1 /* $OpenBSD: monitor_wrap.c,v 1.136 2024/06/19 23:24:47 djm Exp $ */ 2 /* 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 30 #include <sys/types.h> 31 #include <sys/uio.h> 32 #include <sys/wait.h> 33 34 #include <errno.h> 35 #include <pwd.h> 36 #include <signal.h> 37 #include <stdarg.h> 38 #include <stdio.h> 39 #include <string.h> 40 #include <unistd.h> 41 42 #ifdef WITH_OPENSSL 43 #include <openssl/bn.h> 44 #include <openssl/dh.h> 45 #include <openssl/evp.h> 46 #endif 47 48 #include "openbsd-compat/sys-queue.h" 49 #include "xmalloc.h" 50 #include "ssh.h" 51 #ifdef WITH_OPENSSL 52 #include "dh.h" 53 #endif 54 #include "sshbuf.h" 55 #include "sshkey.h" 56 #include "cipher.h" 57 #include "kex.h" 58 #include "hostfile.h" 59 #include "auth.h" 60 #include "auth-options.h" 61 #include "packet.h" 62 #include "mac.h" 63 #include "log.h" 64 #include "auth-pam.h" 65 #include "monitor.h" 66 #ifdef GSSAPI 67 #include "ssh-gss.h" 68 #endif 69 #include "atomicio.h" 70 #include "monitor_fdpass.h" 71 #include "misc.h" 72 73 #include "channels.h" 74 #include "session.h" 75 #include "servconf.h" 76 #include "monitor_wrap.h" 77 #include "srclimit.h" 78 79 #include "ssherr.h" 80 81 /* Imports */ 82 extern struct monitor *pmonitor; 83 extern struct sshbuf *loginmsg; 84 extern ServerOptions options; 85 86 void 87 mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) 88 { 89 struct sshbuf *log_msg; 90 struct monitor *mon = (struct monitor *)ctx; 91 int r; 92 size_t len; 93 94 if (mon->m_log_sendfd == -1) 95 fatal_f("no log channel"); 96 97 if ((log_msg = sshbuf_new()) == NULL) 98 fatal_f("sshbuf_new failed"); 99 100 if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ 101 (r = sshbuf_put_u32(log_msg, level)) != 0 || 102 (r = sshbuf_put_u32(log_msg, forced)) != 0 || 103 (r = sshbuf_put_cstring(log_msg, msg)) != 0) 104 fatal_fr(r, "assemble"); 105 if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff) 106 fatal_f("bad length %zu", len); 107 POKE_U32(sshbuf_mutable_ptr(log_msg), len - 4); 108 if (atomicio(vwrite, mon->m_log_sendfd, 109 sshbuf_mutable_ptr(log_msg), len) != len) 110 fatal_f("write: %s", strerror(errno)); 111 sshbuf_free(log_msg); 112 } 113 114 int 115 mm_is_monitor(void) 116 { 117 /* 118 * m_pid is only set in the privileged part, and 119 * points to the unprivileged child. 120 */ 121 return (pmonitor && pmonitor->m_pid > 0); 122 } 123 124 static void 125 mm_reap(void) 126 { 127 int status = -1; 128 129 if (!mm_is_monitor()) 130 return; 131 while (waitpid(pmonitor->m_pid, &status, 0) == -1) { 132 if (errno == EINTR) 133 continue; 134 pmonitor->m_pid = -1; 135 fatal_f("waitpid: %s", strerror(errno)); 136 } 137 if (WIFEXITED(status)) { 138 if (WEXITSTATUS(status) != 0) { 139 debug_f("preauth child exited with status %d", 140 WEXITSTATUS(status)); 141 cleanup_exit(255); 142 } 143 } else if (WIFSIGNALED(status)) { 144 error_f("preauth child terminated by signal %d", 145 WTERMSIG(status)); 146 cleanup_exit(signal_is_crash(WTERMSIG(status)) ? 147 EXIT_CHILD_CRASH : 255); 148 } else { 149 error_f("preauth child terminated abnormally (status=0x%x)", 150 status); 151 cleanup_exit(EXIT_CHILD_CRASH); 152 } 153 } 154 155 void 156 mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m) 157 { 158 size_t mlen = sshbuf_len(m); 159 u_char buf[5]; 160 161 debug3_f("entering, type %d", type); 162 163 if (mlen >= 0xffffffff) 164 fatal_f("bad length %zu", mlen); 165 POKE_U32(buf, mlen + 1); 166 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 167 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf) || 168 atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) { 169 if (errno == EPIPE) { 170 debug3_f("monitor fd closed"); 171 mm_reap(); 172 cleanup_exit(255); 173 } 174 fatal_f("write: %s", strerror(errno)); 175 } 176 } 177 178 void 179 mm_request_receive(int sock, struct sshbuf *m) 180 { 181 u_char buf[4], *p = NULL; 182 u_int msg_len; 183 int oerrno, r; 184 185 debug3_f("entering"); 186 187 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { 188 if (errno == EPIPE) { 189 debug3_f("monitor fd closed"); 190 mm_reap(); 191 cleanup_exit(255); 192 } 193 fatal_f("read: %s", strerror(errno)); 194 } 195 msg_len = PEEK_U32(buf); 196 if (msg_len > 256 * 1024) 197 fatal_f("read: bad msg_len %d", msg_len); 198 sshbuf_reset(m); 199 if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) 200 fatal_fr(r, "reserve"); 201 if (atomicio(read, sock, p, msg_len) != msg_len) { 202 oerrno = errno; 203 error_f("read: %s", strerror(errno)); 204 if (oerrno == EPIPE) 205 mm_reap(); 206 cleanup_exit(255); 207 } 208 } 209 210 void 211 mm_request_receive_expect(int sock, enum monitor_reqtype type, struct sshbuf *m) 212 { 213 u_char rtype; 214 int r; 215 216 debug3_f("entering, type %d", type); 217 218 mm_request_receive(sock, m); 219 if ((r = sshbuf_get_u8(m, &rtype)) != 0) 220 fatal_fr(r, "parse"); 221 if (rtype != type) 222 fatal_f("read: rtype %d != type %d", rtype, type); 223 } 224 225 #ifdef WITH_OPENSSL 226 DH * 227 mm_choose_dh(int min, int nbits, int max) 228 { 229 BIGNUM *p, *g; 230 int r; 231 u_char success = 0; 232 struct sshbuf *m; 233 234 if ((m = sshbuf_new()) == NULL) 235 fatal_f("sshbuf_new failed"); 236 if ((r = sshbuf_put_u32(m, min)) != 0 || 237 (r = sshbuf_put_u32(m, nbits)) != 0 || 238 (r = sshbuf_put_u32(m, max)) != 0) 239 fatal_fr(r, "assemble"); 240 241 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, m); 242 243 debug3_f("waiting for MONITOR_ANS_MODULI"); 244 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, m); 245 246 if ((r = sshbuf_get_u8(m, &success)) != 0) 247 fatal_fr(r, "parse success"); 248 if (success == 0) 249 fatal_f("MONITOR_ANS_MODULI failed"); 250 251 if ((r = sshbuf_get_bignum2(m, &p)) != 0 || 252 (r = sshbuf_get_bignum2(m, &g)) != 0) 253 fatal_fr(r, "parse group"); 254 255 debug3_f("remaining %zu", sshbuf_len(m)); 256 sshbuf_free(m); 257 258 return (dh_new_group(g, p)); 259 } 260 #endif 261 262 int 263 mm_sshkey_sign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp, 264 const u_char *data, size_t datalen, const char *hostkey_alg, 265 const char *sk_provider, const char *sk_pin, u_int compat) 266 { 267 struct kex *kex = *pmonitor->m_pkex; 268 struct sshbuf *m; 269 u_int ndx = kex->host_key_index(key, 0, ssh); 270 int r; 271 272 debug3_f("entering"); 273 if ((m = sshbuf_new()) == NULL) 274 fatal_f("sshbuf_new failed"); 275 if ((r = sshbuf_put_u32(m, ndx)) != 0 || 276 (r = sshbuf_put_string(m, data, datalen)) != 0 || 277 (r = sshbuf_put_cstring(m, hostkey_alg)) != 0 || 278 (r = sshbuf_put_u32(m, compat)) != 0) 279 fatal_fr(r, "assemble"); 280 281 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, m); 282 283 debug3_f("waiting for MONITOR_ANS_SIGN"); 284 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, m); 285 if ((r = sshbuf_get_string(m, sigp, lenp)) != 0) 286 fatal_fr(r, "parse"); 287 sshbuf_free(m); 288 289 return (0); 290 } 291 292 void 293 mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m) 294 { 295 const u_char *p; 296 size_t len; 297 u_int i; 298 ServerOptions *newopts; 299 int r; 300 301 if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0) 302 fatal_fr(r, "parse opts"); 303 if (len != sizeof(*newopts)) 304 fatal_f("option block size mismatch"); 305 newopts = xcalloc(sizeof(*newopts), 1); 306 memcpy(newopts, p, sizeof(*newopts)); 307 308 #define M_CP_STROPT(x) do { \ 309 if (newopts->x != NULL && \ 310 (r = sshbuf_get_cstring(m, &newopts->x, NULL)) != 0) \ 311 fatal_fr(r, "parse %s", #x); \ 312 } while (0) 313 #define M_CP_STRARRAYOPT(x, nx) do { \ 314 newopts->x = newopts->nx == 0 ? \ 315 NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \ 316 for (i = 0; i < newopts->nx; i++) { \ 317 if ((r = sshbuf_get_cstring(m, \ 318 &newopts->x[i], NULL)) != 0) \ 319 fatal_fr(r, "parse %s", #x); \ 320 } \ 321 } while (0) 322 /* See comment in servconf.h */ 323 COPY_MATCH_STRING_OPTS(); 324 #undef M_CP_STROPT 325 #undef M_CP_STRARRAYOPT 326 327 copy_set_server_options(&options, newopts, 1); 328 log_change_level(options.log_level); 329 log_verbose_reset(); 330 for (i = 0; i < options.num_log_verbose; i++) 331 log_verbose_add(options.log_verbose[i]); 332 free(newopts); 333 } 334 335 #define GETPW(b, id) \ 336 do { \ 337 if ((r = sshbuf_get_string_direct(b, &p, &len)) != 0) \ 338 fatal_fr(r, "parse pw %s", #id); \ 339 if (len != sizeof(pw->id)) \ 340 fatal_fr(r, "bad length for %s", #id); \ 341 memcpy(&pw->id, p, len); \ 342 } while (0) 343 344 struct passwd * 345 mm_getpwnamallow(struct ssh *ssh, const char *username) 346 { 347 struct sshbuf *m; 348 struct passwd *pw; 349 size_t len; 350 int r; 351 u_char ok; 352 const u_char *p; 353 354 debug3_f("entering"); 355 356 if ((m = sshbuf_new()) == NULL) 357 fatal_f("sshbuf_new failed"); 358 if ((r = sshbuf_put_cstring(m, username)) != 0) 359 fatal_fr(r, "assemble"); 360 361 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, m); 362 363 debug3_f("waiting for MONITOR_ANS_PWNAM"); 364 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, m); 365 366 if ((r = sshbuf_get_u8(m, &ok)) != 0) 367 fatal_fr(r, "parse success"); 368 if (ok == 0) { 369 pw = NULL; 370 goto out; 371 } 372 373 /* XXX don't like passing struct passwd like this */ 374 pw = xcalloc(sizeof(*pw), 1); 375 GETPW(m, pw_uid); 376 GETPW(m, pw_gid); 377 #ifdef HAVE_STRUCT_PASSWD_PW_CHANGE 378 GETPW(m, pw_change); 379 #endif 380 #ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE 381 GETPW(m, pw_expire); 382 #endif 383 if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 || 384 (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 || 385 #ifdef HAVE_STRUCT_PASSWD_PW_GECOS 386 (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 || 387 #endif 388 #ifdef HAVE_STRUCT_PASSWD_PW_CLASS 389 (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 || 390 #endif 391 (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 || 392 (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0) 393 fatal_fr(r, "parse pw"); 394 395 out: 396 /* copy options block as a Match directive may have changed some */ 397 mm_decode_activate_server_options(ssh, m); 398 server_process_permitopen(ssh); 399 server_process_channel_timeouts(ssh); 400 kex_set_server_sig_algs(ssh, options.pubkey_accepted_algos); 401 sshbuf_free(m); 402 403 return (pw); 404 } 405 406 char * 407 mm_auth2_read_banner(void) 408 { 409 struct sshbuf *m; 410 char *banner; 411 int r; 412 413 debug3_f("entering"); 414 415 if ((m = sshbuf_new()) == NULL) 416 fatal_f("sshbuf_new failed"); 417 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, m); 418 sshbuf_reset(m); 419 420 mm_request_receive_expect(pmonitor->m_recvfd, 421 MONITOR_ANS_AUTH2_READ_BANNER, m); 422 if ((r = sshbuf_get_cstring(m, &banner, NULL)) != 0) 423 fatal_fr(r, "parse"); 424 sshbuf_free(m); 425 426 /* treat empty banner as missing banner */ 427 if (strlen(banner) == 0) { 428 free(banner); 429 banner = NULL; 430 } 431 return (banner); 432 } 433 434 /* Inform the privileged process about service and style */ 435 436 void 437 mm_inform_authserv(char *service, char *style) 438 { 439 struct sshbuf *m; 440 int r; 441 442 debug3_f("entering"); 443 444 if ((m = sshbuf_new()) == NULL) 445 fatal_f("sshbuf_new failed"); 446 if ((r = sshbuf_put_cstring(m, service)) != 0 || 447 (r = sshbuf_put_cstring(m, style ? style : "")) != 0) 448 fatal_fr(r, "assemble"); 449 450 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); 451 452 sshbuf_free(m); 453 } 454 455 /* Do the password authentication */ 456 int 457 mm_auth_password(struct ssh *ssh, char *password) 458 { 459 struct sshbuf *m; 460 int r, authenticated = 0; 461 #ifdef USE_PAM 462 u_int maxtries = 0; 463 #endif 464 465 debug3_f("entering"); 466 467 if ((m = sshbuf_new()) == NULL) 468 fatal_f("sshbuf_new failed"); 469 if ((r = sshbuf_put_cstring(m, password)) != 0) 470 fatal_fr(r, "assemble"); 471 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, m); 472 473 debug3_f("waiting for MONITOR_ANS_AUTHPASSWORD"); 474 mm_request_receive_expect(pmonitor->m_recvfd, 475 MONITOR_ANS_AUTHPASSWORD, m); 476 477 if ((r = sshbuf_get_u32(m, &authenticated)) != 0) 478 fatal_fr(r, "parse"); 479 #ifdef USE_PAM 480 if ((r = sshbuf_get_u32(m, &maxtries)) != 0) 481 fatal_fr(r, "parse PAM"); 482 if (maxtries > INT_MAX) 483 fatal_fr(r, "bad maxtries"); 484 sshpam_set_maxtries_reached(maxtries); 485 #endif 486 487 sshbuf_free(m); 488 489 debug3_f("user %sauthenticated", authenticated ? "" : "not "); 490 return (authenticated); 491 } 492 493 int 494 mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, 495 int pubkey_auth_attempt, struct sshauthopt **authoptp) 496 { 497 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key, 498 pubkey_auth_attempt, authoptp)); 499 } 500 501 int 502 mm_hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, 503 const char *user, const char *host, struct sshkey *key) 504 { 505 return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL)); 506 } 507 508 int 509 mm_key_allowed(enum mm_keytype type, const char *user, const char *host, 510 struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp) 511 { 512 struct sshbuf *m; 513 int r, allowed = 0; 514 struct sshauthopt *opts = NULL; 515 516 debug3_f("entering"); 517 518 if (authoptp != NULL) 519 *authoptp = NULL; 520 521 if ((m = sshbuf_new()) == NULL) 522 fatal_f("sshbuf_new failed"); 523 if ((r = sshbuf_put_u32(m, type)) != 0 || 524 (r = sshbuf_put_cstring(m, user ? user : "")) != 0 || 525 (r = sshbuf_put_cstring(m, host ? host : "")) != 0 || 526 (r = sshkey_puts(key, m)) != 0 || 527 (r = sshbuf_put_u32(m, pubkey_auth_attempt)) != 0) 528 fatal_fr(r, "assemble"); 529 530 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, m); 531 532 debug3_f("waiting for MONITOR_ANS_KEYALLOWED"); 533 mm_request_receive_expect(pmonitor->m_recvfd, 534 MONITOR_ANS_KEYALLOWED, m); 535 536 if ((r = sshbuf_get_u32(m, &allowed)) != 0) 537 fatal_fr(r, "parse"); 538 if (allowed && type == MM_USERKEY && 539 (r = sshauthopt_deserialise(m, &opts)) != 0) 540 fatal_fr(r, "sshauthopt_deserialise"); 541 sshbuf_free(m); 542 543 if (authoptp != NULL) { 544 *authoptp = opts; 545 opts = NULL; 546 } 547 sshauthopt_free(opts); 548 549 return allowed; 550 } 551 552 /* 553 * This key verify needs to send the key type along, because the 554 * privileged parent makes the decision if the key is allowed 555 * for authentication. 556 */ 557 558 int 559 mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, 560 const u_char *data, size_t datalen, const char *sigalg, u_int compat, 561 struct sshkey_sig_details **sig_detailsp) 562 { 563 struct sshbuf *m; 564 u_int encoded_ret = 0; 565 int r; 566 u_char sig_details_present, flags; 567 u_int counter; 568 569 debug3_f("entering"); 570 571 if (sig_detailsp != NULL) 572 *sig_detailsp = NULL; 573 if ((m = sshbuf_new()) == NULL) 574 fatal_f("sshbuf_new failed"); 575 if ((r = sshkey_puts(key, m)) != 0 || 576 (r = sshbuf_put_string(m, sig, siglen)) != 0 || 577 (r = sshbuf_put_string(m, data, datalen)) != 0 || 578 (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) 579 fatal_fr(r, "assemble"); 580 581 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, m); 582 583 debug3_f("waiting for MONITOR_ANS_KEYVERIFY"); 584 mm_request_receive_expect(pmonitor->m_recvfd, 585 MONITOR_ANS_KEYVERIFY, m); 586 587 if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0 || 588 (r = sshbuf_get_u8(m, &sig_details_present)) != 0) 589 fatal_fr(r, "parse"); 590 if (sig_details_present && encoded_ret == 0) { 591 if ((r = sshbuf_get_u32(m, &counter)) != 0 || 592 (r = sshbuf_get_u8(m, &flags)) != 0) 593 fatal_fr(r, "parse sig_details"); 594 if (sig_detailsp != NULL) { 595 *sig_detailsp = xcalloc(1, sizeof(**sig_detailsp)); 596 (*sig_detailsp)->sk_counter = counter; 597 (*sig_detailsp)->sk_flags = flags; 598 } 599 } 600 601 sshbuf_free(m); 602 603 if (encoded_ret != 0) 604 return SSH_ERR_SIGNATURE_INVALID; 605 return 0; 606 } 607 608 void 609 mm_send_keystate(struct ssh *ssh, struct monitor *monitor) 610 { 611 struct sshbuf *m; 612 int r; 613 614 if ((m = sshbuf_new()) == NULL) 615 fatal_f("sshbuf_new failed"); 616 if ((r = ssh_packet_get_state(ssh, m)) != 0) 617 fatal_fr(r, "ssh_packet_get_state"); 618 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, m); 619 debug3_f("Finished sending state"); 620 sshbuf_free(m); 621 } 622 623 int 624 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) 625 { 626 struct sshbuf *m; 627 char *p, *msg; 628 int success = 0, tmp1 = -1, tmp2 = -1, r; 629 630 /* Kludge: ensure there are fds free to receive the pty/tty */ 631 if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || 632 (tmp2 = dup(pmonitor->m_recvfd)) == -1) { 633 error_f("cannot allocate fds for pty"); 634 if (tmp1 >= 0) 635 close(tmp1); 636 return 0; 637 } 638 close(tmp1); 639 close(tmp2); 640 641 if ((m = sshbuf_new()) == NULL) 642 fatal_f("sshbuf_new failed"); 643 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, m); 644 645 debug3_f("waiting for MONITOR_ANS_PTY"); 646 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, m); 647 648 if ((r = sshbuf_get_u32(m, &success)) != 0) 649 fatal_fr(r, "parse success"); 650 if (success == 0) { 651 debug3_f("pty alloc failed"); 652 sshbuf_free(m); 653 return (0); 654 } 655 if ((r = sshbuf_get_cstring(m, &p, NULL)) != 0 || 656 (r = sshbuf_get_cstring(m, &msg, NULL)) != 0) 657 fatal_fr(r, "parse"); 658 sshbuf_free(m); 659 660 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 661 free(p); 662 663 if ((r = sshbuf_put(loginmsg, msg, strlen(msg))) != 0) 664 fatal_fr(r, "put loginmsg"); 665 free(msg); 666 667 if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || 668 (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) 669 fatal_f("receive fds failed"); 670 671 /* Success */ 672 return (1); 673 } 674 675 void 676 mm_session_pty_cleanup2(Session *s) 677 { 678 struct sshbuf *m; 679 int r; 680 681 if (s->ttyfd == -1) 682 return; 683 if ((m = sshbuf_new()) == NULL) 684 fatal_f("sshbuf_new failed"); 685 if ((r = sshbuf_put_cstring(m, s->tty)) != 0) 686 fatal_fr(r, "assmble"); 687 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, m); 688 sshbuf_free(m); 689 690 /* closed dup'ed master */ 691 if (s->ptymaster != -1 && close(s->ptymaster) == -1) 692 error("close(s->ptymaster/%d): %s", 693 s->ptymaster, strerror(errno)); 694 695 /* unlink pty from session */ 696 s->ttyfd = -1; 697 } 698 699 #ifdef USE_PAM 700 void 701 mm_start_pam(struct ssh *ssh) 702 { 703 struct sshbuf *m; 704 705 debug3("%s entering", __func__); 706 if (!options.use_pam) 707 fatal("UsePAM=no, but ended up in %s anyway", __func__); 708 if ((m = sshbuf_new()) == NULL) 709 fatal("%s: sshbuf_new failed", __func__); 710 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, m); 711 712 sshbuf_free(m); 713 } 714 715 u_int 716 mm_do_pam_account(void) 717 { 718 struct sshbuf *m; 719 u_int ret; 720 char *msg; 721 size_t msglen; 722 int r; 723 724 debug3("%s entering", __func__); 725 if (!options.use_pam) 726 fatal("UsePAM=no, but ended up in %s anyway", __func__); 727 728 if ((m = sshbuf_new()) == NULL) 729 fatal("%s: sshbuf_new failed", __func__); 730 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, m); 731 732 mm_request_receive_expect(pmonitor->m_recvfd, 733 MONITOR_ANS_PAM_ACCOUNT, m); 734 if ((r = sshbuf_get_u32(m, &ret)) != 0 || 735 (r = sshbuf_get_cstring(m, &msg, &msglen)) != 0 || 736 (r = sshbuf_put(loginmsg, msg, msglen)) != 0) 737 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 738 739 free(msg); 740 sshbuf_free(m); 741 742 debug3("%s returning %d", __func__, ret); 743 744 return (ret); 745 } 746 747 void * 748 mm_sshpam_init_ctx(Authctxt *authctxt) 749 { 750 struct sshbuf *m; 751 int r, success; 752 753 debug3("%s", __func__); 754 if ((m = sshbuf_new()) == NULL) 755 fatal("%s: sshbuf_new failed", __func__); 756 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, m); 757 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 758 mm_request_receive_expect(pmonitor->m_recvfd, 759 MONITOR_ANS_PAM_INIT_CTX, m); 760 if ((r = sshbuf_get_u32(m, &success)) != 0) 761 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 762 if (success == 0) { 763 debug3("%s: pam_init_ctx failed", __func__); 764 sshbuf_free(m); 765 return (NULL); 766 } 767 sshbuf_free(m); 768 return (authctxt); 769 } 770 771 int 772 mm_sshpam_query(void *ctx, char **name, char **info, 773 u_int *num, char ***prompts, u_int **echo_on) 774 { 775 struct sshbuf *m; 776 u_int i, n; 777 int r, ret; 778 779 debug3("%s", __func__); 780 if ((m = sshbuf_new()) == NULL) 781 fatal("%s: sshbuf_new failed", __func__); 782 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, m); 783 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); 784 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, m); 785 if ((r = sshbuf_get_u32(m, &ret)) != 0 || 786 (r = sshbuf_get_cstring(m, name, NULL)) != 0 || 787 (r = sshbuf_get_cstring(m, info, NULL)) != 0 || 788 (r = sshbuf_get_u32(m, &n)) != 0 || 789 (r = sshbuf_get_u32(m, num)) != 0) 790 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 791 debug3("%s: pam_query returned %d", __func__, ret); 792 sshpam_set_maxtries_reached(n); 793 if (*num > PAM_MAX_NUM_MSG) 794 fatal("%s: received %u PAM messages, expected <= %u", 795 __func__, *num, PAM_MAX_NUM_MSG); 796 *prompts = xcalloc((*num + 1), sizeof(char *)); 797 *echo_on = xcalloc((*num + 1), sizeof(u_int)); 798 for (i = 0; i < *num; ++i) { 799 if ((r = sshbuf_get_cstring(m, &((*prompts)[i]), NULL)) != 0 || 800 (r = sshbuf_get_u32(m, &((*echo_on)[i]))) != 0) 801 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 802 } 803 sshbuf_free(m); 804 return (ret); 805 } 806 807 int 808 mm_sshpam_respond(void *ctx, u_int num, char **resp) 809 { 810 struct sshbuf *m; 811 u_int n, i; 812 int r, ret; 813 814 debug3("%s", __func__); 815 if ((m = sshbuf_new()) == NULL) 816 fatal("%s: sshbuf_new failed", __func__); 817 if ((r = sshbuf_put_u32(m, num)) != 0) 818 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 819 for (i = 0; i < num; ++i) { 820 if ((r = sshbuf_put_cstring(m, resp[i])) != 0) 821 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 822 } 823 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, m); 824 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); 825 mm_request_receive_expect(pmonitor->m_recvfd, 826 MONITOR_ANS_PAM_RESPOND, m); 827 if ((r = sshbuf_get_u32(m, &n)) != 0) 828 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 829 ret = (int)n; /* XXX */ 830 debug3("%s: pam_respond returned %d", __func__, ret); 831 sshbuf_free(m); 832 return (ret); 833 } 834 835 void 836 mm_sshpam_free_ctx(void *ctxtp) 837 { 838 struct sshbuf *m; 839 840 debug3("%s", __func__); 841 if ((m = sshbuf_new()) == NULL) 842 fatal("%s: sshbuf_new failed", __func__); 843 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, m); 844 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); 845 mm_request_receive_expect(pmonitor->m_recvfd, 846 MONITOR_ANS_PAM_FREE_CTX, m); 847 sshbuf_free(m); 848 } 849 #endif /* USE_PAM */ 850 851 /* Request process termination */ 852 853 void 854 mm_terminate(void) 855 { 856 struct sshbuf *m; 857 858 if ((m = sshbuf_new()) == NULL) 859 fatal_f("sshbuf_new failed"); 860 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, m); 861 sshbuf_free(m); 862 } 863 864 static void 865 mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 866 char ***prompts, u_int **echo_on) 867 { 868 *name = xstrdup(""); 869 *infotxt = xstrdup(""); 870 *numprompts = 1; 871 *prompts = xcalloc(*numprompts, sizeof(char *)); 872 *echo_on = xcalloc(*numprompts, sizeof(u_int)); 873 (*echo_on)[0] = 0; 874 } 875 876 int 877 mm_bsdauth_query(void *ctx, char **name, char **infotxt, 878 u_int *numprompts, char ***prompts, u_int **echo_on) 879 { 880 struct sshbuf *m; 881 u_int success; 882 char *challenge; 883 int r; 884 885 debug3_f("entering"); 886 887 if ((m = sshbuf_new()) == NULL) 888 fatal_f("sshbuf_new failed"); 889 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, m); 890 891 mm_request_receive_expect(pmonitor->m_recvfd, 892 MONITOR_ANS_BSDAUTHQUERY, m); 893 if ((r = sshbuf_get_u32(m, &success)) != 0) 894 fatal_fr(r, "parse success"); 895 if (success == 0) { 896 debug3_f("no challenge"); 897 sshbuf_free(m); 898 return (-1); 899 } 900 901 /* Get the challenge, and format the response */ 902 if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0) 903 fatal_fr(r, "parse challenge"); 904 sshbuf_free(m); 905 906 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 907 (*prompts)[0] = challenge; 908 909 debug3_f("received challenge: %s", challenge); 910 911 return (0); 912 } 913 914 int 915 mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 916 { 917 struct sshbuf *m; 918 int r, authok; 919 920 debug3_f("entering"); 921 if (numresponses != 1) 922 return (-1); 923 924 if ((m = sshbuf_new()) == NULL) 925 fatal_f("sshbuf_new failed"); 926 if ((r = sshbuf_put_cstring(m, responses[0])) != 0) 927 fatal_fr(r, "assemble"); 928 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, m); 929 930 mm_request_receive_expect(pmonitor->m_recvfd, 931 MONITOR_ANS_BSDAUTHRESPOND, m); 932 933 if ((r = sshbuf_get_u32(m, &authok)) != 0) 934 fatal_fr(r, "parse"); 935 sshbuf_free(m); 936 937 return ((authok == 0) ? -1 : 0); 938 } 939 940 #ifdef SSH_AUDIT_EVENTS 941 void 942 mm_audit_event(struct ssh *ssh, ssh_audit_event_t event) 943 { 944 struct sshbuf *m; 945 int r; 946 947 debug3("%s entering", __func__); 948 949 if ((m = sshbuf_new()) == NULL) 950 fatal("%s: sshbuf_new failed", __func__); 951 if ((r = sshbuf_put_u32(m, event)) != 0) 952 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 953 954 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, m); 955 sshbuf_free(m); 956 } 957 958 void 959 mm_audit_run_command(const char *command) 960 { 961 struct sshbuf *m; 962 int r; 963 964 debug3("%s entering command %s", __func__, command); 965 966 if ((m = sshbuf_new()) == NULL) 967 fatal("%s: sshbuf_new failed", __func__); 968 if ((r = sshbuf_put_cstring(m, command)) != 0) 969 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 970 971 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m); 972 sshbuf_free(m); 973 } 974 #endif /* SSH_AUDIT_EVENTS */ 975 976 #ifdef GSSAPI 977 OM_uint32 978 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) 979 { 980 struct sshbuf *m; 981 OM_uint32 major; 982 int r; 983 984 /* Client doesn't get to see the context */ 985 *ctx = NULL; 986 987 if ((m = sshbuf_new()) == NULL) 988 fatal_f("sshbuf_new failed"); 989 if ((r = sshbuf_put_string(m, goid->elements, goid->length)) != 0) 990 fatal_fr(r, "assemble"); 991 992 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, m); 993 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, m); 994 995 if ((r = sshbuf_get_u32(m, &major)) != 0) 996 fatal_fr(r, "parse"); 997 998 sshbuf_free(m); 999 return (major); 1000 } 1001 1002 OM_uint32 1003 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 1004 gss_buffer_desc *out, OM_uint32 *flagsp) 1005 { 1006 struct sshbuf *m; 1007 OM_uint32 major; 1008 u_int flags; 1009 int r; 1010 1011 if ((m = sshbuf_new()) == NULL) 1012 fatal_f("sshbuf_new failed"); 1013 if ((r = sshbuf_put_string(m, in->value, in->length)) != 0) 1014 fatal_fr(r, "assemble"); 1015 1016 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, m); 1017 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, m); 1018 1019 if ((r = sshbuf_get_u32(m, &major)) != 0 || 1020 (r = ssh_gssapi_get_buffer_desc(m, out)) != 0) 1021 fatal_fr(r, "parse"); 1022 if (flagsp != NULL) { 1023 if ((r = sshbuf_get_u32(m, &flags)) != 0) 1024 fatal_fr(r, "parse flags"); 1025 *flagsp = flags; 1026 } 1027 1028 sshbuf_free(m); 1029 1030 return (major); 1031 } 1032 1033 OM_uint32 1034 mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 1035 { 1036 struct sshbuf *m; 1037 OM_uint32 major; 1038 int r; 1039 1040 if ((m = sshbuf_new()) == NULL) 1041 fatal_f("sshbuf_new failed"); 1042 if ((r = sshbuf_put_string(m, gssbuf->value, gssbuf->length)) != 0 || 1043 (r = sshbuf_put_string(m, gssmic->value, gssmic->length)) != 0) 1044 fatal_fr(r, "assemble"); 1045 1046 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, m); 1047 mm_request_receive_expect(pmonitor->m_recvfd, 1048 MONITOR_ANS_GSSCHECKMIC, m); 1049 1050 if ((r = sshbuf_get_u32(m, &major)) != 0) 1051 fatal_fr(r, "parse"); 1052 sshbuf_free(m); 1053 return(major); 1054 } 1055 1056 int 1057 mm_ssh_gssapi_userok(char *user) 1058 { 1059 struct sshbuf *m; 1060 int r, authenticated = 0; 1061 1062 if ((m = sshbuf_new()) == NULL) 1063 fatal_f("sshbuf_new failed"); 1064 1065 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); 1066 mm_request_receive_expect(pmonitor->m_recvfd, 1067 MONITOR_ANS_GSSUSEROK, m); 1068 1069 if ((r = sshbuf_get_u32(m, &authenticated)) != 0) 1070 fatal_fr(r, "parse"); 1071 1072 sshbuf_free(m); 1073 debug3_f("user %sauthenticated", authenticated ? "" : "not "); 1074 return (authenticated); 1075 } 1076 #endif /* GSSAPI */ 1077 1078 /* 1079 * Inform channels layer of permitopen options for a single forwarding 1080 * direction (local/remote). 1081 */ 1082 static void 1083 server_process_permitopen_list(struct ssh *ssh, int listen, 1084 char **opens, u_int num_opens) 1085 { 1086 u_int i; 1087 int port; 1088 char *host, *arg, *oarg; 1089 int where = listen ? FORWARD_REMOTE : FORWARD_LOCAL; 1090 const char *what = listen ? "permitlisten" : "permitopen"; 1091 1092 channel_clear_permission(ssh, FORWARD_ADM, where); 1093 if (num_opens == 0) 1094 return; /* permit any */ 1095 1096 /* handle keywords: "any" / "none" */ 1097 if (num_opens == 1 && strcmp(opens[0], "any") == 0) 1098 return; 1099 if (num_opens == 1 && strcmp(opens[0], "none") == 0) { 1100 channel_disable_admin(ssh, where); 1101 return; 1102 } 1103 /* Otherwise treat it as a list of permitted host:port */ 1104 for (i = 0; i < num_opens; i++) { 1105 oarg = arg = xstrdup(opens[i]); 1106 host = hpdelim(&arg); 1107 if (host == NULL) 1108 fatal_f("missing host in %s", what); 1109 host = cleanhostname(host); 1110 if (arg == NULL || ((port = permitopen_port(arg)) < 0)) 1111 fatal_f("bad port number in %s", what); 1112 /* Send it to channels layer */ 1113 channel_add_permission(ssh, FORWARD_ADM, 1114 where, host, port); 1115 free(oarg); 1116 } 1117 } 1118 1119 /* 1120 * Inform channels layer of permitopen options from configuration. 1121 */ 1122 void 1123 server_process_permitopen(struct ssh *ssh) 1124 { 1125 server_process_permitopen_list(ssh, 0, 1126 options.permitted_opens, options.num_permitted_opens); 1127 server_process_permitopen_list(ssh, 1, 1128 options.permitted_listens, options.num_permitted_listens); 1129 } 1130 1131 void 1132 server_process_channel_timeouts(struct ssh *ssh) 1133 { 1134 u_int i, secs; 1135 char *type; 1136 1137 debug3_f("setting %u timeouts", options.num_channel_timeouts); 1138 channel_clear_timeouts(ssh); 1139 for (i = 0; i < options.num_channel_timeouts; i++) { 1140 if (parse_pattern_interval(options.channel_timeouts[i], 1141 &type, &secs) != 0) { 1142 fatal_f("internal error: bad timeout %s", 1143 options.channel_timeouts[i]); 1144 } 1145 channel_add_timeout(ssh, type, secs); 1146 free(type); 1147 } 1148 } 1149 1150 struct connection_info * 1151 server_get_connection_info(struct ssh *ssh, int populate, int use_dns) 1152 { 1153 static struct connection_info ci; 1154 1155 if (ssh == NULL || !populate) 1156 return &ci; 1157 ci.host = use_dns ? ssh_remote_hostname(ssh) : ssh_remote_ipaddr(ssh); 1158 ci.address = ssh_remote_ipaddr(ssh); 1159 ci.laddress = ssh_local_ipaddr(ssh); 1160 ci.lport = ssh_local_port(ssh); 1161 ci.rdomain = ssh_packet_rdomain_in(ssh); 1162 return &ci; 1163 } 1164 1165