1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Ssh client program. This program can be used to log into a remote machine. 6 * The software supports strong authentication, encryption, and forwarding 7 * of X11, TCP/IP, and authentication connections. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * Copyright (c) 1999 Niels Provos. All rights reserved. 16 * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. 17 * 18 * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> 19 * in Canada (German citizen). 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $"); 44 RCSID("$FreeBSD$"); 45 46 #include <openssl/evp.h> 47 #include <openssl/err.h> 48 49 #include "ssh.h" 50 #include "ssh1.h" 51 #include "ssh2.h" 52 #include "compat.h" 53 #include "cipher.h" 54 #include "xmalloc.h" 55 #include "packet.h" 56 #include "buffer.h" 57 #include "channels.h" 58 #include "key.h" 59 #include "authfd.h" 60 #include "authfile.h" 61 #include "pathnames.h" 62 #include "clientloop.h" 63 #include "log.h" 64 #include "readconf.h" 65 #include "sshconnect.h" 66 #include "tildexpand.h" 67 #include "dispatch.h" 68 #include "misc.h" 69 #include "kex.h" 70 #include "mac.h" 71 #include "sshtty.h" 72 73 #ifdef SMARTCARD 74 #include "scard.h" 75 #endif 76 77 #ifdef HAVE___PROGNAME 78 extern char *__progname; 79 #else 80 char *__progname; 81 #endif 82 83 /* Flag indicating whether debug mode is on. This can be set on the command line. */ 84 int debug_flag = 0; 85 86 /* Flag indicating whether a tty should be allocated */ 87 int tty_flag = 0; 88 int no_tty_flag = 0; 89 int force_tty_flag = 0; 90 91 /* don't exec a shell */ 92 int no_shell_flag = 0; 93 94 /* 95 * Flag indicating that nothing should be read from stdin. This can be set 96 * on the command line. 97 */ 98 int stdin_null_flag = 0; 99 100 /* 101 * Flag indicating that ssh should fork after authentication. This is useful 102 * so that the passphrase can be entered manually, and then ssh goes to the 103 * background. 104 */ 105 int fork_after_authentication_flag = 0; 106 107 /* 108 * General data structure for command line options and options configurable 109 * in configuration files. See readconf.h. 110 */ 111 Options options; 112 113 /* optional user configfile */ 114 char *config = NULL; 115 116 /* 117 * Name of the host we are connecting to. This is the name given on the 118 * command line, or the HostName specified for the user-supplied name in a 119 * configuration file. 120 */ 121 char *host; 122 123 /* socket address the host resolves to */ 124 struct sockaddr_storage hostaddr; 125 126 /* Private host keys. */ 127 Sensitive sensitive_data; 128 129 /* Original real UID. */ 130 uid_t original_real_uid; 131 uid_t original_effective_uid; 132 133 /* command to be executed */ 134 Buffer command; 135 136 /* Should we execute a command or invoke a subsystem? */ 137 int subsystem_flag = 0; 138 139 /* # of replies received for global requests */ 140 static int client_global_request_id = 0; 141 142 /* pid of proxycommand child process */ 143 pid_t proxy_command_pid = 0; 144 145 /* Prints a help message to the user. This function never returns. */ 146 147 static void 148 usage(void) 149 { 150 fprintf(stderr, "Usage: %s [options] host [command]\n", __progname); 151 fprintf(stderr, "Options:\n"); 152 fprintf(stderr, " -l user Log in using this user name.\n"); 153 fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n"); 154 fprintf(stderr, " -F config Config file (default: ~/%s).\n", 155 _PATH_SSH_USER_CONFFILE); 156 fprintf(stderr, " -A Enable authentication agent forwarding.\n"); 157 fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); 158 fprintf(stderr, " -X Enable X11 connection forwarding.\n"); 159 fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); 160 fprintf(stderr, " -i file Identity for public key authentication " 161 "(default: ~/.ssh/identity)\n"); 162 #ifdef SMARTCARD 163 fprintf(stderr, " -I reader Set smartcard reader.\n"); 164 #endif 165 fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); 166 fprintf(stderr, " -T Do not allocate a tty.\n"); 167 fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); 168 fprintf(stderr, " Multiple -v increases verbosity.\n"); 169 fprintf(stderr, " -V Display version number only.\n"); 170 fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); 171 fprintf(stderr, " -f Fork into background after authentication.\n"); 172 fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); 173 174 fprintf(stderr, " -c cipher Select encryption algorithm\n"); 175 fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); 176 fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); 177 fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); 178 fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); 179 fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); 180 fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); 181 fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n"); 182 fprintf(stderr, " -C Enable compression.\n"); 183 fprintf(stderr, " -N Do not execute a shell or command.\n"); 184 fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); 185 fprintf(stderr, " -1 Force protocol version 1.\n"); 186 fprintf(stderr, " -2 Force protocol version 2.\n"); 187 fprintf(stderr, " -4 Use IPv4 only.\n"); 188 fprintf(stderr, " -6 Use IPv6 only.\n"); 189 fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); 190 fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n"); 191 fprintf(stderr, " -b addr Local IP address.\n"); 192 exit(1); 193 } 194 195 static int ssh_session(void); 196 static int ssh_session2(void); 197 static void load_public_identity_files(void); 198 199 /* 200 * Main program for the ssh client. 201 */ 202 int 203 main(int ac, char **av) 204 { 205 int i, opt, exit_status; 206 u_short fwd_port, fwd_host_port; 207 char sfwd_port[6], sfwd_host_port[6]; 208 char *p, *cp, buf[256]; 209 struct stat st; 210 struct passwd *pw; 211 int dummy; 212 extern int optind, optreset; 213 extern char *optarg; 214 215 __progname = ssh_get_progname(av[0]); 216 init_rng(); 217 218 /* 219 * Save the original real uid. It will be needed later (uid-swapping 220 * may clobber the real uid). 221 */ 222 original_real_uid = getuid(); 223 original_effective_uid = geteuid(); 224 225 /* 226 * Use uid-swapping to give up root privileges for the duration of 227 * option processing. We will re-instantiate the rights when we are 228 * ready to create the privileged port, and will permanently drop 229 * them when the port has been created (actually, when the connection 230 * has been made, as we may need to create the port several times). 231 */ 232 PRIV_END; 233 234 #ifdef HAVE_SETRLIMIT 235 /* If we are installed setuid root be careful to not drop core. */ 236 if (original_real_uid != original_effective_uid) { 237 struct rlimit rlim; 238 rlim.rlim_cur = rlim.rlim_max = 0; 239 if (setrlimit(RLIMIT_CORE, &rlim) < 0) 240 fatal("setrlimit failed: %.100s", strerror(errno)); 241 } 242 #endif 243 /* Get user data. */ 244 pw = getpwuid(original_real_uid); 245 if (!pw) { 246 logit("You don't exist, go away!"); 247 exit(1); 248 } 249 /* Take a copy of the returned structure. */ 250 pw = pwcopy(pw); 251 252 /* 253 * Set our umask to something reasonable, as some files are created 254 * with the default umask. This will make them world-readable but 255 * writable only by the owner, which is ok for all files for which we 256 * don't set the modes explicitly. 257 */ 258 umask(022); 259 260 /* Initialize option structure to indicate that no values have been set. */ 261 initialize_options(&options); 262 263 /* Parse command-line arguments. */ 264 host = NULL; 265 266 again: 267 while ((opt = getopt(ac, av, 268 "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { 269 switch (opt) { 270 case '1': 271 options.protocol = SSH_PROTO_1; 272 break; 273 case '2': 274 options.protocol = SSH_PROTO_2; 275 break; 276 case '4': 277 options.address_family = AF_INET; 278 break; 279 case '6': 280 options.address_family = AF_INET6; 281 break; 282 case 'n': 283 stdin_null_flag = 1; 284 break; 285 case 'f': 286 fork_after_authentication_flag = 1; 287 stdin_null_flag = 1; 288 break; 289 case 'x': 290 options.forward_x11 = 0; 291 break; 292 case 'X': 293 options.forward_x11 = 1; 294 break; 295 case 'g': 296 options.gateway_ports = 1; 297 break; 298 case 'P': /* deprecated */ 299 options.use_privileged_port = 0; 300 break; 301 case 'a': 302 options.forward_agent = 0; 303 break; 304 case 'A': 305 options.forward_agent = 1; 306 break; 307 case 'k': 308 /* ignored for backward compatibility */ 309 break; 310 case 'i': 311 if (stat(optarg, &st) < 0) { 312 fprintf(stderr, "Warning: Identity file %s " 313 "does not exist.\n", optarg); 314 break; 315 } 316 if (options.num_identity_files >= 317 SSH_MAX_IDENTITY_FILES) 318 fatal("Too many identity files specified " 319 "(max %d)", SSH_MAX_IDENTITY_FILES); 320 options.identity_files[options.num_identity_files++] = 321 xstrdup(optarg); 322 break; 323 case 'I': 324 #ifdef SMARTCARD 325 options.smartcard_device = xstrdup(optarg); 326 #else 327 fprintf(stderr, "no support for smartcards.\n"); 328 #endif 329 break; 330 case 't': 331 if (tty_flag) 332 force_tty_flag = 1; 333 tty_flag = 1; 334 break; 335 case 'v': 336 if (debug_flag == 0) { 337 debug_flag = 1; 338 options.log_level = SYSLOG_LEVEL_DEBUG1; 339 } else { 340 if (options.log_level < SYSLOG_LEVEL_DEBUG3) 341 options.log_level++; 342 break; 343 } 344 /* fallthrough */ 345 case 'V': 346 fprintf(stderr, 347 "%s, SSH protocols %d.%d/%d.%d, %s\n", 348 SSH_VERSION, 349 PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, 350 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, 351 SSLeay_version(SSLEAY_VERSION)); 352 if (opt == 'V') 353 exit(0); 354 break; 355 case 'q': 356 options.log_level = SYSLOG_LEVEL_QUIET; 357 break; 358 case 'e': 359 if (optarg[0] == '^' && optarg[2] == 0 && 360 (u_char) optarg[1] >= 64 && 361 (u_char) optarg[1] < 128) 362 options.escape_char = (u_char) optarg[1] & 31; 363 else if (strlen(optarg) == 1) 364 options.escape_char = (u_char) optarg[0]; 365 else if (strcmp(optarg, "none") == 0) 366 options.escape_char = SSH_ESCAPECHAR_NONE; 367 else { 368 fprintf(stderr, "Bad escape character '%s'.\n", 369 optarg); 370 exit(1); 371 } 372 break; 373 case 'c': 374 if (ciphers_valid(optarg)) { 375 /* SSH2 only */ 376 options.ciphers = xstrdup(optarg); 377 options.cipher = SSH_CIPHER_ILLEGAL; 378 } else { 379 /* SSH1 only */ 380 options.cipher = cipher_number(optarg); 381 if (options.cipher == -1) { 382 fprintf(stderr, 383 "Unknown cipher type '%s'\n", 384 optarg); 385 exit(1); 386 } 387 if (options.cipher == SSH_CIPHER_3DES) 388 options.ciphers = "3des-cbc"; 389 else if (options.cipher == SSH_CIPHER_BLOWFISH) 390 options.ciphers = "blowfish-cbc"; 391 else 392 options.ciphers = (char *)-1; 393 } 394 break; 395 case 'm': 396 if (mac_valid(optarg)) 397 options.macs = xstrdup(optarg); 398 else { 399 fprintf(stderr, "Unknown mac type '%s'\n", 400 optarg); 401 exit(1); 402 } 403 break; 404 case 'p': 405 options.port = a2port(optarg); 406 if (options.port == 0) { 407 fprintf(stderr, "Bad port '%s'\n", optarg); 408 exit(1); 409 } 410 break; 411 case 'l': 412 options.user = optarg; 413 break; 414 415 case 'L': 416 case 'R': 417 if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]", 418 sfwd_port, buf, sfwd_host_port) != 3 && 419 sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]", 420 sfwd_port, buf, sfwd_host_port) != 3) { 421 fprintf(stderr, 422 "Bad forwarding specification '%s'\n", 423 optarg); 424 usage(); 425 /* NOTREACHED */ 426 } 427 if ((fwd_port = a2port(sfwd_port)) == 0 || 428 (fwd_host_port = a2port(sfwd_host_port)) == 0) { 429 fprintf(stderr, 430 "Bad forwarding port(s) '%s'\n", optarg); 431 exit(1); 432 } 433 if (opt == 'L') 434 add_local_forward(&options, fwd_port, buf, 435 fwd_host_port); 436 else if (opt == 'R') 437 add_remote_forward(&options, fwd_port, buf, 438 fwd_host_port); 439 break; 440 441 case 'D': 442 fwd_port = a2port(optarg); 443 if (fwd_port == 0) { 444 fprintf(stderr, "Bad dynamic port '%s'\n", 445 optarg); 446 exit(1); 447 } 448 add_local_forward(&options, fwd_port, "socks", 0); 449 break; 450 451 case 'C': 452 options.compression = 1; 453 break; 454 case 'N': 455 no_shell_flag = 1; 456 no_tty_flag = 1; 457 break; 458 case 'T': 459 no_tty_flag = 1; 460 break; 461 case 'o': 462 dummy = 1; 463 if (process_config_line(&options, host ? host : "", 464 optarg, "command-line", 0, &dummy) != 0) 465 exit(1); 466 break; 467 case 's': 468 subsystem_flag = 1; 469 break; 470 case 'b': 471 options.bind_address = optarg; 472 break; 473 case 'F': 474 config = optarg; 475 break; 476 default: 477 usage(); 478 } 479 } 480 481 ac -= optind; 482 av += optind; 483 484 if (ac > 0 && !host && **av != '-') { 485 if (strrchr(*av, '@')) { 486 p = xstrdup(*av); 487 cp = strrchr(p, '@'); 488 if (cp == NULL || cp == p) 489 usage(); 490 options.user = p; 491 *cp = '\0'; 492 host = ++cp; 493 } else 494 host = *av; 495 if (ac > 1) { 496 optind = optreset = 1; 497 goto again; 498 } 499 ac--, av++; 500 } 501 502 /* Check that we got a host name. */ 503 if (!host) 504 usage(); 505 506 SSLeay_add_all_algorithms(); 507 ERR_load_crypto_strings(); 508 509 /* Initialize the command to execute on remote host. */ 510 buffer_init(&command); 511 512 /* 513 * Save the command to execute on the remote host in a buffer. There 514 * is no limit on the length of the command, except by the maximum 515 * packet size. Also sets the tty flag if there is no command. 516 */ 517 if (!ac) { 518 /* No command specified - execute shell on a tty. */ 519 tty_flag = 1; 520 if (subsystem_flag) { 521 fprintf(stderr, 522 "You must specify a subsystem to invoke.\n"); 523 usage(); 524 } 525 } else { 526 /* A command has been specified. Store it into the buffer. */ 527 for (i = 0; i < ac; i++) { 528 if (i) 529 buffer_append(&command, " ", 1); 530 buffer_append(&command, av[i], strlen(av[i])); 531 } 532 } 533 534 /* Cannot fork to background if no command. */ 535 if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag) 536 fatal("Cannot fork into background without a command to execute."); 537 538 /* Allocate a tty by default if no command specified. */ 539 if (buffer_len(&command) == 0) 540 tty_flag = 1; 541 542 /* Force no tty */ 543 if (no_tty_flag) 544 tty_flag = 0; 545 /* Do not allocate a tty if stdin is not a tty. */ 546 if (!isatty(fileno(stdin)) && !force_tty_flag) { 547 if (tty_flag) 548 logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); 549 tty_flag = 0; 550 } 551 552 /* 553 * Initialize "log" output. Since we are the client all output 554 * actually goes to stderr. 555 */ 556 log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, 557 SYSLOG_FACILITY_USER, 1); 558 559 /* 560 * Read per-user configuration file. Ignore the system wide config 561 * file if the user specifies a config file on the command line. 562 */ 563 if (config != NULL) { 564 if (!read_config_file(config, host, &options)) 565 fatal("Can't open user config file %.100s: " 566 "%.100s", config, strerror(errno)); 567 } else { 568 snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, 569 _PATH_SSH_USER_CONFFILE); 570 (void)read_config_file(buf, host, &options); 571 572 /* Read systemwide configuration file after use config. */ 573 (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options); 574 } 575 576 /* Fill configuration defaults. */ 577 fill_default_options(&options); 578 579 channel_set_af(options.address_family); 580 581 /* reinit */ 582 log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); 583 584 seed_rng(); 585 586 if (options.user == NULL) 587 options.user = xstrdup(pw->pw_name); 588 589 if (options.hostname != NULL) 590 host = options.hostname; 591 592 /* Find canonic host name. */ 593 if (strchr(host, '.') == 0) { 594 struct addrinfo hints; 595 struct addrinfo *ai = NULL; 596 int errgai; 597 memset(&hints, 0, sizeof(hints)); 598 hints.ai_family = options.address_family; 599 hints.ai_flags = AI_CANONNAME; 600 hints.ai_socktype = SOCK_STREAM; 601 errgai = getaddrinfo(host, NULL, &hints, &ai); 602 if (errgai == 0) { 603 if (ai->ai_canonname != NULL) 604 host = xstrdup(ai->ai_canonname); 605 freeaddrinfo(ai); 606 } 607 } 608 609 /* force lowercase for hostkey matching */ 610 if (options.host_key_alias != NULL) { 611 for (p = options.host_key_alias; *p; p++) 612 if (isupper(*p)) 613 *p = tolower(*p); 614 } 615 616 if (options.proxy_command != NULL && 617 strcmp(options.proxy_command, "none") == 0) 618 options.proxy_command = NULL; 619 620 /* Open a connection to the remote host. */ 621 if (ssh_connect(host, &hostaddr, options.port, 622 options.address_family, options.connection_attempts, 623 #ifdef HAVE_CYGWIN 624 options.use_privileged_port, 625 #else 626 original_effective_uid == 0 && options.use_privileged_port, 627 #endif 628 options.proxy_command) != 0) 629 exit(1); 630 631 /* 632 * If we successfully made the connection, load the host private key 633 * in case we will need it later for combined rsa-rhosts 634 * authentication. This must be done before releasing extra 635 * privileges, because the file is only readable by root. 636 * If we cannot access the private keys, load the public keys 637 * instead and try to execute the ssh-keysign helper instead. 638 */ 639 sensitive_data.nkeys = 0; 640 sensitive_data.keys = NULL; 641 sensitive_data.external_keysign = 0; 642 if (options.rhosts_rsa_authentication || 643 options.hostbased_authentication) { 644 sensitive_data.nkeys = 3; 645 sensitive_data.keys = xmalloc(sensitive_data.nkeys * 646 sizeof(Key)); 647 648 PRIV_START; 649 sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, 650 _PATH_HOST_KEY_FILE, "", NULL); 651 sensitive_data.keys[1] = key_load_private_type(KEY_DSA, 652 _PATH_HOST_DSA_KEY_FILE, "", NULL); 653 sensitive_data.keys[2] = key_load_private_type(KEY_RSA, 654 _PATH_HOST_RSA_KEY_FILE, "", NULL); 655 PRIV_END; 656 657 if (options.hostbased_authentication == 1 && 658 sensitive_data.keys[0] == NULL && 659 sensitive_data.keys[1] == NULL && 660 sensitive_data.keys[2] == NULL) { 661 sensitive_data.keys[1] = key_load_public( 662 _PATH_HOST_DSA_KEY_FILE, NULL); 663 sensitive_data.keys[2] = key_load_public( 664 _PATH_HOST_RSA_KEY_FILE, NULL); 665 sensitive_data.external_keysign = 1; 666 } 667 } 668 /* 669 * Get rid of any extra privileges that we may have. We will no 670 * longer need them. Also, extra privileges could make it very hard 671 * to read identity files and other non-world-readable files from the 672 * user's home directory if it happens to be on a NFS volume where 673 * root is mapped to nobody. 674 */ 675 seteuid(original_real_uid); 676 setuid(original_real_uid); 677 678 /* 679 * Now that we are back to our own permissions, create ~/.ssh 680 * directory if it doesn\'t already exist. 681 */ 682 snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); 683 if (stat(buf, &st) < 0) 684 if (mkdir(buf, 0700) < 0) 685 error("Could not create directory '%.200s'.", buf); 686 687 /* load options.identity_files */ 688 load_public_identity_files(); 689 690 /* Expand ~ in known host file names. */ 691 /* XXX mem-leaks: */ 692 options.system_hostfile = 693 tilde_expand_filename(options.system_hostfile, original_real_uid); 694 options.user_hostfile = 695 tilde_expand_filename(options.user_hostfile, original_real_uid); 696 options.system_hostfile2 = 697 tilde_expand_filename(options.system_hostfile2, original_real_uid); 698 options.user_hostfile2 = 699 tilde_expand_filename(options.user_hostfile2, original_real_uid); 700 701 signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ 702 703 /* Log into the remote system. This never returns if the login fails. */ 704 ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); 705 706 /* We no longer need the private host keys. Clear them now. */ 707 if (sensitive_data.nkeys != 0) { 708 for (i = 0; i < sensitive_data.nkeys; i++) { 709 if (sensitive_data.keys[i] != NULL) { 710 /* Destroys contents safely */ 711 debug3("clear hostkey %d", i); 712 key_free(sensitive_data.keys[i]); 713 sensitive_data.keys[i] = NULL; 714 } 715 } 716 xfree(sensitive_data.keys); 717 } 718 for (i = 0; i < options.num_identity_files; i++) { 719 if (options.identity_files[i]) { 720 xfree(options.identity_files[i]); 721 options.identity_files[i] = NULL; 722 } 723 if (options.identity_keys[i]) { 724 key_free(options.identity_keys[i]); 725 options.identity_keys[i] = NULL; 726 } 727 } 728 729 exit_status = compat20 ? ssh_session2() : ssh_session(); 730 packet_close(); 731 732 /* 733 * Send SIGHUP to proxy command if used. We don't wait() in 734 * case it hangs and instead rely on init to reap the child 735 */ 736 if (proxy_command_pid > 1) 737 kill(proxy_command_pid, SIGHUP); 738 739 return exit_status; 740 } 741 742 static void 743 x11_get_proto(char **_proto, char **_data) 744 { 745 char line[512]; 746 static char proto[512], data[512]; 747 FILE *f; 748 int got_data = 0, i; 749 char *display; 750 struct stat st; 751 752 *_proto = proto; 753 *_data = data; 754 proto[0] = data[0] = '\0'; 755 if (!options.xauth_location || 756 (stat(options.xauth_location, &st) == -1)) { 757 debug("No xauth program."); 758 } else { 759 if ((display = getenv("DISPLAY")) == NULL) { 760 debug("x11_get_proto: DISPLAY not set"); 761 return; 762 } 763 /* Try to get Xauthority information for the display. */ 764 if (strncmp(display, "localhost:", 10) == 0) 765 /* 766 * Handle FamilyLocal case where $DISPLAY does 767 * not match an authorization entry. For this we 768 * just try "xauth list unix:displaynum.screennum". 769 * XXX: "localhost" match to determine FamilyLocal 770 * is not perfect. 771 */ 772 snprintf(line, sizeof line, "%s list unix:%s 2>" 773 _PATH_DEVNULL, options.xauth_location, display+10); 774 else 775 snprintf(line, sizeof line, "%s list %.200s 2>" 776 _PATH_DEVNULL, options.xauth_location, display); 777 debug2("x11_get_proto: %s", line); 778 f = popen(line, "r"); 779 if (f && fgets(line, sizeof(line), f) && 780 sscanf(line, "%*s %511s %511s", proto, data) == 2) 781 got_data = 1; 782 if (f) 783 pclose(f); 784 } 785 /* 786 * If we didn't get authentication data, just make up some 787 * data. The forwarding code will check the validity of the 788 * response anyway, and substitute this data. The X11 789 * server, however, will ignore this fake data and use 790 * whatever authentication mechanisms it was using otherwise 791 * for the local connection. 792 */ 793 if (!got_data) { 794 u_int32_t rand = 0; 795 796 logit("Warning: No xauth data; using fake authentication data for X11 forwarding."); 797 strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); 798 for (i = 0; i < 16; i++) { 799 if (i % 4 == 0) 800 rand = arc4random(); 801 snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff); 802 rand >>= 8; 803 } 804 } 805 } 806 807 static void 808 ssh_init_forwarding(void) 809 { 810 int success = 0; 811 int i; 812 813 /* Initiate local TCP/IP port forwardings. */ 814 for (i = 0; i < options.num_local_forwards; i++) { 815 debug("Connections to local port %d forwarded to remote address %.200s:%d", 816 options.local_forwards[i].port, 817 options.local_forwards[i].host, 818 options.local_forwards[i].host_port); 819 success += channel_setup_local_fwd_listener( 820 options.local_forwards[i].port, 821 options.local_forwards[i].host, 822 options.local_forwards[i].host_port, 823 options.gateway_ports); 824 } 825 if (i > 0 && success == 0) 826 error("Could not request local forwarding."); 827 828 /* Initiate remote TCP/IP port forwardings. */ 829 for (i = 0; i < options.num_remote_forwards; i++) { 830 debug("Connections to remote port %d forwarded to local address %.200s:%d", 831 options.remote_forwards[i].port, 832 options.remote_forwards[i].host, 833 options.remote_forwards[i].host_port); 834 channel_request_remote_forwarding( 835 options.remote_forwards[i].port, 836 options.remote_forwards[i].host, 837 options.remote_forwards[i].host_port); 838 } 839 } 840 841 static void 842 check_agent_present(void) 843 { 844 if (options.forward_agent) { 845 /* Clear agent forwarding if we don\'t have an agent. */ 846 if (!ssh_agent_present()) 847 options.forward_agent = 0; 848 } 849 } 850 851 static int 852 ssh_session(void) 853 { 854 int type; 855 int interactive = 0; 856 int have_tty = 0; 857 struct winsize ws; 858 char *cp; 859 860 /* Enable compression if requested. */ 861 if (options.compression) { 862 debug("Requesting compression at level %d.", options.compression_level); 863 864 if (options.compression_level < 1 || options.compression_level > 9) 865 fatal("Compression level must be from 1 (fast) to 9 (slow, best)."); 866 867 /* Send the request. */ 868 packet_start(SSH_CMSG_REQUEST_COMPRESSION); 869 packet_put_int(options.compression_level); 870 packet_send(); 871 packet_write_wait(); 872 type = packet_read(); 873 if (type == SSH_SMSG_SUCCESS) 874 packet_start_compression(options.compression_level); 875 else if (type == SSH_SMSG_FAILURE) 876 logit("Warning: Remote host refused compression."); 877 else 878 packet_disconnect("Protocol error waiting for compression response."); 879 } 880 /* Allocate a pseudo tty if appropriate. */ 881 if (tty_flag) { 882 debug("Requesting pty."); 883 884 /* Start the packet. */ 885 packet_start(SSH_CMSG_REQUEST_PTY); 886 887 /* Store TERM in the packet. There is no limit on the 888 length of the string. */ 889 cp = getenv("TERM"); 890 if (!cp) 891 cp = ""; 892 packet_put_cstring(cp); 893 894 /* Store window size in the packet. */ 895 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 896 memset(&ws, 0, sizeof(ws)); 897 packet_put_int(ws.ws_row); 898 packet_put_int(ws.ws_col); 899 packet_put_int(ws.ws_xpixel); 900 packet_put_int(ws.ws_ypixel); 901 902 /* Store tty modes in the packet. */ 903 tty_make_modes(fileno(stdin), NULL); 904 905 /* Send the packet, and wait for it to leave. */ 906 packet_send(); 907 packet_write_wait(); 908 909 /* Read response from the server. */ 910 type = packet_read(); 911 if (type == SSH_SMSG_SUCCESS) { 912 interactive = 1; 913 have_tty = 1; 914 } else if (type == SSH_SMSG_FAILURE) 915 logit("Warning: Remote host failed or refused to allocate a pseudo tty."); 916 else 917 packet_disconnect("Protocol error waiting for pty request response."); 918 } 919 /* Request X11 forwarding if enabled and DISPLAY is set. */ 920 if (options.forward_x11 && getenv("DISPLAY") != NULL) { 921 char *proto, *data; 922 /* Get reasonable local authentication information. */ 923 x11_get_proto(&proto, &data); 924 /* Request forwarding with authentication spoofing. */ 925 debug("Requesting X11 forwarding with authentication spoofing."); 926 x11_request_forwarding_with_spoofing(0, proto, data); 927 928 /* Read response from the server. */ 929 type = packet_read(); 930 if (type == SSH_SMSG_SUCCESS) { 931 interactive = 1; 932 } else if (type == SSH_SMSG_FAILURE) { 933 logit("Warning: Remote host denied X11 forwarding."); 934 } else { 935 packet_disconnect("Protocol error waiting for X11 forwarding"); 936 } 937 } 938 /* Tell the packet module whether this is an interactive session. */ 939 packet_set_interactive(interactive); 940 941 /* Request authentication agent forwarding if appropriate. */ 942 check_agent_present(); 943 944 if (options.forward_agent) { 945 debug("Requesting authentication agent forwarding."); 946 auth_request_forwarding(); 947 948 /* Read response from the server. */ 949 type = packet_read(); 950 packet_check_eom(); 951 if (type != SSH_SMSG_SUCCESS) 952 logit("Warning: Remote host denied authentication agent forwarding."); 953 } 954 955 /* Initiate port forwardings. */ 956 ssh_init_forwarding(); 957 958 /* If requested, let ssh continue in the background. */ 959 if (fork_after_authentication_flag) 960 if (daemon(1, 1) < 0) 961 fatal("daemon() failed: %.200s", strerror(errno)); 962 963 /* 964 * If a command was specified on the command line, execute the 965 * command now. Otherwise request the server to start a shell. 966 */ 967 if (buffer_len(&command) > 0) { 968 int len = buffer_len(&command); 969 if (len > 900) 970 len = 900; 971 debug("Sending command: %.*s", len, (u_char *)buffer_ptr(&command)); 972 packet_start(SSH_CMSG_EXEC_CMD); 973 packet_put_string(buffer_ptr(&command), buffer_len(&command)); 974 packet_send(); 975 packet_write_wait(); 976 } else { 977 debug("Requesting shell."); 978 packet_start(SSH_CMSG_EXEC_SHELL); 979 packet_send(); 980 packet_write_wait(); 981 } 982 983 /* Enter the interactive session. */ 984 return client_loop(have_tty, tty_flag ? 985 options.escape_char : SSH_ESCAPECHAR_NONE, 0); 986 } 987 988 static void 989 client_subsystem_reply(int type, u_int32_t seq, void *ctxt) 990 { 991 int id, len; 992 993 id = packet_get_int(); 994 len = buffer_len(&command); 995 if (len > 900) 996 len = 900; 997 packet_check_eom(); 998 if (type == SSH2_MSG_CHANNEL_FAILURE) 999 fatal("Request for subsystem '%.*s' failed on channel %d", 1000 len, (u_char *)buffer_ptr(&command), id); 1001 } 1002 1003 void 1004 client_global_request_reply(int type, u_int32_t seq, void *ctxt) 1005 { 1006 int i; 1007 1008 i = client_global_request_id++; 1009 if (i >= options.num_remote_forwards) { 1010 debug("client_global_request_reply: too many replies %d > %d", 1011 i, options.num_remote_forwards); 1012 return; 1013 } 1014 debug("remote forward %s for: listen %d, connect %s:%d", 1015 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 1016 options.remote_forwards[i].port, 1017 options.remote_forwards[i].host, 1018 options.remote_forwards[i].host_port); 1019 if (type == SSH2_MSG_REQUEST_FAILURE) 1020 logit("Warning: remote port forwarding failed for listen port %d", 1021 options.remote_forwards[i].port); 1022 } 1023 1024 /* request pty/x11/agent/tcpfwd/shell for channel */ 1025 static void 1026 ssh_session2_setup(int id, void *arg) 1027 { 1028 int len; 1029 int interactive = 0; 1030 struct termios tio; 1031 1032 debug2("ssh_session2_setup: id %d", id); 1033 1034 if (tty_flag) { 1035 struct winsize ws; 1036 char *cp; 1037 cp = getenv("TERM"); 1038 if (!cp) 1039 cp = ""; 1040 /* Store window size in the packet. */ 1041 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 1042 memset(&ws, 0, sizeof(ws)); 1043 1044 channel_request_start(id, "pty-req", 0); 1045 packet_put_cstring(cp); 1046 packet_put_int(ws.ws_col); 1047 packet_put_int(ws.ws_row); 1048 packet_put_int(ws.ws_xpixel); 1049 packet_put_int(ws.ws_ypixel); 1050 tio = get_saved_tio(); 1051 tty_make_modes(/*ignored*/ 0, &tio); 1052 packet_send(); 1053 interactive = 1; 1054 /* XXX wait for reply */ 1055 } 1056 if (options.forward_x11 && 1057 getenv("DISPLAY") != NULL) { 1058 char *proto, *data; 1059 /* Get reasonable local authentication information. */ 1060 x11_get_proto(&proto, &data); 1061 /* Request forwarding with authentication spoofing. */ 1062 debug("Requesting X11 forwarding with authentication spoofing."); 1063 x11_request_forwarding_with_spoofing(id, proto, data); 1064 interactive = 1; 1065 /* XXX wait for reply */ 1066 } 1067 1068 check_agent_present(); 1069 if (options.forward_agent) { 1070 debug("Requesting authentication agent forwarding."); 1071 channel_request_start(id, "auth-agent-req@openssh.com", 0); 1072 packet_send(); 1073 } 1074 1075 len = buffer_len(&command); 1076 if (len > 0) { 1077 if (len > 900) 1078 len = 900; 1079 if (subsystem_flag) { 1080 debug("Sending subsystem: %.*s", len, (u_char *)buffer_ptr(&command)); 1081 channel_request_start(id, "subsystem", /*want reply*/ 1); 1082 /* register callback for reply */ 1083 /* XXX we assume that client_loop has already been called */ 1084 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply); 1085 dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply); 1086 } else { 1087 debug("Sending command: %.*s", len, (u_char *)buffer_ptr(&command)); 1088 channel_request_start(id, "exec", 0); 1089 } 1090 packet_put_string(buffer_ptr(&command), buffer_len(&command)); 1091 packet_send(); 1092 } else { 1093 channel_request_start(id, "shell", 0); 1094 packet_send(); 1095 } 1096 1097 packet_set_interactive(interactive); 1098 } 1099 1100 /* open new channel for a session */ 1101 static int 1102 ssh_session2_open(void) 1103 { 1104 Channel *c; 1105 int window, packetmax, in, out, err; 1106 1107 if (stdin_null_flag) { 1108 in = open(_PATH_DEVNULL, O_RDONLY); 1109 } else { 1110 in = dup(STDIN_FILENO); 1111 } 1112 out = dup(STDOUT_FILENO); 1113 err = dup(STDERR_FILENO); 1114 1115 if (in < 0 || out < 0 || err < 0) 1116 fatal("dup() in/out/err failed"); 1117 1118 /* enable nonblocking unless tty */ 1119 if (!isatty(in)) 1120 set_nonblock(in); 1121 if (!isatty(out)) 1122 set_nonblock(out); 1123 if (!isatty(err)) 1124 set_nonblock(err); 1125 1126 window = CHAN_SES_WINDOW_DEFAULT; 1127 packetmax = CHAN_SES_PACKET_DEFAULT; 1128 if (tty_flag) { 1129 window >>= 1; 1130 packetmax >>= 1; 1131 } 1132 c = channel_new( 1133 "session", SSH_CHANNEL_OPENING, in, out, err, 1134 window, packetmax, CHAN_EXTENDED_WRITE, 1135 "client-session", /*nonblock*/0); 1136 1137 debug3("ssh_session2_open: channel_new: %d", c->self); 1138 1139 channel_send_open(c->self); 1140 if (!no_shell_flag) 1141 channel_register_confirm(c->self, ssh_session2_setup); 1142 1143 return c->self; 1144 } 1145 1146 static int 1147 ssh_session2(void) 1148 { 1149 int id = -1; 1150 1151 /* XXX should be pre-session */ 1152 ssh_init_forwarding(); 1153 1154 if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) 1155 id = ssh_session2_open(); 1156 1157 /* If requested, let ssh continue in the background. */ 1158 if (fork_after_authentication_flag) 1159 if (daemon(1, 1) < 0) 1160 fatal("daemon() failed: %.200s", strerror(errno)); 1161 1162 return client_loop(tty_flag, tty_flag ? 1163 options.escape_char : SSH_ESCAPECHAR_NONE, id); 1164 } 1165 1166 static void 1167 load_public_identity_files(void) 1168 { 1169 char *filename; 1170 int i = 0; 1171 Key *public; 1172 #ifdef SMARTCARD 1173 Key **keys; 1174 1175 if (options.smartcard_device != NULL && 1176 options.num_identity_files < SSH_MAX_IDENTITY_FILES && 1177 (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { 1178 int count = 0; 1179 for (i = 0; keys[i] != NULL; i++) { 1180 count++; 1181 memmove(&options.identity_files[1], &options.identity_files[0], 1182 sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); 1183 memmove(&options.identity_keys[1], &options.identity_keys[0], 1184 sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); 1185 options.num_identity_files++; 1186 options.identity_keys[0] = keys[i]; 1187 options.identity_files[0] = sc_get_key_label(keys[i]); 1188 } 1189 if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) 1190 options.num_identity_files = SSH_MAX_IDENTITY_FILES; 1191 i = count; 1192 xfree(keys); 1193 } 1194 #endif /* SMARTCARD */ 1195 for (; i < options.num_identity_files; i++) { 1196 filename = tilde_expand_filename(options.identity_files[i], 1197 original_real_uid); 1198 public = key_load_public(filename, NULL); 1199 debug("identity file %s type %d", filename, 1200 public ? public->type : -1); 1201 xfree(options.identity_files[i]); 1202 options.identity_files[i] = filename; 1203 options.identity_keys[i] = public; 1204 } 1205 } 1206