author: djm@openbsd.org <djm@openbsd.org> 2015-11-16 00:30:02 +0000
committer: Damien Miller <djm@mindrot.org> 2015-11-16 11:31:41 +1100
commit: 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 (patch)
tree: 5204277775a7cbd10a88c9645024958f4a120665 /auth-options.c
parent: e41a071f7bda6af1fb3f081bed0151235fa61f15 (diff)
upstream commit
Add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. Example: restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1... Idea from Jann Horn; ok markus@ Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
Diffstat (limited to 'auth-options.c')
-rw-r--r-- auth-options.c 87
1 files changed, 57 insertions, 30 deletions
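--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.69 2015/11/16 00:30:02 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -88,6 +88,36 @@ auth_clear_options(void)
 }
 
 /*
+ * Match flag 'opt' in *optsp, and if allow_negate is set then also match
+ * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
+ * if negated option matches.
+ * If the option or negated option matches, then *optsp is updated to
+ * point to the first character after the option and, if 'msg' is not NULL
+ * then a message based on it added via auth_debug_add().
+ */
+static int
+match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
+{
+	size_t opt_len = strlen(opt);
+	char *opts = *optsp;
+	int negate = 0;
+
+	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
+		opts += 3;
+		negate = 1;
+	}
+	if (strncasecmp(opts, opt, opt_len) == 0) {
+		*optsp = opts + opt_len;
+		if (msg != NULL) {
+			auth_debug_add("%s %s.", msg,
+			    negate ? "disabled" : "enabled");
+		}
+		return negate ? 0 : 1;
+	}
+	return -1;
+}
+
+/*
  * return 1 if access is granted, 0 if not.
  * side effect: sets key option flags
  */
@@ -95,7 +125,7 @@ int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 	const char *cp;
-	int i;
+	int i, r;
 
 	/* reset options */
 	auth_clear_options();
@@ -104,45 +134,42 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		return 1;
 
 	while (*opts && *opts != ' ' && *opts != '\t') {
-		cp = "cert-authority";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			key_is_cert_authority = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
+			key_is_cert_authority = r;
 			goto next_option;
 		}
-		cp = "no-port-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Port forwarding disabled.");
+		if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
+			auth_debug_add("Key is restricted.");
 			no_port_forwarding_flag = 1;
-			opts += strlen(cp);
+			no_agent_forwarding_flag = 1;
+			no_x11_forwarding_flag = 1;
+			no_pty_flag = 1;
+			no_user_rc = 1;
 			goto next_option;
 		}
-		cp = "no-agent-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Agent forwarding disabled.");
-			no_agent_forwarding_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("port-forwarding", 1, &opts,
+		    "Port forwarding")) != -1) {
+			no_port_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-X11-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("X11 forwarding disabled.");
-			no_x11_forwarding_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("agent-forwarding", 1, &opts,
+		    "Agent forwarding")) != -1) {
+			no_agent_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-pty";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Pty allocation disabled.");
-			no_pty_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("x11-forwarding", 1, &opts,
+		    "X11 forwarding")) != -1) {
+			no_x11_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-user-rc";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("User rc file execution disabled.");
-			no_user_rc = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("pty", 1, &opts,
+		    "PTY allocation")) != -1) {
+			no_pty_flag = r != 1;
+			goto next_option;
+		}
+		if ((r = match_flag("user-rc", 1, &opts,
+		    "User rc execution")) != -1) {
+			no_user_rc = r != 1;
 			goto next_option;
 		}
 		cp = "command=\"";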
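Review bot: The `restrict` branch (new lines 141-148) is a hand-maintained list of five `no_*` assignments, so the commit message's promise that it also covers "future" restrictions rests on every later contributor remembering to extend it, and nothing in the code says so; a comment on that branch would carry the invariant: `/* NB: any new restriction flag must also be set here, so "restrict" stays maximally restrictive. */`. The per-flag assignments such as `no_pty_flag = r != 1;` overwrite unconditionally, which makes the option list order-dependent — `restrict,pty` re-enables PTY allocation while `pty,restrict` leaves it disabled — and since the example in the commit message relies on that ordering it is worth a one-line comment above the loop, e.g. `/* Options are applied left to right; a permissive flag only takes effect after "restrict". */`. Note also that match_flag compares `opt` as a prefix via strncasecmp, so whether a token like `restricted` is rejected or silently treated as `restrict` depends on the delimiter check at next_option, which is outside this hunk. The body of auth_parse_options continues past the end of the hunk.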