers", sDenyUsers },
211: { "allowgroups", sAllowGroups },
212: { "denygroups", sDenyGroups },
1.1 deraadt 213: { NULL, 0 }
214: };
215:
216: static struct
217: {
218: const char *name;
219: SyslogFacility facility;
220: } log_facilities[] =
221: {
222: { "DAEMON", SYSLOG_FACILITY_DAEMON },
223: { "USER", SYSLOG_FACILITY_USER },
224: { "AUTH", SYSLOG_FACILITY_AUTH },
225: { "LOCAL0", SYSLOG_FACILITY_LOCAL0 },
226: { "LOCAL1", SYSLOG_FACILITY_LOCAL1 },
227: { "LOCAL2", SYSLOG_FACILITY_LOCAL2 },
228: { "LOCAL3", SYSLOG_FACILITY_LOCAL3 },
229: { "LOCAL4", SYSLOG_FACILITY_LOCAL4 },
230: { "LOCAL5", SYSLOG_FACILITY_LOCAL5 },
231: { "LOCAL6", SYSLOG_FACILITY_LOCAL6 },
232: { "LOCAL7", SYSLOG_FACILITY_LOCAL7 },
233: { NULL, 0 }
234: };
235:
1.20 markus 236: static struct
237: {
238: const char *name;
239: LogLevel level;
240: } log_levels[] =
241: {
242: { "QUIET", SYSLOG_LEVEL_QUIET },
243: { "FATAL", SYSLOG_LEVEL_FATAL },
244: { "ERROR", SYSLOG_LEVEL_ERROR },
245: { "INFO", SYSLOG_LEVEL_INFO },
246: { "CHAT", SYSLOG_LEVEL_CHAT },
247: { "DEBUG", SYSLOG_LEVEL_DEBUG },
248: { NULL, 0 }
249: };
250:
1.1 deraadt 251: /* Returns the number of the token pointed to by cp of length len.
252: Never returns if the token is not known. */
253:
254: static ServerOpCodes parse_token(const char *cp, const char *filename,
255: int linenum)
256: {
257: unsigned int i;
258:
259: for (i = 0; keywords[i].name; i++)
260: if (strcmp(cp, keywords[i].name) == 0)
261: return keywords[i].opcode;
262:
263: fprintf(stderr, "%s line %d: Bad configuration option: %s\n",
264: filename, linenum, cp);
265: exit(1);
266: }
267:
268: /* Reads the server configuration file. */
269:
270: void read_server_config(ServerOptions *options, const char *filename)
271: {
272: FILE *f;
273: char line[1024];
274: char *cp, **charptr;
275: int linenum, *intptr, i, value;
276: ServerOpCodes opcode;
277:
278: f = fopen(filename, "r");
279: if (!f)
280: {
281: perror(filename);
1.16 markus 282: exit(1);
1.1 deraadt 283: }
284:
285: linenum = 0;
286: while (fgets(line, sizeof(line), f))
287: {
288: linenum++;
289: cp = line + strspn(line, WHITESPACE);
290: if (!*cp || *cp == '#')
291: continue;
292: cp = strtok(cp, WHITESPACE);
293: {
294: char *t = cp;
295: for (; *t != 0; t++)
296: if ('A' <= *t && *t <= 'Z')
297: *t = *t - 'A' + 'a'; /* tolower */
298:
299: }
300: opcode = parse_token(cp, filename, linenum);
301: switch (opcode)
302: {
303: case sPort:
304: intptr = &options->port;
305: parse_int:
306: cp = strtok(NULL, WHITESPACE);
307: if (!cp)
308: {
309: fprintf(stderr, "%s line %d: missing integer value.\n",
310: filename, linenum);
311: exit(1);
312: }
313: value = atoi(cp);
314: if (*intptr == -1)
315: *intptr = value;
316: break;
317:
318: case sServerKeyBits:
319: intptr = &options->server_key_bits;
320: goto parse_int;
321:
322: case sLoginGraceTime:
323: intptr = &options->login_grace_time;
324: goto parse_int;
325:
326: case sKeyRegenerationTime:
327: intptr = &options->key_regeneration_time;
328: goto parse_int;
329:
330: case sListenAddress:
331: cp = strtok(NULL, WHITESPACE);
332: if (!cp)
333: {
334: fprintf(stderr, "%s line %d: missing inet addr.\n",
335: filename, linenum);
336: exit(1);
337: }
338: options->listen_addr.s_addr = inet_addr(cp);
339: break;
340:
341: case sHostKeyFile:
342: charptr = &options->host_key_file;
343: cp = strtok(NULL, WHITESPACE);
344: if (!cp)
345: {
346: fprintf(stderr, "%s line %d: missing file name.\n",
347: filename, linenum);
348: exit(1);
349: }
350: if (*charptr == NULL)
351: *charptr = tilde_expand_filename(cp, getuid());
352: break;
353:
354: case sRandomSeedFile:
1.8 deraadt 355: fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
1.7 provos 356: filename, linenum);
357: cp = strtok(NULL, WHITESPACE);
358: break;
1.1 deraadt 359:
360: case sPermitRootLogin:
361: intptr = &options->permit_root_login;
1.15 markus 362: cp = strtok(NULL, WHITESPACE);
363: if (!cp)
364: {
365: fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
366: filename, linenum);
367: exit(1);
368: }
369: if (strcmp(cp, "without-password") == 0)
370: value = 2;
371: else if (strcmp(cp, "yes") == 0)
372: value = 1;
373: else if (strcmp(cp, "no") == 0)
374: value = 0;
375: else
376: {
377: fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
378: filename, linenum, cp);
379: exit(1);
380: }
381: if (*intptr == -1)
382: *intptr = value;
383: break;
384:
385: case sIgnoreRhosts:
386: intptr = &options->ignore_rhosts;
1.1 deraadt 387: parse_flag:
388: cp = strtok(NULL, WHITESPACE);
389: if (!cp)
390: {
391: fprintf(stderr, "%s line %d: missing yes/no argument.\n",
392: filename, linenum);
393: exit(1);
394: }
395: if (strcmp(cp, "yes") == 0)
396: value = 1;
397: else
398: if (strcmp(cp, "no") == 0)
399: value = 0;
400: else
401: {
402: fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
403: filename, linenum, cp);
404: exit(1);
405: }
406: if (*intptr == -1)
407: *intptr = value;
408: break;
1.21 ! markus 409:
! 410: case sIgnoreUserKnownHosts:
! 411: intptr = &options->ignore_user_known_hosts;
! 412: goto parse_int;
! 413:
1.1 deraadt 414: case sRhostsAuthentication:
415: intptr = &options->rhosts_authentication;
416: goto parse_flag;
417:
418: case sRhostsRSAAuthentication:
419: intptr = &options->rhosts_rsa_authentication;
420: goto parse_flag;
421:
422: case sRSAAuthentication:
423: intptr = &options->rsa_authentication;
424: goto parse_flag;
425:
426: #ifdef KRB4
427: case sKerberosAuthentication:
428: intptr = &options->kerberos_authentication;
429: goto parse_flag;
430:
431: case sKerberosOrLocalPasswd:
432: intptr = &options->kerberos_or_local_passwd;
433: goto parse_flag;
434:
435: case sKerberosTicketCleanup:
436: intptr = &options->kerberos_ticket_cleanup;
437: goto parse_flag;
438: #endif
439:
1.4 dugsong 440: #ifdef AFS
1.1 deraadt 441: case sKerberosTgtPassing:
442: intptr = &options->kerberos_tgt_passing;
443: goto parse_flag;
444:
445: case sAFSTokenPassing:
446: intptr = &options->afs_token_passing;
447: goto parse_flag;
448: #endif
449:
450: case sPasswordAuthentication:
451: intptr = &options->password_authentication;
452: goto parse_flag;
1.11 markus 453:
454: case sCheckMail:
455: intptr = &options->check_mail;
456: goto parse_flag;
1.10 markus 457:
458: #ifdef SKEY
459: case sSkeyAuthentication:
460: intptr = &options->skey_authentication;
461: goto parse_flag;
462: #endif
1.1 deraadt 463:
464: case sPrintMotd:
465: intptr = &options->print_motd;
466: goto parse_flag;
467:
468: case sX11Forwarding:
469: intptr = &options->x11_forwarding;
470: goto parse_flag;
1.2 deraadt 471:
472: case sX11DisplayOffset:
473: intptr = &options->x11_display_offset;
474: goto parse_int;
1.1 deraadt 475:
476: case sStrictModes:
477: intptr = &options->strict_modes;
478: goto parse_flag;
479:
480: case sKeepAlives:
481: intptr = &options->keepalives;
482: goto parse_flag;
483:
484: case sEmptyPasswd:
485: intptr = &options->permit_empty_passwd;
486: goto parse_flag;
1.12 markus 487:
488: case sUseLogin:
489: intptr = &options->use_login;
1.14 markus 490: goto parse_flag;
491:
1.1 deraadt 492: case sLogFacility:
493: cp = strtok(NULL, WHITESPACE);
494: if (!cp)
495: {
496: fprintf(stderr, "%s line %d: missing facility name.\n",
497: filename, linenum);
498: exit(1);
499: }
500: for (i = 0; log_facilities[i].name; i++)
1.20 markus 501: if (strcasecmp(log_facilities[i].name, cp) == 0)
1.1 deraadt 502: break;
503: if (!log_facilities[i].name)
504: {
505: fprintf(stderr, "%s line %d: unsupported log facility %s\n",
506: filename, linenum, cp);
507: exit(1);
508: }
509: if (options->log_facility == (SyslogFacility)(-1))
510: options->log_facility = log_facilities[i].facility;
1.20 markus 511: break;
512:
513: case sLogLevel:
514: cp = strtok(NULL, WHITESPACE);
515: if (!cp)
516: {
517: fprintf(stderr, "%s line %d: missing level name.\n",
518: filename, linenum);
519: exit(1);
520: }
521: for (i = 0; log_levels[i].name; i++)
522: if (strcasecmp(log_levels[i].name, cp) == 0)
523: break;
524: if (!log_levels[i].name)
525: {
526: fprintf(stderr, "%s line %d: unsupported log level %s\n",
527: filename, linenum, cp);
528: exit(1);
529: }
530: if (options->log_level == (LogLevel)(-1))
531: options->log_level = log_levels[i].level;
1.1 deraadt 532: break;
533:
1.13 markus 534: case sAllowUsers:
535: while ((cp = strtok(NULL, WHITESPACE)))
536: {
537: if (options->num_allow_users >= MAX_ALLOW_USERS)
538: {
539: fprintf(stderr, "%s line %d: too many allow users.\n",
540: filename, linenum);
541: exit(1);
542: }
543: options->allow_users[options->num_allow_users++] = xstrdup(cp);
544: }
545: break;
546:
547: case sDenyUsers:
548: while ((cp = strtok(NULL, WHITESPACE)))
549: {
550: if (options->num_deny_users >= MAX_DENY_USERS)
551: {
552: fprintf(stderr, "%s line %d: too many deny users.\n",
553: filename, linenum);
554: exit(1);
555: }
556: options->deny_users[options->num_deny_users++] = xstrdup(cp);
557: }
558: break;
559:
560: case sAllowGroups:
561: while ((cp = strtok(NULL, WHITESPACE)))
562: {
563: if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
564: {
565: fprintf(stderr, "%s line %d: too many allow groups.\n",
566: filename, linenum);
567: exit(1);
568: }
569: options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
570: }
571: break;
572:
573: case sDenyGroups:
574: while ((cp = strtok(NULL, WHITESPACE)))
575: {
576: if (options->num_deny_groups >= MAX_DENY_GROUPS)
577: {
578: fprintf(stderr, "%s line %d: too many deny groups.\n",
579: filename, linenum);
580: exit(1);
581: }
582: options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
1.1 deraadt 583: }
584: break;
585:
586: default:
587: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
588: filename, linenum, cp, opcode);
589: exit(1);
590: }
591: if (strtok(NULL, WHITESPACE) != NULL)
592: {
593: fprintf(stderr, "%s line %d: garbage at end of line.\n",
594: filename, linenum);
595: exit(1);
596: }
597: }
598: fclose(f);
599: }