]>
Commit | Line | Data |
---|---|---|
368e246f | 1 | /* $OpenBSD: auth-options.c,v 1.44 2009/01/22 10:09:16 djm Exp $ */ |
bcbf86ec | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
5 | * All rights reserved | |
bcbf86ec | 6 | * As far as I am concerned, the code I have written for this software |
7 | * can be used freely for any purpose. Any derived versions of this | |
8 | * software must be clearly marked as such, and if the derived work is | |
9 | * incompatible with the protocol description in the RFC file, it must be | |
10 | * called by a name other than "ssh" or "Secure Shell". | |
11 | */ | |
12 | ||
38c295d6 | 13 | #include "includes.h" |
38c295d6 | 14 | |
b1842393 | 15 | #include <sys/types.h> |
16 | ||
28cb0a43 | 17 | #include <netdb.h> |
b1842393 | 18 | #include <pwd.h> |
00146caa | 19 | #include <string.h> |
31652869 | 20 | #include <stdio.h> |
21 | #include <stdarg.h> | |
b1842393 | 22 | |
3593bdc0 | 23 | #include "openbsd-compat/sys-queue.h" |
38c295d6 | 24 | #include "xmalloc.h" |
25 | #include "match.h" | |
42f11eb2 | 26 | #include "log.h" |
27 | #include "canohost.h" | |
31652869 | 28 | #include "buffer.h" |
a5efa1bb | 29 | #include "channels.h" |
42f11eb2 | 30 | #include "auth-options.h" |
61e96248 | 31 | #include "servconf.h" |
ed787d14 | 32 | #include "misc.h" |
31652869 | 33 | #include "key.h" |
34 | #include "hostfile.h" | |
01dafcb5 | 35 | #include "auth.h" |
31652869 | 36 | #ifdef GSSAPI |
37 | #include "ssh-gss.h" | |
38 | #endif | |
39 | #include "monitor_wrap.h" | |
38c295d6 | 40 | |
41 | /* Flags set authorized_keys flags */ | |
42 | int no_port_forwarding_flag = 0; | |
43 | int no_agent_forwarding_flag = 0; | |
44 | int no_x11_forwarding_flag = 0; | |
45 | int no_pty_flag = 0; | |
8c03e768 | 46 | int no_user_rc = 0; |
38c295d6 | 47 | |
48 | /* "command=" option. */ | |
49 | char *forced_command = NULL; | |
50 | ||
51 | /* "environment=" options. */ | |
52 | struct envstring *custom_environment = NULL; | |
53 | ||
d20f3c9e | 54 | /* "tunnel=" option. */ |
55 | int forced_tun_device = -1; | |
56 | ||
61e96248 | 57 | extern ServerOptions options; |
58 | ||
94ec8c6b | 59 | void |
60 | auth_clear_options(void) | |
61 | { | |
62 | no_agent_forwarding_flag = 0; | |
63 | no_port_forwarding_flag = 0; | |
64 | no_pty_flag = 0; | |
65 | no_x11_forwarding_flag = 0; | |
8c03e768 | 66 | no_user_rc = 0; |
94ec8c6b | 67 | while (custom_environment) { |
68 | struct envstring *ce = custom_environment; | |
69 | custom_environment = ce->next; | |
70 | xfree(ce->s); | |
71 | xfree(ce); | |
72 | } | |
73 | if (forced_command) { | |
74 | xfree(forced_command); | |
75 | forced_command = NULL; | |
76 | } | |
d20f3c9e | 77 | forced_tun_device = -1; |
01794848 | 78 | channel_clear_permitted_opens(); |
01dafcb5 | 79 | auth_debug_reset(); |
94ec8c6b | 80 | } |
81 | ||
42f11eb2 | 82 | /* |
83 | * return 1 if access is granted, 0 if not. | |
84 | * side effect: sets key option flags | |
85 | */ | |
38c295d6 | 86 | int |
61e96248 | 87 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
38c295d6 | 88 | { |
89 | const char *cp; | |
01794848 | 90 | int i; |
94ec8c6b | 91 | |
92 | /* reset options */ | |
93 | auth_clear_options(); | |
94 | ||
e0b2cf6b | 95 | if (!opts) |
96 | return 1; | |
97 | ||
61e96248 | 98 | while (*opts && *opts != ' ' && *opts != '\t') { |
38c295d6 | 99 | cp = "no-port-forwarding"; |
61e96248 | 100 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 101 | auth_debug_add("Port forwarding disabled."); |
38c295d6 | 102 | no_port_forwarding_flag = 1; |
61e96248 | 103 | opts += strlen(cp); |
38c295d6 | 104 | goto next_option; |
105 | } | |
106 | cp = "no-agent-forwarding"; | |
61e96248 | 107 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 108 | auth_debug_add("Agent forwarding disabled."); |
38c295d6 | 109 | no_agent_forwarding_flag = 1; |
61e96248 | 110 | opts += strlen(cp); |
38c295d6 | 111 | goto next_option; |
112 | } | |
113 | cp = "no-X11-forwarding"; | |
61e96248 | 114 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 115 | auth_debug_add("X11 forwarding disabled."); |
38c295d6 | 116 | no_x11_forwarding_flag = 1; |
61e96248 | 117 | opts += strlen(cp); |
38c295d6 | 118 | goto next_option; |
119 | } | |
120 | cp = "no-pty"; | |
61e96248 | 121 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
01dafcb5 | 122 | auth_debug_add("Pty allocation disabled."); |
38c295d6 | 123 | no_pty_flag = 1; |
61e96248 | 124 | opts += strlen(cp); |
38c295d6 | 125 | goto next_option; |
126 | } | |
8c03e768 | 127 | cp = "no-user-rc"; |
128 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
129 | auth_debug_add("User rc file execution disabled."); | |
130 | no_user_rc = 1; | |
131 | opts += strlen(cp); | |
132 | goto next_option; | |
133 | } | |
38c295d6 | 134 | cp = "command=\""; |
61e96248 | 135 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
61e96248 | 136 | opts += strlen(cp); |
137 | forced_command = xmalloc(strlen(opts) + 1); | |
38c295d6 | 138 | i = 0; |
61e96248 | 139 | while (*opts) { |
140 | if (*opts == '"') | |
38c295d6 | 141 | break; |
61e96248 | 142 | if (*opts == '\\' && opts[1] == '"') { |
143 | opts += 2; | |
38c295d6 | 144 | forced_command[i++] = '"'; |
145 | continue; | |
146 | } | |
61e96248 | 147 | forced_command[i++] = *opts++; |
38c295d6 | 148 | } |
61e96248 | 149 | if (!*opts) { |
38c295d6 | 150 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 151 | file, linenum); |
01dafcb5 | 152 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 153 | file, linenum); |
acc9d6d7 | 154 | xfree(forced_command); |
155 | forced_command = NULL; | |
156 | goto bad_option; | |
38c295d6 | 157 | } |
774de098 | 158 | forced_command[i] = '\0'; |
01dafcb5 | 159 | auth_debug_add("Forced command: %.900s", forced_command); |
61e96248 | 160 | opts++; |
38c295d6 | 161 | goto next_option; |
162 | } | |
163 | cp = "environment=\""; | |
f00bab84 | 164 | if (options.permit_user_env && |
165 | strncasecmp(opts, cp, strlen(cp)) == 0) { | |
38c295d6 | 166 | char *s; |
167 | struct envstring *new_envstring; | |
01794848 | 168 | |
61e96248 | 169 | opts += strlen(cp); |
170 | s = xmalloc(strlen(opts) + 1); | |
38c295d6 | 171 | i = 0; |
61e96248 | 172 | while (*opts) { |
173 | if (*opts == '"') | |
38c295d6 | 174 | break; |
61e96248 | 175 | if (*opts == '\\' && opts[1] == '"') { |
176 | opts += 2; | |
38c295d6 | 177 | s[i++] = '"'; |
178 | continue; | |
179 | } | |
61e96248 | 180 | s[i++] = *opts++; |
38c295d6 | 181 | } |
61e96248 | 182 | if (!*opts) { |
38c295d6 | 183 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 184 | file, linenum); |
01dafcb5 | 185 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 186 | file, linenum); |
acc9d6d7 | 187 | xfree(s); |
188 | goto bad_option; | |
38c295d6 | 189 | } |
774de098 | 190 | s[i] = '\0'; |
01dafcb5 | 191 | auth_debug_add("Adding to environment: %.900s", s); |
38c295d6 | 192 | debug("Adding to environment: %.900s", s); |
61e96248 | 193 | opts++; |
38c295d6 | 194 | new_envstring = xmalloc(sizeof(struct envstring)); |
195 | new_envstring->s = s; | |
196 | new_envstring->next = custom_environment; | |
197 | custom_environment = new_envstring; | |
198 | goto next_option; | |
199 | } | |
200 | cp = "from=\""; | |
61e96248 | 201 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
61e96248 | 202 | const char *remote_ip = get_remote_ipaddr(); |
203 | const char *remote_host = get_canonical_hostname( | |
c5a7d788 | 204 | options.use_dns); |
61e96248 | 205 | char *patterns = xmalloc(strlen(opts) + 1); |
01794848 | 206 | |
61e96248 | 207 | opts += strlen(cp); |
38c295d6 | 208 | i = 0; |
61e96248 | 209 | while (*opts) { |
210 | if (*opts == '"') | |
38c295d6 | 211 | break; |
61e96248 | 212 | if (*opts == '\\' && opts[1] == '"') { |
213 | opts += 2; | |
38c295d6 | 214 | patterns[i++] = '"'; |
215 | continue; | |
216 | } | |
61e96248 | 217 | patterns[i++] = *opts++; |
38c295d6 | 218 | } |
61e96248 | 219 | if (!*opts) { |
38c295d6 | 220 | debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 221 | file, linenum); |
01dafcb5 | 222 | auth_debug_add("%.100s, line %lu: missing end quote", |
42f11eb2 | 223 | file, linenum); |
acc9d6d7 | 224 | xfree(patterns); |
225 | goto bad_option; | |
38c295d6 | 226 | } |
774de098 | 227 | patterns[i] = '\0'; |
61e96248 | 228 | opts++; |
b3b048d6 | 229 | switch (match_host_and_ip(remote_host, remote_ip, |
230 | patterns)) { | |
231 | case 1: | |
232 | xfree(patterns); | |
233 | /* Host name matches. */ | |
234 | goto next_option; | |
235 | case -1: | |
236 | debug("%.100s, line %lu: invalid criteria", | |
237 | file, linenum); | |
238 | auth_debug_add("%.100s, line %lu: " | |
239 | "invalid criteria", file, linenum); | |
240 | /* FALLTHROUGH */ | |
241 | case 0: | |
2cee8a25 | 242 | xfree(patterns); |
bbe88b6d | 243 | logit("Authentication tried for %.100s with " |
61e96248 | 244 | "correct key but not from a permitted " |
245 | "host (host=%.200s, ip=%.200s).", | |
246 | pw->pw_name, remote_host, remote_ip); | |
01dafcb5 | 247 | auth_debug_add("Your host '%.200s' is not " |
61e96248 | 248 | "permitted to use this key for login.", |
249 | remote_host); | |
b3b048d6 | 250 | break; |
38c295d6 | 251 | } |
b3b048d6 | 252 | /* deny access */ |
253 | return 0; | |
38c295d6 | 254 | } |
01794848 | 255 | cp = "permitopen=\""; |
256 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
3867aa0a | 257 | char *host, *p; |
368e246f | 258 | int port; |
01794848 | 259 | char *patterns = xmalloc(strlen(opts) + 1); |
260 | ||
261 | opts += strlen(cp); | |
262 | i = 0; | |
263 | while (*opts) { | |
264 | if (*opts == '"') | |
265 | break; | |
266 | if (*opts == '\\' && opts[1] == '"') { | |
267 | opts += 2; | |
268 | patterns[i++] = '"'; | |
269 | continue; | |
270 | } | |
271 | patterns[i++] = *opts++; | |
272 | } | |
273 | if (!*opts) { | |
274 | debug("%.100s, line %lu: missing end quote", | |
275 | file, linenum); | |
3867aa0a | 276 | auth_debug_add("%.100s, line %lu: missing " |
277 | "end quote", file, linenum); | |
01794848 | 278 | xfree(patterns); |
279 | goto bad_option; | |
280 | } | |
774de098 | 281 | patterns[i] = '\0'; |
01794848 | 282 | opts++; |
3867aa0a | 283 | p = patterns; |
284 | host = hpdelim(&p); | |
285 | if (host == NULL || strlen(host) >= NI_MAXHOST) { | |
286 | debug("%.100s, line %lu: Bad permitopen " | |
16d3d2bc | 287 | "specification <%.100s>", file, linenum, |
3867aa0a | 288 | patterns); |
01dafcb5 | 289 | auth_debug_add("%.100s, line %lu: " |
3867aa0a | 290 | "Bad permitopen specification", file, |
291 | linenum); | |
01794848 | 292 | xfree(patterns); |
293 | goto bad_option; | |
294 | } | |
f8cc7664 | 295 | host = cleanhostname(host); |
368e246f | 296 | if (p == NULL || (port = a2port(p)) <= 0) { |
3867aa0a | 297 | debug("%.100s, line %lu: Bad permitopen port " |
298 | "<%.100s>", file, linenum, p ? p : ""); | |
01dafcb5 | 299 | auth_debug_add("%.100s, line %lu: " |
ed787d14 | 300 | "Bad permitopen port", file, linenum); |
01794848 | 301 | xfree(patterns); |
302 | goto bad_option; | |
303 | } | |
b1ed8313 | 304 | if (options.allow_tcp_forwarding) |
ed787d14 | 305 | channel_add_permitted_opens(host, port); |
01794848 | 306 | xfree(patterns); |
307 | goto next_option; | |
308 | } | |
d20f3c9e | 309 | cp = "tunnel=\""; |
310 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
311 | char *tun = NULL; | |
312 | opts += strlen(cp); | |
313 | tun = xmalloc(strlen(opts) + 1); | |
314 | i = 0; | |
315 | while (*opts) { | |
316 | if (*opts == '"') | |
317 | break; | |
318 | tun[i++] = *opts++; | |
319 | } | |
320 | if (!*opts) { | |
321 | debug("%.100s, line %lu: missing end quote", | |
322 | file, linenum); | |
323 | auth_debug_add("%.100s, line %lu: missing end quote", | |
324 | file, linenum); | |
325 | xfree(tun); | |
326 | forced_tun_device = -1; | |
327 | goto bad_option; | |
328 | } | |
774de098 | 329 | tun[i] = '\0'; |
d20f3c9e | 330 | forced_tun_device = a2tun(tun, NULL); |
331 | xfree(tun); | |
a4f24bf8 | 332 | if (forced_tun_device == SSH_TUNID_ERR) { |
d20f3c9e | 333 | debug("%.100s, line %lu: invalid tun device", |
334 | file, linenum); | |
335 | auth_debug_add("%.100s, line %lu: invalid tun device", | |
336 | file, linenum); | |
337 | forced_tun_device = -1; | |
338 | goto bad_option; | |
339 | } | |
340 | auth_debug_add("Forced tun device: %d", forced_tun_device); | |
341 | opts++; | |
342 | goto next_option; | |
343 | } | |
38c295d6 | 344 | next_option: |
345 | /* | |
346 | * Skip the comma, and move to the next option | |
347 | * (or break out if there are no more). | |
348 | */ | |
61e96248 | 349 | if (!*opts) |
38c295d6 | 350 | fatal("Bugs in auth-options.c option processing."); |
61e96248 | 351 | if (*opts == ' ' || *opts == '\t') |
38c295d6 | 352 | break; /* End of options. */ |
61e96248 | 353 | if (*opts != ',') |
38c295d6 | 354 | goto bad_option; |
61e96248 | 355 | opts++; |
38c295d6 | 356 | /* Process the next option. */ |
357 | } | |
1853d1ef | 358 | |
359 | if (!use_privsep) | |
01dafcb5 | 360 | auth_debug_send(); |
1853d1ef | 361 | |
38c295d6 | 362 | /* grant access */ |
363 | return 1; | |
364 | ||
365 | bad_option: | |
bbe88b6d | 366 | logit("Bad options in %.100s file, line %lu: %.50s", |
61e96248 | 367 | file, linenum, opts); |
01dafcb5 | 368 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", |
61e96248 | 369 | file, linenum, opts); |
1853d1ef | 370 | |
371 | if (!use_privsep) | |
01dafcb5 | 372 | auth_debug_send(); |
1853d1ef | 373 | |
38c295d6 | 374 | /* deny access */ |
375 | return 0; | |
376 | } |