1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This program is the ssh daemon. It listens for connections from clients, 6 * and performs authentication, executes use commands or shell, and forwards 7 * information to/from the application to the user client over an encrypted 8 * connection. This can also handle forwarding of X11, TCP/IP, and 9 * authentication agent connections. 10 * 11 * As far as I am concerned, the code I have written for this software 12 * can be used freely for any purpose. Any derived versions of this 13 * software must be clearly marked as such, and if the derived work is 14 * incompatible with the protocol description in the RFC file, it must be 15 * called by a name other than "ssh" or "Secure Shell". 16 * 17 * SSH2 implementation: 18 * Privilege Separation: 19 * 20 * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. 21 * Copyright (c) 2002 Niels Provos. All rights reserved. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the above copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 33 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 34 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
35 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 36 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 37 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 38 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 39 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 41 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 42 */ 43 44 #include "includes.h" 45 RCSID("$OpenBSD: sshd.c,v 1.301 2004/08/11 11:50:09 dtucker Exp $"); 46 RCSID("$FreeBSD$"); 47 48 #include <openssl/dh.h> 49 #include <openssl/bn.h> 50 #include <openssl/md5.h> 51 #include <openssl/rand.h> 52 #ifdef HAVE_SECUREWARE 53 #include <sys/security.h> 54 #include <prot.h> 55 #endif 56 57 #ifdef __FreeBSD__ 58 #include <resolv.h> 59 #endif 60 61 #include "ssh.h" 62 #include "ssh1.h" 63 #include "ssh2.h" 64 #include "xmalloc.h" 65 #include "rsa.h" 66 #include "sshpty.h" 67 #include "packet.h" 68 #include "log.h" 69 #include "servconf.h" 70 #include "uidswap.h" 71 #include "compat.h" 72 #include "buffer.h" 73 #include "bufaux.h" 74 #include "cipher.h" 75 #include "kex.h" 76 #include "key.h" 77 #include "dh.h" 78 #include "myproposal.h" 79 #include "authfile.h" 80 #include "pathnames.h" 81 #include "atomicio.h" 82 #include "canohost.h" 83 #include "auth.h" 84 #include "misc.h" 85 #include "msg.h" 86 #include "dispatch.h" 87 #include "channels.h" 88 #include "session.h" 89 #include "monitor_mm.h" 90 #include "monitor.h" 91 #include "monitor_wrap.h" 92 #include "monitor_fdpass.h" 93 94 #ifdef LIBWRAP 95 #include <tcpd.h> 96 #include <syslog.h> 97 int allow_severity = LOG_INFO; 98 int deny_severity = LOG_WARNING; 99 #endif /* LIBWRAP */ 100 101 #ifndef O_NOCTTY 102 #define O_NOCTTY 0 103 #endif 104 105 /* Re-exec fds */ 106 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 107 #define 
REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 108 #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) 109 #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4) 110 111 extern char *__progname; 112 113 /* Server configuration options. */ 114 ServerOptions options; 115 116 /* Name of the server configuration file. */ 117 char *config_file_name = _PATH_SERVER_CONFIG_FILE; 118 119 /* 120 * Flag indicating whether IPv4 or IPv6. This can be set on the command line. 121 * Default value is AF_UNSPEC means both IPv4 and IPv6. 122 */ 123 int IPv4or6 = AF_UNSPEC; 124 125 /* 126 * Debug mode flag. This can be set on the command line. If debug 127 * mode is enabled, extra debugging output will be sent to the system 128 * log, the daemon will not go to background, and will exit after processing 129 * the first connection. 130 */ 131 int debug_flag = 0; 132 133 /* Flag indicating that the daemon should only test the configuration and keys. */ 134 int test_flag = 0; 135 136 /* Flag indicating that the daemon is being started from inetd. */ 137 int inetd_flag = 0; 138 139 /* Flag indicating that sshd should not detach and become a daemon. */ 140 int no_daemon_flag = 0; 141 142 /* debug goes to stderr unless inetd_flag is set */ 143 int log_stderr = 0; 144 145 /* Saved arguments to main(). */ 146 char **saved_argv; 147 int saved_argc; 148 149 /* re-exec */ 150 int rexeced_flag = 0; 151 int rexec_flag = 1; 152 int rexec_argc = 0; 153 char **rexec_argv; 154 155 /* 156 * The sockets that the server is listening; this is used in the SIGHUP 157 * signal handler. 158 */ 159 #define MAX_LISTEN_SOCKS 16 160 int listen_socks[MAX_LISTEN_SOCKS]; 161 int num_listen_socks = 0; 162 163 /* 164 * the client's version string, passed by sshd2 in compat mode. 
if != NULL, 165 * sshd will skip the version-number exchange 166 */ 167 char *client_version_string = NULL; 168 char *server_version_string = NULL; 169 170 /* for rekeying XXX fixme */ 171 Kex *xxx_kex; 172 173 /* 174 * Any really sensitive data in the application is contained in this 175 * structure. The idea is that this structure could be locked into memory so 176 * that the pages do not get written into swap. However, there are some 177 * problems. The private key contains BIGNUMs, and we do not (in principle) 178 * have access to the internals of them, and locking just the structure is 179 * not very useful. Currently, memory locking is not implemented. 180 */ 181 struct { 182 Key *server_key; /* ephemeral server key */ 183 Key *ssh1_host_key; /* ssh1 host key */ 184 Key **host_keys; /* all private host keys */ 185 int have_ssh1_key; 186 int have_ssh2_key; 187 u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH]; 188 } sensitive_data; 189 190 /* 191 * Flag indicating whether the RSA server key needs to be regenerated. 192 * Is set in the SIGALRM handler and cleared when the key is regenerated. 193 */ 194 static volatile sig_atomic_t key_do_regen = 0; 195 196 /* This is set to true when a signal is received. 
*/
/*
 * received_sighup is set to 1 by sighup_handler(); received_sigterm holds
 * the number of the terminating signal stored by sigterm_handler().
 */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;

/* session identifier, used by RSA-auth */
u_char session_id[16];

/* same for ssh2 */
u_char *session_id2 = NULL;
u_int session_id2_len = 0;

/* record remote hostname or ip */
u_int utmp_len = MAXHOSTNAMELEN;

/* options.max_startup sized array of fd ints */
int *startup_pipes = NULL;
int startup_pipe;		/* in child */

/* variables used for privilege separation */
int use_privsep;
struct monitor *pmonitor = NULL;

/* global authentication context */
Authctxt *the_authctxt = NULL;

/* message to be displayed after login */
Buffer loginmsg;

/* Prototypes for various functions defined later in this file. */
void destroy_sensitive_data(void);
void demote_sensitive_data(void);

static void do_ssh1_kex(void);
static void do_ssh2_kex(void);

/*
 * Close all listening sockets.
 *
 * Closes listen_socks[0 .. num_listen_socks-1] and then sets
 * num_listen_socks to -1 (not 0).  The return value of close() is
 * ignored.
 */
static void
close_listen_socks(void)
{
	int i;

	for (i = 0; i < num_listen_socks; i++)
		close(listen_socks[i]);
	num_listen_socks = -1;
}

/*
 * Close every open startup pipe.
 *
 * Does nothing when startup_pipes has not been allocated.  Otherwise all
 * options.max_startups slots are visited and each slot that is not -1 is
 * closed.  The slots are not reset to -1 afterwards.
 */
static void
close_startup_pipes(void)
{
	int i;

	if (startup_pipes)
		for (i = 0; i < options.max_startups; i++)
			if (startup_pipes[i] != -1)
				close(startup_pipes[i]);
}

/*
 * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
 * the effect is to reread the configuration file (and to regenerate
 * the server key).
 *
 * The handler itself only records the event in received_sighup and
 * re-installs itself; errno is saved and restored around that work so the
 * interrupted code does not see it change.
 */
static void
sighup_handler(int sig)
{
	int save_errno = errno;

	received_sighup = 1;
	signal(SIGHUP, sighup_handler);
	errno = save_errno;
}

/*
 * Called from the main program after receiving SIGHUP.
 * Restarts the server.
*/
static void
sighup_restart(void)
{
	logit("Received SIGHUP; restarting.");
	/* Release the listening sockets and startup pipes before the exec. */
	close_listen_socks();
	close_startup_pipes();
	/*
	 * execv() does no PATH search: saved_argv[0] is used exactly as it
	 * was saved by main().
	 */
	execv(saved_argv[0], saved_argv);
	/* Only reached when execv() failed. */
	logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
	    strerror(errno));
	exit(1);
}

/*
 * Generic signal handler for terminating signals in the master daemon.
 * Only records the signal number in received_sigterm.
 */
static void
sigterm_handler(int sig)
{
	received_sigterm = sig;
}

/*
 * SIGCHLD handler.  This is called whenever a child dies.  This will then
 * reap any zombies left by exited children.
 *
 * waitpid() is called without blocking (WNOHANG) until it reports no more
 * exited children; a call interrupted with EINTR is retried.  The handler
 * is then re-installed and errno restored.
 */
static void
main_sigchld_handler(int sig)
{
	int save_errno = errno;
	pid_t pid;
	int status;

	while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
	    (pid < 0 && errno == EINTR))
		;

	signal(SIGCHLD, main_sigchld_handler);
	errno = save_errno;
}

/*
 * Signal handler for the alarm after the login grace period has expired.
 *
 * When privilege separation is active and a monitor pid is known, the
 * monitor is sent SIGALRM first; the process then terminates via fatal().
 */
static void
grace_alarm_handler(int sig)
{
	/* XXX no idea how fix this signal handler */
	/*
	 * NOTE(review): get_remote_ipaddr() and fatal() run here in signal
	 * context, before authentication has completed.  Neither is shown
	 * in this file to be async-signal-safe, so this handler can
	 * interrupt, and then re-enter, whatever logging, allocation or
	 * cleanup code the main flow was executing.  Treat it as a race
	 * hazard; a handler restricted to async-signal-safe calls would
	 * remove it.
	 */

	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
		kill(pmonitor->m_pid, SIGALRM);

	/* Log error and exit. */
	fatal("Timeout before authentication for %s", get_remote_ipaddr());
}

/*
 * Generate a new ephemeral RSA1 server key of options.server_key_bits bits
 * and a fresh SSH1 cookie.
 *
 * Any existing server key is freed first.  The cookie is filled with
 * SSH_SESSION_KEY_LENGTH random bytes; each arc4random() call supplies
 * four of them, low byte first.
 */
static void
generate_ephemeral_server_key(void)
{
	u_int32_t rnd = 0;
	int i;

	verbose("Generating %s%d bit RSA key.",
	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
	if (sensitive_data.server_key != NULL)
		key_free(sensitive_data.server_key);
	sensitive_data.server_key = key_generate(KEY_RSA1,
	    options.server_key_bits);
	verbose("RSA key generation complete.");

	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
		if (i % 4 == 0)
			rnd = arc4random();
		sensitive_data.ssh1_cookie[i] = rnd & 0xff;
		rnd >>= 8;
	}
	arc4random_stir();
}

/*
 * Signal handler for the key regeneration alarm.  Note that this
 * alarm only occurs in the daemon waiting for connections, and it does not
 * do anything with the private key or random state before forking.
 * Thus there should be no concurrency control/asynchronous execution
 * problems.
 *
 * The handler resets SIGALRM to its default disposition and sets
 * key_do_regen; the key itself is regenerated outside the handler.
 */
static void
key_regeneration_alarm(int sig)
{
	int save_errno = errno;

	signal(SIGALRM, SIG_DFL);
	errno = save_errno;
	key_do_regen = 1;
}

/*
 * Exchange protocol version identification strings with the peer.
 *
 * Sends the server banner on sock_out, reads the client banner one byte
 * at a time from sock_in, parses it, applies the compatibility flags for
 * the client software version and selects the protocol version.  Every
 * failure path ends in cleanup_exit(255).
 *
 * Side effects: sets server_version_string and client_version_string.
 *
 * Everything read from sock_in is unauthenticated, peer-controlled data.
 */
static void
sshd_exchange_identification(int sock_in, int sock_out)
{
	int i, mismatch;
	int remote_major, remote_minor;
	int major, minor;
	char *s;
	/*
	 * The two arrays below must keep this size relationship: the
	 * sscanf() conversion that fills remote_version carries no field
	 * width and is bounded only by the length of the data taken from
	 * buf.
	 */
	char buf[256];			/* Must not be larger than remote_version. */
	char remote_version[256];	/* Must be at least as big as buf. */

	/* With both protocols enabled the server advertises version 1.99. */
	if ((options.protocol & SSH_PROTO_1) &&
	    (options.protocol & SSH_PROTO_2)) {
		major = PROTOCOL_MAJOR_1;
		minor = 99;
	} else if (options.protocol & SSH_PROTO_2) {
		major = PROTOCOL_MAJOR_2;
		minor = PROTOCOL_MINOR_2;
	} else {
		major = PROTOCOL_MAJOR_1;
		minor = PROTOCOL_MINOR_1;
	}
	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
	server_version_string = xstrdup(buf);

	/* Send our protocol version identification. */
	if (atomicio(vwrite, sock_out, server_version_string,
	    strlen(server_version_string))
	    != strlen(server_version_string)) {
		logit("Could not write ident string to %s", get_remote_ipaddr());
		cleanup_exit(255);
	}

	/*
	 * Read the other side's version identification.  At most
	 * sizeof(buf) - 1 bytes are accepted, so the banner is always
	 * NUL-terminated inside buf even if no newline ever arrives.
	 */
	memset(buf, 0, sizeof(buf));
	for (i = 0; i < sizeof(buf) - 1; i++) {
		if (atomicio(read, sock_in, &buf[i], 1) != 1) {
			logit("Did not receive identification string from %s",
			    get_remote_ipaddr());
			cleanup_exit(255);
		}
		if (buf[i] == '\r') {
			/*
			 * The CR is replaced by a terminator and reading
			 * goes on; bytes stored after this NUL are not
			 * part of the C string duplicated below.
			 */
			buf[i] = 0;
			/* Kludge for F-Secure Macintosh < 1.0.2 */
			if (i == 12 &&
			    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
				break;
			continue;
		}
		if (buf[i] == '\n') {
			buf[i] = 0;
			break;
		}
	}
	buf[sizeof(buf) - 1] = 0;
	client_version_string = xstrdup(buf);

	/*
	 * Check that the versions match.  In future this might accept
	 * several versions and set appropriate flags to handle them.
	 *
	 * %[^\n] has no field width.  It cannot overrun remote_version only
	 * because client_version_string was copied from buf and is
	 * therefore shorter than sizeof(remote_version).
	 */
	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
	    &remote_major, &remote_minor, remote_version) != 3) {
		s = "Protocol mismatch.\n";
		(void) atomicio(vwrite, sock_out, s, strlen(s));
		close(sock_in);
		close(sock_out);
		logit("Bad protocol version identification '%.100s' from %s",
		    client_version_string, get_remote_ipaddr());
		cleanup_exit(255);
	}
	debug("Client protocol version %d.%d; client software version %.100s",
	    remote_major, remote_minor, remote_version);

	compat_datafellows(remote_version);

	/*
	 * NOTE(review): the two log calls below write the peer-supplied
	 * banner with an unbounded %s (up to sizeof(buf) - 1 bytes).
	 * Whether logit() escapes control characters is not visible in
	 * this file -- confirm before relying on these lines in log
	 * parsing.
	 */
	if (datafellows & SSH_BUG_PROBE) {
		logit("probed from %s with %s. Don't panic.",
		    get_remote_ipaddr(), client_version_string);
		cleanup_exit(255);
	}

	if (datafellows & SSH_BUG_SCANNER) {
		logit("scanned from %s with %s. Don't panic.",
		    get_remote_ipaddr(), client_version_string);
		cleanup_exit(255);
	}

	mismatch = 0;
	switch (remote_major) {
	case 1:
		/* A 1.99 client is handled as protocol 2 when that is enabled. */
		if (remote_minor == 99) {
			if (options.protocol & SSH_PROTO_2)
				enable_compat20();
			else
				mismatch = 1;
			break;
		}
		if (!(options.protocol & SSH_PROTO_1)) {
			mismatch = 1;
			break;
		}
		if (remote_minor < 3) {
			packet_disconnect("Your ssh version is too old and "
			    "is no longer supported. Please install a newer version.");
		} else if (remote_minor == 3) {
			/* note that this disables agent-forwarding */
			enable_compat13();
		}
		break;
	case 2:
		if (options.protocol & SSH_PROTO_2) {
			enable_compat20();
			break;
		}
		/* FALLTHROUGH */
	default:
		mismatch = 1;
		break;
	}
	chop(server_version_string);
	debug("Local version string %.200s", server_version_string);

	if (mismatch) {
		s = "Protocol major versions differ.\n";
		(void) atomicio(vwrite, sock_out, s, strlen(s));
		close(sock_in);
		close(sock_out);
		logit("Protocol major versions differ for %s: %.200s vs. %.200s",
		    get_remote_ipaddr(),
		    server_version_string, client_version_string);
		cleanup_exit(255);
	}
}

/* Destroy the host and server keys. They will no longer be needed.
*/
/*
 * Frees the ephemeral server key and every loaded host key, clears the
 * pointers and zeroes the SSH1 cookie.  ssh1_host_key is only set to NULL,
 * not freed: it points at one of the host_keys entries freed in the loop.
 */
void
destroy_sensitive_data(void)
{
	int i;

	if (sensitive_data.server_key) {
		key_free(sensitive_data.server_key);
		sensitive_data.server_key = NULL;
	}
	for (i = 0; i < options.num_host_key_files; i++) {
		if (sensitive_data.host_keys[i]) {
			key_free(sensitive_data.host_keys[i]);
			sensitive_data.host_keys[i] = NULL;
		}
	}
	sensitive_data.ssh1_host_key = NULL;
	memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
}

/*
 * Demote private to public keys for network child.
 *
 * Each private key is replaced by the result of key_demote() and the
 * original is freed.  ssh1_host_key is re-pointed at the demoted KEY_RSA1
 * entry so it does not keep referring to the freed key.
 */
void
demote_sensitive_data(void)
{
	Key *tmp;
	int i;

	if (sensitive_data.server_key) {
		tmp = key_demote(sensitive_data.server_key);
		key_free(sensitive_data.server_key);
		sensitive_data.server_key = tmp;
	}

	for (i = 0; i < options.num_host_key_files; i++) {
		if (sensitive_data.host_keys[i]) {
			tmp = key_demote(sensitive_data.host_keys[i]);
			key_free(sensitive_data.host_keys[i]);
			sensitive_data.host_keys[i] = tmp;
			/* assumes key_demote() never returns NULL -- TODO confirm */
			if (tmp->type == KEY_RSA1)
				sensitive_data.ssh1_host_key = tmp;
		}
	}

	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
}

/*
 * Confine the pre-authentication network child: reseed the OpenSSL PRNG,
 * demote the private keys, chroot into the privilege separation directory
 * and switch to the privilege separation user.
 *
 * The order of the steps matters: the passwd entry is looked up before
 * chroot(), and the supplementary groups are replaced before the uid is
 * given up.
 */
static void
privsep_preauth_child(void)
{
	u_int32_t rnd[256];
	gid_t gidset[1];
	struct passwd *pw;
	int i;

	/* Enable challenge-response authentication for privilege separation */
	privsep_challenge_enable();

	/*
	 * Feed fresh arc4random() output into the OpenSSL PRNG; presumably
	 * so the child's PRNG state diverges from the parent's -- confirm.
	 * rnd[] is not cleared after seeding.
	 */
	for (i = 0; i < 256; i++)
		rnd[i] = arc4random();
	RAND_seed(rnd, sizeof(rnd));

	/* Demote the private keys to public keys. */
	demote_sensitive_data();

	if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
		fatal("Privilege separation user %s does not exist",
		    SSH_PRIVSEP_USER);
	/* Wipe the password field of the entry returned by getpwnam(). */
	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
	endpwent();

	/* Change our root directory */
	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
		    strerror(errno));
	/* Move the working directory inside the new root as well. */
	if (chdir("/") == -1)
		fatal("chdir(\"/\"): %s", strerror(errno));

	/* Drop our privileges */
	debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
	    (u_int)pw->pw_gid);
#if 0
	/* XXX not ready, too heavy after chroot */
	do_setusercontext(pw);
#else
	/* Reduce the group list to the privsep gid, then give up the uid. */
	gidset[0] = pw->pw_gid;
	if (setgroups(1, gidset) < 0)
		fatal("setgroups: %.100s", strerror(errno));
	permanently_set_uid(pw);
#endif
}

/*
 * Fork the unprivileged pre-authentication child.
 *
 * Returns 1 in the monitor (parent) once the child has exited and its
 * state has been synced, and 0 in the child.
 */
static int
privsep_preauth(Authctxt *authctxt)
{
	int status;
	pid_t pid;

	/* Set up unprivileged child process to deal with network data */
	pmonitor = monitor_init();
	/* Store a pointer to the kex for later rekeying */
	pmonitor->m_pkex = &xxx_kex;

	pid = fork();
	if (pid == -1) {
		fatal("fork of unprivileged child failed");
	} else if (pid != 0) {
		debug2("Network child is on pid %ld", (long)pid);

		close(pmonitor->m_recvfd);
		pmonitor->m_pid = pid;
		monitor_child_preauth(authctxt, pmonitor);
		close(pmonitor->m_sendfd);

		/* Sync memory */
		monitor_sync(pmonitor);

		/* Wait for the child's exit status */
		while (waitpid(pid, &status, 0) < 0)
			if (errno != EINTR)
				break;
		return (1);
	} else {
		/* child */

		close(pmonitor->m_sendfd);

		/*
		 * Demote the child.  The chroot and uid switch happen only
		 * when the process is running as root; otherwise the child
		 * keeps the identity and filesystem view sshd was started
		 * with.
		 */
		if (getuid() == 0 || geteuid() == 0)
			privsep_preauth_child();
		setproctitle("%s", "[net]");
	}
	return (0);
}

/*
 * Set up privilege separation for the authenticated session.
 *
 * For a root login, with options.use_login set, or when built with
 * DISABLE_FD_PASSING, separation is switched off (use_privsep = 0) and the
 * session continues in the current process.  Otherwise the process forks:
 * the parent stays on as the monitor and the child drops to the
 * authenticated user.
 */
static void
privsep_postauth(Authctxt *authctxt)
{
#ifdef DISABLE_FD_PASSING
	if (1) {
#else
	if (authctxt->pw->pw_uid == 0 || options.use_login) {
#endif
		/* File descriptor passing is broken or root login */
		monitor_apply_keystate(pmonitor);
		use_privsep = 0;
		return;
	}

	/* Authentication complete */
	alarm(0);
	if (startup_pipe != -1) {
		close(startup_pipe);
		startup_pipe = -1;
	}

	/* New socket pair */
	monitor_reinit(pmonitor);

	pmonitor->m_pid = fork();
	if (pmonitor->m_pid == -1)
		fatal("fork of unprivileged child failed");
	else if (pmonitor->m_pid != 0) {
		debug2("User child is on pid %ld", (long)pmonitor->m_pid);
		close(pmonitor->m_recvfd);
		buffer_clear(&loginmsg);
		monitor_child_postauth(pmonitor);

		/* NEVERREACHED */
		exit(0);
	}

	close(pmonitor->m_sendfd);

	/* Demote the private keys to public keys. */
	demote_sensitive_data();

	/* Drop privileges */
	do_setusercontext(authctxt->pw);

	/* It is safe now to apply the key state */
	monitor_apply_keystate(pmonitor);
}

/*
 * Build a comma-separated list of the SSH names of the loaded RSA and DSA
 * host keys.  Other key types and empty slots are skipped.
 *
 * Returns a copy made with xstrdup(); the caller is presumably
 * responsible for freeing it.
 */
static char *
list_hostkey_types(void)
{
	Buffer b;
	const char *p;
	char *ret;
	int i;

	buffer_init(&b);
	for (i = 0; i < options.num_host_key_files; i++) {
		Key *key = sensitive_data.host_keys[i];
		if (key == NULL)
			continue;
		switch (key->type) {
		case KEY_RSA:
		case KEY_DSA:
			if (buffer_len(&b) > 0)
				buffer_append(&b, ",", 1);
			p = key_ssh_name(key);
			buffer_append(&b, p, strlen(p));
			break;
		}
	}
	/* Terminate the list so it can be duplicated as a C string. */
	buffer_append(&b, "\0", 1);
	ret = xstrdup(buffer_ptr(&b));
	buffer_free(&b);
	debug("list_hostkey_types: %s", ret);
	return ret;
}

/* Return the first loaded host key of the given type, or NULL if none. */
Key *
get_hostkey_by_type(int type)
{
	int i;

	for (i = 0; i < options.num_host_key_files; i++) {
		Key *key = sensitive_data.host_keys[i];
		if (key != NULL && key->type == type)
			return key;
	}
	return NULL;
}

/*
 * Return the host key stored at index ind, or NULL when ind is outside
 * 0 .. options.num_host_key_files-1.  The slot itself may also be NULL.
 */
Key *
get_hostkey_by_index(int ind)
{
	if (ind < 0 || ind >= options.num_host_key_files)
		return (NULL);
	return (sensitive_data.host_keys[ind]);
}

/*
 * Return the index of key in the host key table, or -1 if it is not
 * there.  Keys are compared by pointer identity, not by value.
 */
int
get_hostkey_index(Key *key)
{
	int i;

	for (i = 0; i < options.num_host_key_files; i++) {
		if (key == sensitive_data.host_keys[i])
			return (i);
	}
	return (-1);
}

/*
 * returns 1 if connection should be dropped, 0 otherwise.
 * dropping starts at connection #max_startups_begin with a probability
 * of (max_startups_rate/100). the probability increases linearly until
 * all connections are dropped for startups > max_startups
 */
static int
drop_connection(int startups)
{
	double p, r;

	if (startups < options.max_startups_begin)
		return 0;
	if (startups >= options.max_startups)
		return 1;
	if (options.max_startups_rate == 100)
		return 1;

	/*
	 * The early returns above leave max_startups_begin <= startups <
	 * max_startups here, so the divisor below is never zero.
	 */
	p = 100 - options.max_startups_rate;
	p *= startups - options.max_startups_begin;
	p /= (double) (options.max_startups - options.max_startups_begin);
	p += options.max_startups_rate;
	p /= 100.0;
	r = arc4random() / (double) UINT_MAX;

	debug("drop_connection: p %g, r %g", p, r);
	return (r < p) ? 1 : 0;
}

/* Print the version and usage summary on stderr and exit with status 1. */
static void
usage(void)
{
	fprintf(stderr, "%s, %s\n",
	    SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
	fprintf(stderr,
"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
	);
	exit(1);
}

/*
 * Send the state a re-executed child needs over fd: the configuration
 * text held in conf and, when an RSA1 ephemeral server key exists, all of
 * its components.
 *
 * The message therefore carries private key material (d, iqmp, p, q); fd
 * must only ever lead to the re-executed sshd.
 */
static void
send_rexec_state(int fd, Buffer *conf)
{
	Buffer m;

	debug3("%s: entering fd = %d config len %d", __func__, fd,
	    buffer_len(conf));

	/*
	 * Protocol from reexec master to child:
	 *	string	configuration
	 *	u_int	ephemeral_key_follows
	 *	bignum	e		(only if ephemeral_key_follows == 1)
	 *	bignum	n			"
	 *	bignum	d			"
	 *	bignum	iqmp			"
	 *	bignum	p			"
	 *	bignum	q			"
	 */
	buffer_init(&m);
	/* The contents of conf are used as a C string here. */
	buffer_put_cstring(&m, buffer_ptr(conf));

	if (sensitive_data.server_key != NULL &&
	    sensitive_data.server_key->type == KEY_RSA1) {
		buffer_put_int(&m, 1);
		buffer_put_bignum(&m, sensitive_data.server_key->rsa->e);
		buffer_put_bignum(&m, sensitive_data.server_key->rsa->n);
		buffer_put_bignum(&m, sensitive_data.server_key->rsa->d);
		buffer_put_bignum(&m, sensitive_data.server_key->rsa->iqmp);
		buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
		buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
	} else
		buffer_put_int(&m, 0);

	if (ssh_msg_send(fd, 0, &m) == -1)
		fatal("%s: ssh_msg_send failed", __func__);

	/*
	 * NOTE(review): m held a serialized private key.  Whether
	 * buffer_free() zeroes its storage is not visible in this file --
	 * confirm.
	 */
	buffer_free(&m);

	debug3("%s: done", __func__);
}

/*
 * Receive the state written by send_rexec_state() from fd.
 *
 * The configuration text is appended to conf when conf is not NULL.  If
 * the message says an ephemeral key follows, any existing server key is
 * freed and replaced with an RSA1 key rebuilt from the received
 * components.  A failed receive or an unexpected leading byte is fatal.
 */
static void
recv_rexec_state(int fd, Buffer *conf)
{
	Buffer m;
	char *cp;
	u_int len;

	debug3("%s: entering fd = %d", __func__, fd);

	buffer_init(&m);

	if (ssh_msg_recv(fd, &m) == -1)
		fatal("%s: ssh_msg_recv failed", __func__);
	/* presumably the 0 passed to ssh_msg_send() by the sender -- confirm */
	if (buffer_get_char(&m) != 0)
		fatal("%s: rexec version mismatch", __func__);

	cp = buffer_get_string(&m, &len);
	/*
	 * len + 1 bytes are appended; assumes buffer_get_string() returns
	 * a NUL-terminated copy so the extra byte is the terminator --
	 * TODO confirm.
	 */
	if (conf != NULL)
		buffer_append(conf, cp, len + 1);
	xfree(cp);

	if (buffer_get_int(&m)) {
		if (sensitive_data.server_key != NULL)
			key_free(sensitive_data.server_key);
		sensitive_data.server_key = key_new_private(KEY_RSA1);
		/* Same order as written by send_rexec_state(). */
		buffer_get_bignum(&m, sensitive_data.server_key->rsa->e);
		buffer_get_bignum(&m, sensitive_data.server_key->rsa->n);
		buffer_get_bignum(&m, sensitive_data.server_key->rsa->d);
		buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp);
		buffer_get_bignum(&m, sensitive_data.server_key->rsa->p);
		buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
		rsa_generate_additional_parameters(
		    sensitive_data.server_key->rsa);
	}
	buffer_free(&m);

	debug3("%s: done", __func__);
}

/*
 * Main program for the daemon.
 */
int
main(int ac, char **av)
{
	extern char *optarg;
	extern int optind;
	int opt, j, i, fdsetsz, on = 1;
	int sock_in = -1, sock_out = -1, newsock = -1;
	pid_t pid;
	socklen_t fromlen;
	fd_set *fdset;
	struct sockaddr_storage from;
	const char *remote_ip;
	int remote_port;
	FILE *f;
	struct addrinfo *ai;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
	char *line;
	int listen_sock, maxfd;
	int startup_p[2], config_s[2];
	int startups = 0;
	Key *key;
	Authctxt *authctxt;
	int ret, key_used = 0;
	Buffer cfg;

#ifdef HAVE_SECUREWARE
	(void)set_auth_parameters(ac, av);
#endif
	__progname = ssh_get_progname(av[0]);
	init_rng();

	/* Save argv.
Duplicate so setproctitle emulation doesn't clobber it */ 906 saved_argc = ac; 907 rexec_argc = ac; 908 saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1)); 909 for (i = 0; i < ac; i++) 910 saved_argv[i] = xstrdup(av[i]); 911 saved_argv[i] = NULL; 912 913 #ifndef HAVE_SETPROCTITLE 914 /* Prepare for later setproctitle emulation */ 915 compat_init_setproctitle(ac, av); 916 av = saved_argv; 917 #endif 918 919 if (geteuid() == 0 && setgroups(0, NULL) == -1) 920 debug("setgroups(): %.200s", strerror(errno)); 921 922 /* Initialize configuration options to their default values. */ 923 initialize_server_options(&options); 924 925 /* Parse command-line arguments. */ 926 while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) { 927 switch (opt) { 928 case '4': 929 IPv4or6 = AF_INET; 930 break; 931 case '6': 932 IPv4or6 = AF_INET6; 933 break; 934 case 'f': 935 config_file_name = optarg; 936 break; 937 case 'd': 938 if (debug_flag == 0) { 939 debug_flag = 1; 940 options.log_level = SYSLOG_LEVEL_DEBUG1; 941 } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) 942 options.log_level++; 943 break; 944 case 'D': 945 no_daemon_flag = 1; 946 break; 947 case 'e': 948 log_stderr = 1; 949 break; 950 case 'i': 951 inetd_flag = 1; 952 break; 953 case 'r': 954 rexec_flag = 0; 955 break; 956 case 'R': 957 rexeced_flag = 1; 958 inetd_flag = 1; 959 break; 960 case 'Q': 961 /* ignored */ 962 break; 963 case 'q': 964 options.log_level = SYSLOG_LEVEL_QUIET; 965 break; 966 case 'b': 967 options.server_key_bits = atoi(optarg); 968 break; 969 case 'p': 970 options.ports_from_cmdline = 1; 971 if (options.num_ports >= MAX_PORTS) { 972 fprintf(stderr, "too many ports.\n"); 973 exit(1); 974 } 975 options.ports[options.num_ports++] = a2port(optarg); 976 if (options.ports[options.num_ports-1] == 0) { 977 fprintf(stderr, "Bad port number.\n"); 978 exit(1); 979 } 980 break; 981 case 'g': 982 if ((options.login_grace_time = convtime(optarg)) == -1) { 983 fprintf(stderr, "Invalid login grace 
time.\n"); 984 exit(1); 985 } 986 break; 987 case 'k': 988 if ((options.key_regeneration_time = convtime(optarg)) == -1) { 989 fprintf(stderr, "Invalid key regeneration interval.\n"); 990 exit(1); 991 } 992 break; 993 case 'h': 994 if (options.num_host_key_files >= MAX_HOSTKEYS) { 995 fprintf(stderr, "too many host keys.\n"); 996 exit(1); 997 } 998 options.host_key_files[options.num_host_key_files++] = optarg; 999 break; 1000 case 't': 1001 test_flag = 1; 1002 break; 1003 case 'u': 1004 utmp_len = atoi(optarg); 1005 if (utmp_len > MAXHOSTNAMELEN) { 1006 fprintf(stderr, "Invalid utmp length.\n"); 1007 exit(1); 1008 } 1009 break; 1010 case 'o': 1011 line = xstrdup(optarg); 1012 if (process_server_config_line(&options, line, 1013 "command-line", 0) != 0) 1014 exit(1); 1015 xfree(line); 1016 break; 1017 case '?': 1018 default: 1019 usage(); 1020 break; 1021 } 1022 } 1023 if (rexeced_flag || inetd_flag) 1024 rexec_flag = 0; 1025 if (rexec_flag && (av[0] == NULL || *av[0] != '/')) 1026 fatal("sshd re-exec requires execution with an absolute path"); 1027 if (rexeced_flag) 1028 closefrom(REEXEC_MIN_FREE_FD); 1029 else 1030 closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); 1031 1032 SSLeay_add_all_algorithms(); 1033 channel_set_af(IPv4or6); 1034 1035 /* 1036 * Force logging to stderr until we have loaded the private host 1037 * key (unless started from inetd) 1038 */ 1039 log_init(__progname, 1040 options.log_level == SYSLOG_LEVEL_NOT_SET ? 1041 SYSLOG_LEVEL_INFO : options.log_level, 1042 options.log_facility == SYSLOG_FACILITY_NOT_SET ? 1043 SYSLOG_FACILITY_AUTH : options.log_facility, 1044 log_stderr || !inetd_flag); 1045 1046 #ifdef _AIX 1047 /* 1048 * Unset KRB5CCNAME, otherwise the user's session may inherit it from 1049 * root's environment 1050 */ 1051 unsetenv("KRB5CCNAME"); 1052 #endif /* _AIX */ 1053 #ifdef _UNICOS 1054 /* Cray can define user privs drop all privs now! 1055 * Not needed on PRIV_SU systems! 
1056 */ 1057 drop_cray_privs(); 1058 #endif 1059 1060 seed_rng(); 1061 1062 sensitive_data.server_key = NULL; 1063 sensitive_data.ssh1_host_key = NULL; 1064 sensitive_data.have_ssh1_key = 0; 1065 sensitive_data.have_ssh2_key = 0; 1066 1067 /* Fetch our configuration */ 1068 buffer_init(&cfg); 1069 if (rexeced_flag) 1070 recv_rexec_state(REEXEC_CONFIG_PASS_FD, &cfg); 1071 else 1072 load_server_config(config_file_name, &cfg); 1073 1074 parse_server_config(&options, 1075 rexeced_flag ? "rexec" : config_file_name, &cfg); 1076 1077 if (!rexec_flag) 1078 buffer_free(&cfg); 1079 1080 /* Fill in default values for those options not explicitly set. */ 1081 fill_default_server_options(&options); 1082 1083 /* Check that there are no remaining arguments. */ 1084 if (optind < ac) { 1085 fprintf(stderr, "Extra argument %s.\n", av[optind]); 1086 exit(1); 1087 } 1088 1089 debug("sshd version %.100s", SSH_VERSION); 1090 1091 /* load private host keys */ 1092 sensitive_data.host_keys = xmalloc(options.num_host_key_files * 1093 sizeof(Key *)); 1094 for (i = 0; i < options.num_host_key_files; i++) 1095 sensitive_data.host_keys[i] = NULL; 1096 1097 for (i = 0; i < options.num_host_key_files; i++) { 1098 key = key_load_private(options.host_key_files[i], "", NULL); 1099 sensitive_data.host_keys[i] = key; 1100 if (key == NULL) { 1101 error("Could not load host key: %s", 1102 options.host_key_files[i]); 1103 sensitive_data.host_keys[i] = NULL; 1104 continue; 1105 } 1106 switch (key->type) { 1107 case KEY_RSA1: 1108 sensitive_data.ssh1_host_key = key; 1109 sensitive_data.have_ssh1_key = 1; 1110 break; 1111 case KEY_RSA: 1112 case KEY_DSA: 1113 sensitive_data.have_ssh2_key = 1; 1114 break; 1115 } 1116 debug("private host key: #%d type %d %s", i, key->type, 1117 key_type(key)); 1118 } 1119 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { 1120 logit("Disabling protocol version 1. 
Could not load host key"); 1121 options.protocol &= ~SSH_PROTO_1; 1122 } 1123 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { 1124 logit("Disabling protocol version 2. Could not load host key"); 1125 options.protocol &= ~SSH_PROTO_2; 1126 } 1127 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 1128 logit("sshd: no hostkeys available -- exiting."); 1129 exit(1); 1130 } 1131 1132 /* Check certain values for sanity. */ 1133 if (options.protocol & SSH_PROTO_1) { 1134 if (options.server_key_bits < 512 || 1135 options.server_key_bits > 32768) { 1136 fprintf(stderr, "Bad server key size.\n"); 1137 exit(1); 1138 } 1139 /* 1140 * Check that server and host key lengths differ sufficiently. This 1141 * is necessary to make double encryption work with rsaref. Oh, I 1142 * hate software patents. I dont know if this can go? Niels 1143 */ 1144 if (options.server_key_bits > 1145 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - 1146 SSH_KEY_BITS_RESERVED && options.server_key_bits < 1147 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + 1148 SSH_KEY_BITS_RESERVED) { 1149 options.server_key_bits = 1150 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + 1151 SSH_KEY_BITS_RESERVED; 1152 debug("Forcing server key to %d bits to make it differ from host key.", 1153 options.server_key_bits); 1154 } 1155 } 1156 1157 if (use_privsep) { 1158 struct passwd *pw; 1159 struct stat st; 1160 1161 if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) 1162 fatal("Privilege separation user %s does not exist", 1163 SSH_PRIVSEP_USER); 1164 if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || 1165 (S_ISDIR(st.st_mode) == 0)) 1166 fatal("Missing privilege separation directory: %s", 1167 _PATH_PRIVSEP_CHROOT_DIR); 1168 1169 #ifdef HAVE_CYGWIN 1170 if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && 1171 (st.st_uid != getuid () || 1172 (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) 1173 #else 1174 if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) 1175 #endif 1176 fatal("%s must be 
owned by root and not group or " 1177 "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); 1178 } 1179 1180 /* Configuration looks good, so exit if in test mode. */ 1181 if (test_flag) 1182 exit(0); 1183 1184 /* 1185 * Clear out any supplemental groups we may have inherited. This 1186 * prevents inadvertent creation of files with bad modes (in the 1187 * portable version at least, it's certainly possible for PAM 1188 * to create a file, and we can't control the code in every 1189 * module which might be used). 1190 */ 1191 if (setgroups(0, NULL) < 0) 1192 debug("setgroups() failed: %.200s", strerror(errno)); 1193 1194 if (rexec_flag) { 1195 rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2)); 1196 for (i = 0; i < rexec_argc; i++) { 1197 debug("rexec_argv[%d]='%s'", i, saved_argv[i]); 1198 rexec_argv[i] = saved_argv[i]; 1199 } 1200 rexec_argv[rexec_argc] = "-R"; 1201 rexec_argv[rexec_argc + 1] = NULL; 1202 } 1203 1204 /* Initialize the log (it is reinitialized below in case we forked). */ 1205 if (debug_flag && !inetd_flag) 1206 log_stderr = 1; 1207 log_init(__progname, options.log_level, options.log_facility, log_stderr); 1208 1209 /* 1210 * If not in debugging mode, and not started from inetd, disconnect 1211 * from the controlling terminal, and fork. The original process 1212 * exits. 1213 */ 1214 if (!(debug_flag || inetd_flag || no_daemon_flag)) { 1215 #ifdef TIOCNOTTY 1216 int fd; 1217 #endif /* TIOCNOTTY */ 1218 if (daemon(0, 0) < 0) 1219 fatal("daemon() failed: %.200s", strerror(errno)); 1220 1221 /* Disconnect from the controlling tty. */ 1222 #ifdef TIOCNOTTY 1223 fd = open(_PATH_TTY, O_RDWR | O_NOCTTY); 1224 if (fd >= 0) { 1225 (void) ioctl(fd, TIOCNOTTY, NULL); 1226 close(fd); 1227 } 1228 #endif /* TIOCNOTTY */ 1229 } 1230 /* Reinitialize the log (because of the fork above). */ 1231 log_init(__progname, options.log_level, options.log_facility, log_stderr); 1232 1233 /* Initialize the random number generator. 
*/ 1234 arc4random_stir(); 1235 1236 /* Chdir to the root directory so that the current disk can be 1237 unmounted if desired. */ 1238 chdir("/"); 1239 1240 /* ignore SIGPIPE */ 1241 signal(SIGPIPE, SIG_IGN); 1242 1243 /* Start listening for a socket, unless started from inetd. */ 1244 if (inetd_flag) { 1245 int fd; 1246 1247 startup_pipe = -1; 1248 if (rexeced_flag) { 1249 close(REEXEC_CONFIG_PASS_FD); 1250 sock_in = sock_out = dup(STDIN_FILENO); 1251 if (!debug_flag) { 1252 startup_pipe = dup(REEXEC_STARTUP_PIPE_FD); 1253 close(REEXEC_STARTUP_PIPE_FD); 1254 } 1255 } else { 1256 sock_in = dup(STDIN_FILENO); 1257 sock_out = dup(STDOUT_FILENO); 1258 } 1259 /* 1260 * We intentionally do not close the descriptors 0, 1, and 2 1261 * as our code for setting the descriptors won't work if 1262 * ttyfd happens to be one of those. 1263 */ 1264 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { 1265 dup2(fd, STDIN_FILENO); 1266 dup2(fd, STDOUT_FILENO); 1267 if (fd > STDOUT_FILENO) 1268 close(fd); 1269 } 1270 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out); 1271 if ((options.protocol & SSH_PROTO_1) && 1272 sensitive_data.server_key == NULL) 1273 generate_ephemeral_server_key(); 1274 } else { 1275 for (ai = options.listen_addrs; ai; ai = ai->ai_next) { 1276 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1277 continue; 1278 if (num_listen_socks >= MAX_LISTEN_SOCKS) 1279 fatal("Too many listen sockets. " 1280 "Enlarge MAX_LISTEN_SOCKS"); 1281 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, 1282 ntop, sizeof(ntop), strport, sizeof(strport), 1283 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 1284 error("getnameinfo failed"); 1285 continue; 1286 } 1287 /* Create socket for listening. 
*/ 1288 listen_sock = socket(ai->ai_family, ai->ai_socktype, 1289 ai->ai_protocol); 1290 if (listen_sock < 0) { 1291 /* kernel may not support ipv6 */ 1292 verbose("socket: %.100s", strerror(errno)); 1293 continue; 1294 } 1295 if (set_nonblock(listen_sock) == -1) { 1296 close(listen_sock); 1297 continue; 1298 } 1299 /* 1300 * Set socket options. 1301 * Allow local port reuse in TIME_WAIT. 1302 */ 1303 if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, 1304 &on, sizeof(on)) == -1) 1305 error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 1306 1307 debug("Bind to port %s on %s.", strport, ntop); 1308 1309 /* Bind the socket to the desired port. */ 1310 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1311 if (!ai->ai_next) 1312 error("Bind to port %s on %s failed: %.200s.", 1313 strport, ntop, strerror(errno)); 1314 close(listen_sock); 1315 continue; 1316 } 1317 listen_socks[num_listen_socks] = listen_sock; 1318 num_listen_socks++; 1319 1320 /* Start listening on the port. */ 1321 logit("Server listening on %s port %s.", ntop, strport); 1322 if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0) 1323 fatal("listen: %.100s", strerror(errno)); 1324 1325 } 1326 freeaddrinfo(options.listen_addrs); 1327 1328 if (!num_listen_socks) 1329 fatal("Cannot bind any address."); 1330 1331 if (options.protocol & SSH_PROTO_1) 1332 generate_ephemeral_server_key(); 1333 1334 /* 1335 * Arrange to restart on SIGHUP. The handler needs 1336 * listen_sock. 1337 */ 1338 signal(SIGHUP, sighup_handler); 1339 1340 signal(SIGTERM, sigterm_handler); 1341 signal(SIGQUIT, sigterm_handler); 1342 1343 /* Arrange SIGCHLD to be caught. */ 1344 signal(SIGCHLD, main_sigchld_handler); 1345 1346 /* Write out the pid file after the sigterm handler is setup */ 1347 if (!debug_flag) { 1348 /* 1349 * Record our pid in /var/run/sshd.pid to make it 1350 * easier to kill the correct sshd. 
We don't want to 1351 * do this before the bind above because the bind will 1352 * fail if there already is a daemon, and this will 1353 * overwrite any old pid in the file. 1354 */ 1355 f = fopen(options.pid_file, "wb"); 1356 if (f == NULL) { 1357 error("Couldn't create pid file \"%s\": %s", 1358 options.pid_file, strerror(errno)); 1359 } else { 1360 fprintf(f, "%ld\n", (long) getpid()); 1361 fclose(f); 1362 } 1363 } 1364 1365 /* setup fd set for listen */ 1366 fdset = NULL; 1367 maxfd = 0; 1368 for (i = 0; i < num_listen_socks; i++) 1369 if (listen_socks[i] > maxfd) 1370 maxfd = listen_socks[i]; 1371 /* pipes connected to unauthenticated childs */ 1372 startup_pipes = xmalloc(options.max_startups * sizeof(int)); 1373 for (i = 0; i < options.max_startups; i++) 1374 startup_pipes[i] = -1; 1375 1376 /* 1377 * Stay listening for connections until the system crashes or 1378 * the daemon is killed with a signal. 1379 */ 1380 for (;;) { 1381 if (received_sighup) 1382 sighup_restart(); 1383 if (fdset != NULL) 1384 xfree(fdset); 1385 fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask); 1386 fdset = (fd_set *)xmalloc(fdsetsz); 1387 memset(fdset, 0, fdsetsz); 1388 1389 for (i = 0; i < num_listen_socks; i++) 1390 FD_SET(listen_socks[i], fdset); 1391 for (i = 0; i < options.max_startups; i++) 1392 if (startup_pipes[i] != -1) 1393 FD_SET(startup_pipes[i], fdset); 1394 1395 /* Wait in select until there is a connection. 
*/ 1396 ret = select(maxfd+1, fdset, NULL, NULL, NULL); 1397 if (ret < 0 && errno != EINTR) 1398 error("select: %.100s", strerror(errno)); 1399 if (received_sigterm) { 1400 logit("Received signal %d; terminating.", 1401 (int) received_sigterm); 1402 close_listen_socks(); 1403 unlink(options.pid_file); 1404 exit(255); 1405 } 1406 if (key_used && key_do_regen) { 1407 generate_ephemeral_server_key(); 1408 key_used = 0; 1409 key_do_regen = 0; 1410 } 1411 if (ret < 0) 1412 continue; 1413 1414 for (i = 0; i < options.max_startups; i++) 1415 if (startup_pipes[i] != -1 && 1416 FD_ISSET(startup_pipes[i], fdset)) { 1417 /* 1418 * the read end of the pipe is ready 1419 * if the child has closed the pipe 1420 * after successful authentication 1421 * or if the child has died 1422 */ 1423 close(startup_pipes[i]); 1424 startup_pipes[i] = -1; 1425 startups--; 1426 } 1427 for (i = 0; i < num_listen_socks; i++) { 1428 if (!FD_ISSET(listen_socks[i], fdset)) 1429 continue; 1430 fromlen = sizeof(from); 1431 newsock = accept(listen_socks[i], (struct sockaddr *)&from, 1432 &fromlen); 1433 if (newsock < 0) { 1434 if (errno != EINTR && errno != EWOULDBLOCK) 1435 error("accept: %.100s", strerror(errno)); 1436 continue; 1437 } 1438 if (unset_nonblock(newsock) == -1) { 1439 close(newsock); 1440 continue; 1441 } 1442 if (drop_connection(startups) == 1) { 1443 debug("drop connection #%d", startups); 1444 close(newsock); 1445 continue; 1446 } 1447 if (pipe(startup_p) == -1) { 1448 close(newsock); 1449 continue; 1450 } 1451 1452 if (rexec_flag && socketpair(AF_UNIX, 1453 SOCK_STREAM, 0, config_s) == -1) { 1454 error("reexec socketpair: %s", 1455 strerror(errno)); 1456 close(newsock); 1457 close(startup_p[0]); 1458 close(startup_p[1]); 1459 continue; 1460 } 1461 1462 for (j = 0; j < options.max_startups; j++) 1463 if (startup_pipes[j] == -1) { 1464 startup_pipes[j] = startup_p[0]; 1465 if (maxfd < startup_p[0]) 1466 maxfd = startup_p[0]; 1467 startups++; 1468 break; 1469 } 1470 1471 /* 1472 * Got 
connection. Fork a child to handle it, unless 1473 * we are in debugging mode. 1474 */ 1475 if (debug_flag) { 1476 /* 1477 * In debugging mode. Close the listening 1478 * socket, and start processing the 1479 * connection without forking. 1480 */ 1481 debug("Server will not fork when running in debugging mode."); 1482 close_listen_socks(); 1483 sock_in = newsock; 1484 sock_out = newsock; 1485 close(startup_p[0]); 1486 close(startup_p[1]); 1487 startup_pipe = -1; 1488 pid = getpid(); 1489 if (rexec_flag) { 1490 send_rexec_state(config_s[0], 1491 &cfg); 1492 close(config_s[0]); 1493 } 1494 break; 1495 } else { 1496 /* 1497 * Normal production daemon. Fork, and have 1498 * the child process the connection. The 1499 * parent continues listening. 1500 */ 1501 if ((pid = fork()) == 0) { 1502 /* 1503 * Child. Close the listening and max_startup 1504 * sockets. Start using the accepted socket. 1505 * Reinitialize logging (since our pid has 1506 * changed). We break out of the loop to handle 1507 * the connection. 1508 */ 1509 startup_pipe = startup_p[1]; 1510 close_startup_pipes(); 1511 close_listen_socks(); 1512 sock_in = newsock; 1513 sock_out = newsock; 1514 log_init(__progname, options.log_level, options.log_facility, log_stderr); 1515 close(config_s[0]); 1516 break; 1517 } 1518 } 1519 1520 /* Parent. Stay in the loop. */ 1521 if (pid < 0) 1522 error("fork: %.100s", strerror(errno)); 1523 else 1524 debug("Forked child %ld.", (long)pid); 1525 1526 close(startup_p[1]); 1527 1528 if (rexec_flag) { 1529 send_rexec_state(config_s[0], &cfg); 1530 close(config_s[0]); 1531 close(config_s[1]); 1532 } 1533 1534 /* Mark that the key has been used (it was "given" to the child). */ 1535 if ((options.protocol & SSH_PROTO_1) && 1536 key_used == 0) { 1537 /* Schedule server key regeneration alarm. 
*/ 1538 signal(SIGALRM, key_regeneration_alarm); 1539 alarm(options.key_regeneration_time); 1540 key_used = 1; 1541 } 1542 1543 arc4random_stir(); 1544 1545 /* Close the new socket (the child is now taking care of it). */ 1546 close(newsock); 1547 } 1548 /* child process check (or debug mode) */ 1549 if (num_listen_socks < 0) 1550 break; 1551 } 1552 } 1553 1554 /* This is the child processing a new connection. */ 1555 setproctitle("%s", "[accepted]"); 1556 1557 /* 1558 * Create a new session and process group since the 4.4BSD 1559 * setlogin() affects the entire process group. We don't 1560 * want the child to be able to affect the parent. 1561 */ 1562 #if !defined(SSHD_ACQUIRES_CTTY) 1563 /* 1564 * If setsid is called, on some platforms sshd will later acquire a 1565 * controlling terminal which will result in "could not set 1566 * controlling tty" errors. 1567 */ 1568 if (!debug_flag && !inetd_flag && setsid() < 0) 1569 error("setsid: %.100s", strerror(errno)); 1570 #endif 1571 1572 if (rexec_flag) { 1573 int fd; 1574 1575 debug("rexec start in %d out %d newsock %d pipe %d sock %d", 1576 sock_in, sock_out, newsock, startup_pipe, config_s[0]); 1577 dup2(newsock, STDIN_FILENO); 1578 dup2(STDIN_FILENO, STDOUT_FILENO); 1579 if (startup_pipe == -1) 1580 close(REEXEC_STARTUP_PIPE_FD); 1581 else 1582 dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD); 1583 1584 dup2(config_s[1], REEXEC_CONFIG_PASS_FD); 1585 close(config_s[1]); 1586 if (startup_pipe != -1) 1587 close(startup_pipe); 1588 1589 execv(rexec_argv[0], rexec_argv); 1590 1591 /* Reexec has failed, fall back and continue */ 1592 error("rexec of %s failed: %s", rexec_argv[0], strerror(errno)); 1593 recv_rexec_state(REEXEC_CONFIG_PASS_FD, NULL); 1594 log_init(__progname, options.log_level, 1595 options.log_facility, log_stderr); 1596 1597 /* Clean up fds */ 1598 startup_pipe = REEXEC_STARTUP_PIPE_FD; 1599 close(config_s[1]); 1600 close(REEXEC_CONFIG_PASS_FD); 1601 newsock = sock_out = sock_in = dup(STDIN_FILENO); 1602 if 
((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { 1603 dup2(fd, STDIN_FILENO); 1604 dup2(fd, STDOUT_FILENO); 1605 if (fd > STDERR_FILENO) 1606 close(fd); 1607 } 1608 debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d", 1609 sock_in, sock_out, newsock, startup_pipe, config_s[0]); 1610 } 1611 1612 /* 1613 * Disable the key regeneration alarm. We will not regenerate the 1614 * key since we are no longer in a position to give it to anyone. We 1615 * will not restart on SIGHUP since it no longer makes sense. 1616 */ 1617 alarm(0); 1618 signal(SIGALRM, SIG_DFL); 1619 signal(SIGHUP, SIG_DFL); 1620 signal(SIGTERM, SIG_DFL); 1621 signal(SIGQUIT, SIG_DFL); 1622 signal(SIGCHLD, SIG_DFL); 1623 signal(SIGINT, SIG_DFL); 1624 1625 /* Set SO_KEEPALIVE if requested. */ 1626 if (options.tcp_keep_alive && 1627 setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, 1628 sizeof(on)) < 0) 1629 error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); 1630 1631 #ifdef __FreeBSD__ 1632 /* 1633 * Initialize the resolver. This may not happen automatically 1634 * before privsep chroot(). 1635 */ 1636 if ((_res.options & RES_INIT) == 0) { 1637 debug("res_init()"); 1638 res_init(); 1639 } 1640 #endif 1641 1642 /* 1643 * Register our connection. This turns encryption off because we do 1644 * not have a key. 1645 */ 1646 packet_set_connection(sock_in, sock_out); 1647 1648 remote_port = get_remote_port(); 1649 remote_ip = get_remote_ipaddr(); 1650 1651 #ifdef LIBWRAP 1652 /* Check whether logins are denied from this host. */ 1653 if (packet_connection_is_on_socket()) { 1654 struct request_info req; 1655 1656 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); 1657 fromhost(&req); 1658 1659 if (!hosts_access(&req)) { 1660 debug("Connection refused by tcp wrapper"); 1661 refuse(&req); 1662 /* NOTREACHED */ 1663 fatal("libwrap refuse returns"); 1664 } 1665 } 1666 #endif /* LIBWRAP */ 1667 1668 /* Log the connection. 
*/ 1669 verbose("Connection from %.500s port %d", remote_ip, remote_port); 1670 1671 /* 1672 * We don\'t want to listen forever unless the other side 1673 * successfully authenticates itself. So we set up an alarm which is 1674 * cleared after successful authentication. A limit of zero 1675 * indicates no limit. Note that we don\'t set the alarm in debugging 1676 * mode; it is just annoying to have the server exit just when you 1677 * are about to discover the bug. 1678 */ 1679 signal(SIGALRM, grace_alarm_handler); 1680 if (!debug_flag) 1681 alarm(options.login_grace_time); 1682 1683 sshd_exchange_identification(sock_in, sock_out); 1684 1685 packet_set_nonblocking(); 1686 1687 /* prepare buffers to collect authentication messages */ 1688 buffer_init(&loginmsg); 1689 1690 /* allocate authentication context */ 1691 authctxt = xmalloc(sizeof(*authctxt)); 1692 memset(authctxt, 0, sizeof(*authctxt)); 1693 1694 /* XXX global for cleanup, access from other modules */ 1695 the_authctxt = authctxt; 1696 1697 if (use_privsep) 1698 if (privsep_preauth(authctxt) == 1) 1699 goto authenticated; 1700 1701 /* prepare buffer to collect messages to display to user after login */ 1702 buffer_init(&loginmsg); 1703 1704 /* perform the key exchange */ 1705 /* authenticate user and start session */ 1706 if (compat20) { 1707 do_ssh2_kex(); 1708 do_authentication2(authctxt); 1709 } else { 1710 do_ssh1_kex(); 1711 do_authentication(authctxt); 1712 } 1713 /* 1714 * If we use privilege separation, the unprivileged child transfers 1715 * the current keystate and exits 1716 */ 1717 if (use_privsep) { 1718 mm_send_keystate(pmonitor); 1719 exit(0); 1720 } 1721 1722 authenticated: 1723 /* 1724 * In privilege separation, we fork another child and prepare 1725 * file descriptor passing. 1726 */ 1727 if (use_privsep) { 1728 privsep_postauth(authctxt); 1729 /* the monitor process [priv] will not return */ 1730 if (!compat20) 1731 destroy_sensitive_data(); 1732 } 1733 1734 /* Start session. 
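*/
	do_authenticated(authctxt);

	/* The connection has been terminated. */
	verbose("Closing connection to %.100s", remote_ip);

#ifdef USE_PAM
	if (options.use_pam)
		finish_pam();
#endif /* USE_PAM */

	packet_close();

	if (use_privsep)
		mm_terminate();

	exit(0);
}

/*
 * Decrypt session_key_int in place using our private server key and private
 * host key (key with larger modulus first).
 *
 * Calls fatal() when the two moduli do not differ by at least
 * SSH_KEY_BITS_RESERVED bits.
 *
 * Returns the number of RSA decryptions that failed (0 on success).  The
 * caller must not report a non-zero result to the peer as a distinct error;
 * do_ssh1_kex() substitutes a fake session key instead.
 */
int
ssh1_session_key(BIGNUM *session_key_int)
{
	int rsafail = 0;

	if (BN_cmp(sensitive_data.server_key->rsa->n,
	    sensitive_data.ssh1_host_key->rsa->n) > 0) {
		/* Server key has bigger modulus. */
		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
		    SSH_KEY_BITS_RESERVED) {
			fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
			    get_remote_ipaddr(),
			    BN_num_bits(sensitive_data.server_key->rsa->n),
			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
			    SSH_KEY_BITS_RESERVED);
		}
		if (rsa_private_decrypt(session_key_int, session_key_int,
		    sensitive_data.server_key->rsa) <= 0)
			rsafail++;
		if (rsa_private_decrypt(session_key_int, session_key_int,
		    sensitive_data.ssh1_host_key->rsa) <= 0)
			rsafail++;
	} else {
		/* Host key has bigger modulus (or they are equal). */
		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
		    BN_num_bits(sensitive_data.server_key->rsa->n) +
		    SSH_KEY_BITS_RESERVED) {
			fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
			    get_remote_ipaddr(),
			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
			    BN_num_bits(sensitive_data.server_key->rsa->n),
			    SSH_KEY_BITS_RESERVED);
		}
		/*
		 * This branch used to test "< 0" while the branch above tests
		 * "<= 0".  Both now treat any non-positive return as a
		 * failure, so a zero-length result is never accepted as a
		 * decrypted value (fail closed).
		 * NOTE(review): confirm against rsa_private_decrypt()'s
		 * return contract; it is defined outside this file.
		 */
		if (rsa_private_decrypt(session_key_int, session_key_int,
		    sensitive_data.ssh1_host_key->rsa) <= 0)
			rsafail++;
		if (rsa_private_decrypt(session_key_int, session_key_int,
		    sensitive_data.server_key->rsa) <= 0)
			rsafail++;
	}
	return (rsafail);
}

/*
 * SSH1 key exchange.
 *
 * Sends the server and host public keys together with an 8-byte cookie,
 * reads the client's cipher choice and RSA-encrypted session key, decrypts
 * it (through PRIVSEP), derives the session id and switches the packet
 * layer to the negotiated cipher.  If decryption or the length check fails,
 * a fake session key is derived rather than reporting the failure.
 */
static void
do_ssh1_kex(void)
{
	int i, len;
	int rsafail = 0;
	BIGNUM *session_key_int;
	u_char session_key[SSH_SESSION_KEY_LENGTH];
	u_char cookie[8];
	u_int cipher_type, auth_mask, protocol_flags;
	u_int32_t rnd = 0;

	/*
	 * Generate check bytes that the client must send back in the user
	 * packet in order for it to be accepted; this is used to defy ip
	 * spoofing attacks.  Note that this only works against somebody
	 * doing IP spoofing from a remote machine; any machine on the local
	 * network can still see outgoing packets and catch the random
	 * cookie.  This only affects rhosts authentication, and this is one
	 * of the reasons why it is inherently insecure.
	 */
	for (i = 0; i < 8; i++) {
		/* One arc4random() word supplies four cookie bytes. */
		if (i % 4 == 0)
			rnd = arc4random();
		cookie[i] = rnd & 0xff;
		rnd >>= 8;
	}

	/*
	 * Send our public key.  We include in the packet 64 bits of random
	 * data that must be matched in the reply in order to prevent IP
	 * spoofing.
	 */
	packet_start(SSH_SMSG_PUBLIC_KEY);
	for (i = 0; i < 8; i++)
		packet_put_char(cookie[i]);

	/* Store our public server RSA key. */
	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
	packet_put_bignum(sensitive_data.server_key->rsa->e);
	packet_put_bignum(sensitive_data.server_key->rsa->n);

	/* Store our public host RSA key. */
	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);

	/* Put protocol flags. */
	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);

	/* Declare which ciphers we support. */
	packet_put_int(cipher_mask_ssh1(0));

	/* Declare supported authentication types. */
	auth_mask = 0;
	if (options.rhosts_rsa_authentication)
		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
	if (options.rsa_authentication)
		auth_mask |= 1 << SSH_AUTH_RSA;
	if (options.challenge_response_authentication == 1)
		auth_mask |= 1 << SSH_AUTH_TIS;
	if (options.password_authentication)
		auth_mask |= 1 << SSH_AUTH_PASSWORD;
	packet_put_int(auth_mask);

	/* Send the packet and wait for it to be sent. */
	packet_send();
	packet_write_wait();

	debug("Sent %d bit server key and %d bit host key.",
	    BN_num_bits(sensitive_data.server_key->rsa->n),
	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));

	/* Read clients reply (cipher type and session key). */
	packet_read_expect(SSH_CMSG_SESSION_KEY);

	/* Get cipher type and check whether we accept this. */
	cipher_type = packet_get_char();

	/*
	 * cipher_type comes straight from the client's packet.  Reject any
	 * value that is not a valid bit index before shifting: a shift by
	 * the width of the type or more is undefined behaviour, and the
	 * unsigned constant keeps bit 31 well defined.
	 */
	if (cipher_type >= sizeof(u_int) * 8 ||
	    !(cipher_mask_ssh1(0) & (1U << cipher_type)))
		packet_disconnect("Warning: client selects unsupported cipher.");

	/*
	 * Get check bytes from the packet.  These must match those we
	 * sent earlier with the public key packet.
	 */
	for (i = 0; i < 8; i++)
		if (cookie[i] != packet_get_char())
			packet_disconnect("IP Spoofing check bytes do not match.");

	debug("Encryption type: %.200s", cipher_name(cipher_type));

	/* Get the encrypted integer. */
	if ((session_key_int = BN_new()) == NULL)
		fatal("do_ssh1_kex: BN_new failed");
	packet_get_bignum(session_key_int);

	protocol_flags = packet_get_int();
	packet_set_protocol_flags(protocol_flags);
	packet_check_eom();

	/* Decrypt session_key_int using host/server keys */
	rsafail = PRIVSEP(ssh1_session_key(session_key_int));

	/*
	 * Extract session key from the decrypted integer.  The key is in the
	 * least significant 256 bits of the integer; the first byte of the
	 * key is in the highest bits.
	 */
	if (!rsafail) {
		BN_mask_bits(session_key_int, sizeof(session_key) * 8);
		len = BN_num_bytes(session_key_int);
		if (len < 0 || (size_t)len > sizeof(session_key)) {
			error("do_connection: bad session key len from %s: "
			    "session_key_int %d > sizeof(session_key) %lu",
			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
			rsafail++;
		} else {
			/* Right-align the value; leading bytes stay zero. */
			memset(session_key, 0, sizeof(session_key));
			BN_bn2bin(session_key_int,
			    session_key + sizeof(session_key) - len);

			derive_ssh1_session_id(
			    sensitive_data.ssh1_host_key->rsa->n,
			    sensitive_data.server_key->rsa->n,
			    cookie, session_id);
			/*
			 * Xor the first 16 bytes of the session key with the
			 * session id.
			 */
			for (i = 0; i < 16; i++)
				session_key[i] ^= session_id[i];
		}
	}
	if (rsafail) {
		/*
		 * Decryption or the length check failed.  Rather than
		 * disconnecting here, derive a fake key from the received
		 * integer and sensitive_data.ssh1_cookie and carry on, so
		 * the failure is not signalled to the client at this point
		 * (presumably to avoid acting as a decryption oracle).
		 */
		int bytes = BN_num_bytes(session_key_int);
		u_char *buf = xmalloc(bytes);
		MD5_CTX md;

		logit("do_connection: generating a fake encryption key");
		BN_bn2bin(session_key_int, buf);
		MD5_Init(&md);
		MD5_Update(&md, buf, bytes);
		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
		MD5_Final(session_key, &md);
		MD5_Init(&md);
		MD5_Update(&md, session_key, 16);
		MD5_Update(&md, buf, bytes);
		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
		MD5_Final(session_key + 16, &md);
		memset(buf, 0, bytes);
		xfree(buf);
		for (i = 0; i < 16; i++)
			session_id[i] = session_key[i] ^ session_key[i + 16];
	}
	/* Destroy the private and public keys; they are no longer needed. */
	destroy_sensitive_data();

	if (use_privsep)
		mm_ssh1_session_id(session_id);

	/* Destroy the decrypted integer.  It is no longer needed. */
	BN_clear_free(session_key_int);

	/* Set the session key.  From this on all communications will be encrypted. */
	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);

	/*
	 * Destroy our copy of the session key.  It is no longer needed.
	 * NOTE(review): a plain memset() of a local that is never read again
	 * may be removed by the optimizer; prefer a non-elidable zeroing
	 * helper if the project provides one.
	 */
	memset(session_key, 0, sizeof(session_key));

	debug("Received session key; encryption turned on.");

	/* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
	packet_start(SSH_SMSG_SUCCESS);
	packet_send();
	packet_write_wait();
}

/*
 * SSH2 key exchange.
 *
 * Applies the configured cipher, MAC and compression settings to
 * myproposal, registers the server-side handlers for the
 * KEX_DH_GRP1_SHA1, KEX_DH_GRP14_SHA1 and KEX_DH_GEX_SHA1 methods, runs the
 * dispatch loop until kex->done is set and records the resulting session id
 * in session_id2 / session_id2_len.
 */
static void
do_ssh2_kex(void)
{
	Kex *kex;

	if (options.ciphers != NULL) {
		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
	}
	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
	myproposal[PROPOSAL_ENC_ALGS_STOC] =
	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);

	if (options.macs != NULL) {
		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
	}
	if (!options.compression) {
		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
	}
	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();

	/* start key exchange */
	kex = kex_setup(myproposal);
	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
	kex->server = 1;
	kex->client_version_string = client_version_string;
	kex->server_version_string = server_version_string;
	kex->load_host_key = &get_hostkey_by_type;
	kex->host_key_index = &get_hostkey_index;

	/* Publish the kex state through the file-level xxx_kex pointer. */
	xxx_kex = kex;

	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);

	session_id2 = kex->session_id;
	session_id2_len = kex->session_id_len;

#ifdef DEBUG_KEXDH
	/* send 1st encrypted/maced/compressed message */
	packet_start(SSH2_MSG_IGNORE);
	packet_put_cstring("markus");
	packet_send();
	packet_write_wait();
#endif
	debug("KEX done");
}

/*
 * Server specific fatal cleanup: run do_cleanup() on the global
 * authentication context if one has been set, then terminate with
 * _exit(i).
 */
void
cleanup_exit(int i)
{
	if (the_authctxt)
		do_cleanup(the_authctxt);
	_exit(i);
}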