-rw-r--r-- | auth-options.c | 87 | ||||
-rw-r--r-- | sshd.8 | 36 |
2 files changed, 91 insertions, 32 deletions
diff --git a/auth-options.c b/auth-options.c index e387697d3..cb68802de 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.69 2015/11/16 00:30:02 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -88,6 +88,36 @@ auth_clear_options(void) | |||
88 | } | 88 | } |
89 | 89 | ||
90 | /* | 90 | /* |
91 | * Match flag 'opt' in *optsp, and if allow_negate is set then also match | ||
92 | * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0 | ||
93 | * if negated option matches. | ||
94 | * If the option or negated option matches, then *optsp is updated to | ||
95 | * point to the first character after the option and, if 'msg' is not NULL | ||
96 | * then a message based on it added via auth_debug_add(). | ||
97 | */ | ||
98 | static int | ||
99 | match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) | ||
100 | { | ||
101 | size_t opt_len = strlen(opt); | ||
102 | char *opts = *optsp; | ||
103 | int negate = 0; | ||
104 | |||
105 | if (allow_negate && strncasecmp(opts, "no-", 3) == 0) { | ||
106 | opts += 3; | ||
107 | negate = 1; | ||
108 | } | ||
109 | if (strncasecmp(opts, opt, opt_len) == 0) { | ||
110 | *optsp = opts + opt_len; | ||
111 | if (msg != NULL) { | ||
112 | auth_debug_add("%s %s.", msg, | ||
113 | negate ? "disabled" : "enabled"); | ||
114 | } | ||
115 | return negate ? 0 : 1; | ||
116 | } | ||
117 | return -1; | ||
118 | } | ||
119 | |||
120 | /* | ||
91 | * return 1 if access is granted, 0 if not. | 121 | * return 1 if access is granted, 0 if not. |
92 | * side effect: sets key option flags | 122 | * side effect: sets key option flags |
93 | */ | 123 | */ |
@@ -95,7 +125,7 @@ int | |||
95 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 125 | auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
96 | { | 126 | { |
97 | const char *cp; | 127 | const char *cp; |
98 | int i; | 128 | int i, r; |
99 | 129 | ||
100 | /* reset options */ | 130 | /* reset options */ |
101 | auth_clear_options(); | 131 | auth_clear_options(); |
@@ -104,45 +134,42 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
104 | return 1; | 134 | return 1; |
105 | 135 | ||
106 | while (*opts && *opts != ' ' && *opts != '\t') { | 136 | while (*opts && *opts != ' ' && *opts != '\t') { |
107 | cp = "cert-authority"; | 137 | if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) { |
108 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 138 | key_is_cert_authority = r; |
109 | key_is_cert_authority = 1; | ||
110 | opts += strlen(cp); | ||
111 | goto next_option; | 139 | goto next_option; |
112 | } | 140 | } |
113 | cp = "no-port-forwarding"; | 141 | if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) { |
114 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 142 | auth_debug_add("Key is restricted."); |
115 | auth_debug_add("Port forwarding disabled."); | ||
116 | no_port_forwarding_flag = 1; | 143 | no_port_forwarding_flag = 1; |
117 | opts += strlen(cp); | 144 | no_agent_forwarding_flag = 1; |
145 | no_x11_forwarding_flag = 1; | ||
146 | no_pty_flag = 1; | ||
147 | no_user_rc = 1; | ||
118 | goto next_option; | 148 | goto next_option; |
119 | } | 149 | } |
120 | cp = "no-agent-forwarding"; | 150 | if ((r = match_flag("port-forwarding", 1, &opts, |
121 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 151 | "Port forwarding")) != -1) { |
122 | auth_debug_add("Agent forwarding disabled."); | 152 | no_port_forwarding_flag = r != 1; |
123 | no_agent_forwarding_flag = 1; | ||
124 | opts += strlen(cp); | ||
125 | goto next_option; | 153 | goto next_option; |
126 | } | 154 | } |
127 | cp = "no-X11-forwarding"; | 155 | if ((r = match_flag("agent-forwarding", 1, &opts, |
128 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 156 | "Agent forwarding")) != -1) { |
129 | auth_debug_add("X11 forwarding disabled."); | 157 | no_agent_forwarding_flag = r != 1; |
130 | no_x11_forwarding_flag = 1; | ||
131 | opts += strlen(cp); | ||
132 | goto next_option; | 158 | goto next_option; |
133 | } | 159 | } |
134 | cp = "no-pty"; | 160 | if ((r = match_flag("x11-forwarding", 1, &opts, |
135 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 161 | "X11 forwarding")) != -1) { |
136 | auth_debug_add("Pty allocation disabled."); | 162 | no_x11_forwarding_flag = r != 1; |
137 | no_pty_flag = 1; | ||
138 | opts += strlen(cp); | ||
139 | goto next_option; | 163 | goto next_option; |
140 | } | 164 | } |
141 | cp = "no-user-rc"; | 165 | if ((r = match_flag("pty", 1, &opts, |
142 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 166 | "PTY allocation")) != -1) { |
143 | auth_debug_add("User rc file execution disabled."); | 167 | no_pty_flag = r != 1; |
144 | no_user_rc = 1; | 168 | goto next_option; |
145 | opts += strlen(cp); | 169 | } |
170 | if ((r = match_flag("user-rc", 1, &opts, | ||
171 | "User rc execution")) != -1) { | ||
172 | no_user_rc = r != 1; | ||
146 | goto next_option; | 173 | goto next_option; |
147 | } | 174 | } |
148 | cp = "command=\""; | 175 | cp = "command=\""; |
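Review bot: match_flag compares only the first strlen(opt) bytes (new line 109), so the new short keywords `restrict`, `pty` and `user-rc` dispatched at new lines 141–172 also match any longer token that merely begins with them, and *optsp is then left pointing at the remainder; presumably the delimiter check after the `next_option` label, which lies outside this hunk, is what rejects that remainder, but neither match_flag nor its header comment states the contract. I would extend the comment at new lines 90–97 with `* Only the first strlen(opt) characters are compared; the caller must reject any trailing characters other than ',' or whitespace.` The flag handling is also order-dependent: `restrict` sets all five flags and a later `pty`, `port-forwarding` etc. assigns `r != 1` over them, so the last keyword wins, which is exactly what the `restrict,pty,command="nethack"` example added to sshd.8 relies on. A one-line comment above the `restrict` branch, `/* later options in the same line may re-enable what restrict turned off */`, would make that intent explicit for the next person who reorders the branches. auth_parse_options continues past the end of this hunk.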
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd.8,v 1.281 2015/09/11 03:13:36 djm Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.282 2015/11/16 00:30:02 djm Exp $ |
37 | .Dd $Mdocdate: September 11 2015 $ | 37 | .Dd $Mdocdate: November 16 2015 $ |
38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -522,6 +522,10 @@ No spaces are permitted, except within double quotes. | |||
522 | The following option specifications are supported (note | 522 | The following option specifications are supported (note |
523 | that option keywords are case-insensitive): | 523 | that option keywords are case-insensitive): |
524 | .Bl -tag -width Ds | 524 | .Bl -tag -width Ds |
525 | .It Cm agent-forwarding | ||
526 | Enable authentication agent forwarding previously disabled by the | ||
527 | .Cm restrict | ||
528 | option. | ||
525 | .It Cm cert-authority | 529 | .It Cm cert-authority |
526 | Specifies that the listed key is a certification authority (CA) that is | 530 | Specifies that the listed key is a certification authority (CA) that is |
527 | trusted to validate signed certificates for user authentication. | 531 | trusted to validate signed certificates for user authentication. |
@@ -616,6 +620,9 @@ they must be literal domains or addresses. | |||
616 | A port specification of | 620 | A port specification of |
617 | .Cm * | 621 | .Cm * |
618 | matches any port. | 622 | matches any port. |
623 | .It Cm port-forwarding | ||
624 | Enable port forwarding previously disabled by the | ||
625 | .Cm restrict | ||
619 | .It Cm principals="principals" | 626 | .It Cm principals="principals" |
620 | On a | 627 | On a |
621 | .Cm cert-authority | 628 | .Cm cert-authority |
@@ -627,12 +634,33 @@ This option is ignored for keys that are not marked as trusted certificate | |||
627 | signers using the | 634 | signers using the |
628 | .Cm cert-authority | 635 | .Cm cert-authority |
629 | option. | 636 | option. |
637 | .It Cm pty | ||
638 | Permits tty allocation previously disabled by the | ||
639 | .Cm restrict | ||
640 | option. | ||
641 | .It Cm restrict | ||
642 | Enable all restrictions, i.e. disable port, agent and X11 forwarding, | ||
643 | as well as disabling PTY allocation | ||
644 | and execution of | ||
645 | .Pa ~/.ssh/rc . | ||
646 | If any future restriction capabilities are added to authorized_keys files | ||
647 | they will be included in this set. | ||
630 | .It Cm tunnel="n" | 648 | .It Cm tunnel="n" |
631 | Force a | 649 | Force a |
632 | .Xr tun 4 | 650 | .Xr tun 4 |
633 | device on the server. | 651 | device on the server. |
634 | Without this option, the next available device will be used if | 652 | Without this option, the next available device will be used if |
635 | the client requests a tunnel. | 653 | the client requests a tunnel. |
654 | .It Cm user-rc | ||
655 | Enables execution of | ||
656 | .Pa ~/.ssh/rc | ||
657 | previously disabled by the | ||
658 | .Cm restrict | ||
659 | option. | ||
660 | .It Cm X11-forwarding | ||
661 | Permits X11 forwarding previously disabled by the | ||
662 | .Cm restrict | ||
663 | option. | ||
636 | .El | 664 | .El |
637 | .Pp | 665 | .Pp |
638 | An example authorized_keys file: | 666 | An example authorized_keys file: |
@@ -647,6 +675,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss | |||
647 | AAAAB5...21S== | 675 | AAAAB5...21S== |
648 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | 676 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== |
649 | jane@example.net | 677 | jane@example.net |
678 | restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== | ||
679 | user@example.net | ||
680 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | ||
681 | user@example.net | ||
650 | .Ed | 682 | .Ed |
651 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | 683 | .Sh SSH_KNOWN_HOSTS FILE FORMAT |
652 | The | 684 | The |