- OpenBSD CVS Sync

- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2010-02-27 07:55:05 +1100
committer: Damien Miller <djm@mindrot.org> 2010-02-27 07:55:05 +1100
commit: 0a80ca190a39943029719facf7edb990def7ae62 (patch)
tree: e423e30d8412de67170b8240ba919df10ed8e391 /auth-options.c
parent: d27d85d5320bb946d4bb734dcf45a8d20bad6020 (diff)
1 files changed, 149 insertions, 1 deletions
diff --git a/auth-options.c b/auth-options.c
index ab085c233..396bda62f 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.44 2009/01/22 10:09:16 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.45 2010/02/26 20:29:54 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -44,6 +44,7 @@ int no_agent_forwarding_flag = 0;
 int no_x11_forwarding_flag = 0;
 int no_pty_flag = 0;
 int no_user_rc = 0;
+int key_is_cert_authority = 0;
 /* "command=" option. */
 char *forced_command = NULL;
@@ -64,6 +65,7 @@ auth_clear_options(void)
        no_pty_flag = 0;
        no_x11_forwarding_flag = 0;
        no_user_rc = 0;
+        key_is_cert_authority = 0;
        while (custom_environment) {
                struct envstring *ce = custom_environment;
                custom_environment = ce->next;
@@ -96,6 +98,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                return 1;
        while (*opts && *opts != ' ' && *opts != '\t') {
+                cp = "cert-authority";
+                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+                        key_is_cert_authority = 1;
+                        opts += strlen(cp);
+                        goto next_option;
+                }
                cp = "no-port-forwarding";
                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
                        auth_debug_add("Port forwarding disabled.");
@@ -374,3 +382,143 @@ bad_option:
        /* deny access */
        return 0;
 }
+/*
+ * Set options from certificate constraints. These supersede user key options
+ * so this must be called after auth_parse_options().
+ */
+int
+auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
+{
+        u_char *name = NULL, *data_blob = NULL;
+        u_int len;
+        Buffer c, data;
+        int ret = -1;
+        int cert_no_port_forwarding_flag = 1;
+        int cert_no_agent_forwarding_flag = 1;
+        int cert_no_x11_forwarding_flag = 1;
+        int cert_no_pty_flag = 1;
+        int cert_no_user_rc = 1;
+        char *cert_forced_command = NULL;
+        int cert_source_address_done = 0;
+        buffer_init(&data);
+        /* Make copy to avoid altering original */
+        buffer_init(&c);
+        buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig));
+        while (buffer_len(&c) > 0) {
+                if ((name = buffer_get_string_ret(&c, NULL)) == NULL ||
+                    (data_blob = buffer_get_string_ret(&c, &len)) == NULL) {
+                        error("Certificate constraints corrupt");
+                        goto out;
+                }
+                buffer_append(&data, data_blob, len);
+                debug3("found certificate constraint \"%.100s\" len %u",
+                    name, len);
+                if (strcmp(name, "permit-X11-forwarding") == 0)
+                        cert_no_x11_forwarding_flag = 0;
+                else if (strcmp(name, "permit-agent-forwarding") == 0)
+                        cert_no_agent_forwarding_flag = 0;
+                else if (strcmp(name, "permit-port-forwarding") == 0)
+                        cert_no_port_forwarding_flag = 0;
+                else if (strcmp(name, "permit-pty") == 0)
+                        cert_no_pty_flag = 0;
+                else if (strcmp(name, "permit-user-rc") == 0)
+                        cert_no_user_rc = 0;
+                else if (strcmp(name, "force-command") == 0) {
+                        char *command = buffer_get_string_ret(&data, NULL);
+                        if (command == NULL) {
+                                error("Certificate constraint \"%s\" corrupt",
+                                    name);
+                                goto out;
+                        }
+                        if (cert_forced_command != NULL) {
+                                error("Certificate has multiple "
+                                    "forced-command constraints");
+                                xfree(command);
+                                goto out;
+                        }
+                        cert_forced_command = command;
+                } else if (strcmp(name, "source-address") == 0) {
+                        char *allowed = buffer_get_string_ret(&data, NULL);
+                        const char *remote_ip = get_remote_ipaddr();
+                        
+                        if (allowed == NULL) {
+                                error("Certificate constraint \"%s\" corrupt",
+                                    name);
+                                goto out;
+                        }
+                        if (cert_source_address_done++) {
+                                error("Certificate has multiple "
+                                    "source-address constraints");
+                                xfree(allowed);
+                                goto out;
+                        }
+                        switch (addr_match_cidr_list(remote_ip, allowed)) {
+                        case 1:
+                                /* accepted */
+                                xfree(allowed);
+                                break;
+                        case 0:
+                                /* no match */
+                                logit("Authentication tried for %.100s with "
+                                    "valid certificate but not from a "
+                                    "permitted host (ip=%.200s).",
+                                    pw->pw_name, remote_ip);
+                                auth_debug_add("Your address '%.200s' is not "
+                                    "permitted to use this certificate for "
+                                    "login.", remote_ip);
+                                xfree(allowed);
+                                goto out;
+                        case -1:
+                                error("Certificate source-address contents "
+                                    "invalid");
+                                xfree(allowed);
+                                goto out;
+                        }
+                } else {
+                        error("Certificate constraint \"%s\" is not supported",
+                            name);
+                        goto out;
+                }
+                if (buffer_len(&data) != 0) {
+                        error("Certificate constraint \"%s\" corrupt "
+                            "(extra data)", name);
+                        goto out;
+                }
+                buffer_clear(&data);
+                xfree(name);
+                xfree(data_blob);
+                name = data_blob = NULL;
+        }
+        /* successfully parsed all constraints */
+        ret = 0;
+        no_port_forwarding_flag |= cert_no_port_forwarding_flag;
+        no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
+        no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
+        no_pty_flag |= cert_no_pty_flag;
+        no_user_rc |= cert_no_user_rc;
+        /* CA-specified forced command supersedes key option */
+        if (cert_forced_command != NULL) {
+                if (forced_command != NULL)
+                        xfree(forced_command);
+                forced_command = cert_forced_command;
+        }
+        
+ out:
+        if (name != NULL)
+                xfree(name);
+        if (data_blob != NULL)
+                xfree(data_blob);
+        buffer_free(&data);
+        buffer_free(&c);
+        return ret;
+}
author	Damien Miller <djm@mindrot.org>	2010-02-27 07:55:05 +1100
committer	Damien Miller <djm@mindrot.org>	2010-02-27 07:55:05 +1100
commit	0a80ca190a39943029719facf7edb990def7ae62 (patch)
tree	e423e30d8412de67170b8240ba919df10ed8e391 /auth-options.c
parent	d27d85d5320bb946d4bb734dcf45a8d20bad6020 (diff)

diff --git a/auth-options.c b/auth-options.c index ab085c233..396bda62f 100644 --- a/auth-options.c +++ b/auth-options.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth-options.c,v 1.44 2009/01/22 10:09:16 djm Exp $ */	1	/* $OpenBSD: auth-options.c,v 1.45 2010/02/26 20:29:54 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -44,6 +44,7 @@ int no_agent_forwarding_flag = 0;
44	int no_x11_forwarding_flag = 0;	44	int no_x11_forwarding_flag = 0;
45	int no_pty_flag = 0;	45	int no_pty_flag = 0;
46	int no_user_rc = 0;	46	int no_user_rc = 0;
		47	int key_is_cert_authority = 0;
47		48
48	/* "command=" option. */	49	/* "command=" option. */
49	char *forced_command = NULL;	50	char *forced_command = NULL;
@@ -64,6 +65,7 @@ auth_clear_options(void)
64	no_pty_flag = 0;	65	no_pty_flag = 0;
65	no_x11_forwarding_flag = 0;	66	no_x11_forwarding_flag = 0;
66	no_user_rc = 0;	67	no_user_rc = 0;
		68	key_is_cert_authority = 0;
67	while (custom_environment) {	69	while (custom_environment) {
68	struct envstring *ce = custom_environment;	70	struct envstring *ce = custom_environment;
69	custom_environment = ce->next;	71	custom_environment = ce->next;
@@ -96,6 +98,12 @@ auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum)
96	return 1;	98	return 1;
97		99
98	while (opts && opts != ' ' && *opts != '\t') {	100	while (opts && opts != ' ' && *opts != '\t') {
		101	cp = "cert-authority";
		102	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
		103	key_is_cert_authority = 1;
		104	opts += strlen(cp);
		105	goto next_option;
		106	}
99	cp = "no-port-forwarding";	107	cp = "no-port-forwarding";
100	if (strncasecmp(opts, cp, strlen(cp)) == 0) {	108	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
101	auth_debug_add("Port forwarding disabled.");	109	auth_debug_add("Port forwarding disabled.");
@@ -374,3 +382,143 @@ bad_option:
374	/* deny access */	382	/* deny access */
375	return 0;	383	return 0;
376	}	384	}
		385
		386	/*
		387	* Set options from certificate constraints. These supersede user key options
		388	* so this must be called after auth_parse_options().
		389	*/
		390	int
		391	auth_cert_constraints(Buffer c_orig, struct passwd pw)
		392	{
		393	u_char name = NULL, data_blob = NULL;
		394	u_int len;
		395	Buffer c, data;
		396	int ret = -1;
		397
		398	int cert_no_port_forwarding_flag = 1;
		399	int cert_no_agent_forwarding_flag = 1;
		400	int cert_no_x11_forwarding_flag = 1;
		401	int cert_no_pty_flag = 1;
		402	int cert_no_user_rc = 1;
		403	char *cert_forced_command = NULL;
		404	int cert_source_address_done = 0;
		405
		406	buffer_init(&data);
		407
		408	/* Make copy to avoid altering original */
		409	buffer_init(&c);
		410	buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig));
		411
		412	while (buffer_len(&c) > 0) {
		413	if ((name = buffer_get_string_ret(&c, NULL)) == NULL \|\|
		414	(data_blob = buffer_get_string_ret(&c, &len)) == NULL) {
		415	error("Certificate constraints corrupt");
		416	goto out;
		417	}
		418	buffer_append(&data, data_blob, len);
		419	debug3("found certificate constraint \"%.100s\" len %u",
		420	name, len);
		421	if (strcmp(name, "permit-X11-forwarding") == 0)
		422	cert_no_x11_forwarding_flag = 0;
		423	else if (strcmp(name, "permit-agent-forwarding") == 0)
		424	cert_no_agent_forwarding_flag = 0;
		425	else if (strcmp(name, "permit-port-forwarding") == 0)
		426	cert_no_port_forwarding_flag = 0;
		427	else if (strcmp(name, "permit-pty") == 0)
		428	cert_no_pty_flag = 0;
		429	else if (strcmp(name, "permit-user-rc") == 0)
		430	cert_no_user_rc = 0;
		431	else if (strcmp(name, "force-command") == 0) {
		432	char *command = buffer_get_string_ret(&data, NULL);
		433
		434	if (command == NULL) {
		435	error("Certificate constraint \"%s\" corrupt",
		436	name);
		437	goto out;
		438	}
		439	if (cert_forced_command != NULL) {
		440	error("Certificate has multiple "
		441	"forced-command constraints");
		442	xfree(command);
		443	goto out;
		444	}
		445	cert_forced_command = command;
		446	} else if (strcmp(name, "source-address") == 0) {
		447	char *allowed = buffer_get_string_ret(&data, NULL);
		448	const char *remote_ip = get_remote_ipaddr();
		449
		450	if (allowed == NULL) {
		451	error("Certificate constraint \"%s\" corrupt",
		452	name);
		453	goto out;
		454	}
		455	if (cert_source_address_done++) {
		456	error("Certificate has multiple "
		457	"source-address constraints");
		458	xfree(allowed);
		459	goto out;
		460	}
		461	switch (addr_match_cidr_list(remote_ip, allowed)) {
		462	case 1:
		463	/* accepted */
		464	xfree(allowed);
		465	break;
		466	case 0:
		467	/* no match */
		468	logit("Authentication tried for %.100s with "
		469	"valid certificate but not from a "
		470	"permitted host (ip=%.200s).",
		471	pw->pw_name, remote_ip);
		472	auth_debug_add("Your address '%.200s' is not "
		473	"permitted to use this certificate for "
		474	"login.", remote_ip);
		475	xfree(allowed);
		476	goto out;
		477	case -1:
		478	error("Certificate source-address contents "
		479	"invalid");
		480	xfree(allowed);
		481	goto out;
		482	}
		483	} else {
		484	error("Certificate constraint \"%s\" is not supported",
		485	name);
		486	goto out;
		487	}
		488
		489	if (buffer_len(&data) != 0) {
		490	error("Certificate constraint \"%s\" corrupt "
		491	"(extra data)", name);
		492	goto out;
		493	}
		494	buffer_clear(&data);
		495	xfree(name);
		496	xfree(data_blob);
		497	name = data_blob = NULL;
		498	}
		499
		500	/* successfully parsed all constraints */
		501	ret = 0;
		502
		503	no_port_forwarding_flag \|= cert_no_port_forwarding_flag;
		504	no_agent_forwarding_flag \|= cert_no_agent_forwarding_flag;
		505	no_x11_forwarding_flag \|= cert_no_x11_forwarding_flag;
		506	no_pty_flag \|= cert_no_pty_flag;
		507	no_user_rc \|= cert_no_user_rc;
		508	/* CA-specified forced command supersedes key option */
		509	if (cert_forced_command != NULL) {
		510	if (forced_command != NULL)
		511	xfree(forced_command);
		512	forced_command = cert_forced_command;
		513	}
		514
		515	out:
		516	if (name != NULL)
		517	xfree(name);
		518	if (data_blob != NULL)
		519	xfree(data_blob);
		520	buffer_free(&data);
		521	buffer_free(&c);
		522	return ret;
		523	}
		524