version 1.44, 2009/01/22 10:09:16 |
version 1.45, 2010/02/26 20:29:54 |
|
|
int no_x11_forwarding_flag = 0; |
int no_x11_forwarding_flag = 0; |
int no_pty_flag = 0; |
int no_pty_flag = 0; |
int no_user_rc = 0; |
int no_user_rc = 0; |
|
int key_is_cert_authority = 0; |
|
|
/* "command=" option. */ |
/* "command=" option. */ |
char *forced_command = NULL; |
char *forced_command = NULL; |
|
|
no_pty_flag = 0; |
no_pty_flag = 0; |
no_x11_forwarding_flag = 0; |
no_x11_forwarding_flag = 0; |
no_user_rc = 0; |
no_user_rc = 0; |
|
key_is_cert_authority = 0; |
while (custom_environment) { |
while (custom_environment) { |
struct envstring *ce = custom_environment; |
struct envstring *ce = custom_environment; |
custom_environment = ce->next; |
custom_environment = ce->next; |
|
|
return 1; |
return 1; |
|
|
while (*opts && *opts != ' ' && *opts != '\t') { |
while (*opts && *opts != ' ' && *opts != '\t') { |
|
cp = "cert-authority"; |
|
if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
|
key_is_cert_authority = 1; |
|
opts += strlen(cp); |
|
goto next_option; |
|
} |
cp = "no-port-forwarding"; |
cp = "no-port-forwarding"; |
if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
auth_debug_add("Port forwarding disabled."); |
auth_debug_add("Port forwarding disabled."); |
|
|
/* deny access */ |
/* deny access */ |
return 0; |
return 0; |
} |
} |
|
|
|
/* |
|
* Set options from certificate constraints. These supersede user key options |
|
* so this must be called after auth_parse_options(). |
|
*/ |
|
int |
|
auth_cert_constraints(Buffer *c_orig, struct passwd *pw) |
|
{ |
|
u_char *name = NULL, *data_blob = NULL; |
|
u_int len; |
|
Buffer c, data; |
|
int ret = -1; |
|
|
|
int cert_no_port_forwarding_flag = 1; |
|
int cert_no_agent_forwarding_flag = 1; |
|
int cert_no_x11_forwarding_flag = 1; |
|
int cert_no_pty_flag = 1; |
|
int cert_no_user_rc = 1; |
|
char *cert_forced_command = NULL; |
|
int cert_source_address_done = 0; |
|
|
|
buffer_init(&data); |
|
|
|
/* Make copy to avoid altering original */ |
|
buffer_init(&c); |
|
buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); |
|
|
|
while (buffer_len(&c) > 0) { |
|
if ((name = buffer_get_string_ret(&c, NULL)) == NULL || |
|
(data_blob = buffer_get_string_ret(&c, &len)) == NULL) { |
|
error("Certificate constraints corrupt"); |
|
goto out; |
|
} |
|
buffer_append(&data, data_blob, len); |
|
debug3("found certificate constraint \"%.100s\" len %u", |
|
name, len); |
|
if (strcmp(name, "permit-X11-forwarding") == 0) |
|
cert_no_x11_forwarding_flag = 0; |
|
else if (strcmp(name, "permit-agent-forwarding") == 0) |
|
cert_no_agent_forwarding_flag = 0; |
|
else if (strcmp(name, "permit-port-forwarding") == 0) |
|
cert_no_port_forwarding_flag = 0; |
|
else if (strcmp(name, "permit-pty") == 0) |
|
cert_no_pty_flag = 0; |
|
else if (strcmp(name, "permit-user-rc") == 0) |
|
cert_no_user_rc = 0; |
|
else if (strcmp(name, "force-command") == 0) { |
|
char *command = buffer_get_string_ret(&data, NULL); |
|
|
|
if (command == NULL) { |
|
error("Certificate constraint \"%s\" corrupt", |
|
name); |
|
goto out; |
|
} |
|
if (cert_forced_command != NULL) { |
|
error("Certificate has multiple " |
|
"forced-command constraints"); |
|
xfree(command); |
|
goto out; |
|
} |
|
cert_forced_command = command; |
|
} else if (strcmp(name, "source-address") == 0) { |
|
char *allowed = buffer_get_string_ret(&data, NULL); |
|
const char *remote_ip = get_remote_ipaddr(); |
|
|
|
if (allowed == NULL) { |
|
error("Certificate constraint \"%s\" corrupt", |
|
name); |
|
goto out; |
|
} |
|
if (cert_source_address_done++) { |
|
error("Certificate has multiple " |
|
"source-address constraints"); |
|
xfree(allowed); |
|
goto out; |
|
} |
|
switch (addr_match_cidr_list(remote_ip, allowed)) { |
|
case 1: |
|
/* accepted */ |
|
xfree(allowed); |
|
break; |
|
case 0: |
|
/* no match */ |
|
logit("Authentication tried for %.100s with " |
|
"valid certificate but not from a " |
|
"permitted host (ip=%.200s).", |
|
pw->pw_name, remote_ip); |
|
auth_debug_add("Your address '%.200s' is not " |
|
"permitted to use this certificate for " |
|
"login.", remote_ip); |
|
xfree(allowed); |
|
goto out; |
|
case -1: |
|
error("Certificate source-address contents " |
|
"invalid"); |
|
xfree(allowed); |
|
goto out; |
|
} |
|
} else { |
|
error("Certificate constraint \"%s\" is not supported", |
|
name); |
|
goto out; |
|
} |
|
|
|
if (buffer_len(&data) != 0) { |
|
error("Certificate constraint \"%s\" corrupt " |
|
"(extra data)", name); |
|
goto out; |
|
} |
|
buffer_clear(&data); |
|
xfree(name); |
|
xfree(data_blob); |
|
name = data_blob = NULL; |
|
} |
|
|
|
/* successfully parsed all constraints */ |
|
ret = 0; |
|
|
|
no_port_forwarding_flag |= cert_no_port_forwarding_flag; |
|
no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; |
|
no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; |
|
no_pty_flag |= cert_no_pty_flag; |
|
no_user_rc |= cert_no_user_rc; |
|
/* CA-specified forced command supersedes key option */ |
|
if (cert_forced_command != NULL) { |
|
if (forced_command != NULL) |
|
xfree(forced_command); |
|
forced_command = cert_forced_command; |
|
} |
|
|
|
out: |
|
if (name != NULL) |
|
xfree(name); |
|
if (data_blob != NULL) |
|
xfree(data_blob); |
|
buffer_free(&data); |
|
buffer_free(&c); |
|
return ret; |
|
} |
|
|