version 1.190.2.2, 2004/03/04 18:18:16 |
version 1.191, 2003/04/08 20:21:29 |
|
|
* called by a name other than "ssh" or "Secure Shell". |
* called by a name other than "ssh" or "Secure Shell". |
* |
* |
* Copyright (c) 1999 Niels Provos. All rights reserved. |
* Copyright (c) 1999 Niels Provos. All rights reserved. |
* Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved. |
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. |
* |
* |
* Modified to work with SSL by Niels Provos <provos@citi.umich.edu> |
* Modified to work with SSL by Niels Provos <provos@citi.umich.edu> |
* in Canada (German citizen). |
* in Canada (German citizen). |
|
|
|
|
extern char *__progname; |
extern char *__progname; |
|
|
|
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. |
|
Default value is AF_UNSPEC means both IPv4 and IPv6. */ |
|
int IPv4or6 = AF_UNSPEC; |
|
|
/* Flag indicating whether debug mode is on. This can be set on the command line. */ |
/* Flag indicating whether debug mode is on. This can be set on the command line. */ |
int debug_flag = 0; |
int debug_flag = 0; |
|
|
|
|
_PATH_SSH_USER_CONFFILE); |
_PATH_SSH_USER_CONFFILE); |
fprintf(stderr, " -A Enable authentication agent forwarding.\n"); |
fprintf(stderr, " -A Enable authentication agent forwarding.\n"); |
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); |
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); |
|
#ifdef AFS |
|
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); |
|
#endif /* AFS */ |
fprintf(stderr, " -X Enable X11 connection forwarding.\n"); |
fprintf(stderr, " -X Enable X11 connection forwarding.\n"); |
fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n"); |
|
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); |
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); |
fprintf(stderr, " -i file Identity for public key authentication " |
fprintf(stderr, " -i file Identity for public key authentication " |
"(default: ~/.ssh/identity)\n"); |
"(default: ~/.ssh/identity)\n"); |
|
|
int i, opt, exit_status; |
int i, opt, exit_status; |
u_short fwd_port, fwd_host_port; |
u_short fwd_port, fwd_host_port; |
char sfwd_port[6], sfwd_host_port[6]; |
char sfwd_port[6], sfwd_host_port[6]; |
char *p, *cp, *line, buf[256]; |
char *p, *cp, buf[256]; |
struct stat st; |
struct stat st; |
struct passwd *pw; |
struct passwd *pw; |
int dummy; |
int dummy; |
|
|
|
|
again: |
again: |
while ((opt = getopt(ac, av, |
while ((opt = getopt(ac, av, |
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) { |
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { |
switch (opt) { |
switch (opt) { |
case '1': |
case '1': |
options.protocol = SSH_PROTO_1; |
options.protocol = SSH_PROTO_1; |
|
|
options.protocol = SSH_PROTO_2; |
options.protocol = SSH_PROTO_2; |
break; |
break; |
case '4': |
case '4': |
options.address_family = AF_INET; |
IPv4or6 = AF_INET; |
break; |
break; |
case '6': |
case '6': |
options.address_family = AF_INET6; |
IPv4or6 = AF_INET6; |
break; |
break; |
case 'n': |
case 'n': |
stdin_null_flag = 1; |
stdin_null_flag = 1; |
|
|
case 'X': |
case 'X': |
options.forward_x11 = 1; |
options.forward_x11 = 1; |
break; |
break; |
case 'Y': |
|
options.forward_x11 = 1; |
|
options.forward_x11_trusted = 1; |
|
break; |
|
case 'g': |
case 'g': |
options.gateway_ports = 1; |
options.gateway_ports = 1; |
break; |
break; |
|
|
case 'A': |
case 'A': |
options.forward_agent = 1; |
options.forward_agent = 1; |
break; |
break; |
|
#ifdef AFS |
case 'k': |
case 'k': |
options.gss_deleg_creds = 0; |
options.kerberos_tgt_passing = 0; |
|
options.afs_token_passing = 0; |
break; |
break; |
|
#endif |
case 'i': |
case 'i': |
if (stat(optarg, &st) < 0) { |
if (stat(optarg, &st) < 0) { |
fprintf(stderr, "Warning: Identity file %s " |
fprintf(stderr, "Warning: Identity file %s " |
|
|
tty_flag = 1; |
tty_flag = 1; |
break; |
break; |
case 'v': |
case 'v': |
if (debug_flag == 0) { |
if (0 == debug_flag) { |
debug_flag = 1; |
debug_flag = 1; |
options.log_level = SYSLOG_LEVEL_DEBUG1; |
options.log_level = SYSLOG_LEVEL_DEBUG1; |
} else { |
} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) { |
if (options.log_level < SYSLOG_LEVEL_DEBUG3) |
options.log_level++; |
options.log_level++; |
|
break; |
break; |
} |
} else |
|
fatal("Too high debugging level."); |
/* fallthrough */ |
/* fallthrough */ |
case 'V': |
case 'V': |
fprintf(stderr, |
fprintf(stderr, |
"%s, SSH protocols %d.%d/%d.%d, %s\n", |
"%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n", |
SSH_VERSION, |
SSH_VERSION, |
PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, |
PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, |
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, |
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, |
SSLeay_version(SSLEAY_VERSION)); |
SSLeay()); |
if (opt == 'V') |
if (opt == 'V') |
exit(0); |
exit(0); |
break; |
break; |
|
|
optarg); |
optarg); |
exit(1); |
exit(1); |
} |
} |
add_local_forward(&options, fwd_port, "socks", 0); |
add_local_forward(&options, fwd_port, "socks4", 0); |
break; |
break; |
|
|
case 'C': |
case 'C': |
|
|
break; |
break; |
case 'o': |
case 'o': |
dummy = 1; |
dummy = 1; |
line = xstrdup(optarg); |
|
if (process_config_line(&options, host ? host : "", |
if (process_config_line(&options, host ? host : "", |
line, "command-line", 0, &dummy) != 0) |
optarg, "command-line", 0, &dummy) != 0) |
exit(1); |
exit(1); |
xfree(line); |
|
break; |
break; |
case 's': |
case 's': |
subsystem_flag = 1; |
subsystem_flag = 1; |
|
|
|
|
SSLeay_add_all_algorithms(); |
SSLeay_add_all_algorithms(); |
ERR_load_crypto_strings(); |
ERR_load_crypto_strings(); |
|
channel_set_af(IPv4or6); |
|
|
/* Initialize the command to execute on remote host. */ |
/* Initialize the command to execute on remote host. */ |
buffer_init(&command); |
buffer_init(&command); |
|
|
/* Fill configuration defaults. */ |
/* Fill configuration defaults. */ |
fill_default_options(&options); |
fill_default_options(&options); |
|
|
channel_set_af(options.address_family); |
|
|
|
/* reinit */ |
/* reinit */ |
log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); |
log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); |
|
|
|
|
if (options.hostname != NULL) |
if (options.hostname != NULL) |
host = options.hostname; |
host = options.hostname; |
|
|
/* force lowercase for hostkey matching */ |
|
if (options.host_key_alias != NULL) { |
|
for (p = options.host_key_alias; *p; p++) |
|
if (isupper(*p)) |
|
*p = tolower(*p); |
|
} |
|
|
|
if (options.proxy_command != NULL && |
if (options.proxy_command != NULL && |
strcmp(options.proxy_command, "none") == 0) |
strcmp(options.proxy_command, "none") == 0) |
options.proxy_command = NULL; |
options.proxy_command = NULL; |
|
|
|
/* Disable rhosts authentication if not running as root. */ |
|
if (original_effective_uid != 0 || !options.use_privileged_port) { |
|
debug("Rhosts Authentication disabled, " |
|
"originating port will not be trusted."); |
|
options.rhosts_authentication = 0; |
|
} |
/* Open a connection to the remote host. */ |
/* Open a connection to the remote host. */ |
if (ssh_connect(host, &hostaddr, options.port, |
|
options.address_family, options.connection_attempts, |
if (ssh_connect(host, &hostaddr, options.port, IPv4or6, |
|
options.connection_attempts, |
original_effective_uid == 0 && options.use_privileged_port, |
original_effective_uid == 0 && options.use_privileged_port, |
options.proxy_command) != 0) |
options.proxy_command) != 0) |
exit(1); |
exit(1); |
|
|
packet_close(); |
packet_close(); |
|
|
/* |
/* |
* Send SIGHUP to proxy command if used. We don't wait() in |
* Send SIGHUP to proxy command if used. We don't wait() in |
* case it hangs and instead rely on init to reap the child |
* case it hangs and instead rely on init to reap the child |
*/ |
*/ |
if (proxy_command_pid > 1) |
if (proxy_command_pid > 1) |
|
|
return exit_status; |
return exit_status; |
} |
} |
|
|
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" |
|
|
|
static void |
static void |
x11_get_proto(char **_proto, char **_data) |
x11_get_proto(char **_proto, char **_data) |
{ |
{ |
char cmd[1024]; |
|
char line[512]; |
char line[512]; |
char xdisplay[512]; |
|
static char proto[512], data[512]; |
static char proto[512], data[512]; |
FILE *f; |
FILE *f; |
int got_data = 0, generated = 0, do_unlink = 0, i; |
int got_data = 0, i; |
char *display, *xauthdir, *xauthfile; |
char *display; |
struct stat st; |
struct stat st; |
|
|
xauthdir = xauthfile = NULL; |
|
*_proto = proto; |
*_proto = proto; |
*_data = data; |
*_data = data; |
proto[0] = data[0] = '\0'; |
proto[0] = data[0] = '\0'; |
|
|
if (!options.xauth_location || |
if (!options.xauth_location || |
(stat(options.xauth_location, &st) == -1)) { |
(stat(options.xauth_location, &st) == -1)) { |
debug("No xauth program."); |
debug("No xauth program."); |
|
|
debug("x11_get_proto: DISPLAY not set"); |
debug("x11_get_proto: DISPLAY not set"); |
return; |
return; |
} |
} |
/* |
/* Try to get Xauthority information for the display. */ |
* Handle FamilyLocal case where $DISPLAY does |
if (strncmp(display, "localhost:", 10) == 0) |
* not match an authorization entry. For this we |
/* |
* just try "xauth list unix:displaynum.screennum". |
* Handle FamilyLocal case where $DISPLAY does |
* XXX: "localhost" match to determine FamilyLocal |
* not match an authorization entry. For this we |
* is not perfect. |
* just try "xauth list unix:displaynum.screennum". |
*/ |
* XXX: "localhost" match to determine FamilyLocal |
if (strncmp(display, "localhost:", 10) == 0) { |
* is not perfect. |
snprintf(xdisplay, sizeof(xdisplay), "unix:%s", |
*/ |
display + 10); |
snprintf(line, sizeof line, "%s list unix:%s 2>" |
display = xdisplay; |
_PATH_DEVNULL, options.xauth_location, display+10); |
} |
else |
if (options.forward_x11_trusted == 0) { |
snprintf(line, sizeof line, "%s list %.200s 2>" |
xauthdir = xmalloc(MAXPATHLEN); |
_PATH_DEVNULL, options.xauth_location, display); |
xauthfile = xmalloc(MAXPATHLEN); |
debug2("x11_get_proto: %s", line); |
strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); |
f = popen(line, "r"); |
if (mkdtemp(xauthdir) != NULL) { |
|
do_unlink = 1; |
|
snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", |
|
xauthdir); |
|
snprintf(cmd, sizeof(cmd), |
|
"%s -f %s generate %s " SSH_X11_PROTO |
|
" untrusted timeout 120 2>" _PATH_DEVNULL, |
|
options.xauth_location, xauthfile, display); |
|
debug2("x11_get_proto: %s", cmd); |
|
if (system(cmd) == 0) |
|
generated = 1; |
|
} |
|
} |
|
snprintf(cmd, sizeof(cmd), |
|
"%s %s%s list %s . 2>" _PATH_DEVNULL, |
|
options.xauth_location, |
|
generated ? "-f " : "" , |
|
generated ? xauthfile : "", |
|
display); |
|
debug2("x11_get_proto: %s", cmd); |
|
f = popen(cmd, "r"); |
|
if (f && fgets(line, sizeof(line), f) && |
if (f && fgets(line, sizeof(line), f) && |
sscanf(line, "%*s %511s %511s", proto, data) == 2) |
sscanf(line, "%*s %511s %511s", proto, data) == 2) |
got_data = 1; |
got_data = 1; |
if (f) |
if (f) |
pclose(f); |
pclose(f); |
} |
} |
|
|
if (do_unlink) { |
|
unlink(xauthfile); |
|
rmdir(xauthdir); |
|
} |
|
if (xauthdir) |
|
xfree(xauthdir); |
|
if (xauthfile) |
|
xfree(xauthfile); |
|
|
|
/* |
/* |
* If we didn't get authentication data, just make up some |
* If we didn't get authentication data, just make up some |
* data. The forwarding code will check the validity of the |
* data. The forwarding code will check the validity of the |
|
|
if (!got_data) { |
if (!got_data) { |
u_int32_t rand = 0; |
u_int32_t rand = 0; |
|
|
logit("Warning: No xauth data; " |
logit("Warning: No xauth data; using fake authentication data for X11 forwarding."); |
"using fake authentication data for X11 forwarding."); |
strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); |
strlcpy(proto, SSH_X11_PROTO, sizeof proto); |
|
for (i = 0; i < 16; i++) { |
for (i = 0; i < 16; i++) { |
if (i % 4 == 0) |
if (i % 4 == 0) |
rand = arc4random(); |
rand = arc4random(); |
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", |
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff); |
rand & 0xff); |
|
rand >>= 8; |
rand >>= 8; |
} |
} |
} |
} |
|
|
} |
} |
|
|
void |
void |
client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt) |
client_global_request_reply(int type, u_int32_t seq, void *ctxt) |
{ |
{ |
int i; |
int i; |
|
|
i = client_global_request_id++; |
i = client_global_request_id++; |
if (i >= options.num_remote_forwards) |
if (i >= options.num_remote_forwards) { |
|
debug("client_global_request_reply: too many replies %d > %d", |
|
i, options.num_remote_forwards); |
return; |
return; |
|
} |
debug("remote forward %s for: listen %d, connect %s:%d", |
debug("remote forward %s for: listen %d, connect %s:%d", |
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", |
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", |
options.remote_forwards[i].port, |
options.remote_forwards[i].port, |
|
|
c = channel_new( |
c = channel_new( |
"session", SSH_CHANNEL_OPENING, in, out, err, |
"session", SSH_CHANNEL_OPENING, in, out, err, |
window, packetmax, CHAN_EXTENDED_WRITE, |
window, packetmax, CHAN_EXTENDED_WRITE, |
"client-session", /*nonblock*/0); |
xstrdup("client-session"), /*nonblock*/0); |
|
|
debug3("ssh_session2_open: channel_new: %d", c->self); |
debug3("ssh_session2_open: channel_new: %d", c->self); |
|
|
|
|
sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); |
sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); |
options.num_identity_files++; |
options.num_identity_files++; |
options.identity_keys[0] = keys[i]; |
options.identity_keys[0] = keys[i]; |
options.identity_files[0] = sc_get_key_label(keys[i]); |
options.identity_files[0] = xstrdup("smartcard key");; |
} |
} |
if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) |
if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) |
options.num_identity_files = SSH_MAX_IDENTITY_FILES; |
options.num_identity_files = SSH_MAX_IDENTITY_FILES; |