X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/22616013c4eef383b19b8ad4f95780a316d0a51b..d76f17672018832a885e3ce6087123d85bda0bca:/openssh/auth-options.c diff --git a/openssh/auth-options.c b/openssh/auth-options.c index 2536145..9f90437 100644 --- a/openssh/auth-options.c +++ b/openssh/auth-options.c @@ -1,4 +1,3 @@ -/* $OpenBSD: auth-options.c,v 1.43 2008/06/10 23:06:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -11,39 +10,23 @@ */ #include "includes.h" +RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $"); -#include - -#include -#include -#include -#include -#include - -#include "openbsd-compat/sys-queue.h" +#include "packet.h" #include "xmalloc.h" #include "match.h" #include "log.h" #include "canohost.h" -#include "buffer.h" #include "channels.h" #include "auth-options.h" #include "servconf.h" #include "misc.h" -#include "key.h" -#include "hostfile.h" -#include "auth.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; int no_agent_forwarding_flag = 0; int no_x11_forwarding_flag = 0; int no_pty_flag = 0; -int no_user_rc = 0; /* "command=" option. */ char *forced_command = NULL; @@ -51,9 +34,6 @@ char *forced_command = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; -/* "tunnel=" option. */ -int forced_tun_device = -1; - extern ServerOptions options; void @@ -63,7 +43,6 @@ auth_clear_options(void) no_port_forwarding_flag = 0; no_pty_flag = 0; no_x11_forwarding_flag = 0; - no_user_rc = 0; while (custom_environment) { struct envstring *ce = custom_environment; custom_environment = ce->next; @@ -74,9 +53,7 @@ auth_clear_options(void) xfree(forced_command); forced_command = NULL; } - forced_tun_device = -1; channel_clear_permitted_opens(); - auth_debug_reset(); } /* @@ -98,39 +75,32 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) while (*opts && *opts != ' ' && *opts != '\t') { cp = "no-port-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("Port forwarding disabled."); + packet_send_debug("Port forwarding disabled."); no_port_forwarding_flag = 1; opts += strlen(cp); goto next_option; } cp = "no-agent-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("Agent forwarding disabled."); + packet_send_debug("Agent forwarding disabled."); no_agent_forwarding_flag = 1; opts += strlen(cp); goto next_option; } cp = "no-X11-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("X11 forwarding disabled."); + packet_send_debug("X11 forwarding disabled."); no_x11_forwarding_flag = 1; opts += strlen(cp); goto next_option; } cp = "no-pty"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("Pty allocation disabled."); + packet_send_debug("Pty allocation disabled."); no_pty_flag = 1; opts += strlen(cp); goto next_option; } - cp = "no-user-rc"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("User rc file execution disabled."); - no_user_rc = 1; - opts += strlen(cp); - goto next_option; - } cp = "command=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); @@ -149,20 +119,19 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - auth_debug_add("%.100s, line %lu: missing end quote", + packet_send_debug("%.100s, line %lu: missing end quote", file, linenum); xfree(forced_command); forced_command = NULL; goto bad_option; } - forced_command[i] = '\0'; - auth_debug_add("Forced command: %.900s", forced_command); + forced_command[i] = 0; + packet_send_debug("Forced command: %.900s", forced_command); opts++; goto next_option; } cp = "environment=\""; - if (options.permit_user_env && - strncasecmp(opts, cp, strlen(cp)) == 0) { + if (strncasecmp(opts, cp, strlen(cp)) == 0) { char *s; struct envstring *new_envstring; @@ -182,13 +151,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - auth_debug_add("%.100s, line %lu: missing end quote", + packet_send_debug("%.100s, line %lu: missing end quote", file, linenum); xfree(s); goto bad_option; } - s[i] = '\0'; - auth_debug_add("Adding to environment: %.900s", s); + s[i] = 0; + packet_send_debug("Adding to environment: %.900s", s); debug("Adding to environment: %.900s", s); opts++; new_envstring = xmalloc(sizeof(struct envstring)); @@ -201,7 +170,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { const char *remote_ip = get_remote_ipaddr(); const char *remote_host = get_canonical_hostname( - options.use_dns); + options.reverse_mapping_check); char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -219,42 +188,33 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - auth_debug_add("%.100s, line %lu: missing end quote", + packet_send_debug("%.100s, line %lu: missing end quote", file, linenum); xfree(patterns); goto bad_option; } - patterns[i] = '\0'; + patterns[i] = 0; opts++; - switch (match_host_and_ip(remote_host, remote_ip, - patterns)) { - case 1: - xfree(patterns); - /* Host name matches. */ - goto next_option; - case -1: - debug("%.100s, line %lu: invalid criteria", - file, linenum); - auth_debug_add("%.100s, line %lu: " - "invalid criteria", file, linenum); - /* FALLTHROUGH */ - case 0: + if (match_host_and_ip(remote_host, remote_ip, + patterns) != 1) { xfree(patterns); - logit("Authentication tried for %.100s with " + log("Authentication tried for %.100s with " "correct key but not from a permitted " "host (host=%.200s, ip=%.200s).", pw->pw_name, remote_host, remote_ip); - auth_debug_add("Your host '%.200s' is not " + packet_send_debug("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); - break; + /* deny access */ + return 0; } - /* deny access */ - return 0; + xfree(patterns); + /* Host name matches. */ + goto next_option; } cp = "permitopen=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - char *host, *p; + char host[256], sport[6]; u_short port; char *patterns = xmalloc(strlen(opts) + 1); @@ -273,30 +233,26 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - auth_debug_add("%.100s, line %lu: missing " - "end quote", file, linenum); + packet_send_debug("%.100s, line %lu: missing end quote", + file, linenum); xfree(patterns); goto bad_option; } - patterns[i] = '\0'; + patterns[i] = 0; opts++; - p = patterns; - host = hpdelim(&p); - if (host == NULL || strlen(host) >= NI_MAXHOST) { - debug("%.100s, line %lu: Bad permitopen " - "specification <%.100s>", file, linenum, - patterns); - auth_debug_add("%.100s, line %lu: " - "Bad permitopen specification", file, - linenum); + if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 && + sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { + debug("%.100s, line %lu: Bad permitopen specification " + "<%.100s>", file, linenum, patterns); + packet_send_debug("%.100s, line %lu: " + "Bad permitopen specification", file, linenum); xfree(patterns); goto bad_option; } - host = cleanhostname(host); - if (p == NULL || (port = a2port(p)) == 0) { - debug("%.100s, line %lu: Bad permitopen port " - "<%.100s>", file, linenum, p ? p : ""); - auth_debug_add("%.100s, line %lu: " + if ((port = a2port(sport)) == 0) { + debug("%.100s, line %lu: Bad permitopen port <%.100s>", + file, linenum, sport); + packet_send_debug("%.100s, line %lu: " "Bad permitopen port", file, linenum); xfree(patterns); goto bad_option; @@ -306,41 +262,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto next_option; } - cp = "tunnel=\""; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - char *tun = NULL; - opts += strlen(cp); - tun = xmalloc(strlen(opts) + 1); - i = 0; - while (*opts) { - if (*opts == '"') - break; - tun[i++] = *opts++; - } - if (!*opts) { - debug("%.100s, line %lu: missing end quote", - file, linenum); - auth_debug_add("%.100s, line %lu: missing end quote", - file, linenum); - xfree(tun); - forced_tun_device = -1; - goto bad_option; - } - tun[i] = '\0'; - forced_tun_device = a2tun(tun, NULL); - xfree(tun); - if (forced_tun_device == SSH_TUNID_ERR) { - debug("%.100s, line %lu: invalid tun device", - file, linenum); - auth_debug_add("%.100s, line %lu: invalid tun device", - file, linenum); - forced_tun_device = -1; - goto bad_option; - } - auth_debug_add("Forced tun device: %d", forced_tun_device); - opts++; - goto next_option; - } next_option: /* * Skip the comma, and move to the next option @@ -355,22 +276,14 @@ next_option: opts++; /* Process the next option. */ } - - if (!use_privsep) - auth_debug_send(); - /* grant access */ return 1; bad_option: - logit("Bad options in %.100s file, line %lu: %.50s", + log("Bad options in %.100s file, line %lu: %.50s", file, linenum, opts); - auth_debug_add("Bad options in %.100s file, line %lu: %.50s", + packet_send_debug("Bad options in %.100s file, line %lu: %.50s", file, linenum, opts); - - if (!use_privsep) - auth_debug_send(); - /* deny access */ return 0; }