author | Damien Miller <djm@mindrot.org> | 2000-06-18 14:50:44 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-06-18 14:50:44 +1000 |
commit | f6d9e2218998559cb67aad55d3f4a0bf53600c41 (patch) | |
tree | 87ea430020c66c697e065c164951b3f74b730b76 /auth-rsa.c | |
parent | 7b22d65034ac280e0b4eaa857c71b17ee3ad7d99 (diff) |
- OpenBSD CVS updates:
- deraadt@cvs.openbsd.org 2000/06/17 09:58:46
[channels.c]
everyone says "nix it" (remove protocol 2 debugging message)
- markus@cvs.openbsd.org 2000/06/17 13:24:34
[sshconnect.c]
allow extended server banners
- markus@cvs.openbsd.org 2000/06/17 14:30:10
[sshconnect.c]
missing atomicio, typo
- jakob@cvs.openbsd.org 2000/06/17 16:52:34
[servconf.c servconf.h session.c sshd.8 sshd_config]
add support for ssh v2 subsystems. ok markus@.
- deraadt@cvs.openbsd.org 2000/06/17 18:57:48
[readconf.c servconf.c]
include = in WHITESPACE; markus ok
- markus@cvs.openbsd.org 2000/06/17 19:09:10
[auth2.c]
implement bug compatibility with ssh-2.0.13 pubkey, server side
- markus@cvs.openbsd.org 2000/06/17 21:00:28
[compat.c]
initial support for ssh.com's 2.2.0
- markus@cvs.openbsd.org 2000/06/17 21:16:09
[scp.c]
typo
- markus@cvs.openbsd.org 2000/06/17 22:05:02
[auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h]
split auth-rsa option parsing into auth-options
add options support to authorized_keys2
- markus@cvs.openbsd.org 2000/06/17 22:42:54
[session.c]
typo
Diffstat (limited to 'auth-rsa.c')
-rw-r--r-- | auth-rsa.c | 199 |
1 files changed, 3 insertions, 196 deletions
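--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
+RCSID("$Id: auth-rsa.c,v 1.21 2000/06/18 04:50:44 djm Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -26,18 +26,11 @@ RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
 #include "uidswap.h"
 #include "match.h"
 #include "servconf.h"
+#include "auth-options.h"
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
 
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-
 /*
 * Session identifier that is used to bind key exchange and authentication
 * responses to a particular session.
@@ -133,7 +126,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 unsigned long linenum = 0;
 struct stat st;
 RSA *pk;
-int mname, mip;
 
 /* Temporarily use the user's uid. */
 temporarily_use_uid(pw->pw_uid);
@@ -269,195 +261,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 * authenticated. Note that we have not yet processed the
 * options; this will be reset if the options cause the
 * authentication to be rejected.
-*/
-authenticated = 1;
-
-/* RSA part of authentication was accepted. Now process the options. */
-if (options) {
-while (*options && *options != ' ' && *options != '\t') {
-cp = "no-port-forwarding";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-packet_send_debug("Port forwarding disabled.");
-no_port_forwarding_flag = 1;
-options += strlen(cp);
-goto next_option;
-}
-cp = "no-agent-forwarding";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-packet_send_debug("Agent forwarding disabled.");
-no_agent_forwarding_flag = 1;
-options += strlen(cp);
-goto next_option;
-}
-cp = "no-X11-forwarding";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-packet_send_debug("X11 forwarding disabled.");
-no_x11_forwarding_flag = 1;
-options += strlen(cp);
-goto next_option;
-}
-cp = "no-pty";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-packet_send_debug("Pty allocation disabled.");
-no_pty_flag = 1;
-options += strlen(cp);
-goto next_option;
-}
-cp = "command=\"";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-int i;
-options += strlen(cp);
-forced_command = xmalloc(strlen(options) + 1);
-i = 0;
-while (*options) {
-if (*options == '"')
-break;
-if (*options == '\\' && options[1] == '"') {
-options += 2;
-forced_command[i++] = '"';
-continue;
-}
-forced_command[i++] = *options++;
-}
-if (!*options) {
-debug("%.100s, line %lu: missing end quote",
-SSH_USER_PERMITTED_KEYS, linenum);
-packet_send_debug("%.100s, line %lu: missing end quote",
-SSH_USER_PERMITTED_KEYS, linenum);
-continue;
-}
-forced_command[i] = 0;
-packet_send_debug("Forced command: %.900s", forced_command);
-options++;
-goto next_option;
-}
-cp = "environment=\"";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-int i;
-char *s;
-struct envstring *new_envstring;
-options += strlen(cp);
-s = xmalloc(strlen(options) + 1);
-i = 0;
-while (*options) {
-if (*options == '"')
-break;
-if (*options == '\\' && options[1] == '"') {
-options += 2;
-s[i++] = '"';
-continue;
-}
-s[i++] = *options++;
-}
-if (!*options) {
-debug("%.100s, line %lu: missing end quote",
-SSH_USER_PERMITTED_KEYS, linenum);
-packet_send_debug("%.100s, line %lu: missing end quote",
-SSH_USER_PERMITTED_KEYS, linenum);
-continue;
-}
-s[i] = 0;
-packet_send_debug("Adding to environment: %.900s", s);
-debug("Adding to environment: %.900s", s);
-options++;
-new_envstring = xmalloc(sizeof(struct envstring));
-new_envstring->s = s;
-new_envstring->next = custom_environment;
-custom_environment = new_envstring;
-goto next_option;
-}
-cp = "from=\"";
-if (strncmp(options, cp, strlen(cp)) == 0) {
-char *patterns = xmalloc(strlen(options) + 1);
-int i;
-options += strlen(cp);
-i = 0;
-while (*options) {
-if (*options == '"')
-break;
-if (*options == '\\' && options[1] == '"') {
-options += 2;
-patterns[i++] = '"';
-continue;
-}
-patterns[i++] = *options++;
-}
-if (!*options) {
-debug("%.100s, line %lu: missing end quote",
-SSH_USER_PERMITTED_KEYS, linenum);
-packet_send_debug("%.100s, line %lu: missing end quote",
-SSH_USER_PERMITTED_KEYS, linenum);
-continue;
-}
-patterns[i] = 0;
-options++;
-/*
-* Deny access if we get a negative
-* match for the hostname or the ip
-* or if we get not match at all
-*/
-mname = match_hostname(get_canonical_hostname(),
-patterns, strlen(patterns));
-mip = match_hostname(get_remote_ipaddr(),
-patterns, strlen(patterns));
-if (mname == -1 || mip == -1 ||
-(mname != 1 && mip != 1)) {
-log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
-pw->pw_name, get_canonical_hostname(),
-get_remote_ipaddr());
-packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
-get_canonical_hostname());
-xfree(patterns);
-/* key invalid for this host, reset flags */
-authenticated = 0;
-no_agent_forwarding_flag = 0;
-no_port_forwarding_flag = 0;
-no_pty_flag = 0;
-no_x11_forwarding_flag = 0;
-while (custom_environment) {
-struct envstring *ce = custom_environment;
-custom_environment = ce->next;
-xfree(ce->s);
-xfree(ce);
-}
-if (forced_command) {
-xfree(forced_command);
-forced_command = NULL;
-}
-break;
-}
-xfree(patterns);
-/* Host name matches. */
-goto next_option;
-}
-bad_option:
-log("Bad options in %.100s file, line %lu: %.50s",
-SSH_USER_PERMITTED_KEYS, linenum, options);
-packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
-SSH_USER_PERMITTED_KEYS, linenum, options);
-authenticated = 0;
-break;
-
-next_option:
-/*
-* Skip the comma, and move to the next option
-* (or break out if there are no more).
-*/
-if (!*options)
-fatal("Bugs in auth-rsa.c option processing.");
-if (*options == ' ' || *options == '\t')
-break; /* End of options. */
-if (*options != ',')
-goto bad_option;
-options++;
-/* Process the next option. */
-continue;
-}
-}
-/*
 * Break out of the loop if authentication was successful;
 * otherwise continue searching.
 */
+authenticated = auth_parse_options(pw, options, linenum);
 if (authenticated)
 break;
 }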
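Review bot: The comment directly above the new `authenticated = auth_parse_options(pw, options, linenum);` line is now stale and fused: deleting old lines 272 and 457 merged two comments, so the surviving text still says "we have not yet processed the options; this will be reset if the options cause the authentication to be rejected" and runs straight into "Break out of the loop if authentication was successful", even though the very next line is where the options are processed and `authenticated` is now set solely from that call rather than from the removed `authenticated = 1;`. Suggest replacing the merged block with `/* RSA part accepted; the key's authorized_keys options decide whether the login is allowed and may set per-session restrictions. Break out of the loop on success, otherwise keep searching. */`. Because the loop only breaks on success, any restriction flags, environment entries or forced command that `auth_parse_options` applies before rejecting a line would otherwise carry over into a later key that is accepted; the old inline code cleared them on a `from=` mismatch but not on the `bad_option` path, so it is worth confirming that auth-options.c (not in this diff) resets that state on every rejecting return. The old code also only parsed when `options` was non-NULL, whereas the new call passes `options` unconditionally, so `auth_parse_options` presumably must tolerate a NULL pointer for lines without options. auth_rsa begins and ends outside this hunk.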