=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh.c,v retrieving revision 1.147.2.5 retrieving revision 1.148 diff -u -r1.147.2.5 -r1.148 --- src/usr.bin/ssh/ssh.c 2002/10/11 14:53:07 1.147.2.5 +++ src/usr.bin/ssh/ssh.c 2001/10/24 08:41:20 1.148 @@ -13,7 +13,6 @@ * called by a name other than "ssh" or "Secure Shell". * * Copyright (c) 1999 Niels Provos. All rights reserved. - * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. * * Modified to work with SSL by Niels Provos * in Canada (German citizen). @@ -40,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.147.2.5 2002/10/11 14:53:07 miod Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.148 2001/10/24 08:41:20 markus Exp $"); #include #include @@ -53,6 +52,7 @@ #include "xmalloc.h" #include "packet.h" #include "buffer.h" +#include "uidswap.h" #include "channels.h" #include "key.h" #include "authfd.h" @@ -70,6 +70,7 @@ #include "sshtty.h" #ifdef SMARTCARD +#include #include "scard.h" #endif @@ -98,7 +99,7 @@ /* * Flag indicating that ssh should fork after authentication. This is useful - * so that the passphrase can be entered manually, and then ssh goes to the + * so that the pasphrase can be entered manually, and then ssh goes to the * background. */ int fork_after_authentication_flag = 0; @@ -123,11 +124,13 @@ struct sockaddr_storage hostaddr; /* Private host keys. */ -Sensitive sensitive_data; +struct { + Key **keys; + int nkeys; +} sensitive_data; /* Original real UID. */ uid_t original_real_uid; -uid_t original_effective_uid; /* command to be executed */ Buffer command; @@ -135,12 +138,6 @@ /* Should we execute a command or invoke a subsystem? */ int subsystem_flag = 0; -/* # of replies received for global requests */ -static int client_global_request_id = 0; - -/* pid of proxycommand child process */ -pid_t proxy_command_pid = 0; - /* Prints a help message to the user. This function never returns. */ static void @@ -169,6 +166,7 @@ fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); fprintf(stderr, " Multiple -v increases verbosity.\n"); fprintf(stderr, " -V Display version number only.\n"); + fprintf(stderr, " -P Don't allocate a privileged port.\n"); fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); fprintf(stderr, " -f Fork into background after authentication.\n"); fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); @@ -194,6 +192,44 @@ exit(1); } +/* + * Connects to the given host using rsh (or prints an error message and exits + * if rsh is not available). This function never returns. + */ +static void +rsh_connect(char *host, char *user, Buffer * command) +{ + char *args[10]; + int i; + + log("Using rsh. WARNING: Connection will not be encrypted."); + /* Build argument list for rsh. */ + i = 0; + args[i++] = _PATH_RSH; + /* host may have to come after user on some systems */ + args[i++] = host; + if (user) { + args[i++] = "-l"; + args[i++] = user; + } + if (buffer_len(command) > 0) { + buffer_append(command, "\0", 1); + args[i++] = buffer_ptr(command); + } + args[i++] = NULL; + if (debug_flag) { + for (i = 0; args[i]; i++) { + if (i != 0) + fprintf(stderr, " "); + fprintf(stderr, "%s", args[i]); + } + fprintf(stderr, "\n"); + } + execv(_PATH_RSH, args); + perror(_PATH_RSH); + exit(1); +} + static int ssh_session(void); static int ssh_session2(void); static void load_public_identity_files(void); @@ -204,13 +240,14 @@ int main(int ac, char **av) { - int i, opt, exit_status; + int i, opt, exit_status, cerr; u_short fwd_port, fwd_host_port; char sfwd_port[6], sfwd_host_port[6]; char *p, *cp, buf[256]; struct stat st; struct passwd *pw; int dummy; + uid_t original_effective_uid; extern int optind, optreset; extern char *optarg; @@ -221,15 +258,6 @@ original_real_uid = getuid(); original_effective_uid = geteuid(); - /* - * Use uid-swapping to give up root privileges for the duration of - * option processing. We will re-instantiate the rights when we are - * ready to create the privileged port, and will permanently drop - * them when the port has been created (actually, when the connection - * has been made, as we may need to create the port several times). - */ - PRIV_END; - /* If we are installed setuid root be careful to not drop core. */ if (original_real_uid != original_effective_uid) { struct rlimit rlim; @@ -247,6 +275,15 @@ pw = pwcopy(pw); /* + * Use uid-swapping to give up root privileges for the duration of + * option processing. We will re-instantiate the rights when we are + * ready to create the privileged port, and will permanently drop + * them when the port has been created (actually, when the connection + * has been made, as we may need to create the port several times). + */ + temporarily_use_uid(pw); + + /* * Set our umask to something reasonable, as some files are created * with the default umask. This will make them world-readable but * writable only by the owner, which is ok for all files for which we @@ -292,7 +329,7 @@ case 'g': options.gateway_ports = 1; break; - case 'P': /* deprecated */ + case 'P': options.use_privileged_port = 0; break; case 'a': @@ -425,7 +462,7 @@ /* NOTREACHED */ } if ((fwd_port = a2port(sfwd_port)) == 0 || - (fwd_host_port = a2port(sfwd_host_port)) == 0) { + (fwd_host_port = a2port(sfwd_host_port)) == 0) { fprintf(stderr, "Bad forwarding port(s) '%s'\n", optarg); exit(1); @@ -435,7 +472,7 @@ fwd_host_port); else if (opt == 'R') add_remote_forward(&options, fwd_port, buf, - fwd_host_port); + fwd_host_port); break; case 'D': @@ -541,7 +578,7 @@ if (buffer_len(&command) == 0) tty_flag = 1; - /* Force no tty */ + /* Force no tty*/ if (no_tty_flag) tty_flag = 0; /* Do not allocate a tty if stdin is not a tty. */ @@ -593,50 +630,52 @@ "originating port will not be trusted."); options.rhosts_authentication = 0; } + /* + * If using rsh has been selected, exec it now (without trying + * anything else). Note that we must release privileges first. + */ + if (options.use_rsh) { + /* + * Restore our superuser privileges. This must be done + * before permanently setting the uid. + */ + restore_uid(); + + /* Switch to the original uid permanently. */ + permanently_set_uid(pw); + + /* Execute rsh. */ + rsh_connect(host, options.user, &command); + fatal("rsh_connect returned"); + } + /* Restore our superuser privileges. */ + restore_uid(); + /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, IPv4or6, + cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6, options.connection_attempts, - original_effective_uid == 0 && options.use_privileged_port, - options.proxy_command) != 0) - exit(1); + original_effective_uid != 0 || !options.use_privileged_port, + pw, options.proxy_command); /* * If we successfully made the connection, load the host private key * in case we will need it later for combined rsa-rhosts * authentication. This must be done before releasing extra * privileges, because the file is only readable by root. - * If we cannot access the private keys, load the public keys - * instead and try to execute the ssh-keysign helper instead. */ sensitive_data.nkeys = 0; sensitive_data.keys = NULL; - sensitive_data.external_keysign = 0; - if (options.rhosts_rsa_authentication || - options.hostbased_authentication) { + if (!cerr && (options.rhosts_rsa_authentication || + options.hostbased_authentication)) { sensitive_data.nkeys = 3; - sensitive_data.keys = xmalloc(sensitive_data.nkeys * - sizeof(Key)); - - PRIV_START; + sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key)); sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, _PATH_HOST_KEY_FILE, "", NULL); sensitive_data.keys[1] = key_load_private_type(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, "", NULL); sensitive_data.keys[2] = key_load_private_type(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL); - PRIV_END; - - if (options.hostbased_authentication == 1 && - sensitive_data.keys[0] == NULL && - sensitive_data.keys[1] == NULL && - sensitive_data.keys[2] == NULL) { - sensitive_data.keys[1] = key_load_public( - _PATH_HOST_DSA_KEY_FILE, NULL); - sensitive_data.keys[2] = key_load_public( - _PATH_HOST_RSA_KEY_FILE, NULL); - sensitive_data.external_keysign = 1; - } } /* * Get rid of any extra privileges that we may have. We will no @@ -645,10 +684,17 @@ * user's home directory if it happens to be on a NFS volume where * root is mapped to nobody. */ - seteuid(original_real_uid); - setuid(original_real_uid); /* + * Note that some legacy systems need to postpone the following call + * to permanently_set_uid() until the private hostkey is destroyed + * with RSA_free(). Otherwise the calling user could ptrace() the + * process, read the private hostkey and impersonate the host. + * OpenBSD does not allow ptracing of setuid processes. + */ + permanently_set_uid(pw); + + /* * Now that we are back to our own permissions, create ~/.ssh * directory if it doesn\'t already exist. */ @@ -657,6 +703,21 @@ if (mkdir(buf, 0700) < 0) error("Could not create directory '%.200s'.", buf); + /* Check if the connection failed, and try "rsh" if appropriate. */ + if (cerr) { + if (!options.fallback_to_rsh) + exit(1); + if (options.port != 0) + log("Secure connection to %.100s on port %hu refused; " + "reverting to insecure method", + host, options.port); + else + log("Secure connection to %.100s refused; " + "reverting to insecure method.", host); + + rsh_connect(host, options.user, &command); + fatal("rsh_connect returned"); + } /* load options.identity_files */ load_public_identity_files(); @@ -671,10 +732,9 @@ options.user_hostfile2 = tilde_expand_filename(options.user_hostfile2, original_real_uid); - signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ - /* Log into the remote system. This never returns if the login fails. */ - ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); + ssh_login(sensitive_data.keys, sensitive_data.nkeys, + host, (struct sockaddr *)&hostaddr, pw); /* We no longer need the private host keys. Clear them now. */ if (sensitive_data.nkeys != 0) { @@ -701,56 +761,23 @@ exit_status = compat20 ? ssh_session2() : ssh_session(); packet_close(); - - /* - * Send SIGHUP to proxy command if used. We don't wait() in - * case it hangs and instead rely on init to reap the child - */ - if (proxy_command_pid > 1) - kill(proxy_command_pid, SIGHUP); - return exit_status; } static void -x11_get_proto(char **_proto, char **_data) +x11_get_proto(char *proto, int proto_len, char *data, int data_len) { char line[512]; - static char proto[512], data[512]; FILE *f; int got_data = 0, i; - char *display; - struct stat st; - *_proto = proto; - *_data = data; - proto[0] = data[0] = '\0'; - if (!options.xauth_location || - (stat(options.xauth_location, &st) == -1)) { - debug("No xauth program."); - } else { - if ((display = getenv("DISPLAY")) == NULL) { - debug("x11_get_proto: DISPLAY not set"); - return; - } + if (options.xauth_location) { /* Try to get Xauthority information for the display. */ - if (strncmp(display, "localhost:", 10) == 0) - /* - * Handle FamilyLocal case where $DISPLAY does - * not match an authorization entry. For this we - * just try "xauth list unix:displaynum.screennum". - * XXX: "localhost" match to determine FamilyLocal - * is not perfect. - */ - snprintf(line, sizeof line, "%s list unix:%s 2>" - _PATH_DEVNULL, options.xauth_location, display+10); - else - snprintf(line, sizeof line, "%s list %.200s 2>" - _PATH_DEVNULL, options.xauth_location, display); - debug2("x11_get_proto: %s", line); + snprintf(line, sizeof line, "%.100s list %.200s 2>" _PATH_DEVNULL, + options.xauth_location, getenv("DISPLAY")); f = popen(line, "r"); if (f && fgets(line, sizeof(line), f) && - sscanf(line, "%*s %511s %511s", proto, data) == 2) + sscanf(line, "%*s %s %s", proto, data) == 2) got_data = 1; if (f) pclose(f); @@ -766,12 +793,11 @@ if (!got_data) { u_int32_t rand = 0; - log("Warning: No xauth data; using fake authentication data for X11 forwarding."); - strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); + strlcpy(proto, "MIT-MAGIC-COOKIE-1", proto_len); for (i = 0; i < 16; i++) { if (i % 4 == 0) rand = arc4random(); - snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff); + snprintf(data + 2 * i, data_len - 2 * i, "%02x", rand & 0xff); rand >>= 8; } } @@ -789,7 +815,7 @@ options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port); - success += channel_setup_local_fwd_listener( + success += channel_request_local_forwarding( options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, @@ -816,8 +842,11 @@ { if (options.forward_agent) { /* Clear agent forwarding if we don\'t have an agent. */ - if (!ssh_agent_present()) + int authfd = ssh_get_authentication_socket(); + if (authfd < 0) options.forward_agent = 0; + else + ssh_close_authentication_socket(authfd); } } @@ -825,6 +854,7 @@ ssh_session(void) { int type; + int plen; int interactive = 0; int have_tty = 0; struct winsize ws; @@ -842,7 +872,7 @@ packet_put_int(options.compression_level); packet_send(); packet_write_wait(); - type = packet_read(); + type = packet_read(&plen); if (type == SSH_SMSG_SUCCESS) packet_start_compression(options.compression_level); else if (type == SSH_SMSG_FAILURE) @@ -880,7 +910,7 @@ packet_write_wait(); /* Read response from the server. */ - type = packet_read(); + type = packet_read(&plen); if (type == SSH_SMSG_SUCCESS) { interactive = 1; have_tty = 1; @@ -891,15 +921,15 @@ } /* Request X11 forwarding if enabled and DISPLAY is set. */ if (options.forward_x11 && getenv("DISPLAY") != NULL) { - char *proto, *data; + char proto[512], data[512]; /* Get reasonable local authentication information. */ - x11_get_proto(&proto, &data); + x11_get_proto(proto, sizeof proto, data, sizeof data); /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication spoofing."); x11_request_forwarding_with_spoofing(0, proto, data); /* Read response from the server. */ - type = packet_read(); + type = packet_read(&plen); if (type == SSH_SMSG_SUCCESS) { interactive = 1; } else if (type == SSH_SMSG_FAILURE) { @@ -919,8 +949,8 @@ auth_request_forwarding(); /* Read response from the server. */ - type = packet_read(); - packet_check_eom(); + type = packet_read(&plen); + packet_integrity_check(plen, 0, type); if (type != SSH_SMSG_SUCCESS) log("Warning: Remote host denied authentication agent forwarding."); } @@ -941,7 +971,7 @@ int len = buffer_len(&command); if (len > 900) len = 900; - debug("Sending command: %.*s", len, (u_char *)buffer_ptr(&command)); + debug("Sending command: %.*s", len, buffer_ptr(&command)); packet_start(SSH_CMSG_EXEC_CMD); packet_put_string(buffer_ptr(&command), buffer_len(&command)); packet_send(); @@ -959,7 +989,7 @@ } static void -client_subsystem_reply(int type, u_int32_t seq, void *ctxt) +client_subsystem_reply(int type, int plen, void *ctxt) { int id, len; @@ -967,33 +997,12 @@ len = buffer_len(&command); if (len > 900) len = 900; - packet_check_eom(); + packet_done(); if (type == SSH2_MSG_CHANNEL_FAILURE) fatal("Request for subsystem '%.*s' failed on channel %d", - len, (u_char *)buffer_ptr(&command), id); + len, buffer_ptr(&command), id); } -void -client_global_request_reply(int type, u_int32_t seq, void *ctxt) -{ - int i; - - i = client_global_request_id++; - if (i >= options.num_remote_forwards) { - debug("client_global_request_reply: too many replies %d > %d", - i, options.num_remote_forwards); - return; - } - debug("remote forward %s for: listen %d, connect %s:%d", - type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", - options.remote_forwards[i].port, - options.remote_forwards[i].host, - options.remote_forwards[i].host_port); - if (type == SSH2_MSG_REQUEST_FAILURE) - log("Warning: remote port forwarding failed for listen port %d", - options.remote_forwards[i].port); -} - /* request pty/x11/agent/tcpfwd/shell for channel */ static void ssh_session2_setup(int id, void *arg) @@ -1028,9 +1037,9 @@ } if (options.forward_x11 && getenv("DISPLAY") != NULL) { - char *proto, *data; + char proto[512], data[512]; /* Get reasonable local authentication information. */ - x11_get_proto(&proto, &data); + x11_get_proto(proto, sizeof proto, data, sizeof data); /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication spoofing."); x11_request_forwarding_with_spoofing(id, proto, data); @@ -1050,23 +1059,24 @@ if (len > 900) len = 900; if (subsystem_flag) { - debug("Sending subsystem: %.*s", len, (u_char *)buffer_ptr(&command)); + debug("Sending subsystem: %.*s", len, buffer_ptr(&command)); channel_request_start(id, "subsystem", /*want reply*/ 1); /* register callback for reply */ - /* XXX we assume that client_loop has already been called */ + /* XXX we asume that client_loop has already been called */ dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply); dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply); } else { - debug("Sending command: %.*s", len, (u_char *)buffer_ptr(&command)); + debug("Sending command: %.*s", len, buffer_ptr(&command)); channel_request_start(id, "exec", 0); } packet_put_string(buffer_ptr(&command), buffer_len(&command)); packet_send(); } else { - channel_request_start(id, "shell", 0); - packet_send(); + channel_request(id, "shell", 0); } + /* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */ + /* register different callback, etc. XXX */ packet_set_interactive(interactive); } @@ -1098,20 +1108,24 @@ window = CHAN_SES_WINDOW_DEFAULT; packetmax = CHAN_SES_PACKET_DEFAULT; - if (tty_flag) { - window >>= 1; - packetmax >>= 1; + if (!tty_flag) { + window *= 2; + packetmax *=2; } c = channel_new( "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE, xstrdup("client-session"), /*nonblock*/0); + if (c == NULL) + fatal("ssh_session2_open: channel_new failed"); debug3("ssh_session2_open: channel_new: %d", c->self); channel_send_open(c->self); if (!no_shell_flag) - channel_register_confirm(c->self, ssh_session2_setup); + channel_register_callback(c->self, + SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, + ssh_session2_setup, (void *)0); return c->self; } @@ -1140,29 +1154,40 @@ load_public_identity_files(void) { char *filename; - int i = 0; Key *public; -#ifdef SMARTCARD - Key **keys; + int i = 0; +#ifdef SMARTCARD if (options.smartcard_device != NULL && - options.num_identity_files < SSH_MAX_IDENTITY_FILES && - (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { - int count = 0; - for (i = 0; keys[i] != NULL; i++) { - count++; - memmove(&options.identity_files[1], &options.identity_files[0], - sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); - memmove(&options.identity_keys[1], &options.identity_keys[0], - sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); - options.num_identity_files++; - options.identity_keys[0] = keys[i]; - options.identity_files[0] = xstrdup("smartcard key");; - } - if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) - options.num_identity_files = SSH_MAX_IDENTITY_FILES; - i = count; - xfree(keys); + options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES && + (public = sc_get_key(options.smartcard_device)) != NULL ) { + Key *new; + + if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES) + options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2; + memmove(&options.identity_files[2], &options.identity_files[0], + sizeof(char *) * options.num_identity_files); + options.num_identity_files += 2; + i = 2; + + /* XXX ssh1 vs ssh2 */ + new = key_new(KEY_RSA); + new->flags = KEY_FLAG_EXT; + BN_copy(new->rsa->n, public->rsa->n); + BN_copy(new->rsa->e, public->rsa->e); + RSA_set_method(new->rsa, sc_get_engine()); + options.identity_keys[0] = new; + options.identity_files[0] = xstrdup("smartcard rsa key");; + + new = key_new(KEY_RSA1); + new->flags = KEY_FLAG_EXT; + BN_copy(new->rsa->n, public->rsa->n); + BN_copy(new->rsa->e, public->rsa->e); + RSA_set_method(new->rsa, sc_get_engine()); + options.identity_keys[1] = new; + options.identity_files[1] = xstrdup("smartcard rsa1 key"); + + key_free(public); } #endif /* SMARTCARD */ for (; i < options.num_identity_files; i++) {