1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Server main loop for handling the interactive session. 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * SSH2 support by Markus Friedl. 14 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 /* 37 * Copyright 2007 Sun Microsystems, Inc. 
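All rights reserved.
 * Use is subject to license terms.
 */

#include "includes.h"
RCSID("$OpenBSD: serverloop.c,v 1.104 2002/09/19 16:03:15 stevesk Exp $");

#pragma ident "%Z%%M% %I% %E% SMI"

#include "xmalloc.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "canohost.h"
#include "sshpty.h"
#include "channels.h"
#include "compat.h"
#include "ssh1.h"
#include "ssh2.h"
#include "auth.h"
#include "session.h"
#include "dispatch.h"
#include "auth-options.h"
#include "serverloop.h"
#include "misc.h"
#include "kex.h"

#ifdef ALTPRIVSEP
#include "altprivsep.h"
#endif /* ALTPRIVSEP*/

extern ServerOptions options;

/* XXX */
extern Kex *xxx_kex;
static Authctxt *xxx_authctxt;

/*
 * Session I/O state shared by the loops below.  fdin/fdout/fderr are the
 * child program's stdio as seen from the server: the server writes to
 * fdin and reads from fdout and fderr.
 */
static Buffer stdin_buffer;	/* Buffer for stdin data. */
static Buffer stdout_buffer;	/* Buffer for stdout data. */
static Buffer stderr_buffer;	/* Buffer for stderr data. */
static int fdin;		/* Descriptor for stdin (for writing) */
static int fdout;		/* Descriptor for stdout (for reading);
				   May be same number as fdin. */
static int fderr;		/* Descriptor for stderr.  May be -1. */
static long stdin_bytes = 0;	/* Number of bytes written to stdin. */
static long stdout_bytes = 0;	/* Number of stdout bytes sent to client. */
static long stderr_bytes = 0;	/* Number of stderr bytes sent to client. */
static long fdout_bytes = 0;	/* Number of stdout bytes read from program. */
static int stdin_eof = 0;	/* EOF message received from client. */
static int fdout_eof = 0;	/* EOF encountered reading from fdout. */
static int fderr_eof = 0;	/* EOF encountered reading from fderr. */
static int fdin_is_tty = 0;	/* fdin points to a tty. */
static int connection_in;	/* Connection to client (input). */
static int connection_out;	/* Connection to client (output). */
static int connection_closed = 0;	/* Connection to client closed. */
static u_int buffer_high;	/* "Soft" max buffer size. */
static int client_alive_timeouts = 0;	/* Keepalives sent with no reply yet. */

/*
 * This SIGCHLD kludge is used to detect when the child exits.  The server
 * will exit after that, as soon as forwarded connections have terminated.
 *
 * Written from a signal handler and polled by the loops, hence
 * volatile sig_atomic_t.
 */

static volatile sig_atomic_t child_terminated = 0;	/* The child has terminated. */

/* prototypes */
static void server_init_dispatch(void);

/*
 * we write to this pipe if a SIGCHLD is caught in order to avoid
 * the race between select() and child_terminated
 */
static int notify_pipe[2];

/*
 * Create the SIGCHLD self-pipe.  Both ends are marked close-on-exec
 * (F_SETFD, 1) and non-blocking.  On any failure both ends are set to
 * -1, which turns the other notify_*() helpers into no-ops.
 */
static void
notify_setup(void)
{
	if (pipe(notify_pipe) < 0) {
		error("pipe(notify_pipe) failed %s", strerror(errno));
	} else if ((fcntl(notify_pipe[0], F_SETFD, 1) == -1) ||
	    (fcntl(notify_pipe[1], F_SETFD, 1) == -1)) {
		error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno));
		(void) close(notify_pipe[0]);
		(void) close(notify_pipe[1]);
	} else {
		set_nonblock(notify_pipe[0]);
		set_nonblock(notify_pipe[1]);
		return;
	}
	notify_pipe[0] = -1;		/* read end */
	notify_pipe[1] = -1;		/* write end */
}

/*
 * Wake up a select() that is sleeping on the read end.  Called from
 * signal handlers, so it must only use write(), which is
 * async-signal-safe.  The byte's value is irrelevant and the result
 * is deliberately ignored (a full pipe already means a wakeup is pending).
 */
static void
notify_parent(void)
{
	if (notify_pipe[1] != -1)
		(void) write(notify_pipe[1], "", 1);
}

/* Add the read end of the self-pipe to the set that select() waits on. */
static void
notify_prepare(fd_set *readset)
{
	if (notify_pipe[0] != -1)
		FD_SET(notify_pipe[0], readset);
}

/*
 * Drain the self-pipe after select() returns.  The read end is
 * non-blocking (see notify_setup), so the loop ends when read() fails
 * with nothing left to read.
 */
static void
notify_done(fd_set *readset)
{
	char c;

	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
		while (read(notify_pipe[0], &c, 1) != -1)
			debug2("notify_done: reading");
}

/*
 * SIGCHLD handler.  Only async-signal-safe work happens here: set the
 * flag, re-arm the handler, and poke the self-pipe so select() returns.
 * The reaping itself is done by collect_children() / server_loop().
 * Logging is deliberately not done from this handler; the logging
 * routines are not async-signal-safe.  errno is preserved because the
 * interrupted code may be inspecting it.
 */
static void
sigchld_handler(int sig)
{
	int save_errno = errno;
	child_terminated = 1;
#ifndef _UNICOS
	mysignal(SIGCHLD, sigchld_handler);
#endif
	notify_parent();
	errno = save_errno;
}

/*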
 * Make packets from buffered stderr data, and buffer it for sending
 * to the client.  (SSH1 only: the SSH2 path never fills stderr_buffer.)
 * Each packet is capped at 512 bytes for interactive sessions and at
 * packet_get_maxsize() otherwise, and no more is queued once
 * packet_not_very_much_data_to_write() says the output is backed up.
 */
static void
make_packets_from_stderr_data(void)
{
	int len;

	/* Send buffered stderr data to the client. */
	while (buffer_len(&stderr_buffer) > 0 &&
	    packet_not_very_much_data_to_write()) {
		len = buffer_len(&stderr_buffer);
		if (packet_is_interactive()) {
			if (len > 512)
				len = 512;
		} else {
			/* Keep the packets at reasonable size. */
			if (len > packet_get_maxsize())
				len = packet_get_maxsize();
		}
		packet_start(SSH_SMSG_STDERR_DATA);
		packet_put_string(buffer_ptr(&stderr_buffer), len);
		packet_send();
		buffer_consume(&stderr_buffer, len);
		stderr_bytes += len;
	}
}

/*
 * Make packets from buffered stdout data, and buffer it for sending to the
 * client.  Same packet sizing rules as make_packets_from_stderr_data().
 */
static void
make_packets_from_stdout_data(void)
{
	int len;

	/* Send buffered stdout data to the client. */
	while (buffer_len(&stdout_buffer) > 0 &&
	    packet_not_very_much_data_to_write()) {
		len = buffer_len(&stdout_buffer);
		if (packet_is_interactive()) {
			if (len > 512)
				len = 512;
		} else {
			/* Keep the packets at reasonable size. */
			if (len > packet_get_maxsize())
				len = packet_get_maxsize();
		}
		packet_start(SSH_SMSG_STDOUT_DATA);
		packet_put_string(buffer_ptr(&stdout_buffer), len);
		packet_send();
		buffer_consume(&stdout_buffer, len);
		stdout_bytes += len;
	}
}

/*
 * Called when a client-alive timeout expires with no client traffic.
 * Disconnects once the number of consecutive unanswered probes exceeds
 * options.client_alive_count_max, or when all channels have gone away
 * after at least one was open.  Otherwise sends a probe; the client's
 * CHANNEL_FAILURE reply resets client_alive_timeouts
 * (see server_input_channel_failure).
 */
static void
client_alive_check(void)
{
	static int had_channel = 0;
	int id;

	id = channel_find_open();
	if (id == -1) {
		if (!had_channel)
			return;
		packet_disconnect("No open channels after timeout!");
	}
	had_channel = 1;

	/* timeout, check to see how many we have had */
	if (++client_alive_timeouts > options.client_alive_count_max)
		packet_disconnect("Timeout, your session not responding.");

	/*
	 * send a bogus channel request with "wantreply",
	 * we should get back a failure
	 */
	channel_request_start(id, "keepalive@openssh.com", 1);
	packet_send();
}

/*
 * Sleep in select() until we can do something.  This will initialize the
 * select masks.  Upon return, the masks will indicate which descriptors
 * have data or can accept data.  Optionally, a maximum time can be specified
 * for the duration of the wait (0 = infinite).
 *
 * readsetp/writesetp/nallocp are (re)allocated by channel_prepare_select();
 * *maxfdp is updated with the highest descriptor added.  On a select()
 * failure both masks are zeroed so the callers' FD_ISSET() checks see
 * nothing ready.
 */
static void
wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
    int *nallocp, u_int max_time_milliseconds)
{
	struct timeval tv, *tvp;
	int ret;
	int client_alive_scheduled = 0;

	/*
	 * if using client_alive, set the max timeout accordingly,
	 * and indicate that this particular timeout was for client
	 * alive by setting the client_alive_scheduled flag.
	 *
	 * this could be randomized somewhat to make traffic
	 * analysis more difficult, but we're not doing it yet.
	 */
	if (compat20 &&
	    max_time_milliseconds == 0 && options.client_alive_interval) {
		client_alive_scheduled = 1;
		/* client_alive_interval is in seconds; the timeout is in ms. */
		max_time_milliseconds = options.client_alive_interval * 1000;
	}

	/* Allocate and update select() masks for channel descriptors. */
	channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, 0);

	if (compat20) {
#ifdef ALTPRIVSEP
		int pipe_fd;

		/* Also watch the privsep pipe so monitor messages wake us. */
		if ((pipe_fd = altprivsep_get_pipe_fd()) != -1) {
			*maxfdp = MAX(*maxfdp, pipe_fd);
			FD_SET(altprivsep_get_pipe_fd(), *readsetp);
		}
#endif /* ALTPRIVSEP */
#if 0
		/* wrong: bad condition XXX */
		if (channel_not_very_much_buffered_data())
#endif
		FD_SET(connection_in, *readsetp);
	} else {
		/*
		 * Read packets from the client unless we have too much
		 * buffered stdin or channel data.
		 */
		if (buffer_len(&stdin_buffer) < buffer_high &&
		    channel_not_very_much_buffered_data())
			FD_SET(connection_in, *readsetp);
		/*
		 * If there is not too much data already buffered going to
		 * the client, try to get some more data from the program.
		 */
		if (packet_not_very_much_data_to_write()) {
			if (!fdout_eof)
				FD_SET(fdout, *readsetp);
			if (!fderr_eof)
				FD_SET(fderr, *readsetp);
		}
		/*
		 * If we have buffered data, try to write some of that data
		 * to the program.
		 */
		if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
			FD_SET(fdin, *writesetp);
	}
	notify_prepare(*readsetp);

	/*
	 * If we have buffered packet data going to the client, mark that
	 * descriptor.
	 */
	if (packet_have_data_to_write())
		FD_SET(connection_out, *writesetp);

	/*
	 * If child has terminated and there is enough buffer space to read
	 * from it, then read as much as is available and exit.
	 * (A short 100ms timeout makes sure we come back promptly even if
	 * no descriptor becomes ready.)
	 */
	if (child_terminated && packet_not_very_much_data_to_write())
		if (max_time_milliseconds == 0 || client_alive_scheduled)
			max_time_milliseconds = 100;

	if (max_time_milliseconds == 0)
		tvp = NULL;
	else {
		tv.tv_sec = max_time_milliseconds / 1000;
		tv.tv_usec = 1000 * (max_time_milliseconds % 1000);
		tvp = &tv;
	}

	/* Wait for something to happen, or the timeout to expire. */
	ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);

	if (ret == -1) {
		memset(*readsetp, 0, *nallocp);
		memset(*writesetp, 0, *nallocp);
		if (errno != EINTR)
			error("select: %.100s", strerror(errno));
	} else if (ret == 0 && client_alive_scheduled)
		client_alive_check();

	notify_done(*readsetp);
}

/*
 * Processes input from the client and the program.  Input data is stored
 * in buffers and processed later.
 *
 * A zero-length read from the client means the peer closed the
 * connection: for SSH2 this just sets connection_closed and returns
 * (server_loop2 checks it); for SSH1 it is fatal here.  Any read error
 * other than EINTR/EAGAIN is fatal.  The program's stdout/stderr are only
 * read on the SSH1 path; EOF or a hard error marks the descriptor as
 * finished via fdout_eof/fderr_eof.
 */
static void
process_input(fd_set * readset)
{
	int len;
	char buf[16384];

	/* Read and buffer any input data from the client. */
	if (FD_ISSET(connection_in, readset)) {
		len = read(connection_in, buf, sizeof(buf));
		if (len == 0) {
			verbose("Connection closed by %.100s",
			    get_remote_ipaddr());
			connection_closed = 1;
			if (compat20)
				return;
			fatal_cleanup();
		} else if (len < 0) {
			if (errno != EINTR && errno != EAGAIN) {
				verbose("Read error from remote host "
				    "%.100s: %.100s",
				    get_remote_ipaddr(), strerror(errno));
				fatal_cleanup();
			}
		} else {
			/* Buffer any received data. */
			packet_process_incoming(buf, len);
		}
	}
	if (compat20)
		return;

	/* Read and buffer any available stdout data from the program. */
	if (!fdout_eof && FD_ISSET(fdout, readset)) {
		len = read(fdout, buf, sizeof(buf));
		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
			/* EMPTY */
		} else if (len <= 0) {
			fdout_eof = 1;
		} else {
			buffer_append(&stdout_buffer, buf, len);
			fdout_bytes += len;
		}
	}
	/* Read and buffer any available stderr data from the program. */
	if (!fderr_eof && FD_ISSET(fderr, readset)) {
		len = read(fderr, buf, sizeof(buf));
		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
			/* EMPTY */
		} else if (len <= 0) {
			fderr_eof = 1;
		} else {
			buffer_append(&stderr_buffer, buf, len);
		}
	}
}

/*
 * Sends data from internal buffers to client program stdin.
 *
 * The stdin write is SSH1-only.  A write that returns 0 or a hard error
 * closes our side of fdin (shutdown(SHUT_WR) when fdin and fdout share a
 * descriptor, since fdout is still being read).  Finally any pending
 * packet data is flushed toward the client.
 */
static void
process_output(fd_set * writeset)
{
	struct termios tio;
	u_char *data;
	u_int dlen;
	int len;

	/* Write buffered data to program stdin. */
	if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
		data = buffer_ptr(&stdin_buffer);
		dlen = buffer_len(&stdin_buffer);
		len = write(fdin, data, dlen);
		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
			/* EMPTY */
		} else if (len <= 0) {
			if (fdin != fdout)
				(void) close(fdin);
			else
				(void) shutdown(fdin, SHUT_WR); /* We will no longer send. */
			fdin = -1;
		} else {
			/* Successful write. */
			if (fdin_is_tty && dlen >= 1 && data[0] != '\r' &&
			    tcgetattr(fdin, &tio) == 0 &&
			    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
				/*
				 * Simulate echo to reduce the impact of
				 * traffic analysis: with echo off (e.g. a
				 * password prompt) the client would otherwise
				 * see no reply traffic at all.
				 */
				packet_send_ignore(len);
				packet_send();
			}
			/* Consume the data from the buffer. */
			buffer_consume(&stdin_buffer, len);
			/* Update the count of bytes written to the program. */
			stdin_bytes += len;
		}
	}
	/* Send any buffered packet data to the client. */
	if (FD_ISSET(connection_out, writeset))
		packet_write_poll();
}

/*
 * Wait until all buffered output has been sent to the client.
 * This is used when the program terminates.  Unlike the
 * make_packets_from_*() helpers, everything left is sent as one packet
 * each and the buffers are not consumed (they are freed by the caller).
 */
static void
drain_output(void)
{
	/* Send any buffered stdout data to the client. */
	if (buffer_len(&stdout_buffer) > 0) {
		packet_start(SSH_SMSG_STDOUT_DATA);
		packet_put_string(buffer_ptr(&stdout_buffer),
		    buffer_len(&stdout_buffer));
		packet_send();
		/* Update the count of sent bytes. */
		stdout_bytes += buffer_len(&stdout_buffer);
	}
	/* Send any buffered stderr data to the client. */
	if (buffer_len(&stderr_buffer) > 0) {
		packet_start(SSH_SMSG_STDERR_DATA);
		packet_put_string(buffer_ptr(&stderr_buffer),
		    buffer_len(&stderr_buffer));
		packet_send();
		/* Update the count of sent bytes. */
		stderr_bytes += buffer_len(&stderr_buffer);
	}
	/* Wait until all buffered data has been written to the client. */
	packet_write_wait();
}

/*
 * Dispatch every already-received packet without blocking.  For SSH2
 * the kex context is passed along so the dispatch handlers can see it.
 */
static void
process_buffered_input_packets(void)
{
	dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
}

/*
 * Performs the interactive session.  This handles data transmission between
 * the client and the program.  Note that the notion of stdin, stdout, and
 * stderr in this function is sort of reversed: this function writes to
 * stdin (of the child program), and reads from stdout and stderr (of the
 * child program).
 *
 * pid is the child to reap once its output descriptors hit EOF and all
 * forwarded channels are gone.  fdin_arg/fdout_arg/fderr_arg become the
 * file-scope fdin/fdout/fderr (fderr_arg may be -1 for pty sessions).
 * Returns after the exit status has been sent and confirmed by the
 * client; any other termination goes through packet_disconnect().
 */
void
server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
{
	fd_set *readset = NULL, *writeset = NULL;
	int max_fd = 0, nalloc = 0;
	int wait_status;	/* Status returned by wait(). */
	pid_t wait_pid;		/* pid returned by wait(). */
	int waiting_termination = 0;	/* Have displayed waiting close message. */
	u_int max_time_milliseconds;
	u_int previous_stdout_buffer_bytes;
	u_int stdout_buffer_bytes;
	int type;

	debug("Entering interactive session.");

	/* Initialize the SIGCHLD kludge. */
	child_terminated = 0;
	mysignal(SIGCHLD, sigchld_handler);

	/* Initialize our global variables. */
	fdin = fdin_arg;
	fdout = fdout_arg;
	fderr = fderr_arg;

	/* nonblocking IO */
	set_nonblock(fdin);
	set_nonblock(fdout);
	/* we don't have stderr for interactive terminal sessions, see below */
	if (fderr != -1)
		set_nonblock(fderr);

	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
		fdin_is_tty = 1;

	connection_in = packet_get_connection_in();
	connection_out = packet_get_connection_out();

	notify_setup();

	previous_stdout_buffer_bytes = 0;

	/* Set approximate I/O buffer size. */
	if (packet_is_interactive())
		buffer_high = 4096;
	else
		buffer_high = 64 * 1024;

#if 0
	/* Initialize max_fd to the maximum of the known file descriptors. */
	max_fd = MAX(connection_in, connection_out);
	max_fd = MAX(max_fd, fdin);
	max_fd = MAX(max_fd, fdout);
	if (fderr != -1)
		max_fd = MAX(max_fd, fderr);
#endif

	/* Initialize buffers. */
	buffer_init(&stdin_buffer);
	buffer_init(&stdout_buffer);
	buffer_init(&stderr_buffer);

	/*
	 * If we have no separate fderr (which is the case when we have a pty
	 * - there we cannot make difference between data sent to stdout and
	 * stderr), indicate that we have seen an EOF from stderr.  This way
	 * we don't need to check the descriptor everywhere.
	 */
	if (fderr == -1)
		fderr_eof = 1;

	server_init_dispatch();

	/* Main loop of the server for the interactive session mode. */
	for (;;) {

		/* Process buffered packets from the client. */
		process_buffered_input_packets();

		/*
		 * If we have received eof, and there is no more pending
		 * input data, cause a real eof by closing fdin.
		 */
		if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
			if (fdin != fdout)
				(void) close(fdin);
			else
				(void) shutdown(fdin, SHUT_WR); /* We will no longer send. */
			fdin = -1;
		}
		/* Make packets from buffered stderr data to send to the client. */
		make_packets_from_stderr_data();

		/*
		 * Make packets from buffered stdout data to send to the
		 * client.  If there is very little to send, this arranges to
		 * not send them now, but to wait a short while to see if we
		 * are getting more data.  This is necessary, as some systems
		 * wake up readers from a pty after each separate character.
		 */
		max_time_milliseconds = 0;
		stdout_buffer_bytes = buffer_len(&stdout_buffer);
		if (stdout_buffer_bytes != 0 && stdout_buffer_bytes < 256 &&
		    stdout_buffer_bytes != previous_stdout_buffer_bytes) {
			/* try again after a while */
			max_time_milliseconds = 10;
		} else {
			/* Send it now. */
			make_packets_from_stdout_data();
		}
		previous_stdout_buffer_bytes = buffer_len(&stdout_buffer);

		/* Send channel data to the client. */
		if (packet_not_very_much_data_to_write())
			channel_output_poll();

		/*
		 * Bail out of the loop if the program has closed its output
		 * descriptors, and we have no more data to send to the
		 * client, and there is no pending buffered data.
		 */
		if (fdout_eof && fderr_eof && !packet_have_data_to_write() &&
		    buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) {
			if (!channel_still_open())
				break;
			if (!waiting_termination) {
				const char *s = "Waiting for forwarded connections to terminate...\r\n";
				char *cp;
				waiting_termination = 1;
				buffer_append(&stderr_buffer, s, strlen(s));

				/*
				 * Display list of open channels.  The
				 * message is heap-allocated by
				 * channel_open_message() and owned here.
				 */
				cp = channel_open_message();
				buffer_append(&stderr_buffer, cp, strlen(cp));
				xfree(cp);
			}
		}
		/* Closed descriptors are -1 here, which MAX() ignores. */
		max_fd = MAX(connection_in, connection_out);
		max_fd = MAX(max_fd, fdin);
		max_fd = MAX(max_fd, fdout);
		max_fd = MAX(max_fd, fderr);
		max_fd = MAX(max_fd, notify_pipe[0]);

		/* Sleep in select() until we can do something. */
		wait_until_can_do_something(&readset, &writeset, &max_fd,
		    &nalloc, max_time_milliseconds);

		/* Process any channel events. */
		channel_after_select(readset, writeset);

		/* Process input from the client and from program stdout/stderr. */
		process_input(readset);

		/* Process output to the client and to program stdin. */
		process_output(writeset);
	}
	if (readset)
		xfree(readset);
	if (writeset)
		xfree(writeset);

	/* Cleanup and termination code. */

	/* Wait until all output has been sent to the client. */
	drain_output();

	debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.",
	    stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes);

	/* Free and clear the buffers. */
	buffer_free(&stdin_buffer);
	buffer_free(&stdout_buffer);
	buffer_free(&stderr_buffer);

	/* Close the file descriptors. */
	if (fdout != -1)
		(void) close(fdout);
	fdout = -1;
	fdout_eof = 1;
	if (fderr != -1)
		(void) close(fderr);
	fderr = -1;
	fderr_eof = 1;
	if (fdin != -1)
		(void) close(fdin);
	fdin = -1;

	channel_free_all();

	/* We no longer want our SIGCHLD handler to be called. */
	mysignal(SIGCHLD, SIG_DFL);

	/* Blocking wait for the child; only EINTR is retried. */
	while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0)
		if (errno != EINTR)
			packet_disconnect("wait: %.100s", strerror(errno));
	if (wait_pid != pid)
		error("Strange, wait returned pid %ld, expected %ld",
		    (long)wait_pid, (long)pid);

	/* Check if it exited normally. */
	if (WIFEXITED(wait_status)) {
		/* Yes, normal exit.  Get exit status and send it to the client. */
		debug("Command exited with status %d.", WEXITSTATUS(wait_status));
		packet_start(SSH_SMSG_EXITSTATUS);
		packet_put_int(WEXITSTATUS(wait_status));
		packet_send();
		packet_write_wait();

		/*
		 * Wait for exit confirmation.  Note that there might be
		 * other packets coming before it; however, the program has
		 * already died so we just ignore them.  The client is
		 * supposed to respond with the confirmation when it receives
		 * the exit status.
		 */
		do {
			type = packet_read();
		}
		while (type != SSH_CMSG_EXIT_CONFIRMATION);

		debug("Received exit confirmation.");
		return;
	}
	/* Check if the program terminated due to a signal. */
	if (WIFSIGNALED(wait_status))
		packet_disconnect("Command terminated on signal %d.",
		    WTERMSIG(wait_status));

	/* Some weird exit cause.  Just exit. */
	packet_disconnect("wait returned status %04x.", wait_status);
	/* NOTREACHED */
}

/*
 * Reap every exited child (non-blocking) once the SIGCHLD handler has
 * set child_terminated, handing each pid and status to
 * session_close_by_pid().  SIGCHLD is blocked while the flag is checked
 * and cleared so a signal arriving in between cannot be lost.
 */
static void
collect_children(void)
{
	pid_t pid;
	sigset_t oset, nset;
	int status;

	/* block SIGCHLD while we check for dead children */
	(void) sigemptyset(&nset);
	(void) sigaddset(&nset, SIGCHLD);
	(void) sigprocmask(SIG_BLOCK, &nset, &oset);
	if (child_terminated) {
		while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
		    (pid < 0 && errno == EINTR))
			if (pid > 0)
				session_close_by_pid(pid, status);
		child_terminated = 0;
	}
	(void) sigprocmask(SIG_SETMASK, &oset, NULL);
}

#ifdef ALTPRIVSEP
/*
 * For ALTPRIVSEP the wait_until_can_do_something function is very
 * simple: select() on the read side of the pipe, and if there's packets
 * to send, on the write side, and on the read side of the SIGCHLD
 * handler pipe.  That's it.
 */
static void
aps_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
    int *maxfdp, int *nallocp, u_int max_time_milliseconds)
{
	int nready;

	/*
	 * channel_prepare_select() with a final argument of 1 does nothing
	 * channel-related; it is called here only to calloc() the fd sets
	 * (and size *nallocp) for us.
	 */
	channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, 1);

	/* Read from the client side of the privsep pipe while it is open. */
	connection_in = packet_get_connection_in();
	if (connection_in >= 0) {
		if (!connection_closed)
			FD_SET(connection_in, *readsetp);
	}

	notify_prepare(*readsetp);

	/* Write side only matters when there is something queued. */
	connection_out = packet_get_connection_out();
	if (connection_out >= 0) {
		if (packet_have_data_to_write() && !connection_closed)
			FD_SET(connection_out, *writesetp);
	}

	/*
	 * Wait for something to happen.  There is no timeout on this path:
	 * max_time_milliseconds is accepted for signature parity with
	 * wait_until_can_do_something() but is not consulted.
	 */
	nready = select((*maxfdp) + 1, *readsetp, *writesetp, NULL, NULL);

	if (nready == -1) {
		/* Leave nothing marked ready after a failed select(). */
		memset(*readsetp, 0, *nallocp);
		memset(*writesetp, 0, *nallocp);
		if (errno != EINTR)
			error("select: %.100s", strerror(errno));
	}

	notify_done(*readsetp);
}

/*
 * Slightly different than collect_children, aps_collect_child() has
 * only the unprivileged sshd to wait for, no sessions, no channels,
 * just one process.
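 */
/*
 * Reap the single privsep child if the SIGCHLD handler has flagged it.
 * Returns 1 as soon as waitpid() reports `child` (child_terminated is
 * then left set, which is harmless since the caller exits its loop),
 * 0 otherwise.  SIGCHLD is blocked around the check so the flag cannot
 * be cleared underneath a signal that arrives mid-check.
 */
static int
aps_collect_child(pid_t child)
{
	pid_t pid;
	sigset_t oset, nset;
	int status;

	/* block SIGCHLD while we check for dead children */
	(void) sigemptyset(&nset);
	(void) sigaddset(&nset, SIGCHLD);
	(void) sigprocmask(SIG_BLOCK, &nset, &oset);
	if (child_terminated) {
		while ((pid = waitpid(child, &status, WNOHANG)) > 0 ||
		    (pid < 0 && errno == EINTR))
			if (pid == child) {
				(void) sigprocmask(SIG_SETMASK, &oset, NULL);
				return (1);
			}
		child_terminated = 0;
	}
	(void) sigprocmask(SIG_SETMASK, &oset, NULL);
	return (0);
}

/*
 * Set by aps_monitor_kill_handler(); polled by aps_monitor_loop().
 * volatile sig_atomic_t so the compiler cannot cache it across the loop.
 */
static volatile sig_atomic_t killed = 0;

/*
 * SIGHUP/SIGINT/SIGTERM handler for the monitor: record the request,
 * wake select() through the self-pipe, re-arm, and preserve errno.
 * Only async-signal-safe operations are used.
 */
static void
aps_monitor_kill_handler(int sig)
{
	int save_errno = errno;
	killed = 1;
	notify_parent();
	mysignal(sig, aps_monitor_kill_handler);
	errno = save_errno;
}

/*
 * Monitor's SIGCHLD handler.  Same contract as sigchld_handler(): flag,
 * re-arm, poke the self-pipe, restore errno.  No logging here, since the
 * logging routines are not async-signal-safe.
 */
static void
aps_monitor_sigchld_handler(int sig)
{
	int save_errno = errno;
	child_terminated = 1;
	mysignal(SIGCHLD, aps_monitor_sigchld_handler);
	notify_parent();
	errno = save_errno;
}

/*
 * Privileged monitor main loop.  Relays packets over `pipe` (installed
 * with packet_set_monitor()) and only dispatches KEXINIT and the
 * ALTPRIVSEP control message; every userauth-range message is rejected
 * by dispatch_protocol_error.  Runs until the unprivileged child
 * `child_pid` exits, or until a kill signal arrives, in which case
 * fatal_cleanup() takes the child down.  `authctxt` is currently unused.
 */
void
aps_monitor_loop(Authctxt *authctxt, int pipe, pid_t child_pid)
{
	fd_set *readset = NULL, *writeset = NULL;
	int max_fd, nalloc = 0;

	debug("Entering monitor loop.");

	/*
	 * Awful hack follows: fake compat20 == 1 to cause process_input()
	 * and process_output() to behave as they would for SSHv2 because that's
	 * the behaviour we need in SSHv2.
	 *
	 * This same hack is done in packet.c
	 */
	compat20 = 1; /* causes process_input/output() to ignore stdio */

	mysignal(SIGHUP, aps_monitor_kill_handler);
	mysignal(SIGINT, aps_monitor_kill_handler);
	mysignal(SIGTERM, aps_monitor_kill_handler);

	child_terminated = 0;
	mysignal(SIGCHLD, aps_monitor_sigchld_handler);

	packet_set_monitor(pipe);

	connection_in = packet_get_connection_in();
	connection_out = packet_get_connection_out();

	notify_setup();

	max_fd = MAX(connection_in, connection_out);
	max_fd = MAX(max_fd, notify_pipe[0]);

	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
	dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_MAX,
	    &dispatch_protocol_error);
	dispatch_set(SSH2_PRIV_MSG_ALTPRIVSEP, &aps_input_altpriv_msg);

	for (;;) {
		process_buffered_input_packets();

		aps_wait_until_can_do_something(&readset, &writeset, &max_fd,
		    &nalloc, 0);

		if (aps_collect_child(child_pid))
			break;

		if (killed) {
			/* fatal cleanups will kill child, audit logout */
			log("Monitor killed; exiting");
			fatal_cleanup();
		}

		/*
		 * Unlike server_loop2() we don't care if connection_closed
		 * since we still want to wait for the monitor's child.
		 */
		process_input(readset);
		process_output(writeset);
	}

	packet_close();
}
#endif /* ALTPRIVSEP */

/*
 * SSH2 interactive session loop.  Pumps packets between the client and
 * the channel layer until the client closes the connection
 * (connection_closed, set by process_input).  While a key exchange is
 * in progress (xxx_kex present and not done) channel I/O is paused and,
 * under ALTPRIVSEP, input is handed to altprivsep_process_input()
 * instead.  Children are reaped each iteration and once more on exit.
 */
void
server_loop2(Authctxt *authctxt)
{
	fd_set *readset = NULL, *writeset = NULL;
	int rekeying = 0, max_fd, nalloc = 0;

	debug("Entering interactive session for SSH2.");

	mysignal(SIGCHLD, sigchld_handler);
	child_terminated = 0;
	connection_in = packet_get_connection_in();
	connection_out = packet_get_connection_out();

	notify_setup();

	max_fd = MAX(connection_in, connection_out);
	max_fd = MAX(max_fd, notify_pipe[0]);

	/* Needed by server_request_session() to open sessions. */
	xxx_authctxt = authctxt;

	server_init_dispatch();

	for (;;) {
		process_buffered_input_packets();

		rekeying = (xxx_kex != NULL && !xxx_kex->done);

		if (!rekeying && packet_not_very_much_data_to_write())
			channel_output_poll();
		wait_until_can_do_something(&readset, &writeset, &max_fd,
		    &nalloc, 0);

		collect_children();

		if (!rekeying)
			channel_after_select(readset, writeset);
#ifdef ALTPRIVSEP
		else
			altprivsep_process_input(xxx_kex, readset);
#endif /* ALTPRIVSEP */

		process_input(readset);
		if (connection_closed)
			break;
		process_output(writeset);
	}
	collect_children();

	if (readset)
		xfree(readset);
	if (writeset)
		xfree(writeset);

	/* free all channels, no more reads and writes */
	channel_free_all();

	/* free remaining sessions, e.g. remove wtmp entries */
	session_destroy_all(NULL);
}

/*
 * Dispatch handler for SSH2_MSG_CHANNEL_FAILURE.  Any such reply is
 * treated as proof of life and resets the client-alive counter.
 */
static void
server_input_channel_failure(int type, u_int32_t seq, void *ctxt)
{
	debug("Got CHANNEL_FAILURE for keepalive");
	/*
	 * reset timeout, since we got a sane answer from the client.
	 * even if this was generated by something other than
	 * the bogus CHANNEL_REQUEST we send for keepalives.
	 */
	client_alive_timeouts = 0;
}


/*
 * SSH1 stdin data from the client: append it to stdin_buffer, unless the
 * program's stdin has already been closed, in which case the packet is
 * still consumed but its payload dropped.
 */
static void
server_input_stdin_data(int type, u_int32_t seq, void *ctxt)
{
	char *data;
	u_int data_len;

	/* Stdin data from the client. Append it to the buffer. */
	/* Ignore any data if the client has closed stdin. */
	if (fdin == -1)
		return;
	data = packet_get_string(&data_len);
	packet_check_eom();
	buffer_append(&stdin_buffer, data, data_len);
	/*
	 * Scrub the copy before freeing it, since stdin may carry secrets.
	 * NOTE(review): a plain memset() immediately before free() may be
	 * elided by the optimizer; a non-elidable zeroing helper would be
	 * preferable if one is available in this tree.
	 */
	memset(data, 0, data_len);
	xfree(data);
}

/* SSH1 EOF on stdin from the client; fdin is closed once stdin_buffer drains. */
static void
server_input_eof(int type, u_int32_t seq, void *ctxt)
{
	/*
	 * Eof from the client.  The stdin descriptor to the
	 * program will be closed when all buffered data has
	 * drained.
	 */
	debug("EOF received for stdin.");
	packet_check_eom();
	stdin_eof = 1;
}

/*
 * SSH1 window-size change from the client, forwarded to the pty on fdin
 * (ignored once fdin is closed).  The four values are passed through
 * as received.
 */
static void
server_input_window_size(int type, u_int32_t seq, void *ctxt)
{
	int row = packet_get_int();
	int col = packet_get_int();
	int xpixel = packet_get_int();
	int ypixel = packet_get_int();

	debug("Window change received.");
	packet_check_eom();
	if (fdin != -1)
		pty_change_window_size(fdin, row, col, xpixel, ypixel);
}

/*
 * Handle a "direct-tcpip" channel open: parse target/originator from
 * the packet, connect, and wrap the socket in a CONNECTING channel.
 * Returns NULL when the connect fails (the caller then sends
 * CHANNEL_OPEN_FAILURE).  Note that this function itself does no
 * authorization; any policy (forwarding disabled, permitted targets)
 * is expected to be enforced inside channel_connect_to() — confirm
 * against channels.c before relying on that.
 */
static Channel *
server_request_direct_tcpip(char *ctype)
{
	Channel *c;
	int sock;
	char *target, *originator;
	int target_port, originator_port;

	target = packet_get_string(NULL);
	target_port = packet_get_int();
	originator = packet_get_string(NULL);
	originator_port = packet_get_int();
	packet_check_eom();

	debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
	    originator, originator_port, target, target_port);

	/* XXX check permission */
	sock = channel_connect_to(target, target_port);

	xfree(target);
	xfree(originator);
	if (sock < 0)
		return NULL;
	c = channel_new(ctype, SSH_CHANNEL_CONNECTING,
	    sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
	    CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1);
	return c;
}

/*
 * Handle a "session" channel open.  Creates a LARVAL channel (no fds yet)
 * and binds a session to it; returns NULL and frees the channel if
 * session_open() fails.
 */
static Channel *
server_request_session(char *ctype)
{
	Channel *c;

	debug("input_session_request");
	packet_check_eom();
	/*
	 * A server session has no fd to read or write until a
	 * CHANNEL_REQUEST for a shell is made, so we set the type to
	 * SSH_CHANNEL_LARVAL.  Additionally, a callback for handling all
	 * CHANNEL_REQUEST messages is registered.
	 */
	c = channel_new(ctype, SSH_CHANNEL_LARVAL,
	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
	    0, xstrdup("server-session"), 1);
	if (session_open(xxx_authctxt, c->self) != 1) {
		debug("session open failed, free channel %d", c->self);
		channel_free(c);
		return NULL;
	}
	channel_register_cleanup(c->self, session_close_by_channel);
	return c;
}

/*
 * Dispatch handler for SSH2_MSG_CHANNEL_OPEN.  Only "session" and
 * "direct-tcpip" are recognised; anything else, or a failed open, is
 * answered with OPEN_FAILURE / ADMINISTRATIVELY_PROHIBITED.  A
 * CONNECTING channel defers its confirmation until the connect
 * completes.
 */
static void
server_input_channel_open(int type, u_int32_t seq, void *ctxt)
{
	Channel *c = NULL;
	char *ctype;
	int rchan;
	u_int rmaxpack, rwindow, len;

	ctype = packet_get_string(&len);
	rchan = packet_get_int();
	rwindow = packet_get_int();
	rmaxpack = packet_get_int();

	/* rwindow/rmaxpack are unsigned, so print them with %u. */
	debug("server_input_channel_open: ctype %s rchan %d win %u max %u",
	    ctype, rchan, rwindow, rmaxpack);

	if (strcmp(ctype, "session") == 0) {
		c = server_request_session(ctype);
	} else if (strcmp(ctype, "direct-tcpip") == 0) {
		c = server_request_direct_tcpip(ctype);
	}
	if (c != NULL) {
		debug("server_input_channel_open: confirm %s", ctype);
		c->remote_id = rchan;
		c->remote_window = rwindow;
		c->remote_maxpacket = rmaxpack;
		if (c->type != SSH_CHANNEL_CONNECTING) {
			packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
			packet_put_int(c->remote_id);
			packet_put_int(c->self);
			packet_put_int(c->local_window);
			packet_put_int(c->local_maxpacket);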
packet_send(); 1127 } 1128 } else { 1129 debug("server_input_channel_open: failure %s", ctype); 1130 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1131 packet_put_int(rchan); 1132 packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); 1133 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1134 packet_put_cstring("open failed"); 1135 packet_put_cstring(""); 1136 } 1137 packet_send(); 1138 } 1139 xfree(ctype); 1140 } 1141 1142 static void 1143 server_input_global_request(int type, u_int32_t seq, void *ctxt) 1144 { 1145 char *rtype; 1146 int want_reply; 1147 int success = 0; 1148 1149 rtype = packet_get_string(NULL); 1150 want_reply = packet_get_char(); 1151 debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply); 1152 1153 /* -R style forwarding */ 1154 if (strcmp(rtype, "tcpip-forward") == 0) { 1155 struct passwd *pw; 1156 char *listen_address; 1157 u_short listen_port; 1158 1159 pw = auth_get_user(); 1160 if (pw == NULL) 1161 fatal("server_input_global_request: no user"); 1162 listen_address = packet_get_string(NULL); /* XXX currently ignored */ 1163 listen_port = (u_short)packet_get_int(); 1164 debug("server_input_global_request: tcpip-forward listen %s port %d", 1165 listen_address, listen_port); 1166 1167 /* check permissions */ 1168 if (!options.allow_tcp_forwarding || 1169 no_port_forwarding_flag 1170 #ifndef NO_IPPORT_RESERVED_CONCEPT 1171 || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) 1172 #endif 1173 ) { 1174 success = 0; 1175 packet_send_debug("Server has disabled port forwarding."); 1176 } else { 1177 /* Start listening on the port */ 1178 success = channel_setup_remote_fwd_listener( 1179 listen_address, listen_port, options.gateway_ports); 1180 } 1181 xfree(listen_address); 1182 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { 1183 char *cancel_address; 1184 u_short cancel_port; 1185 1186 cancel_address = packet_get_string(NULL); 1187 cancel_port = (u_short)packet_get_int(); 1188 debug("%s: cancel-tcpip-forward addr %s 
port %d", __func__, 1189 cancel_address, cancel_port); 1190 1191 success = channel_cancel_rport_listener(cancel_address, 1192 cancel_port); 1193 xfree(cancel_address); 1194 } 1195 if (want_reply) { 1196 packet_start(success ? 1197 SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); 1198 packet_send(); 1199 packet_write_wait(); 1200 } 1201 xfree(rtype); 1202 } 1203 1204 static void 1205 server_input_channel_req(int type, u_int32_t seq, void *ctxt) 1206 { 1207 Channel *c; 1208 int id, reply, success = 0; 1209 char *rtype; 1210 1211 id = packet_get_int(); 1212 rtype = packet_get_string(NULL); 1213 reply = packet_get_char(); 1214 1215 debug("server_input_channel_req: channel %d request %s reply %d", 1216 id, rtype, reply); 1217 1218 if ((c = channel_lookup(id)) == NULL) 1219 packet_disconnect("server_input_channel_req: " 1220 "unknown channel %d", id); 1221 if (c->type == SSH_CHANNEL_LARVAL || c->type == SSH_CHANNEL_OPEN) 1222 success = session_input_channel_req(c, rtype); 1223 if (reply) { 1224 packet_start(success ? 
1225 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); 1226 packet_put_int(c->remote_id); 1227 packet_send(); 1228 } 1229 xfree(rtype); 1230 } 1231 1232 static void 1233 server_init_dispatch_20(void) 1234 { 1235 debug("server_init_dispatch_20"); 1236 dispatch_init(&dispatch_protocol_error); 1237 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); 1238 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data); 1239 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); 1240 dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); 1241 dispatch_set(SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open); 1242 dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1243 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1244 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req); 1245 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); 1246 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); 1247 /* client_alive */ 1248 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_channel_failure); 1249 /* rekeying */ 1250 1251 #ifdef ALTPRIVSEP 1252 /* unprivileged sshd has a kex packet handler that must not be reset */ 1253 debug3("server_init_dispatch_20 -- should we dispatch_set(KEXINIT) here? 
%d && !%d", 1254 packet_is_server(), packet_is_monitor()); 1255 if (packet_is_server() && !packet_is_monitor()) { 1256 debug3("server_init_dispatch_20 -- skipping dispatch_set(KEXINIT) in unpriv proc"); 1257 dispatch_range(SSH2_MSG_KEXINIT, SSH2_MSG_TRANSPORT_MAX, 1258 &altprivsep_rekey); 1259 return; 1260 } 1261 #endif /* ALTPRIVSEP */ 1262 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 1263 } 1264 static void 1265 server_init_dispatch_13(void) 1266 { 1267 debug("server_init_dispatch_13"); 1268 dispatch_init(NULL); 1269 dispatch_set(SSH_CMSG_EOF, &server_input_eof); 1270 dispatch_set(SSH_CMSG_STDIN_DATA, &server_input_stdin_data); 1271 dispatch_set(SSH_CMSG_WINDOW_SIZE, &server_input_window_size); 1272 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close); 1273 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation); 1274 dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); 1275 dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1276 dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1277 dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); 1278 } 1279 static void 1280 server_init_dispatch_15(void) 1281 { 1282 server_init_dispatch_13(); 1283 debug("server_init_dispatch_15"); 1284 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof); 1285 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose); 1286 } 1287 static void 1288 server_init_dispatch(void) 1289 { 1290 if (compat20) 1291 server_init_dispatch_20(); 1292 else if (compat13) 1293 server_init_dispatch_13(); 1294 else 1295 server_init_dispatch_15(); 1296 } 1297