1 /* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
23 #include "openbsd-compat/sys-queue.h"
25 #include "key.h" /* XXX for typedef */
26 #include "buffer.h" /* XXX for typedef */
38 #include "auth-options.h"
42 /* Flags set authorized_keys flags */
43 int no_port_forwarding_flag
= 0;
44 int no_agent_forwarding_flag
= 0;
45 int no_x11_forwarding_flag
= 0;
48 int key_is_cert_authority
= 0;
50 /* "command=" option. */
51 char *forced_command
= NULL
;
53 /* "environment=" options. */
54 struct envstring
*custom_environment
= NULL
;
56 /* "tunnel=" option. */
57 int forced_tun_device
= -1;
59 /* "principals=" option. */
60 char *authorized_principals
= NULL
;
62 extern ServerOptions options
;
65 auth_clear_options(void)
67 no_agent_forwarding_flag
= 0;
68 no_port_forwarding_flag
= 0;
70 no_x11_forwarding_flag
= 0;
72 key_is_cert_authority
= 0;
73 while (custom_environment
) {
74 struct envstring
*ce
= custom_environment
;
75 custom_environment
= ce
->next
;
80 forced_command
= NULL
;
81 free(authorized_principals
);
82 authorized_principals
= NULL
;
83 forced_tun_device
= -1;
84 channel_clear_permitted_opens();
88 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
89 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
90 * if negated option matches.
91 * If the option or negated option matches, then *optsp is updated to
92 * point to the first character after the option and, if 'msg' is not NULL
93 * then a message based on it added via auth_debug_add().
96 match_flag(const char *opt
, int allow_negate
, char **optsp
, const char *msg
)
98 size_t opt_len
= strlen(opt
);
102 if (allow_negate
&& strncasecmp(opts
, "no-", 3) == 0) {
106 if (strncasecmp(opts
, opt
, opt_len
) == 0) {
107 *optsp
= opts
+ opt_len
;
109 auth_debug_add("%s %s.", msg
,
110 negate
? "disabled" : "enabled");
112 return negate
? 0 : 1;
118 * return 1 if access is granted, 0 if not.
119 * side effect: sets key option flags
122 auth_parse_options(struct passwd
*pw
, char *opts
, char *file
, u_long linenum
)
124 struct ssh
*ssh
= active_state
; /* XXX */
129 auth_clear_options();
134 while (*opts
&& *opts
!= ' ' && *opts
!= '\t') {
135 if ((r
= match_flag("cert-authority", 0, &opts
, NULL
)) != -1) {
136 key_is_cert_authority
= r
;
139 if ((r
= match_flag("restrict", 0, &opts
, NULL
)) != -1) {
140 auth_debug_add("Key is restricted.");
141 no_port_forwarding_flag
= 1;
142 no_agent_forwarding_flag
= 1;
143 no_x11_forwarding_flag
= 1;
148 if ((r
= match_flag("port-forwarding", 1, &opts
,
149 "Port forwarding")) != -1) {
150 no_port_forwarding_flag
= r
!= 1;
153 if ((r
= match_flag("agent-forwarding", 1, &opts
,
154 "Agent forwarding")) != -1) {
155 no_agent_forwarding_flag
= r
!= 1;
158 if ((r
= match_flag("x11-forwarding", 1, &opts
,
159 "X11 forwarding")) != -1) {
160 no_x11_forwarding_flag
= r
!= 1;
163 if ((r
= match_flag("pty", 1, &opts
,
164 "PTY allocation")) != -1) {
165 no_pty_flag
= r
!= 1;
168 if ((r
= match_flag("user-rc", 1, &opts
,
169 "User rc execution")) != -1) {
174 if (strncasecmp(opts
, cp
, strlen(cp
)) == 0) {
176 free(forced_command
);
177 forced_command
= xmalloc(strlen(opts
) + 1);
182 if (*opts
== '\\' && opts
[1] == '"') {
184 forced_command
[i
++] = '"';
187 forced_command
[i
++] = *opts
++;
190 debug("%.100s, line %lu: missing end quote",
192 auth_debug_add("%.100s, line %lu: missing end quote",
194 free(forced_command
);
195 forced_command
= NULL
;
198 forced_command
[i
] = '\0';
199 auth_debug_add("Forced command.");
203 cp
= "principals=\"";
204 if (strncasecmp(opts
, cp
, strlen(cp
)) == 0) {
206 free(authorized_principals
);
207 authorized_principals
= xmalloc(strlen(opts
) + 1);
212 if (*opts
== '\\' && opts
[1] == '"') {
214 authorized_principals
[i
++] = '"';
217 authorized_principals
[i
++] = *opts
++;
220 debug("%.100s, line %lu: missing end quote",
222 auth_debug_add("%.100s, line %lu: missing end quote",
224 free(authorized_principals
);
225 authorized_principals
= NULL
;
228 authorized_principals
[i
] = '\0';
229 auth_debug_add("principals: %.900s",
230 authorized_principals
);
234 cp
= "environment=\"";
235 if (strncasecmp(opts
, cp
, strlen(cp
)) == 0) {
237 struct envstring
*new_envstring
;
240 s
= xmalloc(strlen(opts
) + 1);
245 if (*opts
== '\\' && opts
[1] == '"') {
253 debug("%.100s, line %lu: missing end quote",
255 auth_debug_add("%.100s, line %lu: missing end quote",
262 if (options
.permit_user_env
) {
263 auth_debug_add("Adding to environment: "
265 debug("Adding to environment: %.900s", s
);
266 new_envstring
= xcalloc(1,
267 sizeof(*new_envstring
));
268 new_envstring
->s
= s
;
269 new_envstring
->next
= custom_environment
;
270 custom_environment
= new_envstring
;
277 if (strncasecmp(opts
, cp
, strlen(cp
)) == 0) {
278 const char *remote_ip
= ssh_remote_ipaddr(ssh
);
279 const char *remote_host
= auth_get_canonical_hostname(
280 ssh
, options
.use_dns
);
281 char *patterns
= xmalloc(strlen(opts
) + 1);
288 if (*opts
== '\\' && opts
[1] == '"') {
293 patterns
[i
++] = *opts
++;
296 debug("%.100s, line %lu: missing end quote",
298 auth_debug_add("%.100s, line %lu: missing end quote",
305 switch (match_host_and_ip(remote_host
, remote_ip
,
309 /* Host name matches. */
312 debug("%.100s, line %lu: invalid criteria",
314 auth_debug_add("%.100s, line %lu: "
315 "invalid criteria", file
, linenum
);
319 logit("Authentication tried for %.100s with "
320 "correct key but not from a permitted "
321 "host (host=%.200s, ip=%.200s).",
322 pw
->pw_name
, remote_host
, remote_ip
);
323 auth_debug_add("Your host '%.200s' is not "
324 "permitted to use this key for login.",
331 cp
= "permitopen=\"";
332 if (strncasecmp(opts
, cp
, strlen(cp
)) == 0) {
335 char *patterns
= xmalloc(strlen(opts
) + 1);
342 if (*opts
== '\\' && opts
[1] == '"') {
347 patterns
[i
++] = *opts
++;
350 debug("%.100s, line %lu: missing end quote",
352 auth_debug_add("%.100s, line %lu: missing "
353 "end quote", file
, linenum
);
360 /* XXX - add streamlocal support */
362 if (host
== NULL
|| strlen(host
) >= NI_MAXHOST
) {
363 debug("%.100s, line %lu: Bad permitopen "
364 "specification <%.100s>", file
, linenum
,
366 auth_debug_add("%.100s, line %lu: "
367 "Bad permitopen specification", file
,
372 host
= cleanhostname(host
);
373 if (p
== NULL
|| (port
= permitopen_port(p
)) < 0) {
374 debug("%.100s, line %lu: Bad permitopen port "
375 "<%.100s>", file
, linenum
, p
? p
: "");
376 auth_debug_add("%.100s, line %lu: "
377 "Bad permitopen port", file
, linenum
);
381 if ((options
.allow_tcp_forwarding
& FORWARD_LOCAL
) != 0)
382 channel_add_permitted_opens(host
, port
);
387 if (strncasecmp(opts
, cp
, strlen(cp
)) == 0) {
390 tun
= xmalloc(strlen(opts
) + 1);
398 debug("%.100s, line %lu: missing end quote",
400 auth_debug_add("%.100s, line %lu: missing end quote",
403 forced_tun_device
= -1;
407 forced_tun_device
= a2tun(tun
, NULL
);
409 if (forced_tun_device
== SSH_TUNID_ERR
) {
410 debug("%.100s, line %lu: invalid tun device",
412 auth_debug_add("%.100s, line %lu: invalid tun device",
414 forced_tun_device
= -1;
417 auth_debug_add("Forced tun device: %d", forced_tun_device
);
423 * Skip the comma, and move to the next option
424 * (or break out if there are no more).
427 fatal("Bugs in auth-options.c option processing.");
428 if (*opts
== ' ' || *opts
== '\t')
429 break; /* End of options. */
433 /* Process the next option. */
440 logit("Bad options in %.100s file, line %lu: %.50s",
441 file
, linenum
, opts
);
442 auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
443 file
, linenum
, opts
);
449 #define OPTIONS_CRITICAL 1
450 #define OPTIONS_EXTENSIONS 2
452 parse_option_list(struct sshbuf
*oblob
, struct passwd
*pw
,
453 u_int which
, int crit
,
454 int *cert_no_port_forwarding_flag
,
455 int *cert_no_agent_forwarding_flag
,
456 int *cert_no_x11_forwarding_flag
,
457 int *cert_no_pty_flag
,
458 int *cert_no_user_rc
,
459 char **cert_forced_command
,
460 int *cert_source_address_done
)
462 struct ssh
*ssh
= active_state
; /* XXX */
463 char *command
, *allowed
;
464 const char *remote_ip
;
466 struct sshbuf
*c
= NULL
, *data
= NULL
;
467 int r
, ret
= -1, result
, found
;
469 if ((c
= sshbuf_fromb(oblob
)) == NULL
) {
470 error("%s: sshbuf_fromb failed", __func__
);
474 while (sshbuf_len(c
) > 0) {
477 if ((r
= sshbuf_get_cstring(c
, &name
, NULL
)) != 0 ||
478 (r
= sshbuf_froms(c
, &data
)) != 0) {
479 error("Unable to parse certificate options: %s",
483 debug3("found certificate option \"%.100s\" len %zu",
484 name
, sshbuf_len(data
));
486 if ((which
& OPTIONS_EXTENSIONS
) != 0) {
487 if (strcmp(name
, "permit-X11-forwarding") == 0) {
488 *cert_no_x11_forwarding_flag
= 0;
490 } else if (strcmp(name
,
491 "permit-agent-forwarding") == 0) {
492 *cert_no_agent_forwarding_flag
= 0;
494 } else if (strcmp(name
,
495 "permit-port-forwarding") == 0) {
496 *cert_no_port_forwarding_flag
= 0;
498 } else if (strcmp(name
, "permit-pty") == 0) {
499 *cert_no_pty_flag
= 0;
501 } else if (strcmp(name
, "permit-user-rc") == 0) {
502 *cert_no_user_rc
= 0;
506 if (!found
&& (which
& OPTIONS_CRITICAL
) != 0) {
507 if (strcmp(name
, "force-command") == 0) {
508 if ((r
= sshbuf_get_cstring(data
, &command
,
510 error("Unable to parse \"%s\" "
511 "section: %s", name
, ssh_err(r
));
514 if (*cert_forced_command
!= NULL
) {
515 error("Certificate has multiple "
516 "force-command options");
520 *cert_forced_command
= command
;
523 if (strcmp(name
, "source-address") == 0) {
524 if ((r
= sshbuf_get_cstring(data
, &allowed
,
526 error("Unable to parse \"%s\" "
527 "section: %s", name
, ssh_err(r
));
530 if ((*cert_source_address_done
)++) {
531 error("Certificate has multiple "
532 "source-address options");
536 remote_ip
= ssh_remote_ipaddr(ssh
);
537 result
= addr_match_cidr_list(remote_ip
,
546 logit("Authentication tried for %.100s "
547 "with valid certificate but not "
548 "from a permitted host "
549 "(ip=%.200s).", pw
->pw_name
,
551 auth_debug_add("Your address '%.200s' "
552 "is not permitted to use this "
553 "certificate for login.",
558 error("Certificate source-address "
568 error("Certificate critical option \"%s\" "
569 "is not supported", name
);
572 logit("Certificate extension \"%s\" "
573 "is not supported", name
);
575 } else if (sshbuf_len(data
) != 0) {
576 error("Certificate option \"%s\" corrupt "
577 "(extra data)", name
);
583 /* successfully parsed all options */
588 cert_forced_command
!= NULL
&&
589 *cert_forced_command
!= NULL
) {
590 free(*cert_forced_command
);
591 *cert_forced_command
= NULL
;
600 * Set options from critical certificate options. These supersede user key
601 * options so this must be called after auth_parse_options().
604 auth_cert_options(struct sshkey
*k
, struct passwd
*pw
)
606 int cert_no_port_forwarding_flag
= 1;
607 int cert_no_agent_forwarding_flag
= 1;
608 int cert_no_x11_forwarding_flag
= 1;
609 int cert_no_pty_flag
= 1;
610 int cert_no_user_rc
= 1;
611 char *cert_forced_command
= NULL
;
612 int cert_source_address_done
= 0;
614 /* Separate options and extensions for v01 certs */
615 if (parse_option_list(k
->cert
->critical
, pw
,
616 OPTIONS_CRITICAL
, 1, NULL
, NULL
, NULL
, NULL
, NULL
,
617 &cert_forced_command
,
618 &cert_source_address_done
) == -1)
620 if (parse_option_list(k
->cert
->extensions
, pw
,
621 OPTIONS_EXTENSIONS
, 0,
622 &cert_no_port_forwarding_flag
,
623 &cert_no_agent_forwarding_flag
,
624 &cert_no_x11_forwarding_flag
,
630 no_port_forwarding_flag
|= cert_no_port_forwarding_flag
;
631 no_agent_forwarding_flag
|= cert_no_agent_forwarding_flag
;
632 no_x11_forwarding_flag
|= cert_no_x11_forwarding_flag
;
633 no_pty_flag
|= cert_no_pty_flag
;
634 no_user_rc
|= cert_no_user_rc
;
635 /* CA-specified forced command supersedes key option */
636 if (cert_forced_command
!= NULL
) {
637 free(forced_command
);
638 forced_command
= cert_forced_command
;