xref: /freebsd/crypto/openssh/sshd.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * This program is the ssh daemon.  It listens for connections from clients,
7  * and performs authentication, executes use commands or shell, and forwards
8  * information to/from the application to the user client over an encrypted
9  * connection.  This can also handle forwarding of X11, TCP/IP, and
10  * authentication agent connections.
11  *
12  * As far as I am concerned, the code I have written for this software
13  * can be used freely for any purpose.  Any derived versions of this
14  * software must be clearly marked as such, and if the derived work is
15  * incompatible with the protocol description in the RFC file, it must be
16  * called by a name other than "ssh" or "Secure Shell".
17  *
18  * SSH2 implementation:
19  * Privilege Separation:
20  *
21  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
22  * Copyright (c) 2002 Niels Provos.  All rights reserved.
23  *
24  * Redistribution and use in source and binary forms, with or without
25  * modification, are permitted provided that the following conditions
26  * are met:
27  * 1. Redistributions of source code must retain the above copyright
28  *    notice, this list of conditions and the following disclaimer.
29  * 2. Redistributions in binary form must reproduce the above copyright
30  *    notice, this list of conditions and the following disclaimer in the
31  *    documentation and/or other materials provided with the distribution.
32  *
33  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
34  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
36  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
37  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
38  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
39  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
40  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
41  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
42  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
43  */
44 
45 #include "includes.h"
46 __RCSID("$FreeBSD$");
47 
48 #include <sys/types.h>
49 #include <sys/ioctl.h>
50 #include <sys/socket.h>
51 #ifdef HAVE_SYS_STAT_H
52 # include <sys/stat.h>
53 #endif
54 #ifdef HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 #endif
57 #include "openbsd-compat/sys-tree.h"
58 #include <sys/wait.h>
59 
60 #include <errno.h>
61 #include <fcntl.h>
62 #include <netdb.h>
63 #ifdef HAVE_PATHS_H
64 #include <paths.h>
65 #endif
66 #include <grp.h>
67 #include <pwd.h>
68 #include <signal.h>
69 #include <stdarg.h>
70 #include <stdio.h>
71 #include <stdlib.h>
72 #include <string.h>
73 #include <unistd.h>
74 
75 #include <openssl/dh.h>
76 #include <openssl/bn.h>
77 #include <openssl/md5.h>
78 #include <openssl/rand.h>
79 #ifdef HAVE_SECUREWARE
80 #include <sys/security.h>
81 #include <prot.h>
82 #endif
83 
84 #ifdef __FreeBSD__
85 #include <resolv.h>
86 #if defined(GSSAPI) && defined(HAVE_GSSAPI_H)
87 #include <gssapi.h>
88 #elif defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H)
89 #include <gssapi/gssapi.h>
90 #endif
91 #endif
92 
93 #include "xmalloc.h"
94 #include "ssh.h"
95 #include "ssh1.h"
96 #include "ssh2.h"
97 #include "rsa.h"
98 #include "sshpty.h"
99 #include "packet.h"
100 #include "log.h"
101 #include "buffer.h"
102 #include "servconf.h"
103 #include "uidswap.h"
104 #include "compat.h"
105 #include "cipher.h"
106 #include "key.h"
107 #include "kex.h"
108 #include "dh.h"
109 #include "myproposal.h"
110 #include "authfile.h"
111 #include "pathnames.h"
112 #include "atomicio.h"
113 #include "canohost.h"
114 #include "hostfile.h"
115 #include "auth.h"
116 #include "misc.h"
117 #include "msg.h"
118 #include "dispatch.h"
119 #include "channels.h"
120 #include "session.h"
121 #include "monitor_mm.h"
122 #include "monitor.h"
123 #ifdef GSSAPI
124 #include "ssh-gss.h"
125 #endif
126 #include "monitor_wrap.h"
127 #include "monitor_fdpass.h"
128 #include "version.h"
129 
130 #ifdef LIBWRAP
131 #include <tcpd.h>
132 #include <syslog.h>
133 int allow_severity = LOG_INFO;
134 int deny_severity = LOG_WARNING;
135 #endif /* LIBWRAP */
136 
137 #ifndef O_NOCTTY
138 #define O_NOCTTY	0
139 #endif
140 
141 /* Re-exec fds */
142 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
143 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
144 #define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
145 #define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
146 
147 extern char *__progname;
148 
149 /* Server configuration options. */
150 ServerOptions options;
151 
152 /* Name of the server configuration file. */
153 char *config_file_name = _PATH_SERVER_CONFIG_FILE;
154 
155 /*
156  * Debug mode flag.  This can be set on the command line.  If debug
157  * mode is enabled, extra debugging output will be sent to the system
158  * log, the daemon will not go to background, and will exit after processing
159  * the first connection.
160  */
161 int debug_flag = 0;
162 
163 /* Flag indicating that the daemon should only test the configuration and keys. */
164 int test_flag = 0;
165 
166 /* Flag indicating that the daemon is being started from inetd. */
167 int inetd_flag = 0;
168 
169 /* Flag indicating that sshd should not detach and become a daemon. */
170 int no_daemon_flag = 0;
171 
172 /* debug goes to stderr unless inetd_flag is set */
173 int log_stderr = 0;
174 
175 /* Saved arguments to main(). */
176 char **saved_argv;
177 int saved_argc;
178 
179 /* re-exec */
180 int rexeced_flag = 0;
181 int rexec_flag = 1;
182 int rexec_argc = 0;
183 char **rexec_argv;
184 
185 /*
186  * The sockets that the server is listening; this is used in the SIGHUP
187  * signal handler.
188  */
189 #define	MAX_LISTEN_SOCKS	16
190 int listen_socks[MAX_LISTEN_SOCKS];
191 int num_listen_socks = 0;
192 
193 /*
194  * the client's version string, passed by sshd2 in compat mode. if != NULL,
195  * sshd will skip the version-number exchange
196  */
197 char *client_version_string = NULL;
198 char *server_version_string = NULL;
199 
200 /* for rekeying XXX fixme */
201 Kex *xxx_kex;
202 
203 /*
204  * Any really sensitive data in the application is contained in this
205  * structure. The idea is that this structure could be locked into memory so
206  * that the pages do not get written into swap.  However, there are some
207  * problems. The private key contains BIGNUMs, and we do not (in principle)
208  * have access to the internals of them, and locking just the structure is
209  * not very useful.  Currently, memory locking is not implemented.
210  */
211 struct {
212 	Key	*server_key;		/* ephemeral server key */
213 	Key	*ssh1_host_key;		/* ssh1 host key */
214 	Key	**host_keys;		/* all private host keys */
215 	int	have_ssh1_key;
216 	int	have_ssh2_key;
217 	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
218 } sensitive_data;
219 
220 /*
221  * Flag indicating whether the RSA server key needs to be regenerated.
222  * Is set in the SIGALRM handler and cleared when the key is regenerated.
223  */
224 static volatile sig_atomic_t key_do_regen = 0;
225 
226 /* This is set to true when a signal is received. */
227 static volatile sig_atomic_t received_sighup = 0;
228 static volatile sig_atomic_t received_sigterm = 0;
229 
230 /* session identifier, used by RSA-auth */
231 u_char session_id[16];
232 
233 /* same for ssh2 */
234 u_char *session_id2 = NULL;
235 u_int session_id2_len = 0;
236 
237 /* record remote hostname or ip */
238 u_int utmp_len = MAXHOSTNAMELEN;
239 
240 /* options.max_startup sized array of fd ints */
241 int *startup_pipes = NULL;
242 int startup_pipe;		/* in child */
243 
244 /* variables used for privilege separation */
245 int use_privsep = -1;
246 struct monitor *pmonitor = NULL;
247 
248 /* global authentication context */
249 Authctxt *the_authctxt = NULL;
250 
251 /* sshd_config buffer */
252 Buffer cfg;
253 
254 /* message to be displayed after login */
255 Buffer loginmsg;
256 
257 /* Unprivileged user */
258 struct passwd *privsep_pw = NULL;
259 
260 /* Prototypes for various functions defined later in this file. */
261 void destroy_sensitive_data(void);
262 void demote_sensitive_data(void);
263 
264 static void do_ssh1_kex(void);
265 static void do_ssh2_kex(void);
266 
267 /*
268  * Close all listening sockets
269  */
270 static void
271 close_listen_socks(void)
272 {
273 	int i;
274 
275 	for (i = 0; i < num_listen_socks; i++)
276 		close(listen_socks[i]);
277 	num_listen_socks = -1;
278 }
279 
280 static void
281 close_startup_pipes(void)
282 {
283 	int i;
284 
285 	if (startup_pipes)
286 		for (i = 0; i < options.max_startups; i++)
287 			if (startup_pipes[i] != -1)
288 				close(startup_pipes[i]);
289 }
290 
291 /*
292  * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
293  * the effect is to reread the configuration file (and to regenerate
294  * the server key).
295  */
296 
297 /*ARGSUSED*/
298 static void
299 sighup_handler(int sig)
300 {
301 	int save_errno = errno;
302 
303 	received_sighup = 1;
304 	signal(SIGHUP, sighup_handler);
305 	errno = save_errno;
306 }
307 
308 /*
309  * Called from the main program after receiving SIGHUP.
310  * Restarts the server.
311  */
312 static void
313 sighup_restart(void)
314 {
315 	logit("Received SIGHUP; restarting.");
316 	close_listen_socks();
317 	close_startup_pipes();
318 	execv(saved_argv[0], saved_argv);
319 	logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
320 	    strerror(errno));
321 	exit(1);
322 }
323 
324 /*
325  * Generic signal handler for terminating signals in the master daemon.
326  */
327 /*ARGSUSED*/
328 static void
329 sigterm_handler(int sig)
330 {
331 	received_sigterm = sig;
332 }
333 
334 /*
335  * SIGCHLD handler.  This is called whenever a child dies.  This will then
336  * reap any zombies left by exited children.
337  */
338 /*ARGSUSED*/
339 static void
340 main_sigchld_handler(int sig)
341 {
342 	int save_errno = errno;
343 	pid_t pid;
344 	int status;
345 
346 	while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
347 	    (pid < 0 && errno == EINTR))
348 		;
349 
350 	signal(SIGCHLD, main_sigchld_handler);
351 	errno = save_errno;
352 }
353 
354 /*
355  * Signal handler for the alarm after the login grace period has expired.
356  */
357 /*ARGSUSED*/
358 static void
359 grace_alarm_handler(int sig)
360 {
361 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
362 		kill(pmonitor->m_pid, SIGALRM);
363 
364 	/* Log error and exit. */
365 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
366 }
367 
368 /*
369  * Signal handler for the key regeneration alarm.  Note that this
370  * alarm only occurs in the daemon waiting for connections, and it does not
371  * do anything with the private key or random state before forking.
372  * Thus there should be no concurrency control/asynchronous execution
373  * problems.
374  */
375 static void
376 generate_ephemeral_server_key(void)
377 {
378 	u_int32_t rnd = 0;
379 	int i;
380 
381 	verbose("Generating %s%d bit RSA key.",
382 	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
383 	if (sensitive_data.server_key != NULL)
384 		key_free(sensitive_data.server_key);
385 	sensitive_data.server_key = key_generate(KEY_RSA1,
386 	    options.server_key_bits);
387 	verbose("RSA key generation complete.");
388 
389 	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
390 		if (i % 4 == 0)
391 			rnd = arc4random();
392 		sensitive_data.ssh1_cookie[i] = rnd & 0xff;
393 		rnd >>= 8;
394 	}
395 	arc4random_stir();
396 }
397 
398 /*ARGSUSED*/
399 static void
400 key_regeneration_alarm(int sig)
401 {
402 	int save_errno = errno;
403 
404 	signal(SIGALRM, SIG_DFL);
405 	errno = save_errno;
406 	key_do_regen = 1;
407 }
408 
409 static void
410 sshd_exchange_identification(int sock_in, int sock_out)
411 {
412 	u_int i;
413 	int mismatch;
414 	int remote_major, remote_minor;
415 	int major, minor;
416 	char *s;
417 	char buf[256];			/* Must not be larger than remote_version. */
418 	char remote_version[256];	/* Must be at least as big as buf. */
419 
420 	if ((options.protocol & SSH_PROTO_1) &&
421 	    (options.protocol & SSH_PROTO_2)) {
422 		major = PROTOCOL_MAJOR_1;
423 		minor = 99;
424 	} else if (options.protocol & SSH_PROTO_2) {
425 		major = PROTOCOL_MAJOR_2;
426 		minor = PROTOCOL_MINOR_2;
427 	} else {
428 		major = PROTOCOL_MAJOR_1;
429 		minor = PROTOCOL_MINOR_1;
430 	}
431 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
432 	server_version_string = xstrdup(buf);
433 
434 	/* Send our protocol version identification. */
435 	if (atomicio(vwrite, sock_out, server_version_string,
436 	    strlen(server_version_string))
437 	    != strlen(server_version_string)) {
438 		logit("Could not write ident string to %s", get_remote_ipaddr());
439 		cleanup_exit(255);
440 	}
441 
442 	/* Read other sides version identification. */
443 	memset(buf, 0, sizeof(buf));
444 	for (i = 0; i < sizeof(buf) - 1; i++) {
445 		if (atomicio(read, sock_in, &buf[i], 1) != 1) {
446 			logit("Did not receive identification string from %s",
447 			    get_remote_ipaddr());
448 			cleanup_exit(255);
449 		}
450 		if (buf[i] == '\r') {
451 			buf[i] = 0;
452 			/* Kludge for F-Secure Macintosh < 1.0.2 */
453 			if (i == 12 &&
454 			    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
455 				break;
456 			continue;
457 		}
458 		if (buf[i] == '\n') {
459 			buf[i] = 0;
460 			break;
461 		}
462 	}
463 	buf[sizeof(buf) - 1] = 0;
464 	client_version_string = xstrdup(buf);
465 
466 	/*
467 	 * Check that the versions match.  In future this might accept
468 	 * several versions and set appropriate flags to handle them.
469 	 */
470 	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
471 	    &remote_major, &remote_minor, remote_version) != 3) {
472 		s = "Protocol mismatch.\n";
473 		(void) atomicio(vwrite, sock_out, s, strlen(s));
474 		close(sock_in);
475 		close(sock_out);
476 		logit("Bad protocol version identification '%.100s' from %s",
477 		    client_version_string, get_remote_ipaddr());
478 		cleanup_exit(255);
479 	}
480 	debug("Client protocol version %d.%d; client software version %.100s",
481 	    remote_major, remote_minor, remote_version);
482 
483 	compat_datafellows(remote_version);
484 
485 	if (datafellows & SSH_BUG_PROBE) {
486 		logit("probed from %s with %s.  Don't panic.",
487 		    get_remote_ipaddr(), client_version_string);
488 		cleanup_exit(255);
489 	}
490 
491 	if (datafellows & SSH_BUG_SCANNER) {
492 		logit("scanned from %s with %s.  Don't panic.",
493 		    get_remote_ipaddr(), client_version_string);
494 		cleanup_exit(255);
495 	}
496 
497 	mismatch = 0;
498 	switch (remote_major) {
499 	case 1:
500 		if (remote_minor == 99) {
501 			if (options.protocol & SSH_PROTO_2)
502 				enable_compat20();
503 			else
504 				mismatch = 1;
505 			break;
506 		}
507 		if (!(options.protocol & SSH_PROTO_1)) {
508 			mismatch = 1;
509 			break;
510 		}
511 		if (remote_minor < 3) {
512 			packet_disconnect("Your ssh version is too old and "
513 			    "is no longer supported.  Please install a newer version.");
514 		} else if (remote_minor == 3) {
515 			/* note that this disables agent-forwarding */
516 			enable_compat13();
517 		}
518 		break;
519 	case 2:
520 		if (options.protocol & SSH_PROTO_2) {
521 			enable_compat20();
522 			break;
523 		}
524 		/* FALLTHROUGH */
525 	default:
526 		mismatch = 1;
527 		break;
528 	}
529 	chop(server_version_string);
530 	debug("Local version string %.200s", server_version_string);
531 
532 	if (mismatch) {
533 		s = "Protocol major versions differ.\n";
534 		(void) atomicio(vwrite, sock_out, s, strlen(s));
535 		close(sock_in);
536 		close(sock_out);
537 		logit("Protocol major versions differ for %s: %.200s vs. %.200s",
538 		    get_remote_ipaddr(),
539 		    server_version_string, client_version_string);
540 		cleanup_exit(255);
541 	}
542 }
543 
544 /* Destroy the host and server keys.  They will no longer be needed. */
545 void
546 destroy_sensitive_data(void)
547 {
548 	int i;
549 
550 	if (sensitive_data.server_key) {
551 		key_free(sensitive_data.server_key);
552 		sensitive_data.server_key = NULL;
553 	}
554 	for (i = 0; i < options.num_host_key_files; i++) {
555 		if (sensitive_data.host_keys[i]) {
556 			key_free(sensitive_data.host_keys[i]);
557 			sensitive_data.host_keys[i] = NULL;
558 		}
559 	}
560 	sensitive_data.ssh1_host_key = NULL;
561 	memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
562 }
563 
564 /* Demote private to public keys for network child */
565 void
566 demote_sensitive_data(void)
567 {
568 	Key *tmp;
569 	int i;
570 
571 	if (sensitive_data.server_key) {
572 		tmp = key_demote(sensitive_data.server_key);
573 		key_free(sensitive_data.server_key);
574 		sensitive_data.server_key = tmp;
575 	}
576 
577 	for (i = 0; i < options.num_host_key_files; i++) {
578 		if (sensitive_data.host_keys[i]) {
579 			tmp = key_demote(sensitive_data.host_keys[i]);
580 			key_free(sensitive_data.host_keys[i]);
581 			sensitive_data.host_keys[i] = tmp;
582 			if (tmp->type == KEY_RSA1)
583 				sensitive_data.ssh1_host_key = tmp;
584 		}
585 	}
586 
587 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
588 }
589 
590 static void
591 privsep_preauth_child(void)
592 {
593 	u_int32_t rnd[256];
594 	gid_t gidset[1];
595 	int i;
596 
597 	/* Enable challenge-response authentication for privilege separation */
598 	privsep_challenge_enable();
599 
600 	for (i = 0; i < 256; i++)
601 		rnd[i] = arc4random();
602 	RAND_seed(rnd, sizeof(rnd));
603 
604 	/* Demote the private keys to public keys. */
605 	demote_sensitive_data();
606 
607 	/* Change our root directory */
608 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
609 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
610 		    strerror(errno));
611 	if (chdir("/") == -1)
612 		fatal("chdir(\"/\"): %s", strerror(errno));
613 
614 	/* Drop our privileges */
615 	debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
616 	    (u_int)privsep_pw->pw_gid);
617 #if 0
618 	/* XXX not ready, too heavy after chroot */
619 	do_setusercontext(privsep_pw);
620 #else
621 	gidset[0] = privsep_pw->pw_gid;
622 	if (setgroups(1, gidset) < 0)
623 		fatal("setgroups: %.100s", strerror(errno));
624 	permanently_set_uid(privsep_pw);
625 #endif
626 }
627 
628 static int
629 privsep_preauth(Authctxt *authctxt)
630 {
631 	int status;
632 	pid_t pid;
633 
634 	/* Set up unprivileged child process to deal with network data */
635 	pmonitor = monitor_init();
636 	/* Store a pointer to the kex for later rekeying */
637 	pmonitor->m_pkex = &xxx_kex;
638 
639 	pid = fork();
640 	if (pid == -1) {
641 		fatal("fork of unprivileged child failed");
642 	} else if (pid != 0) {
643 		debug2("Network child is on pid %ld", (long)pid);
644 
645 		close(pmonitor->m_recvfd);
646 		pmonitor->m_pid = pid;
647 		monitor_child_preauth(authctxt, pmonitor);
648 		close(pmonitor->m_sendfd);
649 
650 		/* Sync memory */
651 		monitor_sync(pmonitor);
652 
653 		/* Wait for the child's exit status */
654 		while (waitpid(pid, &status, 0) < 0)
655 			if (errno != EINTR)
656 				break;
657 		return (1);
658 	} else {
659 		/* child */
660 
661 		close(pmonitor->m_sendfd);
662 
663 		/* Demote the child */
664 		if (getuid() == 0 || geteuid() == 0)
665 			privsep_preauth_child();
666 		setproctitle("%s", "[net]");
667 	}
668 	return (0);
669 }
670 
671 static void
672 privsep_postauth(Authctxt *authctxt)
673 {
674 #ifdef DISABLE_FD_PASSING
675 	if (1) {
676 #else
677 	if (authctxt->pw->pw_uid == 0 || options.use_login) {
678 #endif
679 		/* File descriptor passing is broken or root login */
680 		use_privsep = 0;
681 		goto skip;
682 	}
683 
684 	/* New socket pair */
685 	monitor_reinit(pmonitor);
686 
687 	pmonitor->m_pid = fork();
688 	if (pmonitor->m_pid == -1)
689 		fatal("fork of unprivileged child failed");
690 	else if (pmonitor->m_pid != 0) {
691 		debug2("User child is on pid %ld", (long)pmonitor->m_pid);
692 		close(pmonitor->m_recvfd);
693 		buffer_clear(&loginmsg);
694 		monitor_child_postauth(pmonitor);
695 
696 		/* NEVERREACHED */
697 		exit(0);
698 	}
699 
700 	close(pmonitor->m_sendfd);
701 
702 	/* Demote the private keys to public keys. */
703 	demote_sensitive_data();
704 
705 	/* Drop privileges */
706 	do_setusercontext(authctxt->pw);
707 
708  skip:
709 	/* It is safe now to apply the key state */
710 	monitor_apply_keystate(pmonitor);
711 
712 	/*
713 	 * Tell the packet layer that authentication was successful, since
714 	 * this information is not part of the key state.
715 	 */
716 	packet_set_authenticated();
717 }
718 
719 static char *
720 list_hostkey_types(void)
721 {
722 	Buffer b;
723 	const char *p;
724 	char *ret;
725 	int i;
726 
727 	buffer_init(&b);
728 	for (i = 0; i < options.num_host_key_files; i++) {
729 		Key *key = sensitive_data.host_keys[i];
730 		if (key == NULL)
731 			continue;
732 		switch (key->type) {
733 		case KEY_RSA:
734 		case KEY_DSA:
735 			if (buffer_len(&b) > 0)
736 				buffer_append(&b, ",", 1);
737 			p = key_ssh_name(key);
738 			buffer_append(&b, p, strlen(p));
739 			break;
740 		}
741 	}
742 	buffer_append(&b, "\0", 1);
743 	ret = xstrdup(buffer_ptr(&b));
744 	buffer_free(&b);
745 	debug("list_hostkey_types: %s", ret);
746 	return ret;
747 }
748 
749 Key *
750 get_hostkey_by_type(int type)
751 {
752 	int i;
753 
754 	for (i = 0; i < options.num_host_key_files; i++) {
755 		Key *key = sensitive_data.host_keys[i];
756 		if (key != NULL && key->type == type)
757 			return key;
758 	}
759 	return NULL;
760 }
761 
762 Key *
763 get_hostkey_by_index(int ind)
764 {
765 	if (ind < 0 || ind >= options.num_host_key_files)
766 		return (NULL);
767 	return (sensitive_data.host_keys[ind]);
768 }
769 
770 int
771 get_hostkey_index(Key *key)
772 {
773 	int i;
774 
775 	for (i = 0; i < options.num_host_key_files; i++) {
776 		if (key == sensitive_data.host_keys[i])
777 			return (i);
778 	}
779 	return (-1);
780 }
781 
782 /*
783  * returns 1 if connection should be dropped, 0 otherwise.
784  * dropping starts at connection #max_startups_begin with a probability
785  * of (max_startups_rate/100). the probability increases linearly until
786  * all connections are dropped for startups > max_startups
787  */
788 static int
789 drop_connection(int startups)
790 {
791 	int p, r;
792 
793 	if (startups < options.max_startups_begin)
794 		return 0;
795 	if (startups >= options.max_startups)
796 		return 1;
797 	if (options.max_startups_rate == 100)
798 		return 1;
799 
800 	p  = 100 - options.max_startups_rate;
801 	p *= startups - options.max_startups_begin;
802 	p /= options.max_startups - options.max_startups_begin;
803 	p += options.max_startups_rate;
804 	r = arc4random() % 100;
805 
806 	debug("drop_connection: p %d, r %d", p, r);
807 	return (r < p) ? 1 : 0;
808 }
809 
810 static void
811 usage(void)
812 {
813 	fprintf(stderr, "%s, %s\n",
814 	    SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
815 	fprintf(stderr,
816 "usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
817 "            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
818 	);
819 	exit(1);
820 }
821 
822 static void
823 send_rexec_state(int fd, Buffer *conf)
824 {
825 	Buffer m;
826 
827 	debug3("%s: entering fd = %d config len %d", __func__, fd,
828 	    buffer_len(conf));
829 
830 	/*
831 	 * Protocol from reexec master to child:
832 	 *	string	configuration
833 	 *	u_int	ephemeral_key_follows
834 	 *	bignum	e		(only if ephemeral_key_follows == 1)
835 	 *	bignum	n			"
836 	 *	bignum	d			"
837 	 *	bignum	iqmp			"
838 	 *	bignum	p			"
839 	 *	bignum	q			"
840 	 *	string rngseed		(only if OpenSSL is not self-seeded)
841 	 */
842 	buffer_init(&m);
843 	buffer_put_cstring(&m, buffer_ptr(conf));
844 
845 	if (sensitive_data.server_key != NULL &&
846 	    sensitive_data.server_key->type == KEY_RSA1) {
847 		buffer_put_int(&m, 1);
848 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->e);
849 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->n);
850 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->d);
851 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->iqmp);
852 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
853 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
854 	} else
855 		buffer_put_int(&m, 0);
856 
857 #ifndef OPENSSL_PRNG_ONLY
858 	rexec_send_rng_seed(&m);
859 #endif
860 
861 	if (ssh_msg_send(fd, 0, &m) == -1)
862 		fatal("%s: ssh_msg_send failed", __func__);
863 
864 	buffer_free(&m);
865 
866 	debug3("%s: done", __func__);
867 }
868 
869 static void
870 recv_rexec_state(int fd, Buffer *conf)
871 {
872 	Buffer m;
873 	char *cp;
874 	u_int len;
875 
876 	debug3("%s: entering fd = %d", __func__, fd);
877 
878 	buffer_init(&m);
879 
880 	if (ssh_msg_recv(fd, &m) == -1)
881 		fatal("%s: ssh_msg_recv failed", __func__);
882 	if (buffer_get_char(&m) != 0)
883 		fatal("%s: rexec version mismatch", __func__);
884 
885 	cp = buffer_get_string(&m, &len);
886 	if (conf != NULL)
887 		buffer_append(conf, cp, len + 1);
888 	xfree(cp);
889 
890 	if (buffer_get_int(&m)) {
891 		if (sensitive_data.server_key != NULL)
892 			key_free(sensitive_data.server_key);
893 		sensitive_data.server_key = key_new_private(KEY_RSA1);
894 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->e);
895 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->n);
896 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->d);
897 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp);
898 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->p);
899 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
900 		rsa_generate_additional_parameters(
901 		    sensitive_data.server_key->rsa);
902 	}
903 
904 #ifndef OPENSSL_PRNG_ONLY
905 	rexec_recv_rng_seed(&m);
906 #endif
907 
908 	buffer_free(&m);
909 
910 	debug3("%s: done", __func__);
911 }
912 
913 /* Accept a connection from inetd */
914 static void
915 server_accept_inetd(int *sock_in, int *sock_out)
916 {
917 	int fd;
918 
919 	startup_pipe = -1;
920 	if (rexeced_flag) {
921 		close(REEXEC_CONFIG_PASS_FD);
922 		*sock_in = *sock_out = dup(STDIN_FILENO);
923 		if (!debug_flag) {
924 			startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
925 			close(REEXEC_STARTUP_PIPE_FD);
926 		}
927 	} else {
928 		*sock_in = dup(STDIN_FILENO);
929 		*sock_out = dup(STDOUT_FILENO);
930 	}
931 	/*
932 	 * We intentionally do not close the descriptors 0, 1, and 2
933 	 * as our code for setting the descriptors won't work if
934 	 * ttyfd happens to be one of those.
935 	 */
936 	if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
937 		dup2(fd, STDIN_FILENO);
938 		dup2(fd, STDOUT_FILENO);
939 		if (fd > STDOUT_FILENO)
940 			close(fd);
941 	}
942 	debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
943 }
944 
945 /*
946  * Listen for TCP connections
947  */
948 static void
949 server_listen(void)
950 {
951 	int ret, listen_sock, on = 1;
952 	struct addrinfo *ai;
953 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
954 
955 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
956 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
957 			continue;
958 		if (num_listen_socks >= MAX_LISTEN_SOCKS)
959 			fatal("Too many listen sockets. "
960 			    "Enlarge MAX_LISTEN_SOCKS");
961 		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
962 		    ntop, sizeof(ntop), strport, sizeof(strport),
963 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
964 			error("getnameinfo failed: %.100s",
965 			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
966 			    strerror(errno));
967 			continue;
968 		}
969 		/* Create socket for listening. */
970 		listen_sock = socket(ai->ai_family, ai->ai_socktype,
971 		    ai->ai_protocol);
972 		if (listen_sock < 0) {
973 			/* kernel may not support ipv6 */
974 			verbose("socket: %.100s", strerror(errno));
975 			continue;
976 		}
977 		if (set_nonblock(listen_sock) == -1) {
978 			close(listen_sock);
979 			continue;
980 		}
981 		/*
982 		 * Set socket options.
983 		 * Allow local port reuse in TIME_WAIT.
984 		 */
985 		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
986 		    &on, sizeof(on)) == -1)
987 			error("setsockopt SO_REUSEADDR: %s", strerror(errno));
988 
989 		debug("Bind to port %s on %s.", strport, ntop);
990 
991 		/* Bind the socket to the desired port. */
992 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
993 			error("Bind to port %s on %s failed: %.200s.",
994 			    strport, ntop, strerror(errno));
995 			close(listen_sock);
996 			continue;
997 		}
998 		listen_socks[num_listen_socks] = listen_sock;
999 		num_listen_socks++;
1000 
1001 		/* Start listening on the port. */
1002 		if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
1003 			fatal("listen on [%s]:%s: %.100s",
1004 			    ntop, strport, strerror(errno));
1005 		logit("Server listening on %s port %s.", ntop, strport);
1006 	}
1007 	freeaddrinfo(options.listen_addrs);
1008 
1009 	if (!num_listen_socks)
1010 		fatal("Cannot bind any address.");
1011 }
1012 
1013 /*
1014  * The main TCP accept loop. Note that, for the non-debug case, returns
1015  * from this function are in a forked subprocess.
1016  */
1017 static void
1018 server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1019 {
1020 	fd_set *fdset;
1021 	int i, j, ret, maxfd;
1022 	int key_used = 0, startups = 0;
1023 	int startup_p[2] = { -1 , -1 };
1024 	struct sockaddr_storage from;
1025 	socklen_t fromlen;
1026 	pid_t pid;
1027 
1028 	/* setup fd set for accept */
1029 	fdset = NULL;
1030 	maxfd = 0;
1031 	for (i = 0; i < num_listen_socks; i++)
1032 		if (listen_socks[i] > maxfd)
1033 			maxfd = listen_socks[i];
1034 	/* pipes connected to unauthenticated childs */
1035 	startup_pipes = xcalloc(options.max_startups, sizeof(int));
1036 	for (i = 0; i < options.max_startups; i++)
1037 		startup_pipes[i] = -1;
1038 
1039 	/*
1040 	 * Stay listening for connections until the system crashes or
1041 	 * the daemon is killed with a signal.
1042 	 */
1043 	for (;;) {
1044 		if (received_sighup)
1045 			sighup_restart();
1046 		if (fdset != NULL)
1047 			xfree(fdset);
1048 		fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
1049 		    sizeof(fd_mask));
1050 
1051 		for (i = 0; i < num_listen_socks; i++)
1052 			FD_SET(listen_socks[i], fdset);
1053 		for (i = 0; i < options.max_startups; i++)
1054 			if (startup_pipes[i] != -1)
1055 				FD_SET(startup_pipes[i], fdset);
1056 
1057 		/* Wait in select until there is a connection. */
1058 		ret = select(maxfd+1, fdset, NULL, NULL, NULL);
1059 		if (ret < 0 && errno != EINTR)
1060 			error("select: %.100s", strerror(errno));
1061 		if (received_sigterm) {
1062 			logit("Received signal %d; terminating.",
1063 			    (int) received_sigterm);
1064 			close_listen_socks();
1065 			unlink(options.pid_file);
1066 			exit(255);
1067 		}
1068 		if (key_used && key_do_regen) {
1069 			generate_ephemeral_server_key();
1070 			key_used = 0;
1071 			key_do_regen = 0;
1072 		}
1073 		if (ret < 0)
1074 			continue;
1075 
1076 		for (i = 0; i < options.max_startups; i++)
1077 			if (startup_pipes[i] != -1 &&
1078 			    FD_ISSET(startup_pipes[i], fdset)) {
1079 				/*
1080 				 * the read end of the pipe is ready
1081 				 * if the child has closed the pipe
1082 				 * after successful authentication
1083 				 * or if the child has died
1084 				 */
1085 				close(startup_pipes[i]);
1086 				startup_pipes[i] = -1;
1087 				startups--;
1088 			}
1089 		for (i = 0; i < num_listen_socks; i++) {
1090 			if (!FD_ISSET(listen_socks[i], fdset))
1091 				continue;
1092 			fromlen = sizeof(from);
1093 			*newsock = accept(listen_socks[i],
1094 			    (struct sockaddr *)&from, &fromlen);
1095 			if (*newsock < 0) {
1096 				if (errno != EINTR && errno != EWOULDBLOCK)
1097 					error("accept: %.100s", strerror(errno));
1098 				continue;
1099 			}
1100 			if (unset_nonblock(*newsock) == -1) {
1101 				close(*newsock);
1102 				continue;
1103 			}
1104 			if (drop_connection(startups) == 1) {
1105 				debug("drop connection #%d", startups);
1106 				close(*newsock);
1107 				continue;
1108 			}
1109 			if (pipe(startup_p) == -1) {
1110 				close(*newsock);
1111 				continue;
1112 			}
1113 
1114 			if (rexec_flag && socketpair(AF_UNIX,
1115 			    SOCK_STREAM, 0, config_s) == -1) {
1116 				error("reexec socketpair: %s",
1117 				    strerror(errno));
1118 				close(*newsock);
1119 				close(startup_p[0]);
1120 				close(startup_p[1]);
1121 				continue;
1122 			}
1123 
1124 			for (j = 0; j < options.max_startups; j++)
1125 				if (startup_pipes[j] == -1) {
1126 					startup_pipes[j] = startup_p[0];
1127 					if (maxfd < startup_p[0])
1128 						maxfd = startup_p[0];
1129 					startups++;
1130 					break;
1131 				}
1132 
1133 			/*
1134 			 * Got connection.  Fork a child to handle it, unless
1135 			 * we are in debugging mode.
1136 			 */
1137 			if (debug_flag) {
1138 				/*
1139 				 * In debugging mode.  Close the listening
1140 				 * socket, and start processing the
1141 				 * connection without forking.
1142 				 */
1143 				debug("Server will not fork when running in debugging mode.");
1144 				close_listen_socks();
1145 				*sock_in = *newsock;
1146 				*sock_out = *newsock;
1147 				close(startup_p[0]);
1148 				close(startup_p[1]);
1149 				startup_pipe = -1;
1150 				pid = getpid();
1151 				if (rexec_flag) {
1152 					send_rexec_state(config_s[0],
1153 					    &cfg);
1154 					close(config_s[0]);
1155 				}
1156 				break;
1157 			}
1158 
1159 			/*
1160 			 * Normal production daemon.  Fork, and have
1161 			 * the child process the connection. The
1162 			 * parent continues listening.
1163 			 */
1164 			platform_pre_fork();
1165 			if ((pid = fork()) == 0) {
1166 				/*
1167 				 * Child.  Close the listening and
1168 				 * max_startup sockets.  Start using
1169 				 * the accepted socket. Reinitialize
1170 				 * logging (since our pid has changed).
1171 				 * We break out of the loop to handle
1172 				 * the connection.
1173 				 */
1174 				platform_post_fork_child();
1175 				startup_pipe = startup_p[1];
1176 				close_startup_pipes();
1177 				close_listen_socks();
1178 				*sock_in = *newsock;
1179 				*sock_out = *newsock;
1180 				log_init(__progname,
1181 				    options.log_level,
1182 				    options.log_facility,
1183 				    log_stderr);
1184 				if (rexec_flag)
1185 					close(config_s[0]);
1186 				break;
1187 			}
1188 
1189 			/* Parent.  Stay in the loop. */
1190 			platform_post_fork_parent(pid);
1191 			if (pid < 0)
1192 				error("fork: %.100s", strerror(errno));
1193 			else
1194 				debug("Forked child %ld.", (long)pid);
1195 
1196 			close(startup_p[1]);
1197 
1198 			if (rexec_flag) {
1199 				send_rexec_state(config_s[0], &cfg);
1200 				close(config_s[0]);
1201 				close(config_s[1]);
1202 			}
1203 
1204 			/*
1205 			 * Mark that the key has been used (it
1206 			 * was "given" to the child).
1207 			 */
1208 			if ((options.protocol & SSH_PROTO_1) &&
1209 			    key_used == 0) {
1210 				/* Schedule server key regeneration alarm. */
1211 				signal(SIGALRM, key_regeneration_alarm);
1212 				alarm(options.key_regeneration_time);
1213 				key_used = 1;
1214 			}
1215 
1216 			close(*newsock);
1217 
1218 			/*
1219 			 * Ensure that our random state differs
1220 			 * from that of the child
1221 			 */
1222 			arc4random_stir();
1223 		}
1224 
1225 		/* child process check (or debug mode) */
1226 		if (num_listen_socks < 0)
1227 			break;
1228 	}
1229 }
1230 
1231 
1232 /*
1233  * Main program for the daemon.
1234  */
1235 int
1236 main(int ac, char **av)
1237 {
1238 	extern char *optarg;
1239 	extern int optind;
1240 	int opt, i, on = 1;
1241 	int sock_in = -1, sock_out = -1, newsock = -1;
1242 	const char *remote_ip;
1243 	int remote_port;
1244 	char *line;
1245 	int config_s[2] = { -1 , -1 };
1246 	Key *key;
1247 	Authctxt *authctxt;
1248 
1249 #ifdef HAVE_SECUREWARE
1250 	(void)set_auth_parameters(ac, av);
1251 #endif
1252 	__progname = ssh_get_progname(av[0]);
1253 	init_rng();
1254 
1255 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
1256 	saved_argc = ac;
1257 	rexec_argc = ac;
1258 	saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
1259 	for (i = 0; i < ac; i++)
1260 		saved_argv[i] = xstrdup(av[i]);
1261 	saved_argv[i] = NULL;
1262 
1263 #ifndef HAVE_SETPROCTITLE
1264 	/* Prepare for later setproctitle emulation */
1265 	compat_init_setproctitle(ac, av);
1266 	av = saved_argv;
1267 #endif
1268 
1269 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
1270 		debug("setgroups(): %.200s", strerror(errno));
1271 
1272 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
1273 	sanitise_stdfd();
1274 
1275 	/* Initialize configuration options to their default values. */
1276 	initialize_server_options(&options);
1277 
1278 	/* Parse command-line arguments. */
1279 	while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) {
1280 		switch (opt) {
1281 		case '4':
1282 			options.address_family = AF_INET;
1283 			break;
1284 		case '6':
1285 			options.address_family = AF_INET6;
1286 			break;
1287 		case 'f':
1288 			config_file_name = optarg;
1289 			break;
1290 		case 'd':
1291 			if (debug_flag == 0) {
1292 				debug_flag = 1;
1293 				options.log_level = SYSLOG_LEVEL_DEBUG1;
1294 			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3)
1295 				options.log_level++;
1296 			break;
1297 		case 'D':
1298 			no_daemon_flag = 1;
1299 			break;
1300 		case 'e':
1301 			log_stderr = 1;
1302 			break;
1303 		case 'i':
1304 			inetd_flag = 1;
1305 			break;
1306 		case 'r':
1307 			rexec_flag = 0;
1308 			break;
1309 		case 'R':
1310 			rexeced_flag = 1;
1311 			inetd_flag = 1;
1312 			break;
1313 		case 'Q':
1314 			/* ignored */
1315 			break;
1316 		case 'q':
1317 			options.log_level = SYSLOG_LEVEL_QUIET;
1318 			break;
1319 		case 'b':
1320 			options.server_key_bits = (int)strtonum(optarg, 256,
1321 			    32768, NULL);
1322 			break;
1323 		case 'p':
1324 			options.ports_from_cmdline = 1;
1325 			if (options.num_ports >= MAX_PORTS) {
1326 				fprintf(stderr, "too many ports.\n");
1327 				exit(1);
1328 			}
1329 			options.ports[options.num_ports++] = a2port(optarg);
1330 			if (options.ports[options.num_ports-1] == 0) {
1331 				fprintf(stderr, "Bad port number.\n");
1332 				exit(1);
1333 			}
1334 			break;
1335 		case 'g':
1336 			if ((options.login_grace_time = convtime(optarg)) == -1) {
1337 				fprintf(stderr, "Invalid login grace time.\n");
1338 				exit(1);
1339 			}
1340 			break;
1341 		case 'k':
1342 			if ((options.key_regeneration_time = convtime(optarg)) == -1) {
1343 				fprintf(stderr, "Invalid key regeneration interval.\n");
1344 				exit(1);
1345 			}
1346 			break;
1347 		case 'h':
1348 			if (options.num_host_key_files >= MAX_HOSTKEYS) {
1349 				fprintf(stderr, "too many host keys.\n");
1350 				exit(1);
1351 			}
1352 			options.host_key_files[options.num_host_key_files++] = optarg;
1353 			break;
1354 		case 't':
1355 			test_flag = 1;
1356 			break;
1357 		case 'u':
1358 			utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL);
1359 			if (utmp_len > MAXHOSTNAMELEN) {
1360 				fprintf(stderr, "Invalid utmp length.\n");
1361 				exit(1);
1362 			}
1363 			break;
1364 		case 'o':
1365 			line = xstrdup(optarg);
1366 			if (process_server_config_line(&options, line,
1367 			    "command-line", 0, NULL, NULL, NULL, NULL) != 0)
1368 				exit(1);
1369 			xfree(line);
1370 			break;
1371 		case '?':
1372 		default:
1373 			usage();
1374 			break;
1375 		}
1376 	}
1377 	if (rexeced_flag || inetd_flag)
1378 		rexec_flag = 0;
1379 	if (rexec_flag && (av[0] == NULL || *av[0] != '/'))
1380 		fatal("sshd re-exec requires execution with an absolute path");
1381 	if (rexeced_flag)
1382 		closefrom(REEXEC_MIN_FREE_FD);
1383 	else
1384 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
1385 
1386 	SSLeay_add_all_algorithms();
1387 
1388 	/*
1389 	 * Force logging to stderr until we have loaded the private host
1390 	 * key (unless started from inetd)
1391 	 */
1392 	log_init(__progname,
1393 	    options.log_level == SYSLOG_LEVEL_NOT_SET ?
1394 	    SYSLOG_LEVEL_INFO : options.log_level,
1395 	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
1396 	    SYSLOG_FACILITY_AUTH : options.log_facility,
1397 	    log_stderr || !inetd_flag);
1398 
1399 	/*
1400 	 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
1401 	 * root's environment
1402 	 */
1403 	if (getenv("KRB5CCNAME") != NULL)
1404 		unsetenv("KRB5CCNAME");
1405 
1406 #ifdef _UNICOS
1407 	/* Cray can define user privs drop all privs now!
1408 	 * Not needed on PRIV_SU systems!
1409 	 */
1410 	drop_cray_privs();
1411 #endif
1412 
1413 	sensitive_data.server_key = NULL;
1414 	sensitive_data.ssh1_host_key = NULL;
1415 	sensitive_data.have_ssh1_key = 0;
1416 	sensitive_data.have_ssh2_key = 0;
1417 
1418 	/* Fetch our configuration */
1419 	buffer_init(&cfg);
1420 	if (rexeced_flag)
1421 		recv_rexec_state(REEXEC_CONFIG_PASS_FD, &cfg);
1422 	else
1423 		load_server_config(config_file_name, &cfg);
1424 
1425 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
1426 	    &cfg, NULL, NULL, NULL);
1427 
1428 	seed_rng();
1429 
1430 	/* Fill in default values for those options not explicitly set. */
1431 	fill_default_server_options(&options);
1432 
1433 	/* set default channel AF */
1434 	channel_set_af(options.address_family);
1435 
1436 	/* Check that there are no remaining arguments. */
1437 	if (optind < ac) {
1438 		fprintf(stderr, "Extra argument %s.\n", av[optind]);
1439 		exit(1);
1440 	}
1441 
1442 	debug("sshd version %.100s", SSH_RELEASE);
1443 
1444 	/* Store privilege separation user for later use if required. */
1445 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
1446 		if (use_privsep || options.kerberos_authentication)
1447 			fatal("Privilege separation user %s does not exist",
1448 			    SSH_PRIVSEP_USER);
1449 	} else {
1450 		memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
1451 		privsep_pw = pwcopy(privsep_pw);
1452 		xfree(privsep_pw->pw_passwd);
1453 		privsep_pw->pw_passwd = xstrdup("*");
1454 	}
1455 	endpwent();
1456 
1457 	/* load private host keys */
1458 	sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1459 	    sizeof(Key *));
1460 	for (i = 0; i < options.num_host_key_files; i++)
1461 		sensitive_data.host_keys[i] = NULL;
1462 
1463 	for (i = 0; i < options.num_host_key_files; i++) {
1464 		key = key_load_private(options.host_key_files[i], "", NULL);
1465 		sensitive_data.host_keys[i] = key;
1466 		if (key == NULL) {
1467 			error("Could not load host key: %s",
1468 			    options.host_key_files[i]);
1469 			sensitive_data.host_keys[i] = NULL;
1470 			continue;
1471 		}
1472 		switch (key->type) {
1473 		case KEY_RSA1:
1474 			sensitive_data.ssh1_host_key = key;
1475 			sensitive_data.have_ssh1_key = 1;
1476 			break;
1477 		case KEY_RSA:
1478 		case KEY_DSA:
1479 			sensitive_data.have_ssh2_key = 1;
1480 			break;
1481 		}
1482 		debug("private host key: #%d type %d %s", i, key->type,
1483 		    key_type(key));
1484 	}
1485 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1486 		logit("Disabling protocol version 1. Could not load host key");
1487 		options.protocol &= ~SSH_PROTO_1;
1488 	}
1489 	if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
1490 		logit("Disabling protocol version 2. Could not load host key");
1491 		options.protocol &= ~SSH_PROTO_2;
1492 	}
1493 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
1494 		logit("sshd: no hostkeys available -- exiting.");
1495 		exit(1);
1496 	}
1497 
1498 	/* Check certain values for sanity. */
1499 	if (options.protocol & SSH_PROTO_1) {
1500 		if (options.server_key_bits < 512 ||
1501 		    options.server_key_bits > 32768) {
1502 			fprintf(stderr, "Bad server key size.\n");
1503 			exit(1);
1504 		}
1505 		/*
1506 		 * Check that server and host key lengths differ sufficiently. This
1507 		 * is necessary to make double encryption work with rsaref. Oh, I
1508 		 * hate software patents. I dont know if this can go? Niels
1509 		 */
1510 		if (options.server_key_bits >
1511 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
1512 		    SSH_KEY_BITS_RESERVED && options.server_key_bits <
1513 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1514 		    SSH_KEY_BITS_RESERVED) {
1515 			options.server_key_bits =
1516 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1517 			    SSH_KEY_BITS_RESERVED;
1518 			debug("Forcing server key to %d bits to make it differ from host key.",
1519 			    options.server_key_bits);
1520 		}
1521 	}
1522 
1523 	if (use_privsep) {
1524 		struct stat st;
1525 
1526 		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
1527 		    (S_ISDIR(st.st_mode) == 0))
1528 			fatal("Missing privilege separation directory: %s",
1529 			    _PATH_PRIVSEP_CHROOT_DIR);
1530 
1531 #ifdef HAVE_CYGWIN
1532 		if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
1533 		    (st.st_uid != getuid () ||
1534 		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
1535 #else
1536 		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
1537 #endif
1538 			fatal("%s must be owned by root and not group or "
1539 			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
1540 	}
1541 
1542 	/* Configuration looks good, so exit if in test mode. */
1543 	if (test_flag)
1544 		exit(0);
1545 
1546 	/*
1547 	 * Clear out any supplemental groups we may have inherited.  This
1548 	 * prevents inadvertent creation of files with bad modes (in the
1549 	 * portable version at least, it's certainly possible for PAM
1550 	 * to create a file, and we can't control the code in every
1551 	 * module which might be used).
1552 	 */
1553 	if (setgroups(0, NULL) < 0)
1554 		debug("setgroups() failed: %.200s", strerror(errno));
1555 
1556 	if (rexec_flag) {
1557 		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
1558 		for (i = 0; i < rexec_argc; i++) {
1559 			debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
1560 			rexec_argv[i] = saved_argv[i];
1561 		}
1562 		rexec_argv[rexec_argc] = "-R";
1563 		rexec_argv[rexec_argc + 1] = NULL;
1564 	}
1565 
1566 	/* Initialize the log (it is reinitialized below in case we forked). */
1567 	if (debug_flag && (!inetd_flag || rexeced_flag))
1568 		log_stderr = 1;
1569 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1570 
1571 	/*
1572 	 * If not in debugging mode, and not started from inetd, disconnect
1573 	 * from the controlling terminal, and fork.  The original process
1574 	 * exits.
1575 	 */
1576 	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
1577 #ifdef TIOCNOTTY
1578 		int fd;
1579 #endif /* TIOCNOTTY */
1580 		if (daemon(0, 0) < 0)
1581 			fatal("daemon() failed: %.200s", strerror(errno));
1582 
1583 		/* Disconnect from the controlling tty. */
1584 #ifdef TIOCNOTTY
1585 		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
1586 		if (fd >= 0) {
1587 			(void) ioctl(fd, TIOCNOTTY, NULL);
1588 			close(fd);
1589 		}
1590 #endif /* TIOCNOTTY */
1591 	}
1592 	/* Reinitialize the log (because of the fork above). */
1593 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1594 
1595 	/* Initialize the random number generator. */
1596 	arc4random_stir();
1597 
1598 	/* Chdir to the root directory so that the current disk can be
1599 	   unmounted if desired. */
1600 	chdir("/");
1601 
1602 	/* ignore SIGPIPE */
1603 	signal(SIGPIPE, SIG_IGN);
1604 
1605 	/* Get a connection, either from inetd or a listening TCP socket */
1606 	if (inetd_flag) {
1607 		server_accept_inetd(&sock_in, &sock_out);
1608 
1609 		if ((options.protocol & SSH_PROTO_1) &&
1610 		    sensitive_data.server_key == NULL)
1611 			generate_ephemeral_server_key();
1612 	} else {
1613 		server_listen();
1614 
1615 		if (options.protocol & SSH_PROTO_1)
1616 			generate_ephemeral_server_key();
1617 
1618 		signal(SIGHUP, sighup_handler);
1619 		signal(SIGCHLD, main_sigchld_handler);
1620 		signal(SIGTERM, sigterm_handler);
1621 		signal(SIGQUIT, sigterm_handler);
1622 
1623 		/*
1624 		 * Write out the pid file after the sigterm handler
1625 		 * is setup and the listen sockets are bound
1626 		 */
1627 		if (!debug_flag) {
1628 			FILE *f = fopen(options.pid_file, "w");
1629 
1630 			if (f == NULL) {
1631 				error("Couldn't create pid file \"%s\": %s",
1632 				    options.pid_file, strerror(errno));
1633 			} else {
1634 				fprintf(f, "%ld\n", (long) getpid());
1635 				fclose(f);
1636 			}
1637 		}
1638 
1639 		/* Accept a connection and return in a forked child */
1640 		server_accept_loop(&sock_in, &sock_out,
1641 		    &newsock, config_s);
1642 	}
1643 
1644 	/* This is the child processing a new connection. */
1645 	setproctitle("%s", "[accepted]");
1646 
1647 	/*
1648 	 * Create a new session and process group since the 4.4BSD
1649 	 * setlogin() affects the entire process group.  We don't
1650 	 * want the child to be able to affect the parent.
1651 	 */
1652 #if !defined(SSHD_ACQUIRES_CTTY)
1653 	/*
1654 	 * If setsid is called, on some platforms sshd will later acquire a
1655 	 * controlling terminal which will result in "could not set
1656 	 * controlling tty" errors.
1657 	 */
1658 	if (!debug_flag && !inetd_flag && setsid() < 0)
1659 		error("setsid: %.100s", strerror(errno));
1660 #endif
1661 
1662 	if (rexec_flag) {
1663 		int fd;
1664 
1665 		debug("rexec start in %d out %d newsock %d pipe %d sock %d",
1666 		    sock_in, sock_out, newsock, startup_pipe, config_s[0]);
1667 		dup2(newsock, STDIN_FILENO);
1668 		dup2(STDIN_FILENO, STDOUT_FILENO);
1669 		if (startup_pipe == -1)
1670 			close(REEXEC_STARTUP_PIPE_FD);
1671 		else
1672 			dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD);
1673 
1674 		dup2(config_s[1], REEXEC_CONFIG_PASS_FD);
1675 		close(config_s[1]);
1676 		if (startup_pipe != -1)
1677 			close(startup_pipe);
1678 
1679 		execv(rexec_argv[0], rexec_argv);
1680 
1681 		/* Reexec has failed, fall back and continue */
1682 		error("rexec of %s failed: %s", rexec_argv[0], strerror(errno));
1683 		recv_rexec_state(REEXEC_CONFIG_PASS_FD, NULL);
1684 		log_init(__progname, options.log_level,
1685 		    options.log_facility, log_stderr);
1686 
1687 		/* Clean up fds */
1688 		startup_pipe = REEXEC_STARTUP_PIPE_FD;
1689 		close(config_s[1]);
1690 		close(REEXEC_CONFIG_PASS_FD);
1691 		newsock = sock_out = sock_in = dup(STDIN_FILENO);
1692 		if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
1693 			dup2(fd, STDIN_FILENO);
1694 			dup2(fd, STDOUT_FILENO);
1695 			if (fd > STDERR_FILENO)
1696 				close(fd);
1697 		}
1698 		debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d",
1699 		    sock_in, sock_out, newsock, startup_pipe, config_s[0]);
1700 	}
1701 
1702 	/*
1703 	 * Disable the key regeneration alarm.  We will not regenerate the
1704 	 * key since we are no longer in a position to give it to anyone. We
1705 	 * will not restart on SIGHUP since it no longer makes sense.
1706 	 */
1707 	alarm(0);
1708 	signal(SIGALRM, SIG_DFL);
1709 	signal(SIGHUP, SIG_DFL);
1710 	signal(SIGTERM, SIG_DFL);
1711 	signal(SIGQUIT, SIG_DFL);
1712 	signal(SIGCHLD, SIG_DFL);
1713 	signal(SIGINT, SIG_DFL);
1714 
1715 #ifdef __FreeBSD__
1716 	/*
1717 	 * Initialize the resolver.  This may not happen automatically
1718 	 * before privsep chroot().
1719 	 */
1720 	if ((_res.options & RES_INIT) == 0) {
1721 		debug("res_init()");
1722 		res_init();
1723 	}
1724 #ifdef GSSAPI
1725 	/*
1726 	 * Force GSS-API to parse its configuration and load any
1727 	 * mechanism plugins.
1728 	 */
1729 	{
1730 		gss_OID_set mechs;
1731 		OM_uint32 minor_status;
1732 		gss_indicate_mechs(&minor_status, &mechs);
1733 		gss_release_oid_set(&minor_status, &mechs);
1734 	}
1735 #endif
1736 #endif
1737 
1738 	/*
1739 	 * Register our connection.  This turns encryption off because we do
1740 	 * not have a key.
1741 	 */
1742 	packet_set_connection(sock_in, sock_out);
1743 	packet_set_server();
1744 
1745 	/* Set SO_KEEPALIVE if requested. */
1746 	if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
1747 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
1748 		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
1749 
1750 	if ((remote_port = get_remote_port()) < 0) {
1751 		debug("get_remote_port failed");
1752 		cleanup_exit(255);
1753 	}
1754 
1755 	/*
1756 	 * We use get_canonical_hostname with usedns = 0 instead of
1757 	 * get_remote_ipaddr here so IP options will be checked.
1758 	 */
1759 	(void) get_canonical_hostname(0);
1760 	/*
1761 	 * The rest of the code depends on the fact that
1762 	 * get_remote_ipaddr() caches the remote ip, even if
1763 	 * the socket goes away.
1764 	 */
1765 	remote_ip = get_remote_ipaddr();
1766 
1767 #ifdef SSH_AUDIT_EVENTS
1768 	audit_connection_from(remote_ip, remote_port);
1769 #endif
1770 #ifdef LIBWRAP
1771 	/* Check whether logins are denied from this host. */
1772 	if (packet_connection_is_on_socket()) {
1773 		struct request_info req;
1774 
1775 		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
1776 		fromhost(&req);
1777 
1778 		if (!hosts_access(&req)) {
1779 			debug("Connection refused by tcp wrapper");
1780 			refuse(&req);
1781 			/* NOTREACHED */
1782 			fatal("libwrap refuse returns");
1783 		}
1784 	}
1785 #endif /* LIBWRAP */
1786 
1787 	/* Log the connection. */
1788 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
1789 
1790 	/*
1791 	 * We don't want to listen forever unless the other side
1792 	 * successfully authenticates itself.  So we set up an alarm which is
1793 	 * cleared after successful authentication.  A limit of zero
1794 	 * indicates no limit. Note that we don't set the alarm in debugging
1795 	 * mode; it is just annoying to have the server exit just when you
1796 	 * are about to discover the bug.
1797 	 */
1798 	signal(SIGALRM, grace_alarm_handler);
1799 	if (!debug_flag)
1800 		alarm(options.login_grace_time);
1801 
1802 	sshd_exchange_identification(sock_in, sock_out);
1803 
1804 	packet_set_nonblocking();
1805 
1806 	/* allocate authentication context */
1807 	authctxt = xcalloc(1, sizeof(*authctxt));
1808 
1809 	authctxt->loginmsg = &loginmsg;
1810 
1811 	/* XXX global for cleanup, access from other modules */
1812 	the_authctxt = authctxt;
1813 
1814 	/* prepare buffer to collect messages to display to user after login */
1815 	buffer_init(&loginmsg);
1816 
1817 	if (use_privsep)
1818 		if (privsep_preauth(authctxt) == 1)
1819 			goto authenticated;
1820 
1821 	/* perform the key exchange */
1822 	/* authenticate user and start session */
1823 	if (compat20) {
1824 		do_ssh2_kex();
1825 		do_authentication2(authctxt);
1826 	} else {
1827 		do_ssh1_kex();
1828 		do_authentication(authctxt);
1829 	}
1830 	/*
1831 	 * If we use privilege separation, the unprivileged child transfers
1832 	 * the current keystate and exits
1833 	 */
1834 	if (use_privsep) {
1835 		mm_send_keystate(pmonitor);
1836 		exit(0);
1837 	}
1838 
1839  authenticated:
1840 	/*
1841 	 * Cancel the alarm we set to limit the time taken for
1842 	 * authentication.
1843 	 */
1844 	alarm(0);
1845 	signal(SIGALRM, SIG_DFL);
1846 	authctxt->authenticated = 1;
1847 	if (startup_pipe != -1) {
1848 		close(startup_pipe);
1849 		startup_pipe = -1;
1850 	}
1851 
1852 #ifdef SSH_AUDIT_EVENTS
1853 	audit_event(SSH_AUTH_SUCCESS);
1854 #endif
1855 
1856 	/*
1857 	 * In privilege separation, we fork another child and prepare
1858 	 * file descriptor passing.
1859 	 */
1860 	if (use_privsep) {
1861 		privsep_postauth(authctxt);
1862 		/* the monitor process [priv] will not return */
1863 		if (!compat20)
1864 			destroy_sensitive_data();
1865 	}
1866 
1867 	/* Start session. */
1868 	do_authenticated(authctxt);
1869 
1870 	/* The connection has been terminated. */
1871 	verbose("Closing connection to %.100s", remote_ip);
1872 
1873 #ifdef USE_PAM
1874 	if (options.use_pam)
1875 		finish_pam();
1876 #endif /* USE_PAM */
1877 
1878 #ifdef SSH_AUDIT_EVENTS
1879 	PRIVSEP(audit_event(SSH_CONNECTION_CLOSE));
1880 #endif
1881 
1882 	packet_close();
1883 
1884 	if (use_privsep)
1885 		mm_terminate();
1886 
1887 	exit(0);
1888 }
1889 
1890 /*
1891  * Decrypt session_key_int using our private server key and private host key
1892  * (key with larger modulus first).
1893  */
1894 int
1895 ssh1_session_key(BIGNUM *session_key_int)
1896 {
1897 	int rsafail = 0;
1898 
1899 	if (BN_cmp(sensitive_data.server_key->rsa->n,
1900 	    sensitive_data.ssh1_host_key->rsa->n) > 0) {
1901 		/* Server key has bigger modulus. */
1902 		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
1903 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1904 		    SSH_KEY_BITS_RESERVED) {
1905 			fatal("do_connection: %s: "
1906 			    "server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
1907 			    get_remote_ipaddr(),
1908 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1909 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1910 			    SSH_KEY_BITS_RESERVED);
1911 		}
1912 		if (rsa_private_decrypt(session_key_int, session_key_int,
1913 		    sensitive_data.server_key->rsa) <= 0)
1914 			rsafail++;
1915 		if (rsa_private_decrypt(session_key_int, session_key_int,
1916 		    sensitive_data.ssh1_host_key->rsa) <= 0)
1917 			rsafail++;
1918 	} else {
1919 		/* Host key has bigger modulus (or they are equal). */
1920 		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
1921 		    BN_num_bits(sensitive_data.server_key->rsa->n) +
1922 		    SSH_KEY_BITS_RESERVED) {
1923 			fatal("do_connection: %s: "
1924 			    "host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
1925 			    get_remote_ipaddr(),
1926 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1927 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1928 			    SSH_KEY_BITS_RESERVED);
1929 		}
1930 		if (rsa_private_decrypt(session_key_int, session_key_int,
1931 		    sensitive_data.ssh1_host_key->rsa) < 0)
1932 			rsafail++;
1933 		if (rsa_private_decrypt(session_key_int, session_key_int,
1934 		    sensitive_data.server_key->rsa) < 0)
1935 			rsafail++;
1936 	}
1937 	return (rsafail);
1938 }
1939 /*
1940  * SSH1 key exchange
1941  */
1942 static void
1943 do_ssh1_kex(void)
1944 {
1945 	int i, len;
1946 	int rsafail = 0;
1947 	BIGNUM *session_key_int;
1948 	u_char session_key[SSH_SESSION_KEY_LENGTH];
1949 	u_char cookie[8];
1950 	u_int cipher_type, auth_mask, protocol_flags;
1951 	u_int32_t rnd = 0;
1952 
1953 	/*
1954 	 * Generate check bytes that the client must send back in the user
1955 	 * packet in order for it to be accepted; this is used to defy ip
1956 	 * spoofing attacks.  Note that this only works against somebody
1957 	 * doing IP spoofing from a remote machine; any machine on the local
1958 	 * network can still see outgoing packets and catch the random
1959 	 * cookie.  This only affects rhosts authentication, and this is one
1960 	 * of the reasons why it is inherently insecure.
1961 	 */
1962 	for (i = 0; i < 8; i++) {
1963 		if (i % 4 == 0)
1964 			rnd = arc4random();
1965 		cookie[i] = rnd & 0xff;
1966 		rnd >>= 8;
1967 	}
1968 
1969 	/*
1970 	 * Send our public key.  We include in the packet 64 bits of random
1971 	 * data that must be matched in the reply in order to prevent IP
1972 	 * spoofing.
1973 	 */
1974 	packet_start(SSH_SMSG_PUBLIC_KEY);
1975 	for (i = 0; i < 8; i++)
1976 		packet_put_char(cookie[i]);
1977 
1978 	/* Store our public server RSA key. */
1979 	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
1980 	packet_put_bignum(sensitive_data.server_key->rsa->e);
1981 	packet_put_bignum(sensitive_data.server_key->rsa->n);
1982 
1983 	/* Store our public host RSA key. */
1984 	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1985 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
1986 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
1987 
1988 	/* Put protocol flags. */
1989 	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
1990 
1991 	/* Declare which ciphers we support. */
1992 	packet_put_int(cipher_mask_ssh1(0));
1993 
1994 	/* Declare supported authentication types. */
1995 	auth_mask = 0;
1996 	if (options.rhosts_rsa_authentication)
1997 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
1998 	if (options.rsa_authentication)
1999 		auth_mask |= 1 << SSH_AUTH_RSA;
2000 	if (options.challenge_response_authentication == 1)
2001 		auth_mask |= 1 << SSH_AUTH_TIS;
2002 	if (options.password_authentication)
2003 		auth_mask |= 1 << SSH_AUTH_PASSWORD;
2004 	packet_put_int(auth_mask);
2005 
2006 	/* Send the packet and wait for it to be sent. */
2007 	packet_send();
2008 	packet_write_wait();
2009 
2010 	debug("Sent %d bit server key and %d bit host key.",
2011 	    BN_num_bits(sensitive_data.server_key->rsa->n),
2012 	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
2013 
2014 	/* Read clients reply (cipher type and session key). */
2015 	packet_read_expect(SSH_CMSG_SESSION_KEY);
2016 
2017 	/* Get cipher type and check whether we accept this. */
2018 	cipher_type = packet_get_char();
2019 
2020 	if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
2021 		packet_disconnect("Warning: client selects unsupported cipher.");
2022 
2023 	/* Get check bytes from the packet.  These must match those we
2024 	   sent earlier with the public key packet. */
2025 	for (i = 0; i < 8; i++)
2026 		if (cookie[i] != packet_get_char())
2027 			packet_disconnect("IP Spoofing check bytes do not match.");
2028 
2029 	debug("Encryption type: %.200s", cipher_name(cipher_type));
2030 
2031 	/* Get the encrypted integer. */
2032 	if ((session_key_int = BN_new()) == NULL)
2033 		fatal("do_ssh1_kex: BN_new failed");
2034 	packet_get_bignum(session_key_int);
2035 
2036 	protocol_flags = packet_get_int();
2037 	packet_set_protocol_flags(protocol_flags);
2038 	packet_check_eom();
2039 
2040 	/* Decrypt session_key_int using host/server keys */
2041 	rsafail = PRIVSEP(ssh1_session_key(session_key_int));
2042 
2043 	/*
2044 	 * Extract session key from the decrypted integer.  The key is in the
2045 	 * least significant 256 bits of the integer; the first byte of the
2046 	 * key is in the highest bits.
2047 	 */
2048 	if (!rsafail) {
2049 		(void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
2050 		len = BN_num_bytes(session_key_int);
2051 		if (len < 0 || (u_int)len > sizeof(session_key)) {
2052 			error("do_ssh1_kex: bad session key len from %s: "
2053 			    "session_key_int %d > sizeof(session_key) %lu",
2054 			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
2055 			rsafail++;
2056 		} else {
2057 			memset(session_key, 0, sizeof(session_key));
2058 			BN_bn2bin(session_key_int,
2059 			    session_key + sizeof(session_key) - len);
2060 
2061 			derive_ssh1_session_id(
2062 			    sensitive_data.ssh1_host_key->rsa->n,
2063 			    sensitive_data.server_key->rsa->n,
2064 			    cookie, session_id);
2065 			/*
2066 			 * Xor the first 16 bytes of the session key with the
2067 			 * session id.
2068 			 */
2069 			for (i = 0; i < 16; i++)
2070 				session_key[i] ^= session_id[i];
2071 		}
2072 	}
2073 	if (rsafail) {
2074 		int bytes = BN_num_bytes(session_key_int);
2075 		u_char *buf = xmalloc(bytes);
2076 		MD5_CTX md;
2077 
2078 		logit("do_connection: generating a fake encryption key");
2079 		BN_bn2bin(session_key_int, buf);
2080 		MD5_Init(&md);
2081 		MD5_Update(&md, buf, bytes);
2082 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
2083 		MD5_Final(session_key, &md);
2084 		MD5_Init(&md);
2085 		MD5_Update(&md, session_key, 16);
2086 		MD5_Update(&md, buf, bytes);
2087 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
2088 		MD5_Final(session_key + 16, &md);
2089 		memset(buf, 0, bytes);
2090 		xfree(buf);
2091 		for (i = 0; i < 16; i++)
2092 			session_id[i] = session_key[i] ^ session_key[i + 16];
2093 	}
2094 	/* Destroy the private and public keys. No longer. */
2095 	destroy_sensitive_data();
2096 
2097 	if (use_privsep)
2098 		mm_ssh1_session_id(session_id);
2099 
2100 	/* Destroy the decrypted integer.  It is no longer needed. */
2101 	BN_clear_free(session_key_int);
2102 
2103 	/* Set the session key.  From this on all communications will be encrypted. */
2104 	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
2105 
2106 	/* Destroy our copy of the session key.  It is no longer needed. */
2107 	memset(session_key, 0, sizeof(session_key));
2108 
2109 	debug("Received session key; encryption turned on.");
2110 
2111 	/* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
2112 	packet_start(SSH_SMSG_SUCCESS);
2113 	packet_send();
2114 	packet_write_wait();
2115 }
2116 
2117 /*
2118  * SSH2 key exchange: diffie-hellman-group1-sha1
2119  */
2120 static void
2121 do_ssh2_kex(void)
2122 {
2123 	Kex *kex;
2124 
2125 	if (options.ciphers != NULL) {
2126 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
2127 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
2128 	}
2129 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
2130 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
2131 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
2132 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
2133 
2134 	if (options.macs != NULL) {
2135 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
2136 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
2137 	}
2138 	if (options.compression == COMP_NONE) {
2139 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2140 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
2141 	} else if (options.compression == COMP_DELAYED) {
2142 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2143 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
2144 	}
2145 
2146 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2147 
2148 	/* start key exchange */
2149 	kex = kex_setup(myproposal);
2150 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2151 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
2152 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2153 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2154 	kex->server = 1;
2155 	kex->client_version_string=client_version_string;
2156 	kex->server_version_string=server_version_string;
2157 	kex->load_host_key=&get_hostkey_by_type;
2158 	kex->host_key_index=&get_hostkey_index;
2159 
2160 	xxx_kex = kex;
2161 
2162 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2163 
2164 	session_id2 = kex->session_id;
2165 	session_id2_len = kex->session_id_len;
2166 
2167 #ifdef DEBUG_KEXDH
2168 	/* send 1st encrypted/maced/compressed message */
2169 	packet_start(SSH2_MSG_IGNORE);
2170 	packet_put_cstring("markus");
2171 	packet_send();
2172 	packet_write_wait();
2173 #endif
2174 	debug("KEX done");
2175 }
2176 
2177 /* server specific fatal cleanup */
2178 void
2179 cleanup_exit(int i)
2180 {
2181 	if (the_authctxt)
2182 		do_cleanup(the_authctxt);
2183 #ifdef SSH_AUDIT_EVENTS
2184 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
2185 	if (!use_privsep || mm_is_monitor())
2186 		audit_event(SSH_CONNECTION_ABANDON);
2187 #endif
2188 	_exit(i);
2189 }
2190