src/usr.bin/ssh/monitor.c - diff

Return to monitor.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/monitor.c between version 1.49.2.2 and 1.50

version 1.49.2.2, 2004/08/19 22:37:31

version 1.50, 2003/09/23 20:17:11

Line 57

#include "bufaux.h"

#include "compat.h"

#include "ssh2.h"

#include "mpaux.h"

#ifdef GSSAPI

#include "ssh-gss.h"

Line 73

Line 74

extern Buffer input, output;

extern Buffer auth_debug;

extern int auth_debug_init;

extern Buffer loginmsg;

/* State exported from the child */

Line 125

int mm_answer_gss_setup_ctx(int, Buffer *);

int mm_answer_gss_accept_ctx(int, Buffer *);

int mm_answer_gss_userok(int, Buffer *);

int mm_answer_gss_checkmic(int, Buffer *);

#endif

static Authctxt *authctxt;

Line 177

Line 176

{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},

{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},

{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},

{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},

#endif

{0, 0, NULL}

};

Line 308

Line 306

}

static void

monitor_child_handler(int sig)

monitor_child_handler(int signal)

{

kill(monitor_child_pid, sig);

kill(monitor_child_pid, signal);

}

void

Line 425

Line 423

}

int

mm_answer_moduli(int sock, Buffer *m)

mm_answer_moduli(int socket, Buffer *m)

{

DH *dh;

int min, want, max;

Line 455

Line 453

DH_free(dh);

}

mm_request_send(sock, MONITOR_ANS_MODULI, m);

mm_request_send(socket, MONITOR_ANS_MODULI, m);

return (0);

}

int

mm_answer_sign(int sock, Buffer *m)

mm_answer_sign(int socket, Buffer *m)

{

Key *key;

u_char *p;

Line 496

Line 494

xfree(p);

xfree(signature);

mm_request_send(sock, MONITOR_ANS_SIGN, m);

mm_request_send(socket, MONITOR_ANS_SIGN, m);

/* Turn on permissions for getpwnam */

monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);

Line 507

Line 505

/* Retrieves the password entry and also checks if the user is permitted */

int

mm_answer_pwnamallow(int sock, Buffer *m)

mm_answer_pwnamallow(int socket, Buffer *m)

{

char *username;

char *login;

struct passwd *pwent;

int allowed = 0;

Line 518

Line 516

if (authctxt->attempt++ != 0)

fatal("%s: multiple attempts for getpwnam", __func__);

username = buffer_get_string(m, NULL);

pwent = getpwnamallow(username);

pwent = getpwnamallow(login);

authctxt->user = xstrdup(username);

authctxt->user = xstrdup(login);

setproctitle("%s [priv]", pwent ? username : "unknown");

setproctitle("%s [priv]", pwent ? login : "unknown");

xfree(username);

xfree(login);

buffer_clear(m);

if (pwent == NULL) {

buffer_put_char(m, 0);

authctxt->pw = fakepw();

goto out;

}

Line 549

Line 546

out:

debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);

mm_request_send(sock, MONITOR_ANS_PWNAM, m);

mm_request_send(socket, MONITOR_ANS_PWNAM, m);

/* For SSHv1 allow authentication now */

if (!compat20)

Line 564

Line 561

return (0);

}

int mm_answer_auth2_read_banner(int sock, Buffer *m)

int mm_answer_auth2_read_banner(int socket, Buffer *m)

{

char *banner;

buffer_clear(m);

banner = auth2_read_banner();

buffer_put_cstring(m, banner != NULL ? banner : "");

mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);

mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);

if (banner != NULL)

xfree(banner);

Line 580

Line 577

}

int

mm_answer_authserv(int sock, Buffer *m)

mm_answer_authserv(int socket, Buffer *m)

{

monitor_permit_authentications(1);

Line 598

Line 595

}

int

mm_answer_authpassword(int sock, Buffer *m)

mm_answer_authpassword(int socket, Buffer *m)

{

static int call_count;

char *passwd;

Line 616

Line 613

buffer_put_int(m, authenticated);

debug3("%s: sending result %d", __func__, authenticated);

mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);

mm_request_send(socket, MONITOR_ANS_AUTHPASSWORD, m);

call_count++;

if (plen == 0 && call_count == 1)

Line 630

Line 627

#ifdef BSD_AUTH

int

mm_answer_bsdauthquery(int sock, Buffer *m)

mm_answer_bsdauthquery(int socket, Buffer *m)

{

char *name, *infotxt;

u_int numprompts;

Line 647

Line 644

buffer_put_cstring(m, prompts[0]);

debug3("%s: sending challenge success: %u", __func__, success);

mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);

mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);

if (success) {

xfree(name);

Line 660

Line 657

}

int

mm_answer_bsdauthrespond(int sock, Buffer *m)

mm_answer_bsdauthrespond(int socket, Buffer *m)

{

char *response;

int authok;

Line 679

Line 676

buffer_put_int(m, authok);

debug3("%s: sending authenticated: %d", __func__, authok);

mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);

mm_request_send(socket, MONITOR_ANS_BSDAUTHRESPOND, m);

auth_method = "bsdauth";

Line 689

Line 686

#ifdef SKEY

int

mm_answer_skeyquery(int sock, Buffer *m)

mm_answer_skeyquery(int socket, Buffer *m)

{

struct skey skey;

char challenge[1024];

Line 703

Line 700

buffer_put_cstring(m, challenge);

debug3("%s: sending challenge success: %u", __func__, success);

mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);

mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);

return (0);

}

int

mm_answer_skeyrespond(int sock, Buffer *m)

mm_answer_skeyrespond(int socket, Buffer *m)

{

char *response;

int authok;

Line 727

Line 724

buffer_put_int(m, authok);

debug3("%s: sending authenticated: %d", __func__, authok);

mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);

mm_request_send(socket, MONITOR_ANS_SKEYRESPOND, m);

auth_method = "skey";

Line 747

Line 744

}

int

mm_answer_keyallowed(int sock, Buffer *m)

mm_answer_keyallowed(int socket, Buffer *m)

{

Key *key;

char *cuser, *chost;

Line 771

Line 768

debug3("%s: key_from_blob: %p", __func__, key);

if (key != NULL && authctxt->valid) {

if (key != NULL && authctxt->pw != NULL) {

switch(type) {

case MM_USERKEY:

allowed = options.pubkey_authentication &&

Line 817

Line 814

mm_append_debug(m);

mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);

mm_request_send(socket, MONITOR_ANS_KEYALLOWED, m);

if (type == MM_RSAHOSTKEY)

monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);

Line 938

Line 935

}

int

mm_answer_keyverify(int sock, Buffer *m)

mm_answer_keyverify(int socket, Buffer *m)

{

Key *key;

u_char *signature, *data, *blob;

Line 988

Line 985

buffer_clear(m);

buffer_put_int(m, verified);

mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);

mm_request_send(socket, MONITOR_ANS_KEYVERIFY, m);

return (verified);

}

Line 1030

Line 1027

}

int

mm_answer_pty(int sock, Buffer *m)

mm_answer_pty(int socket, Buffer *m)

{

extern struct monitor *pmonitor;

Session *s;

Line 1052

Line 1049

buffer_put_int(m, 1);

buffer_put_cstring(m, s->tty);

mm_request_send(socket, MONITOR_ANS_PTY, m);

mm_send_fd(socket, s->ptyfd);

mm_send_fd(socket, s->ttyfd);

/* We need to trick ttyslot */

if (dup2(s->ttyfd, 0) == -1)

fatal("%s: dup2", __func__);

Line 1062

Line 1063

/* Now we can close the file descriptor again */

close(0);

/* send messages generated by record_login */

buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));

buffer_clear(&loginmsg);

mm_request_send(sock, MONITOR_ANS_PTY, m);

mm_send_fd(sock, s->ptyfd);

mm_send_fd(sock, s->ttyfd);

/* make sure nothing uses fd 0 */

if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)

fatal("%s: open(/dev/null): %s", __func__, strerror(errno));

Line 1091

Line 1083

if (s != NULL)

mm_session_close(s);

buffer_put_int(m, 0);

mm_request_send(sock, MONITOR_ANS_PTY, m);

mm_request_send(socket, MONITOR_ANS_PTY, m);

return (0);

}

int

mm_answer_pty_cleanup(int sock, Buffer *m)

mm_answer_pty_cleanup(int socket, Buffer *m)

{

Session *s;

char *tty;

Line 1112

Line 1104

}

int

mm_answer_sesskey(int sock, Buffer *m)

mm_answer_sesskey(int socket, Buffer *m)

{

BIGNUM *p;

int rsafail;

Line 1133

Line 1125

BN_clear_free(p);

mm_request_send(sock, MONITOR_ANS_SESSKEY, m);

mm_request_send(socket, MONITOR_ANS_SESSKEY, m);

/* Turn on permissions for sessid passing */

monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);

Line 1142

Line 1134

}

int

mm_answer_sessid(int sock, Buffer *m)

mm_answer_sessid(int socket, Buffer *m)

{

int i;

Line 1160

Line 1152

}

int

mm_answer_rsa_keyallowed(int sock, Buffer *m)

mm_answer_rsa_keyallowed(int socket, Buffer *m)

{

BIGNUM *client_n;

Key *key = NULL;

Line 1200

Line 1192

mm_append_debug(m);

mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);

mm_request_send(socket, MONITOR_ANS_RSAKEYALLOWED, m);

monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);

monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);

Line 1208

Line 1200

}

int

mm_answer_rsa_challenge(int sock, Buffer *m)

mm_answer_rsa_challenge(int socket, Buffer *m)

{

Key *key = NULL;

u_char *blob;

Line 1234

Line 1226

buffer_put_bignum2(m, ssh1_challenge);

debug3("%s sending reply", __func__);

mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);

mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);

monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);

Line 1244

Line 1236

}

int

mm_answer_rsa_response(int sock, Buffer *m)

mm_answer_rsa_response(int socket, Buffer *m)

{

Key *key = NULL;

u_char *blob, *response;

Line 1283

Line 1275

buffer_clear(m);

buffer_put_int(m, success);

mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);

mm_request_send(socket, MONITOR_ANS_RSARESPONSE, m);

return (success);

}

int

mm_answer_term(int sock, Buffer *req)

mm_answer_term(int socket, Buffer *req)

{

extern struct monitor *pmonitor;

int res, status;

Line 1306

Line 1298

res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;

/* Terminate process */

exit(res);

exit (res);

}

void

Line 1373

Line 1365

fatal("mm_get_get: internal error: bad session id");

kex->we_need = buffer_get_int(m);

kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;

kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;

kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;

kex->server = 1;

kex->hostkey_type = buffer_get_int(m);

Line 1531

Line 1522

mon = xmalloc(sizeof(*mon));

mon->m_pid = 0;

monitor_socketpair(pair);

mon->m_recvfd = pair[0];

Line 1562

Line 1552

#ifdef GSSAPI

int

mm_answer_gss_setup_ctx(int sock, Buffer *m)

mm_answer_gss_setup_ctx(int socket, Buffer *m)

{

gss_OID_desc goid;

gss_OID_desc oid;

OM_uint32 major;

u_int len;

goid.elements = buffer_get_string(m, &len);

oid.elements = buffer_get_string(m, &len);

goid.length = len;

oid.length = len;

major = ssh_gssapi_server_ctx(&gsscontext, &goid);

major = ssh_gssapi_server_ctx(&gsscontext, &oid);

xfree(goid.elements);

xfree(oid.elements);

buffer_clear(m);

buffer_put_int(m, major);

mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);

mm_request_send(socket,MONITOR_ANS_GSSSETUP, m);

/* Now we have a context, enable the step */

monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);

Line 1587

Line 1577

}

int

mm_answer_gss_accept_ctx(int sock, Buffer *m)

mm_answer_gss_accept_ctx(int socket, Buffer *m)

{

gss_buffer_desc in;

gss_buffer_desc out = GSS_C_EMPTY_BUFFER;

Line 1604

Line 1594

buffer_put_int(m, major);

buffer_put_string(m, out.value, out.length);

buffer_put_int(m, flags);

mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);

mm_request_send(socket, MONITOR_ANS_GSSSTEP, m);

gss_release_buffer(&minor, &out);

/* Complete - now we can do signing */

if (major==GSS_S_COMPLETE) {

monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);

monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);

monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);

}

return (0);

}

int

mm_answer_gss_checkmic(int sock, Buffer *m)

mm_answer_gss_userok(int socket, Buffer *m)

{

gss_buffer_desc gssbuf, mic;

OM_uint32 ret;

u_int len;

gssbuf.value = buffer_get_string(m, &len);

gssbuf.length = len;

mic.value = buffer_get_string(m, &len);

mic.length = len;

ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);

xfree(gssbuf.value);

xfree(mic.value);

buffer_clear(m);

buffer_put_int(m, ret);

mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);

if (!GSS_ERROR(ret))

monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);

return (0);

}

int

mm_answer_gss_userok(int sock, Buffer *m)

{

int authenticated;

authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);

Line 1655

Line 1617

buffer_put_int(m, authenticated);

debug3("%s: sending result %d", __func__, authenticated);

mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);

mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);

auth_method="gssapi-with-mic";

auth_method="gssapi";

/* Monitor loop will terminate if authenticated */

return (authenticated);