diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 63 |
1 files changed, 39 insertions, 24 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.132 2018/07/11 08:19:35 martijn Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -55,10 +55,10 @@ | |||
| 55 | #include "match.h" | 55 | #include "match.h" |
| 56 | #include "groupaccess.h" | 56 | #include "groupaccess.h" |
| 57 | #include "log.h" | 57 | #include "log.h" |
| 58 | #include "buffer.h" | 58 | #include "sshbuf.h" |
| 59 | #include "misc.h" | 59 | #include "misc.h" |
| 60 | #include "servconf.h" | 60 | #include "servconf.h" |
| 61 | #include "key.h" | 61 | #include "sshkey.h" |
| 62 | #include "hostfile.h" | 62 | #include "hostfile.h" |
| 63 | #include "auth.h" | 63 | #include "auth.h" |
| 64 | #include "auth-options.h" | 64 | #include "auth-options.h" |
| @@ -79,13 +79,12 @@ | |||
| 79 | /* import */ | 79 | /* import */ |
| 80 | extern ServerOptions options; | 80 | extern ServerOptions options; |
| 81 | extern int use_privsep; | 81 | extern int use_privsep; |
| 82 | extern Buffer loginmsg; | 82 | extern struct sshbuf *loginmsg; |
| 83 | extern struct passwd *privsep_pw; | 83 | extern struct passwd *privsep_pw; |
| 84 | extern struct sshauthopt *auth_opts; | 84 | extern struct sshauthopt *auth_opts; |
| 85 | 85 | ||
| 86 | /* Debugging messages */ | 86 | /* Debugging messages */ |
| 87 | Buffer auth_debug; | 87 | static struct sshbuf *auth_debug; |
| 88 | int auth_debug_init; | ||
| 89 | 88 | ||
| 90 | /* | 89 | /* |
| 91 | * Check if the user is allowed to log in via ssh. If user is listed | 90 | * Check if the user is allowed to log in via ssh. If user is listed |
| @@ -281,7 +280,7 @@ format_method_key(Authctxt *authctxt) | |||
| 281 | if (key == NULL) | 280 | if (key == NULL) |
| 282 | return NULL; | 281 | return NULL; |
| 283 | 282 | ||
| 284 | if (key_is_cert(key)) { | 283 | if (sshkey_is_cert(key)) { |
| 285 | fp = sshkey_fingerprint(key->cert->signature_key, | 284 | fp = sshkey_fingerprint(key->cert->signature_key, |
| 286 | options.fingerprint_hash, SSH_FP_DEFAULT); | 285 | options.fingerprint_hash, SSH_FP_DEFAULT); |
| 287 | xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s", | 286 | xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s", |
| @@ -423,11 +422,13 @@ auth_root_allowed(struct ssh *ssh, const char *method) | |||
| 423 | char * | 422 | char * |
| 424 | expand_authorized_keys(const char *filename, struct passwd *pw) | 423 | expand_authorized_keys(const char *filename, struct passwd *pw) |
| 425 | { | 424 | { |
| 426 | char *file, ret[PATH_MAX]; | 425 | char *file, uidstr[32], ret[PATH_MAX]; |
| 427 | int i; | 426 | int i; |
| 428 | 427 | ||
| 428 | snprintf(uidstr, sizeof(uidstr), "%llu", | ||
| 429 | (unsigned long long)pw->pw_uid); | ||
| 429 | file = percent_expand(filename, "h", pw->pw_dir, | 430 | file = percent_expand(filename, "h", pw->pw_dir, |
| 430 | "u", pw->pw_name, (char *)NULL); | 431 | "u", pw->pw_name, "U", uidstr, (char *)NULL); |
| 431 | 432 | ||
| 432 | /* | 433 | /* |
| 433 | * Ensure that filename starts anchored. If not, be backward | 434 | * Ensure that filename starts anchored. If not, be backward |
| @@ -670,26 +671,32 @@ auth_debug_add(const char *fmt,...) | |||
| 670 | { | 671 | { |
| 671 | char buf[1024]; | 672 | char buf[1024]; |
| 672 | va_list args; | 673 | va_list args; |
| 674 | int r; | ||
| 673 | 675 | ||
| 674 | if (!auth_debug_init) | 676 | if (auth_debug == NULL) |
| 675 | return; | 677 | return; |
| 676 | 678 | ||
| 677 | va_start(args, fmt); | 679 | va_start(args, fmt); |
| 678 | vsnprintf(buf, sizeof(buf), fmt, args); | 680 | vsnprintf(buf, sizeof(buf), fmt, args); |
| 679 | va_end(args); | 681 | va_end(args); |
| 680 | buffer_put_cstring(&auth_debug, buf); | 682 | if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0) |
| 683 | fatal("%s: sshbuf_put_cstring: %s", __func__, ssh_err(r)); | ||
| 681 | } | 684 | } |
| 682 | 685 | ||
| 683 | void | 686 | void |
| 684 | auth_debug_send(void) | 687 | auth_debug_send(void) |
| 685 | { | 688 | { |
| 689 | struct ssh *ssh = active_state; /* XXX */ | ||
| 686 | char *msg; | 690 | char *msg; |
| 691 | int r; | ||
| 687 | 692 | ||
| 688 | if (!auth_debug_init) | 693 | if (auth_debug == NULL) |
| 689 | return; | 694 | return; |
| 690 | while (buffer_len(&auth_debug)) { | 695 | while (sshbuf_len(auth_debug) != 0) { |
| 691 | msg = buffer_get_string(&auth_debug, NULL); | 696 | if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0) |
| 692 | packet_send_debug("%s", msg); | 697 | fatal("%s: sshbuf_get_cstring: %s", |
| 698 | __func__, ssh_err(r)); | ||
| 699 | ssh_packet_send_debug(ssh, "%s", msg); | ||
| 693 | free(msg); | 700 | free(msg); |
| 694 | } | 701 | } |
| 695 | } | 702 | } |
| @@ -697,12 +704,10 @@ auth_debug_send(void) | |||
| 697 | void | 704 | void |
| 698 | auth_debug_reset(void) | 705 | auth_debug_reset(void) |
| 699 | { | 706 | { |
| 700 | if (auth_debug_init) | 707 | if (auth_debug != NULL) |
| 701 | buffer_clear(&auth_debug); | 708 | sshbuf_reset(auth_debug); |
| 702 | else { | 709 | else if ((auth_debug = sshbuf_new()) == NULL) |
| 703 | buffer_init(&auth_debug); | 710 | fatal("%s: sshbuf_new failed", __func__); |
| 704 | auth_debug_init = 1; | ||
| 705 | } | ||
| 706 | } | 711 | } |
| 707 | 712 | ||
| 708 | struct passwd * | 713 | struct passwd * |
| @@ -750,7 +755,7 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns) | |||
| 750 | } | 755 | } |
| 751 | 756 | ||
| 752 | /* | 757 | /* |
| 753 | * Runs command in a subprocess wuth a minimal environment. | 758 | * Runs command in a subprocess with a minimal environment. |
| 754 | * Returns pid on success, 0 on failure. | 759 | * Returns pid on success, 0 on failure. |
| 755 | * The child stdout and stderr maybe captured, left attached or sent to | 760 | * The child stdout and stderr maybe captured, left attached or sent to |
| 756 | * /dev/null depending on the contents of flags. | 761 | * /dev/null depending on the contents of flags. |
| @@ -910,17 +915,20 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) | |||
| 910 | int do_env = options.permit_user_env && opts->nenv > 0; | 915 | int do_env = options.permit_user_env && opts->nenv > 0; |
| 911 | int do_permitopen = opts->npermitopen > 0 && | 916 | int do_permitopen = opts->npermitopen > 0 && |
| 912 | (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0; | 917 | (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0; |
| 918 | int do_permitlisten = opts->npermitlisten > 0 && | ||
| 919 | (options.allow_tcp_forwarding & FORWARD_REMOTE) != 0; | ||
| 913 | size_t i; | 920 | size_t i; |
| 914 | char msg[1024], buf[64]; | 921 | char msg[1024], buf[64]; |
| 915 | 922 | ||
| 916 | snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); | 923 | snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); |
| 917 | /* Try to keep this alphabetically sorted */ | 924 | /* Try to keep this alphabetically sorted */ |
| 918 | snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s", | 925 | snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s", |
| 919 | opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", | 926 | opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", |
| 920 | opts->force_command == NULL ? "" : " command", | 927 | opts->force_command == NULL ? "" : " command", |
| 921 | do_env ? " environment" : "", | 928 | do_env ? " environment" : "", |
| 922 | opts->valid_before == 0 ? "" : "expires", | 929 | opts->valid_before == 0 ? "" : "expires", |
| 923 | do_permitopen ? " permitopen" : "", | 930 | do_permitopen ? " permitopen" : "", |
| 931 | do_permitlisten ? " permitlisten" : "", | ||
| 924 | opts->permit_port_forwarding_flag ? " port-forwarding" : "", | 932 | opts->permit_port_forwarding_flag ? " port-forwarding" : "", |
| 925 | opts->cert_principals == NULL ? "" : " principals", | 933 | opts->cert_principals == NULL ? "" : " principals", |
| 926 | opts->permit_pty_flag ? " pty" : "", | 934 | opts->permit_pty_flag ? " pty" : "", |
| @@ -954,12 +962,18 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) | |||
| 954 | } | 962 | } |
| 955 | if (opts->force_command != NULL) | 963 | if (opts->force_command != NULL) |
| 956 | debug("%s: forced command: \"%s\"", loc, opts->force_command); | 964 | debug("%s: forced command: \"%s\"", loc, opts->force_command); |
| 957 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) { | 965 | if (do_permitopen) { |
| 958 | for (i = 0; i < opts->npermitopen; i++) { | 966 | for (i = 0; i < opts->npermitopen; i++) { |
| 959 | debug("%s: permitted open: %s", | 967 | debug("%s: permitted open: %s", |
| 960 | loc, opts->permitopen[i]); | 968 | loc, opts->permitopen[i]); |
| 961 | } | 969 | } |
| 962 | } | 970 | } |
| 971 | if (do_permitlisten) { | ||
| 972 | for (i = 0; i < opts->npermitlisten; i++) { | ||
| 973 | debug("%s: permitted listen: %s", | ||
| 974 | loc, opts->permitlisten[i]); | ||
| 975 | } | ||
| 976 | } | ||
| 963 | } | 977 | } |
| 964 | 978 | ||
| 965 | /* Activate a new set of key/cert options; merging with what is there. */ | 979 | /* Activate a new set of key/cert options; merging with what is there. */ |
| @@ -987,6 +1001,7 @@ auth_restrict_session(struct ssh *ssh) | |||
| 987 | 1001 | ||
| 988 | /* A blank sshauthopt defaults to permitting nothing */ | 1002 | /* A blank sshauthopt defaults to permitting nothing */ |
| 989 | restricted = sshauthopt_new(); | 1003 | restricted = sshauthopt_new(); |
| 1004 | restricted->permit_pty_flag = 1; | ||
| 990 | restricted->restricted = 1; | 1005 | restricted->restricted = 1; |
| 991 | 1006 | ||
| 992 | if (auth_activate_options(ssh, restricted) != 0) | 1007 | if (auth_activate_options(ssh, restricted) != 0) |