]>
Commit | Line | Data |
---|---|---|
bcbf86ec | 1 | /* |
2 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
4 | * All rights reserved | |
bcbf86ec | 5 | * As far as I am concerned, the code I have written for this software |
6 | * can be used freely for any purpose. Any derived versions of this | |
7 | * software must be clearly marked as such, and if the derived work is | |
8 | * incompatible with the protocol description in the RFC file, it must be | |
9 | * called by a name other than "ssh" or "Secure Shell". | |
10 | */ | |
11 | ||
38c295d6 | 12 | #include "includes.h" |
01dafcb5 | 13 | RCSID("$OpenBSD: auth-options.c,v 1.24 2002/05/13 20:44:58 markus Exp $"); |
38c295d6 | 14 | |
38c295d6 | 15 | #include "packet.h" |
16 | #include "xmalloc.h" | |
17 | #include "match.h" | |
42f11eb2 | 18 | #include "log.h" |
19 | #include "canohost.h" | |
a5efa1bb | 20 | #include "channels.h" |
42f11eb2 | 21 | #include "auth-options.h" |
61e96248 | 22 | #include "servconf.h" |
1853d1ef | 23 | #include "bufaux.h" |
ed787d14 | 24 | #include "misc.h" |
1853d1ef | 25 | #include "monitor_wrap.h" |
01dafcb5 | 26 | #include "auth.h" |
38c295d6 | 27 | |
28 | /* Flags set authorized_keys flags */ | |
29 | int no_port_forwarding_flag = 0; | |
30 | int no_agent_forwarding_flag = 0; | |
31 | int no_x11_forwarding_flag = 0; | |
32 | int no_pty_flag = 0; | |
33 | ||
34 | /* "command=" option. */ | |
35 | char *forced_command = NULL; | |
36 | ||
37 | /* "environment=" options. */ | |
38 | struct envstring *custom_environment = NULL; | |
39 | ||
61e96248 | 40 | extern ServerOptions options; |
41 | ||
94ec8c6b | 42 | void |
43 | auth_clear_options(void) | |
44 | { | |
45 | no_agent_forwarding_flag = 0; | |
46 | no_port_forwarding_flag = 0; | |
47 | no_pty_flag = 0; | |
48 | no_x11_forwarding_flag = 0; | |
49 | while (custom_environment) { | |
50 | struct envstring *ce = custom_environment; | |
51 | custom_environment = ce->next; | |
52 | xfree(ce->s); | |
53 | xfree(ce); | |
54 | } | |
55 | if (forced_command) { | |
56 | xfree(forced_command); | |
57 | forced_command = NULL; | |
58 | } | |
01794848 | 59 | channel_clear_permitted_opens(); |
01dafcb5 | 60 | auth_debug_reset(); |
94ec8c6b | 61 | } |
62 | ||
42f11eb2 | 63 | /* |
64 | * return 1 if access is granted, 0 if not. | |
65 | * side effect: sets key option flags | |
66 | */ | |
38c295d6 | 67 | int |
61e96248 | 68 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
38c295d6 | 69 | { |
70 | const char *cp; | |
01794848 | 71 | int i; |
94ec8c6b | 72 | |
73 | /* reset options */ | |
74 | auth_clear_options(); | |
75 | ||
e0b2cf6b | 76 | if (!opts) |
77 | return 1; | |
78 | ||
61e96248 | 79 | while (*opts && *opts != ' ' && *opts != '\t') { |
38c295d6 | 80 | cp = "no-port-forwarding"; |
61e96248 | 81 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 82 | auth_debug_add("Port forwarding disabled."); |
38c295d6 | 83 | no_port_forwarding_flag = 1; |
61e96248 | 84 | opts += strlen(cp); |
38c295d6 | 85 | goto next_option; |
86 | } | |
87 | cp = "no-agent-forwarding"; | |
61e96248 | 88 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 89 | auth_debug_add("Agent forwarding disabled."); |
38c295d6 | 90 | no_agent_forwarding_flag = 1; |
61e96248 | 91 | opts += strlen(cp); |
38c295d6 | 92 | goto next_option; |
93 | } | |
94 | cp = "no-X11-forwarding"; | |
61e96248 | 95 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 96 | auth_debug_add("X11 forwarding disabled."); |
38c295d6 | 97 | no_x11_forwarding_flag = 1; |
61e96248 | 98 | opts += strlen(cp); |
38c295d6 | 99 | goto next_option; |
100 | } | |
101 | cp = "no-pty"; | |
61e96248 | 102 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 103 | auth_debug_add("Pty allocation disabled."); |
38c295d6 | 104 | no_pty_flag = 1; |
61e96248 | 105 | opts += strlen(cp); |
38c295d6 | 106 | goto next_option; |
107 | } | |
108 | cp = "command=\""; | |
61e96248 | 109 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
61e96248 | 110 | opts += strlen(cp); |
111 | forced_command = xmalloc(strlen(opts) + 1); | |
38c295d6 | 112 | i = 0; |
61e96248 | 113 | while (*opts) { |
114 | if (*opts == '"') | |
38c295d6 | 115 | break; |
61e96248 | 116 | if (*opts == '\\' && opts[1] == '"') { |
117 | opts += 2; | |
38c295d6 | 118 | forced_command[i++] = '"'; |
119 | continue; | |
120 | } | |
61e96248 | 121 | forced_command[i++] = *opts++; |
38c295d6 | 122 | } |
61e96248 | 123 | if (!*opts) { |
38c295d6 | 124 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 125 | file, linenum); |
01dafcb5 | 126 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 127 | file, linenum); |
acc9d6d7 | 128 | xfree(forced_command); |
129 | forced_command = NULL; | |
130 | goto bad_option; | |
38c295d6 | 131 | } |
132 | forced_command[i] = 0; | |
01dafcb5 | 133 | auth_debug_add("Forced command: %.900s", forced_command); |
61e96248 | 134 | opts++; |
38c295d6 | 135 | goto next_option; |
136 | } | |
137 | cp = "environment=\""; | |
61e96248 | 138 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 139 | char *s; |
140 | struct envstring *new_envstring; | |
01794848 | 141 | |
61e96248 | 142 | opts += strlen(cp); |
143 | s = xmalloc(strlen(opts) + 1); | |
38c295d6 | 144 | i = 0; |
61e96248 | 145 | while (*opts) { |
146 | if (*opts == '"') | |
38c295d6 | 147 | break; |
61e96248 | 148 | if (*opts == '\\' && opts[1] == '"') { |
149 | opts += 2; | |
38c295d6 | 150 | s[i++] = '"'; |
151 | continue; | |
152 | } | |
61e96248 | 153 | s[i++] = *opts++; |
38c295d6 | 154 | } |
61e96248 | 155 | if (!*opts) { |
38c295d6 | 156 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 157 | file, linenum); |
01dafcb5 | 158 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 159 | file, linenum); |
acc9d6d7 | 160 | xfree(s); |
161 | goto bad_option; | |
38c295d6 | 162 | } |
163 | s[i] = 0; | |
01dafcb5 | 164 | auth_debug_add("Adding to environment: %.900s", s); |
38c295d6 | 165 | debug("Adding to environment: %.900s", s); |
61e96248 | 166 | opts++; |
38c295d6 | 167 | new_envstring = xmalloc(sizeof(struct envstring)); |
168 | new_envstring->s = s; | |
169 | new_envstring->next = custom_environment; | |
170 | custom_environment = new_envstring; | |
171 | goto next_option; | |
172 | } | |
173 | cp = "from=\""; | |
61e96248 | 174 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
61e96248 | 175 | const char *remote_ip = get_remote_ipaddr(); |
176 | const char *remote_host = get_canonical_hostname( | |
bf4c5edc | 177 | options.verify_reverse_mapping); |
61e96248 | 178 | char *patterns = xmalloc(strlen(opts) + 1); |
01794848 | 179 | |
61e96248 | 180 | opts += strlen(cp); |
38c295d6 | 181 | i = 0; |
61e96248 | 182 | while (*opts) { |
183 | if (*opts == '"') | |
38c295d6 | 184 | break; |
61e96248 | 185 | if (*opts == '\\' && opts[1] == '"') { |
186 | opts += 2; | |
38c295d6 | 187 | patterns[i++] = '"'; |
188 | continue; | |
189 | } | |
61e96248 | 190 | patterns[i++] = *opts++; |
38c295d6 | 191 | } |
61e96248 | 192 | if (!*opts) { |
38c295d6 | 193 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 194 | file, linenum); |
01dafcb5 | 195 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 196 | file, linenum); |
acc9d6d7 | 197 | xfree(patterns); |
198 | goto bad_option; | |
38c295d6 | 199 | } |
200 | patterns[i] = 0; | |
61e96248 | 201 | opts++; |
2cee8a25 | 202 | if (match_host_and_ip(remote_host, remote_ip, |
203 | patterns) != 1) { | |
204 | xfree(patterns); | |
61e96248 | 205 | log("Authentication tried for %.100s with " |
206 | "correct key but not from a permitted " | |
207 | "host (host=%.200s, ip=%.200s).", | |
208 | pw->pw_name, remote_host, remote_ip); | |
01dafcb5 | 209 | auth_debug_add("Your host '%.200s' is not " |
61e96248 | 210 | "permitted to use this key for login.", |
211 | remote_host); | |
38c295d6 | 212 | /* deny access */ |
213 | return 0; | |
214 | } | |
2cee8a25 | 215 | xfree(patterns); |
38c295d6 | 216 | /* Host name matches. */ |
217 | goto next_option; | |
218 | } | |
01794848 | 219 | cp = "permitopen=\""; |
220 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
ed787d14 | 221 | char host[256], sport[6]; |
01794848 | 222 | u_short port; |
01794848 | 223 | char *patterns = xmalloc(strlen(opts) + 1); |
224 | ||
225 | opts += strlen(cp); | |
226 | i = 0; | |
227 | while (*opts) { | |
228 | if (*opts == '"') | |
229 | break; | |
230 | if (*opts == '\\' && opts[1] == '"') { | |
231 | opts += 2; | |
232 | patterns[i++] = '"'; | |
233 | continue; | |
234 | } | |
235 | patterns[i++] = *opts++; | |
236 | } | |
237 | if (!*opts) { | |
238 | debug("%.100s, line %lu: missing end quote", | |
239 | file, linenum); | |
01dafcb5 | 240 | auth_debug_add("%.100s, line %lu: missing end quote", |
01794848 | 241 | file, linenum); |
242 | xfree(patterns); | |
243 | goto bad_option; | |
244 | } | |
245 | patterns[i] = 0; | |
246 | opts++; | |
ed787d14 | 247 | if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 && |
248 | sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { | |
249 | debug("%.100s, line %lu: Bad permitopen specification " | |
250 | "<%.100s>", file, linenum, patterns); | |
01dafcb5 | 251 | auth_debug_add("%.100s, line %lu: " |
ed787d14 | 252 | "Bad permitopen specification", file, linenum); |
01794848 | 253 | xfree(patterns); |
254 | goto bad_option; | |
255 | } | |
ed787d14 | 256 | if ((port = a2port(sport)) == 0) { |
257 | debug("%.100s, line %lu: Bad permitopen port <%.100s>", | |
258 | file, linenum, sport); | |
01dafcb5 | 259 | auth_debug_add("%.100s, line %lu: " |
ed787d14 | 260 | "Bad permitopen port", file, linenum); |
01794848 | 261 | xfree(patterns); |
262 | goto bad_option; | |
263 | } | |
b1ed8313 | 264 | if (options.allow_tcp_forwarding) |
ed787d14 | 265 | channel_add_permitted_opens(host, port); |
01794848 | 266 | xfree(patterns); |
267 | goto next_option; | |
268 | } | |
38c295d6 | 269 | next_option: |
270 | /* | |
271 | * Skip the comma, and move to the next option | |
272 | * (or break out if there are no more). | |
273 | */ | |
61e96248 | 274 | if (!*opts) |
38c295d6 | 275 | fatal("Bugs in auth-options.c option processing."); |
61e96248 | 276 | if (*opts == ' ' || *opts == '\t') |
38c295d6 | 277 | break; /* End of options. */ |
61e96248 | 278 | if (*opts != ',') |
38c295d6 | 279 | goto bad_option; |
61e96248 | 280 | opts++; |
38c295d6 | 281 | /* Process the next option. */ |
282 | } | |
1853d1ef | 283 | |
284 | if (!use_privsep) | |
01dafcb5 | 285 | auth_debug_send(); |
1853d1ef | 286 | |
38c295d6 | 287 | /* grant access */ |
288 | return 1; | |
289 | ||
290 | bad_option: | |
291 | log("Bad options in %.100s file, line %lu: %.50s", | |
61e96248 | 292 | file, linenum, opts); |
01dafcb5 | 293 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", |
61e96248 | 294 | file, linenum, opts); |
1853d1ef | 295 | |
296 | if (!use_privsep) | |
01dafcb5 | 297 | auth_debug_send(); |
1853d1ef | 298 | |
38c295d6 | 299 | /* deny access */ |
300 | return 0; | |
301 | } |