diff options
author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-03-08 11:51:22 +0000 |
commit | 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch) | |
tree | 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /auth-options.c | |
parent | c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff) | |
parent | 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff) |
New upstream release (7.2).
Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 111 |
1 files changed, 65 insertions, 46 deletions
diff --git a/auth-options.c b/auth-options.c index f1e3ddfdf..bda39df4e 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -86,19 +86,45 @@ auth_clear_options(void) | |||
86 | free(ce->s); | 86 | free(ce->s); |
87 | free(ce); | 87 | free(ce); |
88 | } | 88 | } |
89 | if (forced_command) { | 89 | free(forced_command); |
90 | free(forced_command); | 90 | forced_command = NULL; |
91 | forced_command = NULL; | 91 | free(authorized_principals); |
92 | } | 92 | authorized_principals = NULL; |
93 | if (authorized_principals) { | ||
94 | free(authorized_principals); | ||
95 | authorized_principals = NULL; | ||
96 | } | ||
97 | forced_tun_device = -1; | 93 | forced_tun_device = -1; |
98 | channel_clear_permitted_opens(); | 94 | channel_clear_permitted_opens(); |
99 | } | 95 | } |
100 | 96 | ||
101 | /* | 97 | /* |
98 | * Match flag 'opt' in *optsp, and if allow_negate is set then also match | ||
99 | * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0 | ||
100 | * if negated option matches. | ||
101 | * If the option or negated option matches, then *optsp is updated to | ||
102 | * point to the first character after the option and, if 'msg' is not NULL | ||
103 | * then a message based on it added via auth_debug_add(). | ||
104 | */ | ||
105 | static int | ||
106 | match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) | ||
107 | { | ||
108 | size_t opt_len = strlen(opt); | ||
109 | char *opts = *optsp; | ||
110 | int negate = 0; | ||
111 | |||
112 | if (allow_negate && strncasecmp(opts, "no-", 3) == 0) { | ||
113 | opts += 3; | ||
114 | negate = 1; | ||
115 | } | ||
116 | if (strncasecmp(opts, opt, opt_len) == 0) { | ||
117 | *optsp = opts + opt_len; | ||
118 | if (msg != NULL) { | ||
119 | auth_debug_add("%s %s.", msg, | ||
120 | negate ? "disabled" : "enabled"); | ||
121 | } | ||
122 | return negate ? 0 : 1; | ||
123 | } | ||
124 | return -1; | ||
125 | } | ||
126 | |||
127 | /* | ||
102 | * return 1 if access is granted, 0 if not. | 128 | * return 1 if access is granted, 0 if not. |
103 | * side effect: sets key option flags | 129 | * side effect: sets key option flags |
104 | */ | 130 | */ |
@@ -106,7 +132,7 @@ int | |||
106 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 132 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
107 | { | 133 | { |
108 | const char *cp; | 134 | const char *cp; |
109 | int i; | 135 | int i, r; |
110 | 136 | ||
111 | /* reset options */ | 137 | /* reset options */ |
112 | auth_clear_options(); | 138 | auth_clear_options(); |
@@ -115,52 +141,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
115 | return 1; | 141 | return 1; |
116 | 142 | ||
117 | while (*opts && *opts != ' ' && *opts != '\t') { | 143 | while (*opts && *opts != ' ' && *opts != '\t') { |
118 | cp = "cert-authority"; | 144 | if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) { |
119 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 145 | key_is_cert_authority = r; |
120 | key_is_cert_authority = 1; | ||
121 | opts += strlen(cp); | ||
122 | goto next_option; | 146 | goto next_option; |
123 | } | 147 | } |
124 | cp = "no-port-forwarding"; | 148 | if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) { |
125 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 149 | auth_debug_add("Key is restricted."); |
126 | auth_debug_add("Port forwarding disabled."); | ||
127 | no_port_forwarding_flag = 1; | 150 | no_port_forwarding_flag = 1; |
128 | opts += strlen(cp); | 151 | no_agent_forwarding_flag = 1; |
152 | no_x11_forwarding_flag = 1; | ||
153 | no_pty_flag = 1; | ||
154 | no_user_rc = 1; | ||
129 | goto next_option; | 155 | goto next_option; |
130 | } | 156 | } |
131 | cp = "no-agent-forwarding"; | 157 | if ((r = match_flag("port-forwarding", 1, &opts, |
132 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 158 | "Port forwarding")) != -1) { |
133 | auth_debug_add("Agent forwarding disabled."); | 159 | no_port_forwarding_flag = r != 1; |
134 | no_agent_forwarding_flag = 1; | ||
135 | opts += strlen(cp); | ||
136 | goto next_option; | 160 | goto next_option; |
137 | } | 161 | } |
138 | cp = "no-X11-forwarding"; | 162 | if ((r = match_flag("agent-forwarding", 1, &opts, |
139 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 163 | "Agent forwarding")) != -1) { |
140 | auth_debug_add("X11 forwarding disabled."); | 164 | no_agent_forwarding_flag = r != 1; |
141 | no_x11_forwarding_flag = 1; | ||
142 | opts += strlen(cp); | ||
143 | goto next_option; | 165 | goto next_option; |
144 | } | 166 | } |
145 | cp = "no-pty"; | 167 | if ((r = match_flag("x11-forwarding", 1, &opts, |
146 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 168 | "X11 forwarding")) != -1) { |
147 | auth_debug_add("Pty allocation disabled."); | 169 | no_x11_forwarding_flag = r != 1; |
148 | no_pty_flag = 1; | ||
149 | opts += strlen(cp); | ||
150 | goto next_option; | 170 | goto next_option; |
151 | } | 171 | } |
152 | cp = "no-user-rc"; | 172 | if ((r = match_flag("pty", 1, &opts, |
153 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 173 | "PTY allocation")) != -1) { |
154 | auth_debug_add("User rc file execution disabled."); | 174 | no_pty_flag = r != 1; |
155 | no_user_rc = 1; | 175 | goto next_option; |
156 | opts += strlen(cp); | 176 | } |
177 | if ((r = match_flag("user-rc", 1, &opts, | ||
178 | "User rc execution")) != -1) { | ||
179 | no_user_rc = r != 1; | ||
157 | goto next_option; | 180 | goto next_option; |
158 | } | 181 | } |
159 | cp = "command=\""; | 182 | cp = "command=\""; |
160 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 183 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
161 | opts += strlen(cp); | 184 | opts += strlen(cp); |
162 | if (forced_command != NULL) | 185 | free(forced_command); |
163 | free(forced_command); | ||
164 | forced_command = xmalloc(strlen(opts) + 1); | 186 | forced_command = xmalloc(strlen(opts) + 1); |
165 | i = 0; | 187 | i = 0; |
166 | while (*opts) { | 188 | while (*opts) { |
@@ -190,8 +212,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
190 | cp = "principals=\""; | 212 | cp = "principals=\""; |
191 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 213 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
192 | opts += strlen(cp); | 214 | opts += strlen(cp); |
193 | if (authorized_principals != NULL) | 215 | free(authorized_principals); |
194 | free(authorized_principals); | ||
195 | authorized_principals = xmalloc(strlen(opts) + 1); | 216 | authorized_principals = xmalloc(strlen(opts) + 1); |
196 | i = 0; | 217 | i = 0; |
197 | while (*opts) { | 218 | while (*opts) { |
@@ -583,8 +604,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, | |||
583 | free(*cert_forced_command); | 604 | free(*cert_forced_command); |
584 | *cert_forced_command = NULL; | 605 | *cert_forced_command = NULL; |
585 | } | 606 | } |
586 | if (name != NULL) | 607 | free(name); |
587 | free(name); | ||
588 | sshbuf_free(data); | 608 | sshbuf_free(data); |
589 | sshbuf_free(c); | 609 | sshbuf_free(c); |
590 | return ret; | 610 | return ret; |
@@ -628,8 +648,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw) | |||
628 | no_user_rc |= cert_no_user_rc; | 648 | no_user_rc |= cert_no_user_rc; |
629 | /* CA-specified forced command supersedes key option */ | 649 | /* CA-specified forced command supersedes key option */ |
630 | if (cert_forced_command != NULL) { | 650 | if (cert_forced_command != NULL) { |
631 | if (forced_command != NULL) | 651 | free(forced_command); |
632 | free(forced_command); | ||
633 | forced_command = cert_forced_command; | 652 | forced_command = cert_forced_command; |
634 | } | 653 | } |
635 | return 0; | 654 | return 0; |