xref: /openssh-portable/servconf.c (revision b9225c3a)
1 
2 /* $OpenBSD: servconf.c,v 1.377 2021/02/24 01:18:08 dtucker Exp $ */
3 /*
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  */
13 
14 #include "includes.h"
15 
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <sys/stat.h>
19 #ifdef __OpenBSD__
20 #include <sys/sysctl.h>
21 #endif
22 
23 #include <netinet/in.h>
24 #include <netinet/in_systm.h>
25 #include <netinet/ip.h>
26 #ifdef HAVE_NET_ROUTE_H
27 #include <net/route.h>
28 #endif
29 
30 #include <ctype.h>
31 #include <netdb.h>
32 #include <pwd.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include <signal.h>
37 #include <unistd.h>
38 #include <limits.h>
39 #include <stdarg.h>
40 #include <errno.h>
41 #ifdef HAVE_UTIL_H
42 #include <util.h>
43 #endif
44 #ifdef USE_SYSTEM_GLOB
45 # include <glob.h>
46 #else
47 # include "openbsd-compat/glob.h"
48 #endif
49 
50 #include "openbsd-compat/sys-queue.h"
51 #include "xmalloc.h"
52 #include "ssh.h"
53 #include "log.h"
54 #include "sshbuf.h"
55 #include "misc.h"
56 #include "servconf.h"
57 #include "compat.h"
58 #include "pathnames.h"
59 #include "cipher.h"
60 #include "sshkey.h"
61 #include "kex.h"
62 #include "mac.h"
63 #include "match.h"
64 #include "channels.h"
65 #include "groupaccess.h"
66 #include "canohost.h"
67 #include "packet.h"
68 #include "ssherr.h"
69 #include "hostfile.h"
70 #include "auth.h"
71 #include "myproposal.h"
72 #include "digest.h"
73 
74 static void add_listen_addr(ServerOptions *, const char *,
75     const char *, int);
76 static void add_one_listen_addr(ServerOptions *, const char *,
77     const char *, int);
78 static void parse_server_config_depth(ServerOptions *options,
79     const char *filename, struct sshbuf *conf, struct include_list *includes,
80     struct connection_info *connectinfo, int flags, int *activep, int depth);
81 
82 /* Use of privilege separation or not */
83 extern int use_privsep;
84 extern struct sshbuf *cfg;
85 
86 /* Initializes the server options to their default values. */
87 
88 void
89 initialize_server_options(ServerOptions *options)
90 {
91 	memset(options, 0, sizeof(*options));
92 
93 	/* Portable-specific options */
94 	options->use_pam = -1;
95 
96 	/* Standard Options */
97 	options->num_ports = 0;
98 	options->ports_from_cmdline = 0;
99 	options->queued_listen_addrs = NULL;
100 	options->num_queued_listens = 0;
101 	options->listen_addrs = NULL;
102 	options->num_listen_addrs = 0;
103 	options->address_family = -1;
104 	options->routing_domain = NULL;
105 	options->num_host_key_files = 0;
106 	options->num_host_cert_files = 0;
107 	options->host_key_agent = NULL;
108 	options->pid_file = NULL;
109 	options->login_grace_time = -1;
110 	options->permit_root_login = PERMIT_NOT_SET;
111 	options->ignore_rhosts = -1;
112 	options->ignore_user_known_hosts = -1;
113 	options->print_motd = -1;
114 	options->print_lastlog = -1;
115 	options->x11_forwarding = -1;
116 	options->x11_display_offset = -1;
117 	options->x11_use_localhost = -1;
118 	options->permit_tty = -1;
119 	options->permit_user_rc = -1;
120 	options->xauth_location = NULL;
121 	options->strict_modes = -1;
122 	options->tcp_keep_alive = -1;
123 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
124 	options->log_level = SYSLOG_LEVEL_NOT_SET;
125 	options->num_log_verbose = 0;
126 	options->log_verbose = NULL;
127 	options->hostbased_authentication = -1;
128 	options->hostbased_uses_name_from_packet_only = -1;
129 	options->hostbased_accepted_algos = NULL;
130 	options->hostkeyalgorithms = NULL;
131 	options->pubkey_authentication = -1;
132 	options->pubkey_auth_options = -1;
133 	options->pubkey_accepted_algos = NULL;
134 	options->kerberos_authentication = -1;
135 	options->kerberos_or_local_passwd = -1;
136 	options->kerberos_ticket_cleanup = -1;
137 	options->kerberos_get_afs_token = -1;
138 	options->gss_authentication=-1;
139 	options->gss_cleanup_creds = -1;
140 	options->gss_strict_acceptor = -1;
141 	options->password_authentication = -1;
142 	options->kbd_interactive_authentication = -1;
143 	options->challenge_response_authentication = -1;
144 	options->permit_empty_passwd = -1;
145 	options->permit_user_env = -1;
146 	options->permit_user_env_allowlist = NULL;
147 	options->compression = -1;
148 	options->rekey_limit = -1;
149 	options->rekey_interval = -1;
150 	options->allow_tcp_forwarding = -1;
151 	options->allow_streamlocal_forwarding = -1;
152 	options->allow_agent_forwarding = -1;
153 	options->num_allow_users = 0;
154 	options->num_deny_users = 0;
155 	options->num_allow_groups = 0;
156 	options->num_deny_groups = 0;
157 	options->ciphers = NULL;
158 	options->macs = NULL;
159 	options->kex_algorithms = NULL;
160 	options->ca_sign_algorithms = NULL;
161 	options->fwd_opts.gateway_ports = -1;
162 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
163 	options->fwd_opts.streamlocal_bind_unlink = -1;
164 	options->num_subsystems = 0;
165 	options->max_startups_begin = -1;
166 	options->max_startups_rate = -1;
167 	options->max_startups = -1;
168 	options->per_source_max_startups = -1;
169 	options->per_source_masklen_ipv4 = -1;
170 	options->per_source_masklen_ipv6 = -1;
171 	options->max_authtries = -1;
172 	options->max_sessions = -1;
173 	options->banner = NULL;
174 	options->use_dns = -1;
175 	options->client_alive_interval = -1;
176 	options->client_alive_count_max = -1;
177 	options->num_authkeys_files = 0;
178 	options->num_accept_env = 0;
179 	options->num_setenv = 0;
180 	options->permit_tun = -1;
181 	options->permitted_opens = NULL;
182 	options->permitted_listens = NULL;
183 	options->adm_forced_command = NULL;
184 	options->chroot_directory = NULL;
185 	options->authorized_keys_command = NULL;
186 	options->authorized_keys_command_user = NULL;
187 	options->revoked_keys_file = NULL;
188 	options->sk_provider = NULL;
189 	options->trusted_user_ca_keys = NULL;
190 	options->authorized_principals_file = NULL;
191 	options->authorized_principals_command = NULL;
192 	options->authorized_principals_command_user = NULL;
193 	options->ip_qos_interactive = -1;
194 	options->ip_qos_bulk = -1;
195 	options->version_addendum = NULL;
196 	options->fingerprint_hash = -1;
197 	options->disable_forwarding = -1;
198 	options->expose_userauth_info = -1;
199 }
200 
201 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
202 static int
203 option_clear_or_none(const char *o)
204 {
205 	return o == NULL || strcasecmp(o, "none") == 0;
206 }
207 
208 static void
209 assemble_algorithms(ServerOptions *o)
210 {
211 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
212 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
213 	int r;
214 
215 	all_cipher = cipher_alg_list(',', 0);
216 	all_mac = mac_alg_list(',');
217 	all_kex = kex_alg_list(',');
218 	all_key = sshkey_alg_list(0, 0, 1, ',');
219 	all_sig = sshkey_alg_list(0, 1, 1, ',');
220 	/* remove unsupported algos from default lists */
221 	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
222 	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
223 	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
224 	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
225 	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
226 #define ASSEMBLE(what, defaults, all) \
227 	do { \
228 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
229 			fatal_fr(r, "%s", #what); \
230 	} while (0)
231 	ASSEMBLE(ciphers, def_cipher, all_cipher);
232 	ASSEMBLE(macs, def_mac, all_mac);
233 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
234 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
235 	ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
236 	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
237 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
238 #undef ASSEMBLE
239 	free(all_cipher);
240 	free(all_mac);
241 	free(all_kex);
242 	free(all_key);
243 	free(all_sig);
244 	free(def_cipher);
245 	free(def_mac);
246 	free(def_kex);
247 	free(def_key);
248 	free(def_sig);
249 }
250 
251 void
252 servconf_add_hostkey(const char *file, const int line,
253     ServerOptions *options, const char *path, int userprovided)
254 {
255 	char *apath = derelativise_path(path);
256 
257 	opt_array_append2(file, line, "HostKey",
258 	    &options->host_key_files, &options->host_key_file_userprovided,
259 	    &options->num_host_key_files, apath, userprovided);
260 	free(apath);
261 }
262 
263 void
264 servconf_add_hostcert(const char *file, const int line,
265     ServerOptions *options, const char *path)
266 {
267 	char *apath = derelativise_path(path);
268 
269 	opt_array_append(file, line, "HostCertificate",
270 	    &options->host_cert_files, &options->num_host_cert_files, apath);
271 	free(apath);
272 }
273 
274 void
275 fill_default_server_options(ServerOptions *options)
276 {
277 	u_int i;
278 
279 	/* Portable-specific options */
280 	if (options->use_pam == -1)
281 		options->use_pam = 0;
282 
283 	/* Standard Options */
284 	if (options->num_host_key_files == 0) {
285 		/* fill default hostkeys for protocols */
286 		servconf_add_hostkey("[default]", 0, options,
287 		    _PATH_HOST_RSA_KEY_FILE, 0);
288 #ifdef OPENSSL_HAS_ECC
289 		servconf_add_hostkey("[default]", 0, options,
290 		    _PATH_HOST_ECDSA_KEY_FILE, 0);
291 #endif
292 		servconf_add_hostkey("[default]", 0, options,
293 		    _PATH_HOST_ED25519_KEY_FILE, 0);
294 #ifdef WITH_XMSS
295 		servconf_add_hostkey("[default]", 0, options,
296 		    _PATH_HOST_XMSS_KEY_FILE, 0);
297 #endif /* WITH_XMSS */
298 	}
299 	/* No certificates by default */
300 	if (options->num_ports == 0)
301 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
302 	if (options->address_family == -1)
303 		options->address_family = AF_UNSPEC;
304 	if (options->listen_addrs == NULL)
305 		add_listen_addr(options, NULL, NULL, 0);
306 	if (options->pid_file == NULL)
307 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
308 	if (options->login_grace_time == -1)
309 		options->login_grace_time = 120;
310 	if (options->permit_root_login == PERMIT_NOT_SET)
311 		options->permit_root_login = PERMIT_NO_PASSWD;
312 	if (options->ignore_rhosts == -1)
313 		options->ignore_rhosts = 1;
314 	if (options->ignore_user_known_hosts == -1)
315 		options->ignore_user_known_hosts = 0;
316 	if (options->print_motd == -1)
317 		options->print_motd = 1;
318 	if (options->print_lastlog == -1)
319 		options->print_lastlog = 1;
320 	if (options->x11_forwarding == -1)
321 		options->x11_forwarding = 0;
322 	if (options->x11_display_offset == -1)
323 		options->x11_display_offset = 10;
324 	if (options->x11_use_localhost == -1)
325 		options->x11_use_localhost = 1;
326 	if (options->xauth_location == NULL)
327 		options->xauth_location = xstrdup(_PATH_XAUTH);
328 	if (options->permit_tty == -1)
329 		options->permit_tty = 1;
330 	if (options->permit_user_rc == -1)
331 		options->permit_user_rc = 1;
332 	if (options->strict_modes == -1)
333 		options->strict_modes = 1;
334 	if (options->tcp_keep_alive == -1)
335 		options->tcp_keep_alive = 1;
336 	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
337 		options->log_facility = SYSLOG_FACILITY_AUTH;
338 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
339 		options->log_level = SYSLOG_LEVEL_INFO;
340 	if (options->hostbased_authentication == -1)
341 		options->hostbased_authentication = 0;
342 	if (options->hostbased_uses_name_from_packet_only == -1)
343 		options->hostbased_uses_name_from_packet_only = 0;
344 	if (options->pubkey_authentication == -1)
345 		options->pubkey_authentication = 1;
346 	if (options->pubkey_auth_options == -1)
347 		options->pubkey_auth_options = 0;
348 	if (options->kerberos_authentication == -1)
349 		options->kerberos_authentication = 0;
350 	if (options->kerberos_or_local_passwd == -1)
351 		options->kerberos_or_local_passwd = 1;
352 	if (options->kerberos_ticket_cleanup == -1)
353 		options->kerberos_ticket_cleanup = 1;
354 	if (options->kerberos_get_afs_token == -1)
355 		options->kerberos_get_afs_token = 0;
356 	if (options->gss_authentication == -1)
357 		options->gss_authentication = 0;
358 	if (options->gss_cleanup_creds == -1)
359 		options->gss_cleanup_creds = 1;
360 	if (options->gss_strict_acceptor == -1)
361 		options->gss_strict_acceptor = 1;
362 	if (options->password_authentication == -1)
363 		options->password_authentication = 1;
364 	if (options->kbd_interactive_authentication == -1)
365 		options->kbd_interactive_authentication = 0;
366 	if (options->challenge_response_authentication == -1)
367 		options->challenge_response_authentication = 1;
368 	if (options->permit_empty_passwd == -1)
369 		options->permit_empty_passwd = 0;
370 	if (options->permit_user_env == -1) {
371 		options->permit_user_env = 0;
372 		options->permit_user_env_allowlist = NULL;
373 	}
374 	if (options->compression == -1)
375 #ifdef WITH_ZLIB
376 		options->compression = COMP_DELAYED;
377 #else
378 		options->compression = COMP_NONE;
379 #endif
380 
381 	if (options->rekey_limit == -1)
382 		options->rekey_limit = 0;
383 	if (options->rekey_interval == -1)
384 		options->rekey_interval = 0;
385 	if (options->allow_tcp_forwarding == -1)
386 		options->allow_tcp_forwarding = FORWARD_ALLOW;
387 	if (options->allow_streamlocal_forwarding == -1)
388 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
389 	if (options->allow_agent_forwarding == -1)
390 		options->allow_agent_forwarding = 1;
391 	if (options->fwd_opts.gateway_ports == -1)
392 		options->fwd_opts.gateway_ports = 0;
393 	if (options->max_startups == -1)
394 		options->max_startups = 100;
395 	if (options->max_startups_rate == -1)
396 		options->max_startups_rate = 30;		/* 30% */
397 	if (options->max_startups_begin == -1)
398 		options->max_startups_begin = 10;
399 	if (options->per_source_max_startups == -1)
400 		options->per_source_max_startups = INT_MAX;
401 	if (options->per_source_masklen_ipv4 == -1)
402 		options->per_source_masklen_ipv4 = 32;
403 	if (options->per_source_masklen_ipv6 == -1)
404 		options->per_source_masklen_ipv6 = 128;
405 	if (options->max_authtries == -1)
406 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
407 	if (options->max_sessions == -1)
408 		options->max_sessions = DEFAULT_SESSIONS_MAX;
409 	if (options->use_dns == -1)
410 		options->use_dns = 0;
411 	if (options->client_alive_interval == -1)
412 		options->client_alive_interval = 0;
413 	if (options->client_alive_count_max == -1)
414 		options->client_alive_count_max = 3;
415 	if (options->num_authkeys_files == 0) {
416 		opt_array_append("[default]", 0, "AuthorizedKeysFiles",
417 		    &options->authorized_keys_files,
418 		    &options->num_authkeys_files,
419 		    _PATH_SSH_USER_PERMITTED_KEYS);
420 		opt_array_append("[default]", 0, "AuthorizedKeysFiles",
421 		    &options->authorized_keys_files,
422 		    &options->num_authkeys_files,
423 		    _PATH_SSH_USER_PERMITTED_KEYS2);
424 	}
425 	if (options->permit_tun == -1)
426 		options->permit_tun = SSH_TUNMODE_NO;
427 	if (options->ip_qos_interactive == -1)
428 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
429 	if (options->ip_qos_bulk == -1)
430 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
431 	if (options->version_addendum == NULL)
432 		options->version_addendum = xstrdup("");
433 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
434 		options->fwd_opts.streamlocal_bind_mask = 0177;
435 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
436 		options->fwd_opts.streamlocal_bind_unlink = 0;
437 	if (options->fingerprint_hash == -1)
438 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
439 	if (options->disable_forwarding == -1)
440 		options->disable_forwarding = 0;
441 	if (options->expose_userauth_info == -1)
442 		options->expose_userauth_info = 0;
443 	if (options->sk_provider == NULL)
444 		options->sk_provider = xstrdup("internal");
445 
446 	assemble_algorithms(options);
447 
448 	/* Turn privilege separation and sandboxing on by default */
449 	if (use_privsep == -1)
450 		use_privsep = PRIVSEP_ON;
451 
452 #define CLEAR_ON_NONE(v) \
453 	do { \
454 		if (option_clear_or_none(v)) { \
455 			free(v); \
456 			v = NULL; \
457 		} \
458 	} while(0)
459 	CLEAR_ON_NONE(options->pid_file);
460 	CLEAR_ON_NONE(options->xauth_location);
461 	CLEAR_ON_NONE(options->banner);
462 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
463 	CLEAR_ON_NONE(options->revoked_keys_file);
464 	CLEAR_ON_NONE(options->sk_provider);
465 	CLEAR_ON_NONE(options->authorized_principals_file);
466 	CLEAR_ON_NONE(options->adm_forced_command);
467 	CLEAR_ON_NONE(options->chroot_directory);
468 	CLEAR_ON_NONE(options->routing_domain);
469 	CLEAR_ON_NONE(options->host_key_agent);
470 	for (i = 0; i < options->num_host_key_files; i++)
471 		CLEAR_ON_NONE(options->host_key_files[i]);
472 	for (i = 0; i < options->num_host_cert_files; i++)
473 		CLEAR_ON_NONE(options->host_cert_files[i]);
474 #undef CLEAR_ON_NONE
475 
476 	/* Similar handling for AuthenticationMethods=any */
477 	if (options->num_auth_methods == 1 &&
478 	    strcmp(options->auth_methods[0], "any") == 0) {
479 		free(options->auth_methods[0]);
480 		options->auth_methods[0] = NULL;
481 		options->num_auth_methods = 0;
482 	}
483 }
484 
485 /* Keyword tokens. */
486 typedef enum {
487 	sBadOption,		/* == unknown option */
488 	/* Portable-specific options */
489 	sUsePAM,
490 	/* Standard Options */
491 	sPort, sHostKeyFile, sLoginGraceTime,
492 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
493 	sRhostsRSAAuthentication, sRSAAuthentication,
494 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
495 	sKerberosGetAFSToken, sChallengeResponseAuthentication,
496 	sPasswordAuthentication, sKbdInteractiveAuthentication,
497 	sListenAddress, sAddressFamily,
498 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
499 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
500 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
501 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
502 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
503 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
504 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
505 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
506 	sBanner, sUseDNS, sHostbasedAuthentication,
507 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
508 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
509 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
510 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
511 	sAcceptEnv, sSetEnv, sPermitTunnel,
512 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
513 	sUsePrivilegeSeparation, sAllowAgentForwarding,
514 	sHostCertificate, sInclude,
515 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
516 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
517 	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
518 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
519 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
520 	sStreamLocalBindMask, sStreamLocalBindUnlink,
521 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
522 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
523 	sDeprecated, sIgnore, sUnsupported
524 } ServerOpCodes;
525 
526 #define SSHCFG_GLOBAL		0x01	/* allowed in main section of config */
527 #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
528 #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
529 #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
530 #define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
531 
532 /* Textual representation of the tokens. */
533 static struct {
534 	const char *name;
535 	ServerOpCodes opcode;
536 	u_int flags;
537 } keywords[] = {
538 	/* Portable-specific options */
539 #ifdef USE_PAM
540 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
541 #else
542 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
543 #endif
544 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
545 	/* Standard Options */
546 	{ "port", sPort, SSHCFG_GLOBAL },
547 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
548 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
549 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
550 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
551 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
552 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
553 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
554 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
555 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
556 	{ "loglevel", sLogLevel, SSHCFG_ALL },
557 	{ "logverbose", sLogVerbose, SSHCFG_ALL },
558 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
559 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
560 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
561 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
562 	{ "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
563 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
564 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
565 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
566 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
567 	{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
568 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
569 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
570 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
571 #ifdef KRB5
572 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
573 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
574 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
575 #ifdef USE_AFS
576 	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
577 #else
578 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
579 #endif
580 #else
581 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
582 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
583 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
584 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
585 #endif
586 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
587 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
588 #ifdef GSSAPI
589 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
590 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
591 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
592 #else
593 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
594 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
595 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
596 #endif
597 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
598 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
599 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
600 	{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
601 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
602 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
603 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
604 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
605 #ifdef DISABLE_LASTLOG
606 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
607 #else
608 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
609 #endif
610 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
611 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
612 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
613 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
614 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
615 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
616 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
617 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
618 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
619 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
620 	{ "compression", sCompression, SSHCFG_GLOBAL },
621 	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
622 	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
623 	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
624 	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
625 	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
626 	{ "allowusers", sAllowUsers, SSHCFG_ALL },
627 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
628 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
629 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
630 	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
631 	{ "macs", sMacs, SSHCFG_GLOBAL },
632 	{ "protocol", sIgnore, SSHCFG_GLOBAL },
633 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
634 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
635 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
636 	{ "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
637 	{ "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
638 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
639 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
640 	{ "banner", sBanner, SSHCFG_ALL },
641 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
642 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
643 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
644 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
645 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
646 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
647 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
648 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
649 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
650 	{ "setenv", sSetEnv, SSHCFG_ALL },
651 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
652 	{ "permittty", sPermitTTY, SSHCFG_ALL },
653 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
654 	{ "match", sMatch, SSHCFG_ALL },
655 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
656 	{ "permitlisten", sPermitListen, SSHCFG_ALL },
657 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
658 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
659 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
660 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
661 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
662 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
663 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
664 	{ "include", sInclude, SSHCFG_ALL },
665 	{ "ipqos", sIPQoS, SSHCFG_ALL },
666 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
667 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
668 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
669 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
670 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
671 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
672 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
673 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
674 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
675 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
676 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
677 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
678 	{ "rdomain", sRDomain, SSHCFG_ALL },
679 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
680 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
681 	{ NULL, sBadOption, 0 }
682 };
683 
684 static struct {
685 	int val;
686 	char *text;
687 } tunmode_desc[] = {
688 	{ SSH_TUNMODE_NO, "no" },
689 	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
690 	{ SSH_TUNMODE_ETHERNET, "ethernet" },
691 	{ SSH_TUNMODE_YES, "yes" },
692 	{ -1, NULL }
693 };
694 
695 /* Returns an opcode name from its number */
696 
697 static const char *
698 lookup_opcode_name(ServerOpCodes code)
699 {
700 	u_int i;
701 
702 	for (i = 0; keywords[i].name != NULL; i++)
703 		if (keywords[i].opcode == code)
704 			return(keywords[i].name);
705 	return "UNKNOWN";
706 }
707 
708 
709 /*
710  * Returns the number of the token pointed to by cp or sBadOption.
711  */
712 
713 static ServerOpCodes
714 parse_token(const char *cp, const char *filename,
715 	    int linenum, u_int *flags)
716 {
717 	u_int i;
718 
719 	for (i = 0; keywords[i].name; i++)
720 		if (strcasecmp(cp, keywords[i].name) == 0) {
721 			*flags = keywords[i].flags;
722 			return keywords[i].opcode;
723 		}
724 
725 	error("%s: line %d: Bad configuration option: %s",
726 	    filename, linenum, cp);
727 	return sBadOption;
728 }
729 
730 char *
731 derelativise_path(const char *path)
732 {
733 	char *expanded, *ret, cwd[PATH_MAX];
734 
735 	if (strcasecmp(path, "none") == 0)
736 		return xstrdup("none");
737 	expanded = tilde_expand_filename(path, getuid());
738 	if (path_absolute(expanded))
739 		return expanded;
740 	if (getcwd(cwd, sizeof(cwd)) == NULL)
741 		fatal_f("getcwd: %s", strerror(errno));
742 	xasprintf(&ret, "%s/%s", cwd, expanded);
743 	free(expanded);
744 	return ret;
745 }
746 
747 static void
748 add_listen_addr(ServerOptions *options, const char *addr,
749     const char *rdomain, int port)
750 {
751 	u_int i;
752 
753 	if (port > 0)
754 		add_one_listen_addr(options, addr, rdomain, port);
755 	else {
756 		for (i = 0; i < options->num_ports; i++) {
757 			add_one_listen_addr(options, addr, rdomain,
758 			    options->ports[i]);
759 		}
760 	}
761 }
762 
763 static void
764 add_one_listen_addr(ServerOptions *options, const char *addr,
765     const char *rdomain, int port)
766 {
767 	struct addrinfo hints, *ai, *aitop;
768 	char strport[NI_MAXSERV];
769 	int gaierr;
770 	u_int i;
771 
772 	/* Find listen_addrs entry for this rdomain */
773 	for (i = 0; i < options->num_listen_addrs; i++) {
774 		if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
775 			break;
776 		if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
777 			continue;
778 		if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
779 			break;
780 	}
781 	if (i >= options->num_listen_addrs) {
782 		/* No entry for this rdomain; allocate one */
783 		if (i >= INT_MAX)
784 			fatal_f("too many listen addresses");
785 		options->listen_addrs = xrecallocarray(options->listen_addrs,
786 		    options->num_listen_addrs, options->num_listen_addrs + 1,
787 		    sizeof(*options->listen_addrs));
788 		i = options->num_listen_addrs++;
789 		if (rdomain != NULL)
790 			options->listen_addrs[i].rdomain = xstrdup(rdomain);
791 	}
792 	/* options->listen_addrs[i] points to the addresses for this rdomain */
793 
794 	memset(&hints, 0, sizeof(hints));
795 	hints.ai_family = options->address_family;
796 	hints.ai_socktype = SOCK_STREAM;
797 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
798 	snprintf(strport, sizeof strport, "%d", port);
799 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
800 		fatal("bad addr or host: %s (%s)",
801 		    addr ? addr : "<NULL>",
802 		    ssh_gai_strerror(gaierr));
803 	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
804 		;
805 	ai->ai_next = options->listen_addrs[i].addrs;
806 	options->listen_addrs[i].addrs = aitop;
807 }
808 
809 /* Returns nonzero if the routing domain name is valid */
810 static int
811 valid_rdomain(const char *name)
812 {
813 #if defined(HAVE_SYS_VALID_RDOMAIN)
814 	return sys_valid_rdomain(name);
815 #elif defined(__OpenBSD__)
816 	const char *errstr;
817 	long long num;
818 	struct rt_tableinfo info;
819 	int mib[6];
820 	size_t miblen = sizeof(mib);
821 
822 	if (name == NULL)
823 		return 1;
824 
825 	num = strtonum(name, 0, 255, &errstr);
826 	if (errstr != NULL)
827 		return 0;
828 
829 	/* Check whether the table actually exists */
830 	memset(mib, 0, sizeof(mib));
831 	mib[0] = CTL_NET;
832 	mib[1] = PF_ROUTE;
833 	mib[4] = NET_RT_TABLE;
834 	mib[5] = (int)num;
835 	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
836 		return 0;
837 
838 	return 1;
839 #else /* defined(__OpenBSD__) */
840 	error("Routing domains are not supported on this platform");
841 	return 0;
842 #endif
843 }
844 
845 /*
846  * Queue a ListenAddress to be processed once we have all of the Ports
847  * and AddressFamily options.
848  */
849 static void
850 queue_listen_addr(ServerOptions *options, const char *addr,
851     const char *rdomain, int port)
852 {
853 	struct queued_listenaddr *qla;
854 
855 	options->queued_listen_addrs = xrecallocarray(
856 	    options->queued_listen_addrs,
857 	    options->num_queued_listens, options->num_queued_listens + 1,
858 	    sizeof(*options->queued_listen_addrs));
859 	qla = &options->queued_listen_addrs[options->num_queued_listens++];
860 	qla->addr = xstrdup(addr);
861 	qla->port = port;
862 	qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
863 }
864 
865 /*
866  * Process queued (text) ListenAddress entries.
867  */
868 static void
869 process_queued_listen_addrs(ServerOptions *options)
870 {
871 	u_int i;
872 	struct queued_listenaddr *qla;
873 
874 	if (options->num_ports == 0)
875 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
876 	if (options->address_family == -1)
877 		options->address_family = AF_UNSPEC;
878 
879 	for (i = 0; i < options->num_queued_listens; i++) {
880 		qla = &options->queued_listen_addrs[i];
881 		add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
882 		free(qla->addr);
883 		free(qla->rdomain);
884 	}
885 	free(options->queued_listen_addrs);
886 	options->queued_listen_addrs = NULL;
887 	options->num_queued_listens = 0;
888 }
889 
890 /*
891  * Inform channels layer of permitopen options for a single forwarding
892  * direction (local/remote).
893  */
894 static void
895 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
896     char **opens, u_int num_opens)
897 {
898 	u_int i;
899 	int port;
900 	char *host, *arg, *oarg, ch;
901 	int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
902 	const char *what = lookup_opcode_name(opcode);
903 
904 	channel_clear_permission(ssh, FORWARD_ADM, where);
905 	if (num_opens == 0)
906 		return; /* permit any */
907 
908 	/* handle keywords: "any" / "none" */
909 	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
910 		return;
911 	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
912 		channel_disable_admin(ssh, where);
913 		return;
914 	}
915 	/* Otherwise treat it as a list of permitted host:port */
916 	for (i = 0; i < num_opens; i++) {
917 		oarg = arg = xstrdup(opens[i]);
918 		ch = '\0';
919 		host = hpdelim2(&arg, &ch);
920 		if (host == NULL || ch == '/')
921 			fatal_f("missing host in %s", what);
922 		host = cleanhostname(host);
923 		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
924 			fatal_f("bad port number in %s", what);
925 		/* Send it to channels layer */
926 		channel_add_permission(ssh, FORWARD_ADM,
927 		    where, host, port);
928 		free(oarg);
929 	}
930 }
931 
932 /*
933  * Inform channels layer of permitopen options from configuration.
934  */
935 void
936 process_permitopen(struct ssh *ssh, ServerOptions *options)
937 {
938 	process_permitopen_list(ssh, sPermitOpen,
939 	    options->permitted_opens, options->num_permitted_opens);
940 	process_permitopen_list(ssh, sPermitListen,
941 	    options->permitted_listens,
942 	    options->num_permitted_listens);
943 }
944 
945 struct connection_info *
946 get_connection_info(struct ssh *ssh, int populate, int use_dns)
947 {
948 	static struct connection_info ci;
949 
950 	if (ssh == NULL || !populate)
951 		return &ci;
952 	ci.host = auth_get_canonical_hostname(ssh, use_dns);
953 	ci.address = ssh_remote_ipaddr(ssh);
954 	ci.laddress = ssh_local_ipaddr(ssh);
955 	ci.lport = ssh_local_port(ssh);
956 	ci.rdomain = ssh_packet_rdomain_in(ssh);
957 	return &ci;
958 }
959 
960 /*
961  * The strategy for the Match blocks is that the config file is parsed twice.
962  *
963  * The first time is at startup.  activep is initialized to 1 and the
964  * directives in the global context are processed and acted on.  Hitting a
965  * Match directive unsets activep and the directives inside the block are
966  * checked for syntax only.
967  *
968  * The second time is after a connection has been established but before
969  * authentication.  activep is initialized to 2 and global config directives
970  * are ignored since they have already been processed.  If the criteria in a
971  * Match block is met, activep is set and the subsequent directives
972  * processed and actioned until EOF or another Match block unsets it.  Any
973  * options set are copied into the main server config.
974  *
975  * Potential additions/improvements:
976  *  - Add Match support for pre-kex directives, eg. Ciphers.
977  *
978  *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
979  *	Match Address 192.168.0.*
980  *		Tag trusted
981  *	Match Group wheel
982  *		Tag trusted
983  *	Match Tag trusted
984  *		AllowTcpForwarding yes
985  *		GatewayPorts clientspecified
986  *		[...]
987  *
988  *  - Add a PermittedChannelRequests directive
989  *	Match Group shell
990  *		PermittedChannelRequests session,forwarded-tcpip
991  */
992 
993 static int
994 match_cfg_line_group(const char *grps, int line, const char *user)
995 {
996 	int result = 0;
997 	struct passwd *pw;
998 
999 	if (user == NULL)
1000 		goto out;
1001 
1002 	if ((pw = getpwnam(user)) == NULL) {
1003 		debug("Can't match group at line %d because user %.100s does "
1004 		    "not exist", line, user);
1005 	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1006 		debug("Can't Match group because user %.100s not in any group "
1007 		    "at line %d", user, line);
1008 	} else if (ga_match_pattern_list(grps) != 1) {
1009 		debug("user %.100s does not match group list %.100s at line %d",
1010 		    user, grps, line);
1011 	} else {
1012 		debug("user %.100s matched group list %.100s at line %d", user,
1013 		    grps, line);
1014 		result = 1;
1015 	}
1016 out:
1017 	ga_free();
1018 	return result;
1019 }
1020 
1021 static void
1022 match_test_missing_fatal(const char *criteria, const char *attrib)
1023 {
1024 	fatal("'Match %s' in configuration but '%s' not in connection "
1025 	    "test specification.", criteria, attrib);
1026 }
1027 
1028 /*
1029  * All of the attributes on a single Match line are ANDed together, so we need
1030  * to check every attribute and set the result to zero if any attribute does
1031  * not match.
1032  */
1033 static int
1034 match_cfg_line(char **condition, int line, struct connection_info *ci)
1035 {
1036 	int result = 1, attributes = 0, port;
1037 	char *arg, *attrib, *cp = *condition;
1038 
1039 	if (ci == NULL)
1040 		debug3("checking syntax for 'Match %s'", cp);
1041 	else
1042 		debug3("checking match for '%s' user %s host %s addr %s "
1043 		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1044 		    ci->host ? ci->host : "(null)",
1045 		    ci->address ? ci->address : "(null)",
1046 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
1047 
1048 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1049 		attributes++;
1050 		if (strcasecmp(attrib, "all") == 0) {
1051 			if (attributes != 1 ||
1052 			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
1053 				error("'all' cannot be combined with other "
1054 				    "Match attributes");
1055 				return -1;
1056 			}
1057 			*condition = cp;
1058 			return 1;
1059 		}
1060 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
1061 			error("Missing Match criteria for %s", attrib);
1062 			return -1;
1063 		}
1064 		if (strcasecmp(attrib, "user") == 0) {
1065 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1066 				result = 0;
1067 				continue;
1068 			}
1069 			if (ci->user == NULL)
1070 				match_test_missing_fatal("User", "user");
1071 			if (match_usergroup_pattern_list(ci->user, arg) != 1)
1072 				result = 0;
1073 			else
1074 				debug("user %.100s matched 'User %.100s' at "
1075 				    "line %d", ci->user, arg, line);
1076 		} else if (strcasecmp(attrib, "group") == 0) {
1077 			if (ci == NULL || (ci->test && ci->user == NULL)) {
1078 				result = 0;
1079 				continue;
1080 			}
1081 			if (ci->user == NULL)
1082 				match_test_missing_fatal("Group", "user");
1083 			switch (match_cfg_line_group(arg, line, ci->user)) {
1084 			case -1:
1085 				return -1;
1086 			case 0:
1087 				result = 0;
1088 			}
1089 		} else if (strcasecmp(attrib, "host") == 0) {
1090 			if (ci == NULL || (ci->test && ci->host == NULL)) {
1091 				result = 0;
1092 				continue;
1093 			}
1094 			if (ci->host == NULL)
1095 				match_test_missing_fatal("Host", "host");
1096 			if (match_hostname(ci->host, arg) != 1)
1097 				result = 0;
1098 			else
1099 				debug("connection from %.100s matched 'Host "
1100 				    "%.100s' at line %d", ci->host, arg, line);
1101 		} else if (strcasecmp(attrib, "address") == 0) {
1102 			if (ci == NULL || (ci->test && ci->address == NULL)) {
1103 				if (addr_match_list(NULL, arg) != 0)
1104 					fatal("Invalid Match address argument "
1105 					    "'%s' at line %d", arg, line);
1106 				result = 0;
1107 				continue;
1108 			}
1109 			if (ci->address == NULL)
1110 				match_test_missing_fatal("Address", "addr");
1111 			switch (addr_match_list(ci->address, arg)) {
1112 			case 1:
1113 				debug("connection from %.100s matched 'Address "
1114 				    "%.100s' at line %d", ci->address, arg, line);
1115 				break;
1116 			case 0:
1117 			case -1:
1118 				result = 0;
1119 				break;
1120 			case -2:
1121 				return -1;
1122 			}
1123 		} else if (strcasecmp(attrib, "localaddress") == 0){
1124 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1125 				if (addr_match_list(NULL, arg) != 0)
1126 					fatal("Invalid Match localaddress "
1127 					    "argument '%s' at line %d", arg,
1128 					    line);
1129 				result = 0;
1130 				continue;
1131 			}
1132 			if (ci->laddress == NULL)
1133 				match_test_missing_fatal("LocalAddress",
1134 				    "laddr");
1135 			switch (addr_match_list(ci->laddress, arg)) {
1136 			case 1:
1137 				debug("connection from %.100s matched "
1138 				    "'LocalAddress %.100s' at line %d",
1139 				    ci->laddress, arg, line);
1140 				break;
1141 			case 0:
1142 			case -1:
1143 				result = 0;
1144 				break;
1145 			case -2:
1146 				return -1;
1147 			}
1148 		} else if (strcasecmp(attrib, "localport") == 0) {
1149 			if ((port = a2port(arg)) == -1) {
1150 				error("Invalid LocalPort '%s' on Match line",
1151 				    arg);
1152 				return -1;
1153 			}
1154 			if (ci == NULL || (ci->test && ci->lport == -1)) {
1155 				result = 0;
1156 				continue;
1157 			}
1158 			if (ci->lport == 0)
1159 				match_test_missing_fatal("LocalPort", "lport");
1160 			/* TODO support port lists */
1161 			if (port == ci->lport)
1162 				debug("connection from %.100s matched "
1163 				    "'LocalPort %d' at line %d",
1164 				    ci->laddress, port, line);
1165 			else
1166 				result = 0;
1167 		} else if (strcasecmp(attrib, "rdomain") == 0) {
1168 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1169 				result = 0;
1170 				continue;
1171 			}
1172 			if (ci->rdomain == NULL)
1173 				match_test_missing_fatal("RDomain", "rdomain");
1174 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1175 				result = 0;
1176 			else
1177 				debug("user %.100s matched 'RDomain %.100s' at "
1178 				    "line %d", ci->rdomain, arg, line);
1179 		} else {
1180 			error("Unsupported Match attribute %s", attrib);
1181 			return -1;
1182 		}
1183 	}
1184 	if (attributes == 0) {
1185 		error("One or more attributes required for Match");
1186 		return -1;
1187 	}
1188 	if (ci != NULL)
1189 		debug3("match %sfound", result ? "" : "not ");
1190 	*condition = cp;
1191 	return result;
1192 }
1193 
1194 #define WHITESPACE " \t\r\n"
1195 
1196 /* Multistate option parsing */
1197 struct multistate {
1198 	char *key;
1199 	int value;
1200 };
1201 static const struct multistate multistate_flag[] = {
1202 	{ "yes",			1 },
1203 	{ "no",				0 },
1204 	{ NULL, -1 }
1205 };
1206 static const struct multistate multistate_ignore_rhosts[] = {
1207 	{ "yes",			IGNORE_RHOSTS_YES },
1208 	{ "no",				IGNORE_RHOSTS_NO },
1209 	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1210 	{ NULL, -1 }
1211 };
1212 static const struct multistate multistate_addressfamily[] = {
1213 	{ "inet",			AF_INET },
1214 	{ "inet6",			AF_INET6 },
1215 	{ "any",			AF_UNSPEC },
1216 	{ NULL, -1 }
1217 };
1218 static const struct multistate multistate_permitrootlogin[] = {
1219 	{ "without-password",		PERMIT_NO_PASSWD },
1220 	{ "prohibit-password",		PERMIT_NO_PASSWD },
1221 	{ "forced-commands-only",	PERMIT_FORCED_ONLY },
1222 	{ "yes",			PERMIT_YES },
1223 	{ "no",				PERMIT_NO },
1224 	{ NULL, -1 }
1225 };
1226 static const struct multistate multistate_compression[] = {
1227 #ifdef WITH_ZLIB
1228 	{ "yes",			COMP_DELAYED },
1229 	{ "delayed",			COMP_DELAYED },
1230 #endif
1231 	{ "no",				COMP_NONE },
1232 	{ NULL, -1 }
1233 };
1234 static const struct multistate multistate_gatewayports[] = {
1235 	{ "clientspecified",		2 },
1236 	{ "yes",			1 },
1237 	{ "no",				0 },
1238 	{ NULL, -1 }
1239 };
1240 static const struct multistate multistate_tcpfwd[] = {
1241 	{ "yes",			FORWARD_ALLOW },
1242 	{ "all",			FORWARD_ALLOW },
1243 	{ "no",				FORWARD_DENY },
1244 	{ "remote",			FORWARD_REMOTE },
1245 	{ "local",			FORWARD_LOCAL },
1246 	{ NULL, -1 }
1247 };
1248 
1249 static int
1250 process_server_config_line_depth(ServerOptions *options, char *line,
1251     const char *filename, int linenum, int *activep,
1252     struct connection_info *connectinfo, int *inc_flags, int depth,
1253     struct include_list *includes)
1254 {
1255 	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
1256 	int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1257 	SyslogFacility *log_facility_ptr;
1258 	LogLevel *log_level_ptr;
1259 	ServerOpCodes opcode;
1260 	u_int i, *uintptr, uvalue, flags = 0;
1261 	size_t len;
1262 	long long val64;
1263 	const struct multistate *multistate_ptr;
1264 	const char *errstr;
1265 	struct include_item *item;
1266 	glob_t gbuf;
1267 
1268 	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1269 	if ((len = strlen(line)) == 0)
1270 		return 0;
1271 	for (len--; len > 0; len--) {
1272 		if (strchr(WHITESPACE "\f", line[len]) == NULL)
1273 			break;
1274 		line[len] = '\0';
1275 	}
1276 
1277 	cp = line;
1278 	if ((arg = strdelim(&cp)) == NULL)
1279 		return 0;
1280 	/* Ignore leading whitespace */
1281 	if (*arg == '\0')
1282 		arg = strdelim(&cp);
1283 	if (!arg || !*arg || *arg == '#')
1284 		return 0;
1285 	intptr = NULL;
1286 	charptr = NULL;
1287 	opcode = parse_token(arg, filename, linenum, &flags);
1288 
1289 	if (activep == NULL) { /* We are processing a command line directive */
1290 		cmdline = 1;
1291 		activep = &cmdline;
1292 	}
1293 	if (*activep && opcode != sMatch && opcode != sInclude)
1294 		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1295 	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1296 		if (connectinfo == NULL) {
1297 			fatal("%s line %d: Directive '%s' is not allowed "
1298 			    "within a Match block", filename, linenum, arg);
1299 		} else { /* this is a directive we have already processed */
1300 			while (arg)
1301 				arg = strdelim(&cp);
1302 			return 0;
1303 		}
1304 	}
1305 
1306 	switch (opcode) {
1307 	/* Portable-specific options */
1308 	case sUsePAM:
1309 		intptr = &options->use_pam;
1310 		goto parse_flag;
1311 
1312 	/* Standard Options */
1313 	case sBadOption:
1314 		return -1;
1315 	case sPort:
1316 		/* ignore ports from configfile if cmdline specifies ports */
1317 		if (options->ports_from_cmdline)
1318 			return 0;
1319 		if (options->num_ports >= MAX_PORTS)
1320 			fatal("%s line %d: too many ports.",
1321 			    filename, linenum);
1322 		arg = strdelim(&cp);
1323 		if (!arg || *arg == '\0')
1324 			fatal("%s line %d: missing port number.",
1325 			    filename, linenum);
1326 		options->ports[options->num_ports++] = a2port(arg);
1327 		if (options->ports[options->num_ports-1] <= 0)
1328 			fatal("%s line %d: Badly formatted port number.",
1329 			    filename, linenum);
1330 		break;
1331 
1332 	case sLoginGraceTime:
1333 		intptr = &options->login_grace_time;
1334  parse_time:
1335 		arg = strdelim(&cp);
1336 		if (!arg || *arg == '\0')
1337 			fatal("%s line %d: missing time value.",
1338 			    filename, linenum);
1339 		if ((value = convtime(arg)) == -1)
1340 			fatal("%s line %d: invalid time value.",
1341 			    filename, linenum);
1342 		if (*activep && *intptr == -1)
1343 			*intptr = value;
1344 		break;
1345 
1346 	case sListenAddress:
1347 		arg = strdelim(&cp);
1348 		if (arg == NULL || *arg == '\0')
1349 			fatal("%s line %d: missing address",
1350 			    filename, linenum);
1351 		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
1352 		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1353 		    && strchr(p+1, ':') != NULL) {
1354 			port = 0;
1355 			p = arg;
1356 		} else {
1357 			arg2 = NULL;
1358 			ch = '\0';
1359 			p = hpdelim2(&arg, &ch);
1360 			if (p == NULL || ch == '/')
1361 				fatal("%s line %d: bad address:port usage",
1362 				    filename, linenum);
1363 			p = cleanhostname(p);
1364 			if (arg == NULL)
1365 				port = 0;
1366 			else if ((port = a2port(arg)) <= 0)
1367 				fatal("%s line %d: bad port number",
1368 				    filename, linenum);
1369 		}
1370 		/* Optional routing table */
1371 		arg2 = NULL;
1372 		if ((arg = strdelim(&cp)) != NULL) {
1373 			if (strcmp(arg, "rdomain") != 0 ||
1374 			    (arg2 = strdelim(&cp)) == NULL)
1375 				fatal("%s line %d: bad ListenAddress syntax",
1376 				    filename, linenum);
1377 			if (!valid_rdomain(arg2))
1378 				fatal("%s line %d: bad routing domain",
1379 				    filename, linenum);
1380 		}
1381 
1382 		queue_listen_addr(options, p, arg2, port);
1383 
1384 		break;
1385 
1386 	case sAddressFamily:
1387 		intptr = &options->address_family;
1388 		multistate_ptr = multistate_addressfamily;
1389  parse_multistate:
1390 		arg = strdelim(&cp);
1391 		if (!arg || *arg == '\0')
1392 			fatal("%s line %d: missing argument.",
1393 			    filename, linenum);
1394 		value = -1;
1395 		for (i = 0; multistate_ptr[i].key != NULL; i++) {
1396 			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1397 				value = multistate_ptr[i].value;
1398 				break;
1399 			}
1400 		}
1401 		if (value == -1)
1402 			fatal("%s line %d: unsupported option \"%s\".",
1403 			    filename, linenum, arg);
1404 		if (*activep && *intptr == -1)
1405 			*intptr = value;
1406 		break;
1407 
1408 	case sHostKeyFile:
1409 		arg = strdelim(&cp);
1410 		if (!arg || *arg == '\0')
1411 			fatal("%s line %d: missing file name.",
1412 			    filename, linenum);
1413 		if (*activep) {
1414 			servconf_add_hostkey(filename, linenum,
1415 			    options, arg, 1);
1416 		}
1417 		break;
1418 
1419 	case sHostKeyAgent:
1420 		charptr = &options->host_key_agent;
1421 		arg = strdelim(&cp);
1422 		if (!arg || *arg == '\0')
1423 			fatal("%s line %d: missing socket name.",
1424 			    filename, linenum);
1425 		if (*activep && *charptr == NULL)
1426 			*charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1427 			    xstrdup(arg) : derelativise_path(arg);
1428 		break;
1429 
1430 	case sHostCertificate:
1431 		arg = strdelim(&cp);
1432 		if (!arg || *arg == '\0')
1433 			fatal("%s line %d: missing file name.",
1434 			    filename, linenum);
1435 		if (*activep)
1436 			servconf_add_hostcert(filename, linenum, options, arg);
1437 		break;
1438 
1439 	case sPidFile:
1440 		charptr = &options->pid_file;
1441  parse_filename:
1442 		arg = strdelim(&cp);
1443 		if (!arg || *arg == '\0')
1444 			fatal("%s line %d: missing file name.",
1445 			    filename, linenum);
1446 		if (*activep && *charptr == NULL) {
1447 			*charptr = derelativise_path(arg);
1448 			/* increase optional counter */
1449 			if (intptr != NULL)
1450 				*intptr = *intptr + 1;
1451 		}
1452 		break;
1453 
1454 	case sPermitRootLogin:
1455 		intptr = &options->permit_root_login;
1456 		multistate_ptr = multistate_permitrootlogin;
1457 		goto parse_multistate;
1458 
1459 	case sIgnoreRhosts:
1460 		intptr = &options->ignore_rhosts;
1461 		multistate_ptr = multistate_ignore_rhosts;
1462 		goto parse_multistate;
1463 
1464 	case sIgnoreUserKnownHosts:
1465 		intptr = &options->ignore_user_known_hosts;
1466  parse_flag:
1467 		multistate_ptr = multistate_flag;
1468 		goto parse_multistate;
1469 
1470 	case sHostbasedAuthentication:
1471 		intptr = &options->hostbased_authentication;
1472 		goto parse_flag;
1473 
1474 	case sHostbasedUsesNameFromPacketOnly:
1475 		intptr = &options->hostbased_uses_name_from_packet_only;
1476 		goto parse_flag;
1477 
1478 	case sHostbasedAcceptedAlgorithms:
1479 		charptr = &options->hostbased_accepted_algos;
1480  parse_pubkey_algos:
1481 		arg = strdelim(&cp);
1482 		if (!arg || *arg == '\0')
1483 			fatal("%s line %d: Missing argument.",
1484 			    filename, linenum);
1485 		if (*arg != '-' &&
1486 		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1487 		    arg + 1 : arg, 1))
1488 			fatal("%s line %d: Bad key types '%s'.",
1489 			    filename, linenum, arg ? arg : "<NONE>");
1490 		if (*activep && *charptr == NULL)
1491 			*charptr = xstrdup(arg);
1492 		break;
1493 
1494 	case sHostKeyAlgorithms:
1495 		charptr = &options->hostkeyalgorithms;
1496 		goto parse_pubkey_algos;
1497 
1498 	case sCASignatureAlgorithms:
1499 		charptr = &options->ca_sign_algorithms;
1500 		goto parse_pubkey_algos;
1501 
1502 	case sPubkeyAuthentication:
1503 		intptr = &options->pubkey_authentication;
1504 		goto parse_flag;
1505 
1506 	case sPubkeyAcceptedAlgorithms:
1507 		charptr = &options->pubkey_accepted_algos;
1508 		goto parse_pubkey_algos;
1509 
1510 	case sPubkeyAuthOptions:
1511 		intptr = &options->pubkey_auth_options;
1512 		value = 0;
1513 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1514 			if (strcasecmp(arg, "none") == 0)
1515 				continue;
1516 			if (strcasecmp(arg, "touch-required") == 0)
1517 				value |= PUBKEYAUTH_TOUCH_REQUIRED;
1518 			else if (strcasecmp(arg, "verify-required") == 0)
1519 				value |= PUBKEYAUTH_VERIFY_REQUIRED;
1520 			else {
1521 				fatal("%s line %d: unsupported "
1522 				    "PubkeyAuthOptions option %s",
1523 				    filename, linenum, arg);
1524 			}
1525 		}
1526 		if (*activep && *intptr == -1)
1527 			*intptr = value;
1528 		break;
1529 
1530 	case sKerberosAuthentication:
1531 		intptr = &options->kerberos_authentication;
1532 		goto parse_flag;
1533 
1534 	case sKerberosOrLocalPasswd:
1535 		intptr = &options->kerberos_or_local_passwd;
1536 		goto parse_flag;
1537 
1538 	case sKerberosTicketCleanup:
1539 		intptr = &options->kerberos_ticket_cleanup;
1540 		goto parse_flag;
1541 
1542 	case sKerberosGetAFSToken:
1543 		intptr = &options->kerberos_get_afs_token;
1544 		goto parse_flag;
1545 
1546 	case sGssAuthentication:
1547 		intptr = &options->gss_authentication;
1548 		goto parse_flag;
1549 
1550 	case sGssCleanupCreds:
1551 		intptr = &options->gss_cleanup_creds;
1552 		goto parse_flag;
1553 
1554 	case sGssStrictAcceptor:
1555 		intptr = &options->gss_strict_acceptor;
1556 		goto parse_flag;
1557 
1558 	case sPasswordAuthentication:
1559 		intptr = &options->password_authentication;
1560 		goto parse_flag;
1561 
1562 	case sKbdInteractiveAuthentication:
1563 		intptr = &options->kbd_interactive_authentication;
1564 		goto parse_flag;
1565 
1566 	case sChallengeResponseAuthentication:
1567 		intptr = &options->challenge_response_authentication;
1568 		goto parse_flag;
1569 
1570 	case sPrintMotd:
1571 		intptr = &options->print_motd;
1572 		goto parse_flag;
1573 
1574 	case sPrintLastLog:
1575 		intptr = &options->print_lastlog;
1576 		goto parse_flag;
1577 
1578 	case sX11Forwarding:
1579 		intptr = &options->x11_forwarding;
1580 		goto parse_flag;
1581 
1582 	case sX11DisplayOffset:
1583 		intptr = &options->x11_display_offset;
1584  parse_int:
1585 		arg = strdelim(&cp);
1586 		if ((errstr = atoi_err(arg, &value)) != NULL)
1587 			fatal("%s line %d: integer value %s.",
1588 			    filename, linenum, errstr);
1589 		if (*activep && *intptr == -1)
1590 			*intptr = value;
1591 		break;
1592 
1593 	case sX11UseLocalhost:
1594 		intptr = &options->x11_use_localhost;
1595 		goto parse_flag;
1596 
1597 	case sXAuthLocation:
1598 		charptr = &options->xauth_location;
1599 		goto parse_filename;
1600 
1601 	case sPermitTTY:
1602 		intptr = &options->permit_tty;
1603 		goto parse_flag;
1604 
1605 	case sPermitUserRC:
1606 		intptr = &options->permit_user_rc;
1607 		goto parse_flag;
1608 
1609 	case sStrictModes:
1610 		intptr = &options->strict_modes;
1611 		goto parse_flag;
1612 
1613 	case sTCPKeepAlive:
1614 		intptr = &options->tcp_keep_alive;
1615 		goto parse_flag;
1616 
1617 	case sEmptyPasswd:
1618 		intptr = &options->permit_empty_passwd;
1619 		goto parse_flag;
1620 
1621 	case sPermitUserEnvironment:
1622 		intptr = &options->permit_user_env;
1623 		charptr = &options->permit_user_env_allowlist;
1624 		arg = strdelim(&cp);
1625 		if (!arg || *arg == '\0')
1626 			fatal("%s line %d: missing argument.",
1627 			    filename, linenum);
1628 		value = 0;
1629 		p = NULL;
1630 		if (strcmp(arg, "yes") == 0)
1631 			value = 1;
1632 		else if (strcmp(arg, "no") == 0)
1633 			value = 0;
1634 		else {
1635 			/* Pattern-list specified */
1636 			value = 1;
1637 			p = xstrdup(arg);
1638 		}
1639 		if (*activep && *intptr == -1) {
1640 			*intptr = value;
1641 			*charptr = p;
1642 			p = NULL;
1643 		}
1644 		free(p);
1645 		break;
1646 
1647 	case sCompression:
1648 		intptr = &options->compression;
1649 		multistate_ptr = multistate_compression;
1650 		goto parse_multistate;
1651 
1652 	case sRekeyLimit:
1653 		arg = strdelim(&cp);
1654 		if (!arg || *arg == '\0')
1655 			fatal("%.200s line %d: Missing argument.", filename,
1656 			    linenum);
1657 		if (strcmp(arg, "default") == 0) {
1658 			val64 = 0;
1659 		} else {
1660 			if (scan_scaled(arg, &val64) == -1)
1661 				fatal("%.200s line %d: Bad number '%s': %s",
1662 				    filename, linenum, arg, strerror(errno));
1663 			if (val64 != 0 && val64 < 16)
1664 				fatal("%.200s line %d: RekeyLimit too small",
1665 				    filename, linenum);
1666 		}
1667 		if (*activep && options->rekey_limit == -1)
1668 			options->rekey_limit = val64;
1669 		if (cp != NULL) { /* optional rekey interval present */
1670 			if (strcmp(cp, "none") == 0) {
1671 				(void)strdelim(&cp);	/* discard */
1672 				break;
1673 			}
1674 			intptr = &options->rekey_interval;
1675 			goto parse_time;
1676 		}
1677 		break;
1678 
1679 	case sGatewayPorts:
1680 		intptr = &options->fwd_opts.gateway_ports;
1681 		multistate_ptr = multistate_gatewayports;
1682 		goto parse_multistate;
1683 
1684 	case sUseDNS:
1685 		intptr = &options->use_dns;
1686 		goto parse_flag;
1687 
1688 	case sLogFacility:
1689 		log_facility_ptr = &options->log_facility;
1690 		arg = strdelim(&cp);
1691 		value = log_facility_number(arg);
1692 		if (value == SYSLOG_FACILITY_NOT_SET)
1693 			fatal("%.200s line %d: unsupported log facility '%s'",
1694 			    filename, linenum, arg ? arg : "<NONE>");
1695 		if (*log_facility_ptr == -1)
1696 			*log_facility_ptr = (SyslogFacility) value;
1697 		break;
1698 
1699 	case sLogLevel:
1700 		log_level_ptr = &options->log_level;
1701 		arg = strdelim(&cp);
1702 		value = log_level_number(arg);
1703 		if (value == SYSLOG_LEVEL_NOT_SET)
1704 			fatal("%.200s line %d: unsupported log level '%s'",
1705 			    filename, linenum, arg ? arg : "<NONE>");
1706 		if (*activep && *log_level_ptr == -1)
1707 			*log_level_ptr = (LogLevel) value;
1708 		break;
1709 
1710 	case sLogVerbose:
1711 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1712 			if (!*activep)
1713 				continue;
1714 			opt_array_append(filename, linenum, "oLogVerbose",
1715 			    &options->log_verbose, &options->num_log_verbose,
1716 			    arg);
1717 		}
1718 		break;
1719 
1720 	case sAllowTcpForwarding:
1721 		intptr = &options->allow_tcp_forwarding;
1722 		multistate_ptr = multistate_tcpfwd;
1723 		goto parse_multistate;
1724 
1725 	case sAllowStreamLocalForwarding:
1726 		intptr = &options->allow_streamlocal_forwarding;
1727 		multistate_ptr = multistate_tcpfwd;
1728 		goto parse_multistate;
1729 
1730 	case sAllowAgentForwarding:
1731 		intptr = &options->allow_agent_forwarding;
1732 		goto parse_flag;
1733 
1734 	case sDisableForwarding:
1735 		intptr = &options->disable_forwarding;
1736 		goto parse_flag;
1737 
1738 	case sAllowUsers:
1739 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1740 			if (match_user(NULL, NULL, NULL, arg) == -1)
1741 				fatal("%s line %d: invalid AllowUsers pattern: "
1742 				    "\"%.100s\"", filename, linenum, arg);
1743 			if (!*activep)
1744 				continue;
1745 			opt_array_append(filename, linenum, "AllowUsers",
1746 			    &options->allow_users, &options->num_allow_users,
1747 			    arg);
1748 		}
1749 		break;
1750 
1751 	case sDenyUsers:
1752 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1753 			if (match_user(NULL, NULL, NULL, arg) == -1)
1754 				fatal("%s line %d: invalid DenyUsers pattern: "
1755 				    "\"%.100s\"", filename, linenum, arg);
1756 			if (!*activep)
1757 				continue;
1758 			opt_array_append(filename, linenum, "DenyUsers",
1759 			    &options->deny_users, &options->num_deny_users,
1760 			    arg);
1761 		}
1762 		break;
1763 
1764 	case sAllowGroups:
1765 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1766 			if (!*activep)
1767 				continue;
1768 			opt_array_append(filename, linenum, "AllowGroups",
1769 			    &options->allow_groups, &options->num_allow_groups,
1770 			    arg);
1771 		}
1772 		break;
1773 
1774 	case sDenyGroups:
1775 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1776 			if (!*activep)
1777 				continue;
1778 			opt_array_append(filename, linenum, "DenyGroups",
1779 			    &options->deny_groups, &options->num_deny_groups,
1780 			    arg);
1781 		}
1782 		break;
1783 
1784 	case sCiphers:
1785 		arg = strdelim(&cp);
1786 		if (!arg || *arg == '\0')
1787 			fatal("%s line %d: Missing argument.", filename, linenum);
1788 		if (*arg != '-' &&
1789 		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1790 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1791 			    filename, linenum, arg ? arg : "<NONE>");
1792 		if (options->ciphers == NULL)
1793 			options->ciphers = xstrdup(arg);
1794 		break;
1795 
1796 	case sMacs:
1797 		arg = strdelim(&cp);
1798 		if (!arg || *arg == '\0')
1799 			fatal("%s line %d: Missing argument.", filename, linenum);
1800 		if (*arg != '-' &&
1801 		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1802 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1803 			    filename, linenum, arg ? arg : "<NONE>");
1804 		if (options->macs == NULL)
1805 			options->macs = xstrdup(arg);
1806 		break;
1807 
1808 	case sKexAlgorithms:
1809 		arg = strdelim(&cp);
1810 		if (!arg || *arg == '\0')
1811 			fatal("%s line %d: Missing argument.",
1812 			    filename, linenum);
1813 		if (*arg != '-' &&
1814 		    !kex_names_valid(*arg == '+' || *arg == '^' ?
1815 		    arg + 1 : arg))
1816 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1817 			    filename, linenum, arg ? arg : "<NONE>");
1818 		if (options->kex_algorithms == NULL)
1819 			options->kex_algorithms = xstrdup(arg);
1820 		break;
1821 
1822 	case sSubsystem:
1823 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1824 			fatal("%s line %d: too many subsystems defined.",
1825 			    filename, linenum);
1826 		}
1827 		arg = strdelim(&cp);
1828 		if (!arg || *arg == '\0')
1829 			fatal("%s line %d: Missing subsystem name.",
1830 			    filename, linenum);
1831 		if (!*activep) {
1832 			arg = strdelim(&cp);
1833 			break;
1834 		}
1835 		for (i = 0; i < options->num_subsystems; i++)
1836 			if (strcmp(arg, options->subsystem_name[i]) == 0)
1837 				fatal("%s line %d: Subsystem '%s' already defined.",
1838 				    filename, linenum, arg);
1839 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1840 		arg = strdelim(&cp);
1841 		if (!arg || *arg == '\0')
1842 			fatal("%s line %d: Missing subsystem command.",
1843 			    filename, linenum);
1844 		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1845 
1846 		/* Collect arguments (separate to executable) */
1847 		p = xstrdup(arg);
1848 		len = strlen(p) + 1;
1849 		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1850 			len += 1 + strlen(arg);
1851 			p = xreallocarray(p, 1, len);
1852 			strlcat(p, " ", len);
1853 			strlcat(p, arg, len);
1854 		}
1855 		options->subsystem_args[options->num_subsystems] = p;
1856 		options->num_subsystems++;
1857 		break;
1858 
1859 	case sMaxStartups:
1860 		arg = strdelim(&cp);
1861 		if (!arg || *arg == '\0')
1862 			fatal("%s line %d: Missing MaxStartups spec.",
1863 			    filename, linenum);
1864 		if ((n = sscanf(arg, "%d:%d:%d",
1865 		    &options->max_startups_begin,
1866 		    &options->max_startups_rate,
1867 		    &options->max_startups)) == 3) {
1868 			if (options->max_startups_begin >
1869 			    options->max_startups ||
1870 			    options->max_startups_rate > 100 ||
1871 			    options->max_startups_rate < 1)
1872 				fatal("%s line %d: Illegal MaxStartups spec.",
1873 				    filename, linenum);
1874 		} else if (n != 1)
1875 			fatal("%s line %d: Illegal MaxStartups spec.",
1876 			    filename, linenum);
1877 		else
1878 			options->max_startups = options->max_startups_begin;
1879 		break;
1880 
1881 	case sPerSourceNetBlockSize:
1882 		arg = strdelim(&cp);
1883 		if (!arg || *arg == '\0')
1884 			fatal("%s line %d: Missing PerSourceNetBlockSize spec.",
1885 			    filename, linenum);
1886 		switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
1887 		case 2:
1888 			if (value2 < 0 || value2 > 128)
1889 				n = -1;
1890 			/* FALLTHROUGH */
1891 		case 1:
1892 			if (value < 0 || value > 32)
1893 				n = -1;
1894 		}
1895 		if (n != 1 && n != 2)
1896 			fatal("%s line %d: Invalid PerSourceNetBlockSize"
1897 			    " spec.", filename, linenum);
1898 		if (*activep) {
1899 			options->per_source_masklen_ipv4 = value;
1900 			options->per_source_masklen_ipv6 = value2;
1901 		}
1902 		break;
1903 
1904 	case sPerSourceMaxStartups:
1905 		arg = strdelim(&cp);
1906 		if (!arg || *arg == '\0')
1907 			fatal("%s line %d: Missing PerSourceMaxStartups spec.",
1908 			    filename, linenum);
1909 		if (strcmp(arg, "none") == 0) { /* no limit */
1910 			value = INT_MAX;
1911 		} else {
1912 			if ((errstr = atoi_err(arg, &value)) != NULL)
1913 				fatal("%s line %d: integer value %s.",
1914 				    filename, linenum, errstr);
1915 		}
1916 		if (*activep)
1917 			options->per_source_max_startups = value;
1918 		break;
1919 
1920 	case sMaxAuthTries:
1921 		intptr = &options->max_authtries;
1922 		goto parse_int;
1923 
1924 	case sMaxSessions:
1925 		intptr = &options->max_sessions;
1926 		goto parse_int;
1927 
1928 	case sBanner:
1929 		charptr = &options->banner;
1930 		goto parse_filename;
1931 
1932 	/*
1933 	 * These options can contain %X options expanded at
1934 	 * connect time, so that you can specify paths like:
1935 	 *
1936 	 * AuthorizedKeysFile	/etc/ssh_keys/%u
1937 	 */
1938 	case sAuthorizedKeysFile:
1939 		if (*activep && options->num_authkeys_files == 0) {
1940 			while ((arg = strdelim(&cp)) && *arg != '\0') {
1941 				arg = tilde_expand_filename(arg, getuid());
1942 				opt_array_append(filename, linenum,
1943 				    "AuthorizedKeysFile",
1944 				    &options->authorized_keys_files,
1945 				    &options->num_authkeys_files, arg);
1946 				free(arg);
1947 			}
1948 		}
1949 		return 0;
1950 
1951 	case sAuthorizedPrincipalsFile:
1952 		charptr = &options->authorized_principals_file;
1953 		arg = strdelim(&cp);
1954 		if (!arg || *arg == '\0')
1955 			fatal("%s line %d: missing file name.",
1956 			    filename, linenum);
1957 		if (*activep && *charptr == NULL) {
1958 			*charptr = tilde_expand_filename(arg, getuid());
1959 			/* increase optional counter */
1960 			if (intptr != NULL)
1961 				*intptr = *intptr + 1;
1962 		}
1963 		break;
1964 
1965 	case sClientAliveInterval:
1966 		intptr = &options->client_alive_interval;
1967 		goto parse_time;
1968 
1969 	case sClientAliveCountMax:
1970 		intptr = &options->client_alive_count_max;
1971 		goto parse_int;
1972 
1973 	case sAcceptEnv:
1974 		while ((arg = strdelim(&cp)) && *arg != '\0') {
1975 			if (strchr(arg, '=') != NULL)
1976 				fatal("%s line %d: Invalid environment name.",
1977 				    filename, linenum);
1978 			if (!*activep)
1979 				continue;
1980 			opt_array_append(filename, linenum, "AcceptEnv",
1981 			    &options->accept_env, &options->num_accept_env,
1982 			    arg);
1983 		}
1984 		break;
1985 
1986 	case sSetEnv:
1987 		uvalue = options->num_setenv;
1988 		while ((arg = strdelimw(&cp)) && *arg != '\0') {
1989 			if (strchr(arg, '=') == NULL)
1990 				fatal("%s line %d: Invalid environment.",
1991 				    filename, linenum);
1992 			if (!*activep || uvalue != 0)
1993 				continue;
1994 			opt_array_append(filename, linenum, "SetEnv",
1995 			    &options->setenv, &options->num_setenv, arg);
1996 		}
1997 		break;
1998 
1999 	case sPermitTunnel:
2000 		intptr = &options->permit_tun;
2001 		arg = strdelim(&cp);
2002 		if (!arg || *arg == '\0')
2003 			fatal("%s line %d: Missing yes/point-to-point/"
2004 			    "ethernet/no argument.", filename, linenum);
2005 		value = -1;
2006 		for (i = 0; tunmode_desc[i].val != -1; i++)
2007 			if (strcmp(tunmode_desc[i].text, arg) == 0) {
2008 				value = tunmode_desc[i].val;
2009 				break;
2010 			}
2011 		if (value == -1)
2012 			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
2013 			    "no argument: %s", filename, linenum, arg);
2014 		if (*activep && *intptr == -1)
2015 			*intptr = value;
2016 		break;
2017 
2018 	case sInclude:
2019 		if (cmdline) {
2020 			fatal("Include directive not supported as a "
2021 			    "command-line option");
2022 		}
2023 		value = 0;
2024 		while ((arg2 = strdelim(&cp)) != NULL && *arg2 != '\0') {
2025 			value++;
2026 			found = 0;
2027 			if (*arg2 != '/' && *arg2 != '~') {
2028 				xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2029 			} else
2030 				arg = xstrdup(arg2);
2031 
2032 			/*
2033 			 * Don't let included files clobber the containing
2034 			 * file's Match state.
2035 			 */
2036 			oactive = *activep;
2037 
2038 			/* consult cache of include files */
2039 			TAILQ_FOREACH(item, includes, entry) {
2040 				if (strcmp(item->selector, arg) != 0)
2041 					continue;
2042 				if (item->filename != NULL) {
2043 					parse_server_config_depth(options,
2044 					    item->filename, item->contents,
2045 					    includes, connectinfo,
2046 					    (*inc_flags & SSHCFG_MATCH_ONLY
2047 					        ? SSHCFG_MATCH_ONLY : (oactive
2048 					            ? 0 : SSHCFG_NEVERMATCH)),
2049 					    activep, depth + 1);
2050 				}
2051 				found = 1;
2052 				*activep = oactive;
2053 			}
2054 			if (found != 0) {
2055 				free(arg);
2056 				continue;
2057 			}
2058 
2059 			/* requested glob was not in cache */
2060 			debug2("%s line %d: new include %s",
2061 			    filename, linenum, arg);
2062 			if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2063 				if (r != GLOB_NOMATCH) {
2064 					fatal("%s line %d: include \"%s\" "
2065 					    "glob failed", filename,
2066 					    linenum, arg);
2067 				}
2068 				/*
2069 				 * If no entry matched then record a
2070 				 * placeholder to skip later glob calls.
2071 				 */
2072 				debug2("%s line %d: no match for %s",
2073 				    filename, linenum, arg);
2074 				item = xcalloc(1, sizeof(*item));
2075 				item->selector = strdup(arg);
2076 				TAILQ_INSERT_TAIL(includes,
2077 				    item, entry);
2078 			}
2079 			if (gbuf.gl_pathc > INT_MAX)
2080 				fatal_f("too many glob results");
2081 			for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2082 				debug2("%s line %d: including %s",
2083 				    filename, linenum, gbuf.gl_pathv[n]);
2084 				item = xcalloc(1, sizeof(*item));
2085 				item->selector = strdup(arg);
2086 				item->filename = strdup(gbuf.gl_pathv[n]);
2087 				if ((item->contents = sshbuf_new()) == NULL)
2088 					fatal_f("sshbuf_new failed");
2089 				load_server_config(item->filename,
2090 				    item->contents);
2091 				parse_server_config_depth(options,
2092 				    item->filename, item->contents,
2093 				    includes, connectinfo,
2094 				    (*inc_flags & SSHCFG_MATCH_ONLY
2095 				        ? SSHCFG_MATCH_ONLY : (oactive
2096 				            ? 0 : SSHCFG_NEVERMATCH)),
2097 				    activep, depth + 1);
2098 				*activep = oactive;
2099 				TAILQ_INSERT_TAIL(includes, item, entry);
2100 			}
2101 			globfree(&gbuf);
2102 			free(arg);
2103 		}
2104 		if (value == 0) {
2105 			fatal("%s line %d: Include missing filename argument",
2106 			    filename, linenum);
2107 		}
2108 		break;
2109 
2110 	case sMatch:
2111 		if (cmdline)
2112 			fatal("Match directive not supported as a command-line "
2113 			   "option");
2114 		value = match_cfg_line(&cp, linenum,
2115 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2116 		if (value < 0)
2117 			fatal("%s line %d: Bad Match condition", filename,
2118 			    linenum);
2119 		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2120 		/* The MATCH_ONLY is applicable only until the first match block */
2121 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2122 		break;
2123 
2124 	case sPermitListen:
2125 	case sPermitOpen:
2126 		if (opcode == sPermitListen) {
2127 			uintptr = &options->num_permitted_listens;
2128 			chararrayptr = &options->permitted_listens;
2129 		} else {
2130 			uintptr = &options->num_permitted_opens;
2131 			chararrayptr = &options->permitted_opens;
2132 		}
2133 		arg = strdelim(&cp);
2134 		if (!arg || *arg == '\0')
2135 			fatal("%s line %d: missing %s specification",
2136 			    filename, linenum, lookup_opcode_name(opcode));
2137 		uvalue = *uintptr;	/* modified later */
2138 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2139 			if (*activep && uvalue == 0) {
2140 				*uintptr = 1;
2141 				*chararrayptr = xcalloc(1,
2142 				    sizeof(**chararrayptr));
2143 				(*chararrayptr)[0] = xstrdup(arg);
2144 			}
2145 			break;
2146 		}
2147 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
2148 			if (opcode == sPermitListen &&
2149 			    strchr(arg, ':') == NULL) {
2150 				/*
2151 				 * Allow bare port number for PermitListen
2152 				 * to indicate a wildcard listen host.
2153 				 */
2154 				xasprintf(&arg2, "*:%s", arg);
2155 			} else {
2156 				arg2 = xstrdup(arg);
2157 				ch = '\0';
2158 				p = hpdelim2(&arg, &ch);
2159 				if (p == NULL || ch == '/') {
2160 					fatal("%s line %d: missing host in %s",
2161 					    filename, linenum,
2162 					    lookup_opcode_name(opcode));
2163 				}
2164 				p = cleanhostname(p);
2165 			}
2166 			if (arg == NULL ||
2167 			    ((port = permitopen_port(arg)) < 0)) {
2168 				fatal("%s line %d: bad port number in %s",
2169 				    filename, linenum,
2170 				    lookup_opcode_name(opcode));
2171 			}
2172 			if (*activep && uvalue == 0) {
2173 				opt_array_append(filename, linenum,
2174 				    lookup_opcode_name(opcode),
2175 				    chararrayptr, uintptr, arg2);
2176 			}
2177 			free(arg2);
2178 		}
2179 		break;
2180 
2181 	case sForceCommand:
2182 		if (cp == NULL || *cp == '\0')
2183 			fatal("%.200s line %d: Missing argument.", filename,
2184 			    linenum);
2185 		len = strspn(cp, WHITESPACE);
2186 		if (*activep && options->adm_forced_command == NULL)
2187 			options->adm_forced_command = xstrdup(cp + len);
2188 		return 0;
2189 
2190 	case sChrootDirectory:
2191 		charptr = &options->chroot_directory;
2192 
2193 		arg = strdelim(&cp);
2194 		if (!arg || *arg == '\0')
2195 			fatal("%s line %d: missing file name.",
2196 			    filename, linenum);
2197 		if (*activep && *charptr == NULL)
2198 			*charptr = xstrdup(arg);
2199 		break;
2200 
2201 	case sTrustedUserCAKeys:
2202 		charptr = &options->trusted_user_ca_keys;
2203 		goto parse_filename;
2204 
2205 	case sRevokedKeys:
2206 		charptr = &options->revoked_keys_file;
2207 		goto parse_filename;
2208 
2209 	case sSecurityKeyProvider:
2210 		charptr = &options->sk_provider;
2211 		arg = strdelim(&cp);
2212 		if (!arg || *arg == '\0')
2213 			fatal("%s line %d: missing file name.",
2214 			    filename, linenum);
2215 		if (*activep && *charptr == NULL) {
2216 			*charptr = strcasecmp(arg, "internal") == 0 ?
2217 			    xstrdup(arg) : derelativise_path(arg);
2218 			/* increase optional counter */
2219 			if (intptr != NULL)
2220 				*intptr = *intptr + 1;
2221 		}
2222 		break;
2223 
2224 	case sIPQoS:
2225 		arg = strdelim(&cp);
2226 		if ((value = parse_ipqos(arg)) == -1)
2227 			fatal("%s line %d: Bad IPQoS value: %s",
2228 			    filename, linenum, arg);
2229 		arg = strdelim(&cp);
2230 		if (arg == NULL)
2231 			value2 = value;
2232 		else if ((value2 = parse_ipqos(arg)) == -1)
2233 			fatal("%s line %d: Bad IPQoS value: %s",
2234 			    filename, linenum, arg);
2235 		if (*activep) {
2236 			options->ip_qos_interactive = value;
2237 			options->ip_qos_bulk = value2;
2238 		}
2239 		break;
2240 
2241 	case sVersionAddendum:
2242 		if (cp == NULL || *cp == '\0')
2243 			fatal("%.200s line %d: Missing argument.", filename,
2244 			    linenum);
2245 		len = strspn(cp, WHITESPACE);
2246 		if (*activep && options->version_addendum == NULL) {
2247 			if (strcasecmp(cp + len, "none") == 0)
2248 				options->version_addendum = xstrdup("");
2249 			else if (strchr(cp + len, '\r') != NULL)
2250 				fatal("%.200s line %d: Invalid argument",
2251 				    filename, linenum);
2252 			else
2253 				options->version_addendum = xstrdup(cp + len);
2254 		}
2255 		return 0;
2256 
2257 	case sAuthorizedKeysCommand:
2258 		if (cp == NULL)
2259 			fatal("%.200s line %d: Missing argument.", filename,
2260 			    linenum);
2261 		len = strspn(cp, WHITESPACE);
2262 		if (*activep && options->authorized_keys_command == NULL) {
2263 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
2264 				fatal("%.200s line %d: AuthorizedKeysCommand "
2265 				    "must be an absolute path",
2266 				    filename, linenum);
2267 			options->authorized_keys_command = xstrdup(cp + len);
2268 		}
2269 		return 0;
2270 
2271 	case sAuthorizedKeysCommandUser:
2272 		charptr = &options->authorized_keys_command_user;
2273 
2274 		arg = strdelim(&cp);
2275 		if (!arg || *arg == '\0')
2276 			fatal("%s line %d: missing AuthorizedKeysCommandUser "
2277 			    "argument.", filename, linenum);
2278 		if (*activep && *charptr == NULL)
2279 			*charptr = xstrdup(arg);
2280 		break;
2281 
2282 	case sAuthorizedPrincipalsCommand:
2283 		if (cp == NULL)
2284 			fatal("%.200s line %d: Missing argument.", filename,
2285 			    linenum);
2286 		len = strspn(cp, WHITESPACE);
2287 		if (*activep &&
2288 		    options->authorized_principals_command == NULL) {
2289 			if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
2290 				fatal("%.200s line %d: "
2291 				    "AuthorizedPrincipalsCommand must be "
2292 				    "an absolute path", filename, linenum);
2293 			options->authorized_principals_command =
2294 			    xstrdup(cp + len);
2295 		}
2296 		return 0;
2297 
2298 	case sAuthorizedPrincipalsCommandUser:
2299 		charptr = &options->authorized_principals_command_user;
2300 
2301 		arg = strdelim(&cp);
2302 		if (!arg || *arg == '\0')
2303 			fatal("%s line %d: missing "
2304 			    "AuthorizedPrincipalsCommandUser argument.",
2305 			    filename, linenum);
2306 		if (*activep && *charptr == NULL)
2307 			*charptr = xstrdup(arg);
2308 		break;
2309 
2310 	case sAuthenticationMethods:
2311 		if (options->num_auth_methods == 0) {
2312 			value = 0; /* seen "any" pseudo-method */
2313 			value2 = 0; /* successfully parsed any method */
2314 			while ((arg = strdelim(&cp)) && *arg != '\0') {
2315 				if (strcmp(arg, "any") == 0) {
2316 					if (options->num_auth_methods > 0) {
2317 						fatal("%s line %d: \"any\" "
2318 						    "must appear alone in "
2319 						    "AuthenticationMethods",
2320 						    filename, linenum);
2321 					}
2322 					value = 1;
2323 				} else if (value) {
2324 					fatal("%s line %d: \"any\" must appear "
2325 					    "alone in AuthenticationMethods",
2326 					    filename, linenum);
2327 				} else if (auth2_methods_valid(arg, 0) != 0) {
2328 					fatal("%s line %d: invalid "
2329 					    "authentication method list.",
2330 					    filename, linenum);
2331 				}
2332 				value2 = 1;
2333 				if (!*activep)
2334 					continue;
2335 				opt_array_append(filename, linenum,
2336 				    "AuthenticationMethods",
2337 				    &options->auth_methods,
2338 				    &options->num_auth_methods, arg);
2339 			}
2340 			if (value2 == 0) {
2341 				fatal("%s line %d: no AuthenticationMethods "
2342 				    "specified", filename, linenum);
2343 			}
2344 		}
2345 		return 0;
2346 
2347 	case sStreamLocalBindMask:
2348 		arg = strdelim(&cp);
2349 		if (!arg || *arg == '\0')
2350 			fatal("%s line %d: missing StreamLocalBindMask "
2351 			    "argument.", filename, linenum);
2352 		/* Parse mode in octal format */
2353 		value = strtol(arg, &p, 8);
2354 		if (arg == p || value < 0 || value > 0777)
2355 			fatal("%s line %d: Bad mask.", filename, linenum);
2356 		if (*activep)
2357 			options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2358 		break;
2359 
2360 	case sStreamLocalBindUnlink:
2361 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
2362 		goto parse_flag;
2363 
2364 	case sFingerprintHash:
2365 		arg = strdelim(&cp);
2366 		if (!arg || *arg == '\0')
2367 			fatal("%.200s line %d: Missing argument.",
2368 			    filename, linenum);
2369 		if ((value = ssh_digest_alg_by_name(arg)) == -1)
2370 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
2371 			    filename, linenum, arg);
2372 		if (*activep)
2373 			options->fingerprint_hash = value;
2374 		break;
2375 
2376 	case sExposeAuthInfo:
2377 		intptr = &options->expose_userauth_info;
2378 		goto parse_flag;
2379 
2380 	case sRDomain:
2381 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2382 		fatal("%s line %d: setting RDomain not supported on this "
2383 		    "platform.", filename, linenum);
2384 #endif
2385 		charptr = &options->routing_domain;
2386 		arg = strdelim(&cp);
2387 		if (!arg || *arg == '\0')
2388 			fatal("%.200s line %d: Missing argument.",
2389 			    filename, linenum);
2390 		if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2391 		    !valid_rdomain(arg))
2392 			fatal("%s line %d: bad routing domain",
2393 			    filename, linenum);
2394 		if (*activep && *charptr == NULL)
2395 			*charptr = xstrdup(arg);
2396 		break;
2397 
2398 	case sDeprecated:
2399 	case sIgnore:
2400 	case sUnsupported:
2401 		do_log2(opcode == sIgnore ?
2402 		    SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2403 		    "%s line %d: %s option %s", filename, linenum,
2404 		    opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
2405 		while (arg)
2406 		    arg = strdelim(&cp);
2407 		break;
2408 
2409 	default:
2410 		fatal("%s line %d: Missing handler for opcode %s (%d)",
2411 		    filename, linenum, arg, opcode);
2412 	}
2413 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
2414 		fatal("%s line %d: garbage at end of line; \"%.200s\".",
2415 		    filename, linenum, arg);
2416 	return 0;
2417 }
2418 
2419 int
2420 process_server_config_line(ServerOptions *options, char *line,
2421     const char *filename, int linenum, int *activep,
2422     struct connection_info *connectinfo, struct include_list *includes)
2423 {
2424 	int inc_flags = 0;
2425 
2426 	return process_server_config_line_depth(options, line, filename,
2427 	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2428 }
2429 
2430 
2431 /* Reads the server configuration file. */
2432 
2433 void
2434 load_server_config(const char *filename, struct sshbuf *conf)
2435 {
2436 	struct stat st;
2437 	char *line = NULL, *cp;
2438 	size_t linesize = 0;
2439 	FILE *f;
2440 	int r, lineno = 0;
2441 
2442 	debug2_f("filename %s", filename);
2443 	if ((f = fopen(filename, "r")) == NULL) {
2444 		perror(filename);
2445 		exit(1);
2446 	}
2447 	sshbuf_reset(conf);
2448 	/* grow buffer, so realloc is avoided for large config files */
2449 	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2450             (r = sshbuf_allocate(conf, st.st_size)) != 0)
2451 		fatal_fr(r, "allocate");
2452 	while (getline(&line, &linesize, f) != -1) {
2453 		lineno++;
2454 		/*
2455 		 * Trim out comments and strip whitespace
2456 		 * NB - preserve newlines, they are needed to reproduce
2457 		 * line numbers later for error messages
2458 		 */
2459 		if ((cp = strchr(line, '#')) != NULL)
2460 			memcpy(cp, "\n", 2);
2461 		cp = line + strspn(line, " \t\r");
2462 		if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2463 			fatal_fr(r, "sshbuf_put");
2464 	}
2465 	free(line);
2466 	if ((r = sshbuf_put_u8(conf, 0)) != 0)
2467 		fatal_fr(r, "sshbuf_put_u8");
2468 	fclose(f);
2469 	debug2_f("done config len = %zu", sshbuf_len(conf));
2470 }
2471 
2472 void
2473 parse_server_match_config(ServerOptions *options,
2474    struct include_list *includes, struct connection_info *connectinfo)
2475 {
2476 	ServerOptions mo;
2477 
2478 	initialize_server_options(&mo);
2479 	parse_server_config(&mo, "reprocess config", cfg, includes,
2480 	    connectinfo);
2481 	copy_set_server_options(options, &mo, 0);
2482 }
2483 
2484 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2485 {
2486 	char *p;
2487 
2488 	while ((p = strsep(&spec, ",")) && *p != '\0') {
2489 		if (strncmp(p, "addr=", 5) == 0) {
2490 			ci->address = xstrdup(p + 5);
2491 		} else if (strncmp(p, "host=", 5) == 0) {
2492 			ci->host = xstrdup(p + 5);
2493 		} else if (strncmp(p, "user=", 5) == 0) {
2494 			ci->user = xstrdup(p + 5);
2495 		} else if (strncmp(p, "laddr=", 6) == 0) {
2496 			ci->laddress = xstrdup(p + 6);
2497 		} else if (strncmp(p, "rdomain=", 8) == 0) {
2498 			ci->rdomain = xstrdup(p + 8);
2499 		} else if (strncmp(p, "lport=", 6) == 0) {
2500 			ci->lport = a2port(p + 6);
2501 			if (ci->lport == -1) {
2502 				fprintf(stderr, "Invalid port '%s' in test mode"
2503 				   " specification %s\n", p+6, p);
2504 				return -1;
2505 			}
2506 		} else {
2507 			fprintf(stderr, "Invalid test mode specification %s\n",
2508 			   p);
2509 			return -1;
2510 		}
2511 	}
2512 	return 0;
2513 }
2514 
2515 /*
2516  * Copy any supported values that are set.
2517  *
2518  * If the preauth flag is set, we do not bother copying the string or
2519  * array values that are not used pre-authentication, because any that we
2520  * do use must be explicitly sent in mm_getpwnamallow().
2521  */
2522 void
2523 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2524 {
2525 #define M_CP_INTOPT(n) do {\
2526 	if (src->n != -1) \
2527 		dst->n = src->n; \
2528 } while (0)
2529 
2530 	M_CP_INTOPT(password_authentication);
2531 	M_CP_INTOPT(gss_authentication);
2532 	M_CP_INTOPT(pubkey_authentication);
2533 	M_CP_INTOPT(pubkey_auth_options);
2534 	M_CP_INTOPT(kerberos_authentication);
2535 	M_CP_INTOPT(hostbased_authentication);
2536 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2537 	M_CP_INTOPT(kbd_interactive_authentication);
2538 	M_CP_INTOPT(permit_root_login);
2539 	M_CP_INTOPT(permit_empty_passwd);
2540 	M_CP_INTOPT(ignore_rhosts);
2541 
2542 	M_CP_INTOPT(allow_tcp_forwarding);
2543 	M_CP_INTOPT(allow_streamlocal_forwarding);
2544 	M_CP_INTOPT(allow_agent_forwarding);
2545 	M_CP_INTOPT(disable_forwarding);
2546 	M_CP_INTOPT(expose_userauth_info);
2547 	M_CP_INTOPT(permit_tun);
2548 	M_CP_INTOPT(fwd_opts.gateway_ports);
2549 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2550 	M_CP_INTOPT(x11_display_offset);
2551 	M_CP_INTOPT(x11_forwarding);
2552 	M_CP_INTOPT(x11_use_localhost);
2553 	M_CP_INTOPT(permit_tty);
2554 	M_CP_INTOPT(permit_user_rc);
2555 	M_CP_INTOPT(max_sessions);
2556 	M_CP_INTOPT(max_authtries);
2557 	M_CP_INTOPT(client_alive_count_max);
2558 	M_CP_INTOPT(client_alive_interval);
2559 	M_CP_INTOPT(ip_qos_interactive);
2560 	M_CP_INTOPT(ip_qos_bulk);
2561 	M_CP_INTOPT(rekey_limit);
2562 	M_CP_INTOPT(rekey_interval);
2563 	M_CP_INTOPT(log_level);
2564 
2565 	/*
2566 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
2567 	 * M_CP_INTOPT - it does a signed comparison that causes compiler
2568 	 * warnings.
2569 	 */
2570 	if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2571 		dst->fwd_opts.streamlocal_bind_mask =
2572 		    src->fwd_opts.streamlocal_bind_mask;
2573 	}
2574 
2575 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2576 #define M_CP_STROPT(n) do {\
2577 	if (src->n != NULL && dst->n != src->n) { \
2578 		free(dst->n); \
2579 		dst->n = src->n; \
2580 	} \
2581 } while(0)
2582 #define M_CP_STRARRAYOPT(s, num_s) do {\
2583 	u_int i; \
2584 	if (src->num_s != 0) { \
2585 		for (i = 0; i < dst->num_s; i++) \
2586 			free(dst->s[i]); \
2587 		free(dst->s); \
2588 		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2589 		for (i = 0; i < src->num_s; i++) \
2590 			dst->s[i] = xstrdup(src->s[i]); \
2591 		dst->num_s = src->num_s; \
2592 	} \
2593 } while(0)
2594 
2595 	/* See comment in servconf.h */
2596 	COPY_MATCH_STRING_OPTS();
2597 
2598 	/* Arguments that accept '+...' need to be expanded */
2599 	assemble_algorithms(dst);
2600 
2601 	/*
2602 	 * The only things that should be below this point are string options
2603 	 * which are only used after authentication.
2604 	 */
2605 	if (preauth)
2606 		return;
2607 
2608 	/* These options may be "none" to clear a global setting */
2609 	M_CP_STROPT(adm_forced_command);
2610 	if (option_clear_or_none(dst->adm_forced_command)) {
2611 		free(dst->adm_forced_command);
2612 		dst->adm_forced_command = NULL;
2613 	}
2614 	M_CP_STROPT(chroot_directory);
2615 	if (option_clear_or_none(dst->chroot_directory)) {
2616 		free(dst->chroot_directory);
2617 		dst->chroot_directory = NULL;
2618 	}
2619 }
2620 
2621 #undef M_CP_INTOPT
2622 #undef M_CP_STROPT
2623 #undef M_CP_STRARRAYOPT
2624 
2625 #define SERVCONF_MAX_DEPTH	16
2626 static void
2627 parse_server_config_depth(ServerOptions *options, const char *filename,
2628     struct sshbuf *conf, struct include_list *includes,
2629     struct connection_info *connectinfo, int flags, int *activep, int depth)
2630 {
2631 	int linenum, bad_options = 0;
2632 	char *cp, *obuf, *cbuf;
2633 
2634 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2635 		fatal("Too many recursive configuration includes");
2636 
2637 	debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2638 	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2639 
2640 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2641 		fatal_f("sshbuf_dup_string failed");
2642 	linenum = 1;
2643 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2644 		if (process_server_config_line_depth(options, cp,
2645 		    filename, linenum++, activep, connectinfo, &flags,
2646 		    depth, includes) != 0)
2647 			bad_options++;
2648 	}
2649 	free(obuf);
2650 	if (bad_options > 0)
2651 		fatal("%s: terminating, %d bad configuration options",
2652 		    filename, bad_options);
2653 }
2654 
2655 void
2656 parse_server_config(ServerOptions *options, const char *filename,
2657     struct sshbuf *conf, struct include_list *includes,
2658     struct connection_info *connectinfo)
2659 {
2660 	int active = connectinfo ? 0 : 1;
2661 	parse_server_config_depth(options, filename, conf, includes,
2662 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2663 	process_queued_listen_addrs(options);
2664 }
2665 
2666 static const char *
2667 fmt_multistate_int(int val, const struct multistate *m)
2668 {
2669 	u_int i;
2670 
2671 	for (i = 0; m[i].key != NULL; i++) {
2672 		if (m[i].value == val)
2673 			return m[i].key;
2674 	}
2675 	return "UNKNOWN";
2676 }
2677 
2678 static const char *
2679 fmt_intarg(ServerOpCodes code, int val)
2680 {
2681 	if (val == -1)
2682 		return "unset";
2683 	switch (code) {
2684 	case sAddressFamily:
2685 		return fmt_multistate_int(val, multistate_addressfamily);
2686 	case sPermitRootLogin:
2687 		return fmt_multistate_int(val, multistate_permitrootlogin);
2688 	case sGatewayPorts:
2689 		return fmt_multistate_int(val, multistate_gatewayports);
2690 	case sCompression:
2691 		return fmt_multistate_int(val, multistate_compression);
2692 	case sAllowTcpForwarding:
2693 		return fmt_multistate_int(val, multistate_tcpfwd);
2694 	case sAllowStreamLocalForwarding:
2695 		return fmt_multistate_int(val, multistate_tcpfwd);
2696 	case sIgnoreRhosts:
2697 		return fmt_multistate_int(val, multistate_ignore_rhosts);
2698 	case sFingerprintHash:
2699 		return ssh_digest_alg_name(val);
2700 	default:
2701 		switch (val) {
2702 		case 0:
2703 			return "no";
2704 		case 1:
2705 			return "yes";
2706 		default:
2707 			return "UNKNOWN";
2708 		}
2709 	}
2710 }
2711 
2712 static void
2713 dump_cfg_int(ServerOpCodes code, int val)
2714 {
2715 	printf("%s %d\n", lookup_opcode_name(code), val);
2716 }
2717 
2718 static void
2719 dump_cfg_oct(ServerOpCodes code, int val)
2720 {
2721 	printf("%s 0%o\n", lookup_opcode_name(code), val);
2722 }
2723 
2724 static void
2725 dump_cfg_fmtint(ServerOpCodes code, int val)
2726 {
2727 	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2728 }
2729 
2730 static void
2731 dump_cfg_string(ServerOpCodes code, const char *val)
2732 {
2733 	printf("%s %s\n", lookup_opcode_name(code),
2734 	    val == NULL ? "none" : val);
2735 }
2736 
2737 static void
2738 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2739 {
2740 	u_int i;
2741 
2742 	for (i = 0; i < count; i++)
2743 		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2744 }
2745 
2746 static void
2747 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2748 {
2749 	u_int i;
2750 
2751 	if (count <= 0 && code != sAuthenticationMethods)
2752 		return;
2753 	printf("%s", lookup_opcode_name(code));
2754 	for (i = 0; i < count; i++)
2755 		printf(" %s",  vals[i]);
2756 	if (code == sAuthenticationMethods && count == 0)
2757 		printf(" any");
2758 	printf("\n");
2759 }
2760 
2761 static char *
2762 format_listen_addrs(struct listenaddr *la)
2763 {
2764 	int r;
2765 	struct addrinfo *ai;
2766 	char addr[NI_MAXHOST], port[NI_MAXSERV];
2767 	char *laddr1 = xstrdup(""), *laddr2 = NULL;
2768 
2769 	/*
2770 	 * ListenAddress must be after Port.  add_one_listen_addr pushes
2771 	 * addresses onto a stack, so to maintain ordering we need to
2772 	 * print these in reverse order.
2773 	 */
2774 	for (ai = la->addrs; ai; ai = ai->ai_next) {
2775 		if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2776 		    sizeof(addr), port, sizeof(port),
2777 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2778 			error("getnameinfo: %.100s", ssh_gai_strerror(r));
2779 			continue;
2780 		}
2781 		laddr2 = laddr1;
2782 		if (ai->ai_family == AF_INET6) {
2783 			xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2784 			    addr, port,
2785 			    la->rdomain == NULL ? "" : " rdomain ",
2786 			    la->rdomain == NULL ? "" : la->rdomain,
2787 			    laddr2);
2788 		} else {
2789 			xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2790 			    addr, port,
2791 			    la->rdomain == NULL ? "" : " rdomain ",
2792 			    la->rdomain == NULL ? "" : la->rdomain,
2793 			    laddr2);
2794 		}
2795 		free(laddr2);
2796 	}
2797 	return laddr1;
2798 }
2799 
2800 void
2801 dump_config(ServerOptions *o)
2802 {
2803 	char *s;
2804 	u_int i;
2805 
2806 	/* these are usually at the top of the config */
2807 	for (i = 0; i < o->num_ports; i++)
2808 		printf("port %d\n", o->ports[i]);
2809 	dump_cfg_fmtint(sAddressFamily, o->address_family);
2810 
2811 	for (i = 0; i < o->num_listen_addrs; i++) {
2812 		s = format_listen_addrs(&o->listen_addrs[i]);
2813 		printf("%s", s);
2814 		free(s);
2815 	}
2816 
2817 	/* integer arguments */
2818 #ifdef USE_PAM
2819 	dump_cfg_fmtint(sUsePAM, o->use_pam);
2820 #endif
2821 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2822 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2823 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
2824 	dump_cfg_int(sMaxSessions, o->max_sessions);
2825 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2826 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2827 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2828 
2829 	/* formatted integer arguments */
2830 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2831 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2832 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2833 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2834 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2835 	    o->hostbased_uses_name_from_packet_only);
2836 	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2837 #ifdef KRB5
2838 	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2839 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2840 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2841 # ifdef USE_AFS
2842 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2843 # endif
2844 #endif
2845 #ifdef GSSAPI
2846 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2847 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2848 #endif
2849 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2850 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
2851 	    o->kbd_interactive_authentication);
2852 	dump_cfg_fmtint(sChallengeResponseAuthentication,
2853 	    o->challenge_response_authentication);
2854 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
2855 #ifndef DISABLE_LASTLOG
2856 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2857 #endif
2858 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2859 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2860 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2861 	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2862 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
2863 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2864 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2865 	dump_cfg_fmtint(sCompression, o->compression);
2866 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2867 	dump_cfg_fmtint(sUseDNS, o->use_dns);
2868 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2869 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2870 	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2871 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2872 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2873 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2874 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2875 
2876 	/* string arguments */
2877