diff options
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 625 |
1 files changed, 494 insertions, 131 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 0bda5c9dd..1eee16168 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-pubkey.c,v 1.47 2015/02/17 00:14:05 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -65,6 +65,9 @@ | |||
65 | #include "monitor_wrap.h" | 65 | #include "monitor_wrap.h" |
66 | #include "authfile.h" | 66 | #include "authfile.h" |
67 | #include "match.h" | 67 | #include "match.h" |
68 | #include "ssherr.h" | ||
69 | #include "channels.h" /* XXX for session.h */ | ||
70 | #include "session.h" /* XXX for child_set_env(); refactor? */ | ||
68 | 71 | ||
69 | /* import */ | 72 | /* import */ |
70 | extern ServerOptions options; | 73 | extern ServerOptions options; |
@@ -127,8 +130,8 @@ userauth_pubkey(Authctxt *authctxt) | |||
127 | logit("refusing previously-used %s key", key_type(key)); | 130 | logit("refusing previously-used %s key", key_type(key)); |
128 | goto done; | 131 | goto done; |
129 | } | 132 | } |
130 | if (match_pattern_list(sshkey_ssh_name(key), options.pubkey_key_types, | 133 | if (match_pattern_list(sshkey_ssh_name(key), |
131 | strlen(options.pubkey_key_types), 0) != 1) { | 134 | options.pubkey_key_types, 0) != 1) { |
132 | logit("%s: key type %s not in PubkeyAcceptedKeyTypes", | 135 | logit("%s: key type %s not in PubkeyAcceptedKeyTypes", |
133 | __func__, sshkey_ssh_name(key)); | 136 | __func__, sshkey_ssh_name(key)); |
134 | goto done; | 137 | goto done; |
@@ -169,7 +172,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
169 | 172 | ||
170 | /* test for correct signature */ | 173 | /* test for correct signature */ |
171 | authenticated = 0; | 174 | authenticated = 0; |
172 | if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && | 175 | if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) && |
173 | PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), | 176 | PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), |
174 | buffer_len(&b))) == 1) { | 177 | buffer_len(&b))) == 1) { |
175 | authenticated = 1; | 178 | authenticated = 1; |
@@ -191,7 +194,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
191 | * if a user is not allowed to login. is this an | 194 | * if a user is not allowed to login. is this an |
192 | * issue? -markus | 195 | * issue? -markus |
193 | */ | 196 | */ |
194 | if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { | 197 | if (PRIVSEP(user_key_allowed(authctxt->pw, key, 0))) { |
195 | packet_start(SSH2_MSG_USERAUTH_PK_OK); | 198 | packet_start(SSH2_MSG_USERAUTH_PK_OK); |
196 | packet_put_string(pkalg, alen); | 199 | packet_put_string(pkalg, alen); |
197 | packet_put_string(pkblob, blen); | 200 | packet_put_string(pkblob, blen); |
@@ -248,6 +251,288 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) | |||
248 | free(extra); | 251 | free(extra); |
249 | } | 252 | } |
250 | 253 | ||
254 | /* | ||
255 | * Splits 's' into an argument vector. Handles quoted string and basic | ||
256 | * escape characters (\\, \", \'). Caller must free the argument vector | ||
257 | * and its members. | ||
258 | */ | ||
259 | static int | ||
260 | split_argv(const char *s, int *argcp, char ***argvp) | ||
261 | { | ||
262 | int r = SSH_ERR_INTERNAL_ERROR; | ||
263 | int argc = 0, quote, i, j; | ||
264 | char *arg, **argv = xcalloc(1, sizeof(*argv)); | ||
265 | |||
266 | *argvp = NULL; | ||
267 | *argcp = 0; | ||
268 | |||
269 | for (i = 0; s[i] != '\0'; i++) { | ||
270 | /* Skip leading whitespace */ | ||
271 | if (s[i] == ' ' || s[i] == '\t') | ||
272 | continue; | ||
273 | |||
274 | /* Start of a token */ | ||
275 | quote = 0; | ||
276 | if (s[i] == '\\' && | ||
277 | (s[i + 1] == '\'' || s[i + 1] == '\"' || s[i + 1] == '\\')) | ||
278 | i++; | ||
279 | else if (s[i] == '\'' || s[i] == '"') | ||
280 | quote = s[i++]; | ||
281 | |||
282 | argv = xreallocarray(argv, (argc + 2), sizeof(*argv)); | ||
283 | arg = argv[argc++] = xcalloc(1, strlen(s + i) + 1); | ||
284 | argv[argc] = NULL; | ||
285 | |||
286 | /* Copy the token in, removing escapes */ | ||
287 | for (j = 0; s[i] != '\0'; i++) { | ||
288 | if (s[i] == '\\') { | ||
289 | if (s[i + 1] == '\'' || | ||
290 | s[i + 1] == '\"' || | ||
291 | s[i + 1] == '\\') { | ||
292 | i++; /* Skip '\' */ | ||
293 | arg[j++] = s[i]; | ||
294 | } else { | ||
295 | /* Unrecognised escape */ | ||
296 | arg[j++] = s[i]; | ||
297 | } | ||
298 | } else if (quote == 0 && (s[i] == ' ' || s[i] == '\t')) | ||
299 | break; /* done */ | ||
300 | else if (quote != 0 && s[i] == quote) | ||
301 | break; /* done */ | ||
302 | else | ||
303 | arg[j++] = s[i]; | ||
304 | } | ||
305 | if (s[i] == '\0') { | ||
306 | if (quote != 0) { | ||
307 | /* Ran out of string looking for close quote */ | ||
308 | r = SSH_ERR_INVALID_FORMAT; | ||
309 | goto out; | ||
310 | } | ||
311 | break; | ||
312 | } | ||
313 | } | ||
314 | /* Success */ | ||
315 | *argcp = argc; | ||
316 | *argvp = argv; | ||
317 | argc = 0; | ||
318 | argv = NULL; | ||
319 | r = 0; | ||
320 | out: | ||
321 | if (argc != 0 && argv != NULL) { | ||
322 | for (i = 0; i < argc; i++) | ||
323 | free(argv[i]); | ||
324 | free(argv); | ||
325 | } | ||
326 | return r; | ||
327 | } | ||
328 | |||
329 | /* | ||
330 | * Reassemble an argument vector into a string, quoting and escaping as | ||
331 | * necessary. Caller must free returned string. | ||
332 | */ | ||
333 | static char * | ||
334 | assemble_argv(int argc, char **argv) | ||
335 | { | ||
336 | int i, j, ws, r; | ||
337 | char c, *ret; | ||
338 | struct sshbuf *buf, *arg; | ||
339 | |||
340 | if ((buf = sshbuf_new()) == NULL || (arg = sshbuf_new()) == NULL) | ||
341 | fatal("%s: sshbuf_new failed", __func__); | ||
342 | |||
343 | for (i = 0; i < argc; i++) { | ||
344 | ws = 0; | ||
345 | sshbuf_reset(arg); | ||
346 | for (j = 0; argv[i][j] != '\0'; j++) { | ||
347 | r = 0; | ||
348 | c = argv[i][j]; | ||
349 | switch (c) { | ||
350 | case ' ': | ||
351 | case '\t': | ||
352 | ws = 1; | ||
353 | r = sshbuf_put_u8(arg, c); | ||
354 | break; | ||
355 | case '\\': | ||
356 | case '\'': | ||
357 | case '"': | ||
358 | if ((r = sshbuf_put_u8(arg, '\\')) != 0) | ||
359 | break; | ||
360 | /* FALLTHROUGH */ | ||
361 | default: | ||
362 | r = sshbuf_put_u8(arg, c); | ||
363 | break; | ||
364 | } | ||
365 | if (r != 0) | ||
366 | fatal("%s: sshbuf_put_u8: %s", | ||
367 | __func__, ssh_err(r)); | ||
368 | } | ||
369 | if ((i != 0 && (r = sshbuf_put_u8(buf, ' ')) != 0) || | ||
370 | (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0) || | ||
371 | (r = sshbuf_putb(buf, arg)) != 0 || | ||
372 | (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0)) | ||
373 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
374 | } | ||
375 | if ((ret = malloc(sshbuf_len(buf) + 1)) == NULL) | ||
376 | fatal("%s: malloc failed", __func__); | ||
377 | memcpy(ret, sshbuf_ptr(buf), sshbuf_len(buf)); | ||
378 | ret[sshbuf_len(buf)] = '\0'; | ||
379 | sshbuf_free(buf); | ||
380 | sshbuf_free(arg); | ||
381 | return ret; | ||
382 | } | ||
383 | |||
384 | /* | ||
385 | * Runs command in a subprocess. Returns pid on success and a FILE* to the | ||
386 | * subprocess' stdout or 0 on failure. | ||
387 | * NB. "command" is only used for logging. | ||
388 | */ | ||
389 | static pid_t | ||
390 | subprocess(const char *tag, struct passwd *pw, const char *command, | ||
391 | int ac, char **av, FILE **child) | ||
392 | { | ||
393 | FILE *f; | ||
394 | struct stat st; | ||
395 | int devnull, p[2], i; | ||
396 | pid_t pid; | ||
397 | char *cp, errmsg[512]; | ||
398 | u_int envsize; | ||
399 | char **child_env; | ||
400 | |||
401 | *child = NULL; | ||
402 | |||
403 | debug3("%s: %s command \"%s\" running as %s", __func__, | ||
404 | tag, command, pw->pw_name); | ||
405 | |||
406 | /* Verify the path exists and is safe-ish to execute */ | ||
407 | if (*av[0] != '/') { | ||
408 | error("%s path is not absolute", tag); | ||
409 | return 0; | ||
410 | } | ||
411 | temporarily_use_uid(pw); | ||
412 | if (stat(av[0], &st) < 0) { | ||
413 | error("Could not stat %s \"%s\": %s", tag, | ||
414 | av[0], strerror(errno)); | ||
415 | restore_uid(); | ||
416 | return 0; | ||
417 | } | ||
418 | if (auth_secure_path(av[0], &st, NULL, 0, | ||
419 | errmsg, sizeof(errmsg)) != 0) { | ||
420 | error("Unsafe %s \"%s\": %s", tag, av[0], errmsg); | ||
421 | restore_uid(); | ||
422 | return 0; | ||
423 | } | ||
424 | |||
425 | /* | ||
426 | * Run the command; stderr is left in place, stdout is the | ||
427 | * authorized_keys output. | ||
428 | */ | ||
429 | if (pipe(p) != 0) { | ||
430 | error("%s: pipe: %s", tag, strerror(errno)); | ||
431 | restore_uid(); | ||
432 | return 0; | ||
433 | } | ||
434 | |||
435 | /* | ||
436 | * Don't want to call this in the child, where it can fatal() and | ||
437 | * run cleanup_exit() code. | ||
438 | */ | ||
439 | restore_uid(); | ||
440 | |||
441 | switch ((pid = fork())) { | ||
442 | case -1: /* error */ | ||
443 | error("%s: fork: %s", tag, strerror(errno)); | ||
444 | close(p[0]); | ||
445 | close(p[1]); | ||
446 | return 0; | ||
447 | case 0: /* child */ | ||
448 | /* Prepare a minimal environment for the child. */ | ||
449 | envsize = 5; | ||
450 | child_env = xcalloc(sizeof(*child_env), envsize); | ||
451 | child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH); | ||
452 | child_set_env(&child_env, &envsize, "USER", pw->pw_name); | ||
453 | child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name); | ||
454 | child_set_env(&child_env, &envsize, "HOME", pw->pw_dir); | ||
455 | if ((cp = getenv("LANG")) != NULL) | ||
456 | child_set_env(&child_env, &envsize, "LANG", cp); | ||
457 | |||
458 | for (i = 0; i < NSIG; i++) | ||
459 | signal(i, SIG_DFL); | ||
460 | |||
461 | if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { | ||
462 | error("%s: open %s: %s", tag, _PATH_DEVNULL, | ||
463 | strerror(errno)); | ||
464 | _exit(1); | ||
465 | } | ||
466 | /* Keep stderr around a while longer to catch errors */ | ||
467 | if (dup2(devnull, STDIN_FILENO) == -1 || | ||
468 | dup2(p[1], STDOUT_FILENO) == -1) { | ||
469 | error("%s: dup2: %s", tag, strerror(errno)); | ||
470 | _exit(1); | ||
471 | } | ||
472 | closefrom(STDERR_FILENO + 1); | ||
473 | |||
474 | /* Don't use permanently_set_uid() here to avoid fatal() */ | ||
475 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { | ||
476 | error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, | ||
477 | strerror(errno)); | ||
478 | _exit(1); | ||
479 | } | ||
480 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { | ||
481 | error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid, | ||
482 | strerror(errno)); | ||
483 | _exit(1); | ||
484 | } | ||
485 | /* stdin is pointed to /dev/null at this point */ | ||
486 | if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { | ||
487 | error("%s: dup2: %s", tag, strerror(errno)); | ||
488 | _exit(1); | ||
489 | } | ||
490 | |||
491 | execve(av[0], av, child_env); | ||
492 | error("%s exec \"%s\": %s", tag, command, strerror(errno)); | ||
493 | _exit(127); | ||
494 | default: /* parent */ | ||
495 | break; | ||
496 | } | ||
497 | |||
498 | close(p[1]); | ||
499 | if ((f = fdopen(p[0], "r")) == NULL) { | ||
500 | error("%s: fdopen: %s", tag, strerror(errno)); | ||
501 | close(p[0]); | ||
502 | /* Don't leave zombie child */ | ||
503 | kill(pid, SIGTERM); | ||
504 | while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) | ||
505 | ; | ||
506 | return 0; | ||
507 | } | ||
508 | /* Success */ | ||
509 | debug3("%s: %s pid %ld", __func__, tag, (long)pid); | ||
510 | *child = f; | ||
511 | return pid; | ||
512 | } | ||
513 | |||
514 | /* Returns 0 if pid exited cleanly, non-zero otherwise */ | ||
515 | static int | ||
516 | exited_cleanly(pid_t pid, const char *tag, const char *cmd) | ||
517 | { | ||
518 | int status; | ||
519 | |||
520 | while (waitpid(pid, &status, 0) == -1) { | ||
521 | if (errno != EINTR) { | ||
522 | error("%s: waitpid: %s", tag, strerror(errno)); | ||
523 | return -1; | ||
524 | } | ||
525 | } | ||
526 | if (WIFSIGNALED(status)) { | ||
527 | error("%s %s exited on signal %d", tag, cmd, WTERMSIG(status)); | ||
528 | return -1; | ||
529 | } else if (WEXITSTATUS(status) != 0) { | ||
530 | error("%s %s failed, status %d", tag, cmd, WEXITSTATUS(status)); | ||
531 | return -1; | ||
532 | } | ||
533 | return 0; | ||
534 | } | ||
535 | |||
251 | static int | 536 | static int |
252 | match_principals_option(const char *principal_list, struct sshkey_cert *cert) | 537 | match_principals_option(const char *principal_list, struct sshkey_cert *cert) |
253 | { | 538 | { |
@@ -269,19 +554,13 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert) | |||
269 | } | 554 | } |
270 | 555 | ||
271 | static int | 556 | static int |
272 | match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) | 557 | process_principals(FILE *f, char *file, struct passwd *pw, |
558 | struct sshkey_cert *cert) | ||
273 | { | 559 | { |
274 | FILE *f; | ||
275 | char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; | 560 | char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; |
276 | u_long linenum = 0; | 561 | u_long linenum = 0; |
277 | u_int i; | 562 | u_int i; |
278 | 563 | ||
279 | temporarily_use_uid(pw); | ||
280 | debug("trying authorized principals file %s", file); | ||
281 | if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) { | ||
282 | restore_uid(); | ||
283 | return 0; | ||
284 | } | ||
285 | auth_start_parse_options(); | 564 | auth_start_parse_options(); |
286 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 565 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
287 | /* Skip leading whitespace. */ | 566 | /* Skip leading whitespace. */ |
@@ -310,24 +589,128 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) | |||
310 | } | 589 | } |
311 | for (i = 0; i < cert->nprincipals; i++) { | 590 | for (i = 0; i < cert->nprincipals; i++) { |
312 | if (strcmp(cp, cert->principals[i]) == 0) { | 591 | if (strcmp(cp, cert->principals[i]) == 0) { |
313 | debug3("matched principal \"%.100s\" " | 592 | debug3("%s:%lu: matched principal \"%.100s\"", |
314 | "from file \"%s\" on line %lu", | 593 | file == NULL ? "(command)" : file, |
315 | cert->principals[i], file, linenum); | 594 | linenum, cert->principals[i]); |
316 | if (auth_parse_options(pw, line_opts, | 595 | if (auth_parse_options(pw, line_opts, |
317 | file, linenum) != 1) | 596 | file, linenum) != 1) |
318 | continue; | 597 | continue; |
319 | fclose(f); | ||
320 | restore_uid(); | ||
321 | return 1; | 598 | return 1; |
322 | } | 599 | } |
323 | } | 600 | } |
324 | } | 601 | } |
602 | return 0; | ||
603 | } | ||
604 | |||
605 | static int | ||
606 | match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) | ||
607 | { | ||
608 | FILE *f; | ||
609 | int success; | ||
610 | |||
611 | temporarily_use_uid(pw); | ||
612 | debug("trying authorized principals file %s", file); | ||
613 | if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) { | ||
614 | restore_uid(); | ||
615 | return 0; | ||
616 | } | ||
617 | success = process_principals(f, file, pw, cert); | ||
325 | fclose(f); | 618 | fclose(f); |
326 | restore_uid(); | 619 | restore_uid(); |
327 | return 0; | 620 | return success; |
328 | } | 621 | } |
329 | 622 | ||
330 | /* | 623 | /* |
624 | * Checks whether principal is allowed in output of command. | ||
625 | * returns 1 if the principal is allowed or 0 otherwise. | ||
626 | */ | ||
627 | static int | ||
628 | match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert) | ||
629 | { | ||
630 | FILE *f = NULL; | ||
631 | int ok, found_principal = 0; | ||
632 | struct passwd *pw; | ||
633 | int i, ac = 0, uid_swapped = 0; | ||
634 | pid_t pid; | ||
635 | char *tmp, *username = NULL, *command = NULL, **av = NULL; | ||
636 | void (*osigchld)(int); | ||
637 | |||
638 | if (options.authorized_principals_command == NULL) | ||
639 | return 0; | ||
640 | if (options.authorized_principals_command_user == NULL) { | ||
641 | error("No user for AuthorizedPrincipalsCommand specified, " | ||
642 | "skipping"); | ||
643 | return 0; | ||
644 | } | ||
645 | |||
646 | /* | ||
647 | * NB. all returns later this function should go via "out" to | ||
648 | * ensure the original SIGCHLD handler is restored properly. | ||
649 | */ | ||
650 | osigchld = signal(SIGCHLD, SIG_DFL); | ||
651 | |||
652 | /* Prepare and verify the user for the command */ | ||
653 | username = percent_expand(options.authorized_principals_command_user, | ||
654 | "u", user_pw->pw_name, (char *)NULL); | ||
655 | pw = getpwnam(username); | ||
656 | if (pw == NULL) { | ||
657 | error("AuthorizedPrincipalsCommandUser \"%s\" not found: %s", | ||
658 | username, strerror(errno)); | ||
659 | goto out; | ||
660 | } | ||
661 | |||
662 | /* Turn the command into an argument vector */ | ||
663 | if (split_argv(options.authorized_principals_command, &ac, &av) != 0) { | ||
664 | error("AuthorizedPrincipalsCommand \"%s\" contains " | ||
665 | "invalid quotes", command); | ||
666 | goto out; | ||
667 | } | ||
668 | if (ac == 0) { | ||
669 | error("AuthorizedPrincipalsCommand \"%s\" yielded no arguments", | ||
670 | command); | ||
671 | goto out; | ||
672 | } | ||
673 | for (i = 1; i < ac; i++) { | ||
674 | tmp = percent_expand(av[i], | ||
675 | "u", user_pw->pw_name, | ||
676 | "h", user_pw->pw_dir, | ||
677 | (char *)NULL); | ||
678 | if (tmp == NULL) | ||
679 | fatal("%s: percent_expand failed", __func__); | ||
680 | free(av[i]); | ||
681 | av[i] = tmp; | ||
682 | } | ||
683 | /* Prepare a printable command for logs, etc. */ | ||
684 | command = assemble_argv(ac, av); | ||
685 | |||
686 | if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command, | ||
687 | ac, av, &f)) == 0) | ||
688 | goto out; | ||
689 | |||
690 | uid_swapped = 1; | ||
691 | temporarily_use_uid(pw); | ||
692 | |||
693 | ok = process_principals(f, NULL, pw, cert); | ||
694 | |||
695 | if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0) | ||
696 | goto out; | ||
697 | |||
698 | /* Read completed successfully */ | ||
699 | found_principal = ok; | ||
700 | out: | ||
701 | if (f != NULL) | ||
702 | fclose(f); | ||
703 | signal(SIGCHLD, osigchld); | ||
704 | for (i = 0; i < ac; i++) | ||
705 | free(av[i]); | ||
706 | free(av); | ||
707 | if (uid_swapped) | ||
708 | restore_uid(); | ||
709 | free(command); | ||
710 | free(username); | ||
711 | return found_principal; | ||
712 | } | ||
713 | /* | ||
331 | * Checks whether key is allowed in authorized_keys-format file, | 714 | * Checks whether key is allowed in authorized_keys-format file, |
332 | * returns 1 if the key is allowed or 0 otherwise. | 715 | * returns 1 if the key is allowed or 0 otherwise. |
333 | */ | 716 | */ |
@@ -450,7 +833,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
450 | { | 833 | { |
451 | char *ca_fp, *principals_file = NULL; | 834 | char *ca_fp, *principals_file = NULL; |
452 | const char *reason; | 835 | const char *reason; |
453 | int ret = 0; | 836 | int ret = 0, found_principal = 0, use_authorized_principals; |
454 | 837 | ||
455 | if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) | 838 | if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) |
456 | return 0; | 839 | return 0; |
@@ -472,17 +855,24 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
472 | * against the username. | 855 | * against the username. |
473 | */ | 856 | */ |
474 | if ((principals_file = authorized_principals_file(pw)) != NULL) { | 857 | if ((principals_file = authorized_principals_file(pw)) != NULL) { |
475 | if (!match_principals_file(principals_file, pw, key->cert)) { | 858 | if (match_principals_file(principals_file, pw, key->cert)) |
476 | reason = "Certificate does not contain an " | 859 | found_principal = 1; |
477 | "authorized principal"; | 860 | } |
861 | /* Try querying command if specified */ | ||
862 | if (!found_principal && match_principals_command(pw, key->cert)) | ||
863 | found_principal = 1; | ||
864 | /* If principals file or command is specified, then require a match */ | ||
865 | use_authorized_principals = principals_file != NULL || | ||
866 | options.authorized_principals_command != NULL; | ||
867 | if (!found_principal && use_authorized_principals) { | ||
868 | reason = "Certificate does not contain an authorized principal"; | ||
478 | fail_reason: | 869 | fail_reason: |
479 | error("%s", reason); | 870 | error("%s", reason); |
480 | auth_debug_add("%s", reason); | 871 | auth_debug_add("%s", reason); |
481 | goto out; | 872 | goto out; |
482 | } | ||
483 | } | 873 | } |
484 | if (key_cert_check_authority(key, 0, 1, | 874 | if (key_cert_check_authority(key, 0, 1, |
485 | principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) | 875 | use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) |
486 | goto fail_reason; | 876 | goto fail_reason; |
487 | auth_start_parse_options(); | 877 | auth_start_parse_options(); |
488 | if (auth_cert_options(key, pw) != 0) | 878 | if (auth_cert_options(key, pw) != 0) |
@@ -529,144 +919,117 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
529 | static int | 919 | static int |
530 | user_key_command_allowed2(struct passwd *user_pw, Key *key) | 920 | user_key_command_allowed2(struct passwd *user_pw, Key *key) |
531 | { | 921 | { |
532 | FILE *f; | 922 | FILE *f = NULL; |
533 | int ok, found_key = 0; | 923 | int r, ok, found_key = 0; |
534 | struct passwd *pw; | 924 | struct passwd *pw; |
535 | struct stat st; | 925 | int i, uid_swapped = 0, ac = 0; |
536 | int status, devnull, p[2], i; | ||
537 | pid_t pid; | 926 | pid_t pid; |
538 | char *username, errmsg[512]; | 927 | char *username = NULL, *key_fp = NULL, *keytext = NULL; |
928 | char *tmp, *command = NULL, **av = NULL; | ||
929 | void (*osigchld)(int); | ||
539 | 930 | ||
540 | if (options.authorized_keys_command == NULL || | 931 | if (options.authorized_keys_command == NULL) |
541 | options.authorized_keys_command[0] != '/') | ||
542 | return 0; | 932 | return 0; |
543 | |||
544 | if (options.authorized_keys_command_user == NULL) { | 933 | if (options.authorized_keys_command_user == NULL) { |
545 | error("No user for AuthorizedKeysCommand specified, skipping"); | 934 | error("No user for AuthorizedKeysCommand specified, skipping"); |
546 | return 0; | 935 | return 0; |
547 | } | 936 | } |
548 | 937 | ||
938 | /* | ||
939 | * NB. all returns later this function should go via "out" to | ||
940 | * ensure the original SIGCHLD handler is restored properly. | ||
941 | */ | ||
942 | osigchld = signal(SIGCHLD, SIG_DFL); | ||
943 | |||
944 | /* Prepare and verify the user for the command */ | ||
549 | username = percent_expand(options.authorized_keys_command_user, | 945 | username = percent_expand(options.authorized_keys_command_user, |
550 | "u", user_pw->pw_name, (char *)NULL); | 946 | "u", user_pw->pw_name, (char *)NULL); |
551 | pw = getpwnam(username); | 947 | pw = getpwnam(username); |
552 | if (pw == NULL) { | 948 | if (pw == NULL) { |
553 | error("AuthorizedKeysCommandUser \"%s\" not found: %s", | 949 | error("AuthorizedKeysCommandUser \"%s\" not found: %s", |
554 | username, strerror(errno)); | 950 | username, strerror(errno)); |
555 | free(username); | 951 | goto out; |
556 | return 0; | ||
557 | } | 952 | } |
558 | free(username); | ||
559 | |||
560 | temporarily_use_uid(pw); | ||
561 | 953 | ||
562 | if (stat(options.authorized_keys_command, &st) < 0) { | 954 | /* Prepare AuthorizedKeysCommand */ |
563 | error("Could not stat AuthorizedKeysCommand \"%s\": %s", | 955 | if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash, |
564 | options.authorized_keys_command, strerror(errno)); | 956 | SSH_FP_DEFAULT)) == NULL) { |
957 | error("%s: sshkey_fingerprint failed", __func__); | ||
565 | goto out; | 958 | goto out; |
566 | } | 959 | } |
567 | if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, | 960 | if ((r = sshkey_to_base64(key, &keytext)) != 0) { |
568 | errmsg, sizeof(errmsg)) != 0) { | 961 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); |
569 | error("Unsafe AuthorizedKeysCommand: %s", errmsg); | ||
570 | goto out; | 962 | goto out; |
571 | } | 963 | } |
572 | 964 | ||
573 | if (pipe(p) != 0) { | 965 | /* Turn the command into an argument vector */ |
574 | error("%s: pipe: %s", __func__, strerror(errno)); | 966 | if (split_argv(options.authorized_keys_command, &ac, &av) != 0) { |
967 | error("AuthorizedKeysCommand \"%s\" contains invalid quotes", | ||
968 | command); | ||
575 | goto out; | 969 | goto out; |
576 | } | 970 | } |
577 | 971 | if (ac == 0) { | |
578 | debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"", | 972 | error("AuthorizedKeysCommand \"%s\" yielded no arguments", |
579 | options.authorized_keys_command, user_pw->pw_name, pw->pw_name); | 973 | command); |
974 | goto out; | ||
975 | } | ||
976 | for (i = 1; i < ac; i++) { | ||
977 | tmp = percent_expand(av[i], | ||
978 | "u", user_pw->pw_name, | ||
979 | "h", user_pw->pw_dir, | ||
980 | "t", sshkey_ssh_name(key), | ||
981 | "f", key_fp, | ||
982 | "k", keytext, | ||
983 | (char *)NULL); | ||
984 | if (tmp == NULL) | ||
985 | fatal("%s: percent_expand failed", __func__); | ||
986 | free(av[i]); | ||
987 | av[i] = tmp; | ||
988 | } | ||
989 | /* Prepare a printable command for logs, etc. */ | ||
990 | command = assemble_argv(ac, av); | ||
580 | 991 | ||
581 | /* | 992 | /* |
582 | * Don't want to call this in the child, where it can fatal() and | 993 | * If AuthorizedKeysCommand was run without arguments |
583 | * run cleanup_exit() code. | 994 | * then fall back to the old behaviour of passing the |
995 | * target username as a single argument. | ||
584 | */ | 996 | */ |
585 | restore_uid(); | 997 | if (ac == 1) { |
586 | 998 | av = xreallocarray(av, ac + 2, sizeof(*av)); | |
587 | switch ((pid = fork())) { | 999 | av[1] = xstrdup(user_pw->pw_name); |
588 | case -1: /* error */ | 1000 | av[2] = NULL; |
589 | error("%s: fork: %s", __func__, strerror(errno)); | 1001 | /* Fix up command too, since it is used in log messages */ |
590 | close(p[0]); | 1002 | free(command); |
591 | close(p[1]); | 1003 | xasprintf(&command, "%s %s", av[0], av[1]); |
592 | return 0; | ||
593 | case 0: /* child */ | ||
594 | for (i = 0; i < NSIG; i++) | ||
595 | signal(i, SIG_DFL); | ||
596 | |||
597 | if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { | ||
598 | error("%s: open %s: %s", __func__, _PATH_DEVNULL, | ||
599 | strerror(errno)); | ||
600 | _exit(1); | ||
601 | } | ||
602 | /* Keep stderr around a while longer to catch errors */ | ||
603 | if (dup2(devnull, STDIN_FILENO) == -1 || | ||
604 | dup2(p[1], STDOUT_FILENO) == -1) { | ||
605 | error("%s: dup2: %s", __func__, strerror(errno)); | ||
606 | _exit(1); | ||
607 | } | ||
608 | closefrom(STDERR_FILENO + 1); | ||
609 | |||
610 | /* Don't use permanently_set_uid() here to avoid fatal() */ | ||
611 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { | ||
612 | error("setresgid %u: %s", (u_int)pw->pw_gid, | ||
613 | strerror(errno)); | ||
614 | _exit(1); | ||
615 | } | ||
616 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { | ||
617 | error("setresuid %u: %s", (u_int)pw->pw_uid, | ||
618 | strerror(errno)); | ||
619 | _exit(1); | ||
620 | } | ||
621 | /* stdin is pointed to /dev/null at this point */ | ||
622 | if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { | ||
623 | error("%s: dup2: %s", __func__, strerror(errno)); | ||
624 | _exit(1); | ||
625 | } | ||
626 | |||
627 | execl(options.authorized_keys_command, | ||
628 | options.authorized_keys_command, user_pw->pw_name, NULL); | ||
629 | |||
630 | error("AuthorizedKeysCommand %s exec failed: %s", | ||
631 | options.authorized_keys_command, strerror(errno)); | ||
632 | _exit(127); | ||
633 | default: /* parent */ | ||
634 | break; | ||
635 | } | 1004 | } |
636 | 1005 | ||
1006 | if ((pid = subprocess("AuthorizedKeysCommand", pw, command, | ||
1007 | ac, av, &f)) == 0) | ||
1008 | goto out; | ||
1009 | |||
1010 | uid_swapped = 1; | ||
637 | temporarily_use_uid(pw); | 1011 | temporarily_use_uid(pw); |
638 | 1012 | ||
639 | close(p[1]); | ||
640 | if ((f = fdopen(p[0], "r")) == NULL) { | ||
641 | error("%s: fdopen: %s", __func__, strerror(errno)); | ||
642 | close(p[0]); | ||
643 | /* Don't leave zombie child */ | ||
644 | kill(pid, SIGTERM); | ||
645 | while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) | ||
646 | ; | ||
647 | goto out; | ||
648 | } | ||
649 | ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); | 1013 | ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); |
650 | fclose(f); | ||
651 | 1014 | ||
652 | while (waitpid(pid, &status, 0) == -1) { | 1015 | if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0) |
653 | if (errno != EINTR) { | ||
654 | error("%s: waitpid: %s", __func__, strerror(errno)); | ||
655 | goto out; | ||
656 | } | ||
657 | } | ||
658 | if (WIFSIGNALED(status)) { | ||
659 | error("AuthorizedKeysCommand %s exited on signal %d", | ||
660 | options.authorized_keys_command, WTERMSIG(status)); | ||
661 | goto out; | 1016 | goto out; |
662 | } else if (WEXITSTATUS(status) != 0) { | 1017 | |
663 | error("AuthorizedKeysCommand %s returned status %d", | 1018 | /* Read completed successfully */ |
664 | options.authorized_keys_command, WEXITSTATUS(status)); | ||
665 | goto out; | ||
666 | } | ||
667 | found_key = ok; | 1019 | found_key = ok; |
668 | out: | 1020 | out: |
669 | restore_uid(); | 1021 | if (f != NULL) |
1022 | fclose(f); | ||
1023 | signal(SIGCHLD, osigchld); | ||
1024 | for (i = 0; i < ac; i++) | ||
1025 | free(av[i]); | ||
1026 | free(av); | ||
1027 | if (uid_swapped) | ||
1028 | restore_uid(); | ||
1029 | free(command); | ||
1030 | free(username); | ||
1031 | free(key_fp); | ||
1032 | free(keytext); | ||
670 | return found_key; | 1033 | return found_key; |
671 | } | 1034 | } |
672 | 1035 | ||
@@ -674,7 +1037,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) | |||
674 | * Check whether key authenticates and authorises the user. | 1037 | * Check whether key authenticates and authorises the user. |
675 | */ | 1038 | */ |
676 | int | 1039 | int |
677 | user_key_allowed(struct passwd *pw, Key *key) | 1040 | user_key_allowed(struct passwd *pw, Key *key, int auth_attempt) |
678 | { | 1041 | { |
679 | u_int success, i; | 1042 | u_int success, i; |
680 | char *file; | 1043 | char *file; |