Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 122 |
1 files changed, 65 insertions, 57 deletions
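diff --git a/auth-options.c b/auth-options.c
index 5457d9b14..04d2f085f 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.11 2001/01/21 19:05:41 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.12 2001/02/03 10:08:36 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -18,6 +18,7 @@ RCSID("$OpenBSD: auth-options.c,v 1.11 2001/01/21 19:05:41 markus Exp $");
 #include "log.h"
 #include "canohost.h"
 #include "auth-options.h"
+#include "servconf.h"
 
 /* Flags set authorized_keys flags */
 int no_port_forwarding_flag = 0;
@@ -31,6 +32,8 @@ char *forced_command = NULL;
 /* "environment=" options. */
 struct envstring *custom_environment = NULL;
 
+extern ServerOptions options;
+
 void
 auth_clear_options(void)
 {
@@ -55,61 +58,61 @@ auth_clear_options(void)
 * side effect: sets key option flags
 */
 int
-auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
+auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 const char *cp;
-if (!options)
+if (!opts)
 return 1;
 
 /* reset options */
 auth_clear_options();
 
-while (*options && *options != ' ' && *options != '\t') {
+while (*opts && *opts != ' ' && *opts != '\t') {
 cp = "no-port-forwarding";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 packet_send_debug("Port forwarding disabled.");
 no_port_forwarding_flag = 1;
-options += strlen(cp);
+opts += strlen(cp);
 goto next_option;
 }
 cp = "no-agent-forwarding";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 packet_send_debug("Agent forwarding disabled.");
 no_agent_forwarding_flag = 1;
-options += strlen(cp);
+opts += strlen(cp);
 goto next_option;
 }
 cp = "no-X11-forwarding";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 packet_send_debug("X11 forwarding disabled.");
 no_x11_forwarding_flag = 1;
-options += strlen(cp);
+opts += strlen(cp);
 goto next_option;
 }
 cp = "no-pty";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 packet_send_debug("Pty allocation disabled.");
 no_pty_flag = 1;
-options += strlen(cp);
+opts += strlen(cp);
 goto next_option;
 }
 cp = "command=\"";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 int i;
-options += strlen(cp);
-forced_command = xmalloc(strlen(options) + 1);
+opts += strlen(cp);
+forced_command = xmalloc(strlen(opts) + 1);
 i = 0;
-while (*options) {
-if (*options == '"')
+while (*opts) {
+if (*opts == '"')
 break;
-if (*options == '\\' && options[1] == '"') {
-options += 2;
+if (*opts == '\\' && opts[1] == '"') {
+opts += 2;
 forced_command[i++] = '"';
 continue;
 }
-forced_command[i++] = *options++;
+forced_command[i++] = *opts++;
 }
-if (!*options) {
+if (!*opts) {
 debug("%.100s, line %lu: missing end quote",
 file, linenum);
 packet_send_debug("%.100s, line %lu: missing end quote",
@@ -118,28 +121,28 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
 }
 forced_command[i] = 0;
 packet_send_debug("Forced command: %.900s", forced_command);
-options++;
+opts++;
 goto next_option;
 }
 cp = "environment=\"";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 int i;
 char *s;
 struct envstring *new_envstring;
-options += strlen(cp);
-s = xmalloc(strlen(options) + 1);
+opts += strlen(cp);
+s = xmalloc(strlen(opts) + 1);
 i = 0;
-while (*options) {
-if (*options == '"')
+while (*opts) {
+if (*opts == '"')
 break;
-if (*options == '\\' && options[1] == '"') {
-options += 2;
+if (*opts == '\\' && opts[1] == '"') {
+opts += 2;
 s[i++] = '"';
 continue;
 }
-s[i++] = *options++;
+s[i++] = *opts++;
 }
-if (!*options) {
+if (!*opts) {
 debug("%.100s, line %lu: missing end quote",
 file, linenum);
 packet_send_debug("%.100s, line %lu: missing end quote",
@@ -149,7 +152,7 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
 s[i] = 0;
 packet_send_debug("Adding to environment: %.900s", s);
 debug("Adding to environment: %.900s", s);
-options++;
+opts++;
 new_envstring = xmalloc(sizeof(struct envstring));
 new_envstring->s = s;
 new_envstring->next = custom_environment;
@@ -157,23 +160,26 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
 goto next_option;
 }
 cp = "from=\"";
-if (strncasecmp(options, cp, strlen(cp)) == 0) {
+if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 int mname, mip;
-char *patterns = xmalloc(strlen(options) + 1);
+const char *remote_ip = get_remote_ipaddr();
+const char *remote_host = get_canonical_hostname(
+options.reverse_mapping_check);
+char *patterns = xmalloc(strlen(opts) + 1);
 int i;
-options += strlen(cp);
+opts += strlen(cp);
 i = 0;
-while (*options) {
-if (*options == '"')
+while (*opts) {
+if (*opts == '"')
 break;
-if (*options == '\\' && options[1] == '"') {
-options += 2;
+if (*opts == '\\' && opts[1] == '"') {
+opts += 2;
 patterns[i++] = '"';
 continue;
 }
-patterns[i++] = *options++;
+patterns[i++] = *opts++;
 }
-if (!*options) {
+if (!*opts) {
 debug("%.100s, line %lu: missing end quote",
 file, linenum);
 packet_send_debug("%.100s, line %lu: missing end quote",
@@ -181,24 +187,26 @@ auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum)
 continue;
 }
 patterns[i] = 0;
-options++;
+opts++;
 /*
 * Deny access if we get a negative
 * match for the hostname or the ip
 * or if we get not match at all
 */
-mname = match_hostname(get_canonical_hostname(),
-patterns, strlen(patterns));
-mip = match_hostname(get_remote_ipaddr(),
-patterns, strlen(patterns));
+mname = match_hostname(remote_host, patterns,
+strlen(patterns));
+mip = match_hostname(remote_ip, patterns,
+strlen(patterns));
 xfree(patterns);
 if (mname == -1 || mip == -1 ||
 (mname != 1 && mip != 1)) {
-log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
-pw->pw_name, get_canonical_hostname(),
-get_remote_ipaddr());
-packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
-get_canonical_hostname());
+log("Authentication tried for %.100s with "
+"correct key but not from a permitted "
+"host (host=%.200s, ip=%.200s).",
+pw->pw_name, remote_host, remote_ip);
+packet_send_debug("Your host '%.200s' is not "
+"permitted to use this key for login.",
+remote_host);
 /* deny access */
 return 0;
 }
@@ -210,13 +218,13 @@ next_option:
 * Skip the comma, and move to the next option
 * (or break out if there are no more).
 */
-if (!*options)
+if (!*opts)
 fatal("Bugs in auth-options.c option processing.");
-if (*options == ' ' || *options == '\t')
+if (*opts == ' ' || *opts == '\t')
 break; /* End of options. */
-if (*options != ',')
+if (*opts != ',')
 goto bad_option;
-options++;
+opts++;
 /* Process the next option. */
 }
 /* grant access */
@@ -224,9 +232,9 @@ next_option:
 
 bad_option:
 log("Bad options in %.100s file, line %lu: %.50s",
-file, linenum, options);
+file, linenum, opts);
 packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
-file, linenum, options);
+file, linenum, opts);
 /* deny access */
 return 0;
 }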
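Review bot: The missing-end-quote branch of the `from="` parser (new lines 182-187) still ends in `continue;`, so after the diagnostic is logged the `while (*opts && ...)` loop at line 70 terminates because `*opts` is 0, and control appears to reach the `/* grant access */` path at line 230 without the host restriction ever being matched; `patterns` also leaks on that path. An unparseable `from=` option should fail closed rather than silently drop the restriction: replace the `continue;` at line 187 with `xfree(patterns);` followed by `goto bad_option;`, since the `bad_option:` label at line 233 already logs and returns 0. The corresponding branches for `command="` and `environment="` are cut at the hunk boundaries (new lines 119-120 and 150-151 are not shown), but if they end in `continue;` as well, a key would be accepted with the forced command or environment not applied, so they deserve the same treatment. auth_parse_options begins in the @@ -55 hunk and its body runs across every later hunk to the closing brace at line 240.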