![[BACK]](/icons/back.gif){kind=icon}
Return to auth-options.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh|
Return to auth-options.c CVS log | Up to [local] / src / usr.bin / ssh |
1.59.2.1! djm 1: /* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
1.3 deraadt 2: /*
3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
11: */
12:
1.36 stevesk 13: #include <sys/types.h>
1.42 djm 14: #include <sys/queue.h>
1.36 stevesk 15:
1.37 stevesk 16: #include <netdb.h>
1.36 stevesk 17: #include <pwd.h>
1.39 stevesk 18: #include <string.h>
1.40 deraadt 19: #include <stdio.h>
20: #include <stdarg.h>
1.1 markus 21:
22: #include "xmalloc.h"
23: #include "match.h"
1.11 markus 24: #include "log.h"
25: #include "canohost.h"
1.40 deraadt 26: #include "buffer.h"
1.18 markus 27: #include "channels.h"
1.12 markus 28: #include "servconf.h"
1.20 stevesk 29: #include "misc.h"
1.40 deraadt 30: #include "key.h"
1.50 djm 31: #include "auth-options.h"
1.40 deraadt 32: #include "hostfile.h"
33: #include "auth.h"
34: #ifdef GSSAPI
35: #include "ssh-gss.h"
36: #endif
1.22 provos 37: #include "monitor_wrap.h"
1.1 markus 38:
39: /* Flags set authorized_keys flags */
40: int no_port_forwarding_flag = 0;
41: int no_agent_forwarding_flag = 0;
42: int no_x11_forwarding_flag = 0;
43: int no_pty_flag = 0;
1.41 djm 44: int no_user_rc = 0;
1.45 djm 45: int key_is_cert_authority = 0;
1.1 markus 46:
47: /* "command=" option. */
48: char *forced_command = NULL;
49:
50: /* "environment=" options. */
51: struct envstring *custom_environment = NULL;
52:
1.32 reyk 53: /* "tunnel=" option. */
54: int forced_tun_device = -1;
55:
1.51 djm 56: /* "principals=" option. */
57: char *authorized_principals = NULL;
58:
1.12 markus 59: extern ServerOptions options;
60:
1.22 provos 61: void
1.5 markus 62: auth_clear_options(void)
63: {
64: no_agent_forwarding_flag = 0;
65: no_port_forwarding_flag = 0;
66: no_pty_flag = 0;
67: no_x11_forwarding_flag = 0;
1.41 djm 68: no_user_rc = 0;
1.45 djm 69: key_is_cert_authority = 0;
1.5 markus 70: while (custom_environment) {
71: struct envstring *ce = custom_environment;
72: custom_environment = ce->next;
1.58 djm 73: free(ce->s);
74: free(ce);
1.5 markus 75: }
76: if (forced_command) {
1.58 djm 77: free(forced_command);
1.5 markus 78: forced_command = NULL;
79: }
1.51 djm 80: if (authorized_principals) {
1.58 djm 81: free(authorized_principals);
1.51 djm 82: authorized_principals = NULL;
83: }
1.32 reyk 84: forced_tun_device = -1;
1.15 markus 85: channel_clear_permitted_opens();
1.5 markus 86: }
87:
1.10 markus 88: /*
89: * return 1 if access is granted, 0 if not.
90: * side effect: sets key option flags
91: */
1.1 markus 92: int
1.12 markus 93: auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
1.1 markus 94: {
95: const char *cp;
1.15 markus 96: int i;
1.5 markus 97:
98: /* reset options */
99: auth_clear_options();
1.13 markus 100:
101: if (!opts)
102: return 1;
1.5 markus 103:
1.12 markus 104: while (*opts && *opts != ' ' && *opts != '\t') {
1.45 djm 105: cp = "cert-authority";
106: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
107: key_is_cert_authority = 1;
108: opts += strlen(cp);
109: goto next_option;
110: }
1.1 markus 111: cp = "no-port-forwarding";
1.12 markus 112: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
1.24 markus 113: auth_debug_add("Port forwarding disabled.");
1.1 markus 114: no_port_forwarding_flag = 1;
1.12 markus 115: opts += strlen(cp);
1.1 markus 116: goto next_option;
117: }
118: cp = "no-agent-forwarding";
1.12 markus 119: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
1.24 markus 120: auth_debug_add("Agent forwarding disabled.");
1.1 markus 121: no_agent_forwarding_flag = 1;
1.12 markus 122: opts += strlen(cp);
1.1 markus 123: goto next_option;
124: }
125: cp = "no-X11-forwarding";
1.12 markus 126: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
1.24 markus 127: auth_debug_add("X11 forwarding disabled.");
1.1 markus 128: no_x11_forwarding_flag = 1;
1.12 markus 129: opts += strlen(cp);
1.1 markus 130: goto next_option;
131: }
132: cp = "no-pty";
1.12 markus 133: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
1.24 markus 134: auth_debug_add("Pty allocation disabled.");
1.1 markus 135: no_pty_flag = 1;
1.41 djm 136: opts += strlen(cp);
137: goto next_option;
138: }
139: cp = "no-user-rc";
140: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
141: auth_debug_add("User rc file execution disabled.");
142: no_user_rc = 1;
1.12 markus 143: opts += strlen(cp);
1.1 markus 144: goto next_option;
145: }
146: cp = "command=\"";
1.12 markus 147: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
148: opts += strlen(cp);
1.51 djm 149: if (forced_command != NULL)
1.58 djm 150: free(forced_command);
1.12 markus 151: forced_command = xmalloc(strlen(opts) + 1);
1.1 markus 152: i = 0;
1.12 markus 153: while (*opts) {
154: if (*opts == '"')
1.1 markus 155: break;
1.12 markus 156: if (*opts == '\\' && opts[1] == '"') {
157: opts += 2;
1.1 markus 158: forced_command[i++] = '"';
159: continue;
160: }
1.12 markus 161: forced_command[i++] = *opts++;
1.1 markus 162: }
1.12 markus 163: if (!*opts) {
1.1 markus 164: debug("%.100s, line %lu: missing end quote",
1.10 markus 165: file, linenum);
1.24 markus 166: auth_debug_add("%.100s, line %lu: missing end quote",
1.10 markus 167: file, linenum);
1.58 djm 168: free(forced_command);
1.14 markus 169: forced_command = NULL;
170: goto bad_option;
1.1 markus 171: }
1.38 dtucker 172: forced_command[i] = '\0';
1.54 djm 173: auth_debug_add("Forced command.");
1.51 djm 174: opts++;
175: goto next_option;
176: }
177: cp = "principals=\"";
178: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
179: opts += strlen(cp);
180: if (authorized_principals != NULL)
1.58 djm 181: free(authorized_principals);
1.51 djm 182: authorized_principals = xmalloc(strlen(opts) + 1);
183: i = 0;
184: while (*opts) {
185: if (*opts == '"')
186: break;
187: if (*opts == '\\' && opts[1] == '"') {
188: opts += 2;
189: authorized_principals[i++] = '"';
190: continue;
191: }
192: authorized_principals[i++] = *opts++;
193: }
194: if (!*opts) {
195: debug("%.100s, line %lu: missing end quote",
196: file, linenum);
197: auth_debug_add("%.100s, line %lu: missing end quote",
198: file, linenum);
1.58 djm 199: free(authorized_principals);
1.51 djm 200: authorized_principals = NULL;
201: goto bad_option;
202: }
203: authorized_principals[i] = '\0';
204: auth_debug_add("principals: %.900s",
205: authorized_principals);
1.12 markus 206: opts++;
1.1 markus 207: goto next_option;
208: }
209: cp = "environment=\"";
1.26 markus 210: if (options.permit_user_env &&
211: strncasecmp(opts, cp, strlen(cp)) == 0) {
1.1 markus 212: char *s;
213: struct envstring *new_envstring;
1.15 markus 214:
1.12 markus 215: opts += strlen(cp);
216: s = xmalloc(strlen(opts) + 1);
1.1 markus 217: i = 0;
1.12 markus 218: while (*opts) {
219: if (*opts == '"')
1.1 markus 220: break;
1.12 markus 221: if (*opts == '\\' && opts[1] == '"') {
222: opts += 2;
1.1 markus 223: s[i++] = '"';
224: continue;
225: }
1.12 markus 226: s[i++] = *opts++;
1.1 markus 227: }
1.12 markus 228: if (!*opts) {
1.1 markus 229: debug("%.100s, line %lu: missing end quote",
1.10 markus 230: file, linenum);
1.24 markus 231: auth_debug_add("%.100s, line %lu: missing end quote",
1.10 markus 232: file, linenum);
1.58 djm 233: free(s);
1.14 markus 234: goto bad_option;
1.1 markus 235: }
1.38 dtucker 236: s[i] = '\0';
1.24 markus 237: auth_debug_add("Adding to environment: %.900s", s);
1.1 markus 238: debug("Adding to environment: %.900s", s);
1.12 markus 239: opts++;
1.59.2.1! djm 240: new_envstring = xcalloc(1, sizeof(struct envstring));
1.1 markus 241: new_envstring->s = s;
242: new_envstring->next = custom_environment;
243: custom_environment = new_envstring;
244: goto next_option;
245: }
246: cp = "from=\"";
1.12 markus 247: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
248: const char *remote_ip = get_remote_ipaddr();
249: const char *remote_host = get_canonical_hostname(
1.28 markus 250: options.use_dns);
1.12 markus 251: char *patterns = xmalloc(strlen(opts) + 1);
1.15 markus 252:
1.12 markus 253: opts += strlen(cp);
1.1 markus 254: i = 0;
1.12 markus 255: while (*opts) {
256: if (*opts == '"')
1.1 markus 257: break;
1.12 markus 258: if (*opts == '\\' && opts[1] == '"') {
259: opts += 2;
1.1 markus 260: patterns[i++] = '"';
261: continue;
262: }
1.12 markus 263: patterns[i++] = *opts++;
1.1 markus 264: }
1.12 markus 265: if (!*opts) {
1.1 markus 266: debug("%.100s, line %lu: missing end quote",
1.10 markus 267: file, linenum);
1.24 markus 268: auth_debug_add("%.100s, line %lu: missing end quote",
1.10 markus 269: file, linenum);
1.58 djm 270: free(patterns);
1.14 markus 271: goto bad_option;
1.1 markus 272: }
1.38 dtucker 273: patterns[i] = '\0';
1.12 markus 274: opts++;
1.43 djm 275: switch (match_host_and_ip(remote_host, remote_ip,
276: patterns)) {
277: case 1:
1.58 djm 278: free(patterns);
1.43 djm 279: /* Host name matches. */
280: goto next_option;
281: case -1:
282: debug("%.100s, line %lu: invalid criteria",
283: file, linenum);
284: auth_debug_add("%.100s, line %lu: "
285: "invalid criteria", file, linenum);
286: /* FALLTHROUGH */
287: case 0:
1.58 djm 288: free(patterns);
1.27 itojun 289: logit("Authentication tried for %.100s with "
1.12 markus 290: "correct key but not from a permitted "
291: "host (host=%.200s, ip=%.200s).",
292: pw->pw_name, remote_host, remote_ip);
1.24 markus 293: auth_debug_add("Your host '%.200s' is not "
1.12 markus 294: "permitted to use this key for login.",
295: remote_host);
1.43 djm 296: break;
1.1 markus 297: }
1.43 djm 298: /* deny access */
299: return 0;
1.15 markus 300: }
301: cp = "permitopen=\"";
302: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
1.29 djm 303: char *host, *p;
1.44 djm 304: int port;
1.15 markus 305: char *patterns = xmalloc(strlen(opts) + 1);
306:
307: opts += strlen(cp);
308: i = 0;
309: while (*opts) {
310: if (*opts == '"')
311: break;
312: if (*opts == '\\' && opts[1] == '"') {
313: opts += 2;
314: patterns[i++] = '"';
315: continue;
316: }
317: patterns[i++] = *opts++;
318: }
319: if (!*opts) {
320: debug("%.100s, line %lu: missing end quote",
321: file, linenum);
1.29 djm 322: auth_debug_add("%.100s, line %lu: missing "
323: "end quote", file, linenum);
1.58 djm 324: free(patterns);
1.15 markus 325: goto bad_option;
326: }
1.38 dtucker 327: patterns[i] = '\0';
1.15 markus 328: opts++;
1.29 djm 329: p = patterns;
330: host = hpdelim(&p);
331: if (host == NULL || strlen(host) >= NI_MAXHOST) {
332: debug("%.100s, line %lu: Bad permitopen "
1.31 deraadt 333: "specification <%.100s>", file, linenum,
1.29 djm 334: patterns);
1.24 markus 335: auth_debug_add("%.100s, line %lu: "
1.29 djm 336: "Bad permitopen specification", file,
337: linenum);
1.58 djm 338: free(patterns);
1.15 markus 339: goto bad_option;
340: }
1.30 deraadt 341: host = cleanhostname(host);
1.55 dtucker 342: if (p == NULL || (port = permitopen_port(p)) < 0) {
1.29 djm 343: debug("%.100s, line %lu: Bad permitopen port "
344: "<%.100s>", file, linenum, p ? p : "");
1.24 markus 345: auth_debug_add("%.100s, line %lu: "
1.20 stevesk 346: "Bad permitopen port", file, linenum);
1.58 djm 347: free(patterns);
1.15 markus 348: goto bad_option;
349: }
1.57 djm 350: if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
1.20 stevesk 351: channel_add_permitted_opens(host, port);
1.58 djm 352: free(patterns);
1.32 reyk 353: goto next_option;
354: }
355: cp = "tunnel=\"";
356: if (strncasecmp(opts, cp, strlen(cp)) == 0) {
357: char *tun = NULL;
358: opts += strlen(cp);
359: tun = xmalloc(strlen(opts) + 1);
360: i = 0;
361: while (*opts) {
362: if (*opts == '"')
363: break;
364: tun[i++] = *opts++;
365: }
366: if (!*opts) {
367: debug("%.100s, line %lu: missing end quote",
368: file, linenum);
369: auth_debug_add("%.100s, line %lu: missing end quote",
370: file, linenum);
1.58 djm 371: free(tun);
1.32 reyk 372: forced_tun_device = -1;
373: goto bad_option;
374: }
1.38 dtucker 375: tun[i] = '\0';
1.32 reyk 376: forced_tun_device = a2tun(tun, NULL);
1.58 djm 377: free(tun);
1.33 reyk 378: if (forced_tun_device == SSH_TUNID_ERR) {
1.32 reyk 379: debug("%.100s, line %lu: invalid tun device",
380: file, linenum);
381: auth_debug_add("%.100s, line %lu: invalid tun device",
382: file, linenum);
383: forced_tun_device = -1;
384: goto bad_option;
385: }
386: auth_debug_add("Forced tun device: %d", forced_tun_device);
387: opts++;
1.1 markus 388: goto next_option;
389: }
390: next_option:
391: /*
392: * Skip the comma, and move to the next option
393: * (or break out if there are no more).
394: */
1.12 markus 395: if (!*opts)
1.1 markus 396: fatal("Bugs in auth-options.c option processing.");
1.12 markus 397: if (*opts == ' ' || *opts == '\t')
1.1 markus 398: break; /* End of options. */
1.12 markus 399: if (*opts != ',')
1.1 markus 400: goto bad_option;
1.12 markus 401: opts++;
1.1 markus 402: /* Process the next option. */
403: }
1.22 provos 404:
1.1 markus 405: /* grant access */
406: return 1;
407:
408: bad_option:
1.27 itojun 409: logit("Bad options in %.100s file, line %lu: %.50s",
1.12 markus 410: file, linenum, opts);
1.24 markus 411: auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
1.12 markus 412: file, linenum, opts);
1.22 provos 413:
1.1 markus 414: /* deny access */
415: return 0;
416: }
1.45 djm 417:
1.52 djm 418: #define OPTIONS_CRITICAL 1
419: #define OPTIONS_EXTENSIONS 2
420: static int
421: parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
422: u_int which, int crit,
423: int *cert_no_port_forwarding_flag,
424: int *cert_no_agent_forwarding_flag,
425: int *cert_no_x11_forwarding_flag,
426: int *cert_no_pty_flag,
427: int *cert_no_user_rc,
428: char **cert_forced_command,
429: int *cert_source_address_done)
1.45 djm 430: {
1.52 djm 431: char *command, *allowed;
432: const char *remote_ip;
1.59 djm 433: char *name = NULL;
434: u_char *data_blob = NULL;
1.46 djm 435: u_int nlen, dlen, clen;
1.45 djm 436: Buffer c, data;
1.52 djm 437: int ret = -1, found;
1.45 djm 438:
439: buffer_init(&data);
440:
441: /* Make copy to avoid altering original */
442: buffer_init(&c);
1.52 djm 443: buffer_append(&c, optblob, optblob_len);
1.45 djm 444:
445: while (buffer_len(&c) > 0) {
1.53 djm 446: if ((name = buffer_get_cstring_ret(&c, &nlen)) == NULL ||
1.46 djm 447: (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) {
1.50 djm 448: error("Certificate options corrupt");
1.45 djm 449: goto out;
450: }
1.46 djm 451: buffer_append(&data, data_blob, dlen);
1.52 djm 452: debug3("found certificate option \"%.100s\" len %u",
1.46 djm 453: name, dlen);
1.52 djm 454: found = 0;
455: if ((which & OPTIONS_EXTENSIONS) != 0) {
456: if (strcmp(name, "permit-X11-forwarding") == 0) {
457: *cert_no_x11_forwarding_flag = 0;
458: found = 1;
459: } else if (strcmp(name,
460: "permit-agent-forwarding") == 0) {
461: *cert_no_agent_forwarding_flag = 0;
462: found = 1;
463: } else if (strcmp(name,
464: "permit-port-forwarding") == 0) {
465: *cert_no_port_forwarding_flag = 0;
466: found = 1;
467: } else if (strcmp(name, "permit-pty") == 0) {
468: *cert_no_pty_flag = 0;
469: found = 1;
470: } else if (strcmp(name, "permit-user-rc") == 0) {
471: *cert_no_user_rc = 0;
472: found = 1;
473: }
474: }
475: if (!found && (which & OPTIONS_CRITICAL) != 0) {
476: if (strcmp(name, "force-command") == 0) {
1.53 djm 477: if ((command = buffer_get_cstring_ret(&data,
1.52 djm 478: &clen)) == NULL) {
479: error("Certificate constraint \"%s\" "
480: "corrupt", name);
481: goto out;
482: }
483: if (*cert_forced_command != NULL) {
484: error("Certificate has multiple "
485: "force-command options");
1.58 djm 486: free(command);
1.52 djm 487: goto out;
488: }
489: *cert_forced_command = command;
490: found = 1;
1.45 djm 491: }
1.52 djm 492: if (strcmp(name, "source-address") == 0) {
1.53 djm 493: if ((allowed = buffer_get_cstring_ret(&data,
1.52 djm 494: &clen)) == NULL) {
495: error("Certificate constraint "
496: "\"%s\" corrupt", name);
497: goto out;
498: }
499: if ((*cert_source_address_done)++) {
500: error("Certificate has multiple "
501: "source-address options");
1.58 djm 502: free(allowed);
1.52 djm 503: goto out;
504: }
505: remote_ip = get_remote_ipaddr();
506: switch (addr_match_cidr_list(remote_ip,
507: allowed)) {
508: case 1:
509: /* accepted */
1.58 djm 510: free(allowed);
1.52 djm 511: break;
512: case 0:
513: /* no match */
514: logit("Authentication tried for %.100s "
515: "with valid certificate but not "
516: "from a permitted host "
517: "(ip=%.200s).", pw->pw_name,
518: remote_ip);
519: auth_debug_add("Your address '%.200s' "
520: "is not permitted to use this "
521: "certificate for login.",
522: remote_ip);
1.58 djm 523: free(allowed);
1.52 djm 524: goto out;
525: case -1:
526: error("Certificate source-address "
527: "contents invalid");
1.58 djm 528: free(allowed);
1.52 djm 529: goto out;
530: }
531: found = 1;
1.46 djm 532: }
1.52 djm 533: }
534:
535: if (!found) {
536: if (crit) {
537: error("Certificate critical option \"%s\" "
538: "is not supported", name);
1.45 djm 539: goto out;
1.52 djm 540: } else {
541: logit("Certificate extension \"%s\" "
542: "is not supported", name);
1.45 djm 543: }
1.52 djm 544: } else if (buffer_len(&data) != 0) {
545: error("Certificate option \"%s\" corrupt "
1.45 djm 546: "(extra data)", name);
547: goto out;
548: }
549: buffer_clear(&data);
1.58 djm 550: free(name);
551: free(data_blob);
1.59 djm 552: name = NULL;
553: data_blob = NULL;
1.45 djm 554: }
1.50 djm 555: /* successfully parsed all options */
1.45 djm 556: ret = 0;
557:
1.52 djm 558: out:
559: if (ret != 0 &&
560: cert_forced_command != NULL &&
561: *cert_forced_command != NULL) {
1.58 djm 562: free(*cert_forced_command);
1.52 djm 563: *cert_forced_command = NULL;
564: }
565: if (name != NULL)
1.58 djm 566: free(name);
1.52 djm 567: if (data_blob != NULL)
1.58 djm 568: free(data_blob);
1.52 djm 569: buffer_free(&data);
570: buffer_free(&c);
571: return ret;
572: }
573:
574: /*
575: * Set options from critical certificate options. These supersede user key
576: * options so this must be called after auth_parse_options().
577: */
578: int
579: auth_cert_options(Key *k, struct passwd *pw)
580: {
581: int cert_no_port_forwarding_flag = 1;
582: int cert_no_agent_forwarding_flag = 1;
583: int cert_no_x11_forwarding_flag = 1;
584: int cert_no_pty_flag = 1;
585: int cert_no_user_rc = 1;
586: char *cert_forced_command = NULL;
587: int cert_source_address_done = 0;
588:
589: if (key_cert_is_legacy(k)) {
590: /* All options are in the one field for v00 certs */
591: if (parse_option_list(buffer_ptr(&k->cert->critical),
592: buffer_len(&k->cert->critical), pw,
593: OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
594: &cert_no_port_forwarding_flag,
595: &cert_no_agent_forwarding_flag,
596: &cert_no_x11_forwarding_flag,
597: &cert_no_pty_flag,
598: &cert_no_user_rc,
599: &cert_forced_command,
600: &cert_source_address_done) == -1)
601: return -1;
602: } else {
603: /* Separate options and extensions for v01 certs */
604: if (parse_option_list(buffer_ptr(&k->cert->critical),
605: buffer_len(&k->cert->critical), pw,
606: OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
607: &cert_forced_command,
608: &cert_source_address_done) == -1)
609: return -1;
610: if (parse_option_list(buffer_ptr(&k->cert->extensions),
611: buffer_len(&k->cert->extensions), pw,
612: OPTIONS_EXTENSIONS, 1,
613: &cert_no_port_forwarding_flag,
614: &cert_no_agent_forwarding_flag,
615: &cert_no_x11_forwarding_flag,
616: &cert_no_pty_flag,
617: &cert_no_user_rc,
618: NULL, NULL) == -1)
619: return -1;
620: }
621:
1.45 djm 622: no_port_forwarding_flag |= cert_no_port_forwarding_flag;
623: no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
624: no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
625: no_pty_flag |= cert_no_pty_flag;
626: no_user_rc |= cert_no_user_rc;
627: /* CA-specified forced command supersedes key option */
628: if (cert_forced_command != NULL) {
629: if (forced_command != NULL)
1.58 djm 630: free(forced_command);
1.45 djm 631: forced_command = cert_forced_command;
632: }
1.52 djm 633: return 0;
1.45 djm 634: }
635: