Mercurial > dropbear
annotate svr-authpubkeyoptions.c @ 1629:258b57b208ae
Fix for issue successfull login of disabled user (#78)
This commit introduces fix for scenario:
1. Root login disabled on dropbear
2. PAM authentication model enabled
While login as root user, after prompt for password
user is being notified about login failrue, but
after second attempt of prompt for password within
same session, login becames succesfull.
Signed-off-by: Pawel Rapkiewicz <[email protected]>
| author | vincentto13 <33652988+vincentto13@users.noreply.github.com> |
|---|---|
| date | Wed, 20 Mar 2019 15:03:40 +0100 |
| parents | e37f98ea4f24 |
| children | 6a6a0bac52f4 |
| rev | line source |
|---|---|
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 /* |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Dropbear - a SSH2 server |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 * Copyright (c) 2008 Frederic Moulins |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 * All rights reserved. |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 * of this software and associated documentation files (the "Software"), to deal |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 * in the Software without restriction, including without limitation the rights |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 * copies of the Software, and to permit persons to whom the Software is |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 * furnished to do so, subject to the following conditions: |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 * The above copyright notice and this permission notice shall be included in |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 * all copies or substantial portions of the Software. |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 * SOFTWARE. |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
24 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
25 * This file incorporates work covered by the following copyright and |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
26 * permission notice: |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
27 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
28 * Author: Tatu Ylonen <[email protected]> |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
29 * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
30 * All rights reserved |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
31 * As far as I am concerned, the code I have written for this software |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
32 * can be used freely for any purpose. Any derived versions of this |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
33 * software must be clearly marked as such, and if the derived work is |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
34 * incompatible with the protocol description in the RFC file, it must be |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
35 * called by a name other than "ssh" or "Secure Shell". |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
36 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
37 * This copyright and permission notice applies to the code parsing public keys |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
38 * options string which can also be found in OpenSSH auth-options.c file |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
39 * (auth_parse_options). |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
40 * |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
41 */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
42 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
43 /* Process pubkey options during a pubkey auth request */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
44 #include "includes.h" |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
45 #include "session.h" |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
46 #include "dbutil.h" |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
47 #include "signkey.h" |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
48 #include "auth.h" |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
49 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1145
diff
changeset
|
50 #if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
51 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
52 /* Returns 1 if pubkey allows agent forwarding, |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
53 * 0 otherwise */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
54 int svr_pubkey_allows_agentfwd() { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 if (ses.authstate.pubkey_options |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
56 && ses.authstate.pubkey_options->no_agent_forwarding_flag) { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
57 return 0; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
58 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 return 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 /* Returns 1 if pubkey allows tcp forwarding, |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
63 * 0 otherwise */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
64 int svr_pubkey_allows_tcpfwd() { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
65 if (ses.authstate.pubkey_options |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 && ses.authstate.pubkey_options->no_port_forwarding_flag) { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 return 0; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
68 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 return 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
71 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 /* Returns 1 if pubkey allows x11 forwarding, |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
73 * 0 otherwise */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
74 int svr_pubkey_allows_x11fwd() { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
75 if (ses.authstate.pubkey_options |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
76 && ses.authstate.pubkey_options->no_x11_forwarding_flag) { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
77 return 0; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
78 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
79 return 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
80 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
81 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
82 /* Returns 1 if pubkey allows pty, 0 otherwise */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
83 int svr_pubkey_allows_pty() { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
84 if (ses.authstate.pubkey_options |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
85 && ses.authstate.pubkey_options->no_pty_flag) { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
86 return 0; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
87 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
88 return 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
89 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
90 |
|
566
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
502
diff
changeset
|
91 /* Set chansession command to the one forced |
|
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
502
diff
changeset
|
92 * by any 'command' public key option. */ |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
93 void svr_pubkey_set_forced_command(struct ChanSess *chansess) { |
|
1145
5709b15a1b57
Fix segfault with restricted authorized_key files without forced command
Guilhem Moulin <guilhem@fripost.org>
parents:
1094
diff
changeset
|
94 if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->forced_command) { |
|
654
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
95 if (chansess->cmd) { |
|
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
96 /* original_command takes ownership */ |
|
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
97 chansess->original_command = chansess->cmd; |
| 1331 | 98 chansess->cmd = NULL; |
|
654
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
99 } else { |
|
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
100 chansess->original_command = m_strdup(""); |
|
566
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
502
diff
changeset
|
101 } |
|
654
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
102 chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1342
diff
changeset
|
103 #if LOG_COMMANDS |
|
654
818108bf7749
- Fix use-after-free if multiple command requests were sent. Move
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
104 dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command); |
|
566
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
502
diff
changeset
|
105 #endif |
|
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
502
diff
changeset
|
106 } |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
107 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
108 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
109 /* Free potential public key options */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
110 void svr_pubkey_options_cleanup() { |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
111 if (ses.authstate.pubkey_options) { |
| 1331 | 112 if (ses.authstate.pubkey_options->forced_command) { |
| 113 m_free(ses.authstate.pubkey_options->forced_command); | |
| 114 } | |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
115 m_free(ses.authstate.pubkey_options); |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
116 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
117 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
118 |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
119 /* helper for svr_add_pubkey_options. returns DROPBEAR_SUCCESS if the option is matched, |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
120 and increments the options_buf */ |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
121 static int match_option(buffer *options_buf, const char *opt_name) { |
| 502 | 122 const unsigned int len = strlen(opt_name); |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
123 if (options_buf->len - options_buf->pos < len) { |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
124 return DROPBEAR_FAILURE; |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
125 } |
|
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
668
diff
changeset
|
126 if (strncasecmp((const char *) buf_getptr(options_buf, len), opt_name, len) == 0) { |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
127 buf_incrpos(options_buf, len); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
128 return DROPBEAR_SUCCESS; |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
129 } |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
130 return DROPBEAR_FAILURE; |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
131 } |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
132 |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
133 /* Parse pubkey options and set ses.authstate.pubkey_options accordingly. |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
134 * Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */ |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
135 int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filename) { |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
136 int ret = DROPBEAR_FAILURE; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
137 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
138 TRACE(("enter addpubkeyoptions")) |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
139 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
140 ses.authstate.pubkey_options = (struct PubKeyOptions*)m_malloc(sizeof( struct PubKeyOptions )); |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
141 |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
142 buf_setpos(options_buf, 0); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
143 while (options_buf->pos < options_buf->len) { |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
144 if (match_option(options_buf, "no-port-forwarding") == DROPBEAR_SUCCESS) { |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
145 dropbear_log(LOG_WARNING, "Port forwarding disabled."); |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
146 ses.authstate.pubkey_options->no_port_forwarding_flag = 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
147 goto next_option; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
148 } |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1145
diff
changeset
|
149 #if DROPBEAR_SVR_AGENTFWD |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
150 if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) { |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
151 dropbear_log(LOG_WARNING, "Agent forwarding disabled."); |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
152 ses.authstate.pubkey_options->no_agent_forwarding_flag = 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
153 goto next_option; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
154 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
155 #endif |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1145
diff
changeset
|
156 #if DROPBEAR_X11FWD |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
157 if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) { |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
158 dropbear_log(LOG_WARNING, "X11 forwarding disabled."); |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
159 ses.authstate.pubkey_options->no_x11_forwarding_flag = 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
160 goto next_option; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
161 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
162 #endif |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
163 if (match_option(options_buf, "no-pty") == DROPBEAR_SUCCESS) { |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
164 dropbear_log(LOG_WARNING, "Pty allocation disabled."); |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
165 ses.authstate.pubkey_options->no_pty_flag = 1; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
166 goto next_option; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
167 } |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
168 if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) { |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
169 int escaped = 0; |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
170 const unsigned char* command_start = buf_getptr(options_buf, 0); |
|
1599
e37f98ea4f24
fix leak in option handling
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
171 |
|
e37f98ea4f24
fix leak in option handling
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
172 if (ses.authstate.pubkey_options->forced_command) { |
|
e37f98ea4f24
fix leak in option handling
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
173 /* multiple command= options */ |
|
e37f98ea4f24
fix leak in option handling
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
174 goto bad_option; |
|
e37f98ea4f24
fix leak in option handling
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
175 } |
|
e37f98ea4f24
fix leak in option handling
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
176 |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
177 while (options_buf->pos < options_buf->len) { |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
178 const char c = buf_getbyte(options_buf); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
179 if (!escaped && c == '"') { |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
180 const int command_len = buf_getptr(options_buf, 0) - command_start; |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
181 ses.authstate.pubkey_options->forced_command = m_malloc(command_len); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
182 memcpy(ses.authstate.pubkey_options->forced_command, |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
183 command_start, command_len-1); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
184 ses.authstate.pubkey_options->forced_command[command_len-1] = '\0'; |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
185 dropbear_log(LOG_WARNING, "Forced command '%s'", |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
186 ses.authstate.pubkey_options->forced_command); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
187 goto next_option; |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
188 } |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
189 escaped = (!escaped && c == '\\'); |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
190 } |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
191 dropbear_log(LOG_WARNING, "Badly formatted command= authorized_keys option"); |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
192 goto bad_option; |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
193 } |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
194 |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
195 next_option: |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
196 /* |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
197 * Skip the comma, and move to the next option |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
198 * (or break out if there are no more). |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
199 */ |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
200 if (options_buf->pos < options_buf->len |
|
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
201 && buf_getbyte(options_buf) != ',') { |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
202 goto bad_option; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
203 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
204 /* Process the next option. */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
205 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
206 /* parsed all options with no problem */ |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
207 ret = DROPBEAR_SUCCESS; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
208 goto end; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
209 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
210 bad_option: |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
211 ret = DROPBEAR_FAILURE; |
| 1331 | 212 svr_pubkey_options_cleanup(); |
|
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
213 dropbear_log(LOG_WARNING, "Bad public key options at %s:%d", filename, line_num); |
|
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
214 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
215 end: |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
216 TRACE(("leave addpubkeyoptions")) |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
217 return ret; |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
218 } |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
219 |
|
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
220 #endif |