1 /*        $NetBSD: readconf.h,v 1.36 2025/04/09 15:49:32 christos Exp $         */
2 /* $OpenBSD: readconf.h,v 1.159 2025/02/15 01:48:30 djm Exp $ */
3 
4 /*
5  * Author: Tatu Ylonen <ylo@cs.hut.fi>
6  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7  *                    All rights reserved
8  * Functions for reading the configuration file.
9  *
10  * As far as I am concerned, the code I have written for this software
11  * can be used freely for any purpose.  Any derived versions of this
12  * software must be clearly marked as such, and if the derived work is
13  * incompatible with the protocol description in the RFC file, it must be
14  * called by a name other than "ssh" or "Secure Shell".
15  */
16 
17 #ifndef READCONF_H
18 #define READCONF_H
19 
20 /* Data structure for representing option data. */
21 
/*
 * Upper bound on known_hosts file entries: the system_hostfiles[] and
 * user_hostfiles[] arrays in Options are sized by this, so their num_*
 * counters must never exceed it.
 */
#define SSH_MAX_HOSTS_FILES	32
/*
 * Byte size of sockaddr_un.sun_path.  sizeof() is an unevaluated context,
 * so the null pointer is never dereferenced at run time; struct sockaddr_un
 * (<sys/un.h>) must nevertheless be visible wherever this macro expands.
 */
#define PATH_MAX_SUN		(sizeof((struct sockaddr_un *)0)->sun_path)
24 
/*
 * One permitted-CNAME rule used by hostname canonicalization; Options holds
 * num_permitted_cnames of these in permitted_cnames.  Both members are
 * owned strings.  NOTE(review): presumably source_list names the hosts a
 * rule applies to and target_list the canonical names they may resolve to,
 * each a comma-separated pattern list -- confirm against readconf.c before
 * relying on the exact matching semantics.
 */
struct allowed_cname {
	char *source_list;
	char *target_list;
};
29 
/*
 * Client-side configuration state: filled from the command line and the
 * configuration files (read_config_file()), then completed by
 * fill_default_options(); see free_options() for teardown of the owned
 * pointer members.  Most int members are booleans or small enumerations
 * whose value sets are the SSH_* / SSHCTL_* / REQUEST_TTY_* / SESSION_TYPE_*
 * constants defined further down in this header.
 *
 * Member order fixes the layout shared with every translation unit that
 * includes this header, so add new members rather than reordering.
 * NOTE(review): ssh_config(5) keyword names generally track the member
 * names (forward_agent <-> ForwardAgent, ...); readconf.c holds the exact
 * keyword table.
 */
typedef struct {
	char   *host_arg;	/* Host arg as specified on command line. */
	/*
	 * Authentication-agent forwarding.  NOTE(review): when enabled the
	 * remote side can request signatures with every key the local agent
	 * holds, so this should stay off unless explicitly configured.
	 */
	int     forward_agent;
	char   *forward_agent_sock_path; /* Optional path of the agent. */
	int     forward_x11;		/* Forward X11 display. */
	int     forward_x11_timeout;	/* Expiration for X11 cookies. */
	/*
	 * Trust forwarded X11 clients.  NOTE(review): presumably lifts the
	 * untrusted-client restrictions on the forwarded display, giving
	 * remote X clients full access to the local one -- confirm in
	 * clientloop.c/ssh.c.
	 */
	int     forward_x11_trusted;
	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
	char   *xauth_location;	/* Location for xauth program */
	struct ForwardOptions fwd_opts;	/* forwarding options (struct defined elsewhere) */
	int     pubkey_authentication;	/* Try ssh2 pubkey authentication;
					 * presumably an SSH_PUBKEY_AUTH_* mask. */
	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
	/*
	 * Build-conditional members: these exist only when KRB4/KRB5/AFS are
	 * defined, so any code touching them -- and anything that depends on
	 * sizeof(Options) -- must be compiled with the same definitions.
	 */
#if defined(KRB4) || defined(KRB5)
	int     kerberos_authentication;	/* Try Kerberos authentication. */
#endif
#if defined(AFS) || defined(KRB5)
	int     kerberos_tgt_passing;	/* Try Kerberos TGT passing. */
#endif
#ifdef AFS
	int     afs_token_passing;	/* Try AFS token passing. */
#endif
	int     gss_authentication;	/* Try GSS authentication */
	int     gss_deleg_creds;	/* Delegate GSS credentials to the server.
					 * NOTE(review): hands the server a usable
					 * credential; keep off by default. */
	int     password_authentication;	/* Try password authentication. */
	int     kbd_interactive_authentication;	/* Try keyboard-interactive auth. */
	char	*kbd_interactive_devices;	/* Keyboard-interactive auth devices. */
	int     batch_mode;	/* Batch mode: do not ask for passwords. */
	int     check_host_ip;	/* Also keep track of keys for IP address */
	/*
	 * Host key policy; one of SSH_STRICT_HOSTKEY_* below.  NOTE(review):
	 * anything other than YES/ASK relaxes host authentication -- check
	 * how readconf.c maps configuration values onto these constants.
	 */
	int     strict_host_key_checking;
	int     compression;		/* Compress packets in both directions. */
	int     tcp_keep_alive;		/* Set SO_KEEPALIVE. */
	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
	/*
	 * HPN buffer-management members.  NOTE(review): these (and the
	 * none_* members further down) look like local additions over the
	 * OpenBSD revision cited at the top of the file -- confirm when
	 * merging upstream changes.
	 */
	int     tcp_rcv_buf;		/* user switch to set tcp recv buffer */
	int	tcp_rcv_buf_poll;	/* Option to poll recv buf every window transfer */
	int	hpn_disabled;		/* Switch to disable HPN buffer management */
	int	hpn_buffer_size;	/* User definable size for HPN buffer window */

	SyslogFacility log_facility;	/* Facility for system logging. */
	LogLevel log_level;		/* Level for logging. */
	u_int	num_log_verbose;	/* Verbose log overrides */
	char   **log_verbose;		/* num_log_verbose entries */
	int     port;			/* Port to connect. */
	int     address_family;
	int     connection_attempts;	/* Max connection attempts before giving up */
	int     connection_timeout;	/* Max time (seconds) before
					 * aborting connection attempt */
	int     number_of_password_prompts;	/* Max number of password prompts. */
	char   *ciphers;		/* SSH2 ciphers in order of preference. */
	char   *macs;			/* SSH2 macs in order of preference. */
	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
	char   *kex_algorithms;		/* SSH2 kex methods in order of preference. */
	char   *ca_sign_algorithms;	/* Allowed CA signature algorithms */
	char   *hostname;		/* Real host to connect. */
	char   *tag;			/* Configuration tag name. */
	char   *host_key_alias;		/* hostname alias for .ssh/known_hosts */
	/*
	 * Proxy command for connecting the host.  NOTE(review): this is an
	 * executed command string; anything substituted into it is command
	 * injection surface -- confirm how it is expanded and run.
	 */
	char   *proxy_command;
	char   *user;			/* User to log in as. */
	int     escape_char;		/* Escape character; -2 = none */

	u_int	num_system_hostfiles;	/* Paths for /etc/ssh/ssh_known_hosts;
					 * must stay <= SSH_MAX_HOSTS_FILES */
	char   *system_hostfiles[SSH_MAX_HOSTS_FILES];
	u_int	num_user_hostfiles;	/* Path for $HOME/.ssh/known_hosts;
					 * must stay <= SSH_MAX_HOSTS_FILES */
	char   *user_hostfiles[SSH_MAX_HOSTS_FILES];
	char   *preferred_authentications;
	char   *bind_address;		/* local socket address for connection to sshd */
	char   *bind_interface;		/* local interface for bind address */
	int	ipv6_prefer_temporary;	/* Prefer temporary IPv6 address */
	/*
	 * Provider paths.  NOTE(review): a PKCS#11 or security-key provider
	 * is code loaded as a shared library into a key-handling process, so
	 * these paths are trusted configuration, not user data.
	 */
	char   *pkcs11_provider;	/* PKCS#11 provider */
	char   *sk_provider;		/* Security key provider */
	int	verify_host_key_dns;	/* Verify host key using DNS */

	/*
	 * Identity files and the keys loaded from them; the three arrays are
	 * parallel and num_identity_files must stay <= SSH_MAX_IDENTITY_FILES.
	 * NOTE(review): this count is int while the hostfile counts above are
	 * u_int -- mind the signedness when comparing against bounds.
	 */
	int     num_identity_files;	/* Number of files for identities. */
	char   *identity_files[SSH_MAX_IDENTITY_FILES];
	int    identity_file_userprovided[SSH_MAX_IDENTITY_FILES];	/* presumably: explicitly configured vs. default */
	struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES];

	/* Same layout as the identity arrays, for extra certificates. */
	int	num_certificate_files;	/* Number of extra certificates for ssh;
					 * must stay <= SSH_MAX_CERTIFICATE_FILES */
	char	*certificate_files[SSH_MAX_CERTIFICATE_FILES];
	int	certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
	struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];

	int	add_keys_to_agent;
	int	add_keys_to_agent_lifespan;	/* presumably seconds; 0/unset semantics in readconf.c */
	char   *identity_agent;		/* Optional path to ssh-agent socket */

	/* Local TCP/IP forward requests: num_local_forwards entries; grown
	 * through add_local_forward() (pointer, not a fixed array). */
	int     num_local_forwards;
	struct Forward *local_forwards;

	/* Remote TCP/IP forward requests: num_remote_forwards entries;
	 * grown through add_remote_forward(). */
	int     num_remote_forwards;
	struct Forward *remote_forwards;
	int	clear_forwardings;

	/* Restrict remote dynamic forwarding: num_permitted_remote_opens entries */
	char  **permitted_remote_opens;
	u_int	num_permitted_remote_opens;

	/* stdio forwarding (-W) host and port */
	char   *stdio_forward_host;
	int	stdio_forward_port;

	int	enable_ssh_keysign;	/* NOTE(review): presumably allows the
					 * privileged ssh-keysign helper for
					 * hostbased auth -- confirm. */
	int64_t rekey_limit;		/* 64-bit: a byte count, presumably */
	int	rekey_interval;
	/*
	 * "none" cipher controls.  NOTE(review): the SSH "none" cipher sends
	 * the session unencrypted; none_enabled gates whether it may be
	 * negotiated at all and none_switch whether this connection asks for
	 * it.  Both must default to off.
	 */
	int     none_switch;	/* Use none cipher */
	int     none_enabled;	/* Allow none to be used */
	int	no_host_authentication_for_localhost;	/* skip host key checks for localhost (per name) */
	int	identities_only;
	int	server_alive_interval;
	int	server_alive_count_max;

	u_int	num_send_env;		/* entries in send_env */
	char	**send_env;
	u_int	num_setenv;		/* entries in setenv */
	char	**setenv;

	char	*control_path;
	int	control_master;		/* one of SSHCTL_MASTER_* below */
	int     control_persist;	/* ControlPersist flag */
	int     control_persist_timeout;	/* ControlPersist timeout (seconds) */

	int	hash_known_hosts;	/* hash hostnames written to known_hosts */

	int	tun_open;	/* tun(4) */
	int     tun_local;	/* force tun device (optional) */
	int     tun_remote;	/* force tun device (optional) */

	/*
	 * Commands.  NOTE(review): local_command runs on the client; it is
	 * presumably only honoured when permit_local_command is set -- the
	 * check lives in the caller, not here.
	 */
	char	*local_command;
	int	permit_local_command;
	char	*remote_command;
	int	visual_host_key;

	int	request_tty;		/* one of REQUEST_TTY_* below */
	int	send_version_first;	/* presumably: send our banner before reading the server's */
	int	session_type;		/* one of SESSION_TYPE_* below */
	int	stdin_null;
	int	fork_after_authentication;

	int	proxy_use_fdpass;

	/* Hostname canonicalization; num_canonical_domains / num_permitted_cnames
	 * are int here, unlike the u_int counts elsewhere in this struct. */
	int	num_canonical_domains;
	char	**canonical_domains;
	int	canonicalize_hostname;	/* one of SSH_CANONICALISE_* below */
	int	canonicalize_max_dots;
	int	canonicalize_fallback_local;
	int	num_permitted_cnames;
	struct allowed_cname *permitted_cnames;

	char	*revoked_host_keys;	/* path to a revocation list for host keys (presumably a KRL or key list) */

	int	 fingerprint_hash;	/* hash algorithm used when displaying fingerprints */

	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */

	char   *hostbased_accepted_algos;
	char   *pubkey_accepted_algos;

	/* Jump host as parsed by parse_jump(); jump_extra is the unparsed remainder (presumably). */
	char   *jump_user;
	char   *jump_host;
	int	jump_port;
	char   *jump_extra;

	/*
	 * External command consulted for known_hosts data.  NOTE(review):
	 * its output feeds host authentication, so the command itself is a
	 * trust anchor.
	 */
	char   *known_hosts_command;

	int	required_rsa_size;	/* minimum size of RSA keys */
	int	enable_escape_commandline;	/* ~C commandline */
	int	obscure_keystroke_timing_interval;	/* milliseconds; see SSH_KEYSTROKE_* below */

	char	**channel_timeouts;	/* inactivity timeout by channel type */
	u_int	num_channel_timeouts;	/* entries in channel_timeouts */

	char	*version_addendum;	/* appended to the client version string (presumably) */

	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
}	Options;
211 
/*
 * Public-key authentication modes (presumably the value set of
 * Options.pubkey_authentication; see readconf.c).  A bit mask: UNBOUND and
 * HBOUND are independent bits and ALL is their union (0x01 | 0x02).
 */
#define SSH_PUBKEY_AUTH_NO	0x00
#define SSH_PUBKEY_AUTH_UNBOUND	0x01	/* plain (not host-bound) pubkey auth */
#define SSH_PUBKEY_AUTH_HBOUND	0x02	/* host-bound pubkey auth */
#define SSH_PUBKEY_AUTH_ALL	0x03	/* UNBOUND | HBOUND */

/*
 * Tri-state for Options.canonicalize_hostname.  The YES/ALWAYS distinction
 * is made by the caller; confirm its exact meaning in readconf.c / ssh.c.
 */
#define SSH_CANONICALISE_NO	0
#define SSH_CANONICALISE_YES	1
#define SSH_CANONICALISE_ALWAYS	2

/*
 * Options.control_master values.  AUTO_ASK presumably combines the AUTO
 * and ASK behaviours; these are distinct enumerators, not a bit mask.
 */
#define SSHCTL_MASTER_NO	0
#define SSHCTL_MASTER_YES	1
#define SSHCTL_MASTER_AUTO	2
#define SSHCTL_MASTER_ASK	3
#define SSHCTL_MASTER_AUTO_ASK	4

/* Options.request_tty values.  Note that AUTO, not NO, is 0. */
#define REQUEST_TTY_AUTO	0
#define REQUEST_TTY_NO		1
#define REQUEST_TTY_YES		2
#define REQUEST_TTY_FORCE	3

/* Options.session_type values.  Note that NONE, not DEFAULT, is 0. */
#define SESSION_TYPE_NONE	0
#define SESSION_TYPE_SUBSYSTEM	1
#define SESSION_TYPE_DEFAULT	2
235 
/*
 * Configuration-reading flags, presumably the trailing int "flags" argument
 * of read_config_file() / process_config_line() (the prototypes below do
 * not name it).  Distinct powers of two, so they may be OR-ed together.
 * NOTE(review): CHECKPERM is what rejects a group/world-writable user
 * config file; callers reading user-supplied paths should keep it set.
 */
#define SSHCONF_CHECKPERM	1  /* check permissions on config file */
#define SSHCONF_USERCONF	2  /* user provided config file not system */
#define SSHCONF_FINAL		4  /* Final pass over config, after canon. */
#define SSHCONF_NEVERMATCH	8  /* Match/Host never matches; internal only */
240 
/* Options.update_hostkeys values (referenced by its member comment). */
#define SSH_UPDATE_HOSTKEYS_NO		0
#define SSH_UPDATE_HOSTKEYS_YES		1
#define SSH_UPDATE_HOSTKEYS_ASK		2

/*
 * Options.strict_host_key_checking values.  NOTE(review): treat these as
 * an enumeration, not a strength scale -- the numeric order is not a
 * "stricter than" order, so compare for equality rather than with < / >.
 */
#define SSH_STRICT_HOSTKEY_OFF		0
#define SSH_STRICT_HOSTKEY_NEW		1
#define SSH_STRICT_HOSTKEY_YES		2
#define SSH_STRICT_HOSTKEY_ASK		3
249 
/*
 * ObscureKeystrokes parameters, all in milliseconds.  DEFAULT_INTERVAL_MS is
 * presumably the default for Options.obscure_keystroke_timing_interval; the
 * CHAFF_* values bound how long fake keystrokes continue after real input
 * (presumably a minimum plus a random span of CHAFF_RNG_MS -- confirm in
 * the client loop before tuning them).
 */
#define SSH_KEYSTROKE_DEFAULT_INTERVAL_MS	20
#define SSH_KEYSTROKE_CHAFF_MIN_MS		1024
#define SSH_KEYSTROKE_CHAFF_RNG_MS		2048
254 
/*
 * Default public-key (host key) algorithm list for key exchange.  The const
 * return suggests a static string; confirm before freeing.
 */
const char *kex_default_pk_alg(void);
/*
 * Hash identifying a connection by (thishost, host, portstr, user,
 * jump_host).  The non-const return suggests an allocated string owned by
 * the caller -- confirm in readconf.c.
 */
char	*ssh_connection_hash(const char *thishost, const char *host,
    const char *portstr, const char *user, const char *jump_host);
/* Reset every Options member to its "unset" value before parsing. */
void	 initialize_options(Options *);
/* Replace remaining "unset" members with defaults; returns an int status. */
int	 fill_default_options(Options *);
/* Defaults needed before hostname canonicalization runs. */
void	 fill_default_options_for_canonicalization(Options *);
/* Release the owned members of an Options. */
void	 free_options(Options *o);
/*
 * Parse a single configuration line.  Parameters are unnamed here; the
 * trailing (int, int *, int) are presumably line number, active-block
 * out-flag and SSHCONF_* flags -- see readconf.c for the definitive order.
 */
int	 process_config_line(Options *, struct passwd *, const char *,
    const char *, const char *, char *, const char *, int, int *, int);
/*
 * Read a whole configuration file.  The trailing int is presumably the
 * SSHCONF_* flag set (SSHCONF_CHECKPERM for user-writable paths) and the
 * int * an out-parameter related to SSHCONF_FINAL -- confirm in readconf.c.
 */
int	 read_config_file(const char *, struct passwd *, const char *,
    const char *, const char *, Options *, int, int *);
/* Parse a -L/-R/-D style forwarding spec into *fwd; returns int status. */
int	 parse_forward(struct Forward *, const char *, int, int);
/* Parse a jump-host spec into the jump_* members of Options. */
int	 parse_jump(const char *, Options *, int);
/* Split an ssh:// URI into user/host/port out-parameters (presumably that order). */
int	 parse_ssh_uri(const char *, char **, char **, int *);
/* Port used when none is configured. */
int	 default_ssh_port(void);
/* Non-zero if the string means "clear"/"none" for list-valued options. */
int	 option_clear_or_none(const char *);
/* Non-zero if any permitted-CNAME rules are configured. */
int	 config_has_permitted_cnames(Options *);
/* Print the effective configuration (ssh -G style). */
void	 dump_client_config(Options *o, const char *host);

/* Append to the dynamically sized forward / identity / certificate lists.
 * NOTE(review): the identity and certificate arrays are fixed-size, so the
 * add_*_file() helpers must enforce SSH_MAX_IDENTITY_FILES /
 * SSH_MAX_CERTIFICATE_FILES. */
void	 add_local_forward(Options *, const struct Forward *);
void	 add_remote_forward(Options *, const struct Forward *);
void	 add_identity_file(Options *, const char *, const char *, int);
void	 add_certificate_file(Options *, const char *, int);
278 
279 #endif                                  /* READCONF_H */
280