1 /* $OpenBSD: auth-options.c,v 1.72 2016/11/30 02:57:40 djm Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * As far as I am concerned, the code I have written for this software
7  * can be used freely for any purpose.  Any derived versions of this
8  * software must be clearly marked as such, and if the derived work is
9  * incompatible with the protocol description in the RFC file, it must be
10  * called by a name other than "ssh" or "Secure Shell".
11  */
12 
13 #include "includes.h"
14 
15 #include <sys/types.h>
16 
17 #include <netdb.h>
18 #include <pwd.h>
19 #include <string.h>
20 #include <stdio.h>
21 #include <stdarg.h>
22 
23 #include "openbsd-compat/sys-queue.h"
24 
25 #include "key.h"	/* XXX for typedef */
26 #include "buffer.h"	/* XXX for typedef */
27 #include "xmalloc.h"
28 #include "match.h"
29 #include "ssherr.h"
30 #include "log.h"
31 #include "canohost.h"
32 #include "packet.h"
33 #include "sshbuf.h"
34 #include "misc.h"
35 #include "channels.h"
36 #include "servconf.h"
37 #include "sshkey.h"
38 #include "auth-options.h"
39 #include "hostfile.h"
40 #include "auth.h"
41 
42 /* Flags set authorized_keys flags */
43 int no_port_forwarding_flag = 0;
44 int no_agent_forwarding_flag = 0;
45 int no_x11_forwarding_flag = 0;
46 int no_pty_flag = 0;
47 int no_user_rc = 0;
48 int key_is_cert_authority = 0;
49 
50 /* "command=" option. */
51 char *forced_command = NULL;
52 
53 /* "environment=" options. */
54 struct envstring *custom_environment = NULL;
55 
56 /* "tunnel=" option. */
57 int forced_tun_device = -1;
58 
59 /* "principals=" option. */
60 char *authorized_principals = NULL;
61 
62 extern ServerOptions options;
63 
64 void
auth_clear_options(void)65 auth_clear_options(void)
66 {
67 	no_agent_forwarding_flag = 0;
68 	no_port_forwarding_flag = 0;
69 	no_pty_flag = 0;
70 	no_x11_forwarding_flag = 0;
71 	no_user_rc = 0;
72 	key_is_cert_authority = 0;
73 	while (custom_environment) {
74 		struct envstring *ce = custom_environment;
75 		custom_environment = ce->next;
76 		free(ce->s);
77 		free(ce);
78 	}
79 	free(forced_command);
80 	forced_command = NULL;
81 	free(authorized_principals);
82 	authorized_principals = NULL;
83 	forced_tun_device = -1;
84 	channel_clear_permitted_opens();
85 }
86 
87 /*
88  * Match flag 'opt' in *optsp, and if allow_negate is set then also match
89  * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
90  * if negated option matches.
91  * If the option or negated option matches, then *optsp is updated to
92  * point to the first character after the option and, if 'msg' is not NULL
93  * then a message based on it added via auth_debug_add().
94  */
95 static int
match_flag(const char * opt,int allow_negate,char ** optsp,const char * msg)96 match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
97 {
98 	size_t opt_len = strlen(opt);
99 	char *opts = *optsp;
100 	int negate = 0;
101 
102 	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
103 		opts += 3;
104 		negate = 1;
105 	}
106 	if (strncasecmp(opts, opt, opt_len) == 0) {
107 		*optsp = opts + opt_len;
108 		if (msg != NULL) {
109 			auth_debug_add("%s %s.", msg,
110 			    negate ? "disabled" : "enabled");
111 		}
112 		return negate ? 0 : 1;
113 	}
114 	return -1;
115 }
116 
117 /*
118  * return 1 if access is granted, 0 if not.
119  * side effect: sets key option flags
120  */
121 int
auth_parse_options(struct passwd * pw,char * opts,char * file,u_long linenum)122 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
123 {
124 	struct ssh *ssh = active_state;		/* XXX */
125 	const char *cp;
126 	int i, r;
127 
128 	/* reset options */
129 	auth_clear_options();
130 
131 	if (!opts)
132 		return 1;
133 
134 	while (*opts && *opts != ' ' && *opts != '\t') {
135 		if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
136 			key_is_cert_authority = r;
137 			goto next_option;
138 		}
139 		if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
140 			auth_debug_add("Key is restricted.");
141 			no_port_forwarding_flag = 1;
142 			no_agent_forwarding_flag = 1;
143 			no_x11_forwarding_flag = 1;
144 			no_pty_flag = 1;
145 			no_user_rc = 1;
146 			goto next_option;
147 		}
148 		if ((r = match_flag("port-forwarding", 1, &opts,
149 		    "Port forwarding")) != -1) {
150 			no_port_forwarding_flag = r != 1;
151 			goto next_option;
152 		}
153 		if ((r = match_flag("agent-forwarding", 1, &opts,
154 		    "Agent forwarding")) != -1) {
155 			no_agent_forwarding_flag = r != 1;
156 			goto next_option;
157 		}
158 		if ((r = match_flag("x11-forwarding", 1, &opts,
159 		    "X11 forwarding")) != -1) {
160 			no_x11_forwarding_flag = r != 1;
161 			goto next_option;
162 		}
163 		if ((r = match_flag("pty", 1, &opts,
164 		    "PTY allocation")) != -1) {
165 			no_pty_flag = r != 1;
166 			goto next_option;
167 		}
168 		if ((r = match_flag("user-rc", 1, &opts,
169 		    "User rc execution")) != -1) {
170 			no_user_rc = r != 1;
171 			goto next_option;
172 		}
173 		cp = "command=\"";
174 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
175 			opts += strlen(cp);
176 			free(forced_command);
177 			forced_command = xmalloc(strlen(opts) + 1);
178 			i = 0;
179 			while (*opts) {
180 				if (*opts == '"')
181 					break;
182 				if (*opts == '\\' && opts[1] == '"') {
183 					opts += 2;
184 					forced_command[i++] = '"';
185 					continue;
186 				}
187 				forced_command[i++] = *opts++;
188 			}
189 			if (!*opts) {
190 				debug("%.100s, line %lu: missing end quote",
191 				    file, linenum);
192 				auth_debug_add("%.100s, line %lu: missing end quote",
193 				    file, linenum);
194 				free(forced_command);
195 				forced_command = NULL;
196 				goto bad_option;
197 			}
198 			forced_command[i] = '\0';
199 			auth_debug_add("Forced command.");
200 			opts++;
201 			goto next_option;
202 		}
203 		cp = "principals=\"";
204 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
205 			opts += strlen(cp);
206 			free(authorized_principals);
207 			authorized_principals = xmalloc(strlen(opts) + 1);
208 			i = 0;
209 			while (*opts) {
210 				if (*opts == '"')
211 					break;
212 				if (*opts == '\\' && opts[1] == '"') {
213 					opts += 2;
214 					authorized_principals[i++] = '"';
215 					continue;
216 				}
217 				authorized_principals[i++] = *opts++;
218 			}
219 			if (!*opts) {
220 				debug("%.100s, line %lu: missing end quote",
221 				    file, linenum);
222 				auth_debug_add("%.100s, line %lu: missing end quote",
223 				    file, linenum);
224 				free(authorized_principals);
225 				authorized_principals = NULL;
226 				goto bad_option;
227 			}
228 			authorized_principals[i] = '\0';
229 			auth_debug_add("principals: %.900s",
230 			    authorized_principals);
231 			opts++;
232 			goto next_option;
233 		}
234 		cp = "environment=\"";
235 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
236 			char *s;
237 			struct envstring *new_envstring;
238 
239 			opts += strlen(cp);
240 			s = xmalloc(strlen(opts) + 1);
241 			i = 0;
242 			while (*opts) {
243 				if (*opts == '"')
244 					break;
245 				if (*opts == '\\' && opts[1] == '"') {
246 					opts += 2;
247 					s[i++] = '"';
248 					continue;
249 				}
250 				s[i++] = *opts++;
251 			}
252 			if (!*opts) {
253 				debug("%.100s, line %lu: missing end quote",
254 				    file, linenum);
255 				auth_debug_add("%.100s, line %lu: missing end quote",
256 				    file, linenum);
257 				free(s);
258 				goto bad_option;
259 			}
260 			s[i] = '\0';
261 			opts++;
262 			if (options.permit_user_env) {
263 				auth_debug_add("Adding to environment: "
264 				    "%.900s", s);
265 				debug("Adding to environment: %.900s", s);
266 				new_envstring = xcalloc(1,
267 				    sizeof(*new_envstring));
268 				new_envstring->s = s;
269 				new_envstring->next = custom_environment;
270 				custom_environment = new_envstring;
271 				s = NULL;
272 			}
273 			free(s);
274 			goto next_option;
275 		}
276 		cp = "from=\"";
277 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
278 			const char *remote_ip = ssh_remote_ipaddr(ssh);
279 			const char *remote_host = auth_get_canonical_hostname(
280 			    ssh, options.use_dns);
281 			char *patterns = xmalloc(strlen(opts) + 1);
282 
283 			opts += strlen(cp);
284 			i = 0;
285 			while (*opts) {
286 				if (*opts == '"')
287 					break;
288 				if (*opts == '\\' && opts[1] == '"') {
289 					opts += 2;
290 					patterns[i++] = '"';
291 					continue;
292 				}
293 				patterns[i++] = *opts++;
294 			}
295 			if (!*opts) {
296 				debug("%.100s, line %lu: missing end quote",
297 				    file, linenum);
298 				auth_debug_add("%.100s, line %lu: missing end quote",
299 				    file, linenum);
300 				free(patterns);
301 				goto bad_option;
302 			}
303 			patterns[i] = '\0';
304 			opts++;
305 			switch (match_host_and_ip(remote_host, remote_ip,
306 			    patterns)) {
307 			case 1:
308 				free(patterns);
309 				/* Host name matches. */
310 				goto next_option;
311 			case -1:
312 				debug("%.100s, line %lu: invalid criteria",
313 				    file, linenum);
314 				auth_debug_add("%.100s, line %lu: "
315 				    "invalid criteria", file, linenum);
316 				/* FALLTHROUGH */
317 			case 0:
318 				free(patterns);
319 				logit("Authentication tried for %.100s with "
320 				    "correct key but not from a permitted "
321 				    "host (host=%.200s, ip=%.200s).",
322 				    pw->pw_name, remote_host, remote_ip);
323 				auth_debug_add("Your host '%.200s' is not "
324 				    "permitted to use this key for login.",
325 				    remote_host);
326 				break;
327 			}
328 			/* deny access */
329 			return 0;
330 		}
331 		cp = "permitopen=\"";
332 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
333 			char *host, *p;
334 			int port;
335 			char *patterns = xmalloc(strlen(opts) + 1);
336 
337 			opts += strlen(cp);
338 			i = 0;
339 			while (*opts) {
340 				if (*opts == '"')
341 					break;
342 				if (*opts == '\\' && opts[1] == '"') {
343 					opts += 2;
344 					patterns[i++] = '"';
345 					continue;
346 				}
347 				patterns[i++] = *opts++;
348 			}
349 			if (!*opts) {
350 				debug("%.100s, line %lu: missing end quote",
351 				    file, linenum);
352 				auth_debug_add("%.100s, line %lu: missing "
353 				    "end quote", file, linenum);
354 				free(patterns);
355 				goto bad_option;
356 			}
357 			patterns[i] = '\0';
358 			opts++;
359 			p = patterns;
360 			/* XXX - add streamlocal support */
361 			host = hpdelim(&p);
362 			if (host == NULL || strlen(host) >= NI_MAXHOST) {
363 				debug("%.100s, line %lu: Bad permitopen "
364 				    "specification <%.100s>", file, linenum,
365 				    patterns);
366 				auth_debug_add("%.100s, line %lu: "
367 				    "Bad permitopen specification", file,
368 				    linenum);
369 				free(patterns);
370 				goto bad_option;
371 			}
372 			host = cleanhostname(host);
373 			if (p == NULL || (port = permitopen_port(p)) < 0) {
374 				debug("%.100s, line %lu: Bad permitopen port "
375 				    "<%.100s>", file, linenum, p ? p : "");
376 				auth_debug_add("%.100s, line %lu: "
377 				    "Bad permitopen port", file, linenum);
378 				free(patterns);
379 				goto bad_option;
380 			}
381 			if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
382 				channel_add_permitted_opens(host, port);
383 			free(patterns);
384 			goto next_option;
385 		}
386 		cp = "tunnel=\"";
387 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
388 			char *tun = NULL;
389 			opts += strlen(cp);
390 			tun = xmalloc(strlen(opts) + 1);
391 			i = 0;
392 			while (*opts) {
393 				if (*opts == '"')
394 					break;
395 				tun[i++] = *opts++;
396 			}
397 			if (!*opts) {
398 				debug("%.100s, line %lu: missing end quote",
399 				    file, linenum);
400 				auth_debug_add("%.100s, line %lu: missing end quote",
401 				    file, linenum);
402 				free(tun);
403 				forced_tun_device = -1;
404 				goto bad_option;
405 			}
406 			tun[i] = '\0';
407 			forced_tun_device = a2tun(tun, NULL);
408 			free(tun);
409 			if (forced_tun_device == SSH_TUNID_ERR) {
410 				debug("%.100s, line %lu: invalid tun device",
411 				    file, linenum);
412 				auth_debug_add("%.100s, line %lu: invalid tun device",
413 				    file, linenum);
414 				forced_tun_device = -1;
415 				goto bad_option;
416 			}
417 			auth_debug_add("Forced tun device: %d", forced_tun_device);
418 			opts++;
419 			goto next_option;
420 		}
421 next_option:
422 		/*
423 		 * Skip the comma, and move to the next option
424 		 * (or break out if there are no more).
425 		 */
426 		if (!*opts)
427 			fatal("Bugs in auth-options.c option processing.");
428 		if (*opts == ' ' || *opts == '\t')
429 			break;		/* End of options. */
430 		if (*opts != ',')
431 			goto bad_option;
432 		opts++;
433 		/* Process the next option. */
434 	}
435 
436 	/* grant access */
437 	return 1;
438 
439 bad_option:
440 	logit("Bad options in %.100s file, line %lu: %.50s",
441 	    file, linenum, opts);
442 	auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
443 	    file, linenum, opts);
444 
445 	/* deny access */
446 	return 0;
447 }
448 
449 #define OPTIONS_CRITICAL	1
450 #define OPTIONS_EXTENSIONS	2
451 static int
parse_option_list(struct sshbuf * oblob,struct passwd * pw,u_int which,int crit,int * cert_no_port_forwarding_flag,int * cert_no_agent_forwarding_flag,int * cert_no_x11_forwarding_flag,int * cert_no_pty_flag,int * cert_no_user_rc,char ** cert_forced_command,int * cert_source_address_done)452 parse_option_list(struct sshbuf *oblob, struct passwd *pw,
453     u_int which, int crit,
454     int *cert_no_port_forwarding_flag,
455     int *cert_no_agent_forwarding_flag,
456     int *cert_no_x11_forwarding_flag,
457     int *cert_no_pty_flag,
458     int *cert_no_user_rc,
459     char **cert_forced_command,
460     int *cert_source_address_done)
461 {
462 	struct ssh *ssh = active_state;		/* XXX */
463 	char *command, *allowed;
464 	const char *remote_ip;
465 	char *name = NULL;
466 	struct sshbuf *c = NULL, *data = NULL;
467 	int r, ret = -1, result, found;
468 
469 	if ((c = sshbuf_fromb(oblob)) == NULL) {
470 		error("%s: sshbuf_fromb failed", __func__);
471 		goto out;
472 	}
473 
474 	while (sshbuf_len(c) > 0) {
475 		sshbuf_free(data);
476 		data = NULL;
477 		if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
478 		    (r = sshbuf_froms(c, &data)) != 0) {
479 			error("Unable to parse certificate options: %s",
480 			    ssh_err(r));
481 			goto out;
482 		}
483 		debug3("found certificate option \"%.100s\" len %zu",
484 		    name, sshbuf_len(data));
485 		found = 0;
486 		if ((which & OPTIONS_EXTENSIONS) != 0) {
487 			if (strcmp(name, "permit-X11-forwarding") == 0) {
488 				*cert_no_x11_forwarding_flag = 0;
489 				found = 1;
490 			} else if (strcmp(name,
491 			    "permit-agent-forwarding") == 0) {
492 				*cert_no_agent_forwarding_flag = 0;
493 				found = 1;
494 			} else if (strcmp(name,
495 			    "permit-port-forwarding") == 0) {
496 				*cert_no_port_forwarding_flag = 0;
497 				found = 1;
498 			} else if (strcmp(name, "permit-pty") == 0) {
499 				*cert_no_pty_flag = 0;
500 				found = 1;
501 			} else if (strcmp(name, "permit-user-rc") == 0) {
502 				*cert_no_user_rc = 0;
503 				found = 1;
504 			}
505 		}
506 		if (!found && (which & OPTIONS_CRITICAL) != 0) {
507 			if (strcmp(name, "force-command") == 0) {
508 				if ((r = sshbuf_get_cstring(data, &command,
509 				    NULL)) != 0) {
510 					error("Unable to parse \"%s\" "
511 					    "section: %s", name, ssh_err(r));
512 					goto out;
513 				}
514 				if (*cert_forced_command != NULL) {
515 					error("Certificate has multiple "
516 					    "force-command options");
517 					free(command);
518 					goto out;
519 				}
520 				*cert_forced_command = command;
521 				found = 1;
522 			}
523 			if (strcmp(name, "source-address") == 0) {
524 				if ((r = sshbuf_get_cstring(data, &allowed,
525 				    NULL)) != 0) {
526 					error("Unable to parse \"%s\" "
527 					    "section: %s", name, ssh_err(r));
528 					goto out;
529 				}
530 				if ((*cert_source_address_done)++) {
531 					error("Certificate has multiple "
532 					    "source-address options");
533 					free(allowed);
534 					goto out;
535 				}
536 				remote_ip = ssh_remote_ipaddr(ssh);
537 				result = addr_match_cidr_list(remote_ip,
538 				    allowed);
539 				free(allowed);
540 				switch (result) {
541 				case 1:
542 					/* accepted */
543 					break;
544 				case 0:
545 					/* no match */
546 					logit("Authentication tried for %.100s "
547 					    "with valid certificate but not "
548 					    "from a permitted host "
549 					    "(ip=%.200s).", pw->pw_name,
550 					    remote_ip);
551 					auth_debug_add("Your address '%.200s' "
552 					    "is not permitted to use this "
553 					    "certificate for login.",
554 					    remote_ip);
555 					goto out;
556 				case -1:
557 				default:
558 					error("Certificate source-address "
559 					    "contents invalid");
560 					goto out;
561 				}
562 				found = 1;
563 			}
564 		}
565 
566 		if (!found) {
567 			if (crit) {
568 				error("Certificate critical option \"%s\" "
569 				    "is not supported", name);
570 				goto out;
571 			} else {
572 				logit("Certificate extension \"%s\" "
573 				    "is not supported", name);
574 			}
575 		} else if (sshbuf_len(data) != 0) {
576 			error("Certificate option \"%s\" corrupt "
577 			    "(extra data)", name);
578 			goto out;
579 		}
580 		free(name);
581 		name = NULL;
582 	}
583 	/* successfully parsed all options */
584 	ret = 0;
585 
586  out:
587 	if (ret != 0 &&
588 	    cert_forced_command != NULL &&
589 	    *cert_forced_command != NULL) {
590 		free(*cert_forced_command);
591 		*cert_forced_command = NULL;
592 	}
593 	free(name);
594 	sshbuf_free(data);
595 	sshbuf_free(c);
596 	return ret;
597 }
598 
599 /*
600  * Set options from critical certificate options. These supersede user key
601  * options so this must be called after auth_parse_options().
602  */
603 int
auth_cert_options(struct sshkey * k,struct passwd * pw,const char ** reason)604 auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason)
605 {
606 	int cert_no_port_forwarding_flag = 1;
607 	int cert_no_agent_forwarding_flag = 1;
608 	int cert_no_x11_forwarding_flag = 1;
609 	int cert_no_pty_flag = 1;
610 	int cert_no_user_rc = 1;
611 	char *cert_forced_command = NULL;
612 	int cert_source_address_done = 0;
613 
614 	*reason = "invalid certificate options";
615 
616 	/* Separate options and extensions for v01 certs */
617 	if (parse_option_list(k->cert->critical, pw,
618 	    OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
619 	    &cert_forced_command,
620 	    &cert_source_address_done) == -1)
621 		return -1;
622 	if (parse_option_list(k->cert->extensions, pw,
623 	    OPTIONS_EXTENSIONS, 0,
624 	    &cert_no_port_forwarding_flag,
625 	    &cert_no_agent_forwarding_flag,
626 	    &cert_no_x11_forwarding_flag,
627 	    &cert_no_pty_flag,
628 	    &cert_no_user_rc,
629 	    NULL, NULL) == -1)
630 		return -1;
631 
632 	no_port_forwarding_flag |= cert_no_port_forwarding_flag;
633 	no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
634 	no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
635 	no_pty_flag |= cert_no_pty_flag;
636 	no_user_rc |= cert_no_user_rc;
637 	/*
638 	 * Only permit both CA and key option forced-command if they match.
639 	 * Otherwise refuse the certificate.
640 	 */
641 	if (cert_forced_command != NULL && forced_command != NULL) {
642 		if (strcmp(forced_command, cert_forced_command) == 0) {
643 			free(forced_command);
644 			forced_command = cert_forced_command;
645 		} else {
646 			*reason = "certificate and key options forced command "
647 			    "do not match";
648 			free(cert_forced_command);
649 			return -1;
650 		}
651 	} else if (cert_forced_command != NULL)
652 		forced_command = cert_forced_command;
653 	/* success */
654 	*reason = NULL;
655 	return 0;
656 }
657 
658