1 
2 /* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
22 
23 #include <ctype.h>
24 #include <netdb.h>
25 #include <pwd.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <signal.h>
30 #include <unistd.h>
31 #include <limits.h>
32 #include <stdarg.h>
33 #include <errno.h>
34 #ifdef HAVE_UTIL_H
35 #include <util.h>
36 #endif
37 
38 #include "openbsd-compat/sys-queue.h"
39 #include "xmalloc.h"
40 #include "ssh.h"
41 #include "log.h"
42 #include "buffer.h"
43 #include "misc.h"
44 #include "servconf.h"
45 #include "compat.h"
46 #include "pathnames.h"
47 #include "cipher.h"
48 #include "key.h"
49 #include "kex.h"
50 #include "mac.h"
51 #include "match.h"
52 #include "channels.h"
53 #include "groupaccess.h"
54 #include "canohost.h"
55 #include "packet.h"
56 #include "hostfile.h"
57 #include "auth.h"
58 #include "myproposal.h"
59 #include "digest.h"
60 
61 #ifdef ANDROID
62 #include <cutils/properties.h>
63 #endif
64 
65 static void add_listen_addr(ServerOptions *, char *, int);
66 static void add_one_listen_addr(ServerOptions *, char *, int);
67 
68 /* Use of privilege separation or not */
69 extern int use_privsep;
70 extern Buffer cfg;
71 
72 /* Initializes the server options to their default values. */
73 
74 void
initialize_server_options(ServerOptions * options)75 initialize_server_options(ServerOptions *options)
76 {
77 	memset(options, 0, sizeof(*options));
78 
79 	/* Portable-specific options */
80 	options->use_pam = -1;
81 
82 	/* Standard Options */
83 	options->num_ports = 0;
84 	options->ports_from_cmdline = 0;
85 	options->queued_listen_addrs = NULL;
86 	options->num_queued_listens = 0;
87 	options->listen_addrs = NULL;
88 	options->address_family = -1;
89 	options->num_host_key_files = 0;
90 	options->num_host_cert_files = 0;
91 	options->host_key_agent = NULL;
92 	options->pid_file = NULL;
93 	options->server_key_bits = -1;
94 	options->login_grace_time = -1;
95 	options->key_regeneration_time = -1;
96 	options->permit_root_login = PERMIT_NOT_SET;
97 	options->ignore_rhosts = -1;
98 	options->ignore_user_known_hosts = -1;
99 	options->print_motd = -1;
100 	options->print_lastlog = -1;
101 	options->x11_forwarding = -1;
102 	options->x11_display_offset = -1;
103 	options->x11_use_localhost = -1;
104 	options->permit_tty = -1;
105 	options->permit_user_rc = -1;
106 	options->xauth_location = NULL;
107 	options->strict_modes = -1;
108 	options->tcp_keep_alive = -1;
109 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
110 	options->log_level = SYSLOG_LEVEL_NOT_SET;
111 	options->rhosts_rsa_authentication = -1;
112 	options->hostbased_authentication = -1;
113 	options->hostbased_uses_name_from_packet_only = -1;
114 	options->hostbased_key_types = NULL;
115 	options->hostkeyalgorithms = NULL;
116 	options->rsa_authentication = -1;
117 	options->pubkey_authentication = -1;
118 	options->pubkey_key_types = NULL;
119 	options->kerberos_authentication = -1;
120 	options->kerberos_or_local_passwd = -1;
121 	options->kerberos_ticket_cleanup = -1;
122 	options->kerberos_get_afs_token = -1;
123 	options->gss_authentication=-1;
124 	options->gss_cleanup_creds = -1;
125 	options->gss_strict_acceptor = -1;
126 	options->password_authentication = -1;
127 	options->kbd_interactive_authentication = -1;
128 	options->challenge_response_authentication = -1;
129 	options->permit_empty_passwd = -1;
130 	options->permit_user_env = -1;
131 	options->use_login = -1;
132 	options->compression = -1;
133 	options->rekey_limit = -1;
134 	options->rekey_interval = -1;
135 	options->allow_tcp_forwarding = -1;
136 	options->allow_streamlocal_forwarding = -1;
137 	options->allow_agent_forwarding = -1;
138 	options->num_allow_users = 0;
139 	options->num_deny_users = 0;
140 	options->num_allow_groups = 0;
141 	options->num_deny_groups = 0;
142 	options->ciphers = NULL;
143 	options->macs = NULL;
144 	options->kex_algorithms = NULL;
145 	options->protocol = SSH_PROTO_UNKNOWN;
146 	options->fwd_opts.gateway_ports = -1;
147 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
148 	options->fwd_opts.streamlocal_bind_unlink = -1;
149 	options->num_subsystems = 0;
150 	options->max_startups_begin = -1;
151 	options->max_startups_rate = -1;
152 	options->max_startups = -1;
153 	options->max_authtries = -1;
154 	options->max_sessions = -1;
155 	options->banner = NULL;
156 	options->use_dns = -1;
157 	options->client_alive_interval = -1;
158 	options->client_alive_count_max = -1;
159 	options->num_authkeys_files = 0;
160 	options->num_accept_env = 0;
161 	options->permit_tun = -1;
162 	options->num_permitted_opens = -1;
163 	options->adm_forced_command = NULL;
164 	options->chroot_directory = NULL;
165 	options->authorized_keys_command = NULL;
166 	options->authorized_keys_command_user = NULL;
167 	options->revoked_keys_file = NULL;
168 	options->trusted_user_ca_keys = NULL;
169 	options->authorized_principals_file = NULL;
170 	options->authorized_principals_command = NULL;
171 	options->authorized_principals_command_user = NULL;
172 	options->ip_qos_interactive = -1;
173 	options->ip_qos_bulk = -1;
174 	options->version_addendum = NULL;
175 	options->fingerprint_hash = -1;
176 }
177 
178 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
179 static int
option_clear_or_none(const char * o)180 option_clear_or_none(const char *o)
181 {
182 	return o == NULL || strcasecmp(o, "none") == 0;
183 }
184 
185 void
fill_default_server_options(ServerOptions * options)186 fill_default_server_options(ServerOptions *options)
187 {
188 	int i;
189 
190 	/* Portable-specific options */
191 	if (options->use_pam == -1)
192 		options->use_pam = 0;
193 
194 	/* Standard Options */
195 	if (options->protocol == SSH_PROTO_UNKNOWN)
196 		options->protocol = SSH_PROTO_2;
197 	if (options->num_host_key_files == 0) {
198 		/* fill default hostkeys for protocols */
199 		if (options->protocol & SSH_PROTO_1)
200 			options->host_key_files[options->num_host_key_files++] =
201 			    _PATH_HOST_KEY_FILE;
202 		if (options->protocol & SSH_PROTO_2) {
203 			options->host_key_files[options->num_host_key_files++] =
204 			    _PATH_HOST_RSA_KEY_FILE;
205 			options->host_key_files[options->num_host_key_files++] =
206 			    _PATH_HOST_DSA_KEY_FILE;
207 #ifdef OPENSSL_HAS_ECC
208 			options->host_key_files[options->num_host_key_files++] =
209 			    _PATH_HOST_ECDSA_KEY_FILE;
210 #endif
211 			options->host_key_files[options->num_host_key_files++] =
212 			    _PATH_HOST_ED25519_KEY_FILE;
213 		}
214 	}
215 	/* No certificates by default */
216 	if (options->num_ports == 0)
217 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
218 	if (options->address_family == -1)
219 		options->address_family = AF_UNSPEC;
220 	if (options->listen_addrs == NULL)
221 		add_listen_addr(options, NULL, 0);
222 	if (options->pid_file == NULL)
223 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
224 	if (options->server_key_bits == -1)
225 		options->server_key_bits = 1024;
226 	if (options->login_grace_time == -1)
227 		options->login_grace_time = 120;
228 	if (options->key_regeneration_time == -1)
229 		options->key_regeneration_time = 3600;
230 	if (options->permit_root_login == PERMIT_NOT_SET)
231 		options->permit_root_login = PERMIT_NO_PASSWD;
232 	if (options->ignore_rhosts == -1)
233 		options->ignore_rhosts = 1;
234 	if (options->ignore_user_known_hosts == -1)
235 		options->ignore_user_known_hosts = 0;
236 	if (options->print_motd == -1)
237 		options->print_motd = 1;
238 	if (options->print_lastlog == -1)
239 		options->print_lastlog = 1;
240 	if (options->x11_forwarding == -1)
241 		options->x11_forwarding = 0;
242 	if (options->x11_display_offset == -1)
243 		options->x11_display_offset = 10;
244 	if (options->x11_use_localhost == -1)
245 		options->x11_use_localhost = 1;
246 	if (options->xauth_location == NULL)
247 		options->xauth_location = xstrdup(_PATH_XAUTH);
248 	if (options->permit_tty == -1)
249 		options->permit_tty = 1;
250 	if (options->permit_user_rc == -1)
251 		options->permit_user_rc = 1;
252 	if (options->strict_modes == -1)
253 		options->strict_modes = 1;
254 	if (options->tcp_keep_alive == -1)
255 		options->tcp_keep_alive = 1;
256 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
257 		options->log_facility = SYSLOG_FACILITY_AUTH;
258 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
259 		options->log_level = SYSLOG_LEVEL_INFO;
260 	if (options->rhosts_rsa_authentication == -1)
261 		options->rhosts_rsa_authentication = 0;
262 	if (options->hostbased_authentication == -1)
263 		options->hostbased_authentication = 0;
264 	if (options->hostbased_uses_name_from_packet_only == -1)
265 		options->hostbased_uses_name_from_packet_only = 0;
266 	if (options->hostkeyalgorithms == NULL)
267 		options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
268 	if (options->rsa_authentication == -1)
269 		options->rsa_authentication = 1;
270 	if (options->pubkey_authentication == -1)
271 		options->pubkey_authentication = 1;
272 	if (options->kerberos_authentication == -1)
273 		options->kerberos_authentication = 0;
274 	if (options->kerberos_or_local_passwd == -1)
275 		options->kerberos_or_local_passwd = 1;
276 	if (options->kerberos_ticket_cleanup == -1)
277 		options->kerberos_ticket_cleanup = 1;
278 	if (options->kerberos_get_afs_token == -1)
279 		options->kerberos_get_afs_token = 0;
280 	if (options->gss_authentication == -1)
281 		options->gss_authentication = 0;
282 	if (options->gss_cleanup_creds == -1)
283 		options->gss_cleanup_creds = 1;
284 	if (options->gss_strict_acceptor == -1)
285 		options->gss_strict_acceptor = 0;
286 	if (options->password_authentication == -1)
287 		options->password_authentication = 1;
288 	if (options->kbd_interactive_authentication == -1)
289 		options->kbd_interactive_authentication = 0;
290 	if (options->challenge_response_authentication == -1)
291 		options->challenge_response_authentication = 1;
292 	if (options->permit_empty_passwd == -1)
293 		options->permit_empty_passwd = 0;
294 	if (options->permit_user_env == -1)
295 		options->permit_user_env = 0;
296 	if (options->use_login == -1)
297 		options->use_login = 0;
298 	if (options->compression == -1)
299 		options->compression = COMP_DELAYED;
300 	if (options->rekey_limit == -1)
301 		options->rekey_limit = 0;
302 	if (options->rekey_interval == -1)
303 		options->rekey_interval = 0;
304 	if (options->allow_tcp_forwarding == -1)
305 		options->allow_tcp_forwarding = FORWARD_ALLOW;
306 	if (options->allow_streamlocal_forwarding == -1)
307 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
308 	if (options->allow_agent_forwarding == -1)
309 		options->allow_agent_forwarding = 1;
310 	if (options->fwd_opts.gateway_ports == -1)
311 		options->fwd_opts.gateway_ports = 0;
312 	if (options->max_startups == -1)
313 		options->max_startups = 100;
314 	if (options->max_startups_rate == -1)
315 		options->max_startups_rate = 30;		/* 30% */
316 	if (options->max_startups_begin == -1)
317 		options->max_startups_begin = 10;
318 	if (options->max_authtries == -1)
319 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
320 	if (options->max_sessions == -1)
321 		options->max_sessions = DEFAULT_SESSIONS_MAX;
322 	if (options->use_dns == -1)
323 		options->use_dns = 0;
324 	if (options->client_alive_interval == -1)
325 		options->client_alive_interval = 0;
326 	if (options->client_alive_count_max == -1)
327 		options->client_alive_count_max = 3;
328 	if (options->num_authkeys_files == 0) {
329 		options->authorized_keys_files[options->num_authkeys_files++] =
330 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
331 		options->authorized_keys_files[options->num_authkeys_files++] =
332 		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
333 	}
334 	if (options->permit_tun == -1)
335 		options->permit_tun = SSH_TUNMODE_NO;
336 	if (options->ip_qos_interactive == -1)
337 		options->ip_qos_interactive = IPTOS_LOWDELAY;
338 	if (options->ip_qos_bulk == -1)
339 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
340 	if (options->version_addendum == NULL)
341 		options->version_addendum = xstrdup("");
342 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
343 		options->fwd_opts.streamlocal_bind_mask = 0177;
344 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
345 		options->fwd_opts.streamlocal_bind_unlink = 0;
346 	if (options->fingerprint_hash == -1)
347 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
348 
349 	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
350 	    kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
351 	    kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
352 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
353 	    &options->hostbased_key_types) != 0 ||
354 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
355 	    &options->pubkey_key_types) != 0)
356 		fatal("%s: kex_assemble_names failed", __func__);
357 
358 	/* Turn privilege separation on by default */
359 	if (use_privsep == -1)
360 		use_privsep = PRIVSEP_NOSANDBOX;
361 
362 #define CLEAR_ON_NONE(v) \
363 	do { \
364 		if (option_clear_or_none(v)) { \
365 			free(v); \
366 			v = NULL; \
367 		} \
368 	} while(0)
369 	CLEAR_ON_NONE(options->pid_file);
370 	CLEAR_ON_NONE(options->xauth_location);
371 	CLEAR_ON_NONE(options->banner);
372 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
373 	CLEAR_ON_NONE(options->revoked_keys_file);
374 	CLEAR_ON_NONE(options->authorized_principals_file);
375 	for (i = 0; i < options->num_host_key_files; i++)
376 		CLEAR_ON_NONE(options->host_key_files[i]);
377 	for (i = 0; i < options->num_host_cert_files; i++)
378 		CLEAR_ON_NONE(options->host_cert_files[i]);
379 #undef CLEAR_ON_NONE
380 
381 #ifndef HAVE_MMAP
382 	if (use_privsep && options->compression == 1) {
383 		error("This platform does not support both privilege "
384 		    "separation and compression");
385 		error("Compression disabled");
386 		options->compression = 0;
387 	}
388 #endif
389 
390 }
391 
392 /* Keyword tokens. */
393 typedef enum {
394 	sBadOption,		/* == unknown option */
395 	/* Portable-specific options */
396 	sUsePAM,
397 	/* Standard Options */
398 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
399 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
400 	sRhostsRSAAuthentication, sRSAAuthentication,
401 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
402 	sKerberosGetAFSToken,
403 	sKerberosTgtPassing, sChallengeResponseAuthentication,
404 	sPasswordAuthentication, sKbdInteractiveAuthentication,
405 	sListenAddress, sAddressFamily,
406 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
407 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
408 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
409 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
410 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
411 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
412 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
413 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
414 	sBanner, sUseDNS, sHostbasedAuthentication,
415 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
416 	sHostKeyAlgorithms,
417 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
418 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
419 	sAcceptEnv, sPermitTunnel,
420 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
421 	sUsePrivilegeSeparation, sAllowAgentForwarding,
422 	sHostCertificate,
423 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
424 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
425 	sKexAlgorithms, sIPQoS, sVersionAddendum,
426 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
427 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
428 	sStreamLocalBindMask, sStreamLocalBindUnlink,
429 	sAllowStreamLocalForwarding, sFingerprintHash,
430 	sDeprecated, sUnsupported
431 } ServerOpCodes;
432 
433 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
434 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
435 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
436 
437 /* Textual representation of the tokens. */
438 static struct {
439 	const char *name;
440 	ServerOpCodes opcode;
441 	u_int flags;
442 } keywords[] = {
443 	/* Portable-specific options */
444 #ifdef USE_PAM
445 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
446 #else
447 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
448 #endif
449 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
450 	/* Standard Options */
451 	{ "port", sPort, SSHCFG_GLOBAL },
452 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
453 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
454 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
455 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
456 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
457 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
458 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
459 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
460 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
461 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
462 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
463 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
464 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
465 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
466 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
467 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
468 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
469 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
470 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
471 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
472 #ifdef KRB5
473 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
474 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
475 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
476 #ifdef USE_AFS
477 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
478 #else
479 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
480 #endif
481 #else
482 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
483 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
484 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
485 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
486 #endif
487 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
488 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
489 #ifdef GSSAPI
490 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
491 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
492 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
493 #else
494 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
495 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
496 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
497 #endif
498 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
499 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
500 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
501 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
502 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
503 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
504 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
505 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
506 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
507 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
508 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
509 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
510 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
511 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
512 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
513 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
514 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
515 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
516 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
517 	{ "compression", sCompression, SSHCFG_GLOBAL },
518 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
519 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
520 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
521 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
522 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
523 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
524 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
525 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
526 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
527 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
528 	{ "macs", sMacs, SSHCFG_GLOBAL },
529 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
530 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
531 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
532 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
533 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
534 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
535 	{ "banner", sBanner, SSHCFG_ALL },
536 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
537 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
538 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
539 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
540 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
541 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
542 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
543 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
544 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
545 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
546 	{ "permittty", sPermitTTY, SSHCFG_ALL },
547 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
548 	{ "match", sMatch, SSHCFG_ALL },
549 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
550 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
551 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
552 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
553 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
554 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
555 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
556 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
557 	{ "ipqos", sIPQoS, SSHCFG_ALL },
558 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
559 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
560 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
561 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
562 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
563 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
564 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
565 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
566 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
567 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
568 	{ NULL, sBadOption, 0 }
569 };
570 
571 static struct {
572 	int val;
573 	char *text;
574 } tunmode_desc[] = {
575 	{ SSH_TUNMODE_NO, "no" },
576 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
577 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
578 	{ SSH_TUNMODE_YES, "yes" },
579 	{ -1, NULL }
580 };
581 
582 /*
583  * Returns the number of the token pointed to by cp or sBadOption.
584  */
585 
586 static ServerOpCodes
parse_token(const char * cp,const char * filename,int linenum,u_int * flags)587 parse_token(const char *cp, const char *filename,
588 	    int linenum, u_int *flags)
589 {
590 	u_int i;
591 
592 	for (i = 0; keywords[i].name; i++)
593 		if (strcasecmp(cp, keywords[i].name) == 0) {
594 			*flags = keywords[i].flags;
595 			return keywords[i].opcode;
596 		}
597 
598 	error("%s: line %d: Bad configuration option: %s",
599 	    filename, linenum, cp);
600 	return sBadOption;
601 }
602 
603 char *
derelativise_path(const char * path)604 derelativise_path(const char *path)
605 {
606 	char *expanded, *ret, cwd[PATH_MAX];
607 
608 	if (strcasecmp(path, "none") == 0)
609 		return xstrdup("none");
610 	expanded = tilde_expand_filename(path, getuid());
611 	if (*expanded == '/')
612 		return expanded;
613 	if (getcwd(cwd, sizeof(cwd)) == NULL)
614 		fatal("%s: getcwd: %s", __func__, strerror(errno));
615 	xasprintf(&ret, "%s/%s", cwd, expanded);
616 	free(expanded);
617 	return ret;
618 }
619 
620 static void
add_listen_addr(ServerOptions * options,char * addr,int port)621 add_listen_addr(ServerOptions *options, char *addr, int port)
622 {
623 	u_int i;
624 
625 	if (port == 0)
626 		for (i = 0; i < options->num_ports; i++)
627 			add_one_listen_addr(options, addr, options->ports[i]);
628 	else
629 		add_one_listen_addr(options, addr, port);
630 }
631 
632 static void
add_one_listen_addr(ServerOptions * options,char * addr,int port)633 add_one_listen_addr(ServerOptions *options, char *addr, int port)
634 {
635 	struct addrinfo hints, *ai, *aitop;
636 	char strport[NI_MAXSERV];
637 	int gaierr;
638 
639 	memset(&hints, 0, sizeof(hints));
640 	hints.ai_family = options->address_family;
641 	hints.ai_socktype = SOCK_STREAM;
642 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
643 	snprintf(strport, sizeof strport, "%d", port);
644 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
645 		fatal("bad addr or host: %s (%s)",
646 		    addr ? addr : "<NULL>",
647 		    ssh_gai_strerror(gaierr));
648 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
649 		;
650 	ai->ai_next = options->listen_addrs;
651 	options->listen_addrs = aitop;
652 }
653 
654 /*
655  * Queue a ListenAddress to be processed once we have all of the Ports
656  * and AddressFamily options.
657  */
658 static void
queue_listen_addr(ServerOptions * options,char * addr,int port)659 queue_listen_addr(ServerOptions *options, char *addr, int port)
660 {
661 	options->queued_listen_addrs = xreallocarray(
662 	    options->queued_listen_addrs, options->num_queued_listens + 1,
663 	    sizeof(addr));
664 	options->queued_listen_ports = xreallocarray(
665 	    options->queued_listen_ports, options->num_queued_listens + 1,
666 	    sizeof(port));
667 	options->queued_listen_addrs[options->num_queued_listens] =
668 	    xstrdup(addr);
669 	options->queued_listen_ports[options->num_queued_listens] = port;
670 	options->num_queued_listens++;
671 }
672 
673 /*
674  * Process queued (text) ListenAddress entries.
675  */
676 static void
process_queued_listen_addrs(ServerOptions * options)677 process_queued_listen_addrs(ServerOptions *options)
678 {
679 	u_int i;
680 
681 	if (options->num_ports == 0)
682 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
683 	if (options->address_family == -1)
684 		options->address_family = AF_UNSPEC;
685 
686 	for (i = 0; i < options->num_queued_listens; i++) {
687 		add_listen_addr(options, options->queued_listen_addrs[i],
688 		    options->queued_listen_ports[i]);
689 		free(options->queued_listen_addrs[i]);
690 		options->queued_listen_addrs[i] = NULL;
691 	}
692 	free(options->queued_listen_addrs);
693 	options->queued_listen_addrs = NULL;
694 	free(options->queued_listen_ports);
695 	options->queued_listen_ports = NULL;
696 	options->num_queued_listens = 0;
697 }
698 
699 struct connection_info *
get_connection_info(int populate,int use_dns)700 get_connection_info(int populate, int use_dns)
701 {
702 	static struct connection_info ci;
703 
704 	if (!populate)
705 		return &ci;
706 	ci.host = get_canonical_hostname(use_dns);
707 	ci.address = get_remote_ipaddr();
708 	ci.laddress = get_local_ipaddr(packet_get_connection_in());
709 	ci.lport = get_local_port();
710 	return &ci;
711 }
712 
713 /*
714  * The strategy for the Match blocks is that the config file is parsed twice.
715  *
716  * The first time is at startup.  activep is initialized to 1 and the
717  * directives in the global context are processed and acted on.  Hitting a
718  * Match directive unsets activep and the directives inside the block are
719  * checked for syntax only.
720  *
721  * The second time is after a connection has been established but before
722  * authentication.  activep is initialized to 2 and global config directives
723  * are ignored since they have already been processed.  If the criteria in a
724  * Match block is met, activep is set and the subsequent directives
725  * processed and actioned until EOF or another Match block unsets it.  Any
726  * options set are copied into the main server config.
727  *
728  * Potential additions/improvements:
729  *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
730  *
731  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
732  *	Match Address 192.168.0.*
733  *		Tag trusted
734  *	Match Group wheel
735  *		Tag trusted
736  *	Match Tag trusted
737  *		AllowTcpForwarding yes
738  *		GatewayPorts clientspecified
739  *		[...]
740  *
741  *  - Add a PermittedChannelRequests directive
742  *	Match Group shell
743  *		PermittedChannelRequests session,forwarded-tcpip
744  */
745 
746 static int
match_cfg_line_group(const char * grps,int line,const char * user)747 match_cfg_line_group(const char *grps, int line, const char *user)
748 {
749 	int result = 0;
750 	struct passwd *pw;
751 
752 	if (user == NULL)
753 		goto out;
754 
755 	if ((pw = getpwnam(user)) == NULL) {
756 		debug("Can't match group at line %d because user %.100s does "
757 		    "not exist", line, user);
758 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
759 		debug("Can't Match group because user %.100s not in any group "
760 		    "at line %d", user, line);
761 	} else if (ga_match_pattern_list(grps) != 1) {
762 		debug("user %.100s does not match group list %.100s at line %d",
763 		    user, grps, line);
764 	} else {
765 		debug("user %.100s matched group list %.100s at line %d", user,
766 		    grps, line);
767 		result = 1;
768 	}
769 out:
770 	ga_free();
771 	return result;
772 }
773 
774 /*
775  * All of the attributes on a single Match line are ANDed together, so we need
776  * to check every attribute and set the result to zero if any attribute does
777  * not match.
778  */
779 static int
match_cfg_line(char ** condition,int line,struct connection_info * ci)780 match_cfg_line(char **condition, int line, struct connection_info *ci)
781 {
782 	int result = 1, attributes = 0, port;
783 	char *arg, *attrib, *cp = *condition;
784 
785 	if (ci == NULL)
786 		debug3("checking syntax for 'Match %s'", cp);
787 	else
788 		debug3("checking match for '%s' user %s host %s addr %s "
789 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
790 		    ci->host ? ci->host : "(null)",
791 		    ci->address ? ci->address : "(null)",
792 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
793 
794 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
795 		attributes++;
796 		if (strcasecmp(attrib, "all") == 0) {
797 			if (attributes != 1 ||
798 			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
799 				error("'all' cannot be combined with other "
800 				    "Match attributes");
801 				return -1;
802 			}
803 			*condition = cp;
804 			return 1;
805 		}
806 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
807 			error("Missing Match criteria for %s", attrib);
808 			return -1;
809 		}
810 		if (strcasecmp(attrib, "user") == 0) {
811 			if (ci == NULL || ci->user == NULL) {
812 				result = 0;
813 				continue;
814 			}
815 			if (match_pattern_list(ci->user, arg, 0) != 1)
816 				result = 0;
817 			else
818 				debug("user %.100s matched 'User %.100s' at "
819 				    "line %d", ci->user, arg, line);
820 		} else if (strcasecmp(attrib, "group") == 0) {
821 			if (ci == NULL || ci->user == NULL) {
822 				result = 0;
823 				continue;
824 			}
825 			switch (match_cfg_line_group(arg, line, ci->user)) {
826 			case -1:
827 				return -1;
828 			case 0:
829 				result = 0;
830 			}
831 		} else if (strcasecmp(attrib, "host") == 0) {
832 			if (ci == NULL || ci->host == NULL) {
833 				result = 0;
834 				continue;
835 			}
836 			if (match_hostname(ci->host, arg) != 1)
837 				result = 0;
838 			else
839 				debug("connection from %.100s matched 'Host "
840 				    "%.100s' at line %d", ci->host, arg, line);
841 		} else if (strcasecmp(attrib, "address") == 0) {
842 			if (ci == NULL || ci->address == NULL) {
843 				result = 0;
844 				continue;
845 			}
846 			switch (addr_match_list(ci->address, arg)) {
847 			case 1:
848 				debug("connection from %.100s matched 'Address "
849 				    "%.100s' at line %d", ci->address, arg, line);
850 				break;
851 			case 0:
852 			case -1:
853 				result = 0;
854 				break;
855 			case -2:
856 				return -1;
857 			}
858 		} else if (strcasecmp(attrib, "localaddress") == 0){
859 			if (ci == NULL || ci->laddress == NULL) {
860 				result = 0;
861 				continue;
862 			}
863 			switch (addr_match_list(ci->laddress, arg)) {
864 			case 1:
865 				debug("connection from %.100s matched "
866 				    "'LocalAddress %.100s' at line %d",
867 				    ci->laddress, arg, line);
868 				break;
869 			case 0:
870 			case -1:
871 				result = 0;
872 				break;
873 			case -2:
874 				return -1;
875 			}
876 		} else if (strcasecmp(attrib, "localport") == 0) {
877 			if ((port = a2port(arg)) == -1) {
878 				error("Invalid LocalPort '%s' on Match line",
879 				    arg);
880 				return -1;
881 			}
882 			if (ci == NULL || ci->lport == 0) {
883 				result = 0;
884 				continue;
885 			}
886 			/* TODO support port lists */
887 			if (port == ci->lport)
888 				debug("connection from %.100s matched "
889 				    "'LocalPort %d' at line %d",
890 				    ci->laddress, port, line);
891 			else
892 				result = 0;
893 		} else {
894 			error("Unsupported Match attribute %s", attrib);
895 			return -1;
896 		}
897 	}
898 	if (attributes == 0) {
899 		error("One or more attributes required for Match");
900 		return -1;
901 	}
902 	if (ci != NULL)
903 		debug3("match %sfound", result ? "" : "not ");
904 	*condition = cp;
905 	return result;
906 }
907 
908 #define WHITESPACE " \t\r\n"
909 
910 /* Multistate option parsing */
911 struct multistate {
912 	char *key;
913 	int value;
914 };
915 static const struct multistate multistate_addressfamily[] = {
916 	{ "inet",			AF_INET },
917 	{ "inet6",			AF_INET6 },
918 	{ "any",			AF_UNSPEC },
919 	{ NULL, -1 }
920 };
921 static const struct multistate multistate_permitrootlogin[] = {
922 	{ "without-password",		PERMIT_NO_PASSWD },
923 	{ "prohibit-password",		PERMIT_NO_PASSWD },
924 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
925 	{ "yes",			PERMIT_YES },
926 	{ "no",				PERMIT_NO },
927 	{ NULL, -1 }
928 };
929 static const struct multistate multistate_compression[] = {
930 	{ "delayed",			COMP_DELAYED },
931 	{ "yes",			COMP_ZLIB },
932 	{ "no",				COMP_NONE },
933 	{ NULL, -1 }
934 };
935 static const struct multistate multistate_gatewayports[] = {
936 	{ "clientspecified",		2 },
937 	{ "yes",			1 },
938 	{ "no",				0 },
939 	{ NULL, -1 }
940 };
941 static const struct multistate multistate_privsep[] = {
942 	{ "yes",			PRIVSEP_NOSANDBOX },
943 	{ "sandbox",			PRIVSEP_ON },
944 	{ "nosandbox",			PRIVSEP_NOSANDBOX },
945 	{ "no",				PRIVSEP_OFF },
946 	{ NULL, -1 }
947 };
948 static const struct multistate multistate_tcpfwd[] = {
949 	{ "yes",			FORWARD_ALLOW },
950 	{ "all",			FORWARD_ALLOW },
951 	{ "no",				FORWARD_DENY },
952 	{ "remote",			FORWARD_REMOTE },
953 	{ "local",			FORWARD_LOCAL },
954 	{ NULL, -1 }
955 };
956 
957 int
process_server_config_line(ServerOptions * options,char * line,const char * filename,int linenum,int * activep,struct connection_info * connectinfo)958 process_server_config_line(ServerOptions *options, char *line,
959     const char *filename, int linenum, int *activep,
960     struct connection_info *connectinfo)
961 {
962 	char *cp, **charptr, *arg, *p;
963 	int cmdline = 0, *intptr, value, value2, n, port;
964 	SyslogFacility *log_facility_ptr;
965 	LogLevel *log_level_ptr;
966 	ServerOpCodes opcode;
967 	u_int i, flags = 0;
968 	size_t len;
969 	long long val64;
970 	const struct multistate *multistate_ptr;
971 
972 	cp = line;
973 	if ((arg = strdelim(&cp)) == NULL)
974 		return 0;
975 	/* Ignore leading whitespace */
976 	if (*arg == '\0')
977 		arg = strdelim(&cp);
978 	if (!arg || !*arg || *arg == '#')
979 		return 0;
980 	intptr = NULL;
981 	charptr = NULL;
982 	opcode = parse_token(arg, filename, linenum, &flags);
983 
984 	if (activep == NULL) { /* We are processing a command line directive */
985 		cmdline = 1;
986 		activep = &cmdline;
987 	}
988 	if (*activep && opcode != sMatch)
989 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
990 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
991 		if (connectinfo == NULL) {
992 			fatal("%s line %d: Directive '%s' is not allowed "
993 			    "within a Match block", filename, linenum, arg);
994 		} else { /* this is a directive we have already processed */
995 			while (arg)
996 				arg = strdelim(&cp);
997 			return 0;
998 		}
999 	}
1000 
1001 	switch (opcode) {
1002 	/* Portable-specific options */
1003 	case sUsePAM:
1004 		intptr = &options->use_pam;
1005 		goto parse_flag;
1006 
1007 	/* Standard Options */
1008 	case sBadOption:
1009 		return -1;
1010 	case sPort:
1011 		/* ignore ports from configfile if cmdline specifies ports */
1012 		if (options->ports_from_cmdline)
1013 			return 0;
1014 		if (options->num_ports >= MAX_PORTS)
1015 			fatal("%s line %d: too many ports.",
1016 			    filename, linenum);
1017 		arg = strdelim(&cp);
1018 		if (!arg || *arg == '\0')
1019 			fatal("%s line %d: missing port number.",
1020 			    filename, linenum);
1021 		options->ports[options->num_ports++] = a2port(arg);
1022 		if (options->ports[options->num_ports-1] <= 0)
1023 			fatal("%s line %d: Badly formatted port number.",
1024 			    filename, linenum);
1025 		break;
1026 
1027 	case sServerKeyBits:
1028 		intptr = &options->server_key_bits;
1029  parse_int:
1030 		arg = strdelim(&cp);
1031 		if (!arg || *arg == '\0')
1032 			fatal("%s line %d: missing integer value.",
1033 			    filename, linenum);
1034 		value = atoi(arg);
1035 		if (*activep && *intptr == -1)
1036 			*intptr = value;
1037 		break;
1038 
1039 	case sLoginGraceTime:
1040 		intptr = &options->login_grace_time;
1041  parse_time:
1042 		arg = strdelim(&cp);
1043 		if (!arg || *arg == '\0')
1044 			fatal("%s line %d: missing time value.",
1045 			    filename, linenum);
1046 		if ((value = convtime(arg)) == -1)
1047 			fatal("%s line %d: invalid time value.",
1048 			    filename, linenum);
1049 		if (*activep && *intptr == -1)
1050 			*intptr = value;
1051 		break;
1052 
1053 	case sKeyRegenerationTime:
1054 		intptr = &options->key_regeneration_time;
1055 		goto parse_time;
1056 
1057 	case sListenAddress:
1058 		arg = strdelim(&cp);
1059 		if (arg == NULL || *arg == '\0')
1060 			fatal("%s line %d: missing address",
1061 			    filename, linenum);
1062 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1063 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1064 		    && strchr(p+1, ':') != NULL) {
1065 			queue_listen_addr(options, arg, 0);
1066 			break;
1067 		}
1068 		p = hpdelim(&arg);
1069 		if (p == NULL)
1070 			fatal("%s line %d: bad address:port usage",
1071 			    filename, linenum);
1072 		p = cleanhostname(p);
1073 		if (arg == NULL)
1074 			port = 0;
1075 		else if ((port = a2port(arg)) <= 0)
1076 			fatal("%s line %d: bad port number", filename, linenum);
1077 
1078 		queue_listen_addr(options, p, port);
1079 
1080 		break;
1081 
1082 	case sAddressFamily:
1083 		intptr = &options->address_family;
1084 		multistate_ptr = multistate_addressfamily;
1085  parse_multistate:
1086 		arg = strdelim(&cp);
1087 		if (!arg || *arg == '\0')
1088 			fatal("%s line %d: missing argument.",
1089 			    filename, linenum);
1090 		value = -1;
1091 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1092 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1093 				value = multistate_ptr[i].value;
1094 				break;
1095 			}
1096 		}
1097 		if (value == -1)
1098 			fatal("%s line %d: unsupported option \"%s\".",
1099 			    filename, linenum, arg);
1100 		if (*activep && *intptr == -1)
1101 			*intptr = value;
1102 		break;
1103 
1104 	case sHostKeyFile:
1105 		intptr = &options->num_host_key_files;
1106 		if (*intptr >= MAX_HOSTKEYS)
1107 			fatal("%s line %d: too many host keys specified (max %d).",
1108 			    filename, linenum, MAX_HOSTKEYS);
1109 		charptr = &options->host_key_files[*intptr];
1110  parse_filename:
1111 		arg = strdelim(&cp);
1112 		if (!arg || *arg == '\0')
1113 			fatal("%s line %d: missing file name.",
1114 			    filename, linenum);
1115 		if (*activep && *charptr == NULL) {
1116 			*charptr = derelativise_path(arg);
1117 			/* increase optional counter */
1118 			if (intptr != NULL)
1119 				*intptr = *intptr + 1;
1120 		}
1121 		break;
1122 
1123 	case sHostKeyAgent:
1124 		charptr = &options->host_key_agent;
1125 		arg = strdelim(&cp);
1126 		if (!arg || *arg == '\0')
1127 			fatal("%s line %d: missing socket name.",
1128 			    filename, linenum);
1129 		if (*activep && *charptr == NULL)
1130 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1131 			    xstrdup(arg) : derelativise_path(arg);
1132 		break;
1133 
1134 	case sHostCertificate:
1135 		intptr = &options->num_host_cert_files;
1136 		if (*intptr >= MAX_HOSTKEYS)
1137 			fatal("%s line %d: too many host certificates "
1138 			    "specified (max %d).", filename, linenum,
1139 			    MAX_HOSTCERTS);
1140 		charptr = &options->host_cert_files[*intptr];
1141 		goto parse_filename;
1142 		break;
1143 
1144 	case sPidFile:
1145 		charptr = &options->pid_file;
1146 		goto parse_filename;
1147 
1148 	case sPermitRootLogin:
1149 		intptr = &options->permit_root_login;
1150 		multistate_ptr = multistate_permitrootlogin;
1151 		goto parse_multistate;
1152 
1153 	case sIgnoreRhosts:
1154 		intptr = &options->ignore_rhosts;
1155  parse_flag:
1156 		arg = strdelim(&cp);
1157 		if (!arg || *arg == '\0')
1158 			fatal("%s line %d: missing yes/no argument.",
1159 			    filename, linenum);
1160 		value = 0;	/* silence compiler */
1161 		if (strcmp(arg, "yes") == 0)
1162 			value = 1;
1163 		else if (strcmp(arg, "no") == 0)
1164 			value = 0;
1165 		else
1166 			fatal("%s line %d: Bad yes/no argument: %s",
1167 				filename, linenum, arg);
1168 		if (*activep && *intptr == -1)
1169 			*intptr = value;
1170 		break;
1171 
1172 	case sIgnoreUserKnownHosts:
1173 		intptr = &options->ignore_user_known_hosts;
1174 		goto parse_flag;
1175 
1176 	case sRhostsRSAAuthentication:
1177 		intptr = &options->rhosts_rsa_authentication;
1178 		goto parse_flag;
1179 
1180 	case sHostbasedAuthentication:
1181 		intptr = &options->hostbased_authentication;
1182 		goto parse_flag;
1183 
1184 	case sHostbasedUsesNameFromPacketOnly:
1185 		intptr = &options->hostbased_uses_name_from_packet_only;
1186 		goto parse_flag;
1187 
1188 	case sHostbasedAcceptedKeyTypes:
1189 		charptr = &options->hostbased_key_types;
1190  parse_keytypes:
1191 		arg = strdelim(&cp);
1192 		if (!arg || *arg == '\0')
1193 			fatal("%s line %d: Missing argument.",
1194 			    filename, linenum);
1195 		if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1196 			fatal("%s line %d: Bad key types '%s'.",
1197 			    filename, linenum, arg ? arg : "<NONE>");
1198 		if (*activep && *charptr == NULL)
1199 			*charptr = xstrdup(arg);
1200 		break;
1201 
1202 	case sHostKeyAlgorithms:
1203 		charptr = &options->hostkeyalgorithms;
1204 		goto parse_keytypes;
1205 
1206 	case sRSAAuthentication:
1207 		intptr = &options->rsa_authentication;
1208 		goto parse_flag;
1209 
1210 	case sPubkeyAuthentication:
1211 		intptr = &options->pubkey_authentication;
1212 		goto parse_flag;
1213 
1214 	case sPubkeyAcceptedKeyTypes:
1215 		charptr = &options->pubkey_key_types;
1216 		goto parse_keytypes;
1217 
1218 	case sKerberosAuthentication:
1219 		intptr = &options->kerberos_authentication;
1220 		goto parse_flag;
1221 
1222 	case sKerberosOrLocalPasswd:
1223 		intptr = &options->kerberos_or_local_passwd;
1224 		goto parse_flag;
1225 
1226 	case sKerberosTicketCleanup:
1227 		intptr = &options->kerberos_ticket_cleanup;
1228 		goto parse_flag;
1229 
1230 	case sKerberosGetAFSToken:
1231 		intptr = &options->kerberos_get_afs_token;
1232 		goto parse_flag;
1233 
1234 	case sGssAuthentication:
1235 		intptr = &options->gss_authentication;
1236 		goto parse_flag;
1237 
1238 	case sGssCleanupCreds:
1239 		intptr = &options->gss_cleanup_creds;
1240 		goto parse_flag;
1241 
1242 	case sGssStrictAcceptor:
1243 		intptr = &options->gss_strict_acceptor;
1244 		goto parse_flag;
1245 
1246 	case sPasswordAuthentication:
1247 		intptr = &options->password_authentication;
1248 		goto parse_flag;
1249 
1250 	case sKbdInteractiveAuthentication:
1251 		intptr = &options->kbd_interactive_authentication;
1252 		goto parse_flag;
1253 
1254 	case sChallengeResponseAuthentication:
1255 		intptr = &options->challenge_response_authentication;
1256 		goto parse_flag;
1257 
1258 	case sPrintMotd:
1259 		intptr = &options->print_motd;
1260 		goto parse_flag;
1261 
1262 	case sPrintLastLog:
1263 		intptr = &options->print_lastlog;
1264 		goto parse_flag;
1265 
1266 	case sX11Forwarding:
1267 		intptr = &options->x11_forwarding;
1268 		goto parse_flag;
1269 
1270 	case sX11DisplayOffset:
1271 		intptr = &options->x11_display_offset;
1272 		goto parse_int;
1273 
1274 	case sX11UseLocalhost:
1275 		intptr = &options->x11_use_localhost;
1276 		goto parse_flag;
1277 
1278 	case sXAuthLocation:
1279 		charptr = &options->xauth_location;
1280 		goto parse_filename;
1281 
1282 	case sPermitTTY:
1283 		intptr = &options->permit_tty;
1284 		goto parse_flag;
1285 
1286 	case sPermitUserRC:
1287 		intptr = &options->permit_user_rc;
1288 		goto parse_flag;
1289 
1290 	case sStrictModes:
1291 		intptr = &options->strict_modes;
1292 		goto parse_flag;
1293 
1294 	case sTCPKeepAlive:
1295 		intptr = &options->tcp_keep_alive;
1296 		goto parse_flag;
1297 
1298 	case sEmptyPasswd:
1299 		intptr = &options->permit_empty_passwd;
1300 		goto parse_flag;
1301 
1302 	case sPermitUserEnvironment:
1303 		intptr = &options->permit_user_env;
1304 		goto parse_flag;
1305 
1306 	case sUseLogin:
1307 		intptr = &options->use_login;
1308 		goto parse_flag;
1309 
1310 	case sCompression:
1311 		intptr = &options->compression;
1312 		multistate_ptr = multistate_compression;
1313 		goto parse_multistate;
1314 
1315 	case sRekeyLimit:
1316 		arg = strdelim(&cp);
1317 		if (!arg || *arg == '\0')
1318 			fatal("%.200s line %d: Missing argument.", filename,
1319 			    linenum);
1320 		if (strcmp(arg, "default") == 0) {
1321 			val64 = 0;
1322 		} else {
1323 			if (scan_scaled(arg, &val64) == -1)
1324 				fatal("%.200s line %d: Bad number '%s': %s",
1325 				    filename, linenum, arg, strerror(errno));
1326 			/* check for too-large or too-small limits */
1327 			if (val64 > UINT_MAX)
1328 				fatal("%.200s line %d: RekeyLimit too large",
1329 				    filename, linenum);
1330 			if (val64 != 0 && val64 < 16)
1331 				fatal("%.200s line %d: RekeyLimit too small",
1332 				    filename, linenum);
1333 		}
1334 		if (*activep && options->rekey_limit == -1)
1335 			options->rekey_limit = (u_int32_t)val64;
1336 		if (cp != NULL) { /* optional rekey interval present */
1337 			if (strcmp(cp, "none") == 0) {
1338 				(void)strdelim(&cp);	/* discard */
1339 				break;
1340 			}
1341 			intptr = &options->rekey_interval;
1342 			goto parse_time;
1343 		}
1344 		break;
1345 
1346 	case sGatewayPorts:
1347 		intptr = &options->fwd_opts.gateway_ports;
1348 		multistate_ptr = multistate_gatewayports;
1349 		goto parse_multistate;
1350 
1351 	case sUseDNS:
1352 		intptr = &options->use_dns;
1353 		goto parse_flag;
1354 
1355 	case sLogFacility:
1356 		log_facility_ptr = &options->log_facility;
1357 		arg = strdelim(&cp);
1358 		value = log_facility_number(arg);
1359 		if (value == SYSLOG_FACILITY_NOT_SET)
1360 			fatal("%.200s line %d: unsupported log facility '%s'",
1361 			    filename, linenum, arg ? arg : "<NONE>");
1362 		if (*log_facility_ptr == -1)
1363 			*log_facility_ptr = (SyslogFacility) value;
1364 		break;
1365 
1366 	case sLogLevel:
1367 		log_level_ptr = &options->log_level;
1368 		arg = strdelim(&cp);
1369 		value = log_level_number(arg);
1370 		if (value == SYSLOG_LEVEL_NOT_SET)
1371 			fatal("%.200s line %d: unsupported log level '%s'",
1372 			    filename, linenum, arg ? arg : "<NONE>");
1373 		if (*log_level_ptr == -1)
1374 			*log_level_ptr = (LogLevel) value;
1375 		break;
1376 
1377 	case sAllowTcpForwarding:
1378 		intptr = &options->allow_tcp_forwarding;
1379 		multistate_ptr = multistate_tcpfwd;
1380 		goto parse_multistate;
1381 
1382 	case sAllowStreamLocalForwarding:
1383 		intptr = &options->allow_streamlocal_forwarding;
1384 		multistate_ptr = multistate_tcpfwd;
1385 		goto parse_multistate;
1386 
1387 	case sAllowAgentForwarding:
1388 		intptr = &options->allow_agent_forwarding;
1389 		goto parse_flag;
1390 
1391 	case sUsePrivilegeSeparation:
1392 		intptr = &use_privsep;
1393 		multistate_ptr = multistate_privsep;
1394 		goto parse_multistate;
1395 
1396 	case sAllowUsers:
1397 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1398 			if (options->num_allow_users >= MAX_ALLOW_USERS)
1399 				fatal("%s line %d: too many allow users.",
1400 				    filename, linenum);
1401 			if (!*activep)
1402 				continue;
1403 			options->allow_users[options->num_allow_users++] =
1404 			    xstrdup(arg);
1405 		}
1406 		break;
1407 
1408 	case sDenyUsers:
1409 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1410 			if (options->num_deny_users >= MAX_DENY_USERS)
1411 				fatal("%s line %d: too many deny users.",
1412 				    filename, linenum);
1413 			if (!*activep)
1414 				continue;
1415 			options->deny_users[options->num_deny_users++] =
1416 			    xstrdup(arg);
1417 		}
1418 		break;
1419 
1420 	case sAllowGroups:
1421 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1422 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1423 				fatal("%s line %d: too many allow groups.",
1424 				    filename, linenum);
1425 			if (!*activep)
1426 				continue;
1427 			options->allow_groups[options->num_allow_groups++] =
1428 			    xstrdup(arg);
1429 		}
1430 		break;
1431 
1432 	case sDenyGroups:
1433 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1434 			if (options->num_deny_groups >= MAX_DENY_GROUPS)
1435 				fatal("%s line %d: too many deny groups.",
1436 				    filename, linenum);
1437 			if (!*activep)
1438 				continue;
1439 			options->deny_groups[options->num_deny_groups++] =
1440 			    xstrdup(arg);
1441 		}
1442 		break;
1443 
1444 	case sCiphers:
1445 		arg = strdelim(&cp);
1446 		if (!arg || *arg == '\0')
1447 			fatal("%s line %d: Missing argument.", filename, linenum);
1448 		if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1449 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1450 			    filename, linenum, arg ? arg : "<NONE>");
1451 		if (options->ciphers == NULL)
1452 			options->ciphers = xstrdup(arg);
1453 		break;
1454 
1455 	case sMacs:
1456 		arg = strdelim(&cp);
1457 		if (!arg || *arg == '\0')
1458 			fatal("%s line %d: Missing argument.", filename, linenum);
1459 		if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1460 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1461 			    filename, linenum, arg ? arg : "<NONE>");
1462 		if (options->macs == NULL)
1463 			options->macs = xstrdup(arg);
1464 		break;
1465 
1466 	case sKexAlgorithms:
1467 		arg = strdelim(&cp);
1468 		if (!arg || *arg == '\0')
1469 			fatal("%s line %d: Missing argument.",
1470 			    filename, linenum);
1471 		if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1472 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1473 			    filename, linenum, arg ? arg : "<NONE>");
1474 		if (options->kex_algorithms == NULL)
1475 			options->kex_algorithms = xstrdup(arg);
1476 		break;
1477 
1478 	case sProtocol:
1479 		intptr = &options->protocol;
1480 		arg = strdelim(&cp);
1481 		if (!arg || *arg == '\0')
1482 			fatal("%s line %d: Missing argument.", filename, linenum);
1483 		value = proto_spec(arg);
1484 		if (value == SSH_PROTO_UNKNOWN)
1485 			fatal("%s line %d: Bad protocol spec '%s'.",
1486 			    filename, linenum, arg ? arg : "<NONE>");
1487 		if (*intptr == SSH_PROTO_UNKNOWN)
1488 			*intptr = value;
1489 		break;
1490 
1491 	case sSubsystem:
1492 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1493 			fatal("%s line %d: too many subsystems defined.",
1494 			    filename, linenum);
1495 		}
1496 		arg = strdelim(&cp);
1497 		if (!arg || *arg == '\0')
1498 			fatal("%s line %d: Missing subsystem name.",
1499 			    filename, linenum);
1500 		if (!*activep) {
1501 			arg = strdelim(&cp);
1502 			break;
1503 		}
1504 		for (i = 0; i < options->num_subsystems; i++)
1505 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1506 				fatal("%s line %d: Subsystem '%s' already defined.",
1507 				    filename, linenum, arg);
1508 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1509 		arg = strdelim(&cp);
1510 		if (!arg || *arg == '\0')
1511 			fatal("%s line %d: Missing subsystem command.",
1512 			    filename, linenum);
1513 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1514 
1515 		/* Collect arguments (separate to executable) */
1516 		p = xstrdup(arg);
1517 		len = strlen(p) + 1;
1518 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1519 			len += 1 + strlen(arg);
1520 			p = xreallocarray(p, 1, len);
1521 			strlcat(p, " ", len);
1522 			strlcat(p, arg, len);
1523 		}
1524 		options->subsystem_args[options->num_subsystems] = p;
1525 		options->num_subsystems++;
1526 		break;
1527 
1528 	case sMaxStartups:
1529 		arg = strdelim(&cp);
1530 		if (!arg || *arg == '\0')
1531 			fatal("%s line %d: Missing MaxStartups spec.",
1532 			    filename, linenum);
1533 		if ((n = sscanf(arg, "%d:%d:%d",
1534 		    &options->max_startups_begin,
1535 		    &options->max_startups_rate,
1536 		    &options->max_startups)) == 3) {
1537 			if (options->max_startups_begin >
1538 			    options->max_startups ||
1539 			    options->max_startups_rate > 100 ||
1540 			    options->max_startups_rate < 1)
1541 				fatal("%s line %d: Illegal MaxStartups spec.",
1542 				    filename, linenum);
1543 		} else if (n != 1)
1544 			fatal("%s line %d: Illegal MaxStartups spec.",
1545 			    filename, linenum);
1546 		else
1547 			options->max_startups = options->max_startups_begin;
1548 		break;
1549 
1550 	case sMaxAuthTries:
1551 		intptr = &options->max_authtries;
1552 		goto parse_int;
1553 
1554 	case sMaxSessions:
1555 		intptr = &options->max_sessions;
1556 		goto parse_int;
1557 
1558 	case sBanner:
1559 		charptr = &options->banner;
1560 		goto parse_filename;
1561 
1562 	/*
1563 	 * These options can contain %X options expanded at
1564 	 * connect time, so that you can specify paths like:
1565 	 *
1566 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1567 	 */
1568 	case sAuthorizedKeysFile:
1569 		if (*activep && options->num_authkeys_files == 0) {
1570 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1571 				if (options->num_authkeys_files >=
1572 				    MAX_AUTHKEYS_FILES)
1573 					fatal("%s line %d: "
1574 					    "too many authorized keys files.",
1575 					    filename, linenum);
1576 				options->authorized_keys_files[
1577 				    options->num_authkeys_files++] =
1578 				    tilde_expand_filename(arg, getuid());
1579 			}
1580 		}
1581 		return 0;
1582 
1583 	case sAuthorizedPrincipalsFile:
1584 		charptr = &options->authorized_principals_file;
1585 		arg = strdelim(&cp);
1586 		if (!arg || *arg == '\0')
1587 			fatal("%s line %d: missing file name.",
1588 			    filename, linenum);
1589 		if (*activep && *charptr == NULL) {
1590 			*charptr = tilde_expand_filename(arg, getuid());
1591 			/* increase optional counter */
1592 			if (intptr != NULL)
1593 				*intptr = *intptr + 1;
1594 		}
1595 		break;
1596 
1597 	case sClientAliveInterval:
1598 		intptr = &options->client_alive_interval;
1599 		goto parse_time;
1600 
1601 	case sClientAliveCountMax:
1602 		intptr = &options->client_alive_count_max;
1603 		goto parse_int;
1604 
1605 	case sAcceptEnv:
1606 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1607 			if (strchr(arg, '=') != NULL)
1608 				fatal("%s line %d: Invalid environment name.",
1609 				    filename, linenum);
1610 			if (options->num_accept_env >= MAX_ACCEPT_ENV)
1611 				fatal("%s line %d: too many allow env.",
1612 				    filename, linenum);
1613 			if (!*activep)
1614 				continue;
1615 			options->accept_env[options->num_accept_env++] =
1616 			    xstrdup(arg);
1617 		}
1618 		break;
1619 
1620 	case sPermitTunnel:
1621 		intptr = &options->permit_tun;
1622 		arg = strdelim(&cp);
1623 		if (!arg || *arg == '\0')
1624 			fatal("%s line %d: Missing yes/point-to-point/"
1625 			    "ethernet/no argument.", filename, linenum);
1626 		value = -1;
1627 		for (i = 0; tunmode_desc[i].val != -1; i++)
1628 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1629 				value = tunmode_desc[i].val;
1630 				break;
1631 			}
1632 		if (value == -1)
1633 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1634 			    "no argument: %s", filename, linenum, arg);
1635 		if (*activep && *intptr == -1)
1636 			*intptr = value;
1637 		break;
1638 
1639 	case sMatch:
1640 		if (cmdline)
1641 			fatal("Match directive not supported as a command-line "
1642 			   "option");
1643 		value = match_cfg_line(&cp, linenum, connectinfo);
1644 		if (value < 0)
1645 			fatal("%s line %d: Bad Match condition", filename,
1646 			    linenum);
1647 		*activep = value;
1648 		break;
1649 
1650 	case sPermitOpen:
1651 		arg = strdelim(&cp);
1652 		if (!arg || *arg == '\0')
1653 			fatal("%s line %d: missing PermitOpen specification",
1654 			    filename, linenum);
1655 		n = options->num_permitted_opens;	/* modified later */
1656 		if (strcmp(arg, "any") == 0) {
1657 			if (*activep && n == -1) {
1658 				channel_clear_adm_permitted_opens();
1659 				options->num_permitted_opens = 0;
1660 			}
1661 			break;
1662 		}
1663 		if (strcmp(arg, "none") == 0) {
1664 			if (*activep && n == -1) {
1665 				options->num_permitted_opens = 1;
1666 				channel_disable_adm_local_opens();
1667 			}
1668 			break;
1669 		}
1670 		if (*activep && n == -1)
1671 			channel_clear_adm_permitted_opens();
1672 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1673 			p = hpdelim(&arg);
1674 			if (p == NULL)
1675 				fatal("%s line %d: missing host in PermitOpen",
1676 				    filename, linenum);
1677 			p = cleanhostname(p);
1678 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1679 				fatal("%s line %d: bad port number in "
1680 				    "PermitOpen", filename, linenum);
1681 			if (*activep && n == -1)
1682 				options->num_permitted_opens =
1683 				    channel_add_adm_permitted_opens(p, port);
1684 		}
1685 		break;
1686 
1687 	case sForceCommand:
1688 		if (cp == NULL || *cp == '\0')
1689 			fatal("%.200s line %d: Missing argument.", filename,
1690 			    linenum);
1691 		len = strspn(cp, WHITESPACE);
1692 		if (*activep && options->adm_forced_command == NULL)
1693 			options->adm_forced_command = xstrdup(cp + len);
1694 		return 0;
1695 
1696 	case sChrootDirectory:
1697 		charptr = &options->chroot_directory;
1698 
1699 		arg = strdelim(&cp);
1700 		if (!arg || *arg == '\0')
1701 			fatal("%s line %d: missing file name.",
1702 			    filename, linenum);
1703 		if (*activep && *charptr == NULL)
1704 			*charptr = xstrdup(arg);
1705 		break;
1706 
1707 	case sTrustedUserCAKeys:
1708 		charptr = &options->trusted_user_ca_keys;
1709 		goto parse_filename;
1710 
1711 	case sRevokedKeys:
1712 		charptr = &options->revoked_keys_file;
1713 		goto parse_filename;
1714 
1715 	case sIPQoS:
1716 		arg = strdelim(&cp);
1717 		if ((value = parse_ipqos(arg)) == -1)
1718 			fatal("%s line %d: Bad IPQoS value: %s",
1719 			    filename, linenum, arg);
1720 		arg = strdelim(&cp);
1721 		if (arg == NULL)
1722 			value2 = value;
1723 		else if ((value2 = parse_ipqos(arg)) == -1)
1724 			fatal("%s line %d: Bad IPQoS value: %s",
1725 			    filename, linenum, arg);
1726 		if (*activep) {
1727 			options->ip_qos_interactive = value;
1728 			options->ip_qos_bulk = value2;
1729 		}
1730 		break;
1731 
1732 	case sVersionAddendum:
1733 		if (cp == NULL || *cp == '\0')
1734 			fatal("%.200s line %d: Missing argument.", filename,
1735 			    linenum);
1736 		len = strspn(cp, WHITESPACE);
1737 		if (*activep && options->version_addendum == NULL) {
1738 			if (strcasecmp(cp + len, "none") == 0)
1739 				options->version_addendum = xstrdup("");
1740 			else if (strchr(cp + len, '\r') != NULL)
1741 				fatal("%.200s line %d: Invalid argument",
1742 				    filename, linenum);
1743 			else
1744 				options->version_addendum = xstrdup(cp + len);
1745 		}
1746 		return 0;
1747 
1748 	case sAuthorizedKeysCommand:
1749 		if (cp == NULL)
1750 			fatal("%.200s line %d: Missing argument.", filename,
1751 			    linenum);
1752 		len = strspn(cp, WHITESPACE);
1753 		if (*activep && options->authorized_keys_command == NULL) {
1754 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1755 				fatal("%.200s line %d: AuthorizedKeysCommand "
1756 				    "must be an absolute path",
1757 				    filename, linenum);
1758 			options->authorized_keys_command = xstrdup(cp + len);
1759 		}
1760 		return 0;
1761 
1762 	case sAuthorizedKeysCommandUser:
1763 		charptr = &options->authorized_keys_command_user;
1764 
1765 		arg = strdelim(&cp);
1766 		if (!arg || *arg == '\0')
1767 			fatal("%s line %d: missing AuthorizedKeysCommandUser "
1768 			    "argument.", filename, linenum);
1769 		if (*activep && *charptr == NULL)
1770 			*charptr = xstrdup(arg);
1771 		break;
1772 
1773 	case sAuthorizedPrincipalsCommand:
1774 		if (cp == NULL)
1775 			fatal("%.200s line %d: Missing argument.", filename,
1776 			    linenum);
1777 		len = strspn(cp, WHITESPACE);
1778 		if (*activep &&
1779 		    options->authorized_principals_command == NULL) {
1780 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1781 				fatal("%.200s line %d: "
1782 				    "AuthorizedPrincipalsCommand must be "
1783 				    "an absolute path", filename, linenum);
1784 			options->authorized_principals_command =
1785 			    xstrdup(cp + len);
1786 		}
1787 		return 0;
1788 
1789 	case sAuthorizedPrincipalsCommandUser:
1790 		charptr = &options->authorized_principals_command_user;
1791 
1792 		arg = strdelim(&cp);
1793 		if (!arg || *arg == '\0')
1794 			fatal("%s line %d: missing "
1795 			    "AuthorizedPrincipalsCommandUser argument.",
1796 			    filename, linenum);
1797 		if (*activep && *charptr == NULL)
1798 			*charptr = xstrdup(arg);
1799 		break;
1800 
1801 	case sAuthenticationMethods:
1802 		if (options->num_auth_methods == 0) {
1803 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1804 				if (options->num_auth_methods >=
1805 				    MAX_AUTH_METHODS)
1806 					fatal("%s line %d: "
1807 					    "too many authentication methods.",
1808 					    filename, linenum);
1809 				if (auth2_methods_valid(arg, 0) != 0)
1810 					fatal("%s line %d: invalid "
1811 					    "authentication method list.",
1812 					    filename, linenum);
1813 				if (!*activep)
1814 					continue;
1815 				options->auth_methods[
1816 				    options->num_auth_methods++] = xstrdup(arg);
1817 			}
1818 		}
1819 		return 0;
1820 
1821 	case sStreamLocalBindMask:
1822 		arg = strdelim(&cp);
1823 		if (!arg || *arg == '\0')
1824 			fatal("%s line %d: missing StreamLocalBindMask "
1825 			    "argument.", filename, linenum);
1826 		/* Parse mode in octal format */
1827 		value = strtol(arg, &p, 8);
1828 		if (arg == p || value < 0 || value > 0777)
1829 			fatal("%s line %d: Bad mask.", filename, linenum);
1830 		if (*activep)
1831 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1832 		break;
1833 
1834 	case sStreamLocalBindUnlink:
1835 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
1836 		goto parse_flag;
1837 
1838 	case sFingerprintHash:
1839 		arg = strdelim(&cp);
1840 		if (!arg || *arg == '\0')
1841 			fatal("%.200s line %d: Missing argument.",
1842 			    filename, linenum);
1843 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
1844 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1845 			    filename, linenum, arg);
1846 		if (*activep)
1847 			options->fingerprint_hash = value;
1848 		break;
1849 
1850 	case sDeprecated:
1851 		logit("%s line %d: Deprecated option %s",
1852 		    filename, linenum, arg);
1853 		while (arg)
1854 		    arg = strdelim(&cp);
1855 		break;
1856 
1857 	case sUnsupported:
1858 		logit("%s line %d: Unsupported option %s",
1859 		    filename, linenum, arg);
1860 		while (arg)
1861 		    arg = strdelim(&cp);
1862 		break;
1863 
1864 	default:
1865 		fatal("%s line %d: Missing handler for opcode %s (%d)",
1866 		    filename, linenum, arg, opcode);
1867 	}
1868 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1869 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
1870 		    filename, linenum, arg);
1871 	return 0;
1872 }
1873 
1874 /* Reads the server configuration file. */
1875 
1876 void
load_server_config(const char * filename,Buffer * conf)1877 load_server_config(const char *filename, Buffer *conf)
1878 {
1879 	char line[4096], *cp;
1880 	FILE *f;
1881 	int lineno = 0;
1882 
1883 	debug2("%s: filename %s", __func__, filename);
1884 	if ((f = fopen(filename, "r")) == NULL) {
1885 		perror(filename);
1886 		exit(1);
1887 	}
1888 	buffer_clear(conf);
1889 	while (fgets(line, sizeof(line), f)) {
1890 		lineno++;
1891 		if (strlen(line) == sizeof(line) - 1)
1892 			fatal("%s line %d too long", filename, lineno);
1893 		/*
1894 		 * Trim out comments and strip whitespace
1895 		 * NB - preserve newlines, they are needed to reproduce
1896 		 * line numbers later for error messages
1897 		 */
1898 		if ((cp = strchr(line, '#')) != NULL)
1899 			memcpy(cp, "\n", 2);
1900 		cp = line + strspn(line, " \t\r");
1901 
1902 		buffer_append(conf, cp, strlen(cp));
1903 	}
1904 	buffer_append(conf, "\0", 1);
1905 	fclose(f);
1906 	debug2("%s: done config len = %d", __func__, buffer_len(conf));
1907 }
1908 
1909 void
parse_server_match_config(ServerOptions * options,struct connection_info * connectinfo)1910 parse_server_match_config(ServerOptions *options,
1911    struct connection_info *connectinfo)
1912 {
1913 	ServerOptions mo;
1914 #if defined(ANDROID)
1915 	char value[PROPERTY_VALUE_MAX];
1916 #endif
1917 
1918 	initialize_server_options(&mo);
1919 	parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1920 #if defined(ANDROID)
1921 	/* Allow root login if ro.debuggable is set. */
1922 	property_get("ro.debuggable", value, "");
1923 	if (strcmp(value, "1") == 0) {
1924 		mo.permit_root_login = PERMIT_YES;
1925 	}
1926 #endif
1927 	copy_set_server_options(options, &mo, 0);
1928 }
1929 
parse_server_match_testspec(struct connection_info * ci,char * spec)1930 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1931 {
1932 	char *p;
1933 
1934 	while ((p = strsep(&spec, ",")) && *p != '\0') {
1935 		if (strncmp(p, "addr=", 5) == 0) {
1936 			ci->address = xstrdup(p + 5);
1937 		} else if (strncmp(p, "host=", 5) == 0) {
1938 			ci->host = xstrdup(p + 5);
1939 		} else if (strncmp(p, "user=", 5) == 0) {
1940 			ci->user = xstrdup(p + 5);
1941 		} else if (strncmp(p, "laddr=", 6) == 0) {
1942 			ci->laddress = xstrdup(p + 6);
1943 		} else if (strncmp(p, "lport=", 6) == 0) {
1944 			ci->lport = a2port(p + 6);
1945 			if (ci->lport == -1) {
1946 				fprintf(stderr, "Invalid port '%s' in test mode"
1947 				   " specification %s\n", p+6, p);
1948 				return -1;
1949 			}
1950 		} else {
1951 			fprintf(stderr, "Invalid test mode specification %s\n",
1952 			   p);
1953 			return -1;
1954 		}
1955 	}
1956 	return 0;
1957 }
1958 
1959 /*
1960  * returns 1 for a complete spec, 0 for partial spec and -1 for an
1961  * empty spec.
1962  */
server_match_spec_complete(struct connection_info * ci)1963 int server_match_spec_complete(struct connection_info *ci)
1964 {
1965 	if (ci->user && ci->host && ci->address)
1966 		return 1;	/* complete */
1967 	if (!ci->user && !ci->host && !ci->address)
1968 		return -1;	/* empty */
1969 	return 0;	/* partial */
1970 }
1971 
1972 /*
1973  * Copy any supported values that are set.
1974  *
1975  * If the preauth flag is set, we do not bother copying the string or
1976  * array values that are not used pre-authentication, because any that we
1977  * do use must be explictly sent in mm_getpwnamallow().
1978  */
1979 void
copy_set_server_options(ServerOptions * dst,ServerOptions * src,int preauth)1980 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1981 {
1982 #define M_CP_INTOPT(n) do {\
1983 	if (src->n != -1) \
1984 		dst->n = src->n; \
1985 } while (0)
1986 
1987 	M_CP_INTOPT(password_authentication);
1988 	M_CP_INTOPT(gss_authentication);
1989 	M_CP_INTOPT(rsa_authentication);
1990 	M_CP_INTOPT(pubkey_authentication);
1991 	M_CP_INTOPT(kerberos_authentication);
1992 	M_CP_INTOPT(hostbased_authentication);
1993 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1994 	M_CP_INTOPT(kbd_interactive_authentication);
1995 	M_CP_INTOPT(permit_root_login);
1996 	M_CP_INTOPT(permit_empty_passwd);
1997 
1998 	M_CP_INTOPT(allow_tcp_forwarding);
1999 	M_CP_INTOPT(allow_streamlocal_forwarding);
2000 	M_CP_INTOPT(allow_agent_forwarding);
2001 	M_CP_INTOPT(permit_tun);
2002 	M_CP_INTOPT(fwd_opts.gateway_ports);
2003 	M_CP_INTOPT(x11_display_offset);
2004 	M_CP_INTOPT(x11_forwarding);
2005 	M_CP_INTOPT(x11_use_localhost);
2006 	M_CP_INTOPT(permit_tty);
2007 	M_CP_INTOPT(permit_user_rc);
2008 	M_CP_INTOPT(max_sessions);
2009 	M_CP_INTOPT(max_authtries);
2010 	M_CP_INTOPT(ip_qos_interactive);
2011 	M_CP_INTOPT(ip_qos_bulk);
2012 	M_CP_INTOPT(rekey_limit);
2013 	M_CP_INTOPT(rekey_interval);
2014 
2015 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2016 #define M_CP_STROPT(n) do {\
2017 	if (src->n != NULL && dst->n != src->n) { \
2018 		free(dst->n); \
2019 		dst->n = src->n; \
2020 	} \
2021 } while(0)
2022 #define M_CP_STRARRAYOPT(n, num_n) do {\
2023 	if (src->num_n != 0) { \
2024 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2025 			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2026 	} \
2027 } while(0)
2028 
2029 	/* See comment in servconf.h */
2030 	COPY_MATCH_STRING_OPTS();
2031 
2032 	/*
2033 	 * The only things that should be below this point are string options
2034 	 * which are only used after authentication.
2035 	 */
2036 	if (preauth)
2037 		return;
2038 
2039 	M_CP_STROPT(adm_forced_command);
2040 	M_CP_STROPT(chroot_directory);
2041 }
2042 
2043 #undef M_CP_INTOPT
2044 #undef M_CP_STROPT
2045 #undef M_CP_STRARRAYOPT
2046 
2047 void
parse_server_config(ServerOptions * options,const char * filename,Buffer * conf,struct connection_info * connectinfo)2048 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2049     struct connection_info *connectinfo)
2050 {
2051 	int active, linenum, bad_options = 0;
2052 	char *cp, *obuf, *cbuf;
2053 
2054 	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2055 
2056 	obuf = cbuf = xstrdup(buffer_ptr(conf));
2057 	active = connectinfo ? 0 : 1;
2058 	linenum = 1;
2059 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2060 		if (process_server_config_line(options, cp, filename,
2061 		    linenum++, &active, connectinfo) != 0)
2062 			bad_options++;
2063 	}
2064 	free(obuf);
2065 	if (bad_options > 0)
2066 		fatal("%s: terminating, %d bad configuration options",
2067 		    filename, bad_options);
2068 	process_queued_listen_addrs(options);
2069 }
2070 
2071 static const char *
fmt_multistate_int(int val,const struct multistate * m)2072 fmt_multistate_int(int val, const struct multistate *m)
2073 {
2074 	u_int i;
2075 
2076 	for (i = 0; m[i].key != NULL; i++) {
2077 		if (m[i].value == val)
2078 			return m[i].key;
2079 	}
2080 	return "UNKNOWN";
2081 }
2082 
2083 static const char *
fmt_intarg(ServerOpCodes code,int val)2084 fmt_intarg(ServerOpCodes code, int val)
2085 {
2086 	if (val == -1)
2087 		return "unset";
2088 	switch (code) {
2089 	case sAddressFamily:
2090 		return fmt_multistate_int(val, multistate_addressfamily);
2091 	case sPermitRootLogin:
2092 		return fmt_multistate_int(val, multistate_permitrootlogin);
2093 	case sGatewayPorts:
2094 		return fmt_multistate_int(val, multistate_gatewayports);
2095 	case sCompression:
2096 		return fmt_multistate_int(val, multistate_compression);
2097 	case sUsePrivilegeSeparation:
2098 		return fmt_multistate_int(val, multistate_privsep);
2099 	case sAllowTcpForwarding:
2100 		return fmt_multistate_int(val, multistate_tcpfwd);
2101 	case sAllowStreamLocalForwarding:
2102 		return fmt_multistate_int(val, multistate_tcpfwd);
2103 	case sFingerprintHash:
2104 		return ssh_digest_alg_name(val);
2105 	case sProtocol:
2106 		switch (val) {
2107 		case SSH_PROTO_1:
2108 			return "1";
2109 		case SSH_PROTO_2:
2110 			return "2";
2111 		case (SSH_PROTO_1|SSH_PROTO_2):
2112 			return "2,1";
2113 		default:
2114 			return "UNKNOWN";
2115 		}
2116 	default:
2117 		switch (val) {
2118 		case 0:
2119 			return "no";
2120 		case 1:
2121 			return "yes";
2122 		default:
2123 			return "UNKNOWN";
2124 		}
2125 	}
2126 }
2127 
2128 static const char *
lookup_opcode_name(ServerOpCodes code)2129 lookup_opcode_name(ServerOpCodes code)
2130 {
2131 	u_int i;
2132 
2133 	for (i = 0; keywords[i].name != NULL; i++)
2134 		if (keywords[i].opcode == code)
2135 			return(keywords[i].name);
2136 	return "UNKNOWN";
2137 }
2138 
2139 static void
dump_cfg_int(ServerOpCodes code,int val)2140 dump_cfg_int(ServerOpCodes code, int val)
2141 {
2142 	printf("%s %d\n", lookup_opcode_name(code), val);
2143 }
2144 
2145 static void
dump_cfg_oct(ServerOpCodes code,int val)2146 dump_cfg_oct(ServerOpCodes code, int val)
2147 {
2148 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2149 }
2150 
2151 static void
dump_cfg_fmtint(ServerOpCodes code,int val)2152 dump_cfg_fmtint(ServerOpCodes code, int val)
2153 {
2154 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2155 }
2156 
2157 static void
dump_cfg_string(ServerOpCodes code,const char * val)2158 dump_cfg_string(ServerOpCodes code, const char *val)
2159 {
2160 	if (val == NULL)
2161 		return;
2162 	printf("%s %s\n", lookup_opcode_name(code),
2163 	    val == NULL ? "none" : val);
2164 }
2165 
2166 static void
dump_cfg_strarray(ServerOpCodes code,u_int count,char ** vals)2167 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2168 {
2169 	u_int i;
2170 
2171 	for (i = 0; i < count; i++)
2172 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2173 }
2174 
2175 static void
dump_cfg_strarray_oneline(ServerOpCodes code,u_int count,char ** vals)2176 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2177 {
2178 	u_int i;
2179 
2180 	if (count <= 0)
2181 		return;
2182 	printf("%s", lookup_opcode_name(code));
2183 	for (i = 0; i < count; i++)
2184 		printf(" %s",  vals[i]);
2185 	printf("\n");
2186 }
2187 
2188 void
dump_config(ServerOptions * o)2189 dump_config(ServerOptions *o)
2190 {
2191 	u_int i;
2192 	int ret;
2193 	struct addrinfo *ai;
2194 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2195 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2196 
2197 	/* these are usually at the top of the config */
2198 	for (i = 0; i < o->num_ports; i++)
2199 		printf("port %d\n", o->ports[i]);
2200 	dump_cfg_fmtint(sProtocol, o->protocol);
2201 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2202 
2203 	/*
2204 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2205 	 * addresses onto a stack, so to maintain ordering we need to
2206 	 * print these in reverse order.
2207 	 */
2208 	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2209 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2210 		    sizeof(addr), port, sizeof(port),
2211 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2212 			error("getnameinfo failed: %.100s",
2213 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2214 			    strerror(errno));
2215 		} else {
2216 			laddr2 = laddr1;
2217 			if (ai->ai_family == AF_INET6)
2218 				xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2219 				    addr, port, laddr2);
2220 			else
2221 				xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2222 				    addr, port, laddr2);
2223 			free(laddr2);
2224 		}
2225 	}
2226 	printf("%s", laddr1);
2227 	free(laddr1);
2228 
2229 	/* integer arguments */
2230 #ifdef USE_PAM
2231 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2232 #endif
2233 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
2234 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2235 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2236 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2237 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2238 	dump_cfg_int(sMaxSessions, o->max_sessions);
2239 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2240 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2241 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2242 
2243 	/* formatted integer arguments */
2244 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2245 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2246 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2247 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2248 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2249 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2250 	    o->hostbased_uses_name_from_packet_only);
2251 	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2252 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2253 #ifdef KRB5
2254 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2255 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2256 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2257 # ifdef USE_AFS
2258 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2259 # endif
2260 #endif
2261 #ifdef GSSAPI
2262 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2263 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2264 #endif
2265 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2266 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2267 	    o->kbd_interactive_authentication);
2268 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2269 	    o->challenge_response_authentication);
2270 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2271 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2272 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2273 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2274 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2275 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2276 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2277 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2278 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2279 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2280 	dump_cfg_fmtint(sUseLogin, o->use_login);
2281 	dump_cfg_fmtint(sCompression, o->compression);
2282 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2283 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2284 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2285 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2286 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2287 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2288 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2289 
2290 	/* string arguments */
2291 	dump_cfg_string(sPidFile, o->pid_file);
2292 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2293 	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2294 	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2295 	dump_cfg_string(sBanner, o->banner);
2296 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2297 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2298 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2299 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2300 	dump_cfg_string(sAuthorizedPrincipalsFile,
2301 	    o->authorized_principals_file);
2302 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2303 	    ? "none" : o->version_addendum);
2304 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2305 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2306 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2307 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2308 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2309 	dump_cfg_string(sKexAlgorithms,
2310 	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2311 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2312 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2313 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2314 	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2315 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2316 	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2317 
2318 	/* string arguments requiring a lookup */
2319 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2320 	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2321 
2322 	/* string array arguments */
2323 	dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2324 	    o->authorized_keys_files);
2325 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2326 	     o->host_key_files);
2327 	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2328 	     o->host_cert_files);
2329 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2330 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2331 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2332 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2333 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2334 	dump_cfg_strarray_oneline(sAuthenticationMethods,
2335 	    o->num_auth_methods, o->auth_methods);
2336 
2337 	/* other arguments */
2338 	for (i = 0; i < o->num_subsystems; i++)
2339 		printf("subsystem %s %s\n", o->subsystem_name[i],
2340 		    o->subsystem_args[i]);
2341 
2342 	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2343 	    o->max_startups_rate, o->max_startups);
2344 
2345 	for (i = 0; tunmode_desc[i].val != -1; i++)
2346 		if (tunmode_desc[i].val == o->permit_tun) {
2347 			s = tunmode_desc[i].text;
2348 			break;
2349 		}
2350 	dump_cfg_string(sPermitTunnel, s);
2351 
2352 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2353 	printf("%s\n", iptos2str(o->ip_qos_bulk));
2354 
2355 	printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2356 	    o->rekey_interval);
2357 
2358 	channel_print_adm_permitted_opens();
2359 }
2360