xref: /titanic_44/usr/src/cmd/ssh/sshd/sshd.c (revision db8b037b5616a366b7dfdc01ef9552f02f9adfdd)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * This program is the ssh daemon.  It listens for connections from clients,
6  * and performs authentication, executes use commands or shell, and forwards
7  * information to/from the application to the user client over an encrypted
8  * connection.  This can also handle forwarding of X11, TCP/IP, and
9  * authentication agent connections.
10  *
11  * As far as I am concerned, the code I have written for this software
12  * can be used freely for any purpose.  Any derived versions of this
13  * software must be clearly marked as such, and if the derived work is
14  * incompatible with the protocol description in the RFC file, it must be
15  * called by a name other than "ssh" or "Secure Shell".
16  *
17  * SSH2 implementation:
18  * Privilege Separation:
19  *
20  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
21  * Copyright (c) 2002 Niels Provos.  All rights reserved.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  *
32  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
33  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
34  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
35  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
36  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
37  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
38  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
39  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
41  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42  */
43 /*
44  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
45  */
46 
47 #include "includes.h"
48 RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
49 
50 #include <openssl/dh.h>
51 #include <openssl/bn.h>
52 #include <openssl/md5.h>
53 
54 #include <openssl/rand.h>
55 
56 #include "ssh.h"
57 #include "ssh1.h"
58 #include "ssh2.h"
59 #include "xmalloc.h"
60 #include "rsa.h"
61 #include "sshpty.h"
62 #include "packet.h"
63 #include "mpaux.h"
64 #include "log.h"
65 #include "servconf.h"
66 #include "uidswap.h"
67 #include "compat.h"
68 #include "buffer.h"
69 #include "cipher.h"
70 #include "kex.h"
71 #include "key.h"
72 #include "dh.h"
73 #include "myproposal.h"
74 #include "authfile.h"
75 #include "pathnames.h"
76 #include "atomicio.h"
77 #include "canohost.h"
78 #include "auth.h"
79 #include "misc.h"
80 #include "dispatch.h"
81 #include "channels.h"
82 #include "session.h"
83 #include "g11n.h"
84 #include "sshlogin.h"
85 #include "xlist.h"
86 #include "engine.h"
87 
88 #ifdef HAVE_BSM
89 #include "bsmaudit.h"
90 #endif /* HAVE_BSM */
91 
92 #ifdef ALTPRIVSEP
93 #include "altprivsep.h"
94 #endif /* ALTPRIVSEP */
95 
96 #ifdef HAVE_SOLARIS_CONTRACTS
97 #include <sys/ctfs.h>
98 #include <sys/contract.h>
99 #include <sys/contract/process.h>
100 #include <libcontract.h>
101 #endif /* HAVE_SOLARIS_CONTRACTS */
102 
103 #ifdef GSSAPI
104 #include "ssh-gss.h"
105 #endif /* GSSAPI */
106 
107 #ifdef LIBWRAP
108 #include <tcpd.h>
109 #include <syslog.h>
110 #ifndef lint
111 int allow_severity = LOG_INFO;
112 int deny_severity = LOG_WARNING;
113 #endif /* lint */
114 #endif /* LIBWRAP */
115 
116 #ifndef O_NOCTTY
117 #define O_NOCTTY	0
118 #endif
119 
120 #ifdef HAVE___PROGNAME
121 extern char *__progname;
122 #else
123 char *__progname;
124 #endif
125 
126 /* Server configuration options. */
127 ServerOptions options;
128 
129 /* Name of the server configuration file. */
130 static char *config_file_name = _PATH_SERVER_CONFIG_FILE;
131 
132 /*
133  * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
134  * Default value is AF_UNSPEC means both IPv4 and IPv6.
135  */
136 #ifdef IPV4_DEFAULT
137 int IPv4or6 = AF_INET;
138 #else
139 int IPv4or6 = AF_UNSPEC;
140 #endif
141 
142 /*
143  * Debug mode flag.  This can be set on the command line.  If debug
144  * mode is enabled, extra debugging output will be sent to the system
145  * log, the daemon will not go to background, and will exit after processing
146  * the first connection.
147  */
148 int debug_flag = 0;
149 
150 /* Flag indicating that the daemon should only test the configuration and keys. */
151 static int test_flag = 0;
152 
153 /* Flag indicating that the daemon is being started from inetd. */
154 static int inetd_flag = 0;
155 
156 /* Flag indicating that sshd should not detach and become a daemon. */
157 static int no_daemon_flag = 0;
158 
159 /* debug goes to stderr unless inetd_flag is set */
160 int log_stderr = 0;
161 
162 /* Saved arguments to main(). */
163 static char **saved_argv;
164 static int saved_argc;
165 
166 /*
167  * The sockets that the server is listening; this is used in the SIGHUP
168  * signal handler.
169  */
170 #define	MAX_LISTEN_SOCKS	16
171 static int listen_socks[MAX_LISTEN_SOCKS];
172 static int num_listen_socks = 0;
173 
174 /*
175  * the client's version string, passed by sshd2 in compat mode. if != NULL,
176  * sshd will skip the version-number exchange
177  */
178 static char *client_version_string = NULL;
179 static char *server_version_string = NULL;
180 
181 /* for rekeying XXX fixme */
182 Kex *xxx_kex;
183 
184 /*
185  * Any really sensitive data in the application is contained in this
186  * structure. The idea is that this structure could be locked into memory so
187  * that the pages do not get written into swap.  However, there are some
188  * problems. The private key contains BIGNUMs, and we do not (in principle)
189  * have access to the internals of them, and locking just the structure is
190  * not very useful.  Currently, memory locking is not implemented.
191  */
192 static struct {
193 	Key	*server_key;		/* ephemeral server key */
194 	Key	*ssh1_host_key;		/* ssh1 host key */
195 	Key	**host_keys;		/* all private host keys */
196 	int	have_ssh1_key;
197 	int	have_ssh2_key;
198 	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
199 } sensitive_data;
200 
201 /*
202  * Flag indicating whether the RSA server key needs to be regenerated.
203  * Is set in the SIGALRM handler and cleared when the key is regenerated.
204  */
205 static volatile sig_atomic_t key_do_regen = 0;
206 
207 /* This is set to true when a signal is received. */
208 static volatile sig_atomic_t received_sighup = 0;
209 static volatile sig_atomic_t received_sigterm = 0;
210 
211 /* session identifier, used by RSA-auth */
212 u_char session_id[16];
213 
214 /* same for ssh2 */
215 u_char *session_id2 = NULL;
216 int session_id2_len = 0;
217 
218 /* record remote hostname or ip */
219 u_int utmp_len = MAXHOSTNAMELEN;
220 
221 /* options.max_startup sized array of fd ints */
222 static int *startup_pipes = NULL;
223 static int startup_pipe = -1;	/* in child */
224 
225 /* sshd_config buffer */
226 Buffer cfg;
227 
228 #ifdef GSSAPI
229 static gss_OID_set mechs = GSS_C_NULL_OID_SET;
230 #endif /* GSSAPI */
231 
232 /* Prototypes for various functions defined later in this file. */
233 void destroy_sensitive_data(void);
234 static void demote_sensitive_data(void);
235 
236 static void do_ssh1_kex(void);
237 static void do_ssh2_kex(void);
238 
239 /*
240  * Close all listening sockets
241  */
242 static void
243 close_listen_socks(void)
244 {
245 	int i;
246 
247 	for (i = 0; i < num_listen_socks; i++)
248 		(void) close(listen_socks[i]);
249 	num_listen_socks = -1;
250 }
251 
252 static void
253 close_startup_pipes(void)
254 {
255 	int i;
256 
257 	if (startup_pipes)
258 		for (i = 0; i < options.max_startups; i++)
259 			if (startup_pipes[i] != -1)
260 				(void) close(startup_pipes[i]);
261 }
262 
263 /*
264  * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
265  * the effect is to reread the configuration file (and to regenerate
266  * the server key).
267  */
268 static void
269 sighup_handler(int sig)
270 {
271 	int save_errno = errno;
272 
273 	received_sighup = 1;
274 	(void) signal(SIGHUP, sighup_handler);
275 	errno = save_errno;
276 }
277 
278 /*
279  * Called from the main program after receiving SIGHUP.
280  * Restarts the server.
281  */
282 static void
283 sighup_restart(void)
284 {
285 	log("Received SIGHUP; restarting.");
286 	close_listen_socks();
287 	close_startup_pipes();
288 	(void) execv(saved_argv[0], saved_argv);
289 	log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
290 	    strerror(errno));
291 	exit(1);
292 }
293 
294 /*
295  * Generic signal handler for terminating signals in the master daemon.
296  */
297 static void
298 sigterm_handler(int sig)
299 {
300 	received_sigterm = sig;
301 }
302 
303 /*
304  * SIGCHLD handler.  This is called whenever a child dies.  This will then
305  * reap any zombies left by exited children.
306  */
307 static void
308 main_sigchld_handler(int sig)
309 {
310 	int save_errno = errno;
311 	pid_t pid;
312 	int status;
313 
314 	while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
315 	    (pid < 0 && errno == EINTR))
316 		;
317 
318 	(void) signal(SIGCHLD, main_sigchld_handler);
319 	errno = save_errno;
320 }
321 
322 /*
323  * Signal handler for the alarm after the login grace period has expired. This
324  * is for the (soon-to-be) unprivileged child only. The monitor gets an event on
325  * the communication pipe and exits as well.
326  */
327 static void
328 grace_alarm_handler(int sig)
329 {
330 	/* Log error and exit. */
331 	fatal("Timeout before authentication for %.200s", get_remote_ipaddr());
332 }
333 
334 #ifdef HAVE_SOLARIS_CONTRACTS
335 static int contracts_fd = -1;
336 void
337 contracts_pre_fork()
338 {
339 	const char *during = "opening process contract template";
340 
341 	/*
342 	 * Failure should not be treated as fatal on the theory that
343 	 * it's better to start with children in the same contract as
344 	 * the master listener than not at all.
345 	 */
346 
347 	if (contracts_fd == -1) {
348 		if ((contracts_fd = open64(CTFS_ROOT "/process/template",
349 				O_RDWR)) == -1)
350 			goto cleanup;
351 
352 		during = "setting sundry contract terms";
353 		if ((errno = ct_pr_tmpl_set_param(contracts_fd, CT_PR_PGRPONLY)))
354 			goto cleanup;
355 
356 		if ((errno = ct_tmpl_set_informative(contracts_fd, CT_PR_EV_HWERR)))
357 			goto cleanup;
358 
359 		if ((errno = ct_pr_tmpl_set_fatal(contracts_fd, CT_PR_EV_HWERR)))
360 			goto cleanup;
361 
362 		if ((errno = ct_tmpl_set_critical(contracts_fd, 0)))
363 			goto cleanup;
364 	}
365 
366 	during = "setting active template";
367 	if ((errno = ct_tmpl_activate(contracts_fd)))
368 		goto cleanup;
369 
370 	debug3("Set active contract");
371 	return;
372 
373 cleanup:
374 	if (contracts_fd != -1)
375 		(void) close(contracts_fd);
376 
377 	contracts_fd = -1;
378 
379 	if (errno)
380 		debug2("Error while trying to set up active contract"
381 			" template: %s while %s", strerror(errno), during);
382 }
383 
384 void
385 contracts_post_fork_child()
386 {
387 	/* Clear active template so fork() creates no new contracts. */
388 
389 	if (contracts_fd == -1)
390 		return;
391 
392 	if ((errno = (ct_tmpl_clear(contracts_fd))))
393 		debug2("Error while trying to clear active contract template"
394 			" (child): %s", strerror(errno));
395 	else
396 		debug3("Cleared active contract template (child)");
397 
398 	(void) close(contracts_fd);
399 
400 	contracts_fd = -1;
401 }
402 
403 void
404 contracts_post_fork_parent(int fork_succeeded)
405 {
406 	char path[PATH_MAX];
407 	int cfd, n;
408 	ct_stathdl_t st;
409 	ctid_t latest;
410 
411 	/* Clear active template, abandon latest contract. */
412 	if (contracts_fd == -1)
413 		return;
414 
415 	if ((errno = ct_tmpl_clear(contracts_fd)))
416 		debug2("Error while clearing active contract template: %s",
417 			strerror(errno));
418 	else
419 		debug3("Cleared active contract template (parent)");
420 
421 	if (!fork_succeeded)
422 		return;
423 
424 	if ((cfd = open64(CTFS_ROOT "/process/latest", O_RDONLY)) == -1) {
425 		debug2("Error while getting latest contract: %s",
426 			strerror(errno));
427 		return;
428 	}
429 
430 	if ((errno = ct_status_read(cfd, CTD_COMMON, &st)) != 0) {
431 		debug2("Error while getting latest contract ID: %s",
432 			strerror(errno));
433 		(void) close(cfd);
434 		return;
435 	}
436 
437 	latest = ct_status_get_id(st);
438 	ct_status_free(st);
439 	(void) close(cfd);
440 
441 	n = snprintf(path, PATH_MAX, CTFS_ROOT "/all/%ld/ctl", latest);
442 
443 	if (n >= PATH_MAX) {
444 		debug2("Error while opening the latest contract ctl file: %s",
445 			strerror(ENAMETOOLONG));
446 		return;
447 	}
448 
449 	if ((cfd = open64(path, O_WRONLY)) == -1) {
450 		debug2("Error while opening the latest contract ctl file: %s",
451 			strerror(errno));
452 		return;
453 	}
454 
455 	if ((errno = ct_ctl_abandon(cfd)))
456 		debug2("Error while abandoning latest contract: %s",
457 			strerror(errno));
458 	else
459 		debug3("Abandoned latest contract");
460 
461 	(void) close(cfd);
462 }
463 #endif /* HAVE_SOLARIS_CONTRACTS */
464 
465 /*
466  * Signal handler for the key regeneration alarm.  Note that this
467  * alarm only occurs in the daemon waiting for connections, and it does not
468  * do anything with the private key or random state before forking.
469  * Thus there should be no concurrency control/asynchronous execution
470  * problems.
471  */
472 static void
473 generate_ephemeral_server_key(void)
474 {
475 	u_int32_t rnd = 0;
476 	int i;
477 
478 	verbose("Generating %s%d bit RSA key.",
479 	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
480 	if (sensitive_data.server_key != NULL)
481 		key_free(sensitive_data.server_key);
482 	sensitive_data.server_key = key_generate(KEY_RSA1,
483 	    options.server_key_bits);
484 	verbose("RSA key generation complete.");
485 
486 	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
487 		if (i % 4 == 0)
488 			rnd = arc4random();
489 		sensitive_data.ssh1_cookie[i] = rnd & 0xff;
490 		rnd >>= 8;
491 	}
492 	arc4random_stir();
493 }
494 
495 static void
496 key_regeneration_alarm(int sig)
497 {
498 	int save_errno = errno;
499 
500 	(void) signal(SIGALRM, SIG_DFL);
501 	errno = save_errno;
502 	key_do_regen = 1;
503 }
504 
505 static void
506 sshd_exchange_identification(int sock_in, int sock_out)
507 {
508 	int i, mismatch;
509 	int remote_major, remote_minor;
510 	int major, minor;
511 	char *s;
512 	char buf[256];			/* Must not be larger than remote_version. */
513 	char remote_version[256];	/* Must be at least as big as buf. */
514 
515 	if ((options.protocol & SSH_PROTO_1) &&
516 	    (options.protocol & SSH_PROTO_2)) {
517 		major = PROTOCOL_MAJOR_1;
518 		minor = 99;
519 	} else if (options.protocol & SSH_PROTO_2) {
520 		major = PROTOCOL_MAJOR_2;
521 		minor = PROTOCOL_MINOR_2;
522 	} else {
523 		major = PROTOCOL_MAJOR_1;
524 		minor = PROTOCOL_MINOR_1;
525 	}
526 	(void) snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
527 	server_version_string = xstrdup(buf);
528 
529 	if (client_version_string == NULL) {
530 		/* Send our protocol version identification. */
531 		if (atomicio(write, sock_out, server_version_string,
532 		    strlen(server_version_string))
533 		    != strlen(server_version_string)) {
534 			log("Could not write ident string to %s", get_remote_ipaddr());
535 			fatal_cleanup();
536 		}
537 
538 		/* Read other sides version identification. */
539 		(void) memset(buf, 0, sizeof(buf));
540 		for (i = 0; i < sizeof(buf) - 1; i++) {
541 			if (atomicio(read, sock_in, &buf[i], 1) != 1) {
542 				log("Did not receive identification string from %s",
543 				    get_remote_ipaddr());
544 				fatal_cleanup();
545 			}
546 			if (buf[i] == '\r') {
547 				buf[i] = 0;
548 				/* Kludge for F-Secure Macintosh < 1.0.2 */
549 				if (i == 12 &&
550 				    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
551 					break;
552 				continue;
553 			}
554 			if (buf[i] == '\n') {
555 				buf[i] = 0;
556 				break;
557 			}
558 		}
559 		buf[sizeof(buf) - 1] = 0;
560 		client_version_string = xstrdup(buf);
561 	}
562 
563 	/*
564 	 * Check that the versions match.  In future this might accept
565 	 * several versions and set appropriate flags to handle them.
566 	 */
567 	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
568 	    &remote_major, &remote_minor, remote_version) != 3) {
569 		s = "Protocol mismatch.\n";
570 		(void) atomicio(write, sock_out, s, strlen(s));
571 		(void) close(sock_in);
572 		(void) close(sock_out);
573 		log("Bad protocol version identification '%.100s' from %s",
574 		    client_version_string, get_remote_ipaddr());
575 		fatal_cleanup();
576 	}
577 	debug("Client protocol version %d.%d; client software version %.100s",
578 	    remote_major, remote_minor, remote_version);
579 
580 	compat_datafellows(remote_version);
581 
582 	if (datafellows & SSH_BUG_PROBE) {
583 		log("probed from %s with %s.  Don't panic.",
584 		    get_remote_ipaddr(), client_version_string);
585 		fatal_cleanup();
586 	}
587 
588 	if (datafellows & SSH_BUG_SCANNER) {
589 		log("scanned from %s with %s.  Don't panic.",
590 		    get_remote_ipaddr(), client_version_string);
591 		fatal_cleanup();
592 	}
593 
594 	mismatch = 0;
595 	switch (remote_major) {
596 	case 1:
597 		if (remote_minor == 99) {
598 			if (options.protocol & SSH_PROTO_2)
599 				enable_compat20();
600 			else
601 				mismatch = 1;
602 			break;
603 		}
604 		if (!(options.protocol & SSH_PROTO_1)) {
605 			mismatch = 1;
606 			break;
607 		}
608 		if (remote_minor < 3) {
609 			packet_disconnect("Your ssh version is too old and "
610 			    "is no longer supported.  Please install a newer version.");
611 		} else if (remote_minor == 3) {
612 			/* note that this disables agent-forwarding */
613 			enable_compat13();
614 		}
615 		break;
616 	case 2:
617 		if (options.protocol & SSH_PROTO_2) {
618 			enable_compat20();
619 			break;
620 		}
621 		/* FALLTHROUGH */
622 	default:
623 		mismatch = 1;
624 		break;
625 	}
626 	chop(server_version_string);
627 	debug("Local version string %.200s", server_version_string);
628 
629 	if (mismatch) {
630 		s = "Protocol major versions differ.\n";
631 		(void) atomicio(write, sock_out, s, strlen(s));
632 		(void) close(sock_in);
633 		(void) close(sock_out);
634 		log("Protocol major versions differ for %s: %.200s vs. %.200s",
635 		    get_remote_ipaddr(),
636 		    server_version_string, client_version_string);
637 		fatal_cleanup();
638 	}
639 }
640 
641 /* Destroy the host and server keys.  They will no longer be needed. */
642 void
643 destroy_sensitive_data(void)
644 {
645 	int i;
646 
647 	if (sensitive_data.server_key) {
648 		key_free(sensitive_data.server_key);
649 		sensitive_data.server_key = NULL;
650 	}
651 	for (i = 0; i < options.num_host_key_files; i++) {
652 		if (sensitive_data.host_keys[i]) {
653 			key_free(sensitive_data.host_keys[i]);
654 			sensitive_data.host_keys[i] = NULL;
655 		}
656 	}
657 	sensitive_data.ssh1_host_key = NULL;
658 	(void) memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
659 }
660 
661 /* Demote private to public keys for network child */
662 static void
663 demote_sensitive_data(void)
664 {
665 	Key *tmp;
666 	int i;
667 
668 	if (sensitive_data.server_key) {
669 		tmp = key_demote(sensitive_data.server_key);
670 		key_free(sensitive_data.server_key);
671 		sensitive_data.server_key = tmp;
672 	}
673 
674 	for (i = 0; i < options.num_host_key_files; i++) {
675 		if (sensitive_data.host_keys[i]) {
676 			tmp = key_demote(sensitive_data.host_keys[i]);
677 			key_free(sensitive_data.host_keys[i]);
678 			sensitive_data.host_keys[i] = tmp;
679 			if (tmp->type == KEY_RSA1)
680 				sensitive_data.ssh1_host_key = tmp;
681 		}
682 	}
683 
684 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
685 }
686 
687 static char *
688 list_hostkey_types(void)
689 {
690 	Buffer b;
691 	char *p;
692 	int i;
693 
694 	buffer_init(&b);
695 	for (i = 0; i < options.num_host_key_files; i++) {
696 		Key *key = sensitive_data.host_keys[i];
697 		if (key == NULL)
698 			continue;
699 		switch (key->type) {
700 		case KEY_RSA:
701 		case KEY_DSA:
702 			if (buffer_len(&b) > 0)
703 				buffer_append(&b, ",", 1);
704 			p = key_ssh_name(key);
705 			buffer_append(&b, p, strlen(p));
706 			break;
707 		}
708 	}
709 	buffer_append(&b, "\0", 1);
710 	p = xstrdup(buffer_ptr(&b));
711 	buffer_free(&b);
712 	debug("list_hostkey_types: %s", p);
713 	return p;
714 }
715 
716 #ifdef lint
717 static
718 #endif /* lint */
719 Key *
720 get_hostkey_by_type(int type)
721 {
722 	int i;
723 
724 	for (i = 0; i < options.num_host_key_files; i++) {
725 		Key *key = sensitive_data.host_keys[i];
726 		if (key != NULL && key->type == type)
727 			return key;
728 	}
729 	return NULL;
730 }
731 
732 #ifdef lint
733 static
734 #endif /* lint */
735 Key *
736 get_hostkey_by_index(int ind)
737 {
738 	if (ind < 0 || ind >= options.num_host_key_files)
739 		return (NULL);
740 	return (sensitive_data.host_keys[ind]);
741 }
742 
743 #ifdef lint
744 static
745 #endif /* lint */
746 int
747 get_hostkey_index(Key *key)
748 {
749 	int i;
750 
751 	for (i = 0; i < options.num_host_key_files; i++) {
752 		if (key == sensitive_data.host_keys[i])
753 			return (i);
754 	}
755 	return (-1);
756 }
757 
758 /*
759  * returns 1 if connection should be dropped, 0 otherwise.
760  * dropping starts at connection #max_startups_begin with a probability
761  * of (max_startups_rate/100). the probability increases linearly until
762  * all connections are dropped for startups > max_startups
763  */
764 static int
765 drop_connection(int startups)
766 {
767 	double p, r;
768 
769 	if (startups < options.max_startups_begin)
770 		return 0;
771 	if (startups >= options.max_startups)
772 		return 1;
773 	if (options.max_startups_rate == 100)
774 		return 1;
775 
776 	p  = 100 - options.max_startups_rate;
777 	p *= startups - options.max_startups_begin;
778 	p /= (double) (options.max_startups - options.max_startups_begin);
779 	p += options.max_startups_rate;
780 	p /= 100.0;
781 	r = arc4random() / (double) UINT_MAX;
782 
783 	debug("drop_connection: p %g, r %g", p, r);
784 	return (r < p) ? 1 : 0;
785 }
786 
787 static void
788 usage(void)
789 {
790 	(void) fprintf(stderr, gettext("sshd version %s\n"), SSH_VERSION);
791 	(void) fprintf(stderr,
792 	    gettext("Usage: %s [options]\n"
793 		"Options:\n"
794 		"  -f file    Configuration file (default %s)\n"
795 		"  -d         Debugging mode (multiple -d means more "
796 		"debugging)\n"
797 		"  -i         Started from inetd\n"
798 		"  -D         Do not fork into daemon mode\n"
799 		"  -t         Only test configuration file and keys\n"
800 		"  -q         Quiet (no logging)\n"
801 		"  -p port    Listen on the specified port (default: 22)\n"
802 		"  -k seconds Regenerate server key every this many seconds "
803 		"(default: 3600)\n"
804 		"  -g seconds Grace period for authentication (default: 600)\n"
805 		"  -b bits    Size of server RSA key (default: 768 bits)\n"
806 		"  -h file    File from which to read host key (default: %s)\n"
807 		"  -4         Use IPv4 only\n"
808 		"  -6         Use IPv6 only\n"
809 		"  -o option  Process the option as if it was read from "
810 		"a configuration file.\n"),
811 	    __progname, _PATH_SERVER_CONFIG_FILE, _PATH_HOST_KEY_FILE);
812 	exit(1);
813 }
814 
815 /*
816  * Main program for the daemon.
817  */
818 int
819 main(int ac, char **av)
820 {
821 	extern char *optarg;
822 	extern int optind;
823 	int opt, j, i, fdsetsz, sock_in = 0, sock_out = 0, newsock = -1, on = 1;
824 	pid_t pid;
825 	socklen_t fromlen;
826 	fd_set *fdset;
827 	struct sockaddr_storage from;
828 	const char *remote_ip;
829 	int remote_port;
830 	FILE *f;
831 	struct addrinfo *ai;
832 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
833 	int listen_sock, maxfd;
834 	int startup_p[2];
835 	int startups = 0;
836 	Authctxt *authctxt = NULL;
837 	Key *key;
838 	int ret, key_used = 0;
839 #ifdef HAVE_BSM
840 	au_id_t	    auid = AU_NOAUDITID;
841 #endif /* HAVE_BSM */
842 	int mpipe;
843 
844 	__progname = get_progname(av[0]);
845 
846 	(void) g11n_setlocale(LC_ALL, "");
847 
848 	init_rng();
849 
850 	/* Save argv. */
851 	saved_argc = ac;
852 	saved_argv = av;
853 
854 	/* Initialize configuration options to their default values. */
855 	initialize_server_options(&options);
856 
857 	/* Parse command-line arguments. */
858 	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:o:dDeiqtQ46")) != -1) {
859 		switch (opt) {
860 		case '4':
861 			IPv4or6 = AF_INET;
862 			break;
863 		case '6':
864 			IPv4or6 = AF_INET6;
865 			break;
866 		case 'f':
867 			config_file_name = optarg;
868 			break;
869 		case 'd':
870 			if (0 == debug_flag) {
871 				debug_flag = 1;
872 				options.log_level = SYSLOG_LEVEL_DEBUG1;
873 			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
874 				options.log_level++;
875 			} else {
876 				(void) fprintf(stderr,
877 					gettext("Debug level too high.\n"));
878 				exit(1);
879 			}
880 			break;
881 		case 'D':
882 			no_daemon_flag = 1;
883 			break;
884 		case 'e':
885 			log_stderr = 1;
886 			break;
887 		case 'i':
888 			inetd_flag = 1;
889 			break;
890 		case 'Q':
891 			/* ignored */
892 			break;
893 		case 'q':
894 			options.log_level = SYSLOG_LEVEL_QUIET;
895 			break;
896 		case 'b':
897 			options.server_key_bits = atoi(optarg);
898 			break;
899 		case 'p':
900 			options.ports_from_cmdline = 1;
901 			if (options.num_ports >= MAX_PORTS) {
902 				(void) fprintf(stderr, gettext("too many ports.\n"));
903 				exit(1);
904 			}
905 			options.ports[options.num_ports++] = a2port(optarg);
906 			if (options.ports[options.num_ports-1] == 0) {
907 				(void) fprintf(stderr, gettext("Bad port number.\n"));
908 				exit(1);
909 			}
910 			break;
911 		case 'g':
912 			if ((options.login_grace_time = convtime(optarg)) == -1) {
913 				(void) fprintf(stderr,
914 					gettext("Invalid login grace time.\n"));
915 				exit(1);
916 			}
917 			break;
918 		case 'k':
919 			if ((options.key_regeneration_time = convtime(optarg)) == -1) {
920 				(void) fprintf(stderr,
921 					gettext("Invalid key regeneration "
922 						"interval.\n"));
923 				exit(1);
924 			}
925 			break;
926 		case 'h':
927 			if (options.num_host_key_files >= MAX_HOSTKEYS) {
928 				(void) fprintf(stderr,
929 					gettext("too many host keys.\n"));
930 				exit(1);
931 			}
932 			options.host_key_files[options.num_host_key_files++] = optarg;
933 			break;
934 		case 'V':
935 			client_version_string = optarg;
936 			/* only makes sense with inetd_flag, i.e. no listen() */
937 			inetd_flag = 1;
938 			break;
939 		case 't':
940 			test_flag = 1;
941 			break;
942 		case 'o':
943 			if (process_server_config_line(&options, optarg,
944 			    "command-line", 0, NULL, NULL, NULL, NULL) != 0)
945 				exit(1);
946 			break;
947 		case '?':
948 		default:
949 			usage();
950 			break;
951 		}
952 	}
953 
954 	/*
955 	 * There is no need to use the PKCS#11 engine in the master SSH process.
956 	 */
957 	SSLeay_add_all_algorithms();
958 	seed_rng();
959 	channel_set_af(IPv4or6);
960 
961 	/*
962 	 * Force logging to stderr until we have loaded the private host
963 	 * key (unless started from inetd)
964 	 */
965 	log_init(__progname,
966 	    options.log_level == SYSLOG_LEVEL_NOT_SET ?
967 	    SYSLOG_LEVEL_INFO : options.log_level,
968 	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
969 	    SYSLOG_FACILITY_AUTH : options.log_facility,
970 	    !inetd_flag);
971 
972 #ifdef _UNICOS
973 	/* Cray can define user privs drop all prives now!
974 	 * Not needed on PRIV_SU systems!
975 	 */
976 	drop_cray_privs();
977 #endif
978 
979 	/* Fetch our configuration */
980 	buffer_init(&cfg);
981 	load_server_config(config_file_name, &cfg);
982 	parse_server_config(&options, config_file_name, &cfg, NULL, NULL, NULL);
983 
984 	/*
985 	 * ChallengeResponseAuthentication is deprecated for protocol 2 which is
986 	 * the default setting on Solaris. Warn the user about it. Note that
987 	 * ChallengeResponseAuthentication is on by default but the option is
988 	 * not set until fill_default_server_options() is called. If the option
989 	 * is already set now, the user must have set it manually.
990 	 */
991 	if ((options.protocol & SSH_PROTO_2) &&
992 	    !(options.protocol & SSH_PROTO_1) &&
993 	    options.challenge_response_authentication != -1) {
994 		log("ChallengeResponseAuthentication has been "
995 		"deprecated for the SSH Protocol 2. You should use "
996 		"KbdInteractiveAuthentication instead (which defaults to "
997 		"\"yes\").");
998 	}
999 
1000 	/*
1001 	 * While PAMAuthenticationViaKbdInt was not documented, it was
1002 	 * previously set in our default sshd_config and also the only way to
1003 	 * switch off the keyboard-interactive authentication. To maintain
1004 	 * backward compatibility, if PAMAuthenticationViaKbdInt is manually set
1005 	 * to "no" and KbdInteractiveAuthentication is not set, switch off the
1006 	 * keyboard-interactive authentication method as before. As with the
1007 	 * challenge response auth situation dealt above, we have not called
1008 	 * fill_default_server_options() yet so if KbdInteractiveAuthentication
1009 	 * is already set to 1 here the admin must have set it manually and we
1010 	 * will honour it.
1011 	 */
1012 	if (options.kbd_interactive_authentication != 1 &&
1013 	    options.pam_authentication_via_kbd_int == 0) {
1014 		options.kbd_interactive_authentication = 0;
1015 	}
1016 
1017 	/* Fill in default values for those options not explicitly set. */
1018 	fill_default_server_options(&options);
1019 
1020 	utmp_len = options.lookup_client_hostnames ? utmp_len : 0;
1021 
1022 	/* Check that there are no remaining arguments. */
1023 	if (optind < ac) {
1024 		(void) fprintf(stderr, gettext("Extra argument %s.\n"), av[optind]);
1025 		exit(1);
1026 	}
1027 
1028 	debug("sshd version %.100s", SSH_VERSION);
1029 
1030 	/* load private host keys */
1031 	if (options.num_host_key_files > 0)
1032 		sensitive_data.host_keys =
1033 		    xmalloc(options.num_host_key_files * sizeof(Key *));
1034 	for (i = 0; i < options.num_host_key_files; i++)
1035 		sensitive_data.host_keys[i] = NULL;
1036 	sensitive_data.server_key = NULL;
1037 	sensitive_data.ssh1_host_key = NULL;
1038 	sensitive_data.have_ssh1_key = 0;
1039 	sensitive_data.have_ssh2_key = 0;
1040 
1041 	for (i = 0; i < options.num_host_key_files; i++) {
1042 		key = key_load_private(options.host_key_files[i], "", NULL);
1043 		sensitive_data.host_keys[i] = key;
1044 		if (key == NULL) {
1045 			error("Could not load host key: %s",
1046 			    options.host_key_files[i]);
1047 			sensitive_data.host_keys[i] = NULL;
1048 			continue;
1049 		}
1050 		switch (key->type) {
1051 		case KEY_RSA1:
1052 			sensitive_data.ssh1_host_key = key;
1053 			sensitive_data.have_ssh1_key = 1;
1054 			break;
1055 		case KEY_RSA:
1056 		case KEY_DSA:
1057 			sensitive_data.have_ssh2_key = 1;
1058 			break;
1059 		}
1060 		debug("private host key: #%d type %d %s", i, key->type,
1061 		    key_type(key));
1062 	}
1063 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1064 		log("Disabling protocol version 1. Could not load host key");
1065 		options.protocol &= ~SSH_PROTO_1;
1066 	}
1067 	if ((options.protocol & SSH_PROTO_2) &&
1068 	    !sensitive_data.have_ssh2_key) {
1069 #ifdef GSSAPI
1070 		if (options.gss_keyex)
1071 			ssh_gssapi_server_mechs(&mechs);
1072 
1073 		if (mechs == GSS_C_NULL_OID_SET) {
1074 			log("Disabling protocol version 2. Could not load host"
1075 			    "key or GSS-API mechanisms");
1076 			options.protocol &= ~SSH_PROTO_2;
1077 		}
1078 #else
1079 		log("Disabling protocol version 2. Could not load host key");
1080 		options.protocol &= ~SSH_PROTO_2;
1081 #endif /* GSSAPI */
1082 	}
1083 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
1084 		log("sshd: no hostkeys available -- exiting.");
1085 		exit(1);
1086 	}
1087 
1088 	/* Check certain values for sanity. */
1089 	if (options.protocol & SSH_PROTO_1) {
1090 		if (options.server_key_bits < 512 ||
1091 		    options.server_key_bits > 32768) {
1092 			(void) fprintf(stderr, gettext("Bad server key size.\n"));
1093 			exit(1);
1094 		}
1095 		/*
1096 		 * Check that server and host key lengths differ sufficiently. This
1097 		 * is necessary to make double encryption work with rsaref. Oh, I
1098 		 * hate software patents. I dont know if this can go? Niels
1099 		 */
1100 		if (options.server_key_bits >
1101 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
1102 		    SSH_KEY_BITS_RESERVED && options.server_key_bits <
1103 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1104 		    SSH_KEY_BITS_RESERVED) {
1105 			options.server_key_bits =
1106 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1107 			    SSH_KEY_BITS_RESERVED;
1108 			debug("Forcing server key to %d bits to make it differ from host key.",
1109 			    options.server_key_bits);
1110 		}
1111 	}
1112 
1113 	/* Configuration looks good, so exit if in test mode. */
1114 	if (test_flag)
1115 		exit(0);
1116 
1117 	/*
1118 	 * Clear out any supplemental groups we may have inherited.  This
1119 	 * prevents inadvertent creation of files with bad modes (in the
1120 	 * portable version at least, it's certainly possible for PAM
1121 	 * to create a file, and we can't control the code in every
1122 	 * module which might be used).
1123 	 */
1124 	if (setgroups(0, NULL) < 0)
1125 		debug("setgroups() failed: %.200s", strerror(errno));
1126 
1127 	/* Initialize the log (it is reinitialized below in case we forked). */
1128 	if (debug_flag && !inetd_flag)
1129 		log_stderr = 1;
1130 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1131 
1132 	/*
1133 	 * Solaris 9 and systems upgraded from it may have the Ciphers option
1134 	 * explicitly set to "aes128-cbc,blowfish-cbc,3des-cbc" in the
1135 	 * sshd_config. Since the default server cipher list completely changed
1136 	 * since then we rather notify the administator on startup. We do this
1137 	 * check after log_init() so that the message goes to syslogd and not to
1138 	 * stderr (unless the server is in the debug mode). Note that since
1139 	 * Solaris 10 we no longer ship sshd_config with explicit settings for
1140 	 * Ciphers or MACs. Do not try to augment the cipher list here since
1141 	 * that might end up in a very confusing situation.
1142 	 */
1143 #define	OLD_DEFAULT_CIPHERS_LIST "aes128-cbc,blowfish-cbc,3des-cbc"
1144 	if (options.ciphers != NULL &&
1145 	    strcmp(options.ciphers, OLD_DEFAULT_CIPHERS_LIST) == 0) {
1146 		notice("Old default value \"%s\" for the \"Ciphers\" "
1147 		    "option found in use. In general it is prudent to let "
1148 		    "the server choose the defaults unless your environment "
1149 		    "specifically needs an explicit setting. See "
1150 		    "sshd_config(4) for more information.",
1151 		    OLD_DEFAULT_CIPHERS_LIST);
1152 	}
1153 
1154 #ifdef HAVE_BSM
1155 	(void) setauid(&auid);
1156 #endif /* HAVE_BSM */
1157 
1158 	/*
1159 	 * If not in debugging mode, and not started from inetd, disconnect
1160 	 * from the controlling terminal, and fork.  The original process
1161 	 * exits.
1162 	 */
1163 	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
1164 #ifdef TIOCNOTTY
1165 		int fd;
1166 #endif /* TIOCNOTTY */
1167 		if (daemon(0, 0) < 0)
1168 			fatal("daemon() failed: %.200s", strerror(errno));
1169 
1170 		/* Disconnect from the controlling tty. */
1171 #ifdef TIOCNOTTY
1172 		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
1173 		if (fd >= 0) {
1174 			(void) ioctl(fd, TIOCNOTTY, NULL);
1175 			(void) close(fd);
1176 		}
1177 #endif /* TIOCNOTTY */
1178 	}
1179 	/* Reinitialize the log (because of the fork above). */
1180 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1181 
1182 	/* Initialize the random number generator. */
1183 	arc4random_stir();
1184 
1185 	/* Chdir to the root directory so that the current disk can be
1186 	   unmounted if desired. */
1187 	(void) chdir("/");
1188 
1189 	/* ignore SIGPIPE */
1190 	(void) signal(SIGPIPE, SIG_IGN);
1191 
1192 	/* Start listening for a socket, unless started from inetd. */
1193 	if (inetd_flag) {
1194 		int s1;
1195 		s1 = dup(0);	/* Make sure descriptors 0, 1, and 2 are in use. */
1196 		(void) dup(s1);
1197 		sock_in = dup(0);
1198 		sock_out = dup(1);
1199 		startup_pipe = -1;
1200 		/* we need this later for setting audit context */
1201 		newsock = sock_in;
1202 		/*
1203 		 * We intentionally do not close the descriptors 0, 1, and 2
1204 		 * as our code for setting the descriptors won\'t work if
1205 		 * ttyfd happens to be one of those.
1206 		 */
1207 		debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
1208 		if (options.protocol & SSH_PROTO_1)
1209 			generate_ephemeral_server_key();
1210 	} else {
1211 		for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
1212 			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1213 				continue;
1214 			if (num_listen_socks >= MAX_LISTEN_SOCKS)
1215 				fatal("Too many listen sockets. "
1216 				    "Enlarge MAX_LISTEN_SOCKS");
1217 			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
1218 			    ntop, sizeof(ntop), strport, sizeof(strport),
1219 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1220 				error("getnameinfo failed");
1221 				continue;
1222 			}
1223 			/* Create socket for listening. */
1224 			listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
1225 			if (listen_sock < 0) {
1226 				/* kernel may not support ipv6 */
1227 				verbose("socket: %.100s", strerror(errno));
1228 				continue;
1229 			}
1230 			if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
1231 				error("listen_sock O_NONBLOCK: %s", strerror(errno));
1232 				(void) close(listen_sock);
1233 				continue;
1234 			}
1235 			/*
1236 			 * Set socket options.
1237 			 * Allow local port reuse in TIME_WAIT.
1238 			 */
1239 			if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
1240 			    &on, sizeof(on)) == -1)
1241 				error("setsockopt SO_REUSEADDR: %s", strerror(errno));
1242 
1243 			debug("Bind to port %s on %s.", strport, ntop);
1244 
1245 			/* Bind the socket to the desired port. */
1246 			if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1247 				if (!ai->ai_next)
1248 				    error("Bind to port %s on %s failed: %.200s.",
1249 					    strport, ntop, strerror(errno));
1250 				(void) close(listen_sock);
1251 				continue;
1252 			}
1253 			listen_socks[num_listen_socks] = listen_sock;
1254 			num_listen_socks++;
1255 
1256 			/* Start listening on the port. */
1257 			log("Server listening on %s port %s.", ntop, strport);
1258 			if (listen(listen_sock, 5) < 0)
1259 				fatal("listen: %.100s", strerror(errno));
1260 
1261 		}
1262 		freeaddrinfo(options.listen_addrs);
1263 
1264 		if (!num_listen_socks)
1265 			fatal("Cannot bind any address.");
1266 
1267 		if (options.protocol & SSH_PROTO_1)
1268 			generate_ephemeral_server_key();
1269 
1270 		/*
1271 		 * Arrange to restart on SIGHUP.  The handler needs
1272 		 * listen_sock.
1273 		 */
1274 		(void) signal(SIGHUP, sighup_handler);
1275 
1276 		(void) signal(SIGTERM, sigterm_handler);
1277 		(void) signal(SIGQUIT, sigterm_handler);
1278 
1279 		/* Arrange SIGCHLD to be caught. */
1280 		(void) signal(SIGCHLD, main_sigchld_handler);
1281 
1282 		/* Write out the pid file after the sigterm handler is setup */
1283 		if (!debug_flag) {
1284 			/*
1285 			 * Record our pid in /var/run/sshd.pid to make it
1286 			 * easier to kill the correct sshd.  We don't want to
1287 			 * do this before the bind above because the bind will
1288 			 * fail if there already is a daemon, and this will
1289 			 * overwrite any old pid in the file.
1290 			 */
1291 			f = fopen(options.pid_file, "wb");
1292 			if (f) {
1293 				(void) fprintf(f, "%ld\n", (long) getpid());
1294 				(void) fclose(f);
1295 			}
1296 		}
1297 
1298 		/* setup fd set for listen */
1299 		fdset = NULL;
1300 		maxfd = 0;
1301 		for (i = 0; i < num_listen_socks; i++)
1302 			if (listen_socks[i] > maxfd)
1303 				maxfd = listen_socks[i];
1304 		/* pipes connected to unauthenticated childs */
1305 		startup_pipes = xmalloc(options.max_startups * sizeof(int));
1306 		for (i = 0; i < options.max_startups; i++)
1307 			startup_pipes[i] = -1;
1308 
1309 		/*
1310 		 * Stay listening for connections until the system crashes or
1311 		 * the daemon is killed with a signal.
1312 		 */
1313 		for (;;) {
1314 			if (received_sighup)
1315 				sighup_restart();
1316 			if (fdset != NULL)
1317 				xfree(fdset);
1318 			fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
1319 			fdset = (fd_set *)xmalloc(fdsetsz);
1320 			(void) memset(fdset, 0, fdsetsz);
1321 
1322 			for (i = 0; i < num_listen_socks; i++)
1323 				FD_SET(listen_socks[i], fdset);
1324 			for (i = 0; i < options.max_startups; i++)
1325 				if (startup_pipes[i] != -1)
1326 					FD_SET(startup_pipes[i], fdset);
1327 
1328 			/* Wait in select until there is a connection. */
1329 			ret = select(maxfd+1, fdset, NULL, NULL, NULL);
1330 			if (ret < 0 && errno != EINTR)
1331 				error("select: %.100s", strerror(errno));
1332 			if (received_sigterm) {
1333 				log("Received signal %d; terminating.",
1334 				    (int) received_sigterm);
1335 				close_listen_socks();
1336 				(void) unlink(options.pid_file);
1337 				exit(255);
1338 			}
1339 			if (key_used && key_do_regen) {
1340 				generate_ephemeral_server_key();
1341 				key_used = 0;
1342 				key_do_regen = 0;
1343 			}
1344 			if (ret < 0)
1345 				continue;
1346 
1347 			for (i = 0; i < options.max_startups; i++)
1348 				if (startup_pipes[i] != -1 &&
1349 				    FD_ISSET(startup_pipes[i], fdset)) {
1350 					/*
1351 					 * the read end of the pipe is ready
1352 					 * if the child has closed the pipe
1353 					 * after successful authentication
1354 					 * or if the child has died
1355 					 */
1356 					(void) close(startup_pipes[i]);
1357 					startup_pipes[i] = -1;
1358 					startups--;
1359 				}
1360 			for (i = 0; i < num_listen_socks; i++) {
1361 				if (!FD_ISSET(listen_socks[i], fdset))
1362 					continue;
1363 				fromlen = sizeof(from);
1364 				newsock = accept(listen_socks[i], (struct sockaddr *)&from,
1365 				    &fromlen);
1366 				if (newsock < 0) {
1367 					if (errno != EINTR && errno != EWOULDBLOCK)
1368 						error("accept: %.100s", strerror(errno));
1369 					continue;
1370 				}
1371 				if (fcntl(newsock, F_SETFL, 0) < 0) {
1372 					error("newsock del O_NONBLOCK: %s", strerror(errno));
1373 					(void) close(newsock);
1374 					continue;
1375 				}
1376 				if (drop_connection(startups) == 1) {
1377 					debug("drop connection #%d", startups);
1378 					(void) close(newsock);
1379 					continue;
1380 				}
1381 				if (pipe(startup_p) == -1) {
1382 					(void) close(newsock);
1383 					continue;
1384 				}
1385 
1386 				for (j = 0; j < options.max_startups; j++)
1387 					if (startup_pipes[j] == -1) {
1388 						startup_pipes[j] = startup_p[0];
1389 						if (maxfd < startup_p[0])
1390 							maxfd = startup_p[0];
1391 						startups++;
1392 						break;
1393 					}
1394 
1395 				/*
1396 				 * Got connection.  Fork a child to handle it, unless
1397 				 * we are in debugging mode.
1398 				 */
1399 				if (debug_flag) {
1400 					/*
1401 					 * In debugging mode.  Close the listening
1402 					 * socket, and start processing the
1403 					 * connection without forking.
1404 					 */
1405 					debug("Server will not fork when running in debugging mode.");
1406 					close_listen_socks();
1407 					sock_in = newsock;
1408 					sock_out = newsock;
1409 					startup_pipe = -1;
1410 					pid = getpid();
1411 					break;
1412 				} else {
1413 					/*
1414 					 * Normal production daemon.  Fork, and have
1415 					 * the child process the connection. The
1416 					 * parent continues listening.
1417 					 */
1418 #ifdef HAVE_SOLARIS_CONTRACTS
1419 					/*
1420 					 * Setup Solaris contract template so
1421 					 * the child process is in a different
1422 					 * process contract than the parent;
1423 					 * prevents established connections from
1424 					 * being killed when the sshd master
1425 					 * listener service is stopped.
1426 					 */
1427 					contracts_pre_fork();
1428 #endif /* HAVE_SOLARIS_CONTRACTS */
1429 					if ((pid = fork()) == 0) {
1430 						/*
1431 						 * Child.  Close the listening and max_startup
1432 						 * sockets.  Start using the accepted socket.
1433 						 * Reinitialize logging (since our pid has
1434 						 * changed).  We break out of the loop to handle
1435 						 * the connection.
1436 						 */
1437 #ifdef HAVE_SOLARIS_CONTRACTS
1438 						contracts_post_fork_child();
1439 #endif /* HAVE_SOLARIS_CONTRACTS */
1440 						xfree(fdset);
1441 						startup_pipe = startup_p[1];
1442 						close_startup_pipes();
1443 						close_listen_socks();
1444 						sock_in = newsock;
1445 						sock_out = newsock;
1446 						log_init(__progname, options.log_level, options.log_facility, log_stderr);
1447 						break;
1448 					}
1449 
1450 					/* Parent.  Stay in the loop. */
1451 					if (pid < 0)
1452 						error("fork: %.100s", strerror(errno));
1453 					else
1454 						debug("Forked child %ld.", (long)pid);
1455 
1456 #ifdef HAVE_SOLARIS_CONTRACTS
1457 					contracts_post_fork_parent((pid > 0));
1458 #endif /* HAVE_SOLARIS_CONTRACTS */
1459 				}
1460 
1461 				(void) close(startup_p[1]);
1462 
1463 				/* Mark that the key has been used (it was "given" to the child). */
1464 				if ((options.protocol & SSH_PROTO_1) &&
1465 				    key_used == 0) {
1466 					/* Schedule server key regeneration alarm. */
1467 					(void) signal(SIGALRM, key_regeneration_alarm);
1468 					(void) alarm(options.key_regeneration_time);
1469 					key_used = 1;
1470 				}
1471 
1472 				arc4random_stir();
1473 
1474 				/*
1475 				 * Close the accepted socket since the child
1476 				 * will now take care of the new connection.
1477 				 */
1478 				(void) close(newsock);
1479 			}
1480 			/* child process check (or debug mode) */
1481 			if (num_listen_socks < 0)
1482 				break;
1483 		}
1484 	}
1485 
1486 	/*
1487 	 * This is the child processing a new connection, the SSH master process
1488 	 * stays in the ( ; ; ) loop above.
1489 	 */
1490 #ifdef HAVE_BSM
1491 	audit_sshd_settid(newsock);
1492 #endif
1493 	/*
1494 	 * Create a new session and process group since the 4.4BSD
1495 	 * setlogin() affects the entire process group.  We don't
1496 	 * want the child to be able to affect the parent.
1497 	 */
1498 #if 0
1499 	/* XXX: this breaks Solaris */
1500 	if (!debug_flag && !inetd_flag && setsid() < 0)
1501 		error("setsid: %.100s", strerror(errno));
1502 #endif
1503 
1504 	/*
1505 	 * Disable the key regeneration alarm.  We will not regenerate the
1506 	 * key since we are no longer in a position to give it to anyone. We
1507 	 * will not restart on SIGHUP since it no longer makes sense.
1508 	 */
1509 	(void) alarm(0);
1510 	(void) signal(SIGALRM, SIG_DFL);
1511 	(void) signal(SIGHUP, SIG_DFL);
1512 	(void) signal(SIGTERM, SIG_DFL);
1513 	(void) signal(SIGQUIT, SIG_DFL);
1514 	(void) signal(SIGCHLD, SIG_DFL);
1515 	(void) signal(SIGINT, SIG_DFL);
1516 
1517 	/* Set keepalives if requested. */
1518 	if (options.keepalives &&
1519 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
1520 	    sizeof(on)) < 0)
1521 		debug2("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
1522 
1523 	/*
1524 	 * Register our connection.  This turns encryption off because we do
1525 	 * not have a key.
1526 	 */
1527 	packet_set_connection(sock_in, sock_out);
1528 
1529 	remote_port = get_remote_port();
1530 	remote_ip = get_remote_ipaddr();
1531 
1532 #ifdef LIBWRAP
1533 	/* Check whether logins are denied from this host. */
1534 	{
1535 		struct request_info req;
1536 
1537 		(void) request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
1538 		fromhost(&req);
1539 
1540 		if (!hosts_access(&req)) {
1541 			debug("Connection refused by tcp wrapper");
1542 			refuse(&req);
1543 			/* NOTREACHED */
1544 			fatal("libwrap refuse returns");
1545 		}
1546 	}
1547 #endif /* LIBWRAP */
1548 
1549 	/* Log the connection. */
1550 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
1551 
1552 	sshd_exchange_identification(sock_in, sock_out);
1553 	/*
1554 	 * Check that the connection comes from a privileged port.
1555 	 * Rhosts-Authentication only makes sense from privileged
1556 	 * programs.  Of course, if the intruder has root access on his local
1557 	 * machine, he can connect from any port.  So do not use these
1558 	 * authentication methods from machines that you do not trust.
1559 	 */
1560 	if (options.rhosts_authentication &&
1561 	    (remote_port >= IPPORT_RESERVED ||
1562 	    remote_port < IPPORT_RESERVED / 2)) {
1563 		debug("Rhosts Authentication disabled, "
1564 		    "originating port %d not trusted.", remote_port);
1565 		options.rhosts_authentication = 0;
1566 	}
1567 #if defined(KRB4) && !defined(KRB5)
1568 	if (!packet_connection_is_ipv4() &&
1569 	    options.kerberos_authentication) {
1570 		debug("Kerberos Authentication disabled, only available for IPv4.");
1571 		options.kerberos_authentication = 0;
1572 	}
1573 #endif /* KRB4 && !KRB5 */
1574 #ifdef AFS
1575 	/* If machine has AFS, set process authentication group. */
1576 	if (k_hasafs()) {
1577 		k_setpag();
1578 		k_unlog();
1579 	}
1580 #endif /* AFS */
1581 
1582 	packet_set_nonblocking();
1583 
1584 	/*
1585 	 * Start the monitor. That way both processes will have their own
1586 	 * PKCS#11 sessions. See the PKCS#11 standard for more information on
1587 	 * fork safety and packet.c for information about forking with the
1588 	 * engine.
1589 	 *
1590 	 * Note that the monitor stays in the function while the child is the
1591 	 * only one that returns.
1592 	 */
1593 	altprivsep_start_and_do_monitor(options.use_openssl_engine,
1594 	    inetd_flag, newsock, startup_pipe);
1595 
1596 	/*
1597 	 * We don't want to listen forever unless the other side successfully
1598 	 * authenticates itself. So we set up an alarm which is cleared after
1599 	 * successful authentication. A limit of zero indicates no limit. Note
1600 	 * that we don't set the alarm in debugging mode; it is just annoying to
1601 	 * have the server exit just when you are about to discover the bug.
1602 	 */
1603 	(void) signal(SIGALRM, grace_alarm_handler);
1604 	if (!debug_flag)
1605 		(void) alarm(options.login_grace_time);
1606 
1607 	/*
1608 	 * The child is about to start the first key exchange while the monitor
1609 	 * stays in altprivsep_start_and_do_monitor() function.
1610 	 */
1611 	(void) pkcs11_engine_load(options.use_openssl_engine);
1612 
1613 	/* perform the key exchange */
1614 	/* authenticate user and start session */
1615 	if (compat20) {
1616 		do_ssh2_kex();
1617 		authctxt = do_authentication2();
1618 	} else {
1619 		do_ssh1_kex();
1620 		authctxt = do_authentication();
1621 	}
1622 
1623 	/* Authentication complete */
1624 	(void) alarm(0);
1625 	/* we no longer need an alarm handler */
1626 	(void) signal(SIGALRM, SIG_DFL);
1627 
1628 	if (startup_pipe != -1) {
1629 		(void) close(startup_pipe);
1630 		startup_pipe = -1;
1631 	}
1632 
1633 	/* ALTPRIVSEP Child */
1634 
1635 	/*
1636 	 * Drop privileges, access to privileged resources.
1637 	 *
1638 	 * Destroy private host keys, if any.
1639 	 *
1640 	 * No need to release any GSS credentials -- sshd only acquires
1641 	 * creds to determine what mechs it can negotiate then releases
1642 	 * them right away and uses GSS_C_NO_CREDENTIAL to accept
1643 	 * contexts.
1644 	 */
1645 	debug2("Unprivileged server process dropping privileges");
1646 	permanently_set_uid(authctxt->pw, options.chroot_directory);
1647 	destroy_sensitive_data();
1648 
1649 	/* Just another safety check. */
1650 	if (getuid() != authctxt->pw->pw_uid ||
1651 	    geteuid() != authctxt->pw->pw_uid) {
1652 		fatal("Failed to set uids to %u.", (u_int)authctxt->pw->pw_uid);
1653 	}
1654 
1655 	ssh_gssapi_server_mechs(NULL); /* release cached mechs list */
1656 	packet_set_server();
1657 
1658 	/* now send the authentication context to the monitor */
1659 	altprivsep_send_auth_context(authctxt);
1660 
1661 	mpipe = altprivsep_get_pipe_fd();
1662 	if (fcntl(mpipe, F_SETFL, O_NONBLOCK) < 0)
1663 		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
1664 
1665 #ifdef HAVE_BSM
1666 	fatal_remove_cleanup(
1667 		(void (*)(void *))audit_failed_login_cleanup,
1668 		(void *)authctxt);
1669 #endif /* HAVE_BSM */
1670 
1671 	if (compat20) {
1672 		debug3("setting handler to forward re-key packets to the monitor");
1673 		dispatch_range(SSH2_MSG_KEXINIT, SSH2_MSG_TRANSPORT_MAX,
1674 			&altprivsep_rekey);
1675 	}
1676 
1677 	/* Logged-in session. */
1678 	do_authenticated(authctxt);
1679 
1680 	/* The connection has been terminated. */
1681 	verbose("Closing connection to %.100s", remote_ip);
1682 
1683 	packet_close();
1684 
1685 #ifdef USE_PAM
1686 	finish_pam(authctxt);
1687 #endif /* USE_PAM */
1688 
1689 	return (0);
1690 }
1691 
1692 /*
1693  * Decrypt session_key_int using our private server key and private host key
1694  * (key with larger modulus first).
1695  */
1696 int
1697 ssh1_session_key(BIGNUM *session_key_int)
1698 {
1699 	int rsafail = 0;
1700 
1701 	if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {
1702 		/* Server key has bigger modulus. */
1703 		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
1704 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1705 			fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
1706 			    get_remote_ipaddr(),
1707 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1708 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1709 			    SSH_KEY_BITS_RESERVED);
1710 		}
1711 		if (rsa_private_decrypt(session_key_int, session_key_int,
1712 		    sensitive_data.server_key->rsa) <= 0)
1713 			rsafail++;
1714 		if (rsa_private_decrypt(session_key_int, session_key_int,
1715 		    sensitive_data.ssh1_host_key->rsa) <= 0)
1716 			rsafail++;
1717 	} else {
1718 		/* Host key has bigger modulus (or they are equal). */
1719 		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
1720 		    BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1721 			fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
1722 			    get_remote_ipaddr(),
1723 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1724 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1725 			    SSH_KEY_BITS_RESERVED);
1726 		}
1727 		if (rsa_private_decrypt(session_key_int, session_key_int,
1728 		    sensitive_data.ssh1_host_key->rsa) < 0)
1729 			rsafail++;
1730 		if (rsa_private_decrypt(session_key_int, session_key_int,
1731 		    sensitive_data.server_key->rsa) < 0)
1732 			rsafail++;
1733 	}
1734 	return (rsafail);
1735 }
1736 /*
1737  * SSH1 key exchange
1738  */
1739 static void
1740 do_ssh1_kex(void)
1741 {
1742 	int i, len;
1743 	int rsafail = 0;
1744 	BIGNUM *session_key_int;
1745 	u_char session_key[SSH_SESSION_KEY_LENGTH];
1746 	u_char cookie[8];
1747 	u_int cipher_type, auth_mask, protocol_flags;
1748 	u_int32_t rnd = 0;
1749 
1750 	/*
1751 	 * Generate check bytes that the client must send back in the user
1752 	 * packet in order for it to be accepted; this is used to defy ip
1753 	 * spoofing attacks.  Note that this only works against somebody
1754 	 * doing IP spoofing from a remote machine; any machine on the local
1755 	 * network can still see outgoing packets and catch the random
1756 	 * cookie.  This only affects rhosts authentication, and this is one
1757 	 * of the reasons why it is inherently insecure.
1758 	 */
1759 	for (i = 0; i < 8; i++) {
1760 		if (i % 4 == 0)
1761 			rnd = arc4random();
1762 		cookie[i] = rnd & 0xff;
1763 		rnd >>= 8;
1764 	}
1765 
1766 	/*
1767 	 * Send our public key.  We include in the packet 64 bits of random
1768 	 * data that must be matched in the reply in order to prevent IP
1769 	 * spoofing.
1770 	 */
1771 	packet_start(SSH_SMSG_PUBLIC_KEY);
1772 	for (i = 0; i < 8; i++)
1773 		packet_put_char(cookie[i]);
1774 
1775 	/* Store our public server RSA key. */
1776 	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
1777 	packet_put_bignum(sensitive_data.server_key->rsa->e);
1778 	packet_put_bignum(sensitive_data.server_key->rsa->n);
1779 
1780 	/* Store our public host RSA key. */
1781 	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1782 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
1783 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
1784 
1785 	/* Put protocol flags. */
1786 	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
1787 
1788 	/* Declare which ciphers we support. */
1789 	packet_put_int(cipher_mask_ssh1(0));
1790 
1791 	/* Declare supported authentication types. */
1792 	auth_mask = 0;
1793 	if (options.rhosts_authentication)
1794 		auth_mask |= 1 << SSH_AUTH_RHOSTS;
1795 	if (options.rhosts_rsa_authentication)
1796 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
1797 	if (options.rsa_authentication)
1798 		auth_mask |= 1 << SSH_AUTH_RSA;
1799 #if defined(KRB4) || defined(KRB5)
1800 	if (options.kerberos_authentication)
1801 		auth_mask |= 1 << SSH_AUTH_KERBEROS;
1802 #endif
1803 #if defined(AFS) || defined(KRB5)
1804 	if (options.kerberos_tgt_passing)
1805 		auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
1806 #endif
1807 #ifdef AFS
1808 	if (options.afs_token_passing)
1809 		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
1810 #endif
1811 	if (options.challenge_response_authentication == 1)
1812 		auth_mask |= 1 << SSH_AUTH_TIS;
1813 	if (options.password_authentication)
1814 		auth_mask |= 1 << SSH_AUTH_PASSWORD;
1815 	packet_put_int(auth_mask);
1816 
1817 	/* Send the packet and wait for it to be sent. */
1818 	packet_send();
1819 	packet_write_wait();
1820 
1821 	debug("Sent %d bit server key and %d bit host key.",
1822 	    BN_num_bits(sensitive_data.server_key->rsa->n),
1823 	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1824 
1825 	/* Read clients reply (cipher type and session key). */
1826 	packet_read_expect(SSH_CMSG_SESSION_KEY);
1827 
1828 	/* Get cipher type and check whether we accept this. */
1829 	cipher_type = packet_get_char();
1830 
1831 	if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) {
1832 		packet_disconnect("Warning: client selects unsupported cipher.");
1833 	}
1834 
1835 	/* Get check bytes from the packet.  These must match those we
1836 	   sent earlier with the public key packet. */
1837 	for (i = 0; i < 8; i++) {
1838 		if (cookie[i] != packet_get_char()) {
1839 			packet_disconnect("IP Spoofing check bytes do not match.");
1840 		}
1841 	}
1842 
1843 	debug("Encryption type: %.200s", cipher_name(cipher_type));
1844 
1845 	/* Get the encrypted integer. */
1846 	if ((session_key_int = BN_new()) == NULL)
1847 		fatal("do_ssh1_kex: BN_new failed");
1848 	packet_get_bignum(session_key_int);
1849 
1850 	protocol_flags = packet_get_int();
1851 	packet_set_protocol_flags(protocol_flags);
1852 	packet_check_eom();
1853 
1854 	/* Decrypt session_key_int using host/server keys */
1855 	rsafail = ssh1_session_key(session_key_int);
1856 
1857 	/*
1858 	 * Extract session key from the decrypted integer.  The key is in the
1859 	 * least significant 256 bits of the integer; the first byte of the
1860 	 * key is in the highest bits.
1861 	 */
1862 	if (!rsafail) {
1863 		(void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
1864 		len = BN_num_bytes(session_key_int);
1865 		if (len < 0 || len > sizeof(session_key)) {
1866 			error("do_connection: bad session key len from %s: "
1867 			    "session_key_int %d > sizeof(session_key) %lu",
1868 			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
1869 			rsafail++;
1870 		} else {
1871 			(void) memset(session_key, 0, sizeof(session_key));
1872 			(void) BN_bn2bin(session_key_int,
1873 			    session_key + sizeof(session_key) - len);
1874 
1875 			compute_session_id(session_id, cookie,
1876 			    sensitive_data.ssh1_host_key->rsa->n,
1877 			    sensitive_data.server_key->rsa->n);
1878 			/*
1879 			 * Xor the first 16 bytes of the session key with the
1880 			 * session id.
1881 			 */
1882 			for (i = 0; i < 16; i++)
1883 				session_key[i] ^= session_id[i];
1884 		}
1885 	}
1886 	if (rsafail) {
1887 		int bytes = BN_num_bytes(session_key_int);
1888 		u_char *buf = xmalloc(bytes);
1889 		MD5_CTX md;
1890 
1891 		log("do_connection: generating a fake encryption key");
1892 		(void) BN_bn2bin(session_key_int, buf);
1893 		MD5_Init(&md);
1894 		MD5_Update(&md, buf, bytes);
1895 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
1896 		MD5_Final(session_key, &md);
1897 		MD5_Init(&md);
1898 		MD5_Update(&md, session_key, 16);
1899 		MD5_Update(&md, buf, bytes);
1900 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
1901 		MD5_Final(session_key + 16, &md);
1902 		(void) memset(buf, 0, bytes);
1903 		xfree(buf);
1904 		for (i = 0; i < 16; i++)
1905 			session_id[i] = session_key[i] ^ session_key[i + 16];
1906 	}
1907 	/* Destroy the private and public keys. No longer. */
1908 	destroy_sensitive_data();
1909 
1910 	/* Destroy the decrypted integer.  It is no longer needed. */
1911 	BN_clear_free(session_key_int);
1912 
1913 	/* Set the session key.  From this on all communications will be encrypted. */
1914 	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
1915 
1916 	/* Destroy our copy of the session key.  It is no longer needed. */
1917 	(void) memset(session_key, 0, sizeof(session_key));
1918 
1919 	debug("Received session key; encryption turned on.");
1920 
1921 	/* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
1922 	packet_start(SSH_SMSG_SUCCESS);
1923 	packet_send();
1924 	packet_write_wait();
1925 }
1926 
1927 /*
1928  * Prepare for SSH2 key exchange.
1929  */
1930 Kex *
1931 prepare_for_ssh2_kex(void)
1932 {
1933 	Kex *kex;
1934 	Kex_hook_func kex_hook = NULL;
1935 	char **locales;
1936 	static char **myproposal;
1937 
1938 	myproposal = my_srv_proposal;
1939 
1940 	if (options.ciphers != NULL) {
1941 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1942 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
1943 	}
1944 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1945 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
1946 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
1947 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
1948 
1949 	if (options.macs != NULL) {
1950 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
1951 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
1952 	}
1953 	if (!options.compression) {
1954 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1955 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
1956 	}
1957 
1958 	/*
1959 	 * Prepare kex algs / hostkey algs (excluding GSS, which is
1960 	 * handled in the kex hook.
1961 	 *
1962 	 * XXX This should probably move to the kex hook as well, where
1963 	 * all non-constant kex offer material belongs.
1964 	 */
1965 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
1966 
1967 	/* If we have no host key algs we can't offer KEXDH/KEX_DH_GEX */
1968 	if (myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] == NULL ||
1969 	    *myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] == '\0')
1970 		myproposal[PROPOSAL_KEX_ALGS] = "";
1971 
1972 	if ((locales = g11n_getlocales()) != NULL) {
1973 		/* Solaris 9 SSH expects a list of locales */
1974 		if (datafellows & SSH_BUG_LOCALES_NOT_LANGTAGS)
1975 			myproposal[PROPOSAL_LANG_STOC] = xjoin(locales, ',');
1976 		else
1977 			myproposal[PROPOSAL_LANG_STOC] =
1978 				g11n_locales2langs(locales);
1979 	}
1980 
1981 	if (locales != NULL)
1982 		g11n_freelist(locales);
1983 
1984 	if ((myproposal[PROPOSAL_LANG_STOC] != NULL) &&
1985 	    (strcmp(myproposal[PROPOSAL_LANG_STOC], "")) != 0)
1986 		myproposal[PROPOSAL_LANG_CTOS] =
1987 			xstrdup(myproposal[PROPOSAL_LANG_STOC]);
1988 
1989 #ifdef GSSAPI
1990 	if (options.gss_keyex)
1991 		kex_hook = ssh_gssapi_server_kex_hook;
1992 #endif /* GSSAPI */
1993 
1994 	kex = kex_setup(NULL, myproposal, kex_hook);
1995 
1996 	/*
1997 	 * Note that the my_srv_proposal variable (ie., myproposal) is staticly
1998 	 * initialized with "" for the language fields; we must not xfree such
1999 	 * strings.
2000 	 */
2001 	if (myproposal[PROPOSAL_LANG_STOC] != NULL &&
2002 	    strcmp(myproposal[PROPOSAL_LANG_STOC], "") != 0)
2003 		xfree(myproposal[PROPOSAL_LANG_STOC]);
2004 	if (myproposal[PROPOSAL_LANG_CTOS] != NULL &&
2005 	    strcmp(myproposal[PROPOSAL_LANG_STOC], "") != 0)
2006 		xfree(myproposal[PROPOSAL_LANG_CTOS]);
2007 
2008 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2009 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2010 #ifdef GSSAPI
2011 	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
2012 #endif /* GSSAPI */
2013 	kex->server = 1;
2014 	kex->client_version_string = client_version_string;
2015 	kex->server_version_string = server_version_string;
2016 	kex->load_host_key = &get_hostkey_by_type;
2017 	kex->host_key_index = &get_hostkey_index;
2018 
2019 	xxx_kex = kex;
2020 	return (kex);
2021 }
2022 
2023 /*
2024  * Do SSH2 key exchange.
2025  */
2026 static void
2027 do_ssh2_kex(void)
2028 {
2029 	Kex *kex;
2030 
2031 	kex = prepare_for_ssh2_kex();
2032 	kex_start(kex);
2033 
2034 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2035 
2036 	if (kex->name) {
2037 		xfree(kex->name);
2038 		kex->name = NULL;
2039 	}
2040 	session_id2 = kex->session_id;
2041 	session_id2_len = kex->session_id_len;
2042 
2043 #ifdef DEBUG_KEXDH
2044 	/* send 1st encrypted/maced/compressed message */
2045 	packet_start(SSH2_MSG_IGNORE);
2046 	packet_put_cstring("markus");
2047 	packet_send();
2048 	packet_write_wait();
2049 #endif
2050 	debug("KEX done");
2051 }
2052