
1 /* $OpenBSD: sshd-session.c,v 1.12 2025/03/12 22:43:44 djm Exp $ */
41 #include "openbsd-compat/sys-tree.h"
42 #include "openbsd-compat/sys-queue.h"
65 #include "openbsd-compat/openssl-compat.h"
102 #include "ssh-gss.h"
105 #include "auth-options.h"
108 #include "sk-api.h"
113 /* Re-exec fds */
132 * Debug mode flag. This can be set on the command line. If debug
133 * mode is enabled, extra debugging output will be sent to the system
150 int auth_sock = -1;
171 static int startup_pipe = -1; /* in child */
185 /* global key/cert auth options. XXX move to permanent ssh->authctxt? */
209 return (pmonitor && pmonitor->m_pid > 0); in mm_is_monitor()
214 * As usual, this may only take signal-safe actions, even though it is
310 /* pack hostkeys into a string. Empty key slots get empty strings */ in pack_hostkeys()
346 pmonitor->m_pkex = &ssh->kex; in privsep_preauth()
348 if ((pid = fork()) == -1) in privsep_preauth()
353 pmonitor->m_pid = pid; in privsep_preauth()
364 while (waitpid(pid, &status, 0) == -1) { in privsep_preauth()
367 pmonitor->m_pid = -1; in privsep_preauth()
371 pmonitor->m_pid = -1; in privsep_preauth()
382 close(pmonitor->m_sendfd); in privsep_preauth()
383 close(pmonitor->m_log_recvfd); in privsep_preauth()
386 * Arrange unpriv-preauth child process fds: in privsep_preauth()
398 dup2(ssh_packet_get_connection_in(ssh), STDIN_FILENO) == -1) in privsep_preauth()
402 STDOUT_FILENO) == -1) in privsep_preauth()
404 /* leave stderr as-is */ in privsep_preauth()
406 if (pmonitor->m_recvfd != PRIVSEP_MONITOR_FD && in privsep_preauth()
407 dup2(pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) == -1) in privsep_preauth()
409 if (pmonitor->m_log_sendfd != PRIVSEP_LOG_FD && in privsep_preauth()
410 dup2(pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) == -1) in privsep_preauth()
429 * in the post-auth privsep process so it can allocate PTYs directly. in privsep_postauth()
431 * disable post-auth privsep entriely. in privsep_postauth()
443 pmonitor->m_pid = fork(); in privsep_postauth()
444 if (pmonitor->m_pid == -1) in privsep_postauth()
446 else if (pmonitor->m_pid != 0) { in privsep_postauth()
447 verbose("User child is on pid %ld", (long)pmonitor->m_pid); in privsep_postauth()
458 close(pmonitor->m_sendfd); in privsep_postauth()
459 pmonitor->m_sendfd = -1; in privsep_postauth()
468 do_setusercontext(authctxt->pw); in privsep_postauth()
503 if (key == NULL || key->type != type) in get_hostkey_by_type()
510 if (key->ecdsa_nid != nid) in get_hostkey_by_type()
572 return (-1); in get_hostkey_index()
586 if (ssh->compat & SSH_BUG_HOSTKEYS) in notify_hostkeys()
593 if (key == NULL || key->type == KEY_UNSPEC || in notify_hostkeys()
606 (r = sshpkt_put_cstring(ssh, "hostkeys-00@openssh.com")) != 0 || in notify_hostkeys()
631 "usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]\n" in usage()
632 " [-E log_file] [-f config_file] [-g login_grace_time]\n" in usage()
633 " [-h host_key_file] [-o option] [-p port] [-u len]\n" in usage()
709 if (ssh_msg_recv(fd, m) == -1) in recv_rexec_state()
725 if ((item->contents = sshbuf_new()) == NULL) in recv_rexec_state()
727 if ((r = sshbuf_get_cstring(inc, &item->selector, NULL)) != 0 || in recv_rexec_state()
728 (r = sshbuf_get_cstring(inc, &item->filename, NULL)) != 0 || in recv_rexec_state()
729 (r = sshbuf_get_stringb(inc, item->contents)) != 0) in recv_rexec_state()
736 if (ssh_msg_recv(fd, m) == -1) in recv_rexec_state()
755 * (ip-address) you are not. That itself may be "almost acceptable"
774 &fromlen) == -1) in check_ip_options()
784 snprintf(text + i*3, sizeof(text) - i*3, in check_ip_options()
842 int sock_in = -1, sock_out = -1, rexeced_flag = 0, have_key = 0; in main()
881 /* Parse command-line arguments. */ in main()
883 "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) { in main()
895 servconf_add_hostcert("[command-line]", 0, in main()
935 fprintf(stderr, "too many ports.\n"); in main()
938 options.ports[options.num_ports++] = a2port(optarg); in main()
939 if (options.ports[options.num_ports-1] <= 0) { in main()
945 if ((options.login_grace_time = convtime(optarg)) == -1) { in main()
954 servconf_add_hostkey("[command-line]", 0, in main()
965 optarg) == -1) in main()
978 "command-line", 0, NULL, NULL, &includes) != 0) in main()
999 fatal("sshd-session should not be executed directly"); in main()
1006 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) in main()
1009 if ((devnull = dup(devnull)) == -1) in main()
1022 "P", "sshd-session", in main()
1053 debug("sshd-session version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION); in main()
1063 freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd)); in main()
1064 privsep_pw->pw_passwd = xstrdup("*"); in main()
1069 if ((startup_pipe = dup(REEXEC_CONFIG_PASS_FD)) == -1) in main()
1079 if (dup2(devnull, REEXEC_CONFIG_PASS_FD) == -1) in main()
1080 fatal("dup2 devnull->config fd: %s", strerror(errno)); in main()
1097 * daemonisation in the presence of Match block, but this catches in main()
1161 if (chdir("/") == -1) in main()
1185 if (stdfd_devnull(1, 1, !log_stderr) == -1) in main()
1223 setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) == -1) in main()
1263 * mode; it is just annoying to have the server exit just when you in main()
1275 if (setitimer(ITIMER_REAL, &itv, NULL) == -1) in main()
1279 if ((r = kex_exchange_identification(ssh, -1, in main()
1287 ssh->authctxt = authctxt; in main()
1314 if (setitimer(ITIMER_REAL, &itv, NULL) == -1) in main()
1317 authctxt->authenticated = 1; in main()
1318 if (startup_pipe != -1) { in main()
1322 startup_pipe = -1; in main()
1334 temporarily_use_uid(authctxt->pw); in main()
1393 ssh->compat) < 0) in sshd_hostkey_sign()
1398 ssh->compat) < 0) in sshd_hostkey_sign()
1413 pmonitor != NULL && pmonitor->m_pid > 1) { in cleanup_exit()
1414 debug("Killing privsep child %d", pmonitor->m_pid); in cleanup_exit()
1415 if (kill(pmonitor->m_pid, SIGKILL) != 0 && in cleanup_exit()
1417 error_f("kill(%d): %s", pmonitor->m_pid, in cleanup_exit()