blob: 04d2f085f62c58e6ad375bdac488db5e0fa7f43b [file] [log] [blame]
Damien Millere4340be2000-09-16 13:29:08 +11001/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Millere4340be2000-09-16 13:29:08 +11005 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
Damien Millerf6d9e222000-06-18 14:50:44 +100012#include "includes.h"
Damien Miller33804262001-02-04 23:20:18 +110013RCSID("$OpenBSD: auth-options.c,v 1.12 2001/02/03 10:08:36 markus Exp $");
Damien Millerf6d9e222000-06-18 14:50:44 +100014
Damien Millerf6d9e222000-06-18 14:50:44 +100015#include "packet.h"
16#include "xmalloc.h"
17#include "match.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000018#include "log.h"
19#include "canohost.h"
20#include "auth-options.h"
Damien Miller33804262001-02-04 23:20:18 +110021#include "servconf.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100022
23/* Flags set authorized_keys flags */
24int no_port_forwarding_flag = 0;
25int no_agent_forwarding_flag = 0;
26int no_x11_forwarding_flag = 0;
27int no_pty_flag = 0;
28
29/* "command=" option. */
30char *forced_command = NULL;
31
32/* "environment=" options. */
33struct envstring *custom_environment = NULL;
34
Damien Miller33804262001-02-04 23:20:18 +110035extern ServerOptions options;
36
Damien Miller874d77b2000-10-14 16:23:11 +110037void
38auth_clear_options(void)
39{
40 no_agent_forwarding_flag = 0;
41 no_port_forwarding_flag = 0;
42 no_pty_flag = 0;
43 no_x11_forwarding_flag = 0;
44 while (custom_environment) {
45 struct envstring *ce = custom_environment;
46 custom_environment = ce->next;
47 xfree(ce->s);
48 xfree(ce);
49 }
50 if (forced_command) {
51 xfree(forced_command);
52 forced_command = NULL;
53 }
54}
55
Ben Lindstrom226cfa02001-01-22 05:34:40 +000056/*
57 * return 1 if access is granted, 0 if not.
58 * side effect: sets key option flags
59 */
Damien Millerf6d9e222000-06-18 14:50:44 +100060int
Damien Miller33804262001-02-04 23:20:18 +110061auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
Damien Millerf6d9e222000-06-18 14:50:44 +100062{
63 const char *cp;
Damien Miller33804262001-02-04 23:20:18 +110064 if (!opts)
Damien Millerf6d9e222000-06-18 14:50:44 +100065 return 1;
Damien Miller874d77b2000-10-14 16:23:11 +110066
67 /* reset options */
68 auth_clear_options();
69
Damien Miller33804262001-02-04 23:20:18 +110070 while (*opts && *opts != ' ' && *opts != '\t') {
Damien Millerf6d9e222000-06-18 14:50:44 +100071 cp = "no-port-forwarding";
Damien Miller33804262001-02-04 23:20:18 +110072 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +100073 packet_send_debug("Port forwarding disabled.");
74 no_port_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +110075 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +100076 goto next_option;
77 }
78 cp = "no-agent-forwarding";
Damien Miller33804262001-02-04 23:20:18 +110079 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +100080 packet_send_debug("Agent forwarding disabled.");
81 no_agent_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +110082 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +100083 goto next_option;
84 }
85 cp = "no-X11-forwarding";
Damien Miller33804262001-02-04 23:20:18 +110086 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +100087 packet_send_debug("X11 forwarding disabled.");
88 no_x11_forwarding_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +110089 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +100090 goto next_option;
91 }
92 cp = "no-pty";
Damien Miller33804262001-02-04 23:20:18 +110093 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +100094 packet_send_debug("Pty allocation disabled.");
95 no_pty_flag = 1;
Damien Miller33804262001-02-04 23:20:18 +110096 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +100097 goto next_option;
98 }
99 cp = "command=\"";
Damien Miller33804262001-02-04 23:20:18 +1100100 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000101 int i;
Damien Miller33804262001-02-04 23:20:18 +1100102 opts += strlen(cp);
103 forced_command = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000104 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100105 while (*opts) {
106 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000107 break;
Damien Miller33804262001-02-04 23:20:18 +1100108 if (*opts == '\\' && opts[1] == '"') {
109 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000110 forced_command[i++] = '"';
111 continue;
112 }
Damien Miller33804262001-02-04 23:20:18 +1100113 forced_command[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000114 }
Damien Miller33804262001-02-04 23:20:18 +1100115 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000116 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000117 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000118 packet_send_debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000119 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000120 continue;
121 }
122 forced_command[i] = 0;
123 packet_send_debug("Forced command: %.900s", forced_command);
Damien Miller33804262001-02-04 23:20:18 +1100124 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000125 goto next_option;
126 }
127 cp = "environment=\"";
Damien Miller33804262001-02-04 23:20:18 +1100128 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000129 int i;
130 char *s;
131 struct envstring *new_envstring;
Damien Miller33804262001-02-04 23:20:18 +1100132 opts += strlen(cp);
133 s = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000134 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100135 while (*opts) {
136 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000137 break;
Damien Miller33804262001-02-04 23:20:18 +1100138 if (*opts == '\\' && opts[1] == '"') {
139 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000140 s[i++] = '"';
141 continue;
142 }
Damien Miller33804262001-02-04 23:20:18 +1100143 s[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000144 }
Damien Miller33804262001-02-04 23:20:18 +1100145 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000146 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000147 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000148 packet_send_debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000149 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000150 continue;
151 }
152 s[i] = 0;
153 packet_send_debug("Adding to environment: %.900s", s);
154 debug("Adding to environment: %.900s", s);
Damien Miller33804262001-02-04 23:20:18 +1100155 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000156 new_envstring = xmalloc(sizeof(struct envstring));
157 new_envstring->s = s;
158 new_envstring->next = custom_environment;
159 custom_environment = new_envstring;
160 goto next_option;
161 }
162 cp = "from=\"";
Damien Miller33804262001-02-04 23:20:18 +1100163 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000164 int mname, mip;
Damien Miller33804262001-02-04 23:20:18 +1100165 const char *remote_ip = get_remote_ipaddr();
166 const char *remote_host = get_canonical_hostname(
167 options.reverse_mapping_check);
168 char *patterns = xmalloc(strlen(opts) + 1);
Damien Millerf6d9e222000-06-18 14:50:44 +1000169 int i;
Damien Miller33804262001-02-04 23:20:18 +1100170 opts += strlen(cp);
Damien Millerf6d9e222000-06-18 14:50:44 +1000171 i = 0;
Damien Miller33804262001-02-04 23:20:18 +1100172 while (*opts) {
173 if (*opts == '"')
Damien Millerf6d9e222000-06-18 14:50:44 +1000174 break;
Damien Miller33804262001-02-04 23:20:18 +1100175 if (*opts == '\\' && opts[1] == '"') {
176 opts += 2;
Damien Millerf6d9e222000-06-18 14:50:44 +1000177 patterns[i++] = '"';
178 continue;
179 }
Damien Miller33804262001-02-04 23:20:18 +1100180 patterns[i++] = *opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000181 }
Damien Miller33804262001-02-04 23:20:18 +1100182 if (!*opts) {
Damien Millerf6d9e222000-06-18 14:50:44 +1000183 debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000184 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000185 packet_send_debug("%.100s, line %lu: missing end quote",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000186 file, linenum);
Damien Millerf6d9e222000-06-18 14:50:44 +1000187 continue;
188 }
189 patterns[i] = 0;
Damien Miller33804262001-02-04 23:20:18 +1100190 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000191 /*
192 * Deny access if we get a negative
193 * match for the hostname or the ip
194 * or if we get not match at all
195 */
Damien Miller33804262001-02-04 23:20:18 +1100196 mname = match_hostname(remote_host, patterns,
197 strlen(patterns));
198 mip = match_hostname(remote_ip, patterns,
199 strlen(patterns));
Damien Millerf6d9e222000-06-18 14:50:44 +1000200 xfree(patterns);
201 if (mname == -1 || mip == -1 ||
202 (mname != 1 && mip != 1)) {
Damien Miller33804262001-02-04 23:20:18 +1100203 log("Authentication tried for %.100s with "
204 "correct key but not from a permitted "
205 "host (host=%.200s, ip=%.200s).",
206 pw->pw_name, remote_host, remote_ip);
207 packet_send_debug("Your host '%.200s' is not "
208 "permitted to use this key for login.",
209 remote_host);
Damien Millerf6d9e222000-06-18 14:50:44 +1000210 /* deny access */
211 return 0;
212 }
213 /* Host name matches. */
214 goto next_option;
215 }
216next_option:
217 /*
218 * Skip the comma, and move to the next option
219 * (or break out if there are no more).
220 */
Damien Miller33804262001-02-04 23:20:18 +1100221 if (!*opts)
Damien Millerf6d9e222000-06-18 14:50:44 +1000222 fatal("Bugs in auth-options.c option processing.");
Damien Miller33804262001-02-04 23:20:18 +1100223 if (*opts == ' ' || *opts == '\t')
Damien Millerf6d9e222000-06-18 14:50:44 +1000224 break; /* End of options. */
Damien Miller33804262001-02-04 23:20:18 +1100225 if (*opts != ',')
Damien Millerf6d9e222000-06-18 14:50:44 +1000226 goto bad_option;
Damien Miller33804262001-02-04 23:20:18 +1100227 opts++;
Damien Millerf6d9e222000-06-18 14:50:44 +1000228 /* Process the next option. */
229 }
230 /* grant access */
231 return 1;
232
233bad_option:
234 log("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100235 file, linenum, opts);
Damien Millerf6d9e222000-06-18 14:50:44 +1000236 packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
Damien Miller33804262001-02-04 23:20:18 +1100237 file, linenum, opts);
Damien Millerf6d9e222000-06-18 14:50:44 +1000238 /* deny access */
239 return 0;
240}