Blame - auth-options.c - platform/external/openssh

blob: edbaf80bbf0921b6597eb28c131e8fbef18a72ab [file] [log] [blame]

mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame^]	1	/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	2	/*
				3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
				4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
				5	* All rights reserved
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	6	* As far as I am concerned, the code I have written for this software
				7	* can be used freely for any purpose. Any derived versions of this
				8	* software must be clearly marked as such, and if the derived work is
				9	* incompatible with the protocol description in the RFC file, it must be
				10	* called by a name other than "ssh" or "Secure Shell".
				11	*/
				12
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	13	#include "includes.h"
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	14
Damien Miller	9f2abc4	2006-07-10 20:53:08 +1000	[diff] [blame]	15	#include <sys/types.h>
				16
Damien Miller	b8fe89c	2006-07-24 14:51:00 +1000	[diff] [blame]	17	#include <netdb.h>
Damien Miller	9f2abc4	2006-07-10 20:53:08 +1000	[diff] [blame]	18	#include <pwd.h>
Damien Miller	e3476ed	2006-07-24 14:13:33 +1000	[diff] [blame]	19	#include <string.h>
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	20	#include <stdio.h>
				21	#include <stdarg.h>
Damien Miller	9f2abc4	2006-07-10 20:53:08 +1000	[diff] [blame]	22
Damien Miller	b84886b	2008-05-19 15:05:07 +1000	[diff] [blame]	23	#include "openbsd-compat/sys-queue.h"
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	24
				25	#include "key.h" /* XXX for typedef */
				26	#include "buffer.h" /* XXX for typedef */
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	27	#include "xmalloc.h"
				28	#include "match.h"
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	29	#include "ssherr.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	30	#include "log.h"
				31	#include "canohost.h"
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	32	#include "sshbuf.h"
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	33	#include "misc.h"
Ben Lindstrom	c763767	2001-06-09 00:36:26 +0000	[diff] [blame]	34	#include "channels.h"
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	35	#include "servconf.h"
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	36	#include "sshkey.h"
Damien Miller	4e270b0	2010-04-16 15:56:21 +1000	[diff] [blame]	37	#include "auth-options.h"
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	38	#include "hostfile.h"
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	39	#include "auth.h"
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	40
				41	/* Flags set authorized_keys flags */
				42	int no_port_forwarding_flag = 0;
				43	int no_agent_forwarding_flag = 0;
				44	int no_x11_forwarding_flag = 0;
				45	int no_pty_flag = 0;
Damien Miller	95e8095	2008-03-27 11:03:05 +1100	[diff] [blame]	46	int no_user_rc = 0;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	47	int key_is_cert_authority = 0;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	48
				49	/* "command=" option. */
				50	char *forced_command = NULL;
				51
				52	/* "environment=" options. */
				53	struct envstring *custom_environment = NULL;
				54
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	55	/* "tunnel=" option. */
				56	int forced_tun_device = -1;
				57
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	58	/* "principals=" option. */
				59	char *authorized_principals = NULL;
				60
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	61	extern ServerOptions options;
				62
Ben Lindstrom	7a2073c	2002-03-22 02:30:41 +0000	[diff] [blame]	63	void
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	64	auth_clear_options(void)
				65	{
				66	no_agent_forwarding_flag = 0;
				67	no_port_forwarding_flag = 0;
				68	no_pty_flag = 0;
				69	no_x11_forwarding_flag = 0;
Damien Miller	95e8095	2008-03-27 11:03:05 +1100	[diff] [blame]	70	no_user_rc = 0;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	71	key_is_cert_authority = 0;
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	72	while (custom_environment) {
				73	struct envstring *ce = custom_environment;
				74	custom_environment = ce->next;
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	75	free(ce->s);
				76	free(ce);
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	77	}
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame^]	78	free(forced_command);
				79	forced_command = NULL;
				80	free(authorized_principals);
				81	authorized_principals = NULL;
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	82	forced_tun_device = -1;
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	83	channel_clear_permitted_opens();
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	84	}
				85
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	86	/*
djm@openbsd.org	383f10f	2015-11-16 00:30:02 +0000	[diff] [blame]	87	* Match flag 'opt' in *optsp, and if allow_negate is set then also match
				88	* 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
				89	* if negated option matches.
				90	* If the option or negated option matches, then *optsp is updated to
				91	* point to the first character after the option and, if 'msg' is not NULL
				92	* then a message based on it added via auth_debug_add().
				93	*/
				94	static int
				95	match_flag(const char opt, int allow_negate, char optsp, const char msg)
				96	{
				97	size_t opt_len = strlen(opt);
				98	char opts = optsp;
				99	int negate = 0;
				100
				101	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
				102	opts += 3;
				103	negate = 1;
				104	}
				105	if (strncasecmp(opts, opt, opt_len) == 0) {
				106	*optsp = opts + opt_len;
				107	if (msg != NULL) {
				108	auth_debug_add("%s %s.", msg,
				109	negate ? "disabled" : "enabled");
				110	}
				111	return negate ? 0 : 1;
				112	}
				113	return -1;
				114	}
				115
				116	/*
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	117	* return 1 if access is granted, 0 if not.
				118	* side effect: sets key option flags
				119	*/
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	120	int
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	121	auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum)
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	122	{
				123	const char *cp;
djm@openbsd.org	383f10f	2015-11-16 00:30:02 +0000	[diff] [blame]	124	int i, r;
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	125
				126	/* reset options */
				127	auth_clear_options();
				128
Ben Lindstrom	36d7bd0	2001-02-10 22:27:19 +0000	[diff] [blame]	129	if (!opts)
				130	return 1;
				131
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	132	while (opts && opts != ' ' && *opts != '\t') {
djm@openbsd.org	383f10f	2015-11-16 00:30:02 +0000	[diff] [blame]	133	if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
				134	key_is_cert_authority = r;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	135	goto next_option;
				136	}
djm@openbsd.org	383f10f	2015-11-16 00:30:02 +0000	[diff] [blame]	137	if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
				138	auth_debug_add("Key is restricted.");
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	139	no_port_forwarding_flag = 1;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	140	no_agent_forwarding_flag = 1;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	141	no_x11_forwarding_flag = 1;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	142	no_pty_flag = 1;
djm@openbsd.org	383f10f	2015-11-16 00:30:02 +0000	[diff] [blame]	143	no_user_rc = 1;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	144	goto next_option;
				145	}
djm@openbsd.org	383f10f	2015-11-16 00:30:02 +0000	[diff] [blame]	146	if ((r = match_flag("port-forwarding", 1, &opts,
				147	"Port forwarding")) != -1) {
				148	no_port_forwarding_flag = r != 1;
				149	goto next_option;
				150	}
				151	if ((r = match_flag("agent-forwarding", 1, &opts,
				152	"Agent forwarding")) != -1) {
				153	no_agent_forwarding_flag = r != 1;
				154	goto next_option;
				155	}
				156	if ((r = match_flag("x11-forwarding", 1, &opts,
				157	"X11 forwarding")) != -1) {
				158	no_x11_forwarding_flag = r != 1;
				159	goto next_option;
				160	}
				161	if ((r = match_flag("pty", 1, &opts,
				162	"PTY allocation")) != -1) {
				163	no_pty_flag = r != 1;
				164	goto next_option;
				165	}
				166	if ((r = match_flag("user-rc", 1, &opts,
				167	"User rc execution")) != -1) {
				168	no_user_rc = r != 1;
Damien Miller	95e8095	2008-03-27 11:03:05 +1100	[diff] [blame]	169	goto next_option;
				170	}
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	171	cp = "command=\"";
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	172	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	173	opts += strlen(cp);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame^]	174	free(forced_command);
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	175	forced_command = xmalloc(strlen(opts) + 1);
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	176	i = 0;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	177	while (*opts) {
				178	if (*opts == '"')
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	179	break;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	180	if (*opts == '\\' && opts[1] == '"') {
				181	opts += 2;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	182	forced_command[i++] = '"';
				183	continue;
				184	}
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	185	forced_command[i++] = *opts++;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	186	}
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	187	if (!*opts) {
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	188	debug("%.100s, line %lu: missing end quote",
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	189	file, linenum);
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	190	auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	191	file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	192	free(forced_command);
Damien Miller	056ddf7	2001-03-14 10:15:20 +1100	[diff] [blame]	193	forced_command = NULL;
				194	goto bad_option;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	195	}
Damien Miller	9829926	2006-07-24 14:01:43 +1000	[diff] [blame]	196	forced_command[i] = '\0';
Damien Miller	de53fd0	2011-01-06 22:44:18 +1100	[diff] [blame]	197	auth_debug_add("Forced command.");
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	198	opts++;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	199	goto next_option;
				200	}
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	201	cp = "principals=\"";
				202	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
				203	opts += strlen(cp);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame^]	204	free(authorized_principals);
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	205	authorized_principals = xmalloc(strlen(opts) + 1);
				206	i = 0;
				207	while (*opts) {
				208	if (*opts == '"')
				209	break;
				210	if (*opts == '\\' && opts[1] == '"') {
				211	opts += 2;
				212	authorized_principals[i++] = '"';
				213	continue;
				214	}
				215	authorized_principals[i++] = *opts++;
				216	}
				217	if (!*opts) {
				218	debug("%.100s, line %lu: missing end quote",
				219	file, linenum);
				220	auth_debug_add("%.100s, line %lu: missing end quote",
				221	file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	222	free(authorized_principals);
Damien Miller	30da344	2010-05-10 11:58:03 +1000	[diff] [blame]	223	authorized_principals = NULL;
				224	goto bad_option;
				225	}
				226	authorized_principals[i] = '\0';
				227	auth_debug_add("principals: %.900s",
				228	authorized_principals);
				229	opts++;
				230	goto next_option;
				231	}
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	232	cp = "environment=\"";
djm@openbsd.org	a42d67b	2015-05-01 03:20:54 +0000	[diff] [blame]	233	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	234	char *s;
				235	struct envstring *new_envstring;
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	236
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	237	opts += strlen(cp);
				238	s = xmalloc(strlen(opts) + 1);
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	239	i = 0;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	240	while (*opts) {
				241	if (*opts == '"')
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	242	break;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	243	if (*opts == '\\' && opts[1] == '"') {
				244	opts += 2;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	245	s[i++] = '"';
				246	continue;
				247	}
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	248	s[i++] = *opts++;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	249	}
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	250	if (!*opts) {
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	251	debug("%.100s, line %lu: missing end quote",
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	252	file, linenum);
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	253	auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	254	file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	255	free(s);
Damien Miller	056ddf7	2001-03-14 10:15:20 +1100	[diff] [blame]	256	goto bad_option;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	257	}
Damien Miller	9829926	2006-07-24 14:01:43 +1000	[diff] [blame]	258	s[i] = '\0';
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	259	opts++;
djm@openbsd.org	a42d67b	2015-05-01 03:20:54 +0000	[diff] [blame]	260	if (options.permit_user_env) {
				261	auth_debug_add("Adding to environment: "
				262	"%.900s", s);
				263	debug("Adding to environment: %.900s", s);
				264	new_envstring = xcalloc(1,
				265	sizeof(*new_envstring));
				266	new_envstring->s = s;
				267	new_envstring->next = custom_environment;
				268	custom_environment = new_envstring;
				269	s = NULL;
				270	}
				271	free(s);
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	272	goto next_option;
				273	}
				274	cp = "from=\"";
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	275	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	276	const char *remote_ip = get_remote_ipaddr();
				277	const char *remote_host = get_canonical_hostname(
Damien Miller	3a961dc	2003-06-03 10:25:48 +1000	[diff] [blame]	278	options.use_dns);
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	279	char *patterns = xmalloc(strlen(opts) + 1);
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	280
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	281	opts += strlen(cp);
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	282	i = 0;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	283	while (*opts) {
				284	if (*opts == '"')
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	285	break;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	286	if (*opts == '\\' && opts[1] == '"') {
				287	opts += 2;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	288	patterns[i++] = '"';
				289	continue;
				290	}
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	291	patterns[i++] = *opts++;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	292	}
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	293	if (!*opts) {
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	294	debug("%.100s, line %lu: missing end quote",
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	295	file, linenum);
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	296	auth_debug_add("%.100s, line %lu: missing end quote",
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	297	file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	298	free(patterns);
Damien Miller	056ddf7	2001-03-14 10:15:20 +1100	[diff] [blame]	299	goto bad_option;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	300	}
Damien Miller	9829926	2006-07-24 14:01:43 +1000	[diff] [blame]	301	patterns[i] = '\0';
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	302	opts++;
Darren Tucker	896ad5a	2008-06-11 09:34:46 +1000	[diff] [blame]	303	switch (match_host_and_ip(remote_host, remote_ip,
				304	patterns)) {
				305	case 1:
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	306	free(patterns);
Darren Tucker	896ad5a	2008-06-11 09:34:46 +1000	[diff] [blame]	307	/* Host name matches. */
				308	goto next_option;
				309	case -1:
				310	debug("%.100s, line %lu: invalid criteria",
				311	file, linenum);
				312	auth_debug_add("%.100s, line %lu: "
				313	"invalid criteria", file, linenum);
				314	/* FALLTHROUGH */
				315	case 0:
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	316	free(patterns);
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	317	logit("Authentication tried for %.100s with "
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	318	"correct key but not from a permitted "
				319	"host (host=%.200s, ip=%.200s).",
				320	pw->pw_name, remote_host, remote_ip);
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	321	auth_debug_add("Your host '%.200s' is not "
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	322	"permitted to use this key for login.",
				323	remote_host);
Darren Tucker	896ad5a	2008-06-11 09:34:46 +1000	[diff] [blame]	324	break;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	325	}
Darren Tucker	896ad5a	2008-06-11 09:34:46 +1000	[diff] [blame]	326	/* deny access */
				327	return 0;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	328	}
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	329	cp = "permitopen=\"";
				330	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	331	char host, p;
Damien Miller	e37dde0	2009-01-28 16:33:01 +1100	[diff] [blame]	332	int port;
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	333	char *patterns = xmalloc(strlen(opts) + 1);
				334
				335	opts += strlen(cp);
				336	i = 0;
				337	while (*opts) {
				338	if (*opts == '"')
				339	break;
				340	if (*opts == '\\' && opts[1] == '"') {
				341	opts += 2;
				342	patterns[i++] = '"';
				343	continue;
				344	}
				345	patterns[i++] = *opts++;
				346	}
				347	if (!*opts) {
				348	debug("%.100s, line %lu: missing end quote",
				349	file, linenum);
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	350	auth_debug_add("%.100s, line %lu: missing "
				351	"end quote", file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	352	free(patterns);
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	353	goto bad_option;
				354	}
Damien Miller	9829926	2006-07-24 14:01:43 +1000	[diff] [blame]	355	patterns[i] = '\0';
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	356	opts++;
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	357	p = patterns;
Damien Miller	7acefbb	2014-07-18 14:11:24 +1000	[diff] [blame]	358	/* XXX - add streamlocal support */
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	359	host = hpdelim(&p);
				360	if (host == NULL \|\| strlen(host) >= NI_MAXHOST) {
				361	debug("%.100s, line %lu: Bad permitopen "
Darren Tucker	90b9e02	2005-03-14 23:08:50 +1100	[diff] [blame]	362	"specification <%.100s>", file, linenum,
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	363	patterns);
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	364	auth_debug_add("%.100s, line %lu: "
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	365	"Bad permitopen specification", file,
				366	linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	367	free(patterns);
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	368	goto bad_option;
				369	}
Darren Tucker	47eede7	2005-03-14 23:08:12 +1100	[diff] [blame]	370	host = cleanhostname(host);
Darren Tucker	1338b9e	2011-10-02 18:57:35 +1100	[diff] [blame]	371	if (p == NULL \|\| (port = permitopen_port(p)) < 0) {
Damien Miller	f91ee4c	2005-03-01 21:24:33 +1100	[diff] [blame]	372	debug("%.100s, line %lu: Bad permitopen port "
				373	"<%.100s>", file, linenum, p ? p : "");
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	374	auth_debug_add("%.100s, line %lu: "
Ben Lindstrom	d71ba57	2001-09-12 18:03:31 +0000	[diff] [blame]	375	"Bad permitopen port", file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	376	free(patterns);
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	377	goto bad_option;
				378	}
Damien Miller	aa5b3f8	2012-12-03 09:50:54 +1100	[diff] [blame]	379	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
Ben Lindstrom	d71ba57	2001-09-12 18:03:31 +0000	[diff] [blame]	380	channel_add_permitted_opens(host, port);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	381	free(patterns);
Ben Lindstrom	7bb8b49	2001-03-17 00:47:54 +0000	[diff] [blame]	382	goto next_option;
				383	}
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	384	cp = "tunnel=\"";
				385	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
				386	char *tun = NULL;
				387	opts += strlen(cp);
				388	tun = xmalloc(strlen(opts) + 1);
				389	i = 0;
				390	while (*opts) {
				391	if (*opts == '"')
				392	break;
				393	tun[i++] = *opts++;
				394	}
				395	if (!*opts) {
				396	debug("%.100s, line %lu: missing end quote",
				397	file, linenum);
				398	auth_debug_add("%.100s, line %lu: missing end quote",
				399	file, linenum);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	400	free(tun);
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	401	forced_tun_device = -1;
				402	goto bad_option;
				403	}
Damien Miller	9829926	2006-07-24 14:01:43 +1000	[diff] [blame]	404	tun[i] = '\0';
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	405	forced_tun_device = a2tun(tun, NULL);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	406	free(tun);
Damien Miller	7b58e80	2005-12-13 19:33:19 +1100	[diff] [blame]	407	if (forced_tun_device == SSH_TUNID_ERR) {
Damien Miller	d27b947	2005-12-13 19:29:02 +1100	[diff] [blame]	408	debug("%.100s, line %lu: invalid tun device",
				409	file, linenum);
				410	auth_debug_add("%.100s, line %lu: invalid tun device",
				411	file, linenum);
				412	forced_tun_device = -1;
				413	goto bad_option;
				414	}
				415	auth_debug_add("Forced tun device: %d", forced_tun_device);
				416	opts++;
				417	goto next_option;
				418	}
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	419	next_option:
				420	/*
				421	* Skip the comma, and move to the next option
				422	* (or break out if there are no more).
				423	*/
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	424	if (!*opts)
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	425	fatal("Bugs in auth-options.c option processing.");
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	426	if (opts == ' ' \|\| opts == '\t')
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	427	break; /* End of options. */
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	428	if (*opts != ',')
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	429	goto bad_option;
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	430	opts++;
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	431	/* Process the next option. */
				432	}
Ben Lindstrom	7a2073c	2002-03-22 02:30:41 +0000	[diff] [blame]	433
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	434	/* grant access */
				435	return 1;
				436
				437	bad_option:
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	438	logit("Bad options in %.100s file, line %lu: %.50s",
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	439	file, linenum, opts);
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	440	auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
Damien Miller	3380426	2001-02-04 23:20:18 +1100	[diff] [blame]	441	file, linenum, opts);
Ben Lindstrom	7a2073c	2002-03-22 02:30:41 +0000	[diff] [blame]	442
Damien Miller	f6d9e22	2000-06-18 14:50:44 +1000	[diff] [blame]	443	/* deny access */
				444	return 0;
				445	}
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	446
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	447	#define OPTIONS_CRITICAL 1
				448	#define OPTIONS_EXTENSIONS 2
				449	static int
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	450	parse_option_list(struct sshbuf oblob, struct passwd pw,
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	451	u_int which, int crit,
				452	int *cert_no_port_forwarding_flag,
				453	int *cert_no_agent_forwarding_flag,
				454	int *cert_no_x11_forwarding_flag,
				455	int *cert_no_pty_flag,
				456	int *cert_no_user_rc,
				457	char **cert_forced_command,
				458	int *cert_source_address_done)
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	459	{
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	460	char command, allowed;
				461	const char *remote_ip;
Damien Miller	ce98654	2013-07-18 16:12:44 +1000	[diff] [blame]	462	char *name = NULL;
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	463	struct sshbuf c = NULL, data = NULL;
				464	int r, ret = -1, result, found;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	465
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	466	if ((c = sshbuf_fromb(oblob)) == NULL) {
				467	error("%s: sshbuf_fromb failed", __func__);
				468	goto out;
				469	}
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	470
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	471	while (sshbuf_len(c) > 0) {
				472	sshbuf_free(data);
				473	data = NULL;
				474	if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 \|\|
				475	(r = sshbuf_froms(c, &data)) != 0) {
				476	error("Unable to parse certificate options: %s",
				477	ssh_err(r));
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	478	goto out;
				479	}
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	480	debug3("found certificate option \"%.100s\" len %zu",
				481	name, sshbuf_len(data));
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	482	found = 0;
				483	if ((which & OPTIONS_EXTENSIONS) != 0) {
				484	if (strcmp(name, "permit-X11-forwarding") == 0) {
				485	*cert_no_x11_forwarding_flag = 0;
				486	found = 1;
				487	} else if (strcmp(name,
				488	"permit-agent-forwarding") == 0) {
				489	*cert_no_agent_forwarding_flag = 0;
				490	found = 1;
				491	} else if (strcmp(name,
				492	"permit-port-forwarding") == 0) {
				493	*cert_no_port_forwarding_flag = 0;
				494	found = 1;
				495	} else if (strcmp(name, "permit-pty") == 0) {
				496	*cert_no_pty_flag = 0;
				497	found = 1;
				498	} else if (strcmp(name, "permit-user-rc") == 0) {
				499	*cert_no_user_rc = 0;
				500	found = 1;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	501	}
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	502	}
				503	if (!found && (which & OPTIONS_CRITICAL) != 0) {
				504	if (strcmp(name, "force-command") == 0) {
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	505	if ((r = sshbuf_get_cstring(data, &command,
				506	NULL)) != 0) {
				507	error("Unable to parse \"%s\" "
				508	"section: %s", name, ssh_err(r));
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	509	goto out;
				510	}
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	511	if (*cert_forced_command != NULL) {
				512	error("Certificate has multiple "
				513	"force-command options");
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	514	free(command);
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	515	goto out;
				516	}
				517	*cert_forced_command = command;
				518	found = 1;
Damien Miller	4139657	2010-03-04 21:51:11 +1100	[diff] [blame]	519	}
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	520	if (strcmp(name, "source-address") == 0) {
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	521	if ((r = sshbuf_get_cstring(data, &allowed,
				522	NULL)) != 0) {
				523	error("Unable to parse \"%s\" "
				524	"section: %s", name, ssh_err(r));
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	525	goto out;
				526	}
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	527	if ((*cert_source_address_done)++) {
				528	error("Certificate has multiple "
				529	"source-address options");
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	530	free(allowed);
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	531	goto out;
				532	}
				533	remote_ip = get_remote_ipaddr();
Damien Miller	bf25d11	2013-12-29 17:44:56 +1100	[diff] [blame]	534	result = addr_match_cidr_list(remote_ip,
				535	allowed);
				536	free(allowed);
				537	switch (result) {
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	538	case 1:
				539	/* accepted */
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	540	break;
				541	case 0:
				542	/* no match */
				543	logit("Authentication tried for %.100s "
				544	"with valid certificate but not "
				545	"from a permitted host "
				546	"(ip=%.200s).", pw->pw_name,
				547	remote_ip);
				548	auth_debug_add("Your address '%.200s' "
				549	"is not permitted to use this "
				550	"certificate for login.",
				551	remote_ip);
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	552	goto out;
				553	case -1:
Damien Miller	bf25d11	2013-12-29 17:44:56 +1100	[diff] [blame]	554	default:
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	555	error("Certificate source-address "
				556	"contents invalid");
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	557	goto out;
				558	}
				559	found = 1;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	560	}
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	561	}
				562
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	563	if (!found) {
				564	if (crit) {
				565	error("Certificate critical option \"%s\" "
				566	"is not supported", name);
				567	goto out;
				568	} else {
				569	logit("Certificate extension \"%s\" "
				570	"is not supported", name);
				571	}
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	572	} else if (sshbuf_len(data) != 0) {
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	573	error("Certificate option \"%s\" corrupt "
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	574	"(extra data)", name);
				575	goto out;
				576	}
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	577	free(name);
Damien Miller	ce98654	2013-07-18 16:12:44 +1000	[diff] [blame]	578	name = NULL;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	579	}
Damien Miller	4e270b0	2010-04-16 15:56:21 +1000	[diff] [blame]	580	/* successfully parsed all options */
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	581	ret = 0;
				582
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	583	out:
				584	if (ret != 0 &&
				585	cert_forced_command != NULL &&
				586	*cert_forced_command != NULL) {
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	587	free(*cert_forced_command);
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	588	*cert_forced_command = NULL;
				589	}
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame^]	590	free(name);
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	591	sshbuf_free(data);
				592	sshbuf_free(c);
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	593	return ret;
				594	}
				595
				596	/*
				597	* Set options from critical certificate options. These supersede user key
				598	* options so this must be called after auth_parse_options().
				599	*/
				600	int
markus@openbsd.org	ae8b463	2015-01-14 10:30:34 +0000	[diff] [blame]	601	auth_cert_options(struct sshkey k, struct passwd pw)
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	602	{
				603	int cert_no_port_forwarding_flag = 1;
				604	int cert_no_agent_forwarding_flag = 1;
				605	int cert_no_x11_forwarding_flag = 1;
				606	int cert_no_pty_flag = 1;
				607	int cert_no_user_rc = 1;
				608	char *cert_forced_command = NULL;
				609	int cert_source_address_done = 0;
				610
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	611	/* Separate options and extensions for v01 certs */
				612	if (parse_option_list(k->cert->critical, pw,
				613	OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
				614	&cert_forced_command,
				615	&cert_source_address_done) == -1)
				616	return -1;
				617	if (parse_option_list(k->cert->extensions, pw,
				618	OPTIONS_EXTENSIONS, 0,
				619	&cert_no_port_forwarding_flag,
				620	&cert_no_agent_forwarding_flag,
				621	&cert_no_x11_forwarding_flag,
				622	&cert_no_pty_flag,
				623	&cert_no_user_rc,
				624	NULL, NULL) == -1)
				625	return -1;
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	626
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	627	no_port_forwarding_flag \|= cert_no_port_forwarding_flag;
				628	no_agent_forwarding_flag \|= cert_no_agent_forwarding_flag;
				629	no_x11_forwarding_flag \|= cert_no_x11_forwarding_flag;
				630	no_pty_flag \|= cert_no_pty_flag;
				631	no_user_rc \|= cert_no_user_rc;
				632	/* CA-specified forced command supersedes key option */
				633	if (cert_forced_command != NULL) {
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame^]	634	free(forced_command);
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	635	forced_command = cert_forced_command;
				636	}
Damien Miller	d0e4a8e	2010-05-21 14:58:32 +1000	[diff] [blame]	637	return 0;
Damien Miller	0a80ca1	2010-02-27 07:55:05 +1100	[diff] [blame]	638	}
				639