X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/01dafcb504c448f0d4d5834c21b99e025f492550..239542dc0f6f2d1aa27862c90e38316f48ebc563:/auth-options.c

diff --git a/auth-options.c b/auth-options.c
index 2787d294..ab085c23 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-options.c,v 1.44 2009/01/22 10:09:16 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -10,26 +11,39 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.24 2002/05/13 20:44:58 markus Exp $");
 
-#include "packet.h"
+#include <sys/types.h>
+
+#include <netdb.h>
+#include <pwd.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
 #include "match.h"
 #include "log.h"
 #include "canohost.h"
+#include "buffer.h"
 #include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
-#include "bufaux.h"
 #include "misc.h"
-#include "monitor_wrap.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#include "monitor_wrap.h"
 
 /* Flags set authorized_keys flags */
 int no_port_forwarding_flag = 0;
 int no_agent_forwarding_flag = 0;
 int no_x11_forwarding_flag = 0;
 int no_pty_flag = 0;
+int no_user_rc = 0;
 
 /* "command=" option. */
 char *forced_command = NULL;
@@ -37,6 +51,9 @@ char *forced_command = NULL;
 /* "environment=" options. */
 struct envstring *custom_environment = NULL;
 
+/* "tunnel=" option. */
+int forced_tun_device = -1;
+
 extern ServerOptions options;
 
 void
@@ -46,6 +63,7 @@ auth_clear_options(void)
 	no_port_forwarding_flag = 0;
 	no_pty_flag = 0;
 	no_x11_forwarding_flag = 0;
+	no_user_rc = 0;
 	while (custom_environment) {
 		struct envstring *ce = custom_environment;
 		custom_environment = ce->next;
@@ -56,6 +74,7 @@ auth_clear_options(void)
 		xfree(forced_command);
 		forced_command = NULL;
 	}
+	forced_tun_device = -1;
 	channel_clear_permitted_opens();
 	auth_debug_reset();
 }
@@ -105,6 +124,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			opts += strlen(cp);
 			goto next_option;
 		}
+		cp = "no-user-rc";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			auth_debug_add("User rc file execution disabled.");
+			no_user_rc = 1;
+			opts += strlen(cp);
+			goto next_option;
+		}
 		cp = "command=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
@@ -129,13 +155,14 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				forced_command = NULL;
 				goto bad_option;
 			}
-			forced_command[i] = 0;
+			forced_command[i] = '\0';
 			auth_debug_add("Forced command: %.900s", forced_command);
 			opts++;
 			goto next_option;
 		}
 		cp = "environment=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+		if (options.permit_user_env &&
+		    strncasecmp(opts, cp, strlen(cp)) == 0) {
 			char *s;
 			struct envstring *new_envstring;
 
@@ -160,7 +187,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				xfree(s);
 				goto bad_option;
 			}
-			s[i] = 0;
+			s[i] = '\0';
 			auth_debug_add("Adding to environment: %.900s", s);
 			debug("Adding to environment: %.900s", s);
 			opts++;
@@ -174,7 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			const char *remote_ip = get_remote_ipaddr();
 			const char *remote_host = get_canonical_hostname(
-			    options.verify_reverse_mapping);
+			    options.use_dns);
 			char *patterns = xmalloc(strlen(opts) + 1);
 
 			opts += strlen(cp);
@@ -197,29 +224,38 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				xfree(patterns);
 				goto bad_option;
 			}
-			patterns[i] = 0;
+			patterns[i] = '\0';
 			opts++;
-			if (match_host_and_ip(remote_host, remote_ip,
-			    patterns) != 1) {
+			switch (match_host_and_ip(remote_host, remote_ip,
+			    patterns)) {
+			case 1:
 				xfree(patterns);
-				log("Authentication tried for %.100s with "
+				/* Host name matches. */
+				goto next_option;
+			case -1:
+				debug("%.100s, line %lu: invalid criteria",
+				    file, linenum);
+				auth_debug_add("%.100s, line %lu: "
+				    "invalid criteria", file, linenum);
+				/* FALLTHROUGH */
+			case 0:
+				xfree(patterns);
+				logit("Authentication tried for %.100s with "
 				    "correct key but not from a permitted "
 				    "host (host=%.200s, ip=%.200s).",
 				    pw->pw_name, remote_host, remote_ip);
 				auth_debug_add("Your host '%.200s' is not "
 				    "permitted to use this key for login.",
 				    remote_host);
-				/* deny access */
-				return 0;
+				break;
 			}
-			xfree(patterns);
-			/* Host name matches. */
-			goto next_option;
+			/* deny access */
+			return 0;
 		}
 		cp = "permitopen=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char host[256], sport[6];
-			u_short port;
+			char *host, *p;
+			int port;
 			char *patterns = xmalloc(strlen(opts) + 1);
 
 			opts += strlen(cp);
@@ -237,25 +273,29 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			if (!*opts) {
 				debug("%.100s, line %lu: missing end quote",
 				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
+				auth_debug_add("%.100s, line %lu: missing "
+				    "end quote", file, linenum);
 				xfree(patterns);
 				goto bad_option;
 			}
-			patterns[i] = 0;
+			patterns[i] = '\0';
 			opts++;
-			if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 &&
-			    sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) {
-				debug("%.100s, line %lu: Bad permitopen specification "
-				    "<%.100s>", file, linenum, patterns);
+			p = patterns;
+			host = hpdelim(&p);
+			if (host == NULL || strlen(host) >= NI_MAXHOST) {
+				debug("%.100s, line %lu: Bad permitopen "
+				    "specification <%.100s>", file, linenum,
+				    patterns);
 				auth_debug_add("%.100s, line %lu: "
-				    "Bad permitopen specification", file, linenum);
+				    "Bad permitopen specification", file,
+				    linenum);
 				xfree(patterns);
 				goto bad_option;
 			}
-			if ((port = a2port(sport)) == 0) {
-				debug("%.100s, line %lu: Bad permitopen port <%.100s>",
-				    file, linenum, sport);
+			host = cleanhostname(host);
+			if (p == NULL || (port = a2port(p)) <= 0) {
+				debug("%.100s, line %lu: Bad permitopen port "
+				    "<%.100s>", file, linenum, p ? p : "");
 				auth_debug_add("%.100s, line %lu: "
 				    "Bad permitopen port", file, linenum);
 				xfree(patterns);
@@ -266,6 +306,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			xfree(patterns);
 			goto next_option;
 		}
+		cp = "tunnel=\"";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			char *tun = NULL;
+			opts += strlen(cp);
+			tun = xmalloc(strlen(opts) + 1);
+			i = 0;
+			while (*opts) {
+				if (*opts == '"')
+					break;
+				tun[i++] = *opts++;
+			}
+			if (!*opts) {
+				debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				auth_debug_add("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				xfree(tun);
+				forced_tun_device = -1;
+				goto bad_option;
+			}
+			tun[i] = '\0';
+			forced_tun_device = a2tun(tun, NULL);
+			xfree(tun);
+			if (forced_tun_device == SSH_TUNID_ERR) {
+				debug("%.100s, line %lu: invalid tun device",
+				    file, linenum);
+				auth_debug_add("%.100s, line %lu: invalid tun device",
+				    file, linenum);
+				forced_tun_device = -1;
+				goto bad_option;
+			}
+			auth_debug_add("Forced tun device: %d", forced_tun_device);
+			opts++;
+			goto next_option;
+		}
 next_option:
 		/*
 		 * Skip the comma, and move to the next option
@@ -288,7 +363,7 @@ next_option:
 	return 1;
 
 bad_option:
-	log("Bad options in %.100s file, line %lu: %.50s",
+	logit("Bad options in %.100s file, line %lu: %.50s",
 	    file, linenum, opts);
 	auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
 	    file, linenum, opts);