Annotation of src/usr.bin/ssh/auth-options.c, Revision 1.11
1.3 deraadt 1: /*
2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * As far as I am concerned, the code I have written for this software
6: * can be used freely for any purpose. Any derived versions of this
7: * software must be clearly marked as such, and if the derived work is
8: * incompatible with the protocol description in the RFC file, it must be
9: * called by a name other than "ssh" or "Secure Shell".
10: */
11:
1.1 markus 12: #include "includes.h"
1.11 ! markus 13: RCSID("$OpenBSD: auth-options.c,v 1.10 2001/01/20 15:55:20 markus Exp $");
1.1 markus 14:
15: #include "packet.h"
16: #include "xmalloc.h"
17: #include "match.h"
1.11 ! markus 18: #include "log.h"
! 19: #include "canohost.h"
! 20: #include "auth-options.h"
1.1 markus 21:
/*
 * Per-key restrictions taken from the options field of an authorized_keys
 * line.  auth_parse_options() sets them, auth_clear_options() resets them;
 * the rest of sshd reads them after a key has been accepted.
 */

/* Boolean flags: 1 when the corresponding "no-..." option was present. */
int no_port_forwarding_flag = 0;
int no_agent_forwarding_flag = 0;
int no_x11_forwarding_flag = 0;
int no_pty_flag = 0;

/* Value of the "command=" option (xmalloc'd), or NULL when not given. */
char *forced_command = NULL;

/* Singly-linked list built from the "environment=" options, newest first. */
struct envstring *custom_environment = NULL;
33:
/*
 * Return all key-option state to its "no restrictions" default: clear the
 * four no-* flags, release every entry of the custom_environment list and
 * drop any forced_command.  Called before each authorized_keys line is
 * parsed so options from a previous line cannot leak into the next one.
 */
void
auth_clear_options(void)
{
	struct envstring *entry, *next_entry;

	no_port_forwarding_flag = 0;
	no_agent_forwarding_flag = 0;
	no_x11_forwarding_flag = 0;
	no_pty_flag = 0;

	/* Free the environment list; each node owns its string. */
	for (entry = custom_environment; entry != NULL; entry = next_entry) {
		next_entry = entry->next;
		xfree(entry->s);
		xfree(entry);
	}
	custom_environment = NULL;

	if (forced_command != NULL) {
		xfree(forced_command);
		forced_command = NULL;
	}
}
52:
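/*
 * Copy the double-quoted string starting at *optp into a freshly xmalloc'd
 * buffer, translating the escape sequence \" into a literal quote.
 *
 * On success the buffer is returned (caller releases it with xfree()) and
 * *optp is advanced past the closing quote.  If the closing quote is
 * missing, NULL is returned, nothing remains allocated, and *optp points at
 * the terminating NUL of the options string.
 */
static char *
auth_parse_quoted(char **optp)
{
	char *opts = *optp;
	/* strlen(opts) + 1 is an upper bound: unescaping only shrinks. */
	char *buf = xmalloc(strlen(opts) + 1);
	int i = 0;

	while (*opts) {
		if (*opts == '"')
			break;
		if (*opts == '\\' && opts[1] == '"') {
			opts += 2;
			buf[i++] = '"';
			continue;
		}
		buf[i++] = *opts++;
	}
	if (!*opts) {
		/* Unterminated string: give the buffer back, report failure. */
		xfree(buf);
		*optp = opts;
		return NULL;
	}
	buf[i] = '\0';
	*optp = opts + 1;	/* skip the closing quote */
	return buf;
}

/*
 * Parse the options field of an authorized_keys line.
 *
 * return 1 if access is granted, 0 if not.
 * side effect: sets key option flags
 *
 * pw       - the authenticating user; pw->pw_name is used only in the log
 *            message written when a "from=" pattern rejects the client.
 * options  - the options field, terminated by a space, tab or NUL; option
 *            keywords are compared case-insensitively.  The caller's string
 *            is not modified (only a local copy of the pointer advances).
 * file     - file name, for diagnostics only.
 * linenum  - line number within file, for diagnostics only.
 *
 * All previous option state is cleared first via auth_clear_options().
 * Any malformed option (unknown keyword, or a quoted value with no closing
 * quote) denies access rather than being silently skipped, so a damaged
 * "from=" restriction can never be ignored.
 */
int
auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
{
	const char *cp;
	char *s;

	if (!options)
		return 1;

	/* reset options */
	auth_clear_options();

	while (*options && *options != ' ' && *options != '\t') {
		cp = "no-port-forwarding";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Port forwarding disabled.");
			no_port_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-agent-forwarding";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Agent forwarding disabled.");
			no_agent_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-X11-forwarding";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("X11 forwarding disabled.");
			no_x11_forwarding_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "no-pty";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			packet_send_debug("Pty allocation disabled.");
			no_pty_flag = 1;
			options += strlen(cp);
			goto next_option;
		}
		cp = "command=\"";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			options += strlen(cp);
			if ((s = auth_parse_quoted(&options)) == NULL)
				goto missing_quote;
			/* A repeated command= replaces the earlier value; don't leak it. */
			if (forced_command != NULL)
				xfree(forced_command);
			forced_command = s;
			packet_send_debug("Forced command: %.900s", forced_command);
			goto next_option;
		}
		cp = "environment=\"";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			struct envstring *new_envstring;

			options += strlen(cp);
			if ((s = auth_parse_quoted(&options)) == NULL)
				goto missing_quote;
			packet_send_debug("Adding to environment: %.900s", s);
			debug("Adding to environment: %.900s", s);
			/* Push onto the front of the list; the node owns s. */
			new_envstring = xmalloc(sizeof(*new_envstring));
			new_envstring->s = s;
			new_envstring->next = custom_environment;
			custom_environment = new_envstring;
			goto next_option;
		}
		cp = "from=\"";
		if (strncasecmp(options, cp, strlen(cp)) == 0) {
			int mname, mip;
			char *patterns;

			options += strlen(cp);
			if ((patterns = auth_parse_quoted(&options)) == NULL)
				goto missing_quote;
			/*
			 * Deny access if we get a negative
			 * match for the hostname or the ip
			 * or if we get not match at all
			 */
			mname = match_hostname(get_canonical_hostname(),
			    patterns, strlen(patterns));
			mip = match_hostname(get_remote_ipaddr(),
			    patterns, strlen(patterns));
			xfree(patterns);
			if (mname == -1 || mip == -1 ||
			    (mname != 1 && mip != 1)) {
				log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
				    pw->pw_name, get_canonical_hostname(),
				    get_remote_ipaddr());
				packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
				    get_canonical_hostname());
				/* deny access */
				return 0;
			}
			/* Host name matches. */
			goto next_option;
		}
next_option:
		/*
		 * Skip the comma, and move to the next option
		 * (or break out if there are no more).
		 */
		if (!*options)
			fatal("Bugs in auth-options.c option processing.");
		if (*options == ' ' || *options == '\t')
			break;	/* End of options. */
		if (*options != ',')
			goto bad_option;
		options++;
		/* Process the next option. */
	}
	/* grant access */
	return 1;

missing_quote:
	/*
	 * An unterminated quoted value used to be skipped with the rest of the
	 * line, which granted access with the option (possibly a from=
	 * restriction) ignored.  Report it, then fail closed via bad_option.
	 */
	debug("%.100s, line %lu: missing end quote",
	    file, linenum);
	packet_send_debug("%.100s, line %lu: missing end quote",
	    file, linenum);
bad_option:
	log("Bad options in %.100s file, line %lu: %.50s",
	    file, linenum, options);
	packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
	    file, linenum, options);
	/* deny access */
	return 0;
}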