diff options
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 351 |
1 files changed, 346 insertions, 5 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.124 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -28,6 +28,7 @@ | |||
28 | #include <sys/types.h> | 28 | #include <sys/types.h> |
29 | #include <sys/stat.h> | 29 | #include <sys/stat.h> |
30 | #include <sys/socket.h> | 30 | #include <sys/socket.h> |
31 | #include <sys/wait.h> | ||
31 | 32 | ||
32 | #include <netinet/in.h> | 33 | #include <netinet/in.h> |
33 | 34 | ||
@@ -73,12 +74,14 @@ | |||
73 | #include "authfile.h" | 74 | #include "authfile.h" |
74 | #include "ssherr.h" | 75 | #include "ssherr.h" |
75 | #include "compat.h" | 76 | #include "compat.h" |
77 | #include "channels.h" | ||
76 | 78 | ||
77 | /* import */ | 79 | /* import */ |
78 | extern ServerOptions options; | 80 | extern ServerOptions options; |
79 | extern int use_privsep; | 81 | extern int use_privsep; |
80 | extern Buffer loginmsg; | 82 | extern Buffer loginmsg; |
81 | extern struct passwd *privsep_pw; | 83 | extern struct passwd *privsep_pw; |
84 | extern struct sshauthopt *auth_opts; | ||
82 | 85 | ||
83 | /* Debugging messages */ | 86 | /* Debugging messages */ |
84 | Buffer auth_debug; | 87 | Buffer auth_debug; |
@@ -385,10 +388,8 @@ auth_maxtries_exceeded(Authctxt *authctxt) | |||
385 | * Check whether root logins are disallowed. | 388 | * Check whether root logins are disallowed. |
386 | */ | 389 | */ |
387 | int | 390 | int |
388 | auth_root_allowed(const char *method) | 391 | auth_root_allowed(struct ssh *ssh, const char *method) |
389 | { | 392 | { |
390 | struct ssh *ssh = active_state; /* XXX */ | ||
391 | |||
392 | switch (options.permit_root_login) { | 393 | switch (options.permit_root_login) { |
393 | case PERMIT_YES: | 394 | case PERMIT_YES: |
394 | return 1; | 395 | return 1; |
@@ -399,7 +400,7 @@ auth_root_allowed(const char *method) | |||
399 | return 1; | 400 | return 1; |
400 | break; | 401 | break; |
401 | case PERMIT_FORCED_ONLY: | 402 | case PERMIT_FORCED_ONLY: |
402 | if (forced_command) { | 403 | if (auth_opts->force_command != NULL) { |
403 | logit("Root login accepted for forced command."); | 404 | logit("Root login accepted for forced command."); |
404 | return 1; | 405 | return 1; |
405 | } | 406 | } |
@@ -840,3 +841,343 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns) | |||
840 | return dnsname; | 841 | return dnsname; |
841 | } | 842 | } |
842 | } | 843 | } |
844 | |||
845 | /* | ||
846 | * Runs command in a subprocess wuth a minimal environment. | ||
847 | * Returns pid on success, 0 on failure. | ||
848 | * The child stdout and stderr maybe captured, left attached or sent to | ||
849 | * /dev/null depending on the contents of flags. | ||
850 | * "tag" is prepended to log messages. | ||
851 | * NB. "command" is only used for logging; the actual command executed is | ||
852 | * av[0]. | ||
853 | */ | ||
854 | pid_t | ||
855 | subprocess(const char *tag, struct passwd *pw, const char *command, | ||
856 | int ac, char **av, FILE **child, u_int flags) | ||
857 | { | ||
858 | FILE *f = NULL; | ||
859 | struct stat st; | ||
860 | int fd, devnull, p[2], i; | ||
861 | pid_t pid; | ||
862 | char *cp, errmsg[512]; | ||
863 | u_int envsize; | ||
864 | char **child_env; | ||
865 | |||
866 | if (child != NULL) | ||
867 | *child = NULL; | ||
868 | |||
869 | debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__, | ||
870 | tag, command, pw->pw_name, flags); | ||
871 | |||
872 | /* Check consistency */ | ||
873 | if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && | ||
874 | (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) { | ||
875 | error("%s: inconsistent flags", __func__); | ||
876 | return 0; | ||
877 | } | ||
878 | if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) { | ||
879 | error("%s: inconsistent flags/output", __func__); | ||
880 | return 0; | ||
881 | } | ||
882 | |||
883 | /* | ||
884 | * If executing an explicit binary, then verify the it exists | ||
885 | * and appears safe-ish to execute | ||
886 | */ | ||
887 | if (*av[0] != '/') { | ||
888 | error("%s path is not absolute", tag); | ||
889 | return 0; | ||
890 | } | ||
891 | temporarily_use_uid(pw); | ||
892 | if (stat(av[0], &st) < 0) { | ||
893 | error("Could not stat %s \"%s\": %s", tag, | ||
894 | av[0], strerror(errno)); | ||
895 | restore_uid(); | ||
896 | return 0; | ||
897 | } | ||
898 | if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) { | ||
899 | error("Unsafe %s \"%s\": %s", tag, av[0], errmsg); | ||
900 | restore_uid(); | ||
901 | return 0; | ||
902 | } | ||
903 | /* Prepare to keep the child's stdout if requested */ | ||
904 | if (pipe(p) != 0) { | ||
905 | error("%s: pipe: %s", tag, strerror(errno)); | ||
906 | restore_uid(); | ||
907 | return 0; | ||
908 | } | ||
909 | restore_uid(); | ||
910 | |||
911 | switch ((pid = fork())) { | ||
912 | case -1: /* error */ | ||
913 | error("%s: fork: %s", tag, strerror(errno)); | ||
914 | close(p[0]); | ||
915 | close(p[1]); | ||
916 | return 0; | ||
917 | case 0: /* child */ | ||
918 | /* Prepare a minimal environment for the child. */ | ||
919 | envsize = 5; | ||
920 | child_env = xcalloc(sizeof(*child_env), envsize); | ||
921 | child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH); | ||
922 | child_set_env(&child_env, &envsize, "USER", pw->pw_name); | ||
923 | child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name); | ||
924 | child_set_env(&child_env, &envsize, "HOME", pw->pw_dir); | ||
925 | if ((cp = getenv("LANG")) != NULL) | ||
926 | child_set_env(&child_env, &envsize, "LANG", cp); | ||
927 | |||
928 | for (i = 0; i < NSIG; i++) | ||
929 | signal(i, SIG_DFL); | ||
930 | |||
931 | if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { | ||
932 | error("%s: open %s: %s", tag, _PATH_DEVNULL, | ||
933 | strerror(errno)); | ||
934 | _exit(1); | ||
935 | } | ||
936 | if (dup2(devnull, STDIN_FILENO) == -1) { | ||
937 | error("%s: dup2: %s", tag, strerror(errno)); | ||
938 | _exit(1); | ||
939 | } | ||
940 | |||
941 | /* Set up stdout as requested; leave stderr in place for now. */ | ||
942 | fd = -1; | ||
943 | if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) | ||
944 | fd = p[1]; | ||
945 | else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0) | ||
946 | fd = devnull; | ||
947 | if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) { | ||
948 | error("%s: dup2: %s", tag, strerror(errno)); | ||
949 | _exit(1); | ||
950 | } | ||
951 | closefrom(STDERR_FILENO + 1); | ||
952 | |||
953 | /* Don't use permanently_set_uid() here to avoid fatal() */ | ||
954 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { | ||
955 | error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, | ||
956 | strerror(errno)); | ||
957 | _exit(1); | ||
958 | } | ||
959 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { | ||
960 | error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid, | ||
961 | strerror(errno)); | ||
962 | _exit(1); | ||
963 | } | ||
964 | /* stdin is pointed to /dev/null at this point */ | ||
965 | if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && | ||
966 | dup2(STDIN_FILENO, STDERR_FILENO) == -1) { | ||
967 | error("%s: dup2: %s", tag, strerror(errno)); | ||
968 | _exit(1); | ||
969 | } | ||
970 | |||
971 | execve(av[0], av, child_env); | ||
972 | error("%s exec \"%s\": %s", tag, command, strerror(errno)); | ||
973 | _exit(127); | ||
974 | default: /* parent */ | ||
975 | break; | ||
976 | } | ||
977 | |||
978 | close(p[1]); | ||
979 | if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) | ||
980 | close(p[0]); | ||
981 | else if ((f = fdopen(p[0], "r")) == NULL) { | ||
982 | error("%s: fdopen: %s", tag, strerror(errno)); | ||
983 | close(p[0]); | ||
984 | /* Don't leave zombie child */ | ||
985 | kill(pid, SIGTERM); | ||
986 | while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) | ||
987 | ; | ||
988 | return 0; | ||
989 | } | ||
990 | /* Success */ | ||
991 | debug3("%s: %s pid %ld", __func__, tag, (long)pid); | ||
992 | if (child != NULL) | ||
993 | *child = f; | ||
994 | return pid; | ||
995 | } | ||
996 | |||
997 | /* These functions link key/cert options to the auth framework */ | ||
998 | |||
999 | /* Log sshauthopt options locally and (optionally) for remote transmission */ | ||
1000 | void | ||
1001 | auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) | ||
1002 | { | ||
1003 | int do_env = options.permit_user_env && opts->nenv > 0; | ||
1004 | int do_permitopen = opts->npermitopen > 0 && | ||
1005 | (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0; | ||
1006 | size_t i; | ||
1007 | char msg[1024], buf[64]; | ||
1008 | |||
1009 | snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); | ||
1010 | /* Try to keep this alphabetically sorted */ | ||
1011 | snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s", | ||
1012 | opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", | ||
1013 | opts->force_command == NULL ? "" : " command", | ||
1014 | do_env ? " environment" : "", | ||
1015 | opts->valid_before == 0 ? "" : "expires", | ||
1016 | do_permitopen ? " permitopen" : "", | ||
1017 | opts->permit_port_forwarding_flag ? " port-forwarding" : "", | ||
1018 | opts->cert_principals == NULL ? "" : " principals", | ||
1019 | opts->permit_pty_flag ? " pty" : "", | ||
1020 | opts->force_tun_device == -1 ? "" : " tun=", | ||
1021 | opts->force_tun_device == -1 ? "" : buf, | ||
1022 | opts->permit_user_rc ? " user-rc" : "", | ||
1023 | opts->permit_x11_forwarding_flag ? " x11-forwarding" : ""); | ||
1024 | |||
1025 | debug("%s: %s", loc, msg); | ||
1026 | if (do_remote) | ||
1027 | auth_debug_add("%s: %s", loc, msg); | ||
1028 | |||
1029 | if (options.permit_user_env) { | ||
1030 | for (i = 0; i < opts->nenv; i++) { | ||
1031 | debug("%s: environment: %s", loc, opts->env[i]); | ||
1032 | if (do_remote) { | ||
1033 | auth_debug_add("%s: environment: %s", | ||
1034 | loc, opts->env[i]); | ||
1035 | } | ||
1036 | } | ||
1037 | } | ||
1038 | |||
1039 | /* Go into a little more details for the local logs. */ | ||
1040 | if (opts->valid_before != 0) { | ||
1041 | format_absolute_time(opts->valid_before, buf, sizeof(buf)); | ||
1042 | debug("%s: expires at %s", loc, buf); | ||
1043 | } | ||
1044 | if (opts->cert_principals != NULL) { | ||
1045 | debug("%s: authorized principals: \"%s\"", | ||
1046 | loc, opts->cert_principals); | ||
1047 | } | ||
1048 | if (opts->force_command != NULL) | ||
1049 | debug("%s: forced command: \"%s\"", loc, opts->force_command); | ||
1050 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) { | ||
1051 | for (i = 0; i < opts->npermitopen; i++) { | ||
1052 | debug("%s: permitted open: %s", | ||
1053 | loc, opts->permitopen[i]); | ||
1054 | } | ||
1055 | } | ||
1056 | } | ||
1057 | |||
1058 | /* Activate a new set of key/cert options; merging with what is there. */ | ||
1059 | int | ||
1060 | auth_activate_options(struct ssh *ssh, struct sshauthopt *opts) | ||
1061 | { | ||
1062 | struct sshauthopt *old = auth_opts; | ||
1063 | const char *emsg = NULL; | ||
1064 | |||
1065 | debug("%s: setting new authentication options", __func__); | ||
1066 | if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) { | ||
1067 | error("Inconsistent authentication options: %s", emsg); | ||
1068 | return -1; | ||
1069 | } | ||
1070 | return 0; | ||
1071 | } | ||
1072 | |||
1073 | /* Disable forwarding, etc for the session */ | ||
1074 | void | ||
1075 | auth_restrict_session(struct ssh *ssh) | ||
1076 | { | ||
1077 | struct sshauthopt *restricted; | ||
1078 | |||
1079 | debug("%s: restricting session", __func__); | ||
1080 | |||
1081 | /* A blank sshauthopt defaults to permitting nothing */ | ||
1082 | restricted = sshauthopt_new(); | ||
1083 | restricted->restricted = 1; | ||
1084 | |||
1085 | if (auth_activate_options(ssh, restricted) != 0) | ||
1086 | fatal("%s: failed to restrict session", __func__); | ||
1087 | sshauthopt_free(restricted); | ||
1088 | } | ||
1089 | |||
1090 | int | ||
1091 | auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw, | ||
1092 | struct sshauthopt *opts, int allow_cert_authority, const char *loc) | ||
1093 | { | ||
1094 | const char *remote_ip = ssh_remote_ipaddr(ssh); | ||
1095 | const char *remote_host = auth_get_canonical_hostname(ssh, | ||
1096 | options.use_dns); | ||
1097 | time_t now = time(NULL); | ||
1098 | char buf[64]; | ||
1099 | |||
1100 | /* | ||
1101 | * Check keys/principals file expiry time. | ||
1102 | * NB. validity interval in certificate is handled elsewhere. | ||
1103 | */ | ||
1104 | if (opts->valid_before && now > 0 && | ||
1105 | opts->valid_before < (uint64_t)now) { | ||
1106 | format_absolute_time(opts->valid_before, buf, sizeof(buf)); | ||
1107 | debug("%s: entry expired at %s", loc, buf); | ||
1108 | auth_debug_add("%s: entry expired at %s", loc, buf); | ||
1109 | return -1; | ||
1110 | } | ||
1111 | /* Consistency checks */ | ||
1112 | if (opts->cert_principals != NULL && !opts->cert_authority) { | ||
1113 | debug("%s: principals on non-CA key", loc); | ||
1114 | auth_debug_add("%s: principals on non-CA key", loc); | ||
1115 | /* deny access */ | ||
1116 | return -1; | ||
1117 | } | ||
1118 | /* cert-authority flag isn't valid in authorized_principals files */ | ||
1119 | if (!allow_cert_authority && opts->cert_authority) { | ||
1120 | debug("%s: cert-authority flag invalid here", loc); | ||
1121 | auth_debug_add("%s: cert-authority flag invalid here", loc); | ||
1122 | /* deny access */ | ||
1123 | return -1; | ||
1124 | } | ||
1125 | |||
1126 | /* Perform from= checks */ | ||
1127 | if (opts->required_from_host_keys != NULL) { | ||
1128 | switch (match_host_and_ip(remote_host, remote_ip, | ||
1129 | opts->required_from_host_keys )) { | ||
1130 | case 1: | ||
1131 | /* Host name matches. */ | ||
1132 | break; | ||
1133 | case -1: | ||
1134 | default: | ||
1135 | debug("%s: invalid from criteria", loc); | ||
1136 | auth_debug_add("%s: invalid from criteria", loc); | ||
1137 | /* FALLTHROUGH */ | ||
1138 | case 0: | ||
1139 | logit("%s: Authentication tried for %.100s with " | ||
1140 | "correct key but not from a permitted " | ||
1141 | "host (host=%.200s, ip=%.200s, required=%.200s).", | ||
1142 | loc, pw->pw_name, remote_host, remote_ip, | ||
1143 | opts->required_from_host_keys); | ||
1144 | auth_debug_add("%s: Your host '%.200s' is not " | ||
1145 | "permitted to use this key for login.", | ||
1146 | loc, remote_host); | ||
1147 | /* deny access */ | ||
1148 | return -1; | ||
1149 | } | ||
1150 | } | ||
1151 | /* Check source-address restriction from certificate */ | ||
1152 | if (opts->required_from_host_cert != NULL) { | ||
1153 | switch (addr_match_cidr_list(remote_ip, | ||
1154 | opts->required_from_host_cert)) { | ||
1155 | case 1: | ||
1156 | /* accepted */ | ||
1157 | break; | ||
1158 | case -1: | ||
1159 | default: | ||
1160 | /* invalid */ | ||
1161 | error("%s: Certificate source-address invalid", | ||
1162 | loc); | ||
1163 | /* FALLTHROUGH */ | ||
1164 | case 0: | ||
1165 | logit("%s: Authentication tried for %.100s with valid " | ||
1166 | "certificate but not from a permitted source " | ||
1167 | "address (%.200s).", loc, pw->pw_name, remote_ip); | ||
1168 | auth_debug_add("%s: Your address '%.200s' is not " | ||
1169 | "permitted to use this certificate for login.", | ||
1170 | loc, remote_ip); | ||
1171 | return -1; | ||
1172 | } | ||
1173 | } | ||
1174 | /* | ||
1175 | * | ||
1176 | * XXX this is spammy. We should report remotely only for keys | ||
1177 | * that are successful in actual auth attempts, and not PK_OK | ||
1178 | * tests. | ||
1179 | */ | ||
1180 | auth_log_authopts(loc, opts, 1); | ||
1181 | |||
1182 | return 0; | ||
1183 | } | ||