1 #include "includes.h"
2 RCSID("$Id$");
3
4 #include "ssh.h"
5 #include "packet.h"
6 #include "xmalloc.h"
7 #include "match.h"
8
/*
 * Per-key restrictions collected from the option list in front of a key in
 * the authorized keys file.  Each flag is 1 once the matching option has
 * been seen, 0 otherwise.
 */
int no_port_forwarding_flag = 0;	/* "no-port-forwarding" */
int no_agent_forwarding_flag = 0;	/* "no-agent-forwarding" */
int no_x11_forwarding_flag = 0;		/* "no-X11-forwarding" */
int no_pty_flag = 0;			/* "no-pty" */

/* Value of a "command=" option (xmalloc'd), or NULL when none was given. */
char *forced_command = NULL;

/* List built from "environment=" options; the newest entry is at the head. */
struct envstring *custom_environment = NULL;
20
21 /* return 1 if access is granted, 0 if not. side effect: sets key option flags */
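/*
 * Forget every key option collected so far: clear the restriction flags,
 * free the forced command and free the environment list.  Called whenever a
 * key is rejected, so that options from a rejected key cannot remain in
 * effect for a key on a later line.
 */
static void
reset_key_options(void)
{
	no_agent_forwarding_flag = 0;
	no_port_forwarding_flag = 0;
	no_pty_flag = 0;
	no_x11_forwarding_flag = 0;
	while (custom_environment) {
		struct envstring *ce = custom_environment;
		custom_environment = ce->next;
		xfree(ce->s);
		xfree(ce);
	}
	if (forced_command) {
		xfree(forced_command);
		forced_command = NULL;
	}
}

/*
 * Copy a double-quoted option value.  *optionsp points just past the
 * opening quote; the sequence \" inside the value stands for a literal
 * quote.  On success returns a newly xmalloc'd, NUL-terminated copy (the
 * caller owns it) and leaves *optionsp just past the closing quote.
 * Returns NULL, with *optionsp at the terminating NUL, when no closing
 * quote is found.
 */
static char *
copy_quoted_value(char **optionsp)
{
	char *options = *optionsp;
	/* Unescaping never grows the text, so strlen + 1 is always enough. */
	char *value = xmalloc(strlen(options) + 1);
	int i = 0;

	while (*options) {
		if (*options == '"')
			break;
		if (*options == '\\' && options[1] == '"') {
			options += 2;
			value[i++] = '"';
			continue;
		}
		value[i++] = *options++;
	}
	if (!*options) {
		/* Missing end quote: nothing usable was parsed. */
		xfree(value);
		*optionsp = options;
		return NULL;
	}
	value[i] = 0;
	*optionsp = options + 1;	/* step over the closing quote */
	return value;
}

/*
 * Parse the comma-separated option list that precedes a key in the
 * authorized keys file.
 *
 * pw       - user being authenticated; only pw_name is used, for the log
 * options  - start of the option text; NULL means "no options"
 * linenum  - line number in the keys file, for diagnostics
 *
 * Returns 1 if access is granted, 0 if not.  Side effect: sets the
 * no_*_flag variables, forced_command and custom_environment.  Any
 * malformed option (unknown word, unterminated quoted value) denies
 * access and leaves all of those cleared; a "from=" pattern that does
 * not match the client denies access the same way.
 */
int
auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
{
	const char *cp;
	if (!options)
		return 1;
	while (*options && *options != ' ' && *options != '\t') {
		cp = "no-port-forwarding";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Port forwarding disabled.");
			no_port_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-agent-forwarding";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Agent forwarding disabled.");
			no_agent_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-X11-forwarding";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("X11 forwarding disabled.");
			no_x11_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-pty";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Pty allocation disabled.");
			no_pty_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "command=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			char *value;
			options += strlen(cp);
			value = copy_quoted_value(&options);
			if (value == NULL) {
				debug("%.100s, line %lu: missing end quote",
				    SSH_USER_PERMITTED_KEYS, linenum);
				packet_send_debug("%.100s, line %lu: missing end quote",
				    SSH_USER_PERMITTED_KEYS, linenum);
				/*
				 * An unterminated value must not grant access
				 * with a half-parsed command; reject the line.
				 */
				goto bad_option;
			}
			/* A repeated command= replaces the earlier one. */
			if (forced_command)
				xfree(forced_command);
			forced_command = value;
			packet_send_debug("Forced command: %.900s", forced_command);
			goto next_option;
		}
		cp = "environment=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			char *s;
			struct envstring *new_envstring;
			options += strlen(cp);
			s = copy_quoted_value(&options);
			if (s == NULL) {
				debug("%.100s, line %lu: missing end quote",
				    SSH_USER_PERMITTED_KEYS, linenum);
				packet_send_debug("%.100s, line %lu: missing end quote",
				    SSH_USER_PERMITTED_KEYS, linenum);
				goto bad_option;
			}
			packet_send_debug("Adding to environment: %.900s", s);
			debug("Adding to environment: %.900s", s);
			/* Prepend; the list is walked and freed by reset_key_options. */
			new_envstring = xmalloc(sizeof *new_envstring);
			new_envstring->s = s;
			new_envstring->next = custom_environment;
			custom_environment = new_envstring;
			goto next_option;
		}
		cp = "from=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			int mname, mip;
			char *patterns;
			options += strlen(cp);
			patterns = copy_quoted_value(&options);
			if (patterns == NULL) {
				debug("%.100s, line %lu: missing end quote",
				    SSH_USER_PERMITTED_KEYS, linenum);
				packet_send_debug("%.100s, line %lu: missing end quote",
				    SSH_USER_PERMITTED_KEYS, linenum);
				goto bad_option;
			}
			/*
			 * Deny access if we get a negative match for the
			 * hostname or the ip, or if we get no match at all.
			 */
			mname = match_hostname(get_canonical_hostname(),
			    patterns, strlen(patterns));
			mip = match_hostname(get_remote_ipaddr(),
			    patterns, strlen(patterns));
			xfree(patterns);
			if (mname == -1 || mip == -1 ||
			    (mname != 1 && mip != 1)) {
				log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
				    pw->pw_name, get_canonical_hostname(),
				    get_remote_ipaddr());
				packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
				    get_canonical_hostname());
				/* key invalid for this host, reset flags */
				reset_key_options();
				/* deny access */
				return 0;
			}
			/* Host name matches. */
			goto next_option;
		}
next_option:
		/*
		 * Skip the comma, and move to the next option
		 * (or break out if there are no more).
		 */
		if (!*options)
			fatal("Bugs in auth-options.c option processing.");
		if (*options == ' ' || *options == '\t')
			break;		/* End of options. */
		if (*options != ',')
			goto bad_option;
		options++;
		/* Process the next option. */
	}
	/* grant access */
	return 1;

bad_option:
	log("Bad options in %.100s file, line %lu: %.50s",
	    SSH_USER_PERMITTED_KEYS, linenum, options);
	packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
	    SSH_USER_PERMITTED_KEYS, linenum, options);
	/* deny access; drop anything parsed from this line so far */
	reset_key_options();
	return 0;
}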