xref: /titanic_50/usr/src/cmd/ssh/sshd/sshd.c (revision b9bd317cda1afb3a01f4812de73e8cec888cbbd7)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * This program is the ssh daemon.  It listens for connections from clients,
6  * and performs authentication, executes use commands or shell, and forwards
7  * information to/from the application to the user client over an encrypted
8  * connection.  This can also handle forwarding of X11, TCP/IP, and
9  * authentication agent connections.
10  *
11  * As far as I am concerned, the code I have written for this software
12  * can be used freely for any purpose.  Any derived versions of this
13  * software must be clearly marked as such, and if the derived work is
14  * incompatible with the protocol description in the RFC file, it must be
15  * called by a name other than "ssh" or "Secure Shell".
16  *
17  * SSH2 implementation:
18  * Privilege Separation:
19  *
20  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
21  * Copyright (c) 2002 Niels Provos.  All rights reserved.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  *
32  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
33  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
34  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
35  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
36  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
37  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
38  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
39  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
41  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42  */
43 /*
44  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
45  * Use is subject to license terms.
46  */
47 
48 #include "includes.h"
49 RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
50 
51 #pragma ident	"%Z%%M%	%I%	%E% SMI"
52 
53 #include <openssl/dh.h>
54 #include <openssl/bn.h>
55 #include <openssl/md5.h>
56 
57 #include <openssl/rand.h>
58 #ifdef HAVE_SECUREWARE
59 #include <sys/security.h>
60 #include <prot.h>
61 #endif
62 
63 #include "ssh.h"
64 #include "ssh1.h"
65 #include "ssh2.h"
66 #include "xmalloc.h"
67 #include "rsa.h"
68 #include "sshpty.h"
69 #include "packet.h"
70 #include "mpaux.h"
71 #include "log.h"
72 #include "servconf.h"
73 #include "uidswap.h"
74 #include "compat.h"
75 #include "buffer.h"
76 #include "cipher.h"
77 #include "kex.h"
78 #include "key.h"
79 #include "dh.h"
80 #include "myproposal.h"
81 #include "authfile.h"
82 #include "pathnames.h"
83 #include "atomicio.h"
84 #include "canohost.h"
85 #include "auth.h"
86 #include "misc.h"
87 #include "dispatch.h"
88 #include "channels.h"
89 #include "session.h"
90 #include "g11n.h"
91 #include "sshlogin.h"
92 #include "xlist.h"
93 
94 #ifdef HAVE_BSM
95 #include "bsmaudit.h"
96 adt_session_data_t *ah = NULL;
97 #endif /* HAVE_BSM */
98 
99 #ifdef ALTPRIVSEP
100 #include "altprivsep.h"
101 #endif /* ALTPRIVSEP */
102 
103 #ifdef HAVE_SOLARIS_CONTRACTS
104 #include <sys/ctfs.h>
105 #include <sys/contract.h>
106 #include <sys/contract/process.h>
107 #include <libcontract.h>
108 #endif /* HAVE_SOLARIS_CONTRACTS */
109 
110 #ifdef GSSAPI
111 #include "ssh-gss.h"
112 extern Gssctxt *xxx_gssctxt;
113 #endif /* GSSAPI */
114 
115 #ifdef LIBWRAP
116 #include <tcpd.h>
117 #include <syslog.h>
118 #ifndef lint
119 int allow_severity = LOG_INFO;
120 int deny_severity = LOG_WARNING;
121 #endif /* lint */
122 #endif /* LIBWRAP */
123 
124 #ifndef O_NOCTTY
125 #define O_NOCTTY	0
126 #endif
127 
128 #ifdef HAVE___PROGNAME
129 extern char *__progname;
130 #else
131 char *__progname;
132 #endif
133 
134 /* Server configuration options. */
135 ServerOptions options;
136 
137 /* Name of the server configuration file. */
138 static char *config_file_name = _PATH_SERVER_CONFIG_FILE;
139 
140 /*
141  * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
142  * Default value is AF_UNSPEC means both IPv4 and IPv6.
143  */
144 #ifdef IPV4_DEFAULT
145 int IPv4or6 = AF_INET;
146 #else
147 int IPv4or6 = AF_UNSPEC;
148 #endif
149 
150 /*
151  * Debug mode flag.  This can be set on the command line.  If debug
152  * mode is enabled, extra debugging output will be sent to the system
153  * log, the daemon will not go to background, and will exit after processing
154  * the first connection.
155  */
156 int debug_flag = 0;
157 
158 /* Flag indicating that the daemon should only test the configuration and keys. */
159 static int test_flag = 0;
160 
161 /* Flag indicating that the daemon is being started from inetd. */
162 static int inetd_flag = 0;
163 
164 /* Flag indicating that sshd should not detach and become a daemon. */
165 static int no_daemon_flag = 0;
166 
167 /* debug goes to stderr unless inetd_flag is set */
168 int log_stderr = 0;
169 
170 /* Saved arguments to main(). */
171 static char **saved_argv;
172 static int saved_argc;
173 
174 /*
175  * The sockets that the server is listening; this is used in the SIGHUP
176  * signal handler.
177  */
178 #define	MAX_LISTEN_SOCKS	16
179 static int listen_socks[MAX_LISTEN_SOCKS];
180 static int num_listen_socks = 0;
181 
182 /*
183  * the client's version string, passed by sshd2 in compat mode. if != NULL,
184  * sshd will skip the version-number exchange
185  */
186 static char *client_version_string = NULL;
187 static char *server_version_string = NULL;
188 
189 /* for rekeying XXX fixme */
190 Kex *xxx_kex;
191 
192 /*
193  * Any really sensitive data in the application is contained in this
194  * structure. The idea is that this structure could be locked into memory so
195  * that the pages do not get written into swap.  However, there are some
196  * problems. The private key contains BIGNUMs, and we do not (in principle)
197  * have access to the internals of them, and locking just the structure is
198  * not very useful.  Currently, memory locking is not implemented.
199  */
200 static struct {
201 	Key	*server_key;		/* ephemeral server key */
202 	Key	*ssh1_host_key;		/* ssh1 host key */
203 	Key	**host_keys;		/* all private host keys */
204 	int	have_ssh1_key;
205 	int	have_ssh2_key;
206 	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
207 } sensitive_data;
208 
209 /*
210  * Flag indicating whether the RSA server key needs to be regenerated.
211  * Is set in the SIGALRM handler and cleared when the key is regenerated.
212  */
213 static volatile sig_atomic_t key_do_regen = 0;
214 
215 /* This is set to true when a signal is received. */
216 static volatile sig_atomic_t received_sighup = 0;
217 static volatile sig_atomic_t received_sigterm = 0;
218 
219 /* session identifier, used by RSA-auth */
220 u_char session_id[16];
221 
222 /* same for ssh2 */
223 u_char *session_id2 = NULL;
224 int session_id2_len = 0;
225 
226 /* record remote hostname or ip */
227 u_int utmp_len = MAXHOSTNAMELEN;
228 
229 /* options.max_startup sized array of fd ints */
230 static int *startup_pipes = NULL;
231 static int startup_pipe = -1;	/* in child */
232 
233 #ifdef GSSAPI
234 static gss_OID_set mechs = GSS_C_NULL_OID_SET;
235 #endif /* GSSAPI */
236 
237 /* Prototypes for various functions defined later in this file. */
238 void destroy_sensitive_data(void);
239 static void demote_sensitive_data(void);
240 
241 static void do_ssh1_kex(void);
242 static void do_ssh2_kex(void);
243 
244 /*
245  * Close all listening sockets
246  */
247 static void
248 close_listen_socks(void)
249 {
250 	int i;
251 
252 	for (i = 0; i < num_listen_socks; i++)
253 		(void) close(listen_socks[i]);
254 	num_listen_socks = -1;
255 }
256 
257 static void
258 close_startup_pipes(void)
259 {
260 	int i;
261 
262 	if (startup_pipes)
263 		for (i = 0; i < options.max_startups; i++)
264 			if (startup_pipes[i] != -1)
265 				(void) close(startup_pipes[i]);
266 }
267 
268 /*
269  * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
270  * the effect is to reread the configuration file (and to regenerate
271  * the server key).
272  */
273 static void
274 sighup_handler(int sig)
275 {
276 	int save_errno = errno;
277 
278 	received_sighup = 1;
279 	(void) signal(SIGHUP, sighup_handler);
280 	errno = save_errno;
281 }
282 
283 /*
284  * Called from the main program after receiving SIGHUP.
285  * Restarts the server.
286  */
287 static void
288 sighup_restart(void)
289 {
290 	log("Received SIGHUP; restarting.");
291 	close_listen_socks();
292 	close_startup_pipes();
293 	(void) execv(saved_argv[0], saved_argv);
294 	log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
295 	    strerror(errno));
296 	exit(1);
297 }
298 
299 /*
300  * Generic signal handler for terminating signals in the master daemon.
301  */
302 static void
303 sigterm_handler(int sig)
304 {
305 	received_sigterm = sig;
306 }
307 
308 /*
309  * SIGCHLD handler.  This is called whenever a child dies.  This will then
310  * reap any zombies left by exited children.
311  */
312 static void
313 main_sigchld_handler(int sig)
314 {
315 	int save_errno = errno;
316 	pid_t pid;
317 	int status;
318 
319 	while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
320 	    (pid < 0 && errno == EINTR))
321 		;
322 
323 	(void) signal(SIGCHLD, main_sigchld_handler);
324 	errno = save_errno;
325 }
326 
327 /*
328  * Signal handler for the alarm after the login grace period has expired.
329  */
330 static void
331 grace_alarm_handler(int sig)
332 {
333 	/* XXX no idea how fix this signal handler */
334 
335 	/* Log error and exit. */
336 	fatal("Timeout before authentication for %s", get_remote_ipaddr());
337 }
338 
339 #ifdef HAVE_SOLARIS_CONTRACTS
340 static int contracts_fd = -1;
341 void
342 contracts_pre_fork()
343 {
344 	const char *during = "opening process contract template";
345 
346 	/*
347 	 * Failure should not be treated as fatal on the theory that
348 	 * it's better to start with children in the same contract as
349 	 * the master listener than not at all.
350 	 */
351 
352 	if (contracts_fd == -1) {
353 		if ((contracts_fd = open64(CTFS_ROOT "/process/template",
354 				O_RDWR)) == -1)
355 			goto cleanup;
356 
357 		during = "setting sundry contract terms";
358 		if ((errno = ct_pr_tmpl_set_param(contracts_fd, CT_PR_PGRPONLY)))
359 			goto cleanup;
360 
361 		if ((errno = ct_tmpl_set_informative(contracts_fd, CT_PR_EV_HWERR)))
362 			goto cleanup;
363 
364 		if ((errno = ct_pr_tmpl_set_fatal(contracts_fd, CT_PR_EV_HWERR)))
365 			goto cleanup;
366 
367 		if ((errno = ct_tmpl_set_critical(contracts_fd, 0)))
368 			goto cleanup;
369 	}
370 
371 	during = "setting active template";
372 	if ((errno = ct_tmpl_activate(contracts_fd)))
373 		goto cleanup;
374 
375 	debug3("Set active contract");
376 	return;
377 
378 cleanup:
379 	if (contracts_fd != -1)
380 		(void) close(contracts_fd);
381 
382 	contracts_fd = -1;
383 
384 	if (errno)
385 		debug2("Error while trying to set up active contract"
386 			" template: %s while %s", strerror(errno), during);
387 }
388 
389 void
390 contracts_post_fork_child()
391 {
392 	/* Clear active template so fork() creates no new contracts. */
393 
394 	if (contracts_fd == -1)
395 		return;
396 
397 	if ((errno = (ct_tmpl_clear(contracts_fd))))
398 		debug2("Error while trying to clear active contract template"
399 			" (child): %s", strerror(errno));
400 	else
401 		debug3("Cleared active contract template (child)");
402 
403 	(void) close(contracts_fd);
404 
405 	contracts_fd = -1;
406 }
407 
408 void
409 contracts_post_fork_parent(int fork_succeeded)
410 {
411 	char path[PATH_MAX];
412 	int cfd, n;
413 	ct_stathdl_t st;
414 	ctid_t latest;
415 
416 	/* Clear active template, abandon latest contract. */
417 	if (contracts_fd == -1)
418 		return;
419 
420 	if ((errno = ct_tmpl_clear(contracts_fd)))
421 		debug2("Error while clearing active contract template: %s",
422 			strerror(errno));
423 	else
424 		debug3("Cleared active contract template (parent)");
425 
426 	if (!fork_succeeded)
427 		return;
428 
429 	if ((cfd = open64(CTFS_ROOT "/process/latest", O_RDONLY)) == -1) {
430 		debug2("Error while getting latest contract: %s",
431 			strerror(errno));
432 		return;
433 	}
434 
435 	if ((errno = ct_status_read(cfd, CTD_COMMON, &st)) != 0) {
436 		debug2("Error while getting latest contract ID: %s",
437 			strerror(errno));
438 		(void) close(cfd);
439 		return;
440 	}
441 
442 	latest = ct_status_get_id(st);
443 	ct_status_free(st);
444 	(void) close(cfd);
445 
446 	n = snprintf(path, PATH_MAX, CTFS_ROOT "/all/%ld/ctl", latest);
447 
448 	if (n >= PATH_MAX) {
449 		debug2("Error while opening the latest contract ctl file: %s",
450 			strerror(ENAMETOOLONG));
451 		return;
452 	}
453 
454 	if ((cfd = open64(path, O_WRONLY)) == -1) {
455 		debug2("Error while opening the latest contract ctl file: %s",
456 			strerror(errno));
457 		return;
458 	}
459 
460 	if ((errno = ct_ctl_abandon(cfd)))
461 		debug2("Error while abandoning latest contract: %s",
462 			strerror(errno));
463 	else
464 		debug3("Abandoned latest contract");
465 
466 	(void) close(cfd);
467 }
468 #endif /* HAVE_SOLARIS_CONTRACTS */
469 
470 /*
471  * Signal handler for the key regeneration alarm.  Note that this
472  * alarm only occurs in the daemon waiting for connections, and it does not
473  * do anything with the private key or random state before forking.
474  * Thus there should be no concurrency control/asynchronous execution
475  * problems.
476  */
477 static void
478 generate_ephemeral_server_key(void)
479 {
480 	u_int32_t rnd = 0;
481 	int i;
482 
483 	verbose("Generating %s%d bit RSA key.",
484 	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
485 	if (sensitive_data.server_key != NULL)
486 		key_free(sensitive_data.server_key);
487 	sensitive_data.server_key = key_generate(KEY_RSA1,
488 	    options.server_key_bits);
489 	verbose("RSA key generation complete.");
490 
491 	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
492 		if (i % 4 == 0)
493 			rnd = arc4random();
494 		sensitive_data.ssh1_cookie[i] = rnd & 0xff;
495 		rnd >>= 8;
496 	}
497 	arc4random_stir();
498 }
499 
500 static void
501 key_regeneration_alarm(int sig)
502 {
503 	int save_errno = errno;
504 
505 	(void) signal(SIGALRM, SIG_DFL);
506 	errno = save_errno;
507 	key_do_regen = 1;
508 }
509 
510 static void
511 sshd_exchange_identification(int sock_in, int sock_out)
512 {
513 	int i, mismatch;
514 	int remote_major, remote_minor;
515 	int major, minor;
516 	char *s;
517 	char buf[256];			/* Must not be larger than remote_version. */
518 	char remote_version[256];	/* Must be at least as big as buf. */
519 
520 	if ((options.protocol & SSH_PROTO_1) &&
521 	    (options.protocol & SSH_PROTO_2)) {
522 		major = PROTOCOL_MAJOR_1;
523 		minor = 99;
524 	} else if (options.protocol & SSH_PROTO_2) {
525 		major = PROTOCOL_MAJOR_2;
526 		minor = PROTOCOL_MINOR_2;
527 	} else {
528 		major = PROTOCOL_MAJOR_1;
529 		minor = PROTOCOL_MINOR_1;
530 	}
531 	(void) snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
532 	server_version_string = xstrdup(buf);
533 
534 	if (client_version_string == NULL) {
535 		/* Send our protocol version identification. */
536 		if (atomicio(write, sock_out, server_version_string,
537 		    strlen(server_version_string))
538 		    != strlen(server_version_string)) {
539 			log("Could not write ident string to %s", get_remote_ipaddr());
540 			fatal_cleanup();
541 		}
542 
543 		/* Read other sides version identification. */
544 		(void) memset(buf, 0, sizeof(buf));
545 		for (i = 0; i < sizeof(buf) - 1; i++) {
546 			if (atomicio(read, sock_in, &buf[i], 1) != 1) {
547 				log("Did not receive identification string from %s",
548 				    get_remote_ipaddr());
549 				fatal_cleanup();
550 			}
551 			if (buf[i] == '\r') {
552 				buf[i] = 0;
553 				/* Kludge for F-Secure Macintosh < 1.0.2 */
554 				if (i == 12 &&
555 				    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
556 					break;
557 				continue;
558 			}
559 			if (buf[i] == '\n') {
560 				buf[i] = 0;
561 				break;
562 			}
563 		}
564 		buf[sizeof(buf) - 1] = 0;
565 		client_version_string = xstrdup(buf);
566 	}
567 
568 	/*
569 	 * Check that the versions match.  In future this might accept
570 	 * several versions and set appropriate flags to handle them.
571 	 */
572 	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
573 	    &remote_major, &remote_minor, remote_version) != 3) {
574 		s = "Protocol mismatch.\n";
575 		(void) atomicio(write, sock_out, s, strlen(s));
576 		(void) close(sock_in);
577 		(void) close(sock_out);
578 		log("Bad protocol version identification '%.100s' from %s",
579 		    client_version_string, get_remote_ipaddr());
580 		fatal_cleanup();
581 	}
582 	debug("Client protocol version %d.%d; client software version %.100s",
583 	    remote_major, remote_minor, remote_version);
584 
585 	compat_datafellows(remote_version);
586 
587 	if (datafellows & SSH_BUG_PROBE) {
588 		log("probed from %s with %s.  Don't panic.",
589 		    get_remote_ipaddr(), client_version_string);
590 		fatal_cleanup();
591 	}
592 
593 	if (datafellows & SSH_BUG_SCANNER) {
594 		log("scanned from %s with %s.  Don't panic.",
595 		    get_remote_ipaddr(), client_version_string);
596 		fatal_cleanup();
597 	}
598 
599 	mismatch = 0;
600 	switch (remote_major) {
601 	case 1:
602 		if (remote_minor == 99) {
603 			if (options.protocol & SSH_PROTO_2)
604 				enable_compat20();
605 			else
606 				mismatch = 1;
607 			break;
608 		}
609 		if (!(options.protocol & SSH_PROTO_1)) {
610 			mismatch = 1;
611 			break;
612 		}
613 		if (remote_minor < 3) {
614 			packet_disconnect("Your ssh version is too old and "
615 			    "is no longer supported.  Please install a newer version.");
616 		} else if (remote_minor == 3) {
617 			/* note that this disables agent-forwarding */
618 			enable_compat13();
619 		}
620 		break;
621 	case 2:
622 		if (options.protocol & SSH_PROTO_2) {
623 			enable_compat20();
624 			break;
625 		}
626 		/* FALLTHROUGH */
627 	default:
628 		mismatch = 1;
629 		break;
630 	}
631 	chop(server_version_string);
632 	debug("Local version string %.200s", server_version_string);
633 
634 	if (mismatch) {
635 		s = "Protocol major versions differ.\n";
636 		(void) atomicio(write, sock_out, s, strlen(s));
637 		(void) close(sock_in);
638 		(void) close(sock_out);
639 		log("Protocol major versions differ for %s: %.200s vs. %.200s",
640 		    get_remote_ipaddr(),
641 		    server_version_string, client_version_string);
642 		fatal_cleanup();
643 	}
644 }
645 
646 /* Destroy the host and server keys.  They will no longer be needed. */
647 void
648 destroy_sensitive_data(void)
649 {
650 	int i;
651 
652 	if (sensitive_data.server_key) {
653 		key_free(sensitive_data.server_key);
654 		sensitive_data.server_key = NULL;
655 	}
656 	for (i = 0; i < options.num_host_key_files; i++) {
657 		if (sensitive_data.host_keys[i]) {
658 			key_free(sensitive_data.host_keys[i]);
659 			sensitive_data.host_keys[i] = NULL;
660 		}
661 	}
662 	sensitive_data.ssh1_host_key = NULL;
663 	(void) memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
664 }
665 
666 /* Demote private to public keys for network child */
667 static void
668 demote_sensitive_data(void)
669 {
670 	Key *tmp;
671 	int i;
672 
673 	if (sensitive_data.server_key) {
674 		tmp = key_demote(sensitive_data.server_key);
675 		key_free(sensitive_data.server_key);
676 		sensitive_data.server_key = tmp;
677 	}
678 
679 	for (i = 0; i < options.num_host_key_files; i++) {
680 		if (sensitive_data.host_keys[i]) {
681 			tmp = key_demote(sensitive_data.host_keys[i]);
682 			key_free(sensitive_data.host_keys[i]);
683 			sensitive_data.host_keys[i] = tmp;
684 			if (tmp->type == KEY_RSA1)
685 				sensitive_data.ssh1_host_key = tmp;
686 		}
687 	}
688 
689 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
690 }
691 
692 static char *
693 list_hostkey_types(void)
694 {
695 	Buffer b;
696 	char *p;
697 	int i;
698 
699 	buffer_init(&b);
700 	for (i = 0; i < options.num_host_key_files; i++) {
701 		Key *key = sensitive_data.host_keys[i];
702 		if (key == NULL)
703 			continue;
704 		switch (key->type) {
705 		case KEY_RSA:
706 		case KEY_DSA:
707 			if (buffer_len(&b) > 0)
708 				buffer_append(&b, ",", 1);
709 			p = key_ssh_name(key);
710 			buffer_append(&b, p, strlen(p));
711 			break;
712 		}
713 	}
714 	buffer_append(&b, "\0", 1);
715 	p = xstrdup(buffer_ptr(&b));
716 	buffer_free(&b);
717 	debug("list_hostkey_types: %s", p);
718 	return p;
719 }
720 
721 #ifdef lint
722 static
723 #endif /* lint */
724 Key *
725 get_hostkey_by_type(int type)
726 {
727 	int i;
728 
729 	for (i = 0; i < options.num_host_key_files; i++) {
730 		Key *key = sensitive_data.host_keys[i];
731 		if (key != NULL && key->type == type)
732 			return key;
733 	}
734 	return NULL;
735 }
736 
737 #ifdef lint
738 static
739 #endif /* lint */
740 Key *
741 get_hostkey_by_index(int ind)
742 {
743 	if (ind < 0 || ind >= options.num_host_key_files)
744 		return (NULL);
745 	return (sensitive_data.host_keys[ind]);
746 }
747 
748 #ifdef lint
749 static
750 #endif /* lint */
751 int
752 get_hostkey_index(Key *key)
753 {
754 	int i;
755 
756 	for (i = 0; i < options.num_host_key_files; i++) {
757 		if (key == sensitive_data.host_keys[i])
758 			return (i);
759 	}
760 	return (-1);
761 }
762 
763 /*
764  * returns 1 if connection should be dropped, 0 otherwise.
765  * dropping starts at connection #max_startups_begin with a probability
766  * of (max_startups_rate/100). the probability increases linearly until
767  * all connections are dropped for startups > max_startups
768  */
769 static int
770 drop_connection(int startups)
771 {
772 	double p, r;
773 
774 	if (startups < options.max_startups_begin)
775 		return 0;
776 	if (startups >= options.max_startups)
777 		return 1;
778 	if (options.max_startups_rate == 100)
779 		return 1;
780 
781 	p  = 100 - options.max_startups_rate;
782 	p *= startups - options.max_startups_begin;
783 	p /= (double) (options.max_startups - options.max_startups_begin);
784 	p += options.max_startups_rate;
785 	p /= 100.0;
786 	r = arc4random() / (double) UINT_MAX;
787 
788 	debug("drop_connection: p %g, r %g", p, r);
789 	return (r < p) ? 1 : 0;
790 }
791 
792 static void
793 usage(void)
794 {
795 	(void) fprintf(stderr, gettext("sshd version %s\n"), SSH_VERSION);
796 	(void) fprintf(stderr,
797 	    gettext("Usage: %s [options]\n"
798 		"Options:\n"
799 		"  -f file    Configuration file (default %s)\n"
800 		"  -d         Debugging mode (multiple -d means more "
801 		"debugging)\n"
802 		"  -i         Started from inetd\n"
803 		"  -D         Do not fork into daemon mode\n"
804 		"  -t         Only test configuration file and keys\n"
805 		"  -q         Quiet (no logging)\n"
806 		"  -p port    Listen on the specified port (default: 22)\n"
807 		"  -k seconds Regenerate server key every this many seconds "
808 		"(default: 3600)\n"
809 		"  -g seconds Grace period for authentication (default: 600)\n"
810 		"  -b bits    Size of server RSA key (default: 768 bits)\n"
811 		"  -h file    File from which to read host key (default: %s)\n"
812 		"  -4         Use IPv4 only\n"
813 		"  -6         Use IPv6 only\n"
814 		"  -o option  Process the option as if it was read from "
815 		"a configuration file.\n"),
816 	    __progname, _PATH_SERVER_CONFIG_FILE, _PATH_HOST_KEY_FILE);
817 	exit(1);
818 }
819 
820 /*
821  * Main program for the daemon.
822  */
823 int
824 main(int ac, char **av)
825 {
826 	extern char *optarg;
827 	extern int optind;
828 	int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
829 	pid_t pid;
830 	socklen_t fromlen;
831 	fd_set *fdset;
832 	struct sockaddr_storage from;
833 	const char *remote_ip;
834 	int remote_port;
835 	FILE *f;
836 	struct addrinfo *ai;
837 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
838 	int listen_sock, maxfd;
839 	int startup_p[2];
840 	int startups = 0;
841 	Authctxt *authctxt;
842 	Key *key;
843 	int ret, key_used = 0;
844 #ifdef HAVE_BSM
845 	au_id_t	    auid = AU_NOAUDITID;
846 #endif /* HAVE_BSM */
847 #ifdef ALTPRIVSEP
848 	pid_t aps_child;
849 #endif /* ALTPRIVSEP */
850 
851 	__progname = get_progname(av[0]);
852 
853 	(void) g11n_setlocale(LC_ALL, "");
854 
855 #ifdef HAVE_SECUREWARE
856 	(void)set_auth_parameters(ac, av);
857 #endif
858 
859 	init_rng();
860 
861 	/* Save argv. */
862 	saved_argc = ac;
863 	saved_argv = av;
864 
865 	/* Initialize configuration options to their default values. */
866 	initialize_server_options(&options);
867 
868 	/* Parse command-line arguments. */
869 	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:o:dDeiqtQ46")) != -1) {
870 		switch (opt) {
871 		case '4':
872 			IPv4or6 = AF_INET;
873 			break;
874 		case '6':
875 			IPv4or6 = AF_INET6;
876 			break;
877 		case 'f':
878 			config_file_name = optarg;
879 			break;
880 		case 'd':
881 			if (0 == debug_flag) {
882 				debug_flag = 1;
883 				options.log_level = SYSLOG_LEVEL_DEBUG1;
884 			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
885 				options.log_level++;
886 			} else {
887 				(void) fprintf(stderr,
888 					gettext("Debug level too high.\n"));
889 				exit(1);
890 			}
891 			break;
892 		case 'D':
893 			no_daemon_flag = 1;
894 			break;
895 		case 'e':
896 			log_stderr = 1;
897 			break;
898 		case 'i':
899 			inetd_flag = 1;
900 			break;
901 		case 'Q':
902 			/* ignored */
903 			break;
904 		case 'q':
905 			options.log_level = SYSLOG_LEVEL_QUIET;
906 			break;
907 		case 'b':
908 			options.server_key_bits = atoi(optarg);
909 			break;
910 		case 'p':
911 			options.ports_from_cmdline = 1;
912 			if (options.num_ports >= MAX_PORTS) {
913 				(void) fprintf(stderr, gettext("too many ports.\n"));
914 				exit(1);
915 			}
916 			options.ports[options.num_ports++] = a2port(optarg);
917 			if (options.ports[options.num_ports-1] == 0) {
918 				(void) fprintf(stderr, gettext("Bad port number.\n"));
919 				exit(1);
920 			}
921 			break;
922 		case 'g':
923 			if ((options.login_grace_time = convtime(optarg)) == -1) {
924 				(void) fprintf(stderr,
925 					gettext("Invalid login grace time.\n"));
926 				exit(1);
927 			}
928 			break;
929 		case 'k':
930 			if ((options.key_regeneration_time = convtime(optarg)) == -1) {
931 				(void) fprintf(stderr,
932 					gettext("Invalid key regeneration "
933 						"interval.\n"));
934 				exit(1);
935 			}
936 			break;
937 		case 'h':
938 			if (options.num_host_key_files >= MAX_HOSTKEYS) {
939 				(void) fprintf(stderr,
940 					gettext("too many host keys.\n"));
941 				exit(1);
942 			}
943 			options.host_key_files[options.num_host_key_files++] = optarg;
944 			break;
945 		case 'V':
946 			client_version_string = optarg;
947 			/* only makes sense with inetd_flag, i.e. no listen() */
948 			inetd_flag = 1;
949 			break;
950 		case 't':
951 			test_flag = 1;
952 			break;
953 		case 'o':
954 			if (process_server_config_line(&options, optarg,
955 			    "command-line", 0) != 0)
956 				exit(1);
957 			break;
958 		case '?':
959 		default:
960 			usage();
961 			break;
962 		}
963 	}
964 	SSLeay_add_all_algorithms();
965 	channel_set_af(IPv4or6);
966 
967 	/*
968 	 * Force logging to stderr until we have loaded the private host
969 	 * key (unless started from inetd)
970 	 */
971 	log_init(__progname,
972 	    options.log_level == SYSLOG_LEVEL_NOT_SET ?
973 	    SYSLOG_LEVEL_INFO : options.log_level,
974 	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
975 	    SYSLOG_FACILITY_AUTH : options.log_facility,
976 	    !inetd_flag);
977 
978 #ifdef _UNICOS
979 	/* Cray can define user privs drop all prives now!
980 	 * Not needed on PRIV_SU systems!
981 	 */
982 	drop_cray_privs();
983 #endif
984 
985 	seed_rng();
986 
987 	/* Read server configuration options from the configuration file. */
988 	read_server_config(&options, config_file_name);
989 
990 	/* Fill in default values for those options not explicitly set. */
991 	fill_default_server_options(&options);
992 
993 	utmp_len = options.lookup_client_hostnames ? utmp_len : 0;
994 
995 	/* Check that there are no remaining arguments. */
996 	if (optind < ac) {
997 		(void) fprintf(stderr, gettext("Extra argument %s.\n"), av[optind]);
998 		exit(1);
999 	}
1000 
1001 	debug("sshd version %.100s", SSH_VERSION);
1002 
1003 	/* load private host keys */
1004 	if (options.num_host_key_files > 0)
1005 		sensitive_data.host_keys =
1006 		    xmalloc(options.num_host_key_files * sizeof(Key *));
1007 	for (i = 0; i < options.num_host_key_files; i++)
1008 		sensitive_data.host_keys[i] = NULL;
1009 	sensitive_data.server_key = NULL;
1010 	sensitive_data.ssh1_host_key = NULL;
1011 	sensitive_data.have_ssh1_key = 0;
1012 	sensitive_data.have_ssh2_key = 0;
1013 
1014 	for (i = 0; i < options.num_host_key_files; i++) {
1015 		key = key_load_private(options.host_key_files[i], "", NULL);
1016 		sensitive_data.host_keys[i] = key;
1017 		if (key == NULL) {
1018 			error("Could not load host key: %s",
1019 			    options.host_key_files[i]);
1020 			sensitive_data.host_keys[i] = NULL;
1021 			continue;
1022 		}
1023 		switch (key->type) {
1024 		case KEY_RSA1:
1025 			sensitive_data.ssh1_host_key = key;
1026 			sensitive_data.have_ssh1_key = 1;
1027 			break;
1028 		case KEY_RSA:
1029 		case KEY_DSA:
1030 			sensitive_data.have_ssh2_key = 1;
1031 			break;
1032 		}
1033 		debug("private host key: #%d type %d %s", i, key->type,
1034 		    key_type(key));
1035 	}
1036 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1037 		log("Disabling protocol version 1. Could not load host key");
1038 		options.protocol &= ~SSH_PROTO_1;
1039 	}
1040 	if ((options.protocol & SSH_PROTO_2) &&
1041 	    !sensitive_data.have_ssh2_key) {
1042 #ifdef GSSAPI
1043 		if (options.gss_keyex)
1044 			ssh_gssapi_server_mechs(&mechs);
1045 
1046 		if (mechs == GSS_C_NULL_OID_SET) {
1047 			log("Disabling protocol version 2. Could not load host"
1048 			    "key or GSS-API mechanisms");
1049 			options.protocol &= ~SSH_PROTO_2;
1050 		}
1051 #else
1052 		log("Disabling protocol version 2. Could not load host key");
1053 		options.protocol &= ~SSH_PROTO_2;
1054 #endif /* GSSAPI */
1055 	}
1056 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
1057 		log("sshd: no hostkeys available -- exiting.");
1058 		exit(1);
1059 	}
1060 
1061 	/* Check certain values for sanity. */
1062 	if (options.protocol & SSH_PROTO_1) {
1063 		if (options.server_key_bits < 512 ||
1064 		    options.server_key_bits > 32768) {
1065 			(void) fprintf(stderr, gettext("Bad server key size.\n"));
1066 			exit(1);
1067 		}
1068 		/*
1069 		 * Check that server and host key lengths differ sufficiently. This
1070 		 * is necessary to make double encryption work with rsaref. Oh, I
1071 		 * hate software patents. I dont know if this can go? Niels
1072 		 */
1073 		if (options.server_key_bits >
1074 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
1075 		    SSH_KEY_BITS_RESERVED && options.server_key_bits <
1076 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1077 		    SSH_KEY_BITS_RESERVED) {
1078 			options.server_key_bits =
1079 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1080 			    SSH_KEY_BITS_RESERVED;
1081 			debug("Forcing server key to %d bits to make it differ from host key.",
1082 			    options.server_key_bits);
1083 		}
1084 	}
1085 
1086 	/* Configuration looks good, so exit if in test mode. */
1087 	if (test_flag)
1088 		exit(0);
1089 
1090 	/*
1091 	 * Clear out any supplemental groups we may have inherited.  This
1092 	 * prevents inadvertent creation of files with bad modes (in the
1093 	 * portable version at least, it's certainly possible for PAM
1094 	 * to create a file, and we can't control the code in every
1095 	 * module which might be used).
1096 	 */
1097 	if (setgroups(0, NULL) < 0)
1098 		debug("setgroups() failed: %.200s", strerror(errno));
1099 
1100 	/* Initialize the log (it is reinitialized below in case we forked). */
1101 	if (debug_flag && !inetd_flag)
1102 		log_stderr = 1;
1103 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1104 
1105 #ifdef HAVE_BSM
1106 	(void) setauid(&auid);
1107 #endif /* HAVE_BSM */
1108 
1109 	/*
1110 	 * If not in debugging mode, and not started from inetd, disconnect
1111 	 * from the controlling terminal, and fork.  The original process
1112 	 * exits.
1113 	 */
1114 	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
1115 #ifdef TIOCNOTTY
1116 		int fd;
1117 #endif /* TIOCNOTTY */
1118 		if (daemon(0, 0) < 0)
1119 			fatal("daemon() failed: %.200s", strerror(errno));
1120 
1121 		/* Disconnect from the controlling tty. */
1122 #ifdef TIOCNOTTY
1123 		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
1124 		if (fd >= 0) {
1125 			(void) ioctl(fd, TIOCNOTTY, NULL);
1126 			(void) close(fd);
1127 		}
1128 #endif /* TIOCNOTTY */
1129 	}
1130 	/* Reinitialize the log (because of the fork above). */
1131 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1132 
1133 	/* Initialize the random number generator. */
1134 	arc4random_stir();
1135 
1136 	/* Chdir to the root directory so that the current disk can be
1137 	   unmounted if desired. */
1138 	(void) chdir("/");
1139 
1140 	/* ignore SIGPIPE */
1141 	(void) signal(SIGPIPE, SIG_IGN);
1142 
1143 	/* Start listening for a socket, unless started from inetd. */
1144 	if (inetd_flag) {
1145 		int s1;
1146 		s1 = dup(0);	/* Make sure descriptors 0, 1, and 2 are in use. */
1147 		(void) dup(s1);
1148 		sock_in = dup(0);
1149 		sock_out = dup(1);
1150 		startup_pipe = -1;
1151 		newsock = sock_in;
1152 		/*
1153 		 * We intentionally do not close the descriptors 0, 1, and 2
1154 		 * as our code for setting the descriptors won\'t work if
1155 		 * ttyfd happens to be one of those.
1156 		 */
1157 		debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
1158 		if (options.protocol & SSH_PROTO_1)
1159 			generate_ephemeral_server_key();
1160 	} else {
1161 		for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
1162 			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1163 				continue;
1164 			if (num_listen_socks >= MAX_LISTEN_SOCKS)
1165 				fatal("Too many listen sockets. "
1166 				    "Enlarge MAX_LISTEN_SOCKS");
1167 			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
1168 			    ntop, sizeof(ntop), strport, sizeof(strport),
1169 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1170 				error("getnameinfo failed");
1171 				continue;
1172 			}
1173 			/* Create socket for listening. */
1174 			listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
1175 			if (listen_sock < 0) {
1176 				/* kernel may not support ipv6 */
1177 				verbose("socket: %.100s", strerror(errno));
1178 				continue;
1179 			}
1180 			if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
1181 				error("listen_sock O_NONBLOCK: %s", strerror(errno));
1182 				(void) close(listen_sock);
1183 				continue;
1184 			}
1185 			/*
1186 			 * Set socket options.
1187 			 * Allow local port reuse in TIME_WAIT.
1188 			 */
1189 			if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
1190 			    &on, sizeof(on)) == -1)
1191 				error("setsockopt SO_REUSEADDR: %s", strerror(errno));
1192 
1193 			debug("Bind to port %s on %s.", strport, ntop);
1194 
1195 			/* Bind the socket to the desired port. */
1196 			if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1197 				if (!ai->ai_next)
1198 				    error("Bind to port %s on %s failed: %.200s.",
1199 					    strport, ntop, strerror(errno));
1200 				(void) close(listen_sock);
1201 				continue;
1202 			}
1203 			listen_socks[num_listen_socks] = listen_sock;
1204 			num_listen_socks++;
1205 
1206 			/* Start listening on the port. */
1207 			log("Server listening on %s port %s.", ntop, strport);
1208 			if (listen(listen_sock, 5) < 0)
1209 				fatal("listen: %.100s", strerror(errno));
1210 
1211 		}
1212 		freeaddrinfo(options.listen_addrs);
1213 
1214 		if (!num_listen_socks)
1215 			fatal("Cannot bind any address.");
1216 
1217 		if (options.protocol & SSH_PROTO_1)
1218 			generate_ephemeral_server_key();
1219 
1220 		/*
1221 		 * Arrange to restart on SIGHUP.  The handler needs
1222 		 * listen_sock.
1223 		 */
1224 		(void) signal(SIGHUP, sighup_handler);
1225 
1226 		(void) signal(SIGTERM, sigterm_handler);
1227 		(void) signal(SIGQUIT, sigterm_handler);
1228 
1229 		/* Arrange SIGCHLD to be caught. */
1230 		(void) signal(SIGCHLD, main_sigchld_handler);
1231 
1232 		/* Write out the pid file after the sigterm handler is setup */
1233 		if (!debug_flag) {
1234 			/*
1235 			 * Record our pid in /var/run/sshd.pid to make it
1236 			 * easier to kill the correct sshd.  We don't want to
1237 			 * do this before the bind above because the bind will
1238 			 * fail if there already is a daemon, and this will
1239 			 * overwrite any old pid in the file.
1240 			 */
1241 			f = fopen(options.pid_file, "wb");
1242 			if (f) {
1243 				(void) fprintf(f, "%ld\n", (long) getpid());
1244 				(void) fclose(f);
1245 			}
1246 		}
1247 
1248 		/* setup fd set for listen */
1249 		fdset = NULL;
1250 		maxfd = 0;
1251 		for (i = 0; i < num_listen_socks; i++)
1252 			if (listen_socks[i] > maxfd)
1253 				maxfd = listen_socks[i];
1254 		/* pipes connected to unauthenticated childs */
1255 		startup_pipes = xmalloc(options.max_startups * sizeof(int));
1256 		for (i = 0; i < options.max_startups; i++)
1257 			startup_pipes[i] = -1;
1258 
1259 		/*
1260 		 * Stay listening for connections until the system crashes or
1261 		 * the daemon is killed with a signal.
1262 		 */
1263 		for (;;) {
1264 			if (received_sighup)
1265 				sighup_restart();
1266 			if (fdset != NULL)
1267 				xfree(fdset);
1268 			fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
1269 			fdset = (fd_set *)xmalloc(fdsetsz);
1270 			(void) memset(fdset, 0, fdsetsz);
1271 
1272 			for (i = 0; i < num_listen_socks; i++)
1273 				FD_SET(listen_socks[i], fdset);
1274 			for (i = 0; i < options.max_startups; i++)
1275 				if (startup_pipes[i] != -1)
1276 					FD_SET(startup_pipes[i], fdset);
1277 
1278 			/* Wait in select until there is a connection. */
1279 			ret = select(maxfd+1, fdset, NULL, NULL, NULL);
1280 			if (ret < 0 && errno != EINTR)
1281 				error("select: %.100s", strerror(errno));
1282 			if (received_sigterm) {
1283 				log("Received signal %d; terminating.",
1284 				    (int) received_sigterm);
1285 				close_listen_socks();
1286 				(void) unlink(options.pid_file);
1287 				exit(255);
1288 			}
1289 			if (key_used && key_do_regen) {
1290 				generate_ephemeral_server_key();
1291 				key_used = 0;
1292 				key_do_regen = 0;
1293 			}
1294 			if (ret < 0)
1295 				continue;
1296 
1297 			for (i = 0; i < options.max_startups; i++)
1298 				if (startup_pipes[i] != -1 &&
1299 				    FD_ISSET(startup_pipes[i], fdset)) {
1300 					/*
1301 					 * the read end of the pipe is ready
1302 					 * if the child has closed the pipe
1303 					 * after successful authentication
1304 					 * or if the child has died
1305 					 */
1306 					(void) close(startup_pipes[i]);
1307 					startup_pipes[i] = -1;
1308 					startups--;
1309 				}
1310 			for (i = 0; i < num_listen_socks; i++) {
1311 				if (!FD_ISSET(listen_socks[i], fdset))
1312 					continue;
1313 				fromlen = sizeof(from);
1314 				newsock = accept(listen_socks[i], (struct sockaddr *)&from,
1315 				    &fromlen);
1316 				if (newsock < 0) {
1317 					if (errno != EINTR && errno != EWOULDBLOCK)
1318 						error("accept: %.100s", strerror(errno));
1319 					continue;
1320 				}
1321 				if (fcntl(newsock, F_SETFL, 0) < 0) {
1322 					error("newsock del O_NONBLOCK: %s", strerror(errno));
1323 					(void) close(newsock);
1324 					continue;
1325 				}
1326 				if (drop_connection(startups) == 1) {
1327 					debug("drop connection #%d", startups);
1328 					(void) close(newsock);
1329 					continue;
1330 				}
1331 				if (pipe(startup_p) == -1) {
1332 					(void) close(newsock);
1333 					continue;
1334 				}
1335 
1336 				for (j = 0; j < options.max_startups; j++)
1337 					if (startup_pipes[j] == -1) {
1338 						startup_pipes[j] = startup_p[0];
1339 						if (maxfd < startup_p[0])
1340 							maxfd = startup_p[0];
1341 						startups++;
1342 						break;
1343 					}
1344 
1345 				/*
1346 				 * Got connection.  Fork a child to handle it, unless
1347 				 * we are in debugging mode.
1348 				 */
1349 				if (debug_flag) {
1350 					/*
1351 					 * In debugging mode.  Close the listening
1352 					 * socket, and start processing the
1353 					 * connection without forking.
1354 					 */
1355 					debug("Server will not fork when running in debugging mode.");
1356 					close_listen_socks();
1357 					sock_in = newsock;
1358 					sock_out = newsock;
1359 					startup_pipe = -1;
1360 					pid = getpid();
1361 					break;
1362 				} else {
1363 					/*
1364 					 * Normal production daemon.  Fork, and have
1365 					 * the child process the connection. The
1366 					 * parent continues listening.
1367 					 */
1368 #ifdef HAVE_SOLARIS_CONTRACTS
1369 					/*
1370 					 * Setup Solaris contract template so
1371 					 * the child process is in a different
1372 					 * process contract than the parent;
1373 					 * prevents established connections from
1374 					 * being killed when the sshd master
1375 					 * listener service is stopped.
1376 					 */
1377 					contracts_pre_fork();
1378 #endif /* HAVE_SOLARIS_CONTRACTS */
1379 					if ((pid = fork()) == 0) {
1380 						/*
1381 						 * Child.  Close the listening and max_startup
1382 						 * sockets.  Start using the accepted socket.
1383 						 * Reinitialize logging (since our pid has
1384 						 * changed).  We break out of the loop to handle
1385 						 * the connection.
1386 						 */
1387 #ifdef HAVE_SOLARIS_CONTRACTS
1388 						contracts_post_fork_child();
1389 #endif /* HAVE_SOLARIS_CONTRACTS */
1390 						xfree(fdset);
1391 						startup_pipe = startup_p[1];
1392 						close_startup_pipes();
1393 						close_listen_socks();
1394 						sock_in = newsock;
1395 						sock_out = newsock;
1396 						log_init(__progname, options.log_level, options.log_facility, log_stderr);
1397 						break;
1398 					}
1399 
1400 #ifdef HAVE_SOLARIS_CONTRACTS
1401 					contracts_post_fork_parent((pid > 0));
1402 #endif /* HAVE_SOLARIS_CONTRACTS */
1403 				}
1404 
1405 				/* Parent.  Stay in the loop. */
1406 				if (pid < 0)
1407 					error("fork: %.100s", strerror(errno));
1408 				else
1409 					debug("Forked child %ld.", (long)pid);
1410 
1411 				(void) close(startup_p[1]);
1412 
1413 				/* Mark that the key has been used (it was "given" to the child). */
1414 				if ((options.protocol & SSH_PROTO_1) &&
1415 				    key_used == 0) {
1416 					/* Schedule server key regeneration alarm. */
1417 					(void) signal(SIGALRM, key_regeneration_alarm);
1418 					(void) alarm(options.key_regeneration_time);
1419 					key_used = 1;
1420 				}
1421 
1422 				arc4random_stir();
1423 
1424 				/* Close the new socket (the child is now taking care of it). */
1425 				(void) close(newsock);
1426 			}
1427 			/* child process check (or debug mode) */
1428 			if (num_listen_socks < 0)
1429 				break;
1430 		}
1431 	}
1432 
1433 	/* This is the child processing a new connection. */
1434 #ifdef HAVE_BSM
1435 	audit_sshd_settid(newsock);
1436 #endif
1437 	/*
1438 	 * Create a new session and process group since the 4.4BSD
1439 	 * setlogin() affects the entire process group.  We don't
1440 	 * want the child to be able to affect the parent.
1441 	 */
1442 #if 0
1443 	/* XXX: this breaks Solaris */
1444 	if (!debug_flag && !inetd_flag && setsid() < 0)
1445 		error("setsid: %.100s", strerror(errno));
1446 #endif
1447 
1448 	/*
1449 	 * Disable the key regeneration alarm.  We will not regenerate the
1450 	 * key since we are no longer in a position to give it to anyone. We
1451 	 * will not restart on SIGHUP since it no longer makes sense.
1452 	 */
1453 	(void) alarm(0);
1454 	(void) signal(SIGALRM, SIG_DFL);
1455 	(void) signal(SIGHUP, SIG_DFL);
1456 	(void) signal(SIGTERM, SIG_DFL);
1457 	(void) signal(SIGQUIT, SIG_DFL);
1458 	(void) signal(SIGCHLD, SIG_DFL);
1459 	(void) signal(SIGINT, SIG_DFL);
1460 
1461 	/* Set keepalives if requested. */
1462 	if (options.keepalives &&
1463 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
1464 	    sizeof(on)) < 0)
1465 		debug2("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
1466 
1467 	/*
1468 	 * Register our connection.  This turns encryption off because we do
1469 	 * not have a key.
1470 	 */
1471 	packet_set_connection(sock_in, sock_out);
1472 
1473 	remote_port = get_remote_port();
1474 	remote_ip = get_remote_ipaddr();
1475 
1476 #ifdef LIBWRAP
1477 	/* Check whether logins are denied from this host. */
1478 	{
1479 		struct request_info req;
1480 
1481 		(void) request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
1482 		fromhost(&req);
1483 
1484 		if (!hosts_access(&req)) {
1485 			debug("Connection refused by tcp wrapper");
1486 			refuse(&req);
1487 			/* NOTREACHED */
1488 			fatal("libwrap refuse returns");
1489 		}
1490 	}
1491 #endif /* LIBWRAP */
1492 
1493 	/* Log the connection. */
1494 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
1495 
1496 	/*
1497 	 * We don\'t want to listen forever unless the other side
1498 	 * successfully authenticates itself.  So we set up an alarm which is
1499 	 * cleared after successful authentication.  A limit of zero
1500 	 * indicates no limit. Note that we don\'t set the alarm in debugging
1501 	 * mode; it is just annoying to have the server exit just when you
1502 	 * are about to discover the bug.
1503 	 */
1504 	(void) signal(SIGALRM, grace_alarm_handler);
1505 	if (!debug_flag)
1506 		(void) alarm(options.login_grace_time);
1507 
1508 	sshd_exchange_identification(sock_in, sock_out);
1509 	/*
1510 	 * Check that the connection comes from a privileged port.
1511 	 * Rhosts-Authentication only makes sense from privileged
1512 	 * programs.  Of course, if the intruder has root access on his local
1513 	 * machine, he can connect from any port.  So do not use these
1514 	 * authentication methods from machines that you do not trust.
1515 	 */
1516 	if (options.rhosts_authentication &&
1517 	    (remote_port >= IPPORT_RESERVED ||
1518 	    remote_port < IPPORT_RESERVED / 2)) {
1519 		debug("Rhosts Authentication disabled, "
1520 		    "originating port %d not trusted.", remote_port);
1521 		options.rhosts_authentication = 0;
1522 	}
1523 #if defined(KRB4) && !defined(KRB5)
1524 	if (!packet_connection_is_ipv4() &&
1525 	    options.kerberos_authentication) {
1526 		debug("Kerberos Authentication disabled, only available for IPv4.");
1527 		options.kerberos_authentication = 0;
1528 	}
1529 #endif /* KRB4 && !KRB5 */
1530 #ifdef AFS
1531 	/* If machine has AFS, set process authentication group. */
1532 	if (k_hasafs()) {
1533 		k_setpag();
1534 		k_unlog();
1535 	}
1536 #endif /* AFS */
1537 
1538 	packet_set_nonblocking();
1539 
1540 	/* perform the key exchange */
1541 	/* authenticate user and start session */
1542 	if (compat20) {
1543 		do_ssh2_kex();
1544 		authctxt = do_authentication2();
1545 	} else {
1546 		do_ssh1_kex();
1547 		authctxt = do_authentication();
1548 	}
1549 
1550 authenticated:
1551 	/* Authentication complete */
1552 	(void) alarm(0);
1553 
1554 	if (startup_pipe != -1) {
1555 		(void) close(startup_pipe);
1556 		startup_pipe = -1;
1557 	}
1558 
1559 #ifdef ALTPRIVSEP
1560 	if ((aps_child = altprivsep_start_monitor(authctxt)) == -1)
1561 		fatal("Monitor could not be started.");
1562 
1563 	if (aps_child > 0) {
1564 
1565 		/* ALTPRIVSEP Monitor */
1566 
1567 		/*
1568 		 * The ALTPRIVSEP monitor here does:
1569 		 *
1570 		 *  - record keeping and auditing
1571 		 *  - PAM cleanup
1572 		 */
1573 
1574 		/*
1575 		 * If the monitor fatal()s it will audit/record a logout, so
1576 		 * we'd better do something to really mean it: shutdown the
1577 		 * socket but leave the child alone -- it's been disconnected
1578 		 * and we hope it exits, but killing any pid from a privileged
1579 		 * monitor could be dangerous.
1580 		 *
1581 		 * NOTE: Order matters -- these fatal cleanups must come before
1582 		 * the audit logout fatal cleanup as these functions are called
1583 		 * in LIFO.
1584 		 *
1585 		 * NOTE: The monitor will packet_close(), which will close
1586 		 * "newsock," so we dup() it.
1587 		 */
1588 		newsock = dup(newsock);
1589 		fatal_add_cleanup((void (*)(void *))altprivsep_shutdown_sock,
1590 			(void *)&newsock);
1591 
1592 		if (compat20) {
1593 			debug3("Recording SSHv2 session login in wtmpx");
1594 			record_login(getpid(), NULL, "sshd", authctxt->user);
1595 		}
1596 
1597 #ifdef HAVE_BSM
1598 		fatal_remove_cleanup(
1599 			(void (*)(void *))audit_failed_login_cleanup,
1600 			(void *)authctxt);
1601 
1602 		/* Initialize the group list, audit sometimes needs it. */
1603 		if (initgroups(authctxt->pw->pw_name,
1604 		    authctxt->pw->pw_gid) < 0) {
1605 			perror("initgroups");
1606 			exit (1);
1607 		}
1608 		audit_sshd_login(&ah, authctxt->pw->pw_uid,
1609 			authctxt->pw->pw_gid);
1610 
1611 		fatal_add_cleanup((void (*)(void *))audit_sshd_logout,
1612 			(void *)&ah);
1613 #endif /* HAVE_BSM */
1614 
1615 #ifdef GSSAPI
1616 		fatal_add_cleanup((void (*)(void *))ssh_gssapi_cleanup_creds,
1617 			(void *)&xxx_gssctxt);
1618 #endif /* GSSAPI */
1619 
1620 		altprivsep_do_monitor(authctxt, aps_child);
1621 
1622 		/* If we got here the connection is dead. */
1623 		fatal_remove_cleanup((void (*)(void *))altprivsep_shutdown_sock,
1624 			(void *)&newsock);
1625 
1626 		if (compat20) {
1627 			debug3("Recording SSHv2 session logout in wtmpx");
1628 			record_logout(getpid(), NULL, "sshd", authctxt->user);
1629 		}
1630 
1631 		/*
1632 		 * Make sure the socket is closed. The monitor can't call
1633 		 * packet_close here as it's done a packet_set_connection()
1634 		 * with the pipe to the child instead of the socket.
1635 		 */
1636 		(void) shutdown(newsock, SHUT_RDWR);
1637 
1638 #ifdef GSSAPI
1639 		fatal_remove_cleanup((void (*)(void *))ssh_gssapi_cleanup_creds,
1640 			&xxx_gssctxt);
1641 		ssh_gssapi_cleanup_creds(xxx_gssctxt);
1642 		ssh_gssapi_server_mechs(NULL); /* release cached mechs list */
1643 #endif /* GSSAPI */
1644 
1645 #ifdef HAVE_BSM
1646 		fatal_remove_cleanup((void (*)(void *))audit_sshd_logout, (void *)&ah);
1647 		audit_sshd_logout(&ah);
1648 #endif /* HAVE_BSM */
1649 
1650 #ifdef USE_PAM
1651 		finish_pam(authctxt);
1652 #endif /* USE_PAM */
1653 
1654 		return (ret);
1655 
1656 		/* NOTREACHED */
1657 
1658 	} else {
1659 
1660 		/* ALTPRIVSEP Child */
1661 
1662 		/*
1663 		 * Drop privileges, access to privileged resources.
1664 		 *
1665 		 * Destroy private host keys, if any.
1666 		 *
1667 		 * No need to release any GSS credentials -- sshd only acquires
1668 		 * creds to determine what mechs it can negotiate then releases
1669 		 * them right away and uses GSS_C_NO_CREDENTIAL to accept
1670 		 * contexts.
1671 		 */
1672 		debug2("Unprivileged server process dropping privileges");
1673 		permanently_set_uid(authctxt->pw);
1674 		destroy_sensitive_data();
1675 		ssh_gssapi_server_mechs(NULL); /* release cached mechs list */
1676 
1677 #ifdef HAVE_BSM
1678 		fatal_remove_cleanup(
1679 			(void (*)(void *))audit_failed_login_cleanup,
1680 			(void *)authctxt);
1681 #endif /* HAVE_BSM */
1682 
1683 		/* Logged-in session. */
1684 		do_authenticated(authctxt);
1685 
1686 		/* The connection has been terminated. */
1687 		verbose("Closing connection to %.100s", remote_ip);
1688 
1689 		packet_close();
1690 
1691 		return (0);
1692 
1693 		/* NOTREACHED */
1694 	}
1695 #endif /* ALTPRIVSEP */
1696 }
1697 
1698 /*
1699  * Decrypt session_key_int using our private server key and private host key
1700  * (key with larger modulus first).
1701  */
1702 int
1703 ssh1_session_key(BIGNUM *session_key_int)
1704 {
1705 	int rsafail = 0;
1706 
1707 	if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {
1708 		/* Server key has bigger modulus. */
1709 		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
1710 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1711 			fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
1712 			    get_remote_ipaddr(),
1713 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1714 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1715 			    SSH_KEY_BITS_RESERVED);
1716 		}
1717 		if (rsa_private_decrypt(session_key_int, session_key_int,
1718 		    sensitive_data.server_key->rsa) <= 0)
1719 			rsafail++;
1720 		if (rsa_private_decrypt(session_key_int, session_key_int,
1721 		    sensitive_data.ssh1_host_key->rsa) <= 0)
1722 			rsafail++;
1723 	} else {
1724 		/* Host key has bigger modulus (or they are equal). */
1725 		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
1726 		    BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1727 			fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
1728 			    get_remote_ipaddr(),
1729 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1730 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1731 			    SSH_KEY_BITS_RESERVED);
1732 		}
1733 		if (rsa_private_decrypt(session_key_int, session_key_int,
1734 		    sensitive_data.ssh1_host_key->rsa) < 0)
1735 			rsafail++;
1736 		if (rsa_private_decrypt(session_key_int, session_key_int,
1737 		    sensitive_data.server_key->rsa) < 0)
1738 			rsafail++;
1739 	}
1740 	return (rsafail);
1741 }
1742 /*
1743  * SSH1 key exchange
1744  */
1745 static void
1746 do_ssh1_kex(void)
1747 {
1748 	int i, len;
1749 	int rsafail = 0;
1750 	BIGNUM *session_key_int;
1751 	u_char session_key[SSH_SESSION_KEY_LENGTH];
1752 	u_char cookie[8];
1753 	u_int cipher_type, auth_mask, protocol_flags;
1754 	u_int32_t rnd = 0;
1755 
1756 	/*
1757 	 * Generate check bytes that the client must send back in the user
1758 	 * packet in order for it to be accepted; this is used to defy ip
1759 	 * spoofing attacks.  Note that this only works against somebody
1760 	 * doing IP spoofing from a remote machine; any machine on the local
1761 	 * network can still see outgoing packets and catch the random
1762 	 * cookie.  This only affects rhosts authentication, and this is one
1763 	 * of the reasons why it is inherently insecure.
1764 	 */
1765 	for (i = 0; i < 8; i++) {
1766 		if (i % 4 == 0)
1767 			rnd = arc4random();
1768 		cookie[i] = rnd & 0xff;
1769 		rnd >>= 8;
1770 	}
1771 
1772 	/*
1773 	 * Send our public key.  We include in the packet 64 bits of random
1774 	 * data that must be matched in the reply in order to prevent IP
1775 	 * spoofing.
1776 	 */
1777 	packet_start(SSH_SMSG_PUBLIC_KEY);
1778 	for (i = 0; i < 8; i++)
1779 		packet_put_char(cookie[i]);
1780 
1781 	/* Store our public server RSA key. */
1782 	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
1783 	packet_put_bignum(sensitive_data.server_key->rsa->e);
1784 	packet_put_bignum(sensitive_data.server_key->rsa->n);
1785 
1786 	/* Store our public host RSA key. */
1787 	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1788 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
1789 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
1790 
1791 	/* Put protocol flags. */
1792 	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
1793 
1794 	/* Declare which ciphers we support. */
1795 	packet_put_int(cipher_mask_ssh1(0));
1796 
1797 	/* Declare supported authentication types. */
1798 	auth_mask = 0;
1799 	if (options.rhosts_authentication)
1800 		auth_mask |= 1 << SSH_AUTH_RHOSTS;
1801 	if (options.rhosts_rsa_authentication)
1802 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
1803 	if (options.rsa_authentication)
1804 		auth_mask |= 1 << SSH_AUTH_RSA;
1805 #if defined(KRB4) || defined(KRB5)
1806 	if (options.kerberos_authentication)
1807 		auth_mask |= 1 << SSH_AUTH_KERBEROS;
1808 #endif
1809 #if defined(AFS) || defined(KRB5)
1810 	if (options.kerberos_tgt_passing)
1811 		auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
1812 #endif
1813 #ifdef AFS
1814 	if (options.afs_token_passing)
1815 		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
1816 #endif
1817 	if (options.challenge_response_authentication == 1)
1818 		auth_mask |= 1 << SSH_AUTH_TIS;
1819 	if (options.password_authentication)
1820 		auth_mask |= 1 << SSH_AUTH_PASSWORD;
1821 	packet_put_int(auth_mask);
1822 
1823 	/* Send the packet and wait for it to be sent. */
1824 	packet_send();
1825 	packet_write_wait();
1826 
1827 	debug("Sent %d bit server key and %d bit host key.",
1828 	    BN_num_bits(sensitive_data.server_key->rsa->n),
1829 	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1830 
1831 	/* Read clients reply (cipher type and session key). */
1832 	packet_read_expect(SSH_CMSG_SESSION_KEY);
1833 
1834 	/* Get cipher type and check whether we accept this. */
1835 	cipher_type = packet_get_char();
1836 
1837 	if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) {
1838 		packet_disconnect("Warning: client selects unsupported cipher.");
1839 	}
1840 
1841 	/* Get check bytes from the packet.  These must match those we
1842 	   sent earlier with the public key packet. */
1843 	for (i = 0; i < 8; i++) {
1844 		if (cookie[i] != packet_get_char()) {
1845 			packet_disconnect("IP Spoofing check bytes do not match.");
1846 		}
1847 	}
1848 
1849 	debug("Encryption type: %.200s", cipher_name(cipher_type));
1850 
1851 	/* Get the encrypted integer. */
1852 	if ((session_key_int = BN_new()) == NULL)
1853 		fatal("do_ssh1_kex: BN_new failed");
1854 	packet_get_bignum(session_key_int);
1855 
1856 	protocol_flags = packet_get_int();
1857 	packet_set_protocol_flags(protocol_flags);
1858 	packet_check_eom();
1859 
1860 	/* Decrypt session_key_int using host/server keys */
1861 	rsafail = ssh1_session_key(session_key_int);
1862 
1863 	/*
1864 	 * Extract session key from the decrypted integer.  The key is in the
1865 	 * least significant 256 bits of the integer; the first byte of the
1866 	 * key is in the highest bits.
1867 	 */
1868 	if (!rsafail) {
1869 		(void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
1870 		len = BN_num_bytes(session_key_int);
1871 		if (len < 0 || len > sizeof(session_key)) {
1872 			error("do_connection: bad session key len from %s: "
1873 			    "session_key_int %d > sizeof(session_key) %lu",
1874 			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
1875 			rsafail++;
1876 		} else {
1877 			(void) memset(session_key, 0, sizeof(session_key));
1878 			(void) BN_bn2bin(session_key_int,
1879 			    session_key + sizeof(session_key) - len);
1880 
1881 			compute_session_id(session_id, cookie,
1882 			    sensitive_data.ssh1_host_key->rsa->n,
1883 			    sensitive_data.server_key->rsa->n);
1884 			/*
1885 			 * Xor the first 16 bytes of the session key with the
1886 			 * session id.
1887 			 */
1888 			for (i = 0; i < 16; i++)
1889 				session_key[i] ^= session_id[i];
1890 		}
1891 	}
1892 	if (rsafail) {
1893 		int bytes = BN_num_bytes(session_key_int);
1894 		u_char *buf = xmalloc(bytes);
1895 		MD5_CTX md;
1896 
1897 		log("do_connection: generating a fake encryption key");
1898 		(void) BN_bn2bin(session_key_int, buf);
1899 		MD5_Init(&md);
1900 		MD5_Update(&md, buf, bytes);
1901 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
1902 		MD5_Final(session_key, &md);
1903 		MD5_Init(&md);
1904 		MD5_Update(&md, session_key, 16);
1905 		MD5_Update(&md, buf, bytes);
1906 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
1907 		MD5_Final(session_key + 16, &md);
1908 		(void) memset(buf, 0, bytes);
1909 		xfree(buf);
1910 		for (i = 0; i < 16; i++)
1911 			session_id[i] = session_key[i] ^ session_key[i + 16];
1912 	}
1913 	/* Destroy the private and public keys. No longer. */
1914 	destroy_sensitive_data();
1915 
1916 	/* Destroy the decrypted integer.  It is no longer needed. */
1917 	BN_clear_free(session_key_int);
1918 
1919 	/* Set the session key.  From this on all communications will be encrypted. */
1920 	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
1921 
1922 	/* Destroy our copy of the session key.  It is no longer needed. */
1923 	(void) memset(session_key, 0, sizeof(session_key));
1924 
1925 	debug("Received session key; encryption turned on.");
1926 
1927 	/* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
1928 	packet_start(SSH_SMSG_SUCCESS);
1929 	packet_send();
1930 	packet_write_wait();
1931 }
1932 
1933 /*
1934  * SSH2 key exchange: diffie-hellman-group1-sha1
1935  */
1936 static void
1937 do_ssh2_kex(void)
1938 {
1939 	Kex *kex;
1940 	Kex_hook_func kex_hook = NULL;
1941 	char **locales;
1942 
1943 	if (options.ciphers != NULL) {
1944 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1945 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
1946 	}
1947 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1948 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
1949 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
1950 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
1951 
1952 	if (options.macs != NULL) {
1953 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
1954 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
1955 	}
1956 	if (!options.compression) {
1957 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1958 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
1959 	}
1960 
1961 	/*
1962 	 * Prepare kex algs / hostkey algs (excluding GSS, which is
1963 	 * handled in the kex hook.
1964 	 *
1965 	 * XXX This should probably move to the kex hook as well, where
1966 	 * all non-constant kex offer material belongs.
1967 	 */
1968 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
1969 
1970 	/* If we have no host key algs we can't offer KEXDH/KEX_DH_GEX */
1971 	if (myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] == NULL ||
1972 	    *myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] == '\0')
1973 		myproposal[PROPOSAL_KEX_ALGS] = "";
1974 
1975 	if ((locales = g11n_getlocales()) != NULL) {
1976 		/* Solaris 9 SSH expects a list of locales */
1977 		if (datafellows & SSH_BUG_LOCALES_NOT_LANGTAGS)
1978 			myproposal[PROPOSAL_LANG_STOC] = xjoin(locales, ',');
1979 		else
1980 			myproposal[PROPOSAL_LANG_STOC] =
1981 				g11n_locales2langs(locales);
1982 	}
1983 
1984 	if (locales != NULL)
1985 		g11n_freelist(locales);
1986 
1987 	if ((myproposal[PROPOSAL_LANG_STOC] != NULL) ||
1988 	    (strcmp(myproposal[PROPOSAL_LANG_STOC], "")) != 0)
1989 		myproposal[PROPOSAL_LANG_CTOS] =
1990 			xstrdup(myproposal[PROPOSAL_LANG_STOC]);
1991 
1992 #ifdef GSSAPI
1993 	if (options.gss_keyex)
1994 		kex_hook = ssh_gssapi_server_kex_hook;
1995 #endif /* GSSAPI */
1996 
1997 	/* start key exchange */
1998 	kex = kex_setup(NULL, myproposal, kex_hook);
1999 
2000 	if (myproposal[PROPOSAL_LANG_STOC] != NULL)
2001 		xfree(myproposal[PROPOSAL_LANG_STOC]);
2002 	if (myproposal[PROPOSAL_LANG_CTOS] != NULL)
2003 		xfree(myproposal[PROPOSAL_LANG_CTOS]);
2004 
2005 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2006 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2007 #ifdef GSSAPI
2008 	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
2009 #endif /* GSSAPI */
2010 	kex->server = 1;
2011 	kex->client_version_string=client_version_string;
2012 	kex->server_version_string=server_version_string;
2013 	kex->load_host_key=&get_hostkey_by_type;
2014 	kex->host_key_index=&get_hostkey_index;
2015 
2016 	xxx_kex = kex;
2017 
2018 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2019 
2020 	if (kex->name) {
2021 		xfree(kex->name);
2022 		kex->name = NULL;
2023 	}
2024 	session_id2 = kex->session_id;
2025 	session_id2_len = kex->session_id_len;
2026 
2027 #ifdef DEBUG_KEXDH
2028 	/* send 1st encrypted/maced/compressed message */
2029 	packet_start(SSH2_MSG_IGNORE);
2030 	packet_put_cstring("markus");
2031 	packet_send();
2032 	packet_write_wait();
2033 #endif
2034 	debug("KEX done");
2035 }
2036