author | Darren Tucker <dtucker@zip.com.au> | 2008-06-11 09:34:46 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-11 09:34:46 +1000 |
commit | 896ad5a4e40c48fa9bea71624830cc9cc3ce4fe0 (patch) | |
tree | aa6eaa6f9ce31379b0843fed78b7487c87e0f7f3 | |
parent | 8901fa9c88d52ac1f099e7a3ce5bd75089e7e731 (diff) |
- djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | addrmatch.c | 11 | ||||
-rw-r--r-- | auth-options.c | 25 | ||||
-rw-r--r-- | match.c | 12 | ||||
-rw-r--r-- | servconf.c | 5 | ||||
-rw-r--r-- | sshd.8 | 30 |
6 files changed, 56 insertions, 33 deletions
@@ -51,6 +51,10 @@ | |||
51 | requests? It could have been attacked with something like SSH'jack: | 51 | requests? It could have been attacked with something like SSH'jack: |
52 | http://www.storm.net.nz/projects/7 | 52 | http://www.storm.net.nz/projects/7 |
53 | feedback & ok markus | 53 | feedback & ok markus |
54 | - djm@cvs.openbsd.org 2008/06/10 23:06:19 | ||
55 | [auth-options.c match.c servconf.c addrmatch.c sshd.8] | ||
56 | support CIDR address matching in .ssh/authorized_keys from="..." stanzas | ||
57 | ok and extensive testing dtucker@ | ||
54 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 | 58 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 |
55 | since the new CIDR code in addmatch.c references it. | 59 | since the new CIDR code in addmatch.c references it. |
56 | - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 | 60 | - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 |
@@ -4143,4 +4147,4 @@ | |||
4143 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 4147 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
4144 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 4148 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
4145 | 4149 | ||
4146 | $Id: ChangeLog,v 1.4962 2008/06/10 23:34:01 dtucker Exp $ | 4150 | $Id: ChangeLog,v 1.4963 2008/06/10 23:34:46 dtucker Exp $ |
diff --git a/addrmatch.c b/addrmatch.c index a0559efa0..2086afe84 100644 --- a/addrmatch.c +++ b/addrmatch.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */ | 1 | /* $OpenBSD: addrmatch.c,v 1.3 2008/06/10 23:06:19 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org> | 4 | * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org> |
@@ -366,7 +366,8 @@ addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen) | |||
366 | * | 366 | * |
367 | * Returns 1 on match found (never returned when addr == NULL). | 367 | * Returns 1 on match found (never returned when addr == NULL). |
368 | * Returns 0 on if no match found, or no errors found when addr == NULL. | 368 | * Returns 0 on if no match found, or no errors found when addr == NULL. |
369 | * Returns -1 on invalid list entry. | 369 | * Returns -1 on negated match found (never returned when addr == NULL). |
370 | * Returns -2 on invalid list entry. | ||
370 | */ | 371 | */ |
371 | int | 372 | int |
372 | addr_match_list(const char *addr, const char *_list) | 373 | addr_match_list(const char *addr, const char *_list) |
@@ -387,7 +388,7 @@ addr_match_list(const char *addr, const char *_list) | |||
387 | if (neg) | 388 | if (neg) |
388 | cp++; | 389 | cp++; |
389 | if (*cp == '\0') { | 390 | if (*cp == '\0') { |
390 | ret = -1; | 391 | ret = -2; |
391 | break; | 392 | break; |
392 | } | 393 | } |
393 | /* Prefer CIDR address matching */ | 394 | /* Prefer CIDR address matching */ |
@@ -395,14 +396,14 @@ addr_match_list(const char *addr, const char *_list) | |||
395 | if (r == -2) { | 396 | if (r == -2) { |
396 | error("Inconsistent mask length for " | 397 | error("Inconsistent mask length for " |
397 | "network \"%.100s\"", cp); | 398 | "network \"%.100s\"", cp); |
398 | ret = -1; | 399 | ret = -2; |
399 | break; | 400 | break; |
400 | } else if (r == 0) { | 401 | } else if (r == 0) { |
401 | if (addr != NULL && addr_netmatch(&try_addr, | 402 | if (addr != NULL && addr_netmatch(&try_addr, |
402 | &match_addr, masklen) == 0) { | 403 | &match_addr, masklen) == 0) { |
403 | foundit: | 404 | foundit: |
404 | if (neg) { | 405 | if (neg) { |
405 | ret = 0; | 406 | ret = -1; |
406 | break; | 407 | break; |
407 | } | 408 | } |
408 | ret = 1; | 409 | ret = 1; |
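Review bot: addr_match_list now returns -1 for a negated match (the `if (neg)` branch after `foundit:`) and -2 for an invalid entry (the empty-entry and inconsistent-mask-length checks), but these are bare sentinels that addrmatch.c, match.c and servconf.c must all agree on; an enum or a small set of #defines for the 1/0/-1/-2 results would keep the contract in one place. Any caller outside this commit that still tests `== -1` for the error case would now treat a negated match as an error and a malformed entry as a non-error, so other callers are worth grepping for — only match.c and servconf.c are updated here. The unchanged header line `Returns 0 on if no match found` should read `* Returns 0 if no match found, or no errors found when addr == NULL.`. addr_match_list's body continues past the hunk.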
diff --git a/auth-options.c b/auth-options.c index 3a6c3c0f3..25361455e 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.42 2008/05/08 12:02:23 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.43 2008/06/10 23:06:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -226,8 +226,19 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
226 | } | 226 | } |
227 | patterns[i] = '\0'; | 227 | patterns[i] = '\0'; |
228 | opts++; | 228 | opts++; |
229 | if (match_host_and_ip(remote_host, remote_ip, | 229 | switch (match_host_and_ip(remote_host, remote_ip, |
230 | patterns) != 1) { | 230 | patterns)) { |
231 | case 1: | ||
232 | xfree(patterns); | ||
233 | /* Host name matches. */ | ||
234 | goto next_option; | ||
235 | case -1: | ||
236 | debug("%.100s, line %lu: invalid criteria", | ||
237 | file, linenum); | ||
238 | auth_debug_add("%.100s, line %lu: " | ||
239 | "invalid criteria", file, linenum); | ||
240 | /* FALLTHROUGH */ | ||
241 | case 0: | ||
231 | xfree(patterns); | 242 | xfree(patterns); |
232 | logit("Authentication tried for %.100s with " | 243 | logit("Authentication tried for %.100s with " |
233 | "correct key but not from a permitted " | 244 | "correct key but not from a permitted " |
@@ -236,12 +247,10 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
236 | auth_debug_add("Your host '%.200s' is not " | 247 | auth_debug_add("Your host '%.200s' is not " |
237 | "permitted to use this key for login.", | 248 | "permitted to use this key for login.", |
238 | remote_host); | 249 | remote_host); |
239 | /* deny access */ | 250 | break; |
240 | return 0; | ||
241 | } | 251 | } |
242 | xfree(patterns); | 252 | /* deny access */ |
243 | /* Host name matches. */ | 253 | return 0; |
244 | goto next_option; | ||
245 | } | 254 | } |
246 | cp = "permitopen=\""; | 255 | cp = "permitopen=\""; |
247 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 256 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
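Review bot: In the new switch, `case -1:` (malformed from= criteria) is recorded only through debug() and auth_debug_add(), so at the default log level an administrator sees just the generic "not from a permitted host" logit() and cannot tell a typo in authorized_keys from a genuine origin mismatch; consider `logit("%.100s, line %lu: invalid criteria", file, linenum);` in that arm in addition to the debug(). The switch also has no `default:` — with the deny moved to the `return 0` after the switch, an out-of-contract return from match_host_and_ip would skip the xfree(patterns) before denying, so labelling the deny arm both `case 0:` and `default:` closes that gap. Keeping every non-1 result on the deny path is the right fail-closed direction. auth_parse_options begins and ends outside the hunks.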
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: match.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -183,7 +183,8 @@ match_hostname(const char *host, const char *pattern, u_int len) | |||
183 | 183 | ||
184 | /* | 184 | /* |
185 | * returns 0 if we get a negative match for the hostname or the ip | 185 | * returns 0 if we get a negative match for the hostname or the ip |
186 | * or if we get no match at all. returns 1 otherwise. | 186 | * or if we get no match at all. returns -1 on error, or 1 on |
187 | * successful match. | ||
187 | */ | 188 | */ |
188 | int | 189 | int |
189 | match_host_and_ip(const char *host, const char *ipaddr, | 190 | match_host_and_ip(const char *host, const char *ipaddr, |
@@ -191,9 +192,12 @@ match_host_and_ip(const char *host, const char *ipaddr, | |||
191 | { | 192 | { |
192 | int mhost, mip; | 193 | int mhost, mip; |
193 | 194 | ||
194 | /* negative ipaddr match */ | 195 | /* error in ipaddr match */ |
195 | if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1) | 196 | if ((mip = addr_match_list(ipaddr, patterns)) == -2) |
197 | return -1; | ||
198 | else if (mip == -1) /* negative ip address match */ | ||
196 | return 0; | 199 | return 0; |
200 | |||
197 | /* negative hostname match */ | 201 | /* negative hostname match */ |
198 | if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1) | 202 | if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1) |
199 | return 0; | 203 | return 0; |
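Review bot: The two -1 values in the new ip branch mean different things and the comment does not say so: addr_match_list's -2 (invalid entry) is propagated as this function's -1 (error), while addr_match_list's -1 (negated match) is mapped to 0 (deny), so a reader seeing `== -2` and `== -1` next to a `return -1` can easily invert them. Suggest replacing the `/* error in ipaddr match */` line with `/* addr_match_list: -2 = invalid entry -> return -1 (error); -1 = negated match -> return 0 (deny) */`. Returning the error before the hostname is consulted keeps a malformed pattern fail-closed regardless of what the hostname would match, which is the right ordering. match_host_and_ip continues past the hunk.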
diff --git a/servconf.c b/servconf.c index 63704fb33..8f5ddbd33 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.c,v 1.182 2008/06/10 04:50:25 dtucker Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.183 2008/06/10 23:06:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -621,9 +621,10 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, | |||
621 | "%.100s' at line %d", address, arg, line); | 621 | "%.100s' at line %d", address, arg, line); |
622 | break; | 622 | break; |
623 | case 0: | 623 | case 0: |
624 | case -1: | ||
624 | result = 0; | 625 | result = 0; |
625 | break; | 626 | break; |
626 | case -1: | 627 | case -2: |
627 | return -1; | 628 | return -1; |
628 | } | 629 | } |
629 | } else { | 630 | } else { |
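Review bot: The switch in match_cfg_line now maps -1 to `result = 0` and -2 to `return -1`, but it still has no `default:`, so any value outside addr_match_list's documented 1/0/-1/-2 set falls out of the switch with `result` untouched — whether that then counts as a match depends on result's initial value, which is outside the hunk. Since this decides whether a Match block applies, I would make the error arm the default: `case -2:` / `default:` / `return -1;`. The switch head and the rest of the function are outside the hunk.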
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $ |
38 | .Dd $Mdocdate: June 10 2008 $ | 38 | .Dd $Mdocdate: June 10 2008 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -531,23 +531,27 @@ This option is automatically disabled if | |||
531 | .Cm UseLogin | 531 | .Cm UseLogin |
532 | is enabled. | 532 | is enabled. |
533 | .It Cm from="pattern-list" | 533 | .It Cm from="pattern-list" |
534 | Specifies that in addition to public key authentication, the canonical name | 534 | Specifies that in addition to public key authentication, either the canonical |
535 | of the remote host must be present in the comma-separated list of | 535 | name of the remote host or its IP address must be present in the |
536 | patterns. | 536 | comma-separated list of patterns. |
537 | The purpose | ||
538 | of this option is to optionally increase security: public key authentication | ||
539 | by itself does not trust the network or name servers or anything (but | ||
540 | the key); however, if somebody somehow steals the key, the key | ||
541 | permits an intruder to log in from anywhere in the world. | ||
542 | This additional option makes using a stolen key more difficult (name | ||
543 | servers and/or routers would have to be compromised in addition to | ||
544 | just the key). | ||
545 | .Pp | ||
546 | See | 537 | See |
547 | .Sx PATTERNS | 538 | .Sx PATTERNS |
548 | in | 539 | in |
549 | .Xr ssh_config 5 | 540 | .Xr ssh_config 5 |
550 | for more information on patterns. | 541 | for more information on patterns. |
542 | .Pp | ||
543 | In addition to the wildcard matching that may be applied to hostnames or | ||
544 | addresses, a | ||
545 | .Cm from | ||
546 | stanza may match IP addressess using CIDR address/masklen notation. | ||
547 | .Pp | ||
548 | The purpose of this option is to optionally increase security: public key | ||
549 | authentication by itself does not trust the network or name servers or | ||
550 | anything (but the key); however, if somebody somehow steals the key, the key | ||
551 | permits an intruder to log in from anywhere in the world. | ||
552 | This additional option makes using a stolen key more difficult (name | ||
553 | servers and/or routers would have to be compromised in addition to | ||
554 | just the key). | ||
551 | .It Cm no-agent-forwarding | 555 | .It Cm no-agent-forwarding |
552 | Forbids authentication agent forwarding when this key is used for | 556 | Forbids authentication agent forwarding when this key is used for |
553 | authentication. | 557 | authentication. |