| version 1.44, 2009/01/22 10:09:16 |
version 1.45, 2010/02/26 20:29:54 |
|
|
| int no_x11_forwarding_flag = 0; |
int no_x11_forwarding_flag = 0; |
| int no_pty_flag = 0; |
int no_pty_flag = 0; |
| int no_user_rc = 0; |
int no_user_rc = 0; |
| |
int key_is_cert_authority = 0; |
| |
|
| /* "command=" option. */ |
/* "command=" option. */ |
| char *forced_command = NULL; |
char *forced_command = NULL; |
|
|
| no_pty_flag = 0; |
no_pty_flag = 0; |
| no_x11_forwarding_flag = 0; |
no_x11_forwarding_flag = 0; |
| no_user_rc = 0; |
no_user_rc = 0; |
| |
key_is_cert_authority = 0; |
| while (custom_environment) { |
while (custom_environment) { |
| struct envstring *ce = custom_environment; |
struct envstring *ce = custom_environment; |
| custom_environment = ce->next; |
custom_environment = ce->next; |
|
|
| return 1; |
return 1; |
| |
|
| while (*opts && *opts != ' ' && *opts != '\t') { |
while (*opts && *opts != ' ' && *opts != '\t') { |
| |
cp = "cert-authority"; |
| |
if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| |
key_is_cert_authority = 1; |
| |
opts += strlen(cp); |
| |
goto next_option; |
| |
} |
| cp = "no-port-forwarding"; |
cp = "no-port-forwarding"; |
| if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| auth_debug_add("Port forwarding disabled."); |
auth_debug_add("Port forwarding disabled."); |
|
|
| /* deny access */ |
/* deny access */ |
| return 0; |
return 0; |
| } |
} |
| |
|
| |
/* |
| |
* Set options from certificate constraints. These supersede user key options |
| |
* so this must be called after auth_parse_options(). |
| |
*/ |
| |
int |
| |
auth_cert_constraints(Buffer *c_orig, struct passwd *pw) |
| |
{ |
| |
u_char *name = NULL, *data_blob = NULL; |
| |
u_int len; |
| |
Buffer c, data; |
| |
int ret = -1; |
| |
|
| |
int cert_no_port_forwarding_flag = 1; |
| |
int cert_no_agent_forwarding_flag = 1; |
| |
int cert_no_x11_forwarding_flag = 1; |
| |
int cert_no_pty_flag = 1; |
| |
int cert_no_user_rc = 1; |
| |
char *cert_forced_command = NULL; |
| |
int cert_source_address_done = 0; |
| |
|
| |
buffer_init(&data); |
| |
|
| |
/* Make copy to avoid altering original */ |
| |
buffer_init(&c); |
| |
buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); |
| |
|
| |
while (buffer_len(&c) > 0) { |
| |
if ((name = buffer_get_string_ret(&c, NULL)) == NULL || |
| |
(data_blob = buffer_get_string_ret(&c, &len)) == NULL) { |
| |
error("Certificate constraints corrupt"); |
| |
goto out; |
| |
} |
| |
buffer_append(&data, data_blob, len); |
| |
debug3("found certificate constraint \"%.100s\" len %u", |
| |
name, len); |
| |
if (strcmp(name, "permit-X11-forwarding") == 0) |
| |
cert_no_x11_forwarding_flag = 0; |
| |
else if (strcmp(name, "permit-agent-forwarding") == 0) |
| |
cert_no_agent_forwarding_flag = 0; |
| |
else if (strcmp(name, "permit-port-forwarding") == 0) |
| |
cert_no_port_forwarding_flag = 0; |
| |
else if (strcmp(name, "permit-pty") == 0) |
| |
cert_no_pty_flag = 0; |
| |
else if (strcmp(name, "permit-user-rc") == 0) |
| |
cert_no_user_rc = 0; |
| |
else if (strcmp(name, "force-command") == 0) { |
| |
char *command = buffer_get_string_ret(&data, NULL); |
| |
|
| |
if (command == NULL) { |
| |
error("Certificate constraint \"%s\" corrupt", |
| |
name); |
| |
goto out; |
| |
} |
| |
if (cert_forced_command != NULL) { |
| |
error("Certificate has multiple " |
| |
"forced-command constraints"); |
| |
xfree(command); |
| |
goto out; |
| |
} |
| |
cert_forced_command = command; |
| |
} else if (strcmp(name, "source-address") == 0) { |
| |
char *allowed = buffer_get_string_ret(&data, NULL); |
| |
const char *remote_ip = get_remote_ipaddr(); |
| |
|
| |
if (allowed == NULL) { |
| |
error("Certificate constraint \"%s\" corrupt", |
| |
name); |
| |
goto out; |
| |
} |
| |
if (cert_source_address_done++) { |
| |
error("Certificate has multiple " |
| |
"source-address constraints"); |
| |
xfree(allowed); |
| |
goto out; |
| |
} |
| |
switch (addr_match_cidr_list(remote_ip, allowed)) { |
| |
case 1: |
| |
/* accepted */ |
| |
xfree(allowed); |
| |
break; |
| |
case 0: |
| |
/* no match */ |
| |
logit("Authentication tried for %.100s with " |
| |
"valid certificate but not from a " |
| |
"permitted host (ip=%.200s).", |
| |
pw->pw_name, remote_ip); |
| |
auth_debug_add("Your address '%.200s' is not " |
| |
"permitted to use this certificate for " |
| |
"login.", remote_ip); |
| |
xfree(allowed); |
| |
goto out; |
| |
case -1: |
| |
error("Certificate source-address contents " |
| |
"invalid"); |
| |
xfree(allowed); |
| |
goto out; |
| |
} |
| |
} else { |
| |
error("Certificate constraint \"%s\" is not supported", |
| |
name); |
| |
goto out; |
| |
} |
| |
|
| |
if (buffer_len(&data) != 0) { |
| |
error("Certificate constraint \"%s\" corrupt " |
| |
"(extra data)", name); |
| |
goto out; |
| |
} |
| |
buffer_clear(&data); |
| |
xfree(name); |
| |
xfree(data_blob); |
| |
name = data_blob = NULL; |
| |
} |
| |
|
| |
/* successfully parsed all constraints */ |
| |
ret = 0; |
| |
|
| |
no_port_forwarding_flag |= cert_no_port_forwarding_flag; |
| |
no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; |
| |
no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; |
| |
no_pty_flag |= cert_no_pty_flag; |
| |
no_user_rc |= cert_no_user_rc; |
| |
/* CA-specified forced command supersedes key option */ |
| |
if (cert_forced_command != NULL) { |
| |
if (forced_command != NULL) |
| |
xfree(forced_command); |
| |
forced_command = cert_forced_command; |
| |
} |
| |
|
| |
out: |
| |
if (name != NULL) |
| |
xfree(name); |
| |
if (data_blob != NULL) |
| |
xfree(data_blob); |
| |
buffer_free(&data); |
| |
buffer_free(&c); |
| |
return ret; |
| |
} |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to auth-options.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh