1 /* $OpenBSD: auth-options.c,v 1.74 2017/09/12 06:32:07 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
23 #include "openbsd-compat/sys-queue.h"
25 #include "key.h" /* XXX for typedef */
26 #include "buffer.h" /* XXX for typedef */
38 #include "auth-options.h"
42 /* Flags set authorized_keys flags */
43 int no_port_forwarding_flag = 0;
44 int no_agent_forwarding_flag = 0;
45 int no_x11_forwarding_flag = 0;
48 int key_is_cert_authority = 0;
50 /* "command=" option. */
51 char *forced_command = NULL;
53 /* "environment=" options. */
54 struct envstring *custom_environment = NULL;
56 /* "tunnel=" option. */
57 int forced_tun_device = -1;
59 /* "principals=" option. */
60 char *authorized_principals = NULL;
62 extern ServerOptions options;
64 /* XXX refactor to be stateless */
67 auth_clear_options(void)
69 struct ssh *ssh = active_state; /* XXX */
71 no_agent_forwarding_flag = 0;
72 no_port_forwarding_flag = 0;
74 no_x11_forwarding_flag = 0;
76 key_is_cert_authority = 0;
77 while (custom_environment) {
78 struct envstring *ce = custom_environment;
79 custom_environment = ce->next;
84 forced_command = NULL;
85 free(authorized_principals);
86 authorized_principals = NULL;
87 forced_tun_device = -1;
88 channel_clear_permitted_opens(ssh);
92 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
93 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
94 * if negated option matches.
95 * If the option or negated option matches, then *optsp is updated to
96 * point to the first character after the option and, if 'msg' is not NULL
97 * then a message based on it added via auth_debug_add().
100 match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
102 size_t opt_len = strlen(opt);
106 if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
110 if (strncasecmp(opts, opt, opt_len) == 0) {
111 *optsp = opts + opt_len;
113 auth_debug_add("%s %s.", msg,
114 negate ? "disabled" : "enabled");
116 return negate ? 0 : 1;
122 * return 1 if access is granted, 0 if not.
123 * side effect: sets key option flags
124 * XXX remove side effects; fill structure instead.
127 auth_parse_options(struct passwd *pw, char *opts, const char *file,
130 struct ssh *ssh = active_state; /* XXX */
135 auth_clear_options();
140 while (*opts && *opts != ' ' && *opts != '\t') {
141 if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
142 key_is_cert_authority = r;
145 if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
146 auth_debug_add("Key is restricted.");
147 no_port_forwarding_flag = 1;
148 no_agent_forwarding_flag = 1;
149 no_x11_forwarding_flag = 1;
154 if ((r = match_flag("port-forwarding", 1, &opts,
155 "Port forwarding")) != -1) {
156 no_port_forwarding_flag = r != 1;
159 if ((r = match_flag("agent-forwarding", 1, &opts,
160 "Agent forwarding")) != -1) {
161 no_agent_forwarding_flag = r != 1;
164 if ((r = match_flag("x11-forwarding", 1, &opts,
165 "X11 forwarding")) != -1) {
166 no_x11_forwarding_flag = r != 1;
169 if ((r = match_flag("pty", 1, &opts,
170 "PTY allocation")) != -1) {
171 no_pty_flag = r != 1;
174 if ((r = match_flag("user-rc", 1, &opts,
175 "User rc execution")) != -1) {
180 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
182 free(forced_command);
183 forced_command = xmalloc(strlen(opts) + 1);
188 if (*opts == '\\' && opts[1] == '"') {
190 forced_command[i++] = '"';
193 forced_command[i++] = *opts++;
196 debug("%.100s, line %lu: missing end quote",
198 auth_debug_add("%.100s, line %lu: missing end quote",
200 free(forced_command);
201 forced_command = NULL;
204 forced_command[i] = '\0';
205 auth_debug_add("Forced command.");
209 cp = "principals=\"";
210 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
212 free(authorized_principals);
213 authorized_principals = xmalloc(strlen(opts) + 1);
218 if (*opts == '\\' && opts[1] == '"') {
220 authorized_principals[i++] = '"';
223 authorized_principals[i++] = *opts++;
226 debug("%.100s, line %lu: missing end quote",
228 auth_debug_add("%.100s, line %lu: missing end quote",
230 free(authorized_principals);
231 authorized_principals = NULL;
234 authorized_principals[i] = '\0';
235 auth_debug_add("principals: %.900s",
236 authorized_principals);
240 cp = "environment=\"";
241 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
243 struct envstring *new_envstring;
246 s = xmalloc(strlen(opts) + 1);
251 if (*opts == '\\' && opts[1] == '"') {
259 debug("%.100s, line %lu: missing end quote",
261 auth_debug_add("%.100s, line %lu: missing end quote",
268 if (options.permit_user_env) {
269 auth_debug_add("Adding to environment: "
271 debug("Adding to environment: %.900s", s);
272 new_envstring = xcalloc(1,
273 sizeof(*new_envstring));
274 new_envstring->s = s;
275 new_envstring->next = custom_environment;
276 custom_environment = new_envstring;
283 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
284 const char *remote_ip = ssh_remote_ipaddr(ssh);
285 const char *remote_host = auth_get_canonical_hostname(
286 ssh, options.use_dns);
287 char *patterns = xmalloc(strlen(opts) + 1);
294 if (*opts == '\\' && opts[1] == '"') {
299 patterns[i++] = *opts++;
302 debug("%.100s, line %lu: missing end quote",
304 auth_debug_add("%.100s, line %lu: missing end quote",
311 switch (match_host_and_ip(remote_host, remote_ip,
315 /* Host name matches. */
318 debug("%.100s, line %lu: invalid criteria",
320 auth_debug_add("%.100s, line %lu: "
321 "invalid criteria", file, linenum);
325 logit("Authentication tried for %.100s with "
326 "correct key but not from a permitted "
327 "host (host=%.200s, ip=%.200s).",
328 pw->pw_name, remote_host, remote_ip);
329 auth_debug_add("Your host '%.200s' is not "
330 "permitted to use this key for login.",
337 cp = "permitopen=\"";
338 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
341 char *patterns = xmalloc(strlen(opts) + 1);
348 if (*opts == '\\' && opts[1] == '"') {
353 patterns[i++] = *opts++;
356 debug("%.100s, line %lu: missing end quote",
358 auth_debug_add("%.100s, line %lu: missing "
359 "end quote", file, linenum);
366 /* XXX - add streamlocal support */
368 if (host == NULL || strlen(host) >= NI_MAXHOST) {
369 debug("%.100s, line %lu: Bad permitopen "
370 "specification <%.100s>", file, linenum,
372 auth_debug_add("%.100s, line %lu: "
373 "Bad permitopen specification", file,
378 host = cleanhostname(host);
379 if (p == NULL || (port = permitopen_port(p)) < 0) {
380 debug("%.100s, line %lu: Bad permitopen port "
381 "<%.100s>", file, linenum, p ? p : "");
382 auth_debug_add("%.100s, line %lu: "
383 "Bad permitopen port", file, linenum);
387 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
388 channel_add_permitted_opens(ssh, host, port);
393 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
396 tun = xmalloc(strlen(opts) + 1);
404 debug("%.100s, line %lu: missing end quote",
406 auth_debug_add("%.100s, line %lu: missing end quote",
409 forced_tun_device = -1;
413 forced_tun_device = a2tun(tun, NULL);
415 if (forced_tun_device == SSH_TUNID_ERR) {
416 debug("%.100s, line %lu: invalid tun device",
418 auth_debug_add("%.100s, line %lu: invalid tun device",
420 forced_tun_device = -1;
423 auth_debug_add("Forced tun device: %d", forced_tun_device);
429 * Skip the comma, and move to the next option
430 * (or break out if there are no more).
433 fatal("Bugs in auth-options.c option processing.");
434 if (*opts == ' ' || *opts == '\t')
435 break; /* End of options. */
439 /* Process the next option. */
446 logit("Bad options in %.100s file, line %lu: %.50s",
447 file, linenum, opts);
448 auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
449 file, linenum, opts);
455 #define OPTIONS_CRITICAL 1
456 #define OPTIONS_EXTENSIONS 2
458 parse_option_list(struct sshbuf *oblob, struct passwd *pw,
459 u_int which, int crit,
460 int *cert_no_port_forwarding_flag,
461 int *cert_no_agent_forwarding_flag,
462 int *cert_no_x11_forwarding_flag,
463 int *cert_no_pty_flag,
464 int *cert_no_user_rc,
465 char **cert_forced_command,
466 int *cert_source_address_done)
468 struct ssh *ssh = active_state; /* XXX */
469 char *command, *allowed;
470 const char *remote_ip;
472 struct sshbuf *c = NULL, *data = NULL;
473 int r, ret = -1, result, found;
475 if ((c = sshbuf_fromb(oblob)) == NULL) {
476 error("%s: sshbuf_fromb failed", __func__);
480 while (sshbuf_len(c) > 0) {
483 if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
484 (r = sshbuf_froms(c, &data)) != 0) {
485 error("Unable to parse certificate options: %s",
489 debug3("found certificate option \"%.100s\" len %zu",
490 name, sshbuf_len(data));
492 if ((which & OPTIONS_EXTENSIONS) != 0) {
493 if (strcmp(name, "permit-X11-forwarding") == 0) {
494 *cert_no_x11_forwarding_flag = 0;
496 } else if (strcmp(name,
497 "permit-agent-forwarding") == 0) {
498 *cert_no_agent_forwarding_flag = 0;
500 } else if (strcmp(name,
501 "permit-port-forwarding") == 0) {
502 *cert_no_port_forwarding_flag = 0;
504 } else if (strcmp(name, "permit-pty") == 0) {
505 *cert_no_pty_flag = 0;
507 } else if (strcmp(name, "permit-user-rc") == 0) {
508 *cert_no_user_rc = 0;
512 if (!found && (which & OPTIONS_CRITICAL) != 0) {
513 if (strcmp(name, "force-command") == 0) {
514 if ((r = sshbuf_get_cstring(data, &command,
516 error("Unable to parse \"%s\" "
517 "section: %s", name, ssh_err(r));
520 if (*cert_forced_command != NULL) {
521 error("Certificate has multiple "
522 "force-command options");
526 *cert_forced_command = command;
529 if (strcmp(name, "source-address") == 0) {
530 if ((r = sshbuf_get_cstring(data, &allowed,
532 error("Unable to parse \"%s\" "
533 "section: %s", name, ssh_err(r));
536 if ((*cert_source_address_done)++) {
537 error("Certificate has multiple "
538 "source-address options");
542 remote_ip = ssh_remote_ipaddr(ssh);
543 result = addr_match_cidr_list(remote_ip,
552 logit("Authentication tried for %.100s "
553 "with valid certificate but not "
554 "from a permitted host "
555 "(ip=%.200s).", pw->pw_name,
557 auth_debug_add("Your address '%.200s' "
558 "is not permitted to use this "
559 "certificate for login.",
564 error("Certificate source-address "
574 error("Certificate critical option \"%s\" "
575 "is not supported", name);
578 logit("Certificate extension \"%s\" "
579 "is not supported", name);
581 } else if (sshbuf_len(data) != 0) {
582 error("Certificate option \"%s\" corrupt "
583 "(extra data)", name);
589 /* successfully parsed all options */
594 cert_forced_command != NULL &&
595 *cert_forced_command != NULL) {
596 free(*cert_forced_command);
597 *cert_forced_command = NULL;
606 * Set options from critical certificate options. These supersede user key
607 * options so this must be called after auth_parse_options().
610 auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason)
612 int cert_no_port_forwarding_flag = 1;
613 int cert_no_agent_forwarding_flag = 1;
614 int cert_no_x11_forwarding_flag = 1;
615 int cert_no_pty_flag = 1;
616 int cert_no_user_rc = 1;
617 char *cert_forced_command = NULL;
618 int cert_source_address_done = 0;
620 *reason = "invalid certificate options";
622 /* Separate options and extensions for v01 certs */
623 if (parse_option_list(k->cert->critical, pw,
624 OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
625 &cert_forced_command,
626 &cert_source_address_done) == -1)
628 if (parse_option_list(k->cert->extensions, pw,
629 OPTIONS_EXTENSIONS, 0,
630 &cert_no_port_forwarding_flag,
631 &cert_no_agent_forwarding_flag,
632 &cert_no_x11_forwarding_flag,
638 no_port_forwarding_flag |= cert_no_port_forwarding_flag;
639 no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
640 no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
641 no_pty_flag |= cert_no_pty_flag;
642 no_user_rc |= cert_no_user_rc;
644 * Only permit both CA and key option forced-command if they match.
645 * Otherwise refuse the certificate.
647 if (cert_forced_command != NULL && forced_command != NULL) {
648 if (strcmp(forced_command, cert_forced_command) == 0) {
649 free(forced_command);
650 forced_command = cert_forced_command;
652 *reason = "certificate and key options forced command "
654 free(cert_forced_command);
657 } else if (cert_forced_command != NULL)
658 forced_command = cert_forced_command;