]>
Commit | Line | Data |
---|---|---|
bcbf86ec | 1 | /* |
2 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
4 | * All rights reserved | |
bcbf86ec | 5 | * As far as I am concerned, the code I have written for this software |
6 | * can be used freely for any purpose. Any derived versions of this | |
7 | * software must be clearly marked as such, and if the derived work is | |
8 | * incompatible with the protocol description in the RFC file, it must be | |
9 | * called by a name other than "ssh" or "Secure Shell". | |
10 | */ | |
11 | ||
38c295d6 | 12 | #include "includes.h" |
acc9d6d7 | 13 | RCSID("$OpenBSD: auth-options.c,v 1.14 2001/03/13 17:34:42 markus Exp $"); |
38c295d6 | 14 | |
38c295d6 | 15 | #include "packet.h" |
16 | #include "xmalloc.h" | |
17 | #include "match.h" | |
42f11eb2 | 18 | #include "log.h" |
19 | #include "canohost.h" | |
20 | #include "auth-options.h" | |
61e96248 | 21 | #include "servconf.h" |
38c295d6 | 22 | |
23 | /* Flags set authorized_keys flags */ | |
24 | int no_port_forwarding_flag = 0; | |
25 | int no_agent_forwarding_flag = 0; | |
26 | int no_x11_forwarding_flag = 0; | |
27 | int no_pty_flag = 0; | |
28 | ||
29 | /* "command=" option. */ | |
30 | char *forced_command = NULL; | |
31 | ||
32 | /* "environment=" options. */ | |
33 | struct envstring *custom_environment = NULL; | |
34 | ||
61e96248 | 35 | extern ServerOptions options; |
36 | ||
94ec8c6b | 37 | void |
38 | auth_clear_options(void) | |
39 | { | |
40 | no_agent_forwarding_flag = 0; | |
41 | no_port_forwarding_flag = 0; | |
42 | no_pty_flag = 0; | |
43 | no_x11_forwarding_flag = 0; | |
44 | while (custom_environment) { | |
45 | struct envstring *ce = custom_environment; | |
46 | custom_environment = ce->next; | |
47 | xfree(ce->s); | |
48 | xfree(ce); | |
49 | } | |
50 | if (forced_command) { | |
51 | xfree(forced_command); | |
52 | forced_command = NULL; | |
53 | } | |
54 | } | |
55 | ||
42f11eb2 | 56 | /* |
57 | * return 1 if access is granted, 0 if not. | |
58 | * side effect: sets key option flags | |
59 | */ | |
38c295d6 | 60 | int |
61e96248 | 61 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
38c295d6 | 62 | { |
63 | const char *cp; | |
94ec8c6b | 64 | |
65 | /* reset options */ | |
66 | auth_clear_options(); | |
67 | ||
e0b2cf6b | 68 | if (!opts) |
69 | return 1; | |
70 | ||
61e96248 | 71 | while (*opts && *opts != ' ' && *opts != '\t') { |
38c295d6 | 72 | cp = "no-port-forwarding"; |
61e96248 | 73 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 74 | packet_send_debug("Port forwarding disabled."); |
75 | no_port_forwarding_flag = 1; | |
61e96248 | 76 | opts += strlen(cp); |
38c295d6 | 77 | goto next_option; |
78 | } | |
79 | cp = "no-agent-forwarding"; | |
61e96248 | 80 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 81 | packet_send_debug("Agent forwarding disabled."); |
82 | no_agent_forwarding_flag = 1; | |
61e96248 | 83 | opts += strlen(cp); |
38c295d6 | 84 | goto next_option; |
85 | } | |
86 | cp = "no-X11-forwarding"; | |
61e96248 | 87 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 88 | packet_send_debug("X11 forwarding disabled."); |
89 | no_x11_forwarding_flag = 1; | |
61e96248 | 90 | opts += strlen(cp); |
38c295d6 | 91 | goto next_option; |
92 | } | |
93 | cp = "no-pty"; | |
61e96248 | 94 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 95 | packet_send_debug("Pty allocation disabled."); |
96 | no_pty_flag = 1; | |
61e96248 | 97 | opts += strlen(cp); |
38c295d6 | 98 | goto next_option; |
99 | } | |
100 | cp = "command=\""; | |
61e96248 | 101 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 102 | int i; |
61e96248 | 103 | opts += strlen(cp); |
104 | forced_command = xmalloc(strlen(opts) + 1); | |
38c295d6 | 105 | i = 0; |
61e96248 | 106 | while (*opts) { |
107 | if (*opts == '"') | |
38c295d6 | 108 | break; |
61e96248 | 109 | if (*opts == '\\' && opts[1] == '"') { |
110 | opts += 2; | |
38c295d6 | 111 | forced_command[i++] = '"'; |
112 | continue; | |
113 | } | |
61e96248 | 114 | forced_command[i++] = *opts++; |
38c295d6 | 115 | } |
61e96248 | 116 | if (!*opts) { |
38c295d6 | 117 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 118 | file, linenum); |
38c295d6 | 119 | packet_send_debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 120 | file, linenum); |
acc9d6d7 | 121 | xfree(forced_command); |
122 | forced_command = NULL; | |
123 | goto bad_option; | |
38c295d6 | 124 | } |
125 | forced_command[i] = 0; | |
126 | packet_send_debug("Forced command: %.900s", forced_command); | |
61e96248 | 127 | opts++; |
38c295d6 | 128 | goto next_option; |
129 | } | |
130 | cp = "environment=\""; | |
61e96248 | 131 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 132 | int i; |
133 | char *s; | |
134 | struct envstring *new_envstring; | |
61e96248 | 135 | opts += strlen(cp); |
136 | s = xmalloc(strlen(opts) + 1); | |
38c295d6 | 137 | i = 0; |
61e96248 | 138 | while (*opts) { |
139 | if (*opts == '"') | |
38c295d6 | 140 | break; |
61e96248 | 141 | if (*opts == '\\' && opts[1] == '"') { |
142 | opts += 2; | |
38c295d6 | 143 | s[i++] = '"'; |
144 | continue; | |
145 | } | |
61e96248 | 146 | s[i++] = *opts++; |
38c295d6 | 147 | } |
61e96248 | 148 | if (!*opts) { |
38c295d6 | 149 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 150 | file, linenum); |
38c295d6 | 151 | packet_send_debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 152 | file, linenum); |
acc9d6d7 | 153 | xfree(s); |
154 | goto bad_option; | |
38c295d6 | 155 | } |
156 | s[i] = 0; | |
157 | packet_send_debug("Adding to environment: %.900s", s); | |
158 | debug("Adding to environment: %.900s", s); | |
61e96248 | 159 | opts++; |
38c295d6 | 160 | new_envstring = xmalloc(sizeof(struct envstring)); |
161 | new_envstring->s = s; | |
162 | new_envstring->next = custom_environment; | |
163 | custom_environment = new_envstring; | |
164 | goto next_option; | |
165 | } | |
166 | cp = "from=\""; | |
61e96248 | 167 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
38c295d6 | 168 | int mname, mip; |
61e96248 | 169 | const char *remote_ip = get_remote_ipaddr(); |
170 | const char *remote_host = get_canonical_hostname( | |
171 | options.reverse_mapping_check); | |
172 | char *patterns = xmalloc(strlen(opts) + 1); | |
38c295d6 | 173 | int i; |
61e96248 | 174 | opts += strlen(cp); |
38c295d6 | 175 | i = 0; |
61e96248 | 176 | while (*opts) { |
177 | if (*opts == '"') | |
38c295d6 | 178 | break; |
61e96248 | 179 | if (*opts == '\\' && opts[1] == '"') { |
180 | opts += 2; | |
38c295d6 | 181 | patterns[i++] = '"'; |
182 | continue; | |
183 | } | |
61e96248 | 184 | patterns[i++] = *opts++; |
38c295d6 | 185 | } |
61e96248 | 186 | if (!*opts) { |
38c295d6 | 187 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 188 | file, linenum); |
38c295d6 | 189 | packet_send_debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 190 | file, linenum); |
acc9d6d7 | 191 | xfree(patterns); |
192 | goto bad_option; | |
38c295d6 | 193 | } |
194 | patterns[i] = 0; | |
61e96248 | 195 | opts++; |
38c295d6 | 196 | /* |
197 | * Deny access if we get a negative | |
198 | * match for the hostname or the ip | |
199 | * or if we get not match at all | |
200 | */ | |
61e96248 | 201 | mname = match_hostname(remote_host, patterns, |
202 | strlen(patterns)); | |
203 | mip = match_hostname(remote_ip, patterns, | |
204 | strlen(patterns)); | |
38c295d6 | 205 | xfree(patterns); |
206 | if (mname == -1 || mip == -1 || | |
207 | (mname != 1 && mip != 1)) { | |
61e96248 | 208 | log("Authentication tried for %.100s with " |
209 | "correct key but not from a permitted " | |
210 | "host (host=%.200s, ip=%.200s).", | |
211 | pw->pw_name, remote_host, remote_ip); | |
212 | packet_send_debug("Your host '%.200s' is not " | |
213 | "permitted to use this key for login.", | |
214 | remote_host); | |
38c295d6 | 215 | /* deny access */ |
216 | return 0; | |
217 | } | |
218 | /* Host name matches. */ | |
219 | goto next_option; | |
220 | } | |
221 | next_option: | |
222 | /* | |
223 | * Skip the comma, and move to the next option | |
224 | * (or break out if there are no more). | |
225 | */ | |
61e96248 | 226 | if (!*opts) |
38c295d6 | 227 | fatal("Bugs in auth-options.c option processing."); |
61e96248 | 228 | if (*opts == ' ' || *opts == '\t') |
38c295d6 | 229 | break; /* End of options. */ |
61e96248 | 230 | if (*opts != ',') |
38c295d6 | 231 | goto bad_option; |
61e96248 | 232 | opts++; |
38c295d6 | 233 | /* Process the next option. */ |
234 | } | |
235 | /* grant access */ | |
236 | return 1; | |
237 | ||
238 | bad_option: | |
239 | log("Bad options in %.100s file, line %lu: %.50s", | |
61e96248 | 240 | file, linenum, opts); |
38c295d6 | 241 | packet_send_debug("Bad options in %.100s file, line %lu: %.50s", |
61e96248 | 242 | file, linenum, opts); |
38c295d6 | 243 | /* deny access */ |
244 | return 0; | |
245 | } |