summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c174
1 files changed, 57 insertions, 117 deletions
diff --git a/servconf.c b/servconf.c
index 873b0d02a08ca..795ddbab7b8d7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -86,9 +86,7 @@ initialize_server_options(ServerOptions *options)
options->num_host_cert_files = 0;
options->host_key_agent = NULL;
options->pid_file = NULL;
- options->server_key_bits = -1;
options->login_grace_time = -1;
- options->key_regeneration_time = -1;
options->permit_root_login = PERMIT_NOT_SET;
options->ignore_rhosts = -1;
options->ignore_user_known_hosts = -1;
@@ -104,12 +102,10 @@ initialize_server_options(ServerOptions *options)
options->tcp_keep_alive = -1;
options->log_facility = SYSLOG_FACILITY_NOT_SET;
options->log_level = SYSLOG_LEVEL_NOT_SET;
- options->rhosts_rsa_authentication = -1;
options->hostbased_authentication = -1;
options->hostbased_uses_name_from_packet_only = -1;
options->hostbased_key_types = NULL;
options->hostkeyalgorithms = NULL;
- options->rsa_authentication = -1;
options->pubkey_authentication = -1;
options->pubkey_key_types = NULL;
options->kerberos_authentication = -1;
@@ -124,7 +120,6 @@ initialize_server_options(ServerOptions *options)
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
- options->use_login = -1;
options->compression = -1;
options->rekey_limit = -1;
options->rekey_interval = -1;
@@ -138,7 +133,6 @@ initialize_server_options(ServerOptions *options)
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
- options->protocol = SSH_PROTO_UNKNOWN;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -169,6 +163,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
options->fingerprint_hash = -1;
+ options->disable_forwarding = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -202,25 +197,18 @@ fill_default_server_options(ServerOptions *options)
options->use_pam = 0;
/* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_2;
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
- if (options->protocol & SSH_PROTO_1)
- options->host_key_files[options->num_host_key_files++] =
- _PATH_HOST_KEY_FILE;
- if (options->protocol & SSH_PROTO_2) {
- options->host_key_files[options->num_host_key_files++] =
- _PATH_HOST_RSA_KEY_FILE;
- options->host_key_files[options->num_host_key_files++] =
- _PATH_HOST_DSA_KEY_FILE;
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_RSA_KEY_FILE;
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_DSA_KEY_FILE;
#ifdef OPENSSL_HAS_ECC
- options->host_key_files[options->num_host_key_files++] =
- _PATH_HOST_ECDSA_KEY_FILE;
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_ECDSA_KEY_FILE;
#endif
- options->host_key_files[options->num_host_key_files++] =
- _PATH_HOST_ED25519_KEY_FILE;
- }
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_ED25519_KEY_FILE;
}
/* No certificates by default */
if (options->num_ports == 0)
@@ -231,12 +219,8 @@ fill_default_server_options(ServerOptions *options)
add_listen_addr(options, NULL, 0);
if (options->pid_file == NULL)
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
- if (options->server_key_bits == -1)
- options->server_key_bits = 1024;
if (options->login_grace_time == -1)
options->login_grace_time = 120;
- if (options->key_regeneration_time == -1)
- options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
options->permit_root_login = PERMIT_NO_PASSWD;
if (options->ignore_rhosts == -1)
@@ -267,14 +251,10 @@ fill_default_server_options(ServerOptions *options)
options->log_facility = SYSLOG_FACILITY_AUTH;
if (options->log_level == SYSLOG_LEVEL_NOT_SET)
options->log_level = SYSLOG_LEVEL_INFO;
- if (options->rhosts_rsa_authentication == -1)
- options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
if (options->hostbased_uses_name_from_packet_only == -1)
options->hostbased_uses_name_from_packet_only = 0;
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->kerberos_authentication == -1)
@@ -301,8 +281,6 @@ fill_default_server_options(ServerOptions *options)
options->permit_empty_passwd = 0;
if (options->permit_user_env == -1)
options->permit_user_env = 0;
- if (options->use_login == -1)
- options->use_login = 0;
if (options->compression == -1)
options->compression = COMP_DELAYED;
if (options->rekey_limit == -1)
@@ -353,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->disable_forwarding == -1)
+ options->disable_forwarding = 0;
assemble_algorithms(options);
@@ -406,8 +386,8 @@ typedef enum {
/* Portable-specific options */
sUsePAM,
/* Standard Options */
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
- sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
+ sPort, sHostKeyFile, sLoginGraceTime,
+ sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosGetAFSToken,
@@ -417,9 +397,9 @@ typedef enum {
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
- sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
+ sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
+ sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
sBanner, sUseDNS, sHostbasedAuthentication,
@@ -437,8 +417,8 @@ typedef enum {
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
- sAllowStreamLocalForwarding, sFingerprintHash,
- sDeprecated, sUnsupported
+ sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
@@ -464,19 +444,19 @@ static struct {
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
- { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
+ { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
- { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
+ { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
- { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+ { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
- { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+ { "rsaauthentication", sDeprecated, SSHCFG_ALL },
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
@@ -528,7 +508,7 @@ static struct {
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
- { "uselogin", sUseLogin, SSHCFG_GLOBAL },
+ { "uselogin", sDeprecated, SSHCFG_GLOBAL },
{ "compression", sCompression, SSHCFG_GLOBAL },
{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
@@ -541,7 +521,7 @@ static struct {
{ "denygroups", sDenyGroups, SSHCFG_ALL },
{ "ciphers", sCiphers, SSHCFG_GLOBAL },
{ "macs", sMacs, SSHCFG_GLOBAL },
- { "protocol", sProtocol, SSHCFG_GLOBAL },
+ { "protocol", sIgnore, SSHCFG_GLOBAL },
{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
@@ -551,8 +531,8 @@ static struct {
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
- { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
- { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
+ { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
+ { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
@@ -580,6 +560,7 @@ static struct {
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -742,7 +723,7 @@ get_connection_info(int populate, int use_dns)
* options set are copied into the main server config.
*
* Potential additions/improvements:
- * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
+ * - Add Match support for pre-kex directives, eg. Ciphers.
*
* - Add a Tag directive (idea from David Leonard) ala pf, eg:
* Match Address 192.168.0.*
@@ -943,8 +924,8 @@ static const struct multistate multistate_permitrootlogin[] = {
{ NULL, -1 }
};
static const struct multistate multistate_compression[] = {
+ { "yes", COMP_DELAYED },
{ "delayed", COMP_DELAYED },
- { "yes", COMP_ZLIB },
{ "no", COMP_NONE },
{ NULL, -1 }
};
@@ -1040,18 +1021,6 @@ process_server_config_line(ServerOptions *options, char *line,
filename, linenum);
break;
- case sServerKeyBits:
- intptr = &options->server_key_bits;
- parse_int:
- arg = strdelim(&cp);
- if (!arg || *arg == '\0')
- fatal("%s line %d: missing integer value.",
- filename, linenum);
- value = atoi(arg);
- if (*activep && *intptr == -1)
- *intptr = value;
- break;
-
case sLoginGraceTime:
intptr = &options->login_grace_time;
parse_time:
@@ -1066,10 +1035,6 @@ process_server_config_line(ServerOptions *options, char *line,
*intptr = value;
break;
- case sKeyRegenerationTime:
- intptr = &options->key_regeneration_time;
- goto parse_time;
-
case sListenAddress:
arg = strdelim(&cp);
if (arg == NULL || *arg == '\0')
@@ -1155,7 +1120,6 @@ process_server_config_line(ServerOptions *options, char *line,
MAX_HOSTCERTS);
charptr = &options->host_cert_files[*intptr];
goto parse_filename;
- break;
case sPidFile:
charptr = &options->pid_file;
@@ -1189,10 +1153,6 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
- case sRhostsRSAAuthentication:
- intptr = &options->rhosts_rsa_authentication;
- goto parse_flag;
-
case sHostbasedAuthentication:
intptr = &options->hostbased_authentication;
goto parse_flag;
@@ -1219,10 +1179,6 @@ process_server_config_line(ServerOptions *options, char *line,
charptr = &options->hostkeyalgorithms;
goto parse_keytypes;
- case sRSAAuthentication:
- intptr = &options->rsa_authentication;
- goto parse_flag;
-
case sPubkeyAuthentication:
intptr = &options->pubkey_authentication;
goto parse_flag;
@@ -1285,7 +1241,15 @@ process_server_config_line(ServerOptions *options, char *line,
case sX11DisplayOffset:
intptr = &options->x11_display_offset;
- goto parse_int;
+ parse_int:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing integer value.",
+ filename, linenum);
+ value = atoi(arg);
+ if (*activep && *intptr == -1)
+ *intptr = value;
+ break;
case sX11UseLocalhost:
intptr = &options->x11_use_localhost;
@@ -1319,10 +1283,6 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->permit_user_env;
goto parse_flag;
- case sUseLogin:
- intptr = &options->use_login;
- goto parse_flag;
-
case sCompression:
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -1400,6 +1360,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->allow_agent_forwarding;
goto parse_flag;
+ case sDisableForwarding:
+ intptr = &options->disable_forwarding;
+ goto parse_flag;
+
case sUsePrivilegeSeparation:
intptr = &use_privsep;
multistate_ptr = multistate_privsep;
@@ -1410,6 +1374,9 @@ process_server_config_line(ServerOptions *options, char *line,
if (options->num_allow_users >= MAX_ALLOW_USERS)
fatal("%s line %d: too many allow users.",
filename, linenum);
+ if (match_user(NULL, NULL, NULL, arg) == -1)
+ fatal("%s line %d: invalid AllowUsers pattern: "
+ "\"%.100s\"", filename, linenum, arg);
if (!*activep)
continue;
options->allow_users[options->num_allow_users++] =
@@ -1422,6 +1389,9 @@ process_server_config_line(ServerOptions *options, char *line,
if (options->num_deny_users >= MAX_DENY_USERS)
fatal("%s line %d: too many deny users.",
filename, linenum);
+ if (match_user(NULL, NULL, NULL, arg) == -1)
+ fatal("%s line %d: invalid DenyUsers pattern: "
+ "\"%.100s\"", filename, linenum, arg);
if (!*activep)
continue;
options->deny_users[options->num_deny_users++] =
@@ -1487,19 +1457,6 @@ process_server_config_line(ServerOptions *options, char *line,
options->kex_algorithms = xstrdup(arg);
break;
- case sProtocol:
- intptr = &options->protocol;
- arg = strdelim(&cp);
- if (!arg || *arg == '\0')
- fatal("%s line %d: Missing argument.", filename, linenum);
- value = proto_spec(arg);
- if (value == SSH_PROTO_UNKNOWN)
- fatal("%s line %d: Bad protocol spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
- if (*intptr == SSH_PROTO_UNKNOWN)
- *intptr = value;
- break;
-
case sSubsystem:
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
fatal("%s line %d: too many subsystems defined.",
@@ -1880,15 +1837,12 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sDeprecated:
- logit("%s line %d: Deprecated option %s",
- filename, linenum, arg);
- while (arg)
- arg = strdelim(&cp);
- break;
-
+ case sIgnore:
case sUnsupported:
- logit("%s line %d: Unsupported option %s",
- filename, linenum, arg);
+ do_log2(opcode == sIgnore ?
+ SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
+ "%s line %d: %s option %s", filename, linenum,
+ opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
while (arg)
arg = strdelim(&cp);
break;
@@ -2008,7 +1962,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
- M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
@@ -2020,6 +1973,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(allow_tcp_forwarding);
M_CP_INTOPT(allow_streamlocal_forwarding);
M_CP_INTOPT(allow_agent_forwarding);
+ M_CP_INTOPT(disable_forwarding);
M_CP_INTOPT(permit_tun);
M_CP_INTOPT(fwd_opts.gateway_ports);
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
@@ -2030,6 +1984,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(permit_user_rc);
M_CP_INTOPT(max_sessions);
M_CP_INTOPT(max_authtries);
+ M_CP_INTOPT(client_alive_count_max);
+ M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(rekey_limit);
@@ -2148,17 +2104,6 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd);
case sFingerprintHash:
return ssh_digest_alg_name(val);
- case sProtocol:
- switch (val) {
- case SSH_PROTO_1:
- return "1";
- case SSH_PROTO_2:
- return "2";
- case (SSH_PROTO_1|SSH_PROTO_2):
- return "2,1";
- default:
- return "UNKNOWN";
- }
default:
switch (val) {
case 0:
@@ -2245,7 +2190,6 @@ dump_config(ServerOptions *o)
/* these are usually at the top of the config */
for (i = 0; i < o->num_ports; i++)
printf("port %d\n", o->ports[i]);
- dump_cfg_fmtint(sProtocol, o->protocol);
dump_cfg_fmtint(sAddressFamily, o->address_family);
/*
@@ -2278,9 +2222,7 @@ dump_config(ServerOptions *o)
#ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam);
#endif
- dump_cfg_int(sServerKeyBits, o->server_key_bits);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
- dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
@@ -2292,11 +2234,9 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
- dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
o->hostbased_uses_name_from_packet_only);
- dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
#ifdef KRB5
dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
@@ -2327,12 +2267,12 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
- dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+ dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-01 22:02:14 +0000