search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pfctl: Match prototype of pfctl_load_hostid.
[freebsd-src.git] / crypto / openssh / auth-options.c
blobedbaf80bbf0921b6597eb28c131e8fbef18a72ab
1 /* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
2 /*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13 #include "includes.h"
14
15 #include <sys/types.h>
16
17 #include <netdb.h>
18 #include <pwd.h>
19 #include <string.h>
20 #include <stdio.h>
21 #include <stdarg.h>
22
23 #include "openbsd-compat/sys-queue.h"
24
25 #include "key.h" /* XXX for typedef */
26 #include "buffer.h" /* XXX for typedef */
27 #include "xmalloc.h"
28 #include "match.h"
29 #include "ssherr.h"
30 #include "log.h"
31 #include "canohost.h"
32 #include "sshbuf.h"
33 #include "misc.h"
34 #include "channels.h"
35 #include "servconf.h"
36 #include "sshkey.h"
37 #include "auth-options.h"
38 #include "hostfile.h"
39 #include "auth.h"
40
41 /* Flags set authorized_keys flags */
42 int no_port_forwarding_flag = 0;
43 int no_agent_forwarding_flag = 0;
44 int no_x11_forwarding_flag = 0;
45 int no_pty_flag = 0;
46 int no_user_rc = 0;
47 int key_is_cert_authority = 0;
48
49 /* "command=" option. */
50 char *forced_command = NULL;
51
52 /* "environment=" options. */
53 struct envstring *custom_environment = NULL;
54
55 /* "tunnel=" option. */
56 int forced_tun_device = -1;
57
58 /* "principals=" option. */
59 char *authorized_principals = NULL;
60
61 extern ServerOptions options;
62
63 void
64 auth_clear_options(void)
65 {
66 no_agent_forwarding_flag = 0;
67 no_port_forwarding_flag = 0;
68 no_pty_flag = 0;
69 no_x11_forwarding_flag = 0;
70 no_user_rc = 0;
71 key_is_cert_authority = 0;
72 while (custom_environment) {
73 struct envstring *ce = custom_environment;
74 custom_environment = ce->next;
75 free(ce->s);
76 free(ce);
77 }
78 free(forced_command);
79 forced_command = NULL;
80 free(authorized_principals);
81 authorized_principals = NULL;
82 forced_tun_device = -1;
83 channel_clear_permitted_opens();
84 }
85
86 /*
87 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
88 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
89 * if negated option matches.
90 * If the option or negated option matches, then *optsp is updated to
91 * point to the first character after the option and, if 'msg' is not NULL
92 * then a message based on it added via auth_debug_add().
93 */
94 static int
95 match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
96 {
97 size_t opt_len = strlen(opt);
98 char *opts = *optsp;
99 int negate = 0;
100
101 if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
102 opts += 3;
103 negate = 1;
104 }
105 if (strncasecmp(opts, opt, opt_len) == 0) {
106 *optsp = opts + opt_len;
107 if (msg != NULL) {
108 auth_debug_add("%s %s.", msg,
109 negate ? "disabled" : "enabled");
110 }
111 return negate ? 0 : 1;
112 }
113 return -1;
114 }
115
116 /*
117 * return 1 if access is granted, 0 if not.
118 * side effect: sets key option flags
119 */
120 int
121 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
122 {
123 const char *cp;
124 int i, r;
125
126 /* reset options */
127 auth_clear_options();
128
129 if (!opts)
130 return 1;
131
132 while (*opts && *opts != ' ' && *opts != '\t') {
133 if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
134 key_is_cert_authority = r;
135 goto next_option;
136 }
137 if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
138 auth_debug_add("Key is restricted.");
139 no_port_forwarding_flag = 1;
140 no_agent_forwarding_flag = 1;
141 no_x11_forwarding_flag = 1;
142 no_pty_flag = 1;
143 no_user_rc = 1;
144 goto next_option;
145 }
146 if ((r = match_flag("port-forwarding", 1, &opts,
147 "Port forwarding")) != -1) {
148 no_port_forwarding_flag = r != 1;
149 goto next_option;
150 }
151 if ((r = match_flag("agent-forwarding", 1, &opts,
152 "Agent forwarding")) != -1) {
153 no_agent_forwarding_flag = r != 1;
154 goto next_option;
155 }
156 if ((r = match_flag("x11-forwarding", 1, &opts,
157 "X11 forwarding")) != -1) {
158 no_x11_forwarding_flag = r != 1;
159 goto next_option;
160 }
161 if ((r = match_flag("pty", 1, &opts,
162 "PTY allocation")) != -1) {
163 no_pty_flag = r != 1;
164 goto next_option;
165 }
166 if ((r = match_flag("user-rc", 1, &opts,
167 "User rc execution")) != -1) {
168 no_user_rc = r != 1;
169 goto next_option;
170 }
171 cp = "command=\"";
172 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
173 opts += strlen(cp);
174 free(forced_command);
175 forced_command = xmalloc(strlen(opts) + 1);
176 i = 0;
177 while (*opts) {
178 if (*opts == '"')
179 break;
180 if (*opts == '\\' && opts[1] == '"') {
181 opts += 2;
182 forced_command[i++] = '"';
183 continue;
184 }
185 forced_command[i++] = *opts++;
186 }
187 if (!*opts) {
188 debug("%.100s, line %lu: missing end quote",
189 file, linenum);
190 auth_debug_add("%.100s, line %lu: missing end quote",
191 file, linenum);
192 free(forced_command);
193 forced_command = NULL;
194 goto bad_option;
195 }
196 forced_command[i] = '\0';
197 auth_debug_add("Forced command.");
198 opts++;
199 goto next_option;
200 }
201 cp = "principals=\"";
202 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
203 opts += strlen(cp);
204 free(authorized_principals);
205 authorized_principals = xmalloc(strlen(opts) + 1);
206 i = 0;
207 while (*opts) {
208 if (*opts == '"')
209 break;
210 if (*opts == '\\' && opts[1] == '"') {
211 opts += 2;
212 authorized_principals[i++] = '"';
213 continue;
214 }
215 authorized_principals[i++] = *opts++;
216 }
217 if (!*opts) {
218 debug("%.100s, line %lu: missing end quote",
219 file, linenum);
220 auth_debug_add("%.100s, line %lu: missing end quote",
221 file, linenum);
222 free(authorized_principals);
223 authorized_principals = NULL;
224 goto bad_option;
225 }
226 authorized_principals[i] = '\0';
227 auth_debug_add("principals: %.900s",
228 authorized_principals);
229 opts++;
230 goto next_option;
231 }
232 cp = "environment=\"";
233 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
234 char *s;
235 struct envstring *new_envstring;
236
237 opts += strlen(cp);
238 s = xmalloc(strlen(opts) + 1);
239 i = 0;
240 while (*opts) {
241 if (*opts == '"')
242 break;
243 if (*opts == '\\' && opts[1] == '"') {
244 opts += 2;
245 s[i++] = '"';
246 continue;
247 }
248 s[i++] = *opts++;
249 }
250 if (!*opts) {
251 debug("%.100s, line %lu: missing end quote",
252 file, linenum);
253 auth_debug_add("%.100s, line %lu: missing end quote",
254 file, linenum);
255 free(s);
256 goto bad_option;
257 }
258 s[i] = '\0';
259 opts++;
260 if (options.permit_user_env) {
261 auth_debug_add("Adding to environment: "
262 "%.900s", s);
263 debug("Adding to environment: %.900s", s);
264 new_envstring = xcalloc(1,
265 sizeof(*new_envstring));
266 new_envstring->s = s;
267 new_envstring->next = custom_environment;
268 custom_environment = new_envstring;
269 s = NULL;
270 }
271 free(s);
272 goto next_option;
273 }
274 cp = "from=\"";
275 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
276 const char *remote_ip = get_remote_ipaddr();
277 const char *remote_host = get_canonical_hostname(
278 options.use_dns);
279 char *patterns = xmalloc(strlen(opts) + 1);
280
281 opts += strlen(cp);
282 i = 0;
283 while (*opts) {
284 if (*opts == '"')
285 break;
286 if (*opts == '\\' && opts[1] == '"') {
287 opts += 2;
288 patterns[i++] = '"';
289 continue;
290 }
291 patterns[i++] = *opts++;
292 }
293 if (!*opts) {
294 debug("%.100s, line %lu: missing end quote",
295 file, linenum);
296 auth_debug_add("%.100s, line %lu: missing end quote",
297 file, linenum);
298 free(patterns);
299 goto bad_option;
300 }
301 patterns[i] = '\0';
302 opts++;
303 switch (match_host_and_ip(remote_host, remote_ip,
304 patterns)) {
305 case 1:
306 free(patterns);
307 /* Host name matches. */
308 goto next_option;
309 case -1:
310 debug("%.100s, line %lu: invalid criteria",
311 file, linenum);
312 auth_debug_add("%.100s, line %lu: "
313 "invalid criteria", file, linenum);
314 /* FALLTHROUGH */
315 case 0:
316 free(patterns);
317 logit("Authentication tried for %.100s with "
318 "correct key but not from a permitted "
319 "host (host=%.200s, ip=%.200s).",
320 pw->pw_name, remote_host, remote_ip);
321 auth_debug_add("Your host '%.200s' is not "
322 "permitted to use this key for login.",
323 remote_host);
324 break;
325 }
326 /* deny access */
327 return 0;
328 }
329 cp = "permitopen=\"";
330 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
331 char *host, *p;
332 int port;
333 char *patterns = xmalloc(strlen(opts) + 1);
334
335 opts += strlen(cp);
336 i = 0;
337 while (*opts) {
338 if (*opts == '"')
339 break;
340 if (*opts == '\\' && opts[1] == '"') {
341 opts += 2;
342 patterns[i++] = '"';
343 continue;
344 }
345 patterns[i++] = *opts++;
346 }
347 if (!*opts) {
348 debug("%.100s, line %lu: missing end quote",
349 file, linenum);
350 auth_debug_add("%.100s, line %lu: missing "
351 "end quote", file, linenum);
352 free(patterns);
353 goto bad_option;
354 }
355 patterns[i] = '\0';
356 opts++;
357 p = patterns;
358 /* XXX - add streamlocal support */
359 host = hpdelim(&p);
360 if (host == NULL || strlen(host) >= NI_MAXHOST) {
361 debug("%.100s, line %lu: Bad permitopen "
362 "specification <%.100s>", file, linenum,
363 patterns);
364 auth_debug_add("%.100s, line %lu: "
365 "Bad permitopen specification", file,
366 linenum);
367 free(patterns);
368 goto bad_option;
369 }
370 host = cleanhostname(host);
371 if (p == NULL || (port = permitopen_port(p)) < 0) {
372 debug("%.100s, line %lu: Bad permitopen port "
373 "<%.100s>", file, linenum, p ? p : "");
374 auth_debug_add("%.100s, line %lu: "
375 "Bad permitopen port", file, linenum);
376 free(patterns);
377 goto bad_option;
378 }
379 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
380 channel_add_permitted_opens(host, port);
381 free(patterns);
382 goto next_option;
383 }
384 cp = "tunnel=\"";
385 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
386 char *tun = NULL;
387 opts += strlen(cp);
388 tun = xmalloc(strlen(opts) + 1);
389 i = 0;
390 while (*opts) {
391 if (*opts == '"')
392 break;
393 tun[i++] = *opts++;
394 }
395 if (!*opts) {
396 debug("%.100s, line %lu: missing end quote",
397 file, linenum);
398 auth_debug_add("%.100s, line %lu: missing end quote",
399 file, linenum);
400 free(tun);
401 forced_tun_device = -1;
402 goto bad_option;
403 }
404 tun[i] = '\0';
405 forced_tun_device = a2tun(tun, NULL);
406 free(tun);
407 if (forced_tun_device == SSH_TUNID_ERR) {
408 debug("%.100s, line %lu: invalid tun device",
409 file, linenum);
410 auth_debug_add("%.100s, line %lu: invalid tun device",
411 file, linenum);
412 forced_tun_device = -1;
413 goto bad_option;
414 }
415 auth_debug_add("Forced tun device: %d", forced_tun_device);
416 opts++;
417 goto next_option;
418 }
419 next_option:
420 /*
421 * Skip the comma, and move to the next option
422 * (or break out if there are no more).
423 */
424 if (!*opts)
425 fatal("Bugs in auth-options.c option processing.");
426 if (*opts == ' ' || *opts == '\t')
427 break; /* End of options. */
428 if (*opts != ',')
429 goto bad_option;
430 opts++;
431 /* Process the next option. */
432 }
433
434 /* grant access */
435 return 1;
436
437 bad_option:
438 logit("Bad options in %.100s file, line %lu: %.50s",
439 file, linenum, opts);
440 auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
441 file, linenum, opts);
442
443 /* deny access */
444 return 0;
445 }
446
447 #define OPTIONS_CRITICAL 1
448 #define OPTIONS_EXTENSIONS 2
449 static int
450 parse_option_list(struct sshbuf *oblob, struct passwd *pw,
451 u_int which, int crit,
452 int *cert_no_port_forwarding_flag,
453 int *cert_no_agent_forwarding_flag,
454 int *cert_no_x11_forwarding_flag,
455 int *cert_no_pty_flag,
456 int *cert_no_user_rc,
457 char **cert_forced_command,
458 int *cert_source_address_done)
459 {
460 char *command, *allowed;
461 const char *remote_ip;
462 char *name = NULL;
463 struct sshbuf *c = NULL, *data = NULL;
464 int r, ret = -1, result, found;
465
466 if ((c = sshbuf_fromb(oblob)) == NULL) {
467 error("%s: sshbuf_fromb failed", __func__);
468 goto out;
469 }
470
471 while (sshbuf_len(c) > 0) {
472 sshbuf_free(data);
473 data = NULL;
474 if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
475 (r = sshbuf_froms(c, &data)) != 0) {
476 error("Unable to parse certificate options: %s",
477 ssh_err(r));
478 goto out;
479 }
480 debug3("found certificate option \"%.100s\" len %zu",
481 name, sshbuf_len(data));
482 found = 0;
483 if ((which & OPTIONS_EXTENSIONS) != 0) {
484 if (strcmp(name, "permit-X11-forwarding") == 0) {
485 *cert_no_x11_forwarding_flag = 0;
486 found = 1;
487 } else if (strcmp(name,
488 "permit-agent-forwarding") == 0) {
489 *cert_no_agent_forwarding_flag = 0;
490 found = 1;
491 } else if (strcmp(name,
492 "permit-port-forwarding") == 0) {
493 *cert_no_port_forwarding_flag = 0;
494 found = 1;
495 } else if (strcmp(name, "permit-pty") == 0) {
496 *cert_no_pty_flag = 0;
497 found = 1;
498 } else if (strcmp(name, "permit-user-rc") == 0) {
499 *cert_no_user_rc = 0;
500 found = 1;
501 }
502 }
503 if (!found && (which & OPTIONS_CRITICAL) != 0) {
504 if (strcmp(name, "force-command") == 0) {
505 if ((r = sshbuf_get_cstring(data, &command,
506 NULL)) != 0) {
507 error("Unable to parse \"%s\" "
508 "section: %s", name, ssh_err(r));
509 goto out;
510 }
511 if (*cert_forced_command != NULL) {
512 error("Certificate has multiple "
513 "force-command options");
514 free(command);
515 goto out;
516 }
517 *cert_forced_command = command;
518 found = 1;
519 }
520 if (strcmp(name, "source-address") == 0) {
521 if ((r = sshbuf_get_cstring(data, &allowed,
522 NULL)) != 0) {
523 error("Unable to parse \"%s\" "
524 "section: %s", name, ssh_err(r));
525 goto out;
526 }
527 if ((*cert_source_address_done)++) {
528 error("Certificate has multiple "
529 "source-address options");
530 free(allowed);
531 goto out;
532 }
533 remote_ip = get_remote_ipaddr();
534 result = addr_match_cidr_list(remote_ip,
535 allowed);
536 free(allowed);
537 switch (result) {
538 case 1:
539 /* accepted */
540 break;
541 case 0:
542 /* no match */
543 logit("Authentication tried for %.100s "
544 "with valid certificate but not "
545 "from a permitted host "
546 "(ip=%.200s).", pw->pw_name,
547 remote_ip);
548 auth_debug_add("Your address '%.200s' "
549 "is not permitted to use this "
550 "certificate for login.",
551 remote_ip);
552 goto out;
553 case -1:
554 default:
555 error("Certificate source-address "
556 "contents invalid");
557 goto out;
558 }
559 found = 1;
560 }
561 }
562
563 if (!found) {
564 if (crit) {
565 error("Certificate critical option \"%s\" "
566 "is not supported", name);
567 goto out;
568 } else {
569 logit("Certificate extension \"%s\" "
570 "is not supported", name);
571 }
572 } else if (sshbuf_len(data) != 0) {
573 error("Certificate option \"%s\" corrupt "
574 "(extra data)", name);
575 goto out;
576 }
577 free(name);
578 name = NULL;
579 }
580 /* successfully parsed all options */
581 ret = 0;
582
583 out:
584 if (ret != 0 &&
585 cert_forced_command != NULL &&
586 *cert_forced_command != NULL) {
587 free(*cert_forced_command);
588 *cert_forced_command = NULL;
589 }
590 free(name);
591 sshbuf_free(data);
592 sshbuf_free(c);
593 return ret;
594 }
595
596 /*
597 * Set options from critical certificate options. These supersede user key
598 * options so this must be called after auth_parse_options().
599 */
600 int
601 auth_cert_options(struct sshkey *k, struct passwd *pw)
602 {
603 int cert_no_port_forwarding_flag = 1;
604 int cert_no_agent_forwarding_flag = 1;
605 int cert_no_x11_forwarding_flag = 1;
606 int cert_no_pty_flag = 1;
607 int cert_no_user_rc = 1;
608 char *cert_forced_command = NULL;
609 int cert_source_address_done = 0;
610
611 /* Separate options and extensions for v01 certs */
612 if (parse_option_list(k->cert->critical, pw,
613 OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
614 &cert_forced_command,
615 &cert_source_address_done) == -1)
616 return -1;
617 if (parse_option_list(k->cert->extensions, pw,
618 OPTIONS_EXTENSIONS, 0,
619 &cert_no_port_forwarding_flag,
620 &cert_no_agent_forwarding_flag,
621 &cert_no_x11_forwarding_flag,
622 &cert_no_pty_flag,
623 &cert_no_user_rc,
624 NULL, NULL) == -1)
625 return -1;
626
627 no_port_forwarding_flag |= cert_no_port_forwarding_flag;
628 no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
629 no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
630 no_pty_flag |= cert_no_pty_flag;
631 no_user_rc |= cert_no_user_rc;
632 /* CA-specified forced command supersedes key option */
633 if (cert_forced_command != NULL) {
634 free(forced_command);
635 forced_command = cert_forced_command;
636 }
637 return 0;
638 }
639
FreeBSD src