1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * The main loop for the interactive session (client side). 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * 14 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 * 36 * 37 * SSH2 support added by Markus Friedl. 38 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. 39 * 40 * Redistribution and use in source and binary forms, with or without 41 * modification, are permitted provided that the following conditions 42 * are met: 43 * 1. Redistributions of source code must retain the above copyright 44 * notice, this list of conditions and the following disclaimer. 45 * 2. Redistributions in binary form must reproduce the above copyright 46 * notice, this list of conditions and the following disclaimer in the 47 * documentation and/or other materials provided with the distribution. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 50 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 51 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 52 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 53 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 54 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 55 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 56 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 57 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 58 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 59 */ 60 61 #include "includes.h" 62 RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $"); 63 64 #include "ssh.h" 65 #include "ssh1.h" 66 #include "ssh2.h" 67 #include "xmalloc.h" 68 #include "packet.h" 69 #include "buffer.h" 70 #include "compat.h" 71 #include "channels.h" 72 #include "dispatch.h" 73 #include "buffer.h" 74 #include "bufaux.h" 75 #include "key.h" 76 #include "kex.h" 77 #include "log.h" 78 #include "readconf.h" 79 #include "clientloop.h" 80 #include "authfd.h" 81 #include "atomicio.h" 82 #include "sshpty.h" 83 #include "misc.h" 84 #include "monitor_fdpass.h" 85 #include "match.h" 86 #include "msg.h" 87 88 /* import options */ 89 extern Options options; 90 91 /* Flag indicating that stdin should be redirected from /dev/null. */ 92 extern int stdin_null_flag; 93 94 /* Flag indicating that no shell has been requested */ 95 extern int no_shell_flag; 96 97 /* Control socket */ 98 extern int control_fd; 99 100 /* 101 * Name of the host we are connecting to. This is the name given on the 102 * command line, or the HostName specified for the user-supplied name in a 103 * configuration file. 104 */ 105 extern char *host; 106 107 /* 108 * Flag to indicate that we have received a window change signal which has 109 * not yet been processed. This will cause a message indicating the new 110 * window size to be sent to the server a little later. This is volatile 111 * because this is updated in a signal handler. 112 */ 113 static volatile sig_atomic_t received_window_change_signal = 0; 114 static volatile sig_atomic_t received_signal = 0; 115 116 /* Flag indicating whether the user\'s terminal is in non-blocking mode. */ 117 static int in_non_blocking_mode = 0; 118 119 /* Common data for the client loop code. */ 120 static int quit_pending; /* Set to non-zero to quit the client loop. */ 121 static int escape_char; /* Escape character. */ 122 static int escape_pending; /* Last character was the escape character */ 123 static int last_was_cr; /* Last character was a newline. */ 124 static int exit_status; /* Used to store the exit status of the command. */ 125 static int stdin_eof; /* EOF has been encountered on standard error. */ 126 static Buffer stdin_buffer; /* Buffer for stdin data. */ 127 static Buffer stdout_buffer; /* Buffer for stdout data. */ 128 static Buffer stderr_buffer; /* Buffer for stderr data. */ 129 static u_long stdin_bytes, stdout_bytes, stderr_bytes; 130 static u_int buffer_high;/* Soft max buffer size. */ 131 static int connection_in; /* Connection to server (input). */ 132 static int connection_out; /* Connection to server (output). */ 133 static int need_rekeying; /* Set to non-zero if rekeying is requested. */ 134 static int session_closed = 0; /* In SSH2: login session closed. */ 135 static int server_alive_timeouts = 0; 136 137 static void client_init_dispatch(void); 138 int session_ident = -1; 139 140 struct confirm_ctx { 141 int want_tty; 142 int want_subsys; 143 int want_x_fwd; 144 int want_agent_fwd; 145 Buffer cmd; 146 char *term; 147 struct termios tio; 148 char **env; 149 }; 150 151 /*XXX*/ 152 extern Kex *xxx_kex; 153 154 void ssh_process_session2_setup(int, int, int, Buffer *); 155 156 /* Restores stdin to blocking mode. */ 157 158 static void 159 leave_non_blocking(void) 160 { 161 if (in_non_blocking_mode) { 162 unset_nonblock(fileno(stdin)); 163 in_non_blocking_mode = 0; 164 } 165 } 166 167 /* Puts stdin terminal in non-blocking mode. */ 168 169 static void 170 enter_non_blocking(void) 171 { 172 in_non_blocking_mode = 1; 173 set_nonblock(fileno(stdin)); 174 } 175 176 /* 177 * Signal handler for the window change signal (SIGWINCH). This just sets a 178 * flag indicating that the window has changed. 179 */ 180 181 static void 182 window_change_handler(int sig) 183 { 184 received_window_change_signal = 1; 185 signal(SIGWINCH, window_change_handler); 186 } 187 188 /* 189 * Signal handler for signals that cause the program to terminate. These 190 * signals must be trapped to restore terminal modes. 191 */ 192 193 static void 194 signal_handler(int sig) 195 { 196 received_signal = sig; 197 quit_pending = 1; 198 } 199 200 /* 201 * Returns current time in seconds from Jan 1, 1970 with the maximum 202 * available resolution. 203 */ 204 205 static double 206 get_current_time(void) 207 { 208 struct timeval tv; 209 gettimeofday(&tv, NULL); 210 return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0; 211 } 212 213 #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" 214 void 215 client_x11_get_proto(const char *display, const char *xauth_path, 216 u_int trusted, char **_proto, char **_data) 217 { 218 char cmd[1024]; 219 char line[512]; 220 char xdisplay[512]; 221 static char proto[512], data[512]; 222 FILE *f; 223 int got_data = 0, generated = 0, do_unlink = 0, i; 224 char *xauthdir, *xauthfile; 225 struct stat st; 226 227 xauthdir = xauthfile = NULL; 228 *_proto = proto; 229 *_data = data; 230 proto[0] = data[0] = '\0'; 231 232 if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { 233 debug("No xauth program."); 234 } else { 235 if (display == NULL) { 236 debug("x11_get_proto: DISPLAY not set"); 237 return; 238 } 239 /* 240 * Handle FamilyLocal case where $DISPLAY does 241 * not match an authorization entry. For this we 242 * just try "xauth list unix:displaynum.screennum". 243 * XXX: "localhost" match to determine FamilyLocal 244 * is not perfect. 245 */ 246 if (strncmp(display, "localhost:", 10) == 0) { 247 snprintf(xdisplay, sizeof(xdisplay), "unix:%s", 248 display + 10); 249 display = xdisplay; 250 } 251 if (trusted == 0) { 252 xauthdir = xmalloc(MAXPATHLEN); 253 xauthfile = xmalloc(MAXPATHLEN); 254 strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); 255 if (mkdtemp(xauthdir) != NULL) { 256 do_unlink = 1; 257 snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", 258 xauthdir); 259 snprintf(cmd, sizeof(cmd), 260 "%s -f %s generate %s " SSH_X11_PROTO 261 " untrusted timeout 1200 2>" _PATH_DEVNULL, 262 xauth_path, xauthfile, display); 263 debug2("x11_get_proto: %s", cmd); 264 if (system(cmd) == 0) 265 generated = 1; 266 } 267 } 268 snprintf(cmd, sizeof(cmd), 269 "%s %s%s list %s . 2>" _PATH_DEVNULL, 270 xauth_path, 271 generated ? "-f " : "" , 272 generated ? xauthfile : "", 273 display); 274 debug2("x11_get_proto: %s", cmd); 275 f = popen(cmd, "r"); 276 if (f && fgets(line, sizeof(line), f) && 277 sscanf(line, "%*s %511s %511s", proto, data) == 2) 278 got_data = 1; 279 if (f) 280 pclose(f); 281 } 282 283 if (do_unlink) { 284 unlink(xauthfile); 285 rmdir(xauthdir); 286 } 287 if (xauthdir) 288 xfree(xauthdir); 289 if (xauthfile) 290 xfree(xauthfile); 291 292 /* 293 * If we didn't get authentication data, just make up some 294 * data. The forwarding code will check the validity of the 295 * response anyway, and substitute this data. The X11 296 * server, however, will ignore this fake data and use 297 * whatever authentication mechanisms it was using otherwise 298 * for the local connection. 299 */ 300 if (!got_data) { 301 u_int32_t rnd = 0; 302 303 logit("Warning: No xauth data; " 304 "using fake authentication data for X11 forwarding."); 305 strlcpy(proto, SSH_X11_PROTO, sizeof proto); 306 for (i = 0; i < 16; i++) { 307 if (i % 4 == 0) 308 rnd = arc4random(); 309 snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", 310 rnd & 0xff); 311 rnd >>= 8; 312 } 313 } 314 } 315 316 /* 317 * This is called when the interactive is entered. This checks if there is 318 * an EOF coming on stdin. We must check this explicitly, as select() does 319 * not appear to wake up when redirecting from /dev/null. 320 */ 321 322 static void 323 client_check_initial_eof_on_stdin(void) 324 { 325 int len; 326 char buf[1]; 327 328 /* 329 * If standard input is to be "redirected from /dev/null", we simply 330 * mark that we have seen an EOF and send an EOF message to the 331 * server. Otherwise, we try to read a single character; it appears 332 * that for some files, such /dev/null, select() never wakes up for 333 * read for this descriptor, which means that we never get EOF. This 334 * way we will get the EOF if stdin comes from /dev/null or similar. 335 */ 336 if (stdin_null_flag) { 337 /* Fake EOF on stdin. */ 338 debug("Sending eof."); 339 stdin_eof = 1; 340 packet_start(SSH_CMSG_EOF); 341 packet_send(); 342 } else { 343 enter_non_blocking(); 344 345 /* Check for immediate EOF on stdin. */ 346 len = read(fileno(stdin), buf, 1); 347 if (len == 0) { 348 /* EOF. Record that we have seen it and send EOF to server. */ 349 debug("Sending eof."); 350 stdin_eof = 1; 351 packet_start(SSH_CMSG_EOF); 352 packet_send(); 353 } else if (len > 0) { 354 /* 355 * Got data. We must store the data in the buffer, 356 * and also process it as an escape character if 357 * appropriate. 358 */ 359 if ((u_char) buf[0] == escape_char) 360 escape_pending = 1; 361 else 362 buffer_append(&stdin_buffer, buf, 1); 363 } 364 leave_non_blocking(); 365 } 366 } 367 368 369 /* 370 * Make packets from buffered stdin data, and buffer them for sending to the 371 * connection. 372 */ 373 374 static void 375 client_make_packets_from_stdin_data(void) 376 { 377 u_int len; 378 379 /* Send buffered stdin data to the server. */ 380 while (buffer_len(&stdin_buffer) > 0 && 381 packet_not_very_much_data_to_write()) { 382 len = buffer_len(&stdin_buffer); 383 /* Keep the packets at reasonable size. */ 384 if (len > packet_get_maxsize()) 385 len = packet_get_maxsize(); 386 packet_start(SSH_CMSG_STDIN_DATA); 387 packet_put_string(buffer_ptr(&stdin_buffer), len); 388 packet_send(); 389 buffer_consume(&stdin_buffer, len); 390 stdin_bytes += len; 391 /* If we have a pending EOF, send it now. */ 392 if (stdin_eof && buffer_len(&stdin_buffer) == 0) { 393 packet_start(SSH_CMSG_EOF); 394 packet_send(); 395 } 396 } 397 } 398 399 /* 400 * Checks if the client window has changed, and sends a packet about it to 401 * the server if so. The actual change is detected elsewhere (by a software 402 * interrupt on Unix); this just checks the flag and sends a message if 403 * appropriate. 404 */ 405 406 static void 407 client_check_window_change(void) 408 { 409 struct winsize ws; 410 411 if (! received_window_change_signal) 412 return; 413 /** XXX race */ 414 received_window_change_signal = 0; 415 416 debug2("client_check_window_change: changed"); 417 418 if (compat20) { 419 channel_send_window_changes(); 420 } else { 421 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 422 return; 423 packet_start(SSH_CMSG_WINDOW_SIZE); 424 packet_put_int(ws.ws_row); 425 packet_put_int(ws.ws_col); 426 packet_put_int(ws.ws_xpixel); 427 packet_put_int(ws.ws_ypixel); 428 packet_send(); 429 } 430 } 431 432 static void 433 client_global_request_reply(int type, u_int32_t seq, void *ctxt) 434 { 435 server_alive_timeouts = 0; 436 client_global_request_reply_fwd(type, seq, ctxt); 437 } 438 439 static void 440 server_alive_check(void) 441 { 442 if (++server_alive_timeouts > options.server_alive_count_max) 443 packet_disconnect("Timeout, server not responding."); 444 packet_start(SSH2_MSG_GLOBAL_REQUEST); 445 packet_put_cstring("keepalive@openssh.com"); 446 packet_put_char(1); /* boolean: want reply */ 447 packet_send(); 448 } 449 450 /* 451 * Waits until the client can do something (some data becomes available on 452 * one of the file descriptors). 453 */ 454 static void 455 client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, 456 int *maxfdp, u_int *nallocp, int rekeying) 457 { 458 struct timeval tv, *tvp; 459 int ret; 460 461 /* Add any selections by the channel mechanism. */ 462 channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying); 463 464 if (!compat20) { 465 /* Read from the connection, unless our buffers are full. */ 466 if (buffer_len(&stdout_buffer) < buffer_high && 467 buffer_len(&stderr_buffer) < buffer_high && 468 channel_not_very_much_buffered_data()) 469 FD_SET(connection_in, *readsetp); 470 /* 471 * Read from stdin, unless we have seen EOF or have very much 472 * buffered data to send to the server. 473 */ 474 if (!stdin_eof && packet_not_very_much_data_to_write()) 475 FD_SET(fileno(stdin), *readsetp); 476 477 /* Select stdout/stderr if have data in buffer. */ 478 if (buffer_len(&stdout_buffer) > 0) 479 FD_SET(fileno(stdout), *writesetp); 480 if (buffer_len(&stderr_buffer) > 0) 481 FD_SET(fileno(stderr), *writesetp); 482 } else { 483 /* channel_prepare_select could have closed the last channel */ 484 if (session_closed && !channel_still_open() && 485 !packet_have_data_to_write()) { 486 /* clear mask since we did not call select() */ 487 memset(*readsetp, 0, *nallocp); 488 memset(*writesetp, 0, *nallocp); 489 return; 490 } else { 491 FD_SET(connection_in, *readsetp); 492 } 493 } 494 495 /* Select server connection if have data to write to the server. */ 496 if (packet_have_data_to_write()) 497 FD_SET(connection_out, *writesetp); 498 499 if (control_fd != -1) 500 FD_SET(control_fd, *readsetp); 501 502 /* 503 * Wait for something to happen. This will suspend the process until 504 * some selected descriptor can be read, written, or has some other 505 * event pending. 506 */ 507 508 if (options.server_alive_interval == 0 || !compat20) 509 tvp = NULL; 510 else { 511 tv.tv_sec = options.server_alive_interval; 512 tv.tv_usec = 0; 513 tvp = &tv; 514 } 515 ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); 516 if (ret < 0) { 517 char buf[100]; 518 519 /* 520 * We have to clear the select masks, because we return. 521 * We have to return, because the mainloop checks for the flags 522 * set by the signal handlers. 523 */ 524 memset(*readsetp, 0, *nallocp); 525 memset(*writesetp, 0, *nallocp); 526 527 if (errno == EINTR) 528 return; 529 /* Note: we might still have data in the buffers. */ 530 snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); 531 buffer_append(&stderr_buffer, buf, strlen(buf)); 532 quit_pending = 1; 533 } else if (ret == 0) 534 server_alive_check(); 535 } 536 537 static void 538 client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr) 539 { 540 /* Flush stdout and stderr buffers. */ 541 if (buffer_len(bout) > 0) 542 atomicio(vwrite, fileno(stdout), buffer_ptr(bout), buffer_len(bout)); 543 if (buffer_len(berr) > 0) 544 atomicio(vwrite, fileno(stderr), buffer_ptr(berr), buffer_len(berr)); 545 546 leave_raw_mode(); 547 548 /* 549 * Free (and clear) the buffer to reduce the amount of data that gets 550 * written to swap. 551 */ 552 buffer_free(bin); 553 buffer_free(bout); 554 buffer_free(berr); 555 556 /* Send the suspend signal to the program itself. */ 557 kill(getpid(), SIGTSTP); 558 559 /* Reset window sizes in case they have changed */ 560 received_window_change_signal = 1; 561 562 /* OK, we have been continued by the user. Reinitialize buffers. */ 563 buffer_init(bin); 564 buffer_init(bout); 565 buffer_init(berr); 566 567 enter_raw_mode(); 568 } 569 570 static void 571 client_process_net_input(fd_set * readset) 572 { 573 int len; 574 char buf[8192]; 575 576 /* 577 * Read input from the server, and add any such data to the buffer of 578 * the packet subsystem. 579 */ 580 if (FD_ISSET(connection_in, readset)) { 581 /* Read as much as possible. */ 582 len = read(connection_in, buf, sizeof(buf)); 583 if (len == 0) { 584 /* Received EOF. The remote host has closed the connection. */ 585 snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", 586 host); 587 buffer_append(&stderr_buffer, buf, strlen(buf)); 588 quit_pending = 1; 589 return; 590 } 591 /* 592 * There is a kernel bug on Solaris that causes select to 593 * sometimes wake up even though there is no data available. 594 */ 595 if (len < 0 && (errno == EAGAIN || errno == EINTR)) 596 len = 0; 597 598 if (len < 0) { 599 /* An error has encountered. Perhaps there is a network problem. */ 600 snprintf(buf, sizeof buf, "Read from remote host %.300s: %.100s\r\n", 601 host, strerror(errno)); 602 buffer_append(&stderr_buffer, buf, strlen(buf)); 603 quit_pending = 1; 604 return; 605 } 606 packet_process_incoming(buf, len); 607 } 608 } 609 610 static void 611 client_subsystem_reply(int type, u_int32_t seq, void *ctxt) 612 { 613 int id; 614 Channel *c; 615 616 id = packet_get_int(); 617 packet_check_eom(); 618 619 if ((c = channel_lookup(id)) == NULL) { 620 error("%s: no channel for id %d", __func__, id); 621 return; 622 } 623 624 if (type == SSH2_MSG_CHANNEL_SUCCESS) 625 debug2("Request suceeded on channel %d", id); 626 else if (type == SSH2_MSG_CHANNEL_FAILURE) { 627 error("Request failed on channel %d", id); 628 channel_free(c); 629 } 630 } 631 632 static void 633 client_extra_session2_setup(int id, void *arg) 634 { 635 struct confirm_ctx *cctx = arg; 636 const char *display; 637 Channel *c; 638 int i; 639 640 if (cctx == NULL) 641 fatal("%s: cctx == NULL", __func__); 642 if ((c = channel_lookup(id)) == NULL) 643 fatal("%s: no channel for id %d", __func__, id); 644 645 display = getenv("DISPLAY"); 646 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 647 char *proto, *data; 648 /* Get reasonable local authentication information. */ 649 client_x11_get_proto(display, options.xauth_location, 650 options.forward_x11_trusted, &proto, &data); 651 /* Request forwarding with authentication spoofing. */ 652 debug("Requesting X11 forwarding with authentication spoofing."); 653 x11_request_forwarding_with_spoofing(id, display, proto, data); 654 /* XXX wait for reply */ 655 } 656 657 if (cctx->want_agent_fwd && options.forward_agent) { 658 debug("Requesting authentication agent forwarding."); 659 channel_request_start(id, "auth-agent-req@openssh.com", 0); 660 packet_send(); 661 } 662 663 client_session2_setup(id, cctx->want_tty, cctx->want_subsys, 664 cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env, 665 client_subsystem_reply); 666 667 c->confirm_ctx = NULL; 668 buffer_free(&cctx->cmd); 669 xfree(cctx->term); 670 if (cctx->env != NULL) { 671 for (i = 0; cctx->env[i] != NULL; i++) 672 xfree(cctx->env[i]); 673 xfree(cctx->env); 674 } 675 xfree(cctx); 676 } 677 678 static void 679 client_process_control(fd_set * readset) 680 { 681 Buffer m; 682 Channel *c; 683 int client_fd, new_fd[3], ver, allowed; 684 socklen_t addrlen; 685 struct sockaddr_storage addr; 686 struct confirm_ctx *cctx; 687 char *cmd; 688 u_int i, len, env_len, command, flags; 689 uid_t euid; 690 gid_t egid; 691 692 /* 693 * Accept connection on control socket 694 */ 695 if (control_fd == -1 || !FD_ISSET(control_fd, readset)) 696 return; 697 698 memset(&addr, 0, sizeof(addr)); 699 addrlen = sizeof(addr); 700 if ((client_fd = accept(control_fd, 701 (struct sockaddr*)&addr, &addrlen)) == -1) { 702 error("%s accept: %s", __func__, strerror(errno)); 703 return; 704 } 705 706 if (getpeereid(client_fd, &euid, &egid) < 0) { 707 error("%s getpeereid failed: %s", __func__, strerror(errno)); 708 close(client_fd); 709 return; 710 } 711 if ((euid != 0) && (getuid() != euid)) { 712 error("control mode uid mismatch: peer euid %u != uid %u", 713 (u_int) euid, (u_int) getuid()); 714 close(client_fd); 715 return; 716 } 717 718 unset_nonblock(client_fd); 719 720 /* Read command */ 721 buffer_init(&m); 722 if (ssh_msg_recv(client_fd, &m) == -1) { 723 error("%s: client msg_recv failed", __func__); 724 close(client_fd); 725 buffer_free(&m); 726 return; 727 } 728 if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { 729 error("%s: wrong client version %d", __func__, ver); 730 buffer_free(&m); 731 close(client_fd); 732 return; 733 } 734 735 allowed = 1; 736 command = buffer_get_int(&m); 737 flags = buffer_get_int(&m); 738 739 buffer_clear(&m); 740 741 switch (command) { 742 case SSHMUX_COMMAND_OPEN: 743 if (options.control_master == SSHCTL_MASTER_ASK || 744 options.control_master == SSHCTL_MASTER_AUTO_ASK) 745 allowed = ask_permission("Allow shared connection " 746 "to %s? ", host); 747 /* continue below */ 748 break; 749 case SSHMUX_COMMAND_TERMINATE: 750 if (options.control_master == SSHCTL_MASTER_ASK || 751 options.control_master == SSHCTL_MASTER_AUTO_ASK) 752 allowed = ask_permission("Terminate shared connection " 753 "to %s? ", host); 754 if (allowed) 755 quit_pending = 1; 756 /* FALLTHROUGH */ 757 case SSHMUX_COMMAND_ALIVE_CHECK: 758 /* Reply for SSHMUX_COMMAND_TERMINATE and ALIVE_CHECK */ 759 buffer_clear(&m); 760 buffer_put_int(&m, allowed); 761 buffer_put_int(&m, getpid()); 762 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { 763 error("%s: client msg_send failed", __func__); 764 close(client_fd); 765 buffer_free(&m); 766 return; 767 } 768 buffer_free(&m); 769 close(client_fd); 770 return; 771 default: 772 error("Unsupported command %d", command); 773 buffer_free(&m); 774 close(client_fd); 775 return; 776 } 777 778 /* Reply for SSHMUX_COMMAND_OPEN */ 779 buffer_clear(&m); 780 buffer_put_int(&m, allowed); 781 buffer_put_int(&m, getpid()); 782 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { 783 error("%s: client msg_send failed", __func__); 784 close(client_fd); 785 buffer_free(&m); 786 return; 787 } 788 789 if (!allowed) { 790 error("Refused control connection"); 791 close(client_fd); 792 buffer_free(&m); 793 return; 794 } 795 796 buffer_clear(&m); 797 if (ssh_msg_recv(client_fd, &m) == -1) { 798 error("%s: client msg_recv failed", __func__); 799 close(client_fd); 800 buffer_free(&m); 801 return; 802 } 803 if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { 804 error("%s: wrong client version %d", __func__, ver); 805 buffer_free(&m); 806 close(client_fd); 807 return; 808 } 809 810 cctx = xmalloc(sizeof(*cctx)); 811 memset(cctx, 0, sizeof(*cctx)); 812 cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0; 813 cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0; 814 cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0; 815 cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0; 816 cctx->term = buffer_get_string(&m, &len); 817 818 cmd = buffer_get_string(&m, &len); 819 buffer_init(&cctx->cmd); 820 buffer_append(&cctx->cmd, cmd, strlen(cmd)); 821 822 env_len = buffer_get_int(&m); 823 env_len = MIN(env_len, 4096); 824 debug3("%s: receiving %d env vars", __func__, env_len); 825 if (env_len != 0) { 826 cctx->env = xmalloc(sizeof(*cctx->env) * (env_len + 1)); 827 for (i = 0; i < env_len; i++) 828 cctx->env[i] = buffer_get_string(&m, &len); 829 cctx->env[i] = NULL; 830 } 831 832 debug2("%s: accepted tty %d, subsys %d, cmd %s", __func__, 833 cctx->want_tty, cctx->want_subsys, cmd); 834 835 /* Gather fds from client */ 836 new_fd[0] = mm_receive_fd(client_fd); 837 new_fd[1] = mm_receive_fd(client_fd); 838 new_fd[2] = mm_receive_fd(client_fd); 839 840 debug2("%s: got fds stdin %d, stdout %d, stderr %d", __func__, 841 new_fd[0], new_fd[1], new_fd[2]); 842 843 /* Try to pick up ttymodes from client before it goes raw */ 844 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 845 error("%s: tcgetattr: %s", __func__, strerror(errno)); 846 847 /* This roundtrip is just for synchronisation of ttymodes */ 848 buffer_clear(&m); 849 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { 850 error("%s: client msg_send failed", __func__); 851 close(client_fd); 852 close(new_fd[0]); 853 close(new_fd[1]); 854 close(new_fd[2]); 855 buffer_free(&m); 856 xfree(cctx->term); 857 if (env_len != 0) { 858 for (i = 0; i < env_len; i++) 859 xfree(cctx->env[i]); 860 xfree(cctx->env); 861 } 862 return; 863 } 864 buffer_free(&m); 865 866 /* enable nonblocking unless tty */ 867 if (!isatty(new_fd[0])) 868 set_nonblock(new_fd[0]); 869 if (!isatty(new_fd[1])) 870 set_nonblock(new_fd[1]); 871 if (!isatty(new_fd[2])) 872 set_nonblock(new_fd[2]); 873 874 set_nonblock(client_fd); 875 876 c = channel_new("session", SSH_CHANNEL_OPENING, 877 new_fd[0], new_fd[1], new_fd[2], 878 CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT, 879 CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 880 881 /* XXX */ 882 c->ctl_fd = client_fd; 883 884 debug3("%s: channel_new: %d", __func__, c->self); 885 886 channel_send_open(c->self); 887 channel_register_confirm(c->self, client_extra_session2_setup, cctx); 888 } 889 890 static void 891 process_cmdline(void) 892 { 893 void (*handler)(int); 894 char *s, *cmd, *cancel_host; 895 int delete = 0; 896 int local = 0; 897 u_short cancel_port; 898 Forward fwd; 899 900 leave_raw_mode(); 901 handler = signal(SIGINT, SIG_IGN); 902 cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); 903 if (s == NULL) 904 goto out; 905 while (*s && isspace(*s)) 906 s++; 907 if (*s == '-') 908 s++; /* Skip cmdline '-', if any */ 909 if (*s == '\0') 910 goto out; 911 912 if (*s == 'h' || *s == 'H' || *s == '?') { 913 logit("Commands:"); 914 logit(" -Lport:host:hostport Request local forward"); 915 logit(" -Rport:host:hostport Request remote forward"); 916 logit(" -KRhostport Cancel remote forward"); 917 goto out; 918 } 919 920 if (*s == 'K') { 921 delete = 1; 922 s++; 923 } 924 if (*s != 'L' && *s != 'R') { 925 logit("Invalid command."); 926 goto out; 927 } 928 if (*s == 'L') 929 local = 1; 930 if (local && delete) { 931 logit("Not supported."); 932 goto out; 933 } 934 if ((!local || delete) && !compat20) { 935 logit("Not supported for SSH protocol version 1."); 936 goto out; 937 } 938 939 s++; 940 while (*s && isspace(*s)) 941 s++; 942 943 if (delete) { 944 cancel_port = 0; 945 cancel_host = hpdelim(&s); /* may be NULL */ 946 if (s != NULL) { 947 cancel_port = a2port(s); 948 cancel_host = cleanhostname(cancel_host); 949 } else { 950 cancel_port = a2port(cancel_host); 951 cancel_host = NULL; 952 } 953 if (cancel_port == 0) { 954 logit("Bad forwarding close port"); 955 goto out; 956 } 957 channel_request_rforward_cancel(cancel_host, cancel_port); 958 } else { 959 if (!parse_forward(&fwd, s)) { 960 logit("Bad forwarding specification."); 961 goto out; 962 } 963 if (local) { 964 if (channel_setup_local_fwd_listener(fwd.listen_host, 965 fwd.listen_port, fwd.connect_host, 966 fwd.connect_port, options.gateway_ports) < 0) { 967 logit("Port forwarding failed."); 968 goto out; 969 } 970 } else { 971 channel_request_remote_forwarding(fwd.listen_host, 972 fwd.listen_port, fwd.connect_host, 973 fwd.connect_port); 974 } 975 976 logit("Forwarding port."); 977 } 978 979 out: 980 signal(SIGINT, handler); 981 enter_raw_mode(); 982 if (cmd) 983 xfree(cmd); 984 } 985 986 /* process the characters one by one */ 987 static int 988 process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len) 989 { 990 char string[1024]; 991 pid_t pid; 992 int bytes = 0; 993 u_int i; 994 u_char ch; 995 char *s; 996 997 if (len <= 0) 998 return (0); 999 1000 for (i = 0; i < (u_int)len; i++) { 1001 /* Get one character at a time. */ 1002 ch = buf[i]; 1003 1004 if (escape_pending) { 1005 /* We have previously seen an escape character. */ 1006 /* Clear the flag now. */ 1007 escape_pending = 0; 1008 1009 /* Process the escaped character. */ 1010 switch (ch) { 1011 case '.': 1012 /* Terminate the connection. */ 1013 snprintf(string, sizeof string, "%c.\r\n", escape_char); 1014 buffer_append(berr, string, strlen(string)); 1015 1016 quit_pending = 1; 1017 return -1; 1018 1019 case 'Z' - 64: 1020 /* Suspend the program. */ 1021 /* Print a message to that effect to the user. */ 1022 snprintf(string, sizeof string, "%c^Z [suspend ssh]\r\n", escape_char); 1023 buffer_append(berr, string, strlen(string)); 1024 1025 /* Restore terminal modes and suspend. */ 1026 client_suspend_self(bin, bout, berr); 1027 1028 /* We have been continued. */ 1029 continue; 1030 1031 case 'B': 1032 if (compat20) { 1033 snprintf(string, sizeof string, 1034 "%cB\r\n", escape_char); 1035 buffer_append(berr, string, 1036 strlen(string)); 1037 channel_request_start(session_ident, 1038 "break", 0); 1039 packet_put_int(1000); 1040 packet_send(); 1041 } 1042 continue; 1043 1044 case 'R': 1045 if (compat20) { 1046 if (datafellows & SSH_BUG_NOREKEY) 1047 logit("Server does not support re-keying"); 1048 else 1049 need_rekeying = 1; 1050 } 1051 continue; 1052 1053 case '&': 1054 /* 1055 * Detach the program (continue to serve connections, 1056 * but put in background and no more new connections). 1057 */ 1058 /* Restore tty modes. */ 1059 leave_raw_mode(); 1060 1061 /* Stop listening for new connections. */ 1062 channel_stop_listening(); 1063 1064 snprintf(string, sizeof string, 1065 "%c& [backgrounded]\n", escape_char); 1066 buffer_append(berr, string, strlen(string)); 1067 1068 /* Fork into background. */ 1069 pid = fork(); 1070 if (pid < 0) { 1071 error("fork: %.100s", strerror(errno)); 1072 continue; 1073 } 1074 if (pid != 0) { /* This is the parent. */ 1075 /* The parent just exits. */ 1076 exit(0); 1077 } 1078 /* The child continues serving connections. */ 1079 if (compat20) { 1080 buffer_append(bin, "\004", 1); 1081 /* fake EOF on stdin */ 1082 return -1; 1083 } else if (!stdin_eof) { 1084 /* 1085 * Sending SSH_CMSG_EOF alone does not always appear 1086 * to be enough. So we try to send an EOF character 1087 * first. 1088 */ 1089 packet_start(SSH_CMSG_STDIN_DATA); 1090 packet_put_string("\004", 1); 1091 packet_send(); 1092 /* Close stdin. */ 1093 stdin_eof = 1; 1094 if (buffer_len(bin) == 0) { 1095 packet_start(SSH_CMSG_EOF); 1096 packet_send(); 1097 } 1098 } 1099 continue; 1100 1101 case '?': 1102 snprintf(string, sizeof string, 1103 "%c?\r\n\ 1104 Supported escape sequences:\r\n\ 1105 %c. - terminate connection\r\n\ 1106 %cB - send a BREAK to the remote system\r\n\ 1107 %cC - open a command line\r\n\ 1108 %cR - Request rekey (SSH protocol 2 only)\r\n\ 1109 %c^Z - suspend ssh\r\n\ 1110 %c# - list forwarded connections\r\n\ 1111 %c& - background ssh (when waiting for connections to terminate)\r\n\ 1112 %c? - this message\r\n\ 1113 %c%c - send the escape character by typing it twice\r\n\ 1114 (Note that escapes are only recognized immediately after newline.)\r\n", 1115 escape_char, escape_char, escape_char, escape_char, 1116 escape_char, escape_char, escape_char, escape_char, 1117 escape_char, escape_char, escape_char); 1118 buffer_append(berr, string, strlen(string)); 1119 continue; 1120 1121 case '#': 1122 snprintf(string, sizeof string, "%c#\r\n", escape_char); 1123 buffer_append(berr, string, strlen(string)); 1124 s = channel_open_message(); 1125 buffer_append(berr, s, strlen(s)); 1126 xfree(s); 1127 continue; 1128 1129 case 'C': 1130 process_cmdline(); 1131 continue; 1132 1133 default: 1134 if (ch != escape_char) { 1135 buffer_put_char(bin, escape_char); 1136 bytes++; 1137 } 1138 /* Escaped characters fall through here */ 1139 break; 1140 } 1141 } else { 1142 /* 1143 * The previous character was not an escape char. Check if this 1144 * is an escape. 1145 */ 1146 if (last_was_cr && ch == escape_char) { 1147 /* It is. Set the flag and continue to next character. */ 1148 escape_pending = 1; 1149 continue; 1150 } 1151 } 1152 1153 /* 1154 * Normal character. Record whether it was a newline, 1155 * and append it to the buffer. 1156 */ 1157 last_was_cr = (ch == '\r' || ch == '\n'); 1158 buffer_put_char(bin, ch); 1159 bytes++; 1160 } 1161 return bytes; 1162 } 1163 1164 static void 1165 client_process_input(fd_set * readset) 1166 { 1167 int len; 1168 char buf[8192]; 1169 1170 /* Read input from stdin. */ 1171 if (FD_ISSET(fileno(stdin), readset)) { 1172 /* Read as much as possible. */ 1173 len = read(fileno(stdin), buf, sizeof(buf)); 1174 if (len < 0 && (errno == EAGAIN || errno == EINTR)) 1175 return; /* we'll try again later */ 1176 if (len <= 0) { 1177 /* 1178 * Received EOF or error. They are treated 1179 * similarly, except that an error message is printed 1180 * if it was an error condition. 1181 */ 1182 if (len < 0) { 1183 snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno)); 1184 buffer_append(&stderr_buffer, buf, strlen(buf)); 1185 } 1186 /* Mark that we have seen EOF. */ 1187 stdin_eof = 1; 1188 /* 1189 * Send an EOF message to the server unless there is 1190 * data in the buffer. If there is data in the 1191 * buffer, no message will be sent now. Code 1192 * elsewhere will send the EOF when the buffer 1193 * becomes empty if stdin_eof is set. 1194 */ 1195 if (buffer_len(&stdin_buffer) == 0) { 1196 packet_start(SSH_CMSG_EOF); 1197 packet_send(); 1198 } 1199 } else if (escape_char == SSH_ESCAPECHAR_NONE) { 1200 /* 1201 * Normal successful read, and no escape character. 1202 * Just append the data to buffer. 1203 */ 1204 buffer_append(&stdin_buffer, buf, len); 1205 } else { 1206 /* 1207 * Normal, successful read. But we have an escape character 1208 * and have to process the characters one by one. 1209 */ 1210 if (process_escapes(&stdin_buffer, &stdout_buffer, 1211 &stderr_buffer, buf, len) == -1) 1212 return; 1213 } 1214 } 1215 } 1216 1217 static void 1218 client_process_output(fd_set * writeset) 1219 { 1220 int len; 1221 char buf[100]; 1222 1223 /* Write buffered output to stdout. */ 1224 if (FD_ISSET(fileno(stdout), writeset)) { 1225 /* Write as much data as possible. */ 1226 len = write(fileno(stdout), buffer_ptr(&stdout_buffer), 1227 buffer_len(&stdout_buffer)); 1228 if (len <= 0) { 1229 if (errno == EINTR || errno == EAGAIN) 1230 len = 0; 1231 else { 1232 /* 1233 * An error or EOF was encountered. Put an 1234 * error message to stderr buffer. 1235 */ 1236 snprintf(buf, sizeof buf, "write stdout: %.50s\r\n", strerror(errno)); 1237 buffer_append(&stderr_buffer, buf, strlen(buf)); 1238 quit_pending = 1; 1239 return; 1240 } 1241 } 1242 /* Consume printed data from the buffer. */ 1243 buffer_consume(&stdout_buffer, len); 1244 stdout_bytes += len; 1245 } 1246 /* Write buffered output to stderr. */ 1247 if (FD_ISSET(fileno(stderr), writeset)) { 1248 /* Write as much data as possible. */ 1249 len = write(fileno(stderr), buffer_ptr(&stderr_buffer), 1250 buffer_len(&stderr_buffer)); 1251 if (len <= 0) { 1252 if (errno == EINTR || errno == EAGAIN) 1253 len = 0; 1254 else { 1255 /* EOF or error, but can't even print error message. */ 1256 quit_pending = 1; 1257 return; 1258 } 1259 } 1260 /* Consume printed characters from the buffer. */ 1261 buffer_consume(&stderr_buffer, len); 1262 stderr_bytes += len; 1263 } 1264 } 1265 1266 /* 1267 * Get packets from the connection input buffer, and process them as long as 1268 * there are packets available. 1269 * 1270 * Any unknown packets received during the actual 1271 * session cause the session to terminate. This is 1272 * intended to make debugging easier since no 1273 * confirmations are sent. Any compatible protocol 1274 * extensions must be negotiated during the 1275 * preparatory phase. 1276 */ 1277 1278 static void 1279 client_process_buffered_input_packets(void) 1280 { 1281 dispatch_run(DISPATCH_NONBLOCK, &quit_pending, compat20 ? xxx_kex : NULL); 1282 } 1283 1284 /* scan buf[] for '~' before sending data to the peer */ 1285 1286 static int 1287 simple_escape_filter(Channel *c, char *buf, int len) 1288 { 1289 /* XXX we assume c->extended is writeable */ 1290 return process_escapes(&c->input, &c->output, &c->extended, buf, len); 1291 } 1292 1293 static void 1294 client_channel_closed(int id, void *arg) 1295 { 1296 channel_cancel_cleanup(id); 1297 session_closed = 1; 1298 leave_raw_mode(); 1299 } 1300 1301 /* 1302 * Implements the interactive session with the server. This is called after 1303 * the user has been authenticated, and a command has been started on the 1304 * remote host. If escape_char != SSH_ESCAPECHAR_NONE, it is the character 1305 * used as an escape character for terminating or suspending the session. 1306 */ 1307 1308 int 1309 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 1310 { 1311 fd_set *readset = NULL, *writeset = NULL; 1312 double start_time, total_time; 1313 int max_fd = 0, max_fd2 = 0, len, rekeying = 0; 1314 u_int nalloc = 0; 1315 char buf[100]; 1316 1317 debug("Entering interactive session."); 1318 1319 start_time = get_current_time(); 1320 1321 /* Initialize variables. */ 1322 escape_pending = 0; 1323 last_was_cr = 1; 1324 exit_status = -1; 1325 stdin_eof = 0; 1326 buffer_high = 64 * 1024; 1327 connection_in = packet_get_connection_in(); 1328 connection_out = packet_get_connection_out(); 1329 max_fd = MAX(connection_in, connection_out); 1330 if (control_fd != -1) 1331 max_fd = MAX(max_fd, control_fd); 1332 1333 if (!compat20) { 1334 /* enable nonblocking unless tty */ 1335 if (!isatty(fileno(stdin))) 1336 set_nonblock(fileno(stdin)); 1337 if (!isatty(fileno(stdout))) 1338 set_nonblock(fileno(stdout)); 1339 if (!isatty(fileno(stderr))) 1340 set_nonblock(fileno(stderr)); 1341 max_fd = MAX(max_fd, fileno(stdin)); 1342 max_fd = MAX(max_fd, fileno(stdout)); 1343 max_fd = MAX(max_fd, fileno(stderr)); 1344 } 1345 stdin_bytes = 0; 1346 stdout_bytes = 0; 1347 stderr_bytes = 0; 1348 quit_pending = 0; 1349 escape_char = escape_char_arg; 1350 1351 /* Initialize buffers. */ 1352 buffer_init(&stdin_buffer); 1353 buffer_init(&stdout_buffer); 1354 buffer_init(&stderr_buffer); 1355 1356 client_init_dispatch(); 1357 1358 /* 1359 * Set signal handlers, (e.g. to restore non-blocking mode) 1360 * but don't overwrite SIG_IGN, matches behaviour from rsh(1) 1361 */ 1362 if (signal(SIGHUP, SIG_IGN) != SIG_IGN) 1363 signal(SIGHUP, signal_handler); 1364 if (signal(SIGINT, SIG_IGN) != SIG_IGN) 1365 signal(SIGINT, signal_handler); 1366 if (signal(SIGQUIT, SIG_IGN) != SIG_IGN) 1367 signal(SIGQUIT, signal_handler); 1368 if (signal(SIGTERM, SIG_IGN) != SIG_IGN) 1369 signal(SIGTERM, signal_handler); 1370 signal(SIGWINCH, window_change_handler); 1371 1372 if (have_pty) 1373 enter_raw_mode(); 1374 1375 if (compat20) { 1376 session_ident = ssh2_chan_id; 1377 if (escape_char != SSH_ESCAPECHAR_NONE) 1378 channel_register_filter(session_ident, 1379 simple_escape_filter); 1380 if (session_ident != -1) 1381 channel_register_cleanup(session_ident, 1382 client_channel_closed); 1383 } else { 1384 /* Check if we should immediately send eof on stdin. */ 1385 client_check_initial_eof_on_stdin(); 1386 } 1387 1388 /* Main loop of the client for the interactive session mode. */ 1389 while (!quit_pending) { 1390 1391 /* Process buffered packets sent by the server. */ 1392 client_process_buffered_input_packets(); 1393 1394 if (compat20 && session_closed && !channel_still_open()) 1395 break; 1396 1397 rekeying = (xxx_kex != NULL && !xxx_kex->done); 1398 1399 if (rekeying) { 1400 debug("rekeying in progress"); 1401 } else { 1402 /* 1403 * Make packets of buffered stdin data, and buffer 1404 * them for sending to the server. 1405 */ 1406 if (!compat20) 1407 client_make_packets_from_stdin_data(); 1408 1409 /* 1410 * Make packets from buffered channel data, and 1411 * enqueue them for sending to the server. 1412 */ 1413 if (packet_not_very_much_data_to_write()) 1414 channel_output_poll(); 1415 1416 /* 1417 * Check if the window size has changed, and buffer a 1418 * message about it to the server if so. 1419 */ 1420 client_check_window_change(); 1421 1422 if (quit_pending) 1423 break; 1424 } 1425 /* 1426 * Wait until we have something to do (something becomes 1427 * available on one of the descriptors). 1428 */ 1429 max_fd2 = max_fd; 1430 client_wait_until_can_do_something(&readset, &writeset, 1431 &max_fd2, &nalloc, rekeying); 1432 1433 if (quit_pending) 1434 break; 1435 1436 /* Do channel operations unless rekeying in progress. */ 1437 if (!rekeying) { 1438 channel_after_select(readset, writeset); 1439 if (need_rekeying || packet_need_rekeying()) { 1440 debug("need rekeying"); 1441 xxx_kex->done = 0; 1442 kex_send_kexinit(xxx_kex); 1443 need_rekeying = 0; 1444 } 1445 } 1446 1447 /* Buffer input from the connection. */ 1448 client_process_net_input(readset); 1449 1450 /* Accept control connections. */ 1451 client_process_control(readset); 1452 1453 if (quit_pending) 1454 break; 1455 1456 if (!compat20) { 1457 /* Buffer data from stdin */ 1458 client_process_input(readset); 1459 /* 1460 * Process output to stdout and stderr. Output to 1461 * the connection is processed elsewhere (above). 1462 */ 1463 client_process_output(writeset); 1464 } 1465 1466 /* Send as much buffered packet data as possible to the sender. */ 1467 if (FD_ISSET(connection_out, writeset)) 1468 packet_write_poll(); 1469 } 1470 if (readset) 1471 xfree(readset); 1472 if (writeset) 1473 xfree(writeset); 1474 1475 /* Terminate the session. */ 1476 1477 /* Stop watching for window change. */ 1478 signal(SIGWINCH, SIG_DFL); 1479 1480 channel_free_all(); 1481 1482 if (have_pty) 1483 leave_raw_mode(); 1484 1485 /* restore blocking io */ 1486 if (!isatty(fileno(stdin))) 1487 unset_nonblock(fileno(stdin)); 1488 if (!isatty(fileno(stdout))) 1489 unset_nonblock(fileno(stdout)); 1490 if (!isatty(fileno(stderr))) 1491 unset_nonblock(fileno(stderr)); 1492 1493 /* 1494 * If there was no shell or command requested, there will be no remote 1495 * exit status to be returned. In that case, clear error code if the 1496 * connection was deliberately terminated at this end. 1497 */ 1498 if (no_shell_flag && received_signal == SIGTERM) { 1499 received_signal = 0; 1500 exit_status = 0; 1501 } 1502 1503 if (received_signal) 1504 fatal("Killed by signal %d.", (int) received_signal); 1505 1506 /* 1507 * In interactive mode (with pseudo tty) display a message indicating 1508 * that the connection has been closed. 1509 */ 1510 if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) { 1511 snprintf(buf, sizeof buf, "Connection to %.64s closed.\r\n", host); 1512 buffer_append(&stderr_buffer, buf, strlen(buf)); 1513 } 1514 1515 /* Output any buffered data for stdout. */ 1516 while (buffer_len(&stdout_buffer) > 0) { 1517 len = write(fileno(stdout), buffer_ptr(&stdout_buffer), 1518 buffer_len(&stdout_buffer)); 1519 if (len <= 0) { 1520 error("Write failed flushing stdout buffer."); 1521 break; 1522 } 1523 buffer_consume(&stdout_buffer, len); 1524 stdout_bytes += len; 1525 } 1526 1527 /* Output any buffered data for stderr. */ 1528 while (buffer_len(&stderr_buffer) > 0) { 1529 len = write(fileno(stderr), buffer_ptr(&stderr_buffer), 1530 buffer_len(&stderr_buffer)); 1531 if (len <= 0) { 1532 error("Write failed flushing stderr buffer."); 1533 break; 1534 } 1535 buffer_consume(&stderr_buffer, len); 1536 stderr_bytes += len; 1537 } 1538 1539 /* Clear and free any buffers. */ 1540 memset(buf, 0, sizeof(buf)); 1541 buffer_free(&stdin_buffer); 1542 buffer_free(&stdout_buffer); 1543 buffer_free(&stderr_buffer); 1544 1545 /* Report bytes transferred, and transfer rates. */ 1546 total_time = get_current_time() - start_time; 1547 debug("Transferred: stdin %lu, stdout %lu, stderr %lu bytes in %.1f seconds", 1548 stdin_bytes, stdout_bytes, stderr_bytes, total_time); 1549 if (total_time > 0) 1550 debug("Bytes per second: stdin %.1f, stdout %.1f, stderr %.1f", 1551 stdin_bytes / total_time, stdout_bytes / total_time, 1552 stderr_bytes / total_time); 1553 1554 /* Return the exit status of the program. */ 1555 debug("Exit status %d", exit_status); 1556 return exit_status; 1557 } 1558 1559 /*********/ 1560 1561 static void 1562 client_input_stdout_data(int type, u_int32_t seq, void *ctxt) 1563 { 1564 u_int data_len; 1565 char *data = packet_get_string(&data_len); 1566 packet_check_eom(); 1567 buffer_append(&stdout_buffer, data, data_len); 1568 memset(data, 0, data_len); 1569 xfree(data); 1570 } 1571 static void 1572 client_input_stderr_data(int type, u_int32_t seq, void *ctxt) 1573 { 1574 u_int data_len; 1575 char *data = packet_get_string(&data_len); 1576 packet_check_eom(); 1577 buffer_append(&stderr_buffer, data, data_len); 1578 memset(data, 0, data_len); 1579 xfree(data); 1580 } 1581 static void 1582 client_input_exit_status(int type, u_int32_t seq, void *ctxt) 1583 { 1584 exit_status = packet_get_int(); 1585 packet_check_eom(); 1586 /* Acknowledge the exit. */ 1587 packet_start(SSH_CMSG_EXIT_CONFIRMATION); 1588 packet_send(); 1589 /* 1590 * Must wait for packet to be sent since we are 1591 * exiting the loop. 1592 */ 1593 packet_write_wait(); 1594 /* Flag that we want to exit. */ 1595 quit_pending = 1; 1596 } 1597 static void 1598 client_input_agent_open(int type, u_int32_t seq, void *ctxt) 1599 { 1600 Channel *c = NULL; 1601 int remote_id, sock; 1602 1603 /* Read the remote channel number from the message. */ 1604 remote_id = packet_get_int(); 1605 packet_check_eom(); 1606 1607 /* 1608 * Get a connection to the local authentication agent (this may again 1609 * get forwarded). 1610 */ 1611 sock = ssh_get_authentication_socket(); 1612 1613 /* 1614 * If we could not connect the agent, send an error message back to 1615 * the server. This should never happen unless the agent dies, 1616 * because authentication forwarding is only enabled if we have an 1617 * agent. 1618 */ 1619 if (sock >= 0) { 1620 c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, 1621 -1, 0, 0, 0, "authentication agent connection", 1); 1622 c->remote_id = remote_id; 1623 c->force_drain = 1; 1624 } 1625 if (c == NULL) { 1626 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1627 packet_put_int(remote_id); 1628 } else { 1629 /* Send a confirmation to the remote host. */ 1630 debug("Forwarding authentication connection."); 1631 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1632 packet_put_int(remote_id); 1633 packet_put_int(c->self); 1634 } 1635 packet_send(); 1636 } 1637 1638 static Channel * 1639 client_request_forwarded_tcpip(const char *request_type, int rchan) 1640 { 1641 Channel *c = NULL; 1642 char *listen_address, *originator_address; 1643 int listen_port, originator_port; 1644 int sock; 1645 1646 /* Get rest of the packet */ 1647 listen_address = packet_get_string(NULL); 1648 listen_port = packet_get_int(); 1649 originator_address = packet_get_string(NULL); 1650 originator_port = packet_get_int(); 1651 packet_check_eom(); 1652 1653 debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d", 1654 listen_address, listen_port, originator_address, originator_port); 1655 1656 sock = channel_connect_by_listen_address(listen_port); 1657 if (sock < 0) { 1658 xfree(originator_address); 1659 xfree(listen_address); 1660 return NULL; 1661 } 1662 c = channel_new("forwarded-tcpip", 1663 SSH_CHANNEL_CONNECTING, sock, sock, -1, 1664 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, 1665 originator_address, 1); 1666 xfree(originator_address); 1667 xfree(listen_address); 1668 return c; 1669 } 1670 1671 static Channel * 1672 client_request_x11(const char *request_type, int rchan) 1673 { 1674 Channel *c = NULL; 1675 char *originator; 1676 int originator_port; 1677 int sock; 1678 1679 if (!options.forward_x11) { 1680 error("Warning: ssh server tried X11 forwarding."); 1681 error("Warning: this is probably a break in attempt by a malicious server."); 1682 return NULL; 1683 } 1684 originator = packet_get_string(NULL); 1685 if (datafellows & SSH_BUG_X11FWD) { 1686 debug2("buggy server: x11 request w/o originator_port"); 1687 originator_port = 0; 1688 } else { 1689 originator_port = packet_get_int(); 1690 } 1691 packet_check_eom(); 1692 /* XXX check permission */ 1693 debug("client_request_x11: request from %s %d", originator, 1694 originator_port); 1695 xfree(originator); 1696 sock = x11_connect_display(); 1697 if (sock < 0) 1698 return NULL; 1699 c = channel_new("x11", 1700 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 1701 CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); 1702 c->force_drain = 1; 1703 return c; 1704 } 1705 1706 static Channel * 1707 client_request_agent(const char *request_type, int rchan) 1708 { 1709 Channel *c = NULL; 1710 int sock; 1711 1712 if (!options.forward_agent) { 1713 error("Warning: ssh server tried agent forwarding."); 1714 error("Warning: this is probably a break in attempt by a malicious server."); 1715 return NULL; 1716 } 1717 sock = ssh_get_authentication_socket(); 1718 if (sock < 0) 1719 return NULL; 1720 c = channel_new("authentication agent connection", 1721 SSH_CHANNEL_OPEN, sock, sock, -1, 1722 CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, 1723 "authentication agent connection", 1); 1724 c->force_drain = 1; 1725 return c; 1726 } 1727 1728 /* XXXX move to generic input handler */ 1729 static void 1730 client_input_channel_open(int type, u_int32_t seq, void *ctxt) 1731 { 1732 Channel *c = NULL; 1733 char *ctype; 1734 int rchan; 1735 u_int rmaxpack, rwindow, len; 1736 1737 ctype = packet_get_string(&len); 1738 rchan = packet_get_int(); 1739 rwindow = packet_get_int(); 1740 rmaxpack = packet_get_int(); 1741 1742 debug("client_input_channel_open: ctype %s rchan %d win %d max %d", 1743 ctype, rchan, rwindow, rmaxpack); 1744 1745 if (strcmp(ctype, "forwarded-tcpip") == 0) { 1746 c = client_request_forwarded_tcpip(ctype, rchan); 1747 } else if (strcmp(ctype, "x11") == 0) { 1748 c = client_request_x11(ctype, rchan); 1749 } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { 1750 c = client_request_agent(ctype, rchan); 1751 } 1752 /* XXX duplicate : */ 1753 if (c != NULL) { 1754 debug("confirm %s", ctype); 1755 c->remote_id = rchan; 1756 c->remote_window = rwindow; 1757 c->remote_maxpacket = rmaxpack; 1758 if (c->type != SSH_CHANNEL_CONNECTING) { 1759 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1760 packet_put_int(c->remote_id); 1761 packet_put_int(c->self); 1762 packet_put_int(c->local_window); 1763 packet_put_int(c->local_maxpacket); 1764 packet_send(); 1765 } 1766 } else { 1767 debug("failure %s", ctype); 1768 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1769 packet_put_int(rchan); 1770 packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); 1771 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1772 packet_put_cstring("open failed"); 1773 packet_put_cstring(""); 1774 } 1775 packet_send(); 1776 } 1777 xfree(ctype); 1778 } 1779 static void 1780 client_input_channel_req(int type, u_int32_t seq, void *ctxt) 1781 { 1782 Channel *c = NULL; 1783 int exitval, id, reply, success = 0; 1784 char *rtype; 1785 1786 id = packet_get_int(); 1787 rtype = packet_get_string(NULL); 1788 reply = packet_get_char(); 1789 1790 debug("client_input_channel_req: channel %d rtype %s reply %d", 1791 id, rtype, reply); 1792 1793 if (id == -1) { 1794 error("client_input_channel_req: request for channel -1"); 1795 } else if ((c = channel_lookup(id)) == NULL) { 1796 error("client_input_channel_req: channel %d: unknown channel", id); 1797 } else if (strcmp(rtype, "exit-status") == 0) { 1798 exitval = packet_get_int(); 1799 if (id == session_ident) { 1800 success = 1; 1801 exit_status = exitval; 1802 } else if (c->ctl_fd == -1) { 1803 error("client_input_channel_req: unexpected channel %d", 1804 session_ident); 1805 } else { 1806 atomicio(vwrite, c->ctl_fd, &exitval, sizeof(exitval)); 1807 success = 1; 1808 } 1809 packet_check_eom(); 1810 } 1811 if (reply) { 1812 packet_start(success ? 1813 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); 1814 packet_put_int(id); 1815 packet_send(); 1816 } 1817 xfree(rtype); 1818 } 1819 static void 1820 client_input_global_request(int type, u_int32_t seq, void *ctxt) 1821 { 1822 char *rtype; 1823 int want_reply; 1824 int success = 0; 1825 1826 rtype = packet_get_string(NULL); 1827 want_reply = packet_get_char(); 1828 debug("client_input_global_request: rtype %s want_reply %d", 1829 rtype, want_reply); 1830 if (want_reply) { 1831 packet_start(success ? 1832 SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); 1833 packet_send(); 1834 packet_write_wait(); 1835 } 1836 xfree(rtype); 1837 } 1838 1839 void 1840 client_session2_setup(int id, int want_tty, int want_subsystem, 1841 const char *term, struct termios *tiop, int in_fd, Buffer *cmd, char **env, 1842 dispatch_fn *subsys_repl) 1843 { 1844 int len; 1845 Channel *c = NULL; 1846 1847 debug2("%s: id %d", __func__, id); 1848 1849 if ((c = channel_lookup(id)) == NULL) 1850 fatal("client_session2_setup: channel %d: unknown channel", id); 1851 1852 if (want_tty) { 1853 struct winsize ws; 1854 struct termios tio; 1855 1856 /* Store window size in the packet. */ 1857 if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0) 1858 memset(&ws, 0, sizeof(ws)); 1859 1860 channel_request_start(id, "pty-req", 0); 1861 packet_put_cstring(term != NULL ? term : ""); 1862 packet_put_int(ws.ws_col); 1863 packet_put_int(ws.ws_row); 1864 packet_put_int(ws.ws_xpixel); 1865 packet_put_int(ws.ws_ypixel); 1866 tio = get_saved_tio(); 1867 tty_make_modes(-1, tiop != NULL ? tiop : &tio); 1868 packet_send(); 1869 /* XXX wait for reply */ 1870 c->client_tty = 1; 1871 } 1872 1873 /* Transfer any environment variables from client to server */ 1874 if (options.num_send_env != 0 && env != NULL) { 1875 int i, j, matched; 1876 char *name, *val; 1877 1878 debug("Sending environment."); 1879 for (i = 0; env[i] != NULL; i++) { 1880 /* Split */ 1881 name = xstrdup(env[i]); 1882 if ((val = strchr(name, '=')) == NULL) { 1883 free(name); 1884 continue; 1885 } 1886 *val++ = '\0'; 1887 1888 matched = 0; 1889 for (j = 0; j < options.num_send_env; j++) { 1890 if (match_pattern(name, options.send_env[j])) { 1891 matched = 1; 1892 break; 1893 } 1894 } 1895 if (!matched) { 1896 debug3("Ignored env %s", name); 1897 free(name); 1898 continue; 1899 } 1900 1901 debug("Sending env %s = %s", name, val); 1902 channel_request_start(id, "env", 0); 1903 packet_put_cstring(name); 1904 packet_put_cstring(val); 1905 packet_send(); 1906 free(name); 1907 } 1908 } 1909 1910 len = buffer_len(cmd); 1911 if (len > 0) { 1912 if (len > 900) 1913 len = 900; 1914 if (want_subsystem) { 1915 debug("Sending subsystem: %.*s", len, (u_char*)buffer_ptr(cmd)); 1916 channel_request_start(id, "subsystem", subsys_repl != NULL); 1917 if (subsys_repl != NULL) { 1918 /* register callback for reply */ 1919 /* XXX we assume that client_loop has already been called */ 1920 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, subsys_repl); 1921 dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, subsys_repl); 1922 } 1923 } else { 1924 debug("Sending command: %.*s", len, (u_char*)buffer_ptr(cmd)); 1925 channel_request_start(id, "exec", 0); 1926 } 1927 packet_put_string(buffer_ptr(cmd), buffer_len(cmd)); 1928 packet_send(); 1929 } else { 1930 channel_request_start(id, "shell", 0); 1931 packet_send(); 1932 } 1933 } 1934 1935 static void 1936 client_init_dispatch_20(void) 1937 { 1938 dispatch_init(&dispatch_protocol_error); 1939 1940 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); 1941 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data); 1942 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); 1943 dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); 1944 dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open); 1945 dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1946 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1947 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); 1948 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); 1949 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request); 1950 1951 /* rekeying */ 1952 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 1953 1954 /* global request reply messages */ 1955 dispatch_set(SSH2_MSG_REQUEST_FAILURE, &client_global_request_reply); 1956 dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &client_global_request_reply); 1957 } 1958 static void 1959 client_init_dispatch_13(void) 1960 { 1961 dispatch_init(NULL); 1962 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close); 1963 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation); 1964 dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); 1965 dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1966 dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1967 dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); 1968 dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); 1969 dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); 1970 dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); 1971 1972 dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? 1973 &client_input_agent_open : &deny_input_open); 1974 dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? 1975 &x11_input_open : &deny_input_open); 1976 } 1977 static void 1978 client_init_dispatch_15(void) 1979 { 1980 client_init_dispatch_13(); 1981 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof); 1982 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, & channel_input_oclose); 1983 } 1984 static void 1985 client_init_dispatch(void) 1986 { 1987 if (compat20) 1988 client_init_dispatch_20(); 1989 else if (compat13) 1990 client_init_dispatch_13(); 1991 else 1992 client_init_dispatch_15(); 1993 } 1994 1995 /* client specific fatal cleanup */ 1996 void 1997 cleanup_exit(int i) 1998 { 1999 leave_raw_mode(); 2000 leave_non_blocking(); 2001 if (options.control_path != NULL && control_fd != -1) 2002 unlink(options.control_path); 2003 _exit(i); 2004 } 2005