]>
Commit | Line | Data |
---|---|---|
47686178 | 1 | /* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */ |
3c0ef626 | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
5 | * All rights reserved | |
6 | * As far as I am concerned, the code I have written for this software | |
7 | * can be used freely for any purpose. Any derived versions of this | |
8 | * software must be clearly marked as such, and if the derived work is | |
9 | * incompatible with the protocol description in the RFC file, it must be | |
10 | * called by a name other than "ssh" or "Secure Shell". | |
11 | */ | |
12 | ||
13 | #include "includes.h" | |
9108f8d9 | 14 | |
15 | #include <sys/types.h> | |
16 | ||
17 | #include <netdb.h> | |
18 | #include <pwd.h> | |
19 | #include <string.h> | |
20 | #include <stdio.h> | |
21 | #include <stdarg.h> | |
3c0ef626 | 22 | |
3c0ef626 | 23 | #include "xmalloc.h" |
24 | #include "match.h" | |
25 | #include "log.h" | |
26 | #include "canohost.h" | |
9108f8d9 | 27 | #include "buffer.h" |
3c0ef626 | 28 | #include "channels.h" |
29 | #include "auth-options.h" | |
30 | #include "servconf.h" | |
31 | #include "misc.h" | |
9108f8d9 | 32 | #include "key.h" |
33 | #include "hostfile.h" | |
700318f3 | 34 | #include "auth.h" |
9108f8d9 | 35 | #ifdef GSSAPI |
36 | #include "ssh-gss.h" | |
37 | #endif | |
38 | #include "monitor_wrap.h" | |
3c0ef626 | 39 | |
40 | /* Flags set authorized_keys flags */ | |
41 | int no_port_forwarding_flag = 0; | |
42 | int no_agent_forwarding_flag = 0; | |
43 | int no_x11_forwarding_flag = 0; | |
44 | int no_pty_flag = 0; | |
47686178 | 45 | int no_user_rc = 0; |
3c0ef626 | 46 | |
47 | /* "command=" option. */ | |
48 | char *forced_command = NULL; | |
49 | ||
50 | /* "environment=" options. */ | |
51 | struct envstring *custom_environment = NULL; | |
52 | ||
2c06c99b | 53 | /* "tunnel=" option. */ |
54 | int forced_tun_device = -1; | |
55 | ||
3c0ef626 | 56 | extern ServerOptions options; |
57 | ||
58 | void | |
59 | auth_clear_options(void) | |
60 | { | |
61 | no_agent_forwarding_flag = 0; | |
62 | no_port_forwarding_flag = 0; | |
63 | no_pty_flag = 0; | |
64 | no_x11_forwarding_flag = 0; | |
47686178 | 65 | no_user_rc = 0; |
3c0ef626 | 66 | while (custom_environment) { |
67 | struct envstring *ce = custom_environment; | |
68 | custom_environment = ce->next; | |
69 | xfree(ce->s); | |
70 | xfree(ce); | |
71 | } | |
72 | if (forced_command) { | |
73 | xfree(forced_command); | |
74 | forced_command = NULL; | |
75 | } | |
2c06c99b | 76 | forced_tun_device = -1; |
3c0ef626 | 77 | channel_clear_permitted_opens(); |
700318f3 | 78 | auth_debug_reset(); |
3c0ef626 | 79 | } |
80 | ||
81 | /* | |
82 | * return 1 if access is granted, 0 if not. | |
83 | * side effect: sets key option flags | |
84 | */ | |
85 | int | |
86 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |
87 | { | |
88 | const char *cp; | |
89 | int i; | |
90 | ||
91 | /* reset options */ | |
92 | auth_clear_options(); | |
93 | ||
94 | if (!opts) | |
95 | return 1; | |
96 | ||
97 | while (*opts && *opts != ' ' && *opts != '\t') { | |
98 | cp = "no-port-forwarding"; | |
99 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
700318f3 | 100 | auth_debug_add("Port forwarding disabled."); |
3c0ef626 | 101 | no_port_forwarding_flag = 1; |
102 | opts += strlen(cp); | |
103 | goto next_option; | |
104 | } | |
105 | cp = "no-agent-forwarding"; | |
106 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
700318f3 | 107 | auth_debug_add("Agent forwarding disabled."); |
3c0ef626 | 108 | no_agent_forwarding_flag = 1; |
109 | opts += strlen(cp); | |
110 | goto next_option; | |
111 | } | |
112 | cp = "no-X11-forwarding"; | |
113 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
700318f3 | 114 | auth_debug_add("X11 forwarding disabled."); |
3c0ef626 | 115 | no_x11_forwarding_flag = 1; |
116 | opts += strlen(cp); | |
117 | goto next_option; | |
118 | } | |
119 | cp = "no-pty"; | |
120 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
700318f3 | 121 | auth_debug_add("Pty allocation disabled."); |
3c0ef626 | 122 | no_pty_flag = 1; |
123 | opts += strlen(cp); | |
124 | goto next_option; | |
125 | } | |
47686178 | 126 | cp = "no-user-rc"; |
127 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
128 | auth_debug_add("User rc file execution disabled."); | |
129 | no_user_rc = 1; | |
130 | opts += strlen(cp); | |
131 | goto next_option; | |
132 | } | |
3c0ef626 | 133 | cp = "command=\""; |
134 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
135 | opts += strlen(cp); | |
136 | forced_command = xmalloc(strlen(opts) + 1); | |
137 | i = 0; | |
138 | while (*opts) { | |
139 | if (*opts == '"') | |
140 | break; | |
141 | if (*opts == '\\' && opts[1] == '"') { | |
142 | opts += 2; | |
143 | forced_command[i++] = '"'; | |
144 | continue; | |
145 | } | |
146 | forced_command[i++] = *opts++; | |
147 | } | |
148 | if (!*opts) { | |
149 | debug("%.100s, line %lu: missing end quote", | |
150 | file, linenum); | |
700318f3 | 151 | auth_debug_add("%.100s, line %lu: missing end quote", |
3c0ef626 | 152 | file, linenum); |
153 | xfree(forced_command); | |
154 | forced_command = NULL; | |
155 | goto bad_option; | |
156 | } | |
9108f8d9 | 157 | forced_command[i] = '\0'; |
700318f3 | 158 | auth_debug_add("Forced command: %.900s", forced_command); |
3c0ef626 | 159 | opts++; |
160 | goto next_option; | |
161 | } | |
162 | cp = "environment=\""; | |
41b2f314 | 163 | if (options.permit_user_env && |
164 | strncasecmp(opts, cp, strlen(cp)) == 0) { | |
3c0ef626 | 165 | char *s; |
166 | struct envstring *new_envstring; | |
167 | ||
168 | opts += strlen(cp); | |
169 | s = xmalloc(strlen(opts) + 1); | |
170 | i = 0; | |
171 | while (*opts) { | |
172 | if (*opts == '"') | |
173 | break; | |
174 | if (*opts == '\\' && opts[1] == '"') { | |
175 | opts += 2; | |
176 | s[i++] = '"'; | |
177 | continue; | |
178 | } | |
179 | s[i++] = *opts++; | |
180 | } | |
181 | if (!*opts) { | |
182 | debug("%.100s, line %lu: missing end quote", | |
183 | file, linenum); | |
700318f3 | 184 | auth_debug_add("%.100s, line %lu: missing end quote", |
3c0ef626 | 185 | file, linenum); |
186 | xfree(s); | |
187 | goto bad_option; | |
188 | } | |
9108f8d9 | 189 | s[i] = '\0'; |
700318f3 | 190 | auth_debug_add("Adding to environment: %.900s", s); |
3c0ef626 | 191 | debug("Adding to environment: %.900s", s); |
192 | opts++; | |
193 | new_envstring = xmalloc(sizeof(struct envstring)); | |
194 | new_envstring->s = s; | |
195 | new_envstring->next = custom_environment; | |
196 | custom_environment = new_envstring; | |
197 | goto next_option; | |
198 | } | |
199 | cp = "from=\""; | |
200 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
201 | const char *remote_ip = get_remote_ipaddr(); | |
202 | const char *remote_host = get_canonical_hostname( | |
0fff78ff | 203 | options.use_dns); |
3c0ef626 | 204 | char *patterns = xmalloc(strlen(opts) + 1); |
205 | ||
206 | opts += strlen(cp); | |
207 | i = 0; | |
208 | while (*opts) { | |
209 | if (*opts == '"') | |
210 | break; | |
211 | if (*opts == '\\' && opts[1] == '"') { | |
212 | opts += 2; | |
213 | patterns[i++] = '"'; | |
214 | continue; | |
215 | } | |
216 | patterns[i++] = *opts++; | |
217 | } | |
218 | if (!*opts) { | |
219 | debug("%.100s, line %lu: missing end quote", | |
220 | file, linenum); | |
700318f3 | 221 | auth_debug_add("%.100s, line %lu: missing end quote", |
3c0ef626 | 222 | file, linenum); |
223 | xfree(patterns); | |
224 | goto bad_option; | |
225 | } | |
9108f8d9 | 226 | patterns[i] = '\0'; |
3c0ef626 | 227 | opts++; |
228 | if (match_host_and_ip(remote_host, remote_ip, | |
229 | patterns) != 1) { | |
230 | xfree(patterns); | |
0fff78ff | 231 | logit("Authentication tried for %.100s with " |
3c0ef626 | 232 | "correct key but not from a permitted " |
233 | "host (host=%.200s, ip=%.200s).", | |
234 | pw->pw_name, remote_host, remote_ip); | |
700318f3 | 235 | auth_debug_add("Your host '%.200s' is not " |
3c0ef626 | 236 | "permitted to use this key for login.", |
237 | remote_host); | |
238 | /* deny access */ | |
239 | return 0; | |
240 | } | |
241 | xfree(patterns); | |
242 | /* Host name matches. */ | |
243 | goto next_option; | |
244 | } | |
245 | cp = "permitopen=\""; | |
246 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
996d5e62 | 247 | char *host, *p; |
3c0ef626 | 248 | u_short port; |
249 | char *patterns = xmalloc(strlen(opts) + 1); | |
250 | ||
251 | opts += strlen(cp); | |
252 | i = 0; | |
253 | while (*opts) { | |
254 | if (*opts == '"') | |
255 | break; | |
256 | if (*opts == '\\' && opts[1] == '"') { | |
257 | opts += 2; | |
258 | patterns[i++] = '"'; | |
259 | continue; | |
260 | } | |
261 | patterns[i++] = *opts++; | |
262 | } | |
263 | if (!*opts) { | |
264 | debug("%.100s, line %lu: missing end quote", | |
265 | file, linenum); | |
996d5e62 | 266 | auth_debug_add("%.100s, line %lu: missing " |
267 | "end quote", file, linenum); | |
3c0ef626 | 268 | xfree(patterns); |
269 | goto bad_option; | |
270 | } | |
9108f8d9 | 271 | patterns[i] = '\0'; |
3c0ef626 | 272 | opts++; |
996d5e62 | 273 | p = patterns; |
274 | host = hpdelim(&p); | |
275 | if (host == NULL || strlen(host) >= NI_MAXHOST) { | |
276 | debug("%.100s, line %lu: Bad permitopen " | |
dec6d9fe | 277 | "specification <%.100s>", file, linenum, |
996d5e62 | 278 | patterns); |
700318f3 | 279 | auth_debug_add("%.100s, line %lu: " |
996d5e62 | 280 | "Bad permitopen specification", file, |
281 | linenum); | |
3c0ef626 | 282 | xfree(patterns); |
283 | goto bad_option; | |
284 | } | |
dec6d9fe | 285 | host = cleanhostname(host); |
286 | if (p == NULL || (port = a2port(p)) == 0) { | |
996d5e62 | 287 | debug("%.100s, line %lu: Bad permitopen port " |
288 | "<%.100s>", file, linenum, p ? p : ""); | |
700318f3 | 289 | auth_debug_add("%.100s, line %lu: " |
3c0ef626 | 290 | "Bad permitopen port", file, linenum); |
291 | xfree(patterns); | |
292 | goto bad_option; | |
293 | } | |
294 | if (options.allow_tcp_forwarding) | |
295 | channel_add_permitted_opens(host, port); | |
296 | xfree(patterns); | |
297 | goto next_option; | |
298 | } | |
2c06c99b | 299 | cp = "tunnel=\""; |
300 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
301 | char *tun = NULL; | |
302 | opts += strlen(cp); | |
303 | tun = xmalloc(strlen(opts) + 1); | |
304 | i = 0; | |
305 | while (*opts) { | |
306 | if (*opts == '"') | |
307 | break; | |
308 | tun[i++] = *opts++; | |
309 | } | |
310 | if (!*opts) { | |
311 | debug("%.100s, line %lu: missing end quote", | |
312 | file, linenum); | |
313 | auth_debug_add("%.100s, line %lu: missing end quote", | |
314 | file, linenum); | |
315 | xfree(tun); | |
316 | forced_tun_device = -1; | |
317 | goto bad_option; | |
318 | } | |
9108f8d9 | 319 | tun[i] = '\0'; |
2c06c99b | 320 | forced_tun_device = a2tun(tun, NULL); |
321 | xfree(tun); | |
322 | if (forced_tun_device == SSH_TUNID_ERR) { | |
323 | debug("%.100s, line %lu: invalid tun device", | |
324 | file, linenum); | |
325 | auth_debug_add("%.100s, line %lu: invalid tun device", | |
326 | file, linenum); | |
327 | forced_tun_device = -1; | |
328 | goto bad_option; | |
329 | } | |
330 | auth_debug_add("Forced tun device: %d", forced_tun_device); | |
331 | opts++; | |
332 | goto next_option; | |
333 | } | |
3c0ef626 | 334 | next_option: |
335 | /* | |
336 | * Skip the comma, and move to the next option | |
337 | * (or break out if there are no more). | |
338 | */ | |
339 | if (!*opts) | |
340 | fatal("Bugs in auth-options.c option processing."); | |
341 | if (*opts == ' ' || *opts == '\t') | |
342 | break; /* End of options. */ | |
343 | if (*opts != ',') | |
344 | goto bad_option; | |
345 | opts++; | |
346 | /* Process the next option. */ | |
347 | } | |
700318f3 | 348 | |
349 | if (!use_privsep) | |
350 | auth_debug_send(); | |
351 | ||
3c0ef626 | 352 | /* grant access */ |
353 | return 1; | |
354 | ||
355 | bad_option: | |
0fff78ff | 356 | logit("Bad options in %.100s file, line %lu: %.50s", |
3c0ef626 | 357 | file, linenum, opts); |
700318f3 | 358 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", |
3c0ef626 | 359 | file, linenum, opts); |
700318f3 | 360 | |
361 | if (!use_privsep) | |
362 | auth_debug_send(); | |
363 | ||
3c0ef626 | 364 | /* deny access */ |
365 | return 0; | |
366 | } |