Hello,
please find attached a patch against dropbear-0.51 adding support to
the following public key options in authorized_keys file
(ENABLE_SVR_PUBKEY_OPTIONS) :
* no-port-forwarding
* no-agent-forwarding
* no-X11-forwarding
* no-pty
* command
When the option ENABLE_SVR_PUBKEY_OPTIONS is not defined, options are
just ignored.
Parsing code of options string comes from OpenSSH.
I couldn't really test the option no-agent-forwarding, I hope it is
correct. It is very similar to the no-X11-forwarding option.
Regards
fred
On Mon, 26 May 2008 08:54:46 +0200
Frédéric Moulins <[EMAIL PROTECTED]> wrote:
> Hello,
>
> please find attached a new patch allowing to use the 'command' option
> with public keys in authorized_keys file.
>
> This patch include the one from my previous email :
> On Sun, 25 May 2008 11:50:29 +0200
> Frédéric Moulins <[EMAIL PROTECTED]> wrote:
>
> > Hello,
> >
> > the following patch allow to skip options of public keys in
> > authorized_keys file.
> >
> > authorized_keys file still must respect :
> > * no whitespace at the begining of a line.
> > * only one space or tab character between options and algorithm
> > type.
> >
> > Code has been copied and adapted from OpenSSH function
> > user_key_allowed2 in auth2-pubkey.c.
> >
>
> A PubKeyOptions structure is declared in auth.h. It contains the
> same parameters used in OpenSSH that I commented out except
> 'forced_command' that is used. This structure is used under
> ses.authstate.
>
> A new function 'addpubkeyoptions' in svr-authpubkey.c parse, validate
> and set options in the session structure. Code has been copied and
> adapted from the parsing function in OpenSSH. It only parses the
> 'command' option for the moment. Any other option will be taken as bad
> option and invalidate the key. In order to add support for other
> options, you can copy and slightly adapt (mallocS, freeS and gotoS)
> chunks of parsing code from OpenSSH function auth_parse_options in
> auth-options.c.
>
> What do you think of it ?
> Any feedback or suggestions is welcome (malloc/free, structures,
> corner cases,...).
>
>
> fred
>
> PS : patch is still against dropbear-0.50. Tell me if you prefer a
> patch against the latest development version.
diff -urN dropbear-0.51.orig/auth.h dropbear-0.51/auth.h
--- dropbear-0.51.orig/auth.h 2008-03-27 14:17:14.000000000 +0100
+++ dropbear-0.51/auth.h 2008-05-29 22:16:37.000000000 +0200
@@ -97,6 +97,10 @@
char *pw_shell;
char *pw_name;
char *pw_passwd;
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ struct PubKeyOptions* pubkey_options;
+#endif
+
};
struct SignKeyList;
@@ -111,4 +115,22 @@
};
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+struct PubKeyOptions;
+struct PubKeyOptions {
+ /* Flags */
+ int no_port_forwarding_flag;
+#ifdef ENABLE_AGENTFWD
+ int no_agent_forwarding_flag;
+#endif
+#ifdef ENABLE_X11FWD
+ int no_x11_forwarding_flag;
+#endif
+ int no_pty_flag;
+ /* "command=" option. */
+ char * forced_command;
+
+};
+#endif
+
#endif /* _AUTH_H_ */
diff -urN dropbear-0.51.orig/options.h dropbear-0.51/options.h
--- dropbear-0.51.orig/options.h 2008-03-27 14:34:39.000000000 +0100
+++ dropbear-0.51/options.h 2008-05-29 22:13:49.000000000 +0200
@@ -136,6 +136,9 @@
/*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
#define ENABLE_SVR_PUBKEY_AUTH
+/* Wether to ake public key options in authorized_keys file into account */
+#define ENABLE_SVR_PUBKEY_OPTIONS
+
#define ENABLE_CLI_PASSWORD_AUTH
#define ENABLE_CLI_PUBKEY_AUTH
#define ENABLE_CLI_INTERACT_AUTH
diff -urN dropbear-0.51.orig/svr-agentfwd.c dropbear-0.51/svr-agentfwd.c
--- dropbear-0.51.orig/svr-agentfwd.c 2008-03-27 14:17:16.000000000 +0100
+++ dropbear-0.51/svr-agentfwd.c 2008-05-29 22:13:50.000000000 +0200
@@ -52,6 +52,13 @@
int fd;
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ if (ses.authstate.pubkey_options
+ && ses.authstate.pubkey_options->no_agent_forwarding_flag) {
+ return DROPBEAR_FAILURE;
+ }
+#endif
+
if (chansess->agentlistener != NULL) {
return DROPBEAR_FAILURE;
}
diff -urN dropbear-0.51.orig/svr-authpubkey.c dropbear-0.51/svr-authpubkey.c
--- dropbear-0.51.orig/svr-authpubkey.c 2008-03-27 14:17:16.000000000 +0100
+++ dropbear-0.51/svr-authpubkey.c 2008-05-29 22:13:50.000000000 +0200
@@ -45,6 +45,9 @@
static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen,
unsigned char* keyblob, unsigned int keybloblen);
static int checkfileperm(char * filename);
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+static int addpubkeyoptions(const char* opts);
+#endif
/* process a pubkey auth request, sending success or failure message as
* appropriate */
@@ -158,8 +161,9 @@
char * filename = NULL;
int ret = DROPBEAR_FAILURE;
buffer * line = NULL;
- unsigned int len, pos;
-
+ unsigned int len, pos, quoted;
+ const char *options = NULL;
+
TRACE(("enter checkpubkey"))
/* check that we can use the algo */
@@ -196,6 +200,8 @@
/* iterate through the lines */
do {
+ /* new line : potentially new options */
+ options = NULL;
if (buf_getline(line, authfile) == DROPBEAR_FAILURE) {
/* EOF reached */
@@ -208,10 +214,39 @@
continue; /* line is too short for it to be a valid key */
}
- /* check the key type - this also stops us from using keys
- * which have options with them */
+ /* check the key type - will fail if there are options */
if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
- continue;
+ /* there may be options or a commented line */
+ if ('#' == line->data[line->pos]) continue;
+ /* no comment, skip to next space character */
+ len = 0;
+ pos = line->pos;
+ options = buf_getptr(line, 1);
+ quoted = 0;
+ while (line->data[pos]
+ && (quoted || (line->data[pos] != ' '
+ && line->data[pos] != '\t'
+ && line->data[pos] != '\n'
+ && line->data[pos] != '\r'))) {
+ pos++;
+ if (line->data[pos] == '\\'
+ && line->data[pos+1] == '"') {
+ pos++; /* skip both */
+ } else if (line->data[pos] == '"')
+ quoted = !quoted;
+ } /* line->data[pos] == ['\0'|' '|'\t'] */
+
+ /* skip line if there is nothing left */
+ if (pos >= line->len) continue;
+ /* skip line if it begins with a space or tab character */
+ if (pos == line->pos) continue;
+ /* set the position of the line after what we have read */
+ buf_setpos(line, pos+1);
+ /* give a second chance to the algo */
+ if (line->pos + algolen > line->len) continue;
+ if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
+ continue;
+ }
}
buf_incrpos(line, algolen);
@@ -232,6 +267,13 @@
TRACE(("checkpubkey: line pos = %d len = %d", line->pos, line->len))
ret = cmp_base64_key(keyblob, keybloblen, algo, algolen, line, NULL);
+
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+ if (ret == DROPBEAR_SUCCESS) {
+ ret = addpubkeyoptions(options);
+ }
+#endif
+
if (ret == DROPBEAR_SUCCESS) {
break;
}
@@ -343,5 +385,123 @@
return DROPBEAR_SUCCESS;
}
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+/* parse pubkey options and set ses.authstate.pubkey_options accordingly */
+static int addpubkeyoptions(const char* opts) {
+ const char *cp;
+ int i;
+ int ret = DROPBEAR_FAILURE;
+
+ TRACE(("enter addpubkeyoptions"))
+
+ if (!opts || *opts == ' ') {
+ /* no option, success */
+ ret = DROPBEAR_SUCCESS;
+ goto end;
+ }
+
+ ses.authstate.pubkey_options = (struct PubKeyOptions*)m_malloc(sizeof( struct PubKeyOptions ));
+
+ while (*opts && *opts != ' ' && *opts != '\t') {
+ cp = "no-port-forwarding";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ dropbear_log(LOG_WARNING, "Port forwarding disabled.");
+ ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
+#ifdef ENABLE_AGENTFWD
+ cp = "no-agent-forwarding";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
+ ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
+#endif
+#ifdef ENABLE_X11FWD
+ cp = "no-X11-forwarding";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
+ ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
+#endif
+ cp = "no-pty";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ dropbear_log(LOG_WARNING, "Pty allocation disabled.");
+ ses.authstate.pubkey_options->no_pty_flag = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
+ cp = "command=\"";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ opts += strlen(cp);
+ ses.authstate.pubkey_options->forced_command = (char*)m_malloc(strlen(opts) + 1);
+ i = 0;
+ while (*opts) {
+ if (*opts == '"')
+ break;
+ if (*opts == '\\' && opts[1] == '"') {
+ opts += 2;
+ ses.authstate.pubkey_options->forced_command[i++] = '"';
+ continue;
+ }
+ ses.authstate.pubkey_options->forced_command[i++] = *opts++;
+ }
+ if (!*opts) {
+ dropbear_log(LOG_WARNING,
+ "Missing end quote in public key command option");
+ m_free(ses.authstate.pubkey_options->forced_command);
+ ses.authstate.pubkey_options->forced_command = NULL;
+ goto bad_option;
+ }
+ ses.authstate.pubkey_options->forced_command[i] = '\0';
+ if (strlen(ses.authstate.pubkey_options->forced_command) > MAX_CMD_LEN) {
+ dropbear_log(LOG_WARNING,
+ "Public key option command too long (>MAX_CMD_LEN).");
+ m_free(ses.authstate.pubkey_options->forced_command);
+ ses.authstate.pubkey_options->forced_command = NULL;
+ goto bad_option;
+ }
+ dropbear_log(LOG_WARNING, "Forced command '%s'",
+ ses.authstate.pubkey_options->forced_command);
+ opts++;
+ goto next_option;
+ }
+ next_option:
+ /*
+ * Skip the comma, and move to the next option
+ * (or break out if there are no more).
+ */
+ if (!*opts) {
+ TRACE(("Bugs in svr-chansession.c pubkey option processing."))
+ }
+ if (*opts == ' ' || *opts == '\t') {
+ break; /* End of options. */
+ }
+ if (*opts != ',') {
+ goto bad_option;
+ }
+ opts++;
+ /* Process the next option. */
+ }
+ /* parsed all options with no problem */
+ ret = DROPBEAR_SUCCESS;
+ goto end;
+
+bad_option:
+ ret = DROPBEAR_FAILURE;
+ m_free(ses.authstate.pubkey_options);
+ ses.authstate.pubkey_options = NULL;
+ dropbear_log(LOG_WARNING, "Bad public key options : '%.50s'", opts);
+
+end:
+ TRACE(("leave addpubkeyoptions"))
+ return ret;
+
+}
+#endif
#endif
diff -urN dropbear-0.51.orig/svr-chansession.c dropbear-0.51/svr-chansession.c
--- dropbear-0.51.orig/svr-chansession.c 2008-03-27 14:17:16.000000000 +0100
+++ dropbear-0.51/svr-chansession.c 2008-05-29 22:24:31.000000000 +0200
@@ -527,6 +527,15 @@
struct passwd * pw = NULL;
TRACE(("enter sessionpty"))
+
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ if (ses.authstate.pubkey_options
+ && ses.authstate.pubkey_options->no_pty_flag) {
+ TRACE(("leave sessionpty : pty forbidden by public key option"))
+ return DROPBEAR_FAILURE;
+ }
+#endif
+
chansess->term = buf_getstring(ses.payload, &termlen);
if (termlen > MAX_TERM_LEN) {
/* TODO send disconnect ? */
@@ -582,14 +591,22 @@
return DROPBEAR_FAILURE;
}
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ /* take public key options into account */
+ if (ses.authstate.pubkey_options)
+ chansess->cmd = ses.authstate.pubkey_options->forced_command;
+#endif
+
if (iscmd) {
/* "exec" */
- chansess->cmd = buf_getstring(ses.payload, &cmdlen);
+ if (chansess->cmd == NULL) {
+ chansess->cmd = buf_getstring(ses.payload, &cmdlen);
- if (cmdlen > MAX_CMD_LEN) {
- m_free(chansess->cmd);
- /* TODO - send error - too long ? */
- return DROPBEAR_FAILURE;
+ if (cmdlen > MAX_CMD_LEN) {
+ m_free(chansess->cmd);
+ /* TODO - send error - too long ? */
+ return DROPBEAR_FAILURE;
+ }
}
if (issubsys) {
#ifdef SFTPSERVER_PATH
diff -urN dropbear-0.51.orig/svr-session.c dropbear-0.51/svr-session.c
--- dropbear-0.51.orig/svr-session.c 2008-03-27 14:17:16.000000000 +0100
+++ dropbear-0.51/svr-session.c 2008-05-29 22:13:50.000000000 +0200
@@ -144,6 +144,13 @@
_dropbear_log(LOG_INFO, fmtbuf, param);
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ /* free potential public key options */
+ if (ses.authstate.pubkey_options) {
+ m_free(ses.authstate.pubkey_options);
+ ses.authstate.pubkey_options = NULL;
+ }
+#endif
/* must be after we've done with username etc */
common_session_cleanup();
diff -urN dropbear-0.51.orig/svr-tcpfwd.c dropbear-0.51/svr-tcpfwd.c
--- dropbear-0.51.orig/svr-tcpfwd.c 2008-03-27 14:17:16.000000000 +0100
+++ dropbear-0.51/svr-tcpfwd.c 2008-05-29 22:13:50.000000000 +0200
@@ -72,7 +72,13 @@
TRACE(("enter recv_msg_global_request_remotetcp"))
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ if (svr_opts.noremotetcp
+ || (ses.authstate.pubkey_options
+ && ses.authstate.pubkey_options->no_port_forwarding_flag)) {
+#else
if (svr_opts.noremotetcp) {
+#endif
TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled"))
goto out;
}
@@ -236,7 +242,13 @@
int len;
int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ if (svr_opts.nolocaltcp
+ || (ses.authstate.pubkey_options
+ && ses.authstate.pubkey_options->no_port_forwarding_flag)) {
+#else
if (svr_opts.nolocaltcp) {
+#endif
TRACE(("leave newtcpdirect: local tcp forwarding disabled"))
goto out;
}
diff -urN dropbear-0.51.orig/svr-x11fwd.c dropbear-0.51/svr-x11fwd.c
--- dropbear-0.51.orig/svr-x11fwd.c 2008-03-27 14:17:16.000000000 +0100
+++ dropbear-0.51/svr-x11fwd.c 2008-05-29 22:13:50.000000000 +0200
@@ -47,6 +47,13 @@
int fd;
+#if defined(ENABLE_SVR_PUBKEY_AUTH) && defined(ENABLE_SVR_PUBKEY_OPTIONS)
+ if (ses.authstate.pubkey_options
+ && ses.authstate.pubkey_options->no_x11_forwarding_flag) {
+ return DROPBEAR_FAILURE;
+ }
+#endif
+
/* we already have an x11 connection */
if (chansess->x11listener != NULL) {
return DROPBEAR_FAILURE;
