X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/1853d1ef0d12e0942aca46cf9e6af2c69804d0a7..00146caabf3f7e02f3349607dddef7b6384da468:/auth-options.c diff --git a/auth-options.c b/auth-options.c index 48be6d8e..33c62641 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,3 +1,4 @@ +/* $OpenBSD: auth-options.c,v 1.39 2006/07/22 20:48:22 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -10,9 +11,15 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.22 2002/03/18 17:50:31 provos Exp $"); -#include "packet.h" +#include + +#if defined(HAVE_NETDB_H) +# include +#endif +#include +#include + #include "xmalloc.h" #include "match.h" #include "log.h" @@ -20,13 +27,9 @@ RCSID("$OpenBSD: auth-options.c,v 1.22 2002/03/18 17:50:31 provos Exp $"); #include "channels.h" #include "auth-options.h" #include "servconf.h" -#include "bufaux.h" #include "misc.h" #include "monitor_wrap.h" - -/* Debugging messages */ -Buffer auth_debug; -int auth_debug_init; +#include "auth.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; @@ -40,30 +43,14 @@ char *forced_command = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; -extern ServerOptions options; +/* "tunnel=" option. */ +int forced_tun_device = -1; -void -auth_send_debug(Buffer *m) -{ - char *msg; - - while (buffer_len(m)) { - msg = buffer_get_string(m, NULL); - packet_send_debug("%s", msg); - xfree(msg); - } -} +extern ServerOptions options; void auth_clear_options(void) { - if (auth_debug_init) - buffer_clear(&auth_debug); - else { - buffer_init(&auth_debug); - auth_debug_init = 1; - } - no_agent_forwarding_flag = 0; no_port_forwarding_flag = 0; no_pty_flag = 0; @@ -78,7 +65,9 @@ auth_clear_options(void) xfree(forced_command); forced_command = NULL; } + forced_tun_device = -1; channel_clear_permitted_opens(); + auth_debug_reset(); } /* @@ -88,7 +77,6 @@ auth_clear_options(void) int auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) { - char tmp[1024]; const char *cp; int i; @@ -101,32 +89,28 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) while (*opts && *opts != ' ' && *opts != '\t') { cp = "no-port-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - snprintf(tmp, sizeof(tmp), "Port forwarding disabled."); - buffer_put_cstring(&auth_debug, tmp); + auth_debug_add("Port forwarding disabled."); no_port_forwarding_flag = 1; opts += strlen(cp); goto next_option; } cp = "no-agent-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - snprintf(tmp, sizeof(tmp), "Agent forwarding disabled."); - buffer_put_cstring(&auth_debug, tmp); + auth_debug_add("Agent forwarding disabled."); no_agent_forwarding_flag = 1; opts += strlen(cp); goto next_option; } cp = "no-X11-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - snprintf(tmp, sizeof(tmp), "X11 forwarding disabled."); - buffer_put_cstring(&auth_debug, tmp); + auth_debug_add("X11 forwarding disabled."); no_x11_forwarding_flag = 1; opts += strlen(cp); goto next_option; } cp = "no-pty"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - snprintf(tmp, sizeof(tmp), "Pty allocation disabled."); - buffer_put_cstring(&auth_debug, tmp); + auth_debug_add("Pty allocation disabled."); no_pty_flag = 1; opts += strlen(cp); goto next_option; @@ -149,21 +133,20 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", + auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - buffer_put_cstring(&auth_debug, tmp); xfree(forced_command); forced_command = NULL; goto bad_option; } - forced_command[i] = 0; - snprintf(tmp, sizeof(tmp), "Forced command: %.900s", forced_command); - buffer_put_cstring(&auth_debug, tmp); + forced_command[i] = '\0'; + auth_debug_add("Forced command: %.900s", forced_command); opts++; goto next_option; } cp = "environment=\""; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { + if (options.permit_user_env && + strncasecmp(opts, cp, strlen(cp)) == 0) { char *s; struct envstring *new_envstring; @@ -183,15 +166,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", + auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - buffer_put_cstring(&auth_debug, tmp); xfree(s); goto bad_option; } - s[i] = 0; - snprintf(tmp, sizeof(tmp), "Adding to environment: %.900s", s); - buffer_put_cstring(&auth_debug, tmp); + s[i] = '\0'; + auth_debug_add("Adding to environment: %.900s", s); debug("Adding to environment: %.900s", s); opts++; new_envstring = xmalloc(sizeof(struct envstring)); @@ -204,7 +185,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { const char *remote_ip = get_remote_ipaddr(); const char *remote_host = get_canonical_hostname( - options.verify_reverse_mapping); + options.use_dns); char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -222,26 +203,23 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", + auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - buffer_put_cstring(&auth_debug, tmp); xfree(patterns); goto bad_option; } - patterns[i] = 0; + patterns[i] = '\0'; opts++; if (match_host_and_ip(remote_host, remote_ip, patterns) != 1) { xfree(patterns); - log("Authentication tried for %.100s with " + logit("Authentication tried for %.100s with " "correct key but not from a permitted " "host (host=%.200s, ip=%.200s).", pw->pw_name, remote_host, remote_ip); - snprintf(tmp, sizeof(tmp), - "Your host '%.200s' is not " + auth_debug_add("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); - buffer_put_cstring(&auth_debug, tmp); /* deny access */ return 0; } @@ -251,7 +229,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } cp = "permitopen=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - char host[256], sport[6]; + char *host, *p; u_short port; char *patterns = xmalloc(strlen(opts) + 1); @@ -270,30 +248,31 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (!*opts) { debug("%.100s, line %lu: missing end quote", file, linenum); - snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", - file, linenum); - buffer_put_cstring(&auth_debug, tmp); + auth_debug_add("%.100s, line %lu: missing " + "end quote", file, linenum); xfree(patterns); goto bad_option; } - patterns[i] = 0; + patterns[i] = '\0'; opts++; - if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 && - sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { - debug("%.100s, line %lu: Bad permitopen specification " - "<%.100s>", file, linenum, patterns); - snprintf(tmp, sizeof(tmp), "%.100s, line %lu: " - "Bad permitopen specification", file, linenum); - buffer_put_cstring(&auth_debug, tmp); + p = patterns; + host = hpdelim(&p); + if (host == NULL || strlen(host) >= NI_MAXHOST) { + debug("%.100s, line %lu: Bad permitopen " + "specification <%.100s>", file, linenum, + patterns); + auth_debug_add("%.100s, line %lu: " + "Bad permitopen specification", file, + linenum); xfree(patterns); goto bad_option; } - if ((port = a2port(sport)) == 0) { - debug("%.100s, line %lu: Bad permitopen port <%.100s>", - file, linenum, sport); - snprintf(tmp, sizeof(tmp), "%.100s, line %lu: " + host = cleanhostname(host); + if (p == NULL || (port = a2port(p)) == 0) { + debug("%.100s, line %lu: Bad permitopen port " + "<%.100s>", file, linenum, p ? p : ""); + auth_debug_add("%.100s, line %lu: " "Bad permitopen port", file, linenum); - buffer_put_cstring(&auth_debug, tmp); xfree(patterns); goto bad_option; } @@ -302,6 +281,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto next_option; } + cp = "tunnel=\""; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + char *tun = NULL; + opts += strlen(cp); + tun = xmalloc(strlen(opts) + 1); + i = 0; + while (*opts) { + if (*opts == '"') + break; + tun[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(tun); + forced_tun_device = -1; + goto bad_option; + } + tun[i] = '\0'; + forced_tun_device = a2tun(tun, NULL); + xfree(tun); + if (forced_tun_device == SSH_TUNID_ERR) { + debug("%.100s, line %lu: invalid tun device", + file, linenum); + auth_debug_add("%.100s, line %lu: invalid tun device", + file, linenum); + forced_tun_device = -1; + goto bad_option; + } + auth_debug_add("Forced tun device: %d", forced_tun_device); + opts++; + goto next_option; + } next_option: /* * Skip the comma, and move to the next option @@ -318,21 +332,19 @@ next_option: } if (!use_privsep) - auth_send_debug(&auth_debug); + auth_debug_send(); /* grant access */ return 1; bad_option: - log("Bad options in %.100s file, line %lu: %.50s", + logit("Bad options in %.100s file, line %lu: %.50s", file, linenum, opts); - snprintf(tmp, sizeof(tmp), - "Bad options in %.100s file, line %lu: %.50s", + auth_debug_add("Bad options in %.100s file, line %lu: %.50s", file, linenum, opts); - buffer_put_cstring(&auth_debug, tmp); if (!use_privsep) - auth_send_debug(&auth_debug); + auth_debug_send(); /* deny access */ return 0;