Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 0a80ca190a39943029719facf7edb990def7ae62 / . / auth-options.c
blob: 396bda62f67c242efb4a53901b63b5b42b93c49d [file] [log] [blame]
Damien Miller0a80ca12010-02-27 07:55:05 +1100[diff] [blame^]1/* $OpenBSD: auth-options.c,v 1.45 2010/02/26 20:29:54 djm Exp $ */
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]13#include "includes.h"
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]14
Damien Miller9f2abc42006-07-10 20:53:08 +1000[diff] [blame]15#include <sys/types.h>
16
Damien Millerb8fe89c2006-07-24 14:51:00 +1000[diff] [blame]17#include <netdb.h>
Damien Miller9f2abc42006-07-10 20:53:08 +1000[diff] [blame]18#include <pwd.h>
Damien Millere3476ed2006-07-24 14:13:33 +1000[diff] [blame]19#include <string.h>
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]20#include <stdio.h>
21#include <stdarg.h>
Damien Miller9f2abc42006-07-10 20:53:08 +1000[diff] [blame]22
Damien Millerb84886b2008-05-19 15:05:07 +1000[diff] [blame]23#include "openbsd-compat/sys-queue.h"
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]24#include "xmalloc.h"
25#include "match.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]26#include "log.h"
27#include "canohost.h"
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]28#include "buffer.h"
Ben Lindstromc7637672001-06-09 00:36:26 +0000[diff] [blame]29#include "channels.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]30#include "auth-options.h"
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]31#include "servconf.h"
Ben Lindstromd71ba572001-09-12 18:03:31 +0000[diff] [blame]32#include "misc.h"
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]33#include "key.h"
34#include "hostfile.h"
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]35#include "auth.h"
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]36#ifdef GSSAPI
37#include "ssh-gss.h"
38#endif
39#include "monitor_wrap.h"
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]40
41/* Flags set authorized_keys flags */
42int no_port_forwarding_flag = 0;
43int no_agent_forwarding_flag = 0;
44int no_x11_forwarding_flag = 0;
45int no_pty_flag = 0;
Damien Miller95e80952008-03-27 11:03:05 +1100[diff] [blame]46int no_user_rc = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +1100[diff] [blame^]47int key_is_cert_authority = 0;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]48
49/* "command=" option. */
50char *forced_command = NULL;
51
52/* "environment=" options. */
53struct envstring *custom_environment = NULL;
54
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]55/* "tunnel=" option. */
56int forced_tun_device = -1;
57
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]58extern ServerOptions options;
59
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]60void
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]61auth_clear_options(void)
62{
63 no_agent_forwarding_flag = 0;
64 no_port_forwarding_flag = 0;
65 no_pty_flag = 0;
66 no_x11_forwarding_flag = 0;
Damien Miller95e80952008-03-27 11:03:05 +1100[diff] [blame]67 no_user_rc = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +1100[diff] [blame^]68 key_is_cert_authority = 0;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]69 while (custom_environment) {
70 struct envstring *ce = custom_environment;
71 custom_environment = ce->next;
72 xfree(ce->s);
73 xfree(ce);
74 }
75 if (forced_command) {
76 xfree(forced_command);
77 forced_command = NULL;
78 }
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]79 forced_tun_device = -1;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]80 channel_clear_permitted_opens();
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]81 auth_debug_reset();
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]82}
83
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]84/*
85 * return 1 if access is granted, 0 if not.
86 * side effect: sets key option flags
87 */
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]88int
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]89auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]90{
91 const char *cp;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]92 int i;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]93
94 /* reset options */
95 auth_clear_options();
96
Ben Lindstrom36d7bd02001-02-10 22:27:19 +0000[diff] [blame]97 if (!opts)
98 return 1;
99
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]100 while (*opts && *opts != ' ' && *opts != '\t') {
Damien Miller0a80ca12010-02-27 07:55:05 +1100[diff] [blame^]101 cp = "cert-authority";
102 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
103 key_is_cert_authority = 1;
104 opts += strlen(cp);
105 goto next_option;
106 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]107 cp = "no-port-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]108 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]109 auth_debug_add("Port forwarding disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]110 no_port_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]111 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]112 goto next_option;
113 }
114 cp = "no-agent-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]115 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]116 auth_debug_add("Agent forwarding disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]117 no_agent_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]118 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]119 goto next_option;
120 }
121 cp = "no-X11-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]122 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]123 auth_debug_add("X11 forwarding disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]124 no_x11_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]125 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]126 goto next_option;
127 }
128 cp = "no-pty";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]129 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]130 auth_debug_add("Pty allocation disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]131 no_pty_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]132 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]133 goto next_option;
134 }
Damien Miller95e80952008-03-27 11:03:05 +1100[diff] [blame]135 cp = "no-user-rc";
136 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
137 auth_debug_add("User rc file execution disabled.");
138 no_user_rc = 1;
139 opts += strlen(cp);
140 goto next_option;
141 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]142 cp = "command=\"";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]143 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]144 opts += strlen(cp);
145 forced_command = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]146 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]147 while (*opts) {
148 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]149 break;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]150 if (*opts == '\\' && opts[1] == '"') {
151 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]152 forced_command[i++] = '"';
153 continue;
154 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]155 forced_command[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]156 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]157 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]158 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]159 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]160 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]161 file, linenum);
Damien Miller056ddf72001-03-14 10:15:20 +1100[diff] [blame]162 xfree(forced_command);
163 forced_command = NULL;
164 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]165 }
Damien Miller98299262006-07-24 14:01:43 +1000[diff] [blame]166 forced_command[i] = '\0';
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]167 auth_debug_add("Forced command: %.900s", forced_command);
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]168 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]169 goto next_option;
170 }
171 cp = "environment=\"";
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000[diff] [blame]172 if (options.permit_user_env &&
173 strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]174 char *s;
175 struct envstring *new_envstring;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]176
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]177 opts += strlen(cp);
178 s = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]179 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]180 while (*opts) {
181 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]182 break;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]183 if (*opts == '\\' && opts[1] == '"') {
184 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]185 s[i++] = '"';
186 continue;
187 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]188 s[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]189 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]190 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]191 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]192 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]193 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]194 file, linenum);
Damien Miller056ddf72001-03-14 10:15:20 +1100[diff] [blame]195 xfree(s);
196 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]197 }
Damien Miller98299262006-07-24 14:01:43 +1000[diff] [blame]198 s[i] = '\0';
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]199 auth_debug_add("Adding to environment: %.900s", s);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]200 debug("Adding to environment: %.900s", s);
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]201 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]202 new_envstring = xmalloc(sizeof(struct envstring));
203 new_envstring->s = s;
204 new_envstring->next = custom_environment;
205 custom_environment = new_envstring;
206 goto next_option;
207 }
208 cp = "from=\"";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]209 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]210 const char *remote_ip = get_remote_ipaddr();
211 const char *remote_host = get_canonical_hostname(
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]212 options.use_dns);
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]213 char *patterns = xmalloc(strlen(opts) + 1);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]214
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]215 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]216 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]217 while (*opts) {
218 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]219 break;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]220 if (*opts == '\\' && opts[1] == '"') {
221 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]222 patterns[i++] = '"';
223 continue;
224 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]225 patterns[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]226 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]227 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]228 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]229 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]230 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]231 file, linenum);
Damien Miller056ddf72001-03-14 10:15:20 +1100[diff] [blame]232 xfree(patterns);
233 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]234 }
Damien Miller98299262006-07-24 14:01:43 +1000[diff] [blame]235 patterns[i] = '\0';
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]236 opts++;
Darren Tucker896ad5a2008-06-11 09:34:46 +1000[diff] [blame]237 switch (match_host_and_ip(remote_host, remote_ip,
238 patterns)) {
239 case 1:
240 xfree(patterns);
241 /* Host name matches. */
242 goto next_option;
243 case -1:
244 debug("%.100s, line %lu: invalid criteria",
245 file, linenum);
246 auth_debug_add("%.100s, line %lu: "
247 "invalid criteria", file, linenum);
248 /* FALLTHROUGH */
249 case 0:
Ben Lindstromf0c50292001-06-25 05:17:53 +0000[diff] [blame]250 xfree(patterns);
Damien Miller996acd22003-04-09 20:59:48 +1000[diff] [blame]251 logit("Authentication tried for %.100s with "
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]252 "correct key but not from a permitted "
253 "host (host=%.200s, ip=%.200s).",
254 pw->pw_name, remote_host, remote_ip);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]255 auth_debug_add("Your host '%.200s' is not "
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]256 "permitted to use this key for login.",
257 remote_host);
Darren Tucker896ad5a2008-06-11 09:34:46 +1000[diff] [blame]258 break;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]259 }
Darren Tucker896ad5a2008-06-11 09:34:46 +1000[diff] [blame]260 /* deny access */
261 return 0;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]262 }
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]263 cp = "permitopen=\"";
264 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]265 char *host, *p;
Damien Millere37dde02009-01-28 16:33:01 +1100[diff] [blame]266 int port;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]267 char *patterns = xmalloc(strlen(opts) + 1);
268
269 opts += strlen(cp);
270 i = 0;
271 while (*opts) {
272 if (*opts == '"')
273 break;
274 if (*opts == '\\' && opts[1] == '"') {
275 opts += 2;
276 patterns[i++] = '"';
277 continue;
278 }
279 patterns[i++] = *opts++;
280 }
281 if (!*opts) {
282 debug("%.100s, line %lu: missing end quote",
283 file, linenum);
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]284 auth_debug_add("%.100s, line %lu: missing "
285 "end quote", file, linenum);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]286 xfree(patterns);
287 goto bad_option;
288 }
Damien Miller98299262006-07-24 14:01:43 +1000[diff] [blame]289 patterns[i] = '\0';
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]290 opts++;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]291 p = patterns;
292 host = hpdelim(&p);
293 if (host == NULL || strlen(host) >= NI_MAXHOST) {
294 debug("%.100s, line %lu: Bad permitopen "
Darren Tucker90b9e022005-03-14 23:08:50 +1100[diff] [blame]295 "specification <%.100s>", file, linenum,
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]296 patterns);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]297 auth_debug_add("%.100s, line %lu: "
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]298 "Bad permitopen specification", file,
299 linenum);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]300 xfree(patterns);
301 goto bad_option;
302 }
Darren Tucker47eede72005-03-14 23:08:12 +1100[diff] [blame]303 host = cleanhostname(host);
Damien Millere37dde02009-01-28 16:33:01 +1100[diff] [blame]304 if (p == NULL || (port = a2port(p)) <= 0) {
Damien Millerf91ee4c2005-03-01 21:24:33 +1100[diff] [blame]305 debug("%.100s, line %lu: Bad permitopen port "
306 "<%.100s>", file, linenum, p ? p : "");
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]307 auth_debug_add("%.100s, line %lu: "
Ben Lindstromd71ba572001-09-12 18:03:31 +0000[diff] [blame]308 "Bad permitopen port", file, linenum);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]309 xfree(patterns);
310 goto bad_option;
311 }
Ben Lindstrom2d70f982001-03-19 00:13:46 +0000[diff] [blame]312 if (options.allow_tcp_forwarding)
Ben Lindstromd71ba572001-09-12 18:03:31 +0000[diff] [blame]313 channel_add_permitted_opens(host, port);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000[diff] [blame]314 xfree(patterns);
315 goto next_option;
316 }
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]317 cp = "tunnel=\"";
318 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
319 char *tun = NULL;
320 opts += strlen(cp);
321 tun = xmalloc(strlen(opts) + 1);
322 i = 0;
323 while (*opts) {
324 if (*opts == '"')
325 break;
326 tun[i++] = *opts++;
327 }
328 if (!*opts) {
329 debug("%.100s, line %lu: missing end quote",
330 file, linenum);
331 auth_debug_add("%.100s, line %lu: missing end quote",
332 file, linenum);
333 xfree(tun);
334 forced_tun_device = -1;
335 goto bad_option;
336 }
Damien Miller98299262006-07-24 14:01:43 +1000[diff] [blame]337 tun[i] = '\0';
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]338 forced_tun_device = a2tun(tun, NULL);
339 xfree(tun);
Damien Miller7b58e802005-12-13 19:33:19 +1100[diff] [blame]340 if (forced_tun_device == SSH_TUNID_ERR) {
Damien Millerd27b9472005-12-13 19:29:02 +1100[diff] [blame]341 debug("%.100s, line %lu: invalid tun device",
342 file, linenum);
343 auth_debug_add("%.100s, line %lu: invalid tun device",
344 file, linenum);
345 forced_tun_device = -1;
346 goto bad_option;
347 }
348 auth_debug_add("Forced tun device: %d", forced_tun_device);
349 opts++;
350 goto next_option;
351 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]352next_option:
353 /*
354 * Skip the comma, and move to the next option
355 * (or break out if there are no more).
356 */
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]357 if (!*opts)
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]358 fatal("Bugs in auth-options.c option processing.");
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]359 if (*opts == ' ' || *opts == '\t')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]360 break; /* End of options. */
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]361 if (*opts != ',')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]362 goto bad_option;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]363 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]364 /* Process the next option. */
365 }
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]366
367 if (!use_privsep)
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]368 auth_debug_send();
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]369
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]370 /* grant access */
371 return 1;
372
373bad_option:
Damien Miller996acd22003-04-09 20:59:48 +1000[diff] [blame]374 logit("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]375 file, linenum, opts);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]376 auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame]377 file, linenum, opts);
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]378
379 if (!use_privsep)
Ben Lindstroma574cda2002-05-15 16:16:14 +0000[diff] [blame]380 auth_debug_send();
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]381
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]382 /* deny access */
383 return 0;
384}
Damien Miller0a80ca12010-02-27 07:55:05 +1100[diff] [blame^]385
386/*
387 * Set options from certificate constraints. These supersede user key options
388 * so this must be called after auth_parse_options().
389 */
390int
391auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
392{
393 u_char *name = NULL, *data_blob = NULL;
394 u_int len;
395 Buffer c, data;
396 int ret = -1;
397
398 int cert_no_port_forwarding_flag = 1;
399 int cert_no_agent_forwarding_flag = 1;
400 int cert_no_x11_forwarding_flag = 1;
401 int cert_no_pty_flag = 1;
402 int cert_no_user_rc = 1;
403 char *cert_forced_command = NULL;
404 int cert_source_address_done = 0;
405
406 buffer_init(&data);
407
408 /* Make copy to avoid altering original */
409 buffer_init(&c);
410 buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig));
411
412 while (buffer_len(&c) > 0) {
413 if ((name = buffer_get_string_ret(&c, NULL)) == NULL ||
414 (data_blob = buffer_get_string_ret(&c, &len)) == NULL) {
415 error("Certificate constraints corrupt");
416 goto out;
417 }
418 buffer_append(&data, data_blob, len);
419 debug3("found certificate constraint \"%.100s\" len %u",
420 name, len);
421 if (strcmp(name, "permit-X11-forwarding") == 0)
422 cert_no_x11_forwarding_flag = 0;
423 else if (strcmp(name, "permit-agent-forwarding") == 0)
424 cert_no_agent_forwarding_flag = 0;
425 else if (strcmp(name, "permit-port-forwarding") == 0)
426 cert_no_port_forwarding_flag = 0;
427 else if (strcmp(name, "permit-pty") == 0)
428 cert_no_pty_flag = 0;
429 else if (strcmp(name, "permit-user-rc") == 0)
430 cert_no_user_rc = 0;
431 else if (strcmp(name, "force-command") == 0) {
432 char *command = buffer_get_string_ret(&data, NULL);
433
434 if (command == NULL) {
435 error("Certificate constraint \"%s\" corrupt",
436 name);
437 goto out;
438 }
439 if (cert_forced_command != NULL) {
440 error("Certificate has multiple "
441 "forced-command constraints");
442 xfree(command);
443 goto out;
444 }
445 cert_forced_command = command;
446 } else if (strcmp(name, "source-address") == 0) {
447 char *allowed = buffer_get_string_ret(&data, NULL);
448 const char *remote_ip = get_remote_ipaddr();
449
450 if (allowed == NULL) {
451 error("Certificate constraint \"%s\" corrupt",
452 name);
453 goto out;
454 }
455 if (cert_source_address_done++) {
456 error("Certificate has multiple "
457 "source-address constraints");
458 xfree(allowed);
459 goto out;
460 }
461 switch (addr_match_cidr_list(remote_ip, allowed)) {
462 case 1:
463 /* accepted */
464 xfree(allowed);
465 break;
466 case 0:
467 /* no match */
468 logit("Authentication tried for %.100s with "
469 "valid certificate but not from a "
470 "permitted host (ip=%.200s).",
471 pw->pw_name, remote_ip);
472 auth_debug_add("Your address '%.200s' is not "
473 "permitted to use this certificate for "
474 "login.", remote_ip);
475 xfree(allowed);
476 goto out;
477 case -1:
478 error("Certificate source-address contents "
479 "invalid");
480 xfree(allowed);
481 goto out;
482 }
483 } else {
484 error("Certificate constraint \"%s\" is not supported",
485 name);
486 goto out;
487 }
488
489 if (buffer_len(&data) != 0) {
490 error("Certificate constraint \"%s\" corrupt "
491 "(extra data)", name);
492 goto out;
493 }
494 buffer_clear(&data);
495 xfree(name);
496 xfree(data_blob);
497 name = data_blob = NULL;
498 }
499
500 /* successfully parsed all constraints */
501 ret = 0;
502
503 no_port_forwarding_flag |= cert_no_port_forwarding_flag;
504 no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
505 no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
506 no_pty_flag |= cert_no_pty_flag;
507 no_user_rc |= cert_no_user_rc;
508 /* CA-specified forced command supersedes key option */
509 if (cert_forced_command != NULL) {
510 if (forced_command != NULL)
511 xfree(forced_command);
512 forced_command = cert_forced_command;
513 }
514
515 out:
516 if (name != NULL)
517 xfree(name);
518 if (data_blob != NULL)
519 xfree(data_blob);
520 buffer_free(&data);
521 buffer_free(&c);
522 return ret;
523}
524