auth-options.c

   1 /*
   2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
   3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   4  *                    All rights reserved
   5  * As far as I am concerned, the code I have written for this software
   6  * can be used freely for any purpose.  Any derived versions of this
   7  * software must be clearly marked as such, and if the derived work is
   8  * incompatible with the protocol description in the RFC file, it must be
   9  * called by a name other than "ssh" or "Secure Shell".
  10  */
  11
  12 #include "includes.h"
  13 RCSID("$OpenBSD: auth-options.c,v 1.11 2001/01/21 19:05:41 markus Exp $");
  14
  15 #include "packet.h"
  16 #include "xmalloc.h"
  17 #include "match.h"
  18 #include "log.h"
  19 #include "canohost.h"
  20 #include "auth-options.h"
  21
  22 /* Flags set authorized_keys flags */
  23 int no_port_forwarding_flag = 0;
  24 int no_agent_forwarding_flag = 0;
  25 int no_x11_forwarding_flag = 0;
  26 int no_pty_flag = 0;
  27
  28 /* "command=" option. */
  29 char *forced_command = NULL;
  30
  31 /* "environment=" options. */
  32 struct envstring *custom_environment = NULL;
  33
  34 void
  35 auth_clear_options(void)
  36 {
  37         no_agent_forwarding_flag = 0;
  38         no_port_forwarding_flag = 0;
  39         no_pty_flag = 0;
  40         no_x11_forwarding_flag = 0;
  41         while (custom_environment) {
  42                 struct envstring *ce = custom_environment;
  43                 custom_environment = ce->next;
  44                 xfree(ce->s);
  45                 xfree(ce);
  46         }
  47         if (forced_command) {
  48                 xfree(forced_command);
  49                 forced_command = NULL;
  50         }
  51 }
  52
  53 /*
  54  * return 1 if access is granted, 0 if not.
  55  * side effect: sets key option flags
  56  */
  57 int
  58 auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
  59 {
  60         const char *cp;
  61         if (!options)
  62                 return 1;
  63
  64         /* reset options */
  65         auth_clear_options();
  66
  67         while (*options && *options != ' ' && *options != '\t') {
  68                 cp = "no-port-forwarding";
  69                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  70                         packet_send_debug("Port forwarding disabled.");
  71                         no_port_forwarding_flag = 1;
  72                         options += strlen(cp);
  73                         goto next_option;
  74                 }
  75                 cp = "no-agent-forwarding";
  76                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  77                         packet_send_debug("Agent forwarding disabled.");
  78                         no_agent_forwarding_flag = 1;
  79                         options += strlen(cp);
  80                         goto next_option;
  81                 }
  82                 cp = "no-X11-forwarding";
  83                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  84                         packet_send_debug("X11 forwarding disabled.");
  85                         no_x11_forwarding_flag = 1;
  86                         options += strlen(cp);
  87                         goto next_option;
  88                 }
  89                 cp = "no-pty";
  90                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  91                         packet_send_debug("Pty allocation disabled.");
  92                         no_pty_flag = 1;
  93                         options += strlen(cp);
  94                         goto next_option;
  95                 }
  96                 cp = "command=\"";
  97                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  98                         int i;
  99                         options += strlen(cp);
 100                         forced_command = xmalloc(strlen(options) + 1);
 101                         i = 0;
 102                         while (*options) {
 103                                 if (*options == '"')
 104                                         break;
 105                                 if (*options == '\\' && options[1] == '"') {
 106                                         options += 2;
 107                                         forced_command[i++] = '"';
 108                                         continue;
 109                                 }
 110                                 forced_command[i++] = *options++;
 111                         }
 112                         if (!*options) {
 113                                 debug("%.100s, line %lu: missing end quote",
 114                                     file, linenum);
 115                                 packet_send_debug("%.100s, line %lu: missing end quote",
 116                                     file, linenum);
 117                                 continue;
 118                         }
 119                         forced_command[i] = 0;
 120                         packet_send_debug("Forced command: %.900s", forced_command);
 121                         options++;
 122                         goto next_option;
 123                 }
 124                 cp = "environment=\"";
 125                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
 126                         int i;
 127                         char *s;
 128                         struct envstring *new_envstring;
 129                         options += strlen(cp);
 130                         s = xmalloc(strlen(options) + 1);
 131                         i = 0;
 132                         while (*options) {
 133                                 if (*options == '"')
 134                                         break;
 135                                 if (*options == '\\' && options[1] == '"') {
 136                                         options += 2;
 137                                         s[i++] = '"';
 138                                         continue;
 139                                 }
 140                                 s[i++] = *options++;
 141                         }
 142                         if (!*options) {
 143                                 debug("%.100s, line %lu: missing end quote",
 144                                     file, linenum);
 145                                 packet_send_debug("%.100s, line %lu: missing end quote",
 146                                     file, linenum);
 147                                 continue;
 148                         }
 149                         s[i] = 0;
 150                         packet_send_debug("Adding to environment: %.900s", s);
 151                         debug("Adding to environment: %.900s", s);
 152                         options++;
 153                         new_envstring = xmalloc(sizeof(struct envstring));
 154                         new_envstring->s = s;
 155                         new_envstring->next = custom_environment;
 156                         custom_environment = new_envstring;
 157                         goto next_option;
 158                 }
 159                 cp = "from=\"";
 160                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
 161                         int mname, mip;
 162                         char *patterns = xmalloc(strlen(options) + 1);
 163                         int i;
 164                         options += strlen(cp);
 165                         i = 0;
 166                         while (*options) {
 167                                 if (*options == '"')
 168                                         break;
 169                                 if (*options == '\\' && options[1] == '"') {
 170                                         options += 2;
 171                                         patterns[i++] = '"';
 172                                         continue;
 173                                 }
 174                                 patterns[i++] = *options++;
 175                         }
 176                         if (!*options) {
 177                                 debug("%.100s, line %lu: missing end quote",
 178                                     file, linenum);
 179                                 packet_send_debug("%.100s, line %lu: missing end quote",
 180                                     file, linenum);
 181                                 continue;
 182                         }
 183                         patterns[i] = 0;
 184                         options++;
 185                         /*
 186                          * Deny access if we get a negative
 187                          * match for the hostname or the ip
 188                          * or if we get not match at all
 189                          */
 190                         mname = match_hostname(get_canonical_hostname(),
 191                             patterns, strlen(patterns));
 192                         mip = match_hostname(get_remote_ipaddr(),
 193                             patterns, strlen(patterns));
 194                         xfree(patterns);
 195                         if (mname == -1 || mip == -1 ||
 196                             (mname != 1 && mip != 1)) {
 197                                 log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
 198                                     pw->pw_name, get_canonical_hostname(),
 199                                     get_remote_ipaddr());
 200                                 packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
 201                                 get_canonical_hostname());
 202                                 /* deny access */
 203                                 return 0;
 204                         }
 205                         /* Host name matches. */
 206                         goto next_option;
 207                 }
 208 next_option:
 209                 /*
 210                  * Skip the comma, and move to the next option
 211                  * (or break out if there are no more).
 212                  */
 213                 if (!*options)
 214                         fatal("Bugs in auth-options.c option processing.");
 215                 if (*options == ' ' || *options == '\t')
 216                         break;          /* End of options. */
 217                 if (*options != ',')
 218                         goto bad_option;
 219                 options++;
 220                 /* Process the next option. */
 221         }
 222         /* grant access */
 223         return 1;
 224
 225 bad_option:
 226         log("Bad options in %.100s file, line %lu: %.50s",
 227             file, linenum, options);
 228         packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
 229             file, linenum, options);
 230         /* deny access */
 231         return 0;
 232 }