1 files changed, 3 insertions, 196 deletions
diff --git a/auth-rsa.c b/auth-rsa.c
index f01c5c92..546e1d84 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
+RCSID("$Id: auth-rsa.c,v 1.21 2000/06/18 04:50:44 djm Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -26,18 +26,11 @@ RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
 #include "uidswap.h"
 #include "match.h"
 #include "servconf.h"
+#include "auth-options.h"
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
 
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-
 /*
  * Session identifier that is used to bind key exchange and authentication
  * responses to a particular session.
@@ -133,7 +126,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 	unsigned long linenum = 0;
 	struct stat st;
 	RSA *pk;
-	int mname, mip;
 
 	/* Temporarily use the user's uid. */
 	temporarily_use_uid(pw->pw_uid);
@@ -269,195 +261,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 		 * authenticated. Note that we have not yet processed the
 		 * options; this will be reset if the options cause the
 		 * authentication to be rejected.
-		 */
-		authenticated = 1;
-
-		/* RSA part of authentication was accepted.  Now process the options. */
-		if (options) {
-			while (*options && *options != ' ' && *options != '\t') {
-				cp = "no-port-forwarding";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("Port forwarding disabled.");
-					no_port_forwarding_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "no-agent-forwarding";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("Agent forwarding disabled.");
-					no_agent_forwarding_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "no-X11-forwarding";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("X11 forwarding disabled.");
-					no_x11_forwarding_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "no-pty";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					packet_send_debug("Pty allocation disabled.");
-					no_pty_flag = 1;
-					options += strlen(cp);
-					goto next_option;
-				}
-				cp = "command=\"";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					int i;
-					options += strlen(cp);
-					forced_command = xmalloc(strlen(options) + 1);
-					i = 0;
-					while (*options) {
-						if (*options == '"')
-							break;
-						if (*options == '\\' && options[1] == '"') {
-							options += 2;
-							forced_command[i++] = '"';
-							continue;
-						}
-						forced_command[i++] = *options++;
-					}
-					if (!*options) {
-						debug("%.100s, line %lu: missing end quote",
-						      SSH_USER_PERMITTED_KEYS, linenum);
-						packet_send_debug("%.100s, line %lu: missing end quote",
-								  SSH_USER_PERMITTED_KEYS, linenum);
-						continue;
-					}
-					forced_command[i] = 0;
-					packet_send_debug("Forced command: %.900s", forced_command);
-					options++;
-					goto next_option;
-				}
-				cp = "environment=\"";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					int i;
-					char *s;
-					struct envstring *new_envstring;
-					options += strlen(cp);
-					s = xmalloc(strlen(options) + 1);
-					i = 0;
-					while (*options) {
-						if (*options == '"')
-							break;
-						if (*options == '\\' && options[1] == '"') {
-							options += 2;
-							s[i++] = '"';
-							continue;
-						}
-						s[i++] = *options++;
-					}
-					if (!*options) {
-						debug("%.100s, line %lu: missing end quote",
-						      SSH_USER_PERMITTED_KEYS, linenum);
-						packet_send_debug("%.100s, line %lu: missing end quote",
-								  SSH_USER_PERMITTED_KEYS, linenum);
-						continue;
-					}
-					s[i] = 0;
-					packet_send_debug("Adding to environment: %.900s", s);
-					debug("Adding to environment: %.900s", s);
-					options++;
-					new_envstring = xmalloc(sizeof(struct envstring));
-					new_envstring->s = s;
-					new_envstring->next = custom_environment;
-					custom_environment = new_envstring;
-					goto next_option;
-				}
-				cp = "from=\"";
-				if (strncmp(options, cp, strlen(cp)) == 0) {
-					char *patterns = xmalloc(strlen(options) + 1);
-					int i;
-					options += strlen(cp);
-					i = 0;
-					while (*options) {
-						if (*options == '"')
-							break;
-						if (*options == '\\' && options[1] == '"') {
-							options += 2;
-							patterns[i++] = '"';
-							continue;
-						}
-						patterns[i++] = *options++;
-					}
-					if (!*options) {
-						debug("%.100s, line %lu: missing end quote",
-						      SSH_USER_PERMITTED_KEYS, linenum);
-						packet_send_debug("%.100s, line %lu: missing end quote",
-								  SSH_USER_PERMITTED_KEYS, linenum);
-						continue;
-					}
-					patterns[i] = 0;
-					options++;
-					/*
-					 * Deny access if we get a negative
-					 * match for the hostname or the ip
-					 * or if we get not match at all
-					 */
-					mname = match_hostname(get_canonical_hostname(),
-					    patterns, strlen(patterns));
-					mip = match_hostname(get_remote_ipaddr(),
-					    patterns, strlen(patterns));
-					if (mname == -1 || mip == -1 ||
-					    (mname != 1 && mip != 1)) {
-						log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
-						    pw->pw_name, get_canonical_hostname(),
-						    get_remote_ipaddr());
-						packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
-						get_canonical_hostname());
-						xfree(patterns);
-						/* key invalid for this host, reset flags */
-						authenticated = 0;
-						no_agent_forwarding_flag = 0;
-						no_port_forwarding_flag = 0;
-						no_pty_flag = 0;
-						no_x11_forwarding_flag = 0;
-						while (custom_environment) {
-							struct envstring *ce = custom_environment;
-							custom_environment = ce->next;
-							xfree(ce->s);
-							xfree(ce);
-						}
-						if (forced_command) {
-							xfree(forced_command);
-							forced_command = NULL;
-						}
-						break;
-					}
-					xfree(patterns);
-					/* Host name matches. */
-					goto next_option;
-				}
-		bad_option:
-				log("Bad options in %.100s file, line %lu: %.50s",
-				    SSH_USER_PERMITTED_KEYS, linenum, options);
-				packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
-						  SSH_USER_PERMITTED_KEYS, linenum, options);
-				authenticated = 0;
-				break;
-
-		next_option:
-				/*
-				 * Skip the comma, and move to the next option
-				 * (or break out if there are no more).
-				 */
-				if (!*options)
-					fatal("Bugs in auth-rsa.c option processing.");
-				if (*options == ' ' || *options == '\t')
-					break;		/* End of options. */
-				if (*options != ',')
-					goto bad_option;
-				options++;
-				/* Process the next option. */
-				continue;
-			}
-		}
-		/*
 		 * Break out of the loop if authentication was successful;
 		 * otherwise continue searching.
 		 */
+		authenticated = auth_parse_options(pw, options, linenum);
 		if (authenticated)
 			break;
 	}