1 /* $OpenBSD: monitor.c,v 1.165 2016/09/05 13:57:31 djm Exp $ */ 2 /* 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <sys/wait.h> 30 #include <sys/socket.h> 31 #include <sys/tree.h> 32 #include <sys/queue.h> 33 34 #ifdef WITH_OPENSSL 35 #include <openssl/dh.h> 36 #endif 37 38 #include <errno.h> 39 #include <fcntl.h> 40 #include <limits.h> 41 #include <paths.h> 42 #include <poll.h> 43 #include <pwd.h> 44 #include <signal.h> 45 #include <stdarg.h> 46 #include <stdint.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 51 #include "atomicio.h" 52 #include "xmalloc.h" 53 #include "ssh.h" 54 #include "key.h" 55 #include "buffer.h" 56 #include "hostfile.h" 57 #include "auth.h" 58 #include "cipher.h" 59 #include "kex.h" 60 #include "dh.h" 61 #include <zlib.h> 62 #include "packet.h" 63 #include "auth-options.h" 64 #include "sshpty.h" 65 #include "channels.h" 66 #include "session.h" 67 #include "sshlogin.h" 68 #include "canohost.h" 69 #include "log.h" 70 #include "misc.h" 71 #include "servconf.h" 72 #include "monitor.h" 73 #include "monitor_mm.h" 74 #ifdef GSSAPI 75 #include "ssh-gss.h" 76 #endif 77 #include "monitor_wrap.h" 78 #include "monitor_fdpass.h" 79 #include "compat.h" 80 #include "ssh2.h" 81 #include "authfd.h" 82 #include "match.h" 83 #include "ssherr.h" 84 85 #ifdef GSSAPI 86 static Gssctxt *gsscontext = NULL; 87 #endif 88 89 /* Imports */ 90 extern ServerOptions options; 91 extern u_int utmp_len; 92 extern u_char session_id[]; 93 extern Buffer auth_debug; 94 extern int auth_debug_init; 95 extern Buffer loginmsg; 96 97 /* State exported from the child */ 98 static struct sshbuf *child_state; 99 100 /* Functions on the monitor that answer unprivileged requests */ 101 102 int mm_answer_moduli(int, Buffer *); 103 int mm_answer_sign(int, Buffer *); 104 int mm_answer_pwnamallow(int, Buffer *); 105 int mm_answer_auth2_read_banner(int, Buffer *); 106 int mm_answer_authserv(int, Buffer *); 107 int mm_answer_authpassword(int, Buffer *); 108 int mm_answer_bsdauthquery(int, Buffer *); 109 int mm_answer_bsdauthrespond(int, Buffer *); 110 int mm_answer_skeyquery(int, Buffer *); 111 int mm_answer_skeyrespond(int, Buffer *); 112 int mm_answer_keyallowed(int, Buffer *); 113 int mm_answer_keyverify(int, Buffer *); 114 int mm_answer_pty(int, Buffer *); 115 int mm_answer_pty_cleanup(int, Buffer *); 116 int mm_answer_term(int, Buffer *); 117 int mm_answer_rsa_keyallowed(int, Buffer *); 118 int mm_answer_rsa_challenge(int, Buffer *); 119 int mm_answer_rsa_response(int, Buffer *); 120 int mm_answer_sesskey(int, Buffer *); 121 int mm_answer_sessid(int, Buffer *); 122 123 #ifdef GSSAPI 124 int mm_answer_gss_setup_ctx(int, Buffer *); 125 int mm_answer_gss_accept_ctx(int, Buffer *); 126 int mm_answer_gss_userok(int, Buffer *); 127 int mm_answer_gss_checkmic(int, Buffer *); 128 #endif 129 130 static int monitor_read_log(struct monitor *); 131 132 static Authctxt *authctxt; 133 134 /* local state for key verify */ 135 static u_char *key_blob = NULL; 136 static u_int key_bloblen = 0; 137 static int key_blobtype = MM_NOKEY; 138 static char *hostbased_cuser = NULL; 139 static char *hostbased_chost = NULL; 140 static char *auth_method = "unknown"; 141 static char *auth_submethod = NULL; 142 static u_int session_id2_len = 0; 143 static u_char *session_id2 = NULL; 144 static pid_t monitor_child_pid; 145 146 struct mon_table { 147 enum monitor_reqtype type; 148 int flags; 149 int (*f)(int, Buffer *); 150 }; 151 152 #define MON_ISAUTH 0x0004 /* Required for Authentication */ 153 #define MON_AUTHDECIDE 0x0008 /* Decides Authentication */ 154 #define MON_ONCE 0x0010 /* Disable after calling */ 155 #define MON_ALOG 0x0020 /* Log auth attempt without authenticating */ 156 157 #define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE) 158 159 #define MON_PERMIT 0x1000 /* Request is permitted */ 160 161 struct mon_table mon_dispatch_proto20[] = { 162 #ifdef WITH_OPENSSL 163 {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, 164 #endif 165 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 166 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 167 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 168 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 169 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 170 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 171 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond}, 172 {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, 173 {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, 174 #ifdef GSSAPI 175 {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, 176 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, 177 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, 178 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, 179 #endif 180 {0, 0, NULL} 181 }; 182 183 struct mon_table mon_dispatch_postauth20[] = { 184 #ifdef WITH_OPENSSL 185 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 186 #endif 187 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 188 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 189 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, 190 {MONITOR_REQ_TERM, 0, mm_answer_term}, 191 {0, 0, NULL} 192 }; 193 194 struct mon_table *mon_dispatch; 195 196 /* Specifies if a certain message is allowed at the moment */ 197 198 static void 199 monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit) 200 { 201 while (ent->f != NULL) { 202 if (ent->type == type) { 203 ent->flags &= ~MON_PERMIT; 204 ent->flags |= permit ? MON_PERMIT : 0; 205 return; 206 } 207 ent++; 208 } 209 } 210 211 static void 212 monitor_permit_authentications(int permit) 213 { 214 struct mon_table *ent = mon_dispatch; 215 216 while (ent->f != NULL) { 217 if (ent->flags & MON_AUTH) { 218 ent->flags &= ~MON_PERMIT; 219 ent->flags |= permit ? MON_PERMIT : 0; 220 } 221 ent++; 222 } 223 } 224 225 void 226 monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 227 { 228 struct mon_table *ent; 229 int authenticated = 0, partial = 0; 230 231 debug3("preauth child monitor started"); 232 233 close(pmonitor->m_recvfd); 234 close(pmonitor->m_log_sendfd); 235 pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; 236 237 authctxt = _authctxt; 238 memset(authctxt, 0, sizeof(*authctxt)); 239 240 mon_dispatch = mon_dispatch_proto20; 241 /* Permit requests for moduli and signatures */ 242 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 243 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 244 245 /* The first few requests do not require asynchronous access */ 246 while (!authenticated) { 247 partial = 0; 248 auth_method = "unknown"; 249 auth_submethod = NULL; 250 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); 251 252 /* Special handling for multiple required authentications */ 253 if (options.num_auth_methods != 0) { 254 if (authenticated && 255 !auth2_update_methods_lists(authctxt, 256 auth_method, auth_submethod)) { 257 debug3("%s: method %s: partial", __func__, 258 auth_method); 259 authenticated = 0; 260 partial = 1; 261 } 262 } 263 264 if (authenticated) { 265 if (!(ent->flags & MON_AUTHDECIDE)) 266 fatal("%s: unexpected authentication from %d", 267 __func__, ent->type); 268 if (authctxt->pw->pw_uid == 0 && 269 !auth_root_allowed(auth_method)) 270 authenticated = 0; 271 } 272 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 273 auth_log(authctxt, authenticated, partial, 274 auth_method, auth_submethod); 275 if (!partial && !authenticated) 276 authctxt->failures++; 277 } 278 } 279 280 if (!authctxt->valid) 281 fatal("%s: authenticated invalid user", __func__); 282 if (strcmp(auth_method, "unknown") == 0) 283 fatal("%s: authentication method name unknown", __func__); 284 285 debug("%s: %s has been authenticated by privileged process", 286 __func__, authctxt->user); 287 288 mm_get_keystate(pmonitor); 289 290 /* Drain any buffered messages from the child */ 291 while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) 292 ; 293 294 close(pmonitor->m_sendfd); 295 close(pmonitor->m_log_recvfd); 296 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; 297 } 298 299 static void 300 monitor_set_child_handler(pid_t pid) 301 { 302 monitor_child_pid = pid; 303 } 304 305 static void 306 monitor_child_handler(int sig) 307 { 308 kill(monitor_child_pid, sig); 309 } 310 311 void 312 monitor_child_postauth(struct monitor *pmonitor) 313 { 314 close(pmonitor->m_recvfd); 315 pmonitor->m_recvfd = -1; 316 317 monitor_set_child_handler(pmonitor->m_pid); 318 signal(SIGHUP, &monitor_child_handler); 319 signal(SIGTERM, &monitor_child_handler); 320 signal(SIGINT, &monitor_child_handler); 321 322 mon_dispatch = mon_dispatch_postauth20; 323 324 /* Permit requests for moduli and signatures */ 325 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 326 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 327 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 328 329 if (!no_pty_flag) { 330 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 331 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 332 } 333 334 for (;;) 335 monitor_read(pmonitor, mon_dispatch, NULL); 336 } 337 338 void 339 monitor_sync(struct monitor *pmonitor) 340 { 341 if (options.compression) { 342 /* The member allocation is not visible, so sync it */ 343 mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback); 344 } 345 } 346 347 /* Allocation functions for zlib */ 348 static void * 349 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) 350 { 351 if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size) 352 fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); 353 354 return mm_malloc(mm, size * ncount); 355 } 356 357 static void 358 mm_zfree(struct mm_master *mm, void *address) 359 { 360 mm_free(mm, address); 361 } 362 363 static int 364 monitor_read_log(struct monitor *pmonitor) 365 { 366 Buffer logmsg; 367 u_int len, level; 368 char *msg; 369 370 buffer_init(&logmsg); 371 372 /* Read length */ 373 buffer_append_space(&logmsg, 4); 374 if (atomicio(read, pmonitor->m_log_recvfd, 375 buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) { 376 if (errno == EPIPE) { 377 buffer_free(&logmsg); 378 debug("%s: child log fd closed", __func__); 379 close(pmonitor->m_log_recvfd); 380 pmonitor->m_log_recvfd = -1; 381 return -1; 382 } 383 fatal("%s: log fd read: %s", __func__, strerror(errno)); 384 } 385 len = buffer_get_int(&logmsg); 386 if (len <= 4 || len > 8192) 387 fatal("%s: invalid log message length %u", __func__, len); 388 389 /* Read severity, message */ 390 buffer_clear(&logmsg); 391 buffer_append_space(&logmsg, len); 392 if (atomicio(read, pmonitor->m_log_recvfd, 393 buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) 394 fatal("%s: log fd read: %s", __func__, strerror(errno)); 395 396 /* Log it */ 397 level = buffer_get_int(&logmsg); 398 msg = buffer_get_string(&logmsg, NULL); 399 if (log_level_name(level) == NULL) 400 fatal("%s: invalid log level %u (corrupted message?)", 401 __func__, level); 402 do_log2(level, "%s [preauth]", msg); 403 404 buffer_free(&logmsg); 405 free(msg); 406 407 return 0; 408 } 409 410 int 411 monitor_read(struct monitor *pmonitor, struct mon_table *ent, 412 struct mon_table **pent) 413 { 414 Buffer m; 415 int ret; 416 u_char type; 417 struct pollfd pfd[2]; 418 419 for (;;) { 420 memset(&pfd, 0, sizeof(pfd)); 421 pfd[0].fd = pmonitor->m_sendfd; 422 pfd[0].events = POLLIN; 423 pfd[1].fd = pmonitor->m_log_recvfd; 424 pfd[1].events = pfd[1].fd == -1 ? 0 : POLLIN; 425 if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) { 426 if (errno == EINTR || errno == EAGAIN) 427 continue; 428 fatal("%s: poll: %s", __func__, strerror(errno)); 429 } 430 if (pfd[1].revents) { 431 /* 432 * Drain all log messages before processing next 433 * monitor request. 434 */ 435 monitor_read_log(pmonitor); 436 continue; 437 } 438 if (pfd[0].revents) 439 break; /* Continues below */ 440 } 441 442 buffer_init(&m); 443 444 mm_request_receive(pmonitor->m_sendfd, &m); 445 type = buffer_get_char(&m); 446 447 debug3("%s: checking request %d", __func__, type); 448 449 while (ent->f != NULL) { 450 if (ent->type == type) 451 break; 452 ent++; 453 } 454 455 if (ent->f != NULL) { 456 if (!(ent->flags & MON_PERMIT)) 457 fatal("%s: unpermitted request %d", __func__, 458 type); 459 ret = (*ent->f)(pmonitor->m_sendfd, &m); 460 buffer_free(&m); 461 462 /* The child may use this request only once, disable it */ 463 if (ent->flags & MON_ONCE) { 464 debug2("%s: %d used once, disabling now", __func__, 465 type); 466 ent->flags &= ~MON_PERMIT; 467 } 468 469 if (pent != NULL) 470 *pent = ent; 471 472 return ret; 473 } 474 475 fatal("%s: unsupported request: %d", __func__, type); 476 477 /* NOTREACHED */ 478 return (-1); 479 } 480 481 /* allowed key state */ 482 static int 483 monitor_allowed_key(u_char *blob, u_int bloblen) 484 { 485 /* make sure key is allowed */ 486 if (key_blob == NULL || key_bloblen != bloblen || 487 timingsafe_bcmp(key_blob, blob, key_bloblen)) 488 return (0); 489 return (1); 490 } 491 492 static void 493 monitor_reset_key_state(void) 494 { 495 /* reset state */ 496 free(key_blob); 497 free(hostbased_cuser); 498 free(hostbased_chost); 499 key_blob = NULL; 500 key_bloblen = 0; 501 key_blobtype = MM_NOKEY; 502 hostbased_cuser = NULL; 503 hostbased_chost = NULL; 504 } 505 506 #ifdef WITH_OPENSSL 507 int 508 mm_answer_moduli(int sock, Buffer *m) 509 { 510 DH *dh; 511 int min, want, max; 512 513 min = buffer_get_int(m); 514 want = buffer_get_int(m); 515 max = buffer_get_int(m); 516 517 debug3("%s: got parameters: %d %d %d", 518 __func__, min, want, max); 519 /* We need to check here, too, in case the child got corrupted */ 520 if (max < min || want < min || max < want) 521 fatal("%s: bad parameters: %d %d %d", 522 __func__, min, want, max); 523 524 buffer_clear(m); 525 526 dh = choose_dh(min, want, max); 527 if (dh == NULL) { 528 buffer_put_char(m, 0); 529 return (0); 530 } else { 531 /* Send first bignum */ 532 buffer_put_char(m, 1); 533 buffer_put_bignum2(m, dh->p); 534 buffer_put_bignum2(m, dh->g); 535 536 DH_free(dh); 537 } 538 mm_request_send(sock, MONITOR_ANS_MODULI, m); 539 return (0); 540 } 541 #endif 542 543 int 544 mm_answer_sign(int sock, Buffer *m) 545 { 546 struct ssh *ssh = active_state; /* XXX */ 547 extern int auth_sock; /* XXX move to state struct? */ 548 struct sshkey *key; 549 struct sshbuf *sigbuf = NULL; 550 u_char *p = NULL, *signature = NULL; 551 char *alg = NULL; 552 size_t datlen, siglen, alglen; 553 int r, is_proof = 0; 554 u_int keyid; 555 const char proof_req[] = "hostkeys-prove-00@openssh.com"; 556 557 debug3("%s", __func__); 558 559 if ((r = sshbuf_get_u32(m, &keyid)) != 0 || 560 (r = sshbuf_get_string(m, &p, &datlen)) != 0 || 561 (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) 562 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 563 if (keyid > INT_MAX) 564 fatal("%s: invalid key ID", __func__); 565 566 /* 567 * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes), 568 * SHA384 (48 bytes) and SHA512 (64 bytes). 569 * 570 * Otherwise, verify the signature request is for a hostkey 571 * proof. 572 * 573 * XXX perform similar check for KEX signature requests too? 574 * it's not trivial, since what is signed is the hash, rather 575 * than the full kex structure... 576 */ 577 if (datlen != 20 && datlen != 32 && datlen != 48 && datlen != 64) { 578 /* 579 * Construct expected hostkey proof and compare it to what 580 * the client sent us. 581 */ 582 if (session_id2_len == 0) /* hostkeys is never first */ 583 fatal("%s: bad data length: %zu", __func__, datlen); 584 if ((key = get_hostkey_public_by_index(keyid, ssh)) == NULL) 585 fatal("%s: no hostkey for index %d", __func__, keyid); 586 if ((sigbuf = sshbuf_new()) == NULL) 587 fatal("%s: sshbuf_new", __func__); 588 if ((r = sshbuf_put_cstring(sigbuf, proof_req)) != 0 || 589 (r = sshbuf_put_string(sigbuf, session_id2, 590 session_id2_len)) != 0 || 591 (r = sshkey_puts(key, sigbuf)) != 0) 592 fatal("%s: couldn't prepare private key " 593 "proof buffer: %s", __func__, ssh_err(r)); 594 if (datlen != sshbuf_len(sigbuf) || 595 memcmp(p, sshbuf_ptr(sigbuf), sshbuf_len(sigbuf)) != 0) 596 fatal("%s: bad data length: %zu, hostkey proof len %zu", 597 __func__, datlen, sshbuf_len(sigbuf)); 598 sshbuf_free(sigbuf); 599 is_proof = 1; 600 } 601 602 /* save session id, it will be passed on the first call */ 603 if (session_id2_len == 0) { 604 session_id2_len = datlen; 605 session_id2 = xmalloc(session_id2_len); 606 memcpy(session_id2, p, session_id2_len); 607 } 608 609 if ((key = get_hostkey_by_index(keyid)) != NULL) { 610 if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, 611 datafellows)) != 0) 612 fatal("%s: sshkey_sign failed: %s", 613 __func__, ssh_err(r)); 614 } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && 615 auth_sock > 0) { 616 if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, 617 p, datlen, alg, datafellows)) != 0) { 618 fatal("%s: ssh_agent_sign failed: %s", 619 __func__, ssh_err(r)); 620 } 621 } else 622 fatal("%s: no hostkey from index %d", __func__, keyid); 623 624 debug3("%s: %s signature %p(%zu)", __func__, 625 is_proof ? "KEX" : "hostkey proof", signature, siglen); 626 627 sshbuf_reset(m); 628 if ((r = sshbuf_put_string(m, signature, siglen)) != 0) 629 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 630 631 free(alg); 632 free(p); 633 free(signature); 634 635 mm_request_send(sock, MONITOR_ANS_SIGN, m); 636 637 /* Turn on permissions for getpwnam */ 638 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); 639 640 return (0); 641 } 642 643 /* Retrieves the password entry and also checks if the user is permitted */ 644 645 int 646 mm_answer_pwnamallow(int sock, Buffer *m) 647 { 648 char *username; 649 struct passwd *pwent; 650 int allowed = 0; 651 u_int i; 652 653 debug3("%s", __func__); 654 655 if (authctxt->attempt++ != 0) 656 fatal("%s: multiple attempts for getpwnam", __func__); 657 658 username = buffer_get_string(m, NULL); 659 660 pwent = getpwnamallow(username); 661 662 authctxt->user = xstrdup(username); 663 setproctitle("%s [priv]", pwent ? username : "unknown"); 664 free(username); 665 666 buffer_clear(m); 667 668 if (pwent == NULL) { 669 buffer_put_char(m, 0); 670 authctxt->pw = fakepw(); 671 goto out; 672 } 673 674 allowed = 1; 675 authctxt->pw = pwent; 676 authctxt->valid = 1; 677 678 buffer_put_char(m, 1); 679 buffer_put_string(m, pwent, sizeof(struct passwd)); 680 buffer_put_cstring(m, pwent->pw_name); 681 buffer_put_cstring(m, "*"); 682 buffer_put_cstring(m, pwent->pw_gecos); 683 buffer_put_cstring(m, pwent->pw_class); 684 buffer_put_cstring(m, pwent->pw_dir); 685 buffer_put_cstring(m, pwent->pw_shell); 686 687 out: 688 buffer_put_string(m, &options, sizeof(options)); 689 690 #define M_CP_STROPT(x) do { \ 691 if (options.x != NULL) \ 692 buffer_put_cstring(m, options.x); \ 693 } while (0) 694 #define M_CP_STRARRAYOPT(x, nx) do { \ 695 for (i = 0; i < options.nx; i++) \ 696 buffer_put_cstring(m, options.x[i]); \ 697 } while (0) 698 /* See comment in servconf.h */ 699 COPY_MATCH_STRING_OPTS(); 700 #undef M_CP_STROPT 701 #undef M_CP_STRARRAYOPT 702 703 /* Create valid auth method lists */ 704 if (auth2_setup_methods_lists(authctxt) != 0) { 705 /* 706 * The monitor will continue long enough to let the child 707 * run to it's packet_disconnect(), but it must not allow any 708 * authentication to succeed. 709 */ 710 debug("%s: no valid authentication method lists", __func__); 711 } 712 713 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); 714 mm_request_send(sock, MONITOR_ANS_PWNAM, m); 715 716 /* Allow service/style information on the auth context */ 717 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 718 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 719 720 return (0); 721 } 722 723 int mm_answer_auth2_read_banner(int sock, Buffer *m) 724 { 725 char *banner; 726 727 buffer_clear(m); 728 banner = auth2_read_banner(); 729 buffer_put_cstring(m, banner != NULL ? banner : ""); 730 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); 731 free(banner); 732 733 return (0); 734 } 735 736 int 737 mm_answer_authserv(int sock, Buffer *m) 738 { 739 monitor_permit_authentications(1); 740 741 authctxt->service = buffer_get_string(m, NULL); 742 authctxt->style = buffer_get_string(m, NULL); 743 debug3("%s: service=%s, style=%s", 744 __func__, authctxt->service, authctxt->style); 745 746 if (strlen(authctxt->style) == 0) { 747 free(authctxt->style); 748 authctxt->style = NULL; 749 } 750 751 return (0); 752 } 753 754 int 755 mm_answer_authpassword(int sock, Buffer *m) 756 { 757 static int call_count; 758 char *passwd; 759 int authenticated; 760 u_int plen; 761 762 if (!options.password_authentication) 763 fatal("%s: password authentication not enabled", __func__); 764 passwd = buffer_get_string(m, &plen); 765 /* Only authenticate if the context is valid */ 766 authenticated = options.password_authentication && 767 auth_password(authctxt, passwd); 768 explicit_bzero(passwd, strlen(passwd)); 769 free(passwd); 770 771 buffer_clear(m); 772 buffer_put_int(m, authenticated); 773 774 debug3("%s: sending result %d", __func__, authenticated); 775 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m); 776 777 call_count++; 778 if (plen == 0 && call_count == 1) 779 auth_method = "none"; 780 else 781 auth_method = "password"; 782 783 /* Causes monitor loop to terminate if authenticated */ 784 return (authenticated); 785 } 786 787 int 788 mm_answer_bsdauthquery(int sock, Buffer *m) 789 { 790 char *name, *infotxt; 791 u_int numprompts; 792 u_int *echo_on; 793 char **prompts; 794 u_int success; 795 796 if (!options.kbd_interactive_authentication) 797 fatal("%s: kbd-int authentication not enabled", __func__); 798 success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, 799 &prompts, &echo_on) < 0 ? 0 : 1; 800 801 buffer_clear(m); 802 buffer_put_int(m, success); 803 if (success) 804 buffer_put_cstring(m, prompts[0]); 805 806 debug3("%s: sending challenge success: %u", __func__, success); 807 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); 808 809 if (success) { 810 free(name); 811 free(infotxt); 812 free(prompts); 813 free(echo_on); 814 } 815 816 return (0); 817 } 818 819 int 820 mm_answer_bsdauthrespond(int sock, Buffer *m) 821 { 822 char *response; 823 int authok; 824 825 if (!options.kbd_interactive_authentication) 826 fatal("%s: kbd-int authentication not enabled", __func__); 827 if (authctxt->as == NULL) 828 fatal("%s: no bsd auth session", __func__); 829 830 response = buffer_get_string(m, NULL); 831 authok = options.challenge_response_authentication && 832 auth_userresponse(authctxt->as, response, 0); 833 authctxt->as = NULL; 834 debug3("%s: <%s> = <%d>", __func__, response, authok); 835 free(response); 836 837 buffer_clear(m); 838 buffer_put_int(m, authok); 839 840 debug3("%s: sending authenticated: %d", __func__, authok); 841 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 842 843 auth_method = "keyboard-interactive"; 844 auth_submethod = "bsdauth"; 845 846 return (authok != 0); 847 } 848 849 int 850 mm_answer_keyallowed(int sock, Buffer *m) 851 { 852 Key *key; 853 char *cuser, *chost; 854 u_char *blob; 855 u_int bloblen, pubkey_auth_attempt; 856 enum mm_keytype type = 0; 857 int allowed = 0; 858 859 debug3("%s entering", __func__); 860 861 type = buffer_get_int(m); 862 cuser = buffer_get_string(m, NULL); 863 chost = buffer_get_string(m, NULL); 864 blob = buffer_get_string(m, &bloblen); 865 pubkey_auth_attempt = buffer_get_int(m); 866 867 key = key_from_blob(blob, bloblen); 868 869 debug3("%s: key_from_blob: %p", __func__, key); 870 871 if (key != NULL && authctxt->valid) { 872 /* These should not make it past the privsep child */ 873 if (key_type_plain(key->type) == KEY_RSA && 874 (datafellows & SSH_BUG_RSASIGMD5) != 0) 875 fatal("%s: passed a SSH_BUG_RSASIGMD5 key", __func__); 876 877 switch (type) { 878 case MM_USERKEY: 879 allowed = options.pubkey_authentication && 880 !auth2_userkey_already_used(authctxt, key) && 881 match_pattern_list(sshkey_ssh_name(key), 882 options.pubkey_key_types, 0) == 1 && 883 user_key_allowed(authctxt->pw, key, 884 pubkey_auth_attempt); 885 pubkey_auth_info(authctxt, key, NULL); 886 auth_method = "publickey"; 887 if (options.pubkey_authentication && 888 (!pubkey_auth_attempt || allowed != 1)) 889 auth_clear_options(); 890 break; 891 case MM_HOSTKEY: 892 allowed = options.hostbased_authentication && 893 match_pattern_list(sshkey_ssh_name(key), 894 options.hostbased_key_types, 0) == 1 && 895 hostbased_key_allowed(authctxt->pw, 896 cuser, chost, key); 897 pubkey_auth_info(authctxt, key, 898 "client user \"%.100s\", client host \"%.100s\"", 899 cuser, chost); 900 auth_method = "hostbased"; 901 break; 902 default: 903 fatal("%s: unknown key type %d", __func__, type); 904 break; 905 } 906 } 907 908 debug3("%s: key %p is %s", 909 __func__, key, allowed ? "allowed" : "not allowed"); 910 911 if (key != NULL) 912 key_free(key); 913 914 /* clear temporarily storage (used by verify) */ 915 monitor_reset_key_state(); 916 917 if (allowed) { 918 /* Save temporarily for comparison in verify */ 919 key_blob = blob; 920 key_bloblen = bloblen; 921 key_blobtype = type; 922 hostbased_cuser = cuser; 923 hostbased_chost = chost; 924 } else { 925 /* Log failed attempt */ 926 auth_log(authctxt, 0, 0, auth_method, NULL); 927 free(blob); 928 free(cuser); 929 free(chost); 930 } 931 932 buffer_clear(m); 933 buffer_put_int(m, allowed); 934 buffer_put_int(m, forced_command != NULL); 935 936 mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m); 937 938 return (0); 939 } 940 941 static int 942 monitor_valid_userblob(u_char *data, u_int datalen) 943 { 944 Buffer b; 945 u_char *p; 946 char *userstyle, *cp; 947 u_int len; 948 int fail = 0; 949 950 buffer_init(&b); 951 buffer_append(&b, data, datalen); 952 953 if (datafellows & SSH_OLD_SESSIONID) { 954 p = buffer_ptr(&b); 955 len = buffer_len(&b); 956 if ((session_id2 == NULL) || 957 (len < session_id2_len) || 958 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 959 fail++; 960 buffer_consume(&b, session_id2_len); 961 } else { 962 p = buffer_get_string(&b, &len); 963 if ((session_id2 == NULL) || 964 (len != session_id2_len) || 965 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 966 fail++; 967 free(p); 968 } 969 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 970 fail++; 971 cp = buffer_get_cstring(&b, NULL); 972 xasprintf(&userstyle, "%s%s%s", authctxt->user, 973 authctxt->style ? ":" : "", 974 authctxt->style ? authctxt->style : ""); 975 if (strcmp(userstyle, cp) != 0) { 976 logit("wrong user name passed to monitor: " 977 "expected %s != %.100s", userstyle, cp); 978 fail++; 979 } 980 free(userstyle); 981 free(cp); 982 buffer_skip_string(&b); 983 if (datafellows & SSH_BUG_PKAUTH) { 984 if (!buffer_get_char(&b)) 985 fail++; 986 } else { 987 cp = buffer_get_cstring(&b, NULL); 988 if (strcmp("publickey", cp) != 0) 989 fail++; 990 free(cp); 991 if (!buffer_get_char(&b)) 992 fail++; 993 buffer_skip_string(&b); 994 } 995 buffer_skip_string(&b); 996 if (buffer_len(&b) != 0) 997 fail++; 998 buffer_free(&b); 999 return (fail == 0); 1000 } 1001 1002 static int 1003 monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, 1004 char *chost) 1005 { 1006 Buffer b; 1007 char *p, *userstyle; 1008 u_int len; 1009 int fail = 0; 1010 1011 buffer_init(&b); 1012 buffer_append(&b, data, datalen); 1013 1014 p = buffer_get_string(&b, &len); 1015 if ((session_id2 == NULL) || 1016 (len != session_id2_len) || 1017 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1018 fail++; 1019 free(p); 1020 1021 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1022 fail++; 1023 p = buffer_get_cstring(&b, NULL); 1024 xasprintf(&userstyle, "%s%s%s", authctxt->user, 1025 authctxt->style ? ":" : "", 1026 authctxt->style ? authctxt->style : ""); 1027 if (strcmp(userstyle, p) != 0) { 1028 logit("wrong user name passed to monitor: expected %s != %.100s", 1029 userstyle, p); 1030 fail++; 1031 } 1032 free(userstyle); 1033 free(p); 1034 buffer_skip_string(&b); /* service */ 1035 p = buffer_get_cstring(&b, NULL); 1036 if (strcmp(p, "hostbased") != 0) 1037 fail++; 1038 free(p); 1039 buffer_skip_string(&b); /* pkalg */ 1040 buffer_skip_string(&b); /* pkblob */ 1041 1042 /* verify client host, strip trailing dot if necessary */ 1043 p = buffer_get_string(&b, NULL); 1044 if (((len = strlen(p)) > 0) && p[len - 1] == '.') 1045 p[len - 1] = '\0'; 1046 if (strcmp(p, chost) != 0) 1047 fail++; 1048 free(p); 1049 1050 /* verify client user */ 1051 p = buffer_get_string(&b, NULL); 1052 if (strcmp(p, cuser) != 0) 1053 fail++; 1054 free(p); 1055 1056 if (buffer_len(&b) != 0) 1057 fail++; 1058 buffer_free(&b); 1059 return (fail == 0); 1060 } 1061 1062 int 1063 mm_answer_keyverify(int sock, Buffer *m) 1064 { 1065 Key *key; 1066 u_char *signature, *data, *blob; 1067 u_int signaturelen, datalen, bloblen; 1068 int verified = 0; 1069 int valid_data = 0; 1070 1071 blob = buffer_get_string(m, &bloblen); 1072 signature = buffer_get_string(m, &signaturelen); 1073 data = buffer_get_string(m, &datalen); 1074 1075 if (hostbased_cuser == NULL || hostbased_chost == NULL || 1076 !monitor_allowed_key(blob, bloblen)) 1077 fatal("%s: bad key, not previously allowed", __func__); 1078 1079 key = key_from_blob(blob, bloblen); 1080 if (key == NULL) 1081 fatal("%s: bad public key blob", __func__); 1082 1083 switch (key_blobtype) { 1084 case MM_USERKEY: 1085 valid_data = monitor_valid_userblob(data, datalen); 1086 break; 1087 case MM_HOSTKEY: 1088 valid_data = monitor_valid_hostbasedblob(data, datalen, 1089 hostbased_cuser, hostbased_chost); 1090 break; 1091 default: 1092 valid_data = 0; 1093 break; 1094 } 1095 if (!valid_data) 1096 fatal("%s: bad signature data blob", __func__); 1097 1098 verified = key_verify(key, signature, signaturelen, data, datalen); 1099 debug3("%s: key %p signature %s", 1100 __func__, key, (verified == 1) ? "verified" : "unverified"); 1101 1102 /* If auth was successful then record key to ensure it isn't reused */ 1103 if (verified == 1 && key_blobtype == MM_USERKEY) 1104 auth2_record_userkey(authctxt, key); 1105 else 1106 key_free(key); 1107 1108 free(blob); 1109 free(signature); 1110 free(data); 1111 1112 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; 1113 1114 monitor_reset_key_state(); 1115 1116 buffer_clear(m); 1117 buffer_put_int(m, verified); 1118 mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); 1119 1120 return (verified == 1); 1121 } 1122 1123 static void 1124 mm_record_login(Session *s, struct passwd *pw) 1125 { 1126 struct ssh *ssh = active_state; /* XXX */ 1127 socklen_t fromlen; 1128 struct sockaddr_storage from; 1129 1130 /* 1131 * Get IP address of client. If the connection is not a socket, let 1132 * the address be 0.0.0.0. 1133 */ 1134 memset(&from, 0, sizeof(from)); 1135 fromlen = sizeof(from); 1136 if (packet_connection_is_on_socket()) { 1137 if (getpeername(packet_get_connection_in(), 1138 (struct sockaddr *)&from, &fromlen) < 0) { 1139 debug("getpeername: %.100s", strerror(errno)); 1140 cleanup_exit(255); 1141 } 1142 } 1143 /* Record that there was a login on that tty from the remote host. */ 1144 record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, 1145 session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), 1146 (struct sockaddr *)&from, fromlen); 1147 } 1148 1149 static void 1150 mm_session_close(Session *s) 1151 { 1152 debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); 1153 if (s->ttyfd != -1) { 1154 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); 1155 session_pty_cleanup2(s); 1156 } 1157 session_unused(s->self); 1158 } 1159 1160 int 1161 mm_answer_pty(int sock, Buffer *m) 1162 { 1163 extern struct monitor *pmonitor; 1164 Session *s; 1165 int res, fd0; 1166 1167 debug3("%s entering", __func__); 1168 1169 buffer_clear(m); 1170 s = session_new(); 1171 if (s == NULL) 1172 goto error; 1173 s->authctxt = authctxt; 1174 s->pw = authctxt->pw; 1175 s->pid = pmonitor->m_pid; 1176 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 1177 if (res == 0) 1178 goto error; 1179 pty_setowner(authctxt->pw, s->tty); 1180 1181 buffer_put_int(m, 1); 1182 buffer_put_cstring(m, s->tty); 1183 1184 /* We need to trick ttyslot */ 1185 if (dup2(s->ttyfd, 0) == -1) 1186 fatal("%s: dup2", __func__); 1187 1188 mm_record_login(s, authctxt->pw); 1189 1190 /* Now we can close the file descriptor again */ 1191 close(0); 1192 1193 /* send messages generated by record_login */ 1194 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg)); 1195 buffer_clear(&loginmsg); 1196 1197 mm_request_send(sock, MONITOR_ANS_PTY, m); 1198 1199 if (mm_send_fd(sock, s->ptyfd) == -1 || 1200 mm_send_fd(sock, s->ttyfd) == -1) 1201 fatal("%s: send fds failed", __func__); 1202 1203 /* make sure nothing uses fd 0 */ 1204 if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0) 1205 fatal("%s: open(/dev/null): %s", __func__, strerror(errno)); 1206 if (fd0 != 0) 1207 error("%s: fd0 %d != 0", __func__, fd0); 1208 1209 /* slave is not needed */ 1210 close(s->ttyfd); 1211 s->ttyfd = s->ptyfd; 1212 /* no need to dup() because nobody closes ptyfd */ 1213 s->ptymaster = s->ptyfd; 1214 1215 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd); 1216 1217 return (0); 1218 1219 error: 1220 if (s != NULL) 1221 mm_session_close(s); 1222 buffer_put_int(m, 0); 1223 mm_request_send(sock, MONITOR_ANS_PTY, m); 1224 return (0); 1225 } 1226 1227 int 1228 mm_answer_pty_cleanup(int sock, Buffer *m) 1229 { 1230 Session *s; 1231 char *tty; 1232 1233 debug3("%s entering", __func__); 1234 1235 tty = buffer_get_string(m, NULL); 1236 if ((s = session_by_tty(tty)) != NULL) 1237 mm_session_close(s); 1238 buffer_clear(m); 1239 free(tty); 1240 return (0); 1241 } 1242 1243 int 1244 mm_answer_term(int sock, Buffer *req) 1245 { 1246 extern struct monitor *pmonitor; 1247 int res, status; 1248 1249 debug3("%s: tearing down sessions", __func__); 1250 1251 /* The child is terminating */ 1252 session_destroy_all(&mm_session_close); 1253 1254 while (waitpid(pmonitor->m_pid, &status, 0) == -1) 1255 if (errno != EINTR) 1256 exit(1); 1257 1258 res = WIFEXITED(status) ? WEXITSTATUS(status) : 1; 1259 1260 /* Terminate process */ 1261 exit(res); 1262 } 1263 1264 void 1265 monitor_apply_keystate(struct monitor *pmonitor) 1266 { 1267 struct ssh *ssh = active_state; /* XXX */ 1268 struct kex *kex; 1269 int r; 1270 1271 debug3("%s: packet_set_state", __func__); 1272 if ((r = ssh_packet_set_state(ssh, child_state)) != 0) 1273 fatal("%s: packet_set_state: %s", __func__, ssh_err(r)); 1274 sshbuf_free(child_state); 1275 child_state = NULL; 1276 1277 if ((kex = ssh->kex) != NULL) { 1278 /* XXX set callbacks */ 1279 #ifdef WITH_OPENSSL 1280 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 1281 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; 1282 kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; 1283 kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; 1284 kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; 1285 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 1286 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 1287 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 1288 #endif 1289 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 1290 kex->load_host_public_key=&get_hostkey_public_by_type; 1291 kex->load_host_private_key=&get_hostkey_private_by_type; 1292 kex->host_key_index=&get_hostkey_index; 1293 kex->sign = sshd_hostkey_sign; 1294 } 1295 1296 /* Update with new address */ 1297 if (options.compression) { 1298 ssh_packet_set_compress_hooks(ssh, pmonitor->m_zlib, 1299 (ssh_packet_comp_alloc_func *)mm_zalloc, 1300 (ssh_packet_comp_free_func *)mm_zfree); 1301 } 1302 } 1303 1304 /* This function requries careful sanity checking */ 1305 1306 void 1307 mm_get_keystate(struct monitor *pmonitor) 1308 { 1309 debug3("%s: Waiting for new keys", __func__); 1310 1311 if ((child_state = sshbuf_new()) == NULL) 1312 fatal("%s: sshbuf_new failed", __func__); 1313 mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, 1314 child_state); 1315 debug3("%s: GOT new keys", __func__); 1316 } 1317 1318 1319 /* XXX */ 1320 1321 #define FD_CLOSEONEXEC(x) do { \ 1322 if (fcntl(x, F_SETFD, FD_CLOEXEC) == -1) \ 1323 fatal("fcntl(%d, F_SETFD)", x); \ 1324 } while (0) 1325 1326 static void 1327 monitor_openfds(struct monitor *mon, int do_logfds) 1328 { 1329 int pair[2]; 1330 1331 if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) 1332 fatal("%s: socketpair: %s", __func__, strerror(errno)); 1333 FD_CLOSEONEXEC(pair[0]); 1334 FD_CLOSEONEXEC(pair[1]); 1335 mon->m_recvfd = pair[0]; 1336 mon->m_sendfd = pair[1]; 1337 1338 if (do_logfds) { 1339 if (pipe(pair) == -1) 1340 fatal("%s: pipe: %s", __func__, strerror(errno)); 1341 FD_CLOSEONEXEC(pair[0]); 1342 FD_CLOSEONEXEC(pair[1]); 1343 mon->m_log_recvfd = pair[0]; 1344 mon->m_log_sendfd = pair[1]; 1345 } else 1346 mon->m_log_recvfd = mon->m_log_sendfd = -1; 1347 } 1348 1349 #define MM_MEMSIZE 65536 1350 1351 struct monitor * 1352 monitor_init(void) 1353 { 1354 struct ssh *ssh = active_state; /* XXX */ 1355 struct monitor *mon; 1356 1357 mon = xcalloc(1, sizeof(*mon)); 1358 1359 monitor_openfds(mon, 1); 1360 1361 /* Used to share zlib space across processes */ 1362 if (options.compression) { 1363 mon->m_zback = mm_create(NULL, MM_MEMSIZE); 1364 mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE); 1365 1366 /* Compression needs to share state across borders */ 1367 ssh_packet_set_compress_hooks(ssh, mon->m_zlib, 1368 (ssh_packet_comp_alloc_func *)mm_zalloc, 1369 (ssh_packet_comp_free_func *)mm_zfree); 1370 } 1371 1372 return mon; 1373 } 1374 1375 void 1376 monitor_reinit(struct monitor *mon) 1377 { 1378 monitor_openfds(mon, 0); 1379 } 1380 1381 #ifdef GSSAPI 1382 int 1383 mm_answer_gss_setup_ctx(int sock, Buffer *m) 1384 { 1385 gss_OID_desc goid; 1386 OM_uint32 major; 1387 u_int len; 1388 1389 if (!options.gss_authentication) 1390 fatal("%s: GSSAPI authentication not enabled", __func__); 1391 1392 goid.elements = buffer_get_string(m, &len); 1393 goid.length = len; 1394 1395 major = ssh_gssapi_server_ctx(&gsscontext, &goid); 1396 1397 free(goid.elements); 1398 1399 buffer_clear(m); 1400 buffer_put_int(m, major); 1401 1402 mm_request_send(sock, MONITOR_ANS_GSSSETUP, m); 1403 1404 /* Now we have a context, enable the step */ 1405 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); 1406 1407 return (0); 1408 } 1409 1410 int 1411 mm_answer_gss_accept_ctx(int sock, Buffer *m) 1412 { 1413 gss_buffer_desc in; 1414 gss_buffer_desc out = GSS_C_EMPTY_BUFFER; 1415 OM_uint32 major, minor; 1416 OM_uint32 flags = 0; /* GSI needs this */ 1417 u_int len; 1418 1419 if (!options.gss_authentication) 1420 fatal("%s: GSSAPI authentication not enabled", __func__); 1421 1422 in.value = buffer_get_string(m, &len); 1423 in.length = len; 1424 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 1425 free(in.value); 1426 1427 buffer_clear(m); 1428 buffer_put_int(m, major); 1429 buffer_put_string(m, out.value, out.length); 1430 buffer_put_int(m, flags); 1431 mm_request_send(sock, MONITOR_ANS_GSSSTEP, m); 1432 1433 gss_release_buffer(&minor, &out); 1434 1435 if (major == GSS_S_COMPLETE) { 1436 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 1437 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 1438 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 1439 } 1440 return (0); 1441 } 1442 1443 int 1444 mm_answer_gss_checkmic(int sock, Buffer *m) 1445 { 1446 gss_buffer_desc gssbuf, mic; 1447 OM_uint32 ret; 1448 u_int len; 1449 1450 if (!options.gss_authentication) 1451 fatal("%s: GSSAPI authentication not enabled", __func__); 1452 1453 gssbuf.value = buffer_get_string(m, &len); 1454 gssbuf.length = len; 1455 mic.value = buffer_get_string(m, &len); 1456 mic.length = len; 1457 1458 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); 1459 1460 free(gssbuf.value); 1461 free(mic.value); 1462 1463 buffer_clear(m); 1464 buffer_put_int(m, ret); 1465 1466 mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m); 1467 1468 if (!GSS_ERROR(ret)) 1469 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 1470 1471 return (0); 1472 } 1473 1474 int 1475 mm_answer_gss_userok(int sock, Buffer *m) 1476 { 1477 int authenticated; 1478 1479 if (!options.gss_authentication) 1480 fatal("%s: GSSAPI authentication not enabled", __func__); 1481 1482 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); 1483 1484 buffer_clear(m); 1485 buffer_put_int(m, authenticated); 1486 1487 debug3("%s: sending result %d", __func__, authenticated); 1488 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 1489 1490 auth_method = "gssapi-with-mic"; 1491 1492 /* Monitor loop will terminate if authenticated */ 1493 return (authenticated); 1494 } 1495 #endif /* GSSAPI */ 1496 1497