Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 1 | /* $OpenBSD: auth-options.c,v 1.65 2015/01/14 10:30:34 markus Exp $ */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved |
| 6 | * As far as I am concerned, the code I have written for this software |
| 7 | * can be used freely for any purpose. Any derived versions of this |
| 8 | * software must be clearly marked as such, and if the derived work is |
| 9 | * incompatible with the protocol description in the RFC file, it must be |
| 10 | * called by a name other than "ssh" or "Secure Shell". |
| 11 | */ |
| 12 | |
| 13 | #include "includes.h" |
| 14 | |
| 15 | #include <sys/types.h> |
| 16 | |
| 17 | #include <netdb.h> |
| 18 | #include <pwd.h> |
| 19 | #include <string.h> |
| 20 | #include <stdio.h> |
| 21 | #include <stdarg.h> |
| 22 | |
| 23 | #include "openbsd-compat/sys-queue.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 24 | |
| 25 | #include "key.h" /* XXX for typedef */ |
| 26 | #include "buffer.h" /* XXX for typedef */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 27 | #include "xmalloc.h" |
| 28 | #include "match.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 29 | #include "ssherr.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 30 | #include "log.h" |
| 31 | #include "canohost.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 32 | #include "sshbuf.h" |
| 33 | #include "misc.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 34 | #include "channels.h" |
| 35 | #include "servconf.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 36 | #include "sshkey.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 37 | #include "auth-options.h" |
| 38 | #include "hostfile.h" |
| 39 | #include "auth.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 40 | |
| 41 | /* Flags set authorized_keys flags */ |
| 42 | int no_port_forwarding_flag = 0; |
| 43 | int no_agent_forwarding_flag = 0; |
| 44 | int no_x11_forwarding_flag = 0; |
| 45 | int no_pty_flag = 0; |
| 46 | int no_user_rc = 0; |
| 47 | int key_is_cert_authority = 0; |
| 48 | |
| 49 | /* "command=" option. */ |
| 50 | char *forced_command = NULL; |
| 51 | |
| 52 | /* "environment=" options. */ |
| 53 | struct envstring *custom_environment = NULL; |
| 54 | |
| 55 | /* "tunnel=" option. */ |
| 56 | int forced_tun_device = -1; |
| 57 | |
| 58 | /* "principals=" option. */ |
| 59 | char *authorized_principals = NULL; |
| 60 | |
| 61 | extern ServerOptions options; |
| 62 | |
| 63 | void |
| 64 | auth_clear_options(void) |
| 65 | { |
| 66 | no_agent_forwarding_flag = 0; |
| 67 | no_port_forwarding_flag = 0; |
| 68 | no_pty_flag = 0; |
| 69 | no_x11_forwarding_flag = 0; |
| 70 | no_user_rc = 0; |
| 71 | key_is_cert_authority = 0; |
| 72 | while (custom_environment) { |
| 73 | struct envstring *ce = custom_environment; |
| 74 | custom_environment = ce->next; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 75 | free(ce->s); |
| 76 | free(ce); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 77 | } |
| 78 | if (forced_command) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 79 | free(forced_command); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 80 | forced_command = NULL; |
| 81 | } |
| 82 | if (authorized_principals) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 83 | free(authorized_principals); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 84 | authorized_principals = NULL; |
| 85 | } |
| 86 | forced_tun_device = -1; |
| 87 | channel_clear_permitted_opens(); |
| 88 | } |
| 89 | |
| 90 | /* |
| 91 | * return 1 if access is granted, 0 if not. |
| 92 | * side effect: sets key option flags |
| 93 | */ |
| 94 | int |
| 95 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
| 96 | { |
| 97 | const char *cp; |
| 98 | int i; |
| 99 | |
| 100 | /* reset options */ |
| 101 | auth_clear_options(); |
| 102 | |
| 103 | if (!opts) |
| 104 | return 1; |
| 105 | |
| 106 | while (*opts && *opts != ' ' && *opts != '\t') { |
| 107 | cp = "cert-authority"; |
| 108 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 109 | key_is_cert_authority = 1; |
| 110 | opts += strlen(cp); |
| 111 | goto next_option; |
| 112 | } |
| 113 | cp = "no-port-forwarding"; |
| 114 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 115 | auth_debug_add("Port forwarding disabled."); |
| 116 | no_port_forwarding_flag = 1; |
| 117 | opts += strlen(cp); |
| 118 | goto next_option; |
| 119 | } |
| 120 | cp = "no-agent-forwarding"; |
| 121 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 122 | auth_debug_add("Agent forwarding disabled."); |
| 123 | no_agent_forwarding_flag = 1; |
| 124 | opts += strlen(cp); |
| 125 | goto next_option; |
| 126 | } |
| 127 | cp = "no-X11-forwarding"; |
| 128 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 129 | auth_debug_add("X11 forwarding disabled."); |
| 130 | no_x11_forwarding_flag = 1; |
| 131 | opts += strlen(cp); |
| 132 | goto next_option; |
| 133 | } |
| 134 | cp = "no-pty"; |
| 135 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 136 | auth_debug_add("Pty allocation disabled."); |
| 137 | no_pty_flag = 1; |
| 138 | opts += strlen(cp); |
| 139 | goto next_option; |
| 140 | } |
| 141 | cp = "no-user-rc"; |
| 142 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 143 | auth_debug_add("User rc file execution disabled."); |
| 144 | no_user_rc = 1; |
| 145 | opts += strlen(cp); |
| 146 | goto next_option; |
| 147 | } |
| 148 | cp = "command=\""; |
| 149 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 150 | opts += strlen(cp); |
| 151 | if (forced_command != NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 152 | free(forced_command); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 153 | forced_command = xmalloc(strlen(opts) + 1); |
| 154 | i = 0; |
| 155 | while (*opts) { |
| 156 | if (*opts == '"') |
| 157 | break; |
| 158 | if (*opts == '\\' && opts[1] == '"') { |
| 159 | opts += 2; |
| 160 | forced_command[i++] = '"'; |
| 161 | continue; |
| 162 | } |
| 163 | forced_command[i++] = *opts++; |
| 164 | } |
| 165 | if (!*opts) { |
| 166 | debug("%.100s, line %lu: missing end quote", |
| 167 | file, linenum); |
| 168 | auth_debug_add("%.100s, line %lu: missing end quote", |
| 169 | file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 170 | free(forced_command); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 171 | forced_command = NULL; |
| 172 | goto bad_option; |
| 173 | } |
| 174 | forced_command[i] = '\0'; |
| 175 | auth_debug_add("Forced command."); |
| 176 | opts++; |
| 177 | goto next_option; |
| 178 | } |
| 179 | cp = "principals=\""; |
| 180 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 181 | opts += strlen(cp); |
| 182 | if (authorized_principals != NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 183 | free(authorized_principals); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 184 | authorized_principals = xmalloc(strlen(opts) + 1); |
| 185 | i = 0; |
| 186 | while (*opts) { |
| 187 | if (*opts == '"') |
| 188 | break; |
| 189 | if (*opts == '\\' && opts[1] == '"') { |
| 190 | opts += 2; |
| 191 | authorized_principals[i++] = '"'; |
| 192 | continue; |
| 193 | } |
| 194 | authorized_principals[i++] = *opts++; |
| 195 | } |
| 196 | if (!*opts) { |
| 197 | debug("%.100s, line %lu: missing end quote", |
| 198 | file, linenum); |
| 199 | auth_debug_add("%.100s, line %lu: missing end quote", |
| 200 | file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 201 | free(authorized_principals); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 202 | authorized_principals = NULL; |
| 203 | goto bad_option; |
| 204 | } |
| 205 | authorized_principals[i] = '\0'; |
| 206 | auth_debug_add("principals: %.900s", |
| 207 | authorized_principals); |
| 208 | opts++; |
| 209 | goto next_option; |
| 210 | } |
| 211 | cp = "environment=\""; |
| 212 | if (options.permit_user_env && |
| 213 | strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 214 | char *s; |
| 215 | struct envstring *new_envstring; |
| 216 | |
| 217 | opts += strlen(cp); |
| 218 | s = xmalloc(strlen(opts) + 1); |
| 219 | i = 0; |
| 220 | while (*opts) { |
| 221 | if (*opts == '"') |
| 222 | break; |
| 223 | if (*opts == '\\' && opts[1] == '"') { |
| 224 | opts += 2; |
| 225 | s[i++] = '"'; |
| 226 | continue; |
| 227 | } |
| 228 | s[i++] = *opts++; |
| 229 | } |
| 230 | if (!*opts) { |
| 231 | debug("%.100s, line %lu: missing end quote", |
| 232 | file, linenum); |
| 233 | auth_debug_add("%.100s, line %lu: missing end quote", |
| 234 | file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 235 | free(s); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 236 | goto bad_option; |
| 237 | } |
| 238 | s[i] = '\0'; |
| 239 | auth_debug_add("Adding to environment: %.900s", s); |
| 240 | debug("Adding to environment: %.900s", s); |
| 241 | opts++; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 242 | new_envstring = xcalloc(1, sizeof(struct envstring)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 243 | new_envstring->s = s; |
| 244 | new_envstring->next = custom_environment; |
| 245 | custom_environment = new_envstring; |
| 246 | goto next_option; |
| 247 | } |
| 248 | cp = "from=\""; |
| 249 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 250 | const char *remote_ip = get_remote_ipaddr(); |
| 251 | const char *remote_host = get_canonical_hostname( |
| 252 | options.use_dns); |
| 253 | char *patterns = xmalloc(strlen(opts) + 1); |
| 254 | |
| 255 | opts += strlen(cp); |
| 256 | i = 0; |
| 257 | while (*opts) { |
| 258 | if (*opts == '"') |
| 259 | break; |
| 260 | if (*opts == '\\' && opts[1] == '"') { |
| 261 | opts += 2; |
| 262 | patterns[i++] = '"'; |
| 263 | continue; |
| 264 | } |
| 265 | patterns[i++] = *opts++; |
| 266 | } |
| 267 | if (!*opts) { |
| 268 | debug("%.100s, line %lu: missing end quote", |
| 269 | file, linenum); |
| 270 | auth_debug_add("%.100s, line %lu: missing end quote", |
| 271 | file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 272 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 273 | goto bad_option; |
| 274 | } |
| 275 | patterns[i] = '\0'; |
| 276 | opts++; |
| 277 | switch (match_host_and_ip(remote_host, remote_ip, |
| 278 | patterns)) { |
| 279 | case 1: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 280 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 281 | /* Host name matches. */ |
| 282 | goto next_option; |
| 283 | case -1: |
| 284 | debug("%.100s, line %lu: invalid criteria", |
| 285 | file, linenum); |
| 286 | auth_debug_add("%.100s, line %lu: " |
| 287 | "invalid criteria", file, linenum); |
| 288 | /* FALLTHROUGH */ |
| 289 | case 0: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 290 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 291 | logit("Authentication tried for %.100s with " |
| 292 | "correct key but not from a permitted " |
| 293 | "host (host=%.200s, ip=%.200s).", |
| 294 | pw->pw_name, remote_host, remote_ip); |
| 295 | auth_debug_add("Your host '%.200s' is not " |
| 296 | "permitted to use this key for login.", |
| 297 | remote_host); |
| 298 | break; |
| 299 | } |
| 300 | /* deny access */ |
| 301 | return 0; |
| 302 | } |
| 303 | cp = "permitopen=\""; |
| 304 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 305 | char *host, *p; |
| 306 | int port; |
| 307 | char *patterns = xmalloc(strlen(opts) + 1); |
| 308 | |
| 309 | opts += strlen(cp); |
| 310 | i = 0; |
| 311 | while (*opts) { |
| 312 | if (*opts == '"') |
| 313 | break; |
| 314 | if (*opts == '\\' && opts[1] == '"') { |
| 315 | opts += 2; |
| 316 | patterns[i++] = '"'; |
| 317 | continue; |
| 318 | } |
| 319 | patterns[i++] = *opts++; |
| 320 | } |
| 321 | if (!*opts) { |
| 322 | debug("%.100s, line %lu: missing end quote", |
| 323 | file, linenum); |
| 324 | auth_debug_add("%.100s, line %lu: missing " |
| 325 | "end quote", file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 326 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 327 | goto bad_option; |
| 328 | } |
| 329 | patterns[i] = '\0'; |
| 330 | opts++; |
| 331 | p = patterns; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 332 | /* XXX - add streamlocal support */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 333 | host = hpdelim(&p); |
| 334 | if (host == NULL || strlen(host) >= NI_MAXHOST) { |
| 335 | debug("%.100s, line %lu: Bad permitopen " |
| 336 | "specification <%.100s>", file, linenum, |
| 337 | patterns); |
| 338 | auth_debug_add("%.100s, line %lu: " |
| 339 | "Bad permitopen specification", file, |
| 340 | linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 341 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 342 | goto bad_option; |
| 343 | } |
| 344 | host = cleanhostname(host); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 345 | if (p == NULL || (port = permitopen_port(p)) < 0) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 346 | debug("%.100s, line %lu: Bad permitopen port " |
| 347 | "<%.100s>", file, linenum, p ? p : ""); |
| 348 | auth_debug_add("%.100s, line %lu: " |
| 349 | "Bad permitopen port", file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 350 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 351 | goto bad_option; |
| 352 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 353 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 354 | channel_add_permitted_opens(host, port); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 355 | free(patterns); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 356 | goto next_option; |
| 357 | } |
| 358 | cp = "tunnel=\""; |
| 359 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 360 | char *tun = NULL; |
| 361 | opts += strlen(cp); |
| 362 | tun = xmalloc(strlen(opts) + 1); |
| 363 | i = 0; |
| 364 | while (*opts) { |
| 365 | if (*opts == '"') |
| 366 | break; |
| 367 | tun[i++] = *opts++; |
| 368 | } |
| 369 | if (!*opts) { |
| 370 | debug("%.100s, line %lu: missing end quote", |
| 371 | file, linenum); |
| 372 | auth_debug_add("%.100s, line %lu: missing end quote", |
| 373 | file, linenum); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 374 | free(tun); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 375 | forced_tun_device = -1; |
| 376 | goto bad_option; |
| 377 | } |
| 378 | tun[i] = '\0'; |
| 379 | forced_tun_device = a2tun(tun, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 380 | free(tun); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 381 | if (forced_tun_device == SSH_TUNID_ERR) { |
| 382 | debug("%.100s, line %lu: invalid tun device", |
| 383 | file, linenum); |
| 384 | auth_debug_add("%.100s, line %lu: invalid tun device", |
| 385 | file, linenum); |
| 386 | forced_tun_device = -1; |
| 387 | goto bad_option; |
| 388 | } |
| 389 | auth_debug_add("Forced tun device: %d", forced_tun_device); |
| 390 | opts++; |
| 391 | goto next_option; |
| 392 | } |
| 393 | next_option: |
| 394 | /* |
| 395 | * Skip the comma, and move to the next option |
| 396 | * (or break out if there are no more). |
| 397 | */ |
| 398 | if (!*opts) |
| 399 | fatal("Bugs in auth-options.c option processing."); |
| 400 | if (*opts == ' ' || *opts == '\t') |
| 401 | break; /* End of options. */ |
| 402 | if (*opts != ',') |
| 403 | goto bad_option; |
| 404 | opts++; |
| 405 | /* Process the next option. */ |
| 406 | } |
| 407 | |
| 408 | /* grant access */ |
| 409 | return 1; |
| 410 | |
| 411 | bad_option: |
| 412 | logit("Bad options in %.100s file, line %lu: %.50s", |
| 413 | file, linenum, opts); |
| 414 | auth_debug_add("Bad options in %.100s file, line %lu: %.50s", |
| 415 | file, linenum, opts); |
| 416 | |
| 417 | /* deny access */ |
| 418 | return 0; |
| 419 | } |
| 420 | |
| 421 | #define OPTIONS_CRITICAL 1 |
| 422 | #define OPTIONS_EXTENSIONS 2 |
| 423 | static int |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 424 | parse_option_list(struct sshbuf *oblob, struct passwd *pw, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 425 | u_int which, int crit, |
| 426 | int *cert_no_port_forwarding_flag, |
| 427 | int *cert_no_agent_forwarding_flag, |
| 428 | int *cert_no_x11_forwarding_flag, |
| 429 | int *cert_no_pty_flag, |
| 430 | int *cert_no_user_rc, |
| 431 | char **cert_forced_command, |
| 432 | int *cert_source_address_done) |
| 433 | { |
| 434 | char *command, *allowed; |
| 435 | const char *remote_ip; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 436 | char *name = NULL; |
| 437 | struct sshbuf *c = NULL, *data = NULL; |
| 438 | int r, ret = -1, result, found; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 439 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 440 | if ((c = sshbuf_fromb(oblob)) == NULL) { |
| 441 | error("%s: sshbuf_fromb failed", __func__); |
| 442 | goto out; |
| 443 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 444 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 445 | while (sshbuf_len(c) > 0) { |
| 446 | sshbuf_free(data); |
| 447 | data = NULL; |
| 448 | if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 || |
| 449 | (r = sshbuf_froms(c, &data)) != 0) { |
| 450 | error("Unable to parse certificate options: %s", |
| 451 | ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 452 | goto out; |
| 453 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 454 | debug3("found certificate option \"%.100s\" len %zu", |
| 455 | name, sshbuf_len(data)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 456 | found = 0; |
| 457 | if ((which & OPTIONS_EXTENSIONS) != 0) { |
| 458 | if (strcmp(name, "permit-X11-forwarding") == 0) { |
| 459 | *cert_no_x11_forwarding_flag = 0; |
| 460 | found = 1; |
| 461 | } else if (strcmp(name, |
| 462 | "permit-agent-forwarding") == 0) { |
| 463 | *cert_no_agent_forwarding_flag = 0; |
| 464 | found = 1; |
| 465 | } else if (strcmp(name, |
| 466 | "permit-port-forwarding") == 0) { |
| 467 | *cert_no_port_forwarding_flag = 0; |
| 468 | found = 1; |
| 469 | } else if (strcmp(name, "permit-pty") == 0) { |
| 470 | *cert_no_pty_flag = 0; |
| 471 | found = 1; |
| 472 | } else if (strcmp(name, "permit-user-rc") == 0) { |
| 473 | *cert_no_user_rc = 0; |
| 474 | found = 1; |
| 475 | } |
| 476 | } |
| 477 | if (!found && (which & OPTIONS_CRITICAL) != 0) { |
| 478 | if (strcmp(name, "force-command") == 0) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 479 | if ((r = sshbuf_get_cstring(data, &command, |
| 480 | NULL)) != 0) { |
| 481 | error("Unable to parse \"%s\" " |
| 482 | "section: %s", name, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 483 | goto out; |
| 484 | } |
| 485 | if (*cert_forced_command != NULL) { |
| 486 | error("Certificate has multiple " |
| 487 | "force-command options"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 488 | free(command); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 489 | goto out; |
| 490 | } |
| 491 | *cert_forced_command = command; |
| 492 | found = 1; |
| 493 | } |
| 494 | if (strcmp(name, "source-address") == 0) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 495 | if ((r = sshbuf_get_cstring(data, &allowed, |
| 496 | NULL)) != 0) { |
| 497 | error("Unable to parse \"%s\" " |
| 498 | "section: %s", name, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 499 | goto out; |
| 500 | } |
| 501 | if ((*cert_source_address_done)++) { |
| 502 | error("Certificate has multiple " |
| 503 | "source-address options"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 504 | free(allowed); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 505 | goto out; |
| 506 | } |
| 507 | remote_ip = get_remote_ipaddr(); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 508 | result = addr_match_cidr_list(remote_ip, |
| 509 | allowed); |
| 510 | free(allowed); |
| 511 | switch (result) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 512 | case 1: |
| 513 | /* accepted */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 514 | break; |
| 515 | case 0: |
| 516 | /* no match */ |
| 517 | logit("Authentication tried for %.100s " |
| 518 | "with valid certificate but not " |
| 519 | "from a permitted host " |
| 520 | "(ip=%.200s).", pw->pw_name, |
| 521 | remote_ip); |
| 522 | auth_debug_add("Your address '%.200s' " |
| 523 | "is not permitted to use this " |
| 524 | "certificate for login.", |
| 525 | remote_ip); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 526 | goto out; |
| 527 | case -1: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 528 | default: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 529 | error("Certificate source-address " |
| 530 | "contents invalid"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 531 | goto out; |
| 532 | } |
| 533 | found = 1; |
| 534 | } |
| 535 | } |
| 536 | |
| 537 | if (!found) { |
| 538 | if (crit) { |
| 539 | error("Certificate critical option \"%s\" " |
| 540 | "is not supported", name); |
| 541 | goto out; |
| 542 | } else { |
| 543 | logit("Certificate extension \"%s\" " |
| 544 | "is not supported", name); |
| 545 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 546 | } else if (sshbuf_len(data) != 0) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 547 | error("Certificate option \"%s\" corrupt " |
| 548 | "(extra data)", name); |
| 549 | goto out; |
| 550 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 551 | free(name); |
| 552 | name = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 553 | } |
| 554 | /* successfully parsed all options */ |
| 555 | ret = 0; |
| 556 | |
| 557 | out: |
| 558 | if (ret != 0 && |
| 559 | cert_forced_command != NULL && |
| 560 | *cert_forced_command != NULL) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 561 | free(*cert_forced_command); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 562 | *cert_forced_command = NULL; |
| 563 | } |
| 564 | if (name != NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 565 | free(name); |
| 566 | sshbuf_free(data); |
| 567 | sshbuf_free(c); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 568 | return ret; |
| 569 | } |
| 570 | |
| 571 | /* |
| 572 | * Set options from critical certificate options. These supersede user key |
| 573 | * options so this must be called after auth_parse_options(). |
| 574 | */ |
| 575 | int |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 576 | auth_cert_options(struct sshkey *k, struct passwd *pw) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 577 | { |
| 578 | int cert_no_port_forwarding_flag = 1; |
| 579 | int cert_no_agent_forwarding_flag = 1; |
| 580 | int cert_no_x11_forwarding_flag = 1; |
| 581 | int cert_no_pty_flag = 1; |
| 582 | int cert_no_user_rc = 1; |
| 583 | char *cert_forced_command = NULL; |
| 584 | int cert_source_address_done = 0; |
| 585 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 586 | if (sshkey_cert_is_legacy(k)) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 587 | /* All options are in the one field for v00 certs */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 588 | if (parse_option_list(k->cert->critical, pw, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 589 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1, |
| 590 | &cert_no_port_forwarding_flag, |
| 591 | &cert_no_agent_forwarding_flag, |
| 592 | &cert_no_x11_forwarding_flag, |
| 593 | &cert_no_pty_flag, |
| 594 | &cert_no_user_rc, |
| 595 | &cert_forced_command, |
| 596 | &cert_source_address_done) == -1) |
| 597 | return -1; |
| 598 | } else { |
| 599 | /* Separate options and extensions for v01 certs */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 600 | if (parse_option_list(k->cert->critical, pw, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 601 | OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, |
| 602 | &cert_forced_command, |
| 603 | &cert_source_address_done) == -1) |
| 604 | return -1; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 605 | if (parse_option_list(k->cert->extensions, pw, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 606 | OPTIONS_EXTENSIONS, 1, |
| 607 | &cert_no_port_forwarding_flag, |
| 608 | &cert_no_agent_forwarding_flag, |
| 609 | &cert_no_x11_forwarding_flag, |
| 610 | &cert_no_pty_flag, |
| 611 | &cert_no_user_rc, |
| 612 | NULL, NULL) == -1) |
| 613 | return -1; |
| 614 | } |
| 615 | |
| 616 | no_port_forwarding_flag |= cert_no_port_forwarding_flag; |
| 617 | no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; |
| 618 | no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; |
| 619 | no_pty_flag |= cert_no_pty_flag; |
| 620 | no_user_rc |= cert_no_user_rc; |
| 621 | /* CA-specified forced command supersedes key option */ |
| 622 | if (cert_forced_command != NULL) { |
| 623 | if (forced_command != NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame^] | 624 | free(forced_command); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 625 | forced_command = cert_forced_command; |
| 626 | } |
| 627 | return 0; |
| 628 | } |
| 629 | |