Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 33804263583e82fb7e6e36477fe63ebd14f15ecb / . / auth-options.c
blob: 04d2f085f62c58e6ad375bdac488db5e0fa7f43b [file] [log] [blame]
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]1/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]12#include "includes.h"
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]13RCSID("$OpenBSD: auth-options.c,v 1.12 2001/02/03 10:08:36 markus Exp $");
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]14
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]15#include "packet.h"
16#include "xmalloc.h"
17#include "match.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]18#include "log.h"
19#include "canohost.h"
20#include "auth-options.h"
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]21#include "servconf.h"
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]22
23/* Flags set authorized_keys flags */
24int no_port_forwarding_flag = 0;
25int no_agent_forwarding_flag = 0;
26int no_x11_forwarding_flag = 0;
27int no_pty_flag = 0;
28
29/* "command=" option. */
30char *forced_command = NULL;
31
32/* "environment=" options. */
33struct envstring *custom_environment = NULL;
34
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]35extern ServerOptions options;
36
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]37void
38auth_clear_options(void)
39{
40 no_agent_forwarding_flag = 0;
41 no_port_forwarding_flag = 0;
42 no_pty_flag = 0;
43 no_x11_forwarding_flag = 0;
44 while (custom_environment) {
45 struct envstring *ce = custom_environment;
46 custom_environment = ce->next;
47 xfree(ce->s);
48 xfree(ce);
49 }
50 if (forced_command) {
51 xfree(forced_command);
52 forced_command = NULL;
53 }
54}
55
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]56/*
57 * return 1 if access is granted, 0 if not.
58 * side effect: sets key option flags
59 */
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]60int
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]61auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]62{
63 const char *cp;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]64 if (!opts)
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]65 return 1;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]66
67 /* reset options */
68 auth_clear_options();
69
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]70 while (*opts && *opts != ' ' && *opts != '\t') {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]71 cp = "no-port-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]72 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]73 packet_send_debug("Port forwarding disabled.");
74 no_port_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]75 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]76 goto next_option;
77 }
78 cp = "no-agent-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]79 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]80 packet_send_debug("Agent forwarding disabled.");
81 no_agent_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]82 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]83 goto next_option;
84 }
85 cp = "no-X11-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]86 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]87 packet_send_debug("X11 forwarding disabled.");
88 no_x11_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]89 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]90 goto next_option;
91 }
92 cp = "no-pty";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]93 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]94 packet_send_debug("Pty allocation disabled.");
95 no_pty_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]96 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]97 goto next_option;
98 }
99 cp = "command=\"";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]100 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]101 int i;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]102 opts += strlen(cp);
103 forced_command = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]104 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]105 while (*opts) {
106 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]107 break;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]108 if (*opts == '\\' && opts[1] == '"') {
109 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]110 forced_command[i++] = '"';
111 continue;
112 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]113 forced_command[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]114 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]115 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]116 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]117 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]118 packet_send_debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]119 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]120 continue;
121 }
122 forced_command[i] = 0;
123 packet_send_debug("Forced command: %.900s", forced_command);
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]124 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]125 goto next_option;
126 }
127 cp = "environment=\"";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]128 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]129 int i;
130 char *s;
131 struct envstring *new_envstring;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]132 opts += strlen(cp);
133 s = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]134 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]135 while (*opts) {
136 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]137 break;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]138 if (*opts == '\\' && opts[1] == '"') {
139 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]140 s[i++] = '"';
141 continue;
142 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]143 s[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]144 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]145 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]146 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]147 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]148 packet_send_debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]149 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]150 continue;
151 }
152 s[i] = 0;
153 packet_send_debug("Adding to environment: %.900s", s);
154 debug("Adding to environment: %.900s", s);
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]155 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]156 new_envstring = xmalloc(sizeof(struct envstring));
157 new_envstring->s = s;
158 new_envstring->next = custom_environment;
159 custom_environment = new_envstring;
160 goto next_option;
161 }
162 cp = "from=\"";
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]163 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]164 int mname, mip;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]165 const char *remote_ip = get_remote_ipaddr();
166 const char *remote_host = get_canonical_hostname(
167 options.reverse_mapping_check);
168 char *patterns = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]169 int i;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]170 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]171 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]172 while (*opts) {
173 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]174 break;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]175 if (*opts == '\\' && opts[1] == '"') {
176 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]177 patterns[i++] = '"';
178 continue;
179 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]180 patterns[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]181 }
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]182 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]183 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]184 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]185 packet_send_debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]186 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]187 continue;
188 }
189 patterns[i] = 0;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]190 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]191 /*
192 * Deny access if we get a negative
193 * match for the hostname or the ip
194 * or if we get not match at all
195 */
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]196 mname = match_hostname(remote_host, patterns,
197 strlen(patterns));
198 mip = match_hostname(remote_ip, patterns,
199 strlen(patterns));
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]200 xfree(patterns);
201 if (mname == -1 || mip == -1 ||
202 (mname != 1 && mip != 1)) {
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]203 log("Authentication tried for %.100s with "
204 "correct key but not from a permitted "
205 "host (host=%.200s, ip=%.200s).",
206 pw->pw_name, remote_host, remote_ip);
207 packet_send_debug("Your host '%.200s' is not "
208 "permitted to use this key for login.",
209 remote_host);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]210 /* deny access */
211 return 0;
212 }
213 /* Host name matches. */
214 goto next_option;
215 }
216next_option:
217 /*
218 * Skip the comma, and move to the next option
219 * (or break out if there are no more).
220 */
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]221 if (!*opts)
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]222 fatal("Bugs in auth-options.c option processing.");
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]223 if (*opts == ' ' || *opts == '\t')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]224 break; /* End of options. */
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]225 if (*opts != ',')
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]226 goto bad_option;
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]227 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]228 /* Process the next option. */
229 }
230 /* grant access */
231 return 1;
232
233bad_option:
234 log("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]235 file, linenum, opts);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]236 packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100[diff] [blame^]237 file, linenum, opts);
Damien Millerf6d9e222000-06-18 14:50:44 +1000[diff] [blame]238 /* deny access */
239 return 0;
240}