1 /* $NetBSD: monitor_wrap.c,v 1.35 2024/07/08 22:33:43 christos Exp $ */ 2 /* $OpenBSD: monitor_wrap.c,v 1.136 2024/06/19 23:24:47 djm Exp $ */ 3 4 /* 5 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 6 * Copyright 2002 Markus Friedl <markus@openbsd.org> 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include "includes.h" 31 __RCSID("$NetBSD: monitor_wrap.c,v 1.35 2024/07/08 22:33:43 christos Exp $"); 32 #include <sys/types.h> 33 #include <sys/uio.h> 34 #include <sys/queue.h> 35 #include <sys/wait.h> 36 37 #include <errno.h> 38 #include <pwd.h> 39 #include <signal.h> 40 #include <stdio.h> 41 #include <string.h> 42 #include <stdarg.h> 43 #include <unistd.h> 44 45 #ifdef WITH_OPENSSL 46 #include <openssl/bn.h> 47 #include <openssl/dh.h> 48 #endif 49 50 #include "xmalloc.h" 51 #include "ssh.h" 52 #ifdef WITH_OPENSSL 53 #include "dh.h" 54 #endif 55 #include "sshbuf.h" 56 #include "sshkey.h" 57 #include "cipher.h" 58 #include "kex.h" 59 #include "hostfile.h" 60 #include "auth.h" 61 #include "auth-options.h" 62 #include "packet.h" 63 #include "mac.h" 64 #include "log.h" 65 #include "monitor.h" 66 #ifdef GSSAPI 67 #include "ssh-gss.h" 68 #endif 69 #include "atomicio.h" 70 #include "monitor_fdpass.h" 71 #ifdef USE_PAM 72 #include "misc.h" 73 #include "servconf.h" 74 #include <security/pam_appl.h> 75 #endif 76 #include "misc.h" 77 78 #include "channels.h" 79 #include "session.h" 80 #include "servconf.h" 81 #include "monitor_wrap.h" 82 #include "srclimit.h" 83 84 #include "ssherr.h" 85 86 /* Imports */ 87 extern struct monitor *pmonitor; 88 extern struct sshbuf *loginmsg; 89 extern ServerOptions options; 90 91 void 92 mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) 93 { 94 struct sshbuf *log_msg; 95 struct monitor *mon = (struct monitor *)ctx; 96 int r; 97 size_t len; 98 99 if (mon->m_log_sendfd == -1) 100 fatal_f("no log channel"); 101 102 if ((log_msg = sshbuf_new()) == NULL) 103 fatal_f("sshbuf_new failed"); 104 105 if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ 106 (r = sshbuf_put_u32(log_msg, level)) != 0 || 107 (r = sshbuf_put_u32(log_msg, forced)) != 0 || 108 (r = sshbuf_put_cstring(log_msg, msg)) != 0) 109 fatal_fr(r, "assemble"); 110 if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff) 111 fatal_f("bad length %zu", len); 112 POKE_U32(sshbuf_mutable_ptr(log_msg), len - 4); 113 if (atomicio(vwrite, mon->m_log_sendfd, 114 sshbuf_mutable_ptr(log_msg), len) != len) 115 fatal_f("write: %s", strerror(errno)); 116 sshbuf_free(log_msg); 117 } 118 119 int 120 mm_is_monitor(void) 121 { 122 /* 123 * m_pid is only set in the privileged part, and 124 * points to the unprivileged child. 125 */ 126 return (pmonitor && pmonitor->m_pid > 0); 127 } 128 129 static void 130 mm_reap(void) 131 { 132 int status = -1; 133 134 if (!mm_is_monitor()) 135 return; 136 while (waitpid(pmonitor->m_pid, &status, 0) == -1) { 137 if (errno == EINTR) 138 continue; 139 pmonitor->m_pid = -1; 140 fatal_f("waitpid: %s", strerror(errno)); 141 } 142 if (WIFEXITED(status)) { 143 if (WEXITSTATUS(status) != 0) { 144 debug_f("preauth child exited with status %d", 145 WEXITSTATUS(status)); 146 cleanup_exit(255); 147 } 148 } else if (WIFSIGNALED(status)) { 149 error_f("preauth child terminated by signal %d", 150 WTERMSIG(status)); 151 cleanup_exit(signal_is_crash(WTERMSIG(status)) ? 152 EXIT_CHILD_CRASH : 255); 153 } else { 154 error_f("preauth child terminated abnormally (status=0x%x)", 155 status); 156 cleanup_exit(EXIT_CHILD_CRASH); 157 } 158 } 159 160 void 161 mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m) 162 { 163 size_t mlen = sshbuf_len(m); 164 u_char buf[5]; 165 166 debug3_f("entering, type %d", type); 167 168 if (mlen >= 0xffffffff) 169 fatal_f("bad length %zu", mlen); 170 POKE_U32(buf, mlen + 1); 171 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 172 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf) || 173 atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) { 174 if (errno == EPIPE) { 175 debug3_f("monitor fd closed"); 176 mm_reap(); 177 cleanup_exit(255); 178 } 179 fatal_f("write: %s", strerror(errno)); 180 } 181 } 182 183 void 184 mm_request_receive(int sock, struct sshbuf *m) 185 { 186 u_char buf[4], *p = NULL; 187 u_int msg_len; 188 int oerrno, r; 189 190 debug3_f("entering"); 191 192 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { 193 if (errno == EPIPE) { 194 debug3_f("monitor fd closed"); 195 mm_reap(); 196 cleanup_exit(255); 197 } 198 fatal_f("read: %s", strerror(errno)); 199 } 200 msg_len = PEEK_U32(buf); 201 if (msg_len > 256 * 1024) 202 fatal_f("read: bad msg_len %d", msg_len); 203 sshbuf_reset(m); 204 if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) 205 fatal_fr(r, "reserve"); 206 if (atomicio(read, sock, p, msg_len) != msg_len) { 207 oerrno = errno; 208 error_f("read: %s", strerror(errno)); 209 if (oerrno == EPIPE) 210 mm_reap(); 211 cleanup_exit(255); 212 } 213 } 214 215 void 216 mm_request_receive_expect(int sock, enum monitor_reqtype type, struct sshbuf *m) 217 { 218 u_char rtype; 219 int r; 220 221 debug3_f("entering, type %d", type); 222 223 mm_request_receive(sock, m); 224 if ((r = sshbuf_get_u8(m, &rtype)) != 0) 225 fatal_fr(r, "parse"); 226 if (rtype != type) 227 fatal_f("read: rtype %d != type %d", rtype, type); 228 } 229 230 #ifdef WITH_OPENSSL 231 DH * 232 mm_choose_dh(int min, int nbits, int max) 233 { 234 BIGNUM *p, *g; 235 int r; 236 u_char success = 0; 237 struct sshbuf *m; 238 239 if ((m = sshbuf_new()) == NULL) 240 fatal_f("sshbuf_new failed"); 241 if ((r = sshbuf_put_u32(m, min)) != 0 || 242 (r = sshbuf_put_u32(m, nbits)) != 0 || 243 (r = sshbuf_put_u32(m, max)) != 0) 244 fatal_fr(r, "assemble"); 245 246 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, m); 247 248 debug3_f("waiting for MONITOR_ANS_MODULI"); 249 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, m); 250 251 if ((r = sshbuf_get_u8(m, &success)) != 0) 252 fatal_fr(r, "parse success"); 253 if (success == 0) 254 fatal_f("MONITOR_ANS_MODULI failed"); 255 256 if ((r = sshbuf_get_bignum2(m, &p)) != 0 || 257 (r = sshbuf_get_bignum2(m, &g)) != 0) 258 fatal_fr(r, "parse group"); 259 260 debug3_f("remaining %zu", sshbuf_len(m)); 261 sshbuf_free(m); 262 263 return (dh_new_group(g, p)); 264 } 265 #endif 266 267 int 268 mm_sshkey_sign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp, 269 const u_char *data, size_t datalen, const char *hostkey_alg, 270 const char *sk_provider, const char *sk_pin, u_int compat) 271 { 272 struct kex *kex = *pmonitor->m_pkex; 273 struct sshbuf *m; 274 u_int ndx = kex->host_key_index(key, 0, ssh); 275 int r; 276 277 debug3_f("entering"); 278 if ((m = sshbuf_new()) == NULL) 279 fatal_f("sshbuf_new failed"); 280 if ((r = sshbuf_put_u32(m, ndx)) != 0 || 281 (r = sshbuf_put_string(m, data, datalen)) != 0 || 282 (r = sshbuf_put_cstring(m, hostkey_alg)) != 0 || 283 (r = sshbuf_put_u32(m, compat)) != 0) 284 fatal_fr(r, "assemble"); 285 286 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, m); 287 288 debug3_f("waiting for MONITOR_ANS_SIGN"); 289 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, m); 290 if ((r = sshbuf_get_string(m, sigp, lenp)) != 0) 291 fatal_fr(r, "parse"); 292 sshbuf_free(m); 293 294 return (0); 295 } 296 297 void 298 mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m) 299 { 300 const u_char *p; 301 size_t len; 302 u_int i; 303 ServerOptions *newopts; 304 int r; 305 306 if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0) 307 fatal_fr(r, "parse opts"); 308 if (len != sizeof(*newopts)) 309 fatal_f("option block size mismatch"); 310 newopts = xcalloc(sizeof(*newopts), 1); 311 memcpy(newopts, p, sizeof(*newopts)); 312 313 #define M_CP_STROPT(x) do { \ 314 if (newopts->x != NULL && \ 315 (r = sshbuf_get_cstring(m, &newopts->x, NULL)) != 0) \ 316 fatal_fr(r, "parse %s", #x); \ 317 } while (0) 318 #define M_CP_STRARRAYOPT(x, nx) do { \ 319 newopts->x = newopts->nx == 0 ? \ 320 NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \ 321 for (i = 0; i < newopts->nx; i++) { \ 322 if ((r = sshbuf_get_cstring(m, \ 323 &newopts->x[i], NULL)) != 0) \ 324 fatal_fr(r, "parse %s", #x); \ 325 } \ 326 } while (0) 327 /* See comment in servconf.h */ 328 COPY_MATCH_STRING_OPTS(); 329 #undef M_CP_STROPT 330 #undef M_CP_STRARRAYOPT 331 332 copy_set_server_options(&options, newopts, 1); 333 log_change_level(options.log_level); 334 log_verbose_reset(); 335 for (i = 0; i < options.num_log_verbose; i++) 336 log_verbose_add(options.log_verbose[i]); 337 free(newopts); 338 } 339 340 #define GETPW(b, id) \ 341 do { \ 342 if ((r = sshbuf_get_string_direct(b, &p, &len)) != 0) \ 343 fatal_fr(r, "parse pw %s", #id); \ 344 if (len != sizeof(pw->id)) \ 345 fatal_fr(r, "bad length for %s", #id); \ 346 memcpy(&pw->id, p, len); \ 347 } while (0) 348 349 struct passwd * 350 mm_getpwnamallow(struct ssh *ssh, const char *username) 351 { 352 struct sshbuf *m; 353 struct passwd *pw; 354 size_t len; 355 int r; 356 u_char ok; 357 const u_char *p; 358 359 debug3_f("entering"); 360 361 if ((m = sshbuf_new()) == NULL) 362 fatal_f("sshbuf_new failed"); 363 if ((r = sshbuf_put_cstring(m, username)) != 0) 364 fatal_fr(r, "assemble"); 365 366 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, m); 367 368 debug3_f("waiting for MONITOR_ANS_PWNAM"); 369 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, m); 370 371 if ((r = sshbuf_get_u8(m, &ok)) != 0) 372 fatal_fr(r, "parse success"); 373 if (ok == 0) { 374 pw = NULL; 375 goto out; 376 } 377 378 pw = xcalloc(sizeof(*pw), 1); 379 GETPW(m, pw_uid); 380 GETPW(m, pw_gid); 381 GETPW(m, pw_change); 382 GETPW(m, pw_expire); 383 if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 || 384 (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 || 385 (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 || 386 (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 || 387 (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 || 388 (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0) 389 fatal_fr(r, "parse pw"); 390 391 out: 392 /* copy options block as a Match directive may have changed some */ 393 mm_decode_activate_server_options(ssh, m); 394 server_process_permitopen(ssh); 395 server_process_channel_timeouts(ssh); 396 kex_set_server_sig_algs(ssh, options.pubkey_accepted_algos); 397 sshbuf_free(m); 398 399 return (pw); 400 } 401 402 char * 403 mm_auth2_read_banner(void) 404 { 405 struct sshbuf *m; 406 char *banner; 407 int r; 408 409 debug3_f("entering"); 410 411 if ((m = sshbuf_new()) == NULL) 412 fatal_f("sshbuf_new failed"); 413 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, m); 414 sshbuf_reset(m); 415 416 mm_request_receive_expect(pmonitor->m_recvfd, 417 MONITOR_ANS_AUTH2_READ_BANNER, m); 418 if ((r = sshbuf_get_cstring(m, &banner, NULL)) != 0) 419 fatal_fr(r, "parse"); 420 sshbuf_free(m); 421 422 /* treat empty banner as missing banner */ 423 if (strlen(banner) == 0) { 424 free(banner); 425 banner = NULL; 426 } 427 return (banner); 428 } 429 430 /* Inform the privileged process about service and style */ 431 432 void 433 mm_inform_authserv(char *service, char *style) 434 { 435 struct sshbuf *m; 436 int r; 437 438 debug3_f("entering"); 439 440 if ((m = sshbuf_new()) == NULL) 441 fatal_f("sshbuf_new failed"); 442 if ((r = sshbuf_put_cstring(m, service)) != 0 || 443 (r = sshbuf_put_cstring(m, style ? style : "")) != 0) 444 fatal_fr(r, "assemble"); 445 446 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); 447 448 sshbuf_free(m); 449 } 450 451 /* Do the password authentication */ 452 int 453 mm_auth_password(struct ssh *ssh, const char *password) 454 { 455 struct sshbuf *m; 456 int r; 457 u_int authenticated = 0; 458 #ifdef USE_PAM 459 u_int maxtries = 0; 460 #endif 461 462 debug3_f("entering"); 463 464 if ((m = sshbuf_new()) == NULL) 465 fatal_f("sshbuf_new failed"); 466 if ((r = sshbuf_put_cstring(m, password)) != 0) 467 fatal_fr(r, "assemble"); 468 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, m); 469 470 debug3_f("waiting for MONITOR_ANS_AUTHPASSWORD"); 471 mm_request_receive_expect(pmonitor->m_recvfd, 472 MONITOR_ANS_AUTHPASSWORD, m); 473 474 if ((r = sshbuf_get_u32(m, &authenticated)) != 0) 475 fatal_fr(r, "parse"); 476 477 #ifdef USE_PAM 478 if ((r = sshbuf_get_u32(m, &maxtries)) != 0) 479 fatal_fr(r, "parse PAM"); 480 if (maxtries > INT_MAX) 481 fatal_fr(r, "bad maxtries"); 482 sshpam_set_maxtries_reached(maxtries); 483 #endif 484 485 sshbuf_free(m); 486 487 debug3_f("user %sauthenticated", authenticated ? "" : "not "); 488 return (authenticated); 489 } 490 491 int 492 mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, 493 int pubkey_auth_attempt, struct sshauthopt **authoptp) 494 { 495 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key, 496 pubkey_auth_attempt, authoptp)); 497 } 498 499 int 500 mm_hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, 501 const char *user, const char *host, struct sshkey *key) 502 { 503 return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL)); 504 } 505 506 int 507 mm_key_allowed(enum mm_keytype type, const char *user, const char *host, 508 struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp) 509 { 510 struct sshbuf *m; 511 int r; 512 u_int allowed = 0; 513 struct sshauthopt *opts = NULL; 514 515 debug3_f("entering"); 516 517 if (authoptp != NULL) 518 *authoptp = NULL; 519 520 if ((m = sshbuf_new()) == NULL) 521 fatal_f("sshbuf_new failed"); 522 if ((r = sshbuf_put_u32(m, type)) != 0 || 523 (r = sshbuf_put_cstring(m, user ? user : "")) != 0 || 524 (r = sshbuf_put_cstring(m, host ? host : "")) != 0 || 525 (r = sshkey_puts(key, m)) != 0 || 526 (r = sshbuf_put_u32(m, pubkey_auth_attempt)) != 0) 527 fatal_fr(r, "assemble"); 528 529 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, m); 530 531 debug3_f("waiting for MONITOR_ANS_KEYALLOWED"); 532 mm_request_receive_expect(pmonitor->m_recvfd, 533 MONITOR_ANS_KEYALLOWED, m); 534 535 if ((r = sshbuf_get_u32(m, &allowed)) != 0) 536 fatal_fr(r, "parse"); 537 if (allowed && type == MM_USERKEY && 538 (r = sshauthopt_deserialise(m, &opts)) != 0) 539 fatal_fr(r, "sshauthopt_deserialise"); 540 sshbuf_free(m); 541 542 if (authoptp != NULL) { 543 *authoptp = opts; 544 opts = NULL; 545 } 546 sshauthopt_free(opts); 547 548 return allowed; 549 } 550 551 /* 552 * This key verify needs to send the key type along, because the 553 * privileged parent makes the decision if the key is allowed 554 * for authentication. 555 */ 556 557 int 558 mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, 559 const u_char *data, size_t datalen, const char *sigalg, u_int compat, 560 struct sshkey_sig_details **sig_detailsp) 561 { 562 struct sshbuf *m; 563 u_int encoded_ret = 0; 564 int r; 565 u_char sig_details_present, flags; 566 u_int counter; 567 568 debug3_f("entering"); 569 570 if (sig_detailsp != NULL) 571 *sig_detailsp = NULL; 572 if ((m = sshbuf_new()) == NULL) 573 fatal_f("sshbuf_new failed"); 574 if ((r = sshkey_puts(key, m)) != 0 || 575 (r = sshbuf_put_string(m, sig, siglen)) != 0 || 576 (r = sshbuf_put_string(m, data, datalen)) != 0 || 577 (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) 578 fatal_fr(r, "assemble"); 579 580 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, m); 581 582 debug3_f("waiting for MONITOR_ANS_KEYVERIFY"); 583 mm_request_receive_expect(pmonitor->m_recvfd, 584 MONITOR_ANS_KEYVERIFY, m); 585 586 if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0 || 587 (r = sshbuf_get_u8(m, &sig_details_present)) != 0) 588 fatal_fr(r, "parse"); 589 if (sig_details_present && encoded_ret == 0) { 590 if ((r = sshbuf_get_u32(m, &counter)) != 0 || 591 (r = sshbuf_get_u8(m, &flags)) != 0) 592 fatal_fr(r, "parse sig_details"); 593 if (sig_detailsp != NULL) { 594 *sig_detailsp = xcalloc(1, sizeof(**sig_detailsp)); 595 (*sig_detailsp)->sk_counter = counter; 596 (*sig_detailsp)->sk_flags = flags; 597 } 598 } 599 600 sshbuf_free(m); 601 602 if (encoded_ret != 0) 603 return SSH_ERR_SIGNATURE_INVALID; 604 return 0; 605 } 606 607 void 608 mm_send_keystate(struct ssh *ssh, struct monitor *monitor) 609 { 610 struct sshbuf *m; 611 int r; 612 613 if ((m = sshbuf_new()) == NULL) 614 fatal_f("sshbuf_new failed"); 615 if ((r = ssh_packet_get_state(ssh, m)) != 0) 616 fatal_fr(r, "ssh_packet_get_state"); 617 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, m); 618 debug3_f("Finished sending state"); 619 sshbuf_free(m); 620 } 621 622 int 623 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) 624 { 625 struct sshbuf *m; 626 char *p, *msg; 627 u_int success = 0; 628 int tmp1 = -1, tmp2 = -1, r; 629 630 /* Kludge: ensure there are fds free to receive the pty/tty */ 631 if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || 632 (tmp2 = dup(pmonitor->m_recvfd)) == -1) { 633 error_f("cannot allocate fds for pty"); 634 if (tmp1 >= 0) 635 close(tmp1); 636 return 0; 637 } 638 close(tmp1); 639 close(tmp2); 640 641 if ((m = sshbuf_new()) == NULL) 642 fatal_f("sshbuf_new failed"); 643 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, m); 644 645 debug3_f("waiting for MONITOR_ANS_PTY"); 646 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, m); 647 648 if ((r = sshbuf_get_u32(m, &success)) != 0) 649 fatal_fr(r, "parse success"); 650 if (success == 0) { 651 debug3_f("pty alloc failed"); 652 sshbuf_free(m); 653 return (0); 654 } 655 if ((r = sshbuf_get_cstring(m, &p, NULL)) != 0 || 656 (r = sshbuf_get_cstring(m, &msg, NULL)) != 0) 657 fatal_fr(r, "parse"); 658 sshbuf_free(m); 659 660 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 661 free(p); 662 663 if ((r = sshbuf_put(loginmsg, msg, strlen(msg))) != 0) 664 fatal_fr(r, "put loginmsg"); 665 free(msg); 666 667 if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || 668 (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) 669 fatal_f("receive fds failed"); 670 671 /* Success */ 672 return (1); 673 } 674 675 void 676 mm_session_pty_cleanup2(Session *s) 677 { 678 struct sshbuf *m; 679 int r; 680 681 if (s->ttyfd == -1) 682 return; 683 if ((m = sshbuf_new()) == NULL) 684 fatal_f("sshbuf_new failed"); 685 if ((r = sshbuf_put_cstring(m, s->tty)) != 0) 686 fatal_fr(r, "assmble"); 687 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, m); 688 sshbuf_free(m); 689 690 /* closed dup'ed master */ 691 if (s->ptymaster != -1 && close(s->ptymaster) == -1) 692 error("close(s->ptymaster/%d): %s", 693 s->ptymaster, strerror(errno)); 694 695 /* unlink pty from session */ 696 s->ttyfd = -1; 697 } 698 699 #ifdef USE_PAM 700 void 701 mm_start_pam(struct ssh *ssh) 702 { 703 struct sshbuf *m; 704 705 debug3("%s entering", __func__); 706 if (!options.use_pam) 707 fatal("UsePAM=no, but ended up in %s anyway", __func__); 708 709 if ((m = sshbuf_new()) == NULL) 710 fatal("%s: sshbuf_new failed", __func__); 711 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, m); 712 713 sshbuf_free(m); 714 } 715 716 u_int 717 mm_do_pam_account(void) 718 { 719 struct sshbuf *m; 720 u_int ret; 721 size_t msglen; 722 char *msg; 723 int r; 724 725 debug3("%s entering", __func__); 726 if (!options.use_pam) 727 fatal("UsePAM=no, but ended up in %s anyway", __func__); 728 729 if ((m = sshbuf_new()) == NULL) 730 fatal("%s: sshbuf_new failed", __func__); 731 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, m); 732 733 mm_request_receive_expect(pmonitor->m_recvfd, 734 MONITOR_ANS_PAM_ACCOUNT, m); 735 if ((r = sshbuf_get_u32(m, &ret)) != 0 || 736 (r = sshbuf_get_cstring(m, &msg, &msglen)) != 0 || 737 (r = sshbuf_put(loginmsg, msg, msglen)) != 0) 738 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 739 740 free(msg); 741 sshbuf_free(m); 742 743 debug3("%s returning %d", __func__, ret); 744 745 return (ret); 746 } 747 748 void * 749 mm_sshpam_init_ctx(Authctxt *authctxt) 750 { 751 struct sshbuf *m; 752 u_int success; 753 int r; 754 755 debug3("%s", __func__); 756 if ((m = sshbuf_new()) == NULL) 757 fatal("%s: sshbuf_new failed", __func__); 758 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, m); 759 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 760 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, m); 761 if ((r = sshbuf_get_u32(m, &success)) != 0) 762 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 763 if (success == 0) { 764 debug3("%s: pam_init_ctx failed", __func__); 765 sshbuf_free(m); 766 return (NULL); 767 } 768 sshbuf_free(m); 769 return (authctxt); 770 } 771 772 int 773 mm_sshpam_query(void *ctx, char **name, char **info, 774 u_int *num, char ***prompts, u_int **echo_on) 775 { 776 struct sshbuf *m; 777 u_int i, n, ret; 778 int r; 779 780 debug3("%s", __func__); 781 if ((m = sshbuf_new()) == NULL) 782 fatal("%s: sshbuf_new failed", __func__); 783 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, m); 784 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); 785 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, m); 786 if ((r = sshbuf_get_u32(m, &ret)) != 0 || 787 (r = sshbuf_get_cstring(m, name, NULL)) != 0 || 788 (r = sshbuf_get_cstring(m, info, NULL)) != 0 || 789 (r = sshbuf_get_u32(m, &n)) != 0 || 790 (r = sshbuf_get_u32(m, num)) != 0) 791 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 792 debug3("%s: pam_query returned %d", __func__, ret); 793 sshpam_set_maxtries_reached(n); 794 if (*num > PAM_MAX_NUM_MSG) 795 fatal("%s: received %u PAM messages, expected <= %u", 796 __func__, *num, PAM_MAX_NUM_MSG); 797 *prompts = xcalloc((*num + 1), sizeof(char *)); 798 *echo_on = xcalloc((*num + 1), sizeof(u_int)); 799 for (i = 0; i < *num; ++i) { 800 if ((r = sshbuf_get_cstring(m, &((*prompts)[i]), NULL)) != 0 || 801 (r = sshbuf_get_u32(m, &((*echo_on)[i]))) != 0) 802 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 803 } 804 sshbuf_free(m); 805 return (ret); 806 } 807 808 int 809 mm_sshpam_respond(void *ctx, u_int num, char **resp) 810 { 811 struct sshbuf *m; 812 u_int n, i; 813 int r, ret; 814 815 debug3("%s", __func__); 816 if ((m = sshbuf_new()) == NULL) 817 fatal("%s: sshbuf_new failed", __func__); 818 if ((r = sshbuf_put_u32(m, num)) != 0) 819 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 820 for (i = 0; i < num; ++i) { 821 if ((r = sshbuf_put_cstring(m, resp[i])) != 0) 822 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 823 } 824 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, m); 825 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); 826 mm_request_receive_expect(pmonitor->m_recvfd, 827 MONITOR_ANS_PAM_RESPOND, m); 828 if ((r = sshbuf_get_u32(m, &n)) != 0) 829 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 830 ret = (int)n; /* XXX */ 831 debug3("%s: pam_respond returned %d", __func__, ret); 832 sshbuf_free(m); 833 return (ret); 834 } 835 836 void 837 mm_sshpam_free_ctx(void *ctxtp) 838 { 839 struct sshbuf *m; 840 841 debug3("%s", __func__); 842 if ((m = sshbuf_new()) == NULL) 843 fatal("%s: sshbuf_new failed", __func__); 844 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, m); 845 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); 846 mm_request_receive_expect(pmonitor->m_recvfd, 847 MONITOR_ANS_PAM_FREE_CTX, m); 848 sshbuf_free(m); 849 } 850 #endif /* USE_PAM */ 851 852 /* Request process termination */ 853 854 void 855 mm_terminate(void) 856 { 857 struct sshbuf *m; 858 859 if ((m = sshbuf_new()) == NULL) 860 fatal_f("sshbuf_new failed"); 861 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, m); 862 sshbuf_free(m); 863 } 864 865 #if defined(BSD_AUTH) || defined(SKEY) 866 static void 867 mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 868 char ***prompts, u_int **echo_on) 869 { 870 *name = xstrdup(""); 871 *infotxt = xstrdup(""); 872 *numprompts = 1; 873 *prompts = xcalloc(*numprompts, sizeof(char *)); 874 *echo_on = xcalloc(*numprompts, sizeof(u_int)); 875 (*echo_on)[0] = 0; 876 } 877 878 #ifdef BSD_AUTH 879 int 880 mm_bsdauth_query(void *ctx, char **name, char **infotxt, 881 u_int *numprompts, char ***prompts, u_int **echo_on) 882 { 883 struct sshbuf *m; 884 u_int success; 885 char *challenge; 886 int r; 887 888 debug3_f("entering"); 889 890 if ((m = sshbuf_new()) == NULL) 891 fatal_f("sshbuf_new failed"); 892 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, m); 893 894 mm_request_receive_expect(pmonitor->m_recvfd, 895 MONITOR_ANS_BSDAUTHQUERY, m); 896 if ((r = sshbuf_get_u32(m, &success)) != 0) 897 fatal_fr(r, "parse success"); 898 if (success == 0) { 899 debug3_f("no challenge"); 900 sshbuf_free(m); 901 return (-1); 902 } 903 904 /* Get the challenge, and format the response */ 905 if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0) 906 fatal_fr(r, "parse challenge"); 907 sshbuf_free(m); 908 909 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 910 (*prompts)[0] = challenge; 911 912 debug3_f("received challenge: %s", challenge); 913 914 return (0); 915 } 916 917 int 918 mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 919 { 920 struct sshbuf *m; 921 int r, authok; 922 923 debug3_f("entering"); 924 if (numresponses != 1) 925 return (-1); 926 927 if ((m = sshbuf_new()) == NULL) 928 fatal_f("sshbuf_new failed"); 929 if ((r = sshbuf_put_cstring(m, responses[0])) != 0) 930 fatal_fr(r, "assemble"); 931 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, m); 932 933 mm_request_receive_expect(pmonitor->m_recvfd, 934 MONITOR_ANS_BSDAUTHRESPOND, m); 935 936 if ((r = sshbuf_get_u32(m, &authok)) != 0) 937 fatal_fr(r, "parse"); 938 sshbuf_free(m); 939 940 return ((authok == 0) ? -1 : 0); 941 } 942 #endif 943 944 #ifdef SKEY 945 int 946 mm_skey_query(void *ctx, char **name, char **infotxt, 947 u_int *numprompts, char ***prompts, u_int **echo_on) 948 { 949 struct sshbuf m; 950 u_int success; 951 char *challenge; 952 953 debug3("%s: entering", __func__); 954 955 sshbuf_new(&m); 956 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m); 957 958 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, 959 &m); 960 success = sshbuf_get_int(&m); 961 if (success == 0) { 962 debug3("%s: no challenge", __func__); 963 sshbuf_free(&m); 964 return (-1); 965 } 966 967 /* Get the challenge, and format the response */ 968 challenge = sshbuf_get_string(&m, NULL); 969 sshbuf_free(&m); 970 971 debug3("%s: received challenge: %s", __func__, challenge); 972 973 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 974 975 xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); 976 free(challenge); 977 978 return (0); 979 } 980 981 int 982 mm_skey_respond(void *ctx, u_int numresponses, char **responses) 983 { 984 struct sshbuf m; 985 int authok; 986 987 debug3("%s: entering", __func__); 988 if (numresponses != 1) 989 return (-1); 990 991 sshbuf_new(&m); 992 sshbuf_put_cstring(&m, responses[0]); 993 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m); 994 995 mm_request_receive_expect(pmonitor->m_recvfd, 996 MONITOR_ANS_SKEYRESPOND, &m); 997 998 authok = sshbuf_get_int(&m); 999 sshbuf_free(&m); 1000 1001 return ((authok == 0) ? -1 : 0); 1002 } 1003 #endif /* SKEY */ 1004 #endif /* BSDAUTH || SKEY */ 1005 1006 #ifdef GSSAPI 1007 OM_uint32 1008 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) 1009 { 1010 struct sshbuf *m; 1011 OM_uint32 major; 1012 int r; 1013 1014 /* Client doesn't get to see the context */ 1015 *ctx = NULL; 1016 1017 if ((m = sshbuf_new()) == NULL) 1018 fatal_f("sshbuf_new failed"); 1019 if ((r = sshbuf_put_string(m, goid->elements, goid->length)) != 0) 1020 fatal_fr(r, "assemble"); 1021 1022 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, m); 1023 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, m); 1024 1025 if ((r = sshbuf_get_u32(m, &major)) != 0) 1026 fatal_fr(r, "parse"); 1027 1028 sshbuf_free(m); 1029 return (major); 1030 } 1031 1032 OM_uint32 1033 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 1034 gss_buffer_desc *out, OM_uint32 *flagsp) 1035 { 1036 struct sshbuf *m; 1037 OM_uint32 major; 1038 u_int flags; 1039 int r; 1040 1041 if ((m = sshbuf_new()) == NULL) 1042 fatal_f("sshbuf_new failed"); 1043 if ((r = sshbuf_put_string(m, in->value, in->length)) != 0) 1044 fatal_fr(r, "assemble"); 1045 1046 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, m); 1047 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, m); 1048 1049 if ((r = sshbuf_get_u32(m, &major)) != 0 || 1050 (r = ssh_gssapi_get_buffer_desc(m, out)) != 0) 1051 fatal_fr(r, "parse"); 1052 if (flagsp != NULL) { 1053 if ((r = sshbuf_get_u32(m, &flags)) != 0) 1054 fatal_fr(r, "parse flags"); 1055 *flagsp = flags; 1056 } 1057 1058 sshbuf_free(m); 1059 1060 return (major); 1061 } 1062 1063 OM_uint32 1064 mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 1065 { 1066 struct sshbuf *m; 1067 OM_uint32 major; 1068 int r; 1069 1070 if ((m = sshbuf_new()) == NULL) 1071 fatal_f("sshbuf_new failed"); 1072 if ((r = sshbuf_put_string(m, gssbuf->value, gssbuf->length)) != 0 || 1073 (r = sshbuf_put_string(m, gssmic->value, gssmic->length)) != 0) 1074 fatal_fr(r, "assemble"); 1075 1076 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, m); 1077 mm_request_receive_expect(pmonitor->m_recvfd, 1078 MONITOR_ANS_GSSCHECKMIC, m); 1079 1080 if ((r = sshbuf_get_u32(m, &major)) != 0) 1081 fatal_fr(r, "parse"); 1082 sshbuf_free(m); 1083 return(major); 1084 } 1085 1086 int 1087 mm_ssh_gssapi_userok(char *user) 1088 { 1089 struct sshbuf *m; 1090 int r; 1091 u_int authenticated = 0; 1092 1093 if ((m = sshbuf_new()) == NULL) 1094 fatal_f("sshbuf_new failed"); 1095 1096 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); 1097 mm_request_receive_expect(pmonitor->m_recvfd, 1098 MONITOR_ANS_GSSUSEROK, m); 1099 1100 if ((r = sshbuf_get_u32(m, &authenticated)) != 0) 1101 fatal_fr(r, "parse"); 1102 1103 sshbuf_free(m); 1104 debug3_f("user %sauthenticated", authenticated ? "" : "not "); 1105 return (authenticated); 1106 } 1107 #endif /* GSSAPI */ 1108 1109 #ifdef KRB5 1110 int 1111 mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) 1112 { 1113 krb5_data *tkt, *reply; 1114 struct sshbuf *m; 1115 u_int success; 1116 int r; 1117 1118 debug3("%s entering", __func__); 1119 tkt = (krb5_data *) argp; 1120 reply = (krb5_data *) resp; 1121 1122 if ((m = sshbuf_new()) == NULL) 1123 fatal("%s: sshbuf_new failed", __func__); 1124 sshbuf_put_string(m, tkt->data, tkt->length); 1125 1126 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, m); 1127 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, m); 1128 1129 if ((r = sshbuf_get_u32(m, &success)) != 0) 1130 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1131 if (success) { 1132 size_t len; 1133 u_char *data; 1134 1135 if ((r = sshbuf_get_cstring(m, userp, NULL)) != 0 || 1136 (r = sshbuf_get_string(m, &data, &len)) != 0) 1137 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1138 reply->data = data; 1139 reply->length = len; 1140 } else { 1141 memset(reply, 0, sizeof(*reply)); 1142 *userp = NULL; 1143 } 1144 1145 sshbuf_free(m); 1146 return (success); 1147 } 1148 #endif 1149 1150 /* 1151 * Inform channels layer of permitopen options for a single forwarding 1152 * direction (local/remote). 1153 */ 1154 static void 1155 server_process_permitopen_list(struct ssh *ssh, int listen, 1156 char **opens, u_int num_opens) 1157 { 1158 u_int i; 1159 int port; 1160 char *host, *arg, *oarg; 1161 int where = listen ? FORWARD_REMOTE : FORWARD_LOCAL; 1162 const char *what = listen ? "permitlisten" : "permitopen"; 1163 1164 channel_clear_permission(ssh, FORWARD_ADM, where); 1165 if (num_opens == 0) 1166 return; /* permit any */ 1167 1168 /* handle keywords: "any" / "none" */ 1169 if (num_opens == 1 && strcmp(opens[0], "any") == 0) 1170 return; 1171 if (num_opens == 1 && strcmp(opens[0], "none") == 0) { 1172 channel_disable_admin(ssh, where); 1173 return; 1174 } 1175 /* Otherwise treat it as a list of permitted host:port */ 1176 for (i = 0; i < num_opens; i++) { 1177 oarg = arg = xstrdup(opens[i]); 1178 host = hpdelim(&arg); 1179 if (host == NULL) 1180 fatal_f("missing host in %s", what); 1181 host = cleanhostname(host); 1182 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1183 fatal_f("bad port number in %s", what); 1184 /* Send it to channels layer */ 1185 channel_add_permission(ssh, FORWARD_ADM, 1186 where, host, port); 1187 free(oarg); 1188 } 1189 } 1190 1191 /* 1192 * Inform channels layer of permitopen options from configuration. 1193 */ 1194 void 1195 server_process_permitopen(struct ssh *ssh) 1196 { 1197 server_process_permitopen_list(ssh, 0, 1198 options.permitted_opens, options.num_permitted_opens); 1199 server_process_permitopen_list(ssh, 1, 1200 options.permitted_listens, options.num_permitted_listens); 1201 } 1202 1203 void 1204 server_process_channel_timeouts(struct ssh *ssh) 1205 { 1206 u_int i; 1207 int secs; 1208 char *type; 1209 1210 debug3_f("setting %u timeouts", options.num_channel_timeouts); 1211 channel_clear_timeouts(ssh); 1212 for (i = 0; i < options.num_channel_timeouts; i++) { 1213 if (parse_pattern_interval(options.channel_timeouts[i], 1214 &type, &secs) != 0) { 1215 fatal_f("internal error: bad timeout %s", 1216 options.channel_timeouts[i]); 1217 } 1218 channel_add_timeout(ssh, type, secs); 1219 free(type); 1220 } 1221 } 1222 1223 struct connection_info * 1224 server_get_connection_info(struct ssh *ssh, int populate, int use_dns) 1225 { 1226 static struct connection_info ci; 1227 1228 if (ssh == NULL || !populate) 1229 return &ci; 1230 ci.host = use_dns ? ssh_remote_hostname(ssh) : ssh_remote_ipaddr(ssh); 1231 ci.address = ssh_remote_ipaddr(ssh); 1232 ci.laddress = ssh_local_ipaddr(ssh); 1233 ci.lport = ssh_local_port(ssh); 1234 ci.rdomain = ssh_packet_rdomain_in(ssh); 1235 return &ci; 1236 } 1237 1238