blob: f3d9c9df820f921c4072a9ccc428cafe9c667ec5 [file] [log] [blame]
Damien Miller7acefbb2014-07-18 14:11:24 +10001/* $OpenBSD: auth-options.c,v 1.64 2014/07/15 15:54:14 millert Exp $ */
Damien Millere4340be2000-09-16 13:29:08 +11002/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
Damien Millere4340be2000-09-16 13:29:08 +11006 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
Damien Millerf6d9e222000-06-18 14:50:44 +100013#include "includes.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100014
Damien Miller9f2abc42006-07-10 20:53:08 +100015#include <sys/types.h>
16
Damien Millerb8fe89c2006-07-24 14:51:00 +100017#include <netdb.h>
Damien Miller9f2abc42006-07-10 20:53:08 +100018#include <pwd.h>
Damien Millere3476ed2006-07-24 14:13:33 +100019#include <string.h>
Damien Millerd7834352006-08-05 12:39:39 +100020#include <stdio.h>
21#include <stdarg.h>
Damien Miller9f2abc42006-07-10 20:53:08 +100022
Damien Millerb84886b2008-05-19 15:05:07 +100023#include "openbsd-compat/sys-queue.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100024#include "xmalloc.h"
25#include "match.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000026#include "log.h"
27#include "canohost.h"
Damien Millerd7834352006-08-05 12:39:39 +100028#include "buffer.h"
Damien Miller7acefbb2014-07-18 14:11:24 +100029#include "misc.h"
Ben Lindstromc7637672001-06-09 00:36:26 +000030#include "channels.h"
Damien Miller33804262001-02-04 23:20:18 +110031#include "servconf.h"
Damien Millerd7834352006-08-05 12:39:39 +100032#include "key.h"
Damien Miller4e270b02010-04-16 15:56:21 +100033#include "auth-options.h"
Damien Millerd7834352006-08-05 12:39:39 +100034#include "hostfile.h"
Ben Lindstroma574cda2002-05-15 16:16:14 +000035#include "auth.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100036
37/* Flags set authorized_keys flags */
38int no_port_forwarding_flag = 0;
39int no_agent_forwarding_flag = 0;
40int no_x11_forwarding_flag = 0;
41int no_pty_flag = 0;
Damien Miller95e80952008-03-27 11:03:05 +110042int no_user_rc = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +110043int key_is_cert_authority = 0;
Damien Millerf6d9e222000-06-18 14:50:44 +100044
45/* "command=" option. */
46char *forced_command = NULL;
47
48/* "environment=" options. */
49struct envstring *custom_environment = NULL;
50
Damien Millerd27b9472005-12-13 19:29:02 +110051/* "tunnel=" option. */
52int forced_tun_device = -1;
53
Damien Miller30da3442010-05-10 11:58:03 +100054/* "principals=" option. */
55char *authorized_principals = NULL;
56
Damien Miller33804262001-02-04 23:20:18 +110057extern ServerOptions options;
58
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000059void
Damien Miller874d77b2000-10-14 16:23:11 +110060auth_clear_options(void)
61{
62 no_agent_forwarding_flag = 0;
63 no_port_forwarding_flag = 0;
64 no_pty_flag = 0;
65 no_x11_forwarding_flag = 0;
Damien Miller95e80952008-03-27 11:03:05 +110066 no_user_rc = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +110067 key_is_cert_authority = 0;
Damien Miller874d77b2000-10-14 16:23:11 +110068 while (custom_environment) {
69 struct envstring *ce = custom_environment;
70 custom_environment = ce->next;
Darren Tuckera627d422013-06-02 07:31:17 +100071 free(ce->s);
72 free(ce);
Damien Miller874d77b2000-10-14 16:23:11 +110073 }
74 if (forced_command) {
Darren Tuckera627d422013-06-02 07:31:17 +100075 free(forced_command);
Damien Miller874d77b2000-10-14 16:23:11 +110076 forced_command = NULL;
77 }
Damien Miller30da3442010-05-10 11:58:03 +100078 if (authorized_principals) {
Darren Tuckera627d422013-06-02 07:31:17 +100079 free(authorized_principals);
Damien Miller30da3442010-05-10 11:58:03 +100080 authorized_principals = NULL;
81 }
Damien Millerd27b9472005-12-13 19:29:02 +110082 forced_tun_device = -1;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +000083 channel_clear_permitted_opens();
Damien Miller874d77b2000-10-14 16:23:11 +110084}
85
Ben Lindstrom226cfa02001-01-22 05:34:40 +000086/*
87 * return 1 if access is granted, 0 if not.
88 * side effect: sets key option flags
89 */
Damien Millerf6d9e222000-06-18 14:50:44 +100090int
Damien Miller33804262001-02-04 23:20:18 +110091auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
Damien Millerf6d9e222000-06-18 14:50:44 +100092{
93 const char *cp;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +000094 int i;
Damien Miller874d77b2000-10-14 16:23:11 +110095
96 /* reset options */
97 auth_clear_options();
98
Ben Lindstrom36d7bd02001-02-10 22:27:19 +000099 if (!opts)
100 return 1;
101
Damien Miller33804262001-02-04 23:20:18 +1100102 while (*opts && *opts != ' ' && *opts != '\t') {
Damien Miller0a80ca12010-02-27 07:55:05 +1100103 cp = "cert-authority";
104 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
105 key_is_cert_authority = 1;
106 opts += strlen(cp);
107 goto next_option;
108 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000109 cp = "no-port-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100110 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000111 auth_debug_add("Port forwarding disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000112 no_port_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100113 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000114 goto next_option;
115 }
116 cp = "no-agent-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100117 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000118 auth_debug_add("Agent forwarding disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000119 no_agent_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100120 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000121 goto next_option;
122 }
123 cp = "no-X11-forwarding";
Damien Miller33804262001-02-04 23:20:18 +1100124 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000125 auth_debug_add("X11 forwarding disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000126 no_x11_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100127 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000128 goto next_option;
129 }
130 cp = "no-pty";
Damien Miller33804262001-02-04 23:20:18 +1100131 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Ben Lindstroma574cda2002-05-15 16:16:14 +0000132 auth_debug_add("Pty allocation disabled.");
Damien Millerf6d9e222000-06-18 14:50:44 +1000133 no_pty_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +1100134 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000135 goto next_option;
136 }
Damien Miller95e80952008-03-27 11:03:05 +1100137 cp = "no-user-rc";
138 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
139 auth_debug_add("User rc file execution disabled.");
140 no_user_rc = 1;
141 opts += strlen(cp);
142 goto next_option;
143 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000144 cp = "command=\"";
Damien Miller33804262001-02-04 23:20:18 +1100145 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller33804262001-02-04 23:20:18 +1100146 opts += strlen(cp);
Damien Miller30da3442010-05-10 11:58:03 +1000147 if (forced_command != NULL)
Darren Tuckera627d422013-06-02 07:31:17 +1000148 free(forced_command);
Damien Miller33804262001-02-04 23:20:18 +1100149 forced_command = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000150 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100151 while (*opts) {
152 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000153 break;
Damien Miller33804262001-02-04 23:20:18 +1100154 if (*opts == '\\' && opts[1] == '"') {
155 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000156 forced_command[i++] = '"';
157 continue;
158 }
Damien Miller33804262001-02-04 23:20:18 +1100159 forced_command[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000160 }
Damien Miller33804262001-02-04 23:20:18 +1100161 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000162 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000163 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000164 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000165 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000166 free(forced_command);
Damien Miller056ddf72001-03-14 10:15:20 +1100167 forced_command = NULL;
168 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000169 }
Damien Miller98299262006-07-24 14:01:43 +1000170 forced_command[i] = '\0';
Damien Millerde53fd02011-01-06 22:44:18 +1100171 auth_debug_add("Forced command.");
Damien Miller33804262001-02-04 23:20:18 +1100172 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000173 goto next_option;
174 }
Damien Miller30da3442010-05-10 11:58:03 +1000175 cp = "principals=\"";
176 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
177 opts += strlen(cp);
178 if (authorized_principals != NULL)
Darren Tuckera627d422013-06-02 07:31:17 +1000179 free(authorized_principals);
Damien Miller30da3442010-05-10 11:58:03 +1000180 authorized_principals = xmalloc(strlen(opts) + 1);
181 i = 0;
182 while (*opts) {
183 if (*opts == '"')
184 break;
185 if (*opts == '\\' && opts[1] == '"') {
186 opts += 2;
187 authorized_principals[i++] = '"';
188 continue;
189 }
190 authorized_principals[i++] = *opts++;
191 }
192 if (!*opts) {
193 debug("%.100s, line %lu: missing end quote",
194 file, linenum);
195 auth_debug_add("%.100s, line %lu: missing end quote",
196 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000197 free(authorized_principals);
Damien Miller30da3442010-05-10 11:58:03 +1000198 authorized_principals = NULL;
199 goto bad_option;
200 }
201 authorized_principals[i] = '\0';
202 auth_debug_add("principals: %.900s",
203 authorized_principals);
204 opts++;
205 goto next_option;
206 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000207 cp = "environment=\"";
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000208 if (options.permit_user_env &&
209 strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000210 char *s;
211 struct envstring *new_envstring;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000212
Damien Miller33804262001-02-04 23:20:18 +1100213 opts += strlen(cp);
214 s = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000215 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100216 while (*opts) {
217 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000218 break;
Damien Miller33804262001-02-04 23:20:18 +1100219 if (*opts == '\\' && opts[1] == '"') {
220 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000221 s[i++] = '"';
222 continue;
223 }
Damien Miller33804262001-02-04 23:20:18 +1100224 s[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000225 }
Damien Miller33804262001-02-04 23:20:18 +1100226 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000227 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000228 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000229 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000230 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000231 free(s);
Damien Miller056ddf72001-03-14 10:15:20 +1100232 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000233 }
Damien Miller98299262006-07-24 14:01:43 +1000234 s[i] = '\0';
Ben Lindstroma574cda2002-05-15 16:16:14 +0000235 auth_debug_add("Adding to environment: %.900s", s);
Damien Millerf6d9e222000-06-18 14:50:44 +1000236 debug("Adding to environment: %.900s", s);
Damien Miller33804262001-02-04 23:20:18 +1100237 opts++;
Damien Miller6c81fee2013-11-08 12:19:55 +1100238 new_envstring = xcalloc(1, sizeof(struct envstring));
Damien Millerf6d9e222000-06-18 14:50:44 +1000239 new_envstring->s = s;
240 new_envstring->next = custom_environment;
241 custom_environment = new_envstring;
242 goto next_option;
243 }
244 cp = "from=\"";
Damien Miller33804262001-02-04 23:20:18 +1100245 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller33804262001-02-04 23:20:18 +1100246 const char *remote_ip = get_remote_ipaddr();
247 const char *remote_host = get_canonical_hostname(
Damien Miller3a961dc2003-06-03 10:25:48 +1000248 options.use_dns);
Damien Miller33804262001-02-04 23:20:18 +1100249 char *patterns = xmalloc(strlen(opts) + 1);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000250
Damien Miller33804262001-02-04 23:20:18 +1100251 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000252 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100253 while (*opts) {
254 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000255 break;
Damien Miller33804262001-02-04 23:20:18 +1100256 if (*opts == '\\' && opts[1] == '"') {
257 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000258 patterns[i++] = '"';
259 continue;
260 }
Damien Miller33804262001-02-04 23:20:18 +1100261 patterns[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000262 }
Damien Miller33804262001-02-04 23:20:18 +1100263 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000264 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000265 file, linenum);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000266 auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000267 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000268 free(patterns);
Damien Miller056ddf72001-03-14 10:15:20 +1100269 goto bad_option;
Damien Millerf6d9e222000-06-18 14:50:44 +1000270 }
Damien Miller98299262006-07-24 14:01:43 +1000271 patterns[i] = '\0';
Damien Miller33804262001-02-04 23:20:18 +1100272 opts++;
Darren Tucker896ad5a2008-06-11 09:34:46 +1000273 switch (match_host_and_ip(remote_host, remote_ip,
274 patterns)) {
275 case 1:
Darren Tuckera627d422013-06-02 07:31:17 +1000276 free(patterns);
Darren Tucker896ad5a2008-06-11 09:34:46 +1000277 /* Host name matches. */
278 goto next_option;
279 case -1:
280 debug("%.100s, line %lu: invalid criteria",
281 file, linenum);
282 auth_debug_add("%.100s, line %lu: "
283 "invalid criteria", file, linenum);
284 /* FALLTHROUGH */
285 case 0:
Darren Tuckera627d422013-06-02 07:31:17 +1000286 free(patterns);
Damien Miller996acd22003-04-09 20:59:48 +1000287 logit("Authentication tried for %.100s with "
Damien Miller33804262001-02-04 23:20:18 +1100288 "correct key but not from a permitted "
289 "host (host=%.200s, ip=%.200s).",
290 pw->pw_name, remote_host, remote_ip);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000291 auth_debug_add("Your host '%.200s' is not "
Damien Miller33804262001-02-04 23:20:18 +1100292 "permitted to use this key for login.",
293 remote_host);
Darren Tucker896ad5a2008-06-11 09:34:46 +1000294 break;
Damien Millerf6d9e222000-06-18 14:50:44 +1000295 }
Darren Tucker896ad5a2008-06-11 09:34:46 +1000296 /* deny access */
297 return 0;
Damien Millerf6d9e222000-06-18 14:50:44 +1000298 }
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000299 cp = "permitopen=\"";
300 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf91ee4c2005-03-01 21:24:33 +1100301 char *host, *p;
Damien Millere37dde02009-01-28 16:33:01 +1100302 int port;
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000303 char *patterns = xmalloc(strlen(opts) + 1);
304
305 opts += strlen(cp);
306 i = 0;
307 while (*opts) {
308 if (*opts == '"')
309 break;
310 if (*opts == '\\' && opts[1] == '"') {
311 opts += 2;
312 patterns[i++] = '"';
313 continue;
314 }
315 patterns[i++] = *opts++;
316 }
317 if (!*opts) {
318 debug("%.100s, line %lu: missing end quote",
319 file, linenum);
Damien Millerf91ee4c2005-03-01 21:24:33 +1100320 auth_debug_add("%.100s, line %lu: missing "
321 "end quote", file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000322 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000323 goto bad_option;
324 }
Damien Miller98299262006-07-24 14:01:43 +1000325 patterns[i] = '\0';
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000326 opts++;
Damien Millerf91ee4c2005-03-01 21:24:33 +1100327 p = patterns;
Damien Miller7acefbb2014-07-18 14:11:24 +1000328 /* XXX - add streamlocal support */
Damien Millerf91ee4c2005-03-01 21:24:33 +1100329 host = hpdelim(&p);
330 if (host == NULL || strlen(host) >= NI_MAXHOST) {
331 debug("%.100s, line %lu: Bad permitopen "
Darren Tucker90b9e022005-03-14 23:08:50 +1100332 "specification <%.100s>", file, linenum,
Damien Millerf91ee4c2005-03-01 21:24:33 +1100333 patterns);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000334 auth_debug_add("%.100s, line %lu: "
Damien Millerf91ee4c2005-03-01 21:24:33 +1100335 "Bad permitopen specification", file,
336 linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000337 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000338 goto bad_option;
339 }
Darren Tucker47eede72005-03-14 23:08:12 +1100340 host = cleanhostname(host);
Darren Tucker1338b9e2011-10-02 18:57:35 +1100341 if (p == NULL || (port = permitopen_port(p)) < 0) {
Damien Millerf91ee4c2005-03-01 21:24:33 +1100342 debug("%.100s, line %lu: Bad permitopen port "
343 "<%.100s>", file, linenum, p ? p : "");
Ben Lindstroma574cda2002-05-15 16:16:14 +0000344 auth_debug_add("%.100s, line %lu: "
Ben Lindstromd71ba572001-09-12 18:03:31 +0000345 "Bad permitopen port", file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000346 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000347 goto bad_option;
348 }
Damien Milleraa5b3f82012-12-03 09:50:54 +1100349 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
Ben Lindstromd71ba572001-09-12 18:03:31 +0000350 channel_add_permitted_opens(host, port);
Darren Tuckera627d422013-06-02 07:31:17 +1000351 free(patterns);
Ben Lindstrom7bb8b492001-03-17 00:47:54 +0000352 goto next_option;
353 }
Damien Millerd27b9472005-12-13 19:29:02 +1100354 cp = "tunnel=\"";
355 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
356 char *tun = NULL;
357 opts += strlen(cp);
358 tun = xmalloc(strlen(opts) + 1);
359 i = 0;
360 while (*opts) {
361 if (*opts == '"')
362 break;
363 tun[i++] = *opts++;
364 }
365 if (!*opts) {
366 debug("%.100s, line %lu: missing end quote",
367 file, linenum);
368 auth_debug_add("%.100s, line %lu: missing end quote",
369 file, linenum);
Darren Tuckera627d422013-06-02 07:31:17 +1000370 free(tun);
Damien Millerd27b9472005-12-13 19:29:02 +1100371 forced_tun_device = -1;
372 goto bad_option;
373 }
Damien Miller98299262006-07-24 14:01:43 +1000374 tun[i] = '\0';
Damien Millerd27b9472005-12-13 19:29:02 +1100375 forced_tun_device = a2tun(tun, NULL);
Darren Tuckera627d422013-06-02 07:31:17 +1000376 free(tun);
Damien Miller7b58e802005-12-13 19:33:19 +1100377 if (forced_tun_device == SSH_TUNID_ERR) {
Damien Millerd27b9472005-12-13 19:29:02 +1100378 debug("%.100s, line %lu: invalid tun device",
379 file, linenum);
380 auth_debug_add("%.100s, line %lu: invalid tun device",
381 file, linenum);
382 forced_tun_device = -1;
383 goto bad_option;
384 }
385 auth_debug_add("Forced tun device: %d", forced_tun_device);
386 opts++;
387 goto next_option;
388 }
Damien Millerf6d9e222000-06-18 14:50:44 +1000389next_option:
390 /*
391 * Skip the comma, and move to the next option
392 * (or break out if there are no more).
393 */
Damien Miller33804262001-02-04 23:20:18 +1100394 if (!*opts)
Damien Millerf6d9e222000-06-18 14:50:44 +1000395 fatal("Bugs in auth-options.c option processing.");
Damien Miller33804262001-02-04 23:20:18 +1100396 if (*opts == ' ' || *opts == '\t')
Damien Millerf6d9e222000-06-18 14:50:44 +1000397 break; /* End of options. */
Damien Miller33804262001-02-04 23:20:18 +1100398 if (*opts != ',')
Damien Millerf6d9e222000-06-18 14:50:44 +1000399 goto bad_option;
Damien Miller33804262001-02-04 23:20:18 +1100400 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000401 /* Process the next option. */
402 }
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000403
Damien Millerf6d9e222000-06-18 14:50:44 +1000404 /* grant access */
405 return 1;
406
407bad_option:
Damien Miller996acd22003-04-09 20:59:48 +1000408 logit("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100409 file, linenum, opts);
Ben Lindstroma574cda2002-05-15 16:16:14 +0000410 auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100411 file, linenum, opts);
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000412
Damien Millerf6d9e222000-06-18 14:50:44 +1000413 /* deny access */
414 return 0;
415}
Damien Miller0a80ca12010-02-27 07:55:05 +1100416
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000417#define OPTIONS_CRITICAL 1
418#define OPTIONS_EXTENSIONS 2
419static int
420parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
421 u_int which, int crit,
422 int *cert_no_port_forwarding_flag,
423 int *cert_no_agent_forwarding_flag,
424 int *cert_no_x11_forwarding_flag,
425 int *cert_no_pty_flag,
426 int *cert_no_user_rc,
427 char **cert_forced_command,
428 int *cert_source_address_done)
Damien Miller0a80ca12010-02-27 07:55:05 +1100429{
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000430 char *command, *allowed;
431 const char *remote_ip;
Damien Millerce986542013-07-18 16:12:44 +1000432 char *name = NULL;
433 u_char *data_blob = NULL;
Damien Miller41396572010-03-04 21:51:11 +1100434 u_int nlen, dlen, clen;
Damien Miller0a80ca12010-02-27 07:55:05 +1100435 Buffer c, data;
Damien Millerbf25d112013-12-29 17:44:56 +1100436 int ret = -1, result, found;
Damien Miller0a80ca12010-02-27 07:55:05 +1100437
438 buffer_init(&data);
439
440 /* Make copy to avoid altering original */
441 buffer_init(&c);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000442 buffer_append(&c, optblob, optblob_len);
Damien Miller0a80ca12010-02-27 07:55:05 +1100443
444 while (buffer_len(&c) > 0) {
Damien Millerda108ec2010-08-31 22:36:39 +1000445 if ((name = buffer_get_cstring_ret(&c, &nlen)) == NULL ||
Damien Miller41396572010-03-04 21:51:11 +1100446 (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) {
Damien Miller4e270b02010-04-16 15:56:21 +1000447 error("Certificate options corrupt");
Damien Miller0a80ca12010-02-27 07:55:05 +1100448 goto out;
449 }
Damien Miller41396572010-03-04 21:51:11 +1100450 buffer_append(&data, data_blob, dlen);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000451 debug3("found certificate option \"%.100s\" len %u",
Damien Miller41396572010-03-04 21:51:11 +1100452 name, dlen);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000453 found = 0;
454 if ((which & OPTIONS_EXTENSIONS) != 0) {
455 if (strcmp(name, "permit-X11-forwarding") == 0) {
456 *cert_no_x11_forwarding_flag = 0;
457 found = 1;
458 } else if (strcmp(name,
459 "permit-agent-forwarding") == 0) {
460 *cert_no_agent_forwarding_flag = 0;
461 found = 1;
462 } else if (strcmp(name,
463 "permit-port-forwarding") == 0) {
464 *cert_no_port_forwarding_flag = 0;
465 found = 1;
466 } else if (strcmp(name, "permit-pty") == 0) {
467 *cert_no_pty_flag = 0;
468 found = 1;
469 } else if (strcmp(name, "permit-user-rc") == 0) {
470 *cert_no_user_rc = 0;
471 found = 1;
Damien Miller0a80ca12010-02-27 07:55:05 +1100472 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000473 }
474 if (!found && (which & OPTIONS_CRITICAL) != 0) {
475 if (strcmp(name, "force-command") == 0) {
Damien Millerda108ec2010-08-31 22:36:39 +1000476 if ((command = buffer_get_cstring_ret(&data,
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000477 &clen)) == NULL) {
478 error("Certificate constraint \"%s\" "
479 "corrupt", name);
480 goto out;
481 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000482 if (*cert_forced_command != NULL) {
483 error("Certificate has multiple "
484 "force-command options");
Darren Tuckera627d422013-06-02 07:31:17 +1000485 free(command);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000486 goto out;
487 }
488 *cert_forced_command = command;
489 found = 1;
Damien Miller41396572010-03-04 21:51:11 +1100490 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000491 if (strcmp(name, "source-address") == 0) {
Damien Millerda108ec2010-08-31 22:36:39 +1000492 if ((allowed = buffer_get_cstring_ret(&data,
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000493 &clen)) == NULL) {
494 error("Certificate constraint "
495 "\"%s\" corrupt", name);
496 goto out;
497 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000498 if ((*cert_source_address_done)++) {
499 error("Certificate has multiple "
500 "source-address options");
Darren Tuckera627d422013-06-02 07:31:17 +1000501 free(allowed);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000502 goto out;
503 }
504 remote_ip = get_remote_ipaddr();
Damien Millerbf25d112013-12-29 17:44:56 +1100505 result = addr_match_cidr_list(remote_ip,
506 allowed);
507 free(allowed);
508 switch (result) {
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000509 case 1:
510 /* accepted */
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000511 break;
512 case 0:
513 /* no match */
514 logit("Authentication tried for %.100s "
515 "with valid certificate but not "
516 "from a permitted host "
517 "(ip=%.200s).", pw->pw_name,
518 remote_ip);
519 auth_debug_add("Your address '%.200s' "
520 "is not permitted to use this "
521 "certificate for login.",
522 remote_ip);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000523 goto out;
524 case -1:
Damien Millerbf25d112013-12-29 17:44:56 +1100525 default:
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000526 error("Certificate source-address "
527 "contents invalid");
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000528 goto out;
529 }
530 found = 1;
Damien Miller0a80ca12010-02-27 07:55:05 +1100531 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100532 }
533
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000534 if (!found) {
535 if (crit) {
536 error("Certificate critical option \"%s\" "
537 "is not supported", name);
538 goto out;
539 } else {
540 logit("Certificate extension \"%s\" "
541 "is not supported", name);
542 }
543 } else if (buffer_len(&data) != 0) {
544 error("Certificate option \"%s\" corrupt "
Damien Miller0a80ca12010-02-27 07:55:05 +1100545 "(extra data)", name);
546 goto out;
547 }
548 buffer_clear(&data);
Darren Tuckera627d422013-06-02 07:31:17 +1000549 free(name);
550 free(data_blob);
Damien Millerce986542013-07-18 16:12:44 +1000551 name = NULL;
552 data_blob = NULL;
Damien Miller0a80ca12010-02-27 07:55:05 +1100553 }
Damien Miller4e270b02010-04-16 15:56:21 +1000554 /* successfully parsed all options */
Damien Miller0a80ca12010-02-27 07:55:05 +1100555 ret = 0;
556
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000557 out:
558 if (ret != 0 &&
559 cert_forced_command != NULL &&
560 *cert_forced_command != NULL) {
Darren Tuckera627d422013-06-02 07:31:17 +1000561 free(*cert_forced_command);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000562 *cert_forced_command = NULL;
563 }
564 if (name != NULL)
Darren Tuckera627d422013-06-02 07:31:17 +1000565 free(name);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000566 if (data_blob != NULL)
Darren Tuckera627d422013-06-02 07:31:17 +1000567 free(data_blob);
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000568 buffer_free(&data);
569 buffer_free(&c);
570 return ret;
571}
572
573/*
574 * Set options from critical certificate options. These supersede user key
575 * options so this must be called after auth_parse_options().
576 */
577int
578auth_cert_options(Key *k, struct passwd *pw)
579{
580 int cert_no_port_forwarding_flag = 1;
581 int cert_no_agent_forwarding_flag = 1;
582 int cert_no_x11_forwarding_flag = 1;
583 int cert_no_pty_flag = 1;
584 int cert_no_user_rc = 1;
585 char *cert_forced_command = NULL;
586 int cert_source_address_done = 0;
587
588 if (key_cert_is_legacy(k)) {
589 /* All options are in the one field for v00 certs */
Damien Miller86687062014-07-02 15:28:02 +1000590 if (parse_option_list(buffer_ptr(k->cert->critical),
591 buffer_len(k->cert->critical), pw,
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000592 OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
593 &cert_no_port_forwarding_flag,
594 &cert_no_agent_forwarding_flag,
595 &cert_no_x11_forwarding_flag,
596 &cert_no_pty_flag,
597 &cert_no_user_rc,
598 &cert_forced_command,
599 &cert_source_address_done) == -1)
600 return -1;
601 } else {
602 /* Separate options and extensions for v01 certs */
Damien Miller86687062014-07-02 15:28:02 +1000603 if (parse_option_list(buffer_ptr(k->cert->critical),
604 buffer_len(k->cert->critical), pw,
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000605 OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
606 &cert_forced_command,
607 &cert_source_address_done) == -1)
608 return -1;
Damien Miller86687062014-07-02 15:28:02 +1000609 if (parse_option_list(buffer_ptr(k->cert->extensions),
610 buffer_len(k->cert->extensions), pw,
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000611 OPTIONS_EXTENSIONS, 1,
612 &cert_no_port_forwarding_flag,
613 &cert_no_agent_forwarding_flag,
614 &cert_no_x11_forwarding_flag,
615 &cert_no_pty_flag,
616 &cert_no_user_rc,
617 NULL, NULL) == -1)
618 return -1;
619 }
620
Damien Miller0a80ca12010-02-27 07:55:05 +1100621 no_port_forwarding_flag |= cert_no_port_forwarding_flag;
622 no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
623 no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
624 no_pty_flag |= cert_no_pty_flag;
625 no_user_rc |= cert_no_user_rc;
626 /* CA-specified forced command supersedes key option */
627 if (cert_forced_command != NULL) {
628 if (forced_command != NULL)
Darren Tuckera627d422013-06-02 07:31:17 +1000629 free(forced_command);
Damien Miller0a80ca12010-02-27 07:55:05 +1100630 forced_command = cert_forced_command;
631 }
Damien Millerd0e4a8e2010-05-21 14:58:32 +1000632 return 0;
Damien Miller0a80ca12010-02-27 07:55:05 +1100633}
634