version 1.71, 2016/03/07 19:02:43 |
version 1.72, 2016/11/30 02:57:40 |
|
|
* options so this must be called after auth_parse_options(). |
* options so this must be called after auth_parse_options(). |
*/ |
*/ |
int |
int |
auth_cert_options(struct sshkey *k, struct passwd *pw) |
auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason) |
{ |
{ |
int cert_no_port_forwarding_flag = 1; |
int cert_no_port_forwarding_flag = 1; |
int cert_no_agent_forwarding_flag = 1; |
int cert_no_agent_forwarding_flag = 1; |
|
|
char *cert_forced_command = NULL; |
char *cert_forced_command = NULL; |
int cert_source_address_done = 0; |
int cert_source_address_done = 0; |
|
|
|
*reason = "invalid certificate options"; |
|
|
/* Separate options and extensions for v01 certs */ |
/* Separate options and extensions for v01 certs */ |
if (parse_option_list(k->cert->critical, pw, |
if (parse_option_list(k->cert->critical, pw, |
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, |
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, |
|
|
no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; |
no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; |
no_pty_flag |= cert_no_pty_flag; |
no_pty_flag |= cert_no_pty_flag; |
no_user_rc |= cert_no_user_rc; |
no_user_rc |= cert_no_user_rc; |
/* CA-specified forced command supersedes key option */ |
/* |
if (cert_forced_command != NULL) { |
* Only permit both CA and key option forced-command if they match. |
free(forced_command); |
* Otherwise refuse the certificate. |
|
*/ |
|
if (cert_forced_command != NULL && forced_command != NULL) { |
|
if (strcmp(forced_command, cert_forced_command) == 0) { |
|
free(forced_command); |
|
forced_command = cert_forced_command; |
|
} else { |
|
*reason = "certificate and key options forced command " |
|
"do not match"; |
|
free(cert_forced_command); |
|
return -1; |
|
} |
|
} else if (cert_forced_command != NULL) |
forced_command = cert_forced_command; |
forced_command = cert_forced_command; |
} |
/* success */ |
|
*reason = NULL; |
return 0; |
return 0; |
} |
} |
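Review bot: The refusal path at `return -1;` in the mismatch branch runs after the certificate's restriction flags have already been OR'ed into the key-option globals (`no_x11_forwarding_flag |= ...`, `no_pty_flag |= ...`, `no_user_rc |= ...`), so a refused certificate still leaves those globals tightened; that is fail-safe because the merge only ever restricts further, but it presumably depends on the caller resetting option state before evaluating another key, which the code does not say. I would add above the forced-command check: `/* Restriction flags above are already merged; refusing here is safe because they only tighten, and the caller is expected to clear option state per key. */`. The new `reason` out-parameter also needs documenting in the function's header comment, which begins outside the hunk: on failure it points to a static string the caller must not free, and on success it is set to NULL. Finally, the `else if (cert_forced_command != NULL)` arm is unbraced while its sibling `if` is braced; bracing it keeps this policy decision consistent and guards against a misplaced statement later.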
|
|