diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2002-03-22 02:30:41 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2002-03-22 02:30:41 +0000 |
| commit | 7a2073c50b92c053594d48a651ebafae052a71ed (patch) | |
| tree | 7cfceb925262a07a356b0667e19f33eec497b602 /auth-options.c | |
| parent | 0f345f5ee1e71e1e9f8780ec13b2da23b6a9f7f8 (diff) | |
- provos@cvs.openbsd.org 2002/03/18 17:50:31
[auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c auth-skey.c auth.h
auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c kexgex.c servconf.c
session.h servconf.h serverloop.c session.c sshd.c]
integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@
applied, but outside of ensure that smaller code bits migrated with
their owners.. no work was tried to 'fix' it to work. =) Later project!
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 80 |
1 files changed, 65 insertions, 15 deletions
diff --git a/auth-options.c b/auth-options.c index 8df6a6dfc..48be6d8e0 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include "includes.h" | 12 | #include "includes.h" |
| 13 | RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $"); | 13 | RCSID("$OpenBSD: auth-options.c,v 1.22 2002/03/18 17:50:31 provos Exp $"); |
| 14 | 14 | ||
| 15 | #include "packet.h" | 15 | #include "packet.h" |
| 16 | #include "xmalloc.h" | 16 | #include "xmalloc.h" |
| @@ -20,7 +20,13 @@ RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $"); | |||
| 20 | #include "channels.h" | 20 | #include "channels.h" |
| 21 | #include "auth-options.h" | 21 | #include "auth-options.h" |
| 22 | #include "servconf.h" | 22 | #include "servconf.h" |
| 23 | #include "bufaux.h" | ||
| 23 | #include "misc.h" | 24 | #include "misc.h" |
| 25 | #include "monitor_wrap.h" | ||
| 26 | |||
| 27 | /* Debugging messages */ | ||
| 28 | Buffer auth_debug; | ||
| 29 | int auth_debug_init; | ||
| 24 | 30 | ||
| 25 | /* Flags set authorized_keys flags */ | 31 | /* Flags set authorized_keys flags */ |
| 26 | int no_port_forwarding_flag = 0; | 32 | int no_port_forwarding_flag = 0; |
| @@ -37,8 +43,27 @@ struct envstring *custom_environment = NULL; | |||
| 37 | extern ServerOptions options; | 43 | extern ServerOptions options; |
| 38 | 44 | ||
| 39 | void | 45 | void |
| 46 | auth_send_debug(Buffer *m) | ||
| 47 | { | ||
| 48 | char *msg; | ||
| 49 | |||
| 50 | while (buffer_len(m)) { | ||
| 51 | msg = buffer_get_string(m, NULL); | ||
| 52 | packet_send_debug("%s", msg); | ||
| 53 | xfree(msg); | ||
| 54 | } | ||
| 55 | } | ||
| 56 | |||
| 57 | void | ||
| 40 | auth_clear_options(void) | 58 | auth_clear_options(void) |
| 41 | { | 59 | { |
| 60 | if (auth_debug_init) | ||
| 61 | buffer_clear(&auth_debug); | ||
| 62 | else { | ||
| 63 | buffer_init(&auth_debug); | ||
| 64 | auth_debug_init = 1; | ||
| 65 | } | ||
| 66 | |||
| 42 | no_agent_forwarding_flag = 0; | 67 | no_agent_forwarding_flag = 0; |
| 43 | no_port_forwarding_flag = 0; | 68 | no_port_forwarding_flag = 0; |
| 44 | no_pty_flag = 0; | 69 | no_pty_flag = 0; |
| @@ -63,6 +88,7 @@ auth_clear_options(void) | |||
| 63 | int | 88 | int |
| 64 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 89 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
| 65 | { | 90 | { |
| 91 | char tmp[1024]; | ||
| 66 | const char *cp; | 92 | const char *cp; |
| 67 | int i; | 93 | int i; |
| 68 | 94 | ||
| @@ -75,28 +101,32 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 75 | while (*opts && *opts != ' ' && *opts != '\t') { | 101 | while (*opts && *opts != ' ' && *opts != '\t') { |
| 76 | cp = "no-port-forwarding"; | 102 | cp = "no-port-forwarding"; |
| 77 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 103 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 78 | packet_send_debug("Port forwarding disabled."); | 104 | snprintf(tmp, sizeof(tmp), "Port forwarding disabled."); |
| 105 | buffer_put_cstring(&auth_debug, tmp); | ||
| 79 | no_port_forwarding_flag = 1; | 106 | no_port_forwarding_flag = 1; |
| 80 | opts += strlen(cp); | 107 | opts += strlen(cp); |
| 81 | goto next_option; | 108 | goto next_option; |
| 82 | } | 109 | } |
| 83 | cp = "no-agent-forwarding"; | 110 | cp = "no-agent-forwarding"; |
| 84 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 111 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 85 | packet_send_debug("Agent forwarding disabled."); | 112 | snprintf(tmp, sizeof(tmp), "Agent forwarding disabled."); |
| 113 | buffer_put_cstring(&auth_debug, tmp); | ||
| 86 | no_agent_forwarding_flag = 1; | 114 | no_agent_forwarding_flag = 1; |
| 87 | opts += strlen(cp); | 115 | opts += strlen(cp); |
| 88 | goto next_option; | 116 | goto next_option; |
| 89 | } | 117 | } |
| 90 | cp = "no-X11-forwarding"; | 118 | cp = "no-X11-forwarding"; |
| 91 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 119 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 92 | packet_send_debug("X11 forwarding disabled."); | 120 | snprintf(tmp, sizeof(tmp), "X11 forwarding disabled."); |
| 121 | buffer_put_cstring(&auth_debug, tmp); | ||
| 93 | no_x11_forwarding_flag = 1; | 122 | no_x11_forwarding_flag = 1; |
| 94 | opts += strlen(cp); | 123 | opts += strlen(cp); |
| 95 | goto next_option; | 124 | goto next_option; |
| 96 | } | 125 | } |
| 97 | cp = "no-pty"; | 126 | cp = "no-pty"; |
| 98 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 127 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 99 | packet_send_debug("Pty allocation disabled."); | 128 | snprintf(tmp, sizeof(tmp), "Pty allocation disabled."); |
| 129 | buffer_put_cstring(&auth_debug, tmp); | ||
| 100 | no_pty_flag = 1; | 130 | no_pty_flag = 1; |
| 101 | opts += strlen(cp); | 131 | opts += strlen(cp); |
| 102 | goto next_option; | 132 | goto next_option; |
| @@ -119,14 +149,16 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 119 | if (!*opts) { | 149 | if (!*opts) { |
| 120 | debug("%.100s, line %lu: missing end quote", | 150 | debug("%.100s, line %lu: missing end quote", |
| 121 | file, linenum); | 151 | file, linenum); |
| 122 | packet_send_debug("%.100s, line %lu: missing end quote", | 152 | snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", |
| 123 | file, linenum); | 153 | file, linenum); |
| 154 | buffer_put_cstring(&auth_debug, tmp); | ||
| 124 | xfree(forced_command); | 155 | xfree(forced_command); |
| 125 | forced_command = NULL; | 156 | forced_command = NULL; |
| 126 | goto bad_option; | 157 | goto bad_option; |
| 127 | } | 158 | } |
| 128 | forced_command[i] = 0; | 159 | forced_command[i] = 0; |
| 129 | packet_send_debug("Forced command: %.900s", forced_command); | 160 | snprintf(tmp, sizeof(tmp), "Forced command: %.900s", forced_command); |
| 161 | buffer_put_cstring(&auth_debug, tmp); | ||
| 130 | opts++; | 162 | opts++; |
| 131 | goto next_option; | 163 | goto next_option; |
| 132 | } | 164 | } |
| @@ -151,13 +183,15 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 151 | if (!*opts) { | 183 | if (!*opts) { |
| 152 | debug("%.100s, line %lu: missing end quote", | 184 | debug("%.100s, line %lu: missing end quote", |
| 153 | file, linenum); | 185 | file, linenum); |
| 154 | packet_send_debug("%.100s, line %lu: missing end quote", | 186 | snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", |
| 155 | file, linenum); | 187 | file, linenum); |
| 188 | buffer_put_cstring(&auth_debug, tmp); | ||
| 156 | xfree(s); | 189 | xfree(s); |
| 157 | goto bad_option; | 190 | goto bad_option; |
| 158 | } | 191 | } |
| 159 | s[i] = 0; | 192 | s[i] = 0; |
| 160 | packet_send_debug("Adding to environment: %.900s", s); | 193 | snprintf(tmp, sizeof(tmp), "Adding to environment: %.900s", s); |
| 194 | buffer_put_cstring(&auth_debug, tmp); | ||
| 161 | debug("Adding to environment: %.900s", s); | 195 | debug("Adding to environment: %.900s", s); |
| 162 | opts++; | 196 | opts++; |
| 163 | new_envstring = xmalloc(sizeof(struct envstring)); | 197 | new_envstring = xmalloc(sizeof(struct envstring)); |
| @@ -188,8 +222,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 188 | if (!*opts) { | 222 | if (!*opts) { |
| 189 | debug("%.100s, line %lu: missing end quote", | 223 | debug("%.100s, line %lu: missing end quote", |
| 190 | file, linenum); | 224 | file, linenum); |
| 191 | packet_send_debug("%.100s, line %lu: missing end quote", | 225 | snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", |
| 192 | file, linenum); | 226 | file, linenum); |
| 227 | buffer_put_cstring(&auth_debug, tmp); | ||
| 193 | xfree(patterns); | 228 | xfree(patterns); |
| 194 | goto bad_option; | 229 | goto bad_option; |
| 195 | } | 230 | } |
| @@ -202,9 +237,11 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 202 | "correct key but not from a permitted " | 237 | "correct key but not from a permitted " |
| 203 | "host (host=%.200s, ip=%.200s).", | 238 | "host (host=%.200s, ip=%.200s).", |
| 204 | pw->pw_name, remote_host, remote_ip); | 239 | pw->pw_name, remote_host, remote_ip); |
| 205 | packet_send_debug("Your host '%.200s' is not " | 240 | snprintf(tmp, sizeof(tmp), |
| 241 | "Your host '%.200s' is not " | ||
| 206 | "permitted to use this key for login.", | 242 | "permitted to use this key for login.", |
| 207 | remote_host); | 243 | remote_host); |
| 244 | buffer_put_cstring(&auth_debug, tmp); | ||
| 208 | /* deny access */ | 245 | /* deny access */ |
| 209 | return 0; | 246 | return 0; |
| 210 | } | 247 | } |
| @@ -233,8 +270,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 233 | if (!*opts) { | 270 | if (!*opts) { |
| 234 | debug("%.100s, line %lu: missing end quote", | 271 | debug("%.100s, line %lu: missing end quote", |
| 235 | file, linenum); | 272 | file, linenum); |
| 236 | packet_send_debug("%.100s, line %lu: missing end quote", | 273 | snprintf(tmp, sizeof(tmp), "%.100s, line %lu: missing end quote", |
| 237 | file, linenum); | 274 | file, linenum); |
| 275 | buffer_put_cstring(&auth_debug, tmp); | ||
| 238 | xfree(patterns); | 276 | xfree(patterns); |
| 239 | goto bad_option; | 277 | goto bad_option; |
| 240 | } | 278 | } |
| @@ -244,16 +282,18 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 244 | sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { | 282 | sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { |
| 245 | debug("%.100s, line %lu: Bad permitopen specification " | 283 | debug("%.100s, line %lu: Bad permitopen specification " |
| 246 | "<%.100s>", file, linenum, patterns); | 284 | "<%.100s>", file, linenum, patterns); |
| 247 | packet_send_debug("%.100s, line %lu: " | 285 | snprintf(tmp, sizeof(tmp), "%.100s, line %lu: " |
| 248 | "Bad permitopen specification", file, linenum); | 286 | "Bad permitopen specification", file, linenum); |
| 287 | buffer_put_cstring(&auth_debug, tmp); | ||
| 249 | xfree(patterns); | 288 | xfree(patterns); |
| 250 | goto bad_option; | 289 | goto bad_option; |
| 251 | } | 290 | } |
| 252 | if ((port = a2port(sport)) == 0) { | 291 | if ((port = a2port(sport)) == 0) { |
| 253 | debug("%.100s, line %lu: Bad permitopen port <%.100s>", | 292 | debug("%.100s, line %lu: Bad permitopen port <%.100s>", |
| 254 | file, linenum, sport); | 293 | file, linenum, sport); |
| 255 | packet_send_debug("%.100s, line %lu: " | 294 | snprintf(tmp, sizeof(tmp), "%.100s, line %lu: " |
| 256 | "Bad permitopen port", file, linenum); | 295 | "Bad permitopen port", file, linenum); |
| 296 | buffer_put_cstring(&auth_debug, tmp); | ||
| 257 | xfree(patterns); | 297 | xfree(patterns); |
| 258 | goto bad_option; | 298 | goto bad_option; |
| 259 | } | 299 | } |
| @@ -276,14 +316,24 @@ next_option: | |||
| 276 | opts++; | 316 | opts++; |
| 277 | /* Process the next option. */ | 317 | /* Process the next option. */ |
| 278 | } | 318 | } |
| 319 | |||
| 320 | if (!use_privsep) | ||
| 321 | auth_send_debug(&auth_debug); | ||
| 322 | |||
| 279 | /* grant access */ | 323 | /* grant access */ |
| 280 | return 1; | 324 | return 1; |
| 281 | 325 | ||
| 282 | bad_option: | 326 | bad_option: |
| 283 | log("Bad options in %.100s file, line %lu: %.50s", | 327 | log("Bad options in %.100s file, line %lu: %.50s", |
| 284 | file, linenum, opts); | 328 | file, linenum, opts); |
| 285 | packet_send_debug("Bad options in %.100s file, line %lu: %.50s", | 329 | snprintf(tmp, sizeof(tmp), |
| 330 | "Bad options in %.100s file, line %lu: %.50s", | ||
| 286 | file, linenum, opts); | 331 | file, linenum, opts); |
| 332 | buffer_put_cstring(&auth_debug, tmp); | ||
| 333 | |||
| 334 | if (!use_privsep) | ||
| 335 | auth_send_debug(&auth_debug); | ||
| 336 | |||
| 287 | /* deny access */ | 337 | /* deny access */ |
| 288 | return 0; | 338 | return 0; |
| 289 | } | 339 | } |