Diffstat (limited to 'auth-options.c')
-rw-r--r--auth-options.c111
1 files changed, 65 insertions, 46 deletions
diff --git a/auth-options.c b/auth-options.c
index e387697d3..edbaf80bb 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -75,19 +75,45 @@ auth_clear_options(void)
75 free(ce->s); 75 free(ce->s);
76 free(ce); 76 free(ce);
77 } 77 }
78 if (forced_command) { 78 free(forced_command);
79 free(forced_command); 79 forced_command = NULL;
80 forced_command = NULL; 80 free(authorized_principals);
81 } 81 authorized_principals = NULL;
82 if (authorized_principals) {
83 free(authorized_principals);
84 authorized_principals = NULL;
85 }
86 forced_tun_device = -1; 82 forced_tun_device = -1;
87 channel_clear_permitted_opens(); 83 channel_clear_permitted_opens();
88} 84}
89 85
90/* 86/*
87 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
88 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
89 * if negated option matches.
90 * If the option or negated option matches, then *optsp is updated to
91 * point to the first character after the option and, if 'msg' is not NULL
92 * then a message based on it added via auth_debug_add().
93 */
94static int
95match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
96{
97 size_t opt_len = strlen(opt);
98 char *opts = *optsp;
99 int negate = 0;
100
101 if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
102 opts += 3;
103 negate = 1;
104 }
105 if (strncasecmp(opts, opt, opt_len) == 0) {
106 *optsp = opts + opt_len;
107 if (msg != NULL) {
108 auth_debug_add("%s %s.", msg,
109 negate ? "disabled" : "enabled");
110 }
111 return negate ? 0 : 1;
112 }
113 return -1;
114}
115
116/*
91 * return 1 if access is granted, 0 if not. 117 * return 1 if access is granted, 0 if not.
92 * side effect: sets key option flags 118 * side effect: sets key option flags
93 */ 119 */
@@ -95,7 +121,7 @@ int
95auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 121auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
96{ 122{
97 const char *cp; 123 const char *cp;
98 int i; 124 int i, r;
99 125
100 /* reset options */ 126 /* reset options */
101 auth_clear_options(); 127 auth_clear_options();
@@ -104,52 +130,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
104 return 1; 130 return 1;
105 131
106 while (*opts && *opts != ' ' && *opts != '\t') { 132 while (*opts && *opts != ' ' && *opts != '\t') {
107 cp = "cert-authority"; 133 if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
108 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 134 key_is_cert_authority = r;
109 key_is_cert_authority = 1;
110 opts += strlen(cp);
111 goto next_option; 135 goto next_option;
112 } 136 }
113 cp = "no-port-forwarding"; 137 if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
114 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 138 auth_debug_add("Key is restricted.");
115 auth_debug_add("Port forwarding disabled.");
116 no_port_forwarding_flag = 1; 139 no_port_forwarding_flag = 1;
117 opts += strlen(cp); 140 no_agent_forwarding_flag = 1;
141 no_x11_forwarding_flag = 1;
142 no_pty_flag = 1;
143 no_user_rc = 1;
118 goto next_option; 144 goto next_option;
119 } 145 }
120 cp = "no-agent-forwarding"; 146 if ((r = match_flag("port-forwarding", 1, &opts,
121 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 147 "Port forwarding")) != -1) {
122 auth_debug_add("Agent forwarding disabled."); 148 no_port_forwarding_flag = r != 1;
123 no_agent_forwarding_flag = 1;
124 opts += strlen(cp);
125 goto next_option; 149 goto next_option;
126 } 150 }
127 cp = "no-X11-forwarding"; 151 if ((r = match_flag("agent-forwarding", 1, &opts,
128 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 152 "Agent forwarding")) != -1) {
129 auth_debug_add("X11 forwarding disabled."); 153 no_agent_forwarding_flag = r != 1;
130 no_x11_forwarding_flag = 1;
131 opts += strlen(cp);
132 goto next_option; 154 goto next_option;
133 } 155 }
134 cp = "no-pty"; 156 if ((r = match_flag("x11-forwarding", 1, &opts,
135 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 157 "X11 forwarding")) != -1) {
136 auth_debug_add("Pty allocation disabled."); 158 no_x11_forwarding_flag = r != 1;
137 no_pty_flag = 1;
138 opts += strlen(cp);
139 goto next_option; 159 goto next_option;
140 } 160 }
141 cp = "no-user-rc"; 161 if ((r = match_flag("pty", 1, &opts,
142 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 162 "PTY allocation")) != -1) {
143 auth_debug_add("User rc file execution disabled."); 163 no_pty_flag = r != 1;
144 no_user_rc = 1; 164 goto next_option;
145 opts += strlen(cp); 165 }
166 if ((r = match_flag("user-rc", 1, &opts,
167 "User rc execution")) != -1) {
168 no_user_rc = r != 1;
146 goto next_option; 169 goto next_option;
147 } 170 }
148 cp = "command=\""; 171 cp = "command=\"";
149 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 172 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
150 opts += strlen(cp); 173 opts += strlen(cp);
151 if (forced_command != NULL) 174 free(forced_command);
152 free(forced_command);
153 forced_command = xmalloc(strlen(opts) + 1); 175 forced_command = xmalloc(strlen(opts) + 1);
154 i = 0; 176 i = 0;
155 while (*opts) { 177 while (*opts) {
@@ -179,8 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
179 cp = "principals=\""; 201 cp = "principals=\"";
180 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 202 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
181 opts += strlen(cp); 203 opts += strlen(cp);
182 if (authorized_principals != NULL) 204 free(authorized_principals);
183 free(authorized_principals);
184 authorized_principals = xmalloc(strlen(opts) + 1); 205 authorized_principals = xmalloc(strlen(opts) + 1);
185 i = 0; 206 i = 0;
186 while (*opts) { 207 while (*opts) {
@@ -566,8 +587,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
566 free(*cert_forced_command); 587 free(*cert_forced_command);
567 *cert_forced_command = NULL; 588 *cert_forced_command = NULL;
568 } 589 }
569 if (name != NULL) 590 free(name);
570 free(name);
571 sshbuf_free(data); 591 sshbuf_free(data);
572 sshbuf_free(c); 592 sshbuf_free(c);
573 return ret; 593 return ret;
@@ -611,8 +631,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
611 no_user_rc |= cert_no_user_rc; 631 no_user_rc |= cert_no_user_rc;
612 /* CA-specified forced command supersedes key option */ 632 /* CA-specified forced command supersedes key option */
613 if (cert_forced_command != NULL) { 633 if (cert_forced_command != NULL) {
614 if (forced_command != NULL) 634 free(forced_command);
615 free(forced_command);
616 forced_command = cert_forced_command; 635 forced_command = cert_forced_command;
617 } 636 }
618 return 0; 637 return 0;
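Review bot: The new `restrict` branch (new lines 137–145) makes the parse result order-dependent, because the `port-forwarding`, `agent-forwarding`, `x11-forwarding`, `pty` and `user-rc` branches that follow it assign `no_*_flag = r != 1` unconditionally and so re-enable a capability that an earlier `restrict` cleared, while a `restrict` placed after them clears it again; nothing in the hunk records that this is intended. I would add a comment above the `restrict` check, e.g. `/* Options are applied in order: "restrict,pty" re-enables PTY allocation, "pty,restrict" does not. */`. The header comment on `match_flag` should also say that the comparison is a prefix match (`strncasecmp` over `strlen(opt)`), so the caller depends on the delimiter check after the match to reject trailing characters such as `ptyx`; that check presumably lives under the `next_option` label, which, like the rest of `auth_parse_options`, is outside this hunk.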