diff options
Diffstat (limited to 'crypto/openssh/auth-options.c')
| -rw-r--r-- | crypto/openssh/auth-options.c | 51 |
1 files changed, 20 insertions, 31 deletions
diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c index 443f541..8df6a6d 100644 --- a/crypto/openssh/auth-options.c +++ b/crypto/openssh/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.16 2001/03/18 12:07:52 markus Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -20,6 +20,7 @@ RCSID("$OpenBSD: auth-options.c,v 1.16 2001/03/18 12:07:52 markus Exp $"); #include "channels.h" #include "auth-options.h" #include "servconf.h" +#include "misc.h" /* Flags set authorized_keys flags */ int no_port_forwarding_flag = 0; @@ -167,10 +168,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } cp = "from=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - int mname, mip; const char *remote_ip = get_remote_ipaddr(); const char *remote_host = get_canonical_hostname( - options.reverse_mapping_check); + options.verify_reverse_mapping); char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -195,18 +195,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } patterns[i] = 0; opts++; - /* - * Deny access if we get a negative - * match for the hostname or the ip - * or if we get not match at all - */ - mname = match_hostname(remote_host, patterns, - strlen(patterns)); - mip = match_hostname(remote_ip, patterns, - strlen(patterns)); - xfree(patterns); - if (mname == -1 || mip == -1 || - (mname != 1 && mip != 1)) { + if (match_host_and_ip(remote_host, remote_ip, + patterns) != 1) { + xfree(patterns); log("Authentication tried for %.100s with " "correct key but not from a permitted " "host (host=%.200s, ip=%.200s).", @@ -217,13 +208,14 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) /* deny access */ return 0; } + xfree(patterns); /* Host name matches. */ goto next_option; } cp = "permitopen=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { + char host[256], sport[6]; u_short port; - char *c, *ep; char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -248,28 +240,25 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } patterns[i] = 0; opts++; - c = strchr(patterns, ':'); - if (c == NULL) { - debug("%.100s, line %lu: permitopen: missing colon <%.100s>", - file, linenum, patterns); - packet_send_debug("%.100s, line %lu: missing colon", - file, linenum); + if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 && + sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { + debug("%.100s, line %lu: Bad permitopen specification " + "<%.100s>", file, linenum, patterns); + packet_send_debug("%.100s, line %lu: " + "Bad permitopen specification", file, linenum); xfree(patterns); goto bad_option; } - *c = 0; - c++; - port = strtol(c, &ep, 0); - if (c == ep) { - debug("%.100s, line %lu: permitopen: missing port <%.100s>", - file, linenum, patterns); - packet_send_debug("%.100s, line %lu: missing port", - file, linenum); + if ((port = a2port(sport)) == 0) { + debug("%.100s, line %lu: Bad permitopen port <%.100s>", + file, linenum, sport); + packet_send_debug("%.100s, line %lu: " + "Bad permitopen port", file, linenum); xfree(patterns); goto bad_option; } if (options.allow_tcp_forwarding) - channel_add_permitted_opens(patterns, port); + channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; } |
