1 /* $OpenBSD: ssh.c,v 1.326 2009/07/02 02:11:47 dtucker Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Ssh client program. This program can be used to log into a remote machine. 7 * The software supports strong authentication, encryption, and forwarding 8 * of X11, TCP/IP, and authentication connections. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * Copyright (c) 1999 Niels Provos. All rights reserved. 17 * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved. 18 * 19 * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> 20 * in Canada (German citizen). 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the above copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 31 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 32 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 34 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 35 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 36 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 37 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 38 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 39 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 40 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 41 */ 42 43 #include "includes.h" 44 45 #include <sys/types.h> 46 #ifdef HAVE_SYS_STAT_H 47 # include <sys/stat.h> 48 #endif 49 #include <sys/resource.h> 50 #include <sys/ioctl.h> 51 #include <sys/param.h> 52 #include <sys/socket.h> 53 54 #include <ctype.h> 55 #include <errno.h> 56 #include <fcntl.h> 57 #include <netdb.h> 58 #ifdef HAVE_PATHS_H 59 #include <paths.h> 60 #endif 61 #include <pwd.h> 62 #include <signal.h> 63 #include <stdarg.h> 64 #include <stddef.h> 65 #include <stdio.h> 66 #include <stdlib.h> 67 #include <string.h> 68 #include <unistd.h> 69 70 #include <netinet/in.h> 71 #include <arpa/inet.h> 72 73 #include <openssl/evp.h> 74 #include <openssl/err.h> 75 #include "openbsd-compat/openssl-compat.h" 76 #include "openbsd-compat/sys-queue.h" 77 78 #include "xmalloc.h" 79 #include "ssh.h" 80 #include "ssh1.h" 81 #include "ssh2.h" 82 #include "compat.h" 83 #include "cipher.h" 84 #include "packet.h" 85 #include "buffer.h" 86 #include "channels.h" 87 #include "key.h" 88 #include "authfd.h" 89 #include "authfile.h" 90 #include "pathnames.h" 91 #include "dispatch.h" 92 #include "clientloop.h" 93 #include "log.h" 94 #include "readconf.h" 95 #include "sshconnect.h" 96 #include "misc.h" 97 #include "kex.h" 98 #include "mac.h" 99 #include "sshpty.h" 100 #include "match.h" 101 #include "msg.h" 102 #include "uidswap.h" 103 #include "version.h" 104 105 #ifdef SMARTCARD 106 #include "scard.h" 107 #endif 108 109 extern char *__progname; 110 111 /* Flag indicating whether debug mode is on. May be set on the command line. */ 112 int debug_flag = 0; 113 114 /* Flag indicating whether a tty should be allocated */ 115 int tty_flag = 0; 116 int no_tty_flag = 0; 117 int force_tty_flag = 0; 118 119 /* don't exec a shell */ 120 int no_shell_flag = 0; 121 122 /* 123 * Flag indicating that nothing should be read from stdin. This can be set 124 * on the command line. 125 */ 126 int stdin_null_flag = 0; 127 128 /* 129 * Flag indicating that ssh should fork after authentication. This is useful 130 * so that the passphrase can be entered manually, and then ssh goes to the 131 * background. 132 */ 133 int fork_after_authentication_flag = 0; 134 135 /* 136 * General data structure for command line options and options configurable 137 * in configuration files. See readconf.h. 138 */ 139 Options options; 140 141 /* optional user configfile */ 142 char *config = NULL; 143 144 /* 145 * Name of the host we are connecting to. This is the name given on the 146 * command line, or the HostName specified for the user-supplied name in a 147 * configuration file. 148 */ 149 char *host; 150 151 /* socket address the host resolves to */ 152 struct sockaddr_storage hostaddr; 153 154 /* Private host keys. */ 155 Sensitive sensitive_data; 156 157 /* Original real UID. */ 158 uid_t original_real_uid; 159 uid_t original_effective_uid; 160 161 /* command to be executed */ 162 Buffer command; 163 164 /* Should we execute a command or invoke a subsystem? */ 165 int subsystem_flag = 0; 166 167 /* # of replies received for global requests */ 168 static int remote_forward_confirms_received = 0; 169 170 /* pid of proxycommand child process */ 171 pid_t proxy_command_pid = 0; 172 173 /* mux.c */ 174 extern int muxserver_sock; 175 extern u_int muxclient_command; 176 177 /* Prints a help message to the user. This function never returns. */ 178 179 static void 180 usage(void) 181 { 182 fprintf(stderr, 183 "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" 184 " [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" 185 " [-i identity_file] [-L [bind_address:]port:host:hostport]\n" 186 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" 187 " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" 188 " [-w local_tun[:remote_tun]] [user@]hostname [command]\n" 189 ); 190 exit(255); 191 } 192 193 static int ssh_session(void); 194 static int ssh_session2(void); 195 static void load_public_identity_files(void); 196 197 /* from muxclient.c */ 198 void muxclient(const char *); 199 void muxserver_listen(void); 200 201 /* 202 * Main program for the ssh client. 203 */ 204 int 205 main(int ac, char **av) 206 { 207 int i, r, opt, exit_status, use_syslog; 208 char *p, *cp, *line, *argv0, buf[MAXPATHLEN]; 209 struct stat st; 210 struct passwd *pw; 211 int dummy, timeout_ms; 212 extern int optind, optreset; 213 extern char *optarg; 214 struct servent *sp; 215 Forward fwd; 216 217 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ 218 sanitise_stdfd(); 219 220 __progname = ssh_get_progname(av[0]); 221 init_rng(); 222 223 /* 224 * Save the original real uid. It will be needed later (uid-swapping 225 * may clobber the real uid). 226 */ 227 original_real_uid = getuid(); 228 original_effective_uid = geteuid(); 229 230 /* 231 * Use uid-swapping to give up root privileges for the duration of 232 * option processing. We will re-instantiate the rights when we are 233 * ready to create the privileged port, and will permanently drop 234 * them when the port has been created (actually, when the connection 235 * has been made, as we may need to create the port several times). 236 */ 237 PRIV_END; 238 239 #ifdef HAVE_SETRLIMIT 240 /* If we are installed setuid root be careful to not drop core. */ 241 if (original_real_uid != original_effective_uid) { 242 struct rlimit rlim; 243 rlim.rlim_cur = rlim.rlim_max = 0; 244 if (setrlimit(RLIMIT_CORE, &rlim) < 0) 245 fatal("setrlimit failed: %.100s", strerror(errno)); 246 } 247 #endif 248 /* Get user data. */ 249 pw = getpwuid(original_real_uid); 250 if (!pw) { 251 logit("You don't exist, go away!"); 252 exit(255); 253 } 254 /* Take a copy of the returned structure. */ 255 pw = pwcopy(pw); 256 257 /* 258 * Set our umask to something reasonable, as some files are created 259 * with the default umask. This will make them world-readable but 260 * writable only by the owner, which is ok for all files for which we 261 * don't set the modes explicitly. 262 */ 263 umask(022); 264 265 /* 266 * Initialize option structure to indicate that no values have been 267 * set. 268 */ 269 initialize_options(&options); 270 271 /* Parse command-line arguments. */ 272 host = NULL; 273 use_syslog = 0; 274 argv0 = av[0]; 275 276 again: 277 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" 278 "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) { 279 switch (opt) { 280 case '1': 281 options.protocol = SSH_PROTO_1; 282 break; 283 case '2': 284 options.protocol = SSH_PROTO_2; 285 break; 286 case '4': 287 options.address_family = AF_INET; 288 break; 289 case '6': 290 options.address_family = AF_INET6; 291 break; 292 case 'n': 293 stdin_null_flag = 1; 294 break; 295 case 'f': 296 fork_after_authentication_flag = 1; 297 stdin_null_flag = 1; 298 break; 299 case 'x': 300 options.forward_x11 = 0; 301 break; 302 case 'X': 303 options.forward_x11 = 1; 304 break; 305 case 'y': 306 use_syslog = 1; 307 break; 308 case 'Y': 309 options.forward_x11 = 1; 310 options.forward_x11_trusted = 1; 311 break; 312 case 'g': 313 options.gateway_ports = 1; 314 break; 315 case 'O': 316 if (strcmp(optarg, "check") == 0) 317 muxclient_command = SSHMUX_COMMAND_ALIVE_CHECK; 318 else if (strcmp(optarg, "exit") == 0) 319 muxclient_command = SSHMUX_COMMAND_TERMINATE; 320 else 321 fatal("Invalid multiplex command."); 322 break; 323 case 'P': /* deprecated */ 324 options.use_privileged_port = 0; 325 break; 326 case 'a': 327 options.forward_agent = 0; 328 break; 329 case 'A': 330 options.forward_agent = 1; 331 break; 332 case 'k': 333 options.gss_deleg_creds = 0; 334 break; 335 case 'K': 336 options.gss_authentication = 1; 337 options.gss_deleg_creds = 1; 338 break; 339 case 'i': 340 if (stat(optarg, &st) < 0) { 341 fprintf(stderr, "Warning: Identity file %s " 342 "not accessible: %s.\n", optarg, 343 strerror(errno)); 344 break; 345 } 346 if (options.num_identity_files >= 347 SSH_MAX_IDENTITY_FILES) 348 fatal("Too many identity files specified " 349 "(max %d)", SSH_MAX_IDENTITY_FILES); 350 options.identity_files[options.num_identity_files++] = 351 xstrdup(optarg); 352 break; 353 case 'I': 354 #ifdef SMARTCARD 355 options.smartcard_device = xstrdup(optarg); 356 #else 357 fprintf(stderr, "no support for smartcards.\n"); 358 #endif 359 break; 360 case 't': 361 if (tty_flag) 362 force_tty_flag = 1; 363 tty_flag = 1; 364 break; 365 case 'v': 366 if (debug_flag == 0) { 367 debug_flag = 1; 368 options.log_level = SYSLOG_LEVEL_DEBUG1; 369 } else { 370 if (options.log_level < SYSLOG_LEVEL_DEBUG3) 371 options.log_level++; 372 break; 373 } 374 /* FALLTHROUGH */ 375 case 'V': 376 fprintf(stderr, "%s, %s\n", 377 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); 378 if (opt == 'V') 379 exit(0); 380 break; 381 case 'w': 382 if (options.tun_open == -1) 383 options.tun_open = SSH_TUNMODE_DEFAULT; 384 options.tun_local = a2tun(optarg, &options.tun_remote); 385 if (options.tun_local == SSH_TUNID_ERR) { 386 fprintf(stderr, 387 "Bad tun device '%s'\n", optarg); 388 exit(255); 389 } 390 break; 391 case 'q': 392 options.log_level = SYSLOG_LEVEL_QUIET; 393 break; 394 case 'e': 395 if (optarg[0] == '^' && optarg[2] == 0 && 396 (u_char) optarg[1] >= 64 && 397 (u_char) optarg[1] < 128) 398 options.escape_char = (u_char) optarg[1] & 31; 399 else if (strlen(optarg) == 1) 400 options.escape_char = (u_char) optarg[0]; 401 else if (strcmp(optarg, "none") == 0) 402 options.escape_char = SSH_ESCAPECHAR_NONE; 403 else { 404 fprintf(stderr, "Bad escape character '%s'.\n", 405 optarg); 406 exit(255); 407 } 408 break; 409 case 'c': 410 if (ciphers_valid(optarg)) { 411 /* SSH2 only */ 412 options.ciphers = xstrdup(optarg); 413 options.cipher = SSH_CIPHER_INVALID; 414 } else { 415 /* SSH1 only */ 416 options.cipher = cipher_number(optarg); 417 if (options.cipher == -1) { 418 fprintf(stderr, 419 "Unknown cipher type '%s'\n", 420 optarg); 421 exit(255); 422 } 423 if (options.cipher == SSH_CIPHER_3DES) 424 options.ciphers = "3des-cbc"; 425 else if (options.cipher == SSH_CIPHER_BLOWFISH) 426 options.ciphers = "blowfish-cbc"; 427 else 428 options.ciphers = (char *)-1; 429 } 430 break; 431 case 'm': 432 if (mac_valid(optarg)) 433 options.macs = xstrdup(optarg); 434 else { 435 fprintf(stderr, "Unknown mac type '%s'\n", 436 optarg); 437 exit(255); 438 } 439 break; 440 case 'M': 441 if (options.control_master == SSHCTL_MASTER_YES) 442 options.control_master = SSHCTL_MASTER_ASK; 443 else 444 options.control_master = SSHCTL_MASTER_YES; 445 break; 446 case 'p': 447 options.port = a2port(optarg); 448 if (options.port <= 0) { 449 fprintf(stderr, "Bad port '%s'\n", optarg); 450 exit(255); 451 } 452 break; 453 case 'l': 454 options.user = optarg; 455 break; 456 457 case 'L': 458 if (parse_forward(&fwd, optarg, 0, 0)) 459 add_local_forward(&options, &fwd); 460 else { 461 fprintf(stderr, 462 "Bad local forwarding specification '%s'\n", 463 optarg); 464 exit(255); 465 } 466 break; 467 468 case 'R': 469 if (parse_forward(&fwd, optarg, 0, 1)) { 470 add_remote_forward(&options, &fwd); 471 } else { 472 fprintf(stderr, 473 "Bad remote forwarding specification " 474 "'%s'\n", optarg); 475 exit(255); 476 } 477 break; 478 479 case 'D': 480 if (parse_forward(&fwd, optarg, 1, 0)) { 481 add_local_forward(&options, &fwd); 482 } else { 483 fprintf(stderr, 484 "Bad dynamic forwarding specification " 485 "'%s'\n", optarg); 486 exit(255); 487 } 488 break; 489 490 case 'C': 491 options.compression = 1; 492 break; 493 case 'N': 494 no_shell_flag = 1; 495 no_tty_flag = 1; 496 break; 497 case 'o': 498 dummy = 1; 499 line = xstrdup(optarg); 500 if (process_config_line(&options, host ? host : "", 501 line, "command-line", 0, &dummy) != 0) 502 exit(255); 503 xfree(line); 504 break; 505 case 'T': 506 no_tty_flag = 1; 507 /* ensure that the user doesn't try to backdoor a */ 508 /* null cipher switch on an interactive session */ 509 /* so explicitly disable it no matter what */ 510 options.none_switch=0; 511 break; 512 case 's': 513 subsystem_flag = 1; 514 break; 515 case 'S': 516 if (options.control_path != NULL) 517 free(options.control_path); 518 options.control_path = xstrdup(optarg); 519 break; 520 case 'b': 521 options.bind_address = optarg; 522 break; 523 case 'F': 524 config = optarg; 525 break; 526 default: 527 usage(); 528 } 529 } 530 531 ac -= optind; 532 av += optind; 533 534 if (ac > 0 && !host && **av != '-') { 535 if (strrchr(*av, '@')) { 536 p = xstrdup(*av); 537 cp = strrchr(p, '@'); 538 if (cp == NULL || cp == p) 539 usage(); 540 options.user = p; 541 *cp = '\0'; 542 host = ++cp; 543 } else 544 host = *av; 545 if (ac > 1) { 546 optind = optreset = 1; 547 goto again; 548 } 549 ac--, av++; 550 } 551 552 /* Check that we got a host name. */ 553 if (!host) 554 usage(); 555 556 SSLeay_add_all_algorithms(); 557 ERR_load_crypto_strings(); 558 559 /* Initialize the command to execute on remote host. */ 560 buffer_init(&command); 561 562 /* 563 * Save the command to execute on the remote host in a buffer. There 564 * is no limit on the length of the command, except by the maximum 565 * packet size. Also sets the tty flag if there is no command. 566 */ 567 if (!ac) { 568 /* No command specified - execute shell on a tty. */ 569 tty_flag = 1; 570 if (subsystem_flag) { 571 fprintf(stderr, 572 "You must specify a subsystem to invoke.\n"); 573 usage(); 574 } 575 } else { 576 /* A command has been specified. Store it into the buffer. */ 577 for (i = 0; i < ac; i++) { 578 if (i) 579 buffer_append(&command, " ", 1); 580 buffer_append(&command, av[i], strlen(av[i])); 581 } 582 } 583 584 /* Cannot fork to background if no command. */ 585 if (fork_after_authentication_flag && buffer_len(&command) == 0 && 586 !no_shell_flag) 587 fatal("Cannot fork into background without a command " 588 "to execute."); 589 590 /* Allocate a tty by default if no command specified. */ 591 if (buffer_len(&command) == 0) 592 tty_flag = 1; 593 594 /* Force no tty */ 595 if (no_tty_flag) 596 tty_flag = 0; 597 /* Do not allocate a tty if stdin is not a tty. */ 598 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { 599 if (tty_flag) 600 logit("Pseudo-terminal will not be allocated because " 601 "stdin is not a terminal."); 602 tty_flag = 0; 603 } 604 605 /* 606 * Initialize "log" output. Since we are the client all output 607 * actually goes to stderr. 608 */ 609 log_init(argv0, 610 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, 611 SYSLOG_FACILITY_USER, !use_syslog); 612 613 /* 614 * Read per-user configuration file. Ignore the system wide config 615 * file if the user specifies a config file on the command line. 616 */ 617 if (config != NULL) { 618 if (!read_config_file(config, host, &options, 0)) 619 fatal("Can't open user config file %.100s: " 620 "%.100s", config, strerror(errno)); 621 } else { 622 r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, 623 _PATH_SSH_USER_CONFFILE); 624 if (r > 0 && (size_t)r < sizeof(buf)) 625 (void)read_config_file(buf, host, &options, 1); 626 627 /* Read systemwide configuration file after use config. */ 628 (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, 629 &options, 0); 630 } 631 632 /* Fill configuration defaults. */ 633 fill_default_options(&options); 634 635 channel_set_af(options.address_family); 636 637 /* reinit */ 638 log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog); 639 640 seed_rng(); 641 642 if (options.user == NULL) 643 options.user = xstrdup(pw->pw_name); 644 645 /* Get default port if port has not been set. */ 646 if (options.port == 0) { 647 sp = getservbyname(SSH_SERVICE_NAME, "tcp"); 648 options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT; 649 } 650 651 if (options.local_command != NULL) { 652 char thishost[NI_MAXHOST]; 653 654 if (gethostname(thishost, sizeof(thishost)) == -1) 655 fatal("gethostname: %s", strerror(errno)); 656 snprintf(buf, sizeof(buf), "%d", options.port); 657 debug3("expanding LocalCommand: %s", options.local_command); 658 cp = options.local_command; 659 options.local_command = percent_expand(cp, "d", pw->pw_dir, 660 "h", options.hostname? options.hostname : host, 661 "l", thishost, "n", host, "r", options.user, "p", buf, 662 "u", pw->pw_name, (char *)NULL); 663 debug3("expanded LocalCommand: %s", options.local_command); 664 xfree(cp); 665 } 666 667 if (options.hostname != NULL) 668 host = options.hostname; 669 670 /* Find canonic host name. */ 671 if (strchr(host, '.') == 0) { 672 struct addrinfo hints; 673 struct addrinfo *ai = NULL; 674 int errgai; 675 memset(&hints, 0, sizeof(hints)); 676 hints.ai_family = options.address_family; 677 hints.ai_flags = AI_CANONNAME; 678 hints.ai_socktype = SOCK_STREAM; 679 errgai = getaddrinfo(host, NULL, &hints, &ai); 680 if (errgai == 0) { 681 if (ai->ai_canonname != NULL) 682 host = xstrdup(ai->ai_canonname); 683 freeaddrinfo(ai); 684 } 685 } 686 687 /* force lowercase for hostkey matching */ 688 if (options.host_key_alias != NULL) { 689 for (p = options.host_key_alias; *p; p++) 690 if (isupper(*p)) 691 *p = (char)tolower(*p); 692 } 693 694 if (options.proxy_command != NULL && 695 strcmp(options.proxy_command, "none") == 0) { 696 xfree(options.proxy_command); 697 options.proxy_command = NULL; 698 } 699 if (options.control_path != NULL && 700 strcmp(options.control_path, "none") == 0) { 701 xfree(options.control_path); 702 options.control_path = NULL; 703 } 704 705 if (options.control_path != NULL) { 706 char thishost[NI_MAXHOST]; 707 708 if (gethostname(thishost, sizeof(thishost)) == -1) 709 fatal("gethostname: %s", strerror(errno)); 710 snprintf(buf, sizeof(buf), "%d", options.port); 711 cp = tilde_expand_filename(options.control_path, 712 original_real_uid); 713 xfree(options.control_path); 714 options.control_path = percent_expand(cp, "p", buf, "h", host, 715 "r", options.user, "l", thishost, (char *)NULL); 716 xfree(cp); 717 } 718 if (muxclient_command != 0 && options.control_path == NULL) 719 fatal("No ControlPath specified for \"-O\" command"); 720 if (options.control_path != NULL) 721 muxclient(options.control_path); 722 723 timeout_ms = options.connection_timeout * 1000; 724 725 /* Open a connection to the remote host. */ 726 if (ssh_connect(host, &hostaddr, options.port, 727 options.address_family, options.connection_attempts, &timeout_ms, 728 options.tcp_keep_alive, 729 #ifdef HAVE_CYGWIN 730 options.use_privileged_port, 731 #else 732 original_effective_uid == 0 && options.use_privileged_port, 733 #endif 734 options.proxy_command) != 0) 735 exit(255); 736 737 if (timeout_ms > 0) 738 debug3("timeout: %d ms remain after connect", timeout_ms); 739 740 /* 741 * If we successfully made the connection, load the host private key 742 * in case we will need it later for combined rsa-rhosts 743 * authentication. This must be done before releasing extra 744 * privileges, because the file is only readable by root. 745 * If we cannot access the private keys, load the public keys 746 * instead and try to execute the ssh-keysign helper instead. 747 */ 748 sensitive_data.nkeys = 0; 749 sensitive_data.keys = NULL; 750 sensitive_data.external_keysign = 0; 751 if (options.rhosts_rsa_authentication || 752 options.hostbased_authentication) { 753 sensitive_data.nkeys = 3; 754 sensitive_data.keys = xcalloc(sensitive_data.nkeys, 755 sizeof(Key)); 756 757 PRIV_START; 758 sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, 759 _PATH_HOST_KEY_FILE, "", NULL, NULL); 760 sensitive_data.keys[1] = key_load_private_type(KEY_DSA, 761 _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); 762 sensitive_data.keys[2] = key_load_private_type(KEY_RSA, 763 _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); 764 PRIV_END; 765 766 if (options.hostbased_authentication == 1 && 767 sensitive_data.keys[0] == NULL && 768 sensitive_data.keys[1] == NULL && 769 sensitive_data.keys[2] == NULL) { 770 sensitive_data.keys[1] = key_load_public( 771 _PATH_HOST_DSA_KEY_FILE, NULL); 772 sensitive_data.keys[2] = key_load_public( 773 _PATH_HOST_RSA_KEY_FILE, NULL); 774 sensitive_data.external_keysign = 1; 775 } 776 } 777 /* 778 * Get rid of any extra privileges that we may have. We will no 779 * longer need them. Also, extra privileges could make it very hard 780 * to read identity files and other non-world-readable files from the 781 * user's home directory if it happens to be on a NFS volume where 782 * root is mapped to nobody. 783 */ 784 if (original_effective_uid == 0) { 785 PRIV_START; 786 permanently_set_uid(pw); 787 } 788 789 /* 790 * Now that we are back to our own permissions, create ~/.ssh 791 * directory if it doesn't already exist. 792 */ 793 r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, 794 strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); 795 if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) 796 if (mkdir(buf, 0700) < 0) 797 error("Could not create directory '%.200s'.", buf); 798 799 /* load options.identity_files */ 800 load_public_identity_files(); 801 802 /* Expand ~ in known host file names. */ 803 /* XXX mem-leaks: */ 804 options.system_hostfile = 805 tilde_expand_filename(options.system_hostfile, original_real_uid); 806 options.user_hostfile = 807 tilde_expand_filename(options.user_hostfile, original_real_uid); 808 options.system_hostfile2 = 809 tilde_expand_filename(options.system_hostfile2, original_real_uid); 810 options.user_hostfile2 = 811 tilde_expand_filename(options.user_hostfile2, original_real_uid); 812 813 signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ 814 815 /* Log into the remote system. Never returns if the login fails. */ 816 ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, 817 pw, timeout_ms); 818 819 /* We no longer need the private host keys. Clear them now. */ 820 if (sensitive_data.nkeys != 0) { 821 for (i = 0; i < sensitive_data.nkeys; i++) { 822 if (sensitive_data.keys[i] != NULL) { 823 /* Destroys contents safely */ 824 debug3("clear hostkey %d", i); 825 key_free(sensitive_data.keys[i]); 826 sensitive_data.keys[i] = NULL; 827 } 828 } 829 xfree(sensitive_data.keys); 830 } 831 for (i = 0; i < options.num_identity_files; i++) { 832 if (options.identity_files[i]) { 833 xfree(options.identity_files[i]); 834 options.identity_files[i] = NULL; 835 } 836 if (options.identity_keys[i]) { 837 key_free(options.identity_keys[i]); 838 options.identity_keys[i] = NULL; 839 } 840 } 841 842 exit_status = compat20 ? ssh_session2() : ssh_session(); 843 packet_close(); 844 845 if (options.control_path != NULL && muxserver_sock != -1) 846 unlink(options.control_path); 847 848 /* 849 * Send SIGHUP to proxy command if used. We don't wait() in 850 * case it hangs and instead rely on init to reap the child 851 */ 852 if (proxy_command_pid > 1) 853 kill(proxy_command_pid, SIGHUP); 854 855 return exit_status; 856 } 857 858 /* Callback for remote forward global requests */ 859 static void 860 ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) 861 { 862 Forward *rfwd = (Forward *)ctxt; 863 864 /* XXX verbose() on failure? */ 865 debug("remote forward %s for: listen %d, connect %s:%d", 866 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 867 rfwd->listen_port, rfwd->connect_host, rfwd->connect_port); 868 if (type == SSH2_MSG_REQUEST_SUCCESS && rfwd->listen_port == 0) { 869 logit("Allocated port %u for remote forward to %s:%d", 870 packet_get_int(), 871 rfwd->connect_host, rfwd->connect_port); 872 } 873 874 if (type == SSH2_MSG_REQUEST_FAILURE) { 875 if (options.exit_on_forward_failure) 876 fatal("Error: remote port forwarding failed for " 877 "listen port %d", rfwd->listen_port); 878 else 879 logit("Warning: remote port forwarding failed for " 880 "listen port %d", rfwd->listen_port); 881 } 882 if (++remote_forward_confirms_received == options.num_remote_forwards) { 883 debug("All remote forwarding requests processed"); 884 if (fork_after_authentication_flag) { 885 fork_after_authentication_flag = 0; 886 if (daemon(1, 1) < 0) 887 fatal("daemon() failed: %.200s", 888 strerror(errno)); 889 } 890 } 891 } 892 893 static void 894 ssh_init_forwarding(void) 895 { 896 int success = 0; 897 int i; 898 899 /* Initiate local TCP/IP port forwardings. */ 900 for (i = 0; i < options.num_local_forwards; i++) { 901 debug("Local connections to %.200s:%d forwarded to remote " 902 "address %.200s:%d", 903 (options.local_forwards[i].listen_host == NULL) ? 904 (options.gateway_ports ? "*" : "LOCALHOST") : 905 options.local_forwards[i].listen_host, 906 options.local_forwards[i].listen_port, 907 options.local_forwards[i].connect_host, 908 options.local_forwards[i].connect_port); 909 success += channel_setup_local_fwd_listener( 910 options.local_forwards[i].listen_host, 911 options.local_forwards[i].listen_port, 912 options.local_forwards[i].connect_host, 913 options.local_forwards[i].connect_port, 914 options.gateway_ports); 915 } 916 if (i > 0 && success != i && options.exit_on_forward_failure) 917 fatal("Could not request local forwarding."); 918 if (i > 0 && success == 0) 919 error("Could not request local forwarding."); 920 921 /* Initiate remote TCP/IP port forwardings. */ 922 for (i = 0; i < options.num_remote_forwards; i++) { 923 debug("Remote connections from %.200s:%d forwarded to " 924 "local address %.200s:%d", 925 (options.remote_forwards[i].listen_host == NULL) ? 926 "LOCALHOST" : options.remote_forwards[i].listen_host, 927 options.remote_forwards[i].listen_port, 928 options.remote_forwards[i].connect_host, 929 options.remote_forwards[i].connect_port); 930 if (channel_request_remote_forwarding( 931 options.remote_forwards[i].listen_host, 932 options.remote_forwards[i].listen_port, 933 options.remote_forwards[i].connect_host, 934 options.remote_forwards[i].connect_port) < 0) { 935 if (options.exit_on_forward_failure) 936 fatal("Could not request remote forwarding."); 937 else 938 logit("Warning: Could not request remote " 939 "forwarding."); 940 } 941 client_register_global_confirm(ssh_confirm_remote_forward, 942 &options.remote_forwards[i]); 943 } 944 945 /* Initiate tunnel forwarding. */ 946 if (options.tun_open != SSH_TUNMODE_NO) { 947 if (client_request_tun_fwd(options.tun_open, 948 options.tun_local, options.tun_remote) == -1) { 949 if (options.exit_on_forward_failure) 950 fatal("Could not request tunnel forwarding."); 951 else 952 error("Could not request tunnel forwarding."); 953 } 954 } 955 } 956 957 static void 958 check_agent_present(void) 959 { 960 if (options.forward_agent) { 961 /* Clear agent forwarding if we don't have an agent. */ 962 if (!ssh_agent_present()) 963 options.forward_agent = 0; 964 } 965 } 966 967 static int 968 ssh_session(void) 969 { 970 int type; 971 int interactive = 0; 972 int have_tty = 0; 973 struct winsize ws; 974 char *cp; 975 const char *display; 976 977 /* Enable compression if requested. */ 978 if (options.compression) { 979 debug("Requesting compression at level %d.", 980 options.compression_level); 981 982 if (options.compression_level < 1 || 983 options.compression_level > 9) 984 fatal("Compression level must be from 1 (fast) to " 985 "9 (slow, best)."); 986 987 /* Send the request. */ 988 packet_start(SSH_CMSG_REQUEST_COMPRESSION); 989 packet_put_int(options.compression_level); 990 packet_send(); 991 packet_write_wait(); 992 type = packet_read(); 993 if (type == SSH_SMSG_SUCCESS) 994 packet_start_compression(options.compression_level); 995 else if (type == SSH_SMSG_FAILURE) 996 logit("Warning: Remote host refused compression."); 997 else 998 packet_disconnect("Protocol error waiting for " 999 "compression response."); 1000 } 1001 /* Allocate a pseudo tty if appropriate. */ 1002 if (tty_flag) { 1003 debug("Requesting pty."); 1004 1005 /* Start the packet. */ 1006 packet_start(SSH_CMSG_REQUEST_PTY); 1007 1008 /* Store TERM in the packet. There is no limit on the 1009 length of the string. */ 1010 cp = getenv("TERM"); 1011 if (!cp) 1012 cp = ""; 1013 packet_put_cstring(cp); 1014 1015 /* Store window size in the packet. */ 1016 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 1017 memset(&ws, 0, sizeof(ws)); 1018 packet_put_int((u_int)ws.ws_row); 1019 packet_put_int((u_int)ws.ws_col); 1020 packet_put_int((u_int)ws.ws_xpixel); 1021 packet_put_int((u_int)ws.ws_ypixel); 1022 1023 /* Store tty modes in the packet. */ 1024 tty_make_modes(fileno(stdin), NULL); 1025 1026 /* Send the packet, and wait for it to leave. */ 1027 packet_send(); 1028 packet_write_wait(); 1029 1030 /* Read response from the server. */ 1031 type = packet_read(); 1032 if (type == SSH_SMSG_SUCCESS) { 1033 interactive = 1; 1034 have_tty = 1; 1035 } else if (type == SSH_SMSG_FAILURE) 1036 logit("Warning: Remote host failed or refused to " 1037 "allocate a pseudo tty."); 1038 else 1039 packet_disconnect("Protocol error waiting for pty " 1040 "request response."); 1041 } 1042 /* Request X11 forwarding if enabled and DISPLAY is set. */ 1043 display = getenv("DISPLAY"); 1044 if (options.forward_x11 && display != NULL) { 1045 char *proto, *data; 1046 /* Get reasonable local authentication information. */ 1047 client_x11_get_proto(display, options.xauth_location, 1048 options.forward_x11_trusted, &proto, &data); 1049 /* Request forwarding with authentication spoofing. */ 1050 debug("Requesting X11 forwarding with authentication " 1051 "spoofing."); 1052 x11_request_forwarding_with_spoofing(0, display, proto, data); 1053 1054 /* Read response from the server. */ 1055 type = packet_read(); 1056 if (type == SSH_SMSG_SUCCESS) { 1057 interactive = 1; 1058 } else if (type == SSH_SMSG_FAILURE) { 1059 logit("Warning: Remote host denied X11 forwarding."); 1060 } else { 1061 packet_disconnect("Protocol error waiting for X11 " 1062 "forwarding"); 1063 } 1064 } 1065 /* Tell the packet module whether this is an interactive session. */ 1066 packet_set_interactive(interactive); 1067 1068 /* Request authentication agent forwarding if appropriate. */ 1069 check_agent_present(); 1070 1071 if (options.forward_agent) { 1072 debug("Requesting authentication agent forwarding."); 1073 auth_request_forwarding(); 1074 1075 /* Read response from the server. */ 1076 type = packet_read(); 1077 packet_check_eom(); 1078 if (type != SSH_SMSG_SUCCESS) 1079 logit("Warning: Remote host denied authentication agent forwarding."); 1080 } 1081 1082 /* Initiate port forwardings. */ 1083 ssh_init_forwarding(); 1084 1085 /* Execute a local command */ 1086 if (options.local_command != NULL && 1087 options.permit_local_command) 1088 ssh_local_cmd(options.local_command); 1089 1090 /* 1091 * If requested and we are not interested in replies to remote 1092 * forwarding requests, then let ssh continue in the background. 1093 */ 1094 if (fork_after_authentication_flag && 1095 (!options.exit_on_forward_failure || 1096 options.num_remote_forwards == 0)) { 1097 fork_after_authentication_flag = 0; 1098 if (daemon(1, 1) < 0) 1099 fatal("daemon() failed: %.200s", strerror(errno)); 1100 } 1101 1102 /* 1103 * If a command was specified on the command line, execute the 1104 * command now. Otherwise request the server to start a shell. 1105 */ 1106 if (buffer_len(&command) > 0) { 1107 int len = buffer_len(&command); 1108 if (len > 900) 1109 len = 900; 1110 debug("Sending command: %.*s", len, 1111 (u_char *)buffer_ptr(&command)); 1112 packet_start(SSH_CMSG_EXEC_CMD); 1113 packet_put_string(buffer_ptr(&command), buffer_len(&command)); 1114 packet_send(); 1115 packet_write_wait(); 1116 } else { 1117 debug("Requesting shell."); 1118 packet_start(SSH_CMSG_EXEC_SHELL); 1119 packet_send(); 1120 packet_write_wait(); 1121 } 1122 1123 /* Enter the interactive session. */ 1124 return client_loop(have_tty, tty_flag ? 1125 options.escape_char : SSH_ESCAPECHAR_NONE, 0); 1126 } 1127 1128 /* request pty/x11/agent/tcpfwd/shell for channel */ 1129 static void 1130 ssh_session2_setup(int id, void *arg) 1131 { 1132 extern char **environ; 1133 const char *display; 1134 int interactive = tty_flag; 1135 1136 display = getenv("DISPLAY"); 1137 if (options.forward_x11 && display != NULL) { 1138 char *proto, *data; 1139 /* Get reasonable local authentication information. */ 1140 client_x11_get_proto(display, options.xauth_location, 1141 options.forward_x11_trusted, &proto, &data); 1142 /* Request forwarding with authentication spoofing. */ 1143 debug("Requesting X11 forwarding with authentication " 1144 "spoofing."); 1145 x11_request_forwarding_with_spoofing(id, display, proto, data); 1146 interactive = 1; 1147 /* XXX wait for reply */ 1148 } 1149 1150 check_agent_present(); 1151 if (options.forward_agent) { 1152 debug("Requesting authentication agent forwarding."); 1153 channel_request_start(id, "auth-agent-req@openssh.com", 0); 1154 packet_send(); 1155 } 1156 1157 client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), 1158 NULL, fileno(stdin), &command, environ); 1159 1160 packet_set_interactive(interactive); 1161 } 1162 1163 /* open new channel for a session */ 1164 static int 1165 ssh_session2_open(void) 1166 { 1167 Channel *c; 1168 int window, packetmax, in, out, err; 1169 int sock; 1170 int socksize; 1171 int socksizelen = sizeof(int); 1172 1173 if (stdin_null_flag) { 1174 in = open(_PATH_DEVNULL, O_RDONLY); 1175 } else { 1176 in = dup(STDIN_FILENO); 1177 } 1178 out = dup(STDOUT_FILENO); 1179 err = dup(STDERR_FILENO); 1180 1181 if (in < 0 || out < 0 || err < 0) 1182 fatal("dup() in/out/err failed"); 1183 1184 /* enable nonblocking unless tty */ 1185 if (!isatty(in)) 1186 set_nonblock(in); 1187 if (!isatty(out)) 1188 set_nonblock(out); 1189 if (!isatty(err)) 1190 set_nonblock(err); 1191 1192 /* we need to check to see if what they want to do about buffer */ 1193 /* sizes here. In a hpn to nonhpn connection we want to limit */ 1194 /* the window size to something reasonable in case the far side */ 1195 /* has the large window bug. In hpn to hpn connection we want to */ 1196 /* use the max window size but allow the user to override it */ 1197 /* lastly if they disabled hpn then use the ssh std window size */ 1198 1199 /* so why don't we just do a getsockopt() here and set the */ 1200 /* ssh window to that? In the case of a autotuning receive */ 1201 /* window the window would get stuck at the initial buffer */ 1202 /* size generally less than 96k. Therefore we need to set the */ 1203 /* maximum ssh window size to the maximum hpn buffer size */ 1204 /* unless the user has specifically set the tcprcvbufpoll */ 1205 /* to no. In which case we *can* just set the window to the */ 1206 /* minimum of the hpn buffer size and tcp receive buffer size */ 1207 1208 if (tty_flag) 1209 options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; 1210 else 1211 options.hpn_buffer_size = 2*1024*1024; 1212 1213 if (datafellows & SSH_BUG_LARGEWINDOW) 1214 { 1215 debug("HPN to Non-HPN Connection"); 1216 } 1217 else 1218 { 1219 if (options.tcp_rcv_buf_poll <= 0) 1220 { 1221 sock = socket(AF_INET, SOCK_STREAM, 0); 1222 getsockopt(sock, SOL_SOCKET, SO_RCVBUF, 1223 &socksize, &socksizelen); 1224 close(sock); 1225 debug("socksize %d", socksize); 1226 options.hpn_buffer_size = socksize; 1227 debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size); 1228 } 1229 else 1230 { 1231 if (options.tcp_rcv_buf > 0) 1232 { 1233 /*create a socket but don't connect it */ 1234 /* we use that the get the rcv socket size */ 1235 sock = socket(AF_INET, SOCK_STREAM, 0); 1236 /* if they are using the tcp_rcv_buf option */ 1237 /* attempt to set the buffer size to that */ 1238 if (options.tcp_rcv_buf) 1239 setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf, 1240 sizeof(options.tcp_rcv_buf)); 1241 getsockopt(sock, SOL_SOCKET, SO_RCVBUF, 1242 &socksize, &socksizelen); 1243 close(sock); 1244 debug("socksize %d", socksize); 1245 options.hpn_buffer_size = socksize; 1246 debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size); 1247 } 1248 } 1249 1250 } 1251 1252 debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); 1253 1254 window = options.hpn_buffer_size; 1255 1256 channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); 1257 1258 packetmax = CHAN_SES_PACKET_DEFAULT; 1259 if (tty_flag) { 1260 window = 4*CHAN_SES_PACKET_DEFAULT; 1261 window >>= 1; 1262 packetmax >>= 1; 1263 } 1264 c = channel_new( 1265 "session", SSH_CHANNEL_OPENING, in, out, err, 1266 window, packetmax, CHAN_EXTENDED_WRITE, 1267 "client-session", /*nonblock*/0); 1268 if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) { 1269 c->dynamic_window = 1; 1270 debug ("Enabled Dynamic Window Scaling\n"); 1271 } 1272 debug3("ssh_session2_open: channel_new: %d", c->self); 1273 1274 channel_send_open(c->self); 1275 if (!no_shell_flag) 1276 channel_register_open_confirm(c->self, 1277 ssh_session2_setup, NULL); 1278 1279 return c->self; 1280 } 1281 1282 static int 1283 ssh_session2(void) 1284 { 1285 int id = -1; 1286 1287 /* XXX should be pre-session */ 1288 ssh_init_forwarding(); 1289 1290 if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) 1291 id = ssh_session2_open(); 1292 1293 /* If we don't expect to open a new session, then disallow it */ 1294 if (options.control_master == SSHCTL_MASTER_NO && 1295 (datafellows & SSH_NEW_OPENSSH)) { 1296 debug("Requesting no-more-sessions@openssh.com"); 1297 packet_start(SSH2_MSG_GLOBAL_REQUEST); 1298 packet_put_cstring("no-more-sessions@openssh.com"); 1299 packet_put_char(0); 1300 packet_send(); 1301 } 1302 1303 /* Execute a local command */ 1304 if (options.local_command != NULL && 1305 options.permit_local_command) 1306 ssh_local_cmd(options.local_command); 1307 1308 /* Start listening for multiplex clients */ 1309 muxserver_listen(); 1310 1311 /* If requested, let ssh continue in the background. */ 1312 if (fork_after_authentication_flag) { 1313 fork_after_authentication_flag = 0; 1314 if (daemon(1, 1) < 0) 1315 fatal("daemon() failed: %.200s", strerror(errno)); 1316 } 1317 1318 return client_loop(tty_flag, tty_flag ? 1319 options.escape_char : SSH_ESCAPECHAR_NONE, id); 1320 } 1321 1322 static void 1323 load_public_identity_files(void) 1324 { 1325 char *filename, *cp, thishost[NI_MAXHOST]; 1326 char *pwdir = NULL, *pwname = NULL; 1327 int i = 0; 1328 Key *public; 1329 struct passwd *pw; 1330 #ifdef SMARTCARD 1331 Key **keys; 1332 1333 if (options.smartcard_device != NULL && 1334 options.num_identity_files < SSH_MAX_IDENTITY_FILES && 1335 (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) { 1336 int count = 0; 1337 for (i = 0; keys[i] != NULL; i++) { 1338 count++; 1339 memmove(&options.identity_files[1], 1340 &options.identity_files[0], 1341 sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); 1342 memmove(&options.identity_keys[1], 1343 &options.identity_keys[0], 1344 sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); 1345 options.num_identity_files++; 1346 options.identity_keys[0] = keys[i]; 1347 options.identity_files[0] = sc_get_key_label(keys[i]); 1348 } 1349 if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) 1350 options.num_identity_files = SSH_MAX_IDENTITY_FILES; 1351 i = count; 1352 xfree(keys); 1353 } 1354 #endif /* SMARTCARD */ 1355 if ((pw = getpwuid(original_real_uid)) == NULL) 1356 fatal("load_public_identity_files: getpwuid failed"); 1357 pwname = xstrdup(pw->pw_name); 1358 pwdir = xstrdup(pw->pw_dir); 1359 if (gethostname(thishost, sizeof(thishost)) == -1) 1360 fatal("load_public_identity_files: gethostname: %s", 1361 strerror(errno)); 1362 for (; i < options.num_identity_files; i++) { 1363 cp = tilde_expand_filename(options.identity_files[i], 1364 original_real_uid); 1365 filename = percent_expand(cp, "d", pwdir, 1366 "u", pwname, "l", thishost, "h", host, 1367 "r", options.user, (char *)NULL); 1368 xfree(cp); 1369 public = key_load_public(filename, NULL); 1370 debug("identity file %s type %d", filename, 1371 public ? public->type : -1); 1372 xfree(options.identity_files[i]); 1373 options.identity_files[i] = filename; 1374 options.identity_keys[i] = public; 1375 } 1376 bzero(pwname, strlen(pwname)); 1377 xfree(pwname); 1378 bzero(pwdir, strlen(pwdir)); 1379 xfree(pwdir); 1380 } 1381