Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09

1 files changed, 10 insertions, 197 deletions

diff --git a/crypto/openssh/auth-rsa.c b/crypto/openssh/auth-rsa.c
index 78d28f0..8aefc8f 100644
--- a/crypto/openssh/auth-rsa.c
+++ b/crypto/openssh/auth-rsa.c
@@ -1,22 +1,20 @@
 /*
- *
- * auth-rsa.c
- *
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
- *
- * Created: Mon Mar 27 01:46:52 1995 ylo
- *
  * RSA-based authentication.  This code determines whether to admit a login
  * based on RSA authentication.  This file also contains functions to check
  * validity of the host key.
  *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.23 2000/04/29 18:11:51 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.29 2000/09/07 21:13:36 markus Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -26,18 +24,11 @@ RCSID("$Id: auth-rsa.c,v 1.23 2000/04/29 18:11:51 markus Exp $");
 #include "uidswap.h"
 #include "match.h"
 #include "servconf.h"
+#include "auth-options.h"
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
 
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-
 /*
  * Session identifier that is used to bind key exchange and authentication
  * responses to a particular session.
@@ -186,8 +177,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 		}
 		if (fail) {
 			fclose(f);
-			log(buf);
-			packet_send_debug(buf);
+			log("%s",buf);
+			packet_send_debug("%s",buf);
 			restore_uid();
 			return 0;
 		}
@@ -268,188 +259,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 		 * authenticated. Note that we have not yet processed the
 		 * options; this will be reset if the options cause the
 		 * authentication to be rejected.
-		 */
-		authenticated = 1;
-
-		/* RSA part of authentication was accepted.  Now process the options. */
-		if (options) {
-			while (*options && *options != ' ' && *options != '\t') {
-				cp = "no-port-forwarding";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("Port forwarding disabled.");
-					no_port_forwarding_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "no-agent-forwarding";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("Agent forwarding disabled.");
-					no_agent_forwarding_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "no-X11-forwarding";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("X11 forwarding disabled.");
-					no_x11_forwarding_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "no-pty";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("Pty allocation disabled.");
-					no_pty_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "command=\"";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					int i;
-					options += strlen(cp);
-					forced_command = xmalloc(strlen(options) + 1);
-					i = 0;
-					while (*options) {
-						if (*options == '"')
-							break;
-						if (*options == '\\' && options[1] == '"') {
-							options += 2;
-							forced_command[i++] = '"';
-							continue;
-						}
-						forced_command[i++] = *options++;
-					}
-					if (!*options) {
-						debug("%.100s, line %lu: missing end quote",
-						      SSH_USER_PERMITTED_KEYS, linenum);
-						packet_send_debug("%.100s, line %lu: missing end quote",
-								  SSH_USER_PERMITTED_KEYS, linenum);
-						continue;
-					}
-					forced_command[i] = 0;
-					packet_send_debug("Forced command: %.900s", forced_command);
-					options++;
-					goto next_option;
-				}
-				cp = "environment=\"";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					int i;
-					char *s;
-					struct envstring *new_envstring;
-					options += strlen(cp);
-					s = xmalloc(strlen(options) + 1);
-					i = 0;
-					while (*options) {
-						if (*options == '"')
-							break;
-						if (*options == '\\' && options[1] == '"') {
-							options += 2;
-							s[i++] = '"';
-							continue;
-						}
-						s[i++] = *options++;
-					}
-					if (!*options) {
-						debug("%.100s, line %lu: missing end quote",
-						      SSH_USER_PERMITTED_KEYS, linenum);
-						packet_send_debug("%.100s, line %lu: missing end quote",
-								  SSH_USER_PERMITTED_KEYS, linenum);
-						continue;
-					}
-					s[i] = 0;
-					packet_send_debug("Adding to environment: %.900s", s);
-					debug("Adding to environment: %.900s", s);
-					options++;
-					new_envstring = xmalloc(sizeof(struct envstring));
-					new_envstring->s = s;
-					new_envstring->next = custom_environment;
-					custom_environment = new_envstring;
-					goto next_option;
-				}
-				cp = "from=\"";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					char *patterns = xmalloc(strlen(options) + 1);
-					int i;
-					options += strlen(cp);
-					i = 0;
-					while (*options) {
-						if (*options == '"')
-							break;
-						if (*options == '\\' && options[1] == '"') {
-							options += 2;
-							patterns[i++] = '"';
-							continue;
-						}
-						patterns[i++] = *options++;
-					}
-					if (!*options) {
-						debug("%.100s, line %lu: missing end quote",
-						      SSH_USER_PERMITTED_KEYS, linenum);
-						packet_send_debug("%.100s, line %lu: missing end quote",
-								  SSH_USER_PERMITTED_KEYS, linenum);
-						continue;
-					}
-					patterns[i] = 0;
-					options++;
-					if (!match_hostname(get_canonical_hostname(), patterns,
-						     strlen(patterns)) &&
-					    !match_hostname(get_remote_ipaddr(), patterns,
-						     strlen(patterns))) {
-						log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
-						    pw->pw_name, get_canonical_hostname(),
-						    get_remote_ipaddr());
-						packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
-						get_canonical_hostname());
-						xfree(patterns);
-						/* key invalid for this host, reset flags */
-						authenticated = 0;
-						no_agent_forwarding_flag = 0;
-						no_port_forwarding_flag = 0;
-						no_pty_flag = 0;
-						no_x11_forwarding_flag = 0;
-						while (custom_environment) {
-							struct envstring *ce = custom_environment;
-							custom_environment = ce->next;
-							xfree(ce->s);
-							xfree(ce);
-						}
-						if (forced_command) {
-							xfree(forced_command);
-							forced_command = NULL;
-						}
-						break;
-					}
-					xfree(patterns);
-					/* Host name matches. */
-					goto next_option;
-				}
-		bad_option:
-				log("Bad options in %.100s file, line %lu: %.50s",
-				    SSH_USER_PERMITTED_KEYS, linenum, options);
-				packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
-						  SSH_USER_PERMITTED_KEYS, linenum, options);
-				authenticated = 0;
-				break;
-
-		next_option:
-				/*
-				 * Skip the comma, and move to the next option
-				 * (or break out if there are no more).
-				 */
-				if (!*options)
-					fatal("Bugs in auth-rsa.c option processing.");
-				if (*options == ' ' || *options == '\t')
-					break;		/* End of options. */
-				if (*options != ',')
-					goto bad_option;
-				options++;
-				/* Process the next option. */
-				continue;
-			}
-		}
-		/*
 		 * Break out of the loop if authentication was successful;
 		 * otherwise continue searching.
 		 */
+		authenticated = auth_parse_options(pw, options, linenum);
 		if (authenticated)
 			break;
 	}