1 files changed, 361 insertions, 103 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index f96e843c2..553144c7b 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.49 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.50 2015/05/21 06:38:35 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -65,6 +65,9 @@
 #include "monitor_wrap.h"
 #include "authfile.h"
 #include "match.h"
+#include "ssherr.h"
+#include "channels.h" /* XXX for session.h */
+#include "session.h" /* XXX for child_set_env(); refactor? */
 /* import */
 extern ServerOptions options;
@@ -248,6 +251,288 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
        free(extra);
 }
+/*
+ * Splits 's' into an argument vector. Handles quoted string and basic
+ * escape characters (\\, \", \'). Caller must free the argument vector
+ * and its members.
+ */
+static int
+split_argv(const char *s, int *argcp, char ***argvp)
+{
+        int r = SSH_ERR_INTERNAL_ERROR;
+        int argc = 0, quote, i, j;
+        char *arg, **argv = xcalloc(1, sizeof(*argv));
+        *argvp = NULL;
+        *argcp = 0;
+        for (i = 0; s[i] != '\0'; i++) {
+                /* Skip leading whitespace */
+                if (s[i] == ' ' || s[i] == '\t')
+                        continue;
+                /* Start of a token */
+                quote = 0;
+                if (s[i] == '\\' &&
+                    (s[i + 1] == '\'' || s[i + 1] == '\"' || s[i + 1] == '\\'))
+                        i++;
+                else if (s[i] == '\'' || s[i] == '"')
+                        quote = s[i++];
+                argv = xreallocarray(argv, (argc + 2), sizeof(*argv));
+                arg = argv[argc++] = xcalloc(1, strlen(s + i) + 1);
+                argv[argc] = NULL;
+                /* Copy the token in, removing escapes */
+                for (j = 0; s[i] != '\0'; i++) {
+                        if (s[i] == '\\') {
+                                if (s[i + 1] == '\'' ||
+                                    s[i + 1] == '\"' ||
+                                    s[i + 1] == '\\') {
+                                        i++; /* Skip '\' */
+                                        arg[j++] = s[i];
+                                } else {
+                                        /* Unrecognised escape */
+                                        arg[j++] = s[i];
+                                }
+                        } else if (quote == 0 && (s[i] == ' ' || s[i] == '\t'))
+                                break; /* done */
+                        else if (quote != 0 && s[i] == quote)
+                                break; /* done */
+                        else
+                                arg[j++] = s[i];
+                }
+                if (s[i] == '\0') {
+                        if (quote != 0) {
+                                /* Ran out of string looking for close quote */
+                                r = SSH_ERR_INVALID_FORMAT;
+                                goto out;
+                        }
+                        break;
+                }
+        }
+        /* Success */
+        *argcp = argc;
+        *argvp = argv;
+        argc = 0;
+        argv = NULL;
+        r = 0;
+ out:
+        if (argc != 0 && argv != NULL) {
+                for (i = 0; i < argc; i++)
+                        free(argv[i]);
+                free(argv);
+        }
+        return r;
+}
+/*
+ * Reassemble an argument vector into a string, quoting and escaping as
+ * necessary. Caller must free returned string.
+ */
+static char *
+assemble_argv(int argc, char **argv)
+{
+        int i, j, ws, r;
+        char c, *ret;
+        struct sshbuf *buf, *arg;
+        if ((buf = sshbuf_new()) == NULL || (arg = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        for (i = 0; i < argc; i++) {
+                ws = 0;
+                sshbuf_reset(arg);
+                for (j = 0; argv[i][j] != '\0'; j++) {
+                        r = 0;
+                        c = argv[i][j];
+                        switch (c) {
+                        case ' ':
+                        case '\t':
+                                ws = 1;
+                                r = sshbuf_put_u8(arg, c);
+                                break;
+                        case '\\':
+                        case '\'':
+                        case '"':
+                                if ((r = sshbuf_put_u8(arg, '\\')) != 0)
+                                        break;
+                                /* FALLTHROUGH */
+                        default:
+                                r = sshbuf_put_u8(arg, c);
+                                break;
+                        }
+                        if (r != 0)
+                                fatal("%s: sshbuf_put_u8: %s",
+                                    __func__, ssh_err(r));
+                }
+                if ((i != 0 && (r = sshbuf_put_u8(buf, ' ')) != 0) ||
+                    (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0) ||
+                    (r = sshbuf_putb(buf, arg)) != 0 ||
+                    (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0))
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        }
+        if ((ret = malloc(sshbuf_len(buf) + 1)) == NULL)
+                fatal("%s: malloc failed", __func__);
+        memcpy(ret, sshbuf_ptr(buf), sshbuf_len(buf));
+        ret[sshbuf_len(buf)] = '\0';
+        sshbuf_free(buf);
+        sshbuf_free(arg);
+        return ret;
+}
+/*
+ * Runs command in a subprocess. Returns pid on success and a FILE* to the
+ * subprocess' stdout or 0 on failure.
+ * NB. "command" is only used for logging.
+ */
+static pid_t
+subprocess(const char *tag, struct passwd *pw, const char *command,
+    int ac, char **av, FILE **child)
+{
+        FILE *f;
+        struct stat st;
+        int devnull, p[2], i;
+        pid_t pid;
+        char *cp, errmsg[512];
+        u_int envsize;
+        char **child_env;
+        *child = NULL;
+        debug3("%s: %s command \"%s\" running as %s", __func__,
+            tag, command, pw->pw_name);
+        /* Verify the path exists and is safe-ish to execute */
+        if (*av[0] != '/') {
+                error("%s path is not absolute", tag);
+                return 0;
+        }
+        temporarily_use_uid(pw);
+        if (stat(av[0], &st) < 0) {
+                error("Could not stat %s \"%s\": %s", tag,
+                    av[0], strerror(errno));
+                restore_uid();
+                return 0;
+        }
+        if (auth_secure_path(av[0], &st, NULL, 0,
+            errmsg, sizeof(errmsg)) != 0) {
+                error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
+                restore_uid();
+                return 0;
+        }
+        /*
+         * Run the command; stderr is left in place, stdout is the
+         * authorized_keys output.
+         */
+        if (pipe(p) != 0) {
+                error("%s: pipe: %s", tag, strerror(errno));
+                restore_uid();
+                return 0;
+        }
+        /*
+         * Don't want to call this in the child, where it can fatal() and
+         * run cleanup_exit() code.
+         */
+        restore_uid();
+        switch ((pid = fork())) {
+        case -1: /* error */
+                error("%s: fork: %s", tag, strerror(errno));
+                close(p[0]);
+                close(p[1]);
+                return 0;
+        case 0: /* child */
+                /* Prepare a minimal environment for the child. */
+                envsize = 5;
+                child_env = xcalloc(sizeof(*child_env), envsize);
+                child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
+                child_set_env(&child_env, &envsize, "USER", pw->pw_name);
+                child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
+                child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
+                if ((cp = getenv("LANG")) != NULL)
+                        child_set_env(&child_env, &envsize, "LANG", cp);
+                for (i = 0; i < NSIG; i++)
+                        signal(i, SIG_DFL);
+                if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+                        error("%s: open %s: %s", tag, _PATH_DEVNULL,
+                            strerror(errno));
+                        _exit(1);
+                }
+                /* Keep stderr around a while longer to catch errors */
+                if (dup2(devnull, STDIN_FILENO) == -1 ||
+                    dup2(p[1], STDOUT_FILENO) == -1) {
+                        error("%s: dup2: %s", tag, strerror(errno));
+                        _exit(1);
+                }
+                closefrom(STDERR_FILENO + 1);
+                /* Don't use permanently_set_uid() here to avoid fatal() */
+                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
+                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+                            strerror(errno));
+                        _exit(1);
+                }
+                if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
+                        error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
+                            strerror(errno));
+                        _exit(1);
+                }
+                /* stdin is pointed to /dev/null at this point */
+                if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
+                        error("%s: dup2: %s", tag, strerror(errno));
+                        _exit(1);
+                }
+                execve(av[0], av, child_env);
+                error("%s exec \"%s\": %s", tag, command, strerror(errno));
+                _exit(127);
+        default: /* parent */
+                break;
+        }
+        close(p[1]);
+        if ((f = fdopen(p[0], "r")) == NULL) {
+                error("%s: fdopen: %s", tag, strerror(errno));
+                close(p[0]);
+                /* Don't leave zombie child */
+                kill(pid, SIGTERM);
+                while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
+                        ;
+                return 0;
+        }
+        /* Success */
+        debug3("%s: %s pid %ld", __func__, tag, (long)pid);
+        *child = f;
+        return pid;
+}
+/* Returns 0 if pid exited cleanly, non-zero otherwise */
+static int
+exited_cleanly(pid_t pid, const char *tag, const char *cmd)
+{
+        int status;
+        while (waitpid(pid, &status, 0) == -1) {
+                if (errno != EINTR) {
+                        error("%s: waitpid: %s", tag, strerror(errno));
+                        return -1;
+                }
+        }
+        if (WIFSIGNALED(status)) {
+                error("%s %s exited on signal %d", tag, cmd, WTERMSIG(status));
+                return -1;
+        } else if (WEXITSTATUS(status) != 0) {
+                error("%s %s failed, status %d", tag, cmd, WEXITSTATUS(status));
+                return -1;
+        }
+        return 0;
+}
 static int
 match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 {
@@ -526,144 +811,117 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 static int
 user_key_command_allowed2(struct passwd *user_pw, Key *key)
 {
-        FILE *f;
+        FILE *f = NULL;
-        int ok, found_key = 0;
+        int r, ok, found_key = 0;
        struct passwd *pw;
-        struct stat st;
+        int i, uid_swapped = 0, ac = 0;
-        int status, devnull, p[2], i;
        pid_t pid;
-        char *username, errmsg[512];
+        char *username = NULL, *key_fp = NULL, *keytext = NULL;
+        char *tmp, *command = NULL, **av = NULL;
+        void (*osigchld)(int);
-        if (options.authorized_keys_command == NULL ||
+        if (options.authorized_keys_command == NULL)
-            options.authorized_keys_command[0] != '/')
                return 0;
        if (options.authorized_keys_command_user == NULL) {
                error("No user for AuthorizedKeysCommand specified, skipping");
                return 0;
        }
+        /*
+         * NB. all returns later this function should go via "out" to
+         * ensure the original SIGCHLD handler is restored properly.
+         */
+        osigchld = signal(SIGCHLD, SIG_DFL);
+        /* Prepare and verify the user for the command */
        username = percent_expand(options.authorized_keys_command_user,
            "u", user_pw->pw_name, (char *)NULL);
        pw = getpwnam(username);
        if (pw == NULL) {
                error("AuthorizedKeysCommandUser \"%s\" not found: %s",
                    username, strerror(errno));
-                free(username);
+                goto out;
-                return 0;
        }
-        free(username);
-        temporarily_use_uid(pw);
-        if (stat(options.authorized_keys_command, &st) < 0) {
+        /* Prepare AuthorizedKeysCommand */
-                error("Could not stat AuthorizedKeysCommand \"%s\": %s",
+        if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash,
-                    options.authorized_keys_command, strerror(errno));
+            SSH_FP_DEFAULT)) == NULL) {
+                error("%s: sshkey_fingerprint failed", __func__);
                goto out;
        }
-        if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
+        if ((r = sshkey_to_base64(key, &keytext)) != 0) {
-            errmsg, sizeof(errmsg)) != 0) {
+                error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
-                error("Unsafe AuthorizedKeysCommand: %s", errmsg);
                goto out;
        }
-        if (pipe(p) != 0) {
+        /* Turn the command into an argument vector */
-                error("%s: pipe: %s", __func__, strerror(errno));
+        if (split_argv(options.authorized_keys_command, &ac, &av) != 0) {
+                error("AuthorizedKeysCommand \"%s\" contains invalid quotes",
+                    command);
                goto out;
        }
+        if (ac == 0) {
-        debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
+                error("AuthorizedKeysCommand \"%s\" yielded no arguments",
-            options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
+                    command);
+                goto out;
+        }
+        for (i = 1; i < ac; i++) {
+                tmp = percent_expand(av[i],
+                    "u", user_pw->pw_name,
+                    "h", user_pw->pw_dir,
+                    "t", sshkey_ssh_name(key),
+                    "f", key_fp,
+                    "k", keytext,
+                    (char *)NULL);
+                if (tmp == NULL)
+                        fatal("%s: percent_expand failed", __func__);
+                free(av[i]);
+                av[i] = tmp;
+        }
+        /* Prepare a printable command for logs, etc. */
+        command = assemble_argv(ac, av);
        /*
-         * Don't want to call this in the child, where it can fatal() and
+         * If AuthorizedKeysCommand was run without arguments
-         * run cleanup_exit() code.
+         * then fall back to the old behaviour of passing the
+         * target username as a single argument.
         */
-        restore_uid();
+        if (ac == 1) {
+                av = xreallocarray(av, ac + 2, sizeof(*av));
-        switch ((pid = fork())) {
+                av[1] = xstrdup(user_pw->pw_name);
-        case -1: /* error */
+                av[2] = NULL;
-                error("%s: fork: %s", __func__, strerror(errno));
+                /* Fix up command too, since it is used in log messages */
-                close(p[0]);
+                free(command);
-                close(p[1]);
+                xasprintf(&command, "%s %s", av[0], av[1]);
-                return 0;
-        case 0: /* child */
-                for (i = 0; i < NSIG; i++)
-                        signal(i, SIG_DFL);
-                if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
-                        error("%s: open %s: %s", __func__, _PATH_DEVNULL,
-                            strerror(errno));
-                        _exit(1);
-                }
-                /* Keep stderr around a while longer to catch errors */
-                if (dup2(devnull, STDIN_FILENO) == -1 ||
-                    dup2(p[1], STDOUT_FILENO) == -1) {
-                        error("%s: dup2: %s", __func__, strerror(errno));
-                        _exit(1);
-                }
-                closefrom(STDERR_FILENO + 1);
-                /* Don't use permanently_set_uid() here to avoid fatal() */
-                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
-                        error("setresgid %u: %s", (u_int)pw->pw_gid,
-                            strerror(errno));
-                        _exit(1);
-                }
-                if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
-                        error("setresuid %u: %s", (u_int)pw->pw_uid,
-                            strerror(errno));
-                        _exit(1);
-                }
-                /* stdin is pointed to /dev/null at this point */
-                if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
-                        error("%s: dup2: %s", __func__, strerror(errno));
-                        _exit(1);
-                }
-                execl(options.authorized_keys_command,
-                    options.authorized_keys_command, user_pw->pw_name, NULL);
-                error("AuthorizedKeysCommand %s exec failed: %s",
-                    options.authorized_keys_command, strerror(errno));
-                _exit(127);
-        default: /* parent */
-                break;
        }
+        if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
+            ac, av, &f)) == 0)
+                goto out;
+        uid_swapped = 1;
        temporarily_use_uid(pw);
-        close(p[1]);
-        if ((f = fdopen(p[0], "r")) == NULL) {
-                error("%s: fdopen: %s", __func__, strerror(errno));
-                close(p[0]);
-                /* Don't leave zombie child */
-                kill(pid, SIGTERM);
-                while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
-                        ;
-                goto out;
-        }
        ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
-        fclose(f);
-        while (waitpid(pid, &status, 0) == -1) {
+        if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
-                if (errno != EINTR) {
-                        error("%s: waitpid: %s", __func__, strerror(errno));
-                        goto out;
-                }
-        }
-        if (WIFSIGNALED(status)) {
-                error("AuthorizedKeysCommand %s exited on signal %d",
-                    options.authorized_keys_command, WTERMSIG(status));
-                goto out;
-        } else if (WEXITSTATUS(status) != 0) {
-                error("AuthorizedKeysCommand %s returned status %d",
-                    options.authorized_keys_command, WEXITSTATUS(status));
                goto out;
-        }
+        /* Read completed successfully */
        found_key = ok;
 out:
-        restore_uid();
+        if (f != NULL)
+                fclose(f);
+        signal(SIGCHLD, osigchld);
+        for (i = 0; i < ac; i++)
+                free(av[i]);
+        free(av);
+        if (uid_swapped)
+                restore_uid();
+        free(command);
+        free(username);
+        free(key_fp);
+        free(keytext);
        return found_key;
 }

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index f96e843c2..553144c7b 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.49 2015/05/04 06:10:48 djm Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.50 2015/05/21 06:38:35 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -65,6 +65,9 @@
65	#include "monitor_wrap.h"	65	#include "monitor_wrap.h"
66	#include "authfile.h"	66	#include "authfile.h"
67	#include "match.h"	67	#include "match.h"
		68	#include "ssherr.h"
		69	#include "channels.h" /* XXX for session.h */
		70	#include "session.h" /* XXX for child_set_env(); refactor? */
68		71
69	/* import */	72	/* import */
70	extern ServerOptions options;	73	extern ServerOptions options;
@@ -248,6 +251,288 @@ pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...)
248	free(extra);	251	free(extra);
249	}	252	}
250		253
		254	/*
		255	* Splits 's' into an argument vector. Handles quoted string and basic
		256	* escape characters (\\, \", \'). Caller must free the argument vector
		257	* and its members.
		258	*/
		259	static int
		260	split_argv(const char s, int argcp, char ***argvp)
		261	{
		262	int r = SSH_ERR_INTERNAL_ERROR;
		263	int argc = 0, quote, i, j;
		264	char arg, argv = xcalloc(1, sizeof(argv));
		265
		266	*argvp = NULL;
		267	*argcp = 0;
		268
		269	for (i = 0; s[i] != '\0'; i++) {
		270	/* Skip leading whitespace */
		271	if (s[i] == ' ' \|\| s[i] == '\t')
		272	continue;
		273
		274	/* Start of a token */
		275	quote = 0;
		276	if (s[i] == '\\' &&
		277	(s[i + 1] == '\'' \|\| s[i + 1] == '\"' \|\| s[i + 1] == '\\'))
		278	i++;
		279	else if (s[i] == '\'' \|\| s[i] == '"')
		280	quote = s[i++];
		281
		282	argv = xreallocarray(argv, (argc + 2), sizeof(*argv));
		283	arg = argv[argc++] = xcalloc(1, strlen(s + i) + 1);
		284	argv[argc] = NULL;
		285
		286	/* Copy the token in, removing escapes */
		287	for (j = 0; s[i] != '\0'; i++) {
		288	if (s[i] == '\\') {
		289	if (s[i + 1] == '\'' \|\|
		290	s[i + 1] == '\"' \|\|
		291	s[i + 1] == '\\') {
		292	i++; /* Skip '\' */
		293	arg[j++] = s[i];
		294	} else {
		295	/* Unrecognised escape */
		296	arg[j++] = s[i];
		297	}
		298	} else if (quote == 0 && (s[i] == ' ' \|\| s[i] == '\t'))
		299	break; /* done */
		300	else if (quote != 0 && s[i] == quote)
		301	break; /* done */
		302	else
		303	arg[j++] = s[i];
		304	}
		305	if (s[i] == '\0') {
		306	if (quote != 0) {
		307	/* Ran out of string looking for close quote */
		308	r = SSH_ERR_INVALID_FORMAT;
		309	goto out;
		310	}
		311	break;
		312	}
		313	}
		314	/* Success */
		315	*argcp = argc;
		316	*argvp = argv;
		317	argc = 0;
		318	argv = NULL;
		319	r = 0;
		320	out:
		321	if (argc != 0 && argv != NULL) {
		322	for (i = 0; i < argc; i++)
		323	free(argv[i]);
		324	free(argv);
		325	}
		326	return r;
		327	}
		328
		329	/*
		330	* Reassemble an argument vector into a string, quoting and escaping as
		331	* necessary. Caller must free returned string.
		332	*/
		333	static char *
		334	assemble_argv(int argc, char **argv)
		335	{
		336	int i, j, ws, r;
		337	char c, *ret;
		338	struct sshbuf buf, arg;
		339
		340	if ((buf = sshbuf_new()) == NULL \|\| (arg = sshbuf_new()) == NULL)
		341	fatal("%s: sshbuf_new failed", __func__);
		342
		343	for (i = 0; i < argc; i++) {
		344	ws = 0;
		345	sshbuf_reset(arg);
		346	for (j = 0; argv[i][j] != '\0'; j++) {
		347	r = 0;
		348	c = argv[i][j];
		349	switch (c) {
		350	case ' ':
		351	case '\t':
		352	ws = 1;
		353	r = sshbuf_put_u8(arg, c);
		354	break;
		355	case '\\':
		356	case '\'':
		357	case '"':
		358	if ((r = sshbuf_put_u8(arg, '\\')) != 0)
		359	break;
		360	/* FALLTHROUGH */
		361	default:
		362	r = sshbuf_put_u8(arg, c);
		363	break;
		364	}
		365	if (r != 0)
		366	fatal("%s: sshbuf_put_u8: %s",
		367	__func__, ssh_err(r));
		368	}
		369	if ((i != 0 && (r = sshbuf_put_u8(buf, ' ')) != 0) \|\|
		370	(ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0) \|\|
		371	(r = sshbuf_putb(buf, arg)) != 0 \|\|
		372	(ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0))
		373	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		374	}
		375	if ((ret = malloc(sshbuf_len(buf) + 1)) == NULL)
		376	fatal("%s: malloc failed", __func__);
		377	memcpy(ret, sshbuf_ptr(buf), sshbuf_len(buf));
		378	ret[sshbuf_len(buf)] = '\0';
		379	sshbuf_free(buf);
		380	sshbuf_free(arg);
		381	return ret;
		382	}
		383
		384	/*
		385	* Runs command in a subprocess. Returns pid on success and a FILE* to the
		386	* subprocess' stdout or 0 on failure.
		387	* NB. "command" is only used for logging.
		388	*/
		389	static pid_t
		390	subprocess(const char tag, struct passwd pw, const char *command,
		391	int ac, char av, FILE child)
		392	{
		393	FILE *f;
		394	struct stat st;
		395	int devnull, p[2], i;
		396	pid_t pid;
		397	char *cp, errmsg[512];
		398	u_int envsize;
		399	char **child_env;
		400
		401	*child = NULL;
		402
		403	debug3("%s: %s command \"%s\" running as %s", __func__,
		404	tag, command, pw->pw_name);
		405
		406	/* Verify the path exists and is safe-ish to execute */
		407	if (*av[0] != '/') {
		408	error("%s path is not absolute", tag);
		409	return 0;
		410	}
		411	temporarily_use_uid(pw);
		412	if (stat(av[0], &st) < 0) {
		413	error("Could not stat %s \"%s\": %s", tag,
		414	av[0], strerror(errno));
		415	restore_uid();
		416	return 0;
		417	}
		418	if (auth_secure_path(av[0], &st, NULL, 0,
		419	errmsg, sizeof(errmsg)) != 0) {
		420	error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
		421	restore_uid();
		422	return 0;
		423	}
		424
		425	/*
		426	* Run the command; stderr is left in place, stdout is the
		427	* authorized_keys output.
		428	*/
		429	if (pipe(p) != 0) {
		430	error("%s: pipe: %s", tag, strerror(errno));
		431	restore_uid();
		432	return 0;
		433	}
		434
		435	/*
		436	* Don't want to call this in the child, where it can fatal() and
		437	* run cleanup_exit() code.
		438	*/
		439	restore_uid();
		440
		441	switch ((pid = fork())) {
		442	case -1: /* error */
		443	error("%s: fork: %s", tag, strerror(errno));
		444	close(p[0]);
		445	close(p[1]);
		446	return 0;
		447	case 0: /* child */
		448	/* Prepare a minimal environment for the child. */
		449	envsize = 5;
		450	child_env = xcalloc(sizeof(*child_env), envsize);
		451	child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
		452	child_set_env(&child_env, &envsize, "USER", pw->pw_name);
		453	child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
		454	child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
		455	if ((cp = getenv("LANG")) != NULL)
		456	child_set_env(&child_env, &envsize, "LANG", cp);
		457
		458	for (i = 0; i < NSIG; i++)
		459	signal(i, SIG_DFL);
		460
		461	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
		462	error("%s: open %s: %s", tag, _PATH_DEVNULL,
		463	strerror(errno));
		464	_exit(1);
		465	}
		466	/* Keep stderr around a while longer to catch errors */
		467	if (dup2(devnull, STDIN_FILENO) == -1 \|\|
		468	dup2(p[1], STDOUT_FILENO) == -1) {
		469	error("%s: dup2: %s", tag, strerror(errno));
		470	_exit(1);
		471	}
		472	closefrom(STDERR_FILENO + 1);
		473
		474	/* Don't use permanently_set_uid() here to avoid fatal() */
		475	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
		476	error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
		477	strerror(errno));
		478	_exit(1);
		479	}
		480	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
		481	error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
		482	strerror(errno));
		483	_exit(1);
		484	}
		485	/* stdin is pointed to /dev/null at this point */
		486	if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
		487	error("%s: dup2: %s", tag, strerror(errno));
		488	_exit(1);
		489	}
		490
		491	execve(av[0], av, child_env);
		492	error("%s exec \"%s\": %s", tag, command, strerror(errno));
		493	_exit(127);
		494	default: /* parent */
		495	break;
		496	}
		497
		498	close(p[1]);
		499	if ((f = fdopen(p[0], "r")) == NULL) {
		500	error("%s: fdopen: %s", tag, strerror(errno));
		501	close(p[0]);
		502	/* Don't leave zombie child */
		503	kill(pid, SIGTERM);
		504	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
		505	;
		506	return 0;
		507	}
		508	/* Success */
		509	debug3("%s: %s pid %ld", __func__, tag, (long)pid);
		510	*child = f;
		511	return pid;
		512	}
		513
		514	/* Returns 0 if pid exited cleanly, non-zero otherwise */
		515	static int
		516	exited_cleanly(pid_t pid, const char tag, const char cmd)
		517	{
		518	int status;
		519
		520	while (waitpid(pid, &status, 0) == -1) {
		521	if (errno != EINTR) {
		522	error("%s: waitpid: %s", tag, strerror(errno));
		523	return -1;
		524	}
		525	}
		526	if (WIFSIGNALED(status)) {
		527	error("%s %s exited on signal %d", tag, cmd, WTERMSIG(status));
		528	return -1;
		529	} else if (WEXITSTATUS(status) != 0) {
		530	error("%s %s failed, status %d", tag, cmd, WEXITSTATUS(status));
		531	return -1;
		532	}
		533	return 0;
		534	}
		535
251	static int	536	static int
252	match_principals_option(const char principal_list, struct sshkey_cert cert)	537	match_principals_option(const char principal_list, struct sshkey_cert cert)
253	{	538	{
@@ -526,144 +811,117 @@ user_key_allowed2(struct passwd pw, Key key, char *file)
526	static int	811	static int
527	user_key_command_allowed2(struct passwd user_pw, Key key)	812	user_key_command_allowed2(struct passwd user_pw, Key key)
528	{	813	{
529	FILE *f;	814	FILE *f = NULL;
530	int ok, found_key = 0;	815	int r, ok, found_key = 0;
531	struct passwd *pw;	816	struct passwd *pw;
532	struct stat st;	817	int i, uid_swapped = 0, ac = 0;
533	int status, devnull, p[2], i;
534	pid_t pid;	818	pid_t pid;
535	char *username, errmsg[512];	819	char username = NULL, key_fp = NULL, *keytext = NULL;
		820	char tmp, command = NULL, **av = NULL;
		821	void (*osigchld)(int);
536		822
537	if (options.authorized_keys_command == NULL \|\|	823	if (options.authorized_keys_command == NULL)
538	options.authorized_keys_command[0] != '/')
539	return 0;	824	return 0;
540
541	if (options.authorized_keys_command_user == NULL) {	825	if (options.authorized_keys_command_user == NULL) {
542	error("No user for AuthorizedKeysCommand specified, skipping");	826	error("No user for AuthorizedKeysCommand specified, skipping");
543	return 0;	827	return 0;
544	}	828	}
545		829
		830	/*
		831	* NB. all returns later this function should go via "out" to
		832	* ensure the original SIGCHLD handler is restored properly.
		833	*/
		834	osigchld = signal(SIGCHLD, SIG_DFL);
		835
		836	/* Prepare and verify the user for the command */
546	username = percent_expand(options.authorized_keys_command_user,	837	username = percent_expand(options.authorized_keys_command_user,
547	"u", user_pw->pw_name, (char *)NULL);	838	"u", user_pw->pw_name, (char *)NULL);
548	pw = getpwnam(username);	839	pw = getpwnam(username);
549	if (pw == NULL) {	840	if (pw == NULL) {
550	error("AuthorizedKeysCommandUser \"%s\" not found: %s",	841	error("AuthorizedKeysCommandUser \"%s\" not found: %s",
551	username, strerror(errno));	842	username, strerror(errno));
552	free(username);	843	goto out;
553	return 0;
554	}	844	}
555	free(username);
556
557	temporarily_use_uid(pw);
558		845
559	if (stat(options.authorized_keys_command, &st) < 0) {	846	/* Prepare AuthorizedKeysCommand */
560	error("Could not stat AuthorizedKeysCommand \"%s\": %s",	847	if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash,
561	options.authorized_keys_command, strerror(errno));	848	SSH_FP_DEFAULT)) == NULL) {
		849	error("%s: sshkey_fingerprint failed", __func__);
562	goto out;	850	goto out;
563	}	851	}
564	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,	852	if ((r = sshkey_to_base64(key, &keytext)) != 0) {
565	errmsg, sizeof(errmsg)) != 0) {	853	error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
566	error("Unsafe AuthorizedKeysCommand: %s", errmsg);
567	goto out;	854	goto out;
568	}	855	}
569		856
570	if (pipe(p) != 0) {	857	/* Turn the command into an argument vector */
571	error("%s: pipe: %s", __func__, strerror(errno));	858	if (split_argv(options.authorized_keys_command, &ac, &av) != 0) {
		859	error("AuthorizedKeysCommand \"%s\" contains invalid quotes",
		860	command);
572	goto out;	861	goto out;
573	}	862	}
574		863	if (ac == 0) {
575	debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",	864	error("AuthorizedKeysCommand \"%s\" yielded no arguments",
576	options.authorized_keys_command, user_pw->pw_name, pw->pw_name);	865	command);
		866	goto out;
		867	}
		868	for (i = 1; i < ac; i++) {
		869	tmp = percent_expand(av[i],
		870	"u", user_pw->pw_name,
		871	"h", user_pw->pw_dir,
		872	"t", sshkey_ssh_name(key),
		873	"f", key_fp,
		874	"k", keytext,
		875	(char *)NULL);
		876	if (tmp == NULL)
		877	fatal("%s: percent_expand failed", __func__);
		878	free(av[i]);
		879	av[i] = tmp;
		880	}
		881	/* Prepare a printable command for logs, etc. */
		882	command = assemble_argv(ac, av);
577		883
578	/*	884	/*
579	* Don't want to call this in the child, where it can fatal() and	885	* If AuthorizedKeysCommand was run without arguments
580	* run cleanup_exit() code.	886	* then fall back to the old behaviour of passing the
		887	* target username as a single argument.
581	*/	888	*/
582	restore_uid();	889	if (ac == 1) {
583		890	av = xreallocarray(av, ac + 2, sizeof(*av));
584	switch ((pid = fork())) {	891	av[1] = xstrdup(user_pw->pw_name);
585	case -1: /* error */	892	av[2] = NULL;
586	error("%s: fork: %s", __func__, strerror(errno));	893	/* Fix up command too, since it is used in log messages */
587	close(p[0]);	894	free(command);
588	close(p[1]);	895	xasprintf(&command, "%s %s", av[0], av[1]);
589	return 0;
590	case 0: /* child */
591	for (i = 0; i < NSIG; i++)
592	signal(i, SIG_DFL);
593
594	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
595	error("%s: open %s: %s", __func__, _PATH_DEVNULL,
596	strerror(errno));
597	_exit(1);
598	}
599	/* Keep stderr around a while longer to catch errors */
600	if (dup2(devnull, STDIN_FILENO) == -1 \|\|
601	dup2(p[1], STDOUT_FILENO) == -1) {
602	error("%s: dup2: %s", __func__, strerror(errno));
603	_exit(1);
604	}
605	closefrom(STDERR_FILENO + 1);
606
607	/* Don't use permanently_set_uid() here to avoid fatal() */
608	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
609	error("setresgid %u: %s", (u_int)pw->pw_gid,
610	strerror(errno));
611	_exit(1);
612	}
613	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
614	error("setresuid %u: %s", (u_int)pw->pw_uid,
615	strerror(errno));
616	_exit(1);
617	}
618	/* stdin is pointed to /dev/null at this point */
619	if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
620	error("%s: dup2: %s", __func__, strerror(errno));
621	_exit(1);
622	}
623
624	execl(options.authorized_keys_command,
625	options.authorized_keys_command, user_pw->pw_name, NULL);
626
627	error("AuthorizedKeysCommand %s exec failed: %s",
628	options.authorized_keys_command, strerror(errno));
629	_exit(127);
630	default: /* parent */
631	break;
632	}	896	}
633		897
		898	if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
		899	ac, av, &f)) == 0)
		900	goto out;
		901
		902	uid_swapped = 1;
634	temporarily_use_uid(pw);	903	temporarily_use_uid(pw);
635		904
636	close(p[1]);
637	if ((f = fdopen(p[0], "r")) == NULL) {
638	error("%s: fdopen: %s", __func__, strerror(errno));
639	close(p[0]);
640	/* Don't leave zombie child */
641	kill(pid, SIGTERM);
642	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
643	;
644	goto out;
645	}
646	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);	905	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
647	fclose(f);
648		906
649	while (waitpid(pid, &status, 0) == -1) {	907	if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
650	if (errno != EINTR) {
651	error("%s: waitpid: %s", __func__, strerror(errno));
652	goto out;
653	}
654	}
655	if (WIFSIGNALED(status)) {
656	error("AuthorizedKeysCommand %s exited on signal %d",
657	options.authorized_keys_command, WTERMSIG(status));
658	goto out;
659	} else if (WEXITSTATUS(status) != 0) {
660	error("AuthorizedKeysCommand %s returned status %d",
661	options.authorized_keys_command, WEXITSTATUS(status));
662	goto out;	908	goto out;
663	}	909
		910	/* Read completed successfully */
664	found_key = ok;	911	found_key = ok;
665	out:	912	out:
666	restore_uid();	913	if (f != NULL)
		914	fclose(f);
		915	signal(SIGCHLD, osigchld);
		916	for (i = 0; i < ac; i++)
		917	free(av[i]);
		918	free(av);
		919	if (uid_swapped)
		920	restore_uid();
		921	free(command);
		922	free(username);
		923	free(key_fp);
		924	free(keytext);
667	return found_key;	925	return found_key;
668	}	926	}
669		927