]>
Commit | Line | Data |
---|---|---|
c8dfff33 | 1 | /* $OpenBSD: auth-options.c,v 1.37 2006/07/12 22:28:51 stevesk Exp $ */ |
bcbf86ec | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
5 | * All rights reserved | |
bcbf86ec | 6 | * As far as I am concerned, the code I have written for this software |
7 | * can be used freely for any purpose. Any derived versions of this | |
8 | * software must be clearly marked as such, and if the derived work is | |
9 | * incompatible with the protocol description in the RFC file, it must be | |
10 | * called by a name other than "ssh" or "Secure Shell". | |
11 | */ | |
12 | ||
38c295d6 | 13 | #include "includes.h" |
38c295d6 | 14 | |
b1842393 | 15 | #include <sys/types.h> |
16 | ||
c8dfff33 | 17 | #if defined(HAVE_NETDB_H) |
18 | # include <netdb.h> | |
19 | #endif | |
b1842393 | 20 | #include <pwd.h> |
21 | ||
38c295d6 | 22 | #include "xmalloc.h" |
23 | #include "match.h" | |
42f11eb2 | 24 | #include "log.h" |
25 | #include "canohost.h" | |
a5efa1bb | 26 | #include "channels.h" |
42f11eb2 | 27 | #include "auth-options.h" |
61e96248 | 28 | #include "servconf.h" |
ed787d14 | 29 | #include "misc.h" |
1853d1ef | 30 | #include "monitor_wrap.h" |
01dafcb5 | 31 | #include "auth.h" |
38c295d6 | 32 | |
33 | /* Flags set authorized_keys flags */ | |
34 | int no_port_forwarding_flag = 0; | |
35 | int no_agent_forwarding_flag = 0; | |
36 | int no_x11_forwarding_flag = 0; | |
37 | int no_pty_flag = 0; | |
38 | ||
39 | /* "command=" option. */ | |
40 | char *forced_command = NULL; | |
41 | ||
42 | /* "environment=" options. */ | |
43 | struct envstring *custom_environment = NULL; | |
44 | ||
d20f3c9e | 45 | /* "tunnel=" option. */ |
46 | int forced_tun_device = -1; | |
47 | ||
61e96248 | 48 | extern ServerOptions options; |
49 | ||
94ec8c6b | 50 | void |
51 | auth_clear_options(void) | |
52 | { | |
53 | no_agent_forwarding_flag = 0; | |
54 | no_port_forwarding_flag = 0; | |
55 | no_pty_flag = 0; | |
56 | no_x11_forwarding_flag = 0; | |
57 | while (custom_environment) { | |
58 | struct envstring *ce = custom_environment; | |
59 | custom_environment = ce->next; | |
60 | xfree(ce->s); | |
61 | xfree(ce); | |
62 | } | |
63 | if (forced_command) { | |
64 | xfree(forced_command); | |
65 | forced_command = NULL; | |
66 | } | |
d20f3c9e | 67 | forced_tun_device = -1; |
01794848 | 68 | channel_clear_permitted_opens(); |
01dafcb5 | 69 | auth_debug_reset(); |
94ec8c6b | 70 | } |
71 | ||
42f11eb2 | 72 | /* |
73 | * return 1 if access is granted, 0 if not. | |
74 | * side effect: sets key option flags | |
75 | */ | |
38c295d6 | 76 | int |
61e96248 | 77 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
38c295d6 | 78 | { |
79 | const char *cp; | |
01794848 | 80 | int i; |
94ec8c6b | 81 | |
82 | /* reset options */ | |
83 | auth_clear_options(); | |
84 | ||
e0b2cf6b | 85 | if (!opts) |
86 | return 1; | |
87 | ||
61e96248 | 88 | while (*opts && *opts != ' ' && *opts != '\t') { |
38c295d6 | 89 | cp = "no-port-forwarding"; |
61e96248 | 90 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 91 | auth_debug_add("Port forwarding disabled."); |
38c295d6 | 92 | no_port_forwarding_flag = 1; |
61e96248 | 93 | opts += strlen(cp); |
38c295d6 | 94 | goto next_option; |
95 | } | |
96 | cp = "no-agent-forwarding"; | |
61e96248 | 97 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 98 | auth_debug_add("Agent forwarding disabled."); |
38c295d6 | 99 | no_agent_forwarding_flag = 1; |
61e96248 | 100 | opts += strlen(cp); |
38c295d6 | 101 | goto next_option; |
102 | } | |
103 | cp = "no-X11-forwarding"; | |
61e96248 | 104 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 105 | auth_debug_add("X11 forwarding disabled."); |
38c295d6 | 106 | no_x11_forwarding_flag = 1; |
61e96248 | 107 | opts += strlen(cp); |
38c295d6 | 108 | goto next_option; |
109 | } | |
110 | cp = "no-pty"; | |
61e96248 | 111 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 112 | auth_debug_add("Pty allocation disabled."); |
38c295d6 | 113 | no_pty_flag = 1; |
61e96248 | 114 | opts += strlen(cp); |
38c295d6 | 115 | goto next_option; |
116 | } | |
117 | cp = "command=\""; | |
61e96248 | 118 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
61e96248 | 119 | opts += strlen(cp); |
120 | forced_command = xmalloc(strlen(opts) + 1); | |
38c295d6 | 121 | i = 0; |
61e96248 | 122 | while (*opts) { |
123 | if (*opts == '"') | |
38c295d6 | 124 | break; |
61e96248 | 125 | if (*opts == '\\' && opts[1] == '"') { |
126 | opts += 2; | |
38c295d6 | 127 | forced_command[i++] = '"'; |
128 | continue; | |
129 | } | |
61e96248 | 130 | forced_command[i++] = *opts++; |
38c295d6 | 131 | } |
61e96248 | 132 | if (!*opts) { |
38c295d6 | 133 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 134 | file, linenum); |
01dafcb5 | 135 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 136 | file, linenum); |
acc9d6d7 | 137 | xfree(forced_command); |
138 | forced_command = NULL; | |
139 | goto bad_option; | |
38c295d6 | 140 | } |
141 | forced_command[i] = 0; | |
01dafcb5 | 142 | auth_debug_add("Forced command: %.900s", forced_command); |
61e96248 | 143 | opts++; |
38c295d6 | 144 | goto next_option; |
145 | } | |
146 | cp = "environment=\""; | |
f00bab84 | 147 | if (options.permit_user_env && |
148 | strncasecmp(opts, cp, strlen(cp)) == 0) { | |
38c295d6 | 149 | char *s; |
150 | struct envstring *new_envstring; | |
01794848 | 151 | |
61e96248 | 152 | opts += strlen(cp); |
153 | s = xmalloc(strlen(opts) + 1); | |
38c295d6 | 154 | i = 0; |
61e96248 | 155 | while (*opts) { |
156 | if (*opts == '"') | |
38c295d6 | 157 | break; |
61e96248 | 158 | if (*opts == '\\' && opts[1] == '"') { |
159 | opts += 2; | |
38c295d6 | 160 | s[i++] = '"'; |
161 | continue; | |
162 | } | |
61e96248 | 163 | s[i++] = *opts++; |
38c295d6 | 164 | } |
61e96248 | 165 | if (!*opts) { |
38c295d6 | 166 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 167 | file, linenum); |
01dafcb5 | 168 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 169 | file, linenum); |
acc9d6d7 | 170 | xfree(s); |
171 | goto bad_option; | |
38c295d6 | 172 | } |
173 | s[i] = 0; | |
01dafcb5 | 174 | auth_debug_add("Adding to environment: %.900s", s); |
38c295d6 | 175 | debug("Adding to environment: %.900s", s); |
61e96248 | 176 | opts++; |
38c295d6 | 177 | new_envstring = xmalloc(sizeof(struct envstring)); |
178 | new_envstring->s = s; | |
179 | new_envstring->next = custom_environment; | |
180 | custom_environment = new_envstring; | |
181 | goto next_option; | |
182 | } | |
183 | cp = "from=\""; | |
61e96248 | 184 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
61e96248 | 185 | const char *remote_ip = get_remote_ipaddr(); |
186 | const char *remote_host = get_canonical_hostname( | |
c5a7d788 | 187 | options.use_dns); |
61e96248 | 188 | char *patterns = xmalloc(strlen(opts) + 1); |
01794848 | 189 | |
61e96248 | 190 | opts += strlen(cp); |
38c295d6 | 191 | i = 0; |
61e96248 | 192 | while (*opts) { |
193 | if (*opts == '"') | |
38c295d6 | 194 | break; |
61e96248 | 195 | if (*opts == '\\' && opts[1] == '"') { |
196 | opts += 2; | |
38c295d6 | 197 | patterns[i++] = '"'; |
198 | continue; | |
199 | } | |
61e96248 | 200 | patterns[i++] = *opts++; |
38c295d6 | 201 | } |
61e96248 | 202 | if (!*opts) { |
38c295d6 | 203 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 204 | file, linenum); |
01dafcb5 | 205 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 206 | file, linenum); |
acc9d6d7 | 207 | xfree(patterns); |
208 | goto bad_option; | |
38c295d6 | 209 | } |
210 | patterns[i] = 0; | |
61e96248 | 211 | opts++; |
2cee8a25 | 212 | if (match_host_and_ip(remote_host, remote_ip, |
213 | patterns) != 1) { | |
214 | xfree(patterns); | |
bbe88b6d | 215 | logit("Authentication tried for %.100s with " |
61e96248 | 216 | "correct key but not from a permitted " |
217 | "host (host=%.200s, ip=%.200s).", | |
218 | pw->pw_name, remote_host, remote_ip); | |
01dafcb5 | 219 | auth_debug_add("Your host '%.200s' is not " |
61e96248 | 220 | "permitted to use this key for login.", |
221 | remote_host); | |
38c295d6 | 222 | /* deny access */ |
223 | return 0; | |
224 | } | |
2cee8a25 | 225 | xfree(patterns); |
38c295d6 | 226 | /* Host name matches. */ |
227 | goto next_option; | |
228 | } | |
01794848 | 229 | cp = "permitopen=\""; |
230 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
3867aa0a | 231 | char *host, *p; |
01794848 | 232 | u_short port; |
01794848 | 233 | char *patterns = xmalloc(strlen(opts) + 1); |
234 | ||
235 | opts += strlen(cp); | |
236 | i = 0; | |
237 | while (*opts) { | |
238 | if (*opts == '"') | |
239 | break; | |
240 | if (*opts == '\\' && opts[1] == '"') { | |
241 | opts += 2; | |
242 | patterns[i++] = '"'; | |
243 | continue; | |
244 | } | |
245 | patterns[i++] = *opts++; | |
246 | } | |
247 | if (!*opts) { | |
248 | debug("%.100s, line %lu: missing end quote", | |
249 | file, linenum); | |
3867aa0a | 250 | auth_debug_add("%.100s, line %lu: missing " |
251 | "end quote", file, linenum); | |
01794848 | 252 | xfree(patterns); |
253 | goto bad_option; | |
254 | } | |
255 | patterns[i] = 0; | |
256 | opts++; | |
3867aa0a | 257 | p = patterns; |
258 | host = hpdelim(&p); | |
259 | if (host == NULL || strlen(host) >= NI_MAXHOST) { | |
260 | debug("%.100s, line %lu: Bad permitopen " | |
16d3d2bc | 261 | "specification <%.100s>", file, linenum, |
3867aa0a | 262 | patterns); |
01dafcb5 | 263 | auth_debug_add("%.100s, line %lu: " |
3867aa0a | 264 | "Bad permitopen specification", file, |
265 | linenum); | |
01794848 | 266 | xfree(patterns); |
267 | goto bad_option; | |
268 | } | |
f8cc7664 | 269 | host = cleanhostname(host); |
270 | if (p == NULL || (port = a2port(p)) == 0) { | |
3867aa0a | 271 | debug("%.100s, line %lu: Bad permitopen port " |
272 | "<%.100s>", file, linenum, p ? p : ""); | |
01dafcb5 | 273 | auth_debug_add("%.100s, line %lu: " |
ed787d14 | 274 | "Bad permitopen port", file, linenum); |
01794848 | 275 | xfree(patterns); |
276 | goto bad_option; | |
277 | } | |
b1ed8313 | 278 | if (options.allow_tcp_forwarding) |
ed787d14 | 279 | channel_add_permitted_opens(host, port); |
01794848 | 280 | xfree(patterns); |
281 | goto next_option; | |
282 | } | |
d20f3c9e | 283 | cp = "tunnel=\""; |
284 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
285 | char *tun = NULL; | |
286 | opts += strlen(cp); | |
287 | tun = xmalloc(strlen(opts) + 1); | |
288 | i = 0; | |
289 | while (*opts) { | |
290 | if (*opts == '"') | |
291 | break; | |
292 | tun[i++] = *opts++; | |
293 | } | |
294 | if (!*opts) { | |
295 | debug("%.100s, line %lu: missing end quote", | |
296 | file, linenum); | |
297 | auth_debug_add("%.100s, line %lu: missing end quote", | |
298 | file, linenum); | |
299 | xfree(tun); | |
300 | forced_tun_device = -1; | |
301 | goto bad_option; | |
302 | } | |
303 | tun[i] = 0; | |
304 | forced_tun_device = a2tun(tun, NULL); | |
305 | xfree(tun); | |
a4f24bf8 | 306 | if (forced_tun_device == SSH_TUNID_ERR) { |
d20f3c9e | 307 | debug("%.100s, line %lu: invalid tun device", |
308 | file, linenum); | |
309 | auth_debug_add("%.100s, line %lu: invalid tun device", | |
310 | file, linenum); | |
311 | forced_tun_device = -1; | |
312 | goto bad_option; | |
313 | } | |
314 | auth_debug_add("Forced tun device: %d", forced_tun_device); | |
315 | opts++; | |
316 | goto next_option; | |
317 | } | |
38c295d6 | 318 | next_option: |
319 | /* | |
320 | * Skip the comma, and move to the next option | |
321 | * (or break out if there are no more). | |
322 | */ | |
61e96248 | 323 | if (!*opts) |
38c295d6 | 324 | fatal("Bugs in auth-options.c option processing."); |
61e96248 | 325 | if (*opts == ' ' || *opts == '\t') |
38c295d6 | 326 | break; /* End of options. */ |
61e96248 | 327 | if (*opts != ',') |
38c295d6 | 328 | goto bad_option; |
61e96248 | 329 | opts++; |
38c295d6 | 330 | /* Process the next option. */ |
331 | } | |
1853d1ef | 332 | |
333 | if (!use_privsep) | |
01dafcb5 | 334 | auth_debug_send(); |
1853d1ef | 335 | |
38c295d6 | 336 | /* grant access */ |
337 | return 1; | |
338 | ||
339 | bad_option: | |
bbe88b6d | 340 | logit("Bad options in %.100s file, line %lu: %.50s", |
61e96248 | 341 | file, linenum, opts); |
01dafcb5 | 342 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", |
61e96248 | 343 | file, linenum, opts); |
1853d1ef | 344 | |
345 | if (!use_privsep) | |
01dafcb5 | 346 | auth_debug_send(); |
1853d1ef | 347 | |
38c295d6 | 348 | /* deny access */ |
349 | return 0; | |
350 | } |