1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Ssh client program. This program can be used to log into a remote machine. 6 * The software supports strong authentication, encryption, and forwarding 7 * of X11, TCP/IP, and authentication connections. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * Copyright (c) 1999 Niels Provos. All rights reserved. 16 * 17 * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> 18 * in Canada (German citizen). 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 30 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 31 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 32 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 33 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 34 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 35 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 36 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 37 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 38 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 */ 40 41 #include "includes.h" 42 RCSID("$OpenBSD: ssh.c,v 1.116 2001/04/17 12:55:04 markus Exp $"); 43 RCSID("$FreeBSD$"); 44 45 #include <openssl/evp.h> 46 #include <openssl/err.h> 47 48 #include "ssh.h" 49 #include "ssh1.h" 50 #include "ssh2.h" 51 #include "compat.h" 52 #include "cipher.h" 53 #include "xmalloc.h" 54 #include "packet.h" 55 #include "buffer.h" 56 #include "uidswap.h" 57 #include "channels.h" 58 #include "key.h" 59 #include "authfd.h" 60 #include "authfile.h" 61 #include "pathnames.h" 62 #include "clientloop.h" 63 #include "log.h" 64 #include "readconf.h" 65 #include "sshconnect.h" 66 #include "tildexpand.h" 67 #include "dispatch.h" 68 #include "misc.h" 69 #include "kex.h" 70 #include "mac.h" 71 #include "sshtty.h" 72 73 extern char *__progname; 74 75 /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. 76 Default value is AF_UNSPEC means both IPv4 and IPv6. */ 77 extern int IPv4or6; 78 79 /* Flag indicating whether debug mode is on. This can be set on the command line. */ 80 int debug_flag = 0; 81 82 /* Flag indicating whether a tty should be allocated */ 83 int tty_flag = 0; 84 int no_tty_flag = 0; 85 int force_tty_flag = 0; 86 87 /* don't exec a shell */ 88 int no_shell_flag = 0; 89 90 /* 91 * Flag indicating that nothing should be read from stdin. This can be set 92 * on the command line. 93 */ 94 int stdin_null_flag = 0; 95 96 /* 97 * Flag indicating that ssh should fork after authentication. This is useful 98 * so that the pasphrase can be entered manually, and then ssh goes to the 99 * background. 100 */ 101 int fork_after_authentication_flag = 0; 102 103 /* 104 * General data structure for command line options and options configurable 105 * in configuration files. See readconf.h. 106 */ 107 Options options; 108 109 /* 110 * Name of the host we are connecting to. This is the name given on the 111 * command line, or the HostName specified for the user-supplied name in a 112 * configuration file. 113 */ 114 char *host; 115 116 /* socket address the host resolves to */ 117 struct sockaddr_storage hostaddr; 118 119 /* 120 * Flag to indicate that we have received a window change signal which has 121 * not yet been processed. This will cause a message indicating the new 122 * window size to be sent to the server a little later. This is volatile 123 * because this is updated in a signal handler. 124 */ 125 volatile int received_window_change_signal = 0; 126 127 /* Private host keys. */ 128 struct { 129 Key **keys; 130 int nkeys; 131 } sensitive_data; 132 133 /* Original real UID. */ 134 uid_t original_real_uid; 135 136 /* command to be executed */ 137 Buffer command; 138 139 /* Should we execute a command or invoke a subsystem? */ 140 int subsystem_flag = 0; 141 142 /* Prints a help message to the user. This function never returns. */ 143 144 void 145 usage(void) 146 { 147 fprintf(stderr, "Usage: %s [options] host [command]\n", __progname); 148 fprintf(stderr, "Options:\n"); 149 fprintf(stderr, " -l user Log in using this user name.\n"); 150 fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n"); 151 fprintf(stderr, " -A Enable authentication agent forwarding.\n"); 152 fprintf(stderr, " -a Disable authentication agent forwarding.\n"); 153 #ifdef AFS 154 fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); 155 #endif /* AFS */ 156 fprintf(stderr, " -X Enable X11 connection forwarding.\n"); 157 fprintf(stderr, " -x Disable X11 connection forwarding.\n"); 158 fprintf(stderr, " -i file Identity for public key authentication " 159 "(default: ~/.ssh/identity)\n"); 160 fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); 161 fprintf(stderr, " -T Do not allocate a tty.\n"); 162 fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); 163 fprintf(stderr, " Multiple -v increases verbosity.\n"); 164 fprintf(stderr, " -V Display version number only.\n"); 165 fprintf(stderr, " -P Don't allocate a privileged port.\n"); 166 fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); 167 fprintf(stderr, " -f Fork into background after authentication.\n"); 168 fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); 169 170 fprintf(stderr, " -c cipher Select encryption algorithm: " 171 "``3des'', ``blowfish''\n"); 172 fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); 173 fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); 174 fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); 175 fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); 176 fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); 177 fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); 178 fprintf(stderr, " -C Enable compression.\n"); 179 fprintf(stderr, " -N Do not execute a shell or command.\n"); 180 fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); 181 fprintf(stderr, " -1 Force protocol version 1.\n"); 182 fprintf(stderr, " -2 Force protocol version 2.\n"); 183 fprintf(stderr, " -4 Use IPv4 only.\n"); 184 fprintf(stderr, " -6 Use IPv6 only.\n"); 185 fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); 186 fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n"); 187 exit(1); 188 } 189 190 /* 191 * Connects to the given host using rsh (or prints an error message and exits 192 * if rsh is not available). This function never returns. 193 */ 194 void 195 rsh_connect(char *host, char *user, Buffer * command) 196 { 197 char *args[10]; 198 int i; 199 200 log("Using rsh. WARNING: Connection will not be encrypted."); 201 /* Build argument list for rsh. */ 202 i = 0; 203 #ifndef _PATH_RSH 204 #define _PATH_RSH "/usr/bin/rsh" 205 #endif 206 args[i++] = _PATH_RSH; 207 /* host may have to come after user on some systems */ 208 args[i++] = host; 209 if (user) { 210 args[i++] = "-l"; 211 args[i++] = user; 212 } 213 if (buffer_len(command) > 0) { 214 buffer_append(command, "\0", 1); 215 args[i++] = buffer_ptr(command); 216 } 217 args[i++] = NULL; 218 if (debug_flag) { 219 for (i = 0; args[i]; i++) { 220 if (i != 0) 221 fprintf(stderr, " "); 222 fprintf(stderr, "%s", args[i]); 223 } 224 fprintf(stderr, "\n"); 225 } 226 execv(_PATH_RSH, args); 227 perror(_PATH_RSH); 228 exit(1); 229 } 230 231 int ssh_session(void); 232 int ssh_session2(void); 233 void load_public_identity_files(void); 234 235 /* 236 * Main program for the ssh client. 237 */ 238 int 239 main(int ac, char **av) 240 { 241 int i, opt, optind, exit_status, ok; 242 u_short fwd_port, fwd_host_port; 243 char *optarg, *cp, buf[256]; 244 struct stat st; 245 struct passwd *pw; 246 int dummy; 247 uid_t original_effective_uid; 248 249 /* 250 * Save the original real uid. It will be needed later (uid-swapping 251 * may clobber the real uid). 252 */ 253 original_real_uid = getuid(); 254 original_effective_uid = geteuid(); 255 256 /* If we are installed setuid root be careful to not drop core. */ 257 if (original_real_uid != original_effective_uid) { 258 struct rlimit rlim; 259 rlim.rlim_cur = rlim.rlim_max = 0; 260 if (setrlimit(RLIMIT_CORE, &rlim) < 0) 261 fatal("setrlimit failed: %.100s", strerror(errno)); 262 } 263 /* Get user data. */ 264 pw = getpwuid(original_real_uid); 265 if (!pw) { 266 log("unknown user %d", original_real_uid); 267 exit(1); 268 } 269 /* Take a copy of the returned structure. */ 270 pw = pwcopy(pw); 271 272 /* 273 * Use uid-swapping to give up root privileges for the duration of 274 * option processing. We will re-instantiate the rights when we are 275 * ready to create the privileged port, and will permanently drop 276 * them when the port has been created (actually, when the connection 277 * has been made, as we may need to create the port several times). 278 */ 279 temporarily_use_uid(pw); 280 281 /* 282 * Set our umask to something reasonable, as some files are created 283 * with the default umask. This will make them world-readable but 284 * writable only by the owner, which is ok for all files for which we 285 * don't set the modes explicitly. 286 */ 287 umask(022); 288 289 /* Initialize option structure to indicate that no values have been set. */ 290 initialize_options(&options); 291 292 /* Parse command-line arguments. */ 293 host = NULL; 294 295 for (optind = 1; optind < ac; optind++) { 296 if (av[optind][0] != '-') { 297 if (host) 298 break; 299 if ((cp = strchr(av[optind], '@'))) { 300 if(cp == av[optind]) 301 usage(); 302 options.user = av[optind]; 303 *cp = '\0'; 304 host = ++cp; 305 } else 306 host = av[optind]; 307 continue; 308 } 309 opt = av[optind][1]; 310 if (!opt) 311 usage(); 312 if (strchr("eilcmpLRDo", opt)) { /* options with arguments */ 313 optarg = av[optind] + 2; 314 if (strcmp(optarg, "") == 0) { 315 if (optind >= ac - 1) 316 usage(); 317 optarg = av[++optind]; 318 } 319 } else { 320 if (av[optind][2]) 321 usage(); 322 optarg = NULL; 323 } 324 switch (opt) { 325 case '1': 326 options.protocol = SSH_PROTO_1; 327 break; 328 case '2': 329 options.protocol = SSH_PROTO_2; 330 break; 331 case '4': 332 IPv4or6 = AF_INET; 333 break; 334 case '6': 335 IPv4or6 = AF_INET6; 336 break; 337 case 'n': 338 stdin_null_flag = 1; 339 break; 340 case 'f': 341 fork_after_authentication_flag = 1; 342 stdin_null_flag = 1; 343 break; 344 case 'x': 345 options.forward_x11 = 0; 346 break; 347 case 'X': 348 options.forward_x11 = 1; 349 break; 350 case 'g': 351 options.gateway_ports = 1; 352 break; 353 case 'P': 354 options.use_privileged_port = 0; 355 break; 356 case 'a': 357 options.forward_agent = 0; 358 break; 359 case 'A': 360 options.forward_agent = 1; 361 break; 362 #ifdef AFS 363 case 'k': 364 options.krb4_tgt_passing = 0; 365 #ifdef KRB5 366 options.krb5_tgt_passing = 0; 367 #endif 368 options.afs_token_passing = 0; 369 break; 370 #endif 371 case 'i': 372 if (stat(optarg, &st) < 0) { 373 fprintf(stderr, "Warning: Identity file %s does not exist.\n", 374 optarg); 375 break; 376 } 377 if (options.num_identity_files >= SSH_MAX_IDENTITY_FILES) 378 fatal("Too many identity files specified (max %d)", 379 SSH_MAX_IDENTITY_FILES); 380 options.identity_files[options.num_identity_files++] = xstrdup(optarg); 381 break; 382 case 't': 383 if (tty_flag) 384 force_tty_flag = 1; 385 tty_flag = 1; 386 break; 387 case 'v': 388 if (0 == debug_flag) { 389 debug_flag = 1; 390 options.log_level = SYSLOG_LEVEL_DEBUG1; 391 } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) { 392 options.log_level++; 393 break; 394 } else { 395 fatal("Too high debugging level."); 396 } 397 /* fallthrough */ 398 case 'V': 399 fprintf(stderr, 400 "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n", 401 SSH_VERSION, 402 PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, 403 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, 404 SSLeay()); 405 if (opt == 'V') 406 exit(0); 407 break; 408 case 'q': 409 options.log_level = SYSLOG_LEVEL_QUIET; 410 break; 411 case 'e': 412 if (optarg[0] == '^' && optarg[2] == 0 && 413 (u_char) optarg[1] >= 64 && (u_char) optarg[1] < 128) 414 options.escape_char = (u_char) optarg[1] & 31; 415 else if (strlen(optarg) == 1) 416 options.escape_char = (u_char) optarg[0]; 417 else if (strcmp(optarg, "none") == 0) 418 options.escape_char = -2; 419 else { 420 fprintf(stderr, "Bad escape character '%s'.\n", optarg); 421 exit(1); 422 } 423 break; 424 case 'c': 425 if (ciphers_valid(optarg)) { 426 /* SSH2 only */ 427 options.ciphers = xstrdup(optarg); 428 options.cipher = SSH_CIPHER_ILLEGAL; 429 } else { 430 /* SSH1 only */ 431 options.cipher = cipher_number(optarg); 432 if (options.cipher == -1) { 433 fprintf(stderr, "Unknown cipher type '%s'\n", optarg); 434 exit(1); 435 } 436 if (options.cipher == SSH_CIPHER_3DES) { 437 options.ciphers = "3des-cbc"; 438 } else if (options.cipher == SSH_CIPHER_BLOWFISH) { 439 options.ciphers = "blowfish-cbc"; 440 } else { 441 options.ciphers = (char *)-1; 442 } 443 } 444 break; 445 case 'm': 446 if (mac_valid(optarg)) 447 options.macs = xstrdup(optarg); 448 else { 449 fprintf(stderr, "Unknown mac type '%s'\n", optarg); 450 exit(1); 451 } 452 break; 453 case 'p': 454 options.port = a2port(optarg); 455 if (options.port == 0) { 456 fprintf(stderr, "Bad port '%s'\n", optarg); 457 exit(1); 458 } 459 break; 460 case 'l': 461 options.user = optarg; 462 break; 463 case 'R': 464 if (sscanf(optarg, "%hu/%255[^/]/%hu", &fwd_port, buf, 465 &fwd_host_port) != 3 && 466 sscanf(optarg, "%hu:%255[^:]:%hu", &fwd_port, buf, 467 &fwd_host_port) != 3) { 468 fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg); 469 usage(); 470 /* NOTREACHED */ 471 } 472 add_remote_forward(&options, fwd_port, buf, fwd_host_port); 473 break; 474 case 'L': 475 if (sscanf(optarg, "%hu/%255[^/]/%hu", &fwd_port, buf, 476 &fwd_host_port) != 3 && 477 sscanf(optarg, "%hu:%255[^:]:%hu", &fwd_port, buf, 478 &fwd_host_port) != 3) { 479 fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg); 480 usage(); 481 /* NOTREACHED */ 482 } 483 add_local_forward(&options, fwd_port, buf, fwd_host_port); 484 break; 485 486 case 'D': 487 fwd_port = a2port(optarg); 488 if (fwd_port == 0) { 489 fprintf(stderr, "Bad dynamic port '%s'\n", optarg); 490 exit(1); 491 } 492 add_local_forward(&options, fwd_port, "socks4", 0); 493 break; 494 495 case 'C': 496 options.compression = 1; 497 break; 498 case 'N': 499 no_shell_flag = 1; 500 no_tty_flag = 1; 501 break; 502 case 'T': 503 no_tty_flag = 1; 504 break; 505 case 'o': 506 dummy = 1; 507 if (process_config_line(&options, host ? host : "", optarg, 508 "command-line", 0, &dummy) != 0) 509 exit(1); 510 break; 511 case 's': 512 subsystem_flag = 1; 513 break; 514 default: 515 usage(); 516 } 517 } 518 519 /* Check that we got a host name. */ 520 if (!host) 521 usage(); 522 523 SSLeay_add_all_algorithms(); 524 ERR_load_crypto_strings(); 525 526 /* Initialize the command to execute on remote host. */ 527 buffer_init(&command); 528 529 /* 530 * Save the command to execute on the remote host in a buffer. There 531 * is no limit on the length of the command, except by the maximum 532 * packet size. Also sets the tty flag if there is no command. 533 */ 534 if (optind == ac) { 535 /* No command specified - execute shell on a tty. */ 536 tty_flag = 1; 537 if (subsystem_flag) { 538 fprintf(stderr, "You must specify a subsystem to invoke.\n"); 539 usage(); 540 } 541 } else { 542 /* A command has been specified. Store it into the 543 buffer. */ 544 for (i = optind; i < ac; i++) { 545 if (i > optind) 546 buffer_append(&command, " ", 1); 547 buffer_append(&command, av[i], strlen(av[i])); 548 } 549 } 550 551 /* Cannot fork to background if no command. */ 552 if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag) 553 fatal("Cannot fork into background without a command to execute."); 554 555 /* Allocate a tty by default if no command specified. */ 556 if (buffer_len(&command) == 0) 557 tty_flag = 1; 558 559 /* Force no tty*/ 560 if (no_tty_flag) 561 tty_flag = 0; 562 /* Do not allocate a tty if stdin is not a tty. */ 563 if (!isatty(fileno(stdin)) && !force_tty_flag) { 564 if (tty_flag) 565 log("Pseudo-terminal will not be allocated because stdin is not a terminal."); 566 tty_flag = 0; 567 } 568 569 /* 570 * Initialize "log" output. Since we are the client all output 571 * actually goes to stderr. 572 */ 573 log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, 574 SYSLOG_FACILITY_USER, 1); 575 576 /* Read per-user configuration file. */ 577 snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); 578 read_config_file(buf, host, &options); 579 580 /* Read systemwide configuration file. */ 581 read_config_file(_PATH_HOST_CONFIG_FILE, host, &options); 582 583 /* Fill configuration defaults. */ 584 fill_default_options(&options); 585 586 /* reinit */ 587 log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); 588 589 if (options.user == NULL) 590 options.user = xstrdup(pw->pw_name); 591 592 if (options.hostname != NULL) 593 host = options.hostname; 594 595 /* Find canonic host name. */ 596 if (strchr(host, '.') == 0) { 597 struct addrinfo hints; 598 struct addrinfo *ai = NULL; 599 int errgai; 600 memset(&hints, 0, sizeof(hints)); 601 hints.ai_family = IPv4or6; 602 hints.ai_flags = AI_CANONNAME; 603 hints.ai_socktype = SOCK_STREAM; 604 errgai = getaddrinfo(host, NULL, &hints, &ai); 605 if (errgai == 0) { 606 if (ai->ai_canonname != NULL) 607 host = xstrdup(ai->ai_canonname); 608 freeaddrinfo(ai); 609 } 610 } 611 /* Disable rhosts authentication if not running as root. */ 612 if (original_effective_uid != 0 || !options.use_privileged_port) { 613 debug("Rhosts Authentication disabled, " 614 "originating port will not be trusted."); 615 options.rhosts_authentication = 0; 616 } 617 /* 618 * If using rsh has been selected, exec it now (without trying 619 * anything else). Note that we must release privileges first. 620 */ 621 if (options.use_rsh) { 622 /* 623 * Restore our superuser privileges. This must be done 624 * before permanently setting the uid. 625 */ 626 restore_uid(); 627 628 /* Switch to the original uid permanently. */ 629 permanently_set_uid(pw); 630 631 /* Execute rsh. */ 632 rsh_connect(host, options.user, &command); 633 fatal("rsh_connect returned"); 634 } 635 /* Restore our superuser privileges. */ 636 restore_uid(); 637 638 /* Open a connection to the remote host. */ 639 640 ok = ssh_connect(host, &hostaddr, options.port, 641 options.connection_attempts, 642 original_effective_uid != 0 || !options.use_privileged_port, 643 pw, options.proxy_command); 644 645 /* 646 * If we successfully made the connection, load the host private key 647 * in case we will need it later for combined rsa-rhosts 648 * authentication. This must be done before releasing extra 649 * privileges, because the file is only readable by root. 650 */ 651 sensitive_data.nkeys = 0; 652 sensitive_data.keys = NULL; 653 if (ok && (options.rhosts_rsa_authentication || 654 options.hostbased_authentication)) { 655 sensitive_data.nkeys = 3; 656 sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key)); 657 sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, 658 _PATH_HOST_KEY_FILE, "", NULL); 659 sensitive_data.keys[1] = key_load_private_type(KEY_DSA, 660 _PATH_HOST_DSA_KEY_FILE, "", NULL); 661 sensitive_data.keys[2] = key_load_private_type(KEY_RSA, 662 _PATH_HOST_RSA_KEY_FILE, "", NULL); 663 } 664 /* 665 * Get rid of any extra privileges that we may have. We will no 666 * longer need them. Also, extra privileges could make it very hard 667 * to read identity files and other non-world-readable files from the 668 * user's home directory if it happens to be on a NFS volume where 669 * root is mapped to nobody. 670 */ 671 672 /* 673 * Note that some legacy systems need to postpone the following call 674 * to permanently_set_uid() until the private hostkey is destroyed 675 * with RSA_free(). Otherwise the calling user could ptrace() the 676 * process, read the private hostkey and impersonate the host. 677 * OpenBSD does not allow ptracing of setuid processes. 678 */ 679 permanently_set_uid(pw); 680 681 /* 682 * Now that we are back to our own permissions, create ~/.ssh 683 * directory if it doesn\'t already exist. 684 */ 685 snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_DIR); 686 if (stat(buf, &st) < 0) 687 if (mkdir(buf, 0700) < 0) 688 error("Could not create directory '%.200s'.", buf); 689 690 /* Check if the connection failed, and try "rsh" if appropriate. */ 691 if (!ok) { 692 if (options.port != 0) 693 log("Secure connection to %.100s on port %hu refused%.100s.", 694 host, options.port, 695 options.fallback_to_rsh ? "; reverting to insecure method" : ""); 696 else 697 log("Secure connection to %.100s refused%.100s.", host, 698 options.fallback_to_rsh ? "; reverting to insecure method" : ""); 699 700 if (options.fallback_to_rsh) { 701 rsh_connect(host, options.user, &command); 702 fatal("rsh_connect returned"); 703 } 704 exit(1); 705 } 706 /* load options.identity_files */ 707 load_public_identity_files(); 708 709 /* Expand ~ in known host file names. */ 710 /* XXX mem-leaks: */ 711 options.system_hostfile = 712 tilde_expand_filename(options.system_hostfile, original_real_uid); 713 options.user_hostfile = 714 tilde_expand_filename(options.user_hostfile, original_real_uid); 715 options.system_hostfile2 = 716 tilde_expand_filename(options.system_hostfile2, original_real_uid); 717 options.user_hostfile2 = 718 tilde_expand_filename(options.user_hostfile2, original_real_uid); 719 720 /* Log into the remote system. This never returns if the login fails. */ 721 ssh_login(sensitive_data.keys, sensitive_data.nkeys, 722 host, (struct sockaddr *)&hostaddr, pw); 723 724 /* We no longer need the private host keys. Clear them now. */ 725 if (sensitive_data.nkeys != 0) { 726 for (i = 0; i < sensitive_data.nkeys; i++) { 727 if (sensitive_data.keys[i] != NULL) { 728 /* Destroys contents safely */ 729 debug3("clear hostkey %d", i); 730 key_free(sensitive_data.keys[i]); 731 sensitive_data.keys[i] = NULL; 732 } 733 } 734 xfree(sensitive_data.keys); 735 } 736 737 exit_status = compat20 ? ssh_session2() : ssh_session(); 738 packet_close(); 739 return exit_status; 740 } 741 742 void 743 x11_get_proto(char *proto, int proto_len, char *data, int data_len) 744 { 745 char line[512]; 746 FILE *f; 747 int got_data = 0, i; 748 749 if (options.xauth_location) { 750 /* Try to get Xauthority information for the display. */ 751 snprintf(line, sizeof line, "%.100s list %.200s 2>" _PATH_DEVNULL, 752 options.xauth_location, getenv("DISPLAY")); 753 f = popen(line, "r"); 754 if (f && fgets(line, sizeof(line), f) && 755 sscanf(line, "%*s %s %s", proto, data) == 2) 756 got_data = 1; 757 if (f) 758 pclose(f); 759 } 760 /* 761 * If we didn't get authentication data, just make up some 762 * data. The forwarding code will check the validity of the 763 * response anyway, and substitute this data. The X11 764 * server, however, will ignore this fake data and use 765 * whatever authentication mechanisms it was using otherwise 766 * for the local connection. 767 */ 768 if (!got_data) { 769 u_int32_t rand = 0; 770 771 strlcpy(proto, "MIT-MAGIC-COOKIE-1", proto_len); 772 for (i = 0; i < 16; i++) { 773 if (i % 4 == 0) 774 rand = arc4random(); 775 snprintf(data + 2 * i, data_len - 2 * i, "%02x", rand & 0xff); 776 rand >>= 8; 777 } 778 } 779 } 780 781 void 782 ssh_init_forwarding(void) 783 { 784 int success = 0; 785 int i; 786 787 /* Initiate local TCP/IP port forwardings. */ 788 for (i = 0; i < options.num_local_forwards; i++) { 789 debug("Connections to local port %d forwarded to remote address %.200s:%d", 790 options.local_forwards[i].port, 791 options.local_forwards[i].host, 792 options.local_forwards[i].host_port); 793 success += channel_request_local_forwarding( 794 options.local_forwards[i].port, 795 options.local_forwards[i].host, 796 options.local_forwards[i].host_port, 797 options.gateway_ports); 798 } 799 if (i > 0 && success == 0) 800 error("Could not request local forwarding."); 801 802 /* Initiate remote TCP/IP port forwardings. */ 803 for (i = 0; i < options.num_remote_forwards; i++) { 804 debug("Connections to remote port %d forwarded to local address %.200s:%d", 805 options.remote_forwards[i].port, 806 options.remote_forwards[i].host, 807 options.remote_forwards[i].host_port); 808 channel_request_remote_forwarding( 809 options.remote_forwards[i].port, 810 options.remote_forwards[i].host, 811 options.remote_forwards[i].host_port); 812 } 813 } 814 815 void 816 check_agent_present(void) 817 { 818 if (options.forward_agent) { 819 /* Clear agent forwarding if we don\'t have an agent. */ 820 int authfd = ssh_get_authentication_socket(); 821 if (authfd < 0) 822 options.forward_agent = 0; 823 else 824 ssh_close_authentication_socket(authfd); 825 } 826 } 827 828 int 829 ssh_session(void) 830 { 831 int type; 832 int plen; 833 int interactive = 0; 834 int have_tty = 0; 835 struct winsize ws; 836 char *cp; 837 838 /* Enable compression if requested. */ 839 if (options.compression) { 840 debug("Requesting compression at level %d.", options.compression_level); 841 842 if (options.compression_level < 1 || options.compression_level > 9) 843 fatal("Compression level must be from 1 (fast) to 9 (slow, best)."); 844 845 /* Send the request. */ 846 packet_start(SSH_CMSG_REQUEST_COMPRESSION); 847 packet_put_int(options.compression_level); 848 packet_send(); 849 packet_write_wait(); 850 type = packet_read(&plen); 851 if (type == SSH_SMSG_SUCCESS) 852 packet_start_compression(options.compression_level); 853 else if (type == SSH_SMSG_FAILURE) 854 log("Warning: Remote host refused compression."); 855 else 856 packet_disconnect("Protocol error waiting for compression response."); 857 } 858 /* Allocate a pseudo tty if appropriate. */ 859 if (tty_flag) { 860 debug("Requesting pty."); 861 862 /* Start the packet. */ 863 packet_start(SSH_CMSG_REQUEST_PTY); 864 865 /* Store TERM in the packet. There is no limit on the 866 length of the string. */ 867 cp = getenv("TERM"); 868 if (!cp) 869 cp = ""; 870 packet_put_string(cp, strlen(cp)); 871 872 /* Store window size in the packet. */ 873 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 874 memset(&ws, 0, sizeof(ws)); 875 packet_put_int(ws.ws_row); 876 packet_put_int(ws.ws_col); 877 packet_put_int(ws.ws_xpixel); 878 packet_put_int(ws.ws_ypixel); 879 880 /* Store tty modes in the packet. */ 881 tty_make_modes(fileno(stdin), NULL); 882 883 /* Send the packet, and wait for it to leave. */ 884 packet_send(); 885 packet_write_wait(); 886 887 /* Read response from the server. */ 888 type = packet_read(&plen); 889 if (type == SSH_SMSG_SUCCESS) { 890 interactive = 1; 891 have_tty = 1; 892 } else if (type == SSH_SMSG_FAILURE) 893 log("Warning: Remote host failed or refused to allocate a pseudo tty."); 894 else 895 packet_disconnect("Protocol error waiting for pty request response."); 896 } 897 /* Request X11 forwarding if enabled and DISPLAY is set. */ 898 if (options.forward_x11 && getenv("DISPLAY") != NULL) { 899 char proto[512], data[512]; 900 /* Get reasonable local authentication information. */ 901 x11_get_proto(proto, sizeof proto, data, sizeof data); 902 /* Request forwarding with authentication spoofing. */ 903 debug("Requesting X11 forwarding with authentication spoofing."); 904 x11_request_forwarding_with_spoofing(0, proto, data); 905 906 /* Read response from the server. */ 907 type = packet_read(&plen); 908 if (type == SSH_SMSG_SUCCESS) { 909 interactive = 1; 910 } else if (type == SSH_SMSG_FAILURE) { 911 log("Warning: Remote host denied X11 forwarding."); 912 } else { 913 packet_disconnect("Protocol error waiting for X11 forwarding"); 914 } 915 } 916 /* Tell the packet module whether this is an interactive session. */ 917 packet_set_interactive(interactive); 918 919 /* Request authentication agent forwarding if appropriate. */ 920 check_agent_present(); 921 922 if (options.forward_agent) { 923 debug("Requesting authentication agent forwarding."); 924 auth_request_forwarding(); 925 926 /* Read response from the server. */ 927 type = packet_read(&plen); 928 packet_integrity_check(plen, 0, type); 929 if (type != SSH_SMSG_SUCCESS) 930 log("Warning: Remote host denied authentication agent forwarding."); 931 } 932 933 /* Initiate port forwardings. */ 934 ssh_init_forwarding(); 935 936 /* If requested, let ssh continue in the background. */ 937 if (fork_after_authentication_flag) 938 if (daemon(1, 1) < 0) 939 fatal("daemon() failed: %.200s", strerror(errno)); 940 941 /* 942 * If a command was specified on the command line, execute the 943 * command now. Otherwise request the server to start a shell. 944 */ 945 if (buffer_len(&command) > 0) { 946 int len = buffer_len(&command); 947 if (len > 900) 948 len = 900; 949 debug("Sending command: %.*s", len, buffer_ptr(&command)); 950 packet_start(SSH_CMSG_EXEC_CMD); 951 packet_put_string(buffer_ptr(&command), buffer_len(&command)); 952 packet_send(); 953 packet_write_wait(); 954 } else { 955 debug("Requesting shell."); 956 packet_start(SSH_CMSG_EXEC_SHELL); 957 packet_send(); 958 packet_write_wait(); 959 } 960 961 /* Enter the interactive session. */ 962 return client_loop(have_tty, tty_flag ? options.escape_char : -1, 0); 963 } 964 965 void 966 client_subsystem_reply(int type, int plen, void *ctxt) 967 { 968 int id, len; 969 970 id = packet_get_int(); 971 len = buffer_len(&command); 972 if (len > 900) 973 len = 900; 974 packet_done(); 975 if (type == SSH2_MSG_CHANNEL_FAILURE) 976 fatal("Request for subsystem '%.*s' failed on channel %d", 977 len, buffer_ptr(&command), id); 978 } 979 980 void 981 ssh_session2_callback(int id, void *arg) 982 { 983 int len; 984 int interactive = 0; 985 struct termios tio; 986 987 debug("client_init id %d arg %ld", id, (long)arg); 988 989 if (tty_flag) { 990 struct winsize ws; 991 char *cp; 992 cp = getenv("TERM"); 993 if (!cp) 994 cp = ""; 995 /* Store window size in the packet. */ 996 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) 997 memset(&ws, 0, sizeof(ws)); 998 999 channel_request_start(id, "pty-req", 0); 1000 packet_put_cstring(cp); 1001 packet_put_int(ws.ws_col); 1002 packet_put_int(ws.ws_row); 1003 packet_put_int(ws.ws_xpixel); 1004 packet_put_int(ws.ws_ypixel); 1005 tio = get_saved_tio(); 1006 tty_make_modes(/*ignored*/ 0, &tio); 1007 packet_send(); 1008 interactive = 1; 1009 /* XXX wait for reply */ 1010 } 1011 if (options.forward_x11 && 1012 getenv("DISPLAY") != NULL) { 1013 char proto[512], data[512]; 1014 /* Get reasonable local authentication information. */ 1015 x11_get_proto(proto, sizeof proto, data, sizeof data); 1016 /* Request forwarding with authentication spoofing. */ 1017 debug("Requesting X11 forwarding with authentication spoofing."); 1018 x11_request_forwarding_with_spoofing(id, proto, data); 1019 interactive = 1; 1020 /* XXX wait for reply */ 1021 } 1022 1023 check_agent_present(); 1024 if (options.forward_agent) { 1025 debug("Requesting authentication agent forwarding."); 1026 channel_request_start(id, "auth-agent-req@openssh.com", 0); 1027 packet_send(); 1028 } 1029 1030 len = buffer_len(&command); 1031 if (len > 0) { 1032 if (len > 900) 1033 len = 900; 1034 if (subsystem_flag) { 1035 debug("Sending subsystem: %.*s", len, buffer_ptr(&command)); 1036 channel_request_start(id, "subsystem", /*want reply*/ 1); 1037 /* register callback for reply */ 1038 /* XXX we asume that client_loop has already been called */ 1039 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply); 1040 dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply); 1041 } else { 1042 debug("Sending command: %.*s", len, buffer_ptr(&command)); 1043 channel_request_start(id, "exec", 0); 1044 } 1045 packet_put_string(buffer_ptr(&command), buffer_len(&command)); 1046 packet_send(); 1047 } else { 1048 channel_request(id, "shell", 0); 1049 } 1050 /* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */ 1051 1052 /* register different callback, etc. XXX */ 1053 packet_set_interactive(interactive); 1054 } 1055 1056 int 1057 ssh_session2_command(void) 1058 { 1059 int id, window, packetmax; 1060 int in, out, err; 1061 1062 if (stdin_null_flag) { 1063 in = open(_PATH_DEVNULL, O_RDONLY); 1064 } else { 1065 in = dup(STDIN_FILENO); 1066 } 1067 out = dup(STDOUT_FILENO); 1068 err = dup(STDERR_FILENO); 1069 1070 if (in < 0 || out < 0 || err < 0) 1071 fatal("dup() in/out/err failed"); 1072 1073 /* enable nonblocking unless tty */ 1074 if (!isatty(in)) 1075 set_nonblock(in); 1076 if (!isatty(out)) 1077 set_nonblock(out); 1078 if (!isatty(err)) 1079 set_nonblock(err); 1080 1081 window = CHAN_SES_WINDOW_DEFAULT; 1082 packetmax = CHAN_SES_PACKET_DEFAULT; 1083 if (!tty_flag) { 1084 window *= 2; 1085 packetmax *=2; 1086 } 1087 id = channel_new( 1088 "session", SSH_CHANNEL_OPENING, in, out, err, 1089 window, packetmax, CHAN_EXTENDED_WRITE, 1090 xstrdup("client-session"), /*nonblock*/0); 1091 1092 debug("channel_new: %d", id); 1093 1094 channel_open(id); 1095 channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, 1096 ssh_session2_callback, (void *)0); 1097 1098 return id; 1099 } 1100 1101 int 1102 ssh_session2(void) 1103 { 1104 int id; 1105 1106 /* XXX should be pre-session */ 1107 ssh_init_forwarding(); 1108 1109 id = no_shell_flag ? -1 : ssh_session2_command(); 1110 1111 /* If requested, let ssh continue in the background. */ 1112 if (fork_after_authentication_flag) 1113 if (daemon(1, 1) < 0) 1114 fatal("daemon() failed: %.200s", strerror(errno)); 1115 1116 return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id); 1117 } 1118 1119 void 1120 load_public_identity_files(void) 1121 { 1122 char *filename; 1123 Key *public; 1124 int i; 1125 1126 for (i = 0; i < options.num_identity_files; i++) { 1127 filename = tilde_expand_filename(options.identity_files[i], 1128 original_real_uid); 1129 public = key_load_public(filename, NULL); 1130 debug("identity file %s type %d", filename, 1131 public ? public->type : -1); 1132 xfree(options.identity_files[i]); 1133 options.identity_files[i] = filename; 1134 options.identity_keys[i] = public; 1135 } 1136 } 1137