xref: /openssh-portable/servconf.c (revision 250246fe)
1 
2 /* $OpenBSD: servconf.c,v 1.366 2020/06/24 15:09:53 markus Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/stat.h>
19 #ifdef __OpenBSD__
20 #include <sys/sysctl.h>
21 #endif
22 
23 #include <netinet/in.h>
24 #include <netinet/in_systm.h>
25 #include <netinet/ip.h>
26 #ifdef HAVE_NET_ROUTE_H
27 #include <net/route.h>
28 #endif
29 
30 #include <ctype.h>
31 #include <netdb.h>
32 #include <pwd.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include <signal.h>
37 #include <unistd.h>
38 #include <limits.h>
39 #include <stdarg.h>
40 #include <errno.h>
41 #ifdef HAVE_UTIL_H
42 #include <util.h>
43 #endif
44 #ifdef USE_SYSTEM_GLOB
45 # include <glob.h>
46 #else
47 # include "openbsd-compat/glob.h"
48 #endif
49 
50 #include "openbsd-compat/sys-queue.h"
51 #include "xmalloc.h"
52 #include "ssh.h"
53 #include "log.h"
54 #include "sshbuf.h"
55 #include "misc.h"
56 #include "servconf.h"
57 #include "compat.h"
58 #include "pathnames.h"
59 #include "cipher.h"
60 #include "sshkey.h"
61 #include "kex.h"
62 #include "mac.h"
63 #include "match.h"
64 #include "channels.h"
65 #include "groupaccess.h"
66 #include "canohost.h"
67 #include "packet.h"
68 #include "ssherr.h"
69 #include "hostfile.h"
70 #include "auth.h"
71 #include "myproposal.h"
72 #include "digest.h"
73 
74 static void add_listen_addr(ServerOptions *, const char *,
75     const char *, int);
76 static void add_one_listen_addr(ServerOptions *, const char *,
77     const char *, int);
78 static void parse_server_config_depth(ServerOptions *options,
79     const char *filename, struct sshbuf *conf, struct include_list *includes,
80     struct connection_info *connectinfo, int flags, int *activep, int depth);
81 
82 /* Use of privilege separation or not */
83 extern int use_privsep;
84 extern struct sshbuf *cfg;
85 
86 /* Initializes the server options to their default values. */
87 
88 void
89 initialize_server_options(ServerOptions *options)
90 {
91 	memset(options, 0, sizeof(*options));
92 
93 	/* Portable-specific options */
94 	options->use_pam = -1;
95 
96 	/* Standard Options */
97 	options->num_ports = 0;
98 	options->ports_from_cmdline = 0;
99 	options->queued_listen_addrs = NULL;
100 	options->num_queued_listens = 0;
101 	options->listen_addrs = NULL;
102 	options->num_listen_addrs = 0;
103 	options->address_family = -1;
104 	options->routing_domain = NULL;
105 	options->num_host_key_files = 0;
106 	options->num_host_cert_files = 0;
107 	options->host_key_agent = NULL;
108 	options->pid_file = NULL;
109 	options->login_grace_time = -1;
110 	options->permit_root_login = PERMIT_NOT_SET;
111 	options->ignore_rhosts = -1;
112 	options->ignore_user_known_hosts = -1;
113 	options->print_motd = -1;
114 	options->print_lastlog = -1;
115 	options->x11_forwarding = -1;
116 	options->x11_display_offset = -1;
117 	options->x11_use_localhost = -1;
118 	options->permit_tty = -1;
119 	options->permit_user_rc = -1;
120 	options->xauth_location = NULL;
121 	options->strict_modes = -1;
122 	options->tcp_keep_alive = -1;
123 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
124 	options->log_level = SYSLOG_LEVEL_NOT_SET;
125 	options->hostbased_authentication = -1;
126 	options->hostbased_uses_name_from_packet_only = -1;
127 	options->hostbased_key_types = NULL;
128 	options->hostkeyalgorithms = NULL;
129 	options->pubkey_authentication = -1;
130 	options->pubkey_auth_options = -1;
131 	options->pubkey_key_types = NULL;
132 	options->kerberos_authentication = -1;
133 	options->kerberos_or_local_passwd = -1;
134 	options->kerberos_ticket_cleanup = -1;
135 	options->kerberos_get_afs_token = -1;
136 	options->gss_authentication=-1;
137 	options->gss_cleanup_creds = -1;
138 	options->gss_strict_acceptor = -1;
139 	options->password_authentication = -1;
140 	options->kbd_interactive_authentication = -1;
141 	options->challenge_response_authentication = -1;
142 	options->permit_empty_passwd = -1;
143 	options->permit_user_env = -1;
144 	options->permit_user_env_whitelist = NULL;
145 	options->compression = -1;
146 	options->rekey_limit = -1;
147 	options->rekey_interval = -1;
148 	options->allow_tcp_forwarding = -1;
149 	options->allow_streamlocal_forwarding = -1;
150 	options->allow_agent_forwarding = -1;
151 	options->num_allow_users = 0;
152 	options->num_deny_users = 0;
153 	options->num_allow_groups = 0;
154 	options->num_deny_groups = 0;
155 	options->ciphers = NULL;
156 	options->macs = NULL;
157 	options->kex_algorithms = NULL;
158 	options->ca_sign_algorithms = NULL;
159 	options->fwd_opts.gateway_ports = -1;
160 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
161 	options->fwd_opts.streamlocal_bind_unlink = -1;
162 	options->num_subsystems = 0;
163 	options->max_startups_begin = -1;
164 	options->max_startups_rate = -1;
165 	options->max_startups = -1;
166 	options->max_authtries = -1;
167 	options->max_sessions = -1;
168 	options->banner = NULL;
169 	options->use_dns = -1;
170 	options->client_alive_interval = -1;
171 	options->client_alive_count_max = -1;
172 	options->num_authkeys_files = 0;
173 	options->num_accept_env = 0;
174 	options->num_setenv = 0;
175 	options->permit_tun = -1;
176 	options->permitted_opens = NULL;
177 	options->permitted_listens = NULL;
178 	options->adm_forced_command = NULL;
179 	options->chroot_directory = NULL;
180 	options->authorized_keys_command = NULL;
181 	options->authorized_keys_command_user = NULL;
182 	options->revoked_keys_file = NULL;
183 	options->sk_provider = NULL;
184 	options->trusted_user_ca_keys = NULL;
185 	options->authorized_principals_file = NULL;
186 	options->authorized_principals_command = NULL;
187 	options->authorized_principals_command_user = NULL;
188 	options->ip_qos_interactive = -1;
189 	options->ip_qos_bulk = -1;
190 	options->version_addendum = NULL;
191 	options->fingerprint_hash = -1;
192 	options->disable_forwarding = -1;
193 	options->expose_userauth_info = -1;
194 }
195 
196 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
197 static int
198 option_clear_or_none(const char *o)
199 {
200 	return o == NULL || strcasecmp(o, "none") == 0;
201 }
202 
203 static void
204 assemble_algorithms(ServerOptions *o)
205 {
206 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
207 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
208 	int r;
209 
210 	all_cipher = cipher_alg_list(',', 0);
211 	all_mac = mac_alg_list(',');
212 	all_kex = kex_alg_list(',');
213 	all_key = sshkey_alg_list(0, 0, 1, ',');
214 	all_sig = sshkey_alg_list(0, 1, 1, ',');
215 	/* remove unsupported algos from default lists */
216 	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
217 	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
218 	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
219 	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
220 	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
221 #define ASSEMBLE(what, defaults, all) \
222 	do { \
223 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
224 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
225 	} while (0)
226 	ASSEMBLE(ciphers, def_cipher, all_cipher);
227 	ASSEMBLE(macs, def_mac, all_mac);
228 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
229 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
230 	ASSEMBLE(hostbased_key_types, def_key, all_key);
231 	ASSEMBLE(pubkey_key_types, def_key, all_key);
232 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
233 #undef ASSEMBLE
234 	free(all_cipher);
235 	free(all_mac);
236 	free(all_kex);
237 	free(all_key);
238 	free(all_sig);
239 	free(def_cipher);
240 	free(def_mac);
241 	free(def_kex);
242 	free(def_key);
243 	free(def_sig);
244 }
245 
246 static void
247 array_append2(const char *file, const int line, const char *directive,
248     char ***array, int **iarray, u_int *lp, const char *s, int i)
249 {
250 
251 	if (*lp >= INT_MAX)
252 		fatal("%s line %d: Too many %s entries", file, line, directive);
253 
254 	if (iarray != NULL) {
255 		*iarray = xrecallocarray(*iarray, *lp, *lp + 1,
256 		    sizeof(**iarray));
257 		(*iarray)[*lp] = i;
258 	}
259 
260 	*array = xrecallocarray(*array, *lp, *lp + 1, sizeof(**array));
261 	(*array)[*lp] = xstrdup(s);
262 	(*lp)++;
263 }
264 
265 static void
266 array_append(const char *file, const int line, const char *directive,
267     char ***array, u_int *lp, const char *s)
268 {
269 	array_append2(file, line, directive, array, NULL, lp, s, 0);
270 }
271 
272 void
273 servconf_add_hostkey(const char *file, const int line,
274     ServerOptions *options, const char *path, int userprovided)
275 {
276 	char *apath = derelativise_path(path);
277 
278 	array_append2(file, line, "HostKey",
279 	    &options->host_key_files, &options->host_key_file_userprovided,
280 	    &options->num_host_key_files, apath, userprovided);
281 	free(apath);
282 }
283 
284 void
285 servconf_add_hostcert(const char *file, const int line,
286     ServerOptions *options, const char *path)
287 {
288 	char *apath = derelativise_path(path);
289 
290 	array_append(file, line, "HostCertificate",
291 	    &options->host_cert_files, &options->num_host_cert_files, apath);
292 	free(apath);
293 }
294 
295 void
296 fill_default_server_options(ServerOptions *options)
297 {
298 	u_int i;
299 
300 	/* Portable-specific options */
301 	if (options->use_pam == -1)
302 		options->use_pam = 0;
303 
304 	/* Standard Options */
305 	if (options->num_host_key_files == 0) {
306 		/* fill default hostkeys for protocols */
307 		servconf_add_hostkey("[default]", 0, options,
308 		    _PATH_HOST_RSA_KEY_FILE, 0);
309 #ifdef OPENSSL_HAS_ECC
310 		servconf_add_hostkey("[default]", 0, options,
311 		    _PATH_HOST_ECDSA_KEY_FILE, 0);
312 #endif
313 		servconf_add_hostkey("[default]", 0, options,
314 		    _PATH_HOST_ED25519_KEY_FILE, 0);
315 #ifdef WITH_XMSS
316 		servconf_add_hostkey("[default]", 0, options,
317 		    _PATH_HOST_XMSS_KEY_FILE, 0);
318 #endif /* WITH_XMSS */
319 	}
320 	/* No certificates by default */
321 	if (options->num_ports == 0)
322 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
323 	if (options->address_family == -1)
324 		options->address_family = AF_UNSPEC;
325 	if (options->listen_addrs == NULL)
326 		add_listen_addr(options, NULL, NULL, 0);
327 	if (options->pid_file == NULL)
328 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
329 	if (options->login_grace_time == -1)
330 		options->login_grace_time = 120;
331 	if (options->permit_root_login == PERMIT_NOT_SET)
332 		options->permit_root_login = PERMIT_NO_PASSWD;
333 	if (options->ignore_rhosts == -1)
334 		options->ignore_rhosts = 1;
335 	if (options->ignore_user_known_hosts == -1)
336 		options->ignore_user_known_hosts = 0;
337 	if (options->print_motd == -1)
338 		options->print_motd = 1;
339 	if (options->print_lastlog == -1)
340 		options->print_lastlog = 1;
341 	if (options->x11_forwarding == -1)
342 		options->x11_forwarding = 0;
343 	if (options->x11_display_offset == -1)
344 		options->x11_display_offset = 10;
345 	if (options->x11_use_localhost == -1)
346 		options->x11_use_localhost = 1;
347 	if (options->xauth_location == NULL)
348 		options->xauth_location = xstrdup(_PATH_XAUTH);
349 	if (options->permit_tty == -1)
350 		options->permit_tty = 1;
351 	if (options->permit_user_rc == -1)
352 		options->permit_user_rc = 1;
353 	if (options->strict_modes == -1)
354 		options->strict_modes = 1;
355 	if (options->tcp_keep_alive == -1)
356 		options->tcp_keep_alive = 1;
357 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
358 		options->log_facility = SYSLOG_FACILITY_AUTH;
359 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
360 		options->log_level = SYSLOG_LEVEL_INFO;
361 	if (options->hostbased_authentication == -1)
362 		options->hostbased_authentication = 0;
363 	if (options->hostbased_uses_name_from_packet_only == -1)
364 		options->hostbased_uses_name_from_packet_only = 0;
365 	if (options->pubkey_authentication == -1)
366 		options->pubkey_authentication = 1;
367 	if (options->pubkey_auth_options == -1)
368 		options->pubkey_auth_options = 0;
369 	if (options->kerberos_authentication == -1)
370 		options->kerberos_authentication = 0;
371 	if (options->kerberos_or_local_passwd == -1)
372 		options->kerberos_or_local_passwd = 1;
373 	if (options->kerberos_ticket_cleanup == -1)
374 		options->kerberos_ticket_cleanup = 1;
375 	if (options->kerberos_get_afs_token == -1)
376 		options->kerberos_get_afs_token = 0;
377 	if (options->gss_authentication == -1)
378 		options->gss_authentication = 0;
379 	if (options->gss_cleanup_creds == -1)
380 		options->gss_cleanup_creds = 1;
381 	if (options->gss_strict_acceptor == -1)
382 		options->gss_strict_acceptor = 1;
383 	if (options->password_authentication == -1)
384 		options->password_authentication = 1;
385 	if (options->kbd_interactive_authentication == -1)
386 		options->kbd_interactive_authentication = 0;
387 	if (options->challenge_response_authentication == -1)
388 		options->challenge_response_authentication = 1;
389 	if (options->permit_empty_passwd == -1)
390 		options->permit_empty_passwd = 0;
391 	if (options->permit_user_env == -1) {
392 		options->permit_user_env = 0;
393 		options->permit_user_env_whitelist = NULL;
394 	}
395 	if (options->compression == -1)
396 #ifdef WITH_ZLIB
397 		options->compression = COMP_DELAYED;
398 #else
399 		options->compression = COMP_NONE;
400 #endif
401 
402 	if (options->rekey_limit == -1)
403 		options->rekey_limit = 0;
404 	if (options->rekey_interval == -1)
405 		options->rekey_interval = 0;
406 	if (options->allow_tcp_forwarding == -1)
407 		options->allow_tcp_forwarding = FORWARD_ALLOW;
408 	if (options->allow_streamlocal_forwarding == -1)
409 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
410 	if (options->allow_agent_forwarding == -1)
411 		options->allow_agent_forwarding = 1;
412 	if (options->fwd_opts.gateway_ports == -1)
413 		options->fwd_opts.gateway_ports = 0;
414 	if (options->max_startups == -1)
415 		options->max_startups = 100;
416 	if (options->max_startups_rate == -1)
417 		options->max_startups_rate = 30;		/* 30% */
418 	if (options->max_startups_begin == -1)
419 		options->max_startups_begin = 10;
420 	if (options->max_authtries == -1)
421 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
422 	if (options->max_sessions == -1)
423 		options->max_sessions = DEFAULT_SESSIONS_MAX;
424 	if (options->use_dns == -1)
425 		options->use_dns = 0;
426 	if (options->client_alive_interval == -1)
427 		options->client_alive_interval = 0;
428 	if (options->client_alive_count_max == -1)
429 		options->client_alive_count_max = 3;
430 	if (options->num_authkeys_files == 0) {
431 		array_append("[default]", 0, "AuthorizedKeysFiles",
432 		    &options->authorized_keys_files,
433 		    &options->num_authkeys_files,
434 		    _PATH_SSH_USER_PERMITTED_KEYS);
435 		array_append("[default]", 0, "AuthorizedKeysFiles",
436 		    &options->authorized_keys_files,
437 		    &options->num_authkeys_files,
438 		    _PATH_SSH_USER_PERMITTED_KEYS2);
439 	}
440 	if (options->permit_tun == -1)
441 		options->permit_tun = SSH_TUNMODE_NO;
442 	if (options->ip_qos_interactive == -1)
443 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
444 	if (options->ip_qos_bulk == -1)
445 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
446 	if (options->version_addendum == NULL)
447 		options->version_addendum = xstrdup("");
448 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
449 		options->fwd_opts.streamlocal_bind_mask = 0177;
450 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
451 		options->fwd_opts.streamlocal_bind_unlink = 0;
452 	if (options->fingerprint_hash == -1)
453 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
454 	if (options->disable_forwarding == -1)
455 		options->disable_forwarding = 0;
456 	if (options->expose_userauth_info == -1)
457 		options->expose_userauth_info = 0;
458 	if (options->sk_provider == NULL)
459 		options->sk_provider = xstrdup("internal");
460 
461 	assemble_algorithms(options);
462 
463 	/* Turn privilege separation and sandboxing on by default */
464 	if (use_privsep == -1)
465 		use_privsep = PRIVSEP_ON;
466 
467 #define CLEAR_ON_NONE(v) \
468 	do { \
469 		if (option_clear_or_none(v)) { \
470 			free(v); \
471 			v = NULL; \
472 		} \
473 	} while(0)
474 	CLEAR_ON_NONE(options->pid_file);
475 	CLEAR_ON_NONE(options->xauth_location);
476 	CLEAR_ON_NONE(options->banner);
477 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
478 	CLEAR_ON_NONE(options->revoked_keys_file);
479 	CLEAR_ON_NONE(options->sk_provider);
480 	CLEAR_ON_NONE(options->authorized_principals_file);
481 	CLEAR_ON_NONE(options->adm_forced_command);
482 	CLEAR_ON_NONE(options->chroot_directory);
483 	CLEAR_ON_NONE(options->routing_domain);
484 	CLEAR_ON_NONE(options->host_key_agent);
485 	for (i = 0; i < options->num_host_key_files; i++)
486 		CLEAR_ON_NONE(options->host_key_files[i]);
487 	for (i = 0; i < options->num_host_cert_files; i++)
488 		CLEAR_ON_NONE(options->host_cert_files[i]);
489 #undef CLEAR_ON_NONE
490 
491 	/* Similar handling for AuthenticationMethods=any */
492 	if (options->num_auth_methods == 1 &&
493 	    strcmp(options->auth_methods[0], "any") == 0) {
494 		free(options->auth_methods[0]);
495 		options->auth_methods[0] = NULL;
496 		options->num_auth_methods = 0;
497 	}
498 
499 #ifndef HAVE_MMAP
500 	if (use_privsep && options->compression == 1) {
501 		error("This platform does not support both privilege "
502 		    "separation and compression");
503 		error("Compression disabled");
504 		options->compression = 0;
505 	}
506 #endif
507 }
508 
509 /* Keyword tokens. */
510 typedef enum {
511 	sBadOption,		/* == unknown option */
512 	/* Portable-specific options */
513 	sUsePAM,
514 	/* Standard Options */
515 	sPort, sHostKeyFile, sLoginGraceTime,
516 	sPermitRootLogin, sLogFacility, sLogLevel,
517 	sRhostsRSAAuthentication, sRSAAuthentication,
518 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
519 	sKerberosGetAFSToken, sChallengeResponseAuthentication,
520 	sPasswordAuthentication, sKbdInteractiveAuthentication,
521 	sListenAddress, sAddressFamily,
522 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
523 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
524 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
525 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
526 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
527 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
528 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
529 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
530 	sBanner, sUseDNS, sHostbasedAuthentication,
531 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
532 	sHostKeyAlgorithms,
533 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
534 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
535 	sAcceptEnv, sSetEnv, sPermitTunnel,
536 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
537 	sUsePrivilegeSeparation, sAllowAgentForwarding,
538 	sHostCertificate, sInclude,
539 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
540 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
541 	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
542 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
543 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
544 	sStreamLocalBindMask, sStreamLocalBindUnlink,
545 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
546 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
547 	sDeprecated, sIgnore, sUnsupported
548 } ServerOpCodes;
549 
550 #define SSHCFG_GLOBAL		0x01	/* allowed in main section of config */
551 #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
552 #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
553 #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
554 #define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
555 
556 /* Textual representation of the tokens. */
557 static struct {
558 	const char *name;
559 	ServerOpCodes opcode;
560 	u_int flags;
561 } keywords[] = {
562 	/* Portable-specific options */
563 #ifdef USE_PAM
564 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
565 #else
566 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
567 #endif
568 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
569 	/* Standard Options */
570 	{ "port", sPort, SSHCFG_GLOBAL },
571 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
572 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
573 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
574 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
575 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
576 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
577 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
578 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
579 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
580 	{ "loglevel", sLogLevel, SSHCFG_ALL },
581 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
582 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
583 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
584 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
585 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
586 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
587 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
588 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
589 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
590 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
591 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
592 #ifdef KRB5
593 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
594 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
595 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
596 #ifdef USE_AFS
597 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
598 #else
599 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
600 #endif
601 #else
602 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
603 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
604 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
605 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
606 #endif
607 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
608 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
609 #ifdef GSSAPI
610 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
611 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
612 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
613 #else
614 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
615 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
616 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
617 #endif
618 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
619 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
620 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
621 	{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
622 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
623 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
624 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
625 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
626 #ifdef DISABLE_LASTLOG
627 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
628 #else
629 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
630 #endif
631 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
632 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
633 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
634 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
635 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
636 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
637 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
638 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
639 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
640 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
641 	{ "compression", sCompression, SSHCFG_GLOBAL },
642 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
643 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
644 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
645 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
646 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
647 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
648 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
649 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
650 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
651 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
652 	{ "macs", sMacs, SSHCFG_GLOBAL },
653 	{ "protocol", sIgnore, SSHCFG_GLOBAL },
654 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
655 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
656 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
657 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
658 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
659 	{ "banner", sBanner, SSHCFG_ALL },
660 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
661 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
662 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
663 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
664 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
665 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
666 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
667 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
668 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
669 	{ "setenv", sSetEnv, SSHCFG_ALL },
670 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
671 	{ "permittty", sPermitTTY, SSHCFG_ALL },
672 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
673 	{ "match", sMatch, SSHCFG_ALL },
674 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
675 	{ "permitlisten", sPermitListen, SSHCFG_ALL },
676 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
677 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
678 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
679 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
680 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
681 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
682 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
683 	{ "include", sInclude, SSHCFG_ALL },
684 	{ "ipqos", sIPQoS, SSHCFG_ALL },
685 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
686 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
687 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
688 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
689 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
690 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
691 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
692 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
693 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
694 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
695 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
696 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
697 	{ "rdomain", sRDomain, SSHCFG_ALL },
698 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
699 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
700 	{ NULL, sBadOption, 0 }
701 };
702 
703 static struct {
704 	int val;
705 	char *text;
706 } tunmode_desc[] = {
707 	{ SSH_TUNMODE_NO, "no" },
708 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
709 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
710 	{ SSH_TUNMODE_YES, "yes" },
711 	{ -1, NULL }
712 };
713 
714 /* Returns an opcode name from its number */
715 
716 static const char *
717 lookup_opcode_name(ServerOpCodes code)
718 {
719 	u_int i;
720 
721 	for (i = 0; keywords[i].name != NULL; i++)
722 		if (keywords[i].opcode == code)
723 			return(keywords[i].name);
724 	return "UNKNOWN";
725 }
726 
727 
728 /*
729  * Returns the number of the token pointed to by cp or sBadOption.
730  */
731 
732 static ServerOpCodes
733 parse_token(const char *cp, const char *filename,
734 	    int linenum, u_int *flags)
735 {
736 	u_int i;
737 
738 	for (i = 0; keywords[i].name; i++)
739 		if (strcasecmp(cp, keywords[i].name) == 0) {
740 			*flags = keywords[i].flags;
741 			return keywords[i].opcode;
742 		}
743 
744 	error("%s: line %d: Bad configuration option: %s",
745 	    filename, linenum, cp);
746 	return sBadOption;
747 }
748 
749 char *
750 derelativise_path(const char *path)
751 {
752 	char *expanded, *ret, cwd[PATH_MAX];
753 
754 	if (strcasecmp(path, "none") == 0)
755 		return xstrdup("none");
756 	expanded = tilde_expand_filename(path, getuid());
757 	if (path_absolute(expanded))
758 		return expanded;
759 	if (getcwd(cwd, sizeof(cwd)) == NULL)
760 		fatal("%s: getcwd: %s", __func__, strerror(errno));
761 	xasprintf(&ret, "%s/%s", cwd, expanded);
762 	free(expanded);
763 	return ret;
764 }
765 
766 static void
767 add_listen_addr(ServerOptions *options, const char *addr,
768     const char *rdomain, int port)
769 {
770 	u_int i;
771 
772 	if (port > 0)
773 		add_one_listen_addr(options, addr, rdomain, port);
774 	else {
775 		for (i = 0; i < options->num_ports; i++) {
776 			add_one_listen_addr(options, addr, rdomain,
777 			    options->ports[i]);
778 		}
779 	}
780 }
781 
782 static void
783 add_one_listen_addr(ServerOptions *options, const char *addr,
784     const char *rdomain, int port)
785 {
786 	struct addrinfo hints, *ai, *aitop;
787 	char strport[NI_MAXSERV];
788 	int gaierr;
789 	u_int i;
790 
791 	/* Find listen_addrs entry for this rdomain */
792 	for (i = 0; i < options->num_listen_addrs; i++) {
793 		if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
794 			break;
795 		if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
796 			continue;
797 		if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
798 			break;
799 	}
800 	if (i >= options->num_listen_addrs) {
801 		/* No entry for this rdomain; allocate one */
802 		if (i >= INT_MAX)
803 			fatal("%s: too many listen addresses", __func__);
804 		options->listen_addrs = xrecallocarray(options->listen_addrs,
805 		    options->num_listen_addrs, options->num_listen_addrs + 1,
806 		    sizeof(*options->listen_addrs));
807 		i = options->num_listen_addrs++;
808 		if (rdomain != NULL)
809 			options->listen_addrs[i].rdomain = xstrdup(rdomain);
810 	}
811 	/* options->listen_addrs[i] points to the addresses for this rdomain */
812 
813 	memset(&hints, 0, sizeof(hints));
814 	hints.ai_family = options->address_family;
815 	hints.ai_socktype = SOCK_STREAM;
816 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
817 	snprintf(strport, sizeof strport, "%d", port);
818 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
819 		fatal("bad addr or host: %s (%s)",
820 		    addr ? addr : "<NULL>",
821 		    ssh_gai_strerror(gaierr));
822 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
823 		;
824 	ai->ai_next = options->listen_addrs[i].addrs;
825 	options->listen_addrs[i].addrs = aitop;
826 }
827 
828 /* Returns nonzero if the routing domain name is valid */
829 static int
830 valid_rdomain(const char *name)
831 {
832 #if defined(HAVE_SYS_VALID_RDOMAIN)
833 	return sys_valid_rdomain(name);
834 #elif defined(__OpenBSD__)
835 	const char *errstr;
836 	long long num;
837 	struct rt_tableinfo info;
838 	int mib[6];
839 	size_t miblen = sizeof(mib);
840 
841 	if (name == NULL)
842 		return 1;
843 
844 	num = strtonum(name, 0, 255, &errstr);
845 	if (errstr != NULL)
846 		return 0;
847 
848 	/* Check whether the table actually exists */
849 	memset(mib, 0, sizeof(mib));
850 	mib[0] = CTL_NET;
851 	mib[1] = PF_ROUTE;
852 	mib[4] = NET_RT_TABLE;
853 	mib[5] = (int)num;
854 	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
855 		return 0;
856 
857 	return 1;
858 #else /* defined(__OpenBSD__) */
859 	error("Routing domains are not supported on this platform");
860 	return 0;
861 #endif
862 }
863 
864 /*
865  * Queue a ListenAddress to be processed once we have all of the Ports
866  * and AddressFamily options.
867  */
868 static void
869 queue_listen_addr(ServerOptions *options, const char *addr,
870     const char *rdomain, int port)
871 {
872 	struct queued_listenaddr *qla;
873 
874 	options->queued_listen_addrs = xrecallocarray(
875 	    options->queued_listen_addrs,
876 	    options->num_queued_listens, options->num_queued_listens + 1,
877 	    sizeof(*options->queued_listen_addrs));
878 	qla = &options->queued_listen_addrs[options->num_queued_listens++];
879 	qla->addr = xstrdup(addr);
880 	qla->port = port;
881 	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
882 }
883 
884 /*
885  * Process queued (text) ListenAddress entries.
886  */
887 static void
888 process_queued_listen_addrs(ServerOptions *options)
889 {
890 	u_int i;
891 	struct queued_listenaddr *qla;
892 
893 	if (options->num_ports == 0)
894 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
895 	if (options->address_family == -1)
896 		options->address_family = AF_UNSPEC;
897 
898 	for (i = 0; i < options->num_queued_listens; i++) {
899 		qla = &options->queued_listen_addrs[i];
900 		add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
901 		free(qla->addr);
902 		free(qla->rdomain);
903 	}
904 	free(options->queued_listen_addrs);
905 	options->queued_listen_addrs = NULL;
906 	options->num_queued_listens = 0;
907 }
908 
909 /*
910  * Inform channels layer of permitopen options for a single forwarding
911  * direction (local/remote).
912  */
913 static void
914 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
915     char **opens, u_int num_opens)
916 {
917 	u_int i;
918 	int port;
919 	char *host, *arg, *oarg, ch;
920 	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
921 	const char *what = lookup_opcode_name(opcode);
922 
923 	channel_clear_permission(ssh, FORWARD_ADM, where);
924 	if (num_opens == 0)
925 		return; /* permit any */
926 
927 	/* handle keywords: "any" / "none" */
928 	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
929 		return;
930 	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
931 		channel_disable_admin(ssh, where);
932 		return;
933 	}
934 	/* Otherwise treat it as a list of permitted host:port */
935 	for (i = 0; i < num_opens; i++) {
936 		oarg = arg = xstrdup(opens[i]);
937 		ch = '\0';
938 		host = hpdelim2(&arg, &ch);
939 		if (host == NULL || ch == '/')
940 			fatal("%s: missing host in %s", __func__, what);
941 		host = cleanhostname(host);
942 		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
943 			fatal("%s: bad port number in %s", __func__, what);
944 		/* Send it to channels layer */
945 		channel_add_permission(ssh, FORWARD_ADM,
946 		    where, host, port);
947 		free(oarg);
948 	}
949 }
950 
951 /*
952  * Inform channels layer of permitopen options from configuration.
953  */
954 void
955 process_permitopen(struct ssh *ssh, ServerOptions *options)
956 {
957 	process_permitopen_list(ssh, sPermitOpen,
958 	    options->permitted_opens, options->num_permitted_opens);
959 	process_permitopen_list(ssh, sPermitListen,
960 	    options->permitted_listens,
961 	    options->num_permitted_listens);
962 }
963 
964 struct connection_info *
965 get_connection_info(struct ssh *ssh, int populate, int use_dns)
966 {
967 	static struct connection_info ci;
968 
969 	if (ssh == NULL || !populate)
970 		return &ci;
971 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
972 	ci.address = ssh_remote_ipaddr(ssh);
973 	ci.laddress = ssh_local_ipaddr(ssh);
974 	ci.lport = ssh_local_port(ssh);
975 	ci.rdomain = ssh_packet_rdomain_in(ssh);
976 	return &ci;
977 }
978 
979 /*
980  * The strategy for the Match blocks is that the config file is parsed twice.
981  *
982  * The first time is at startup.  activep is initialized to 1 and the
983  * directives in the global context are processed and acted on.  Hitting a
984  * Match directive unsets activep and the directives inside the block are
985  * checked for syntax only.
986  *
987  * The second time is after a connection has been established but before
988  * authentication.  activep is initialized to 2 and global config directives
989  * are ignored since they have already been processed.  If the criteria in a
990  * Match block is met, activep is set and the subsequent directives
991  * processed and actioned until EOF or another Match block unsets it.  Any
992  * options set are copied into the main server config.
993  *
994  * Potential additions/improvements:
995  *  - Add Match support for pre-kex directives, eg. Ciphers.
996  *
997  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
998  *	Match Address 192.168.0.*
999  *		Tag trusted
1000  *	Match Group wheel
1001  *		Tag trusted
1002  *	Match Tag trusted
1003  *		AllowTcpForwarding yes
1004  *		GatewayPorts clientspecified
1005  *		[...]
1006  *
1007  *  - Add a PermittedChannelRequests directive
1008  *	Match Group shell
1009  *		PermittedChannelRequests session,forwarded-tcpip
1010  */
1011 
1012 static int
1013 match_cfg_line_group(const char *grps, int line, const char *user)
1014 {
1015 	int result = 0;
1016 	struct passwd *pw;
1017 
1018 	if (user == NULL)
1019 		goto out;
1020 
1021 	if ((pw = getpwnam(user)) == NULL) {
1022 		debug("Can't match group at line %d because user %.100s does "
1023 		    "not exist", line, user);
1024 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1025 		debug("Can't Match group because user %.100s not in any group "
1026 		    "at line %d", user, line);
1027 	} else if (ga_match_pattern_list(grps) != 1) {
1028 		debug("user %.100s does not match group list %.100s at line %d",
1029 		    user, grps, line);
1030 	} else {
1031 		debug("user %.100s matched group list %.100s at line %d", user,
1032 		    grps, line);
1033 		result = 1;
1034 	}
1035 out:
1036 	ga_free();
1037 	return result;
1038 }
1039 
1040 static void
1041 match_test_missing_fatal(const char *criteria, const char *attrib)
1042 {
1043 	fatal("'Match %s' in configuration but '%s' not in connection "
1044 	    "test specification.", criteria, attrib);
1045 }
1046 
1047 /*
1048  * All of the attributes on a single Match line are ANDed together, so we need
1049  * to check every attribute and set the result to zero if any attribute does
1050  * not match.
1051  */
1052 static int
1053 match_cfg_line(char **condition, int line, struct connection_info *ci)
1054 {
1055 	int result = 1, attributes = 0, port;
1056 	char *arg, *attrib, *cp = *condition;
1057 
1058 	if (ci == NULL)
1059 		debug3("checking syntax for 'Match %s'", cp);
1060 	else
1061 		debug3("checking match for '%s' user %s host %s addr %s "
1062 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1063 		    ci->host ? ci->host : "(null)",
1064 		    ci->address ? ci->address : "(null)",
1065 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
1066 
1067 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1068 		attributes++;
1069 		if (strcasecmp(attrib, "all") == 0) {
1070 			if (attributes != 1 ||
1071 			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
1072 				error("'all' cannot be combined with other "
1073 				    "Match attributes");
1074 				return -1;
1075 			}
1076 			*condition = cp;
1077 			return 1;
1078 		}
1079 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
1080 			error("Missing Match criteria for %s", attrib);
1081 			return -1;
1082 		}
1083 		if (strcasecmp(attrib, "user") == 0) {
1084 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1085 				result = 0;
1086 				continue;
1087 			}
1088 			if (ci->user == NULL)
1089 				match_test_missing_fatal("User", "user");
1090 			if (match_usergroup_pattern_list(ci->user, arg) != 1)
1091 				result = 0;
1092 			else
1093 				debug("user %.100s matched 'User %.100s' at "
1094 				    "line %d", ci->user, arg, line);
1095 		} else if (strcasecmp(attrib, "group") == 0) {
1096 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1097 				result = 0;
1098 				continue;
1099 			}
1100 			if (ci->user == NULL)
1101 				match_test_missing_fatal("Group", "user");
1102 			switch (match_cfg_line_group(arg, line, ci->user)) {
1103 			case -1:
1104 				return -1;
1105 			case 0:
1106 				result = 0;
1107 			}
1108 		} else if (strcasecmp(attrib, "host") == 0) {
1109 			if (ci == NULL || (ci->test && ci->host == NULL)) {
1110 				result = 0;
1111 				continue;
1112 			}
1113 			if (ci->host == NULL)
1114 				match_test_missing_fatal("Host", "host");
1115 			if (match_hostname(ci->host, arg) != 1)
1116 				result = 0;
1117 			else
1118 				debug("connection from %.100s matched 'Host "
1119 				    "%.100s' at line %d", ci->host, arg, line);
1120 		} else if (strcasecmp(attrib, "address") == 0) {
1121 			if (ci == NULL || (ci->test && ci->address == NULL)) {
1122 				result = 0;
1123 				continue;
1124 			}
1125 			if (ci->address == NULL)
1126 				match_test_missing_fatal("Address", "addr");
1127 			switch (addr_match_list(ci->address, arg)) {
1128 			case 1:
1129 				debug("connection from %.100s matched 'Address "
1130 				    "%.100s' at line %d", ci->address, arg, line);
1131 				break;
1132 			case 0:
1133 			case -1:
1134 				result = 0;
1135 				break;
1136 			case -2:
1137 				return -1;
1138 			}
1139 		} else if (strcasecmp(attrib, "localaddress") == 0){
1140 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1141 				result = 0;
1142 				continue;
1143 			}
1144 			if (ci->laddress == NULL)
1145 				match_test_missing_fatal("LocalAddress",
1146 				    "laddr");
1147 			switch (addr_match_list(ci->laddress, arg)) {
1148 			case 1:
1149 				debug("connection from %.100s matched "
1150 				    "'LocalAddress %.100s' at line %d",
1151 				    ci->laddress, arg, line);
1152 				break;
1153 			case 0:
1154 			case -1:
1155 				result = 0;
1156 				break;
1157 			case -2:
1158 				return -1;
1159 			}
1160 		} else if (strcasecmp(attrib, "localport") == 0) {
1161 			if ((port = a2port(arg)) == -1) {
1162 				error("Invalid LocalPort '%s' on Match line",
1163 				    arg);
1164 				return -1;
1165 			}
1166 			if (ci == NULL || (ci->test && ci->lport == -1)) {
1167 				result = 0;
1168 				continue;
1169 			}
1170 			if (ci->lport == 0)
1171 				match_test_missing_fatal("LocalPort", "lport");
1172 			/* TODO support port lists */
1173 			if (port == ci->lport)
1174 				debug("connection from %.100s matched "
1175 				    "'LocalPort %d' at line %d",
1176 				    ci->laddress, port, line);
1177 			else
1178 				result = 0;
1179 		} else if (strcasecmp(attrib, "rdomain") == 0) {
1180 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1181 				result = 0;
1182 				continue;
1183 			}
1184 			if (ci->rdomain == NULL)
1185 				match_test_missing_fatal("RDomain", "rdomain");
1186 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1187 				result = 0;
1188 			else
1189 				debug("user %.100s matched 'RDomain %.100s' at "
1190 				    "line %d", ci->rdomain, arg, line);
1191 		} else {
1192 			error("Unsupported Match attribute %s", attrib);
1193 			return -1;
1194 		}
1195 	}
1196 	if (attributes == 0) {
1197 		error("One or more attributes required for Match");
1198 		return -1;
1199 	}
1200 	if (ci != NULL)
1201 		debug3("match %sfound", result ? "" : "not ");
1202 	*condition = cp;
1203 	return result;
1204 }
1205 
1206 #define WHITESPACE " \t\r\n"
1207 
1208 /* Multistate option parsing */
1209 struct multistate {
1210 	char *key;
1211 	int value;
1212 };
1213 static const struct multistate multistate_flag[] = {
1214 	{ "yes",			1 },
1215 	{ "no",				0 },
1216 	{ NULL, -1 }
1217 };
1218 static const struct multistate multistate_ignore_rhosts[] = {
1219 	{ "yes",			IGNORE_RHOSTS_YES },
1220 	{ "no",				IGNORE_RHOSTS_NO },
1221 	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1222 	{ NULL, -1 }
1223 };
1224 static const struct multistate multistate_addressfamily[] = {
1225 	{ "inet",			AF_INET },
1226 	{ "inet6",			AF_INET6 },
1227 	{ "any",			AF_UNSPEC },
1228 	{ NULL, -1 }
1229 };
1230 static const struct multistate multistate_permitrootlogin[] = {
1231 	{ "without-password",		PERMIT_NO_PASSWD },
1232 	{ "prohibit-password",		PERMIT_NO_PASSWD },
1233 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
1234 	{ "yes",			PERMIT_YES },
1235 	{ "no",				PERMIT_NO },
1236 	{ NULL, -1 }
1237 };
1238 static const struct multistate multistate_compression[] = {
1239 #ifdef WITH_ZLIB
1240 	{ "yes",			COMP_DELAYED },
1241 	{ "delayed",			COMP_DELAYED },
1242 #endif
1243 	{ "no",				COMP_NONE },
1244 	{ NULL, -1 }
1245 };
1246 static const struct multistate multistate_gatewayports[] = {
1247 	{ "clientspecified",		2 },
1248 	{ "yes",			1 },
1249 	{ "no",				0 },
1250 	{ NULL, -1 }
1251 };
1252 static const struct multistate multistate_tcpfwd[] = {
1253 	{ "yes",			FORWARD_ALLOW },
1254 	{ "all",			FORWARD_ALLOW },
1255 	{ "no",				FORWARD_DENY },
1256 	{ "remote",			FORWARD_REMOTE },
1257 	{ "local",			FORWARD_LOCAL },
1258 	{ NULL, -1 }
1259 };
1260 
1261 static int
1262 process_server_config_line_depth(ServerOptions *options, char *line,
1263     const char *filename, int linenum, int *activep,
1264     struct connection_info *connectinfo, int *inc_flags, int depth,
1265     struct include_list *includes)
1266 {
1267 	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
1268 	int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1269 	SyslogFacility *log_facility_ptr;
1270 	LogLevel *log_level_ptr;
1271 	ServerOpCodes opcode;
1272 	u_int i, *uintptr, uvalue, flags = 0;
1273 	size_t len;
1274 	long long val64;
1275 	const struct multistate *multistate_ptr;
1276 	const char *errstr;
1277 	struct include_item *item;
1278 	glob_t gbuf;
1279 
1280 	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1281 	if ((len = strlen(line)) == 0)
1282 		return 0;
1283 	for (len--; len > 0; len--) {
1284 		if (strchr(WHITESPACE "\f", line[len]) == NULL)
1285 			break;
1286 		line[len] = '\0';
1287 	}
1288 
1289 	cp = line;
1290 	if ((arg = strdelim(&cp)) == NULL)
1291 		return 0;
1292 	/* Ignore leading whitespace */
1293 	if (*arg == '\0')
1294 		arg = strdelim(&cp);
1295 	if (!arg || !*arg || *arg == '#')
1296 		return 0;
1297 	intptr = NULL;
1298 	charptr = NULL;
1299 	opcode = parse_token(arg, filename, linenum, &flags);
1300 
1301 	if (activep == NULL) { /* We are processing a command line directive */
1302 		cmdline = 1;
1303 		activep = &cmdline;
1304 	}
1305 	if (*activep && opcode != sMatch && opcode != sInclude)
1306 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1307 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1308 		if (connectinfo == NULL) {
1309 			fatal("%s line %d: Directive '%s' is not allowed "
1310 			    "within a Match block", filename, linenum, arg);
1311 		} else { /* this is a directive we have already processed */
1312 			while (arg)
1313 				arg = strdelim(&cp);
1314 			return 0;
1315 		}
1316 	}
1317 
1318 	switch (opcode) {
1319 	/* Portable-specific options */
1320 	case sUsePAM:
1321 		intptr = &options->use_pam;
1322 		goto parse_flag;
1323 
1324 	/* Standard Options */
1325 	case sBadOption:
1326 		return -1;
1327 	case sPort:
1328 		/* ignore ports from configfile if cmdline specifies ports */
1329 		if (options->ports_from_cmdline)
1330 			return 0;
1331 		if (options->num_ports >= MAX_PORTS)
1332 			fatal("%s line %d: too many ports.",
1333 			    filename, linenum);
1334 		arg = strdelim(&cp);
1335 		if (!arg || *arg == '\0')
1336 			fatal("%s line %d: missing port number.",
1337 			    filename, linenum);
1338 		options->ports[options->num_ports++] = a2port(arg);
1339 		if (options->ports[options->num_ports-1] <= 0)
1340 			fatal("%s line %d: Badly formatted port number.",
1341 			    filename, linenum);
1342 		break;
1343 
1344 	case sLoginGraceTime:
1345 		intptr = &options->login_grace_time;
1346  parse_time:
1347 		arg = strdelim(&cp);
1348 		if (!arg || *arg == '\0')
1349 			fatal("%s line %d: missing time value.",
1350 			    filename, linenum);
1351 		if ((value = convtime(arg)) == -1)
1352 			fatal("%s line %d: invalid time value.",
1353 			    filename, linenum);
1354 		if (*activep && *intptr == -1)
1355 			*intptr = value;
1356 		break;
1357 
1358 	case sListenAddress:
1359 		arg = strdelim(&cp);
1360 		if (arg == NULL || *arg == '\0')
1361 			fatal("%s line %d: missing address",
1362 			    filename, linenum);
1363 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1364 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1365 		    && strchr(p+1, ':') != NULL) {
1366 			port = 0;
1367 			p = arg;
1368 		} else {
1369 			arg2 = NULL;
1370 			ch = '\0';
1371 			p = hpdelim2(&arg, &ch);
1372 			if (p == NULL || ch == '/')
1373 				fatal("%s line %d: bad address:port usage",
1374 				    filename, linenum);
1375 			p = cleanhostname(p);
1376 			if (arg == NULL)
1377 				port = 0;
1378 			else if ((port = a2port(arg)) <= 0)
1379 				fatal("%s line %d: bad port number",
1380 				    filename, linenum);
1381 		}
1382 		/* Optional routing table */
1383 		arg2 = NULL;
1384 		if ((arg = strdelim(&cp)) != NULL) {
1385 			if (strcmp(arg, "rdomain") != 0 ||
1386 			    (arg2 = strdelim(&cp)) == NULL)
1387 				fatal("%s line %d: bad ListenAddress syntax",
1388 				    filename, linenum);
1389 			if (!valid_rdomain(arg2))
1390 				fatal("%s line %d: bad routing domain",
1391 				    filename, linenum);
1392 		}
1393 
1394 		queue_listen_addr(options, p, arg2, port);
1395 
1396 		break;
1397 
1398 	case sAddressFamily:
1399 		intptr = &options->address_family;
1400 		multistate_ptr = multistate_addressfamily;
1401  parse_multistate:
1402 		arg = strdelim(&cp);
1403 		if (!arg || *arg == '\0')
1404 			fatal("%s line %d: missing argument.",
1405 			    filename, linenum);
1406 		value = -1;
1407 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1408 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1409 				value = multistate_ptr[i].value;
1410 				break;
1411 			}
1412 		}
1413 		if (value == -1)
1414 			fatal("%s line %d: unsupported option \"%s\".",
1415 			    filename, linenum, arg);
1416 		if (*activep && *intptr == -1)
1417 			*intptr = value;
1418 		break;
1419 
1420 	case sHostKeyFile:
1421 		arg = strdelim(&cp);
1422 		if (!arg || *arg == '\0')
1423 			fatal("%s line %d: missing file name.",
1424 			    filename, linenum);
1425 		if (*activep) {
1426 			servconf_add_hostkey(filename, linenum,
1427 			    options, arg, 1);
1428 		}
1429 		break;
1430 
1431 	case sHostKeyAgent:
1432 		charptr = &options->host_key_agent;
1433 		arg = strdelim(&cp);
1434 		if (!arg || *arg == '\0')
1435 			fatal("%s line %d: missing socket name.",
1436 			    filename, linenum);
1437 		if (*activep && *charptr == NULL)
1438 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1439 			    xstrdup(arg) : derelativise_path(arg);
1440 		break;
1441 
1442 	case sHostCertificate:
1443 		arg = strdelim(&cp);
1444 		if (!arg || *arg == '\0')
1445 			fatal("%s line %d: missing file name.",
1446 			    filename, linenum);
1447 		if (*activep)
1448 			servconf_add_hostcert(filename, linenum, options, arg);
1449 		break;
1450 
1451 	case sPidFile:
1452 		charptr = &options->pid_file;
1453  parse_filename:
1454 		arg = strdelim(&cp);
1455 		if (!arg || *arg == '\0')
1456 			fatal("%s line %d: missing file name.",
1457 			    filename, linenum);
1458 		if (*activep && *charptr == NULL) {
1459 			*charptr = derelativise_path(arg);
1460 			/* increase optional counter */
1461 			if (intptr != NULL)
1462 				*intptr = *intptr + 1;
1463 		}
1464 		break;
1465 
1466 	case sPermitRootLogin:
1467 		intptr = &options->permit_root_login;
1468 		multistate_ptr = multistate_permitrootlogin;
1469 		goto parse_multistate;
1470 
1471 	case sIgnoreRhosts:
1472 		intptr = &options->ignore_rhosts;
1473 		multistate_ptr = multistate_ignore_rhosts;
1474 		goto parse_multistate;
1475 
1476 	case sIgnoreUserKnownHosts:
1477 		intptr = &options->ignore_user_known_hosts;
1478  parse_flag:
1479 		multistate_ptr = multistate_flag;
1480 		goto parse_multistate;
1481 
1482 	case sHostbasedAuthentication:
1483 		intptr = &options->hostbased_authentication;
1484 		goto parse_flag;
1485 
1486 	case sHostbasedUsesNameFromPacketOnly:
1487 		intptr = &options->hostbased_uses_name_from_packet_only;
1488 		goto parse_flag;
1489 
1490 	case sHostbasedAcceptedKeyTypes:
1491 		charptr = &options->hostbased_key_types;
1492  parse_keytypes:
1493 		arg = strdelim(&cp);
1494 		if (!arg || *arg == '\0')
1495 			fatal("%s line %d: Missing argument.",
1496 			    filename, linenum);
1497 		if (*arg != '-' &&
1498 		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1499 		    arg + 1 : arg, 1))
1500 			fatal("%s line %d: Bad key types '%s'.",
1501 			    filename, linenum, arg ? arg : "<NONE>");
1502 		if (*activep && *charptr == NULL)
1503 			*charptr = xstrdup(arg);
1504 		break;
1505 
1506 	case sHostKeyAlgorithms:
1507 		charptr = &options->hostkeyalgorithms;
1508 		goto parse_keytypes;
1509 
1510 	case sCASignatureAlgorithms:
1511 		charptr = &options->ca_sign_algorithms;
1512 		goto parse_keytypes;
1513 
1514 	case sPubkeyAuthentication:
1515 		intptr = &options->pubkey_authentication;
1516 		goto parse_flag;
1517 
1518 	case sPubkeyAcceptedKeyTypes:
1519 		charptr = &options->pubkey_key_types;
1520 		goto parse_keytypes;
1521 
1522 	case sPubkeyAuthOptions:
1523 		intptr = &options->pubkey_auth_options;
1524 		value = 0;
1525 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1526 			if (strcasecmp(arg, "none") == 0)
1527 				continue;
1528 			if (strcasecmp(arg, "touch-required") == 0)
1529 				value |= PUBKEYAUTH_TOUCH_REQUIRED;
1530 			else {
1531 				fatal("%s line %d: unsupported "
1532 				    "PubkeyAuthOptions option %s",
1533 				    filename, linenum, arg);
1534 			}
1535 		}
1536 		if (*activep && *intptr == -1)
1537 			*intptr = value;
1538 		break;
1539 
1540 	case sKerberosAuthentication:
1541 		intptr = &options->kerberos_authentication;
1542 		goto parse_flag;
1543 
1544 	case sKerberosOrLocalPasswd:
1545 		intptr = &options->kerberos_or_local_passwd;
1546 		goto parse_flag;
1547 
1548 	case sKerberosTicketCleanup:
1549 		intptr = &options->kerberos_ticket_cleanup;
1550 		goto parse_flag;
1551 
1552 	case sKerberosGetAFSToken:
1553 		intptr = &options->kerberos_get_afs_token;
1554 		goto parse_flag;
1555 
1556 	case sGssAuthentication:
1557 		intptr = &options->gss_authentication;
1558 		goto parse_flag;
1559 
1560 	case sGssCleanupCreds:
1561 		intptr = &options->gss_cleanup_creds;
1562 		goto parse_flag;
1563 
1564 	case sGssStrictAcceptor:
1565 		intptr = &options->gss_strict_acceptor;
1566 		goto parse_flag;
1567 
1568 	case sPasswordAuthentication:
1569 		intptr = &options->password_authentication;
1570 		goto parse_flag;
1571 
1572 	case sKbdInteractiveAuthentication:
1573 		intptr = &options->kbd_interactive_authentication;
1574 		goto parse_flag;
1575 
1576 	case sChallengeResponseAuthentication:
1577 		intptr = &options->challenge_response_authentication;
1578 		goto parse_flag;
1579 
1580 	case sPrintMotd:
1581 		intptr = &options->print_motd;
1582 		goto parse_flag;
1583 
1584 	case sPrintLastLog:
1585 		intptr = &options->print_lastlog;
1586 		goto parse_flag;
1587 
1588 	case sX11Forwarding:
1589 		intptr = &options->x11_forwarding;
1590 		goto parse_flag;
1591 
1592 	case sX11DisplayOffset:
1593 		intptr = &options->x11_display_offset;
1594  parse_int:
1595 		arg = strdelim(&cp);
1596 		if ((errstr = atoi_err(arg, &value)) != NULL)
1597 			fatal("%s line %d: integer value %s.",
1598 			    filename, linenum, errstr);
1599 		if (*activep && *intptr == -1)
1600 			*intptr = value;
1601 		break;
1602 
1603 	case sX11UseLocalhost:
1604 		intptr = &options->x11_use_localhost;
1605 		goto parse_flag;
1606 
1607 	case sXAuthLocation:
1608 		charptr = &options->xauth_location;
1609 		goto parse_filename;
1610 
1611 	case sPermitTTY:
1612 		intptr = &options->permit_tty;
1613 		goto parse_flag;
1614 
1615 	case sPermitUserRC:
1616 		intptr = &options->permit_user_rc;
1617 		goto parse_flag;
1618 
1619 	case sStrictModes:
1620 		intptr = &options->strict_modes;
1621 		goto parse_flag;
1622 
1623 	case sTCPKeepAlive:
1624 		intptr = &options->tcp_keep_alive;
1625 		goto parse_flag;
1626 
1627 	case sEmptyPasswd:
1628 		intptr = &options->permit_empty_passwd;
1629 		goto parse_flag;
1630 
1631 	case sPermitUserEnvironment:
1632 		intptr = &options->permit_user_env;
1633 		charptr = &options->permit_user_env_whitelist;
1634 		arg = strdelim(&cp);
1635 		if (!arg || *arg == '\0')
1636 			fatal("%s line %d: missing argument.",
1637 			    filename, linenum);
1638 		value = 0;
1639 		p = NULL;
1640 		if (strcmp(arg, "yes") == 0)
1641 			value = 1;
1642 		else if (strcmp(arg, "no") == 0)
1643 			value = 0;
1644 		else {
1645 			/* Pattern-list specified */
1646 			value = 1;
1647 			p = xstrdup(arg);
1648 		}
1649 		if (*activep && *intptr == -1) {
1650 			*intptr = value;
1651 			*charptr = p;
1652 			p = NULL;
1653 		}
1654 		free(p);
1655 		break;
1656 
1657 	case sCompression:
1658 		intptr = &options->compression;
1659 		multistate_ptr = multistate_compression;
1660 		goto parse_multistate;
1661 
1662 	case sRekeyLimit:
1663 		arg = strdelim(&cp);
1664 		if (!arg || *arg == '\0')
1665 			fatal("%.200s line %d: Missing argument.", filename,
1666 			    linenum);
1667 		if (strcmp(arg, "default") == 0) {
1668 			val64 = 0;
1669 		} else {
1670 			if (scan_scaled(arg, &val64) == -1)
1671 				fatal("%.200s line %d: Bad number '%s': %s",
1672 				    filename, linenum, arg, strerror(errno));
1673 			if (val64 != 0 && val64 < 16)
1674 				fatal("%.200s line %d: RekeyLimit too small",
1675 				    filename, linenum);
1676 		}
1677 		if (*activep && options->rekey_limit == -1)
1678 			options->rekey_limit = val64;
1679 		if (cp != NULL) { /* optional rekey interval present */
1680 			if (strcmp(cp, "none") == 0) {
1681 				(void)strdelim(&cp);	/* discard */
1682 				break;
1683 			}
1684 			intptr = &options->rekey_interval;
1685 			goto parse_time;
1686 		}
1687 		break;
1688 
1689 	case sGatewayPorts:
1690 		intptr = &options->fwd_opts.gateway_ports;
1691 		multistate_ptr = multistate_gatewayports;
1692 		goto parse_multistate;
1693 
1694 	case sUseDNS:
1695 		intptr = &options->use_dns;
1696 		goto parse_flag;
1697 
1698 	case sLogFacility:
1699 		log_facility_ptr = &options->log_facility;
1700 		arg = strdelim(&cp);
1701 		value = log_facility_number(arg);
1702 		if (value == SYSLOG_FACILITY_NOT_SET)
1703 			fatal("%.200s line %d: unsupported log facility '%s'",
1704 			    filename, linenum, arg ? arg : "<NONE>");
1705 		if (*log_facility_ptr == -1)
1706 			*log_facility_ptr = (SyslogFacility) value;
1707 		break;
1708 
1709 	case sLogLevel:
1710 		log_level_ptr = &options->log_level;
1711 		arg = strdelim(&cp);
1712 		value = log_level_number(arg);
1713 		if (value == SYSLOG_LEVEL_NOT_SET)
1714 			fatal("%.200s line %d: unsupported log level '%s'",
1715 			    filename, linenum, arg ? arg : "<NONE>");
1716 		if (*activep && *log_level_ptr == -1)
1717 			*log_level_ptr = (LogLevel) value;
1718 		break;
1719 
1720 	case sAllowTcpForwarding:
1721 		intptr = &options->allow_tcp_forwarding;
1722 		multistate_ptr = multistate_tcpfwd;
1723 		goto parse_multistate;
1724 
1725 	case sAllowStreamLocalForwarding:
1726 		intptr = &options->allow_streamlocal_forwarding;
1727 		multistate_ptr = multistate_tcpfwd;
1728 		goto parse_multistate;
1729 
1730 	case sAllowAgentForwarding:
1731 		intptr = &options->allow_agent_forwarding;
1732 		goto parse_flag;
1733 
1734 	case sDisableForwarding:
1735 		intptr = &options->disable_forwarding;
1736 		goto parse_flag;
1737 
1738 	case sAllowUsers:
1739 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1740 			if (match_user(NULL, NULL, NULL, arg) == -1)
1741 				fatal("%s line %d: invalid AllowUsers pattern: "
1742 				    "\"%.100s\"", filename, linenum, arg);
1743 			if (!*activep)
1744 				continue;
1745 			array_append(filename, linenum, "AllowUsers",
1746 			    &options->allow_users, &options->num_allow_users,
1747 			    arg);
1748 		}
1749 		break;
1750 
1751 	case sDenyUsers:
1752 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1753 			if (match_user(NULL, NULL, NULL, arg) == -1)
1754 				fatal("%s line %d: invalid DenyUsers pattern: "
1755 				    "\"%.100s\"", filename, linenum, arg);
1756 			if (!*activep)
1757 				continue;
1758 			array_append(filename, linenum, "DenyUsers",
1759 			    &options->deny_users, &options->num_deny_users,
1760 			    arg);
1761 		}
1762 		break;
1763 
1764 	case sAllowGroups:
1765 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1766 			if (!*activep)
1767 				continue;
1768 			array_append(filename, linenum, "AllowGroups",
1769 			    &options->allow_groups, &options->num_allow_groups,
1770 			    arg);
1771 		}
1772 		break;
1773 
1774 	case sDenyGroups:
1775 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1776 			if (!*activep)
1777 				continue;
1778 			array_append(filename, linenum, "DenyGroups",
1779 			    &options->deny_groups, &options->num_deny_groups,
1780 			    arg);
1781 		}
1782 		break;
1783 
1784 	case sCiphers:
1785 		arg = strdelim(&cp);
1786 		if (!arg || *arg == '\0')
1787 			fatal("%s line %d: Missing argument.", filename, linenum);
1788 		if (*arg != '-' &&
1789 		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1790 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1791 			    filename, linenum, arg ? arg : "<NONE>");
1792 		if (options->ciphers == NULL)
1793 			options->ciphers = xstrdup(arg);
1794 		break;
1795 
1796 	case sMacs:
1797 		arg = strdelim(&cp);
1798 		if (!arg || *arg == '\0')
1799 			fatal("%s line %d: Missing argument.", filename, linenum);
1800 		if (*arg != '-' &&
1801 		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1802 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1803 			    filename, linenum, arg ? arg : "<NONE>");
1804 		if (options->macs == NULL)
1805 			options->macs = xstrdup(arg);
1806 		break;
1807 
1808 	case sKexAlgorithms:
1809 		arg = strdelim(&cp);
1810 		if (!arg || *arg == '\0')
1811 			fatal("%s line %d: Missing argument.",
1812 			    filename, linenum);
1813 		if (*arg != '-' &&
1814 		    !kex_names_valid(*arg == '+' || *arg == '^' ?
1815 		    arg + 1 : arg))
1816 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1817 			    filename, linenum, arg ? arg : "<NONE>");
1818 		if (options->kex_algorithms == NULL)
1819 			options->kex_algorithms = xstrdup(arg);
1820 		break;
1821 
1822 	case sSubsystem:
1823 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1824 			fatal("%s line %d: too many subsystems defined.",
1825 			    filename, linenum);
1826 		}
1827 		arg = strdelim(&cp);
1828 		if (!arg || *arg == '\0')
1829 			fatal("%s line %d: Missing subsystem name.",
1830 			    filename, linenum);
1831 		if (!*activep) {
1832 			arg = strdelim(&cp);
1833 			break;
1834 		}
1835 		for (i = 0; i < options->num_subsystems; i++)
1836 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1837 				fatal("%s line %d: Subsystem '%s' already defined.",
1838 				    filename, linenum, arg);
1839 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1840 		arg = strdelim(&cp);
1841 		if (!arg || *arg == '\0')
1842 			fatal("%s line %d: Missing subsystem command.",
1843 			    filename, linenum);
1844 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1845 
1846 		/* Collect arguments (separate to executable) */
1847 		p = xstrdup(arg);
1848 		len = strlen(p) + 1;
1849 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1850 			len += 1 + strlen(arg);
1851 			p = xreallocarray(p, 1, len);
1852 			strlcat(p, " ", len);
1853 			strlcat(p, arg, len);
1854 		}
1855 		options->subsystem_args[options->num_subsystems] = p;
1856 		options->num_subsystems++;
1857 		break;
1858 
1859 	case sMaxStartups:
1860 		arg = strdelim(&cp);
1861 		if (!arg || *arg == '\0')
1862 			fatal("%s line %d: Missing MaxStartups spec.",
1863 			    filename, linenum);
1864 		if ((n = sscanf(arg, "%d:%d:%d",
1865 		    &options->max_startups_begin,
1866 		    &options->max_startups_rate,
1867 		    &options->max_startups)) == 3) {
1868 			if (options->max_startups_begin >
1869 			    options->max_startups ||
1870 			    options->max_startups_rate > 100 ||
1871 			    options->max_startups_rate < 1)
1872 				fatal("%s line %d: Illegal MaxStartups spec.",
1873 				    filename, linenum);
1874 		} else if (n != 1)
1875 			fatal("%s line %d: Illegal MaxStartups spec.",
1876 			    filename, linenum);
1877 		else
1878 			options->max_startups = options->max_startups_begin;
1879 		break;
1880 
1881 	case sMaxAuthTries:
1882 		intptr = &options->max_authtries;
1883 		goto parse_int;
1884 
1885 	case sMaxSessions:
1886 		intptr = &options->max_sessions;
1887 		goto parse_int;
1888 
1889 	case sBanner:
1890 		charptr = &options->banner;
1891 		goto parse_filename;
1892 
1893 	/*
1894 	 * These options can contain %X options expanded at
1895 	 * connect time, so that you can specify paths like:
1896 	 *
1897 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1898 	 */
1899 	case sAuthorizedKeysFile:
1900 		if (*activep && options->num_authkeys_files == 0) {
1901 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1902 				arg = tilde_expand_filename(arg, getuid());
1903 				array_append(filename, linenum,
1904 				    "AuthorizedKeysFile",
1905 				    &options->authorized_keys_files,
1906 				    &options->num_authkeys_files, arg);
1907 				free(arg);
1908 			}
1909 		}
1910 		return 0;
1911 
1912 	case sAuthorizedPrincipalsFile:
1913 		charptr = &options->authorized_principals_file;
1914 		arg = strdelim(&cp);
1915 		if (!arg || *arg == '\0')
1916 			fatal("%s line %d: missing file name.",
1917 			    filename, linenum);
1918 		if (*activep && *charptr == NULL) {
1919 			*charptr = tilde_expand_filename(arg, getuid());
1920 			/* increase optional counter */
1921 			if (intptr != NULL)
1922 				*intptr = *intptr + 1;
1923 		}
1924 		break;
1925 
1926 	case sClientAliveInterval:
1927 		intptr = &options->client_alive_interval;
1928 		goto parse_time;
1929 
1930 	case sClientAliveCountMax:
1931 		intptr = &options->client_alive_count_max;
1932 		goto parse_int;
1933 
1934 	case sAcceptEnv:
1935 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1936 			if (strchr(arg, '=') != NULL)
1937 				fatal("%s line %d: Invalid environment name.",
1938 				    filename, linenum);
1939 			if (!*activep)
1940 				continue;
1941 			array_append(filename, linenum, "AcceptEnv",
1942 			    &options->accept_env, &options->num_accept_env,
1943 			    arg);
1944 		}
1945 		break;
1946 
1947 	case sSetEnv:
1948 		uvalue = options->num_setenv;
1949 		while ((arg = strdelimw(&cp)) && *arg != '\0') {
1950 			if (strchr(arg, '=') == NULL)
1951 				fatal("%s line %d: Invalid environment.",
1952 				    filename, linenum);
1953 			if (!*activep || uvalue != 0)
1954 				continue;
1955 			array_append(filename, linenum, "SetEnv",
1956 			    &options->setenv, &options->num_setenv, arg);
1957 		}
1958 		break;
1959 
1960 	case sPermitTunnel:
1961 		intptr = &options->permit_tun;
1962 		arg = strdelim(&cp);
1963 		if (!arg || *arg == '\0')
1964 			fatal("%s line %d: Missing yes/point-to-point/"
1965 			    "ethernet/no argument.", filename, linenum);
1966 		value = -1;
1967 		for (i = 0; tunmode_desc[i].val != -1; i++)
1968 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
1969 				value = tunmode_desc[i].val;
1970 				break;
1971 			}
1972 		if (value == -1)
1973 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1974 			    "no argument: %s", filename, linenum, arg);
1975 		if (*activep && *intptr == -1)
1976 			*intptr = value;
1977 		break;
1978 
1979 	case sInclude:
1980 		if (cmdline) {
1981 			fatal("Include directive not supported as a "
1982 			    "command-line option");
1983 		}
1984 		value = 0;
1985 		while ((arg2 = strdelim(&cp)) != NULL && *arg2 != '\0') {
1986 			value++;
1987 			found = 0;
1988 			if (*arg2 != '/' && *arg2 != '~') {
1989 				xasprintf(&arg, "%s/%s", SSHDIR, arg2);
1990 			} else
1991 				arg = xstrdup(arg2);
1992 
1993 			/*
1994 			 * Don't let included files clobber the containing
1995 			 * file's Match state.
1996 			 */
1997 			oactive = *activep;
1998 
1999 			/* consult cache of include files */
2000 			TAILQ_FOREACH(item, includes, entry) {
2001 				if (strcmp(item->selector, arg) != 0)
2002 					continue;
2003 				if (item->filename != NULL) {
2004 					parse_server_config_depth(options,
2005 					    item->filename, item->contents,
2006 					    includes, connectinfo,
2007 					    (*inc_flags & SSHCFG_MATCH_ONLY
2008 					        ? SSHCFG_MATCH_ONLY : (oactive
2009 					            ? 0 : SSHCFG_NEVERMATCH)),
2010 					    activep, depth + 1);
2011 				}
2012 				found = 1;
2013 				*activep = oactive;
2014 			}
2015 			if (found != 0) {
2016 				free(arg);
2017 				continue;
2018 			}
2019 
2020 			/* requested glob was not in cache */
2021 			debug2("%s line %d: new include %s",
2022 			    filename, linenum, arg);
2023 			if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2024 				if (r != GLOB_NOMATCH) {
2025 					fatal("%s line %d: include \"%s\" "
2026 					    "glob failed", filename,
2027 					    linenum, arg);
2028 				}
2029 				/*
2030 				 * If no entry matched then record a
2031 				 * placeholder to skip later glob calls.
2032 				 */
2033 				debug2("%s line %d: no match for %s",
2034 				    filename, linenum, arg);
2035 				item = xcalloc(1, sizeof(*item));
2036 				item->selector = strdup(arg);
2037 				TAILQ_INSERT_TAIL(includes,
2038 				    item, entry);
2039 			}
2040 			if (gbuf.gl_pathc > INT_MAX)
2041 				fatal("%s: too many glob results", __func__);
2042 			for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2043 				debug2("%s line %d: including %s",
2044 				    filename, linenum, gbuf.gl_pathv[n]);
2045 				item = xcalloc(1, sizeof(*item));
2046 				item->selector = strdup(arg);
2047 				item->filename = strdup(gbuf.gl_pathv[n]);
2048 				if ((item->contents = sshbuf_new()) == NULL) {
2049 					fatal("%s: sshbuf_new failed",
2050 					    __func__);
2051 				}
2052 				load_server_config(item->filename,
2053 				    item->contents);
2054 				parse_server_config_depth(options,
2055 				    item->filename, item->contents,
2056 				    includes, connectinfo,
2057 				    (*inc_flags & SSHCFG_MATCH_ONLY
2058 				        ? SSHCFG_MATCH_ONLY : (oactive
2059 				            ? 0 : SSHCFG_NEVERMATCH)),
2060 				    activep, depth + 1);
2061 				*activep = oactive;
2062 				TAILQ_INSERT_TAIL(includes, item, entry);
2063 			}
2064 			globfree(&gbuf);
2065 			free(arg);
2066 		}
2067 		if (value == 0) {
2068 			fatal("%s line %d: Include missing filename argument",
2069 			    filename, linenum);
2070 		}
2071 		break;
2072 
2073 	case sMatch:
2074 		if (cmdline)
2075 			fatal("Match directive not supported as a command-line "
2076 			   "option");
2077 		value = match_cfg_line(&cp, linenum,
2078 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2079 		if (value < 0)
2080 			fatal("%s line %d: Bad Match condition", filename,
2081 			    linenum);
2082 		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2083 		/* The MATCH_ONLY is applicable only until the first match block */
2084 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2085 		break;
2086 
2087 	case sPermitListen:
2088 	case sPermitOpen:
2089 		if (opcode == sPermitListen) {
2090 			uintptr = &options->num_permitted_listens;
2091 			chararrayptr = &options->permitted_listens;
2092 		} else {
2093 			uintptr = &options->num_permitted_opens;
2094 			chararrayptr = &options->permitted_opens;
2095 		}
2096 		arg = strdelim(&cp);
2097 		if (!arg || *arg == '\0')
2098 			fatal("%s line %d: missing %s specification",
2099 			    filename, linenum, lookup_opcode_name(opcode));
2100 		uvalue = *uintptr;	/* modified later */
2101 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2102 			if (*activep && uvalue == 0) {
2103 				*uintptr = 1;
2104 				*chararrayptr = xcalloc(1,
2105 				    sizeof(**chararrayptr));
2106 				(*chararrayptr)[0] = xstrdup(arg);
2107 			}
2108 			break;
2109 		}
2110 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
2111 			if (opcode == sPermitListen &&
2112 			    strchr(arg, ':') == NULL) {
2113 				/*
2114 				 * Allow bare port number for PermitListen
2115 				 * to indicate a wildcard listen host.
2116 				 */
2117 				xasprintf(&arg2, "*:%s", arg);
2118 			} else {
2119 				arg2 = xstrdup(arg);
2120 				ch = '\0';
2121 				p = hpdelim2(&arg, &ch);
2122 				if (p == NULL || ch == '/') {
2123 					fatal("%s line %d: missing host in %s",
2124 					    filename, linenum,
2125 					    lookup_opcode_name(opcode));
2126 				}
2127 				p = cleanhostname(p);
2128 			}
2129 			if (arg == NULL ||
2130 			    ((port = permitopen_port(arg)) < 0)) {
2131 				fatal("%s line %d: bad port number in %s",
2132 				    filename, linenum,
2133 				    lookup_opcode_name(opcode));
2134 			}
2135 			if (*activep && uvalue == 0) {
2136 				array_append(filename, linenum,
2137 				    lookup_opcode_name(opcode),
2138 				    chararrayptr, uintptr, arg2);
2139 			}
2140 			free(arg2);
2141 		}
2142 		break;
2143 
2144 	case sForceCommand:
2145 		if (cp == NULL || *cp == '\0')
2146 			fatal("%.200s line %d: Missing argument.", filename,
2147 			    linenum);
2148 		len = strspn(cp, WHITESPACE);
2149 		if (*activep && options->adm_forced_command == NULL)
2150 			options->adm_forced_command = xstrdup(cp + len);
2151 		return 0;
2152 
2153 	case sChrootDirectory:
2154 		charptr = &options->chroot_directory;
2155 
2156 		arg = strdelim(&cp);
2157 		if (!arg || *arg == '\0')
2158 			fatal("%s line %d: missing file name.",
2159 			    filename, linenum);
2160 		if (*activep && *charptr == NULL)
2161 			*charptr = xstrdup(arg);
2162 		break;
2163 
2164 	case sTrustedUserCAKeys:
2165 		charptr = &options->trusted_user_ca_keys;
2166 		goto parse_filename;
2167 
2168 	case sRevokedKeys:
2169 		charptr = &options->revoked_keys_file;
2170 		goto parse_filename;
2171 
2172 	case sSecurityKeyProvider:
2173 		charptr = &options->sk_provider;
2174 		arg = strdelim(&cp);
2175 		if (!arg || *arg == '\0')
2176 			fatal("%s line %d: missing file name.",
2177 			    filename, linenum);
2178 		if (*activep && *charptr == NULL) {
2179 			*charptr = strcasecmp(arg, "internal") == 0 ?
2180 			    xstrdup(arg) : derelativise_path(arg);
2181 			/* increase optional counter */
2182 			if (intptr != NULL)
2183 				*intptr = *intptr + 1;
2184 		}
2185 		break;
2186 
2187 	case sIPQoS:
2188 		arg = strdelim(&cp);
2189 		if ((value = parse_ipqos(arg)) == -1)
2190 			fatal("%s line %d: Bad IPQoS value: %s",
2191 			    filename, linenum, arg);
2192 		arg = strdelim(&cp);
2193 		if (arg == NULL)
2194 			value2 = value;
2195 		else if ((value2 = parse_ipqos(arg)) == -1)
2196 			fatal("%s line %d: Bad IPQoS value: %s",
2197 			    filename, linenum, arg);
2198 		if (*activep) {
2199 			options->ip_qos_interactive = value;
2200 			options->ip_qos_bulk = value2;
2201 		}
2202 		break;
2203 
2204 	case sVersionAddendum:
2205 		if (cp == NULL || *cp == '\0')
2206 			fatal("%.200s line %d: Missing argument.", filename,
2207 			    linenum);
2208 		len = strspn(cp, WHITESPACE);
2209 		if (*activep && options->version_addendum == NULL) {
2210 			if (strcasecmp(cp + len, "none") == 0)
2211 				options->version_addendum = xstrdup("");
2212 			else if (strchr(cp + len, '\r') != NULL)
2213 				fatal("%.200s line %d: Invalid argument",
2214 				    filename, linenum);
2215 			else
2216 				options->version_addendum = xstrdup(cp + len);
2217 		}
2218 		return 0;
2219 
2220 	case sAuthorizedKeysCommand:
2221 		if (cp == NULL)
2222 			fatal("%.200s line %d: Missing argument.", filename,
2223 			    linenum);
2224 		len = strspn(cp, WHITESPACE);
2225 		if (*activep && options->authorized_keys_command == NULL) {
2226 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
2227 				fatal("%.200s line %d: AuthorizedKeysCommand "
2228 				    "must be an absolute path",
2229 				    filename, linenum);
2230 			options->authorized_keys_command = xstrdup(cp + len);
2231 		}
2232 		return 0;
2233 
2234 	case sAuthorizedKeysCommandUser:
2235 		charptr = &options->authorized_keys_command_user;
2236 
2237 		arg = strdelim(&cp);
2238 		if (!arg || *arg == '\0')
2239 			fatal("%s line %d: missing AuthorizedKeysCommandUser "
2240 			    "argument.", filename, linenum);
2241 		if (*activep && *charptr == NULL)
2242 			*charptr = xstrdup(arg);
2243 		break;
2244 
2245 	case sAuthorizedPrincipalsCommand:
2246 		if (cp == NULL)
2247 			fatal("%.200s line %d: Missing argument.", filename,
2248 			    linenum);
2249 		len = strspn(cp, WHITESPACE);
2250 		if (*activep &&
2251 		    options->authorized_principals_command == NULL) {
2252 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
2253 				fatal("%.200s line %d: "
2254 				    "AuthorizedPrincipalsCommand must be "
2255 				    "an absolute path", filename, linenum);
2256 			options->authorized_principals_command =
2257 			    xstrdup(cp + len);
2258 		}
2259 		return 0;
2260 
2261 	case sAuthorizedPrincipalsCommandUser:
2262 		charptr = &options->authorized_principals_command_user;
2263 
2264 		arg = strdelim(&cp);
2265 		if (!arg || *arg == '\0')
2266 			fatal("%s line %d: missing "
2267 			    "AuthorizedPrincipalsCommandUser argument.",
2268 			    filename, linenum);
2269 		if (*activep && *charptr == NULL)
2270 			*charptr = xstrdup(arg);
2271 		break;
2272 
2273 	case sAuthenticationMethods:
2274 		if (options->num_auth_methods == 0) {
2275 			value = 0; /* seen "any" pseudo-method */
2276 			value2 = 0; /* successfully parsed any method */
2277 			while ((arg = strdelim(&cp)) && *arg != '\0') {
2278 				if (strcmp(arg, "any") == 0) {
2279 					if (options->num_auth_methods > 0) {
2280 						fatal("%s line %d: \"any\" "
2281 						    "must appear alone in "
2282 						    "AuthenticationMethods",
2283 						    filename, linenum);
2284 					}
2285 					value = 1;
2286 				} else if (value) {
2287 					fatal("%s line %d: \"any\" must appear "
2288 					    "alone in AuthenticationMethods",
2289 					    filename, linenum);
2290 				} else if (auth2_methods_valid(arg, 0) != 0) {
2291 					fatal("%s line %d: invalid "
2292 					    "authentication method list.",
2293 					    filename, linenum);
2294 				}
2295 				value2 = 1;
2296 				if (!*activep)
2297 					continue;
2298 				array_append(filename, linenum,
2299 				    "AuthenticationMethods",
2300 				    &options->auth_methods,
2301 				    &options->num_auth_methods, arg);
2302 			}
2303 			if (value2 == 0) {
2304 				fatal("%s line %d: no AuthenticationMethods "
2305 				    "specified", filename, linenum);
2306 			}
2307 		}
2308 		return 0;
2309 
2310 	case sStreamLocalBindMask:
2311 		arg = strdelim(&cp);
2312 		if (!arg || *arg == '\0')
2313 			fatal("%s line %d: missing StreamLocalBindMask "
2314 			    "argument.", filename, linenum);
2315 		/* Parse mode in octal format */
2316 		value = strtol(arg, &p, 8);
2317 		if (arg == p || value < 0 || value > 0777)
2318 			fatal("%s line %d: Bad mask.", filename, linenum);
2319 		if (*activep)
2320 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2321 		break;
2322 
2323 	case sStreamLocalBindUnlink:
2324 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
2325 		goto parse_flag;
2326 
2327 	case sFingerprintHash:
2328 		arg = strdelim(&cp);
2329 		if (!arg || *arg == '\0')
2330 			fatal("%.200s line %d: Missing argument.",
2331 			    filename, linenum);
2332 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
2333 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
2334 			    filename, linenum, arg);
2335 		if (*activep)
2336 			options->fingerprint_hash = value;
2337 		break;
2338 
2339 	case sExposeAuthInfo:
2340 		intptr = &options->expose_userauth_info;
2341 		goto parse_flag;
2342 
2343 	case sRDomain:
2344 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2345 		fatal("%s line %d: setting RDomain not supported on this "
2346 		    "platform.", filename, linenum);
2347 #endif
2348 		charptr = &options->routing_domain;
2349 		arg = strdelim(&cp);
2350 		if (!arg || *arg == '\0')
2351 			fatal("%.200s line %d: Missing argument.",
2352 			    filename, linenum);
2353 		if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2354 		    !valid_rdomain(arg))
2355 			fatal("%s line %d: bad routing domain",
2356 			    filename, linenum);
2357 		if (*activep && *charptr == NULL)
2358 			*charptr = xstrdup(arg);
2359 		break;
2360 
2361 	case sDeprecated:
2362 	case sIgnore:
2363 	case sUnsupported:
2364 		do_log2(opcode == sIgnore ?
2365 		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2366 		    "%s line %d: %s option %s", filename, linenum,
2367 		    opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
2368 		while (arg)
2369 		    arg = strdelim(&cp);
2370 		break;
2371 
2372 	default:
2373 		fatal("%s line %d: Missing handler for opcode %s (%d)",
2374 		    filename, linenum, arg, opcode);
2375 	}
2376 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
2377 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
2378 		    filename, linenum, arg);
2379 	return 0;
2380 }
2381 
2382 int
2383 process_server_config_line(ServerOptions *options, char *line,
2384     const char *filename, int linenum, int *activep,
2385     struct connection_info *connectinfo, struct include_list *includes)
2386 {
2387 	int inc_flags = 0;
2388 
2389 	return process_server_config_line_depth(options, line, filename,
2390 	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2391 }
2392 
2393 
2394 /* Reads the server configuration file. */
2395 
2396 void
2397 load_server_config(const char *filename, struct sshbuf *conf)
2398 {
2399 	struct stat st;
2400 	char *line = NULL, *cp;
2401 	size_t linesize = 0;
2402 	FILE *f;
2403 	int r, lineno = 0;
2404 
2405 	debug2("%s: filename %s", __func__, filename);
2406 	if ((f = fopen(filename, "r")) == NULL) {
2407 		perror(filename);
2408 		exit(1);
2409 	}
2410 	sshbuf_reset(conf);
2411 	/* grow buffer, so realloc is avoided for large config files */
2412 	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2413             (r = sshbuf_allocate(conf, st.st_size)) != 0)
2414 		fatal("%s: allocate failed: %s", __func__, ssh_err(r));
2415 	while (getline(&line, &linesize, f) != -1) {
2416 		lineno++;
2417 		/*
2418 		 * Trim out comments and strip whitespace
2419 		 * NB - preserve newlines, they are needed to reproduce
2420 		 * line numbers later for error messages
2421 		 */
2422 		if ((cp = strchr(line, '#')) != NULL)
2423 			memcpy(cp, "\n", 2);
2424 		cp = line + strspn(line, " \t\r");
2425 		if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2426 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
2427 	}
2428 	free(line);
2429 	if ((r = sshbuf_put_u8(conf, 0)) != 0)
2430 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
2431 	fclose(f);
2432 	debug2("%s: done config len = %zu", __func__, sshbuf_len(conf));
2433 }
2434 
2435 void
2436 parse_server_match_config(ServerOptions *options,
2437    struct include_list *includes, struct connection_info *connectinfo)
2438 {
2439 	ServerOptions mo;
2440 
2441 	initialize_server_options(&mo);
2442 	parse_server_config(&mo, "reprocess config", cfg, includes,
2443 	    connectinfo);
2444 	copy_set_server_options(options, &mo, 0);
2445 }
2446 
2447 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2448 {
2449 	char *p;
2450 
2451 	while ((p = strsep(&spec, ",")) && *p != '\0') {
2452 		if (strncmp(p, "addr=", 5) == 0) {
2453 			ci->address = xstrdup(p + 5);
2454 		} else if (strncmp(p, "host=", 5) == 0) {
2455 			ci->host = xstrdup(p + 5);
2456 		} else if (strncmp(p, "user=", 5) == 0) {
2457 			ci->user = xstrdup(p + 5);
2458 		} else if (strncmp(p, "laddr=", 6) == 0) {
2459 			ci->laddress = xstrdup(p + 6);
2460 		} else if (strncmp(p, "rdomain=", 8) == 0) {
2461 			ci->rdomain = xstrdup(p + 8);
2462 		} else if (strncmp(p, "lport=", 6) == 0) {
2463 			ci->lport = a2port(p + 6);
2464 			if (ci->lport == -1) {
2465 				fprintf(stderr, "Invalid port '%s' in test mode"
2466 				   " specification %s\n", p+6, p);
2467 				return -1;
2468 			}
2469 		} else {
2470 			fprintf(stderr, "Invalid test mode specification %s\n",
2471 			   p);
2472 			return -1;
2473 		}
2474 	}
2475 	return 0;
2476 }
2477 
2478 /*
2479  * Copy any supported values that are set.
2480  *
2481  * If the preauth flag is set, we do not bother copying the string or
2482  * array values that are not used pre-authentication, because any that we
2483  * do use must be explicitly sent in mm_getpwnamallow().
2484  */
2485 void
2486 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2487 {
2488 #define M_CP_INTOPT(n) do {\
2489 	if (src->n != -1) \
2490 		dst->n = src->n; \
2491 } while (0)
2492 
2493 	M_CP_INTOPT(password_authentication);
2494 	M_CP_INTOPT(gss_authentication);
2495 	M_CP_INTOPT(pubkey_authentication);
2496 	M_CP_INTOPT(pubkey_auth_options);
2497 	M_CP_INTOPT(kerberos_authentication);
2498 	M_CP_INTOPT(hostbased_authentication);
2499 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2500 	M_CP_INTOPT(kbd_interactive_authentication);
2501 	M_CP_INTOPT(permit_root_login);
2502 	M_CP_INTOPT(permit_empty_passwd);
2503 	M_CP_INTOPT(ignore_rhosts);
2504 
2505 	M_CP_INTOPT(allow_tcp_forwarding);
2506 	M_CP_INTOPT(allow_streamlocal_forwarding);
2507 	M_CP_INTOPT(allow_agent_forwarding);
2508 	M_CP_INTOPT(disable_forwarding);
2509 	M_CP_INTOPT(expose_userauth_info);
2510 	M_CP_INTOPT(permit_tun);
2511 	M_CP_INTOPT(fwd_opts.gateway_ports);
2512 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2513 	M_CP_INTOPT(x11_display_offset);
2514 	M_CP_INTOPT(x11_forwarding);
2515 	M_CP_INTOPT(x11_use_localhost);
2516 	M_CP_INTOPT(permit_tty);
2517 	M_CP_INTOPT(permit_user_rc);
2518 	M_CP_INTOPT(max_sessions);
2519 	M_CP_INTOPT(max_authtries);
2520 	M_CP_INTOPT(client_alive_count_max);
2521 	M_CP_INTOPT(client_alive_interval);
2522 	M_CP_INTOPT(ip_qos_interactive);
2523 	M_CP_INTOPT(ip_qos_bulk);
2524 	M_CP_INTOPT(rekey_limit);
2525 	M_CP_INTOPT(rekey_interval);
2526 	M_CP_INTOPT(log_level);
2527 
2528 	/*
2529 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2530 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2531 	 * warnings.
2532 	 */
2533 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2534 		dst->fwd_opts.streamlocal_bind_mask =
2535 		    src->fwd_opts.streamlocal_bind_mask;
2536 	}
2537 
2538 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2539 #define M_CP_STROPT(n) do {\
2540 	if (src->n != NULL && dst->n != src->n) { \
2541 		free(dst->n); \
2542 		dst->n = src->n; \
2543 	} \
2544 } while(0)
2545 #define M_CP_STRARRAYOPT(s, num_s) do {\
2546 	u_int i; \
2547 	if (src->num_s != 0) { \
2548 		for (i = 0; i < dst->num_s; i++) \
2549 			free(dst->s[i]); \
2550 		free(dst->s); \
2551 		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2552 		for (i = 0; i < src->num_s; i++) \
2553 			dst->s[i] = xstrdup(src->s[i]); \
2554 		dst->num_s = src->num_s; \
2555 	} \
2556 } while(0)
2557 
2558 	/* See comment in servconf.h */
2559 	COPY_MATCH_STRING_OPTS();
2560 
2561 	/* Arguments that accept '+...' need to be expanded */
2562 	assemble_algorithms(dst);
2563 
2564 	/*
2565 	 * The only things that should be below this point are string options
2566 	 * which are only used after authentication.
2567 	 */
2568 	if (preauth)
2569 		return;
2570 
2571 	/* These options may be "none" to clear a global setting */
2572 	M_CP_STROPT(adm_forced_command);
2573 	if (option_clear_or_none(dst->adm_forced_command)) {
2574 		free(dst->adm_forced_command);
2575 		dst->adm_forced_command = NULL;
2576 	}
2577 	M_CP_STROPT(chroot_directory);
2578 	if (option_clear_or_none(dst->chroot_directory)) {
2579 		free(dst->chroot_directory);
2580 		dst->chroot_directory = NULL;
2581 	}
2582 }
2583 
2584 #undef M_CP_INTOPT
2585 #undef M_CP_STROPT
2586 #undef M_CP_STRARRAYOPT
2587 
2588 #define SERVCONF_MAX_DEPTH	16
2589 static void
2590 parse_server_config_depth(ServerOptions *options, const char *filename,
2591     struct sshbuf *conf, struct include_list *includes,
2592     struct connection_info *connectinfo, int flags, int *activep, int depth)
2593 {
2594 	int linenum, bad_options = 0;
2595 	char *cp, *obuf, *cbuf;
2596 
2597 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2598 		fatal("Too many recursive configuration includes");
2599 
2600 	debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
2601 	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2602 
2603 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2604 		fatal("%s: sshbuf_dup_string failed", __func__);
2605 	linenum = 1;
2606 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2607 		if (process_server_config_line_depth(options, cp,
2608 		    filename, linenum++, activep, connectinfo, &flags,
2609 		    depth, includes) != 0)
2610 			bad_options++;
2611 	}
2612 	free(obuf);
2613 	if (bad_options > 0)
2614 		fatal("%s: terminating, %d bad configuration options",
2615 		    filename, bad_options);
2616 }
2617 
2618 void
2619 parse_server_config(ServerOptions *options, const char *filename,
2620     struct sshbuf *conf, struct include_list *includes,
2621     struct connection_info *connectinfo)
2622 {
2623 	int active = connectinfo ? 0 : 1;
2624 	parse_server_config_depth(options, filename, conf, includes,
2625 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2626 	process_queued_listen_addrs(options);
2627 }
2628 
2629 static const char *
2630 fmt_multistate_int(int val, const struct multistate *m)
2631 {
2632 	u_int i;
2633 
2634 	for (i = 0; m[i].key != NULL; i++) {
2635 		if (m[i].value == val)
2636 			return m[i].key;
2637 	}
2638 	return "UNKNOWN";
2639 }
2640 
2641 static const char *
2642 fmt_intarg(ServerOpCodes code, int val)
2643 {
2644 	if (val == -1)
2645 		return "unset";
2646 	switch (code) {
2647 	case sAddressFamily:
2648 		return fmt_multistate_int(val, multistate_addressfamily);
2649 	case sPermitRootLogin:
2650 		return fmt_multistate_int(val, multistate_permitrootlogin);
2651 	case sGatewayPorts:
2652 		return fmt_multistate_int(val, multistate_gatewayports);
2653 	case sCompression:
2654 		return fmt_multistate_int(val, multistate_compression);
2655 	case sAllowTcpForwarding:
2656 		return fmt_multistate_int(val, multistate_tcpfwd);
2657 	case sAllowStreamLocalForwarding:
2658 		return fmt_multistate_int(val, multistate_tcpfwd);
2659 	case sIgnoreRhosts:
2660 		return fmt_multistate_int(val, multistate_ignore_rhosts);
2661 	case sFingerprintHash:
2662 		return ssh_digest_alg_name(val);
2663 	default:
2664 		switch (val) {
2665 		case 0:
2666 			return "no";
2667 		case 1:
2668 			return "yes";
2669 		default:
2670 			return "UNKNOWN";
2671 		}
2672 	}
2673 }
2674 
2675 static void
2676 dump_cfg_int(ServerOpCodes code, int val)
2677 {
2678 	printf("%s %d\n", lookup_opcode_name(code), val);
2679 }
2680 
2681 static void
2682 dump_cfg_oct(ServerOpCodes code, int val)
2683 {
2684 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2685 }
2686 
2687 static void
2688 dump_cfg_fmtint(ServerOpCodes code, int val)
2689 {
2690 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2691 }
2692 
2693 static void
2694 dump_cfg_string(ServerOpCodes code, const char *val)
2695 {
2696 	printf("%s %s\n", lookup_opcode_name(code),
2697 	    val == NULL ? "none" : val);
2698 }
2699 
2700 static void
2701 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2702 {
2703 	u_int i;
2704 
2705 	for (i = 0; i < count; i++)
2706 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2707 }
2708 
2709 static void
2710 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2711 {
2712 	u_int i;
2713 
2714 	if (count <= 0 && code != sAuthenticationMethods)
2715 		return;
2716 	printf("%s", lookup_opcode_name(code));
2717 	for (i = 0; i < count; i++)
2718 		printf(" %s",  vals[i]);
2719 	if (code == sAuthenticationMethods && count == 0)
2720 		printf(" any");
2721 	printf("\n");
2722 }
2723 
2724 static char *
2725 format_listen_addrs(struct listenaddr *la)
2726 {
2727 	int r;
2728 	struct addrinfo *ai;
2729 	char addr[NI_MAXHOST], port[NI_MAXSERV];
2730 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2731 
2732 	/*
2733 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2734 	 * addresses onto a stack, so to maintain ordering we need to
2735 	 * print these in reverse order.
2736 	 */
2737 	for (ai = la->addrs; ai; ai = ai->ai_next) {
2738 		if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2739 		    sizeof(addr), port, sizeof(port),
2740 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2741 			error("getnameinfo: %.100s", ssh_gai_strerror(r));
2742 			continue;
2743 		}
2744 		laddr2 = laddr1;
2745 		if (ai->ai_family == AF_INET6) {
2746 			xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2747 			    addr, port,
2748 			    la->rdomain == NULL ? "" : " rdomain ",
2749 			    la->rdomain == NULL ? "" : la->rdomain,
2750 			    laddr2);
2751 		} else {
2752 			xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2753 			    addr, port,
2754 			    la->rdomain == NULL ? "" : " rdomain ",
2755 			    la->rdomain == NULL ? "" : la->rdomain,
2756 			    laddr2);
2757 		}
2758 		free(laddr2);
2759 	}
2760 	return laddr1;
2761 }
2762 
2763 void
2764 dump_config(ServerOptions *o)
2765 {
2766 	char *s;
2767 	u_int i;
2768 
2769 	/* these are usually at the top of the config */
2770 	for (i = 0; i < o->num_ports; i++)
2771 		printf("port %d\n", o->ports[i]);
2772 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2773 
2774 	for (i = 0; i < o->num_listen_addrs; i++) {
2775 		s = format_listen_addrs(&o->listen_addrs[i]);
2776 		printf("%s", s);
2777 		free(s);
2778 	}
2779 
2780 	/* integer arguments */
2781 #ifdef USE_PAM
2782 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2783 #endif
2784 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2785 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2786 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2787 	dump_cfg_int(sMaxSessions, o->max_sessions);
2788 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2789 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2790 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2791 
2792 	/* formatted integer arguments */
2793 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2794 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2795 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2796 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2797 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2798 	    o->hostbased_uses_name_from_packet_only);
2799 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2800 #ifdef KRB5
2801 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2802 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2803 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2804 # ifdef USE_AFS
2805 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2806 # endif
2807 #endif
2808 #ifdef GSSAPI
2809 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2810 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2811 #endif
2812 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2813 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2814 	    o->kbd_interactive_authentication);
2815 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2816 	    o->challenge_response_authentication);
2817 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2818 #ifndef DISABLE_LASTLOG
2819 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2820 #endif
2821 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2822 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2823 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2824 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2825 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2826 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2827 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2828 	dump_cfg_fmtint(sCompression, o->compression);
2829 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2830 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2831 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2832 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2833 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2834 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2835 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2836 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2837 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2838 
2839 	/* string arguments */
2840 	dump_cfg_string(sPidFile, o->pid_file);
2841 	dump_cfg_string(sXAuthLocation, o->xauth_location);
2842 	dump_cfg_string(sCiphers, o->ciphers);
2843 	dump_cfg_string(sMacs, o->macs);
2844 	dump_cfg_string(sBanner, o->banner);
2845 	dump_cfg_string(sForceCommand, o->adm_forced_command);
2846 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
2847 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2848 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2849 	dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
2850 	dump_cfg_string(sAuthorizedPrincipalsFile,
2851 	    o->authorized_principals_file);
2852 	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2853 	    ? "none" : o->version_addendum);
2854 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2855 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2856 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2857 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2858 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2859 	dump_cfg_string