Annotation of src/usr.bin/ssh/auth-options.c, Revision 1.1
1.1 ! markus 1: #include "includes.h"
! 2: RCSID("$Id: auth-rsa.c,v 1.24 2000/06/06 19:32:13 markus Exp $");
! 3:
! 4: #include "ssh.h"
! 5: #include "packet.h"
! 6: #include "xmalloc.h"
! 7: #include "match.h"
! 8:
/*
 * Per-key restriction flags, set from authorized_keys options by
 * auth_parse_options().  auth_parse_options() does not clear them on
 * entry, so values from an earlier call remain until something resets them.
 */
int no_port_forwarding_flag = 0;
int no_agent_forwarding_flag = 0;
int no_x11_forwarding_flag = 0;
int no_pty_flag = 0;

/* "command=" option: xmalloc'd string, NULL while no command is forced. */
char *forced_command = NULL;

/* "environment=" options: singly-linked list, most recently parsed entry first. */
struct envstring *custom_environment = NULL;
! 20:
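/*
 * Copy the body of a double-quoted option value (command="...", etc.)
 * into a freshly xmalloc'd string.  On entry *optp points just after the
 * opening quote.  A backslash immediately before a double quote yields a
 * literal quote.  On success *optp is advanced past the closing quote and
 * the new string (owned by the caller, release with xfree) is returned.
 * If no closing quote exists, the problem is reported for linenum, *optp
 * is left untouched, nothing stays allocated and NULL is returned.
 */
static char *
parse_quoted_value(char **optp, unsigned long linenum)
{
	char *opts = *optp;
	/* The value can never be longer than the remaining input. */
	char *value = xmalloc(strlen(opts) + 1);
	size_t i = 0;

	while (*opts) {
		if (*opts == '"')
			break;
		if (*opts == '\\' && opts[1] == '"') {
			opts += 2;
			value[i++] = '"';
			continue;
		}
		value[i++] = *opts++;
	}
	if (!*opts) {
		debug("%.100s, line %lu: missing end quote",
		    SSH_USER_PERMITTED_KEYS, linenum);
		packet_send_debug("%.100s, line %lu: missing end quote",
		    SSH_USER_PERMITTED_KEYS, linenum);
		xfree(value);
		return NULL;
	}
	value[i] = 0;
	*optp = opts + 1;	/* step over the closing quote */
	return value;
}

/*
 * Forget every option accepted so far: clear the restriction flags and
 * release the forced command and the custom environment list.  Used on
 * every deny path so a rejected key leaves nothing behind for the next one.
 */
static void
auth_options_reset(void)
{
	no_agent_forwarding_flag = 0;
	no_port_forwarding_flag = 0;
	no_pty_flag = 0;
	no_x11_forwarding_flag = 0;
	while (custom_environment) {
		struct envstring *ce = custom_environment;
		custom_environment = ce->next;
		xfree(ce->s);
		xfree(ce);
	}
	/* xfree() does not accept NULL, hence the guard. */
	if (forced_command) {
		xfree(forced_command);
		forced_command = NULL;
	}
}

/*
 * Parse the comma-separated option list that precedes a key in the
 * authorized_keys file.  options points at the first option (NULL means
 * the key carries no options); parsing stops at the first space or tab.
 * linenum is only used in diagnostics.
 *
 * Returns 1 if the key may be used, 0 if access must be denied: either a
 * from= pattern rejects the connecting host, or the option list is
 * malformed (unknown option, or a quoted value without a closing quote).
 * Side effects: sets the no_*_flag globals, forced_command and
 * custom_environment for the accepted options; every deny path resets
 * them via auth_options_reset().
 */
int
auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
{
	const char *cp;
	char *value;

	if (!options)
		return 1;
	while (*options && *options != ' ' && *options != '\t') {
		cp = "no-port-forwarding";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Port forwarding disabled.");
			no_port_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-agent-forwarding";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Agent forwarding disabled.");
			no_agent_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-X11-forwarding";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("X11 forwarding disabled.");
			no_x11_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-pty";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Pty allocation disabled.");
			no_pty_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "command=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			options += strlen(cp);
			/*
			 * A missing end quote must deny, not silently grant:
			 * the rest of the line (possibly a from= restriction)
			 * would otherwise never be looked at.
			 */
			value = parse_quoted_value(&options, linenum);
			if (value == NULL)
				goto bad_option;
			/* A later command= replaces an earlier one without leaking it. */
			if (forced_command)
				xfree(forced_command);
			forced_command = value;
			packet_send_debug("Forced command: %.900s", forced_command);
			goto next_option;
		}
		cp = "environment=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			struct envstring *new_envstring;

			options += strlen(cp);
			value = parse_quoted_value(&options, linenum);
			if (value == NULL)
				goto bad_option;
			packet_send_debug("Adding to environment: %.900s", value);
			debug("Adding to environment: %.900s", value);
			new_envstring = xmalloc(sizeof(*new_envstring));
			new_envstring->s = value;
			new_envstring->next = custom_environment;
			custom_environment = new_envstring;
			goto next_option;
		}
		cp = "from=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			int mname, mip;

			options += strlen(cp);
			value = parse_quoted_value(&options, linenum);
			if (value == NULL)
				goto bad_option;
			/*
			 * Deny access if we get a negative match for the
			 * hostname or the ip, or if we get no match at all.
			 */
			mname = match_hostname(get_canonical_hostname(),
			    value, strlen(value));
			mip = match_hostname(get_remote_ipaddr(),
			    value, strlen(value));
			xfree(value);
			if (mname == -1 || mip == -1 ||
			    (mname != 1 && mip != 1)) {
				log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
				    pw->pw_name, get_canonical_hostname(),
				    get_remote_ipaddr());
				packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
				    get_canonical_hostname());
				/* key invalid for this host, reset flags */
				auth_options_reset();
				/* deny access */
				return 0;
			}
			/* Host name matches. */
			goto next_option;
		}
next_option:
		/*
		 * Skip the comma, and move to the next option
		 * (or break out if there are no more).  An unknown option
		 * falls through to here with options unchanged and is
		 * rejected below unless it is empty (",,").
		 */
		if (!*options)
			fatal("Bugs in auth-options.c option processing.");
		if (*options == ' ' || *options == '\t')
			break;	/* End of options. */
		if (*options != ',')
			goto bad_option;
		options++;
		/* Process the next option. */
	}
	/* grant access */
	return 1;

bad_option:
	log("Bad options in %.100s file, line %lu: %.50s",
	    SSH_USER_PERMITTED_KEYS, linenum, options);
	packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
	    SSH_USER_PERMITTED_KEYS, linenum, options);
	/* Partially applied options must not survive a denied key. */
	auth_options_reset();
	/* deny access */
	return 0;
}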
! 208: }