src/usr.bin/ssh/ssh.c - diff

Return to ssh.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh.c between version 1.190 and 1.190.2.2

version 1.190, 2003/02/06 09:27:29

version 1.190.2.2, 2004/03/04 18:18:16

Line 13

* called by a name other than "ssh" or "Secure Shell".

* Modified to work with SSL by Niels Provos <provos@citi.umich.edu>

* in Canada (German citizen).

Line 75

extern char *__progname;

/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.

Default value is AF_UNSPEC means both IPv4 and IPv6. */

int IPv4or6 = AF_UNSPEC;

/* Flag indicating whether debug mode is on. This can be set on the command line. */

int debug_flag = 0;

Line 154

Line 150

_PATH_SSH_USER_CONFFILE);

fprintf(stderr, " -A Enable authentication agent forwarding.\n");

fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");

#ifdef AFS

fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");

#endif /* AFS */

fprintf(stderr, " -X Enable X11 connection forwarding.\n");

fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n");

fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");

fprintf(stderr, " -i file Identity for public key authentication "

"(default: ~/.ssh/identity)\n");

Line 207

Line 201

int i, opt, exit_status;

u_short fwd_port, fwd_host_port;

char sfwd_port[6], sfwd_host_port[6];

char *p, *cp, buf[256];

char *p, *cp, *line, buf[256];

struct stat st;

struct passwd *pw;

int dummy;

Line 240

Line 234

/* Get user data. */

pw = getpwuid(original_real_uid);

if (!pw) {

log("You don't exist, go away!");

logit("You don't exist, go away!");

exit(1);

}

/* Take a copy of the returned structure. */

Line 262

Line 256

again:

while ((opt = getopt(ac, av,

"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) {

"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) {

switch (opt) {

case '1':

options.protocol = SSH_PROTO_1;

Line 271

Line 265

options.protocol = SSH_PROTO_2;

break;

case '4':

IPv4or6 = AF_INET;

options.address_family = AF_INET;

break;

case '6':

IPv4or6 = AF_INET6;

options.address_family = AF_INET6;

break;

case 'n':

stdin_null_flag = 1;

Line 289

Line 283

case 'X':

options.forward_x11 = 1;

break;

case 'Y':

options.forward_x11 = 1;

options.forward_x11_trusted = 1;

break;

case 'g':

options.gateway_ports = 1;

break;

Line 301

Line 299

case 'A':

options.forward_agent = 1;

break;

#ifdef AFS

case 'k':

options.kerberos_tgt_passing = 0;

options.gss_deleg_creds = 0;

options.afs_token_passing = 0;

break;

#endif

case 'i':

if (stat(optarg, &st) < 0) {

fprintf(stderr, "Warning: Identity file %s "

Line 333

Line 328

tty_flag = 1;

break;

case 'v':

if (0 == debug_flag) {

if (debug_flag == 0) {

debug_flag = 1;

options.log_level = SYSLOG_LEVEL_DEBUG1;

} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {

} else {

options.log_level++;

if (options.log_level < SYSLOG_LEVEL_DEBUG3)

options.log_level++;

break;

} else

}

fatal("Too high debugging level.");

/* fallthrough */

case 'V':

fprintf(stderr,

"%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n",

"%s, SSH protocols %d.%d/%d.%d, %s\n",

SSH_VERSION,

PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,

PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,

SSLeay());

SSLeay_version(SSLEAY_VERSION));

if (opt == 'V')

exit(0);

break;

Line 445

Line 440

optarg);

exit(1);

}

add_local_forward(&options, fwd_port, "socks4", 0);

add_local_forward(&options, fwd_port, "socks", 0);

break;

case 'C':

Line 460

Line 455

break;

case 'o':

dummy = 1;

line = xstrdup(optarg);

if (process_config_line(&options, host ? host : "",

optarg, "command-line", 0, &dummy) != 0)

line, "command-line", 0, &dummy) != 0)

exit(1);

xfree(line);

break;

case 's':

subsystem_flag = 1;

Line 505

Line 502

SSLeay_add_all_algorithms();

ERR_load_crypto_strings();

channel_set_af(IPv4or6);

/* Initialize the command to execute on remote host. */

buffer_init(&command);

Line 546

Line 542

/* Do not allocate a tty if stdin is not a tty. */

if (!isatty(fileno(stdin)) && !force_tty_flag) {

if (tty_flag)

log("Pseudo-terminal will not be allocated because stdin is not a terminal.");

logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");

tty_flag = 0;

}

Line 577

Line 573

/* Fill configuration defaults. */

fill_default_options(&options);

channel_set_af(options.address_family);

/* reinit */

log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);

Line 586

Line 584

if (options.hostname != NULL)

host = options.hostname;

/* force lowercase for hostkey matching */

if (options.host_key_alias != NULL) {

for (p = options.host_key_alias; *p; p++)

if (isupper(*p))

*p = tolower(*p);

}

if (options.proxy_command != NULL &&

strcmp(options.proxy_command, "none") == 0)

options.proxy_command = NULL;

/* Disable rhosts authentication if not running as root. */

if (original_effective_uid != 0 || !options.use_privileged_port) {

debug("Rhosts Authentication disabled, "

"originating port will not be trusted.");

options.rhosts_authentication = 0;

}

/* Open a connection to the remote host. */

if (ssh_connect(host, &hostaddr, options.port,

if (ssh_connect(host, &hostaddr, options.port, IPv4or6,

options.address_family, options.connection_attempts,

options.connection_attempts,

original_effective_uid == 0 && options.use_privileged_port,

options.proxy_command) != 0)

exit(1);

Line 706

Line 704

packet_close();

* Send SIGHUP to proxy command if used. We don't wait() in

* case it hangs and instead rely on init to reap the child

if (proxy_command_pid > 1)

Line 715

Line 713

return exit_status;

}

#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"

static void

x11_get_proto(char **_proto, char **_data)

{

char cmd[1024];

char line[512];

char xdisplay[512];

static char proto[512], data[512];

FILE *f;

int got_data = 0, i;

int got_data = 0, generated = 0, do_unlink = 0, i;

char *display;

char *display, *xauthdir, *xauthfile;

struct stat st;

xauthdir = xauthfile = NULL;

*_proto = proto;

*_data = data;

proto[0] = data[0] = '\0';

if (!options.xauth_location ||

(stat(options.xauth_location, &st) == -1)) {

debug("No xauth program.");

Line 736

Line 740

debug("x11_get_proto: DISPLAY not set");

return;

}

/* Try to get Xauthority information for the display. */

if (strncmp(display, "localhost:", 10) == 0)

* Handle FamilyLocal case where $DISPLAY does

* not match an authorization entry. For this we

* Handle FamilyLocal case where $DISPLAY does

* just try "xauth list unix:displaynum.screennum".

* not match an authorization entry. For this we

* XXX: "localhost" match to determine FamilyLocal

* just try "xauth list unix:displaynum.screennum".

* is not perfect.

* XXX: "localhost" match to determine FamilyLocal

* is not perfect.

if (strncmp(display, "localhost:", 10) == 0) {

snprintf(xdisplay, sizeof(xdisplay), "unix:%s",

snprintf(line, sizeof line, "%s list unix:%s 2>"

display + 10);

_PATH_DEVNULL, options.xauth_location, display+10);

display = xdisplay;

else

}

snprintf(line, sizeof line, "%s list %.200s 2>"

if (options.forward_x11_trusted == 0) {

_PATH_DEVNULL, options.xauth_location, display);

xauthdir = xmalloc(MAXPATHLEN);

debug2("x11_get_proto: %s", line);

xauthfile = xmalloc(MAXPATHLEN);

f = popen(line, "r");

strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);

if (mkdtemp(xauthdir) != NULL) {

do_unlink = 1;

snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",

xauthdir);

snprintf(cmd, sizeof(cmd),

"%s -f %s generate %s " SSH_X11_PROTO

" untrusted timeout 120 2>" _PATH_DEVNULL,

options.xauth_location, xauthfile, display);

debug2("x11_get_proto: %s", cmd);

if (system(cmd) == 0)

generated = 1;

}

snprintf(cmd, sizeof(cmd),

"%s %s%s list %s . 2>" _PATH_DEVNULL,

options.xauth_location,

generated ? "-f " : "" ,

generated ? xauthfile : "",

display);

debug2("x11_get_proto: %s", cmd);

f = popen(cmd, "r");

if (f && fgets(line, sizeof(line), f) &&

sscanf(line, "%*s %511s %511s", proto, data) == 2)

got_data = 1;

if (f)

pclose(f);

}

if (do_unlink) {

unlink(xauthfile);

rmdir(xauthdir);

}

if (xauthdir)

xfree(xauthdir);

if (xauthfile)

xfree(xauthfile);

* If we didn't get authentication data, just make up some

* data. The forwarding code will check the validity of the

Line 769

Line 804

if (!got_data) {

u_int32_t rand = 0;

log("Warning: No xauth data; using fake authentication data for X11 forwarding.");

logit("Warning: No xauth data; "

strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);

"using fake authentication data for X11 forwarding.");

strlcpy(proto, SSH_X11_PROTO, sizeof proto);

for (i = 0; i < 16; i++) {

if (i % 4 == 0)

rand = arc4random();

snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff);

snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",

rand & 0xff);

rand >>= 8;

}

Line 849

Line 886

if (type == SSH_SMSG_SUCCESS)

packet_start_compression(options.compression_level);

else if (type == SSH_SMSG_FAILURE)

log("Warning: Remote host refused compression.");

logit("Warning: Remote host refused compression.");

else

packet_disconnect("Protocol error waiting for compression response.");

}

Line 888

Line 925

interactive = 1;

have_tty = 1;

} else if (type == SSH_SMSG_FAILURE)

log("Warning: Remote host failed or refused to allocate a pseudo tty.");

logit("Warning: Remote host failed or refused to allocate a pseudo tty.");

else

packet_disconnect("Protocol error waiting for pty request response.");

}

Line 906

Line 943

if (type == SSH_SMSG_SUCCESS) {

interactive = 1;

} else if (type == SSH_SMSG_FAILURE) {

log("Warning: Remote host denied X11 forwarding.");

logit("Warning: Remote host denied X11 forwarding.");

} else {

packet_disconnect("Protocol error waiting for X11 forwarding");

}

Line 925

Line 962

type = packet_read();

packet_check_eom();

if (type != SSH_SMSG_SUCCESS)

log("Warning: Remote host denied authentication agent forwarding.");

logit("Warning: Remote host denied authentication agent forwarding.");

}

/* Initiate port forwardings. */

Line 977

Line 1014

}

void

client_global_request_reply(int type, u_int32_t seq, void *ctxt)

client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt)

{

int i;

i = client_global_request_id++;

if (i >= options.num_remote_forwards) {

if (i >= options.num_remote_forwards)

debug("client_global_request_reply: too many replies %d > %d",

i, options.num_remote_forwards);

return;

}

debug("remote forward %s for: listen %d, connect %s:%d",

type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",

options.remote_forwards[i].port,

options.remote_forwards[i].host,

options.remote_forwards[i].host_port);

if (type == SSH2_MSG_REQUEST_FAILURE)

log("Warning: remote port forwarding failed for listen port %d",

logit("Warning: remote port forwarding failed for listen port %d",

options.remote_forwards[i].port);

}

Line 1108

Line 1142

c = channel_new(

"session", SSH_CHANNEL_OPENING, in, out, err,

window, packetmax, CHAN_EXTENDED_WRITE,

xstrdup("client-session"), /*nonblock*/0);

"client-session", /*nonblock*/0);

debug3("ssh_session2_open: channel_new: %d", c->self);

Line 1160

Line 1194

sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));

options.num_identity_files++;

options.identity_keys[0] = keys[i];

options.identity_files[0] = xstrdup("smartcard key");;

options.identity_files[0] = sc_get_key_label(keys[i]);

}

if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)

options.num_identity_files = SSH_MAX_IDENTITY_FILES;