diff options
Diffstat (limited to 'auth-options.c')
-rw-r--r-- | auth-options.c | 208 |
1 files changed, 208 insertions, 0 deletions
diff --git a/auth-options.c b/auth-options.c new file mode 100644 index 000000000..7ebbb7661 --- /dev/null +++ b/auth-options.c | |||
@@ -0,0 +1,208 @@ | |||
1 | #include "includes.h" | ||
2 | RCSID("$Id: auth-options.c,v 1.1 2000/06/18 04:50:44 djm Exp $"); | ||
3 | |||
4 | #include "ssh.h" | ||
5 | #include "packet.h" | ||
6 | #include "xmalloc.h" | ||
7 | #include "match.h" | ||
8 | |||
9 | /* Flags set authorized_keys flags */ | ||
10 | int no_port_forwarding_flag = 0; | ||
11 | int no_agent_forwarding_flag = 0; | ||
12 | int no_x11_forwarding_flag = 0; | ||
13 | int no_pty_flag = 0; | ||
14 | |||
15 | /* "command=" option. */ | ||
16 | char *forced_command = NULL; | ||
17 | |||
18 | /* "environment=" options. */ | ||
19 | struct envstring *custom_environment = NULL; | ||
20 | |||
21 | /* return 1 if access is granted, 0 if not. side effect: sets key option flags */ | ||
22 | int | ||
23 | auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) | ||
24 | { | ||
25 | const char *cp; | ||
26 | if (!options) | ||
27 | return 1; | ||
28 | while (*options && *options != ' ' && *options != '\t') { | ||
29 | cp = "no-port-forwarding"; | ||
30 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
31 | packet_send_debug("Port forwarding disabled."); | ||
32 | no_port_forwarding_flag = 1; | ||
33 | options += strlen(cp); | ||
34 | goto next_option; | ||
35 | } | ||
36 | cp = "no-agent-forwarding"; | ||
37 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
38 | packet_send_debug("Agent forwarding disabled."); | ||
39 | no_agent_forwarding_flag = 1; | ||
40 | options += strlen(cp); | ||
41 | goto next_option; | ||
42 | } | ||
43 | cp = "no-X11-forwarding"; | ||
44 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
45 | packet_send_debug("X11 forwarding disabled."); | ||
46 | no_x11_forwarding_flag = 1; | ||
47 | options += strlen(cp); | ||
48 | goto next_option; | ||
49 | } | ||
50 | cp = "no-pty"; | ||
51 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
52 | packet_send_debug("Pty allocation disabled."); | ||
53 | no_pty_flag = 1; | ||
54 | options += strlen(cp); | ||
55 | goto next_option; | ||
56 | } | ||
57 | cp = "command=\""; | ||
58 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
59 | int i; | ||
60 | options += strlen(cp); | ||
61 | forced_command = xmalloc(strlen(options) + 1); | ||
62 | i = 0; | ||
63 | while (*options) { | ||
64 | if (*options == '"') | ||
65 | break; | ||
66 | if (*options == '\\' && options[1] == '"') { | ||
67 | options += 2; | ||
68 | forced_command[i++] = '"'; | ||
69 | continue; | ||
70 | } | ||
71 | forced_command[i++] = *options++; | ||
72 | } | ||
73 | if (!*options) { | ||
74 | debug("%.100s, line %lu: missing end quote", | ||
75 | SSH_USER_PERMITTED_KEYS, linenum); | ||
76 | packet_send_debug("%.100s, line %lu: missing end quote", | ||
77 | SSH_USER_PERMITTED_KEYS, linenum); | ||
78 | continue; | ||
79 | } | ||
80 | forced_command[i] = 0; | ||
81 | packet_send_debug("Forced command: %.900s", forced_command); | ||
82 | options++; | ||
83 | goto next_option; | ||
84 | } | ||
85 | cp = "environment=\""; | ||
86 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
87 | int i; | ||
88 | char *s; | ||
89 | struct envstring *new_envstring; | ||
90 | options += strlen(cp); | ||
91 | s = xmalloc(strlen(options) + 1); | ||
92 | i = 0; | ||
93 | while (*options) { | ||
94 | if (*options == '"') | ||
95 | break; | ||
96 | if (*options == '\\' && options[1] == '"') { | ||
97 | options += 2; | ||
98 | s[i++] = '"'; | ||
99 | continue; | ||
100 | } | ||
101 | s[i++] = *options++; | ||
102 | } | ||
103 | if (!*options) { | ||
104 | debug("%.100s, line %lu: missing end quote", | ||
105 | SSH_USER_PERMITTED_KEYS, linenum); | ||
106 | packet_send_debug("%.100s, line %lu: missing end quote", | ||
107 | SSH_USER_PERMITTED_KEYS, linenum); | ||
108 | continue; | ||
109 | } | ||
110 | s[i] = 0; | ||
111 | packet_send_debug("Adding to environment: %.900s", s); | ||
112 | debug("Adding to environment: %.900s", s); | ||
113 | options++; | ||
114 | new_envstring = xmalloc(sizeof(struct envstring)); | ||
115 | new_envstring->s = s; | ||
116 | new_envstring->next = custom_environment; | ||
117 | custom_environment = new_envstring; | ||
118 | goto next_option; | ||
119 | } | ||
120 | cp = "from=\""; | ||
121 | if (strncmp(options, cp, strlen(cp)) == 0) { | ||
122 | int mname, mip; | ||
123 | char *patterns = xmalloc(strlen(options) + 1); | ||
124 | int i; | ||
125 | options += strlen(cp); | ||
126 | i = 0; | ||
127 | while (*options) { | ||
128 | if (*options == '"') | ||
129 | break; | ||
130 | if (*options == '\\' && options[1] == '"') { | ||
131 | options += 2; | ||
132 | patterns[i++] = '"'; | ||
133 | continue; | ||
134 | } | ||
135 | patterns[i++] = *options++; | ||
136 | } | ||
137 | if (!*options) { | ||
138 | debug("%.100s, line %lu: missing end quote", | ||
139 | SSH_USER_PERMITTED_KEYS, linenum); | ||
140 | packet_send_debug("%.100s, line %lu: missing end quote", | ||
141 | SSH_USER_PERMITTED_KEYS, linenum); | ||
142 | continue; | ||
143 | } | ||
144 | patterns[i] = 0; | ||
145 | options++; | ||
146 | /* | ||
147 | * Deny access if we get a negative | ||
148 | * match for the hostname or the ip | ||
149 | * or if we get not match at all | ||
150 | */ | ||
151 | mname = match_hostname(get_canonical_hostname(), | ||
152 | patterns, strlen(patterns)); | ||
153 | mip = match_hostname(get_remote_ipaddr(), | ||
154 | patterns, strlen(patterns)); | ||
155 | xfree(patterns); | ||
156 | if (mname == -1 || mip == -1 || | ||
157 | (mname != 1 && mip != 1)) { | ||
158 | log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", | ||
159 | pw->pw_name, get_canonical_hostname(), | ||
160 | get_remote_ipaddr()); | ||
161 | packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", | ||
162 | get_canonical_hostname()); | ||
163 | /* key invalid for this host, reset flags */ | ||
164 | no_agent_forwarding_flag = 0; | ||
165 | no_port_forwarding_flag = 0; | ||
166 | no_pty_flag = 0; | ||
167 | no_x11_forwarding_flag = 0; | ||
168 | while (custom_environment) { | ||
169 | struct envstring *ce = custom_environment; | ||
170 | custom_environment = ce->next; | ||
171 | xfree(ce->s); | ||
172 | xfree(ce); | ||
173 | } | ||
174 | if (forced_command) { | ||
175 | xfree(forced_command); | ||
176 | forced_command = NULL; | ||
177 | } | ||
178 | /* deny access */ | ||
179 | return 0; | ||
180 | } | ||
181 | /* Host name matches. */ | ||
182 | goto next_option; | ||
183 | } | ||
184 | next_option: | ||
185 | /* | ||
186 | * Skip the comma, and move to the next option | ||
187 | * (or break out if there are no more). | ||
188 | */ | ||
189 | if (!*options) | ||
190 | fatal("Bugs in auth-options.c option processing."); | ||
191 | if (*options == ' ' || *options == '\t') | ||
192 | break; /* End of options. */ | ||
193 | if (*options != ',') | ||
194 | goto bad_option; | ||
195 | options++; | ||
196 | /* Process the next option. */ | ||
197 | } | ||
198 | /* grant access */ | ||
199 | return 1; | ||
200 | |||
201 | bad_option: | ||
202 | log("Bad options in %.100s file, line %lu: %.50s", | ||
203 | SSH_USER_PERMITTED_KEYS, linenum, options); | ||
204 | packet_send_debug("Bad options in %.100s file, line %lu: %.50s", | ||
205 | SSH_USER_PERMITTED_KEYS, linenum, options); | ||
206 | /* deny access */ | ||
207 | return 0; | ||
208 | } | ||