Annotation of src/usr.bin/ssh/auth-options.c, Revision 1.2.2.1
1.1 markus 1: #include "includes.h"
1.2.2.1 ! jason 2: RCSID("$OpenBSD: auth-options.c,v 1.2 2000/06/20 01:39:38 markus Exp $");
1.1 markus 3:
4: #include "ssh.h"
5: #include "packet.h"
6: #include "xmalloc.h"
7: #include "match.h"
8:
/*
 * Key options recorded by auth_parse_options() for the key that matched.
 * Each no_*_flag is 1 when the corresponding "no-..." option was present
 * on the authorized_keys line, 0 otherwise.
 */
int no_port_forwarding_flag = 0;
int no_agent_forwarding_flag = 0;
int no_x11_forwarding_flag = 0;
int no_pty_flag = 0;

/* Value of the "command=" option, or NULL when the key forces no command. */
char *forced_command = NULL;

/*
 * Values of the "environment=" options, one node per option, most
 * recently parsed first.  NULL when the key sets no environment.
 */
struct envstring *custom_environment = NULL;
20:
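/*
 * Copy the body of a double-quoted option value into a new string.
 *
 * *optp must point just past the opening quote.  A backslash followed by
 * a double quote is copied as a literal quote; every other byte is copied
 * verbatim up to the closing quote.
 *
 * Returns an xmalloc'd, NUL-terminated string the caller owns (release it
 * with xfree) and advances *optp past the closing quote.  If no closing
 * quote is found, reports "missing end quote" for the given line, frees the
 * partial copy and returns NULL, leaving *optp at the terminating NUL.
 */
static char *
auth_parse_quoted(char **optp, unsigned long linenum)
{
	char *opts = *optp;
	/* strlen(opts) + 1 is an upper bound: unescaping only shrinks it */
	char *value = xmalloc(strlen(opts) + 1);
	size_t n = 0;

	while (*opts != '\0' && *opts != '"') {
		if (*opts == '\\' && opts[1] == '"') {
			value[n++] = '"';
			opts += 2;
		} else {
			value[n++] = *opts++;
		}
	}
	if (*opts != '"') {
		debug("%.100s, line %lu: missing end quote",
		    SSH_USER_PERMITTED_KEYS, linenum);
		packet_send_debug("%.100s, line %lu: missing end quote",
		    SSH_USER_PERMITTED_KEYS, linenum);
		xfree(value);
		*optp = opts;
		return NULL;
	}
	value[n] = '\0';
	*optp = opts + 1;	/* step over the closing quote */
	return value;
}

/*
 * Forget every option recorded by the current authorized_keys line.  Used
 * when the line is rejected, so that its restrictions, forced command and
 * environment cannot carry over into a later key that does grant access.
 */
static void
auth_clear_options(void)
{
	struct envstring *ce;

	no_agent_forwarding_flag = 0;
	no_port_forwarding_flag = 0;
	no_pty_flag = 0;
	no_x11_forwarding_flag = 0;
	while ((ce = custom_environment) != NULL) {
		custom_environment = ce->next;
		xfree(ce->s);
		xfree(ce);
	}
	/* xfree() is not NULL-safe, so keep the guard */
	if (forced_command != NULL) {
		xfree(forced_command);
		forced_command = NULL;
	}
}

/*
 * Parse the option list that precedes a key in the user's authorized_keys
 * file and record it in the key-option globals above.
 *
 * pw       the user being authenticated (only pw_name is used, in log output)
 * options  the option text, or NULL when the key carries no options; the
 *          list ends at the first space or tab
 * linenum  line number of the key, for diagnostics
 *
 * Returns 1 if access is granted and 0 if it is denied.  Side effect: the
 * no_*_flag variables, forced_command and custom_environment are updated.
 * Access is denied when a "from=" pattern rejects the client host or when
 * the option text is malformed (unknown option, missing end quote); in both
 * cases everything recorded from this line is cleared again.  A value with
 * a missing end quote is a malformed line and therefore denies access,
 * rather than silently granting it with an unterminated buffer.
 */
int
auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
{
	/* Simple flag options: keyword, the flag it sets, and the debug text. */
	static const struct {
		const char *name;
		int *flag;
		const char *msg;
	} flag_options[] = {
		{ "no-port-forwarding", &no_port_forwarding_flag,
		    "Port forwarding disabled." },
		{ "no-agent-forwarding", &no_agent_forwarding_flag,
		    "Agent forwarding disabled." },
		{ "no-X11-forwarding", &no_x11_forwarding_flag,
		    "X11 forwarding disabled." },
		{ "no-pty", &no_pty_flag,
		    "Pty allocation disabled." },
	};
	const char *cp;
	char *value;
	size_t i;

	if (options == NULL)
		return 1;	/* no options: nothing restricts this key */

	while (*options != '\0' && *options != ' ' && *options != '\t') {
		for (i = 0; i < sizeof(flag_options) / sizeof(flag_options[0]);
		    i++) {
			cp = flag_options[i].name;
			if (strncmp(options, cp, strlen(cp)) == 0) {
				packet_send_debug("%s", flag_options[i].msg);
				*flag_options[i].flag = 1;
				options += strlen(cp);
				goto next_option;
			}
		}
		cp = "command=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			options += strlen(cp);
			value = auth_parse_quoted(&options, linenum);
			if (value == NULL)
				goto bad_option;
			/* a later command= replaces an earlier one; do not leak it */
			if (forced_command != NULL)
				xfree(forced_command);
			forced_command = value;
			packet_send_debug("Forced command: %.900s", forced_command);
			goto next_option;
		}
		cp = "environment=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			struct envstring *new_envstring;

			options += strlen(cp);
			value = auth_parse_quoted(&options, linenum);
			if (value == NULL)
				goto bad_option;
			packet_send_debug("Adding to environment: %.900s", value);
			debug("Adding to environment: %.900s", value);
			new_envstring = xmalloc(sizeof(*new_envstring));
			new_envstring->s = value;
			/* prepend, so the list holds the most recent option first */
			new_envstring->next = custom_environment;
			custom_environment = new_envstring;
			goto next_option;
		}
		cp = "from=\"";
		if (strncmp(options, cp, strlen(cp)) == 0) {
			int mname, mip;

			options += strlen(cp);
			value = auth_parse_quoted(&options, linenum);
			if (value == NULL)
				goto bad_option;
			/*
			 * Deny access if we get a negative match for the
			 * hostname or the ip, or if we get no match at all.
			 */
			mname = match_hostname(get_canonical_hostname(),
			    value, strlen(value));
			mip = match_hostname(get_remote_ipaddr(),
			    value, strlen(value));
			xfree(value);
			if (mname == -1 || mip == -1 ||
			    (mname != 1 && mip != 1)) {
				log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
				    pw->pw_name, get_canonical_hostname(),
				    get_remote_ipaddr());
				packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
				    get_canonical_hostname());
				/* key invalid for this host, reset flags */
				auth_clear_options();
				/* deny access */
				return 0;
			}
			/* Host name matches. */
			goto next_option;
		}
		/*
		 * No keyword matched.  Fall through: a comma here is skipped
		 * (an empty option), anything else is reported below.
		 */
next_option:
		/*
		 * Every branch above leaves options on the byte after the
		 * option it consumed: a comma, whitespace or the end of the
		 * string.  A NUL here means a branch advanced too far.
		 */
		if (*options == '\0')
			fatal("Bugs in auth-options.c option processing.");
		if (*options == ' ' || *options == '\t')
			break;	/* End of options. */
		if (*options != ',')
			goto bad_option;
		options++;
		/* Process the next option. */
	}
	/* grant access */
	return 1;

bad_option:
	log("Bad options in %.100s file, line %lu: %.50s",
	    SSH_USER_PERMITTED_KEYS, linenum, options);
	packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
	    SSH_USER_PERMITTED_KEYS, linenum, options);
	/* deny access, and discard whatever this line had already recorded */
	auth_clear_options();
	return 0;
}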
208: }