diff options
| author | Alistair Delva <adelva@google.com> | 2020-08-21 00:00:13 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2020-08-21 00:00:13 +0000 |
| commit | ed358b3546c776c1c677fd88eb8f716cf6187510 (patch) | |
| tree | 3c6134bcb2cda4b9dccc57b4a8b997a945aab62d /auth2-pubkey.c | |
| parent | 22246b08952d746a7cc5a292570636cf4277598f (diff) | |
| parent | 44a1065de8a58c51a021243a28bfa01e87822e4f (diff) | |
Merge changes I934c73d4,I28cdc9a0,I9e734da9,I3c079d86
* changes:
UPSTREAM: depend
UPSTREAM: upstream: avoid possible NULL deref; from Pedro Martelletto
Revert "upstream: fix compilation with DEBUG_KEXDH; bz#3160 ok dtucker@"
Merge upstream-master into master
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 1185 |
1 files changed, 754 insertions, 431 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index d943efa1..815ea0f2 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.47 2015/02/17 00:14:05 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -27,8 +27,8 @@ #include <sys/types.h> #include <sys/stat.h> -#include <sys/wait.h> +#include <stdlib.h> #include <errno.h> #include <fcntl.h> #ifdef HAVE_PATHS_H @@ -47,12 +47,12 @@ #include "ssh.h" #include "ssh2.h" #include "packet.h" -#include "buffer.h" +#include "sshbuf.h" #include "log.h" #include "misc.h" #include "servconf.h" #include "compat.h" -#include "key.h" +#include "sshkey.h" #include "hostfile.h" #include "auth.h" #include "pathnames.h" @@ -65,124 +65,196 @@ #include "monitor_wrap.h" #include "authfile.h" #include "match.h" +#include "ssherr.h" +#include "channels.h" /* XXX for session.h */ +#include "session.h" /* XXX for child_set_env(); refactor? */ +#include "sk-api.h" /* import */ extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +static char * +format_key(const struct sshkey *key) +{ + char *ret, *fp = sshkey_fingerprint(key, + options.fingerprint_hash, SSH_FP_DEFAULT); + + xasprintf(&ret, "%s %s", sshkey_type(key), fp); + free(fp); + return ret; +} + static int -userauth_pubkey(Authctxt *authctxt) +userauth_pubkey(struct ssh *ssh) { - Buffer b; - Key *key = NULL; - char *pkalg, *userstyle; - u_char *pkblob, *sig; - u_int alen, blen, slen; - int have_sig, pktype; - int authenticated = 0; - - if (!authctxt->valid) { - debug2("userauth_pubkey: disabled because of invalid user"); - return 0; - } - have_sig = packet_get_char(); - if (datafellows & SSH_BUG_PKAUTH) { - debug2("userauth_pubkey: SSH_BUG_PKAUTH"); - /* no explicit pkalg given */ - pkblob = packet_get_string(&blen); - buffer_init(&b); - buffer_append(&b, pkblob, blen); - /* so we have to extract the pkalg from the pkblob */ - pkalg = buffer_get_string(&b, &alen); - buffer_free(&b); - } else { - pkalg = packet_get_string(&alen); - pkblob = packet_get_string(&blen); + Authctxt *authctxt = ssh->authctxt; + struct passwd *pw = authctxt->pw; + struct sshbuf *b = NULL; + struct sshkey *key = NULL; + char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; + u_char *pkblob = NULL, *sig = NULL, have_sig; + size_t blen, slen; + int r, pktype; + int req_presence = 0, authenticated = 0; + struct sshauthopt *authopts = NULL; + struct sshkey_sig_details *sig_details = NULL; + + if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || + (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || + (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) + fatal("%s: parse request failed: %s", __func__, ssh_err(r)); + + if (log_level_get() >= SYSLOG_LEVEL_DEBUG2) { + char *keystring; + struct sshbuf *pkbuf; + + if ((pkbuf = sshbuf_from(pkblob, blen)) == NULL) + fatal("%s: sshbuf_from failed", __func__); + if ((keystring = sshbuf_dtob64_string(pkbuf, 0)) == NULL) + fatal("%s: sshbuf_dtob64 failed", __func__); + debug2("%s: %s user %s %s public key %s %s", __func__, + authctxt->valid ? "valid" : "invalid", authctxt->user, + have_sig ? "attempting" : "querying", pkalg, keystring); + sshbuf_free(pkbuf); + free(keystring); } - pktype = key_type_from_name(pkalg); + + pktype = sshkey_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ - logit("userauth_pubkey: unsupported public key algorithm: %s", - pkalg); + verbose("%s: unsupported public key algorithm: %s", + __func__, pkalg); + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { + error("%s: could not parse key: %s", __func__, ssh_err(r)); goto done; } - key = key_from_blob(pkblob, blen); if (key == NULL) { - error("userauth_pubkey: cannot decode key: %s", pkalg); + error("%s: cannot decode key: %s", __func__, pkalg); goto done; } if (key->type != pktype) { - error("userauth_pubkey: type mismatch for decoded key " - "(received %d, expected %d)", key->type, pktype); + error("%s: type mismatch for decoded key " + "(received %d, expected %d)", __func__, key->type, pktype); goto done; } - if (key_type_plain(key->type) == KEY_RSA && - (datafellows & SSH_BUG_RSASIGMD5) != 0) { + if (sshkey_type_plain(key->type) == KEY_RSA && + (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { logit("Refusing RSA key because client uses unsafe " "signature scheme"); goto done; } - if (auth2_userkey_already_used(authctxt, key)) { - logit("refusing previously-used %s key", key_type(key)); + if (auth2_key_already_used(authctxt, key)) { + logit("refusing previously-used %s key", sshkey_type(key)); goto done; } - if (match_pattern_list(sshkey_ssh_name(key), options.pubkey_key_types, - strlen(options.pubkey_key_types), 0) != 1) { + if (match_pattern_list(pkalg, options.pubkey_key_types, 0) != 1) { logit("%s: key type %s not in PubkeyAcceptedKeyTypes", __func__, sshkey_ssh_name(key)); goto done; } + if ((r = sshkey_check_cert_sigtype(key, + options.ca_sign_algorithms)) != 0) { + logit("%s: certificate signature algorithm %s: %s", __func__, + (key->cert == NULL || key->cert->signature_type == NULL) ? + "(null)" : key->cert->signature_type, ssh_err(r)); + goto done; + } + key_s = format_key(key); + if (sshkey_is_cert(key)) + ca_s = format_key(key->cert->signature_key); if (have_sig) { - sig = packet_get_string(&slen); - packet_check_eom(); - buffer_init(&b); - if (datafellows & SSH_OLD_SESSIONID) { - buffer_append(&b, session_id2, session_id2_len); + debug3("%s: have %s signature for %s%s%s", + __func__, pkalg, key_s, + ca_s == NULL ? "" : " CA ", + ca_s == NULL ? "" : ca_s); + if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 || + (r = sshpkt_get_end(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); + if ((b = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if (ssh->compat & SSH_OLD_SESSIONID) { + if ((r = sshbuf_put(b, session_id2, + session_id2_len)) != 0) + fatal("%s: sshbuf_put session id: %s", + __func__, ssh_err(r)); } else { - buffer_put_string(&b, session_id2, session_id2_len); + if ((r = sshbuf_put_string(b, session_id2, + session_id2_len)) != 0) + fatal("%s: sshbuf_put_string session id: %s", + __func__, ssh_err(r)); + } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; } /* reconstruct packet */ - buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); - buffer_put_cstring(&b, userstyle); - free(userstyle); - buffer_put_cstring(&b, - datafellows & SSH_BUG_PKSERVICE ? - "ssh-userauth" : - authctxt->service); - if (datafellows & SSH_BUG_PKAUTH) { - buffer_put_char(&b, have_sig); - } else { - buffer_put_cstring(&b, "publickey"); - buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, pkalg); - } - buffer_put_string(&b, pkblob, blen); + if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || + (r = sshbuf_put_cstring(b, userstyle)) != 0 || + (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || + (r = sshbuf_put_cstring(b, "publickey")) != 0 || + (r = sshbuf_put_u8(b, have_sig)) != 0 || + (r = sshbuf_put_cstring(b, pkalg)) != 0 || + (r = sshbuf_put_string(b, pkblob, blen)) != 0) + fatal("%s: build packet failed: %s", + __func__, ssh_err(r)); #ifdef DEBUG_PK - buffer_dump(&b); + sshbuf_dump(b, stderr); #endif - pubkey_auth_info(authctxt, key, NULL); - /* test for correct signature */ authenticated = 0; - if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && - PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), - buffer_len(&b))) == 1) { + if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && + PRIVSEP(sshkey_verify(key, sig, slen, + sshbuf_ptr(b), sshbuf_len(b), + (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, + ssh->compat, &sig_details)) == 0) { authenticated = 1; - /* Record the successful key to prevent reuse */ - auth2_record_userkey(authctxt, key); - key = NULL; /* Don't free below */ } - buffer_free(&b); - free(sig); + if (authenticated == 1 && sig_details != NULL) { + auth2_record_info(authctxt, "signature count = %u", + sig_details->sk_counter); + debug("%s: sk_counter = %u, sk_flags = 0x%02x", + __func__, sig_details->sk_counter, + sig_details->sk_flags); + req_presence = (options.pubkey_auth_options & + PUBKEYAUTH_TOUCH_REQUIRED) || + !authopts->no_require_user_presence; + if (req_presence && (sig_details->sk_flags & + SSH_SK_USER_PRESENCE_REQD) == 0) { + error("public key %s signature for %s%s from " + "%.128s port %d rejected: user presence " + "(authenticator touch) requirement " + "not met ", key_s, + authctxt->valid ? "" : "invalid user ", + authctxt->user, ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh)); + authenticated = 0; + goto done; + } + } + auth2_record_key(authctxt, authenticated, key); } else { - debug("test whether pkalg/pkblob are acceptable"); - packet_check_eom(); + debug("%s: test pkalg %s pkblob %s%s%s", + __func__, pkalg, key_s, + ca_s == NULL ? "" : " CA ", + ca_s == NULL ? "" : ca_s); + + if ((r = sshpkt_get_end(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -191,63 +263,37 @@ userauth_pubkey(Authctxt *authctxt) * if a user is not allowed to login. is this an * issue? -markus */ - if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { - packet_start(SSH2_MSG_USERAUTH_PK_OK); - packet_put_string(pkalg, alen); - packet_put_string(pkblob, blen); - packet_send(); - packet_write_wait(); + if (PRIVSEP(user_key_allowed(ssh, pw, key, 0, NULL))) { + if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK)) + != 0 || + (r = sshpkt_put_cstring(ssh, pkalg)) != 0 || + (r = sshpkt_put_string(ssh, pkblob, blen)) != 0 || + (r = sshpkt_send(ssh)) != 0 || + (r = ssh_packet_write_wait(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); authctxt->postponed = 1; } } - if (authenticated != 1) - auth_clear_options(); done: - debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); - if (key != NULL) - key_free(key); + if (authenticated == 1 && auth_activate_options(ssh, authopts) != 0) { + debug("%s: key options inconsistent with existing", __func__); + authenticated = 0; + } + debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg); + + sshbuf_free(b); + sshauthopt_free(authopts); + sshkey_free(key); + free(userstyle); free(pkalg); free(pkblob); + free(key_s); + free(ca_s); + free(sig); + sshkey_sig_details_free(sig_details); return authenticated; } -void -pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) -{ - char *fp, *extra; - va_list ap; - int i; - - extra = NULL; - if (fmt != NULL) { - va_start(ap, fmt); - i = vasprintf(&extra, fmt, ap); - va_end(ap); - if (i < 0 || extra == NULL) - fatal("%s: vasprintf failed", __func__); - } - - if (key_is_cert(key)) { - fp = sshkey_fingerprint(key->cert->signature_key, - options.fingerprint_hash, SSH_FP_DEFAULT); - auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", - key_type(key), key->cert->key_id, - (unsigned long long)key->cert->serial, - key_type(key->cert->signature_key), - fp == NULL ? "(null)" : fp, - extra == NULL ? "" : ", ", extra == NULL ? "" : extra); - free(fp); - } else { - fp = sshkey_fingerprint(key, options.fingerprint_hash, - SSH_FP_DEFAULT); - auth_info(authctxt, "%s %s%s%s", key_type(key), - fp == NULL ? "(null)" : fp, - extra == NULL ? "" : ", ", extra == NULL ? "" : extra); - free(fp); - } - free(extra); -} - static int match_principals_option(const char *principal_list, struct sshkey_cert *cert) { @@ -268,21 +314,79 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert) return 0; } +/* + * Process a single authorized_principals format line. Returns 0 and sets + * authoptsp is principal is authorised, -1 otherwise. "loc" is used as a + * log preamble for file/line information. + */ static int -match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) +check_principals_line(struct ssh *ssh, char *cp, const struct sshkey_cert *cert, + const char *loc, struct sshauthopt **authoptsp) { - FILE *f; - char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; - u_long linenum = 0; - u_int i; + u_int i, found = 0; + char *ep, *line_opts; + const char *reason = NULL; + struct sshauthopt *opts = NULL; - temporarily_use_uid(pw); - debug("trying authorized principals file %s", file); - if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) { - restore_uid(); - return 0; + if (authoptsp != NULL) + *authoptsp = NULL; + + /* Trim trailing whitespace. */ + ep = cp + strlen(cp) - 1; + while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t')) + *ep-- = '\0'; + + /* + * If the line has internal whitespace then assume it has + * key options. + */ + line_opts = NULL; + if ((ep = strrchr(cp, ' ')) != NULL || + (ep = strrchr(cp, '\t')) != NULL) { + for (; *ep == ' ' || *ep == '\t'; ep++) + ; + line_opts = cp; + cp = ep; + } + if ((opts = sshauthopt_parse(line_opts, &reason)) == NULL) { + debug("%s: bad principals options: %s", loc, reason); + auth_debug_add("%s: bad principals options: %s", loc, reason); + return -1; + } + /* Check principals in cert against those on line */ + for (i = 0; i < cert->nprincipals; i++) { + if (strcmp(cp, cert->principals[i]) != 0) + continue; + debug3("%s: matched principal \"%.100s\"", + loc, cert->principals[i]); + found = 1; } - while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { + if (found && authoptsp != NULL) { + *authoptsp = opts; + opts = NULL; + } + sshauthopt_free(opts); + return found ? 0 : -1; +} + +static int +process_principals(struct ssh *ssh, FILE *f, const char *file, + const struct sshkey_cert *cert, struct sshauthopt **authoptsp) +{ + char loc[256], *line = NULL, *cp, *ep; + size_t linesize = 0; + u_long linenum = 0; + u_int found_principal = 0; + + if (authoptsp != NULL) + *authoptsp = NULL; + + while (getline(&line, &linesize, f) != -1) { + linenum++; + /* Always consume entire input */ + if (found_principal) + continue; + /* Skip leading whitespace. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; @@ -291,39 +395,313 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) *ep = '\0'; if (!*cp || *cp == '\n') continue; - /* Trim trailing whitespace. */ - ep = cp + strlen(cp) - 1; - while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t')) - *ep-- = '\0'; - /* - * If the line has internal whitespace then assume it has - * key options. - */ - line_opts = NULL; - if ((ep = strrchr(cp, ' ')) != NULL || - (ep = strrchr(cp, '\t')) != NULL) { - for (; *ep == ' ' || *ep == '\t'; ep++) - ; - line_opts = cp; - cp = ep; - } - for (i = 0; i < cert->nprincipals; i++) { - if (strcmp(cp, cert->principals[i]) == 0) { - debug3("matched principal \"%.100s\" " - "from file \"%s\" on line %lu", - cert->principals[i], file, linenum); - if (auth_parse_options(pw, line_opts, - file, linenum) != 1) - continue; - fclose(f); - restore_uid(); - return 1; - } - } + + snprintf(loc, sizeof(loc), "%.200s:%lu", file, linenum); + if (check_principals_line(ssh, cp, cert, loc, authoptsp) == 0) + found_principal = 1; } + free(line); + return found_principal; +} + +/* XXX remove pw args here and elsewhere once ssh->authctxt is guaranteed */ + +static int +match_principals_file(struct ssh *ssh, struct passwd *pw, char *file, + struct sshkey_cert *cert, struct sshauthopt **authoptsp) +{ + FILE *f; + int success; + + if (authoptsp != NULL) + *authoptsp = NULL; + + temporarily_use_uid(pw); + debug("trying authorized principals file %s", file); + if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) { + restore_uid(); + return 0; + } + success = process_principals(ssh, f, file, cert, authoptsp); fclose(f); restore_uid(); - return 0; + return success; +} + +/* + * Checks whether principal is allowed in output of command. + * returns 1 if the principal is allowed or 0 otherwise. + */ +static int +match_principals_command(struct ssh *ssh, struct passwd *user_pw, + const struct sshkey *key, struct sshauthopt **authoptsp) +{ + struct passwd *runas_pw = NULL; + const struct sshkey_cert *cert = key->cert; + FILE *f = NULL; + int r, ok, found_principal = 0; + int i, ac = 0, uid_swapped = 0; + pid_t pid; + char *tmp, *username = NULL, *command = NULL, **av = NULL; + char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL; + char serial_s[32], uidstr[32]; + void (*osigchld)(int); + + if (authoptsp != NULL) + *authoptsp = NULL; + if (options.authorized_principals_command == NULL) + return 0; + if (options.authorized_principals_command_user == NULL) { + error("No user for AuthorizedPrincipalsCommand specified, " + "skipping"); + return 0; + } + + /* + * NB. all returns later this function should go via "out" to + * ensure the original SIGCHLD handler is restored properly. + */ + osigchld = ssh_signal(SIGCHLD, SIG_DFL); + + /* Prepare and verify the user for the command */ + username = percent_expand(options.authorized_principals_command_user, + "u", user_pw->pw_name, (char *)NULL); + runas_pw = getpwnam(username); + if (runas_pw == NULL) { + error("AuthorizedPrincipalsCommandUser \"%s\" not found: %s", + username, strerror(errno)); + goto out; + } + + /* Turn the command into an argument vector */ + if (argv_split(options.authorized_principals_command, &ac, &av) != 0) { + error("AuthorizedPrincipalsCommand \"%s\" contains " + "invalid quotes", options.authorized_principals_command); + goto out; + } + if (ac == 0) { + error("AuthorizedPrincipalsCommand \"%s\" yielded no arguments", + options.authorized_principals_command); + goto out; + } + if ((ca_fp = sshkey_fingerprint(cert->signature_key, + options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { + error("%s: sshkey_fingerprint failed", __func__); + goto out; + } + if ((key_fp = sshkey_fingerprint(key, + options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { + error("%s: sshkey_fingerprint failed", __func__); + goto out; + } + if ((r = sshkey_to_base64(cert->signature_key, &catext)) != 0) { + error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); + goto out; + } + if ((r = sshkey_to_base64(key, &keytext)) != 0) { + error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); + goto out; + } + snprintf(serial_s, sizeof(serial_s), "%llu", + (unsigned long long)cert->serial); + snprintf(uidstr, sizeof(uidstr), "%llu", + (unsigned long long)user_pw->pw_uid); + for (i = 1; i < ac; i++) { + tmp = percent_expand(av[i], + "U", uidstr, + "u", user_pw->pw_name, + "h", user_pw->pw_dir, + "t", sshkey_ssh_name(key), + "T", sshkey_ssh_name(cert->signature_key), + "f", key_fp, + "F", ca_fp, + "k", keytext, + "K", catext, + "i", cert->key_id, + "s", serial_s, + (char *)NULL); + if (tmp == NULL) + fatal("%s: percent_expand failed", __func__); + free(av[i]); + av[i] = tmp; + } + /* Prepare a printable command for logs, etc. */ + command = argv_assemble(ac, av); + + if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command, + ac, av, &f, + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) + goto out; + + uid_swapped = 1; + temporarily_use_uid(runas_pw); + + ok = process_principals(ssh, f, "(command)", cert, authoptsp); + + fclose(f); + f = NULL; + + if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command, 0) != 0) + goto out; + + /* Read completed successfully */ + found_principal = ok; + out: + if (f != NULL) + fclose(f); + ssh_signal(SIGCHLD, osigchld); + for (i = 0; i < ac; i++) + free(av[i]); + free(av); + if (uid_swapped) + restore_uid(); + free(command); + free(username); + free(ca_fp); + free(key_fp); + free(catext); + free(keytext); + return found_principal; +} + +/* + * Check a single line of an authorized_keys-format file. Returns 0 if key + * matches, -1 otherwise. Will return key/cert options via *authoptsp + * on success. "loc" is used as file/line location in log messages. + */ +static int +check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + char *cp, const char *loc, struct sshauthopt **authoptsp) +{ + int want_keytype = sshkey_is_cert(key) ? KEY_UNSPEC : key->type; + struct sshkey *found = NULL; + struct sshauthopt *keyopts = NULL, *certopts = NULL, *finalopts = NULL; + char *key_options = NULL, *fp = NULL; + const char *reason = NULL; + int ret = -1; + + if (authoptsp != NULL) + *authoptsp = NULL; + + if ((found = sshkey_new(want_keytype)) == NULL) { + debug3("%s: keytype %d failed", __func__, want_keytype); + goto out; + } + + /* XXX djm: peek at key type in line and skip if unwanted */ + + if (sshkey_read(found, &cp) != 0) { + /* no key? check for options */ + debug2("%s: check options: '%s'", loc, cp); + key_options = cp; + if (sshkey_advance_past_options(&cp) != 0) { + reason = "invalid key option string"; + goto fail_reason; + } + skip_space(&cp); + if (sshkey_read(found, &cp) != 0) { + /* still no key? advance to next line*/ + debug2("%s: advance: '%s'", loc, cp); + goto out; + } + } + /* Parse key options now; we need to know if this is a CA key */ + if ((keyopts = sshauthopt_parse(key_options, &reason)) == NULL) { + debug("%s: bad key options: %s", loc, reason); + auth_debug_add("%s: bad key options: %s", loc, reason); + goto out; + } + /* Ignore keys that don't match or incorrectly marked as CAs */ + if (sshkey_is_cert(key)) { + /* Certificate; check signature key against CA */ + if (!sshkey_equal(found, key->cert->signature_key) || + !keyopts->cert_authority) + goto out; + } else { + /* Plain key: check it against key found in file */ + if (!sshkey_equal(found, key) || keyopts->cert_authority) + goto out; + } + + /* We have a candidate key, perform authorisation checks */ + if ((fp = sshkey_fingerprint(found, + options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) + fatal("%s: fingerprint failed", __func__); + + debug("%s: matching %s found: %s %s", loc, + sshkey_is_cert(key) ? "CA" : "key", sshkey_type(found), fp); + + if (auth_authorise_keyopts(ssh, pw, keyopts, + sshkey_is_cert(key), loc) != 0) { + reason = "Refused by key options"; + goto fail_reason; + } + /* That's all we need for plain keys. */ + if (!sshkey_is_cert(key)) { + verbose("Accepted key %s %s found at %s", + sshkey_type(found), fp, loc); + finalopts = keyopts; + keyopts = NULL; + goto success; + } + + /* + * Additional authorisation for certificates. + */ + + /* Parse and check options present in certificate */ + if ((certopts = sshauthopt_from_cert(key)) == NULL) { + reason = "Invalid certificate options"; + goto fail_reason; + } + if (auth_authorise_keyopts(ssh, pw, certopts, 0, loc) != 0) { + reason = "Refused by certificate options"; + goto fail_reason; + } + if ((finalopts = sshauthopt_merge(keyopts, certopts, &reason)) == NULL) + goto fail_reason; + + /* + * If the user has specified a list of principals as + * a key option, then prefer that list to matching + * their username in the certificate principals list. + */ + if (keyopts->cert_principals != NULL && + !match_principals_option(keyopts->cert_principals, key->cert)) { + reason = "Certificate does not contain an authorized principal"; + goto fail_reason; + } + if (sshkey_cert_check_authority(key, 0, 0, + keyopts->cert_principals == NULL ? pw->pw_name : NULL, &reason) != 0) + goto fail_reason; + + verbose("Accepted certificate ID \"%s\" (serial %llu) " + "signed by CA %s %s found at %s", + key->cert->key_id, + (unsigned long long)key->cert->serial, + sshkey_type(found), fp, loc); + + success: + if (finalopts == NULL) + fatal("%s: internal error: missing options", __func__); + if (authoptsp != NULL) { + *authoptsp = finalopts; + finalopts = NULL; + } + /* success */ + ret = 0; + goto out; + + fail_reason: + error("%s", reason); + auth_debug_add("%s", reason); + out: + free(fp); + sshauthopt_free(keyopts); + sshauthopt_free(certopts); + sshauthopt_free(finalopts); + sshkey_free(found); + return ret; } /* @@ -331,137 +709,62 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) * returns 1 if the key is allowed or 0 otherwise. */ static int -check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) +check_authkeys_file(struct ssh *ssh, struct passwd *pw, FILE *f, + char *file, struct sshkey *key, struct sshauthopt **authoptsp) { - char line[SSH_MAX_PUBKEY_BYTES]; - const char *reason; + char *cp, *line = NULL, loc[256]; + size_t linesize = 0; int found_key = 0; u_long linenum = 0; - Key *found; - char *fp; - found_key = 0; + if (authoptsp != NULL) + *authoptsp = NULL; - found = NULL; - while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { - char *cp, *key_options = NULL; - if (found != NULL) - key_free(found); - found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); - auth_clear_options(); + while (getline(&line, &linesize, f) != -1) { + linenum++; + /* Always consume entire file */ + if (found_key) + continue; /* Skip leading whitespace, empty and comment lines. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++) - ; + cp = line; + skip_space(&cp); if (!*cp || *cp == '\n' || *cp == '#') continue; - - if (key_read(found, &cp) != 1) { - /* no key? check if there are options for this key */ - int quoted = 0; - debug2("user_key_allowed: check options: '%s'", cp); - key_options = cp; - for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { - if (*cp == '\\' && cp[1] == '"') - cp++; /* Skip both */ - else if (*cp == '"') - quoted = !quoted; - } - /* Skip remaining whitespace. */ - for (; *cp == ' ' || *cp == '\t'; cp++) - ; - if (key_read(found, &cp) != 1) { - debug2("user_key_allowed: advance: '%s'", cp); - /* still no key? advance to next line*/ - continue; - } - } - if (key_is_cert(key)) { - if (!key_equal(found, key->cert->signature_key)) - continue; - if (auth_parse_options(pw, key_options, file, - linenum) != 1) - continue; - if (!key_is_cert_authority) - continue; - if ((fp = sshkey_fingerprint(found, - options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - continue; - debug("matching CA found: file %s, line %lu, %s %s", - file, linenum, key_type(found), fp); - /* - * If the user has specified a list of principals as - * a key option, then prefer that list to matching - * their username in the certificate principals list. - */ - if (authorized_principals != NULL && - !match_principals_option(authorized_principals, - key->cert)) { - reason = "Certificate does not contain an " - "authorized principal"; - fail_reason: - free(fp); - error("%s", reason); - auth_debug_add("%s", reason); - continue; - } - if (key_cert_check_authority(key, 0, 0, - authorized_principals == NULL ? pw->pw_name : NULL, - &reason) != 0) - goto fail_reason; - if (auth_cert_options(key, pw) != 0) { - free(fp); - continue; - } - verbose("Accepted certificate ID \"%s\" " - "signed by %s CA %s via %s", key->cert->key_id, - key_type(found), fp, file); - free(fp); - found_key = 1; - break; - } else if (key_equal(found, key)) { - if (auth_parse_options(pw, key_options, file, - linenum) != 1) - continue; - if (key_is_cert_authority) - continue; - if ((fp = sshkey_fingerprint(found, - options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - continue; - debug("matching key found: file %s, line %lu %s %s", - file, linenum, key_type(found), fp); - free(fp); + snprintf(loc, sizeof(loc), "%.200s:%lu", file, linenum); + if (check_authkey_line(ssh, pw, key, cp, loc, authoptsp) == 0) found_key = 1; - break; - } } - if (found != NULL) - key_free(found); - if (!found_key) - debug2("key not found"); + free(line); return found_key; } /* Authenticate a certificate key against TrustedUserCAKeys */ static int -user_cert_trusted_ca(struct passwd *pw, Key *key) +user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + struct sshauthopt **authoptsp) { char *ca_fp, *principals_file = NULL; const char *reason; - int ret = 0; + struct sshauthopt *principals_opts = NULL, *cert_opts = NULL; + struct sshauthopt *final_opts = NULL; + int r, ret = 0, found_principal = 0, use_authorized_principals; + + if (authoptsp != NULL) + *authoptsp = NULL; - if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) + if (!sshkey_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; if ((ca_fp = sshkey_fingerprint(key->cert->signature_key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) return 0; - if (sshkey_in_file(key->cert->signature_key, - options.trusted_user_ca_keys, 1, 0) != 0) { - debug2("%s: CA %s %s is not listed in %s", __func__, - key_type(key->cert->signature_key), ca_fp, - options.trusted_user_ca_keys); + if ((r = sshkey_in_file(key->cert->signature_key, + options.trusted_user_ca_keys, 1, 0)) != 0) { + debug2("%s: CA %s %s is not listed in %s: %s", __func__, + sshkey_type(key->cert->signature_key), ca_fp, + options.trusted_user_ca_keys, ssh_err(r)); goto out; } /* @@ -470,27 +773,69 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) * against the username. */ if ((principals_file = authorized_principals_file(pw)) != NULL) { - if (!match_principals_file(principals_file, pw, key->cert)) { - reason = "Certificate does not contain an " - "authorized principal"; + if (match_principals_file(ssh, pw, principals_file, + key->cert, &principals_opts)) + found_principal = 1; + } + /* Try querying command if specified */ + if (!found_principal && match_principals_command(ssh, pw, key, + &principals_opts)) + found_principal = 1; + /* If principals file or command is specified, then require a match */ + use_authorized_principals = principals_file != NULL || + options.authorized_principals_command != NULL; + if (!found_principal && use_authorized_principals) { + reason = "Certificate does not contain an authorized principal"; + goto fail_reason; + } + if (use_authorized_principals && principals_opts == NULL) + fatal("%s: internal error: missing principals_opts", __func__); + if (sshkey_cert_check_authority(key, 0, 1, + use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) + goto fail_reason; + + /* Check authority from options in key and from principals file/cmd */ + if ((cert_opts = sshauthopt_from_cert(key)) == NULL) { + reason = "Invalid certificate options"; + goto fail_reason; + } + if (auth_authorise_keyopts(ssh, pw, cert_opts, 0, "cert") != 0) { + reason = "Refused by certificate options"; + goto fail_reason; + } + if (principals_opts == NULL) { + final_opts = cert_opts; + cert_opts = NULL; + } else { + if (auth_authorise_keyopts(ssh, pw, principals_opts, 0, + "principals") != 0) { + reason = "Refused by certificate principals options"; + goto fail_reason; + } + if ((final_opts = sshauthopt_merge(principals_opts, + cert_opts, &reason)) == NULL) { fail_reason: error("%s", reason); auth_debug_add("%s", reason); goto out; } } - if (key_cert_check_authority(key, 0, 1, - principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) - goto fail_reason; - if (auth_cert_options(key, pw) != 0) - goto out; - verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", - key->cert->key_id, key_type(key->cert->signature_key), ca_fp, + /* Success */ + verbose("Accepted certificate ID \"%s\" (serial %llu) signed by " + "%s CA %s via %s", key->cert->key_id, + (unsigned long long)key->cert->serial, + sshkey_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys); + if (authoptsp != NULL) { + *authoptsp = final_opts; + final_opts = NULL; + } ret = 1; - out: + sshauthopt_free(principals_opts); + sshauthopt_free(cert_opts); + sshauthopt_free(final_opts); free(principals_file); free(ca_fp); return ret; @@ -501,17 +846,22 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) * returns 1 if the key is allowed or 0 otherwise. */ static int -user_key_allowed2(struct passwd *pw, Key *key, char *file) +user_key_allowed2(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + char *file, struct sshauthopt **authoptsp) { FILE *f; int found_key = 0; + if (authoptsp != NULL) + *authoptsp = NULL; + /* Temporarily use the user's uid. */ temporarily_use_uid(pw); debug("trying public key file %s", file); if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) { - found_key = check_authkeys_file(f, file, key, pw); + found_key = check_authkeys_file(ssh, pw, f, file, + key, authoptsp); fclose(f); } @@ -524,146 +874,130 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) * returns 1 if the key is allowed or 0 otherwise. */ static int -user_key_command_allowed2(struct passwd *user_pw, Key *key) +user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw, + struct sshkey *key, struct sshauthopt **authoptsp) { - FILE *f; - int ok, found_key = 0; - struct passwd *pw; - struct stat st; - int status, devnull, p[2], i; + struct passwd *runas_pw = NULL; + FILE *f = NULL; + int r, ok, found_key = 0; + int i, uid_swapped = 0, ac = 0; pid_t pid; - char *username, errmsg[512]; + char *username = NULL, *key_fp = NULL, *keytext = NULL; + char uidstr[32], *tmp, *command = NULL, **av = NULL; + void (*osigchld)(int); - if (options.authorized_keys_command == NULL || - options.authorized_keys_command[0] != '/') + if (authoptsp != NULL) + *authoptsp = NULL; + if (options.authorized_keys_command == NULL) return 0; - if (options.authorized_keys_command_user == NULL) { error("No user for AuthorizedKeysCommand specified, skipping"); return 0; } + /* + * NB. all returns later this function should go via "out" to + * ensure the original SIGCHLD handler is restored properly. + */ + osigchld = ssh_signal(SIGCHLD, SIG_DFL); + + /* Prepare and verify the user for the command */ username = percent_expand(options.authorized_keys_command_user, "u", user_pw->pw_name, (char *)NULL); - pw = getpwnam(username); - if (pw == NULL) { + runas_pw = getpwnam(username); + if (runas_pw == NULL) { error("AuthorizedKeysCommandUser \"%s\" not found: %s", username, strerror(errno)); - free(username); - return 0; + goto out; } - free(username); - - temporarily_use_uid(pw); - if (stat(options.authorized_keys_command, &st) < 0) { - error("Could not stat AuthorizedKeysCommand \"%s\": %s", - options.authorized_keys_command, strerror(errno)); + /* Prepare AuthorizedKeysCommand */ + if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash, + SSH_FP_DEFAULT)) == NULL) { + error("%s: sshkey_fingerprint failed", __func__); goto out; } - if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, - errmsg, sizeof(errmsg)) != 0) { - error("Unsafe AuthorizedKeysCommand: %s", errmsg); + if ((r = sshkey_to_base64(key, &keytext)) != 0) { + error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); goto out; } - if (pipe(p) != 0) { - error("%s: pipe: %s", __func__, strerror(errno)); + /* Turn the command into an argument vector */ + if (argv_split(options.authorized_keys_command, &ac, &av) != 0) { + error("AuthorizedKeysCommand \"%s\" contains invalid quotes", + command); goto out; } - - debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"", - options.authorized_keys_command, user_pw->pw_name, pw->pw_name); + if (ac == 0) { + error("AuthorizedKeysCommand \"%s\" yielded no arguments", + command); + goto out; + } + snprintf(uidstr, sizeof(uidstr), "%llu", + (unsigned long long)user_pw->pw_uid); + for (i = 1; i < ac; i++) { + tmp = percent_expand(av[i], + "U", uidstr, + "u", user_pw->pw_name, + "h", user_pw->pw_dir, + "t", sshkey_ssh_name(key), + "f", key_fp, + "k", keytext, + (char *)NULL); + if (tmp == NULL) + fatal("%s: percent_expand failed", __func__); + free(av[i]); + av[i] = tmp; + } + /* Prepare a printable command for logs, etc. */ + command = argv_assemble(ac, av); /* - * Don't want to call this in the child, where it can fatal() and - * run cleanup_exit() code. + * If AuthorizedKeysCommand was run without arguments + * then fall back to the old behaviour of passing the + * target username as a single argument. */ - restore_uid(); - - switch ((pid = fork())) { - case -1: /* error */ - error("%s: fork: %s", __func__, strerror(errno)); - close(p[0]); - close(p[1]); - return 0; - case 0: /* child */ - for (i = 0; i < NSIG; i++) - signal(i, SIG_DFL); - - if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { - error("%s: open %s: %s", __func__, _PATH_DEVNULL, - strerror(errno)); - _exit(1); - } - /* Keep stderr around a while longer to catch errors */ - if (dup2(devnull, STDIN_FILENO) == -1 || - dup2(p[1], STDOUT_FILENO) == -1) { - error("%s: dup2: %s", __func__, strerror(errno)); - _exit(1); - } - closefrom(STDERR_FILENO + 1); - - /* Don't use permanently_set_uid() here to avoid fatal() */ - if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { - error("setresgid %u: %s", (u_int)pw->pw_gid, - strerror(errno)); - _exit(1); - } - if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { - error("setresuid %u: %s", (u_int)pw->pw_uid, - strerror(errno)); - _exit(1); - } - /* stdin is pointed to /dev/null at this point */ - if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { - error("%s: dup2: %s", __func__, strerror(errno)); - _exit(1); - } + if (ac == 1) { + av = xreallocarray(av, ac + 2, sizeof(*av)); + av[1] = xstrdup(user_pw->pw_name); + av[2] = NULL; + /* Fix up command too, since it is used in log messages */ + free(command); + xasprintf(&command, "%s %s", av[0], av[1]); + } - execl(options.authorized_keys_command, - options.authorized_keys_command, user_pw->pw_name, NULL); + if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command, + ac, av, &f, + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) + goto out; - error("AuthorizedKeysCommand %s exec failed: %s", - options.authorized_keys_command, strerror(errno)); - _exit(127); - default: /* parent */ - break; - } + uid_swapped = 1; + temporarily_use_uid(runas_pw); - temporarily_use_uid(pw); + ok = check_authkeys_file(ssh, user_pw, f, + options.authorized_keys_command, key, authoptsp); - close(p[1]); - if ((f = fdopen(p[0], "r")) == NULL) { - error("%s: fdopen: %s", __func__, strerror(errno)); - close(p[0]); - /* Don't leave zombie child */ - kill(pid, SIGTERM); - while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) - ; - goto out; - } - ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); fclose(f); + f = NULL; - while (waitpid(pid, &status, 0) == -1) { - if (errno != EINTR) { - error("%s: waitpid: %s", __func__, strerror(errno)); - goto out; - } - } - if (WIFSIGNALED(status)) { - error("AuthorizedKeysCommand %s exited on signal %d", - options.authorized_keys_command, WTERMSIG(status)); + if (exited_cleanly(pid, "AuthorizedKeysCommand", command, 0) != 0) goto out; - } else if (WEXITSTATUS(status) != 0) { - error("AuthorizedKeysCommand %s returned status %d", - options.authorized_keys_command, WEXITSTATUS(status)); - goto out; - } + + /* Read completed successfully */ found_key = ok; out: - restore_uid(); + if (f != NULL) + fclose(f); + ssh_signal(SIGCHLD, osigchld); + for (i = 0; i < ac; i++) + free(av[i]); + free(av); + if (uid_swapped) + restore_uid(); + free(command); + free(username); + free(key_fp); + free(keytext); return found_key; } @@ -671,65 +1005,54 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) * Check whether key authenticates and authorises the user. */ int -user_key_allowed(struct passwd *pw, Key *key) +user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + int auth_attempt, struct sshauthopt **authoptsp) { - u_int success, i; + u_int success = 0, i; char *file; + struct sshauthopt *opts = NULL; + + if (authoptsp != NULL) + *authoptsp = NULL; if (auth_key_is_revoked(key)) return 0; - if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) + if (sshkey_is_cert(key) && + auth_key_is_revoked(key->cert->signature_key)) return 0; - success = user_cert_trusted_ca(pw, key); - if (success) - return success; - - success = user_key_command_allowed2(pw, key); - if (success > 0) - return success; - for (i = 0; !success && i < options.num_authkeys_files; i++) { - if (strcasecmp(options.authorized_keys_files[i], "none") == 0) continue; file = expand_authorized_keys( options.authorized_keys_files[i], pw); - - success = user_key_allowed2(pw, key, file); + success = user_key_allowed2(ssh, pw, key, file, &opts); free(file); + if (!success) { + sshauthopt_free(opts); + opts = NULL; + } } + if (success) + goto out; - return success; -} - -/* Records a public key in the list of previously-successful keys */ -void -auth2_record_userkey(Authctxt *authctxt, struct sshkey *key) -{ - struct sshkey **tmp; - - if (authctxt->nprev_userkeys >= INT_MAX || - (tmp = reallocarray(authctxt->prev_userkeys, - authctxt->nprev_userkeys + 1, sizeof(*tmp))) == NULL) - fatal("%s: reallocarray failed", __func__); - authctxt->prev_userkeys = tmp; - authctxt->prev_userkeys[authctxt->nprev_userkeys] = key; - authctxt->nprev_userkeys++; -} + if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0) + goto out; + sshauthopt_free(opts); + opts = NULL; -/* Checks whether a key has already been used successfully for authentication */ -int -auth2_userkey_already_used(Authctxt *authctxt, struct sshkey *key) -{ - u_int i; + if ((success = user_key_command_allowed2(ssh, pw, key, &opts)) != 0) + goto out; + sshauthopt_free(opts); + opts = NULL; - for (i = 0; i < authctxt->nprev_userkeys; i++) { - if (sshkey_equal_public(key, authctxt->prev_userkeys[i])) { - return 1; - } + out: + if (success && authoptsp != NULL) { + *authoptsp = opts; + opts = NULL; } - return 0; + sshauthopt_free(opts); + return success; } Authmethod method_pubkey = { |