1 /* $NetBSD: clientloop.c,v 1.28 2020/02/27 00:24:40 christos Exp $ */ 2 /* $OpenBSD: clientloop.c,v 1.340 2020/02/02 09:45:34 dtucker Exp $ */ 3 /* 4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6 * All rights reserved 7 * The main loop for the interactive session (client side). 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * 16 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37 * 38 * 39 * SSH2 support added by Markus Friedl. 40 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. 41 * 42 * Redistribution and use in source and binary forms, with or without 43 * modification, are permitted provided that the following conditions 44 * are met: 45 * 1. Redistributions of source code must retain the above copyright 46 * notice, this list of conditions and the following disclaimer. 47 * 2. Redistributions in binary form must reproduce the above copyright 48 * notice, this list of conditions and the following disclaimer in the 49 * documentation and/or other materials provided with the distribution. 50 * 51 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 52 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 53 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 54 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 55 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 57 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 58 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 59 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 60 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 61 */ 62 63 #include "includes.h" 64 __RCSID("$NetBSD: clientloop.c,v 1.28 2020/02/27 00:24:40 christos Exp $"); 65 66 #include <sys/types.h> 67 #include <sys/ioctl.h> 68 #include <sys/stat.h> 69 #include <sys/socket.h> 70 #include <sys/time.h> 71 #include <sys/queue.h> 72 73 #include <ctype.h> 74 #include <errno.h> 75 #include <paths.h> 76 #include <signal.h> 77 #include <stdio.h> 78 #include <stdlib.h> 79 #include <string.h> 80 #include <stdarg.h> 81 #include <termios.h> 82 #include <pwd.h> 83 #include <unistd.h> 84 #include <limits.h> 85 86 #include "xmalloc.h" 87 #include "ssh.h" 88 #include "ssh2.h" 89 #include "packet.h" 90 #include "sshbuf.h" 91 #include "compat.h" 92 #include "channels.h" 93 #include "dispatch.h" 94 #include "sshkey.h" 95 #include "cipher.h" 96 #include "kex.h" 97 #include "myproposal.h" 98 #include "log.h" 99 #include "misc.h" 100 #include "readconf.h" 101 #include "clientloop.h" 102 #include "sshconnect.h" 103 #include "authfd.h" 104 #include "atomicio.h" 105 #include "sshpty.h" 106 #include "match.h" 107 #include "msg.h" 108 #include "getpeereid.h" 109 #include "ssherr.h" 110 #include "hostfile.h" 111 112 /* import options */ 113 extern Options options; 114 115 /* Flag indicating that stdin should be redirected from /dev/null. */ 116 extern int stdin_null_flag; 117 118 /* Flag indicating that no shell has been requested */ 119 extern int no_shell_flag; 120 121 /* Flag indicating that ssh should daemonise after authentication is complete */ 122 extern int fork_after_authentication_flag; 123 124 /* Control socket */ 125 extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */ 126 127 /* 128 * Name of the host we are connecting to. This is the name given on the 129 * command line, or the Hostname specified for the user-supplied name in a 130 * configuration file. 131 */ 132 extern char *host; 133 134 /* 135 * If this field is not NULL, the ForwardAgent socket is this path and different 136 * instead of SSH_AUTH_SOCK. 137 */ 138 extern char *forward_agent_sock_path; 139 140 /* 141 * Flag to indicate that we have received a window change signal which has 142 * not yet been processed. This will cause a message indicating the new 143 * window size to be sent to the server a little later. This is volatile 144 * because this is updated in a signal handler. 145 */ 146 static volatile sig_atomic_t received_window_change_signal = 0; 147 static volatile sig_atomic_t received_signal = 0; 148 149 /* Flag indicating whether the user's terminal is in non-blocking mode. */ 150 static int in_non_blocking_mode = 0; 151 152 /* Time when backgrounded control master using ControlPersist should exit */ 153 static time_t control_persist_exit_time = 0; 154 155 /* Common data for the client loop code. */ 156 volatile sig_atomic_t quit_pending; /* Set non-zero to quit the loop. */ 157 static int last_was_cr; /* Last character was a newline. */ 158 static int exit_status; /* Used to store the command exit status. */ 159 static struct sshbuf *stderr_buffer; /* Used for final exit message. */ 160 static int connection_in; /* Connection to server (input). */ 161 static int connection_out; /* Connection to server (output). */ 162 static int need_rekeying; /* Set to non-zero if rekeying is requested. */ 163 static int session_closed; /* In SSH2: login session closed. */ 164 static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ 165 166 static void client_init_dispatch(struct ssh *ssh); 167 int session_ident = -1; 168 169 /* Track escape per proto2 channel */ 170 struct escape_filter_ctx { 171 int escape_pending; 172 int escape_char; 173 }; 174 175 /* Context for channel confirmation replies */ 176 struct channel_reply_ctx { 177 const char *request_type; 178 int id; 179 enum confirm_action action; 180 }; 181 182 /* Global request success/failure callbacks */ 183 /* XXX move to struct ssh? */ 184 struct global_confirm { 185 TAILQ_ENTRY(global_confirm) entry; 186 global_confirm_cb *cb; 187 void *ctx; 188 int ref_count; 189 }; 190 TAILQ_HEAD(global_confirms, global_confirm); 191 static struct global_confirms global_confirms = 192 TAILQ_HEAD_INITIALIZER(global_confirms); 193 194 void ssh_process_session2_setup(int, int, int, struct sshbuf *); 195 196 /* Restores stdin to blocking mode. */ 197 198 static void 199 leave_non_blocking(void) 200 { 201 if (in_non_blocking_mode) { 202 unset_nonblock(fileno(stdin)); 203 in_non_blocking_mode = 0; 204 } 205 } 206 207 /* 208 * Signal handler for the window change signal (SIGWINCH). This just sets a 209 * flag indicating that the window has changed. 210 */ 211 /*ARGSUSED */ 212 static void 213 window_change_handler(int sig) 214 { 215 received_window_change_signal = 1; 216 } 217 218 /* 219 * Signal handler for signals that cause the program to terminate. These 220 * signals must be trapped to restore terminal modes. 221 */ 222 /*ARGSUSED */ 223 static void 224 signal_handler(int sig) 225 { 226 received_signal = sig; 227 quit_pending = 1; 228 } 229 230 /* 231 * Sets control_persist_exit_time to the absolute time when the 232 * backgrounded control master should exit due to expiry of the 233 * ControlPersist timeout. Sets it to 0 if we are not a backgrounded 234 * control master process, or if there is no ControlPersist timeout. 235 */ 236 static void 237 set_control_persist_exit_time(struct ssh *ssh) 238 { 239 if (muxserver_sock == -1 || !options.control_persist 240 || options.control_persist_timeout == 0) { 241 /* not using a ControlPersist timeout */ 242 control_persist_exit_time = 0; 243 } else if (channel_still_open(ssh)) { 244 /* some client connections are still open */ 245 if (control_persist_exit_time > 0) 246 debug2("%s: cancel scheduled exit", __func__); 247 control_persist_exit_time = 0; 248 } else if (control_persist_exit_time <= 0) { 249 /* a client connection has recently closed */ 250 control_persist_exit_time = monotime() + 251 (time_t)options.control_persist_timeout; 252 debug2("%s: schedule exit in %d seconds", __func__, 253 options.control_persist_timeout); 254 } 255 /* else we are already counting down to the timeout */ 256 } 257 258 #define SSH_X11_VALID_DISPLAY_CHARS ":/.-_" 259 static int 260 client_x11_display_valid(const char *display) 261 { 262 size_t i, dlen; 263 264 if (display == NULL) 265 return 0; 266 267 dlen = strlen(display); 268 for (i = 0; i < dlen; i++) { 269 if (!isalnum((u_char)display[i]) && 270 strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) { 271 debug("Invalid character '%c' in DISPLAY", display[i]); 272 return 0; 273 } 274 } 275 return 1; 276 } 277 278 #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" 279 #define X11_TIMEOUT_SLACK 60 280 int 281 client_x11_get_proto(struct ssh *ssh, const char *display, 282 const char *xauth_path, u_int trusted, u_int timeout, 283 char **_proto, char **_data) 284 { 285 char *cmd, line[512], xdisplay[512]; 286 char xauthfile[PATH_MAX], xauthdir[PATH_MAX]; 287 static char proto[512], data[512]; 288 FILE *f; 289 int got_data = 0, generated = 0, do_unlink = 0, r; 290 struct stat st; 291 u_int now, x11_timeout_real; 292 293 *_proto = proto; 294 *_data = data; 295 proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0'; 296 297 if (!client_x11_display_valid(display)) { 298 if (display != NULL) 299 logit("DISPLAY \"%s\" invalid; disabling X11 forwarding", 300 display); 301 return -1; 302 } 303 if (xauth_path != NULL && stat(xauth_path, &st) == -1) { 304 debug("No xauth program."); 305 xauth_path = NULL; 306 } 307 308 if (xauth_path != NULL) { 309 /* 310 * Handle FamilyLocal case where $DISPLAY does 311 * not match an authorization entry. For this we 312 * just try "xauth list unix:displaynum.screennum". 313 * XXX: "localhost" match to determine FamilyLocal 314 * is not perfect. 315 */ 316 if (strncmp(display, "localhost:", 10) == 0) { 317 if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s", 318 display + 10)) < 0 || 319 (size_t)r >= sizeof(xdisplay)) { 320 error("%s: display name too long", __func__); 321 return -1; 322 } 323 display = xdisplay; 324 } 325 if (trusted == 0) { 326 /* 327 * Generate an untrusted X11 auth cookie. 328 * 329 * The authentication cookie should briefly outlive 330 * ssh's willingness to forward X11 connections to 331 * avoid nasty fail-open behaviour in the X server. 332 */ 333 mktemp_proto(xauthdir, sizeof(xauthdir)); 334 if (mkdtemp(xauthdir) == NULL) { 335 error("%s: mkdtemp: %s", 336 __func__, strerror(errno)); 337 return -1; 338 } 339 do_unlink = 1; 340 if ((r = snprintf(xauthfile, sizeof(xauthfile), 341 "%s/xauthfile", xauthdir)) < 0 || 342 (size_t)r >= sizeof(xauthfile)) { 343 error("%s: xauthfile path too long", __func__); 344 rmdir(xauthdir); 345 return -1; 346 } 347 348 if (timeout == 0) { 349 /* auth doesn't time out */ 350 xasprintf(&cmd, "%s -f %s generate %s %s " 351 "untrusted 2>%s", 352 xauth_path, xauthfile, display, 353 SSH_X11_PROTO, _PATH_DEVNULL); 354 } else { 355 /* Add some slack to requested expiry */ 356 if (timeout < UINT_MAX - X11_TIMEOUT_SLACK) 357 x11_timeout_real = timeout + 358 X11_TIMEOUT_SLACK; 359 else { 360 /* Don't overflow on long timeouts */ 361 x11_timeout_real = UINT_MAX; 362 } 363 xasprintf(&cmd, "%s -f %s generate %s %s " 364 "untrusted timeout %u 2>%s", 365 xauth_path, xauthfile, display, 366 SSH_X11_PROTO, x11_timeout_real, 367 _PATH_DEVNULL); 368 } 369 debug2("%s: xauth command: %s", __func__, cmd); 370 371 if (timeout != 0 && x11_refuse_time == 0) { 372 now = monotime() + 1; 373 if (UINT_MAX - timeout < now) 374 x11_refuse_time = UINT_MAX; 375 else 376 x11_refuse_time = now + timeout; 377 channel_set_x11_refuse_time(ssh, 378 x11_refuse_time); 379 } 380 if (system(cmd) == 0) 381 generated = 1; 382 free(cmd); 383 } 384 385 /* 386 * When in untrusted mode, we read the cookie only if it was 387 * successfully generated as an untrusted one in the step 388 * above. 389 */ 390 if (trusted || generated) { 391 xasprintf(&cmd, 392 "%s %s%s list %s 2>" _PATH_DEVNULL, 393 xauth_path, 394 generated ? "-f " : "" , 395 generated ? xauthfile : "", 396 display); 397 debug2("x11_get_proto: %s", cmd); 398 f = popen(cmd, "r"); 399 if (f && fgets(line, sizeof(line), f) && 400 sscanf(line, "%*s %511s %511s", proto, data) == 2) 401 got_data = 1; 402 if (f) 403 pclose(f); 404 free(cmd); 405 } 406 } 407 408 if (do_unlink) { 409 unlink(xauthfile); 410 rmdir(xauthdir); 411 } 412 413 /* Don't fall back to fake X11 data for untrusted forwarding */ 414 if (!trusted && !got_data) { 415 error("Warning: untrusted X11 forwarding setup failed: " 416 "xauth key data not generated"); 417 return -1; 418 } 419 420 /* 421 * If we didn't get authentication data, just make up some 422 * data. The forwarding code will check the validity of the 423 * response anyway, and substitute this data. The X11 424 * server, however, will ignore this fake data and use 425 * whatever authentication mechanisms it was using otherwise 426 * for the local connection. 427 */ 428 if (!got_data) { 429 u_int8_t rnd[16]; 430 u_int i; 431 432 logit("Warning: No xauth data; " 433 "using fake authentication data for X11 forwarding."); 434 strlcpy(proto, SSH_X11_PROTO, sizeof proto); 435 arc4random_buf(rnd, sizeof(rnd)); 436 for (i = 0; i < sizeof(rnd); i++) { 437 snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", 438 rnd[i]); 439 } 440 } 441 442 return 0; 443 } 444 445 /* 446 * Checks if the client window has changed, and sends a packet about it to 447 * the server if so. The actual change is detected elsewhere (by a software 448 * interrupt on Unix); this just checks the flag and sends a message if 449 * appropriate. 450 */ 451 452 static void 453 client_check_window_change(struct ssh *ssh) 454 { 455 if (!received_window_change_signal) 456 return; 457 /** XXX race */ 458 received_window_change_signal = 0; 459 460 debug2("%s: changed", __func__); 461 462 channel_send_window_changes(ssh); 463 } 464 465 static int 466 client_global_request_reply(int type, u_int32_t seq, struct ssh *ssh) 467 { 468 struct global_confirm *gc; 469 470 if ((gc = TAILQ_FIRST(&global_confirms)) == NULL) 471 return 0; 472 if (gc->cb != NULL) 473 gc->cb(ssh, type, seq, gc->ctx); 474 if (--gc->ref_count <= 0) { 475 TAILQ_REMOVE(&global_confirms, gc, entry); 476 explicit_bzero(gc, sizeof(*gc)); 477 free(gc); 478 } 479 480 ssh_packet_set_alive_timeouts(ssh, 0); 481 return 0; 482 } 483 484 static void 485 server_alive_check(struct ssh *ssh) 486 { 487 int r; 488 489 if (ssh_packet_inc_alive_timeouts(ssh) > options.server_alive_count_max) { 490 logit("Timeout, server %s not responding.", host); 491 cleanup_exit(255); 492 } 493 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 494 (r = sshpkt_put_cstring(ssh, "keepalive@openssh.com")) != 0 || 495 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* boolean: want reply */ 496 (r = sshpkt_send(ssh)) != 0) 497 fatal("%s: send packet: %s", __func__, ssh_err(r)); 498 /* Insert an empty placeholder to maintain ordering */ 499 client_register_global_confirm(NULL, NULL); 500 } 501 502 /* 503 * Waits until the client can do something (some data becomes available on 504 * one of the file descriptors). 505 */ 506 static void 507 client_wait_until_can_do_something(struct ssh *ssh, 508 fd_set **readsetp, fd_set **writesetp, 509 int *maxfdp, u_int *nallocp, int rekeying) 510 { 511 struct timeval tv, *tvp; 512 int timeout_secs; 513 time_t minwait_secs = 0, server_alive_time = 0, now = monotime(); 514 int r, ret; 515 516 /* Add any selections by the channel mechanism. */ 517 channel_prepare_select(ssh, readsetp, writesetp, maxfdp, 518 nallocp, &minwait_secs); 519 520 /* channel_prepare_select could have closed the last channel */ 521 if (session_closed && !channel_still_open(ssh) && 522 !ssh_packet_have_data_to_write(ssh)) { 523 /* clear mask since we did not call select() */ 524 memset(*readsetp, 0, *nallocp); 525 memset(*writesetp, 0, *nallocp); 526 return; 527 } 528 529 FD_SET(connection_in, *readsetp); 530 531 /* Select server connection if have data to write to the server. */ 532 if (ssh_packet_have_data_to_write(ssh)) 533 FD_SET(connection_out, *writesetp); 534 535 /* 536 * Wait for something to happen. This will suspend the process until 537 * some selected descriptor can be read, written, or has some other 538 * event pending, or a timeout expires. 539 */ 540 541 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 542 if (options.server_alive_interval > 0) { 543 timeout_secs = options.server_alive_interval; 544 server_alive_time = now + options.server_alive_interval; 545 } 546 if (options.rekey_interval > 0 && !rekeying) 547 timeout_secs = MINIMUM(timeout_secs, 548 ssh_packet_get_rekey_timeout(ssh)); 549 set_control_persist_exit_time(ssh); 550 if (control_persist_exit_time > 0) { 551 timeout_secs = MINIMUM(timeout_secs, 552 control_persist_exit_time - now); 553 if (timeout_secs < 0) 554 timeout_secs = 0; 555 } 556 if (minwait_secs != 0) 557 timeout_secs = MINIMUM(timeout_secs, (int)minwait_secs); 558 if (timeout_secs == INT_MAX) 559 tvp = NULL; 560 else { 561 tv.tv_sec = timeout_secs; 562 tv.tv_usec = 0; 563 tvp = &tv; 564 } 565 566 ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); 567 if (ret == -1) { 568 /* 569 * We have to clear the select masks, because we return. 570 * We have to return, because the mainloop checks for the flags 571 * set by the signal handlers. 572 */ 573 memset(*readsetp, 0, *nallocp); 574 memset(*writesetp, 0, *nallocp); 575 576 if (errno == EINTR) 577 return; 578 /* Note: we might still have data in the buffers. */ 579 if ((r = sshbuf_putf(stderr_buffer, 580 "select: %s\r\n", strerror(errno))) != 0) 581 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 582 quit_pending = 1; 583 } else if (ret == 0) { 584 /* 585 * Timeout. Could have been either keepalive or rekeying. 586 * Keepalive we check here, rekeying is checked in clientloop. 587 */ 588 if (server_alive_time != 0 && server_alive_time <= monotime()) 589 server_alive_check(ssh); 590 } 591 592 } 593 594 static void 595 client_suspend_self(struct sshbuf *bin, struct sshbuf *bout, struct sshbuf *berr) 596 { 597 /* Flush stdout and stderr buffers. */ 598 if (sshbuf_len(bout) > 0) 599 atomicio(vwrite, fileno(stdout), sshbuf_mutable_ptr(bout), 600 sshbuf_len(bout)); 601 if (sshbuf_len(berr) > 0) 602 atomicio(vwrite, fileno(stderr), sshbuf_mutable_ptr(berr), 603 sshbuf_len(berr)); 604 605 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 606 607 sshbuf_reset(bin); 608 sshbuf_reset(bout); 609 sshbuf_reset(berr); 610 611 /* Send the suspend signal to the program itself. */ 612 kill(getpid(), SIGTSTP); 613 614 /* Reset window sizes in case they have changed */ 615 received_window_change_signal = 1; 616 617 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 618 } 619 620 static void 621 client_process_net_input(struct ssh *ssh, fd_set *readset) 622 { 623 char buf[8192]; 624 int r, len; 625 626 /* 627 * Read input from the server, and add any such data to the buffer of 628 * the packet subsystem. 629 */ 630 if (FD_ISSET(connection_in, readset)) { 631 /* Read as much as possible. */ 632 len = read(connection_in, buf, sizeof(buf)); 633 if (len == 0) { 634 /* 635 * Received EOF. The remote host has closed the 636 * connection. 637 */ 638 if ((r = sshbuf_putf(stderr_buffer, 639 "Connection to %.300s closed by remote host.\r\n", 640 host)) != 0) 641 fatal("%s: buffer error: %s", 642 __func__, ssh_err(r)); 643 quit_pending = 1; 644 return; 645 } 646 /* 647 * There is a kernel bug on Solaris that causes select to 648 * sometimes wake up even though there is no data available. 649 */ 650 if (len == -1 && (errno == EAGAIN || errno == EINTR)) 651 len = 0; 652 653 if (len == -1) { 654 /* 655 * An error has encountered. Perhaps there is a 656 * network problem. 657 */ 658 if ((r = sshbuf_putf(stderr_buffer, 659 "Read from remote host %.300s: %.100s\r\n", 660 host, strerror(errno))) != 0) 661 fatal("%s: buffer error: %s", 662 __func__, ssh_err(r)); 663 quit_pending = 1; 664 return; 665 } 666 ssh_packet_process_incoming(ssh, buf, len); 667 } 668 } 669 670 static void 671 client_status_confirm(struct ssh *ssh, int type, Channel *c, void *ctx) 672 { 673 struct channel_reply_ctx *cr = (struct channel_reply_ctx *)ctx; 674 char errmsg[256]; 675 int r, tochan; 676 677 /* 678 * If a TTY was explicitly requested, then a failure to allocate 679 * one is fatal. 680 */ 681 if (cr->action == CONFIRM_TTY && 682 (options.request_tty == REQUEST_TTY_FORCE || 683 options.request_tty == REQUEST_TTY_YES)) 684 cr->action = CONFIRM_CLOSE; 685 686 /* XXX suppress on mux _client_ quietmode */ 687 tochan = options.log_level >= SYSLOG_LEVEL_ERROR && 688 c->ctl_chan != -1 && c->extended_usage == CHAN_EXTENDED_WRITE; 689 690 if (type == SSH2_MSG_CHANNEL_SUCCESS) { 691 debug2("%s request accepted on channel %d", 692 cr->request_type, c->self); 693 } else if (type == SSH2_MSG_CHANNEL_FAILURE) { 694 if (tochan) { 695 snprintf(errmsg, sizeof(errmsg), 696 "%s request failed\r\n", cr->request_type); 697 } else { 698 snprintf(errmsg, sizeof(errmsg), 699 "%s request failed on channel %d", 700 cr->request_type, c->self); 701 } 702 /* If error occurred on primary session channel, then exit */ 703 if (cr->action == CONFIRM_CLOSE && c->self == session_ident) 704 fatal("%s", errmsg); 705 /* 706 * If error occurred on mux client, append to 707 * their stderr. 708 */ 709 if (tochan) { 710 if ((r = sshbuf_put(c->extended, errmsg, 711 strlen(errmsg))) != 0) 712 fatal("%s: buffer error %s", __func__, 713 ssh_err(r)); 714 } else 715 error("%s", errmsg); 716 if (cr->action == CONFIRM_TTY) { 717 /* 718 * If a TTY allocation error occurred, then arrange 719 * for the correct TTY to leave raw mode. 720 */ 721 if (c->self == session_ident) 722 leave_raw_mode(0); 723 else 724 mux_tty_alloc_failed(ssh, c); 725 } else if (cr->action == CONFIRM_CLOSE) { 726 chan_read_failed(ssh, c); 727 chan_write_failed(ssh, c); 728 } 729 } 730 free(cr); 731 } 732 733 static void 734 client_abandon_status_confirm(struct ssh *ssh, Channel *c, void *ctx) 735 { 736 free(ctx); 737 } 738 739 void 740 client_expect_confirm(struct ssh *ssh, int id, const char *request, 741 enum confirm_action action) 742 { 743 struct channel_reply_ctx *cr = xcalloc(1, sizeof(*cr)); 744 745 cr->request_type = request; 746 cr->action = action; 747 748 channel_register_status_confirm(ssh, id, client_status_confirm, 749 client_abandon_status_confirm, cr); 750 } 751 752 void 753 client_register_global_confirm(global_confirm_cb *cb, void *ctx) 754 { 755 struct global_confirm *gc, *last_gc; 756 757 /* Coalesce identical callbacks */ 758 last_gc = TAILQ_LAST(&global_confirms, global_confirms); 759 if (last_gc && last_gc->cb == cb && last_gc->ctx == ctx) { 760 if (++last_gc->ref_count >= INT_MAX) 761 fatal("%s: last_gc->ref_count = %d", 762 __func__, last_gc->ref_count); 763 return; 764 } 765 766 gc = xcalloc(1, sizeof(*gc)); 767 gc->cb = cb; 768 gc->ctx = ctx; 769 gc->ref_count = 1; 770 TAILQ_INSERT_TAIL(&global_confirms, gc, entry); 771 } 772 773 static void 774 process_cmdline(struct ssh *ssh) 775 { 776 void (*handler)(int); 777 char *s, *cmd; 778 int ok, delete = 0, local = 0, remote = 0, dynamic = 0; 779 struct Forward fwd; 780 781 memset(&fwd, 0, sizeof(fwd)); 782 783 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 784 handler = ssh_signal(SIGINT, SIG_IGN); 785 cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); 786 if (s == NULL) 787 goto out; 788 while (isspace((u_char)*s)) 789 s++; 790 if (*s == '-') 791 s++; /* Skip cmdline '-', if any */ 792 if (*s == '\0') 793 goto out; 794 795 if (*s == 'h' || *s == 'H' || *s == '?') { 796 logit("Commands:"); 797 logit(" -L[bind_address:]port:host:hostport " 798 "Request local forward"); 799 logit(" -R[bind_address:]port:host:hostport " 800 "Request remote forward"); 801 logit(" -D[bind_address:]port " 802 "Request dynamic forward"); 803 logit(" -KL[bind_address:]port " 804 "Cancel local forward"); 805 logit(" -KR[bind_address:]port " 806 "Cancel remote forward"); 807 logit(" -KD[bind_address:]port " 808 "Cancel dynamic forward"); 809 if (!options.permit_local_command) 810 goto out; 811 logit(" !args " 812 "Execute local command"); 813 goto out; 814 } 815 816 if (*s == '!' && options.permit_local_command) { 817 s++; 818 ssh_local_cmd(s); 819 goto out; 820 } 821 822 if (*s == 'K') { 823 delete = 1; 824 s++; 825 } 826 if (*s == 'L') 827 local = 1; 828 else if (*s == 'R') 829 remote = 1; 830 else if (*s == 'D') 831 dynamic = 1; 832 else { 833 logit("Invalid command."); 834 goto out; 835 } 836 837 while (isspace((u_char)*++s)) 838 ; 839 840 /* XXX update list of forwards in options */ 841 if (delete) { 842 /* We pass 1 for dynamicfwd to restrict to 1 or 2 fields. */ 843 if (!parse_forward(&fwd, s, 1, 0)) { 844 logit("Bad forwarding close specification."); 845 goto out; 846 } 847 if (remote) 848 ok = channel_request_rforward_cancel(ssh, &fwd) == 0; 849 else if (dynamic) 850 ok = channel_cancel_lport_listener(ssh, &fwd, 851 0, &options.fwd_opts) > 0; 852 else 853 ok = channel_cancel_lport_listener(ssh, &fwd, 854 CHANNEL_CANCEL_PORT_STATIC, 855 &options.fwd_opts) > 0; 856 if (!ok) { 857 logit("Unknown port forwarding."); 858 goto out; 859 } 860 logit("Canceled forwarding."); 861 } else { 862 if (!parse_forward(&fwd, s, dynamic, remote)) { 863 logit("Bad forwarding specification."); 864 goto out; 865 } 866 if (local || dynamic) { 867 if (!channel_setup_local_fwd_listener(ssh, &fwd, 868 &options.fwd_opts)) { 869 logit("Port forwarding failed."); 870 goto out; 871 } 872 } else { 873 if (channel_request_remote_forwarding(ssh, &fwd) < 0) { 874 logit("Port forwarding failed."); 875 goto out; 876 } 877 } 878 logit("Forwarding port."); 879 } 880 881 out: 882 ssh_signal(SIGINT, handler); 883 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 884 free(cmd); 885 free(fwd.listen_host); 886 free(fwd.listen_path); 887 free(fwd.connect_host); 888 free(fwd.connect_path); 889 } 890 891 /* reasons to suppress output of an escape command in help output */ 892 #define SUPPRESS_NEVER 0 /* never suppress, always show */ 893 #define SUPPRESS_MUXCLIENT 1 /* don't show in mux client sessions */ 894 #define SUPPRESS_MUXMASTER 2 /* don't show in mux master sessions */ 895 #define SUPPRESS_SYSLOG 4 /* don't show when logging to syslog */ 896 struct escape_help_text { 897 const char *cmd; 898 const char *text; 899 unsigned int flags; 900 }; 901 static struct escape_help_text esc_txt[] = { 902 {".", "terminate session", SUPPRESS_MUXMASTER}, 903 {".", "terminate connection (and any multiplexed sessions)", 904 SUPPRESS_MUXCLIENT}, 905 {"B", "send a BREAK to the remote system", SUPPRESS_NEVER}, 906 {"C", "open a command line", SUPPRESS_MUXCLIENT}, 907 {"R", "request rekey", SUPPRESS_NEVER}, 908 {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, 909 {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, 910 {"#", "list forwarded connections", SUPPRESS_NEVER}, 911 {"&", "background ssh (when waiting for connections to terminate)", 912 SUPPRESS_MUXCLIENT}, 913 {"?", "this message", SUPPRESS_NEVER}, 914 }; 915 916 static void 917 print_escape_help(struct sshbuf *b, int escape_char, int mux_client, 918 int using_stderr) 919 { 920 unsigned int i, suppress_flags; 921 int r; 922 923 if ((r = sshbuf_putf(b, 924 "%c?\r\nSupported escape sequences:\r\n", escape_char)) != 0) 925 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 926 927 suppress_flags = 928 (mux_client ? SUPPRESS_MUXCLIENT : 0) | 929 (mux_client ? 0 : SUPPRESS_MUXMASTER) | 930 (using_stderr ? 0 : SUPPRESS_SYSLOG); 931 932 for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { 933 if (esc_txt[i].flags & suppress_flags) 934 continue; 935 if ((r = sshbuf_putf(b, " %c%-3s - %s\r\n", 936 escape_char, esc_txt[i].cmd, esc_txt[i].text)) != 0) 937 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 938 } 939 940 if ((r = sshbuf_putf(b, 941 " %c%c - send the escape character by typing it twice\r\n" 942 "(Note that escapes are only recognized immediately after " 943 "newline.)\r\n", escape_char, escape_char)) != 0) 944 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 945 } 946 947 /* 948 * Process the characters one by one. 949 */ 950 static int 951 process_escapes(struct ssh *ssh, Channel *c, 952 struct sshbuf *bin, struct sshbuf *bout, struct sshbuf *berr, 953 const char *buf, int len) 954 { 955 pid_t pid; 956 int r, bytes = 0; 957 u_int i; 958 u_char ch; 959 char *s; 960 struct escape_filter_ctx *efc = c->filter_ctx == NULL ? 961 NULL : (struct escape_filter_ctx *)c->filter_ctx; 962 963 if (c->filter_ctx == NULL) 964 return 0; 965 966 if (len <= 0) 967 return (0); 968 969 for (i = 0; i < (u_int)len; i++) { 970 /* Get one character at a time. */ 971 ch = buf[i]; 972 973 if (efc->escape_pending) { 974 /* We have previously seen an escape character. */ 975 /* Clear the flag now. */ 976 efc->escape_pending = 0; 977 978 /* Process the escaped character. */ 979 switch (ch) { 980 case '.': 981 /* Terminate the connection. */ 982 if ((r = sshbuf_putf(berr, "%c.\r\n", 983 efc->escape_char)) != 0) 984 fatal("%s: buffer error: %s", 985 __func__, ssh_err(r)); 986 if (c && c->ctl_chan != -1) { 987 chan_read_failed(ssh, c); 988 chan_write_failed(ssh, c); 989 if (c->detach_user) { 990 c->detach_user(ssh, 991 c->self, NULL); 992 } 993 c->type = SSH_CHANNEL_ABANDONED; 994 sshbuf_reset(c->input); 995 chan_ibuf_empty(ssh, c); 996 return 0; 997 } else 998 quit_pending = 1; 999 return -1; 1000 1001 case 'Z' - 64: 1002 /* XXX support this for mux clients */ 1003 if (c && c->ctl_chan != -1) { 1004 char b[16]; 1005 noescape: 1006 if (ch == 'Z' - 64) 1007 snprintf(b, sizeof b, "^Z"); 1008 else 1009 snprintf(b, sizeof b, "%c", ch); 1010 if ((r = sshbuf_putf(berr, 1011 "%c%s escape not available to " 1012 "multiplexed sessions\r\n", 1013 efc->escape_char, b)) != 0) 1014 fatal("%s: buffer error: %s", 1015 __func__, ssh_err(r)); 1016 continue; 1017 } 1018 /* Suspend the program. Inform the user */ 1019 if ((r = sshbuf_putf(berr, 1020 "%c^Z [suspend ssh]\r\n", 1021 efc->escape_char)) != 0) 1022 fatal("%s: buffer error: %s", 1023 __func__, ssh_err(r)); 1024 1025 /* Restore terminal modes and suspend. */ 1026 client_suspend_self(bin, bout, berr); 1027 1028 /* We have been continued. */ 1029 continue; 1030 1031 case 'B': 1032 if ((r = sshbuf_putf(berr, 1033 "%cB\r\n", efc->escape_char)) != 0) 1034 fatal("%s: buffer error: %s", 1035 __func__, ssh_err(r)); 1036 channel_request_start(ssh, c->self, "break", 0); 1037 if ((r = sshpkt_put_u32(ssh, 1000)) != 0 || 1038 (r = sshpkt_send(ssh)) != 0) 1039 fatal("%s: send packet: %s", __func__, 1040 ssh_err(r)); 1041 continue; 1042 1043 case 'R': 1044 if (datafellows & SSH_BUG_NOREKEY) 1045 logit("Server does not " 1046 "support re-keying"); 1047 else 1048 need_rekeying = 1; 1049 continue; 1050 1051 case 'V': 1052 /* FALLTHROUGH */ 1053 case 'v': 1054 if (c && c->ctl_chan != -1) 1055 goto noescape; 1056 if (!log_is_on_stderr()) { 1057 if ((r = sshbuf_putf(berr, 1058 "%c%c [Logging to syslog]\r\n", 1059 efc->escape_char, ch)) != 0) 1060 fatal("%s: buffer error: %s", 1061 __func__, ssh_err(r)); 1062 continue; 1063 } 1064 if (ch == 'V' && options.log_level > 1065 SYSLOG_LEVEL_QUIET) 1066 log_change_level(--options.log_level); 1067 if (ch == 'v' && options.log_level < 1068 SYSLOG_LEVEL_DEBUG3) 1069 log_change_level(++options.log_level); 1070 if ((r = sshbuf_putf(berr, 1071 "%c%c [LogLevel %s]\r\n", 1072 efc->escape_char, ch, 1073 log_level_name(options.log_level))) != 0) 1074 fatal("%s: buffer error: %s", 1075 __func__, ssh_err(r)); 1076 continue; 1077 1078 case '&': 1079 if (c && c->ctl_chan != -1) 1080 goto noescape; 1081 /* 1082 * Detach the program (continue to serve 1083 * connections, but put in background and no 1084 * more new connections). 1085 */ 1086 /* Restore tty modes. */ 1087 leave_raw_mode( 1088 options.request_tty == REQUEST_TTY_FORCE); 1089 1090 /* Stop listening for new connections. */ 1091 channel_stop_listening(ssh); 1092 1093 if ((r = sshbuf_putf(berr, 1094 "%c& [backgrounded]\n", efc->escape_char)) 1095 != 0) 1096 fatal("%s: buffer error: %s", 1097 __func__, ssh_err(r)); 1098 1099 /* Fork into background. */ 1100 pid = fork(); 1101 if (pid == -1) { 1102 error("fork: %.100s", strerror(errno)); 1103 continue; 1104 } 1105 if (pid != 0) { /* This is the parent. */ 1106 /* The parent just exits. */ 1107 exit(0); 1108 } 1109 /* The child continues serving connections. */ 1110 /* fake EOF on stdin */ 1111 if ((r = sshbuf_put_u8(bin, 4)) != 0) 1112 fatal("%s: buffer error: %s", 1113 __func__, ssh_err(r)); 1114 return -1; 1115 case '?': 1116 print_escape_help(berr, efc->escape_char, 1117 (c && c->ctl_chan != -1), 1118 log_is_on_stderr()); 1119 continue; 1120 1121 case '#': 1122 if ((r = sshbuf_putf(berr, "%c#\r\n", 1123 efc->escape_char)) != 0) 1124 fatal("%s: buffer error: %s", 1125 __func__, ssh_err(r)); 1126 s = channel_open_message(ssh); 1127 if ((r = sshbuf_put(berr, s, strlen(s))) != 0) 1128 fatal("%s: buffer error: %s", 1129 __func__, ssh_err(r)); 1130 free(s); 1131 continue; 1132 1133 case 'C': 1134 if (c && c->ctl_chan != -1) 1135 goto noescape; 1136 process_cmdline(ssh); 1137 continue; 1138 1139 default: 1140 if (ch != efc->escape_char) { 1141 if ((r = sshbuf_put_u8(bin, 1142 efc->escape_char)) != 0) 1143 fatal("%s: buffer error: %s", 1144 __func__, ssh_err(r)); 1145 bytes++; 1146 } 1147 /* Escaped characters fall through here */ 1148 break; 1149 } 1150 } else { 1151 /* 1152 * The previous character was not an escape char. 1153 * Check if this is an escape. 1154 */ 1155 if (last_was_cr && ch == efc->escape_char) { 1156 /* 1157 * It is. Set the flag and continue to 1158 * next character. 1159 */ 1160 efc->escape_pending = 1; 1161 continue; 1162 } 1163 } 1164 1165 /* 1166 * Normal character. Record whether it was a newline, 1167 * and append it to the buffer. 1168 */ 1169 last_was_cr = (ch == '\r' || ch == '\n'); 1170 if ((r = sshbuf_put_u8(bin, ch)) != 0) 1171 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1172 bytes++; 1173 } 1174 return bytes; 1175 } 1176 1177 /* 1178 * Get packets from the connection input buffer, and process them as long as 1179 * there are packets available. 1180 * 1181 * Any unknown packets received during the actual 1182 * session cause the session to terminate. This is 1183 * intended to make debugging easier since no 1184 * confirmations are sent. Any compatible protocol 1185 * extensions must be negotiated during the 1186 * preparatory phase. 1187 */ 1188 1189 static void 1190 client_process_buffered_input_packets(struct ssh *ssh) 1191 { 1192 ssh_dispatch_run_fatal(ssh, DISPATCH_NONBLOCK, &quit_pending); 1193 } 1194 1195 /* scan buf[] for '~' before sending data to the peer */ 1196 1197 /* Helper: allocate a new escape_filter_ctx and fill in its escape char */ 1198 void * 1199 client_new_escape_filter_ctx(int escape_char) 1200 { 1201 struct escape_filter_ctx *ret; 1202 1203 ret = xcalloc(1, sizeof(*ret)); 1204 ret->escape_pending = 0; 1205 ret->escape_char = escape_char; 1206 return (void *)ret; 1207 } 1208 1209 /* Free the escape filter context on channel free */ 1210 void 1211 client_filter_cleanup(struct ssh *ssh, int cid, void *ctx) 1212 { 1213 free(ctx); 1214 } 1215 1216 int 1217 client_simple_escape_filter(struct ssh *ssh, Channel *c, const char *buf, 1218 int len) 1219 { 1220 if (c->extended_usage != CHAN_EXTENDED_WRITE) 1221 return 0; 1222 1223 return process_escapes(ssh, c, c->input, c->output, c->extended, 1224 buf, len); 1225 } 1226 1227 static void 1228 client_channel_closed(struct ssh *ssh, int id, void *arg) 1229 { 1230 channel_cancel_cleanup(ssh, id); 1231 session_closed = 1; 1232 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1233 } 1234 1235 /* 1236 * Implements the interactive session with the server. This is called after 1237 * the user has been authenticated, and a command has been started on the 1238 * remote host. If escape_char != SSH_ESCAPECHAR_NONE, it is the character 1239 * used as an escape character for terminating or suspending the session. 1240 */ 1241 int 1242 client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 1243 int ssh2_chan_id) 1244 { 1245 fd_set *readset = NULL, *writeset = NULL; 1246 double start_time, total_time; 1247 int r, max_fd = 0, max_fd2 = 0, len; 1248 u_int64_t ibytes, obytes; 1249 u_int nalloc = 0; 1250 char buf[100]; 1251 1252 debug("Entering interactive session."); 1253 1254 #ifdef __OpenBSD__ 1255 if (options.control_master && 1256 !option_clear_or_none(options.control_path)) { 1257 debug("pledge: id"); 1258 if (pledge("stdio rpath wpath cpath unix inet dns recvfd sendfd proc exec id tty", 1259 NULL) == -1) 1260 fatal("%s pledge(): %s", __func__, strerror(errno)); 1261 1262 } else if (options.forward_x11 || options.permit_local_command) { 1263 debug("pledge: exec"); 1264 if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty", 1265 NULL) == -1) 1266 fatal("%s pledge(): %s", __func__, strerror(errno)); 1267 1268 } else if (options.update_hostkeys) { 1269 debug("pledge: filesystem full"); 1270 if (pledge("stdio rpath wpath cpath unix inet dns proc tty", 1271 NULL) == -1) 1272 fatal("%s pledge(): %s", __func__, strerror(errno)); 1273 1274 } else if (!option_clear_or_none(options.proxy_command) || 1275 fork_after_authentication_flag) { 1276 debug("pledge: proc"); 1277 if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1) 1278 fatal("%s pledge(): %s", __func__, strerror(errno)); 1279 1280 } else { 1281 debug("pledge: network"); 1282 if (pledge("stdio unix inet dns proc tty", NULL) == -1) 1283 fatal("%s pledge(): %s", __func__, strerror(errno)); 1284 } 1285 #endif 1286 1287 start_time = monotime_double(); 1288 1289 /* Initialize variables. */ 1290 last_was_cr = 1; 1291 exit_status = -1; 1292 connection_in = ssh_packet_get_connection_in(ssh); 1293 connection_out = ssh_packet_get_connection_out(ssh); 1294 max_fd = MAXIMUM(connection_in, connection_out); 1295 1296 quit_pending = 0; 1297 1298 /* Initialize buffer. */ 1299 if ((stderr_buffer = sshbuf_new()) == NULL) 1300 fatal("%s: sshbuf_new failed", __func__); 1301 1302 client_init_dispatch(ssh); 1303 1304 /* 1305 * Set signal handlers, (e.g. to restore non-blocking mode) 1306 * but don't overwrite SIG_IGN, matches behaviour from rsh(1) 1307 */ 1308 if (ssh_signal(SIGHUP, SIG_IGN) != SIG_IGN) 1309 ssh_signal(SIGHUP, signal_handler); 1310 if (ssh_signal(SIGINT, SIG_IGN) != SIG_IGN) 1311 ssh_signal(SIGINT, signal_handler); 1312 if (ssh_signal(SIGQUIT, SIG_IGN) != SIG_IGN) 1313 ssh_signal(SIGQUIT, signal_handler); 1314 if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN) 1315 ssh_signal(SIGTERM, signal_handler); 1316 ssh_signal(SIGWINCH, window_change_handler); 1317 1318 if (have_pty) 1319 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1320 1321 session_ident = ssh2_chan_id; 1322 if (session_ident != -1) { 1323 if (escape_char_arg != SSH_ESCAPECHAR_NONE) { 1324 channel_register_filter(ssh, session_ident, 1325 client_simple_escape_filter, NULL, 1326 client_filter_cleanup, 1327 client_new_escape_filter_ctx( 1328 escape_char_arg)); 1329 } 1330 channel_register_cleanup(ssh, session_ident, 1331 client_channel_closed, 0); 1332 } 1333 1334 /* Main loop of the client for the interactive session mode. */ 1335 while (!quit_pending) { 1336 1337 /* Process buffered packets sent by the server. */ 1338 client_process_buffered_input_packets(ssh); 1339 1340 if (session_closed && !channel_still_open(ssh)) 1341 break; 1342 1343 if (ssh_packet_is_rekeying(ssh)) { 1344 debug("rekeying in progress"); 1345 } else if (need_rekeying) { 1346 /* manual rekey request */ 1347 debug("need rekeying"); 1348 if ((r = kex_start_rekex(ssh)) != 0) 1349 fatal("%s: kex_start_rekex: %s", __func__, 1350 ssh_err(r)); 1351 need_rekeying = 0; 1352 } else { 1353 /* 1354 * Make packets from buffered channel data, and 1355 * enqueue them for sending to the server. 1356 */ 1357 if (ssh_packet_not_very_much_data_to_write(ssh)) 1358 channel_output_poll(ssh); 1359 1360 /* 1361 * Check if the window size has changed, and buffer a 1362 * message about it to the server if so. 1363 */ 1364 client_check_window_change(ssh); 1365 1366 if (quit_pending) 1367 break; 1368 } 1369 /* 1370 * Wait until we have something to do (something becomes 1371 * available on one of the descriptors). 1372 */ 1373 max_fd2 = max_fd; 1374 client_wait_until_can_do_something(ssh, &readset, &writeset, 1375 &max_fd2, &nalloc, ssh_packet_is_rekeying(ssh)); 1376 1377 if (quit_pending) 1378 break; 1379 1380 /* Do channel operations unless rekeying in progress. */ 1381 if (!ssh_packet_is_rekeying(ssh)) 1382 channel_after_select(ssh, readset, writeset); 1383 1384 /* Buffer input from the connection. */ 1385 client_process_net_input(ssh, readset); 1386 1387 if (quit_pending) 1388 break; 1389 1390 /* 1391 * Send as much buffered packet data as possible to the 1392 * sender. 1393 */ 1394 if (FD_ISSET(connection_out, writeset)) { 1395 if ((r = ssh_packet_write_poll(ssh)) < 0) { 1396 sshpkt_fatal(ssh, r, 1397 "%s: ssh_packet_write_poll", __func__); 1398 } 1399 } 1400 1401 /* 1402 * If we are a backgrounded control master, and the 1403 * timeout has expired without any active client 1404 * connections, then quit. 1405 */ 1406 if (control_persist_exit_time > 0) { 1407 if (monotime() >= control_persist_exit_time) { 1408 debug("ControlPersist timeout expired"); 1409 break; 1410 } 1411 } 1412 } 1413 free(readset); 1414 free(writeset); 1415 1416 /* Terminate the session. */ 1417 1418 /* Stop watching for window change. */ 1419 ssh_signal(SIGWINCH, SIG_DFL); 1420 1421 if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || 1422 (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_BY_APPLICATION)) != 0 || 1423 (r = sshpkt_put_cstring(ssh, "disconnected by user")) != 0 || 1424 (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language tag */ 1425 (r = sshpkt_send(ssh)) != 0 || 1426 (r = ssh_packet_write_wait(ssh)) < 0) 1427 fatal("%s: send disconnect: %s", __func__, ssh_err(r)); 1428 1429 channel_free_all(ssh); 1430 1431 if (have_pty) 1432 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1433 1434 /* restore blocking io */ 1435 if (!isatty(fileno(stdin))) 1436 unset_nonblock(fileno(stdin)); 1437 if (!isatty(fileno(stdout))) 1438 unset_nonblock(fileno(stdout)); 1439 if (!isatty(fileno(stderr))) 1440 unset_nonblock(fileno(stderr)); 1441 1442 /* 1443 * If there was no shell or command requested, there will be no remote 1444 * exit status to be returned. In that case, clear error code if the 1445 * connection was deliberately terminated at this end. 1446 */ 1447 if (no_shell_flag && received_signal == SIGTERM) { 1448 received_signal = 0; 1449 exit_status = 0; 1450 } 1451 1452 if (received_signal) { 1453 verbose("Killed by signal %d.", (int) received_signal); 1454 cleanup_exit(0); 1455 } 1456 1457 /* 1458 * In interactive mode (with pseudo tty) display a message indicating 1459 * that the connection has been closed. 1460 */ 1461 if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) { 1462 if ((r = sshbuf_putf(stderr_buffer, 1463 "Connection to %.64s closed.\r\n", host)) != 0) 1464 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1465 } 1466 1467 /* Output any buffered data for stderr. */ 1468 if (sshbuf_len(stderr_buffer) > 0) { 1469 len = atomicio(vwrite, fileno(stderr), 1470 sshbuf_mutable_ptr(stderr_buffer), 1471 sshbuf_len(stderr_buffer)); 1472 if (len < 0 || (u_int)len != sshbuf_len(stderr_buffer)) 1473 error("Write failed flushing stderr buffer."); 1474 else if ((r = sshbuf_consume(stderr_buffer, len)) != 0) 1475 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1476 } 1477 1478 /* Clear and free any buffers. */ 1479 explicit_bzero(buf, sizeof(buf)); 1480 sshbuf_free(stderr_buffer); 1481 1482 /* Report bytes transferred, and transfer rates. */ 1483 total_time = monotime_double() - start_time; 1484 ssh_packet_get_bytes(ssh, &ibytes, &obytes); 1485 verbose("Transferred: sent %llu, received %llu bytes, in %.1f seconds", 1486 (unsigned long long)obytes, (unsigned long long)ibytes, total_time); 1487 if (total_time > 0) 1488 verbose("Bytes per second: sent %.1f, received %.1f", 1489 obytes / total_time, ibytes / total_time); 1490 /* Return the exit status of the program. */ 1491 debug("Exit status %d", exit_status); 1492 return exit_status; 1493 } 1494 1495 /*********/ 1496 1497 static Channel * 1498 client_request_forwarded_tcpip(struct ssh *ssh, const char *request_type, 1499 int rchan, u_int rwindow, u_int rmaxpack) 1500 { 1501 Channel *c = NULL; 1502 struct sshbuf *b = NULL; 1503 char *listen_address, *originator_address; 1504 u_int listen_port, originator_port; 1505 int r; 1506 1507 /* Get rest of the packet */ 1508 if ((r = sshpkt_get_cstring(ssh, &listen_address, NULL)) != 0 || 1509 (r = sshpkt_get_u32(ssh, &listen_port)) != 0 || 1510 (r = sshpkt_get_cstring(ssh, &originator_address, NULL)) != 0 || 1511 (r = sshpkt_get_u32(ssh, &originator_port)) != 0 || 1512 (r = sshpkt_get_end(ssh)) != 0) 1513 fatal("%s: parse packet: %s", __func__, ssh_err(r)); 1514 1515 debug("%s: listen %s port %d, originator %s port %d", __func__, 1516 listen_address, listen_port, originator_address, originator_port); 1517 1518 if (listen_port > 0xffff) 1519 error("%s: invalid listen port", __func__); 1520 else if (originator_port > 0xffff) 1521 error("%s: invalid originator port", __func__); 1522 else { 1523 c = channel_connect_by_listen_address(ssh, 1524 listen_address, listen_port, "forwarded-tcpip", 1525 originator_address); 1526 } 1527 1528 if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) { 1529 if ((b = sshbuf_new()) == NULL) { 1530 error("%s: alloc reply", __func__); 1531 goto out; 1532 } 1533 /* reconstruct and send to muxclient */ 1534 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */ 1535 (r = sshbuf_put_u8(b, SSH2_MSG_CHANNEL_OPEN)) != 0 || 1536 (r = sshbuf_put_cstring(b, request_type)) != 0 || 1537 (r = sshbuf_put_u32(b, rchan)) != 0 || 1538 (r = sshbuf_put_u32(b, rwindow)) != 0 || 1539 (r = sshbuf_put_u32(b, rmaxpack)) != 0 || 1540 (r = sshbuf_put_cstring(b, listen_address)) != 0 || 1541 (r = sshbuf_put_u32(b, listen_port)) != 0 || 1542 (r = sshbuf_put_cstring(b, originator_address)) != 0 || 1543 (r = sshbuf_put_u32(b, originator_port)) != 0 || 1544 (r = sshbuf_put_stringb(c->output, b)) != 0) { 1545 error("%s: compose for muxclient %s", __func__, 1546 ssh_err(r)); 1547 goto out; 1548 } 1549 } 1550 1551 out: 1552 sshbuf_free(b); 1553 free(originator_address); 1554 free(listen_address); 1555 return c; 1556 } 1557 1558 static Channel * 1559 client_request_forwarded_streamlocal(struct ssh *ssh, 1560 const char *request_type, int rchan) 1561 { 1562 Channel *c = NULL; 1563 char *listen_path; 1564 int r; 1565 1566 /* Get the remote path. */ 1567 if ((r = sshpkt_get_cstring(ssh, &listen_path, NULL)) != 0 || 1568 (r = sshpkt_get_string(ssh, NULL, NULL)) != 0 || /* reserved */ 1569 (r = sshpkt_get_end(ssh)) != 0) 1570 fatal("%s: parse packet: %s", __func__, ssh_err(r)); 1571 1572 debug("%s: request: %s", __func__, listen_path); 1573 1574 c = channel_connect_by_listen_path(ssh, listen_path, 1575 "forwarded-streamlocal@openssh.com", "forwarded-streamlocal"); 1576 free(listen_path); 1577 return c; 1578 } 1579 1580 static Channel * 1581 client_request_x11(struct ssh *ssh, const char *request_type, int rchan) 1582 { 1583 Channel *c = NULL; 1584 char *originator; 1585 u_int originator_port; 1586 int r, sock; 1587 1588 if (!options.forward_x11) { 1589 error("Warning: ssh server tried X11 forwarding."); 1590 error("Warning: this is probably a break-in attempt by a " 1591 "malicious server."); 1592 return NULL; 1593 } 1594 if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { 1595 verbose("Rejected X11 connection after ForwardX11Timeout " 1596 "expired"); 1597 return NULL; 1598 } 1599 if ((r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 || 1600 (r = sshpkt_get_u32(ssh, &originator_port)) != 0 || 1601 (r = sshpkt_get_end(ssh)) != 0) 1602 fatal("%s: parse packet: %s", __func__, ssh_err(r)); 1603 /* XXX check permission */ 1604 /* XXX range check originator port? */ 1605 debug("client_request_x11: request from %s %u", originator, 1606 originator_port); 1607 free(originator); 1608 sock = x11_connect_display(ssh); 1609 if (sock < 0) 1610 return NULL; 1611 /* again is this really necessary for X11? */ 1612 if (options.hpn_disabled) 1613 c = channel_new(ssh, "x11", 1614 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 1615 CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); 1616 else 1617 c = channel_new(ssh, "x11", 1618 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 1619 options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); 1620 c->force_drain = 1; 1621 return c; 1622 } 1623 1624 static Channel * 1625 client_request_agent(struct ssh *ssh, const char *request_type, int rchan) 1626 { 1627 Channel *c = NULL; 1628 int r, sock; 1629 1630 if (!options.forward_agent) { 1631 error("Warning: ssh server tried agent forwarding."); 1632 error("Warning: this is probably a break-in attempt by a " 1633 "malicious server."); 1634 return NULL; 1635 } 1636 if (forward_agent_sock_path == NULL) { 1637 r = ssh_get_authentication_socket(&sock); 1638 } else { 1639 r = ssh_get_authentication_socket_path(forward_agent_sock_path, &sock); 1640 } 1641 if (r != 0) { 1642 if (r != SSH_ERR_AGENT_NOT_PRESENT) 1643 debug("%s: ssh_get_authentication_socket: %s", 1644 __func__, ssh_err(r)); 1645 return NULL; 1646 } 1647 if (options.hpn_disabled) 1648 c = channel_new(ssh, "authentication agent connection", 1649 SSH_CHANNEL_OPEN, sock, sock, -1, 1650 CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, 1651 "authentication agent connection", 1); 1652 else 1653 c = channel_new(ssh, "authentication agent connection", 1654 SSH_CHANNEL_OPEN, sock, sock, -1, 1655 options.hpn_buffer_size, options.hpn_buffer_size, 0, 1656 "authentication agent connection", 1); 1657 c->force_drain = 1; 1658 return c; 1659 } 1660 1661 char * 1662 client_request_tun_fwd(struct ssh *ssh, int tun_mode, 1663 int local_tun, int remote_tun) 1664 { 1665 Channel *c; 1666 int r, fd; 1667 char *ifname = NULL; 1668 1669 if (tun_mode == SSH_TUNMODE_NO) 1670 return 0; 1671 1672 debug("Requesting tun unit %d in mode %d", local_tun, tun_mode); 1673 1674 /* Open local tunnel device */ 1675 if ((fd = tun_open(local_tun, tun_mode, &ifname)) == -1) { 1676 error("Tunnel device open failed."); 1677 return NULL; 1678 } 1679 debug("Tunnel forwarding using interface %s", ifname); 1680 1681 if(options.hpn_disabled) 1682 c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, 1683 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); 1684 else 1685 c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, 1686 options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); 1687 c->datagram = 1; 1688 1689 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 || 1690 (r = sshpkt_put_cstring(ssh, "tun@openssh.com")) != 0 || 1691 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 1692 (r = sshpkt_put_u32(ssh, c->local_window_max)) != 0 || 1693 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 || 1694 (r = sshpkt_put_u32(ssh, tun_mode)) != 0 || 1695 (r = sshpkt_put_u32(ssh, remote_tun)) != 0 || 1696 (r = sshpkt_send(ssh)) != 0) 1697 sshpkt_fatal(ssh, r, "%s: send reply", __func__); 1698 1699 return ifname; 1700 } 1701 1702 /* XXXX move to generic input handler */ 1703 static int 1704 client_input_channel_open(int type, u_int32_t seq, struct ssh *ssh) 1705 { 1706 Channel *c = NULL; 1707 char *ctype = NULL; 1708 int r; 1709 u_int rchan; 1710 size_t len; 1711 u_int rmaxpack, rwindow; 1712 1713 if ((r = sshpkt_get_cstring(ssh, &ctype, &len)) != 0 || 1714 (r = sshpkt_get_u32(ssh, &rchan)) != 0 || 1715 (r = sshpkt_get_u32(ssh, &rwindow)) != 0 || 1716 (r = sshpkt_get_u32(ssh, &rmaxpack)) != 0) 1717 goto out; 1718 1719 debug("client_input_channel_open: ctype %s rchan %d win %d max %d", 1720 ctype, rchan, rwindow, rmaxpack); 1721 1722 if (strcmp(ctype, "forwarded-tcpip") == 0) { 1723 c = client_request_forwarded_tcpip(ssh, ctype, rchan, rwindow, 1724 rmaxpack); 1725 } else if (strcmp(ctype, "forwarded-streamlocal@openssh.com") == 0) { 1726 c = client_request_forwarded_streamlocal(ssh, ctype, rchan); 1727 } else if (strcmp(ctype, "x11") == 0) { 1728 c = client_request_x11(ssh, ctype, rchan); 1729 } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { 1730 c = client_request_agent(ssh, ctype, rchan); 1731 } 1732 if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) { 1733 debug3("proxied to downstream: %s", ctype); 1734 } else if (c != NULL) { 1735 debug("confirm %s", ctype); 1736 c->remote_id = rchan; 1737 c->have_remote_id = 1; 1738 c->remote_window = rwindow; 1739 c->remote_maxpacket = rmaxpack; 1740 if (c->type != SSH_CHANNEL_CONNECTING) { 1741 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 1742 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1743 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 1744 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 1745 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 || 1746 (r = sshpkt_send(ssh)) != 0) 1747 sshpkt_fatal(ssh, r, "%s: send reply", __func__); 1748 } 1749 } else { 1750 debug("failure %s", ctype); 1751 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || 1752 (r = sshpkt_put_u32(ssh, rchan)) != 0 || 1753 (r = sshpkt_put_u32(ssh, SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED)) != 0 || 1754 (r = sshpkt_put_cstring(ssh, "open failed")) != 0 || 1755 (r = sshpkt_put_cstring(ssh, "")) != 0 || 1756 (r = sshpkt_send(ssh)) != 0) 1757 sshpkt_fatal(ssh, r, "%s: send failure", __func__); 1758 } 1759 r = 0; 1760 out: 1761 free(ctype); 1762 return r; 1763 } 1764 1765 static int 1766 client_input_channel_req(int type, u_int32_t seq, struct ssh *ssh) 1767 { 1768 Channel *c = NULL; 1769 char *rtype = NULL; 1770 u_char reply; 1771 u_int id, exitval; 1772 int r, success = 0; 1773 1774 if ((r = sshpkt_get_u32(ssh, &id)) != 0) 1775 return r; 1776 if (id <= INT_MAX) 1777 c = channel_lookup(ssh, id); 1778 if (channel_proxy_upstream(c, type, seq, ssh)) 1779 return 0; 1780 if ((r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 || 1781 (r = sshpkt_get_u8(ssh, &reply)) != 0) 1782 goto out; 1783 1784 debug("client_input_channel_req: channel %u rtype %s reply %d", 1785 id, rtype, reply); 1786 1787 if (c == NULL) { 1788 error("client_input_channel_req: channel %d: " 1789 "unknown channel", id); 1790 } else if (strcmp(rtype, "eow@openssh.com") == 0) { 1791 if ((r = sshpkt_get_end(ssh)) != 0) 1792 goto out; 1793 chan_rcvd_eow(ssh, c); 1794 } else if (strcmp(rtype, "exit-status") == 0) { 1795 if ((r = sshpkt_get_u32(ssh, &exitval)) != 0) 1796 goto out; 1797 if (c->ctl_chan != -1) { 1798 mux_exit_message(ssh, c, exitval); 1799 success = 1; 1800 } else if ((int)id == session_ident) { 1801 /* Record exit value of local session */ 1802 success = 1; 1803 exit_status = exitval; 1804 } else { 1805 /* Probably for a mux channel that has already closed */ 1806 debug("%s: no sink for exit-status on channel %d", 1807 __func__, id); 1808 } 1809 if ((r = sshpkt_get_end(ssh)) != 0) 1810 goto out; 1811 } 1812 if (reply && c != NULL && !(c->flags & CHAN_CLOSE_SENT)) { 1813 if (!c->have_remote_id) 1814 fatal("%s: channel %d: no remote_id", 1815 __func__, c->self); 1816 if ((r = sshpkt_start(ssh, success ? 1817 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE)) != 0 || 1818 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1819 (r = sshpkt_send(ssh)) != 0) 1820 sshpkt_fatal(ssh, r, "%s: send failure", __func__); 1821 } 1822 r = 0; 1823 out: 1824 free(rtype); 1825 return r; 1826 } 1827 1828 struct hostkeys_update_ctx { 1829 /* The hostname and (optionally) IP address string for the server */ 1830 char *host_str, *ip_str; 1831 1832 /* 1833 * Keys received from the server and a flag for each indicating 1834 * whether they already exist in known_hosts. 1835 * keys_seen is filled in by hostkeys_find() and later (for new 1836 * keys) by client_global_hostkeys_private_confirm(). 1837 */ 1838 struct sshkey **keys; 1839 int *keys_seen; 1840 size_t nkeys, nnew; 1841 1842 /* 1843 * Keys that are in known_hosts, but were not present in the update 1844 * from the server (i.e. scheduled to be deleted). 1845 * Filled in by hostkeys_find(). 1846 */ 1847 struct sshkey **old_keys; 1848 size_t nold; 1849 }; 1850 1851 static void 1852 hostkeys_update_ctx_free(struct hostkeys_update_ctx *ctx) 1853 { 1854 size_t i; 1855 1856 if (ctx == NULL) 1857 return; 1858 for (i = 0; i < ctx->nkeys; i++) 1859 sshkey_free(ctx->keys[i]); 1860 free(ctx->keys); 1861 free(ctx->keys_seen); 1862 for (i = 0; i < ctx->nold; i++) 1863 sshkey_free(ctx->old_keys[i]); 1864 free(ctx->old_keys); 1865 free(ctx->host_str); 1866 free(ctx->ip_str); 1867 free(ctx); 1868 } 1869 1870 static int 1871 hostkeys_find(struct hostkey_foreach_line *l, void *_ctx) 1872 { 1873 struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx; 1874 size_t i; 1875 struct sshkey **tmp; 1876 1877 if (l->status != HKF_STATUS_MATCHED || l->key == NULL) 1878 return 0; 1879 1880 /* Mark off keys we've already seen for this host */ 1881 for (i = 0; i < ctx->nkeys; i++) { 1882 if (sshkey_equal(l->key, ctx->keys[i])) { 1883 debug3("%s: found %s key at %s:%ld", __func__, 1884 sshkey_ssh_name(ctx->keys[i]), l->path, l->linenum); 1885 ctx->keys_seen[i] = 1; 1886 return 0; 1887 } 1888 } 1889 /* This line contained a key that not offered by the server */ 1890 debug3("%s: deprecated %s key at %s:%ld", __func__, 1891 sshkey_ssh_name(l->key), l->path, l->linenum); 1892 if ((tmp = recallocarray(ctx->old_keys, ctx->nold, ctx->nold + 1, 1893 sizeof(*ctx->old_keys))) == NULL) 1894 fatal("%s: recallocarray failed nold = %zu", 1895 __func__, ctx->nold); 1896 ctx->old_keys = tmp; 1897 ctx->old_keys[ctx->nold++] = l->key; 1898 l->key = NULL; 1899 1900 return 0; 1901 } 1902 1903 static void 1904 hostkey_change_preamble(LogLevel loglevel) 1905 { 1906 do_log2(loglevel, "The server has updated its host keys."); 1907 do_log2(loglevel, "These changes were verified by the server's " 1908 "existing trusted key."); 1909 } 1910 1911 static void 1912 update_known_hosts(struct hostkeys_update_ctx *ctx) 1913 { 1914 int r, was_raw = 0, first = 1; 1915 int asking = options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK; 1916 LogLevel loglevel = asking ? SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE; 1917 char *fp, *response; 1918 size_t i; 1919 struct stat sb; 1920 1921 for (i = 0; i < ctx->nkeys; i++) { 1922 if (ctx->keys_seen[i] != 2) 1923 continue; 1924 if ((fp = sshkey_fingerprint(ctx->keys[i], 1925 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) 1926 fatal("%s: sshkey_fingerprint failed", __func__); 1927 if (first && asking) 1928 hostkey_change_preamble(loglevel); 1929 do_log2(loglevel, "Learned new hostkey: %s %s", 1930 sshkey_type(ctx->keys[i]), fp); 1931 first = 0; 1932 free(fp); 1933 } 1934 for (i = 0; i < ctx->nold; i++) { 1935 if ((fp = sshkey_fingerprint(ctx->old_keys[i], 1936 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) 1937 fatal("%s: sshkey_fingerprint failed", __func__); 1938 if (first && asking) 1939 hostkey_change_preamble(loglevel); 1940 do_log2(loglevel, "Deprecating obsolete hostkey: %s %s", 1941 sshkey_type(ctx->old_keys[i]), fp); 1942 first = 0; 1943 free(fp); 1944 } 1945 if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) { 1946 if (get_saved_tio() != NULL) { 1947 leave_raw_mode(1); 1948 was_raw = 1; 1949 } 1950 response = NULL; 1951 for (i = 0; !quit_pending && i < 3; i++) { 1952 free(response); 1953 response = read_passphrase("Accept updated hostkeys? " 1954 "(yes/no): ", RP_ECHO); 1955 if (strcasecmp(response, "yes") == 0) 1956 break; 1957 else if (quit_pending || response == NULL || 1958 strcasecmp(response, "no") == 0) { 1959 options.update_hostkeys = 0; 1960 break; 1961 } else { 1962 do_log2(loglevel, "Please enter " 1963 "\"yes\" or \"no\""); 1964 } 1965 } 1966 if (quit_pending || i >= 3 || response == NULL) 1967 options.update_hostkeys = 0; 1968 free(response); 1969 if (was_raw) 1970 enter_raw_mode(1); 1971 } 1972 if (options.update_hostkeys == 0) 1973 return; 1974 /* 1975 * Now that all the keys are verified, we can go ahead and replace 1976 * them in known_hosts (assuming SSH_UPDATE_HOSTKEYS_ASK didn't 1977 * cancel the operation). 1978 */ 1979 for (i = 0; i < options.num_user_hostfiles; i++) { 1980 /* 1981 * NB. keys are only added to hostfiles[0], for the rest we 1982 * just delete the hostname entries. 1983 */ 1984 if (stat(options.user_hostfiles[i], &sb) != 0) { 1985 if (errno == ENOENT) { 1986 debug("%s: known hosts file %s does not exist", 1987 __func__, strerror(errno)); 1988 } else { 1989 error("%s: known hosts file %s inaccessible", 1990 __func__, strerror(errno)); 1991 } 1992 continue; 1993 } 1994 if ((r = hostfile_replace_entries(options.user_hostfiles[i], 1995 ctx->host_str, ctx->ip_str, 1996 i == 0 ? ctx->keys : NULL, i == 0 ? ctx->nkeys : 0, 1997 options.hash_known_hosts, 0, 1998 options.fingerprint_hash)) != 0) { 1999 error("%s: hostfile_replace_entries failed for %s: %s", 2000 __func__, options.user_hostfiles[i], ssh_err(r)); 2001 } 2002 } 2003 } 2004 2005 static void 2006 client_global_hostkeys_private_confirm(struct ssh *ssh, int type, 2007 u_int32_t seq, void *_ctx) 2008 { 2009 struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx; 2010 size_t i, ndone; 2011 struct sshbuf *signdata; 2012 int r, kexsigtype, use_kexsigtype; 2013 const u_char *sig; 2014 size_t siglen; 2015 2016 if (ctx->nnew == 0) 2017 fatal("%s: ctx->nnew == 0", __func__); /* sanity */ 2018 if (type != SSH2_MSG_REQUEST_SUCCESS) { 2019 error("Server failed to confirm ownership of " 2020 "private host keys"); 2021 hostkeys_update_ctx_free(ctx); 2022 return; 2023 } 2024 kexsigtype = sshkey_type_plain( 2025 sshkey_type_from_name(ssh->kex->hostkey_alg)); 2026 2027 if ((signdata = sshbuf_new()) == NULL) 2028 fatal("%s: sshbuf_new failed", __func__); 2029 /* Don't want to accidentally accept an unbound signature */ 2030 if (ssh->kex->session_id_len == 0) 2031 fatal("%s: ssh->kex->session_id_len == 0", __func__); 2032 /* 2033 * Expect a signature for each of the ctx->nnew private keys we 2034 * haven't seen before. They will be in the same order as the 2035 * ctx->keys where the corresponding ctx->keys_seen[i] == 0. 2036 */ 2037 for (ndone = i = 0; i < ctx->nkeys; i++) { 2038 if (ctx->keys_seen[i]) 2039 continue; 2040 /* Prepare data to be signed: session ID, unique string, key */ 2041 sshbuf_reset(signdata); 2042 if ( (r = sshbuf_put_cstring(signdata, 2043 "hostkeys-prove-00@openssh.com")) != 0 || 2044 (r = sshbuf_put_string(signdata, ssh->kex->session_id, 2045 ssh->kex->session_id_len)) != 0 || 2046 (r = sshkey_puts(ctx->keys[i], signdata)) != 0) 2047 fatal("%s: failed to prepare signature: %s", 2048 __func__, ssh_err(r)); 2049 /* Extract and verify signature */ 2050 if ((r = sshpkt_get_string_direct(ssh, &sig, &siglen)) != 0) { 2051 error("%s: couldn't parse message: %s", 2052 __func__, ssh_err(r)); 2053 goto out; 2054 } 2055 /* 2056 * For RSA keys, prefer to use the signature type negotiated 2057 * during KEX to the default (SHA1). 2058 */ 2059 use_kexsigtype = kexsigtype == KEY_RSA && 2060 sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA; 2061 if ((r = sshkey_verify(ctx->keys[i], sig, siglen, 2062 sshbuf_ptr(signdata), sshbuf_len(signdata), 2063 use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0, 2064 NULL)) != 0) { 2065 error("%s: server gave bad signature for %s key %zu", 2066 __func__, sshkey_type(ctx->keys[i]), i); 2067 goto out; 2068 } 2069 /* Key is good. Mark it as 'seen' */ 2070 ctx->keys_seen[i] = 2; 2071 ndone++; 2072 } 2073 if (ndone != ctx->nnew) 2074 fatal("%s: ndone != ctx->nnew (%zu / %zu)", __func__, 2075 ndone, ctx->nnew); /* Shouldn't happen */ 2076 if ((r = sshpkt_get_end(ssh)) != 0) { 2077 error("%s: protocol error", __func__); 2078 goto out; 2079 } 2080 2081 /* Make the edits to known_hosts */ 2082 update_known_hosts(ctx); 2083 out: 2084 hostkeys_update_ctx_free(ctx); 2085 } 2086 2087 /* 2088 * Returns non-zero if the key is accepted by HostkeyAlgorithms. 2089 * Made slightly less trivial by the multiple RSA signature algorithm names. 2090 */ 2091 static int 2092 key_accepted_by_hostkeyalgs(const struct sshkey *key) 2093 { 2094 const char *ktype = sshkey_ssh_name(key); 2095 const char *hostkeyalgs = options.hostkeyalgorithms; 2096 2097 if (key == NULL || key->type == KEY_UNSPEC) 2098 return 0; 2099 if (key->type == KEY_RSA && 2100 (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 || 2101 match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1)) 2102 return 1; 2103 return match_pattern_list(ktype, hostkeyalgs, 0) == 1; 2104 } 2105 2106 /* 2107 * Handle hostkeys-00@openssh.com global request to inform the client of all 2108 * the server's hostkeys. The keys are checked against the user's 2109 * HostkeyAlgorithms preference before they are accepted. 2110 */ 2111 static int 2112 client_input_hostkeys(struct ssh *ssh) 2113 { 2114 const u_char *blob = NULL; 2115 size_t i, len = 0; 2116 struct sshbuf *buf = NULL; 2117 struct sshkey *key = NULL, **tmp; 2118 int r; 2119 char *fp; 2120 static int hostkeys_seen = 0; /* XXX use struct ssh */ 2121 extern struct sockaddr_storage hostaddr; /* XXX from ssh.c */ 2122 struct hostkeys_update_ctx *ctx = NULL; 2123 2124 if (hostkeys_seen) 2125 fatal("%s: server already sent hostkeys", __func__); 2126 if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK && 2127 options.batch_mode) 2128 return 1; /* won't ask in batchmode, so don't even try */ 2129 if (!options.update_hostkeys || options.num_user_hostfiles <= 0) 2130 return 1; 2131 2132 ctx = xcalloc(1, sizeof(*ctx)); 2133 while (ssh_packet_remaining(ssh) > 0) { 2134 sshkey_free(key); 2135 key = NULL; 2136 if ((r = sshpkt_get_string_direct(ssh, &blob, &len)) != 0) { 2137 error("%s: couldn't parse message: %s", 2138 __func__, ssh_err(r)); 2139 goto out; 2140 } 2141 if ((r = sshkey_from_blob(blob, len, &key)) != 0) { 2142 do_log2(r == SSH_ERR_KEY_TYPE_UNKNOWN ? 2143 SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_ERROR, 2144 "%s: parse key: %s", __func__, ssh_err(r)); 2145 continue; 2146 } 2147 fp = sshkey_fingerprint(key, options.fingerprint_hash, 2148 SSH_FP_DEFAULT); 2149 debug3("%s: received %s key %s", __func__, 2150 sshkey_type(key), fp); 2151 free(fp); 2152 2153 if (!key_accepted_by_hostkeyalgs(key)) { 2154 debug3("%s: %s key not permitted by HostkeyAlgorithms", 2155 __func__, sshkey_ssh_name(key)); 2156 continue; 2157 } 2158 /* Skip certs */ 2159 if (sshkey_is_cert(key)) { 2160 debug3("%s: %s key is a certificate; skipping", 2161 __func__, sshkey_ssh_name(key)); 2162 continue; 2163 } 2164 /* Ensure keys are unique */ 2165 for (i = 0; i < ctx->nkeys; i++) { 2166 if (sshkey_equal(key, ctx->keys[i])) { 2167 error("%s: received duplicated %s host key", 2168 __func__, sshkey_ssh_name(key)); 2169 goto out; 2170 } 2171 } 2172 /* Key is good, record it */ 2173 if ((tmp = recallocarray(ctx->keys, ctx->nkeys, ctx->nkeys + 1, 2174 sizeof(*ctx->keys))) == NULL) 2175 fatal("%s: recallocarray failed nkeys = %zu", 2176 __func__, ctx->nkeys); 2177 ctx->keys = tmp; 2178 ctx->keys[ctx->nkeys++] = key; 2179 key = NULL; 2180 } 2181 2182 if (ctx->nkeys == 0) { 2183 debug("%s: server sent no hostkeys", __func__); 2184 goto out; 2185 } 2186 2187 if ((ctx->keys_seen = calloc(ctx->nkeys, 2188 sizeof(*ctx->keys_seen))) == NULL) 2189 fatal("%s: calloc failed", __func__); 2190 2191 get_hostfile_hostname_ipaddr(host, 2192 options.check_host_ip ? (struct sockaddr *)&hostaddr : NULL, 2193 options.port, &ctx->host_str, 2194 options.check_host_ip ? &ctx->ip_str : NULL); 2195 2196 /* Find which keys we already know about. */ 2197 for (i = 0; i < options.num_user_hostfiles; i++) { 2198 debug("%s: searching %s for %s / %s", __func__, 2199 options.user_hostfiles[i], ctx->host_str, 2200 ctx->ip_str ? ctx->ip_str : "(none)"); 2201 if ((r = hostkeys_foreach(options.user_hostfiles[i], 2202 hostkeys_find, ctx, ctx->host_str, ctx->ip_str, 2203 HKF_WANT_PARSE_KEY|HKF_WANT_MATCH)) != 0) { 2204 if (r == SSH_ERR_SYSTEM_ERROR && errno == ENOENT) { 2205 debug("%s: hostkeys file %s does not exist", 2206 __func__, options.user_hostfiles[i]); 2207 continue; 2208 } 2209 error("%s: hostkeys_foreach failed for %s: %s", 2210 __func__, options.user_hostfiles[i], ssh_err(r)); 2211 goto out; 2212 } 2213 } 2214 2215 /* Figure out if we have any new keys to add */ 2216 ctx->nnew = 0; 2217 for (i = 0; i < ctx->nkeys; i++) { 2218 if (!ctx->keys_seen[i]) 2219 ctx->nnew++; 2220 } 2221 2222 debug3("%s: %zu keys from server: %zu new, %zu retained. %zu to remove", 2223 __func__, ctx->nkeys, ctx->nnew, ctx->nkeys - ctx->nnew, ctx->nold); 2224 2225 if (ctx->nnew == 0 && ctx->nold != 0) { 2226 /* We have some keys to remove. Just do it. */ 2227 update_known_hosts(ctx); 2228 } else if (ctx->nnew != 0) { 2229 /* 2230 * We have received hitherto-unseen keys from the server. 2231 * Ask the server to confirm ownership of the private halves. 2232 */ 2233 debug3("%s: asking server to prove ownership for %zu keys", 2234 __func__, ctx->nnew); 2235 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 2236 (r = sshpkt_put_cstring(ssh, 2237 "hostkeys-prove-00@openssh.com")) != 0 || 2238 (r = sshpkt_put_u8(ssh, 1)) != 0) /* bool: want reply */ 2239 fatal("%s: cannot prepare packet: %s", 2240 __func__, ssh_err(r)); 2241 if ((buf = sshbuf_new()) == NULL) 2242 fatal("%s: sshbuf_new", __func__); 2243 for (i = 0; i < ctx->nkeys; i++) { 2244 if (ctx->keys_seen[i]) 2245 continue; 2246 sshbuf_reset(buf); 2247 if ((r = sshkey_putb(ctx->keys[i], buf)) != 0) 2248 fatal("%s: sshkey_putb: %s", 2249 __func__, ssh_err(r)); 2250 if ((r = sshpkt_put_stringb(ssh, buf)) != 0) 2251 fatal("%s: sshpkt_put_string: %s", 2252 __func__, ssh_err(r)); 2253 } 2254 if ((r = sshpkt_send(ssh)) != 0) 2255 fatal("%s: sshpkt_send: %s", __func__, ssh_err(r)); 2256 client_register_global_confirm( 2257 client_global_hostkeys_private_confirm, ctx); 2258 ctx = NULL; /* will be freed in callback */ 2259 } 2260 2261 /* Success */ 2262 out: 2263 hostkeys_update_ctx_free(ctx); 2264 sshkey_free(key); 2265 sshbuf_free(buf); 2266 /* 2267 * NB. Return success for all cases. The server doesn't need to know 2268 * what the client does with its hosts file. 2269 */ 2270 return 1; 2271 } 2272 2273 static int 2274 client_input_global_request(int type, u_int32_t seq, struct ssh *ssh) 2275 { 2276 char *rtype; 2277 u_char want_reply; 2278 int r, success = 0; 2279 2280 if ((r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 || 2281 (r = sshpkt_get_u8(ssh, &want_reply)) != 0) 2282 goto out; 2283 debug("client_input_global_request: rtype %s want_reply %d", 2284 rtype, want_reply); 2285 if (strcmp(rtype, "hostkeys-00@openssh.com") == 0) 2286 success = client_input_hostkeys(ssh); 2287 if (want_reply) { 2288 if ((r = sshpkt_start(ssh, success ? SSH2_MSG_REQUEST_SUCCESS : 2289 SSH2_MSG_REQUEST_FAILURE)) != 0 || 2290 (r = sshpkt_send(ssh)) != 0 || 2291 (r = ssh_packet_write_wait(ssh)) != 0) 2292 goto out; 2293 } 2294 r = 0; 2295 out: 2296 free(rtype); 2297 return r; 2298 } 2299 2300 void 2301 client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem, 2302 const char *term, struct termios *tiop, int in_fd, struct sshbuf *cmd, 2303 char **env) 2304 { 2305 int i, j, matched, len, r; 2306 char *name, *val; 2307 Channel *c = NULL; 2308 2309 debug2("%s: id %d", __func__, id); 2310 2311 if ((c = channel_lookup(ssh, id)) == NULL) 2312 fatal("%s: channel %d: unknown channel", __func__, id); 2313 2314 ssh_packet_set_interactive(ssh, want_tty, 2315 options.ip_qos_interactive, options.ip_qos_bulk); 2316 2317 if (want_tty) { 2318 struct winsize ws; 2319 2320 /* Store window size in the packet. */ 2321 if (ioctl(in_fd, TIOCGWINSZ, &ws) == -1) 2322 memset(&ws, 0, sizeof(ws)); 2323 2324 channel_request_start(ssh, id, "pty-req", 1); 2325 client_expect_confirm(ssh, id, "PTY allocation", CONFIRM_TTY); 2326 if ((r = sshpkt_put_cstring(ssh, term != NULL ? term : "")) 2327 != 0 || 2328 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 || 2329 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 || 2330 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 || 2331 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0) 2332 fatal("%s: build packet: %s", __func__, ssh_err(r)); 2333 if (tiop == NULL) 2334 tiop = get_saved_tio(); 2335 ssh_tty_make_modes(ssh, -1, tiop); 2336 if ((r = sshpkt_send(ssh)) != 0) 2337 fatal("%s: send packet: %s", __func__, ssh_err(r)); 2338 /* XXX wait for reply */ 2339 c->client_tty = 1; 2340 } 2341 2342 /* Transfer any environment variables from client to server */ 2343 if (options.num_send_env != 0 && env != NULL) { 2344 debug("Sending environment."); 2345 for (i = 0; env[i] != NULL; i++) { 2346 /* Split */ 2347 name = xstrdup(env[i]); 2348 if ((val = strchr(name, '=')) == NULL) { 2349 free(name); 2350 continue; 2351 } 2352 *val++ = '\0'; 2353 2354 matched = 0; 2355 for (j = 0; j < options.num_send_env; j++) { 2356 if (match_pattern(name, options.send_env[j])) { 2357 matched = 1; 2358 break; 2359 } 2360 } 2361 if (!matched) { 2362 debug3("Ignored env %s", name); 2363 free(name); 2364 continue; 2365 } 2366 2367 debug("Sending env %s = %s", name, val); 2368 channel_request_start(ssh, id, "env", 0); 2369 if ((r = sshpkt_put_cstring(ssh, name)) != 0 || 2370 (r = sshpkt_put_cstring(ssh, val)) != 0 || 2371 (r = sshpkt_send(ssh)) != 0) { 2372 fatal("%s: send packet: %s", 2373 __func__, ssh_err(r)); 2374 } 2375 free(name); 2376 } 2377 } 2378 for (i = 0; i < options.num_setenv; i++) { 2379 /* Split */ 2380 name = xstrdup(options.setenv[i]); 2381 if ((val = strchr(name, '=')) == NULL) { 2382 free(name); 2383 continue; 2384 } 2385 *val++ = '\0'; 2386 2387 debug("Setting env %s = %s", name, val); 2388 channel_request_start(ssh, id, "env", 0); 2389 if ((r = sshpkt_put_cstring(ssh, name)) != 0 || 2390 (r = sshpkt_put_cstring(ssh, val)) != 0 || 2391 (r = sshpkt_send(ssh)) != 0) 2392 fatal("%s: send packet: %s", __func__, ssh_err(r)); 2393 free(name); 2394 } 2395 2396 len = sshbuf_len(cmd); 2397 if (len > 0) { 2398 if (len > 900) 2399 len = 900; 2400 if (want_subsystem) { 2401 debug("Sending subsystem: %.*s", 2402 len, (const u_char*)sshbuf_ptr(cmd)); 2403 channel_request_start(ssh, id, "subsystem", 1); 2404 client_expect_confirm(ssh, id, "subsystem", 2405 CONFIRM_CLOSE); 2406 } else { 2407 debug("Sending command: %.*s", 2408 len, (const u_char*)sshbuf_ptr(cmd)); 2409 channel_request_start(ssh, id, "exec", 1); 2410 client_expect_confirm(ssh, id, "exec", CONFIRM_CLOSE); 2411 } 2412 if ((r = sshpkt_put_stringb(ssh, cmd)) != 0 || 2413 (r = sshpkt_send(ssh)) != 0) 2414 fatal("%s: send command: %s", __func__, ssh_err(r)); 2415 } else { 2416 channel_request_start(ssh, id, "shell", 1); 2417 client_expect_confirm(ssh, id, "shell", CONFIRM_CLOSE); 2418 if ((r = sshpkt_send(ssh)) != 0) { 2419 fatal("%s: send shell request: %s", 2420 __func__, ssh_err(r)); 2421 } 2422 } 2423 } 2424 2425 static void 2426 client_init_dispatch(struct ssh *ssh) 2427 { 2428 ssh_dispatch_init(ssh, &dispatch_protocol_error); 2429 2430 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); 2431 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_DATA, &channel_input_data); 2432 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); 2433 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); 2434 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open); 2435 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 2436 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 2437 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); 2438 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); 2439 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_SUCCESS, &channel_input_status_confirm); 2440 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_FAILURE, &channel_input_status_confirm); 2441 ssh_dispatch_set(ssh, SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request); 2442 2443 /* rekeying */ 2444 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 2445 2446 /* global request reply messages */ 2447 ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_FAILURE, &client_global_request_reply); 2448 ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_SUCCESS, &client_global_request_reply); 2449 } 2450 2451 void 2452 client_stop_mux(void) 2453 { 2454 if (options.control_path != NULL && muxserver_sock != -1) 2455 unlink(options.control_path); 2456 /* 2457 * If we are in persist mode, or don't have a shell, signal that we 2458 * should close when all active channels are closed. 2459 */ 2460 if (options.control_persist || no_shell_flag) { 2461 session_closed = 1; 2462 setproctitle("[stopped mux]"); 2463 } 2464 } 2465 2466 /* client specific fatal cleanup */ 2467 void 2468 cleanup_exit(int i) 2469 { 2470 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 2471 leave_non_blocking(); 2472 if (options.control_path != NULL && muxserver_sock != -1) 2473 unlink(options.control_path); 2474 ssh_kill_proxy_command(); 2475 _exit(i); 2476 } 2477