1 files changed, 57 insertions, 28 deletions
diff --git a/session.c b/session.c
index 51c5ea0ec..58826db16 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.293 2017/10/23 05:08:00 djm Exp $ */
+/* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -140,6 +140,7 @@ extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
 extern Buffer loginmsg;
+extern struct sshauthopt *auth_opts;
 char *tun_fwd_ifnames; /* serverloop.c */
 /* original command from peer. */
@@ -288,14 +289,42 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
        restore_uid();
 }
+static void
+set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
+{
+        char *tmp, *cp, *host;
+        int port;
+        size_t i;
+        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+                return;
+        channel_clear_permitted_opens(ssh);
+        for (i = 0; i < auth_opts->npermitopen; i++) {
+                tmp = cp = xstrdup(auth_opts->permitopen[i]);
+                /* This shouldn't fail as it has already been checked */
+                if ((host = hpdelim(&cp)) == NULL)
+                        fatal("%s: internal error: hpdelim", __func__);
+                host = cleanhostname(host);
+                if (cp == NULL || (port = permitopen_port(cp)) < 0)
+                        fatal("%s: internal error: permitopen port",
+                            __func__);
+                channel_add_permitted_opens(ssh, host, port);
+                free(tmp);
+        }
+}
 void
 do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 {
        setproctitle("%s", authctxt->pw->pw_name);
+        auth_log_authopts("active", auth_opts, 0);
        /* setup the channel layer */
        /* XXX - streamlocal? */
-        if (no_port_forwarding_flag || options.disable_forwarding ||
+        set_permitopen_from_authopts(ssh, auth_opts);
+        if (!auth_opts->permit_port_forwarding_flag ||
+            options.disable_forwarding ||
            (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
                channel_disable_adm_local_opens(ssh);
        else
@@ -642,9 +671,9 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
                original_command = command;
                command = options.adm_forced_command;
                forced = "(config)";
-        } else if (forced_command) {
+        } else if (auth_opts->force_command != NULL) {
                original_command = command;
-                command = forced_command;
+                command = auth_opts->force_command;
                forced = "(key-option)";
        }
        if (forced != NULL) {
@@ -947,8 +976,9 @@ static char **
 do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 {
        char buf[256];
+        size_t n;
        u_int i, envsize;
-        char **env, *laddr;
+        char *ocp, *cp, **env, *laddr;
        struct passwd *pw = s->pw;
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
        char *path = NULL;
@@ -1023,20 +1053,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
        if (getenv("TZ"))
                child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-        /* Set custom environment options from RSA authentication. */
+        /* Set custom environment options from pubkey authentication. */
-        while (custom_environment) {
+        if (options.permit_user_env) {
-                struct envstring *ce = custom_environment;
+                for (n = 0 ; n < auth_opts->nenv; n++) {
-                char *str = ce->s;
+                        ocp = xstrdup(auth_opts->env[n]);
+                        cp = strchr(ocp, '=');
-                for (i = 0; str[i] != '=' && str[i]; i++)
+                        if (*cp == '=') {
-                        ;
+                                *cp = '\0';
-                if (str[i] == '=') {
+                                child_set_env(&env, &envsize, ocp, cp + 1);
-                        str[i] = 0;
+                        }
-                        child_set_env(&env, &envsize, str, str + i + 1);
+                        free(ocp);
                }
-                custom_environment = ce->next;
-                free(ce->s);
-                free(ce);
        }
        /* SSH_CLIENT deprecated */
@@ -1138,7 +1165,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 * first in this order).
 */
 static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(struct ssh *ssh, Session *s, const char *shell)
 {
        FILE *f = NULL;
        char cmd[1024];
@@ -1150,7 +1177,7 @@ do_rc_files(Session *s, const char *shell)
        /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
        if (!s->is_subsystem && options.adm_forced_command == NULL &&
-            !no_user_rc && options.permit_user_rc &&
+            auth_opts->permit_user_rc && options.permit_user_rc &&
            stat(_PATH_SSH_USER_RC, &st) >= 0) {
                snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
                    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
@@ -1570,7 +1597,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
        closefrom(STDERR_FILENO + 1);
-        do_rc_files(s, shell);
+        do_rc_files(ssh, s, shell);
        /* restore SIGPIPE for child */
        signal(SIGPIPE, SIG_DFL);
@@ -1833,8 +1860,8 @@ session_pty_req(struct ssh *ssh, Session *s)
        u_int len;
        int n_bytes;
-        if (no_pty_flag || !options.permit_tty) {
+        if (!auth_opts->permit_pty_flag || !options.permit_tty) {
-                debug("Allocating a pty not permitted for this authentication.");
+                debug("Allocating a pty not permitted for this connection.");
                return 0;
        }
        if (s->ttyfd != -1) {
@@ -2022,9 +2049,11 @@ static int
 session_auth_agent_req(struct ssh *ssh, Session *s)
 {
        static int called = 0;
        packet_check_eom();
-        if (no_agent_forwarding_flag || !options.allow_agent_forwarding) {
+        if (!auth_opts->permit_agent_forwarding_flag ||
-                debug("session_auth_agent_req: no_agent_forwarding_flag");
+            !options.allow_agent_forwarding) {
+                debug("%s: agent forwarding disabled", __func__);
                return 0;
        }
        if (called) {
@@ -2402,8 +2431,8 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
        char hostname[NI_MAXHOST];
        u_int i;
-        if (no_x11_forwarding_flag) {
+        if (!auth_opts->permit_x11_forwarding_flag) {
-                packet_send_debug("X11 forwarding disabled in user configuration file.");
+                packet_send_debug("X11 forwarding disabled by key options.");
                return 0;
        }
        if (!options.x11_forwarding) {
@@ -2412,7 +2441,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
        }
        if (options.xauth_location == NULL ||
            (stat(options.xauth_location, &st) == -1)) {
-                packet_send_debug("No xauth program; cannot forward with spoofing.");
+                packet_send_debug("No xauth program; cannot forward X11.");
                return 0;
        }
        if (s->display != NULL) {

diff --git a/session.c b/session.c index 51c5ea0ec..58826db16 100644 --- a/session.c +++ b/session.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: session.c,v 1.293 2017/10/23 05:08:00 djm Exp $ */	1	/* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -140,6 +140,7 @@ extern u_int utmp_len;
140	extern int startup_pipe;	140	extern int startup_pipe;
141	extern void destroy_sensitive_data(void);	141	extern void destroy_sensitive_data(void);
142	extern Buffer loginmsg;	142	extern Buffer loginmsg;
		143	extern struct sshauthopt *auth_opts;
143	char tun_fwd_ifnames; / serverloop.c */	144	char tun_fwd_ifnames; / serverloop.c */
144		145
145	/* original command from peer. */	146	/* original command from peer. */
@@ -288,14 +289,42 @@ prepare_auth_info_file(struct passwd pw, struct sshbuf info)
288	restore_uid();	289	restore_uid();
289	}	290	}
290		291
		292	static void
		293	set_permitopen_from_authopts(struct ssh ssh, const struct sshauthopt opts)
		294	{
		295	char tmp, cp, *host;
		296	int port;
		297	size_t i;
		298
		299	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
		300	return;
		301	channel_clear_permitted_opens(ssh);
		302	for (i = 0; i < auth_opts->npermitopen; i++) {
		303	tmp = cp = xstrdup(auth_opts->permitopen[i]);
		304	/* This shouldn't fail as it has already been checked */
		305	if ((host = hpdelim(&cp)) == NULL)
		306	fatal("%s: internal error: hpdelim", __func__);
		307	host = cleanhostname(host);
		308	if (cp == NULL \|\| (port = permitopen_port(cp)) < 0)
		309	fatal("%s: internal error: permitopen port",
		310	__func__);
		311	channel_add_permitted_opens(ssh, host, port);
		312	free(tmp);
		313	}
		314	}
		315
291	void	316	void
292	do_authenticated(struct ssh ssh, Authctxt authctxt)	317	do_authenticated(struct ssh ssh, Authctxt authctxt)
293	{	318	{
294	setproctitle("%s", authctxt->pw->pw_name);	319	setproctitle("%s", authctxt->pw->pw_name);
295		320
		321	auth_log_authopts("active", auth_opts, 0);
		322
296	/* setup the channel layer */	323	/* setup the channel layer */
297	/* XXX - streamlocal? */	324	/* XXX - streamlocal? */
298	if (no_port_forwarding_flag \|\| options.disable_forwarding \|\|	325	set_permitopen_from_authopts(ssh, auth_opts);
		326	if (!auth_opts->permit_port_forwarding_flag \|\|
		327	options.disable_forwarding \|\|
299	(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)	328	(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
300	channel_disable_adm_local_opens(ssh);	329	channel_disable_adm_local_opens(ssh);
301	else	330	else
@@ -642,9 +671,9 @@ do_exec(struct ssh ssh, Session s, const char *command)
642	original_command = command;	671	original_command = command;
643	command = options.adm_forced_command;	672	command = options.adm_forced_command;
644	forced = "(config)";	673	forced = "(config)";
645	} else if (forced_command) {	674	} else if (auth_opts->force_command != NULL) {
646	original_command = command;	675	original_command = command;
647	command = forced_command;	676	command = auth_opts->force_command;
648	forced = "(key-option)";	677	forced = "(key-option)";
649	}	678	}
650	if (forced != NULL) {	679	if (forced != NULL) {
@@ -947,8 +976,9 @@ static char **
947	do_setup_env(struct ssh ssh, Session s, const char *shell)	976	do_setup_env(struct ssh ssh, Session s, const char *shell)
948	{	977	{
949	char buf[256];	978	char buf[256];
		979	size_t n;
950	u_int i, envsize;	980	u_int i, envsize;
951	char *env, laddr;	981	char ocp, cp, *env, laddr;
952	struct passwd *pw = s->pw;	982	struct passwd *pw = s->pw;
953	#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)	983	#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
954	char *path = NULL;	984	char *path = NULL;
@@ -1023,20 +1053,17 @@ do_setup_env(struct ssh ssh, Session s, const char *shell)
1023	if (getenv("TZ"))	1053	if (getenv("TZ"))
1024	child_set_env(&env, &envsize, "TZ", getenv("TZ"));	1054	child_set_env(&env, &envsize, "TZ", getenv("TZ"));
1025		1055
1026	/* Set custom environment options from RSA authentication. */	1056	/* Set custom environment options from pubkey authentication. */
1027	while (custom_environment) {	1057	if (options.permit_user_env) {
1028	struct envstring *ce = custom_environment;	1058	for (n = 0 ; n < auth_opts->nenv; n++) {
1029	char *str = ce->s;	1059	ocp = xstrdup(auth_opts->env[n]);
1030		1060	cp = strchr(ocp, '=');
1031	for (i = 0; str[i] != '=' && str[i]; i++)	1061	if (*cp == '=') {
1032	;	1062	*cp = '\0';
1033	if (str[i] == '=') {	1063	child_set_env(&env, &envsize, ocp, cp + 1);
1034	str[i] = 0;	1064	}
1035	child_set_env(&env, &envsize, str, str + i + 1);	1065	free(ocp);
1036	}	1066	}
1037	custom_environment = ce->next;
1038	free(ce->s);
1039	free(ce);
1040	}	1067	}
1041		1068
1042	/* SSH_CLIENT deprecated */	1069	/* SSH_CLIENT deprecated */
@@ -1138,7 +1165,7 @@ do_setup_env(struct ssh ssh, Session s, const char *shell)
1138	* first in this order).	1165	* first in this order).
1139	*/	1166	*/
1140	static void	1167	static void
1141	do_rc_files(Session s, const char shell)	1168	do_rc_files(struct ssh ssh, Session s, const char *shell)
1142	{	1169	{
1143	FILE *f = NULL;	1170	FILE *f = NULL;
1144	char cmd[1024];	1171	char cmd[1024];
@@ -1150,7 +1177,7 @@ do_rc_files(Session s, const char shell)
1150		1177
1151	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */	1178	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
1152	if (!s->is_subsystem && options.adm_forced_command == NULL &&	1179	if (!s->is_subsystem && options.adm_forced_command == NULL &&
1153	!no_user_rc && options.permit_user_rc &&	1180	auth_opts->permit_user_rc && options.permit_user_rc &&
1154	stat(_PATH_SSH_USER_RC, &st) >= 0) {	1181	stat(_PATH_SSH_USER_RC, &st) >= 0) {
1155	snprintf(cmd, sizeof cmd, "%s -c '%s %s'",	1182	snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
1156	shell, _PATH_BSHELL, _PATH_SSH_USER_RC);	1183	shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
@@ -1570,7 +1597,7 @@ do_child(struct ssh ssh, Session s, const char *command)
1570		1597
1571	closefrom(STDERR_FILENO + 1);	1598	closefrom(STDERR_FILENO + 1);
1572		1599
1573	do_rc_files(s, shell);	1600	do_rc_files(ssh, s, shell);
1574		1601
1575	/* restore SIGPIPE for child */	1602	/* restore SIGPIPE for child */
1576	signal(SIGPIPE, SIG_DFL);	1603	signal(SIGPIPE, SIG_DFL);
@@ -1833,8 +1860,8 @@ session_pty_req(struct ssh ssh, Session s)
1833	u_int len;	1860	u_int len;
1834	int n_bytes;	1861	int n_bytes;
1835		1862
1836	if (no_pty_flag \|\| !options.permit_tty) {	1863	if (!auth_opts->permit_pty_flag \|\| !options.permit_tty) {
1837	debug("Allocating a pty not permitted for this authentication.");	1864	debug("Allocating a pty not permitted for this connection.");
1838	return 0;	1865	return 0;
1839	}	1866	}
1840	if (s->ttyfd != -1) {	1867	if (s->ttyfd != -1) {
@@ -2022,9 +2049,11 @@ static int
2022	session_auth_agent_req(struct ssh ssh, Session s)	2049	session_auth_agent_req(struct ssh ssh, Session s)
2023	{	2050	{
2024	static int called = 0;	2051	static int called = 0;
		2052
2025	packet_check_eom();	2053	packet_check_eom();
2026	if (no_agent_forwarding_flag \|\| !options.allow_agent_forwarding) {	2054	if (!auth_opts->permit_agent_forwarding_flag \|\|
2027	debug("session_auth_agent_req: no_agent_forwarding_flag");	2055	!options.allow_agent_forwarding) {
		2056	debug("%s: agent forwarding disabled", __func__);
2028	return 0;	2057	return 0;
2029	}	2058	}
2030	if (called) {	2059	if (called) {
@@ -2402,8 +2431,8 @@ session_setup_x11fwd(struct ssh ssh, Session s)
2402	char hostname[NI_MAXHOST];	2431	char hostname[NI_MAXHOST];
2403	u_int i;	2432	u_int i;
2404		2433
2405	if (no_x11_forwarding_flag) {	2434	if (!auth_opts->permit_x11_forwarding_flag) {
2406	packet_send_debug("X11 forwarding disabled in user configuration file.");	2435	packet_send_debug("X11 forwarding disabled by key options.");
2407	return 0;	2436	return 0;
2408	}	2437	}
2409	if (!options.x11_forwarding) {	2438	if (!options.x11_forwarding) {
@@ -2412,7 +2441,7 @@ session_setup_x11fwd(struct ssh ssh, Session s)
2412	}	2441	}
2413	if (options.xauth_location == NULL \|\|	2442	if (options.xauth_location == NULL \|\|
2414	(stat(options.xauth_location, &st) == -1)) {	2443	(stat(options.xauth_location, &st) == -1)) {
2415	packet_send_debug("No xauth program; cannot forward with spoofing.");	2444	packet_send_debug("No xauth program; cannot forward X11.");
2416	return 0;	2445	return 0;
2417	}	2446	}
2418	if (s->display != NULL) {	2447	if (s->display != NULL) {