Mercurial > dropbear

comparison svr-authpubkeyoptions.c @ 475:52a644e7b8e1 pubkey-options

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
* Patch from Frédéric Moulins adding options to authorized_keys. Needs review.
author Matt Johnston <matt@ucc.asn.au>
date Mon, 08 Sep 2008 15:14:02 +0000
parents
children df7f7da7f6e4
comparison
equal deleted inserted replaced
474:f33b0898aaa6 475:52a644e7b8e1
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2008 Frederic Moulins
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE.
24 *
25 * This file incorporates work covered by the following copyright and
26 * permission notice:
27 *
28 * Author: Tatu Ylonen <[email protected]>
29 * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
30 * All rights reserved
31 * As far as I am concerned, the code I have written for this software
32 * can be used freely for any purpose. Any derived versions of this
33 * software must be clearly marked as such, and if the derived work is
34 * incompatible with the protocol description in the RFC file, it must be
35 * called by a name other than "ssh" or "Secure Shell".
36 *
37 * This copyright and permission notice applies to the code parsing public keys
38 * options string which can also be found in OpenSSH auth-options.c file
39 * (auth_parse_options).
40 *
41 */
42
43 /* Process pubkey options during a pubkey auth request */
44 #include "includes.h"
45 #include "session.h"
46 #include "dbutil.h"
47 #include "signkey.h"
48 #include "auth.h"
49
50 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
51
52 /* Returns 1 if pubkey allows agent forwarding,
53 * 0 otherwise */
54 int svr_pubkey_allows_agentfwd() {
55 if (ses.authstate.pubkey_options
56 && ses.authstate.pubkey_options->no_agent_forwarding_flag) {
57 return 0;
58 }
59 return 1;
60 }
61
62 /* Returns 1 if pubkey allows tcp forwarding,
63 * 0 otherwise */
64 int svr_pubkey_allows_tcpfwd() {
65 if (ses.authstate.pubkey_options
66 && ses.authstate.pubkey_options->no_port_forwarding_flag) {
67 return 0;
68 }
69 return 1;
70 }
71
72 /* Returns 1 if pubkey allows x11 forwarding,
73 * 0 otherwise */
74 int svr_pubkey_allows_x11fwd() {
75 if (ses.authstate.pubkey_options
76 && ses.authstate.pubkey_options->no_x11_forwarding_flag) {
77 return 0;
78 }
79 return 1;
80 }
81
82 /* Returns 1 if pubkey allows pty, 0 otherwise */
83 int svr_pubkey_allows_pty() {
84 if (ses.authstate.pubkey_options
85 && ses.authstate.pubkey_options->no_pty_flag) {
86 return 0;
87 }
88 return 1;
89 }
90
91 /* Set chansession command to the one forced by 'command' public key option */
92 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
93 if (ses.authstate.pubkey_options)
94 chansess->cmd = ses.authstate.pubkey_options->forced_command;
95 }
96
97 /* Free potential public key options */
98 void svr_pubkey_options_cleanup() {
99 if (ses.authstate.pubkey_options) {
100 m_free(ses.authstate.pubkey_options);
101 ses.authstate.pubkey_options = NULL;
102 }
103 }
104
105 /* Parse pubkey options and set ses.authstate.pubkey_options accordingly.
106 * Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
107 int svr_add_pubkey_options(const char* opts) {
108 const char *cp;
109 int i;
110 int ret = DROPBEAR_FAILURE;
111
112 TRACE(("enter addpubkeyoptions"))
113
114 if (!opts || *opts == ' ') {
115 /* no option, success */
116 ret = DROPBEAR_SUCCESS;
117 goto end;
118 }
119
120 ses.authstate.pubkey_options = (struct PubKeyOptions*)m_malloc(sizeof( struct PubKeyOptions ));
121
122 while (*opts && *opts != ' ' && *opts != '\t') {
123 cp = "no-port-forwarding";
124 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
125 dropbear_log(LOG_WARNING, "Port forwarding disabled.");
126 ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
127 opts += strlen(cp);
128 goto next_option;
129 }
130 #ifdef ENABLE_AGENTFWD
131 cp = "no-agent-forwarding";
132 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
133 dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
134 ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
135 opts += strlen(cp);
136 goto next_option;
137 }
138 #endif
139 #ifdef ENABLE_X11FWD
140 cp = "no-X11-forwarding";
141 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
142 dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
143 ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
144 opts += strlen(cp);
145 goto next_option;
146 }
147 #endif
148 cp = "no-pty";
149 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
150 dropbear_log(LOG_WARNING, "Pty allocation disabled.");
151 ses.authstate.pubkey_options->no_pty_flag = 1;
152 opts += strlen(cp);
153 goto next_option;
154 }
155 cp = "command=\"";
156 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
157 opts += strlen(cp);
158 ses.authstate.pubkey_options->forced_command = (char*)m_malloc(strlen(opts) + 1);
159 i = 0;
160 while (*opts) {
161 if (*opts == '"')
162 break;
163 if (*opts == '\\' && opts[1] == '"') {
164 opts += 2;
165 ses.authstate.pubkey_options->forced_command[i++] = '"';
166 continue;
167 }
168 ses.authstate.pubkey_options->forced_command[i++] = *opts++;
169 }
170 if (!*opts) {
171 dropbear_log(LOG_WARNING,
172 "Missing end quote in public key command option");
173 m_free(ses.authstate.pubkey_options->forced_command);
174 ses.authstate.pubkey_options->forced_command = NULL;
175 goto bad_option;
176 }
177 ses.authstate.pubkey_options->forced_command[i] = '\0';
178 if (strlen(ses.authstate.pubkey_options->forced_command) > MAX_CMD_LEN) {
179 dropbear_log(LOG_WARNING,
180 "Public key option command too long (>MAX_CMD_LEN).");
181 m_free(ses.authstate.pubkey_options->forced_command);
182 ses.authstate.pubkey_options->forced_command = NULL;
183 goto bad_option;
184 }
185 dropbear_log(LOG_WARNING, "Forced command '%s'",
186 ses.authstate.pubkey_options->forced_command);
187 opts++;
188 goto next_option;
189 }
190 next_option:
191 /*
192 * Skip the comma, and move to the next option
193 * (or break out if there are no more).
194 */
195 if (!*opts) {
196 TRACE(("Bugs in svr-chansession.c pubkey option processing."))
197 }
198 if (*opts == ' ' || *opts == '\t') {
199 break; /* End of options. */
200 }
201 if (*opts != ',') {
202 goto bad_option;
203 }
204 opts++;
205 /* Process the next option. */
206 }
207 /* parsed all options with no problem */
208 ret = DROPBEAR_SUCCESS;
209 goto end;
210
211 bad_option:
212 ret = DROPBEAR_FAILURE;
213 m_free(ses.authstate.pubkey_options);
214 ses.authstate.pubkey_options = NULL;
215 dropbear_log(LOG_WARNING, "Bad public key options : '%.50s'", opts);
216
217 end:
218 TRACE(("leave addpubkeyoptions"))
219 return ret;
220
221 }
222
223 #endif