auth-options.c revision 258343
1228690Sdes/* $OpenBSD: auth-options.c,v 1.61 2013/11/08 00:39:14 djm Exp $ */ 2228690Sdes/* 3228690Sdes * Author: Tatu Ylonen <ylo@cs.hut.fi> 4228690Sdes * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5228690Sdes * All rights reserved 6228690Sdes * As far as I am concerned, the code I have written for this software 7228690Sdes * can be used freely for any purpose. Any derived versions of this 8228690Sdes * software must be clearly marked as such, and if the derived work is 9228690Sdes * incompatible with the protocol description in the RFC file, it must be 10228690Sdes * called by a name other than "ssh" or "Secure Shell". 11228690Sdes */ 12228690Sdes 13236109Sdes#include "includes.h" 14236109Sdes 15236109Sdes#include <sys/types.h> 16228690Sdes 17228690Sdes#include <netdb.h> 18228690Sdes#include <pwd.h> 19228690Sdes#include <string.h> 20228690Sdes#include <stdio.h> 21228690Sdes#include <stdarg.h> 22228690Sdes 23228690Sdes#include "openbsd-compat/sys-queue.h" 24228690Sdes#include "xmalloc.h" 25228690Sdes#include "match.h" 26228690Sdes#include "log.h" 27228690Sdes#include "canohost.h" 28228690Sdes#include "buffer.h" 29271947Sdes#include "channels.h" 30228690Sdes#include "servconf.h" 31271947Sdes#include "misc.h" 32228690Sdes#include "key.h" 33228690Sdes#include "auth-options.h" 34228690Sdes#include "hostfile.h" 35228690Sdes#include "auth.h" 36228690Sdes#ifdef GSSAPI 37271947Sdes#include "ssh-gss.h" 38228690Sdes#endif 39228690Sdes#include "monitor_wrap.h" 40228690Sdes 41228690Sdes/* Flags set authorized_keys flags */ 42228690Sdesint no_port_forwarding_flag = 0; 43228690Sdesint no_agent_forwarding_flag = 0; 44228690Sdesint no_x11_forwarding_flag = 0; 45228690Sdesint no_pty_flag = 0; 46228690Sdesint no_user_rc = 0; 47228690Sdesint key_is_cert_authority = 0; 48228690Sdes 49228690Sdes/* "command=" option. */ 50228690Sdeschar *forced_command = NULL; 51228690Sdes 52228690Sdes/* "environment=" options. */ 53228690Sdesstruct envstring *custom_environment = NULL; 54228690Sdes 55228690Sdes/* "tunnel=" option. */ 56228690Sdesint forced_tun_device = -1; 57228690Sdes 58228690Sdes/* "principals=" option. */ 59236109Sdeschar *authorized_principals = NULL; 60228690Sdes 61228690Sdesextern ServerOptions options; 62228690Sdes 63228690Sdesvoid 64228690Sdesauth_clear_options(void) 65236109Sdes{ 66 no_agent_forwarding_flag = 0; 67 no_port_forwarding_flag = 0; 68 no_pty_flag = 0; 69 no_x11_forwarding_flag = 0; 70 no_user_rc = 0; 71 key_is_cert_authority = 0; 72 while (custom_environment) { 73 struct envstring *ce = custom_environment; 74 custom_environment = ce->next; 75 free(ce->s); 76 free(ce); 77 } 78 if (forced_command) { 79 free(forced_command); 80 forced_command = NULL; 81 } 82 if (authorized_principals) { 83 free(authorized_principals); 84 authorized_principals = NULL; 85 } 86 forced_tun_device = -1; 87 channel_clear_permitted_opens(); 88} 89 90/* 91 * return 1 if access is granted, 0 if not. 92 * side effect: sets key option flags 93 */ 94int 95auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 96{ 97 const char *cp; 98 int i; 99 100 /* reset options */ 101 auth_clear_options(); 102 103 if (!opts) 104 return 1; 105 106 while (*opts && *opts != ' ' && *opts != '\t') { 107 cp = "cert-authority"; 108 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 109 key_is_cert_authority = 1; 110 opts += strlen(cp); 111 goto next_option; 112 } 113 cp = "no-port-forwarding"; 114 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 115 auth_debug_add("Port forwarding disabled."); 116 no_port_forwarding_flag = 1; 117 opts += strlen(cp); 118 goto next_option; 119 } 120 cp = "no-agent-forwarding"; 121 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 122 auth_debug_add("Agent forwarding disabled."); 123 no_agent_forwarding_flag = 1; 124 opts += strlen(cp); 125 goto next_option; 126 } 127 cp = "no-X11-forwarding"; 128 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 129 auth_debug_add("X11 forwarding disabled."); 130 no_x11_forwarding_flag = 1; 131 opts += strlen(cp); 132 goto next_option; 133 } 134 cp = "no-pty"; 135 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 136 auth_debug_add("Pty allocation disabled."); 137 no_pty_flag = 1; 138 opts += strlen(cp); 139 goto next_option; 140 } 141 cp = "no-user-rc"; 142 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 143 auth_debug_add("User rc file execution disabled."); 144 no_user_rc = 1; 145 opts += strlen(cp); 146 goto next_option; 147 } 148 cp = "command=\""; 149 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 150 opts += strlen(cp); 151 if (forced_command != NULL) 152 free(forced_command); 153 forced_command = xmalloc(strlen(opts) + 1); 154 i = 0; 155 while (*opts) { 156 if (*opts == '"') 157 break; 158 if (*opts == '\\' && opts[1] == '"') { 159 opts += 2; 160 forced_command[i++] = '"'; 161 continue; 162 } 163 forced_command[i++] = *opts++; 164 } 165 if (!*opts) { 166 debug("%.100s, line %lu: missing end quote", 167 file, linenum); 168 auth_debug_add("%.100s, line %lu: missing end quote", 169 file, linenum); 170 free(forced_command); 171 forced_command = NULL; 172 goto bad_option; 173 } 174 forced_command[i] = '\0'; 175 auth_debug_add("Forced command."); 176 opts++; 177 goto next_option; 178 } 179 cp = "principals=\""; 180 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 181 opts += strlen(cp); 182 if (authorized_principals != NULL) 183 free(authorized_principals); 184 authorized_principals = xmalloc(strlen(opts) + 1); 185 i = 0; 186 while (*opts) { 187 if (*opts == '"') 188 break; 189 if (*opts == '\\' && opts[1] == '"') { 190 opts += 2; 191 authorized_principals[i++] = '"'; 192 continue; 193 } 194 authorized_principals[i++] = *opts++; 195 } 196 if (!*opts) { 197 debug("%.100s, line %lu: missing end quote", 198 file, linenum); 199 auth_debug_add("%.100s, line %lu: missing end quote", 200 file, linenum); 201 free(authorized_principals); 202 authorized_principals = NULL; 203 goto bad_option; 204 } 205 authorized_principals[i] = '\0'; 206 auth_debug_add("principals: %.900s", 207 authorized_principals); 208 opts++; 209 goto next_option; 210 } 211 cp = "environment=\""; 212 if (options.permit_user_env && 213 strncasecmp(opts, cp, strlen(cp)) == 0) { 214 char *s; 215 struct envstring *new_envstring; 216 217 opts += strlen(cp); 218 s = xmalloc(strlen(opts) + 1); 219 i = 0; 220 while (*opts) { 221 if (*opts == '"') 222 break; 223 if (*opts == '\\' && opts[1] == '"') { 224 opts += 2; 225 s[i++] = '"'; 226 continue; 227 } 228 s[i++] = *opts++; 229 } 230 if (!*opts) { 231 debug("%.100s, line %lu: missing end quote", 232 file, linenum); 233 auth_debug_add("%.100s, line %lu: missing end quote", 234 file, linenum); 235 free(s); 236 goto bad_option; 237 } 238 s[i] = '\0'; 239 auth_debug_add("Adding to environment: %.900s", s); 240 debug("Adding to environment: %.900s", s); 241 opts++; 242 new_envstring = xcalloc(1, sizeof(struct envstring)); 243 new_envstring->s = s; 244 new_envstring->next = custom_environment; 245 custom_environment = new_envstring; 246 goto next_option; 247 } 248 cp = "from=\""; 249 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 250 const char *remote_ip = get_remote_ipaddr(); 251 const char *remote_host = get_canonical_hostname( 252 options.use_dns); 253 char *patterns = xmalloc(strlen(opts) + 1); 254 255 opts += strlen(cp); 256 i = 0; 257 while (*opts) { 258 if (*opts == '"') 259 break; 260 if (*opts == '\\' && opts[1] == '"') { 261 opts += 2; 262 patterns[i++] = '"'; 263 continue; 264 } 265 patterns[i++] = *opts++; 266 } 267 if (!*opts) { 268 debug("%.100s, line %lu: missing end quote", 269 file, linenum); 270 auth_debug_add("%.100s, line %lu: missing end quote", 271 file, linenum); 272 free(patterns); 273 goto bad_option; 274 } 275 patterns[i] = '\0'; 276 opts++; 277 switch (match_host_and_ip(remote_host, remote_ip, 278 patterns)) { 279 case 1: 280 free(patterns); 281 /* Host name matches. */ 282 goto next_option; 283 case -1: 284 debug("%.100s, line %lu: invalid criteria", 285 file, linenum); 286 auth_debug_add("%.100s, line %lu: " 287 "invalid criteria", file, linenum); 288 /* FALLTHROUGH */ 289 case 0: 290 free(patterns); 291 logit("Authentication tried for %.100s with " 292 "correct key but not from a permitted " 293 "host (host=%.200s, ip=%.200s).", 294 pw->pw_name, remote_host, remote_ip); 295 auth_debug_add("Your host '%.200s' is not " 296 "permitted to use this key for login.", 297 remote_host); 298 break; 299 } 300 /* deny access */ 301 return 0; 302 } 303 cp = "permitopen=\""; 304 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 305 char *host, *p; 306 int port; 307 char *patterns = xmalloc(strlen(opts) + 1); 308 309 opts += strlen(cp); 310 i = 0; 311 while (*opts) { 312 if (*opts == '"') 313 break; 314 if (*opts == '\\' && opts[1] == '"') { 315 opts += 2; 316 patterns[i++] = '"'; 317 continue; 318 } 319 patterns[i++] = *opts++; 320 } 321 if (!*opts) { 322 debug("%.100s, line %lu: missing end quote", 323 file, linenum); 324 auth_debug_add("%.100s, line %lu: missing " 325 "end quote", file, linenum); 326 free(patterns); 327 goto bad_option; 328 } 329 patterns[i] = '\0'; 330 opts++; 331 p = patterns; 332 host = hpdelim(&p); 333 if (host == NULL || strlen(host) >= NI_MAXHOST) { 334 debug("%.100s, line %lu: Bad permitopen " 335 "specification <%.100s>", file, linenum, 336 patterns); 337 auth_debug_add("%.100s, line %lu: " 338 "Bad permitopen specification", file, 339 linenum); 340 free(patterns); 341 goto bad_option; 342 } 343 host = cleanhostname(host); 344 if (p == NULL || (port = permitopen_port(p)) < 0) { 345 debug("%.100s, line %lu: Bad permitopen port " 346 "<%.100s>", file, linenum, p ? p : ""); 347 auth_debug_add("%.100s, line %lu: " 348 "Bad permitopen port", file, linenum); 349 free(patterns); 350 goto bad_option; 351 } 352 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) 353 channel_add_permitted_opens(host, port); 354 free(patterns); 355 goto next_option; 356 } 357 cp = "tunnel=\""; 358 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 359 char *tun = NULL; 360 opts += strlen(cp); 361 tun = xmalloc(strlen(opts) + 1); 362 i = 0; 363 while (*opts) { 364 if (*opts == '"') 365 break; 366 tun[i++] = *opts++; 367 } 368 if (!*opts) { 369 debug("%.100s, line %lu: missing end quote", 370 file, linenum); 371 auth_debug_add("%.100s, line %lu: missing end quote", 372 file, linenum); 373 free(tun); 374 forced_tun_device = -1; 375 goto bad_option; 376 } 377 tun[i] = '\0'; 378 forced_tun_device = a2tun(tun, NULL); 379 free(tun); 380 if (forced_tun_device == SSH_TUNID_ERR) { 381 debug("%.100s, line %lu: invalid tun device", 382 file, linenum); 383 auth_debug_add("%.100s, line %lu: invalid tun device", 384 file, linenum); 385 forced_tun_device = -1; 386 goto bad_option; 387 } 388 auth_debug_add("Forced tun device: %d", forced_tun_device); 389 opts++; 390 goto next_option; 391 } 392next_option: 393 /* 394 * Skip the comma, and move to the next option 395 * (or break out if there are no more). 396 */ 397 if (!*opts) 398 fatal("Bugs in auth-options.c option processing."); 399 if (*opts == ' ' || *opts == '\t') 400 break; /* End of options. */ 401 if (*opts != ',') 402 goto bad_option; 403 opts++; 404 /* Process the next option. */ 405 } 406 407 /* grant access */ 408 return 1; 409 410bad_option: 411 logit("Bad options in %.100s file, line %lu: %.50s", 412 file, linenum, opts); 413 auth_debug_add("Bad options in %.100s file, line %lu: %.50s", 414 file, linenum, opts); 415 416 /* deny access */ 417 return 0; 418} 419 420#define OPTIONS_CRITICAL 1 421#define OPTIONS_EXTENSIONS 2 422static int 423parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, 424 u_int which, int crit, 425 int *cert_no_port_forwarding_flag, 426 int *cert_no_agent_forwarding_flag, 427 int *cert_no_x11_forwarding_flag, 428 int *cert_no_pty_flag, 429 int *cert_no_user_rc, 430 char **cert_forced_command, 431 int *cert_source_address_done) 432{ 433 char *command, *allowed; 434 const char *remote_ip; 435 char *name = NULL; 436 u_char *data_blob = NULL; 437 u_int nlen, dlen, clen; 438 Buffer c, data; 439 int ret = -1, found; 440 441 buffer_init(&data); 442 443 /* Make copy to avoid altering original */ 444 buffer_init(&c); 445 buffer_append(&c, optblob, optblob_len); 446 447 while (buffer_len(&c) > 0) { 448 if ((name = buffer_get_cstring_ret(&c, &nlen)) == NULL || 449 (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { 450 error("Certificate options corrupt"); 451 goto out; 452 } 453 buffer_append(&data, data_blob, dlen); 454 debug3("found certificate option \"%.100s\" len %u", 455 name, dlen); 456 found = 0; 457 if ((which & OPTIONS_EXTENSIONS) != 0) { 458 if (strcmp(name, "permit-X11-forwarding") == 0) { 459 *cert_no_x11_forwarding_flag = 0; 460 found = 1; 461 } else if (strcmp(name, 462 "permit-agent-forwarding") == 0) { 463 *cert_no_agent_forwarding_flag = 0; 464 found = 1; 465 } else if (strcmp(name, 466 "permit-port-forwarding") == 0) { 467 *cert_no_port_forwarding_flag = 0; 468 found = 1; 469 } else if (strcmp(name, "permit-pty") == 0) { 470 *cert_no_pty_flag = 0; 471 found = 1; 472 } else if (strcmp(name, "permit-user-rc") == 0) { 473 *cert_no_user_rc = 0; 474 found = 1; 475 } 476 } 477 if (!found && (which & OPTIONS_CRITICAL) != 0) { 478 if (strcmp(name, "force-command") == 0) { 479 if ((command = buffer_get_cstring_ret(&data, 480 &clen)) == NULL) { 481 error("Certificate constraint \"%s\" " 482 "corrupt", name); 483 goto out; 484 } 485 if (*cert_forced_command != NULL) { 486 error("Certificate has multiple " 487 "force-command options"); 488 free(command); 489 goto out; 490 } 491 *cert_forced_command = command; 492 found = 1; 493 } 494 if (strcmp(name, "source-address") == 0) { 495 if ((allowed = buffer_get_cstring_ret(&data, 496 &clen)) == NULL) { 497 error("Certificate constraint " 498 "\"%s\" corrupt", name); 499 goto out; 500 } 501 if ((*cert_source_address_done)++) { 502 error("Certificate has multiple " 503 "source-address options"); 504 free(allowed); 505 goto out; 506 } 507 remote_ip = get_remote_ipaddr(); 508 switch (addr_match_cidr_list(remote_ip, 509 allowed)) { 510 case 1: 511 /* accepted */ 512 free(allowed); 513 break; 514 case 0: 515 /* no match */ 516 logit("Authentication tried for %.100s " 517 "with valid certificate but not " 518 "from a permitted host " 519 "(ip=%.200s).", pw->pw_name, 520 remote_ip); 521 auth_debug_add("Your address '%.200s' " 522 "is not permitted to use this " 523 "certificate for login.", 524 remote_ip); 525 free(allowed); 526 goto out; 527 case -1: 528 error("Certificate source-address " 529 "contents invalid"); 530 free(allowed); 531 goto out; 532 } 533 found = 1; 534 } 535 } 536 537 if (!found) { 538 if (crit) { 539 error("Certificate critical option \"%s\" " 540 "is not supported", name); 541 goto out; 542 } else { 543 logit("Certificate extension \"%s\" " 544 "is not supported", name); 545 } 546 } else if (buffer_len(&data) != 0) { 547 error("Certificate option \"%s\" corrupt " 548 "(extra data)", name); 549 goto out; 550 } 551 buffer_clear(&data); 552 free(name); 553 free(data_blob); 554 name = NULL; 555 data_blob = NULL; 556 } 557 /* successfully parsed all options */ 558 ret = 0; 559 560 out: 561 if (ret != 0 && 562 cert_forced_command != NULL && 563 *cert_forced_command != NULL) { 564 free(*cert_forced_command); 565 *cert_forced_command = NULL; 566 } 567 if (name != NULL) 568 free(name); 569 if (data_blob != NULL) 570 free(data_blob); 571 buffer_free(&data); 572 buffer_free(&c); 573 return ret; 574} 575 576/* 577 * Set options from critical certificate options. These supersede user key 578 * options so this must be called after auth_parse_options(). 579 */ 580int 581auth_cert_options(Key *k, struct passwd *pw) 582{ 583 int cert_no_port_forwarding_flag = 1; 584 int cert_no_agent_forwarding_flag = 1; 585 int cert_no_x11_forwarding_flag = 1; 586 int cert_no_pty_flag = 1; 587 int cert_no_user_rc = 1; 588 char *cert_forced_command = NULL; 589 int cert_source_address_done = 0; 590 591 if (key_cert_is_legacy(k)) { 592 /* All options are in the one field for v00 certs */ 593 if (parse_option_list(buffer_ptr(&k->cert->critical), 594 buffer_len(&k->cert->critical), pw, 595 OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1, 596 &cert_no_port_forwarding_flag, 597 &cert_no_agent_forwarding_flag, 598 &cert_no_x11_forwarding_flag, 599 &cert_no_pty_flag, 600 &cert_no_user_rc, 601 &cert_forced_command, 602 &cert_source_address_done) == -1) 603 return -1; 604 } else { 605 /* Separate options and extensions for v01 certs */ 606 if (parse_option_list(buffer_ptr(&k->cert->critical), 607 buffer_len(&k->cert->critical), pw, 608 OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, 609 &cert_forced_command, 610 &cert_source_address_done) == -1) 611 return -1; 612 if (parse_option_list(buffer_ptr(&k->cert->extensions), 613 buffer_len(&k->cert->extensions), pw, 614 OPTIONS_EXTENSIONS, 1, 615 &cert_no_port_forwarding_flag, 616 &cert_no_agent_forwarding_flag, 617 &cert_no_x11_forwarding_flag, 618 &cert_no_pty_flag, 619 &cert_no_user_rc, 620 NULL, NULL) == -1) 621 return -1; 622 } 623 624 no_port_forwarding_flag |= cert_no_port_forwarding_flag; 625 no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; 626 no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; 627 no_pty_flag |= cert_no_pty_flag; 628 no_user_rc |= cert_no_user_rc; 629 /* CA-specified forced command supersedes key option */ 630 if (cert_forced_command != NULL) { 631 if (forced_command != NULL) 632 free(forced_command); 633 forced_command = cert_forced_command; 634 } 635 return 0; 636} 637 638