Diffstat (limited to 'auth-options.c')
-rw-r--r--auth-options.c111
1 files changed, 65 insertions, 46 deletions
diff --git a/auth-options.c b/auth-options.c
index f1e3ddfdf..bda39df4e 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -86,19 +86,45 @@ auth_clear_options(void)
86 free(ce->s); 86 free(ce->s);
87 free(ce); 87 free(ce);
88 } 88 }
89 if (forced_command) { 89 free(forced_command);
90 free(forced_command); 90 forced_command = NULL;
91 forced_command = NULL; 91 free(authorized_principals);
92 } 92 authorized_principals = NULL;
93 if (authorized_principals) {
94 free(authorized_principals);
95 authorized_principals = NULL;
96 }
97 forced_tun_device = -1; 93 forced_tun_device = -1;
98 channel_clear_permitted_opens(); 94 channel_clear_permitted_opens();
99} 95}
100 96
101/* 97/*
98 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
99 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
100 * if negated option matches.
101 * If the option or negated option matches, then *optsp is updated to
102 * point to the first character after the option and, if 'msg' is not NULL
103 * then a message based on it added via auth_debug_add().
104 */
105static int
106match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
107{
108 size_t opt_len = strlen(opt);
109 char *opts = *optsp;
110 int negate = 0;
111
112 if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
113 opts += 3;
114 negate = 1;
115 }
116 if (strncasecmp(opts, opt, opt_len) == 0) {
117 *optsp = opts + opt_len;
118 if (msg != NULL) {
119 auth_debug_add("%s %s.", msg,
120 negate ? "disabled" : "enabled");
121 }
122 return negate ? 0 : 1;
123 }
124 return -1;
125}
126
127/*
102 * return 1 if access is granted, 0 if not. 128 * return 1 if access is granted, 0 if not.
103 * side effect: sets key option flags 129 * side effect: sets key option flags
104 */ 130 */
@@ -106,7 +132,7 @@ int
106auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 132auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
107{ 133{
108 const char *cp; 134 const char *cp;
109 int i; 135 int i, r;
110 136
111 /* reset options */ 137 /* reset options */
112 auth_clear_options(); 138 auth_clear_options();
@@ -115,52 +141,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
115 return 1; 141 return 1;
116 142
117 while (*opts && *opts != ' ' && *opts != '\t') { 143 while (*opts && *opts != ' ' && *opts != '\t') {
118 cp = "cert-authority"; 144 if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
119 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 145 key_is_cert_authority = r;
120 key_is_cert_authority = 1;
121 opts += strlen(cp);
122 goto next_option; 146 goto next_option;
123 } 147 }
124 cp = "no-port-forwarding"; 148 if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
125 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 149 auth_debug_add("Key is restricted.");
126 auth_debug_add("Port forwarding disabled.");
127 no_port_forwarding_flag = 1; 150 no_port_forwarding_flag = 1;
128 opts += strlen(cp); 151 no_agent_forwarding_flag = 1;
152 no_x11_forwarding_flag = 1;
153 no_pty_flag = 1;
154 no_user_rc = 1;
129 goto next_option; 155 goto next_option;
130 } 156 }
131 cp = "no-agent-forwarding"; 157 if ((r = match_flag("port-forwarding", 1, &opts,
132 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 158 "Port forwarding")) != -1) {
133 auth_debug_add("Agent forwarding disabled."); 159 no_port_forwarding_flag = r != 1;
134 no_agent_forwarding_flag = 1;
135 opts += strlen(cp);
136 goto next_option; 160 goto next_option;
137 } 161 }
138 cp = "no-X11-forwarding"; 162 if ((r = match_flag("agent-forwarding", 1, &opts,
139 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 163 "Agent forwarding")) != -1) {
140 auth_debug_add("X11 forwarding disabled."); 164 no_agent_forwarding_flag = r != 1;
141 no_x11_forwarding_flag = 1;
142 opts += strlen(cp);
143 goto next_option; 165 goto next_option;
144 } 166 }
145 cp = "no-pty"; 167 if ((r = match_flag("x11-forwarding", 1, &opts,
146 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 168 "X11 forwarding")) != -1) {
147 auth_debug_add("Pty allocation disabled."); 169 no_x11_forwarding_flag = r != 1;
148 no_pty_flag = 1;
149 opts += strlen(cp);
150 goto next_option; 170 goto next_option;
151 } 171 }
152 cp = "no-user-rc"; 172 if ((r = match_flag("pty", 1, &opts,
153 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 173 "PTY allocation")) != -1) {
154 auth_debug_add("User rc file execution disabled."); 174 no_pty_flag = r != 1;
155 no_user_rc = 1; 175 goto next_option;
156 opts += strlen(cp); 176 }
177 if ((r = match_flag("user-rc", 1, &opts,
178 "User rc execution")) != -1) {
179 no_user_rc = r != 1;
157 goto next_option; 180 goto next_option;
158 } 181 }
159 cp = "command=\""; 182 cp = "command=\"";
160 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 183 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
161 opts += strlen(cp); 184 opts += strlen(cp);
162 if (forced_command != NULL) 185 free(forced_command);
163 free(forced_command);
164 forced_command = xmalloc(strlen(opts) + 1); 186 forced_command = xmalloc(strlen(opts) + 1);
165 i = 0; 187 i = 0;
166 while (*opts) { 188 while (*opts) {
@@ -190,8 +212,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
190 cp = "principals=\""; 212 cp = "principals=\"";
191 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 213 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
192 opts += strlen(cp); 214 opts += strlen(cp);
193 if (authorized_principals != NULL) 215 free(authorized_principals);
194 free(authorized_principals);
195 authorized_principals = xmalloc(strlen(opts) + 1); 216 authorized_principals = xmalloc(strlen(opts) + 1);
196 i = 0; 217 i = 0;
197 while (*opts) { 218 while (*opts) {
@@ -583,8 +604,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
583 free(*cert_forced_command); 604 free(*cert_forced_command);
584 *cert_forced_command = NULL; 605 *cert_forced_command = NULL;
585 } 606 }
586 if (name != NULL) 607 free(name);
587 free(name);
588 sshbuf_free(data); 608 sshbuf_free(data);
589 sshbuf_free(c); 609 sshbuf_free(c);
590 return ret; 610 return ret;
@@ -628,8 +648,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
628 no_user_rc |= cert_no_user_rc; 648 no_user_rc |= cert_no_user_rc;
629 /* CA-specified forced command supersedes key option */ 649 /* CA-specified forced command supersedes key option */
630 if (cert_forced_command != NULL) { 650 if (cert_forced_command != NULL) {
631 if (forced_command != NULL) 651 free(forced_command);
632 free(forced_command);
633 forced_command = cert_forced_command; 652 forced_command = cert_forced_command;
634 } 653 }
635 return 0; 654 return 0;
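Review bot: The new `restrict` branch in the auth_parse_options hunk makes the outcome order-dependent — a later positive flag such as `pty` or `port-forwarding` (matched with allow_negate set) re-enables a permission that `restrict` just cleared — and neither the branch nor the match_flag header comment says so; a one-line comment before the branch, `/* Order matters: a later positive flag (e.g. "pty") re-enables that permission. */`, would make the intent explicit. The match_flag comment should also state that the match is case-insensitive and by prefix (`strncasecmp` against `strlen(opt)`, with the `no-` prefix consumed only on the local copy), so it is the delimiter check after `next_option:` — outside this hunk, so inferred from the loop's shape — that rejects input like `ptyfoo`. The repeated `no_*_flag = r != 1;` reads awkwardly given the `!= -1` guard leaves r as 0 or 1; `= (r == 0);` states the same thing directly. auth_parse_options begins and ends outside the hunk.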