replace statically-sized arrays in ServerOptions with dynamic ones

managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@

5 files changed, 167 insertions, 163 deletions

diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index f30ba5afb43..a6d5087656b 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.174 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.175 2017/10/05 15:52:03 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -680,12 +680,10 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 		for (i = 0; i < options.nx; i++) \
 			buffer_put_cstring(m, options.x[i]); \
 	} while (0)
-#define M_CP_STRARRAYOPT_ALLOC(x, nx) M_CP_STRARRAYOPT(x, nx)
 	/* See comment in servconf.h */
 	COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-#undef M_CP_STRARRAYOPT_ALLOC
 
 	/* Create valid auth method lists */
 	if (auth2_setup_methods_lists(authctxt) != 0) {
diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c
index a9e88d55e06..c3ad9b0c96d 100644
--- a/usr.bin/ssh/monitor_wrap.c
+++ b/usr.bin/ssh/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.94 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.95 2017/10/05 15:52:03 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -272,19 +272,15 @@ out:
 			newopts->x = buffer_get_string(&m, NULL); \
 	} while (0)
 #define M_CP_STRARRAYOPT(x, nx) do { \
-		for (i = 0; i < newopts->nx; i++) \
-			newopts->x[i] = buffer_get_string(&m, NULL); \
-	} while (0)
-#define M_CP_STRARRAYOPT_ALLOC(x, nx) do { \
 		newopts->x = newopts->nx == 0 ? \
 		    NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \
-		M_CP_STRARRAYOPT(x, nx); \
+		for (i = 0; i < newopts->nx; i++) \
+			newopts->x[i] = buffer_get_string(&m, NULL); \
 	} while (0)
 	/* See comment in servconf.h */
 	COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-#undef M_CP_STRARRAYOPT_ALLOC
 
 	copy_set_server_options(&options, newopts, 1);
 	log_change_level(options.log_level);
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index a2f7d55f355..c37563ae217 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.314 2017/10/05 15:52:03 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -178,21 +178,56 @@ assemble_algorithms(ServerOptions *o)
 		fatal("kex_assemble_names failed");
 }
 
+static void
+array_append(const char *file, const int line, const char *directive,
+    char ***array, u_int *lp, const char *s)
+{
+
+	if (*lp >= INT_MAX)
+		fatal("%s line %d: Too many %s entries", file, line, directive);
+
+	*array = xrecallocarray(*array, *lp, *lp + 1, sizeof(**array));
+	(*array)[*lp] = xstrdup(s);
+	(*lp)++;
+}
+
+void
+servconf_add_hostkey(const char *file, const int line,
+    ServerOptions *options, const char *path)
+{
+	char *apath = derelativise_path(path);
+
+	array_append(file, line, "HostKey",
+	    &options->host_key_files, &options->num_host_key_files, apath);
+	free(apath);
+}
+
+void
+servconf_add_hostcert(const char *file, const int line,
+    ServerOptions *options, const char *path)
+{
+	char *apath = derelativise_path(path);
+
+	array_append(file, line, "HostCertificate",
+	    &options->host_cert_files, &options->num_host_cert_files, apath);
+	free(apath);
+}
+
 void
 fill_default_server_options(ServerOptions *options)
 {
-	int i;
+	u_int i;
 
 	if (options->num_host_key_files == 0) {
 		/* fill default hostkeys */
-		options->host_key_files[options->num_host_key_files++] =
-		    _PATH_HOST_RSA_KEY_FILE;
-		options->host_key_files[options->num_host_key_files++] =
-		    _PATH_HOST_DSA_KEY_FILE;
-		options->host_key_files[options->num_host_key_files++] =
-		    _PATH_HOST_ECDSA_KEY_FILE;
-		options->host_key_files[options->num_host_key_files++] =
-		    _PATH_HOST_ED25519_KEY_FILE;
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_RSA_KEY_FILE);
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_DSA_KEY_FILE);
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_ECDSA_KEY_FILE);
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_ED25519_KEY_FILE);
 	}
 	/* No certificates by default */
 	if (options->num_ports == 0)
@@ -296,10 +331,14 @@ fill_default_server_options(ServerOptions *options)
 	if (options->client_alive_count_max == -1)
 		options->client_alive_count_max = 3;
 	if (options->num_authkeys_files == 0) {
-		options->authorized_keys_files[options->num_authkeys_files++] =
-		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
-		options->authorized_keys_files[options->num_authkeys_files++] =
-		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
+		array_append("[default]", 0, "AuthorizedKeysFiles",
+		    &options->authorized_keys_files,
+		    &options->num_authkeys_files,
+		    _PATH_SSH_USER_PERMITTED_KEYS);
+		array_append("[default]", 0, "AuthorizedKeysFiles",
+		    &options->authorized_keys_files,
+		    &options->num_authkeys_files,
+		    _PATH_SSH_USER_PERMITTED_KEYS2);
 	}
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
@@ -1076,22 +1115,12 @@ process_server_config_line(ServerOptions *options, char *line,
 		break;
 
 	case sHostKeyFile:
-		intptr = &options->num_host_key_files;
-		if (*intptr >= MAX_HOSTKEYS)
-			fatal("%s line %d: too many host keys specified (max %d).",
-			    filename, linenum, MAX_HOSTKEYS);
-		charptr = &options->host_key_files[*intptr];
- parse_filename:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing file name.",
 			    filename, linenum);
-		if (*activep && *charptr == NULL) {
-			*charptr = derelativise_path(arg);
-			/* increase optional counter */
-			if (intptr != NULL)
-				*intptr = *intptr + 1;
-		}
+		if (*activep)
+			servconf_add_hostkey(filename, linenum, options, arg);
 		break;
 
 	case sHostKeyAgent:
@@ -1106,17 +1135,28 @@ process_server_config_line(ServerOptions *options, char *line,
 		break;
 
 	case sHostCertificate:
-		intptr = &options->num_host_cert_files;
-		if (*intptr >= MAX_HOSTKEYS)
-			fatal("%s line %d: too many host certificates "
-			    "specified (max %d).", filename, linenum,
-			    MAX_HOSTCERTS);
-		charptr = &options->host_cert_files[*intptr];
-		goto parse_filename;
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing file name.",
+			    filename, linenum);
+		if (*activep)
+			servconf_add_hostcert(filename, linenum, options, arg);
+		break;
 
 	case sPidFile:
 		charptr = &options->pid_file;
-		goto parse_filename;
+ parse_filename:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing file name.",
+			    filename, linenum);
+		if (*activep && *charptr == NULL) {
+			*charptr = derelativise_path(arg);
+			/* increase optional counter */
+			if (intptr != NULL)
+				*intptr = *intptr + 1;
+		}
+		break;
 
 	case sPermitRootLogin:
 		intptr = &options->permit_root_login;
@@ -1360,55 +1400,47 @@ process_server_config_line(ServerOptions *options, char *line,
 
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_allow_users >= MAX_ALLOW_USERS)
-				fatal("%s line %d: too many allow users.",
-				    filename, linenum);
 			if (match_user(NULL, NULL, NULL, arg) == -1)
 				fatal("%s line %d: invalid AllowUsers pattern: "
 				    "\"%.100s\"", filename, linenum, arg);
 			if (!*activep)
 				continue;
-			options->allow_users[options->num_allow_users++] =
-			    xstrdup(arg);
+			array_append(filename, linenum, "AllowUsers",
+			    &options->allow_users, &options->num_allow_users,
+			    arg);
 		}
 		break;
 
 	case sDenyUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_deny_users >= MAX_DENY_USERS)
-				fatal("%s line %d: too many deny users.",
-				    filename, linenum);
 			if (match_user(NULL, NULL, NULL, arg) == -1)
 				fatal("%s line %d: invalid DenyUsers pattern: "
 				    "\"%.100s\"", filename, linenum, arg);
 			if (!*activep)
 				continue;
-			options->deny_users[options->num_deny_users++] =
-			    xstrdup(arg);
+			array_append(filename, linenum, "DenyUsers",
+			    &options->deny_users, &options->num_deny_users,
+			    arg);
 		}
 		break;
 
 	case sAllowGroups:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
-				fatal("%s line %d: too many allow groups.",
-				    filename, linenum);
 			if (!*activep)
 				continue;
-			options->allow_groups[options->num_allow_groups++] =
-			    xstrdup(arg);
+			array_append(filename, linenum, "AllowGroups",
+			    &options->allow_groups, &options->num_allow_groups,
+			    arg);
 		}
 		break;
 
 	case sDenyGroups:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_deny_groups >= MAX_DENY_GROUPS)
-				fatal("%s line %d: too many deny groups.",
-				    filename, linenum);
 			if (!*activep)
 				continue;
-			options->deny_groups[options->num_deny_groups++] =
-			    xstrdup(arg);
+			array_append(filename, linenum, "DenyGroups",
+			    &options->deny_groups, &options->num_deny_groups,
+			    arg);
 		}
 		break;
 
@@ -1527,14 +1559,12 @@ process_server_config_line(ServerOptions *options, char *line,
 	case sAuthorizedKeysFile:
 		if (*activep && options->num_authkeys_files == 0) {
 			while ((arg = strdelim(&cp)) && *arg != '\0') {
-				if (options->num_authkeys_files >=
-				    MAX_AUTHKEYS_FILES)
-					fatal("%s line %d: "
-					    "too many authorized keys files.",
-					    filename, linenum);
-				options->authorized_keys_files[
-				    options->num_authkeys_files++] =
-				    tilde_expand_filename(arg, getuid());
+				arg = tilde_expand_filename(arg, getuid());
+				array_append(filename, linenum,
+				    "AuthorizedKeysFile",
+				    &options->authorized_keys_files,
+				    &options->num_authkeys_files, arg);
+				free(arg);
 			}
 		}
 		return 0;
@@ -1566,13 +1596,11 @@ process_server_config_line(ServerOptions *options, char *line,
 			if (strchr(arg, '=') != NULL)
 				fatal("%s line %d: Invalid environment name.",
 				    filename, linenum);
-			if (options->num_accept_env >= MAX_ACCEPT_ENV)
-				fatal("%s line %d: too many allow env.",
-				    filename, linenum);
 			if (!*activep)
 				continue;
-			options->accept_env[options->num_accept_env++] =
-			    xstrdup(arg);
+			array_append(filename, linenum, "AcceptEnv",
+			    &options->accept_env, &options->num_accept_env,
+			    arg);
 		}
 		break;
 
@@ -1632,15 +1660,12 @@ process_server_config_line(ServerOptions *options, char *line,
 				fatal("%s line %d: bad port number in "
 				    "PermitOpen", filename, linenum);
 			if (*activep && value == 0) {
-				options->permitted_opens = xrecallocarray(
-				    options->permitted_opens,
-				    options->num_permitted_opens,
-				    options->num_permitted_opens + 1,
-				    sizeof(*options->permitted_opens));
-				i = options->num_permitted_opens++;
-				options->permitted_opens[i] = arg2;
-			} else
-				free(arg2);
+				array_append(filename, linenum,
+				    "PermitOpen",
+				    &options->permitted_opens,
+				    &options->num_permitted_opens, arg2);
+			}
+			free(arg2);
 		}
 		break;
 
@@ -1763,11 +1788,6 @@ process_server_config_line(ServerOptions *options, char *line,
 			value = 0; /* seen "any" pseudo-method */
 			value2 = 0; /* sucessfully parsed any method */
 			while ((arg = strdelim(&cp)) && *arg != '\0') {
-				if (options->num_auth_methods >=
-				    MAX_AUTH_METHODS)
-					fatal("%s line %d: "
-					    "too many authentication methods.",
-					    filename, linenum);
 				if (strcmp(arg, "any") == 0) {
 					if (options->num_auth_methods > 0) {
 						fatal("%s line %d: \"any\" "
@@ -1788,8 +1808,10 @@ process_server_config_line(ServerOptions *options, char *line,
 				value2 = 1;
 				if (!*activep)
 					continue;
-				options->auth_methods[
-				    options->num_auth_methods++] = xstrdup(arg);
+				array_append(filename, linenum,
+				    "AuthenticationMethods",
+				    &options->auth_methods,
+				    &options->num_auth_methods, arg);
 			}
 			if (value2 == 0) {
 				fatal("%s line %d: no AuthenticationMethods "
@@ -2005,17 +2027,16 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 		dst->n = src->n; \
 	} \
 } while(0)
-#define M_CP_STRARRAYOPT(n, num_n) do {\
-	if (src->num_n != 0) { \
-		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
-			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
-	} \
-} while(0)
-#define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \
-	if (src->num_n != 0) { \
-		dst->n = xcalloc(src->num_n, sizeof(*dst->n)); \
-		M_CP_STRARRAYOPT(n, num_n); \
-		dst->num_n = src->num_n; \
+#define M_CP_STRARRAYOPT(s, num_s) do {\
+	u_int i; \
+	if (src->num_s != 0) { \
+		for (i = 0; i < dst->num_s; i++) \
+			free(dst->s[i]); \
+		free(dst->s); \
+		dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
+		for (i = 0; i < src->num_s; i++) \
+			dst->s[i] = xstrdup(src->s[i]); \
+		dst->num_s = src->num_s; \
 	} \
 } while(0)
 
@@ -2048,7 +2069,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 #undef M_CP_INTOPT
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-#undef M_CP_STRARRAYOPT_ALLOC
 
 void
 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 367094791e1..ea381e2df2c 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.126 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.127 2017/10/05 15:52:03 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -18,17 +18,7 @@
 
 #define MAX_PORTS		256	/* Max # ports. */
 
-#define MAX_ALLOW_USERS		256	/* Max # users on allow list. */
-#define MAX_DENY_USERS		256	/* Max # users on deny list. */
-#define MAX_ALLOW_GROUPS	256	/* Max # groups on allow list. */
-#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
 #define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
-#define MAX_HOSTKEYS		256	/* Max # hostkeys. */
-#define MAX_HOSTCERTS		256	/* Max # host certificates. */
-#define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
-#define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
-#define MAX_AUTHKEYS_FILES	256	/* Max # of authorized_keys files. */
-#define MAX_AUTH_METHODS	256	/* Max # of AuthenticationMethods. */
 
 /* permit_root_login */
 #define	PERMIT_NOT_SET		-1
@@ -68,14 +58,16 @@ typedef struct {
 	u_int	num_queued_listens;
 	char   **queued_listen_addrs;
 	int    *queued_listen_ports;
-	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
-	int     address_family;		/* Address family used by the server. */
-	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
-	int     num_host_key_files;     /* Number of files for host keys. */
-	char   *host_cert_files[MAX_HOSTCERTS];	/* Files containing host certs. */
-	int     num_host_cert_files;     /* Number of files for host certs. */
-	char   *host_key_agent;		 /* ssh-agent socket for host keys. */
-	char   *pid_file;	/* Where to put our pid */
+	struct addrinfo *listen_addrs;	/* Addresses for server to listen. */
+	int	address_family;		/* Address family used by the server. */
+
+	char   **host_key_files;	/* Files containing host keys. */
+	u_int	num_host_key_files;     /* Number of files for host keys. */
+	char   **host_cert_files;	/* Files containing host certs. */
+	u_int	num_host_cert_files;	/* Number of files for host certs. */
+
+	char   *host_key_agent;		/* ssh-agent socket for host keys. */
+	char   *pid_file;		/* Where to put our pid */
 	int     login_grace_time;	/* Disconnect if no auth in this time
 					 * (sec). */
 	int     permit_root_login;	/* PERMIT_*, see above */
@@ -134,13 +126,13 @@ typedef struct {
 	int	allow_agent_forwarding;
 	int	disable_forwarding;
 	u_int num_allow_users;
-	char   *allow_users[MAX_ALLOW_USERS];
+	char   **allow_users;
 	u_int num_deny_users;
-	char   *deny_users[MAX_DENY_USERS];
+	char   **deny_users;
 	u_int num_allow_groups;
-	char   *allow_groups[MAX_ALLOW_GROUPS];
+	char   **allow_groups;
 	u_int num_deny_groups;
-	char   *deny_groups[MAX_DENY_GROUPS];
+	char   **deny_groups;
 
 	u_int num_subsystems;
 	char   *subsystem_name[MAX_SUBSYSTEMS];
@@ -148,7 +140,7 @@ typedef struct {
 	char   *subsystem_args[MAX_SUBSYSTEMS];
 
 	u_int num_accept_env;
-	char   *accept_env[MAX_ACCEPT_ENV];
+	char   **accept_env;
 
 	int	max_startups_begin;
 	int	max_startups_rate;
@@ -167,8 +159,8 @@ typedef struct {
 					 * disconnect the session
 					 */
 
-	u_int num_authkeys_files;	/* Files containing public keys */
-	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
+	u_int	num_authkeys_files;	/* Files containing public keys */
+	char   **authorized_keys_files;
 
 	char   *adm_forced_command;
 
@@ -192,7 +184,7 @@ typedef struct {
 	char   *version_addendum;	/* Appended to SSH banner */
 
 	u_int	num_auth_methods;
-	char   *auth_methods[MAX_AUTH_METHODS];
+	char   **auth_methods;
 
 	int	fingerprint_hash;
 	int	expose_userauth_info;
@@ -235,7 +227,7 @@ struct connection_info {
 		M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
 		M_CP_STRARRAYOPT(accept_env, num_accept_env); \
 		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
-		M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
+		M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
 	} while (0)
 
 struct connection_info *get_connection_info(int, int);
@@ -253,5 +245,9 @@ int	 server_match_spec_complete(struct connection_info *);
 void	 copy_set_server_options(ServerOptions *, ServerOptions *, int);
 void	 dump_config(ServerOptions *);
 char	*derelativise_path(const char *);
+void	 servconf_add_hostkey(const char *, const int,
+	    ServerOptions *, const char *path);
+void	 servconf_add_hostcert(const char *, const int,
+	    ServerOptions *, const char *path);
 
 #endif				/* SERVCONF_H */
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 8551198829a..72e6d871204 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.492 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.493 2017/10/05 15:52:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -443,7 +443,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
 void
 destroy_sensitive_data(void)
 {
-	int i;
+	u_int i;
 
 	for (i = 0; i < options.num_host_key_files; i++) {
 		if (sensitive_data.host_keys[i]) {
@@ -462,7 +462,7 @@ void
 demote_sensitive_data(void)
 {
 	struct sshkey *tmp;
-	int i;
+	u_int i;
 
 	for (i = 0; i < options.num_host_key_files; i++) {
 		if (sensitive_data.host_keys[i]) {
@@ -642,7 +642,7 @@ list_hostkey_types(void)
 	Buffer b;
 	const char *p;
 	char *ret;
-	int i;
+	u_int i;
 	struct sshkey *key;
 
 	buffer_init(&b);
@@ -702,7 +702,7 @@ list_hostkey_types(void)
 static struct sshkey *
 get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
 {
-	int i;
+	u_int i;
 	struct sshkey *key;
 
 	for (i = 0; i < options.num_host_key_files; i++) {
@@ -742,7 +742,7 @@ get_hostkey_private_by_type(int type, int nid, struct ssh *ssh)
 struct sshkey *
 get_hostkey_by_index(int ind)
 {
-	if (ind < 0 || ind >= options.num_host_key_files)
+	if (ind < 0 || (u_int)ind >= options.num_host_key_files)
 		return (NULL);
 	return (sensitive_data.host_keys[ind]);
 }
@@ -750,7 +750,7 @@ get_hostkey_by_index(int ind)
 struct sshkey *
 get_hostkey_public_by_index(int ind, struct ssh *ssh)
 {
-	if (ind < 0 || ind >= options.num_host_key_files)
+	if (ind < 0 || (u_int)ind >= options.num_host_key_files)
 		return (NULL);
 	return (sensitive_data.host_pubkeys[ind]);
 }
@@ -758,7 +758,7 @@ get_hostkey_public_by_index(int ind, struct ssh *ssh)
 int
 get_hostkey_index(struct sshkey *key, int compare, struct ssh *ssh)
 {
-	int i;
+	u_int i;
 
 	for (i = 0; i < options.num_host_key_files; i++) {
 		if (key_is_cert(key)) {
@@ -787,7 +787,8 @@ notify_hostkeys(struct ssh *ssh)
 {
 	struct sshbuf *buf;
 	struct sshkey *key;
-	int i, nkeys, r;
+	u_int i, nkeys;
+	int r;
 	char *fp;
 
 	/* Some clients cannot cope with the hostkeys message, skip those. */
@@ -818,7 +819,7 @@ notify_hostkeys(struct ssh *ssh)
 		packet_put_string(sshbuf_ptr(buf), sshbuf_len(buf));
 		nkeys++;
 	}
-	debug3("%s: sent %d hostkeys", __func__, nkeys);
+	debug3("%s: sent %u hostkeys", __func__, nkeys);
 	if (nkeys == 0)
 		fatal("%s: no hostkeys", __func__);
 	packet_send();
@@ -1281,13 +1282,12 @@ main(int ac, char **av)
 	struct ssh *ssh = NULL;
 	extern char *optarg;
 	extern int optind;
-	int r, opt, i, j, on = 1, already_daemon;
+	int r, opt, on = 1, already_daemon, remote_port;
 	int sock_in = -1, sock_out = -1, newsock = -1;
 	const char *remote_ip;
-	int remote_port;
 	char *fp, *line, *laddr, *logfile = NULL;
 	int config_s[2] = { -1 , -1 };
-	u_int n;
+	u_int i, j;
 	u_int64_t ibytes, obytes;
 	mode_t new_umask;
 	struct sshkey *key;
@@ -1321,12 +1321,8 @@ main(int ac, char **av)
 			config_file_name = optarg;
 			break;
 		case 'c':
-			if (options.num_host_cert_files >= MAX_HOSTCERTS) {
-				fprintf(stderr, "too many host certificates.\n");
-				exit(1);
-			}
-			options.host_cert_files[options.num_host_cert_files++] =
-			   derelativise_path(optarg);
+			servconf_add_hostcert("[command-line]", 0,
+			    &options, optarg);
 			break;
 		case 'd':
 			if (debug_flag == 0) {
@@ -1385,12 +1381,8 @@ main(int ac, char **av)
 			/* protocol 1, ignored */
 			break;
 		case 'h':
-			if (options.num_host_key_files >= MAX_HOSTKEYS) {
-				fprintf(stderr, "too many host keys.\n");
-				exit(1);
-			}
-			options.host_key_files[options.num_host_key_files++] = 
-			   derelativise_path(optarg);
+			servconf_add_hostkey("[command-line]", 0,
+			    &options, optarg);
 			break;
 		case 't':
 			test_flag = 1;
@@ -1500,12 +1492,12 @@ main(int ac, char **av)
 	 * and warns for trivial misconfigurations that could break login.
 	 */
 	if (options.num_auth_methods != 0) {
-		for (n = 0; n < options.num_auth_methods; n++) {
-			if (auth2_methods_valid(options.auth_methods[n],
+		for (i = 0; i < options.num_auth_methods; i++) {
+			if (auth2_methods_valid(options.auth_methods[i],
 			    1) == 0)
 				break;
 		}
-		if (n >= options.num_auth_methods)
+		if (i >= options.num_auth_methods)
 			fatal("AuthenticationMethods cannot be satisfied by "
 			    "enabled authentication methods");
 	}
@@ -1626,7 +1618,7 @@ main(int ac, char **av)
 			continue;
 		}
 		sensitive_data.host_certificates[j] = key;
-		debug("host certificate: #%d type %d %s", j, key->type,
+		debug("host certificate: #%u type %d %s", j, key->type,
 		    key_type(key));
 	}
 
@@ -1656,8 +1648,10 @@ main(int ac, char **av)
 		exit(0);
 
 	if (rexec_flag) {
+		if (rexec_argc < 0)
+			fatal("rexec_argc %d < 0", rexec_argc);
 		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-		for (i = 0; i < rexec_argc; i++) {
+		for (i = 0; i < (u_int)rexec_argc; i++) {
 			debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
 			rexec_argv[i] = saved_argv[i];
 		}