]>
Commit | Line | Data |
---|---|---|
bcbf86ec | 1 | /* |
2 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
4 | * All rights reserved | |
bcbf86ec | 5 | * As far as I am concerned, the code I have written for this software |
6 | * can be used freely for any purpose. Any derived versions of this | |
7 | * software must be clearly marked as such, and if the derived work is | |
8 | * incompatible with the protocol description in the RFC file, it must be | |
9 | * called by a name other than "ssh" or "Secure Shell". | |
10 | */ | |
11 | ||
38c295d6 | 12 | #include "includes.h" |
42f11eb2 | 13 | RCSID("$OpenBSD: auth-options.c,v 1.11 2001/01/21 19:05:41 markus Exp $"); |
38c295d6 | 14 | |
38c295d6 | 15 | #include "packet.h" |
16 | #include "xmalloc.h" | |
17 | #include "match.h" | |
42f11eb2 | 18 | #include "log.h" |
19 | #include "canohost.h" | |
20 | #include "auth-options.h" | |
38c295d6 | 21 | |
22 | /* Flags set authorized_keys flags */ | |
23 | int no_port_forwarding_flag = 0; | |
24 | int no_agent_forwarding_flag = 0; | |
25 | int no_x11_forwarding_flag = 0; | |
26 | int no_pty_flag = 0; | |
27 | ||
28 | /* "command=" option. */ | |
29 | char *forced_command = NULL; | |
30 | ||
31 | /* "environment=" options. */ | |
32 | struct envstring *custom_environment = NULL; | |
33 | ||
94ec8c6b | 34 | void |
35 | auth_clear_options(void) | |
36 | { | |
37 | no_agent_forwarding_flag = 0; | |
38 | no_port_forwarding_flag = 0; | |
39 | no_pty_flag = 0; | |
40 | no_x11_forwarding_flag = 0; | |
41 | while (custom_environment) { | |
42 | struct envstring *ce = custom_environment; | |
43 | custom_environment = ce->next; | |
44 | xfree(ce->s); | |
45 | xfree(ce); | |
46 | } | |
47 | if (forced_command) { | |
48 | xfree(forced_command); | |
49 | forced_command = NULL; | |
50 | } | |
51 | } | |
52 | ||
42f11eb2 | 53 | /* |
54 | * return 1 if access is granted, 0 if not. | |
55 | * side effect: sets key option flags | |
56 | */ | |
38c295d6 | 57 | int |
42f11eb2 | 58 | auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum) |
38c295d6 | 59 | { |
60 | const char *cp; | |
61 | if (!options) | |
62 | return 1; | |
94ec8c6b | 63 | |
64 | /* reset options */ | |
65 | auth_clear_options(); | |
66 | ||
38c295d6 | 67 | while (*options && *options != ' ' && *options != '\t') { |
68 | cp = "no-port-forwarding"; | |
d343d900 | 69 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 70 | packet_send_debug("Port forwarding disabled."); |
71 | no_port_forwarding_flag = 1; | |
72 | options += strlen(cp); | |
73 | goto next_option; | |
74 | } | |
75 | cp = "no-agent-forwarding"; | |
d343d900 | 76 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 77 | packet_send_debug("Agent forwarding disabled."); |
78 | no_agent_forwarding_flag = 1; | |
79 | options += strlen(cp); | |
80 | goto next_option; | |
81 | } | |
82 | cp = "no-X11-forwarding"; | |
d343d900 | 83 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 84 | packet_send_debug("X11 forwarding disabled."); |
85 | no_x11_forwarding_flag = 1; | |
86 | options += strlen(cp); | |
87 | goto next_option; | |
88 | } | |
89 | cp = "no-pty"; | |
d343d900 | 90 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 91 | packet_send_debug("Pty allocation disabled."); |
92 | no_pty_flag = 1; | |
93 | options += strlen(cp); | |
94 | goto next_option; | |
95 | } | |
96 | cp = "command=\""; | |
d343d900 | 97 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 98 | int i; |
99 | options += strlen(cp); | |
100 | forced_command = xmalloc(strlen(options) + 1); | |
101 | i = 0; | |
102 | while (*options) { | |
103 | if (*options == '"') | |
104 | break; | |
105 | if (*options == '\\' && options[1] == '"') { | |
106 | options += 2; | |
107 | forced_command[i++] = '"'; | |
108 | continue; | |
109 | } | |
110 | forced_command[i++] = *options++; | |
111 | } | |
112 | if (!*options) { | |
113 | debug("%.100s, line %lu: missing end quote", | |
42f11eb2 | 114 | file, linenum); |
38c295d6 | 115 | packet_send_debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 116 | file, linenum); |
38c295d6 | 117 | continue; |
118 | } | |
119 | forced_command[i] = 0; | |
120 | packet_send_debug("Forced command: %.900s", forced_command); | |
121 | options++; | |
122 | goto next_option; | |
123 | } | |
124 | cp = "environment=\""; | |
d343d900 | 125 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 126 | int i; |
127 | char *s; | |
128 | struct envstring *new_envstring; | |
129 | options += strlen(cp); | |
130 | s = xmalloc(strlen(options) + 1); | |
131 | i = 0; | |
132 | while (*options) { | |
133 | if (*options == '"') | |
134 | break; | |
135 | if (*options == '\\' && options[1] == '"') { | |
136 | options += 2; | |
137 | s[i++] = '"'; | |
138 | continue; | |
139 | } | |
140 | s[i++] = *options++; | |
141 | } | |
142 | if (!*options) { | |
143 | debug("%.100s, line %lu: missing end quote", | |
42f11eb2 | 144 | file, linenum); |
38c295d6 | 145 | packet_send_debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 146 | file, linenum); |
38c295d6 | 147 | continue; |
148 | } | |
149 | s[i] = 0; | |
150 | packet_send_debug("Adding to environment: %.900s", s); | |
151 | debug("Adding to environment: %.900s", s); | |
152 | options++; | |
153 | new_envstring = xmalloc(sizeof(struct envstring)); | |
154 | new_envstring->s = s; | |
155 | new_envstring->next = custom_environment; | |
156 | custom_environment = new_envstring; | |
157 | goto next_option; | |
158 | } | |
159 | cp = "from=\""; | |
d343d900 | 160 | if (strncasecmp(options, cp, strlen(cp)) == 0) { |
38c295d6 | 161 | int mname, mip; |
162 | char *patterns = xmalloc(strlen(options) + 1); | |
163 | int i; | |
164 | options += strlen(cp); | |
165 | i = 0; | |
166 | while (*options) { | |
167 | if (*options == '"') | |
168 | break; | |
169 | if (*options == '\\' && options[1] == '"') { | |
170 | options += 2; | |
171 | patterns[i++] = '"'; | |
172 | continue; | |
173 | } | |
174 | patterns[i++] = *options++; | |
175 | } | |
176 | if (!*options) { | |
177 | debug("%.100s, line %lu: missing end quote", | |
42f11eb2 | 178 | file, linenum); |
38c295d6 | 179 | packet_send_debug("%.100s, line %lu: missing end quote", |
42f11eb2 | 180 | file, linenum); |
38c295d6 | 181 | continue; |
182 | } | |
183 | patterns[i] = 0; | |
184 | options++; | |
185 | /* | |
186 | * Deny access if we get a negative | |
187 | * match for the hostname or the ip | |
188 | * or if we get not match at all | |
189 | */ | |
190 | mname = match_hostname(get_canonical_hostname(), | |
191 | patterns, strlen(patterns)); | |
192 | mip = match_hostname(get_remote_ipaddr(), | |
193 | patterns, strlen(patterns)); | |
194 | xfree(patterns); | |
195 | if (mname == -1 || mip == -1 || | |
196 | (mname != 1 && mip != 1)) { | |
197 | log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", | |
198 | pw->pw_name, get_canonical_hostname(), | |
199 | get_remote_ipaddr()); | |
200 | packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", | |
201 | get_canonical_hostname()); | |
38c295d6 | 202 | /* deny access */ |
203 | return 0; | |
204 | } | |
205 | /* Host name matches. */ | |
206 | goto next_option; | |
207 | } | |
208 | next_option: | |
209 | /* | |
210 | * Skip the comma, and move to the next option | |
211 | * (or break out if there are no more). | |
212 | */ | |
213 | if (!*options) | |
214 | fatal("Bugs in auth-options.c option processing."); | |
215 | if (*options == ' ' || *options == '\t') | |
216 | break; /* End of options. */ | |
217 | if (*options != ',') | |
218 | goto bad_option; | |
219 | options++; | |
220 | /* Process the next option. */ | |
221 | } | |
222 | /* grant access */ | |
223 | return 1; | |
224 | ||
225 | bad_option: | |
226 | log("Bad options in %.100s file, line %lu: %.50s", | |
42f11eb2 | 227 | file, linenum, options); |
38c295d6 | 228 | packet_send_debug("Bad options in %.100s file, line %lu: %.50s", |
42f11eb2 | 229 | file, linenum, options); |
38c295d6 | 230 | /* deny access */ |
231 | return 0; | |
232 | } |