Mercurial > dropbear

comparison svr-authpubkeyoptions.c @ 496:9f583f4d59a6

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.dropbear.pubkey-options' (head 537a6ebebb46424b967ffe787f0f8560e5f447e8) to branch 'au.asn.ucc.matt.dropbear' (head 10b2f286b9886364db39dfbb4f8f46e49e345d87)
author Matt Johnston <matt@ucc.asn.au>
date Tue, 23 Sep 2008 13:16:22 +0000
parents df7f7da7f6e4
children 43bbe17d6ba0
comparison
equal deleted inserted replaced
495:cd02449b709c 496:9f583f4d59a6
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2008 Frederic Moulins
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE.
24 *
25 * This file incorporates work covered by the following copyright and
26 * permission notice:
27 *
28 * Author: Tatu Ylonen <[email protected]>
29 * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
30 * All rights reserved
31 * As far as I am concerned, the code I have written for this software
32 * can be used freely for any purpose. Any derived versions of this
33 * software must be clearly marked as such, and if the derived work is
34 * incompatible with the protocol description in the RFC file, it must be
35 * called by a name other than "ssh" or "Secure Shell".
36 *
37 * This copyright and permission notice applies to the code parsing public keys
38 * options string which can also be found in OpenSSH auth-options.c file
39 * (auth_parse_options).
40 *
41 */
42
43 /* Process pubkey options during a pubkey auth request */
44 #include "includes.h"
45 #include "session.h"
46 #include "dbutil.h"
47 #include "signkey.h"
48 #include "auth.h"
49
50 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
51
52 /* Returns 1 if pubkey allows agent forwarding,
53 * 0 otherwise */
54 int svr_pubkey_allows_agentfwd() {
55 if (ses.authstate.pubkey_options
56 && ses.authstate.pubkey_options->no_agent_forwarding_flag) {
57 return 0;
58 }
59 return 1;
60 }
61
62 /* Returns 1 if pubkey allows tcp forwarding,
63 * 0 otherwise */
64 int svr_pubkey_allows_tcpfwd() {
65 if (ses.authstate.pubkey_options
66 && ses.authstate.pubkey_options->no_port_forwarding_flag) {
67 return 0;
68 }
69 return 1;
70 }
71
72 /* Returns 1 if pubkey allows x11 forwarding,
73 * 0 otherwise */
74 int svr_pubkey_allows_x11fwd() {
75 if (ses.authstate.pubkey_options
76 && ses.authstate.pubkey_options->no_x11_forwarding_flag) {
77 return 0;
78 }
79 return 1;
80 }
81
82 /* Returns 1 if pubkey allows pty, 0 otherwise */
83 int svr_pubkey_allows_pty() {
84 if (ses.authstate.pubkey_options
85 && ses.authstate.pubkey_options->no_pty_flag) {
86 return 0;
87 }
88 return 1;
89 }
90
91 /* Set chansession command to the one forced by 'command' public key option */
92 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
93 if (ses.authstate.pubkey_options)
94 chansess->cmd = ses.authstate.pubkey_options->forced_command;
95 }
96
97 /* Free potential public key options */
98 void svr_pubkey_options_cleanup() {
99 if (ses.authstate.pubkey_options) {
100 m_free(ses.authstate.pubkey_options);
101 ses.authstate.pubkey_options = NULL;
102 }
103 }
104
105 /* helper for svr_add_pubkey_options. returns DROPBEAR_SUCCESS if the option is matched,
106 and increments the options_buf */
107 static int match_option(buffer *options_buf, const char *opt_name) {
108 const int len = strlen(opt_name);
109 if (options_buf->len - options_buf->pos < len) {
110 return DROPBEAR_FAILURE;
111 }
112 if (strncasecmp(buf_getptr(options_buf, len), opt_name, len) == 0) {
113 buf_incrpos(options_buf, len);
114 return DROPBEAR_SUCCESS;
115 }
116 return DROPBEAR_FAILURE;
117 }
118
119 /* Parse pubkey options and set ses.authstate.pubkey_options accordingly.
120 * Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
121 int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filename) {
122 int ret = DROPBEAR_FAILURE;
123
124 TRACE(("enter addpubkeyoptions"))
125
126 ses.authstate.pubkey_options = (struct PubKeyOptions*)m_malloc(sizeof( struct PubKeyOptions ));
127 memset(ses.authstate.pubkey_options, '\0', sizeof(*ses.authstate.pubkey_options));
128
129 buf_setpos(options_buf, 0);
130 while (options_buf->pos < options_buf->len) {
131 if (match_option(options_buf, "no-port-forwarding") == DROPBEAR_SUCCESS) {
132 dropbear_log(LOG_WARNING, "Port forwarding disabled.");
133 ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
134 goto next_option;
135 }
136 #ifdef ENABLE_AGENTFWD
137 if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) {
138 dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
139 ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
140 goto next_option;
141 }
142 #endif
143 #ifdef ENABLE_X11FWD
144 if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) {
145 dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
146 ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
147 goto next_option;
148 }
149 #endif
150 if (match_option(options_buf, "no-pty") == DROPBEAR_SUCCESS) {
151 dropbear_log(LOG_WARNING, "Pty allocation disabled.");
152 ses.authstate.pubkey_options->no_pty_flag = 1;
153 goto next_option;
154 }
155 if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
156 int escaped = 0;
157 const unsigned char* command_start = buf_getptr(options_buf, 0);
158 while (options_buf->pos < options_buf->len) {
159 const char c = buf_getbyte(options_buf);
160 if (!escaped && c == '"') {
161 const int command_len = buf_getptr(options_buf, 0) - command_start;
162 ses.authstate.pubkey_options->forced_command = m_malloc(command_len);
163 memcpy(ses.authstate.pubkey_options->forced_command,
164 command_start, command_len-1);
165 ses.authstate.pubkey_options->forced_command[command_len-1] = '\0';
166 dropbear_log(LOG_WARNING, "Forced command '%s'",
167 ses.authstate.pubkey_options->forced_command);
168 goto next_option;
169 }
170 escaped = (!escaped && c == '\\');
171 }
172 dropbear_log(LOG_WARNING, "Badly formatted command= authorized_keys option");
173 goto bad_option;
174 }
175
176 next_option:
177 /*
178 * Skip the comma, and move to the next option
179 * (or break out if there are no more).
180 */
181 if (options_buf->pos < options_buf->len
182 && buf_getbyte(options_buf) != ',') {
183 goto bad_option;
184 }
185 /* Process the next option. */
186 }
187 /* parsed all options with no problem */
188 ret = DROPBEAR_SUCCESS;
189 goto end;
190
191 bad_option:
192 ret = DROPBEAR_FAILURE;
193 m_free(ses.authstate.pubkey_options);
194 ses.authstate.pubkey_options = NULL;
195 dropbear_log(LOG_WARNING, "Bad public key options at %s:%d", filename, line_num);
196
197 end:
198 TRACE(("leave addpubkeyoptions"))
199 return ret;
200 }
201
202 #endif