diff options
| author | Damien Miller <djm@mindrot.org> | 2001-02-04 23:20:18 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2001-02-04 23:20:18 +1100 |
| commit | 33804263583e82fb7e6e36477fe63ebd14f15ecb (patch) | |
| tree | 90d891bedf231b49acdd91f456d58a4142070bd6 /auth-options.c | |
| parent | 45cb2937bc8a74c1e1f7da3b35ad4319d3033baf (diff) | |
NB: big update - may break stuff. Please test!
- (djm) OpenBSD CVS sync:
- markus@cvs.openbsd.org 2001/02/03 03:08:38
[auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c]
[canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8]
[sshd_config]
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
- markus@cvs.openbsd.org 2001/02/03 03:19:51
[ssh.1 sshd.8 sshd_config]
Skey is now called ChallengeResponse
- markus@cvs.openbsd.org 2001/02/03 03:43:09
[sshd.8]
use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean
channel. note from Erik.Anggard@cygate.se (pr/1659)
- stevesk@cvs.openbsd.org 2001/02/03 10:03:06
[ssh.1]
typos; ok markus@
- djm@cvs.openbsd.org 2001/02/04 04:11:56
[scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h]
[sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c]
Basic interactive sftp client; ok theo@
- (djm) Update RPM specs for new sftp binary
- (djm) Update several bits for new optional reverse lookup stuff. I
think I got them all.
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 122 |
1 files changed, 65 insertions, 57 deletions
diff --git a/auth-options.c b/auth-options.c index 5457d9b14..04d2f085f 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include "includes.h" | 12 | #include "includes.h" |
| 13 | RCSID("$OpenBSD: auth-options.c,v 1.11 2001/01/21 19:05:41 markus Exp $"); | 13 | RCSID("$OpenBSD: auth-options.c,v 1.12 2001/02/03 10:08:36 markus Exp $"); |
| 14 | 14 | ||
| 15 | #include "packet.h" | 15 | #include "packet.h" |
| 16 | #include "xmalloc.h" | 16 | #include "xmalloc.h" |
| @@ -18,6 +18,7 @@ RCSID("$OpenBSD: auth-options.c,v 1.11 2001/01/21 19:05:41 markus Exp $"); | |||
| 18 | #include "log.h" | 18 | #include "log.h" |
| 19 | #include "canohost.h" | 19 | #include "canohost.h" |
| 20 | #include "auth-options.h" | 20 | #include "auth-options.h" |
| 21 | #include "servconf.h" | ||
| 21 | 22 | ||
| 22 | /* Flags set authorized_keys flags */ | 23 | /* Flags set authorized_keys flags */ |
| 23 | int no_port_forwarding_flag = 0; | 24 | int no_port_forwarding_flag = 0; |
| @@ -31,6 +32,8 @@ char *forced_command = NULL; | |||
| 31 | /* "environment=" options. */ | 32 | /* "environment=" options. */ |
| 32 | struct envstring *custom_environment = NULL; | 33 | struct envstring *custom_environment = NULL; |
| 33 | 34 | ||
| 35 | extern ServerOptions options; | ||
| 36 | |||
| 34 | void | 37 | void |
| 35 | auth_clear_options(void) | 38 | auth_clear_options(void) |
| 36 | { | 39 | { |
| @@ -55,61 +58,61 @@ auth_clear_options(void) | |||
| 55 | * side effect: sets key option flags | 58 | * side effect: sets key option flags |
| 56 | */ | 59 | */ |
| 57 | int | 60 | int |
| 58 | auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum) | 61 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
| 59 | { | 62 | { |
| 60 | const char *cp; | 63 | const char *cp; |
| 61 | if (!options) | 64 | if (!opts) |
| 62 | return 1; | 65 | return 1; |
| 63 | 66 | ||
| 64 | /* reset options */ | 67 | /* reset options */ |
| 65 | auth_clear_options(); | 68 | auth_clear_options(); |
| 66 | 69 | ||
| 67 | while (*options && *options != ' ' && *options != '\t') { | 70 | while (*opts && *opts != ' ' && *opts != '\t') { |
| 68 | cp = "no-port-forwarding"; | 71 | cp = "no-port-forwarding"; |
| 69 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 72 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 70 | packet_send_debug("Port forwarding disabled."); | 73 | packet_send_debug("Port forwarding disabled."); |
| 71 | no_port_forwarding_flag = 1; | 74 | no_port_forwarding_flag = 1; |
| 72 | options += strlen(cp); | 75 | opts += strlen(cp); |
| 73 | goto next_option; | 76 | goto next_option; |
| 74 | } | 77 | } |
| 75 | cp = "no-agent-forwarding"; | 78 | cp = "no-agent-forwarding"; |
| 76 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 79 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 77 | packet_send_debug("Agent forwarding disabled."); | 80 | packet_send_debug("Agent forwarding disabled."); |
| 78 | no_agent_forwarding_flag = 1; | 81 | no_agent_forwarding_flag = 1; |
| 79 | options += strlen(cp); | 82 | opts += strlen(cp); |
| 80 | goto next_option; | 83 | goto next_option; |
| 81 | } | 84 | } |
| 82 | cp = "no-X11-forwarding"; | 85 | cp = "no-X11-forwarding"; |
| 83 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 86 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 84 | packet_send_debug("X11 forwarding disabled."); | 87 | packet_send_debug("X11 forwarding disabled."); |
| 85 | no_x11_forwarding_flag = 1; | 88 | no_x11_forwarding_flag = 1; |
| 86 | options += strlen(cp); | 89 | opts += strlen(cp); |
| 87 | goto next_option; | 90 | goto next_option; |
| 88 | } | 91 | } |
| 89 | cp = "no-pty"; | 92 | cp = "no-pty"; |
| 90 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 93 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 91 | packet_send_debug("Pty allocation disabled."); | 94 | packet_send_debug("Pty allocation disabled."); |
| 92 | no_pty_flag = 1; | 95 | no_pty_flag = 1; |
| 93 | options += strlen(cp); | 96 | opts += strlen(cp); |
| 94 | goto next_option; | 97 | goto next_option; |
| 95 | } | 98 | } |
| 96 | cp = "command=\""; | 99 | cp = "command=\""; |
| 97 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 100 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 98 | int i; | 101 | int i; |
| 99 | options += strlen(cp); | 102 | opts += strlen(cp); |
| 100 | forced_command = xmalloc(strlen(options) + 1); | 103 | forced_command = xmalloc(strlen(opts) + 1); |
| 101 | i = 0; | 104 | i = 0; |
| 102 | while (*options) { | 105 | while (*opts) { |
| 103 | if (*options == '"') | 106 | if (*opts == '"') |
| 104 | break; | 107 | break; |
| 105 | if (*options == '\\' && options[1] == '"') { | 108 | if (*opts == '\\' && opts[1] == '"') { |
| 106 | options += 2; | 109 | opts += 2; |
| 107 | forced_command[i++] = '"'; | 110 | forced_command[i++] = '"'; |
| 108 | continue; | 111 | continue; |
| 109 | } | 112 | } |
| 110 | forced_command[i++] = *options++; | 113 | forced_command[i++] = *opts++; |
| 111 | } | 114 | } |
| 112 | if (!*options) { | 115 | if (!*opts) { |
| 113 | debug("%.100s, line %lu: missing end quote", | 116 | debug("%.100s, line %lu: missing end quote", |
| 114 | file, linenum); | 117 | file, linenum); |
| 115 | packet_send_debug("%.100s, line %lu: missing end quote", | 118 | packet_send_debug("%.100s, line %lu: missing end quote", |
| @@ -118,28 +121,28 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum) | |||
| 118 | } | 121 | } |
| 119 | forced_command[i] = 0; | 122 | forced_command[i] = 0; |
| 120 | packet_send_debug("Forced command: %.900s", forced_command); | 123 | packet_send_debug("Forced command: %.900s", forced_command); |
| 121 | options++; | 124 | opts++; |
| 122 | goto next_option; | 125 | goto next_option; |
| 123 | } | 126 | } |
| 124 | cp = "environment=\""; | 127 | cp = "environment=\""; |
| 125 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 128 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 126 | int i; | 129 | int i; |
| 127 | char *s; | 130 | char *s; |
| 128 | struct envstring *new_envstring; | 131 | struct envstring *new_envstring; |
| 129 | options += strlen(cp); | 132 | opts += strlen(cp); |
| 130 | s = xmalloc(strlen(options) + 1); | 133 | s = xmalloc(strlen(opts) + 1); |
| 131 | i = 0; | 134 | i = 0; |
| 132 | while (*options) { | 135 | while (*opts) { |
| 133 | if (*options == '"') | 136 | if (*opts == '"') |
| 134 | break; | 137 | break; |
| 135 | if (*options == '\\' && options[1] == '"') { | 138 | if (*opts == '\\' && opts[1] == '"') { |
| 136 | options += 2; | 139 | opts += 2; |
| 137 | s[i++] = '"'; | 140 | s[i++] = '"'; |
| 138 | continue; | 141 | continue; |
| 139 | } | 142 | } |
| 140 | s[i++] = *options++; | 143 | s[i++] = *opts++; |
| 141 | } | 144 | } |
| 142 | if (!*options) { | 145 | if (!*opts) { |
| 143 | debug("%.100s, line %lu: missing end quote", | 146 | debug("%.100s, line %lu: missing end quote", |
| 144 | file, linenum); | 147 | file, linenum); |
| 145 | packet_send_debug("%.100s, line %lu: missing end quote", | 148 | packet_send_debug("%.100s, line %lu: missing end quote", |
| @@ -149,7 +152,7 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum) | |||
| 149 | s[i] = 0; | 152 | s[i] = 0; |
| 150 | packet_send_debug("Adding to environment: %.900s", s); | 153 | packet_send_debug("Adding to environment: %.900s", s); |
| 151 | debug("Adding to environment: %.900s", s); | 154 | debug("Adding to environment: %.900s", s); |
| 152 | options++; | 155 | opts++; |
| 153 | new_envstring = xmalloc(sizeof(struct envstring)); | 156 | new_envstring = xmalloc(sizeof(struct envstring)); |
| 154 | new_envstring->s = s; | 157 | new_envstring->s = s; |
| 155 | new_envstring->next = custom_environment; | 158 | new_envstring->next = custom_environment; |
| @@ -157,23 +160,26 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum) | |||
| 157 | goto next_option; | 160 | goto next_option; |
| 158 | } | 161 | } |
| 159 | cp = "from=\""; | 162 | cp = "from=\""; |
| 160 | if (strncasecmp(options, cp, strlen(cp)) == 0) { | 163 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 161 | int mname, mip; | 164 | int mname, mip; |
| 162 | char *patterns = xmalloc(strlen(options) + 1); | 165 | const char *remote_ip = get_remote_ipaddr(); |
| 166 | const char *remote_host = get_canonical_hostname( | ||
| 167 | options.reverse_mapping_check); | ||
| 168 | char *patterns = xmalloc(strlen(opts) + 1); | ||
| 163 | int i; | 169 | int i; |
| 164 | options += strlen(cp); | 170 | opts += strlen(cp); |
| 165 | i = 0; | 171 | i = 0; |
| 166 | while (*options) { | 172 | while (*opts) { |
| 167 | if (*options == '"') | 173 | if (*opts == '"') |
| 168 | break; | 174 | break; |
| 169 | if (*options == '\\' && options[1] == '"') { | 175 | if (*opts == '\\' && opts[1] == '"') { |
| 170 | options += 2; | 176 | opts += 2; |
| 171 | patterns[i++] = '"'; | 177 | patterns[i++] = '"'; |
| 172 | continue; | 178 | continue; |
| 173 | } | 179 | } |
| 174 | patterns[i++] = *options++; | 180 | patterns[i++] = *opts++; |
| 175 | } | 181 | } |
| 176 | if (!*options) { | 182 | if (!*opts) { |
| 177 | debug("%.100s, line %lu: missing end quote", | 183 | debug("%.100s, line %lu: missing end quote", |
| 178 | file, linenum); | 184 | file, linenum); |
| 179 | packet_send_debug("%.100s, line %lu: missing end quote", | 185 | packet_send_debug("%.100s, line %lu: missing end quote", |
| @@ -181,24 +187,26 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum) | |||
| 181 | continue; | 187 | continue; |
| 182 | } | 188 | } |
| 183 | patterns[i] = 0; | 189 | patterns[i] = 0; |
| 184 | options++; | 190 | opts++; |
| 185 | /* | 191 | /* |
| 186 | * Deny access if we get a negative | 192 | * Deny access if we get a negative |
| 187 | * match for the hostname or the ip | 193 | * match for the hostname or the ip |
| 188 | * or if we get not match at all | 194 | * or if we get not match at all |
| 189 | */ | 195 | */ |
| 190 | mname = match_hostname(get_canonical_hostname(), | 196 | mname = match_hostname(remote_host, patterns, |
| 191 | patterns, strlen(patterns)); | 197 | strlen(patterns)); |
| 192 | mip = match_hostname(get_remote_ipaddr(), | 198 | mip = match_hostname(remote_ip, patterns, |
| 193 | patterns, strlen(patterns)); | 199 | strlen(patterns)); |
| 194 | xfree(patterns); | 200 | xfree(patterns); |
| 195 | if (mname == -1 || mip == -1 || | 201 | if (mname == -1 || mip == -1 || |
| 196 | (mname != 1 && mip != 1)) { | 202 | (mname != 1 && mip != 1)) { |
| 197 | log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", | 203 | log("Authentication tried for %.100s with " |
| 198 | pw->pw_name, get_canonical_hostname(), | 204 | "correct key but not from a permitted " |
| 199 | get_remote_ipaddr()); | 205 | "host (host=%.200s, ip=%.200s).", |
| 200 | packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", | 206 | pw->pw_name, remote_host, remote_ip); |
| 201 | get_canonical_hostname()); | 207 | packet_send_debug("Your host '%.200s' is not " |
| 208 | "permitted to use this key for login.", | ||
| 209 | remote_host); | ||
| 202 | /* deny access */ | 210 | /* deny access */ |
| 203 | return 0; | 211 | return 0; |
| 204 | } | 212 | } |
| @@ -210,13 +218,13 @@ next_option: | |||
| 210 | * Skip the comma, and move to the next option | 218 | * Skip the comma, and move to the next option |
| 211 | * (or break out if there are no more). | 219 | * (or break out if there are no more). |
| 212 | */ | 220 | */ |
| 213 | if (!*options) | 221 | if (!*opts) |
| 214 | fatal("Bugs in auth-options.c option processing."); | 222 | fatal("Bugs in auth-options.c option processing."); |
| 215 | if (*options == ' ' || *options == '\t') | 223 | if (*opts == ' ' || *opts == '\t') |
| 216 | break; /* End of options. */ | 224 | break; /* End of options. */ |
| 217 | if (*options != ',') | 225 | if (*opts != ',') |
| 218 | goto bad_option; | 226 | goto bad_option; |
| 219 | options++; | 227 | opts++; |
| 220 | /* Process the next option. */ | 228 | /* Process the next option. */ |
| 221 | } | 229 | } |
| 222 | /* grant access */ | 230 | /* grant access */ |
| @@ -224,9 +232,9 @@ next_option: | |||
| 224 | 232 | ||
| 225 | bad_option: | 233 | bad_option: |
| 226 | log("Bad options in %.100s file, line %lu: %.50s", | 234 | log("Bad options in %.100s file, line %lu: %.50s", |
| 227 | file, linenum, options); | 235 | file, linenum, opts); |
| 228 | packet_send_debug("Bad options in %.100s file, line %lu: %.50s", | 236 | packet_send_debug("Bad options in %.100s file, line %lu: %.50s", |
| 229 | file, linenum, options); | 237 | file, linenum, opts); |
| 230 | /* deny access */ | 238 | /* deny access */ |
| 231 | return 0; | 239 | return 0; |
| 232 | } | 240 | } |