blob: b399b91e3906384170443246436cb068641047e4 [file] [log] [blame]
djm@openbsd.org95767262016-03-07 19:02:43 +00001/* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */
Damien Millere4340be2000-09-16 13:29:08 +11002/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
Damien Millere4340be2000-09-16 13:29:08 +11006 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
Damien Millerf6d9e222000-06-18 14:50:44 +100013#include "includes.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100014
Damien Miller9f2abc42006-07-10 20:53:08 +100015#include <sys/types.h>
16
Damien Millerb8fe89c2006-07-24 14:51:00 +100017#include <netdb.h>
Damien Miller9f2abc42006-07-10 20:53:08 +100018#include <pwd.h>
Damien Millere3476ed2006-07-24 14:13:33 +100019#include <string.h>
Damien Millerd7834352006-08-05 12:39:39 +100020#include <stdio.h>
21#include <stdarg.h>
Damien Miller9f2abc42006-07-10 20:53:08 +100022
Damien Millerb84886b2008-05-19 15:05:07 +100023#include "openbsd-compat/sys-queue.h"
markus@openbsd.orgae8b4632015-01-14 10:30:34 +000024
25#include "key.h" /* XXX for typedef */
26#include "buffer.h" /* XXX for typedef */
Damien Millerf6d9e222000-06-18 14:50:44 +100027#include "xmalloc.h"
28#include "match.h"
markus@openbsd.orgae8b4632015-01-14 10:30:34 +000029#include "ssherr.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000030#include "log.h"
31#include "canohost.h"
djm@openbsd.org95767262016-03-07 19:02:43 +000032#include "packet.h"
markus@openbsd.orgae8b4632015-01-14 10:30:34 +000033#include "sshbuf.h"
Damien Miller7acefbb2014-07-18 14:11:24 +100034#include "misc.h"
Ben Lindstromc7637672001-06-09 00:36:26 +000035#include "channels.h"
Damien Miller33804262001-02-04 23:20:18 +110036#include "servconf.h"
markus@openbsd.orgae8b4632015-01-14 10:30:34 +000037#include "sshkey.h"
Damien Miller4e270b02010-04-16 15:56:21 +100038#include "auth-options.h"
Damien Millerd7834352006-08-05 12:39:39 +100039#include "hostfile.h"
Ben Lindstroma574cda2002-05-15 16:16:14 +000040#include "auth.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100041
42/* Flags set authorized_keys flags */
43int no_port_forwarding_flag = 0;
44int no_agent_forwarding_flag = 0;
45int no_x11_forwarding_flag = 0;
46int no_pty_flag = 0;
Damien Miller95e80952008-03-27 11:03:05 +110047int no_user_rc = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +110048int key_is_cert_authority = 0;
Damien Millerf6d9e222000-06-18 14:50:44 +100049
50/* "command=" option. */
51char *forced_command = NULL;
52
53/* "environment=" options. */
54struct envstring *custom_environment = NULL;
55
Damien Millerd27b9472005-12-13 19:29:02 +110056/* "tunnel=" option. */
57int forced_tun_device = -1;
58
Damien Miller30da3442010-05-10 11:58:03 +100059/* "principals=" option. */
60char *authorized_principals = NULL;
61
Damien Miller33804262001-02-04 23:20:18 +110062extern ServerOptions options;
63
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000064void
Damien Miller874d77b2000-10-14 16:23:11 +110065auth_clear_options(void)
66{
67 no_agent_forwarding_flag = 0;
68 no_port_forwarding_flag = 0;
69 no_pty_flag = 0;
70 no_x11_forwarding_flag = 0;
Damien Miller95e80952008-03-27 11:03:05 +110071 no_user_rc = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +110072 key_is_cert_authority = 0;
Damien Miller874d77b2000-10-14 16:23:11 +110073 while (custom_environment) {
74 struct envstring *ce = custom_environment;
75 custom_environment = ce->next;
Darren Tuckera627d422013-06-02 07:31:17 +100076 free(ce->s);
77 free(ce);
Damien Miller874d77b2000-10-14 16:23:11 +110078 }
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +000079 free(forced_command);
80 forced_command = NULL;
81 free(authorized_principals);
82 authorized_principals = NULL;
Damien Millerd27b9472005-12-13 19:29:02 +110083 forced_tun_device = -1;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +000084 channel_clear_permitted_opens();
Damien Miller874d77b2000-10-14 16:23:11 +110085}
86
Ben Lindstrom226cfa02001-01-22 05:34:40 +000087/*
djm@openbsd.org383f10f2015-11-16 00:30:02 +000088 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
89 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
90 * if negated option matches.
91 * If the option or negated option matches, then *optsp is updated to
92 * point to the first character after the option and, if 'msg' is not NULL
93 * then a message based on it added via auth_debug_add().
94 */
95static int
96match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
97{
98 size_t opt_len = strlen(opt);
99 char *opts = *optsp;
100 int negate = 0;
101
102 if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
103 opts += 3;
104 negate = 1;
105 }
106 if (strncasecmp(opts, opt, opt_len) == 0) {
107 *optsp = opts + opt_len;
108 if (msg != NULL) {
109 auth_debug_add("%s %s.", msg,
110 negate ? "disabled" : "enabled");
111 }
112 return negate ? 0 : 1;
113 }
114 return -1;
115}
116
117/*
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000118 * return 1 if access is granted, 0 if not.
119 * side effect: sets key option flags
120 */
Damien Millerf6d9e222000-06-18 14:50:44 +1000121int
Damien Miller33804262001-02-04 23:20:18 +1100122auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
Damien Millerf6d9e222000-06-18 14:50:44 +1000123{
djm@openbsd.org95767262016-03-07 19:02:43 +0000124 struct ssh *ssh = active_state; /* XXX */
Damien Millerf6d9e222000-06-18 14:50:44 +1000125 const char *cp;
djm@openbsd.org383f10f2015-11-16 00:30:02 +0000126 int i, r;
Damien Miller874d77b2000-10-14 16:23:11 +1100127
128 /* reset options */
129 auth_clear_options();
130
Ben Lindstrom36d7bd02001-02-10 22:27:19 +0000131 if (!opts)
132 return 1;
133
Damien Miller33804262001-02-04 23:20:18 +1100134 while (*opts && *opts != ' ' && *opts != '\t') {
djm@openbsd.org383f10f2015-11-16 00:30:02 +0000135 if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
136 key_is_cert_authority = r;
Damien Miller0a80ca12010-02-27 07:55:05 +1100137 goto next_option;
138 }
djm@openbsd.org383f10f2015-11-16 00:30:02 +0000139 if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
140 auth_debug_add("Key is restricted.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000141 no_port_forwarding_flag = 1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000142 no_agent_forwarding_flag = 1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000143 no_x11_forwarding_flag = 1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000144 no_pty_flag = 1;
djm@openbsd.org383f10f2015-11-16 00:30:02 +0000145 no_user_rc = 1;
Damien Millerf6d9e222000-06-18 14:50:44 +1000146 goto next_option;
147 }
djm@openbsd.org383f10f2015-11-16 00:30:02 +0000148 if ((r = match_flag("port-forwarding", 1, &opts,
149 "Port forwarding")) != -1) {
150 no_port_forwarding_flag = r != 1;
151 goto next_option;
152 }
153 if ((r = match_flag("agent-forwarding", 1, &opts,
154 "Agent forwarding")) != -1) {
155 no_agent_forwarding_flag = r != 1;
156 goto next_option;
157 }
158 if ((r = match_flag("x11-forwarding", 1, &opts,
159 "X11 forwarding")) != -1) {
160 no_x11_forwarding_flag = r != 1;
161 goto next_option;
162 }
163 if ((r = match_flag("pty", 1, &opts,
164 "PTY allocation")) != -1) {
165 no_pty_flag = r != 1;
166 goto next_option;
167 }
168 if ((r = match_flag("user-rc", 1, &opts,
169 "User rc execution")) != -1) {
170 no_user_rc = r != 1;
Damien Miller95e80952008-03-27 11:03:05 +1100171 goto next_option;
172 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000173 cp = "command=\"";
Damien Miller33804262001-02-04 23:20:18 +1100174 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller33804262001-02-04 23:20:18 +1100175 opts += strlen(cp);
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +0000176 free(forced_command);
Damien Miller33804262001-02-04 23:20:18 +1100177 forced_command = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000178 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100179 while (*opts) {
180 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000181 break;
Damien Miller33804262001-02-04 23:20:18 +1100182 if (*opts == '\\' && opts[1] == '"') {
183 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000184 forced_command[i++] = '"';
185 continue;
186 }
Damien Miller33804262001-02-04 23:20:18 +1100187 forced_command[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000188 }
Damien Miller33804262001-02-04 23:20:18 +1100189 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000190 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000191 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000192 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000193 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000194 free(forced_command);
Damien Miller056ddf72001-03-14 10:15:20 +1100195 forced_command = NULL;
196 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000197 }
Damien Miller98299262006-07-24 14:01:43 +1000198 forced_command[i] = '\0';
Damien Millerde53fd02011-01-06 22:44:18 +1100199 auth_debug_add("Forced command.");
Damien Miller33804262001-02-04 23:20:18 +1100200 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000201 goto next_option;
202 }
Damien Miller30da3442010-05-10 11:58:03 +1000203 cp = "principals=\"";
204 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
205 opts += strlen(cp);
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +0000206 free(authorized_principals);
Damien Miller30da3442010-05-10 11:58:03 +1000207 authorized_principals = xmalloc(strlen(opts) + 1);
208 i = 0;
209 while (*opts) {
210 if (*opts == '"')
211 break;
212 if (*opts == '\\' && opts[1] == '"') {
213 opts += 2;
214 authorized_principals[i++] = '"';
215 continue;
216 }
217 authorized_principals[i++] = *opts++;
218 }
219 if (!*opts) {
220 debug("%.100s, line %lu: missing end quote",
221 file, linenum);
222 auth_debug_add("%.100s, line %lu: missing end quote",
223 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000224 free(authorized_principals);
Damien Miller30da3442010-05-10 11:58:03 +1000225 authorized_principals = NULL;
226 goto bad_option;
227 }
228 authorized_principals[i] = '\0';
229 auth_debug_add("principals: %.900s",
230 authorized_principals);
231 opts++;
232 goto next_option;
233 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000234 cp = "environment=\"";
djm@openbsd.orga42d67b2015-05-01 03:20:54 +0000235 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000236 char *s;
237 struct envstring *new_envstring;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000238
Damien Miller33804262001-02-04 23:20:18 +1100239 opts += strlen(cp);
240 s = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000241 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100242 while (*opts) {
243 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000244 break;
Damien Miller33804262001-02-04 23:20:18 +1100245 if (*opts == '\\' && opts[1] == '"') {
246 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000247 s[i++] = '"';
248 continue;
249 }
Damien Miller33804262001-02-04 23:20:18 +1100250 s[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000251 }
Damien Miller33804262001-02-04 23:20:18 +1100252 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000253 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000254 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000255 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000256 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000257 free(s);
Damien Miller056ddf72001-03-14 10:15:20 +1100258 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000259 }
Damien Miller98299262006-07-24 14:01:43 +1000260 s[i] = '\0';
Damien Miller33804262001-02-04 23:20:18 +1100261 opts++;
djm@openbsd.orga42d67b2015-05-01 03:20:54 +0000262 if (options.permit_user_env) {
263 auth_debug_add("Adding to environment: "
264 "%.900s", s);
265 debug("Adding to environment: %.900s", s);
266 new_envstring = xcalloc(1,
267 sizeof(*new_envstring));
268 new_envstring->s = s;
269 new_envstring->next = custom_environment;
270 custom_environment = new_envstring;
271 s = NULL;
272 }
273 free(s);
Damien Millerf6d9e222000-06-18 14:50:44 +1000274 goto next_option;
275 }
276 cp = "from=\"";
Damien Miller33804262001-02-04 23:20:18 +1100277 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
djm@openbsd.org95767262016-03-07 19:02:43 +0000278 const char *remote_ip = ssh_remote_ipaddr(ssh);
279 const char *remote_host = auth_get_canonical_hostname(
280 ssh, options.use_dns);
Damien Miller33804262001-02-04 23:20:18 +1100281 char *patterns = xmalloc(strlen(opts) + 1);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000282
Damien Miller33804262001-02-04 23:20:18 +1100283 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000284 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100285 while (*opts) {
286 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000287 break;
Damien Miller33804262001-02-04 23:20:18 +1100288 if (*opts == '\\' && opts[1] == '"') {
289 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000290 patterns[i++] = '"';
291 continue;
292 }
Damien Miller33804262001-02-04 23:20:18 +1100293 patterns[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000294 }
Damien Miller33804262001-02-04 23:20:18 +1100295 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000296 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000297 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000298 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000299 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000300 free(patterns);
Damien Miller056ddf72001-03-14 10:15:20 +1100301 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000302 }
Damien Miller98299262006-07-24 14:01:43 +1000303 patterns[i] = '\0';
Damien Miller33804262001-02-04 23:20:18 +1100304 opts++;
Darren Tucker896ad5a2008-06-11 09:34:46 +1000305 switch (match_host_and_ip(remote_host, remote_ip,
306 patterns)) {
307 case 1:
Darren Tuckera627d422013-06-02 07:31:17 +1000308 free(patterns);
Darren Tucker896ad5a2008-06-11 09:34:46 +1000309 /* Host name matches. */
310 goto next_option;
311 case -1:
312 debug("%.100s, line %lu: invalid criteria",
313 file, linenum);
314 auth_debug_add("%.100s, line %lu: "
315 "invalid criteria", file, linenum);
316 /* FALLTHROUGH */
317 case 0:
Darren Tuckera627d422013-06-02 07:31:17 +1000318 free(patterns);
Damien Miller996acd22003-04-09 20:59:48 +1000319 logit("Authentication tried for %.100s with "
Damien Miller33804262001-02-04 23:20:18 +1100320 "correct key but not from a permitted "
321 "host (host=%.200s, ip=%.200s).",
322 pw->pw_name, remote_host, remote_ip);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000323 auth_debug_add("Your host '%.200s' is not "
Damien Miller33804262001-02-04 23:20:18 +1100324 "permitted to use this key for login.",
325 remote_host);
Darren Tucker896ad5a2008-06-11 09:34:46 +1000326 break;
Damien Millerf6d9e222000-06-18 14:50:44 +1000327 }
Darren Tucker896ad5a2008-06-11 09:34:46 +1000328 /* deny access */
329 return 0;
Damien Millerf6d9e222000-06-18 14:50:44 +1000330 }
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000331 cp = "permitopen=\"";
332 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf91ee4c2005-03-01 21:24:33 +1100333 char *host, *p;
Damien Millere37dde02009-01-28 16:33:01 +1100334 int port;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000335 char *patterns = xmalloc(strlen(opts) + 1);
336
337 opts += strlen(cp);
338 i = 0;
339 while (*opts) {
340 if (*opts == '"')
341 break;
342 if (*opts == '\\' && opts[1] == '"') {
343 opts += 2;
344 patterns[i++] = '"';
345 continue;
346 }
347 patterns[i++] = *opts++;
348 }
349 if (!*opts) {
350 debug("%.100s, line %lu: missing end quote",
351 file, linenum);
Damien Millerf91ee4c2005-03-01 21:24:33 +1100352 auth_debug_add("%.100s, line %lu: missing "
353 "end quote", file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000354 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000355 goto bad_option;
356 }
Damien Miller98299262006-07-24 14:01:43 +1000357 patterns[i] = '\0';
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000358 opts++;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100359 p = patterns;
Damien Miller7acefbb2014-07-18 14:11:24 +1000360 /* XXX - add streamlocal support */
Damien Millerf91ee4c2005-03-01 21:24:33 +1100361 host = hpdelim(&p);
362 if (host == NULL || strlen(host) >= NI_MAXHOST) {
363 debug("%.100s, line %lu: Bad permitopen "
Darren Tucker90b9e022005-03-14 23:08:50 +1100364 "specification <%.100s>", file, linenum,
Damien Millerf91ee4c2005-03-01 21:24:33 +1100365 patterns);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000366 auth_debug_add("%.100s, line %lu: "
Damien Millerf91ee4c2005-03-01 21:24:33 +1100367 "Bad permitopen specification", file,
368 linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000369 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000370 goto bad_option;
371 }
Darren Tucker47eede72005-03-14 23:08:12 +1100372 host = cleanhostname(host);
Darren Tucker1338b9e2011-10-02 18:57:35 +1100373 if (p == NULL || (port = permitopen_port(p)) < 0) {
Damien Millerf91ee4c2005-03-01 21:24:33 +1100374 debug("%.100s, line %lu: Bad permitopen port "
375 "<%.100s>", file, linenum, p ? p : "");
Ben Lindstroma574cda2002-05-15 16:16:14 +0000376 auth_debug_add("%.100s, line %lu: "
Ben Lindstromd71ba572001-09-12 18:03:31 +0000377 "Bad permitopen port", file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000378 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000379 goto bad_option;
380 }
Damien Milleraa5b3f82012-12-03 09:50:54 +1100381 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
Ben Lindstromd71ba572001-09-12 18:03:31 +0000382 channel_add_permitted_opens(host, port);
Darren Tuckera627d422013-06-02 07:31:17 +1000383 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000384 goto next_option;
385 }
Damien Millerd27b9472005-12-13 19:29:02 +1100386 cp = "tunnel=\"";
387 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
388 char *tun = NULL;
389 opts += strlen(cp);
390 tun = xmalloc(strlen(opts) + 1);
391 i = 0;
392 while (*opts) {
393 if (*opts == '"')
394 break;
395 tun[i++] = *opts++;
396 }
397 if (!*opts) {
398 debug("%.100s, line %lu: missing end quote",
399 file, linenum);
400 auth_debug_add("%.100s, line %lu: missing end quote",
401 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000402 free(tun);
Damien Millerd27b9472005-12-13 19:29:02 +1100403 forced_tun_device = -1;
404 goto bad_option;
405 }
Damien Miller98299262006-07-24 14:01:43 +1000406 tun[i] = '\0';
Damien Millerd27b9472005-12-13 19:29:02 +1100407 forced_tun_device = a2tun(tun, NULL);
Darren Tuckera627d422013-06-02 07:31:17 +1000408 free(tun);
Damien Miller7b58e802005-12-13 19:33:19 +1100409 if (forced_tun_device == SSH_TUNID_ERR) {
Damien Millerd27b9472005-12-13 19:29:02 +1100410 debug("%.100s, line %lu: invalid tun device",
411 file, linenum);
412 auth_debug_add("%.100s, line %lu: invalid tun device",
413 file, linenum);
414 forced_tun_device = -1;
415 goto bad_option;
416 }
417 auth_debug_add("Forced tun device: %d", forced_tun_device);
418 opts++;
419 goto next_option;
420 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000421next_option:
422 /*
423 * Skip the comma, and move to the next option
424 * (or break out if there are no more).
425 */
Damien Miller33804262001-02-04 23:20:18 +1100426 if (!*opts)
Damien Millerf6d9e222000-06-18 14:50:44 +1000427 fatal("Bugs in auth-options.c option processing.");
Damien Miller33804262001-02-04 23:20:18 +1100428 if (*opts == ' ' || *opts == '\t')
Damien Millerf6d9e222000-06-18 14:50:44 +1000429 break; /* End of options. */
Damien Miller33804262001-02-04 23:20:18 +1100430 if (*opts != ',')
Damien Millerf6d9e222000-06-18 14:50:44 +1000431 goto bad_option;
Damien Miller33804262001-02-04 23:20:18 +1100432 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000433 /* Process the next option. */
434 }
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000435
Damien Millerf6d9e222000-06-18 14:50:44 +1000436 /* grant access */
437 return 1;
438
439bad_option:
Damien Miller996acd22003-04-09 20:59:48 +1000440 logit("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100441 file, linenum, opts);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000442 auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100443 file, linenum, opts);
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000444
Damien Millerf6d9e222000-06-18 14:50:44 +1000445 /* deny access */
446 return 0;
447}
Damien Miller0a80ca12010-02-27 07:55:05 +1100448
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000449#define OPTIONS_CRITICAL 1
450#define OPTIONS_EXTENSIONS 2
451static int
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000452parse_option_list(struct sshbuf *oblob, struct passwd *pw,
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000453 u_int which, int crit,
454 int *cert_no_port_forwarding_flag,
455 int *cert_no_agent_forwarding_flag,
456 int *cert_no_x11_forwarding_flag,
457 int *cert_no_pty_flag,
458 int *cert_no_user_rc,
459 char **cert_forced_command,
460 int *cert_source_address_done)
Damien Miller0a80ca12010-02-27 07:55:05 +1100461{
djm@openbsd.org95767262016-03-07 19:02:43 +0000462 struct ssh *ssh = active_state; /* XXX */
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000463 char *command, *allowed;
464 const char *remote_ip;
Damien Millerce986542013-07-18 16:12:44 +1000465 char *name = NULL;
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000466 struct sshbuf *c = NULL, *data = NULL;
467 int r, ret = -1, result, found;
Damien Miller0a80ca12010-02-27 07:55:05 +1100468
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000469 if ((c = sshbuf_fromb(oblob)) == NULL) {
470 error("%s: sshbuf_fromb failed", __func__);
471 goto out;
472 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100473
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000474 while (sshbuf_len(c) > 0) {
475 sshbuf_free(data);
476 data = NULL;
477 if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
478 (r = sshbuf_froms(c, &data)) != 0) {
479 error("Unable to parse certificate options: %s",
480 ssh_err(r));
Damien Miller0a80ca12010-02-27 07:55:05 +1100481 goto out;
482 }
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000483 debug3("found certificate option \"%.100s\" len %zu",
484 name, sshbuf_len(data));
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000485 found = 0;
486 if ((which & OPTIONS_EXTENSIONS) != 0) {
487 if (strcmp(name, "permit-X11-forwarding") == 0) {
488 *cert_no_x11_forwarding_flag = 0;
489 found = 1;
490 } else if (strcmp(name,
491 "permit-agent-forwarding") == 0) {
492 *cert_no_agent_forwarding_flag = 0;
493 found = 1;
494 } else if (strcmp(name,
495 "permit-port-forwarding") == 0) {
496 *cert_no_port_forwarding_flag = 0;
497 found = 1;
498 } else if (strcmp(name, "permit-pty") == 0) {
499 *cert_no_pty_flag = 0;
500 found = 1;
501 } else if (strcmp(name, "permit-user-rc") == 0) {
502 *cert_no_user_rc = 0;
503 found = 1;
Damien Miller0a80ca12010-02-27 07:55:05 +1100504 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000505 }
506 if (!found && (which & OPTIONS_CRITICAL) != 0) {
507 if (strcmp(name, "force-command") == 0) {
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000508 if ((r = sshbuf_get_cstring(data, &command,
509 NULL)) != 0) {
510 error("Unable to parse \"%s\" "
511 "section: %s", name, ssh_err(r));
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000512 goto out;
513 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000514 if (*cert_forced_command != NULL) {
515 error("Certificate has multiple "
516 "force-command options");
Darren Tuckera627d422013-06-02 07:31:17 +1000517 free(command);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000518 goto out;
519 }
520 *cert_forced_command = command;
521 found = 1;
Damien Miller41396572010-03-04 21:51:11 +1100522 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000523 if (strcmp(name, "source-address") == 0) {
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000524 if ((r = sshbuf_get_cstring(data, &allowed,
525 NULL)) != 0) {
526 error("Unable to parse \"%s\" "
527 "section: %s", name, ssh_err(r));
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000528 goto out;
529 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000530 if ((*cert_source_address_done)++) {
531 error("Certificate has multiple "
532 "source-address options");
Darren Tuckera627d422013-06-02 07:31:17 +1000533 free(allowed);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000534 goto out;
535 }
djm@openbsd.org95767262016-03-07 19:02:43 +0000536 remote_ip = ssh_remote_ipaddr(ssh);
Damien Millerbf25d112013-12-29 17:44:56 +1100537 result = addr_match_cidr_list(remote_ip,
538 allowed);
539 free(allowed);
540 switch (result) {
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000541 case 1:
542 /* accepted */
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000543 break;
544 case 0:
545 /* no match */
546 logit("Authentication tried for %.100s "
547 "with valid certificate but not "
548 "from a permitted host "
549 "(ip=%.200s).", pw->pw_name,
550 remote_ip);
551 auth_debug_add("Your address '%.200s' "
552 "is not permitted to use this "
553 "certificate for login.",
554 remote_ip);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000555 goto out;
556 case -1:
Damien Millerbf25d112013-12-29 17:44:56 +1100557 default:
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000558 error("Certificate source-address "
559 "contents invalid");
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000560 goto out;
561 }
562 found = 1;
Damien Miller0a80ca12010-02-27 07:55:05 +1100563 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100564 }
565
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000566 if (!found) {
567 if (crit) {
568 error("Certificate critical option \"%s\" "
569 "is not supported", name);
570 goto out;
571 } else {
572 logit("Certificate extension \"%s\" "
573 "is not supported", name);
574 }
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000575 } else if (sshbuf_len(data) != 0) {
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000576 error("Certificate option \"%s\" corrupt "
Damien Miller0a80ca12010-02-27 07:55:05 +1100577 "(extra data)", name);
578 goto out;
579 }
Darren Tuckera627d422013-06-02 07:31:17 +1000580 free(name);
Damien Millerce986542013-07-18 16:12:44 +1000581 name = NULL;
Damien Miller0a80ca12010-02-27 07:55:05 +1100582 }
Damien Miller4e270b02010-04-16 15:56:21 +1000583 /* successfully parsed all options */
Damien Miller0a80ca12010-02-27 07:55:05 +1100584 ret = 0;
585
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000586 out:
587 if (ret != 0 &&
588 cert_forced_command != NULL &&
589 *cert_forced_command != NULL) {
Darren Tuckera627d422013-06-02 07:31:17 +1000590 free(*cert_forced_command);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000591 *cert_forced_command = NULL;
592 }
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +0000593 free(name);
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000594 sshbuf_free(data);
595 sshbuf_free(c);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000596 return ret;
597}
598
599/*
600 * Set options from critical certificate options. These supersede user key
601 * options so this must be called after auth_parse_options().
602 */
603int
markus@openbsd.orgae8b4632015-01-14 10:30:34 +0000604auth_cert_options(struct sshkey *k, struct passwd *pw)
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000605{
606 int cert_no_port_forwarding_flag = 1;
607 int cert_no_agent_forwarding_flag = 1;
608 int cert_no_x11_forwarding_flag = 1;
609 int cert_no_pty_flag = 1;
610 int cert_no_user_rc = 1;
611 char *cert_forced_command = NULL;
612 int cert_source_address_done = 0;
613
djm@openbsd.orgc28fc622015-07-03 03:43:18 +0000614 /* Separate options and extensions for v01 certs */
615 if (parse_option_list(k->cert->critical, pw,
616 OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
617 &cert_forced_command,
618 &cert_source_address_done) == -1)
619 return -1;
620 if (parse_option_list(k->cert->extensions, pw,
621 OPTIONS_EXTENSIONS, 0,
622 &cert_no_port_forwarding_flag,
623 &cert_no_agent_forwarding_flag,
624 &cert_no_x11_forwarding_flag,
625 &cert_no_pty_flag,
626 &cert_no_user_rc,
627 NULL, NULL) == -1)
628 return -1;
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000629
Damien Miller0a80ca12010-02-27 07:55:05 +1100630 no_port_forwarding_flag |= cert_no_port_forwarding_flag;
631 no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
632 no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
633 no_pty_flag |= cert_no_pty_flag;
634 no_user_rc |= cert_no_user_rc;
635 /* CA-specified forced command supersedes key option */
636 if (cert_forced_command != NULL) {
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +0000637 free(forced_command);
Damien Miller0a80ca12010-02-27 07:55:05 +1100638 forced_command = cert_forced_command;
639 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000640 return 0;
Damien Miller0a80ca12010-02-27 07:55:05 +1100641}
642