1 /* 2 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $"); 29 RCSID("$FreeBSD$"); 30 31 #include <openssl/bn.h> 32 #include <openssl/dh.h> 33 34 #include "ssh.h" 35 #include "dh.h" 36 #include "kex.h" 37 #include "auth.h" 38 #include "auth-options.h" 39 #include "buffer.h" 40 #include "bufaux.h" 41 #include "packet.h" 42 #include "mac.h" 43 #include "log.h" 44 #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ 45 #undef TARGET_OS_MAC 46 #include "zlib.h" 47 #define TARGET_OS_MAC 1 48 #else 49 #include "zlib.h" 50 #endif 51 #include "monitor.h" 52 #include "monitor_wrap.h" 53 #include "xmalloc.h" 54 #include "atomicio.h" 55 #include "monitor_fdpass.h" 56 #include "getput.h" 57 #include "servconf.h" 58 59 #include "auth.h" 60 #include "channels.h" 61 #include "session.h" 62 63 #ifdef GSSAPI 64 #include "ssh-gss.h" 65 #endif 66 67 /* Imports */ 68 extern int compat20; 69 extern Newkeys *newkeys[]; 70 extern z_stream incoming_stream; 71 extern z_stream outgoing_stream; 72 extern struct monitor *pmonitor; 73 extern Buffer input, output; 74 extern Buffer loginmsg; 75 extern ServerOptions options; 76 77 int 78 mm_is_monitor(void) 79 { 80 /* 81 * m_pid is only set in the privileged part, and 82 * points to the unprivileged child. 83 */ 84 return (pmonitor && pmonitor->m_pid > 0); 85 } 86 87 void 88 mm_request_send(int sock, enum monitor_reqtype type, Buffer *m) 89 { 90 u_int mlen = buffer_len(m); 91 u_char buf[5]; 92 93 debug3("%s entering: type %d", __func__, type); 94 95 PUT_32BIT(buf, mlen + 1); 96 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 97 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) 98 fatal("%s: write: %s", __func__, strerror(errno)); 99 if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) 100 fatal("%s: write: %s", __func__, strerror(errno)); 101 } 102 103 void 104 mm_request_receive(int sock, Buffer *m) 105 { 106 u_char buf[4]; 107 u_int msg_len; 108 109 debug3("%s entering", __func__); 110 111 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { 112 if (errno == EPIPE) 113 cleanup_exit(255); 114 fatal("%s: read: %s", __func__, strerror(errno)); 115 } 116 msg_len = GET_32BIT(buf); 117 if (msg_len > 256 * 1024) 118 fatal("%s: read: bad msg_len %d", __func__, msg_len); 119 buffer_clear(m); 120 buffer_append_space(m, msg_len); 121 if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len) 122 fatal("%s: read: %s", __func__, strerror(errno)); 123 } 124 125 void 126 mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) 127 { 128 u_char rtype; 129 130 debug3("%s entering: type %d", __func__, type); 131 132 mm_request_receive(sock, m); 133 rtype = buffer_get_char(m); 134 if (rtype != type) 135 fatal("%s: read: rtype %d != type %d", __func__, 136 rtype, type); 137 } 138 139 DH * 140 mm_choose_dh(int min, int nbits, int max) 141 { 142 BIGNUM *p, *g; 143 int success = 0; 144 Buffer m; 145 146 buffer_init(&m); 147 buffer_put_int(&m, min); 148 buffer_put_int(&m, nbits); 149 buffer_put_int(&m, max); 150 151 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m); 152 153 debug3("%s: waiting for MONITOR_ANS_MODULI", __func__); 154 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m); 155 156 success = buffer_get_char(&m); 157 if (success == 0) 158 fatal("%s: MONITOR_ANS_MODULI failed", __func__); 159 160 if ((p = BN_new()) == NULL) 161 fatal("%s: BN_new failed", __func__); 162 if ((g = BN_new()) == NULL) 163 fatal("%s: BN_new failed", __func__); 164 buffer_get_bignum2(&m, p); 165 buffer_get_bignum2(&m, g); 166 167 debug3("%s: remaining %d", __func__, buffer_len(&m)); 168 buffer_free(&m); 169 170 return (dh_new_group(g, p)); 171 } 172 173 int 174 mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) 175 { 176 Kex *kex = *pmonitor->m_pkex; 177 Buffer m; 178 179 debug3("%s entering", __func__); 180 181 buffer_init(&m); 182 buffer_put_int(&m, kex->host_key_index(key)); 183 buffer_put_string(&m, data, datalen); 184 185 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); 186 187 debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); 188 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); 189 *sigp = buffer_get_string(&m, lenp); 190 buffer_free(&m); 191 192 return (0); 193 } 194 195 struct passwd * 196 mm_getpwnamallow(const char *username) 197 { 198 Buffer m; 199 struct passwd *pw; 200 u_int pwlen; 201 202 debug3("%s entering", __func__); 203 204 buffer_init(&m); 205 buffer_put_cstring(&m, username); 206 207 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); 208 209 debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__); 210 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m); 211 212 if (buffer_get_char(&m) == 0) { 213 buffer_free(&m); 214 return (NULL); 215 } 216 pw = buffer_get_string(&m, &pwlen); 217 if (pwlen != sizeof(struct passwd)) 218 fatal("%s: struct passwd size mismatch", __func__); 219 pw->pw_name = buffer_get_string(&m, NULL); 220 pw->pw_passwd = buffer_get_string(&m, NULL); 221 pw->pw_gecos = buffer_get_string(&m, NULL); 222 #ifdef HAVE_PW_CLASS_IN_PASSWD 223 pw->pw_class = buffer_get_string(&m, NULL); 224 #endif 225 pw->pw_dir = buffer_get_string(&m, NULL); 226 pw->pw_shell = buffer_get_string(&m, NULL); 227 buffer_free(&m); 228 229 return (pw); 230 } 231 232 char * 233 mm_auth2_read_banner(void) 234 { 235 Buffer m; 236 char *banner; 237 238 debug3("%s entering", __func__); 239 240 buffer_init(&m); 241 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); 242 buffer_clear(&m); 243 244 mm_request_receive_expect(pmonitor->m_recvfd, 245 MONITOR_ANS_AUTH2_READ_BANNER, &m); 246 banner = buffer_get_string(&m, NULL); 247 buffer_free(&m); 248 249 /* treat empty banner as missing banner */ 250 if (strlen(banner) == 0) { 251 xfree(banner); 252 banner = NULL; 253 } 254 return (banner); 255 } 256 257 /* Inform the privileged process about service and style */ 258 259 void 260 mm_inform_authserv(char *service, char *style) 261 { 262 Buffer m; 263 264 debug3("%s entering", __func__); 265 266 buffer_init(&m); 267 buffer_put_cstring(&m, service); 268 buffer_put_cstring(&m, style ? style : ""); 269 270 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); 271 272 buffer_free(&m); 273 } 274 275 /* Do the password authentication */ 276 int 277 mm_auth_password(Authctxt *authctxt, char *password) 278 { 279 Buffer m; 280 int authenticated = 0; 281 282 debug3("%s entering", __func__); 283 284 buffer_init(&m); 285 buffer_put_cstring(&m, password); 286 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); 287 288 debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); 289 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); 290 291 authenticated = buffer_get_int(&m); 292 293 buffer_free(&m); 294 295 debug3("%s: user %sauthenticated", 296 __func__, authenticated ? "" : "not "); 297 return (authenticated); 298 } 299 300 int 301 mm_user_key_allowed(struct passwd *pw, Key *key) 302 { 303 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); 304 } 305 306 int 307 mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, 308 Key *key) 309 { 310 return (mm_key_allowed(MM_HOSTKEY, user, host, key)); 311 } 312 313 int 314 mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, 315 char *host, Key *key) 316 { 317 int ret; 318 319 key->type = KEY_RSA; /* XXX hack for key_to_blob */ 320 ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); 321 key->type = KEY_RSA1; 322 return (ret); 323 } 324 325 static void 326 mm_send_debug(Buffer *m) 327 { 328 char *msg; 329 330 while (buffer_len(m)) { 331 msg = buffer_get_string(m, NULL); 332 debug3("%s: Sending debug: %s", __func__, msg); 333 packet_send_debug("%s", msg); 334 xfree(msg); 335 } 336 } 337 338 int 339 mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) 340 { 341 Buffer m; 342 u_char *blob; 343 u_int len; 344 int allowed = 0, have_forced = 0; 345 346 debug3("%s entering", __func__); 347 348 /* Convert the key to a blob and the pass it over */ 349 if (!key_to_blob(key, &blob, &len)) 350 return (0); 351 352 buffer_init(&m); 353 buffer_put_int(&m, type); 354 buffer_put_cstring(&m, user ? user : ""); 355 buffer_put_cstring(&m, host ? host : ""); 356 buffer_put_string(&m, blob, len); 357 xfree(blob); 358 359 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 360 361 debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); 362 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m); 363 364 allowed = buffer_get_int(&m); 365 366 /* fake forced command */ 367 auth_clear_options(); 368 have_forced = buffer_get_int(&m); 369 forced_command = have_forced ? xstrdup("true") : NULL; 370 371 /* Send potential debug messages */ 372 mm_send_debug(&m); 373 374 buffer_free(&m); 375 376 return (allowed); 377 } 378 379 /* 380 * This key verify needs to send the key type along, because the 381 * privileged parent makes the decision if the key is allowed 382 * for authentication. 383 */ 384 385 int 386 mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) 387 { 388 Buffer m; 389 u_char *blob; 390 u_int len; 391 int verified = 0; 392 393 debug3("%s entering", __func__); 394 395 /* Convert the key to a blob and the pass it over */ 396 if (!key_to_blob(key, &blob, &len)) 397 return (0); 398 399 buffer_init(&m); 400 buffer_put_string(&m, blob, len); 401 buffer_put_string(&m, sig, siglen); 402 buffer_put_string(&m, data, datalen); 403 xfree(blob); 404 405 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); 406 407 debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); 408 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m); 409 410 verified = buffer_get_int(&m); 411 412 buffer_free(&m); 413 414 return (verified); 415 } 416 417 /* Export key state after authentication */ 418 Newkeys * 419 mm_newkeys_from_blob(u_char *blob, int blen) 420 { 421 Buffer b; 422 u_int len; 423 Newkeys *newkey = NULL; 424 Enc *enc; 425 Mac *mac; 426 Comp *comp; 427 428 debug3("%s: %p(%d)", __func__, blob, blen); 429 #ifdef DEBUG_PK 430 dump_base64(stderr, blob, blen); 431 #endif 432 buffer_init(&b); 433 buffer_append(&b, blob, blen); 434 435 newkey = xmalloc(sizeof(*newkey)); 436 enc = &newkey->enc; 437 mac = &newkey->mac; 438 comp = &newkey->comp; 439 440 /* Enc structure */ 441 enc->name = buffer_get_string(&b, NULL); 442 buffer_get(&b, &enc->cipher, sizeof(enc->cipher)); 443 enc->enabled = buffer_get_int(&b); 444 enc->block_size = buffer_get_int(&b); 445 enc->key = buffer_get_string(&b, &enc->key_len); 446 enc->iv = buffer_get_string(&b, &len); 447 if (len != enc->block_size) 448 fatal("%s: bad ivlen: expected %u != %u", __func__, 449 enc->block_size, len); 450 451 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 452 fatal("%s: bad cipher name %s or pointer %p", __func__, 453 enc->name, enc->cipher); 454 455 /* Mac structure */ 456 mac->name = buffer_get_string(&b, NULL); 457 if (mac->name == NULL || mac_init(mac, mac->name) == -1) 458 fatal("%s: can not init mac %s", __func__, mac->name); 459 mac->enabled = buffer_get_int(&b); 460 mac->key = buffer_get_string(&b, &len); 461 if (len > mac->key_len) 462 fatal("%s: bad mac key length: %u > %d", __func__, len, 463 mac->key_len); 464 mac->key_len = len; 465 466 /* Comp structure */ 467 comp->type = buffer_get_int(&b); 468 comp->enabled = buffer_get_int(&b); 469 comp->name = buffer_get_string(&b, NULL); 470 471 len = buffer_len(&b); 472 if (len != 0) 473 error("newkeys_from_blob: remaining bytes in blob %u", len); 474 buffer_free(&b); 475 return (newkey); 476 } 477 478 int 479 mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) 480 { 481 Buffer b; 482 int len; 483 Enc *enc; 484 Mac *mac; 485 Comp *comp; 486 Newkeys *newkey = newkeys[mode]; 487 488 debug3("%s: converting %p", __func__, newkey); 489 490 if (newkey == NULL) { 491 error("%s: newkey == NULL", __func__); 492 return 0; 493 } 494 enc = &newkey->enc; 495 mac = &newkey->mac; 496 comp = &newkey->comp; 497 498 buffer_init(&b); 499 /* Enc structure */ 500 buffer_put_cstring(&b, enc->name); 501 /* The cipher struct is constant and shared, you export pointer */ 502 buffer_append(&b, &enc->cipher, sizeof(enc->cipher)); 503 buffer_put_int(&b, enc->enabled); 504 buffer_put_int(&b, enc->block_size); 505 buffer_put_string(&b, enc->key, enc->key_len); 506 packet_get_keyiv(mode, enc->iv, enc->block_size); 507 buffer_put_string(&b, enc->iv, enc->block_size); 508 509 /* Mac structure */ 510 buffer_put_cstring(&b, mac->name); 511 buffer_put_int(&b, mac->enabled); 512 buffer_put_string(&b, mac->key, mac->key_len); 513 514 /* Comp structure */ 515 buffer_put_int(&b, comp->type); 516 buffer_put_int(&b, comp->enabled); 517 buffer_put_cstring(&b, comp->name); 518 519 len = buffer_len(&b); 520 if (lenp != NULL) 521 *lenp = len; 522 if (blobp != NULL) { 523 *blobp = xmalloc(len); 524 memcpy(*blobp, buffer_ptr(&b), len); 525 } 526 memset(buffer_ptr(&b), 0, len); 527 buffer_free(&b); 528 return len; 529 } 530 531 static void 532 mm_send_kex(Buffer *m, Kex *kex) 533 { 534 buffer_put_string(m, kex->session_id, kex->session_id_len); 535 buffer_put_int(m, kex->we_need); 536 buffer_put_int(m, kex->hostkey_type); 537 buffer_put_int(m, kex->kex_type); 538 buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my)); 539 buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer)); 540 buffer_put_int(m, kex->flags); 541 buffer_put_cstring(m, kex->client_version_string); 542 buffer_put_cstring(m, kex->server_version_string); 543 } 544 545 void 546 mm_send_keystate(struct monitor *monitor) 547 { 548 Buffer m; 549 u_char *blob, *p; 550 u_int bloblen, plen; 551 u_int32_t seqnr, packets; 552 u_int64_t blocks; 553 554 buffer_init(&m); 555 556 if (!compat20) { 557 u_char iv[24]; 558 u_char *key; 559 u_int ivlen, keylen; 560 561 buffer_put_int(&m, packet_get_protocol_flags()); 562 563 buffer_put_int(&m, packet_get_ssh1_cipher()); 564 565 debug3("%s: Sending ssh1 KEY+IV", __func__); 566 keylen = packet_get_encryption_key(NULL); 567 key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ 568 keylen = packet_get_encryption_key(key); 569 buffer_put_string(&m, key, keylen); 570 memset(key, 0, keylen); 571 xfree(key); 572 573 ivlen = packet_get_keyiv_len(MODE_OUT); 574 packet_get_keyiv(MODE_OUT, iv, ivlen); 575 buffer_put_string(&m, iv, ivlen); 576 ivlen = packet_get_keyiv_len(MODE_OUT); 577 packet_get_keyiv(MODE_IN, iv, ivlen); 578 buffer_put_string(&m, iv, ivlen); 579 goto skip; 580 } else { 581 /* Kex for rekeying */ 582 mm_send_kex(&m, *monitor->m_pkex); 583 } 584 585 debug3("%s: Sending new keys: %p %p", 586 __func__, newkeys[MODE_OUT], newkeys[MODE_IN]); 587 588 /* Keys from Kex */ 589 if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen)) 590 fatal("%s: conversion of newkeys failed", __func__); 591 592 buffer_put_string(&m, blob, bloblen); 593 xfree(blob); 594 595 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) 596 fatal("%s: conversion of newkeys failed", __func__); 597 598 buffer_put_string(&m, blob, bloblen); 599 xfree(blob); 600 601 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets); 602 buffer_put_int(&m, seqnr); 603 buffer_put_int64(&m, blocks); 604 buffer_put_int(&m, packets); 605 packet_get_state(MODE_IN, &seqnr, &blocks, &packets); 606 buffer_put_int(&m, seqnr); 607 buffer_put_int64(&m, blocks); 608 buffer_put_int(&m, packets); 609 610 debug3("%s: New keys have been sent", __func__); 611 skip: 612 /* More key context */ 613 plen = packet_get_keycontext(MODE_OUT, NULL); 614 p = xmalloc(plen+1); 615 packet_get_keycontext(MODE_OUT, p); 616 buffer_put_string(&m, p, plen); 617 xfree(p); 618 619 plen = packet_get_keycontext(MODE_IN, NULL); 620 p = xmalloc(plen+1); 621 packet_get_keycontext(MODE_IN, p); 622 buffer_put_string(&m, p, plen); 623 xfree(p); 624 625 /* Compression state */ 626 debug3("%s: Sending compression state", __func__); 627 buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); 628 buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); 629 630 /* Network I/O buffers */ 631 buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); 632 buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); 633 634 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); 635 debug3("%s: Finished sending state", __func__); 636 637 buffer_free(&m); 638 } 639 640 int 641 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) 642 { 643 Buffer m; 644 char *p, *msg; 645 int success = 0; 646 647 buffer_init(&m); 648 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); 649 650 debug3("%s: waiting for MONITOR_ANS_PTY", __func__); 651 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m); 652 653 success = buffer_get_int(&m); 654 if (success == 0) { 655 debug3("%s: pty alloc failed", __func__); 656 buffer_free(&m); 657 return (0); 658 } 659 p = buffer_get_string(&m, NULL); 660 msg = buffer_get_string(&m, NULL); 661 buffer_free(&m); 662 663 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 664 xfree(p); 665 666 buffer_append(&loginmsg, msg, strlen(msg)); 667 xfree(msg); 668 669 *ptyfd = mm_receive_fd(pmonitor->m_recvfd); 670 *ttyfd = mm_receive_fd(pmonitor->m_recvfd); 671 672 /* Success */ 673 return (1); 674 } 675 676 void 677 mm_session_pty_cleanup2(Session *s) 678 { 679 Buffer m; 680 681 if (s->ttyfd == -1) 682 return; 683 buffer_init(&m); 684 buffer_put_cstring(&m, s->tty); 685 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m); 686 buffer_free(&m); 687 688 /* closed dup'ed master */ 689 if (close(s->ptymaster) < 0) 690 error("close(s->ptymaster): %s", strerror(errno)); 691 692 /* unlink pty from session */ 693 s->ttyfd = -1; 694 } 695 696 #ifdef USE_PAM 697 void 698 mm_start_pam(Authctxt *authctxt) 699 { 700 Buffer m; 701 702 debug3("%s entering", __func__); 703 if (!options.use_pam) 704 fatal("UsePAM=no, but ended up in %s anyway", __func__); 705 706 buffer_init(&m); 707 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); 708 709 buffer_free(&m); 710 } 711 712 u_int 713 mm_do_pam_account(void) 714 { 715 Buffer m; 716 u_int ret; 717 char *msg; 718 719 debug3("%s entering", __func__); 720 if (!options.use_pam) 721 fatal("UsePAM=no, but ended up in %s anyway", __func__); 722 723 buffer_init(&m); 724 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); 725 726 mm_request_receive_expect(pmonitor->m_recvfd, 727 MONITOR_ANS_PAM_ACCOUNT, &m); 728 ret = buffer_get_int(&m); 729 msg = buffer_get_string(&m, NULL); 730 buffer_append(&loginmsg, msg, strlen(msg)); 731 xfree(msg); 732 733 buffer_free(&m); 734 735 debug3("%s returning %d", __func__, ret); 736 737 return (ret); 738 } 739 740 void * 741 mm_sshpam_init_ctx(Authctxt *authctxt) 742 { 743 Buffer m; 744 int success; 745 746 debug3("%s", __func__); 747 buffer_init(&m); 748 buffer_put_cstring(&m, authctxt->user); 749 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); 750 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 751 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); 752 success = buffer_get_int(&m); 753 if (success == 0) { 754 debug3("%s: pam_init_ctx failed", __func__); 755 buffer_free(&m); 756 return (NULL); 757 } 758 buffer_free(&m); 759 return (authctxt); 760 } 761 762 int 763 mm_sshpam_query(void *ctx, char **name, char **info, 764 u_int *num, char ***prompts, u_int **echo_on) 765 { 766 Buffer m; 767 u_int i; 768 int ret; 769 770 debug3("%s", __func__); 771 buffer_init(&m); 772 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m); 773 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); 774 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m); 775 ret = buffer_get_int(&m); 776 debug3("%s: pam_query returned %d", __func__, ret); 777 *name = buffer_get_string(&m, NULL); 778 *info = buffer_get_string(&m, NULL); 779 *num = buffer_get_int(&m); 780 *prompts = xmalloc((*num + 1) * sizeof(char *)); 781 *echo_on = xmalloc((*num + 1) * sizeof(u_int)); 782 for (i = 0; i < *num; ++i) { 783 (*prompts)[i] = buffer_get_string(&m, NULL); 784 (*echo_on)[i] = buffer_get_int(&m); 785 } 786 buffer_free(&m); 787 return (ret); 788 } 789 790 int 791 mm_sshpam_respond(void *ctx, u_int num, char **resp) 792 { 793 Buffer m; 794 u_int i; 795 int ret; 796 797 debug3("%s", __func__); 798 buffer_init(&m); 799 buffer_put_int(&m, num); 800 for (i = 0; i < num; ++i) 801 buffer_put_cstring(&m, resp[i]); 802 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m); 803 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); 804 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m); 805 ret = buffer_get_int(&m); 806 debug3("%s: pam_respond returned %d", __func__, ret); 807 buffer_free(&m); 808 return (ret); 809 } 810 811 void 812 mm_sshpam_free_ctx(void *ctxtp) 813 { 814 Buffer m; 815 816 debug3("%s", __func__); 817 buffer_init(&m); 818 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m); 819 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); 820 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m); 821 buffer_free(&m); 822 } 823 #endif /* USE_PAM */ 824 825 /* Request process termination */ 826 827 void 828 mm_terminate(void) 829 { 830 Buffer m; 831 832 buffer_init(&m); 833 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m); 834 buffer_free(&m); 835 } 836 837 int 838 mm_ssh1_session_key(BIGNUM *num) 839 { 840 int rsafail; 841 Buffer m; 842 843 buffer_init(&m); 844 buffer_put_bignum2(&m, num); 845 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m); 846 847 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m); 848 849 rsafail = buffer_get_int(&m); 850 buffer_get_bignum2(&m, num); 851 852 buffer_free(&m); 853 854 return (rsafail); 855 } 856 857 static void 858 mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 859 char ***prompts, u_int **echo_on) 860 { 861 *name = xstrdup(""); 862 *infotxt = xstrdup(""); 863 *numprompts = 1; 864 *prompts = xmalloc(*numprompts * sizeof(char *)); 865 *echo_on = xmalloc(*numprompts * sizeof(u_int)); 866 (*echo_on)[0] = 0; 867 } 868 869 int 870 mm_bsdauth_query(void *ctx, char **name, char **infotxt, 871 u_int *numprompts, char ***prompts, u_int **echo_on) 872 { 873 Buffer m; 874 u_int success; 875 char *challenge; 876 877 debug3("%s: entering", __func__); 878 879 buffer_init(&m); 880 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m); 881 882 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, 883 &m); 884 success = buffer_get_int(&m); 885 if (success == 0) { 886 debug3("%s: no challenge", __func__); 887 buffer_free(&m); 888 return (-1); 889 } 890 891 /* Get the challenge, and format the response */ 892 challenge = buffer_get_string(&m, NULL); 893 buffer_free(&m); 894 895 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 896 (*prompts)[0] = challenge; 897 898 debug3("%s: received challenge: %s", __func__, challenge); 899 900 return (0); 901 } 902 903 int 904 mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 905 { 906 Buffer m; 907 int authok; 908 909 debug3("%s: entering", __func__); 910 if (numresponses != 1) 911 return (-1); 912 913 buffer_init(&m); 914 buffer_put_cstring(&m, responses[0]); 915 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m); 916 917 mm_request_receive_expect(pmonitor->m_recvfd, 918 MONITOR_ANS_BSDAUTHRESPOND, &m); 919 920 authok = buffer_get_int(&m); 921 buffer_free(&m); 922 923 return ((authok == 0) ? -1 : 0); 924 } 925 926 #ifdef SKEY 927 int 928 mm_skey_query(void *ctx, char **name, char **infotxt, 929 u_int *numprompts, char ***prompts, u_int **echo_on) 930 { 931 Buffer m; 932 int len; 933 u_int success; 934 char *p, *challenge; 935 936 debug3("%s: entering", __func__); 937 938 buffer_init(&m); 939 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m); 940 941 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, 942 &m); 943 success = buffer_get_int(&m); 944 if (success == 0) { 945 debug3("%s: no challenge", __func__); 946 buffer_free(&m); 947 return (-1); 948 } 949 950 /* Get the challenge, and format the response */ 951 challenge = buffer_get_string(&m, NULL); 952 buffer_free(&m); 953 954 debug3("%s: received challenge: %s", __func__, challenge); 955 956 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 957 958 len = strlen(challenge) + strlen(SKEY_PROMPT) + 1; 959 p = xmalloc(len); 960 strlcpy(p, challenge, len); 961 strlcat(p, SKEY_PROMPT, len); 962 (*prompts)[0] = p; 963 xfree(challenge); 964 965 return (0); 966 } 967 968 int 969 mm_skey_respond(void *ctx, u_int numresponses, char **responses) 970 { 971 Buffer m; 972 int authok; 973 974 debug3("%s: entering", __func__); 975 if (numresponses != 1) 976 return (-1); 977 978 buffer_init(&m); 979 buffer_put_cstring(&m, responses[0]); 980 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m); 981 982 mm_request_receive_expect(pmonitor->m_recvfd, 983 MONITOR_ANS_SKEYRESPOND, &m); 984 985 authok = buffer_get_int(&m); 986 buffer_free(&m); 987 988 return ((authok == 0) ? -1 : 0); 989 } 990 #endif /* SKEY */ 991 992 void 993 mm_ssh1_session_id(u_char session_id[16]) 994 { 995 Buffer m; 996 int i; 997 998 debug3("%s entering", __func__); 999 1000 buffer_init(&m); 1001 for (i = 0; i < 16; i++) 1002 buffer_put_char(&m, session_id[i]); 1003 1004 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m); 1005 buffer_free(&m); 1006 } 1007 1008 int 1009 mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) 1010 { 1011 Buffer m; 1012 Key *key; 1013 u_char *blob; 1014 u_int blen; 1015 int allowed = 0, have_forced = 0; 1016 1017 debug3("%s entering", __func__); 1018 1019 buffer_init(&m); 1020 buffer_put_bignum2(&m, client_n); 1021 1022 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m); 1023 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m); 1024 1025 allowed = buffer_get_int(&m); 1026 1027 /* fake forced command */ 1028 auth_clear_options(); 1029 have_forced = buffer_get_int(&m); 1030 forced_command = have_forced ? xstrdup("true") : NULL; 1031 1032 if (allowed && rkey != NULL) { 1033 blob = buffer_get_string(&m, &blen); 1034 if ((key = key_from_blob(blob, blen)) == NULL) 1035 fatal("%s: key_from_blob failed", __func__); 1036 *rkey = key; 1037 xfree(blob); 1038 } 1039 mm_send_debug(&m); 1040 buffer_free(&m); 1041 1042 return (allowed); 1043 } 1044 1045 BIGNUM * 1046 mm_auth_rsa_generate_challenge(Key *key) 1047 { 1048 Buffer m; 1049 BIGNUM *challenge; 1050 u_char *blob; 1051 u_int blen; 1052 1053 debug3("%s entering", __func__); 1054 1055 if ((challenge = BN_new()) == NULL) 1056 fatal("%s: BN_new failed", __func__); 1057 1058 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1059 if (key_to_blob(key, &blob, &blen) == 0) 1060 fatal("%s: key_to_blob failed", __func__); 1061 key->type = KEY_RSA1; 1062 1063 buffer_init(&m); 1064 buffer_put_string(&m, blob, blen); 1065 xfree(blob); 1066 1067 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 1068 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); 1069 1070 buffer_get_bignum2(&m, challenge); 1071 buffer_free(&m); 1072 1073 return (challenge); 1074 } 1075 1076 int 1077 mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) 1078 { 1079 Buffer m; 1080 u_char *blob; 1081 u_int blen; 1082 int success = 0; 1083 1084 debug3("%s entering", __func__); 1085 1086 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1087 if (key_to_blob(key, &blob, &blen) == 0) 1088 fatal("%s: key_to_blob failed", __func__); 1089 key->type = KEY_RSA1; 1090 1091 buffer_init(&m); 1092 buffer_put_string(&m, blob, blen); 1093 buffer_put_string(&m, response, 16); 1094 xfree(blob); 1095 1096 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); 1097 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); 1098 1099 success = buffer_get_int(&m); 1100 buffer_free(&m); 1101 1102 return (success); 1103 } 1104 1105 #ifdef SSH_AUDIT_EVENTS 1106 void 1107 mm_audit_event(ssh_audit_event_t event) 1108 { 1109 Buffer m; 1110 1111 debug3("%s entering", __func__); 1112 1113 buffer_init(&m); 1114 buffer_put_int(&m, event); 1115 1116 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); 1117 buffer_free(&m); 1118 } 1119 1120 void 1121 mm_audit_run_command(const char *command) 1122 { 1123 Buffer m; 1124 1125 debug3("%s entering command %s", __func__, command); 1126 1127 buffer_init(&m); 1128 buffer_put_cstring(&m, command); 1129 1130 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); 1131 buffer_free(&m); 1132 } 1133 #endif /* SSH_AUDIT_EVENTS */ 1134 1135 #ifdef GSSAPI 1136 OM_uint32 1137 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) 1138 { 1139 Buffer m; 1140 OM_uint32 major; 1141 1142 /* Client doesn't get to see the context */ 1143 *ctx = NULL; 1144 1145 buffer_init(&m); 1146 buffer_put_string(&m, goid->elements, goid->length); 1147 1148 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); 1149 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); 1150 1151 major = buffer_get_int(&m); 1152 1153 buffer_free(&m); 1154 return (major); 1155 } 1156 1157 OM_uint32 1158 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 1159 gss_buffer_desc *out, OM_uint32 *flags) 1160 { 1161 Buffer m; 1162 OM_uint32 major; 1163 u_int len; 1164 1165 buffer_init(&m); 1166 buffer_put_string(&m, in->value, in->length); 1167 1168 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); 1169 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); 1170 1171 major = buffer_get_int(&m); 1172 out->value = buffer_get_string(&m, &len); 1173 out->length = len; 1174 if (flags) 1175 *flags = buffer_get_int(&m); 1176 1177 buffer_free(&m); 1178 1179 return (major); 1180 } 1181 1182 OM_uint32 1183 mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 1184 { 1185 Buffer m; 1186 OM_uint32 major; 1187 1188 buffer_init(&m); 1189 buffer_put_string(&m, gssbuf->value, gssbuf->length); 1190 buffer_put_string(&m, gssmic->value, gssmic->length); 1191 1192 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); 1193 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, 1194 &m); 1195 1196 major = buffer_get_int(&m); 1197 buffer_free(&m); 1198 return(major); 1199 } 1200 1201 int 1202 mm_ssh_gssapi_userok(char *user) 1203 { 1204 Buffer m; 1205 int authenticated = 0; 1206 1207 buffer_init(&m); 1208 1209 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); 1210 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, 1211 &m); 1212 1213 authenticated = buffer_get_int(&m); 1214 1215 buffer_free(&m); 1216 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 1217 return (authenticated); 1218 } 1219 #endif /* GSSAPI */ 1220