summaryrefslogtreecommitdiff
path: root/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c351
1 files changed, 346 insertions, 5 deletions
diff --git a/auth.c b/auth.c
index a44906174..63366768a 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.124 2017/09/12 06:32:07 djm Exp $ */ 1/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -28,6 +28,7 @@
28#include <sys/types.h> 28#include <sys/types.h>
29#include <sys/stat.h> 29#include <sys/stat.h>
30#include <sys/socket.h> 30#include <sys/socket.h>
31#include <sys/wait.h>
31 32
32#include <netinet/in.h> 33#include <netinet/in.h>
33 34
@@ -73,12 +74,14 @@
73#include "authfile.h" 74#include "authfile.h"
74#include "ssherr.h" 75#include "ssherr.h"
75#include "compat.h" 76#include "compat.h"
77#include "channels.h"
76 78
77/* import */ 79/* import */
78extern ServerOptions options; 80extern ServerOptions options;
79extern int use_privsep; 81extern int use_privsep;
80extern Buffer loginmsg; 82extern Buffer loginmsg;
81extern struct passwd *privsep_pw; 83extern struct passwd *privsep_pw;
84extern struct sshauthopt *auth_opts;
82 85
83/* Debugging messages */ 86/* Debugging messages */
84Buffer auth_debug; 87Buffer auth_debug;
@@ -385,10 +388,8 @@ auth_maxtries_exceeded(Authctxt *authctxt)
385 * Check whether root logins are disallowed. 388 * Check whether root logins are disallowed.
386 */ 389 */
387int 390int
388auth_root_allowed(const char *method) 391auth_root_allowed(struct ssh *ssh, const char *method)
389{ 392{
390 struct ssh *ssh = active_state; /* XXX */
391
392 switch (options.permit_root_login) { 393 switch (options.permit_root_login) {
393 case PERMIT_YES: 394 case PERMIT_YES:
394 return 1; 395 return 1;
@@ -399,7 +400,7 @@ auth_root_allowed(const char *method)
399 return 1; 400 return 1;
400 break; 401 break;
401 case PERMIT_FORCED_ONLY: 402 case PERMIT_FORCED_ONLY:
402 if (forced_command) { 403 if (auth_opts->force_command != NULL) {
403 logit("Root login accepted for forced command."); 404 logit("Root login accepted for forced command.");
404 return 1; 405 return 1;
405 } 406 }
@@ -840,3 +841,343 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
840 return dnsname; 841 return dnsname;
841 } 842 }
842} 843}
844
845/*
846 * Runs command in a subprocess wuth a minimal environment.
847 * Returns pid on success, 0 on failure.
848 * The child stdout and stderr maybe captured, left attached or sent to
849 * /dev/null depending on the contents of flags.
850 * "tag" is prepended to log messages.
851 * NB. "command" is only used for logging; the actual command executed is
852 * av[0].
853 */
854pid_t
855subprocess(const char *tag, struct passwd *pw, const char *command,
856 int ac, char **av, FILE **child, u_int flags)
857{
858 FILE *f = NULL;
859 struct stat st;
860 int fd, devnull, p[2], i;
861 pid_t pid;
862 char *cp, errmsg[512];
863 u_int envsize;
864 char **child_env;
865
866 if (child != NULL)
867 *child = NULL;
868
869 debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__,
870 tag, command, pw->pw_name, flags);
871
872 /* Check consistency */
873 if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
874 (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) {
875 error("%s: inconsistent flags", __func__);
876 return 0;
877 }
878 if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) {
879 error("%s: inconsistent flags/output", __func__);
880 return 0;
881 }
882
883 /*
884 * If executing an explicit binary, then verify the it exists
885 * and appears safe-ish to execute
886 */
887 if (*av[0] != '/') {
888 error("%s path is not absolute", tag);
889 return 0;
890 }
891 temporarily_use_uid(pw);
892 if (stat(av[0], &st) < 0) {
893 error("Could not stat %s \"%s\": %s", tag,
894 av[0], strerror(errno));
895 restore_uid();
896 return 0;
897 }
898 if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
899 error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
900 restore_uid();
901 return 0;
902 }
903 /* Prepare to keep the child's stdout if requested */
904 if (pipe(p) != 0) {
905 error("%s: pipe: %s", tag, strerror(errno));
906 restore_uid();
907 return 0;
908 }
909 restore_uid();
910
911 switch ((pid = fork())) {
912 case -1: /* error */
913 error("%s: fork: %s", tag, strerror(errno));
914 close(p[0]);
915 close(p[1]);
916 return 0;
917 case 0: /* child */
918 /* Prepare a minimal environment for the child. */
919 envsize = 5;
920 child_env = xcalloc(sizeof(*child_env), envsize);
921 child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
922 child_set_env(&child_env, &envsize, "USER", pw->pw_name);
923 child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
924 child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
925 if ((cp = getenv("LANG")) != NULL)
926 child_set_env(&child_env, &envsize, "LANG", cp);
927
928 for (i = 0; i < NSIG; i++)
929 signal(i, SIG_DFL);
930
931 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
932 error("%s: open %s: %s", tag, _PATH_DEVNULL,
933 strerror(errno));
934 _exit(1);
935 }
936 if (dup2(devnull, STDIN_FILENO) == -1) {
937 error("%s: dup2: %s", tag, strerror(errno));
938 _exit(1);
939 }
940
941 /* Set up stdout as requested; leave stderr in place for now. */
942 fd = -1;
943 if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
944 fd = p[1];
945 else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
946 fd = devnull;
947 if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {
948 error("%s: dup2: %s", tag, strerror(errno));
949 _exit(1);
950 }
951 closefrom(STDERR_FILENO + 1);
952
953 /* Don't use permanently_set_uid() here to avoid fatal() */
954 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
955 error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
956 strerror(errno));
957 _exit(1);
958 }
959 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
960 error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
961 strerror(errno));
962 _exit(1);
963 }
964 /* stdin is pointed to /dev/null at this point */
965 if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
966 dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
967 error("%s: dup2: %s", tag, strerror(errno));
968 _exit(1);
969 }
970
971 execve(av[0], av, child_env);
972 error("%s exec \"%s\": %s", tag, command, strerror(errno));
973 _exit(127);
974 default: /* parent */
975 break;
976 }
977
978 close(p[1]);
979 if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0)
980 close(p[0]);
981 else if ((f = fdopen(p[0], "r")) == NULL) {
982 error("%s: fdopen: %s", tag, strerror(errno));
983 close(p[0]);
984 /* Don't leave zombie child */
985 kill(pid, SIGTERM);
986 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
987 ;
988 return 0;
989 }
990 /* Success */
991 debug3("%s: %s pid %ld", __func__, tag, (long)pid);
992 if (child != NULL)
993 *child = f;
994 return pid;
995}
996
997/* These functions link key/cert options to the auth framework */
998
999/* Log sshauthopt options locally and (optionally) for remote transmission */
1000void
1001auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
1002{
1003 int do_env = options.permit_user_env && opts->nenv > 0;
1004 int do_permitopen = opts->npermitopen > 0 &&
1005 (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
1006 size_t i;
1007 char msg[1024], buf[64];
1008
1009 snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
1010 /* Try to keep this alphabetically sorted */
1011 snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
1012 opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
1013 opts->force_command == NULL ? "" : " command",
1014 do_env ? " environment" : "",
1015 opts->valid_before == 0 ? "" : "expires",
1016 do_permitopen ? " permitopen" : "",
1017 opts->permit_port_forwarding_flag ? " port-forwarding" : "",
1018 opts->cert_principals == NULL ? "" : " principals",
1019 opts->permit_pty_flag ? " pty" : "",
1020 opts->force_tun_device == -1 ? "" : " tun=",
1021 opts->force_tun_device == -1 ? "" : buf,
1022 opts->permit_user_rc ? " user-rc" : "",
1023 opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
1024
1025 debug("%s: %s", loc, msg);
1026 if (do_remote)
1027 auth_debug_add("%s: %s", loc, msg);
1028
1029 if (options.permit_user_env) {
1030 for (i = 0; i < opts->nenv; i++) {
1031 debug("%s: environment: %s", loc, opts->env[i]);
1032 if (do_remote) {
1033 auth_debug_add("%s: environment: %s",
1034 loc, opts->env[i]);
1035 }
1036 }
1037 }
1038
1039 /* Go into a little more details for the local logs. */
1040 if (opts->valid_before != 0) {
1041 format_absolute_time(opts->valid_before, buf, sizeof(buf));
1042 debug("%s: expires at %s", loc, buf);
1043 }
1044 if (opts->cert_principals != NULL) {
1045 debug("%s: authorized principals: \"%s\"",
1046 loc, opts->cert_principals);
1047 }
1048 if (opts->force_command != NULL)
1049 debug("%s: forced command: \"%s\"", loc, opts->force_command);
1050 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) {
1051 for (i = 0; i < opts->npermitopen; i++) {
1052 debug("%s: permitted open: %s",
1053 loc, opts->permitopen[i]);
1054 }
1055 }
1056}
1057
1058/* Activate a new set of key/cert options; merging with what is there. */
1059int
1060auth_activate_options(struct ssh *ssh, struct sshauthopt *opts)
1061{
1062 struct sshauthopt *old = auth_opts;
1063 const char *emsg = NULL;
1064
1065 debug("%s: setting new authentication options", __func__);
1066 if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {
1067 error("Inconsistent authentication options: %s", emsg);
1068 return -1;
1069 }
1070 return 0;
1071}
1072
1073/* Disable forwarding, etc for the session */
1074void
1075auth_restrict_session(struct ssh *ssh)
1076{
1077 struct sshauthopt *restricted;
1078
1079 debug("%s: restricting session", __func__);
1080
1081 /* A blank sshauthopt defaults to permitting nothing */
1082 restricted = sshauthopt_new();
1083 restricted->restricted = 1;
1084
1085 if (auth_activate_options(ssh, restricted) != 0)
1086 fatal("%s: failed to restrict session", __func__);
1087 sshauthopt_free(restricted);
1088}
1089
1090int
1091auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
1092 struct sshauthopt *opts, int allow_cert_authority, const char *loc)
1093{
1094 const char *remote_ip = ssh_remote_ipaddr(ssh);
1095 const char *remote_host = auth_get_canonical_hostname(ssh,
1096 options.use_dns);
1097 time_t now = time(NULL);
1098 char buf[64];
1099
1100 /*
1101 * Check keys/principals file expiry time.
1102 * NB. validity interval in certificate is handled elsewhere.
1103 */
1104 if (opts->valid_before && now > 0 &&
1105 opts->valid_before < (uint64_t)now) {
1106 format_absolute_time(opts->valid_before, buf, sizeof(buf));
1107 debug("%s: entry expired at %s", loc, buf);
1108 auth_debug_add("%s: entry expired at %s", loc, buf);
1109 return -1;
1110 }
1111 /* Consistency checks */
1112 if (opts->cert_principals != NULL && !opts->cert_authority) {
1113 debug("%s: principals on non-CA key", loc);
1114 auth_debug_add("%s: principals on non-CA key", loc);
1115 /* deny access */
1116 return -1;
1117 }
1118 /* cert-authority flag isn't valid in authorized_principals files */
1119 if (!allow_cert_authority && opts->cert_authority) {
1120 debug("%s: cert-authority flag invalid here", loc);
1121 auth_debug_add("%s: cert-authority flag invalid here", loc);
1122 /* deny access */
1123 return -1;
1124 }
1125
1126 /* Perform from= checks */
1127 if (opts->required_from_host_keys != NULL) {
1128 switch (match_host_and_ip(remote_host, remote_ip,
1129 opts->required_from_host_keys )) {
1130 case 1:
1131 /* Host name matches. */
1132 break;
1133 case -1:
1134 default:
1135 debug("%s: invalid from criteria", loc);
1136 auth_debug_add("%s: invalid from criteria", loc);
1137 /* FALLTHROUGH */
1138 case 0:
1139 logit("%s: Authentication tried for %.100s with "
1140 "correct key but not from a permitted "
1141 "host (host=%.200s, ip=%.200s, required=%.200s).",
1142 loc, pw->pw_name, remote_host, remote_ip,
1143 opts->required_from_host_keys);
1144 auth_debug_add("%s: Your host '%.200s' is not "
1145 "permitted to use this key for login.",
1146 loc, remote_host);
1147 /* deny access */
1148 return -1;
1149 }
1150 }
1151 /* Check source-address restriction from certificate */
1152 if (opts->required_from_host_cert != NULL) {
1153 switch (addr_match_cidr_list(remote_ip,
1154 opts->required_from_host_cert)) {
1155 case 1:
1156 /* accepted */
1157 break;
1158 case -1:
1159 default:
1160 /* invalid */
1161 error("%s: Certificate source-address invalid",
1162 loc);
1163 /* FALLTHROUGH */
1164 case 0:
1165 logit("%s: Authentication tried for %.100s with valid "
1166 "certificate but not from a permitted source "
1167 "address (%.200s).", loc, pw->pw_name, remote_ip);
1168 auth_debug_add("%s: Your address '%.200s' is not "
1169 "permitted to use this certificate for login.",
1170 loc, remote_ip);
1171 return -1;
1172 }
1173 }
1174 /*
1175 *
1176 * XXX this is spammy. We should report remotely only for keys
1177 * that are successful in actual auth attempts, and not PK_OK
1178 * tests.
1179 */
1180 auth_log_authopts(loc, opts, 1);
1181
1182 return 0;
1183}