1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * The main loop for the interactive session (client side). 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * 14 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 * 36 * 37 * SSH2 support added by Markus Friedl. 38 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. 39 * 40 * Redistribution and use in source and binary forms, with or without 41 * modification, are permitted provided that the following conditions 42 * are met: 43 * 1. Redistributions of source code must retain the above copyright 44 * notice, this list of conditions and the following disclaimer. 45 * 2. Redistributions in binary form must reproduce the above copyright 46 * notice, this list of conditions and the following disclaimer in the 47 * documentation and/or other materials provided with the distribution. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 50 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 51 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 52 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 53 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 54 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 55 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 56 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 57 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 58 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 59 */ 60 61 #include "includes.h" 62 RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $"); 63 64 #include "ssh.h" 65 #include "ssh1.h" 66 #include "ssh2.h" 67 #include "xmalloc.h" 68 #include "packet.h" 69 #include "buffer.h" 70 #include "compat.h" 71 #include "channels.h" 72 #include "dispatch.h" 73 #include "buffer.h" 74 #include "bufaux.h" 75 #include "key.h" 76 #include "kex.h" 77 #include "log.h" 78 #include "readconf.h" 79 #include "clientloop.h" 80 #include "sshconnect.h" 81 #include "authfd.h" 82 #include "atomicio.h" 83 #include "sshpty.h" 84 #include "misc.h" 85 #include "monitor_fdpass.h" 86 #include "match.h" 87 #include "msg.h" 88 89 /* import options */ 90 extern Options options; 91 92 /* Flag indicating that stdin should be redirected from /dev/null. */ 93 extern int stdin_null_flag; 94 95 /* Flag indicating that no shell has been requested */ 96 extern int no_shell_flag; 97 98 /* Control socket */ 99 extern int control_fd; 100 101 /* 102 * Name of the host we are connecting to. This is the name given on the 103 * command line, or the HostName specified for the user-supplied name in a 104 * configuration file. 105 */ 106 extern char *host; 107 108 /* 109 * Flag to indicate that we have received a window change signal which has 110 * not yet been processed. This will cause a message indicating the new 111 * window size to be sent to the server a little later. This is volatile 112 * because this is updated in a signal handler. 113 */ 114 static volatile sig_atomic_t received_window_change_signal = 0; 115 static volatile sig_atomic_t received_signal = 0; 116 117 /* Flag indicating whether the user's terminal is in non-blocking mode. */ 118 static int in_non_blocking_mode = 0; 119 120 /* Common data for the client loop code. */ 121 static int quit_pending; /* Set to non-zero to quit the client loop. */ 122 static int escape_char; /* Escape character. */ 123 static int escape_pending; /* Last character was the escape character */ 124 static int last_was_cr; /* Last character was a newline. */ 125 static int exit_status; /* Used to store the exit status of the command. */ 126 static int stdin_eof; /* EOF has been encountered on standard error. */ 127 static Buffer stdin_buffer; /* Buffer for stdin data. */ 128 static Buffer stdout_buffer; /* Buffer for stdout data. */ 129 static Buffer stderr_buffer; /* Buffer for stderr data. */ 130 static u_long stdin_bytes, stdout_bytes, stderr_bytes; 131 static u_int buffer_high;/* Soft max buffer size. */ 132 static int connection_in; /* Connection to server (input). */ 133 static int connection_out; /* Connection to server (output). */ 134 static int need_rekeying; /* Set to non-zero if rekeying is requested. */ 135 static int session_closed = 0; /* In SSH2: login session closed. */ 136 static int server_alive_timeouts = 0; 137 138 static void client_init_dispatch(void); 139 int session_ident = -1; 140 141 struct confirm_ctx { 142 int want_tty; 143 int want_subsys; 144 int want_x_fwd; 145 int want_agent_fwd; 146 Buffer cmd; 147 char *term; 148 struct termios tio; 149 char **env; 150 }; 151 152 /*XXX*/ 153 extern Kex *xxx_kex; 154 155 void ssh_process_session2_setup(int, int, int, Buffer *); 156 157 /* Restores stdin to blocking mode. */ 158 159 static void 160 leave_non_blocking(void) 161 { 162 if (in_non_blocking_mode) { 163 unset_nonblock(fileno(stdin)); 164 in_non_blocking_mode = 0; 165 } 166 } 167 168 /* Puts stdin terminal in non-blocking mode. */ 169 170 static void 171 enter_non_blocking(void) 172 { 173 in_non_blocking_mode = 1; 174 set_nonblock(fileno(stdin)); 175 } 176 177 /* 178 * Signal handler for the window change signal (SIGWINCH). This just sets a 179 * flag indicating that the window has changed. 180 */ 181 182 static void 183 window_change_handler(int sig) 184 { 185 received_window_change_signal = 1; 186 signal(SIGWINCH, window_change_handler); 187 } 188 189 /* 190 * Signal handler for signals that cause the program to terminate. These 191 * signals must be trapped to restore terminal modes. 192 */ 193 194 static void 195 signal_handler(int sig) 196 { 197 received_signal = sig; 198 quit_pending = 1; 199 } 200 201 /* 202 * Returns current time in seconds from Jan 1, 1970 with the maximum 203 * available resolution. 204 */ 205 206 static double 207 get_current_time(void) 208 { 209 struct timeval tv; 210 gettimeofday(&tv, NULL); 211 return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0; 212 } 213 214 #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" 215 void 216 client_x11_get_proto(const char *display, const char *xauth_path, 217 u_int trusted, char **_proto, char **_data) 218 { 219 char cmd[1024]; 220 char line[512]; 221 char xdisplay[512]; 222 static char proto[512], data[512]; 223 FILE *f; 224 int got_data = 0, generated = 0, do_unlink = 0, i; 225 char *xauthdir, *xauthfile; 226 struct stat st; 227 228 xauthdir = xauthfile = NULL; 229 *_proto = proto; 230 *_data = data; 231 proto[0] = data[0] = '\0'; 232 233 if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { 234 debug("No xauth program."); 235 } else { 236 if (display == NULL) { 237 debug("x11_get_proto: DISPLAY not set"); 238 return; 239 } 240 /* 241 * Handle FamilyLocal case where $DISPLAY does 242 * not match an authorization entry. For this we 243 * just try "xauth list unix:displaynum.screennum". 244 * XXX: "localhost" match to determine FamilyLocal 245 * is not perfect. 246 */ 247 if (strncmp(display, "localhost:", 10) == 0) { 248 snprintf(xdisplay, sizeof(xdisplay), "unix:%s", 249 display + 10); 250 display = xdisplay; 251 } 252 if (trusted == 0) { 253 xauthdir = xmalloc(MAXPATHLEN); 254 xauthfile = xmalloc(MAXPATHLEN); 255 strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); 256 if (mkdtemp(xauthdir) != NULL) { 257 do_unlink = 1; 258 snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", 259 xauthdir); 260 snprintf(cmd, sizeof(cmd), 261 "%s -f %s generate %s " SSH_X11_PROTO 262 " untrusted timeout 1200 2>" _PATH_DEVNULL, 263 xauth_path, xauthfile, display); 264 debug2("x11_get_proto: %s", cmd); 265 if (system(cmd) == 0) 266 generated = 1; 267 } 268 } 269 snprintf(cmd, sizeof(cmd), 270 "%s %s%s list %s 2>" _PATH_DEVNULL, 271 xauth_path, 272 generated ? "-f " : "" , 273 generated ? xauthfile : "", 274 display); 275 debug2("x11_get_proto: %s", cmd); 276 f = popen(cmd, "r"); 277 if (f && fgets(line, sizeof(line), f) && 278 sscanf(line, "%*s %511s %511s", proto, data) == 2) 279 got_data = 1; 280 if (f) 281 pclose(f); 282 } 283 284 if (do_unlink) { 285 unlink(xauthfile); 286 rmdir(xauthdir); 287 } 288 if (xauthdir) 289 xfree(xauthdir); 290 if (xauthfile) 291 xfree(xauthfile); 292 293 /* 294 * If we didn't get authentication data, just make up some 295 * data. The forwarding code will check the validity of the 296 * response anyway, and substitute this data. The X11 297 * server, however, will ignore this fake data and use 298 * whatever authentication mechanisms it was using otherwise 299 * for the local connection. 300 */ 301 if (!got_data) { 302 u_int32_t rnd = 0; 303 304 logit("Warning: No xauth data; " 305 "using fake authentication data for X11 forwarding."); 306 strlcpy(proto, SSH_X11_PROTO, sizeof proto); 307 for (i = 0; i < 16; i++) { 308 if (i % 4 == 0) 309 rnd = arc4random(); 310 snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", 311 rnd & 0xff); 312 rnd >>= 8; 313 } 314 } 315 } 316 317 /* 318 * This is called when the interactive is entered. This checks if there is 319 * an EOF coming on stdin. We must check this explicitly, as select() does 320 * not appear to wake up when redirecting from /dev/null. 321 */ 322 323 static void 324 client_check_initial_eof_on_stdin(void) 325 { 326 int len; 327 char buf[1]; 328 329 /* 330 * If standard input is to be "redirected from /dev/null", we simply 331 * mark that we have seen an EOF and send an EOF message to the 332 * server. Otherwise, we try to read a single character; it appears 333 * that for some files, such /dev/null, select() never wakes up for 334 * read for this descriptor, which means that we never get EOF. This 335 * way we will get the EOF if stdin comes from /dev/null or similar. 336 */ 337 if (stdin_null_flag) { 338 /* Fake EOF on stdin. */ 339 debug("Sending eof."); 340 stdin_eof = 1; 341 packet_start(SSH_CMSG_EOF); 342 packet_send(); 343 } else { 344 enter_non_blocking(); 345 346 /* Check for immediate EOF on stdin. */ 347 len = read(fileno(stdin), buf, 1); 348 if (len == 0) { 349 /* EOF. Record that we have seen it and send EOF to server. */ 350 debug("Sending eof."); 351 stdin_eof = 1; 352 packet_start(SSH_CMSG_EOF); 353 packet_send(); 354 } else if (len > 0) { 355 /* 356 * Got data. We must store the data in the buffer, 357 * and also process it as an escape character if 358 * appropriate. 359 */ 360 if ((u_char) buf[0] == escape_char) 361 escape_pending = 1; 362 else 363 buffer_append(&stdin_buffer, buf, 1); 364 } 365 leave_non_blocking(); 366 } 367 } 368 369 370 /* 371 * Make packets from buffered stdin data, and buffer them for sending to the 372 * connection. 373 */ 374 375 static void 376 client_make_packets_from_stdin_data(void) 377 { 378 u_int len; 379 380 /* Send buffered stdin data to the server. */ 381 while (buffer_len(&stdin_buffer) > 0 && 382 packet_not_very_much_data_to_write()) { 383 len = buffer_len(&stdin_buffer); 384 /* Keep the packets at reasonable size. */ 385 if (len > packet_get_maxsize()) 386 len = packet_get_maxsize(); 387 packet_start(SSH_CMSG_STDIN_DATA); 388 packet_put_string(buffer_ptr(&stdin_buffer), len); 389 packet_send(); 390 buffer_consume(&stdin_buffer, len); 391 stdin_bytes += len; 392 /* If we have a pending EOF, send it now. */ 393 if (stdin_eof && buffer_len(&stdin_buffer) == 0) { 394 packet_start(SSH_CMSG_EOF); 395 packet_send(); 396 } 397 } 398 } 399 400 /* 401 * Checks if the client window has changed, and sends a packet about it to 402 * the server if so. The actual change is detected elsewhere (by a software 403 * interrupt on Unix); this just checks the flag and sends a message if 404 * appropriate. 405 */ 406 407 static void 408 client_check_window_change(void) 409 { 410 struct winsize ws; 411 412 if (! received_window_change_signal) 413 return; 414 /** XXX race */ 415 received_window_change_signal = 0; 416 417 debug2("client_check_window_change: changed"); 418 419 if (compat20) { 420 channel_send_window_changes(); 421 } else { 422 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 423 return; 424 packet_start(SSH_CMSG_WINDOW_SIZE); 425 packet_put_int(ws.ws_row); 426 packet_put_int(ws.ws_col); 427 packet_put_int(ws.ws_xpixel); 428 packet_put_int(ws.ws_ypixel); 429 packet_send(); 430 } 431 } 432 433 static void 434 client_global_request_reply(int type, u_int32_t seq, void *ctxt) 435 { 436 server_alive_timeouts = 0; 437 client_global_request_reply_fwd(type, seq, ctxt); 438 } 439 440 static void 441 server_alive_check(void) 442 { 443 if (++server_alive_timeouts > options.server_alive_count_max) 444 packet_disconnect("Timeout, server not responding."); 445 packet_start(SSH2_MSG_GLOBAL_REQUEST); 446 packet_put_cstring("keepalive@openssh.com"); 447 packet_put_char(1); /* boolean: want reply */ 448 packet_send(); 449 } 450 451 /* 452 * Waits until the client can do something (some data becomes available on 453 * one of the file descriptors). 454 */ 455 static void 456 client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, 457 int *maxfdp, u_int *nallocp, int rekeying) 458 { 459 struct timeval tv, *tvp; 460 int ret; 461 462 /* Add any selections by the channel mechanism. */ 463 channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying); 464 465 if (!compat20) { 466 /* Read from the connection, unless our buffers are full. */ 467 if (buffer_len(&stdout_buffer) < buffer_high && 468 buffer_len(&stderr_buffer) < buffer_high && 469 channel_not_very_much_buffered_data()) 470 FD_SET(connection_in, *readsetp); 471 /* 472 * Read from stdin, unless we have seen EOF or have very much 473 * buffered data to send to the server. 474 */ 475 if (!stdin_eof && packet_not_very_much_data_to_write()) 476 FD_SET(fileno(stdin), *readsetp); 477 478 /* Select stdout/stderr if have data in buffer. */ 479 if (buffer_len(&stdout_buffer) > 0) 480 FD_SET(fileno(stdout), *writesetp); 481 if (buffer_len(&stderr_buffer) > 0) 482 FD_SET(fileno(stderr), *writesetp); 483 } else { 484 /* channel_prepare_select could have closed the last channel */ 485 if (session_closed && !channel_still_open() && 486 !packet_have_data_to_write()) { 487 /* clear mask since we did not call select() */ 488 memset(*readsetp, 0, *nallocp); 489 memset(*writesetp, 0, *nallocp); 490 return; 491 } else { 492 FD_SET(connection_in, *readsetp); 493 } 494 } 495 496 /* Select server connection if have data to write to the server. */ 497 if (packet_have_data_to_write()) 498 FD_SET(connection_out, *writesetp); 499 500 if (control_fd != -1) 501 FD_SET(control_fd, *readsetp); 502 503 /* 504 * Wait for something to happen. This will suspend the process until 505 * some selected descriptor can be read, written, or has some other 506 * event pending. 507 */ 508 509 if (options.server_alive_interval == 0 || !compat20) 510 tvp = NULL; 511 else { 512 tv.tv_sec = options.server_alive_interval; 513 tv.tv_usec = 0; 514 tvp = &tv; 515 } 516 ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); 517 if (ret < 0) { 518 char buf[100]; 519 520 /* 521 * We have to clear the select masks, because we return. 522 * We have to return, because the mainloop checks for the flags 523 * set by the signal handlers. 524 */ 525 memset(*readsetp, 0, *nallocp); 526 memset(*writesetp, 0, *nallocp); 527 528 if (errno == EINTR) 529 return; 530 /* Note: we might still have data in the buffers. */ 531 snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); 532 buffer_append(&stderr_buffer, buf, strlen(buf)); 533 quit_pending = 1; 534 } else if (ret == 0) 535 server_alive_check(); 536 } 537 538 static void 539 client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr) 540 { 541 /* Flush stdout and stderr buffers. */ 542 if (buffer_len(bout) > 0) 543 atomicio(vwrite, fileno(stdout), buffer_ptr(bout), buffer_len(bout)); 544 if (buffer_len(berr) > 0) 545 atomicio(vwrite, fileno(stderr), buffer_ptr(berr), buffer_len(berr)); 546 547 leave_raw_mode(); 548 549 /* 550 * Free (and clear) the buffer to reduce the amount of data that gets 551 * written to swap. 552 */ 553 buffer_free(bin); 554 buffer_free(bout); 555 buffer_free(berr); 556 557 /* Send the suspend signal to the program itself. */ 558 kill(getpid(), SIGTSTP); 559 560 /* Reset window sizes in case they have changed */ 561 received_window_change_signal = 1; 562 563 /* OK, we have been continued by the user. Reinitialize buffers. */ 564 buffer_init(bin); 565 buffer_init(bout); 566 buffer_init(berr); 567 568 enter_raw_mode(); 569 } 570 571 static void 572 client_process_net_input(fd_set * readset) 573 { 574 int len; 575 char buf[8192]; 576 577 /* 578 * Read input from the server, and add any such data to the buffer of 579 * the packet subsystem. 580 */ 581 if (FD_ISSET(connection_in, readset)) { 582 /* Read as much as possible. */ 583 len = read(connection_in, buf, sizeof(buf)); 584 if (len == 0) { 585 /* Received EOF. The remote host has closed the connection. */ 586 snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", 587 host); 588 buffer_append(&stderr_buffer, buf, strlen(buf)); 589 quit_pending = 1; 590 return; 591 } 592 /* 593 * There is a kernel bug on Solaris that causes select to 594 * sometimes wake up even though there is no data available. 595 */ 596 if (len < 0 && (errno == EAGAIN || errno == EINTR)) 597 len = 0; 598 599 if (len < 0) { 600 /* An error has encountered. Perhaps there is a network problem. */ 601 snprintf(buf, sizeof buf, "Read from remote host %.300s: %.100s\r\n", 602 host, strerror(errno)); 603 buffer_append(&stderr_buffer, buf, strlen(buf)); 604 quit_pending = 1; 605 return; 606 } 607 packet_process_incoming(buf, len); 608 } 609 } 610 611 static void 612 client_subsystem_reply(int type, u_int32_t seq, void *ctxt) 613 { 614 int id; 615 Channel *c; 616 617 id = packet_get_int(); 618 packet_check_eom(); 619 620 if ((c = channel_lookup(id)) == NULL) { 621 error("%s: no channel for id %d", __func__, id); 622 return; 623 } 624 625 if (type == SSH2_MSG_CHANNEL_SUCCESS) 626 debug2("Request suceeded on channel %d", id); 627 else if (type == SSH2_MSG_CHANNEL_FAILURE) { 628 error("Request failed on channel %d", id); 629 channel_free(c); 630 } 631 } 632 633 static void 634 client_extra_session2_setup(int id, void *arg) 635 { 636 struct confirm_ctx *cctx = arg; 637 const char *display; 638 Channel *c; 639 int i; 640 641 if (cctx == NULL) 642 fatal("%s: cctx == NULL", __func__); 643 if ((c = channel_lookup(id)) == NULL) 644 fatal("%s: no channel for id %d", __func__, id); 645 646 display = getenv("DISPLAY"); 647 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 648 char *proto, *data; 649 /* Get reasonable local authentication information. */ 650 client_x11_get_proto(display, options.xauth_location, 651 options.forward_x11_trusted, &proto, &data); 652 /* Request forwarding with authentication spoofing. */ 653 debug("Requesting X11 forwarding with authentication spoofing."); 654 x11_request_forwarding_with_spoofing(id, display, proto, data); 655 /* XXX wait for reply */ 656 } 657 658 if (cctx->want_agent_fwd && options.forward_agent) { 659 debug("Requesting authentication agent forwarding."); 660 channel_request_start(id, "auth-agent-req@openssh.com", 0); 661 packet_send(); 662 } 663 664 client_session2_setup(id, cctx->want_tty, cctx->want_subsys, 665 cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env, 666 client_subsystem_reply); 667 668 c->confirm_ctx = NULL; 669 buffer_free(&cctx->cmd); 670 xfree(cctx->term); 671 if (cctx->env != NULL) { 672 for (i = 0; cctx->env[i] != NULL; i++) 673 xfree(cctx->env[i]); 674 xfree(cctx->env); 675 } 676 xfree(cctx); 677 } 678 679 static void 680 client_process_control(fd_set * readset) 681 { 682 Buffer m; 683 Channel *c; 684 int client_fd, new_fd[3], ver, allowed; 685 socklen_t addrlen; 686 struct sockaddr_storage addr; 687 struct confirm_ctx *cctx; 688 char *cmd; 689 u_int i, len, env_len, command, flags; 690 uid_t euid; 691 gid_t egid; 692 693 /* 694 * Accept connection on control socket 695 */ 696 if (control_fd == -1 || !FD_ISSET(control_fd, readset)) 697 return; 698 699 memset(&addr, 0, sizeof(addr)); 700 addrlen = sizeof(addr); 701 if ((client_fd = accept(control_fd, 702 (struct sockaddr*)&addr, &addrlen)) == -1) { 703 error("%s accept: %s", __func__, strerror(errno)); 704 return; 705 } 706 707 if (getpeereid(client_fd, &euid, &egid) < 0) { 708 error("%s getpeereid failed: %s", __func__, strerror(errno)); 709 close(client_fd); 710 return; 711 } 712 if ((euid != 0) && (getuid() != euid)) { 713 error("control mode uid mismatch: peer euid %u != uid %u", 714 (u_int) euid, (u_int) getuid()); 715 close(client_fd); 716 return; 717 } 718 719 unset_nonblock(client_fd); 720 721 /* Read command */ 722 buffer_init(&m); 723 if (ssh_msg_recv(client_fd, &m) == -1) { 724 error("%s: client msg_recv failed", __func__); 725 close(client_fd); 726 buffer_free(&m); 727 return; 728 } 729 if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { 730 error("%s: wrong client version %d", __func__, ver); 731 buffer_free(&m); 732 close(client_fd); 733 return; 734 } 735 736 allowed = 1; 737 command = buffer_get_int(&m); 738 flags = buffer_get_int(&m); 739 740 buffer_clear(&m); 741 742 switch (command) { 743 case SSHMUX_COMMAND_OPEN: 744 if (options.control_master == SSHCTL_MASTER_ASK || 745 options.control_master == SSHCTL_MASTER_AUTO_ASK) 746 allowed = ask_permission("Allow shared connection " 747 "to %s? ", host); 748 /* continue below */ 749 break; 750 case SSHMUX_COMMAND_TERMINATE: 751 if (options.control_master == SSHCTL_MASTER_ASK || 752 options.control_master == SSHCTL_MASTER_AUTO_ASK) 753 allowed = ask_permission("Terminate shared connection " 754 "to %s? ", host); 755 if (allowed) 756 quit_pending = 1; 757 /* FALLTHROUGH */ 758 case SSHMUX_COMMAND_ALIVE_CHECK: 759 /* Reply for SSHMUX_COMMAND_TERMINATE and ALIVE_CHECK */ 760 buffer_clear(&m); 761 buffer_put_int(&m, allowed); 762 buffer_put_int(&m, getpid()); 763 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { 764 error("%s: client msg_send failed", __func__); 765 close(client_fd); 766 buffer_free(&m); 767 return; 768 } 769 buffer_free(&m); 770 close(client_fd); 771 return; 772 default: 773 error("Unsupported command %d", command); 774 buffer_free(&m); 775 close(client_fd); 776 return; 777 } 778 779 /* Reply for SSHMUX_COMMAND_OPEN */ 780 buffer_clear(&m); 781 buffer_put_int(&m, allowed); 782 buffer_put_int(&m, getpid()); 783 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { 784 error("%s: client msg_send failed", __func__); 785 close(client_fd); 786 buffer_free(&m); 787 return; 788 } 789 790 if (!allowed) { 791 error("Refused control connection"); 792 close(client_fd); 793 buffer_free(&m); 794 return; 795 } 796 797 buffer_clear(&m); 798 if (ssh_msg_recv(client_fd, &m) == -1) { 799 error("%s: client msg_recv failed", __func__); 800 close(client_fd); 801 buffer_free(&m); 802 return; 803 } 804 if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { 805 error("%s: wrong client version %d", __func__, ver); 806 buffer_free(&m); 807 close(client_fd); 808 return; 809 } 810 811 cctx = xmalloc(sizeof(*cctx)); 812 memset(cctx, 0, sizeof(*cctx)); 813 cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0; 814 cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0; 815 cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0; 816 cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0; 817 cctx->term = buffer_get_string(&m, &len); 818 819 cmd = buffer_get_string(&m, &len); 820 buffer_init(&cctx->cmd); 821 buffer_append(&cctx->cmd, cmd, strlen(cmd)); 822 823 env_len = buffer_get_int(&m); 824 env_len = MIN(env_len, 4096); 825 debug3("%s: receiving %d env vars", __func__, env_len); 826 if (env_len != 0) { 827 cctx->env = xmalloc(sizeof(*cctx->env) * (env_len + 1)); 828 for (i = 0; i < env_len; i++) 829 cctx->env[i] = buffer_get_string(&m, &len); 830 cctx->env[i] = NULL; 831 } 832 833 debug2("%s: accepted tty %d, subsys %d, cmd %s", __func__, 834 cctx->want_tty, cctx->want_subsys, cmd); 835 836 /* Gather fds from client */ 837 new_fd[0] = mm_receive_fd(client_fd); 838 new_fd[1] = mm_receive_fd(client_fd); 839 new_fd[2] = mm_receive_fd(client_fd); 840 841 debug2("%s: got fds stdin %d, stdout %d, stderr %d", __func__, 842 new_fd[0], new_fd[1], new_fd[2]); 843 844 /* Try to pick up ttymodes from client before it goes raw */ 845 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 846 error("%s: tcgetattr: %s", __func__, strerror(errno)); 847 848 /* This roundtrip is just for synchronisation of ttymodes */ 849 buffer_clear(&m); 850 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { 851 error("%s: client msg_send failed", __func__); 852 close(client_fd); 853 close(new_fd[0]); 854 close(new_fd[1]); 855 close(new_fd[2]); 856 buffer_free(&m); 857 xfree(cctx->term); 858 if (env_len != 0) { 859 for (i = 0; i < env_len; i++) 860 xfree(cctx->env[i]); 861 xfree(cctx->env); 862 } 863 return; 864 } 865 buffer_free(&m); 866 867 /* enable nonblocking unless tty */ 868 if (!isatty(new_fd[0])) 869 set_nonblock(new_fd[0]); 870 if (!isatty(new_fd[1])) 871 set_nonblock(new_fd[1]); 872 if (!isatty(new_fd[2])) 873 set_nonblock(new_fd[2]); 874 875 set_nonblock(client_fd); 876 877 c = channel_new("session", SSH_CHANNEL_OPENING, 878 new_fd[0], new_fd[1], new_fd[2], 879 CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT, 880 CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 881 882 /* XXX */ 883 c->ctl_fd = client_fd; 884 885 debug3("%s: channel_new: %d", __func__, c->self); 886 887 channel_send_open(c->self); 888 channel_register_confirm(c->self, client_extra_session2_setup, cctx); 889 } 890 891 static void 892 process_cmdline(void) 893 { 894 void (*handler)(int); 895 char *s, *cmd, *cancel_host; 896 int delete = 0; 897 int local = 0; 898 u_short cancel_port; 899 Forward fwd; 900 901 leave_raw_mode(); 902 handler = signal(SIGINT, SIG_IGN); 903 cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); 904 if (s == NULL) 905 goto out; 906 while (*s && isspace(*s)) 907 s++; 908 if (*s == '-') 909 s++; /* Skip cmdline '-', if any */ 910 if (*s == '\0') 911 goto out; 912 913 if (*s == 'h' || *s == 'H' || *s == '?') { 914 logit("Commands:"); 915 logit(" -Lport:host:hostport Request local forward"); 916 logit(" -Rport:host:hostport Request remote forward"); 917 logit(" -KRhostport Cancel remote forward"); 918 if (!options.permit_local_command) 919 goto out; 920 logit(" !args Execute local command"); 921 goto out; 922 } 923 924 if (*s == '!' && options.permit_local_command) { 925 s++; 926 ssh_local_cmd(s); 927 goto out; 928 } 929 930 if (*s == 'K') { 931 delete = 1; 932 s++; 933 } 934 if (*s != 'L' && *s != 'R') { 935 logit("Invalid command."); 936 goto out; 937 } 938 if (*s == 'L') 939 local = 1; 940 if (local && delete) { 941 logit("Not supported."); 942 goto out; 943 } 944 if ((!local || delete) && !compat20) { 945 logit("Not supported for SSH protocol version 1."); 946 goto out; 947 } 948 949 s++; 950 while (*s && isspace(*s)) 951 s++; 952 953 if (delete) { 954 cancel_port = 0; 955 cancel_host = hpdelim(&s); /* may be NULL */ 956 if (s != NULL) { 957 cancel_port = a2port(s); 958 cancel_host = cleanhostname(cancel_host); 959 } else { 960 cancel_port = a2port(cancel_host); 961 cancel_host = NULL; 962 } 963 if (cancel_port == 0) { 964 logit("Bad forwarding close port"); 965 goto out; 966 } 967 channel_request_rforward_cancel(cancel_host, cancel_port); 968 } else { 969 if (!parse_forward(&fwd, s)) { 970 logit("Bad forwarding specification."); 971 goto out; 972 } 973 if (local) { 974 if (channel_setup_local_fwd_listener(fwd.listen_host, 975 fwd.listen_port, fwd.connect_host, 976 fwd.connect_port, options.gateway_ports) < 0) { 977 logit("Port forwarding failed."); 978 goto out; 979 } 980 } else { 981 channel_request_remote_forwarding(fwd.listen_host, 982 fwd.listen_port, fwd.connect_host, 983 fwd.connect_port); 984 } 985 986 logit("Forwarding port."); 987 } 988 989 out: 990 signal(SIGINT, handler); 991 enter_raw_mode(); 992 if (cmd) 993 xfree(cmd); 994 } 995 996 /* process the characters one by one */ 997 static int 998 process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len) 999 { 1000 char string[1024]; 1001 pid_t pid; 1002 int bytes = 0; 1003 u_int i; 1004 u_char ch; 1005 char *s; 1006 1007 if (len <= 0) 1008 return (0); 1009 1010 for (i = 0; i < (u_int)len; i++) { 1011 /* Get one character at a time. */ 1012 ch = buf[i]; 1013 1014 if (escape_pending) { 1015 /* We have previously seen an escape character. */ 1016 /* Clear the flag now. */ 1017 escape_pending = 0; 1018 1019 /* Process the escaped character. */ 1020 switch (ch) { 1021 case '.': 1022 /* Terminate the connection. */ 1023 snprintf(string, sizeof string, "%c.\r\n", escape_char); 1024 buffer_append(berr, string, strlen(string)); 1025 1026 quit_pending = 1; 1027 return -1; 1028 1029 case 'Z' - 64: 1030 /* Suspend the program. */ 1031 /* Print a message to that effect to the user. */ 1032 snprintf(string, sizeof string, "%c^Z [suspend ssh]\r\n", escape_char); 1033 buffer_append(berr, string, strlen(string)); 1034 1035 /* Restore terminal modes and suspend. */ 1036 client_suspend_self(bin, bout, berr); 1037 1038 /* We have been continued. */ 1039 continue; 1040 1041 case 'B': 1042 if (compat20) { 1043 snprintf(string, sizeof string, 1044 "%cB\r\n", escape_char); 1045 buffer_append(berr, string, 1046 strlen(string)); 1047 channel_request_start(session_ident, 1048 "break", 0); 1049 packet_put_int(1000); 1050 packet_send(); 1051 } 1052 continue; 1053 1054 case 'R': 1055 if (compat20) { 1056 if (datafellows & SSH_BUG_NOREKEY) 1057 logit("Server does not support re-keying"); 1058 else 1059 need_rekeying = 1; 1060 } 1061 continue; 1062 1063 case '&': 1064 /* 1065 * Detach the program (continue to serve connections, 1066 * but put in background and no more new connections). 1067 */ 1068 /* Restore tty modes. */ 1069 leave_raw_mode(); 1070 1071 /* Stop listening for new connections. */ 1072 channel_stop_listening(); 1073 1074 snprintf(string, sizeof string, 1075 "%c& [backgrounded]\n", escape_char); 1076 buffer_append(berr, string, strlen(string)); 1077 1078 /* Fork into background. */ 1079 pid = fork(); 1080 if (pid < 0) { 1081 error("fork: %.100s", strerror(errno)); 1082 continue; 1083 } 1084 if (pid != 0) { /* This is the parent. */ 1085 /* The parent just exits. */ 1086 exit(0); 1087 } 1088 /* The child continues serving connections. */ 1089 if (compat20) { 1090 buffer_append(bin, "\004", 1); 1091 /* fake EOF on stdin */ 1092 return -1; 1093 } else if (!stdin_eof) { 1094 /* 1095 * Sending SSH_CMSG_EOF alone does not always appear 1096 * to be enough. So we try to send an EOF character 1097 * first. 1098 */ 1099 packet_start(SSH_CMSG_STDIN_DATA); 1100 packet_put_string("\004", 1); 1101 packet_send(); 1102 /* Close stdin. */ 1103 stdin_eof = 1; 1104 if (buffer_len(bin) == 0) { 1105 packet_start(SSH_CMSG_EOF); 1106 packet_send(); 1107 } 1108 } 1109 continue; 1110 1111 case '?': 1112 snprintf(string, sizeof string, 1113 "%c?\r\n\ 1114 Supported escape sequences:\r\n\ 1115 %c. - terminate connection\r\n\ 1116 %cB - send a BREAK to the remote system\r\n\ 1117 %cC - open a command line\r\n\ 1118 %cR - Request rekey (SSH protocol 2 only)\r\n\ 1119 %c^Z - suspend ssh\r\n\ 1120 %c# - list forwarded connections\r\n\ 1121 %c& - background ssh (when waiting for connections to terminate)\r\n\ 1122 %c? - this message\r\n\ 1123 %c%c - send the escape character by typing it twice\r\n\ 1124 (Note that escapes are only recognized immediately after newline.)\r\n", 1125 escape_char, escape_char, escape_char, escape_char, 1126 escape_char, escape_char, escape_char, escape_char, 1127 escape_char, escape_char, escape_char); 1128 buffer_append(berr, string, strlen(string)); 1129 continue; 1130 1131 case '#': 1132 snprintf(string, sizeof string, "%c#\r\n", escape_char); 1133 buffer_append(berr, string, strlen(string)); 1134 s = channel_open_message(); 1135 buffer_append(berr, s, strlen(s)); 1136 xfree(s); 1137 continue; 1138 1139 case 'C': 1140 process_cmdline(); 1141 continue; 1142 1143 default: 1144 if (ch != escape_char) { 1145 buffer_put_char(bin, escape_char); 1146 bytes++; 1147 } 1148 /* Escaped characters fall through here */ 1149 break; 1150 } 1151 } else { 1152 /* 1153 * The previous character was not an escape char. Check if this 1154 * is an escape. 1155 */ 1156 if (last_was_cr && ch == escape_char) { 1157 /* It is. Set the flag and continue to next character. */ 1158 escape_pending = 1; 1159 continue; 1160 } 1161 } 1162 1163 /* 1164 * Normal character. Record whether it was a newline, 1165 * and append it to the buffer. 1166 */ 1167 last_was_cr = (ch == '\r' || ch == '\n'); 1168 buffer_put_char(bin, ch); 1169 bytes++; 1170 } 1171 return bytes; 1172 } 1173 1174 static void 1175 client_process_input(fd_set * readset) 1176 { 1177 int len; 1178 char buf[8192]; 1179 1180 /* Read input from stdin. */ 1181 if (FD_ISSET(fileno(stdin), readset)) { 1182 /* Read as much as possible. */ 1183 len = read(fileno(stdin), buf, sizeof(buf)); 1184 if (len < 0 && (errno == EAGAIN || errno == EINTR)) 1185 return; /* we'll try again later */ 1186 if (len <= 0) { 1187 /* 1188 * Received EOF or error. They are treated 1189 * similarly, except that an error message is printed 1190 * if it was an error condition. 1191 */ 1192 if (len < 0) { 1193 snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno)); 1194 buffer_append(&stderr_buffer, buf, strlen(buf)); 1195 } 1196 /* Mark that we have seen EOF. */ 1197 stdin_eof = 1; 1198 /* 1199 * Send an EOF message to the server unless there is 1200 * data in the buffer. If there is data in the 1201 * buffer, no message will be sent now. Code 1202 * elsewhere will send the EOF when the buffer 1203 * becomes empty if stdin_eof is set. 1204 */ 1205 if (buffer_len(&stdin_buffer) == 0) { 1206 packet_start(SSH_CMSG_EOF); 1207 packet_send(); 1208 } 1209 } else if (escape_char == SSH_ESCAPECHAR_NONE) { 1210 /* 1211 * Normal successful read, and no escape character. 1212 * Just append the data to buffer. 1213 */ 1214 buffer_append(&stdin_buffer, buf, len); 1215 } else { 1216 /* 1217 * Normal, successful read. But we have an escape character 1218 * and have to process the characters one by one. 1219 */ 1220 if (process_escapes(&stdin_buffer, &stdout_buffer, 1221 &stderr_buffer, buf, len) == -1) 1222 return; 1223 } 1224 } 1225 } 1226 1227 static void 1228 client_process_output(fd_set * writeset) 1229 { 1230 int len; 1231 char buf[100]; 1232 1233 /* Write buffered output to stdout. */ 1234 if (FD_ISSET(fileno(stdout), writeset)) { 1235 /* Write as much data as possible. */ 1236 len = write(fileno(stdout), buffer_ptr(&stdout_buffer), 1237 buffer_len(&stdout_buffer)); 1238 if (len <= 0) { 1239 if (errno == EINTR || errno == EAGAIN) 1240 len = 0; 1241 else { 1242 /* 1243 * An error or EOF was encountered. Put an 1244 * error message to stderr buffer. 1245 */ 1246 snprintf(buf, sizeof buf, "write stdout: %.50s\r\n", strerror(errno)); 1247 buffer_append(&stderr_buffer, buf, strlen(buf)); 1248 quit_pending = 1; 1249 return; 1250 } 1251 } 1252 /* Consume printed data from the buffer. */ 1253 buffer_consume(&stdout_buffer, len); 1254 stdout_bytes += len; 1255 } 1256 /* Write buffered output to stderr. */ 1257 if (FD_ISSET(fileno(stderr), writeset)) { 1258 /* Write as much data as possible. */ 1259 len = write(fileno(stderr), buffer_ptr(&stderr_buffer), 1260 buffer_len(&stderr_buffer)); 1261 if (len <= 0) { 1262 if (errno == EINTR || errno == EAGAIN) 1263 len = 0; 1264 else { 1265 /* EOF or error, but can't even print error message. */ 1266 quit_pending = 1; 1267 return; 1268 } 1269 } 1270 /* Consume printed characters from the buffer. */ 1271 buffer_consume(&stderr_buffer, len); 1272 stderr_bytes += len; 1273 } 1274 } 1275 1276 /* 1277 * Get packets from the connection input buffer, and process them as long as 1278 * there are packets available. 1279 * 1280 * Any unknown packets received during the actual 1281 * session cause the session to terminate. This is 1282 * intended to make debugging easier since no 1283 * confirmations are sent. Any compatible protocol 1284 * extensions must be negotiated during the 1285 * preparatory phase. 1286 */ 1287 1288 static void 1289 client_process_buffered_input_packets(void) 1290 { 1291 dispatch_run(DISPATCH_NONBLOCK, &quit_pending, compat20 ? xxx_kex : NULL); 1292 } 1293 1294 /* scan buf[] for '~' before sending data to the peer */ 1295 1296 static int 1297 simple_escape_filter(Channel *c, char *buf, int len) 1298 { 1299 /* XXX we assume c->extended is writeable */ 1300 return process_escapes(&c->input, &c->output, &c->extended, buf, len); 1301 } 1302 1303 static void 1304 client_channel_closed(int id, void *arg) 1305 { 1306 channel_cancel_cleanup(id); 1307 session_closed = 1; 1308 leave_raw_mode(); 1309 } 1310 1311 /* 1312 * Implements the interactive session with the server. This is called after 1313 * the user has been authenticated, and a command has been started on the 1314 * remote host. If escape_char != SSH_ESCAPECHAR_NONE, it is the character 1315 * used as an escape character for terminating or suspending the session. 1316 */ 1317 1318 int 1319 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 1320 { 1321 fd_set *readset = NULL, *writeset = NULL; 1322 double start_time, total_time; 1323 int max_fd = 0, max_fd2 = 0, len, rekeying = 0; 1324 u_int nalloc = 0; 1325 char buf[100]; 1326 1327 debug("Entering interactive session."); 1328 1329 start_time = get_current_time(); 1330 1331 /* Initialize variables. */ 1332 escape_pending = 0; 1333 last_was_cr = 1; 1334 exit_status = -1; 1335 stdin_eof = 0; 1336 buffer_high = 64 * 1024; 1337 connection_in = packet_get_connection_in(); 1338 connection_out = packet_get_connection_out(); 1339 max_fd = MAX(connection_in, connection_out); 1340 if (control_fd != -1) 1341 max_fd = MAX(max_fd, control_fd); 1342 1343 if (!compat20) { 1344 /* enable nonblocking unless tty */ 1345 if (!isatty(fileno(stdin))) 1346 set_nonblock(fileno(stdin)); 1347 if (!isatty(fileno(stdout))) 1348 set_nonblock(fileno(stdout)); 1349 if (!isatty(fileno(stderr))) 1350 set_nonblock(fileno(stderr)); 1351 max_fd = MAX(max_fd, fileno(stdin)); 1352 max_fd = MAX(max_fd, fileno(stdout)); 1353 max_fd = MAX(max_fd, fileno(stderr)); 1354 } 1355 stdin_bytes = 0; 1356 stdout_bytes = 0; 1357 stderr_bytes = 0; 1358 quit_pending = 0; 1359 escape_char = escape_char_arg; 1360 1361 /* Initialize buffers. */ 1362 buffer_init(&stdin_buffer); 1363 buffer_init(&stdout_buffer); 1364 buffer_init(&stderr_buffer); 1365 1366 client_init_dispatch(); 1367 1368 /* 1369 * Set signal handlers, (e.g. to restore non-blocking mode) 1370 * but don't overwrite SIG_IGN, matches behaviour from rsh(1) 1371 */ 1372 if (signal(SIGHUP, SIG_IGN) != SIG_IGN) 1373 signal(SIGHUP, signal_handler); 1374 if (signal(SIGINT, SIG_IGN) != SIG_IGN) 1375 signal(SIGINT, signal_handler); 1376 if (signal(SIGQUIT, SIG_IGN) != SIG_IGN) 1377 signal(SIGQUIT, signal_handler); 1378 if (signal(SIGTERM, SIG_IGN) != SIG_IGN) 1379 signal(SIGTERM, signal_handler); 1380 signal(SIGWINCH, window_change_handler); 1381 1382 if (have_pty) 1383 enter_raw_mode(); 1384 1385 if (compat20) { 1386 session_ident = ssh2_chan_id; 1387 if (escape_char != SSH_ESCAPECHAR_NONE) 1388 channel_register_filter(session_ident, 1389 simple_escape_filter, NULL); 1390 if (session_ident != -1) 1391 channel_register_cleanup(session_ident, 1392 client_channel_closed, 0); 1393 } else { 1394 /* Check if we should immediately send eof on stdin. */ 1395 client_check_initial_eof_on_stdin(); 1396 } 1397 1398 /* Main loop of the client for the interactive session mode. */ 1399 while (!quit_pending) { 1400 1401 /* Process buffered packets sent by the server. */ 1402 client_process_buffered_input_packets(); 1403 1404 if (compat20 && session_closed && !channel_still_open()) 1405 break; 1406 1407 rekeying = (xxx_kex != NULL && !xxx_kex->done); 1408 1409 if (rekeying) { 1410 debug("rekeying in progress"); 1411 } else { 1412 /* 1413 * Make packets of buffered stdin data, and buffer 1414 * them for sending to the server. 1415 */ 1416 if (!compat20) 1417 client_make_packets_from_stdin_data(); 1418 1419 /* 1420 * Make packets from buffered channel data, and 1421 * enqueue them for sending to the server. 1422 */ 1423 if (packet_not_very_much_data_to_write()) 1424 channel_output_poll(); 1425 1426 /* 1427 * Check if the window size has changed, and buffer a 1428 * message about it to the server if so. 1429 */ 1430 client_check_window_change(); 1431 1432 if (quit_pending) 1433 break; 1434 } 1435 /* 1436 * Wait until we have something to do (something becomes 1437 * available on one of the descriptors). 1438 */ 1439 max_fd2 = max_fd; 1440 client_wait_until_can_do_something(&readset, &writeset, 1441 &max_fd2, &nalloc, rekeying); 1442 1443 if (quit_pending) 1444 break; 1445 1446 /* Do channel operations unless rekeying in progress. */ 1447 if (!rekeying) { 1448 channel_after_select(readset, writeset); 1449 if (need_rekeying || packet_need_rekeying()) { 1450 debug("need rekeying"); 1451 xxx_kex->done = 0; 1452 kex_send_kexinit(xxx_kex); 1453 need_rekeying = 0; 1454 } 1455 } 1456 1457 /* Buffer input from the connection. */ 1458 client_process_net_input(readset); 1459 1460 /* Accept control connections. */ 1461 client_process_control(readset); 1462 1463 if (quit_pending) 1464 break; 1465 1466 if (!compat20) { 1467 /* Buffer data from stdin */ 1468 client_process_input(readset); 1469 /* 1470 * Process output to stdout and stderr. Output to 1471 * the connection is processed elsewhere (above). 1472 */ 1473 client_process_output(writeset); 1474 } 1475 1476 /* Send as much buffered packet data as possible to the sender. */ 1477 if (FD_ISSET(connection_out, writeset)) 1478 packet_write_poll(); 1479 } 1480 if (readset) 1481 xfree(readset); 1482 if (writeset) 1483 xfree(writeset); 1484 1485 /* Terminate the session. */ 1486 1487 /* Stop watching for window change. */ 1488 signal(SIGWINCH, SIG_DFL); 1489 1490 channel_free_all(); 1491 1492 if (have_pty) 1493 leave_raw_mode(); 1494 1495 /* restore blocking io */ 1496 if (!isatty(fileno(stdin))) 1497 unset_nonblock(fileno(stdin)); 1498 if (!isatty(fileno(stdout))) 1499 unset_nonblock(fileno(stdout)); 1500 if (!isatty(fileno(stderr))) 1501 unset_nonblock(fileno(stderr)); 1502 1503 /* 1504 * If there was no shell or command requested, there will be no remote 1505 * exit status to be returned. In that case, clear error code if the 1506 * connection was deliberately terminated at this end. 1507 */ 1508 if (no_shell_flag && received_signal == SIGTERM) { 1509 received_signal = 0; 1510 exit_status = 0; 1511 } 1512 1513 if (received_signal) 1514 fatal("Killed by signal %d.", (int) received_signal); 1515 1516 /* 1517 * In interactive mode (with pseudo tty) display a message indicating 1518 * that the connection has been closed. 1519 */ 1520 if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) { 1521 snprintf(buf, sizeof buf, "Connection to %.64s closed.\r\n", host); 1522 buffer_append(&stderr_buffer, buf, strlen(buf)); 1523 } 1524 1525 /* Output any buffered data for stdout. */ 1526 while (buffer_len(&stdout_buffer) > 0) { 1527 len = write(fileno(stdout), buffer_ptr(&stdout_buffer), 1528 buffer_len(&stdout_buffer)); 1529 if (len <= 0) { 1530 error("Write failed flushing stdout buffer."); 1531 break; 1532 } 1533 buffer_consume(&stdout_buffer, len); 1534 stdout_bytes += len; 1535 } 1536 1537 /* Output any buffered data for stderr. */ 1538 while (buffer_len(&stderr_buffer) > 0) { 1539 len = write(fileno(stderr), buffer_ptr(&stderr_buffer), 1540 buffer_len(&stderr_buffer)); 1541 if (len <= 0) { 1542 error("Write failed flushing stderr buffer."); 1543 break; 1544 } 1545 buffer_consume(&stderr_buffer, len); 1546 stderr_bytes += len; 1547 } 1548 1549 /* Clear and free any buffers. */ 1550 memset(buf, 0, sizeof(buf)); 1551 buffer_free(&stdin_buffer); 1552 buffer_free(&stdout_buffer); 1553 buffer_free(&stderr_buffer); 1554 1555 /* Report bytes transferred, and transfer rates. */ 1556 total_time = get_current_time() - start_time; 1557 debug("Transferred: stdin %lu, stdout %lu, stderr %lu bytes in %.1f seconds", 1558 stdin_bytes, stdout_bytes, stderr_bytes, total_time); 1559 if (total_time > 0) 1560 debug("Bytes per second: stdin %.1f, stdout %.1f, stderr %.1f", 1561 stdin_bytes / total_time, stdout_bytes / total_time, 1562 stderr_bytes / total_time); 1563 1564 /* Return the exit status of the program. */ 1565 debug("Exit status %d", exit_status); 1566 return exit_status; 1567 } 1568 1569 /*********/ 1570 1571 static void 1572 client_input_stdout_data(int type, u_int32_t seq, void *ctxt) 1573 { 1574 u_int data_len; 1575 char *data = packet_get_string(&data_len); 1576 packet_check_eom(); 1577 buffer_append(&stdout_buffer, data, data_len); 1578 memset(data, 0, data_len); 1579 xfree(data); 1580 } 1581 static void 1582 client_input_stderr_data(int type, u_int32_t seq, void *ctxt) 1583 { 1584 u_int data_len; 1585 char *data = packet_get_string(&data_len); 1586 packet_check_eom(); 1587 buffer_append(&stderr_buffer, data, data_len); 1588 memset(data, 0, data_len); 1589 xfree(data); 1590 } 1591 static void 1592 client_input_exit_status(int type, u_int32_t seq, void *ctxt) 1593 { 1594 exit_status = packet_get_int(); 1595 packet_check_eom(); 1596 /* Acknowledge the exit. */ 1597 packet_start(SSH_CMSG_EXIT_CONFIRMATION); 1598 packet_send(); 1599 /* 1600 * Must wait for packet to be sent since we are 1601 * exiting the loop. 1602 */ 1603 packet_write_wait(); 1604 /* Flag that we want to exit. */ 1605 quit_pending = 1; 1606 } 1607 static void 1608 client_input_agent_open(int type, u_int32_t seq, void *ctxt) 1609 { 1610 Channel *c = NULL; 1611 int remote_id, sock; 1612 1613 /* Read the remote channel number from the message. */ 1614 remote_id = packet_get_int(); 1615 packet_check_eom(); 1616 1617 /* 1618 * Get a connection to the local authentication agent (this may again 1619 * get forwarded). 1620 */ 1621 sock = ssh_get_authentication_socket(); 1622 1623 /* 1624 * If we could not connect the agent, send an error message back to 1625 * the server. This should never happen unless the agent dies, 1626 * because authentication forwarding is only enabled if we have an 1627 * agent. 1628 */ 1629 if (sock >= 0) { 1630 c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, 1631 -1, 0, 0, 0, "authentication agent connection", 1); 1632 c->remote_id = remote_id; 1633 c->force_drain = 1; 1634 } 1635 if (c == NULL) { 1636 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1637 packet_put_int(remote_id); 1638 } else { 1639 /* Send a confirmation to the remote host. */ 1640 debug("Forwarding authentication connection."); 1641 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1642 packet_put_int(remote_id); 1643 packet_put_int(c->self); 1644 } 1645 packet_send(); 1646 } 1647 1648 static Channel * 1649 client_request_forwarded_tcpip(const char *request_type, int rchan) 1650 { 1651 Channel *c = NULL; 1652 char *listen_address, *originator_address; 1653 int listen_port, originator_port; 1654 int sock; 1655 1656 /* Get rest of the packet */ 1657 listen_address = packet_get_string(NULL); 1658 listen_port = packet_get_int(); 1659 originator_address = packet_get_string(NULL); 1660 originator_port = packet_get_int(); 1661 packet_check_eom(); 1662 1663 debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d", 1664 listen_address, listen_port, originator_address, originator_port); 1665 1666 sock = channel_connect_by_listen_address(listen_port); 1667 if (sock < 0) { 1668 xfree(originator_address); 1669 xfree(listen_address); 1670 return NULL; 1671 } 1672 c = channel_new("forwarded-tcpip", 1673 SSH_CHANNEL_CONNECTING, sock, sock, -1, 1674 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, 1675 originator_address, 1); 1676 xfree(originator_address); 1677 xfree(listen_address); 1678 return c; 1679 } 1680 1681 static Channel * 1682 client_request_x11(const char *request_type, int rchan) 1683 { 1684 Channel *c = NULL; 1685 char *originator; 1686 int originator_port; 1687 int sock; 1688 1689 if (!options.forward_x11) { 1690 error("Warning: ssh server tried X11 forwarding."); 1691 error("Warning: this is probably a break-in attempt by a malicious server."); 1692 return NULL; 1693 } 1694 originator = packet_get_string(NULL); 1695 if (datafellows & SSH_BUG_X11FWD) { 1696 debug2("buggy server: x11 request w/o originator_port"); 1697 originator_port = 0; 1698 } else { 1699 originator_port = packet_get_int(); 1700 } 1701 packet_check_eom(); 1702 /* XXX check permission */ 1703 debug("client_request_x11: request from %s %d", originator, 1704 originator_port); 1705 xfree(originator); 1706 sock = x11_connect_display(); 1707 if (sock < 0) 1708 return NULL; 1709 c = channel_new("x11", 1710 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 1711 CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); 1712 c->force_drain = 1; 1713 return c; 1714 } 1715 1716 static Channel * 1717 client_request_agent(const char *request_type, int rchan) 1718 { 1719 Channel *c = NULL; 1720 int sock; 1721 1722 if (!options.forward_agent) { 1723 error("Warning: ssh server tried agent forwarding."); 1724 error("Warning: this is probably a break-in attempt by a malicious server."); 1725 return NULL; 1726 } 1727 sock = ssh_get_authentication_socket(); 1728 if (sock < 0) 1729 return NULL; 1730 c = channel_new("authentication agent connection", 1731 SSH_CHANNEL_OPEN, sock, sock, -1, 1732 CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, 1733 "authentication agent connection", 1); 1734 c->force_drain = 1; 1735 return c; 1736 } 1737 1738 /* XXXX move to generic input handler */ 1739 static void 1740 client_input_channel_open(int type, u_int32_t seq, void *ctxt) 1741 { 1742 Channel *c = NULL; 1743 char *ctype; 1744 int rchan; 1745 u_int rmaxpack, rwindow, len; 1746 1747 ctype = packet_get_string(&len); 1748 rchan = packet_get_int(); 1749 rwindow = packet_get_int(); 1750 rmaxpack = packet_get_int(); 1751 1752 debug("client_input_channel_open: ctype %s rchan %d win %d max %d", 1753 ctype, rchan, rwindow, rmaxpack); 1754 1755 if (strcmp(ctype, "forwarded-tcpip") == 0) { 1756 c = client_request_forwarded_tcpip(ctype, rchan); 1757 } else if (strcmp(ctype, "x11") == 0) { 1758 c = client_request_x11(ctype, rchan); 1759 } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { 1760 c = client_request_agent(ctype, rchan); 1761 } 1762 /* XXX duplicate : */ 1763 if (c != NULL) { 1764 debug("confirm %s", ctype); 1765 c->remote_id = rchan; 1766 c->remote_window = rwindow; 1767 c->remote_maxpacket = rmaxpack; 1768 if (c->type != SSH_CHANNEL_CONNECTING) { 1769 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1770 packet_put_int(c->remote_id); 1771 packet_put_int(c->self); 1772 packet_put_int(c->local_window); 1773 packet_put_int(c->local_maxpacket); 1774 packet_send(); 1775 } 1776 } else { 1777 debug("failure %s", ctype); 1778 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1779 packet_put_int(rchan); 1780 packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); 1781 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1782 packet_put_cstring("open failed"); 1783 packet_put_cstring(""); 1784 } 1785 packet_send(); 1786 } 1787 xfree(ctype); 1788 } 1789 static void 1790 client_input_channel_req(int type, u_int32_t seq, void *ctxt) 1791 { 1792 Channel *c = NULL; 1793 int exitval, id, reply, success = 0; 1794 char *rtype; 1795 1796 id = packet_get_int(); 1797 rtype = packet_get_string(NULL); 1798 reply = packet_get_char(); 1799 1800 debug("client_input_channel_req: channel %d rtype %s reply %d", 1801 id, rtype, reply); 1802 1803 if (id == -1) { 1804 error("client_input_channel_req: request for channel -1"); 1805 } else if ((c = channel_lookup(id)) == NULL) { 1806 error("client_input_channel_req: channel %d: unknown channel", id); 1807 } else if (strcmp(rtype, "exit-status") == 0) { 1808 exitval = packet_get_int(); 1809 if (id == session_ident) { 1810 success = 1; 1811 exit_status = exitval; 1812 } else if (c->ctl_fd == -1) { 1813 error("client_input_channel_req: unexpected channel %d", 1814 session_ident); 1815 } else { 1816 atomicio(vwrite, c->ctl_fd, &exitval, sizeof(exitval)); 1817 success = 1; 1818 } 1819 packet_check_eom(); 1820 } 1821 if (reply) { 1822 packet_start(success ? 1823 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); 1824 packet_put_int(id); 1825 packet_send(); 1826 } 1827 xfree(rtype); 1828 } 1829 static void 1830 client_input_global_request(int type, u_int32_t seq, void *ctxt) 1831 { 1832 char *rtype; 1833 int want_reply; 1834 int success = 0; 1835 1836 rtype = packet_get_string(NULL); 1837 want_reply = packet_get_char(); 1838 debug("client_input_global_request: rtype %s want_reply %d", 1839 rtype, want_reply); 1840 if (want_reply) { 1841 packet_start(success ? 1842 SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); 1843 packet_send(); 1844 packet_write_wait(); 1845 } 1846 xfree(rtype); 1847 } 1848 1849 void 1850 client_session2_setup(int id, int want_tty, int want_subsystem, 1851 const char *term, struct termios *tiop, int in_fd, Buffer *cmd, char **env, 1852 dispatch_fn *subsys_repl) 1853 { 1854 int len; 1855 Channel *c = NULL; 1856 1857 debug2("%s: id %d", __func__, id); 1858 1859 if ((c = channel_lookup(id)) == NULL) 1860 fatal("client_session2_setup: channel %d: unknown channel", id); 1861 1862 if (want_tty) { 1863 struct winsize ws; 1864 struct termios tio; 1865 1866 /* Store window size in the packet. */ 1867 if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0) 1868 memset(&ws, 0, sizeof(ws)); 1869 1870 channel_request_start(id, "pty-req", 0); 1871 packet_put_cstring(term != NULL ? term : ""); 1872 packet_put_int(ws.ws_col); 1873 packet_put_int(ws.ws_row); 1874 packet_put_int(ws.ws_xpixel); 1875 packet_put_int(ws.ws_ypixel); 1876 tio = get_saved_tio(); 1877 tty_make_modes(-1, tiop != NULL ? tiop : &tio); 1878 packet_send(); 1879 /* XXX wait for reply */ 1880 c->client_tty = 1; 1881 } 1882 1883 /* Transfer any environment variables from client to server */ 1884 if (options.num_send_env != 0 && env != NULL) { 1885 int i, j, matched; 1886 char *name, *val; 1887 1888 debug("Sending environment."); 1889 for (i = 0; env[i] != NULL; i++) { 1890 /* Split */ 1891 name = xstrdup(env[i]); 1892 if ((val = strchr(name, '=')) == NULL) { 1893 xfree(name); 1894 continue; 1895 } 1896 *val++ = '\0'; 1897 1898 matched = 0; 1899 for (j = 0; j < options.num_send_env; j++) { 1900 if (match_pattern(name, options.send_env[j])) { 1901 matched = 1; 1902 break; 1903 } 1904 } 1905 if (!matched) { 1906 debug3("Ignored env %s", name); 1907 xfree(name); 1908 continue; 1909 } 1910 1911 debug("Sending env %s = %s", name, val); 1912 channel_request_start(id, "env", 0); 1913 packet_put_cstring(name); 1914 packet_put_cstring(val); 1915 packet_send(); 1916 xfree(name); 1917 } 1918 } 1919 1920 len = buffer_len(cmd); 1921 if (len > 0) { 1922 if (len > 900) 1923 len = 900; 1924 if (want_subsystem) { 1925 debug("Sending subsystem: %.*s", len, (u_char*)buffer_ptr(cmd)); 1926 channel_request_start(id, "subsystem", subsys_repl != NULL); 1927 if (subsys_repl != NULL) { 1928 /* register callback for reply */ 1929 /* XXX we assume that client_loop has already been called */ 1930 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, subsys_repl); 1931 dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, subsys_repl); 1932 } 1933 } else { 1934 debug("Sending command: %.*s", len, (u_char*)buffer_ptr(cmd)); 1935 channel_request_start(id, "exec", 0); 1936 } 1937 packet_put_string(buffer_ptr(cmd), buffer_len(cmd)); 1938 packet_send(); 1939 } else { 1940 channel_request_start(id, "shell", 0); 1941 packet_send(); 1942 } 1943 } 1944 1945 static void 1946 client_init_dispatch_20(void) 1947 { 1948 dispatch_init(&dispatch_protocol_error); 1949 1950 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); 1951 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data); 1952 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); 1953 dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); 1954 dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open); 1955 dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1956 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1957 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); 1958 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); 1959 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request); 1960 1961 /* rekeying */ 1962 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 1963 1964 /* global request reply messages */ 1965 dispatch_set(SSH2_MSG_REQUEST_FAILURE, &client_global_request_reply); 1966 dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &client_global_request_reply); 1967 } 1968 static void 1969 client_init_dispatch_13(void) 1970 { 1971 dispatch_init(NULL); 1972 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close); 1973 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation); 1974 dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); 1975 dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1976 dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1977 dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); 1978 dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); 1979 dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); 1980 dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); 1981 1982 dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? 1983 &client_input_agent_open : &deny_input_open); 1984 dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? 1985 &x11_input_open : &deny_input_open); 1986 } 1987 static void 1988 client_init_dispatch_15(void) 1989 { 1990 client_init_dispatch_13(); 1991 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof); 1992 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, & channel_input_oclose); 1993 } 1994 static void 1995 client_init_dispatch(void) 1996 { 1997 if (compat20) 1998 client_init_dispatch_20(); 1999 else if (compat13) 2000 client_init_dispatch_13(); 2001 else 2002 client_init_dispatch_15(); 2003 } 2004 2005 /* client specific fatal cleanup */ 2006 void 2007 cleanup_exit(int i) 2008 { 2009 leave_raw_mode(); 2010 leave_non_blocking(); 2011 if (options.control_path != NULL && control_fd != -1) 2012 unlink(options.control_path); 2013 _exit(i); 2014 } 2015