1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This program is the ssh daemon. It listens for connections from clients, 6 * and performs authentication, executes use commands or shell, and forwards 7 * information to/from the application to the user client over an encrypted 8 * connection. This can also handle forwarding of X11, TCP/IP, and 9 * authentication agent connections. 10 * 11 * As far as I am concerned, the code I have written for this software 12 * can be used freely for any purpose. Any derived versions of this 13 * software must be clearly marked as such, and if the derived work is 14 * incompatible with the protocol description in the RFC file, it must be 15 * called by a name other than "ssh" or "Secure Shell". 16 * 17 * SSH2 implementation: 18 * Privilege Separation: 19 * 20 * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. 21 * Copyright (c) 2002 Niels Provos. All rights reserved. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the above copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 33 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 34 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 35 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 36 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 37 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 38 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 39 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 41 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 42 */ 43 44 #include "includes.h" 45 RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $"); 46 RCSID("$FreeBSD$"); 47 48 #include <openssl/dh.h> 49 #include <openssl/bn.h> 50 #include <openssl/md5.h> 51 #include <openssl/rand.h> 52 #ifdef HAVE_SECUREWARE 53 #include <sys/security.h> 54 #include <prot.h> 55 #endif 56 57 #ifdef __FreeBSD__ 58 #include <resolv.h> 59 #ifdef GSSAPI 60 #include <gssapi/gssapi.h> 61 #endif 62 #endif 63 64 #include "ssh.h" 65 #include "ssh1.h" 66 #include "ssh2.h" 67 #include "xmalloc.h" 68 #include "rsa.h" 69 #include "sshpty.h" 70 #include "packet.h" 71 #include "log.h" 72 #include "servconf.h" 73 #include "uidswap.h" 74 #include "compat.h" 75 #include "buffer.h" 76 #include "bufaux.h" 77 #include "cipher.h" 78 #include "kex.h" 79 #include "key.h" 80 #include "dh.h" 81 #include "myproposal.h" 82 #include "authfile.h" 83 #include "pathnames.h" 84 #include "atomicio.h" 85 #include "canohost.h" 86 #include "auth.h" 87 #include "misc.h" 88 #include "msg.h" 89 #include "dispatch.h" 90 #include "channels.h" 91 #include "session.h" 92 #include "monitor_mm.h" 93 #include "monitor.h" 94 #include "monitor_wrap.h" 95 #include "monitor_fdpass.h" 96 97 #ifdef LIBWRAP 98 #include <tcpd.h> 99 #include <syslog.h> 100 int allow_severity = LOG_INFO; 101 int deny_severity = LOG_WARNING; 102 #endif /* LIBWRAP */ 103 104 #ifndef O_NOCTTY 105 #define O_NOCTTY 0 106 #endif 107 108 /* Re-exec fds */ 109 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 110 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 111 #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) 112 #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4) 113 114 extern char *__progname; 115 116 /* Server configuration options. */ 117 ServerOptions options; 118 119 /* Name of the server configuration file. */ 120 char *config_file_name = _PATH_SERVER_CONFIG_FILE; 121 122 /* 123 * Debug mode flag. This can be set on the command line. If debug 124 * mode is enabled, extra debugging output will be sent to the system 125 * log, the daemon will not go to background, and will exit after processing 126 * the first connection. 127 */ 128 int debug_flag = 0; 129 130 /* Flag indicating that the daemon should only test the configuration and keys. */ 131 int test_flag = 0; 132 133 /* Flag indicating that the daemon is being started from inetd. */ 134 int inetd_flag = 0; 135 136 /* Flag indicating that sshd should not detach and become a daemon. */ 137 int no_daemon_flag = 0; 138 139 /* debug goes to stderr unless inetd_flag is set */ 140 int log_stderr = 0; 141 142 /* Saved arguments to main(). */ 143 char **saved_argv; 144 int saved_argc; 145 146 /* re-exec */ 147 int rexeced_flag = 0; 148 int rexec_flag = 1; 149 int rexec_argc = 0; 150 char **rexec_argv; 151 152 /* 153 * The sockets that the server is listening; this is used in the SIGHUP 154 * signal handler. 155 */ 156 #define MAX_LISTEN_SOCKS 16 157 int listen_socks[MAX_LISTEN_SOCKS]; 158 int num_listen_socks = 0; 159 160 /* 161 * the client's version string, passed by sshd2 in compat mode. if != NULL, 162 * sshd will skip the version-number exchange 163 */ 164 char *client_version_string = NULL; 165 char *server_version_string = NULL; 166 167 /* for rekeying XXX fixme */ 168 Kex *xxx_kex; 169 170 /* 171 * Any really sensitive data in the application is contained in this 172 * structure. The idea is that this structure could be locked into memory so 173 * that the pages do not get written into swap. However, there are some 174 * problems. The private key contains BIGNUMs, and we do not (in principle) 175 * have access to the internals of them, and locking just the structure is 176 * not very useful. Currently, memory locking is not implemented. 177 */ 178 struct { 179 Key *server_key; /* ephemeral server key */ 180 Key *ssh1_host_key; /* ssh1 host key */ 181 Key **host_keys; /* all private host keys */ 182 int have_ssh1_key; 183 int have_ssh2_key; 184 u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH]; 185 } sensitive_data; 186 187 /* 188 * Flag indicating whether the RSA server key needs to be regenerated. 189 * Is set in the SIGALRM handler and cleared when the key is regenerated. 190 */ 191 static volatile sig_atomic_t key_do_regen = 0; 192 193 /* This is set to true when a signal is received. */ 194 static volatile sig_atomic_t received_sighup = 0; 195 static volatile sig_atomic_t received_sigterm = 0; 196 197 /* session identifier, used by RSA-auth */ 198 u_char session_id[16]; 199 200 /* same for ssh2 */ 201 u_char *session_id2 = NULL; 202 u_int session_id2_len = 0; 203 204 /* record remote hostname or ip */ 205 u_int utmp_len = MAXHOSTNAMELEN; 206 207 /* options.max_startup sized array of fd ints */ 208 int *startup_pipes = NULL; 209 int startup_pipe; /* in child */ 210 211 /* variables used for privilege separation */ 212 int use_privsep; 213 struct monitor *pmonitor = NULL; 214 215 /* global authentication context */ 216 Authctxt *the_authctxt = NULL; 217 218 /* message to be displayed after login */ 219 Buffer loginmsg; 220 221 /* Prototypes for various functions defined later in this file. */ 222 void destroy_sensitive_data(void); 223 void demote_sensitive_data(void); 224 225 static void do_ssh1_kex(void); 226 static void do_ssh2_kex(void); 227 228 /* 229 * Close all listening sockets 230 */ 231 static void 232 close_listen_socks(void) 233 { 234 int i; 235 236 for (i = 0; i < num_listen_socks; i++) 237 close(listen_socks[i]); 238 num_listen_socks = -1; 239 } 240 241 static void 242 close_startup_pipes(void) 243 { 244 int i; 245 246 if (startup_pipes) 247 for (i = 0; i < options.max_startups; i++) 248 if (startup_pipes[i] != -1) 249 close(startup_pipes[i]); 250 } 251 252 /* 253 * Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP; 254 * the effect is to reread the configuration file (and to regenerate 255 * the server key). 256 */ 257 static void 258 sighup_handler(int sig) 259 { 260 int save_errno = errno; 261 262 received_sighup = 1; 263 signal(SIGHUP, sighup_handler); 264 errno = save_errno; 265 } 266 267 /* 268 * Called from the main program after receiving SIGHUP. 269 * Restarts the server. 270 */ 271 static void 272 sighup_restart(void) 273 { 274 logit("Received SIGHUP; restarting."); 275 close_listen_socks(); 276 close_startup_pipes(); 277 execv(saved_argv[0], saved_argv); 278 logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], 279 strerror(errno)); 280 exit(1); 281 } 282 283 /* 284 * Generic signal handler for terminating signals in the master daemon. 285 */ 286 static void 287 sigterm_handler(int sig) 288 { 289 received_sigterm = sig; 290 } 291 292 /* 293 * SIGCHLD handler. This is called whenever a child dies. This will then 294 * reap any zombies left by exited children. 295 */ 296 static void 297 main_sigchld_handler(int sig) 298 { 299 int save_errno = errno; 300 pid_t pid; 301 int status; 302 303 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 304 (pid < 0 && errno == EINTR)) 305 ; 306 307 signal(SIGCHLD, main_sigchld_handler); 308 errno = save_errno; 309 } 310 311 /* 312 * Signal handler for the alarm after the login grace period has expired. 313 */ 314 static void 315 grace_alarm_handler(int sig) 316 { 317 /* XXX no idea how fix this signal handler */ 318 319 if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) 320 kill(pmonitor->m_pid, SIGALRM); 321 322 /* Log error and exit. */ 323 fatal("Timeout before authentication for %s", get_remote_ipaddr()); 324 } 325 326 /* 327 * Signal handler for the key regeneration alarm. Note that this 328 * alarm only occurs in the daemon waiting for connections, and it does not 329 * do anything with the private key or random state before forking. 330 * Thus there should be no concurrency control/asynchronous execution 331 * problems. 332 */ 333 static void 334 generate_ephemeral_server_key(void) 335 { 336 u_int32_t rnd = 0; 337 int i; 338 339 verbose("Generating %s%d bit RSA key.", 340 sensitive_data.server_key ? "new " : "", options.server_key_bits); 341 if (sensitive_data.server_key != NULL) 342 key_free(sensitive_data.server_key); 343 sensitive_data.server_key = key_generate(KEY_RSA1, 344 options.server_key_bits); 345 verbose("RSA key generation complete."); 346 347 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 348 if (i % 4 == 0) 349 rnd = arc4random(); 350 sensitive_data.ssh1_cookie[i] = rnd & 0xff; 351 rnd >>= 8; 352 } 353 arc4random_stir(); 354 } 355 356 static void 357 key_regeneration_alarm(int sig) 358 { 359 int save_errno = errno; 360 361 signal(SIGALRM, SIG_DFL); 362 errno = save_errno; 363 key_do_regen = 1; 364 } 365 366 static void 367 sshd_exchange_identification(int sock_in, int sock_out) 368 { 369 u_int i; 370 int mismatch; 371 int remote_major, remote_minor; 372 int major, minor; 373 char *s; 374 char buf[256]; /* Must not be larger than remote_version. */ 375 char remote_version[256]; /* Must be at least as big as buf. */ 376 377 if ((options.protocol & SSH_PROTO_1) && 378 (options.protocol & SSH_PROTO_2)) { 379 major = PROTOCOL_MAJOR_1; 380 minor = 99; 381 } else if (options.protocol & SSH_PROTO_2) { 382 major = PROTOCOL_MAJOR_2; 383 minor = PROTOCOL_MINOR_2; 384 } else { 385 major = PROTOCOL_MAJOR_1; 386 minor = PROTOCOL_MINOR_1; 387 } 388 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); 389 server_version_string = xstrdup(buf); 390 391 /* Send our protocol version identification. */ 392 if (atomicio(vwrite, sock_out, server_version_string, 393 strlen(server_version_string)) 394 != strlen(server_version_string)) { 395 logit("Could not write ident string to %s", get_remote_ipaddr()); 396 cleanup_exit(255); 397 } 398 399 /* Read other sides version identification. */ 400 memset(buf, 0, sizeof(buf)); 401 for (i = 0; i < sizeof(buf) - 1; i++) { 402 if (atomicio(read, sock_in, &buf[i], 1) != 1) { 403 logit("Did not receive identification string from %s", 404 get_remote_ipaddr()); 405 cleanup_exit(255); 406 } 407 if (buf[i] == '\r') { 408 buf[i] = 0; 409 /* Kludge for F-Secure Macintosh < 1.0.2 */ 410 if (i == 12 && 411 strncmp(buf, "SSH-1.5-W1.0", 12) == 0) 412 break; 413 continue; 414 } 415 if (buf[i] == '\n') { 416 buf[i] = 0; 417 break; 418 } 419 } 420 buf[sizeof(buf) - 1] = 0; 421 client_version_string = xstrdup(buf); 422 423 /* 424 * Check that the versions match. In future this might accept 425 * several versions and set appropriate flags to handle them. 426 */ 427 if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n", 428 &remote_major, &remote_minor, remote_version) != 3) { 429 s = "Protocol mismatch.\n"; 430 (void) atomicio(vwrite, sock_out, s, strlen(s)); 431 close(sock_in); 432 close(sock_out); 433 logit("Bad protocol version identification '%.100s' from %s", 434 client_version_string, get_remote_ipaddr()); 435 cleanup_exit(255); 436 } 437 debug("Client protocol version %d.%d; client software version %.100s", 438 remote_major, remote_minor, remote_version); 439 440 compat_datafellows(remote_version); 441 442 if (datafellows & SSH_BUG_PROBE) { 443 logit("probed from %s with %s. Don't panic.", 444 get_remote_ipaddr(), client_version_string); 445 cleanup_exit(255); 446 } 447 448 if (datafellows & SSH_BUG_SCANNER) { 449 logit("scanned from %s with %s. Don't panic.", 450 get_remote_ipaddr(), client_version_string); 451 cleanup_exit(255); 452 } 453 454 mismatch = 0; 455 switch (remote_major) { 456 case 1: 457 if (remote_minor == 99) { 458 if (options.protocol & SSH_PROTO_2) 459 enable_compat20(); 460 else 461 mismatch = 1; 462 break; 463 } 464 if (!(options.protocol & SSH_PROTO_1)) { 465 mismatch = 1; 466 break; 467 } 468 if (remote_minor < 3) { 469 packet_disconnect("Your ssh version is too old and " 470 "is no longer supported. Please install a newer version."); 471 } else if (remote_minor == 3) { 472 /* note that this disables agent-forwarding */ 473 enable_compat13(); 474 } 475 break; 476 case 2: 477 if (options.protocol & SSH_PROTO_2) { 478 enable_compat20(); 479 break; 480 } 481 /* FALLTHROUGH */ 482 default: 483 mismatch = 1; 484 break; 485 } 486 chop(server_version_string); 487 debug("Local version string %.200s", server_version_string); 488 489 if (mismatch) { 490 s = "Protocol major versions differ.\n"; 491 (void) atomicio(vwrite, sock_out, s, strlen(s)); 492 close(sock_in); 493 close(sock_out); 494 logit("Protocol major versions differ for %s: %.200s vs. %.200s", 495 get_remote_ipaddr(), 496 server_version_string, client_version_string); 497 cleanup_exit(255); 498 } 499 } 500 501 /* Destroy the host and server keys. They will no longer be needed. */ 502 void 503 destroy_sensitive_data(void) 504 { 505 int i; 506 507 if (sensitive_data.server_key) { 508 key_free(sensitive_data.server_key); 509 sensitive_data.server_key = NULL; 510 } 511 for (i = 0; i < options.num_host_key_files; i++) { 512 if (sensitive_data.host_keys[i]) { 513 key_free(sensitive_data.host_keys[i]); 514 sensitive_data.host_keys[i] = NULL; 515 } 516 } 517 sensitive_data.ssh1_host_key = NULL; 518 memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH); 519 } 520 521 /* Demote private to public keys for network child */ 522 void 523 demote_sensitive_data(void) 524 { 525 Key *tmp; 526 int i; 527 528 if (sensitive_data.server_key) { 529 tmp = key_demote(sensitive_data.server_key); 530 key_free(sensitive_data.server_key); 531 sensitive_data.server_key = tmp; 532 } 533 534 for (i = 0; i < options.num_host_key_files; i++) { 535 if (sensitive_data.host_keys[i]) { 536 tmp = key_demote(sensitive_data.host_keys[i]); 537 key_free(sensitive_data.host_keys[i]); 538 sensitive_data.host_keys[i] = tmp; 539 if (tmp->type == KEY_RSA1) 540 sensitive_data.ssh1_host_key = tmp; 541 } 542 } 543 544 /* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */ 545 } 546 547 static void 548 privsep_preauth_child(void) 549 { 550 u_int32_t rnd[256]; 551 gid_t gidset[1]; 552 struct passwd *pw; 553 int i; 554 555 /* Enable challenge-response authentication for privilege separation */ 556 privsep_challenge_enable(); 557 558 for (i = 0; i < 256; i++) 559 rnd[i] = arc4random(); 560 RAND_seed(rnd, sizeof(rnd)); 561 562 /* Demote the private keys to public keys. */ 563 demote_sensitive_data(); 564 565 if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) 566 fatal("Privilege separation user %s does not exist", 567 SSH_PRIVSEP_USER); 568 memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); 569 endpwent(); 570 571 /* Change our root directory */ 572 if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) 573 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, 574 strerror(errno)); 575 if (chdir("/") == -1) 576 fatal("chdir(\"/\"): %s", strerror(errno)); 577 578 /* Drop our privileges */ 579 debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, 580 (u_int)pw->pw_gid); 581 #if 0 582 /* XXX not ready, too heavy after chroot */ 583 do_setusercontext(pw); 584 #else 585 gidset[0] = pw->pw_gid; 586 if (setgroups(1, gidset) < 0) 587 fatal("setgroups: %.100s", strerror(errno)); 588 permanently_set_uid(pw); 589 #endif 590 } 591 592 static int 593 privsep_preauth(Authctxt *authctxt) 594 { 595 int status; 596 pid_t pid; 597 598 /* Set up unprivileged child process to deal with network data */ 599 pmonitor = monitor_init(); 600 /* Store a pointer to the kex for later rekeying */ 601 pmonitor->m_pkex = &xxx_kex; 602 603 pid = fork(); 604 if (pid == -1) { 605 fatal("fork of unprivileged child failed"); 606 } else if (pid != 0) { 607 debug2("Network child is on pid %ld", (long)pid); 608 609 close(pmonitor->m_recvfd); 610 pmonitor->m_pid = pid; 611 monitor_child_preauth(authctxt, pmonitor); 612 close(pmonitor->m_sendfd); 613 614 /* Sync memory */ 615 monitor_sync(pmonitor); 616 617 /* Wait for the child's exit status */ 618 while (waitpid(pid, &status, 0) < 0) 619 if (errno != EINTR) 620 break; 621 return (1); 622 } else { 623 /* child */ 624 625 close(pmonitor->m_sendfd); 626 627 /* Demote the child */ 628 if (getuid() == 0 || geteuid() == 0) 629 privsep_preauth_child(); 630 setproctitle("%s", "[net]"); 631 } 632 return (0); 633 } 634 635 static void 636 privsep_postauth(Authctxt *authctxt) 637 { 638 #ifdef DISABLE_FD_PASSING 639 if (1) { 640 #else 641 if (authctxt->pw->pw_uid == 0 || options.use_login) { 642 #endif 643 /* File descriptor passing is broken or root login */ 644 use_privsep = 0; 645 goto skip; 646 } 647 648 /* New socket pair */ 649 monitor_reinit(pmonitor); 650 651 pmonitor->m_pid = fork(); 652 if (pmonitor->m_pid == -1) 653 fatal("fork of unprivileged child failed"); 654 else if (pmonitor->m_pid != 0) { 655 debug2("User child is on pid %ld", (long)pmonitor->m_pid); 656 close(pmonitor->m_recvfd); 657 buffer_clear(&loginmsg); 658 monitor_child_postauth(pmonitor); 659 660 /* NEVERREACHED */ 661 exit(0); 662 } 663 664 close(pmonitor->m_sendfd); 665 666 /* Demote the private keys to public keys. */ 667 demote_sensitive_data(); 668 669 /* Drop privileges */ 670 do_setusercontext(authctxt->pw); 671 672 skip: 673 /* It is safe now to apply the key state */ 674 monitor_apply_keystate(pmonitor); 675 676 /* 677 * Tell the packet layer that authentication was successful, since 678 * this information is not part of the key state. 679 */ 680 packet_set_authenticated(); 681 } 682 683 static char * 684 list_hostkey_types(void) 685 { 686 Buffer b; 687 const char *p; 688 char *ret; 689 int i; 690 691 buffer_init(&b); 692 for (i = 0; i < options.num_host_key_files; i++) { 693 Key *key = sensitive_data.host_keys[i]; 694 if (key == NULL) 695 continue; 696 switch (key->type) { 697 case KEY_RSA: 698 case KEY_DSA: 699 if (buffer_len(&b) > 0) 700 buffer_append(&b, ",", 1); 701 p = key_ssh_name(key); 702 buffer_append(&b, p, strlen(p)); 703 break; 704 } 705 } 706 buffer_append(&b, "\0", 1); 707 ret = xstrdup(buffer_ptr(&b)); 708 buffer_free(&b); 709 debug("list_hostkey_types: %s", ret); 710 return ret; 711 } 712 713 Key * 714 get_hostkey_by_type(int type) 715 { 716 int i; 717 718 for (i = 0; i < options.num_host_key_files; i++) { 719 Key *key = sensitive_data.host_keys[i]; 720 if (key != NULL && key->type == type) 721 return key; 722 } 723 return NULL; 724 } 725 726 Key * 727 get_hostkey_by_index(int ind) 728 { 729 if (ind < 0 || ind >= options.num_host_key_files) 730 return (NULL); 731 return (sensitive_data.host_keys[ind]); 732 } 733 734 int 735 get_hostkey_index(Key *key) 736 { 737 int i; 738 739 for (i = 0; i < options.num_host_key_files; i++) { 740 if (key == sensitive_data.host_keys[i]) 741 return (i); 742 } 743 return (-1); 744 } 745 746 /* 747 * returns 1 if connection should be dropped, 0 otherwise. 748 * dropping starts at connection #max_startups_begin with a probability 749 * of (max_startups_rate/100). the probability increases linearly until 750 * all connections are dropped for startups > max_startups 751 */ 752 static int 753 drop_connection(int startups) 754 { 755 int p, r; 756 757 if (startups < options.max_startups_begin) 758 return 0; 759 if (startups >= options.max_startups) 760 return 1; 761 if (options.max_startups_rate == 100) 762 return 1; 763 764 p = 100 - options.max_startups_rate; 765 p *= startups - options.max_startups_begin; 766 p /= options.max_startups - options.max_startups_begin; 767 p += options.max_startups_rate; 768 r = arc4random() % 100; 769 770 debug("drop_connection: p %d, r %d", p, r); 771 return (r < p) ? 1 : 0; 772 } 773 774 static void 775 usage(void) 776 { 777 fprintf(stderr, "%s, %s\n", 778 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); 779 fprintf(stderr, 780 "usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n" 781 " [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" 782 ); 783 exit(1); 784 } 785 786 static void 787 send_rexec_state(int fd, Buffer *conf) 788 { 789 Buffer m; 790 791 debug3("%s: entering fd = %d config len %d", __func__, fd, 792 buffer_len(conf)); 793 794 /* 795 * Protocol from reexec master to child: 796 * string configuration 797 * u_int ephemeral_key_follows 798 * bignum e (only if ephemeral_key_follows == 1) 799 * bignum n " 800 * bignum d " 801 * bignum iqmp " 802 * bignum p " 803 * bignum q " 804 * string rngseed (only if OpenSSL is not self-seeded) 805 */ 806 buffer_init(&m); 807 buffer_put_cstring(&m, buffer_ptr(conf)); 808 809 if (sensitive_data.server_key != NULL && 810 sensitive_data.server_key->type == KEY_RSA1) { 811 buffer_put_int(&m, 1); 812 buffer_put_bignum(&m, sensitive_data.server_key->rsa->e); 813 buffer_put_bignum(&m, sensitive_data.server_key->rsa->n); 814 buffer_put_bignum(&m, sensitive_data.server_key->rsa->d); 815 buffer_put_bignum(&m, sensitive_data.server_key->rsa->iqmp); 816 buffer_put_bignum(&m, sensitive_data.server_key->rsa->p); 817 buffer_put_bignum(&m, sensitive_data.server_key->rsa->q); 818 } else 819 buffer_put_int(&m, 0); 820 821 #ifndef OPENSSL_PRNG_ONLY 822 rexec_send_rng_seed(&m); 823 #endif 824 825 if (ssh_msg_send(fd, 0, &m) == -1) 826 fatal("%s: ssh_msg_send failed", __func__); 827 828 buffer_free(&m); 829 830 debug3("%s: done", __func__); 831 } 832 833 static void 834 recv_rexec_state(int fd, Buffer *conf) 835 { 836 Buffer m; 837 char *cp; 838 u_int len; 839 840 debug3("%s: entering fd = %d", __func__, fd); 841 842 buffer_init(&m); 843 844 if (ssh_msg_recv(fd, &m) == -1) 845 fatal("%s: ssh_msg_recv failed", __func__); 846 if (buffer_get_char(&m) != 0) 847 fatal("%s: rexec version mismatch", __func__); 848 849 cp = buffer_get_string(&m, &len); 850 if (conf != NULL) 851 buffer_append(conf, cp, len + 1); 852 xfree(cp); 853 854 if (buffer_get_int(&m)) { 855 if (sensitive_data.server_key != NULL) 856 key_free(sensitive_data.server_key); 857 sensitive_data.server_key = key_new_private(KEY_RSA1); 858 buffer_get_bignum(&m, sensitive_data.server_key->rsa->e); 859 buffer_get_bignum(&m, sensitive_data.server_key->rsa->n); 860 buffer_get_bignum(&m, sensitive_data.server_key->rsa->d); 861 buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp); 862 buffer_get_bignum(&m, sensitive_data.server_key->rsa->p); 863 buffer_get_bignum(&m, sensitive_data.server_key->rsa->q); 864 rsa_generate_additional_parameters( 865 sensitive_data.server_key->rsa); 866 } 867 868 #ifndef OPENSSL_PRNG_ONLY 869 rexec_recv_rng_seed(&m); 870 #endif 871 872 buffer_free(&m); 873 874 debug3("%s: done", __func__); 875 } 876 877 /* 878 * Main program for the daemon. 879 */ 880 int 881 main(int ac, char **av) 882 { 883 extern char *optarg; 884 extern int optind; 885 int opt, j, i, fdsetsz, on = 1; 886 int sock_in = -1, sock_out = -1, newsock = -1; 887 pid_t pid; 888 socklen_t fromlen; 889 fd_set *fdset; 890 struct sockaddr_storage from; 891 const char *remote_ip; 892 int remote_port; 893 FILE *f; 894 struct addrinfo *ai; 895 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 896 char *line; 897 int listen_sock, maxfd; 898 int startup_p[2] = { -1 , -1 }, config_s[2] = { -1 , -1 }; 899 int startups = 0; 900 Key *key; 901 Authctxt *authctxt; 902 int ret, key_used = 0; 903 Buffer cfg; 904 905 #ifdef HAVE_SECUREWARE 906 (void)set_auth_parameters(ac, av); 907 #endif 908 __progname = ssh_get_progname(av[0]); 909 init_rng(); 910 911 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ 912 saved_argc = ac; 913 rexec_argc = ac; 914 saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1)); 915 for (i = 0; i < ac; i++) 916 saved_argv[i] = xstrdup(av[i]); 917 saved_argv[i] = NULL; 918 919 #ifndef HAVE_SETPROCTITLE 920 /* Prepare for later setproctitle emulation */ 921 compat_init_setproctitle(ac, av); 922 av = saved_argv; 923 #endif 924 925 if (geteuid() == 0 && setgroups(0, NULL) == -1) 926 debug("setgroups(): %.200s", strerror(errno)); 927 928 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ 929 sanitise_stdfd(); 930 931 /* Initialize configuration options to their default values. */ 932 initialize_server_options(&options); 933 934 /* Parse command-line arguments. */ 935 while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) { 936 switch (opt) { 937 case '4': 938 options.address_family = AF_INET; 939 break; 940 case '6': 941 options.address_family = AF_INET6; 942 break; 943 case 'f': 944 config_file_name = optarg; 945 break; 946 case 'd': 947 if (debug_flag == 0) { 948 debug_flag = 1; 949 options.log_level = SYSLOG_LEVEL_DEBUG1; 950 } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) 951 options.log_level++; 952 break; 953 case 'D': 954 no_daemon_flag = 1; 955 break; 956 case 'e': 957 log_stderr = 1; 958 break; 959 case 'i': 960 inetd_flag = 1; 961 break; 962 case 'r': 963 rexec_flag = 0; 964 break; 965 case 'R': 966 rexeced_flag = 1; 967 inetd_flag = 1; 968 break; 969 case 'Q': 970 /* ignored */ 971 break; 972 case 'q': 973 options.log_level = SYSLOG_LEVEL_QUIET; 974 break; 975 case 'b': 976 options.server_key_bits = atoi(optarg); 977 break; 978 case 'p': 979 options.ports_from_cmdline = 1; 980 if (options.num_ports >= MAX_PORTS) { 981 fprintf(stderr, "too many ports.\n"); 982 exit(1); 983 } 984 options.ports[options.num_ports++] = a2port(optarg); 985 if (options.ports[options.num_ports-1] == 0) { 986 fprintf(stderr, "Bad port number.\n"); 987 exit(1); 988 } 989 break; 990 case 'g': 991 if ((options.login_grace_time = convtime(optarg)) == -1) { 992 fprintf(stderr, "Invalid login grace time.\n"); 993 exit(1); 994 } 995 break; 996 case 'k': 997 if ((options.key_regeneration_time = convtime(optarg)) == -1) { 998 fprintf(stderr, "Invalid key regeneration interval.\n"); 999 exit(1); 1000 } 1001 break; 1002 case 'h': 1003 if (options.num_host_key_files >= MAX_HOSTKEYS) { 1004 fprintf(stderr, "too many host keys.\n"); 1005 exit(1); 1006 } 1007 options.host_key_files[options.num_host_key_files++] = optarg; 1008 break; 1009 case 't': 1010 test_flag = 1; 1011 break; 1012 case 'u': 1013 utmp_len = atoi(optarg); 1014 if (utmp_len > MAXHOSTNAMELEN) { 1015 fprintf(stderr, "Invalid utmp length.\n"); 1016 exit(1); 1017 } 1018 break; 1019 case 'o': 1020 line = xstrdup(optarg); 1021 if (process_server_config_line(&options, line, 1022 "command-line", 0) != 0) 1023 exit(1); 1024 xfree(line); 1025 break; 1026 case '?': 1027 default: 1028 usage(); 1029 break; 1030 } 1031 } 1032 if (rexeced_flag || inetd_flag) 1033 rexec_flag = 0; 1034 if (rexec_flag && (av[0] == NULL || *av[0] != '/')) 1035 fatal("sshd re-exec requires execution with an absolute path"); 1036 if (rexeced_flag) 1037 closefrom(REEXEC_MIN_FREE_FD); 1038 else 1039 closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); 1040 1041 SSLeay_add_all_algorithms(); 1042 1043 /* 1044 * Force logging to stderr until we have loaded the private host 1045 * key (unless started from inetd) 1046 */ 1047 log_init(__progname, 1048 options.log_level == SYSLOG_LEVEL_NOT_SET ? 1049 SYSLOG_LEVEL_INFO : options.log_level, 1050 options.log_facility == SYSLOG_FACILITY_NOT_SET ? 1051 SYSLOG_FACILITY_AUTH : options.log_facility, 1052 log_stderr || !inetd_flag); 1053 1054 /* 1055 * Unset KRB5CCNAME, otherwise the user's session may inherit it from 1056 * root's environment 1057 */ 1058 if (getenv("KRB5CCNAME") != NULL) 1059 unsetenv("KRB5CCNAME"); 1060 1061 #ifdef _UNICOS 1062 /* Cray can define user privs drop all privs now! 1063 * Not needed on PRIV_SU systems! 1064 */ 1065 drop_cray_privs(); 1066 #endif 1067 1068 sensitive_data.server_key = NULL; 1069 sensitive_data.ssh1_host_key = NULL; 1070 sensitive_data.have_ssh1_key = 0; 1071 sensitive_data.have_ssh2_key = 0; 1072 1073 /* Fetch our configuration */ 1074 buffer_init(&cfg); 1075 if (rexeced_flag) 1076 recv_rexec_state(REEXEC_CONFIG_PASS_FD, &cfg); 1077 else 1078 load_server_config(config_file_name, &cfg); 1079 1080 parse_server_config(&options, 1081 rexeced_flag ? "rexec" : config_file_name, &cfg); 1082 1083 if (!rexec_flag) 1084 buffer_free(&cfg); 1085 1086 seed_rng(); 1087 1088 /* Fill in default values for those options not explicitly set. */ 1089 fill_default_server_options(&options); 1090 1091 /* set default channel AF */ 1092 channel_set_af(options.address_family); 1093 1094 /* Check that there are no remaining arguments. */ 1095 if (optind < ac) { 1096 fprintf(stderr, "Extra argument %s.\n", av[optind]); 1097 exit(1); 1098 } 1099 1100 debug("sshd version %.100s", SSH_RELEASE); 1101 1102 /* load private host keys */ 1103 sensitive_data.host_keys = xmalloc(options.num_host_key_files * 1104 sizeof(Key *)); 1105 for (i = 0; i < options.num_host_key_files; i++) 1106 sensitive_data.host_keys[i] = NULL; 1107 1108 for (i = 0; i < options.num_host_key_files; i++) { 1109 key = key_load_private(options.host_key_files[i], "", NULL); 1110 sensitive_data.host_keys[i] = key; 1111 if (key == NULL) { 1112 error("Could not load host key: %s", 1113 options.host_key_files[i]); 1114 sensitive_data.host_keys[i] = NULL; 1115 continue; 1116 } 1117 switch (key->type) { 1118 case KEY_RSA1: 1119 sensitive_data.ssh1_host_key = key; 1120 sensitive_data.have_ssh1_key = 1; 1121 break; 1122 case KEY_RSA: 1123 case KEY_DSA: 1124 sensitive_data.have_ssh2_key = 1; 1125 break; 1126 } 1127 debug("private host key: #%d type %d %s", i, key->type, 1128 key_type(key)); 1129 } 1130 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { 1131 logit("Disabling protocol version 1. Could not load host key"); 1132 options.protocol &= ~SSH_PROTO_1; 1133 } 1134 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { 1135 logit("Disabling protocol version 2. Could not load host key"); 1136 options.protocol &= ~SSH_PROTO_2; 1137 } 1138 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 1139 logit("sshd: no hostkeys available -- exiting."); 1140 exit(1); 1141 } 1142 1143 /* Check certain values for sanity. */ 1144 if (options.protocol & SSH_PROTO_1) { 1145 if (options.server_key_bits < 512 || 1146 options.server_key_bits > 32768) { 1147 fprintf(stderr, "Bad server key size.\n"); 1148 exit(1); 1149 } 1150 /* 1151 * Check that server and host key lengths differ sufficiently. This 1152 * is necessary to make double encryption work with rsaref. Oh, I 1153 * hate software patents. I dont know if this can go? Niels 1154 */ 1155 if (options.server_key_bits > 1156 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - 1157 SSH_KEY_BITS_RESERVED && options.server_key_bits < 1158 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + 1159 SSH_KEY_BITS_RESERVED) { 1160 options.server_key_bits = 1161 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + 1162 SSH_KEY_BITS_RESERVED; 1163 debug("Forcing server key to %d bits to make it differ from host key.", 1164 options.server_key_bits); 1165 } 1166 } 1167 1168 if (use_privsep) { 1169 struct passwd *pw; 1170 struct stat st; 1171 1172 if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) 1173 fatal("Privilege separation user %s does not exist", 1174 SSH_PRIVSEP_USER); 1175 if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || 1176 (S_ISDIR(st.st_mode) == 0)) 1177 fatal("Missing privilege separation directory: %s", 1178 _PATH_PRIVSEP_CHROOT_DIR); 1179 1180 #ifdef HAVE_CYGWIN 1181 if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && 1182 (st.st_uid != getuid () || 1183 (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) 1184 #else 1185 if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) 1186 #endif 1187 fatal("%s must be owned by root and not group or " 1188 "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); 1189 } 1190 1191 /* Configuration looks good, so exit if in test mode. */ 1192 if (test_flag) 1193 exit(0); 1194 1195 /* 1196 * Clear out any supplemental groups we may have inherited. This 1197 * prevents inadvertent creation of files with bad modes (in the 1198 * portable version at least, it's certainly possible for PAM 1199 * to create a file, and we can't control the code in every 1200 * module which might be used). 1201 */ 1202 if (setgroups(0, NULL) < 0) 1203 debug("setgroups() failed: %.200s", strerror(errno)); 1204 1205 if (rexec_flag) { 1206 rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2)); 1207 for (i = 0; i < rexec_argc; i++) { 1208 debug("rexec_argv[%d]='%s'", i, saved_argv[i]); 1209 rexec_argv[i] = saved_argv[i]; 1210 } 1211 rexec_argv[rexec_argc] = "-R"; 1212 rexec_argv[rexec_argc + 1] = NULL; 1213 } 1214 1215 /* Initialize the log (it is reinitialized below in case we forked). */ 1216 if (debug_flag && (!inetd_flag || rexeced_flag)) 1217 log_stderr = 1; 1218 log_init(__progname, options.log_level, options.log_facility, log_stderr); 1219 1220 /* 1221 * If not in debugging mode, and not started from inetd, disconnect 1222 * from the controlling terminal, and fork. The original process 1223 * exits. 1224 */ 1225 if (!(debug_flag || inetd_flag || no_daemon_flag)) { 1226 #ifdef TIOCNOTTY 1227 int fd; 1228 #endif /* TIOCNOTTY */ 1229 if (daemon(0, 0) < 0) 1230 fatal("daemon() failed: %.200s", strerror(errno)); 1231 1232 /* Disconnect from the controlling tty. */ 1233 #ifdef TIOCNOTTY 1234 fd = open(_PATH_TTY, O_RDWR | O_NOCTTY); 1235 if (fd >= 0) { 1236 (void) ioctl(fd, TIOCNOTTY, NULL); 1237 close(fd); 1238 } 1239 #endif /* TIOCNOTTY */ 1240 } 1241 /* Reinitialize the log (because of the fork above). */ 1242 log_init(__progname, options.log_level, options.log_facility, log_stderr); 1243 1244 /* Initialize the random number generator. */ 1245 arc4random_stir(); 1246 1247 /* Chdir to the root directory so that the current disk can be 1248 unmounted if desired. */ 1249 chdir("/"); 1250 1251 /* ignore SIGPIPE */ 1252 signal(SIGPIPE, SIG_IGN); 1253 1254 /* Start listening for a socket, unless started from inetd. */ 1255 if (inetd_flag) { 1256 int fd; 1257 1258 startup_pipe = -1; 1259 if (rexeced_flag) { 1260 close(REEXEC_CONFIG_PASS_FD); 1261 sock_in = sock_out = dup(STDIN_FILENO); 1262 if (!debug_flag) { 1263 startup_pipe = dup(REEXEC_STARTUP_PIPE_FD); 1264 close(REEXEC_STARTUP_PIPE_FD); 1265 } 1266 } else { 1267 sock_in = dup(STDIN_FILENO); 1268 sock_out = dup(STDOUT_FILENO); 1269 } 1270 /* 1271 * We intentionally do not close the descriptors 0, 1, and 2 1272 * as our code for setting the descriptors won't work if 1273 * ttyfd happens to be one of those. 1274 */ 1275 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { 1276 dup2(fd, STDIN_FILENO); 1277 dup2(fd, STDOUT_FILENO); 1278 if (fd > STDOUT_FILENO) 1279 close(fd); 1280 } 1281 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out); 1282 if ((options.protocol & SSH_PROTO_1) && 1283 sensitive_data.server_key == NULL) 1284 generate_ephemeral_server_key(); 1285 } else { 1286 for (ai = options.listen_addrs; ai; ai = ai->ai_next) { 1287 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1288 continue; 1289 if (num_listen_socks >= MAX_LISTEN_SOCKS) 1290 fatal("Too many listen sockets. " 1291 "Enlarge MAX_LISTEN_SOCKS"); 1292 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, 1293 ntop, sizeof(ntop), strport, sizeof(strport), 1294 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { 1295 error("getnameinfo failed: %.100s", 1296 (ret != EAI_SYSTEM) ? gai_strerror(ret) : 1297 strerror(errno)); 1298 continue; 1299 } 1300 /* Create socket for listening. */ 1301 listen_sock = socket(ai->ai_family, ai->ai_socktype, 1302 ai->ai_protocol); 1303 if (listen_sock < 0) { 1304 /* kernel may not support ipv6 */ 1305 verbose("socket: %.100s", strerror(errno)); 1306 continue; 1307 } 1308 if (set_nonblock(listen_sock) == -1) { 1309 close(listen_sock); 1310 continue; 1311 } 1312 /* 1313 * Set socket options. 1314 * Allow local port reuse in TIME_WAIT. 1315 */ 1316 if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, 1317 &on, sizeof(on)) == -1) 1318 error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 1319 1320 debug("Bind to port %s on %s.", strport, ntop); 1321 1322 /* Bind the socket to the desired port. */ 1323 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1324 if (!ai->ai_next) 1325 error("Bind to port %s on %s failed: %.200s.", 1326 strport, ntop, strerror(errno)); 1327 close(listen_sock); 1328 continue; 1329 } 1330 listen_socks[num_listen_socks] = listen_sock; 1331 num_listen_socks++; 1332 1333 /* Start listening on the port. */ 1334 logit("Server listening on %s port %s.", ntop, strport); 1335 if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0) 1336 fatal("listen: %.100s", strerror(errno)); 1337 1338 } 1339 freeaddrinfo(options.listen_addrs); 1340 1341 if (!num_listen_socks) 1342 fatal("Cannot bind any address."); 1343 1344 if (options.protocol & SSH_PROTO_1) 1345 generate_ephemeral_server_key(); 1346 1347 /* 1348 * Arrange to restart on SIGHUP. The handler needs 1349 * listen_sock. 1350 */ 1351 signal(SIGHUP, sighup_handler); 1352 1353 signal(SIGTERM, sigterm_handler); 1354 signal(SIGQUIT, sigterm_handler); 1355 1356 /* Arrange SIGCHLD to be caught. */ 1357 signal(SIGCHLD, main_sigchld_handler); 1358 1359 /* Write out the pid file after the sigterm handler is setup */ 1360 if (!debug_flag) { 1361 /* 1362 * Record our pid in /var/run/sshd.pid to make it 1363 * easier to kill the correct sshd. We don't want to 1364 * do this before the bind above because the bind will 1365 * fail if there already is a daemon, and this will 1366 * overwrite any old pid in the file. 1367 */ 1368 f = fopen(options.pid_file, "wb"); 1369 if (f == NULL) { 1370 error("Couldn't create pid file \"%s\": %s", 1371 options.pid_file, strerror(errno)); 1372 } else { 1373 fprintf(f, "%ld\n", (long) getpid()); 1374 fclose(f); 1375 } 1376 } 1377 1378 /* setup fd set for listen */ 1379 fdset = NULL; 1380 maxfd = 0; 1381 for (i = 0; i < num_listen_socks; i++) 1382 if (listen_socks[i] > maxfd) 1383 maxfd = listen_socks[i]; 1384 /* pipes connected to unauthenticated childs */ 1385 startup_pipes = xmalloc(options.max_startups * sizeof(int)); 1386 for (i = 0; i < options.max_startups; i++) 1387 startup_pipes[i] = -1; 1388 1389 /* 1390 * Stay listening for connections until the system crashes or 1391 * the daemon is killed with a signal. 1392 */ 1393 for (;;) { 1394 if (received_sighup) 1395 sighup_restart(); 1396 if (fdset != NULL) 1397 xfree(fdset); 1398 fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask); 1399 fdset = (fd_set *)xmalloc(fdsetsz); 1400 memset(fdset, 0, fdsetsz); 1401 1402 for (i = 0; i < num_listen_socks; i++) 1403 FD_SET(listen_socks[i], fdset); 1404 for (i = 0; i < options.max_startups; i++) 1405 if (startup_pipes[i] != -1) 1406 FD_SET(startup_pipes[i], fdset); 1407 1408 /* Wait in select until there is a connection. */ 1409 ret = select(maxfd+1, fdset, NULL, NULL, NULL); 1410 if (ret < 0 && errno != EINTR) 1411 error("select: %.100s", strerror(errno)); 1412 if (received_sigterm) { 1413 logit("Received signal %d; terminating.", 1414 (int) received_sigterm); 1415 close_listen_socks(); 1416 unlink(options.pid_file); 1417 exit(255); 1418 } 1419 if (key_used && key_do_regen) { 1420 generate_ephemeral_server_key(); 1421 key_used = 0; 1422 key_do_regen = 0; 1423 } 1424 if (ret < 0) 1425 continue; 1426 1427 for (i = 0; i < options.max_startups; i++) 1428 if (startup_pipes[i] != -1 && 1429 FD_ISSET(startup_pipes[i], fdset)) { 1430 /* 1431 * the read end of the pipe is ready 1432 * if the child has closed the pipe 1433 * after successful authentication 1434 * or if the child has died 1435 */ 1436 close(startup_pipes[i]); 1437 startup_pipes[i] = -1; 1438 startups--; 1439 } 1440 for (i = 0; i < num_listen_socks; i++) { 1441 if (!FD_ISSET(listen_socks[i], fdset)) 1442 continue; 1443 fromlen = sizeof(from); 1444 newsock = accept(listen_socks[i], (struct sockaddr *)&from, 1445 &fromlen); 1446 if (newsock < 0) { 1447 if (errno != EINTR && errno != EWOULDBLOCK) 1448 error("accept: %.100s", strerror(errno)); 1449 continue; 1450 } 1451 if (unset_nonblock(newsock) == -1) { 1452 close(newsock); 1453 continue; 1454 } 1455 if (drop_connection(startups) == 1) { 1456 debug("drop connection #%d", startups); 1457 close(newsock); 1458 continue; 1459 } 1460 if (pipe(startup_p) == -1) { 1461 close(newsock); 1462 continue; 1463 } 1464 1465 if (rexec_flag && socketpair(AF_UNIX, 1466 SOCK_STREAM, 0, config_s) == -1) { 1467 error("reexec socketpair: %s", 1468 strerror(errno)); 1469 close(newsock); 1470 close(startup_p[0]); 1471 close(startup_p[1]); 1472 continue; 1473 } 1474 1475 for (j = 0; j < options.max_startups; j++) 1476 if (startup_pipes[j] == -1) { 1477 startup_pipes[j] = startup_p[0]; 1478 if (maxfd < startup_p[0]) 1479 maxfd = startup_p[0]; 1480 startups++; 1481 break; 1482 } 1483 1484 /* 1485 * Got connection. Fork a child to handle it, unless 1486 * we are in debugging mode. 1487 */ 1488 if (debug_flag) { 1489 /* 1490 * In debugging mode. Close the listening 1491 * socket, and start processing the 1492 * connection without forking. 1493 */ 1494 debug("Server will not fork when running in debugging mode."); 1495 close_listen_socks(); 1496 sock_in = newsock; 1497 sock_out = newsock; 1498 close(startup_p[0]); 1499 close(startup_p[1]); 1500 startup_pipe = -1; 1501 pid = getpid(); 1502 if (rexec_flag) { 1503 send_rexec_state(config_s[0], 1504 &cfg); 1505 close(config_s[0]); 1506 } 1507 break; 1508 } else { 1509 /* 1510 * Normal production daemon. Fork, and have 1511 * the child process the connection. The 1512 * parent continues listening. 1513 */ 1514 if ((pid = fork()) == 0) { 1515 /* 1516 * Child. Close the listening and max_startup 1517 * sockets. Start using the accepted socket. 1518 * Reinitialize logging (since our pid has 1519 * changed). We break out of the loop to handle 1520 * the connection. 1521 */ 1522 startup_pipe = startup_p[1]; 1523 close_startup_pipes(); 1524 close_listen_socks(); 1525 sock_in = newsock; 1526 sock_out = newsock; 1527 log_init(__progname, options.log_level, options.log_facility, log_stderr); 1528 if (rexec_flag) 1529 close(config_s[0]); 1530 break; 1531 } 1532 } 1533 1534 /* Parent. Stay in the loop. */ 1535 if (pid < 0) 1536 error("fork: %.100s", strerror(errno)); 1537 else 1538 debug("Forked child %ld.", (long)pid); 1539 1540 close(startup_p[1]); 1541 1542 if (rexec_flag) { 1543 send_rexec_state(config_s[0], &cfg); 1544 close(config_s[0]); 1545 close(config_s[1]); 1546 } 1547 1548 /* Mark that the key has been used (it was "given" to the child). */ 1549 if ((options.protocol & SSH_PROTO_1) && 1550 key_used == 0) { 1551 /* Schedule server key regeneration alarm. */ 1552 signal(SIGALRM, key_regeneration_alarm); 1553 alarm(options.key_regeneration_time); 1554 key_used = 1; 1555 } 1556 1557 arc4random_stir(); 1558 1559 /* Close the new socket (the child is now taking care of it). */ 1560 close(newsock); 1561 } 1562 /* child process check (or debug mode) */ 1563 if (num_listen_socks < 0) 1564 break; 1565 } 1566 } 1567 1568 /* This is the child processing a new connection. */ 1569 setproctitle("%s", "[accepted]"); 1570 1571 /* 1572 * Create a new session and process group since the 4.4BSD 1573 * setlogin() affects the entire process group. We don't 1574 * want the child to be able to affect the parent. 1575 */ 1576 #if !defined(SSHD_ACQUIRES_CTTY) 1577 /* 1578 * If setsid is called, on some platforms sshd will later acquire a 1579 * controlling terminal which will result in "could not set 1580 * controlling tty" errors. 1581 */ 1582 if (!debug_flag && !inetd_flag && setsid() < 0) 1583 error("setsid: %.100s", strerror(errno)); 1584 #endif 1585 1586 if (rexec_flag) { 1587 int fd; 1588 1589 debug("rexec start in %d out %d newsock %d pipe %d sock %d", 1590 sock_in, sock_out, newsock, startup_pipe, config_s[0]); 1591 dup2(newsock, STDIN_FILENO); 1592 dup2(STDIN_FILENO, STDOUT_FILENO); 1593 if (startup_pipe == -1) 1594 close(REEXEC_STARTUP_PIPE_FD); 1595 else 1596 dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD); 1597 1598 dup2(config_s[1], REEXEC_CONFIG_PASS_FD); 1599 close(config_s[1]); 1600 if (startup_pipe != -1) 1601 close(startup_pipe); 1602 1603 execv(rexec_argv[0], rexec_argv); 1604 1605 /* Reexec has failed, fall back and continue */ 1606 error("rexec of %s failed: %s", rexec_argv[0], strerror(errno)); 1607 recv_rexec_state(REEXEC_CONFIG_PASS_FD, NULL); 1608 log_init(__progname, options.log_level, 1609 options.log_facility, log_stderr); 1610 1611 /* Clean up fds */ 1612 startup_pipe = REEXEC_STARTUP_PIPE_FD; 1613 close(config_s[1]); 1614 close(REEXEC_CONFIG_PASS_FD); 1615 newsock = sock_out = sock_in = dup(STDIN_FILENO); 1616 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { 1617 dup2(fd, STDIN_FILENO); 1618 dup2(fd, STDOUT_FILENO); 1619 if (fd > STDERR_FILENO) 1620 close(fd); 1621 } 1622 debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d", 1623 sock_in, sock_out, newsock, startup_pipe, config_s[0]); 1624 } 1625 1626 /* 1627 * Disable the key regeneration alarm. We will not regenerate the 1628 * key since we are no longer in a position to give it to anyone. We 1629 * will not restart on SIGHUP since it no longer makes sense. 1630 */ 1631 alarm(0); 1632 signal(SIGALRM, SIG_DFL); 1633 signal(SIGHUP, SIG_DFL); 1634 signal(SIGTERM, SIG_DFL); 1635 signal(SIGQUIT, SIG_DFL); 1636 signal(SIGCHLD, SIG_DFL); 1637 signal(SIGINT, SIG_DFL); 1638 1639 #ifdef __FreeBSD__ 1640 /* 1641 * Initialize the resolver. This may not happen automatically 1642 * before privsep chroot(). 1643 */ 1644 if ((_res.options & RES_INIT) == 0) { 1645 debug("res_init()"); 1646 res_init(); 1647 } 1648 #ifdef GSSAPI 1649 /* 1650 * Force GSS-API to parse its configuration and load any 1651 * mechanism plugins. 1652 */ 1653 { 1654 gss_OID_set mechs; 1655 OM_uint32 minor_status; 1656 gss_indicate_mechs(&minor_status, &mechs); 1657 gss_release_oid_set(&minor_status, &mechs); 1658 } 1659 #endif 1660 #endif 1661 1662 /* 1663 * Register our connection. This turns encryption off because we do 1664 * not have a key. 1665 */ 1666 packet_set_connection(sock_in, sock_out); 1667 packet_set_server(); 1668 1669 /* Set SO_KEEPALIVE if requested. */ 1670 if (options.tcp_keep_alive && packet_connection_is_on_socket() && 1671 setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) 1672 error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); 1673 1674 if ((remote_port = get_remote_port()) < 0) { 1675 debug("get_remote_port failed"); 1676 cleanup_exit(255); 1677 } 1678 1679 /* 1680 * We use get_canonical_hostname with usedns = 0 instead of 1681 * get_remote_ipaddr here so IP options will be checked. 1682 */ 1683 remote_ip = get_canonical_hostname(0); 1684 1685 #ifdef SSH_AUDIT_EVENTS 1686 audit_connection_from(remote_ip, remote_port); 1687 #endif 1688 #ifdef LIBWRAP 1689 /* Check whether logins are denied from this host. */ 1690 if (packet_connection_is_on_socket()) { 1691 struct request_info req; 1692 1693 request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); 1694 fromhost(&req); 1695 1696 if (!hosts_access(&req)) { 1697 debug("Connection refused by tcp wrapper"); 1698 refuse(&req); 1699 /* NOTREACHED */ 1700 fatal("libwrap refuse returns"); 1701 } 1702 } 1703 #endif /* LIBWRAP */ 1704 1705 /* Log the connection. */ 1706 verbose("Connection from %.500s port %d", remote_ip, remote_port); 1707 1708 /* 1709 * We don't want to listen forever unless the other side 1710 * successfully authenticates itself. So we set up an alarm which is 1711 * cleared after successful authentication. A limit of zero 1712 * indicates no limit. Note that we don't set the alarm in debugging 1713 * mode; it is just annoying to have the server exit just when you 1714 * are about to discover the bug. 1715 */ 1716 signal(SIGALRM, grace_alarm_handler); 1717 if (!debug_flag) 1718 alarm(options.login_grace_time); 1719 1720 sshd_exchange_identification(sock_in, sock_out); 1721 1722 packet_set_nonblocking(); 1723 1724 /* allocate authentication context */ 1725 authctxt = xmalloc(sizeof(*authctxt)); 1726 memset(authctxt, 0, sizeof(*authctxt)); 1727 1728 authctxt->loginmsg = &loginmsg; 1729 1730 /* XXX global for cleanup, access from other modules */ 1731 the_authctxt = authctxt; 1732 1733 /* prepare buffer to collect messages to display to user after login */ 1734 buffer_init(&loginmsg); 1735 1736 if (use_privsep) 1737 if (privsep_preauth(authctxt) == 1) 1738 goto authenticated; 1739 1740 /* perform the key exchange */ 1741 /* authenticate user and start session */ 1742 if (compat20) { 1743 do_ssh2_kex(); 1744 do_authentication2(authctxt); 1745 } else { 1746 do_ssh1_kex(); 1747 do_authentication(authctxt); 1748 } 1749 /* 1750 * If we use privilege separation, the unprivileged child transfers 1751 * the current keystate and exits 1752 */ 1753 if (use_privsep) { 1754 mm_send_keystate(pmonitor); 1755 exit(0); 1756 } 1757 1758 authenticated: 1759 /* 1760 * Cancel the alarm we set to limit the time taken for 1761 * authentication. 1762 */ 1763 alarm(0); 1764 signal(SIGALRM, SIG_DFL); 1765 if (startup_pipe != -1) { 1766 close(startup_pipe); 1767 startup_pipe = -1; 1768 } 1769 1770 #ifdef SSH_AUDIT_EVENTS 1771 audit_event(SSH_AUTH_SUCCESS); 1772 #endif 1773 1774 /* 1775 * In privilege separation, we fork another child and prepare 1776 * file descriptor passing. 1777 */ 1778 if (use_privsep) { 1779 privsep_postauth(authctxt); 1780 /* the monitor process [priv] will not return */ 1781 if (!compat20) 1782 destroy_sensitive_data(); 1783 } 1784 1785 /* Start session. */ 1786 do_authenticated(authctxt); 1787 1788 /* The connection has been terminated. */ 1789 verbose("Closing connection to %.100s", remote_ip); 1790 1791 #ifdef USE_PAM 1792 if (options.use_pam) 1793 finish_pam(); 1794 #endif /* USE_PAM */ 1795 1796 #ifdef SSH_AUDIT_EVENTS 1797 PRIVSEP(audit_event(SSH_CONNECTION_CLOSE)); 1798 #endif 1799 1800 packet_close(); 1801 1802 if (use_privsep) 1803 mm_terminate(); 1804 1805 exit(0); 1806 } 1807 1808 /* 1809 * Decrypt session_key_int using our private server key and private host key 1810 * (key with larger modulus first). 1811 */ 1812 int 1813 ssh1_session_key(BIGNUM *session_key_int) 1814 { 1815 int rsafail = 0; 1816 1817 if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) { 1818 /* Server key has bigger modulus. */ 1819 if (BN_num_bits(sensitive_data.server_key->rsa->n) < 1820 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1821 fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", 1822 get_remote_ipaddr(), 1823 BN_num_bits(sensitive_data.server_key->rsa->n), 1824 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), 1825 SSH_KEY_BITS_RESERVED); 1826 } 1827 if (rsa_private_decrypt(session_key_int, session_key_int, 1828 sensitive_data.server_key->rsa) <= 0) 1829 rsafail++; 1830 if (rsa_private_decrypt(session_key_int, session_key_int, 1831 sensitive_data.ssh1_host_key->rsa) <= 0) 1832 rsafail++; 1833 } else { 1834 /* Host key has bigger modulus (or they are equal). */ 1835 if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) < 1836 BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1837 fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d", 1838 get_remote_ipaddr(), 1839 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), 1840 BN_num_bits(sensitive_data.server_key->rsa->n), 1841 SSH_KEY_BITS_RESERVED); 1842 } 1843 if (rsa_private_decrypt(session_key_int, session_key_int, 1844 sensitive_data.ssh1_host_key->rsa) < 0) 1845 rsafail++; 1846 if (rsa_private_decrypt(session_key_int, session_key_int, 1847 sensitive_data.server_key->rsa) < 0) 1848 rsafail++; 1849 } 1850 return (rsafail); 1851 } 1852 /* 1853 * SSH1 key exchange 1854 */ 1855 static void 1856 do_ssh1_kex(void) 1857 { 1858 int i, len; 1859 int rsafail = 0; 1860 BIGNUM *session_key_int; 1861 u_char session_key[SSH_SESSION_KEY_LENGTH]; 1862 u_char cookie[8]; 1863 u_int cipher_type, auth_mask, protocol_flags; 1864 u_int32_t rnd = 0; 1865 1866 /* 1867 * Generate check bytes that the client must send back in the user 1868 * packet in order for it to be accepted; this is used to defy ip 1869 * spoofing attacks. Note that this only works against somebody 1870 * doing IP spoofing from a remote machine; any machine on the local 1871 * network can still see outgoing packets and catch the random 1872 * cookie. This only affects rhosts authentication, and this is one 1873 * of the reasons why it is inherently insecure. 1874 */ 1875 for (i = 0; i < 8; i++) { 1876 if (i % 4 == 0) 1877 rnd = arc4random(); 1878 cookie[i] = rnd & 0xff; 1879 rnd >>= 8; 1880 } 1881 1882 /* 1883 * Send our public key. We include in the packet 64 bits of random 1884 * data that must be matched in the reply in order to prevent IP 1885 * spoofing. 1886 */ 1887 packet_start(SSH_SMSG_PUBLIC_KEY); 1888 for (i = 0; i < 8; i++) 1889 packet_put_char(cookie[i]); 1890 1891 /* Store our public server RSA key. */ 1892 packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n)); 1893 packet_put_bignum(sensitive_data.server_key->rsa->e); 1894 packet_put_bignum(sensitive_data.server_key->rsa->n); 1895 1896 /* Store our public host RSA key. */ 1897 packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); 1898 packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e); 1899 packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n); 1900 1901 /* Put protocol flags. */ 1902 packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN); 1903 1904 /* Declare which ciphers we support. */ 1905 packet_put_int(cipher_mask_ssh1(0)); 1906 1907 /* Declare supported authentication types. */ 1908 auth_mask = 0; 1909 if (options.rhosts_rsa_authentication) 1910 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; 1911 if (options.rsa_authentication) 1912 auth_mask |= 1 << SSH_AUTH_RSA; 1913 if (options.challenge_response_authentication == 1) 1914 auth_mask |= 1 << SSH_AUTH_TIS; 1915 if (options.password_authentication) 1916 auth_mask |= 1 << SSH_AUTH_PASSWORD; 1917 packet_put_int(auth_mask); 1918 1919 /* Send the packet and wait for it to be sent. */ 1920 packet_send(); 1921 packet_write_wait(); 1922 1923 debug("Sent %d bit server key and %d bit host key.", 1924 BN_num_bits(sensitive_data.server_key->rsa->n), 1925 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); 1926 1927 /* Read clients reply (cipher type and session key). */ 1928 packet_read_expect(SSH_CMSG_SESSION_KEY); 1929 1930 /* Get cipher type and check whether we accept this. */ 1931 cipher_type = packet_get_char(); 1932 1933 if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) 1934 packet_disconnect("Warning: client selects unsupported cipher."); 1935 1936 /* Get check bytes from the packet. These must match those we 1937 sent earlier with the public key packet. */ 1938 for (i = 0; i < 8; i++) 1939 if (cookie[i] != packet_get_char()) 1940 packet_disconnect("IP Spoofing check bytes do not match."); 1941 1942 debug("Encryption type: %.200s", cipher_name(cipher_type)); 1943 1944 /* Get the encrypted integer. */ 1945 if ((session_key_int = BN_new()) == NULL) 1946 fatal("do_ssh1_kex: BN_new failed"); 1947 packet_get_bignum(session_key_int); 1948 1949 protocol_flags = packet_get_int(); 1950 packet_set_protocol_flags(protocol_flags); 1951 packet_check_eom(); 1952 1953 /* Decrypt session_key_int using host/server keys */ 1954 rsafail = PRIVSEP(ssh1_session_key(session_key_int)); 1955 1956 /* 1957 * Extract session key from the decrypted integer. The key is in the 1958 * least significant 256 bits of the integer; the first byte of the 1959 * key is in the highest bits. 1960 */ 1961 if (!rsafail) { 1962 BN_mask_bits(session_key_int, sizeof(session_key) * 8); 1963 len = BN_num_bytes(session_key_int); 1964 if (len < 0 || (u_int)len > sizeof(session_key)) { 1965 error("do_connection: bad session key len from %s: " 1966 "session_key_int %d > sizeof(session_key) %lu", 1967 get_remote_ipaddr(), len, (u_long)sizeof(session_key)); 1968 rsafail++; 1969 } else { 1970 memset(session_key, 0, sizeof(session_key)); 1971 BN_bn2bin(session_key_int, 1972 session_key + sizeof(session_key) - len); 1973 1974 derive_ssh1_session_id( 1975 sensitive_data.ssh1_host_key->rsa->n, 1976 sensitive_data.server_key->rsa->n, 1977 cookie, session_id); 1978 /* 1979 * Xor the first 16 bytes of the session key with the 1980 * session id. 1981 */ 1982 for (i = 0; i < 16; i++) 1983 session_key[i] ^= session_id[i]; 1984 } 1985 } 1986 if (rsafail) { 1987 int bytes = BN_num_bytes(session_key_int); 1988 u_char *buf = xmalloc(bytes); 1989 MD5_CTX md; 1990 1991 logit("do_connection: generating a fake encryption key"); 1992 BN_bn2bin(session_key_int, buf); 1993 MD5_Init(&md); 1994 MD5_Update(&md, buf, bytes); 1995 MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); 1996 MD5_Final(session_key, &md); 1997 MD5_Init(&md); 1998 MD5_Update(&md, session_key, 16); 1999 MD5_Update(&md, buf, bytes); 2000 MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); 2001 MD5_Final(session_key + 16, &md); 2002 memset(buf, 0, bytes); 2003 xfree(buf); 2004 for (i = 0; i < 16; i++) 2005 session_id[i] = session_key[i] ^ session_key[i + 16]; 2006 } 2007 /* Destroy the private and public keys. No longer. */ 2008 destroy_sensitive_data(); 2009 2010 if (use_privsep) 2011 mm_ssh1_session_id(session_id); 2012 2013 /* Destroy the decrypted integer. It is no longer needed. */ 2014 BN_clear_free(session_key_int); 2015 2016 /* Set the session key. From this on all communications will be encrypted. */ 2017 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type); 2018 2019 /* Destroy our copy of the session key. It is no longer needed. */ 2020 memset(session_key, 0, sizeof(session_key)); 2021 2022 debug("Received session key; encryption turned on."); 2023 2024 /* Send an acknowledgment packet. Note that this packet is sent encrypted. */ 2025 packet_start(SSH_SMSG_SUCCESS); 2026 packet_send(); 2027 packet_write_wait(); 2028 } 2029 2030 /* 2031 * SSH2 key exchange: diffie-hellman-group1-sha1 2032 */ 2033 static void 2034 do_ssh2_kex(void) 2035 { 2036 Kex *kex; 2037 2038 if (options.ciphers != NULL) { 2039 myproposal[PROPOSAL_ENC_ALGS_CTOS] = 2040 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; 2041 } 2042 myproposal[PROPOSAL_ENC_ALGS_CTOS] = 2043 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); 2044 myproposal[PROPOSAL_ENC_ALGS_STOC] = 2045 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); 2046 2047 if (options.macs != NULL) { 2048 myproposal[PROPOSAL_MAC_ALGS_CTOS] = 2049 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; 2050 } 2051 if (options.compression == COMP_NONE) { 2052 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 2053 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; 2054 } else if (options.compression == COMP_DELAYED) { 2055 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 2056 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; 2057 } 2058 2059 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2060 2061 /* start key exchange */ 2062 kex = kex_setup(myproposal); 2063 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 2064 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; 2065 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2066 kex->server = 1; 2067 kex->client_version_string=client_version_string; 2068 kex->server_version_string=server_version_string; 2069 kex->load_host_key=&get_hostkey_by_type; 2070 kex->host_key_index=&get_hostkey_index; 2071 2072 xxx_kex = kex; 2073 2074 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2075 2076 session_id2 = kex->session_id; 2077 session_id2_len = kex->session_id_len; 2078 2079 #ifdef DEBUG_KEXDH 2080 /* send 1st encrypted/maced/compressed message */ 2081 packet_start(SSH2_MSG_IGNORE); 2082 packet_put_cstring("markus"); 2083 packet_send(); 2084 packet_write_wait(); 2085 #endif 2086 debug("KEX done"); 2087 } 2088 2089 /* server specific fatal cleanup */ 2090 void 2091 cleanup_exit(int i) 2092 { 2093 if (the_authctxt) 2094 do_cleanup(the_authctxt); 2095 #ifdef SSH_AUDIT_EVENTS 2096 /* done after do_cleanup so it can cancel the PAM auth 'thread' */ 2097 if (!use_privsep || mm_is_monitor()) 2098 audit_event(SSH_CONNECTION_ABANDON); 2099 #endif 2100 _exit(i); 2101 } 2102