auth-options.c

   1 /*
   2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
   3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   4  *                    All rights reserved
   5  * As far as I am concerned, the code I have written for this software
   6  * can be used freely for any purpose.  Any derived versions of this
   7  * software must be clearly marked as such, and if the derived work is
   8  * incompatible with the protocol description in the RFC file, it must be
   9  * called by a name other than "ssh" or "Secure Shell".
  10  */
  11
  12 #include "includes.h"
  13 RCSID("$OpenBSD: auth-options.c,v 1.8 2001/01/13 18:38:00 markus Exp $");
  14
  15 #include "ssh.h"
  16 #include "packet.h"
  17 #include "xmalloc.h"
  18 #include "match.h"
  19
  20 /* Flags set authorized_keys flags */
  21 int no_port_forwarding_flag = 0;
  22 int no_agent_forwarding_flag = 0;
  23 int no_x11_forwarding_flag = 0;
  24 int no_pty_flag = 0;
  25
  26 /* "command=" option. */
  27 char *forced_command = NULL;
  28
  29 /* "environment=" options. */
  30 struct envstring *custom_environment = NULL;
  31
  32 void
  33 auth_clear_options(void)
  34 {
  35         no_agent_forwarding_flag = 0;
  36         no_port_forwarding_flag = 0;
  37         no_pty_flag = 0;
  38         no_x11_forwarding_flag = 0;
  39         while (custom_environment) {
  40                 struct envstring *ce = custom_environment;
  41                 custom_environment = ce->next;
  42                 xfree(ce->s);
  43                 xfree(ce);
  44         }
  45         if (forced_command) {
  46                 xfree(forced_command);
  47                 forced_command = NULL;
  48         }
  49 }
  50
  51 /* return 1 if access is granted, 0 if not. side effect: sets key option flags */
  52 int
  53 auth_parse_options(struct passwd *pw, char *options, u_long linenum)
  54 {
  55         const char *cp;
  56         if (!options)
  57                 return 1;
  58
  59         /* reset options */
  60         auth_clear_options();
  61
  62         while (*options && *options != ' ' && *options != '\t') {
  63                 cp = "no-port-forwarding";
  64                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  65                         packet_send_debug("Port forwarding disabled.");
  66                         no_port_forwarding_flag = 1;
  67                         options += strlen(cp);
  68                         goto next_option;
  69                 }
  70                 cp = "no-agent-forwarding";
  71                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  72                         packet_send_debug("Agent forwarding disabled.");
  73                         no_agent_forwarding_flag = 1;
  74                         options += strlen(cp);
  75                         goto next_option;
  76                 }
  77                 cp = "no-X11-forwarding";
  78                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  79                         packet_send_debug("X11 forwarding disabled.");
  80                         no_x11_forwarding_flag = 1;
  81                         options += strlen(cp);
  82                         goto next_option;
  83                 }
  84                 cp = "no-pty";
  85                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  86                         packet_send_debug("Pty allocation disabled.");
  87                         no_pty_flag = 1;
  88                         options += strlen(cp);
  89                         goto next_option;
  90                 }
  91                 cp = "command=\"";
  92                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
  93                         int i;
  94                         options += strlen(cp);
  95                         forced_command = xmalloc(strlen(options) + 1);
  96                         i = 0;
  97                         while (*options) {
  98                                 if (*options == '"')
  99                                         break;
 100                                 if (*options == '\\' && options[1] == '"') {
 101                                         options += 2;
 102                                         forced_command[i++] = '"';
 103                                         continue;
 104                                 }
 105                                 forced_command[i++] = *options++;
 106                         }
 107                         if (!*options) {
 108                                 debug("%.100s, line %lu: missing end quote",
 109                                     SSH_USER_PERMITTED_KEYS, linenum);
 110                                 packet_send_debug("%.100s, line %lu: missing end quote",
 111                                     SSH_USER_PERMITTED_KEYS, linenum);
 112                                 continue;
 113                         }
 114                         forced_command[i] = 0;
 115                         packet_send_debug("Forced command: %.900s", forced_command);
 116                         options++;
 117                         goto next_option;
 118                 }
 119                 cp = "environment=\"";
 120                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
 121                         int i;
 122                         char *s;
 123                         struct envstring *new_envstring;
 124                         options += strlen(cp);
 125                         s = xmalloc(strlen(options) + 1);
 126                         i = 0;
 127                         while (*options) {
 128                                 if (*options == '"')
 129                                         break;
 130                                 if (*options == '\\' && options[1] == '"') {
 131                                         options += 2;
 132                                         s[i++] = '"';
 133                                         continue;
 134                                 }
 135                                 s[i++] = *options++;
 136                         }
 137                         if (!*options) {
 138                                 debug("%.100s, line %lu: missing end quote",
 139                                     SSH_USER_PERMITTED_KEYS, linenum);
 140                                 packet_send_debug("%.100s, line %lu: missing end quote",
 141                                     SSH_USER_PERMITTED_KEYS, linenum);
 142                                 continue;
 143                         }
 144                         s[i] = 0;
 145                         packet_send_debug("Adding to environment: %.900s", s);
 146                         debug("Adding to environment: %.900s", s);
 147                         options++;
 148                         new_envstring = xmalloc(sizeof(struct envstring));
 149                         new_envstring->s = s;
 150                         new_envstring->next = custom_environment;
 151                         custom_environment = new_envstring;
 152                         goto next_option;
 153                 }
 154                 cp = "from=\"";
 155                 if (strncasecmp(options, cp, strlen(cp)) == 0) {
 156                         int mname, mip;
 157                         char *patterns = xmalloc(strlen(options) + 1);
 158                         int i;
 159                         options += strlen(cp);
 160                         i = 0;
 161                         while (*options) {
 162                                 if (*options == '"')
 163                                         break;
 164                                 if (*options == '\\' && options[1] == '"') {
 165                                         options += 2;
 166                                         patterns[i++] = '"';
 167                                         continue;
 168                                 }
 169                                 patterns[i++] = *options++;
 170                         }
 171                         if (!*options) {
 172                                 debug("%.100s, line %lu: missing end quote",
 173                                     SSH_USER_PERMITTED_KEYS, linenum);
 174                                 packet_send_debug("%.100s, line %lu: missing end quote",
 175                                     SSH_USER_PERMITTED_KEYS, linenum);
 176                                 continue;
 177                         }
 178                         patterns[i] = 0;
 179                         options++;
 180                         /*
 181                          * Deny access if we get a negative
 182                          * match for the hostname or the ip
 183                          * or if we get not match at all
 184                          */
 185                         mname = match_hostname(get_canonical_hostname(),
 186                             patterns, strlen(patterns));
 187                         mip = match_hostname(get_remote_ipaddr(),
 188                             patterns, strlen(patterns));
 189                         xfree(patterns);
 190                         if (mname == -1 || mip == -1 ||
 191                             (mname != 1 && mip != 1)) {
 192                                 log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
 193                                     pw->pw_name, get_canonical_hostname(),
 194                                     get_remote_ipaddr());
 195                                 packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
 196                                 get_canonical_hostname());
 197                                 /* deny access */
 198                                 return 0;
 199                         }
 200                         /* Host name matches. */
 201                         goto next_option;
 202                 }
 203 next_option:
 204                 /*
 205                  * Skip the comma, and move to the next option
 206                  * (or break out if there are no more).
 207                  */
 208                 if (!*options)
 209                         fatal("Bugs in auth-options.c option processing.");
 210                 if (*options == ' ' || *options == '\t')
 211                         break;          /* End of options. */
 212                 if (*options != ',')
 213                         goto bad_option;
 214                 options++;
 215                 /* Process the next option. */
 216         }
 217         /* grant access */
 218         return 1;
 219
 220 bad_option:
 221         log("Bad options in %.100s file, line %lu: %.50s",
 222             SSH_USER_PERMITTED_KEYS, linenum, options);
 223         packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
 224             SSH_USER_PERMITTED_KEYS, linenum, options);
 225         /* deny access */
 226         return 0;
 227 }