auth-options.c revision 1.4
1 1.4 christos /* $NetBSD: auth-options.c,v 1.4 2011/07/25 03:03:10 christos Exp $ */ 2 1.4 christos /* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */ 3 1.1 christos /* 4 1.1 christos * Author: Tatu Ylonen <ylo (at) cs.hut.fi> 5 1.1 christos * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 6 1.1 christos * All rights reserved 7 1.1 christos * As far as I am concerned, the code I have written for this software 8 1.1 christos * can be used freely for any purpose. Any derived versions of this 9 1.1 christos * software must be clearly marked as such, and if the derived work is 10 1.1 christos * incompatible with the protocol description in the RFC file, it must be 11 1.1 christos * called by a name other than "ssh" or "Secure Shell". 12 1.1 christos */ 13 1.1 christos 14 1.2 christos #include "includes.h" 15 1.4 christos __RCSID("$NetBSD: auth-options.c,v 1.4 2011/07/25 03:03:10 christos Exp $"); 16 1.1 christos #include <sys/types.h> 17 1.1 christos #include <sys/queue.h> 18 1.1 christos 19 1.1 christos #include <netdb.h> 20 1.1 christos #include <pwd.h> 21 1.1 christos #include <string.h> 22 1.1 christos #include <stdio.h> 23 1.1 christos #include <stdarg.h> 24 1.2 christos #include <time.h> 25 1.1 christos 26 1.1 christos #include "xmalloc.h" 27 1.1 christos #include "match.h" 28 1.1 christos #include "log.h" 29 1.1 christos #include "canohost.h" 30 1.1 christos #include "buffer.h" 31 1.1 christos #include "channels.h" 32 1.1 christos #include "servconf.h" 33 1.1 christos #include "misc.h" 34 1.1 christos #include "key.h" 35 1.3 adam #include "auth-options.h" 36 1.1 christos #include "hostfile.h" 37 1.1 christos #include "auth.h" 38 1.1 christos #ifdef GSSAPI 39 1.1 christos #include "ssh-gss.h" 40 1.1 christos #endif 41 1.1 christos #include "monitor_wrap.h" 42 1.1 christos 43 1.1 christos /* Flags set authorized_keys flags */ 44 1.1 christos int no_port_forwarding_flag = 0; 45 1.1 christos int no_agent_forwarding_flag = 0; 46 1.1 christos int no_x11_forwarding_flag = 0; 47 1.1 christos int no_pty_flag = 0; 48 1.1 christos int no_user_rc = 0; 49 1.3 adam int key_is_cert_authority = 0; 50 1.1 christos 51 1.1 christos /* "command=" option. */ 52 1.1 christos char *forced_command = NULL; 53 1.1 christos 54 1.1 christos /* "environment=" options. */ 55 1.1 christos struct envstring *custom_environment = NULL; 56 1.1 christos 57 1.1 christos /* "tunnel=" option. */ 58 1.1 christos int forced_tun_device = -1; 59 1.1 christos 60 1.3 adam /* "principals=" option. */ 61 1.3 adam char *authorized_principals = NULL; 62 1.3 adam 63 1.1 christos extern ServerOptions options; 64 1.1 christos 65 1.1 christos void 66 1.1 christos auth_clear_options(void) 67 1.1 christos { 68 1.1 christos no_agent_forwarding_flag = 0; 69 1.1 christos no_port_forwarding_flag = 0; 70 1.1 christos no_pty_flag = 0; 71 1.1 christos no_x11_forwarding_flag = 0; 72 1.1 christos no_user_rc = 0; 73 1.3 adam key_is_cert_authority = 0; 74 1.1 christos while (custom_environment) { 75 1.1 christos struct envstring *ce = custom_environment; 76 1.1 christos custom_environment = ce->next; 77 1.1 christos xfree(ce->s); 78 1.1 christos xfree(ce); 79 1.1 christos } 80 1.1 christos if (forced_command) { 81 1.1 christos xfree(forced_command); 82 1.1 christos forced_command = NULL; 83 1.1 christos } 84 1.3 adam if (authorized_principals) { 85 1.3 adam xfree(authorized_principals); 86 1.3 adam authorized_principals = NULL; 87 1.3 adam } 88 1.1 christos forced_tun_device = -1; 89 1.1 christos channel_clear_permitted_opens(); 90 1.1 christos } 91 1.1 christos 92 1.1 christos /* 93 1.1 christos * return 1 if access is granted, 0 if not. 94 1.1 christos * side effect: sets key option flags 95 1.1 christos */ 96 1.1 christos int 97 1.4 christos auth_parse_options(struct passwd *pw, const char *opts, const char *file, 98 1.4 christos u_long linenum) 99 1.1 christos { 100 1.1 christos const char *cp; 101 1.1 christos int i; 102 1.1 christos 103 1.1 christos /* reset options */ 104 1.1 christos auth_clear_options(); 105 1.1 christos 106 1.1 christos if (!opts) 107 1.1 christos return 1; 108 1.1 christos 109 1.1 christos while (*opts && *opts != ' ' && *opts != '\t') { 110 1.3 adam cp = "cert-authority"; 111 1.3 adam if (strncasecmp(opts, cp, strlen(cp)) == 0) { 112 1.3 adam key_is_cert_authority = 1; 113 1.3 adam opts += strlen(cp); 114 1.3 adam goto next_option; 115 1.3 adam } 116 1.1 christos cp = "no-port-forwarding"; 117 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 118 1.1 christos auth_debug_add("Port forwarding disabled."); 119 1.1 christos no_port_forwarding_flag = 1; 120 1.1 christos opts += strlen(cp); 121 1.1 christos goto next_option; 122 1.1 christos } 123 1.1 christos cp = "no-agent-forwarding"; 124 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 125 1.1 christos auth_debug_add("Agent forwarding disabled."); 126 1.1 christos no_agent_forwarding_flag = 1; 127 1.1 christos opts += strlen(cp); 128 1.1 christos goto next_option; 129 1.1 christos } 130 1.1 christos cp = "no-X11-forwarding"; 131 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 132 1.1 christos auth_debug_add("X11 forwarding disabled."); 133 1.1 christos no_x11_forwarding_flag = 1; 134 1.1 christos opts += strlen(cp); 135 1.1 christos goto next_option; 136 1.1 christos } 137 1.1 christos cp = "no-pty"; 138 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 139 1.1 christos auth_debug_add("Pty allocation disabled."); 140 1.1 christos no_pty_flag = 1; 141 1.1 christos opts += strlen(cp); 142 1.1 christos goto next_option; 143 1.1 christos } 144 1.1 christos cp = "no-user-rc"; 145 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 146 1.1 christos auth_debug_add("User rc file execution disabled."); 147 1.1 christos no_user_rc = 1; 148 1.1 christos opts += strlen(cp); 149 1.1 christos goto next_option; 150 1.1 christos } 151 1.1 christos cp = "command=\""; 152 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 153 1.1 christos opts += strlen(cp); 154 1.3 adam if (forced_command != NULL) 155 1.3 adam xfree(forced_command); 156 1.1 christos forced_command = xmalloc(strlen(opts) + 1); 157 1.1 christos i = 0; 158 1.1 christos while (*opts) { 159 1.1 christos if (*opts == '"') 160 1.1 christos break; 161 1.1 christos if (*opts == '\\' && opts[1] == '"') { 162 1.1 christos opts += 2; 163 1.1 christos forced_command[i++] = '"'; 164 1.1 christos continue; 165 1.1 christos } 166 1.1 christos forced_command[i++] = *opts++; 167 1.1 christos } 168 1.1 christos if (!*opts) { 169 1.1 christos debug("%.100s, line %lu: missing end quote", 170 1.1 christos file, linenum); 171 1.1 christos auth_debug_add("%.100s, line %lu: missing end quote", 172 1.1 christos file, linenum); 173 1.1 christos xfree(forced_command); 174 1.1 christos forced_command = NULL; 175 1.1 christos goto bad_option; 176 1.1 christos } 177 1.1 christos forced_command[i] = '\0'; 178 1.4 christos auth_debug_add("Forced command."); 179 1.1 christos opts++; 180 1.1 christos goto next_option; 181 1.1 christos } 182 1.3 adam cp = "principals=\""; 183 1.3 adam if (strncasecmp(opts, cp, strlen(cp)) == 0) { 184 1.3 adam opts += strlen(cp); 185 1.3 adam if (authorized_principals != NULL) 186 1.3 adam xfree(authorized_principals); 187 1.3 adam authorized_principals = xmalloc(strlen(opts) + 1); 188 1.3 adam i = 0; 189 1.3 adam while (*opts) { 190 1.3 adam if (*opts == '"') 191 1.3 adam break; 192 1.3 adam if (*opts == '\\' && opts[1] == '"') { 193 1.3 adam opts += 2; 194 1.3 adam authorized_principals[i++] = '"'; 195 1.3 adam continue; 196 1.3 adam } 197 1.3 adam authorized_principals[i++] = *opts++; 198 1.3 adam } 199 1.3 adam if (!*opts) { 200 1.3 adam debug("%.100s, line %lu: missing end quote", 201 1.3 adam file, linenum); 202 1.3 adam auth_debug_add("%.100s, line %lu: missing end quote", 203 1.3 adam file, linenum); 204 1.3 adam xfree(authorized_principals); 205 1.3 adam authorized_principals = NULL; 206 1.3 adam goto bad_option; 207 1.3 adam } 208 1.3 adam authorized_principals[i] = '\0'; 209 1.3 adam auth_debug_add("principals: %.900s", 210 1.3 adam authorized_principals); 211 1.3 adam opts++; 212 1.3 adam goto next_option; 213 1.3 adam } 214 1.1 christos cp = "environment=\""; 215 1.1 christos if (options.permit_user_env && 216 1.1 christos strncasecmp(opts, cp, strlen(cp)) == 0) { 217 1.1 christos char *s; 218 1.1 christos struct envstring *new_envstring; 219 1.1 christos 220 1.1 christos opts += strlen(cp); 221 1.1 christos s = xmalloc(strlen(opts) + 1); 222 1.1 christos i = 0; 223 1.1 christos while (*opts) { 224 1.1 christos if (*opts == '"') 225 1.1 christos break; 226 1.1 christos if (*opts == '\\' && opts[1] == '"') { 227 1.1 christos opts += 2; 228 1.1 christos s[i++] = '"'; 229 1.1 christos continue; 230 1.1 christos } 231 1.1 christos s[i++] = *opts++; 232 1.1 christos } 233 1.1 christos if (!*opts) { 234 1.1 christos debug("%.100s, line %lu: missing end quote", 235 1.1 christos file, linenum); 236 1.1 christos auth_debug_add("%.100s, line %lu: missing end quote", 237 1.1 christos file, linenum); 238 1.1 christos xfree(s); 239 1.1 christos goto bad_option; 240 1.1 christos } 241 1.1 christos s[i] = '\0'; 242 1.1 christos auth_debug_add("Adding to environment: %.900s", s); 243 1.1 christos debug("Adding to environment: %.900s", s); 244 1.1 christos opts++; 245 1.1 christos new_envstring = xmalloc(sizeof(struct envstring)); 246 1.1 christos new_envstring->s = s; 247 1.1 christos new_envstring->next = custom_environment; 248 1.1 christos custom_environment = new_envstring; 249 1.1 christos goto next_option; 250 1.1 christos } 251 1.1 christos cp = "from=\""; 252 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 253 1.1 christos const char *remote_ip = get_remote_ipaddr(); 254 1.1 christos const char *remote_host = get_canonical_hostname( 255 1.1 christos options.use_dns); 256 1.1 christos char *patterns = xmalloc(strlen(opts) + 1); 257 1.1 christos 258 1.1 christos opts += strlen(cp); 259 1.1 christos i = 0; 260 1.1 christos while (*opts) { 261 1.1 christos if (*opts == '"') 262 1.1 christos break; 263 1.1 christos if (*opts == '\\' && opts[1] == '"') { 264 1.1 christos opts += 2; 265 1.1 christos patterns[i++] = '"'; 266 1.1 christos continue; 267 1.1 christos } 268 1.1 christos patterns[i++] = *opts++; 269 1.1 christos } 270 1.1 christos if (!*opts) { 271 1.1 christos debug("%.100s, line %lu: missing end quote", 272 1.1 christos file, linenum); 273 1.1 christos auth_debug_add("%.100s, line %lu: missing end quote", 274 1.1 christos file, linenum); 275 1.1 christos xfree(patterns); 276 1.1 christos goto bad_option; 277 1.1 christos } 278 1.1 christos patterns[i] = '\0'; 279 1.1 christos opts++; 280 1.1 christos switch (match_host_and_ip(remote_host, remote_ip, 281 1.1 christos patterns)) { 282 1.1 christos case 1: 283 1.1 christos xfree(patterns); 284 1.1 christos /* Host name matches. */ 285 1.1 christos goto next_option; 286 1.1 christos case -1: 287 1.1 christos debug("%.100s, line %lu: invalid criteria", 288 1.1 christos file, linenum); 289 1.1 christos auth_debug_add("%.100s, line %lu: " 290 1.1 christos "invalid criteria", file, linenum); 291 1.1 christos /* FALLTHROUGH */ 292 1.1 christos case 0: 293 1.1 christos xfree(patterns); 294 1.1 christos logit("Authentication tried for %.100s with " 295 1.1 christos "correct key but not from a permitted " 296 1.1 christos "host (host=%.200s, ip=%.200s).", 297 1.1 christos pw->pw_name, remote_host, remote_ip); 298 1.1 christos auth_debug_add("Your host '%.200s' is not " 299 1.1 christos "permitted to use this key for login.", 300 1.1 christos remote_host); 301 1.1 christos break; 302 1.1 christos } 303 1.1 christos /* deny access */ 304 1.1 christos return 0; 305 1.1 christos } 306 1.1 christos cp = "permitopen=\""; 307 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 308 1.1 christos char *host, *p; 309 1.1 christos int port; 310 1.1 christos char *patterns = xmalloc(strlen(opts) + 1); 311 1.1 christos 312 1.1 christos opts += strlen(cp); 313 1.1 christos i = 0; 314 1.1 christos while (*opts) { 315 1.1 christos if (*opts == '"') 316 1.1 christos break; 317 1.1 christos if (*opts == '\\' && opts[1] == '"') { 318 1.1 christos opts += 2; 319 1.1 christos patterns[i++] = '"'; 320 1.1 christos continue; 321 1.1 christos } 322 1.1 christos patterns[i++] = *opts++; 323 1.1 christos } 324 1.1 christos if (!*opts) { 325 1.1 christos debug("%.100s, line %lu: missing end quote", 326 1.1 christos file, linenum); 327 1.1 christos auth_debug_add("%.100s, line %lu: missing " 328 1.1 christos "end quote", file, linenum); 329 1.1 christos xfree(patterns); 330 1.1 christos goto bad_option; 331 1.1 christos } 332 1.1 christos patterns[i] = '\0'; 333 1.1 christos opts++; 334 1.1 christos p = patterns; 335 1.1 christos host = hpdelim(&p); 336 1.1 christos if (host == NULL || strlen(host) >= NI_MAXHOST) { 337 1.1 christos debug("%.100s, line %lu: Bad permitopen " 338 1.1 christos "specification <%.100s>", file, linenum, 339 1.1 christos patterns); 340 1.1 christos auth_debug_add("%.100s, line %lu: " 341 1.1 christos "Bad permitopen specification", file, 342 1.1 christos linenum); 343 1.1 christos xfree(patterns); 344 1.1 christos goto bad_option; 345 1.1 christos } 346 1.1 christos host = cleanhostname(host); 347 1.1 christos if (p == NULL || (port = a2port(p)) <= 0) { 348 1.1 christos debug("%.100s, line %lu: Bad permitopen port " 349 1.1 christos "<%.100s>", file, linenum, p ? p : ""); 350 1.1 christos auth_debug_add("%.100s, line %lu: " 351 1.1 christos "Bad permitopen port", file, linenum); 352 1.1 christos xfree(patterns); 353 1.1 christos goto bad_option; 354 1.1 christos } 355 1.1 christos if (options.allow_tcp_forwarding) 356 1.1 christos channel_add_permitted_opens(host, port); 357 1.1 christos xfree(patterns); 358 1.1 christos goto next_option; 359 1.1 christos } 360 1.1 christos cp = "tunnel=\""; 361 1.1 christos if (strncasecmp(opts, cp, strlen(cp)) == 0) { 362 1.1 christos char *tun = NULL; 363 1.1 christos opts += strlen(cp); 364 1.1 christos tun = xmalloc(strlen(opts) + 1); 365 1.1 christos i = 0; 366 1.1 christos while (*opts) { 367 1.1 christos if (*opts == '"') 368 1.1 christos break; 369 1.1 christos tun[i++] = *opts++; 370 1.1 christos } 371 1.1 christos if (!*opts) { 372 1.1 christos debug("%.100s, line %lu: missing end quote", 373 1.1 christos file, linenum); 374 1.1 christos auth_debug_add("%.100s, line %lu: missing end quote", 375 1.1 christos file, linenum); 376 1.1 christos xfree(tun); 377 1.1 christos forced_tun_device = -1; 378 1.1 christos goto bad_option; 379 1.1 christos } 380 1.1 christos tun[i] = '\0'; 381 1.1 christos forced_tun_device = a2tun(tun, NULL); 382 1.1 christos xfree(tun); 383 1.1 christos if (forced_tun_device == SSH_TUNID_ERR) { 384 1.1 christos debug("%.100s, line %lu: invalid tun device", 385 1.1 christos file, linenum); 386 1.1 christos auth_debug_add("%.100s, line %lu: invalid tun device", 387 1.1 christos file, linenum); 388 1.1 christos forced_tun_device = -1; 389 1.1 christos goto bad_option; 390 1.1 christos } 391 1.1 christos auth_debug_add("Forced tun device: %d", forced_tun_device); 392 1.1 christos opts++; 393 1.1 christos goto next_option; 394 1.1 christos } 395 1.1 christos next_option: 396 1.1 christos /* 397 1.1 christos * Skip the comma, and move to the next option 398 1.1 christos * (or break out if there are no more). 399 1.1 christos */ 400 1.1 christos if (!*opts) 401 1.1 christos fatal("Bugs in auth-options.c option processing."); 402 1.1 christos if (*opts == ' ' || *opts == '\t') 403 1.1 christos break; /* End of options. */ 404 1.1 christos if (*opts != ',') 405 1.1 christos goto bad_option; 406 1.1 christos opts++; 407 1.1 christos /* Process the next option. */ 408 1.1 christos } 409 1.1 christos 410 1.1 christos /* grant access */ 411 1.1 christos return 1; 412 1.1 christos 413 1.1 christos bad_option: 414 1.1 christos logit("Bad options in %.100s file, line %lu: %.50s", 415 1.1 christos file, linenum, opts); 416 1.1 christos auth_debug_add("Bad options in %.100s file, line %lu: %.50s", 417 1.1 christos file, linenum, opts); 418 1.1 christos 419 1.3 adam /* deny access */ 420 1.3 adam return 0; 421 1.3 adam } 422 1.3 adam 423 1.3 adam #define OPTIONS_CRITICAL 1 424 1.3 adam #define OPTIONS_EXTENSIONS 2 425 1.3 adam static int 426 1.3 adam parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, 427 1.3 adam u_int which, int crit, 428 1.3 adam int *cert_no_port_forwarding_flag, 429 1.3 adam int *cert_no_agent_forwarding_flag, 430 1.3 adam int *cert_no_x11_forwarding_flag, 431 1.3 adam int *cert_no_pty_flag, 432 1.3 adam int *cert_no_user_rc, 433 1.3 adam char **cert_forced_command, 434 1.3 adam int *cert_source_address_done) 435 1.3 adam { 436 1.3 adam char *command, *allowed; 437 1.3 adam const char *remote_ip; 438 1.3 adam u_char *name = NULL, *data_blob = NULL; 439 1.3 adam u_int nlen, dlen, clen; 440 1.3 adam Buffer c, data; 441 1.3 adam int ret = -1, found; 442 1.3 adam 443 1.3 adam buffer_init(&data); 444 1.3 adam 445 1.3 adam /* Make copy to avoid altering original */ 446 1.3 adam buffer_init(&c); 447 1.3 adam buffer_append(&c, optblob, optblob_len); 448 1.3 adam 449 1.3 adam while (buffer_len(&c) > 0) { 450 1.4 christos if ((name = buffer_get_cstring_ret(&c, &nlen)) == NULL || 451 1.3 adam (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { 452 1.3 adam error("Certificate options corrupt"); 453 1.3 adam goto out; 454 1.3 adam } 455 1.3 adam buffer_append(&data, data_blob, dlen); 456 1.3 adam debug3("found certificate option \"%.100s\" len %u", 457 1.3 adam name, dlen); 458 1.3 adam if (strlen(name) != nlen) { 459 1.3 adam error("Certificate constraint name contains \\0"); 460 1.3 adam goto out; 461 1.3 adam } 462 1.3 adam found = 0; 463 1.3 adam if ((which & OPTIONS_EXTENSIONS) != 0) { 464 1.3 adam if (strcmp(name, "permit-X11-forwarding") == 0) { 465 1.3 adam *cert_no_x11_forwarding_flag = 0; 466 1.3 adam found = 1; 467 1.3 adam } else if (strcmp(name, 468 1.3 adam "permit-agent-forwarding") == 0) { 469 1.3 adam *cert_no_agent_forwarding_flag = 0; 470 1.3 adam found = 1; 471 1.3 adam } else if (strcmp(name, 472 1.3 adam "permit-port-forwarding") == 0) { 473 1.3 adam *cert_no_port_forwarding_flag = 0; 474 1.3 adam found = 1; 475 1.3 adam } else if (strcmp(name, "permit-pty") == 0) { 476 1.3 adam *cert_no_pty_flag = 0; 477 1.3 adam found = 1; 478 1.3 adam } else if (strcmp(name, "permit-user-rc") == 0) { 479 1.3 adam *cert_no_user_rc = 0; 480 1.3 adam found = 1; 481 1.3 adam } 482 1.3 adam } 483 1.3 adam if (!found && (which & OPTIONS_CRITICAL) != 0) { 484 1.3 adam if (strcmp(name, "force-command") == 0) { 485 1.4 christos if ((command = buffer_get_cstring_ret(&data, 486 1.3 adam &clen)) == NULL) { 487 1.3 adam error("Certificate constraint \"%s\" " 488 1.3 adam "corrupt", name); 489 1.3 adam goto out; 490 1.3 adam } 491 1.3 adam if (strlen(command) != clen) { 492 1.3 adam error("force-command constraint " 493 1.3 adam "contains \\0"); 494 1.3 adam goto out; 495 1.3 adam } 496 1.3 adam if (*cert_forced_command != NULL) { 497 1.3 adam error("Certificate has multiple " 498 1.3 adam "force-command options"); 499 1.3 adam xfree(command); 500 1.3 adam goto out; 501 1.3 adam } 502 1.3 adam *cert_forced_command = command; 503 1.3 adam found = 1; 504 1.3 adam } 505 1.3 adam if (strcmp(name, "source-address") == 0) { 506 1.4 christos if ((allowed = buffer_get_cstring_ret(&data, 507 1.3 adam &clen)) == NULL) { 508 1.3 adam error("Certificate constraint " 509 1.3 adam "\"%s\" corrupt", name); 510 1.3 adam goto out; 511 1.3 adam } 512 1.3 adam if (strlen(allowed) != clen) { 513 1.3 adam error("source-address constraint " 514 1.3 adam "contains \\0"); 515 1.3 adam goto out; 516 1.3 adam } 517 1.3 adam if ((*cert_source_address_done)++) { 518 1.3 adam error("Certificate has multiple " 519 1.3 adam "source-address options"); 520 1.3 adam xfree(allowed); 521 1.3 adam goto out; 522 1.3 adam } 523 1.3 adam remote_ip = get_remote_ipaddr(); 524 1.3 adam switch (addr_match_cidr_list(remote_ip, 525 1.3 adam allowed)) { 526 1.3 adam case 1: 527 1.3 adam /* accepted */ 528 1.3 adam xfree(allowed); 529 1.3 adam break; 530 1.3 adam case 0: 531 1.3 adam /* no match */ 532 1.3 adam logit("Authentication tried for %.100s " 533 1.3 adam "with valid certificate but not " 534 1.3 adam "from a permitted host " 535 1.3 adam "(ip=%.200s).", pw->pw_name, 536 1.3 adam remote_ip); 537 1.3 adam auth_debug_add("Your address '%.200s' " 538 1.3 adam "is not permitted to use this " 539 1.3 adam "certificate for login.", 540 1.3 adam remote_ip); 541 1.3 adam xfree(allowed); 542 1.3 adam goto out; 543 1.3 adam case -1: 544 1.3 adam error("Certificate source-address " 545 1.3 adam "contents invalid"); 546 1.3 adam xfree(allowed); 547 1.3 adam goto out; 548 1.3 adam } 549 1.3 adam found = 1; 550 1.3 adam } 551 1.3 adam } 552 1.3 adam 553 1.3 adam if (!found) { 554 1.3 adam if (crit) { 555 1.3 adam error("Certificate critical option \"%s\" " 556 1.3 adam "is not supported", name); 557 1.3 adam goto out; 558 1.3 adam } else { 559 1.3 adam logit("Certificate extension \"%s\" " 560 1.3 adam "is not supported", name); 561 1.3 adam } 562 1.3 adam } else if (buffer_len(&data) != 0) { 563 1.3 adam error("Certificate option \"%s\" corrupt " 564 1.3 adam "(extra data)", name); 565 1.3 adam goto out; 566 1.3 adam } 567 1.3 adam buffer_clear(&data); 568 1.3 adam xfree(name); 569 1.3 adam xfree(data_blob); 570 1.3 adam name = data_blob = NULL; 571 1.3 adam } 572 1.3 adam /* successfully parsed all options */ 573 1.3 adam ret = 0; 574 1.3 adam 575 1.3 adam out: 576 1.3 adam if (ret != 0 && 577 1.3 adam cert_forced_command != NULL && 578 1.3 adam *cert_forced_command != NULL) { 579 1.3 adam xfree(*cert_forced_command); 580 1.3 adam *cert_forced_command = NULL; 581 1.3 adam } 582 1.3 adam if (name != NULL) 583 1.3 adam xfree(name); 584 1.3 adam if (data_blob != NULL) 585 1.3 adam xfree(data_blob); 586 1.3 adam buffer_free(&data); 587 1.3 adam buffer_free(&c); 588 1.3 adam return ret; 589 1.3 adam } 590 1.3 adam 591 1.3 adam /* 592 1.3 adam * Set options from critical certificate options. These supersede user key 593 1.3 adam * options so this must be called after auth_parse_options(). 594 1.3 adam */ 595 1.3 adam int 596 1.3 adam auth_cert_options(Key *k, struct passwd *pw) 597 1.3 adam { 598 1.3 adam int cert_no_port_forwarding_flag = 1; 599 1.3 adam int cert_no_agent_forwarding_flag = 1; 600 1.3 adam int cert_no_x11_forwarding_flag = 1; 601 1.3 adam int cert_no_pty_flag = 1; 602 1.3 adam int cert_no_user_rc = 1; 603 1.3 adam char *cert_forced_command = NULL; 604 1.3 adam int cert_source_address_done = 0; 605 1.3 adam 606 1.3 adam if (key_cert_is_legacy(k)) { 607 1.3 adam /* All options are in the one field for v00 certs */ 608 1.3 adam if (parse_option_list(buffer_ptr(&k->cert->critical), 609 1.3 adam buffer_len(&k->cert->critical), pw, 610 1.3 adam OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1, 611 1.3 adam &cert_no_port_forwarding_flag, 612 1.3 adam &cert_no_agent_forwarding_flag, 613 1.3 adam &cert_no_x11_forwarding_flag, 614 1.3 adam &cert_no_pty_flag, 615 1.3 adam &cert_no_user_rc, 616 1.3 adam &cert_forced_command, 617 1.3 adam &cert_source_address_done) == -1) 618 1.3 adam return -1; 619 1.3 adam } else { 620 1.3 adam /* Separate options and extensions for v01 certs */ 621 1.3 adam if (parse_option_list(buffer_ptr(&k->cert->critical), 622 1.3 adam buffer_len(&k->cert->critical), pw, 623 1.3 adam OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, 624 1.3 adam &cert_forced_command, 625 1.3 adam &cert_source_address_done) == -1) 626 1.3 adam return -1; 627 1.3 adam if (parse_option_list(buffer_ptr(&k->cert->extensions), 628 1.3 adam buffer_len(&k->cert->extensions), pw, 629 1.3 adam OPTIONS_EXTENSIONS, 1, 630 1.3 adam &cert_no_port_forwarding_flag, 631 1.3 adam &cert_no_agent_forwarding_flag, 632 1.3 adam &cert_no_x11_forwarding_flag, 633 1.3 adam &cert_no_pty_flag, 634 1.3 adam &cert_no_user_rc, 635 1.3 adam NULL, NULL) == -1) 636 1.3 adam return -1; 637 1.3 adam } 638 1.1 christos 639 1.3 adam no_port_forwarding_flag |= cert_no_port_forwarding_flag; 640 1.3 adam no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; 641 1.3 adam no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; 642 1.3 adam no_pty_flag |= cert_no_pty_flag; 643 1.3 adam no_user_rc |= cert_no_user_rc; 644 1.3 adam /* CA-specified forced command supersedes key option */ 645 1.3 adam if (cert_forced_command != NULL) { 646 1.3 adam if (forced_command != NULL) 647 1.3 adam xfree(forced_command); 648 1.3 adam forced_command = cert_forced_command; 649 1.3 adam } 650 1.1 christos return 0; 651 1.1 christos } 652 1.3 adam 653
Indexes created Fri Apr 24 00:22:58 UTC 2026