1 files changed, 346 insertions, 5 deletions
diff --git a/auth.c b/auth.c
index a44906174..63366768a 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.124 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
+#include <sys/wait.h>
 #include <netinet/in.h>
@@ -73,12 +74,14 @@
 #include "authfile.h"
 #include "ssherr.h"
 #include "compat.h"
+#include "channels.h"
 /* import */
 extern ServerOptions options;
 extern int use_privsep;
 extern Buffer loginmsg;
 extern struct passwd *privsep_pw;
+extern struct sshauthopt *auth_opts;
 /* Debugging messages */
 Buffer auth_debug;
@@ -385,10 +388,8 @@ auth_maxtries_exceeded(Authctxt *authctxt)
 * Check whether root logins are disallowed.
 */
 int
-auth_root_allowed(const char *method)
+auth_root_allowed(struct ssh *ssh, const char *method)
 {
-        struct ssh *ssh = active_state; /* XXX */
        switch (options.permit_root_login) {
        case PERMIT_YES:
                return 1;
@@ -399,7 +400,7 @@ auth_root_allowed(const char *method)
                        return 1;
                break;
        case PERMIT_FORCED_ONLY:
-                if (forced_command) {
+                if (auth_opts->force_command != NULL) {
                        logit("Root login accepted for forced command.");
                        return 1;
                }
@@ -840,3 +841,343 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
                return dnsname;
        }
 }
+/*
+ * Runs command in a subprocess wuth a minimal environment.
+ * Returns pid on success, 0 on failure.
+ * The child stdout and stderr maybe captured, left attached or sent to
+ * /dev/null depending on the contents of flags.
+ * "tag" is prepended to log messages.
+ * NB. "command" is only used for logging; the actual command executed is
+ * av[0].
+ */
+pid_t
+subprocess(const char *tag, struct passwd *pw, const char *command,
+    int ac, char **av, FILE **child, u_int flags)
+{
+        FILE *f = NULL;
+        struct stat st;
+        int fd, devnull, p[2], i;
+        pid_t pid;
+        char *cp, errmsg[512];
+        u_int envsize;
+        char **child_env;
+        if (child != NULL)
+                *child = NULL;
+        debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__,
+            tag, command, pw->pw_name, flags);
+        /* Check consistency */
+        if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
+            (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) {
+                error("%s: inconsistent flags", __func__);
+                return 0;
+        }
+        if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) {
+                error("%s: inconsistent flags/output", __func__);
+                return 0;
+        }
+        /*
+         * If executing an explicit binary, then verify the it exists
+         * and appears safe-ish to execute
+         */
+        if (*av[0] != '/') {
+                error("%s path is not absolute", tag);
+                return 0;
+        }
+        temporarily_use_uid(pw);
+        if (stat(av[0], &st) < 0) {
+                error("Could not stat %s \"%s\": %s", tag,
+                    av[0], strerror(errno));
+                restore_uid();
+                return 0;
+        }
+        if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
+                error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
+                restore_uid();
+                return 0;
+        }
+        /* Prepare to keep the child's stdout if requested */
+        if (pipe(p) != 0) {
+                error("%s: pipe: %s", tag, strerror(errno));
+                restore_uid();
+                return 0;
+        }
+        restore_uid();
+        switch ((pid = fork())) {
+        case -1: /* error */
+                error("%s: fork: %s", tag, strerror(errno));
+                close(p[0]);
+                close(p[1]);
+                return 0;
+        case 0: /* child */
+                /* Prepare a minimal environment for the child. */
+                envsize = 5;
+                child_env = xcalloc(sizeof(*child_env), envsize);
+                child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
+                child_set_env(&child_env, &envsize, "USER", pw->pw_name);
+                child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
+                child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
+                if ((cp = getenv("LANG")) != NULL)
+                        child_set_env(&child_env, &envsize, "LANG", cp);
+                for (i = 0; i < NSIG; i++)
+                        signal(i, SIG_DFL);
+                if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+                        error("%s: open %s: %s", tag, _PATH_DEVNULL,
+                            strerror(errno));
+                        _exit(1);
+                }
+                if (dup2(devnull, STDIN_FILENO) == -1) {
+                        error("%s: dup2: %s", tag, strerror(errno));
+                        _exit(1);
+                }
+                /* Set up stdout as requested; leave stderr in place for now. */
+                fd = -1;
+                if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
+                        fd = p[1];
+                else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
+                        fd = devnull;
+                if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {
+                        error("%s: dup2: %s", tag, strerror(errno));
+                        _exit(1);
+                }
+                closefrom(STDERR_FILENO + 1);
+                /* Don't use permanently_set_uid() here to avoid fatal() */
+                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
+                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+                            strerror(errno));
+                        _exit(1);
+                }
+                if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
+                        error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
+                            strerror(errno));
+                        _exit(1);
+                }
+                /* stdin is pointed to /dev/null at this point */
+                if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
+                    dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
+                        error("%s: dup2: %s", tag, strerror(errno));
+                        _exit(1);
+                }
+                execve(av[0], av, child_env);
+                error("%s exec \"%s\": %s", tag, command, strerror(errno));
+                _exit(127);
+        default: /* parent */
+                break;
+        }
+        close(p[1]);
+        if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0)
+                close(p[0]);
+        else if ((f = fdopen(p[0], "r")) == NULL) {
+                error("%s: fdopen: %s", tag, strerror(errno));
+                close(p[0]);
+                /* Don't leave zombie child */
+                kill(pid, SIGTERM);
+                while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
+                        ;
+                return 0;
+        }
+        /* Success */
+        debug3("%s: %s pid %ld", __func__, tag, (long)pid);
+        if (child != NULL)
+                *child = f;
+        return pid;
+}
+/* These functions link key/cert options to the auth framework */
+/* Log sshauthopt options locally and (optionally) for remote transmission */
+void
+auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
+{
+        int do_env = options.permit_user_env && opts->nenv > 0;
+        int do_permitopen = opts->npermitopen > 0 &&
+            (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
+        size_t i;
+        char msg[1024], buf[64];
+        snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
+        /* Try to keep this alphabetically sorted */
+        snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
+            opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
+            opts->force_command == NULL ? "" : " command",
+            do_env ?  " environment" : "",
+            opts->valid_before == 0 ? "" : "expires",
+            do_permitopen ?  " permitopen" : "",
+            opts->permit_port_forwarding_flag ? " port-forwarding" : "",
+            opts->cert_principals == NULL ? "" : " principals",
+            opts->permit_pty_flag ? " pty" : "",
+            opts->force_tun_device == -1 ? "" : " tun=",
+            opts->force_tun_device == -1 ? "" : buf,
+            opts->permit_user_rc ? " user-rc" : "",
+            opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
+        debug("%s: %s", loc, msg);
+        if (do_remote)
+                auth_debug_add("%s: %s", loc, msg);
+        if (options.permit_user_env) {
+                for (i = 0; i < opts->nenv; i++) {
+                        debug("%s: environment: %s", loc, opts->env[i]);
+                        if (do_remote) {
+                                auth_debug_add("%s: environment: %s",
+                                    loc, opts->env[i]);
+                        }
+                }
+        }
+        /* Go into a little more details for the local logs. */
+        if (opts->valid_before != 0) {
+                format_absolute_time(opts->valid_before, buf, sizeof(buf));
+                debug("%s: expires at %s", loc, buf);
+        }
+        if (opts->cert_principals != NULL) {
+                debug("%s: authorized principals: \"%s\"",
+                    loc, opts->cert_principals);
+        }
+        if (opts->force_command != NULL)
+                debug("%s: forced command: \"%s\"", loc, opts->force_command);
+        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) {
+                for (i = 0; i < opts->npermitopen; i++) {
+                        debug("%s: permitted open: %s",
+                            loc, opts->permitopen[i]);
+                }
+        }
+}
+/* Activate a new set of key/cert options; merging with what is there. */
+int
+auth_activate_options(struct ssh *ssh, struct sshauthopt *opts)
+{
+        struct sshauthopt *old = auth_opts;
+        const char *emsg = NULL;
+        debug("%s: setting new authentication options", __func__);
+        if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {
+                error("Inconsistent authentication options: %s", emsg);
+                return -1;
+        }
+        return 0;
+}
+/* Disable forwarding, etc for the session */
+void
+auth_restrict_session(struct ssh *ssh)
+{
+        struct sshauthopt *restricted;
+        debug("%s: restricting session", __func__);
+        /* A blank sshauthopt defaults to permitting nothing */
+        restricted = sshauthopt_new();
+        restricted->restricted = 1;
+        if (auth_activate_options(ssh, restricted) != 0)
+                fatal("%s: failed to restrict session", __func__);
+        sshauthopt_free(restricted);
+}
+int
+auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
+    struct sshauthopt *opts, int allow_cert_authority, const char *loc)
+{
+        const char *remote_ip = ssh_remote_ipaddr(ssh);
+        const char *remote_host = auth_get_canonical_hostname(ssh,
+            options.use_dns);
+        time_t now = time(NULL);
+        char buf[64];
+        /*
+         * Check keys/principals file expiry time.
+         * NB. validity interval in certificate is handled elsewhere.
+         */
+        if (opts->valid_before && now > 0 &&
+            opts->valid_before < (uint64_t)now) {
+                format_absolute_time(opts->valid_before, buf, sizeof(buf));
+                debug("%s: entry expired at %s", loc, buf);
+                auth_debug_add("%s: entry expired at %s", loc, buf);
+                return -1;
+        }
+        /* Consistency checks */
+        if (opts->cert_principals != NULL && !opts->cert_authority) {
+                debug("%s: principals on non-CA key", loc);
+                auth_debug_add("%s: principals on non-CA key", loc);
+                /* deny access */
+                return -1;
+        }
+        /* cert-authority flag isn't valid in authorized_principals files */
+        if (!allow_cert_authority && opts->cert_authority) {
+                debug("%s: cert-authority flag invalid here", loc);
+                auth_debug_add("%s: cert-authority flag invalid here", loc);
+                /* deny access */
+                return -1;
+        }
+        /* Perform from= checks */
+        if (opts->required_from_host_keys != NULL) {
+                switch (match_host_and_ip(remote_host, remote_ip,
+                    opts->required_from_host_keys )) {
+                case 1:
+                        /* Host name matches. */
+                        break;
+                case -1:
+                default:
+                        debug("%s: invalid from criteria", loc);
+                        auth_debug_add("%s: invalid from criteria", loc);
+                        /* FALLTHROUGH */
+                case 0:
+                        logit("%s: Authentication tried for %.100s with "
+                            "correct key but not from a permitted "
+                            "host (host=%.200s, ip=%.200s, required=%.200s).",
+                            loc, pw->pw_name, remote_host, remote_ip,
+                            opts->required_from_host_keys);
+                        auth_debug_add("%s: Your host '%.200s' is not "
+                            "permitted to use this key for login.",
+                            loc, remote_host);
+                        /* deny access */
+                        return -1;
+                }
+        }
+        /* Check source-address restriction from certificate */
+        if (opts->required_from_host_cert != NULL) {
+                switch (addr_match_cidr_list(remote_ip,
+                    opts->required_from_host_cert)) {
+                case 1:
+                        /* accepted */
+                        break;
+                case -1:
+                default:
+                        /* invalid */
+                        error("%s: Certificate source-address invalid",
+                            loc);
+                        /* FALLTHROUGH */
+                case 0:
+                        logit("%s: Authentication tried for %.100s with valid "
+                            "certificate but not from a permitted source "
+                            "address (%.200s).", loc, pw->pw_name, remote_ip);
+                        auth_debug_add("%s: Your address '%.200s' is not "
+                            "permitted to use this certificate for login.",
+                            loc, remote_ip);
+                        return -1;
+                }
+        }
+        /*
+         *
+         * XXX this is spammy. We should report remotely only for keys
+         *     that are successful in actual auth attempts, and not PK_OK
+         *     tests.
+         */
+        auth_log_authopts(loc, opts, 1);
+        return 0;
+}

diff --git a/auth.c b/auth.c index a44906174..63366768a 100644 --- a/auth.c +++ b/auth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth.c,v 1.124 2017/09/12 06:32:07 djm Exp $ */	1	/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -28,6 +28,7 @@
28	#include <sys/types.h>	28	#include <sys/types.h>
29	#include <sys/stat.h>	29	#include <sys/stat.h>
30	#include <sys/socket.h>	30	#include <sys/socket.h>
		31	#include <sys/wait.h>
31		32
32	#include <netinet/in.h>	33	#include <netinet/in.h>
33		34
@@ -73,12 +74,14 @@
73	#include "authfile.h"	74	#include "authfile.h"
74	#include "ssherr.h"	75	#include "ssherr.h"
75	#include "compat.h"	76	#include "compat.h"
		77	#include "channels.h"
76		78
77	/* import */	79	/* import */
78	extern ServerOptions options;	80	extern ServerOptions options;
79	extern int use_privsep;	81	extern int use_privsep;
80	extern Buffer loginmsg;	82	extern Buffer loginmsg;
81	extern struct passwd *privsep_pw;	83	extern struct passwd *privsep_pw;
		84	extern struct sshauthopt *auth_opts;
82		85
83	/* Debugging messages */	86	/* Debugging messages */
84	Buffer auth_debug;	87	Buffer auth_debug;
@@ -385,10 +388,8 @@ auth_maxtries_exceeded(Authctxt *authctxt)
385	* Check whether root logins are disallowed.	388	* Check whether root logins are disallowed.
386	*/	389	*/
387	int	390	int
388	auth_root_allowed(const char *method)	391	auth_root_allowed(struct ssh ssh, const char method)
389	{	392	{
390	struct ssh ssh = active_state; / XXX */
391
392	switch (options.permit_root_login) {	393	switch (options.permit_root_login) {
393	case PERMIT_YES:	394	case PERMIT_YES:
394	return 1;	395	return 1;
@@ -399,7 +400,7 @@ auth_root_allowed(const char *method)
399	return 1;	400	return 1;
400	break;	401	break;
401	case PERMIT_FORCED_ONLY:	402	case PERMIT_FORCED_ONLY:
402	if (forced_command) {	403	if (auth_opts->force_command != NULL) {
403	logit("Root login accepted for forced command.");	404	logit("Root login accepted for forced command.");
404	return 1;	405	return 1;
405	}	406	}
@@ -840,3 +841,343 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
840	return dnsname;	841	return dnsname;
841	}	842	}
842	}	843	}
		844
		845	/*
		846	* Runs command in a subprocess wuth a minimal environment.
		847	* Returns pid on success, 0 on failure.
		848	* The child stdout and stderr maybe captured, left attached or sent to
		849	* /dev/null depending on the contents of flags.
		850	* "tag" is prepended to log messages.
		851	* NB. "command" is only used for logging; the actual command executed is
		852	* av[0].
		853	*/
		854	pid_t
		855	subprocess(const char tag, struct passwd pw, const char *command,
		856	int ac, char av, FILE child, u_int flags)
		857	{
		858	FILE *f = NULL;
		859	struct stat st;
		860	int fd, devnull, p[2], i;
		861	pid_t pid;
		862	char *cp, errmsg[512];
		863	u_int envsize;
		864	char **child_env;
		865
		866	if (child != NULL)
		867	*child = NULL;
		868
		869	debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__,
		870	tag, command, pw->pw_name, flags);
		871
		872	/* Check consistency */
		873	if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
		874	(flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) {
		875	error("%s: inconsistent flags", __func__);
		876	return 0;
		877	}
		878	if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) {
		879	error("%s: inconsistent flags/output", __func__);
		880	return 0;
		881	}
		882
		883	/*
		884	* If executing an explicit binary, then verify the it exists
		885	* and appears safe-ish to execute
		886	*/
		887	if (*av[0] != '/') {
		888	error("%s path is not absolute", tag);
		889	return 0;
		890	}
		891	temporarily_use_uid(pw);
		892	if (stat(av[0], &st) < 0) {
		893	error("Could not stat %s \"%s\": %s", tag,
		894	av[0], strerror(errno));
		895	restore_uid();
		896	return 0;
		897	}
		898	if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
		899	error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
		900	restore_uid();
		901	return 0;
		902	}
		903	/* Prepare to keep the child's stdout if requested */
		904	if (pipe(p) != 0) {
		905	error("%s: pipe: %s", tag, strerror(errno));
		906	restore_uid();
		907	return 0;
		908	}
		909	restore_uid();
		910
		911	switch ((pid = fork())) {
		912	case -1: /* error */
		913	error("%s: fork: %s", tag, strerror(errno));
		914	close(p[0]);
		915	close(p[1]);
		916	return 0;
		917	case 0: /* child */
		918	/* Prepare a minimal environment for the child. */
		919	envsize = 5;
		920	child_env = xcalloc(sizeof(*child_env), envsize);
		921	child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
		922	child_set_env(&child_env, &envsize, "USER", pw->pw_name);
		923	child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
		924	child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
		925	if ((cp = getenv("LANG")) != NULL)
		926	child_set_env(&child_env, &envsize, "LANG", cp);
		927
		928	for (i = 0; i < NSIG; i++)
		929	signal(i, SIG_DFL);
		930
		931	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
		932	error("%s: open %s: %s", tag, _PATH_DEVNULL,
		933	strerror(errno));
		934	_exit(1);
		935	}
		936	if (dup2(devnull, STDIN_FILENO) == -1) {
		937	error("%s: dup2: %s", tag, strerror(errno));
		938	_exit(1);
		939	}
		940
		941	/* Set up stdout as requested; leave stderr in place for now. */
		942	fd = -1;
		943	if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
		944	fd = p[1];
		945	else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
		946	fd = devnull;
		947	if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {
		948	error("%s: dup2: %s", tag, strerror(errno));
		949	_exit(1);
		950	}
		951	closefrom(STDERR_FILENO + 1);
		952
		953	/* Don't use permanently_set_uid() here to avoid fatal() */
		954	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
		955	error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
		956	strerror(errno));
		957	_exit(1);
		958	}
		959	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
		960	error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
		961	strerror(errno));
		962	_exit(1);
		963	}
		964	/* stdin is pointed to /dev/null at this point */
		965	if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
		966	dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
		967	error("%s: dup2: %s", tag, strerror(errno));
		968	_exit(1);
		969	}
		970
		971	execve(av[0], av, child_env);
		972	error("%s exec \"%s\": %s", tag, command, strerror(errno));
		973	_exit(127);
		974	default: /* parent */
		975	break;
		976	}
		977
		978	close(p[1]);
		979	if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0)
		980	close(p[0]);
		981	else if ((f = fdopen(p[0], "r")) == NULL) {
		982	error("%s: fdopen: %s", tag, strerror(errno));
		983	close(p[0]);
		984	/* Don't leave zombie child */
		985	kill(pid, SIGTERM);
		986	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
		987	;
		988	return 0;
		989	}
		990	/* Success */
		991	debug3("%s: %s pid %ld", __func__, tag, (long)pid);
		992	if (child != NULL)
		993	*child = f;
		994	return pid;
		995	}
		996
		997	/* These functions link key/cert options to the auth framework */
		998
		999	/* Log sshauthopt options locally and (optionally) for remote transmission */
		1000	void
		1001	auth_log_authopts(const char loc, const struct sshauthopt opts, int do_remote)
		1002	{
		1003	int do_env = options.permit_user_env && opts->nenv > 0;
		1004	int do_permitopen = opts->npermitopen > 0 &&
		1005	(options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
		1006	size_t i;
		1007	char msg[1024], buf[64];
		1008
		1009	snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
		1010	/* Try to keep this alphabetically sorted */
		1011	snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
		1012	opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
		1013	opts->force_command == NULL ? "" : " command",
		1014	do_env ? " environment" : "",
		1015	opts->valid_before == 0 ? "" : "expires",
		1016	do_permitopen ? " permitopen" : "",
		1017	opts->permit_port_forwarding_flag ? " port-forwarding" : "",
		1018	opts->cert_principals == NULL ? "" : " principals",
		1019	opts->permit_pty_flag ? " pty" : "",
		1020	opts->force_tun_device == -1 ? "" : " tun=",
		1021	opts->force_tun_device == -1 ? "" : buf,
		1022	opts->permit_user_rc ? " user-rc" : "",
		1023	opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
		1024
		1025	debug("%s: %s", loc, msg);
		1026	if (do_remote)
		1027	auth_debug_add("%s: %s", loc, msg);
		1028
		1029	if (options.permit_user_env) {
		1030	for (i = 0; i < opts->nenv; i++) {
		1031	debug("%s: environment: %s", loc, opts->env[i]);
		1032	if (do_remote) {
		1033	auth_debug_add("%s: environment: %s",
		1034	loc, opts->env[i]);
		1035	}
		1036	}
		1037	}
		1038
		1039	/* Go into a little more details for the local logs. */
		1040	if (opts->valid_before != 0) {
		1041	format_absolute_time(opts->valid_before, buf, sizeof(buf));
		1042	debug("%s: expires at %s", loc, buf);
		1043	}
		1044	if (opts->cert_principals != NULL) {
		1045	debug("%s: authorized principals: \"%s\"",
		1046	loc, opts->cert_principals);
		1047	}
		1048	if (opts->force_command != NULL)
		1049	debug("%s: forced command: \"%s\"", loc, opts->force_command);
		1050	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) {
		1051	for (i = 0; i < opts->npermitopen; i++) {
		1052	debug("%s: permitted open: %s",
		1053	loc, opts->permitopen[i]);
		1054	}
		1055	}
		1056	}
		1057
		1058	/* Activate a new set of key/cert options; merging with what is there. */
		1059	int
		1060	auth_activate_options(struct ssh ssh, struct sshauthopt opts)
		1061	{
		1062	struct sshauthopt *old = auth_opts;
		1063	const char *emsg = NULL;
		1064
		1065	debug("%s: setting new authentication options", __func__);
		1066	if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {
		1067	error("Inconsistent authentication options: %s", emsg);
		1068	return -1;
		1069	}
		1070	return 0;
		1071	}
		1072
		1073	/* Disable forwarding, etc for the session */
		1074	void
		1075	auth_restrict_session(struct ssh *ssh)
		1076	{
		1077	struct sshauthopt *restricted;
		1078
		1079	debug("%s: restricting session", __func__);
		1080
		1081	/* A blank sshauthopt defaults to permitting nothing */
		1082	restricted = sshauthopt_new();
		1083	restricted->restricted = 1;
		1084
		1085	if (auth_activate_options(ssh, restricted) != 0)
		1086	fatal("%s: failed to restrict session", __func__);
		1087	sshauthopt_free(restricted);
		1088	}
		1089
		1090	int
		1091	auth_authorise_keyopts(struct ssh ssh, struct passwd pw,
		1092	struct sshauthopt opts, int allow_cert_authority, const char loc)
		1093	{
		1094	const char *remote_ip = ssh_remote_ipaddr(ssh);
		1095	const char *remote_host = auth_get_canonical_hostname(ssh,
		1096	options.use_dns);
		1097	time_t now = time(NULL);
		1098	char buf[64];
		1099
		1100	/*
		1101	* Check keys/principals file expiry time.
		1102	* NB. validity interval in certificate is handled elsewhere.
		1103	*/
		1104	if (opts->valid_before && now > 0 &&
		1105	opts->valid_before < (uint64_t)now) {
		1106	format_absolute_time(opts->valid_before, buf, sizeof(buf));
		1107	debug("%s: entry expired at %s", loc, buf);
		1108	auth_debug_add("%s: entry expired at %s", loc, buf);
		1109	return -1;
		1110	}
		1111	/* Consistency checks */
		1112	if (opts->cert_principals != NULL && !opts->cert_authority) {
		1113	debug("%s: principals on non-CA key", loc);
		1114	auth_debug_add("%s: principals on non-CA key", loc);
		1115	/* deny access */
		1116	return -1;
		1117	}
		1118	/* cert-authority flag isn't valid in authorized_principals files */
		1119	if (!allow_cert_authority && opts->cert_authority) {
		1120	debug("%s: cert-authority flag invalid here", loc);
		1121	auth_debug_add("%s: cert-authority flag invalid here", loc);
		1122	/* deny access */
		1123	return -1;
		1124	}
		1125
		1126	/* Perform from= checks */
		1127	if (opts->required_from_host_keys != NULL) {
		1128	switch (match_host_and_ip(remote_host, remote_ip,
		1129	opts->required_from_host_keys )) {
		1130	case 1:
		1131	/* Host name matches. */
		1132	break;
		1133	case -1:
		1134	default:
		1135	debug("%s: invalid from criteria", loc);
		1136	auth_debug_add("%s: invalid from criteria", loc);
		1137	/* FALLTHROUGH */
		1138	case 0:
		1139	logit("%s: Authentication tried for %.100s with "
		1140	"correct key but not from a permitted "
		1141	"host (host=%.200s, ip=%.200s, required=%.200s).",
		1142	loc, pw->pw_name, remote_host, remote_ip,
		1143	opts->required_from_host_keys);
		1144	auth_debug_add("%s: Your host '%.200s' is not "
		1145	"permitted to use this key for login.",
		1146	loc, remote_host);
		1147	/* deny access */
		1148	return -1;
		1149	}
		1150	}
		1151	/* Check source-address restriction from certificate */
		1152	if (opts->required_from_host_cert != NULL) {
		1153	switch (addr_match_cidr_list(remote_ip,
		1154	opts->required_from_host_cert)) {
		1155	case 1:
		1156	/* accepted */
		1157	break;
		1158	case -1:
		1159	default:
		1160	/* invalid */
		1161	error("%s: Certificate source-address invalid",
		1162	loc);
		1163	/* FALLTHROUGH */
		1164	case 0:
		1165	logit("%s: Authentication tried for %.100s with valid "
		1166	"certificate but not from a permitted source "
		1167	"address (%.200s).", loc, pw->pw_name, remote_ip);
		1168	auth_debug_add("%s: Your address '%.200s' is not "
		1169	"permitted to use this certificate for login.",
		1170	loc, remote_ip);
		1171	return -1;
		1172	}
		1173	}
		1174	/*
		1175	*
		1176	* XXX this is spammy. We should report remotely only for keys
		1177	* that are successful in actual auth attempts, and not PK_OK
		1178	* tests.
		1179	*/
		1180	auth_log_authopts(loc, opts, 1);
		1181
		1182	return 0;
		1183	}