author | djm@openbsd.org <djm@openbsd.org> | 2015-11-16 00:30:02 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-11-16 11:31:41 +1100 |
commit | 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 (patch) | |
tree | 5204277775a7cbd10a88c9645024958f4a120665 /auth-options.c | |
parent | e41a071f7bda6af1fb3f081bed0151235fa61f15 (diff) |
upstream commit
Add a new authorized_keys option "restrict" that
includes all current and future key restrictions (no-*-forwarding, etc). Also
add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
This simplifies the task of setting up restricted keys and ensures they are
maximally-restricted, regardless of any permissions we might implement in the
future.
Example:
restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
Idea from Jann Horn; ok markus@
Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 87 |
1 files changed, 57 insertions, 30 deletions
diff --git a/auth-options.c b/auth-options.c index e387697d3..cb68802de 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.69 2015/11/16 00:30:02 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -88,6 +88,36 @@ auth_clear_options(void) | |||
88 | } | 88 | } |
89 | 89 | ||
90 | /* | 90 | /* |
91 | * Match flag 'opt' in *optsp, and if allow_negate is set then also match | ||
92 | * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0 | ||
93 | * if negated option matches. | ||
94 | * If the option or negated option matches, then *optsp is updated to | ||
95 | * point to the first character after the option and, if 'msg' is not NULL | ||
96 | * then a message based on it added via auth_debug_add(). | ||
97 | */ | ||
98 | static int | ||
99 | match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) | ||
100 | { | ||
101 | size_t opt_len = strlen(opt); | ||
102 | char *opts = *optsp; | ||
103 | int negate = 0; | ||
104 | |||
105 | if (allow_negate && strncasecmp(opts, "no-", 3) == 0) { | ||
106 | opts += 3; | ||
107 | negate = 1; | ||
108 | } | ||
109 | if (strncasecmp(opts, opt, opt_len) == 0) { | ||
110 | *optsp = opts + opt_len; | ||
111 | if (msg != NULL) { | ||
112 | auth_debug_add("%s %s.", msg, | ||
113 | negate ? "disabled" : "enabled"); | ||
114 | } | ||
115 | return negate ? 0 : 1; | ||
116 | } | ||
117 | return -1; | ||
118 | } | ||
119 | |||
120 | /* | ||
91 | * return 1 if access is granted, 0 if not. | 121 | * return 1 if access is granted, 0 if not. |
92 | * side effect: sets key option flags | 122 | * side effect: sets key option flags |
93 | */ | 123 | */ |
@@ -95,7 +125,7 @@ int | |||
95 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 125 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
96 | { | 126 | { |
97 | const char *cp; | 127 | const char *cp; |
98 | int i; | 128 | int i, r; |
99 | 129 | ||
100 | /* reset options */ | 130 | /* reset options */ |
101 | auth_clear_options(); | 131 | auth_clear_options(); |
@@ -104,45 +134,42 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
104 | return 1; | 134 | return 1; |
105 | 135 | ||
106 | while (*opts && *opts != ' ' && *opts != '\t') { | 136 | while (*opts && *opts != ' ' && *opts != '\t') { |
107 | cp = "cert-authority"; | 137 | if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) { |
108 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 138 | key_is_cert_authority = r; |
109 | key_is_cert_authority = 1; | ||
110 | opts += strlen(cp); | ||
111 | goto next_option; | 139 | goto next_option; |
112 | } | 140 | } |
113 | cp = "no-port-forwarding"; | 141 | if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) { |
114 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 142 | auth_debug_add("Key is restricted."); |
115 | auth_debug_add("Port forwarding disabled."); | ||
116 | no_port_forwarding_flag = 1; | 143 | no_port_forwarding_flag = 1; |
117 | opts += strlen(cp); | 144 | no_agent_forwarding_flag = 1; |
145 | no_x11_forwarding_flag = 1; | ||
146 | no_pty_flag = 1; | ||
147 | no_user_rc = 1; | ||
118 | goto next_option; | 148 | goto next_option; |
119 | } | 149 | } |
120 | cp = "no-agent-forwarding"; | 150 | if ((r = match_flag("port-forwarding", 1, &opts, |
121 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 151 | "Port forwarding")) != -1) { |
122 | auth_debug_add("Agent forwarding disabled."); | 152 | no_port_forwarding_flag = r != 1; |
123 | no_agent_forwarding_flag = 1; | ||
124 | opts += strlen(cp); | ||
125 | goto next_option; | 153 | goto next_option; |
126 | } | 154 | } |
127 | cp = "no-X11-forwarding"; | 155 | if ((r = match_flag("agent-forwarding", 1, &opts, |
128 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 156 | "Agent forwarding")) != -1) { |
129 | auth_debug_add("X11 forwarding disabled."); | 157 | no_agent_forwarding_flag = r != 1; |
130 | no_x11_forwarding_flag = 1; | ||
131 | opts += strlen(cp); | ||
132 | goto next_option; | 158 | goto next_option; |
133 | } | 159 | } |
134 | cp = "no-pty"; | 160 | if ((r = match_flag("x11-forwarding", 1, &opts, |
135 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 161 | "X11 forwarding")) != -1) { |
136 | auth_debug_add("Pty allocation disabled."); | 162 | no_x11_forwarding_flag = r != 1; |
137 | no_pty_flag = 1; | ||
138 | opts += strlen(cp); | ||
139 | goto next_option; | 163 | goto next_option; |
140 | } | 164 | } |
141 | cp = "no-user-rc"; | 165 | if ((r = match_flag("pty", 1, &opts, |
142 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 166 | "PTY allocation")) != -1) { |
143 | auth_debug_add("User rc file execution disabled."); | 167 | no_pty_flag = r != 1; |
144 | no_user_rc = 1; | 168 | goto next_option; |
145 | opts += strlen(cp); | 169 | } |
170 | if ((r = match_flag("user-rc", 1, &opts, | ||
171 | "User rc execution")) != -1) { | ||
172 | no_user_rc = r != 1; | ||
146 | goto next_option; | 173 | goto next_option; |
147 | } | 174 | } |
148 | cp = "command=\""; | 175 | cp = "command=\""; |
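Review bot: The "restrict" branch at new lines 141-147 is the one place that must be kept in step with every future restriction flag, yet nothing at the branch says so; a maintainer who adds a new `no_*` flag to this parser and forgets to set it here makes "restrict" silently stop being maximal, which is exactly what the commit sets out to prevent. I would add a comment above `no_port_forwarding_flag = 1;` in that branch: `/* Must set every restriction flag this parser knows; update this when adding a new one so "restrict" stays maximal. */`. Separately, match_flag compares only the first opt_len bytes (`strncasecmp(opts, opt, opt_len)`), so "ptyx" is accepted as "pty" with the trailing text left in *optsp; presumably the next_option handling (outside this hunk) rejects the stray characters, and the match_flag header comment could state that the caller is responsible for validating what follows the matched flag. Since r can only be 0 or 1 once -1 is excluded, `no_pty_flag = r != 1;` reads more directly as `no_pty_flag = !r;` (likewise for the other four negatable flags). auth_parse_options continues past the end of this hunk.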