authordjm@openbsd.org <djm@openbsd.org>2018-03-03 03:15:51 +0000
committerDamien Miller <djm@mindrot.org>2018-03-03 14:37:16 +1100
commit7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (patch)
tree48c837fc9c9e11d64862d4f54c1a886b54d8721c /session.c
parent90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (diff)
upstream: switch over to the new authorized_keys options API and
remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
Diffstat (limited to 'session.c')
-rw-r--r--session.c85
1 files changed, 57 insertions, 28 deletions
diff --git a/session.c b/session.c
index 51c5ea0ec..58826db16 100644
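--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.293 2017/10/23 05:08:00 djm Exp $ */
+/* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -140,6 +140,7 @@ extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
 extern Buffer loginmsg;
+extern struct sshauthopt *auth_opts;
 char *tun_fwd_ifnames; /* serverloop.c */
 
 /* original command from peer. */
@@ -288,14 +289,42 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
  restore_uid();
 }
 
+static void
+set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
+{
+ char *tmp, *cp, *host;
+ int port;
+ size_t i;
+
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+ return;
+ channel_clear_permitted_opens(ssh);
+ for (i = 0; i < auth_opts->npermitopen; i++) {
+ tmp = cp = xstrdup(auth_opts->permitopen[i]);
+ /* This shouldn't fail as it has already been checked */
+ if ((host = hpdelim(&cp)) == NULL)
+ fatal("%s: internal error: hpdelim", __func__);
+ host = cleanhostname(host);
+ if (cp == NULL || (port = permitopen_port(cp)) < 0)
+ fatal("%s: internal error: permitopen port",
+ __func__);
+ channel_add_permitted_opens(ssh, host, port);
+ free(tmp);
+ }
+}
+
 void
 do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 {
  setproctitle("%s", authctxt->pw->pw_name);
 
+ auth_log_authopts("active", auth_opts, 0);
+
  /* setup the channel layer */
  /* XXX - streamlocal? */
- if (no_port_forwarding_flag || options.disable_forwarding ||
+ set_permitopen_from_authopts(ssh, auth_opts);
+ if (!auth_opts->permit_port_forwarding_flag ||
+ options.disable_forwarding ||
  (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
  channel_disable_adm_local_opens(ssh);
  else
@@ -642,9 +671,9 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
  original_command = command;
  command = options.adm_forced_command;
  forced = "(config)";
- } else if (forced_command) {
+ } else if (auth_opts->force_command != NULL) {
  original_command = command;
- command = forced_command;
+ command = auth_opts->force_command;
  forced = "(key-option)";
  }
  if (forced != NULL) {
@@ -947,8 +976,9 @@ static char **
 do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 {
  char buf[256];
+ size_t n;
  u_int i, envsize;
- char **env, *laddr;
+ char *ocp, *cp, **env, *laddr;
  struct passwd *pw = s->pw;
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  char *path = NULL;
@@ -1023,20 +1053,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
  if (getenv("TZ"))
  child_set_env(&env, &envsize, "TZ", getenv("TZ"));
 
- /* Set custom environment options from RSA authentication. */
- while (custom_environment) {
- struct envstring *ce = custom_environment;
- char *str = ce->s;
-
- for (i = 0; str[i] != '=' && str[i]; i++)
- ;
- if (str[i] == '=') {
- str[i] = 0;
- child_set_env(&env, &envsize, str, str + i + 1);
+ /* Set custom environment options from pubkey authentication. */
+ if (options.permit_user_env) {
+ for (n = 0 ; n < auth_opts->nenv; n++) {
+ ocp = xstrdup(auth_opts->env[n]);
+ cp = strchr(ocp, '=');
+ if (*cp == '=') {
+ *cp = '\0';
+ child_set_env(&env, &envsize, ocp, cp + 1);
+ }
+ free(ocp);
  }
- custom_environment = ce->next;
- free(ce->s);
- free(ce);
  }
 
  /* SSH_CLIENT deprecated */
@@ -1138,7 +1165,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
  * first in this order).
  */
 static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(struct ssh *ssh, Session *s, const char *shell)
 {
  FILE *f = NULL;
  char cmd[1024];
@@ -1150,7 +1177,7 @@ do_rc_files(Session *s, const char *shell)
 
  /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
  if (!s->is_subsystem && options.adm_forced_command == NULL &&
- !no_user_rc && options.permit_user_rc &&
+ auth_opts->permit_user_rc && options.permit_user_rc &&
  stat(_PATH_SSH_USER_RC, &st) >= 0) {
  snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
  shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
@@ -1570,7 +1597,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
  closefrom(STDERR_FILENO + 1);
 
- do_rc_files(s, shell);
+ do_rc_files(ssh, s, shell);
 
  /* restore SIGPIPE for child */
  signal(SIGPIPE, SIG_DFL);
@@ -1833,8 +1860,8 @@ session_pty_req(struct ssh *ssh, Session *s)
  u_int len;
  int n_bytes;
 
- if (no_pty_flag || !options.permit_tty) {
- debug("Allocating a pty not permitted for this authentication.");
+ if (!auth_opts->permit_pty_flag || !options.permit_tty) {
+ debug("Allocating a pty not permitted for this connection.");
  return 0;
  }
  if (s->ttyfd != -1) {
@@ -2022,9 +2049,11 @@ static int
 session_auth_agent_req(struct ssh *ssh, Session *s)
 {
  static int called = 0;
+
  packet_check_eom();
- if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
- debug("session_auth_agent_req: no_agent_forwarding_flag");
+ if (!auth_opts->permit_agent_forwarding_flag ||
+ !options.allow_agent_forwarding) {
+ debug("%s: agent forwarding disabled", __func__);
  return 0;
  }
  if (called) {
@@ -2402,8 +2431,8 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
  char hostname[NI_MAXHOST];
  u_int i;
 
- if (no_x11_forwarding_flag) {
- packet_send_debug("X11 forwarding disabled in user configuration file.");
+ if (!auth_opts->permit_x11_forwarding_flag) {
+ packet_send_debug("X11 forwarding disabled by key options.");
  return 0;
  }
  if (!options.x11_forwarding) {
@@ -2412,7 +2441,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
  }
  if (options.xauth_location == NULL ||
  (stat(options.xauth_location, &st) == -1)) {
- packet_send_debug("No xauth program; cannot forward with spoofing.");
+ packet_send_debug("No xauth program; cannot forward X11.");
  return 0;
  }
  if (s->display != NULL) {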
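Review bot: In the `@@ -1023,20 +1053,17 @@` hunk of do_setup_env, `if (*cp == '=')` dereferences the result of `strchr(ocp, '=')` without a NULL check. An `auth_opts->env[n]` entry with no `=` would therefore crash the session process, whereas the removed loop simply skipped such an entry. The code that fills `auth_opts->env` is not visible on this page and may already guarantee the `=`, but the guard should not rely on that; test the pointer instead: `if (cp != NULL) {`. do_setup_env's body starts and ends outside the hunk.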