svr-authpubkeyoptions.c

   1 /*
   2  * Dropbear - a SSH2 server
   3  *
   4  * Copyright (c) 2008 Frederic Moulins
   5  * All rights reserved.
   6  *
   7  * Permission is hereby granted, free of charge, to any person obtaining a copy
   8  * of this software and associated documentation files (the "Software"), to deal
   9  * in the Software without restriction, including without limitation the rights
  10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  11  * copies of the Software, and to permit persons to whom the Software is
  12  * furnished to do so, subject to the following conditions:
  13  *
  14  * The above copyright notice and this permission notice shall be included in
  15  * all copies or substantial portions of the Software.
  16  *
  17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  20  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  23  * SOFTWARE.
  24  *
  25  * This file incorporates work covered by the following copyright and
  26  * permission notice:
  27  *
  28  *      Author: Tatu Ylonen <ylo@cs.hut.fi>
  29  *      Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  30  *                    All rights reserved
  31  *      As far as I am concerned, the code I have written for this software
  32  *      can be used freely for any purpose.  Any derived versions of this
  33  *      software must be clearly marked as such, and if the derived work is
  34  *      incompatible with the protocol description in the RFC file, it must be
  35  *      called by a name other than "ssh" or "Secure Shell".
  36  *
  37  * This copyright and permission notice applies to the code parsing public keys
  38  * options string which can also be found in OpenSSH auth-options.c file
  39  * (auth_parse_options).
  40  *
  41  */
  42
  43 /* Process pubkey options during a pubkey auth request */
  44 #include "includes.h"
  45 #include "session.h"
  46 #include "dbutil.h"
  47 #include "signkey.h"
  48 #include "auth.h"
  49
  50 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
  51
  52 /* Returns 1 if pubkey allows agent forwarding,
  53  * 0 otherwise */
  54 int svr_pubkey_allows_agentfwd() {
  55         if (ses.authstate.pubkey_options
  56                 && ses.authstate.pubkey_options->no_agent_forwarding_flag) {
  57                 return 0;
  58         }
  59         return 1;
  60 }
  61
  62 /* Returns 1 if pubkey allows tcp forwarding,
  63  * 0 otherwise */
  64 int svr_pubkey_allows_tcpfwd() {
  65         if (ses.authstate.pubkey_options
  66                 && ses.authstate.pubkey_options->no_port_forwarding_flag) {
  67                 return 0;
  68         }
  69         return 1;
  70 }
  71
  72 /* Returns 1 if pubkey allows x11 forwarding,
  73  * 0 otherwise */
  74 int svr_pubkey_allows_x11fwd() {
  75         if (ses.authstate.pubkey_options
  76                 && ses.authstate.pubkey_options->no_x11_forwarding_flag) {
  77                 return 0;
  78         }
  79         return 1;
  80 }
  81
  82 /* Returns 1 if pubkey allows pty, 0 otherwise */
  83 int svr_pubkey_allows_pty() {
  84         if (ses.authstate.pubkey_options
  85                 && ses.authstate.pubkey_options->no_pty_flag) {
  86                 return 0;
  87         }
  88         return 1;
  89 }
  90
  91 /* Set chansession command to the one forced
  92  * by any 'command' public key option. */
  93 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
  94         if (ses.authstate.pubkey_options) {
  95                 ses.authstate.pubkey_options->original_command = chansess->cmd;
  96                 if (!chansess->cmd)
  97                 {
  98                         ses.authstate.pubkey_options->original_command = m_strdup("");
  99                 }
 100                 chansess->cmd = ses.authstate.pubkey_options->forced_command;
 101 #ifdef LOG_COMMANDS
 102                 dropbear_log(LOG_INFO, "command forced to '%s'", ses.authstate.pubkey_options->original_command);
 103 #endif
 104         }
 105 }
 106
 107 /* Free potential public key options */
 108 void svr_pubkey_options_cleanup() {
 109         if (ses.authstate.pubkey_options) {
 110                 m_free(ses.authstate.pubkey_options);
 111                 ses.authstate.pubkey_options = NULL;
 112         }
 113 }
 114
 115 /* helper for svr_add_pubkey_options. returns DROPBEAR_SUCCESS if the option is matched,
 116    and increments the options_buf */
 117 static int match_option(buffer *options_buf, const char *opt_name) {
 118         const unsigned int len = strlen(opt_name);
 119         if (options_buf->len - options_buf->pos < len) {
 120                 return DROPBEAR_FAILURE;
 121         }
 122         if (strncasecmp(buf_getptr(options_buf, len), opt_name, len) == 0) {
 123                 buf_incrpos(options_buf, len);
 124                 return DROPBEAR_SUCCESS;
 125         }
 126         return DROPBEAR_FAILURE;
 127 }
 128
 129 /* Parse pubkey options and set ses.authstate.pubkey_options accordingly.
 130  * Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
 131 int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filename) {
 132         int ret = DROPBEAR_FAILURE;
 133
 134         TRACE(("enter addpubkeyoptions"))
 135
 136         ses.authstate.pubkey_options = (struct PubKeyOptions*)m_malloc(sizeof( struct PubKeyOptions ));
 137
 138         buf_setpos(options_buf, 0);
 139         while (options_buf->pos < options_buf->len) {
 140                 if (match_option(options_buf, "no-port-forwarding") == DROPBEAR_SUCCESS) {
 141                         dropbear_log(LOG_WARNING, "Port forwarding disabled.");
 142                         ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
 143                         goto next_option;
 144                 }
 145 #ifdef ENABLE_AGENTFWD
 146                 if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) {
 147                         dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
 148                         ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
 149                         goto next_option;
 150                 }
 151 #endif
 152 #ifdef ENABLE_X11FWD
 153                 if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) {
 154                         dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
 155                         ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
 156                         goto next_option;
 157                 }
 158 #endif
 159                 if (match_option(options_buf, "no-pty") == DROPBEAR_SUCCESS) {
 160                         dropbear_log(LOG_WARNING, "Pty allocation disabled.");
 161                         ses.authstate.pubkey_options->no_pty_flag = 1;
 162                         goto next_option;
 163                 }
 164                 if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
 165                         int escaped = 0;
 166                         const unsigned char* command_start = buf_getptr(options_buf, 0);
 167                         while (options_buf->pos < options_buf->len) {
 168                                 const char c = buf_getbyte(options_buf);
 169                                 if (!escaped && c == '"') {
 170                                         const int command_len = buf_getptr(options_buf, 0) - command_start;
 171                                         ses.authstate.pubkey_options->forced_command = m_malloc(command_len);
 172                                         memcpy(ses.authstate.pubkey_options->forced_command,
 173                                                         command_start, command_len-1);
 174                                         ses.authstate.pubkey_options->forced_command[command_len-1] = '\0';
 175                                         dropbear_log(LOG_WARNING, "Forced command '%s'",
 176                                                 ses.authstate.pubkey_options->forced_command);
 177                                         goto next_option;
 178                                 }
 179                                 escaped = (!escaped && c == '\\');
 180                         }
 181                         dropbear_log(LOG_WARNING, "Badly formatted command= authorized_keys option");
 182                         goto bad_option;
 183                 }
 184
 185 next_option:
 186                 /*
 187                  * Skip the comma, and move to the next option
 188                  * (or break out if there are no more).
 189                  */
 190                 if (options_buf->pos < options_buf->len
 191                                 && buf_getbyte(options_buf) != ',') {
 192                         goto bad_option;
 193                 }
 194                 /* Process the next option. */
 195         }
 196         /* parsed all options with no problem */
 197         ret = DROPBEAR_SUCCESS;
 198         goto end;
 199
 200 bad_option:
 201         ret = DROPBEAR_FAILURE;
 202         m_free(ses.authstate.pubkey_options);
 203         ses.authstate.pubkey_options = NULL;
 204         dropbear_log(LOG_WARNING, "Bad public key options at %s:%d", filename, line_num);
 205
 206 end:
 207         TRACE(("leave addpubkeyoptions"))
 208         return ret;
 209 }
 210
 211 #endif