]>
Commit | Line | Data |
---|---|---|
1 | /* $OpenBSD: auth-options.c,v 1.39 2006/07/22 20:48:22 stevesk Exp $ */ | |
2 | /* | |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
5 | * All rights reserved | |
6 | * As far as I am concerned, the code I have written for this software | |
7 | * can be used freely for any purpose. Any derived versions of this | |
8 | * software must be clearly marked as such, and if the derived work is | |
9 | * incompatible with the protocol description in the RFC file, it must be | |
10 | * called by a name other than "ssh" or "Secure Shell". | |
11 | */ | |
12 | ||
13 | #include "includes.h" | |
14 | ||
15 | #include <sys/types.h> | |
16 | ||
17 | #include <netdb.h> | |
18 | #include <pwd.h> | |
19 | #include <string.h> | |
20 | ||
21 | #include "xmalloc.h" | |
22 | #include "match.h" | |
23 | #include "log.h" | |
24 | #include "canohost.h" | |
25 | #include "channels.h" | |
26 | #include "auth-options.h" | |
27 | #include "servconf.h" | |
28 | #include "misc.h" | |
29 | #include "monitor_wrap.h" | |
30 | #include "auth.h" | |
31 | ||
32 | /* Flags set authorized_keys flags */ | |
33 | int no_port_forwarding_flag = 0; | |
34 | int no_agent_forwarding_flag = 0; | |
35 | int no_x11_forwarding_flag = 0; | |
36 | int no_pty_flag = 0; | |
37 | ||
38 | /* "command=" option. */ | |
39 | char *forced_command = NULL; | |
40 | ||
41 | /* "environment=" options. */ | |
42 | struct envstring *custom_environment = NULL; | |
43 | ||
44 | /* "tunnel=" option. */ | |
45 | int forced_tun_device = -1; | |
46 | ||
47 | extern ServerOptions options; | |
48 | ||
49 | void | |
50 | auth_clear_options(void) | |
51 | { | |
52 | no_agent_forwarding_flag = 0; | |
53 | no_port_forwarding_flag = 0; | |
54 | no_pty_flag = 0; | |
55 | no_x11_forwarding_flag = 0; | |
56 | while (custom_environment) { | |
57 | struct envstring *ce = custom_environment; | |
58 | custom_environment = ce->next; | |
59 | xfree(ce->s); | |
60 | xfree(ce); | |
61 | } | |
62 | if (forced_command) { | |
63 | xfree(forced_command); | |
64 | forced_command = NULL; | |
65 | } | |
66 | forced_tun_device = -1; | |
67 | channel_clear_permitted_opens(); | |
68 | auth_debug_reset(); | |
69 | } | |
70 | ||
71 | /* | |
72 | * return 1 if access is granted, 0 if not. | |
73 | * side effect: sets key option flags | |
74 | */ | |
75 | int | |
76 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |
77 | { | |
78 | const char *cp; | |
79 | int i; | |
80 | ||
81 | /* reset options */ | |
82 | auth_clear_options(); | |
83 | ||
84 | if (!opts) | |
85 | return 1; | |
86 | ||
87 | while (*opts && *opts != ' ' && *opts != '\t') { | |
88 | cp = "no-port-forwarding"; | |
89 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
90 | auth_debug_add("Port forwarding disabled."); | |
91 | no_port_forwarding_flag = 1; | |
92 | opts += strlen(cp); | |
93 | goto next_option; | |
94 | } | |
95 | cp = "no-agent-forwarding"; | |
96 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
97 | auth_debug_add("Agent forwarding disabled."); | |
98 | no_agent_forwarding_flag = 1; | |
99 | opts += strlen(cp); | |
100 | goto next_option; | |
101 | } | |
102 | cp = "no-X11-forwarding"; | |
103 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
104 | auth_debug_add("X11 forwarding disabled."); | |
105 | no_x11_forwarding_flag = 1; | |
106 | opts += strlen(cp); | |
107 | goto next_option; | |
108 | } | |
109 | cp = "no-pty"; | |
110 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
111 | auth_debug_add("Pty allocation disabled."); | |
112 | no_pty_flag = 1; | |
113 | opts += strlen(cp); | |
114 | goto next_option; | |
115 | } | |
116 | cp = "command=\""; | |
117 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
118 | opts += strlen(cp); | |
119 | forced_command = xmalloc(strlen(opts) + 1); | |
120 | i = 0; | |
121 | while (*opts) { | |
122 | if (*opts == '"') | |
123 | break; | |
124 | if (*opts == '\\' && opts[1] == '"') { | |
125 | opts += 2; | |
126 | forced_command[i++] = '"'; | |
127 | continue; | |
128 | } | |
129 | forced_command[i++] = *opts++; | |
130 | } | |
131 | if (!*opts) { | |
132 | debug("%.100s, line %lu: missing end quote", | |
133 | file, linenum); | |
134 | auth_debug_add("%.100s, line %lu: missing end quote", | |
135 | file, linenum); | |
136 | xfree(forced_command); | |
137 | forced_command = NULL; | |
138 | goto bad_option; | |
139 | } | |
140 | forced_command[i] = '\0'; | |
141 | auth_debug_add("Forced command: %.900s", forced_command); | |
142 | opts++; | |
143 | goto next_option; | |
144 | } | |
145 | cp = "environment=\""; | |
146 | if (options.permit_user_env && | |
147 | strncasecmp(opts, cp, strlen(cp)) == 0) { | |
148 | char *s; | |
149 | struct envstring *new_envstring; | |
150 | ||
151 | opts += strlen(cp); | |
152 | s = xmalloc(strlen(opts) + 1); | |
153 | i = 0; | |
154 | while (*opts) { | |
155 | if (*opts == '"') | |
156 | break; | |
157 | if (*opts == '\\' && opts[1] == '"') { | |
158 | opts += 2; | |
159 | s[i++] = '"'; | |
160 | continue; | |
161 | } | |
162 | s[i++] = *opts++; | |
163 | } | |
164 | if (!*opts) { | |
165 | debug("%.100s, line %lu: missing end quote", | |
166 | file, linenum); | |
167 | auth_debug_add("%.100s, line %lu: missing end quote", | |
168 | file, linenum); | |
169 | xfree(s); | |
170 | goto bad_option; | |
171 | } | |
172 | s[i] = '\0'; | |
173 | auth_debug_add("Adding to environment: %.900s", s); | |
174 | debug("Adding to environment: %.900s", s); | |
175 | opts++; | |
176 | new_envstring = xmalloc(sizeof(struct envstring)); | |
177 | new_envstring->s = s; | |
178 | new_envstring->next = custom_environment; | |
179 | custom_environment = new_envstring; | |
180 | goto next_option; | |
181 | } | |
182 | cp = "from=\""; | |
183 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
184 | const char *remote_ip = get_remote_ipaddr(); | |
185 | const char *remote_host = get_canonical_hostname( | |
186 | options.use_dns); | |
187 | char *patterns = xmalloc(strlen(opts) + 1); | |
188 | ||
189 | opts += strlen(cp); | |
190 | i = 0; | |
191 | while (*opts) { | |
192 | if (*opts == '"') | |
193 | break; | |
194 | if (*opts == '\\' && opts[1] == '"') { | |
195 | opts += 2; | |
196 | patterns[i++] = '"'; | |
197 | continue; | |
198 | } | |
199 | patterns[i++] = *opts++; | |
200 | } | |
201 | if (!*opts) { | |
202 | debug("%.100s, line %lu: missing end quote", | |
203 | file, linenum); | |
204 | auth_debug_add("%.100s, line %lu: missing end quote", | |
205 | file, linenum); | |
206 | xfree(patterns); | |
207 | goto bad_option; | |
208 | } | |
209 | patterns[i] = '\0'; | |
210 | opts++; | |
211 | if (match_host_and_ip(remote_host, remote_ip, | |
212 | patterns) != 1) { | |
213 | xfree(patterns); | |
214 | logit("Authentication tried for %.100s with " | |
215 | "correct key but not from a permitted " | |
216 | "host (host=%.200s, ip=%.200s).", | |
217 | pw->pw_name, remote_host, remote_ip); | |
218 | auth_debug_add("Your host '%.200s' is not " | |
219 | "permitted to use this key for login.", | |
220 | remote_host); | |
221 | /* deny access */ | |
222 | return 0; | |
223 | } | |
224 | xfree(patterns); | |
225 | /* Host name matches. */ | |
226 | goto next_option; | |
227 | } | |
228 | cp = "permitopen=\""; | |
229 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
230 | char *host, *p; | |
231 | u_short port; | |
232 | char *patterns = xmalloc(strlen(opts) + 1); | |
233 | ||
234 | opts += strlen(cp); | |
235 | i = 0; | |
236 | while (*opts) { | |
237 | if (*opts == '"') | |
238 | break; | |
239 | if (*opts == '\\' && opts[1] == '"') { | |
240 | opts += 2; | |
241 | patterns[i++] = '"'; | |
242 | continue; | |
243 | } | |
244 | patterns[i++] = *opts++; | |
245 | } | |
246 | if (!*opts) { | |
247 | debug("%.100s, line %lu: missing end quote", | |
248 | file, linenum); | |
249 | auth_debug_add("%.100s, line %lu: missing " | |
250 | "end quote", file, linenum); | |
251 | xfree(patterns); | |
252 | goto bad_option; | |
253 | } | |
254 | patterns[i] = '\0'; | |
255 | opts++; | |
256 | p = patterns; | |
257 | host = hpdelim(&p); | |
258 | if (host == NULL || strlen(host) >= NI_MAXHOST) { | |
259 | debug("%.100s, line %lu: Bad permitopen " | |
260 | "specification <%.100s>", file, linenum, | |
261 | patterns); | |
262 | auth_debug_add("%.100s, line %lu: " | |
263 | "Bad permitopen specification", file, | |
264 | linenum); | |
265 | xfree(patterns); | |
266 | goto bad_option; | |
267 | } | |
268 | host = cleanhostname(host); | |
269 | if (p == NULL || (port = a2port(p)) == 0) { | |
270 | debug("%.100s, line %lu: Bad permitopen port " | |
271 | "<%.100s>", file, linenum, p ? p : ""); | |
272 | auth_debug_add("%.100s, line %lu: " | |
273 | "Bad permitopen port", file, linenum); | |
274 | xfree(patterns); | |
275 | goto bad_option; | |
276 | } | |
277 | if (options.allow_tcp_forwarding) | |
278 | channel_add_permitted_opens(host, port); | |
279 | xfree(patterns); | |
280 | goto next_option; | |
281 | } | |
282 | cp = "tunnel=\""; | |
283 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | |
284 | char *tun = NULL; | |
285 | opts += strlen(cp); | |
286 | tun = xmalloc(strlen(opts) + 1); | |
287 | i = 0; | |
288 | while (*opts) { | |
289 | if (*opts == '"') | |
290 | break; | |
291 | tun[i++] = *opts++; | |
292 | } | |
293 | if (!*opts) { | |
294 | debug("%.100s, line %lu: missing end quote", | |
295 | file, linenum); | |
296 | auth_debug_add("%.100s, line %lu: missing end quote", | |
297 | file, linenum); | |
298 | xfree(tun); | |
299 | forced_tun_device = -1; | |
300 | goto bad_option; | |
301 | } | |
302 | tun[i] = '\0'; | |
303 | forced_tun_device = a2tun(tun, NULL); | |
304 | xfree(tun); | |
305 | if (forced_tun_device == SSH_TUNID_ERR) { | |
306 | debug("%.100s, line %lu: invalid tun device", | |
307 | file, linenum); | |
308 | auth_debug_add("%.100s, line %lu: invalid tun device", | |
309 | file, linenum); | |
310 | forced_tun_device = -1; | |
311 | goto bad_option; | |
312 | } | |
313 | auth_debug_add("Forced tun device: %d", forced_tun_device); | |
314 | opts++; | |
315 | goto next_option; | |
316 | } | |
317 | next_option: | |
318 | /* | |
319 | * Skip the comma, and move to the next option | |
320 | * (or break out if there are no more). | |
321 | */ | |
322 | if (!*opts) | |
323 | fatal("Bugs in auth-options.c option processing."); | |
324 | if (*opts == ' ' || *opts == '\t') | |
325 | break; /* End of options. */ | |
326 | if (*opts != ',') | |
327 | goto bad_option; | |
328 | opts++; | |
329 | /* Process the next option. */ | |
330 | } | |
331 | ||
332 | if (!use_privsep) | |
333 | auth_debug_send(); | |
334 | ||
335 | /* grant access */ | |
336 | return 1; | |
337 | ||
338 | bad_option: | |
339 | logit("Bad options in %.100s file, line %lu: %.50s", | |
340 | file, linenum, opts); | |
341 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", | |
342 | file, linenum, opts); | |
343 | ||
344 | if (!use_privsep) | |
345 | auth_debug_send(); | |
346 | ||
347 | /* deny access */ | |
348 | return 0; | |
349 | } |