authorDamien Miller <djm@mindrot.org>2000-06-18 14:50:44 +1000
committerDamien Miller <djm@mindrot.org>2000-06-18 14:50:44 +1000
commitf6d9e2218998559cb67aad55d3f4a0bf53600c41 (patch)
tree87ea430020c66c697e065c164951b3f74b730b76 /auth-rsa.c
parent7b22d65034ac280e0b4eaa857c71b17ee3ad7d99 (diff)
- OpenBSD CVS updates:
- deraadt@cvs.openbsd.org 2000/06/17 09:58:46 [channels.c] everyone says "nix it" (remove protocol 2 debugging message) - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] allow extended server banners - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] missing atomicio, typo - jakob@cvs.openbsd.org 2000/06/17 16:52:34 [servconf.c servconf.h session.c sshd.8 sshd_config] add support for ssh v2 subsystems. ok markus@. - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 [readconf.c servconf.c] include = in WHITESPACE; markus ok - markus@cvs.openbsd.org 2000/06/17 19:09:10 [auth2.c] implement bug compatibility with ssh-2.0.13 pubkey, server side - markus@cvs.openbsd.org 2000/06/17 21:00:28 [compat.c] initial support for ssh.com's 2.2.0 - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] typo - markus@cvs.openbsd.org 2000/06/17 22:05:02 [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] split auth-rsa option parsing into auth-options add options support to authorized_keys2 - markus@cvs.openbsd.org 2000/06/17 22:42:54 [session.c] typo
Diffstat (limited to 'auth-rsa.c')
-rw-r--r--auth-rsa.c199
1 files changed, 3 insertions, 196 deletions
diff --git a/auth-rsa.c b/auth-rsa.c
index f01c5c920..546e1d845 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
16 */ 16 */
17 17
18#include "includes.h" 18#include "includes.h"
19RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $"); 19RCSID("$Id: auth-rsa.c,v 1.21 2000/06/18 04:50:44 djm Exp $");
20 20
21#include "rsa.h" 21#include "rsa.h"
22#include "packet.h" 22#include "packet.h"
@@ -26,18 +26,11 @@ RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
26#include "uidswap.h" 26#include "uidswap.h"
27#include "match.h" 27#include "match.h"
28#include "servconf.h" 28#include "servconf.h"
29#include "auth-options.h"
29 30
30#include <openssl/rsa.h> 31#include <openssl/rsa.h>
31#include <openssl/md5.h> 32#include <openssl/md5.h>
32 33
33/* Flags that may be set in authorized_keys options. */
34extern int no_port_forwarding_flag;
35extern int no_agent_forwarding_flag;
36extern int no_x11_forwarding_flag;
37extern int no_pty_flag;
38extern char *forced_command;
39extern struct envstring *custom_environment;
40
41/* 34/*
42 * Session identifier that is used to bind key exchange and authentication 35 * Session identifier that is used to bind key exchange and authentication
43 * responses to a particular session. 36 * responses to a particular session.
@@ -133,7 +126,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
133 unsigned long linenum = 0; 126 unsigned long linenum = 0;
134 struct stat st; 127 struct stat st;
135 RSA *pk; 128 RSA *pk;
136 int mname, mip;
137 129
138 /* Temporarily use the user's uid. */ 130 /* Temporarily use the user's uid. */
139 temporarily_use_uid(pw->pw_uid); 131 temporarily_use_uid(pw->pw_uid);
@@ -269,195 +261,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
269 * authenticated. Note that we have not yet processed the 261 * authenticated. Note that we have not yet processed the
270 * options; this will be reset if the options cause the 262 * options; this will be reset if the options cause the
271 * authentication to be rejected. 263 * authentication to be rejected.
272 */
273 authenticated = 1;
274
275 /* RSA part of authentication was accepted. Now process the options. */
276 if (options) {
277 while (*options && *options != ' ' && *options != '\t') {
278 cp = "no-port-forwarding";
279 if (strncmp(options, cp, strlen(cp)) == 0) {
280 packet_send_debug("Port forwarding disabled.");
281 no_port_forwarding_flag = 1;
282 options += strlen(cp);
283 goto next_option;
284 }
285 cp = "no-agent-forwarding";
286 if (strncmp(options, cp, strlen(cp)) == 0) {
287 packet_send_debug("Agent forwarding disabled.");
288 no_agent_forwarding_flag = 1;
289 options += strlen(cp);
290 goto next_option;
291 }
292 cp = "no-X11-forwarding";
293 if (strncmp(options, cp, strlen(cp)) == 0) {
294 packet_send_debug("X11 forwarding disabled.");
295 no_x11_forwarding_flag = 1;
296 options += strlen(cp);
297 goto next_option;
298 }
299 cp = "no-pty";
300 if (strncmp(options, cp, strlen(cp)) == 0) {
301 packet_send_debug("Pty allocation disabled.");
302 no_pty_flag = 1;
303 options += strlen(cp);
304 goto next_option;
305 }
306 cp = "command=\"";
307 if (strncmp(options, cp, strlen(cp)) == 0) {
308 int i;
309 options += strlen(cp);
310 forced_command = xmalloc(strlen(options) + 1);
311 i = 0;
312 while (*options) {
313 if (*options == '"')
314 break;
315 if (*options == '\\' && options[1] == '"') {
316 options += 2;
317 forced_command[i++] = '"';
318 continue;
319 }
320 forced_command[i++] = *options++;
321 }
322 if (!*options) {
323 debug("%.100s, line %lu: missing end quote",
324 SSH_USER_PERMITTED_KEYS, linenum);
325 packet_send_debug("%.100s, line %lu: missing end quote",
326 SSH_USER_PERMITTED_KEYS, linenum);
327 continue;
328 }
329 forced_command[i] = 0;
330 packet_send_debug("Forced command: %.900s", forced_command);
331 options++;
332 goto next_option;
333 }
334 cp = "environment=\"";
335 if (strncmp(options, cp, strlen(cp)) == 0) {
336 int i;
337 char *s;
338 struct envstring *new_envstring;
339 options += strlen(cp);
340 s = xmalloc(strlen(options) + 1);
341 i = 0;
342 while (*options) {
343 if (*options == '"')
344 break;
345 if (*options == '\\' && options[1] == '"') {
346 options += 2;
347 s[i++] = '"';
348 continue;
349 }
350 s[i++] = *options++;
351 }
352 if (!*options) {
353 debug("%.100s, line %lu: missing end quote",
354 SSH_USER_PERMITTED_KEYS, linenum);
355 packet_send_debug("%.100s, line %lu: missing end quote",
356 SSH_USER_PERMITTED_KEYS, linenum);
357 continue;
358 }
359 s[i] = 0;
360 packet_send_debug("Adding to environment: %.900s", s);
361 debug("Adding to environment: %.900s", s);
362 options++;
363 new_envstring = xmalloc(sizeof(struct envstring));
364 new_envstring->s = s;
365 new_envstring->next = custom_environment;
366 custom_environment = new_envstring;
367 goto next_option;
368 }
369 cp = "from=\"";
370 if (strncmp(options, cp, strlen(cp)) == 0) {
371 char *patterns = xmalloc(strlen(options) + 1);
372 int i;
373 options += strlen(cp);
374 i = 0;
375 while (*options) {
376 if (*options == '"')
377 break;
378 if (*options == '\\' && options[1] == '"') {
379 options += 2;
380 patterns[i++] = '"';
381 continue;
382 }
383 patterns[i++] = *options++;
384 }
385 if (!*options) {
386 debug("%.100s, line %lu: missing end quote",
387 SSH_USER_PERMITTED_KEYS, linenum);
388 packet_send_debug("%.100s, line %lu: missing end quote",
389 SSH_USER_PERMITTED_KEYS, linenum);
390 continue;
391 }
392 patterns[i] = 0;
393 options++;
394 /*
395 * Deny access if we get a negative
396 * match for the hostname or the ip
397 * or if we get not match at all
398 */
399 mname = match_hostname(get_canonical_hostname(),
400 patterns, strlen(patterns));
401 mip = match_hostname(get_remote_ipaddr(),
402 patterns, strlen(patterns));
403 if (mname == -1 || mip == -1 ||
404 (mname != 1 && mip != 1)) {
405 log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
406 pw->pw_name, get_canonical_hostname(),
407 get_remote_ipaddr());
408 packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
409 get_canonical_hostname());
410 xfree(patterns);
411 /* key invalid for this host, reset flags */
412 authenticated = 0;
413 no_agent_forwarding_flag = 0;
414 no_port_forwarding_flag = 0;
415 no_pty_flag = 0;
416 no_x11_forwarding_flag = 0;
417 while (custom_environment) {
418 struct envstring *ce = custom_environment;
419 custom_environment = ce->next;
420 xfree(ce->s);
421 xfree(ce);
422 }
423 if (forced_command) {
424 xfree(forced_command);
425 forced_command = NULL;
426 }
427 break;
428 }
429 xfree(patterns);
430 /* Host name matches. */
431 goto next_option;
432 }
433 bad_option:
434 log("Bad options in %.100s file, line %lu: %.50s",
435 SSH_USER_PERMITTED_KEYS, linenum, options);
436 packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
437 SSH_USER_PERMITTED_KEYS, linenum, options);
438 authenticated = 0;
439 break;
440
441 next_option:
442 /*
443 * Skip the comma, and move to the next option
444 * (or break out if there are no more).
445 */
446 if (!*options)
447 fatal("Bugs in auth-rsa.c option processing.");
448 if (*options == ' ' || *options == '\t')
449 break; /* End of options. */
450 if (*options != ',')
451 goto bad_option;
452 options++;
453 /* Process the next option. */
454 continue;
455 }
456 }
457 /*
458 * Break out of the loop if authentication was successful; 264 * Break out of the loop if authentication was successful;
459 * otherwise continue searching. 265 * otherwise continue searching.
460 */ 266 */
267 authenticated = auth_parse_options(pw, options, linenum);
461 if (authenticated) 268 if (authenticated)
462 break; 269 break;
463 } 270 }
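Review bot: The new call on line 267, `authenticated = auth_parse_options(pw, options, linenum);`, drops the `if (options)` guard the removed loop had, so a key line with no options now reaches auth_parse_options with `options == NULL`; unless that function is documented to treat NULL as "no options, accept", the call should keep the guard, e.g. `authenticated = options ? auth_parse_options(pw, options, linenum) : 1;`. The removed `from=` branch also cleared the forwarding flags, `forced_command` and `custom_environment` before setting `authenticated = 0`, and since the loop here goes on scanning later key lines after a rejection, that reset must now happen inside auth_parse_options or a rejected line's `command=`/`environment=` settings could still be in effect when a later line matches. It is worth pinning that contract at the call site with a comment such as `/* auth_parse_options() must clear every option flag and allocation when it rejects the line, because the search continues with the next key. */`. auth_rsa() begins outside this hunk, so the declaration of `options` and whether it can be NULL is not visible here.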