[BACK]Return to ssh.c CVS log [TXT][DIR] Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/ssh.c, Revision 1.4

1.1       deraadt     1: /*
                      2:
                      3: ssh.c
                      4:
                      5: Author: Tatu Ylonen <ylo@cs.hut.fi>
                      6:
                      7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
                      8:                    All rights reserved
                      9:
                     10: Created: Sat Mar 18 16:36:11 1995 ylo
                     11:
                     12: Ssh client program.  This program can be used to log into a remote machine.
                     13: The software supports strong authentication, encryption, and forwarding
                     14: of X11, TCP/IP, and authentication connections.
                     15:
1.2       provos     16: Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
                     17:
1.1       deraadt    18: */
                     19:
                     20: #include "includes.h"
1.4     ! deraadt    21: RCSID("$Id: ssh.c,v 1.3 1999/09/28 07:57:42 deraadt Exp $");
1.1       deraadt    22:
                     23: #include "xmalloc.h"
                     24: #include "ssh.h"
                     25: #include "packet.h"
                     26: #include "buffer.h"
                     27: #include "authfd.h"
                     28: #include "readconf.h"
                     29: #include "uidswap.h"
                     30:
                     31: /* Flag indicating whether debug mode is on.  This can be set on the
                     32:    command line. */
                     33: int debug_flag = 0;
                     34:
                     35: /* Flag indicating whether quiet mode is on. */
                     36: int quiet_flag = 0;
                     37:
                     38: /* Flag indicating whether to allocate a pseudo tty.  This can be set on the
                     39:    command line, and is automatically set if no command is given on the command
                     40:    line. */
                     41: int tty_flag = 0;
                     42:
                     43: /* Flag indicating that nothing should be read from stdin.  This can be set
                     44:    on the command line. */
                     45: int stdin_null_flag = 0;
                     46:
                     47: /* Flag indicating that ssh should fork after authentication.  This is useful
                     48:    so that the pasphrase can be entered manually, and then ssh goes to the
                     49:    background. */
                     50: int fork_after_authentication_flag = 0;
                     51:
                     52: /* General data structure for command line options and options configurable
                     53:    in configuration files.  See readconf.h. */
                     54: Options options;
                     55:
                     56: /* Name of the host we are connecting to.  This is the name given on the
                     57:    command line, or the HostName specified for the user-supplied name
                     58:    in a configuration file. */
                     59: char *host;
                     60:
                     61: #ifdef SIGWINCH
                     62: /* Flag to indicate that we have received a window change signal which has
                     63:    not yet been processed.  This will cause a message indicating the new
                     64:    window size to be sent to the server a little later.  This is volatile
                     65:    because this is updated in a signal handler. */
                     66: volatile int received_window_change_signal = 0;
                     67: #endif /* SIGWINCH */
                     68:
                     69: /* Value of argv[0] (set in the main program). */
                     70: char *av0;
                     71:
                     72: /* Flag indicating whether we have a valid host private key loaded. */
                     73: int host_private_key_loaded = 0;
                     74:
                     75: /* Host private key. */
1.2       provos     76: RSA *host_private_key = NULL;
1.1       deraadt    77:
                     78:
                     79: /* Prints a help message to the user.  This function never returns. */
                     80:
1.2       provos     81: void
                     82: usage()
1.1       deraadt    83: {
                     84:   int i;
                     85:
                     86:   fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
                     87:   fprintf(stderr, "Options:\n");
                     88:   fprintf(stderr, "  -l user     Log in using this user name.\n");
                     89:   fprintf(stderr, "  -n          Redirect input from /dev/null.\n");
                     90:   fprintf(stderr, "  -k          Disable authentication agent forwarding.\n");
                     91: #if defined(KERBEROS_TGT_PASSING) || defined(AFS)
                     92:   fprintf(stderr, "              This also disables passing of AFS tokens/Kerberos tickets.\n");
                     93: #endif /* KERBEROS_TGT_PASSING || AFS */
                     94:   fprintf(stderr, "  -x          Disable X11 connection forwarding.\n");
                     95:   fprintf(stderr, "  -i file     Identity for RSA authentication (default: ~/.ssh/identity).\n");
                     96:   fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
                     97:   fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
                     98:   fprintf(stderr, "  -q          Quiet; don't display any warning messages.\n");
                     99:   fprintf(stderr, "  -f          Fork into background after authentication.\n");
                    100:   fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
                    101:
                    102:   fprintf(stderr, "  -c cipher   Select encryption algorithm: ");
                    103:   for (i = 1; i <= 6; i++)
                    104:     {
                    105:       const char *t = cipher_name(i);
                    106:       if (t[0] == 'n' && t[1] == 'o' && t[2] == ' ')
                    107:        continue;
                    108:       fprintf(stderr, "%s, ", t);
                    109:     }
                    110:   fprintf(stderr, "or none.\n");
                    111:
                    112:   fprintf(stderr, "  -p port     Connect to this port.  Server must be on the same port.\n");
1.4     ! deraadt   113:   fprintf(stderr, "  -g          Allow remote hosts to connect to forwarded ports.\n");
1.1       deraadt   114:   fprintf(stderr, "  -L listen-port:host:port   Forward local port to remote address\n");
                    115:   fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
                    116:   fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", av0);
                    117:   fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
                    118: #ifdef WITH_ZLIB
                    119:   fprintf(stderr, "  -C          Enable compression.\n");
                    120: #endif /* WITH_ZLIB */
                    121:   fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
                    122:   exit(1);
                    123: }
                    124:
                    125: /* Connects to the given host using rsh (or prints an error message and exits
                    126:    if rsh is not available).  This function never returns. */
                    127:
1.2       provos    128: void
                    129: rsh_connect(char *host, char *user, Buffer *command)
1.1       deraadt   130: {
                    131: #ifdef RSH_PATH
                    132:   char *args[10];
                    133:   int i;
                    134:
                    135:   log("Using rsh.  WARNING: Connection will not be encrypted.");
                    136:   /* Build argument list for rsh. */
                    137:   i = 0;
                    138:   args[i++] = RSH_PATH;
                    139:   args[i++] = host;    /* may have to come after user on some systems */
                    140:   if (user)
                    141:     {
                    142:       args[i++] = "-l";
                    143:       args[i++] = user;
                    144:     }
                    145:   if (buffer_len(command) > 0)
                    146:     {
                    147:       buffer_append(command, "\0", 1);
                    148:       args[i++] = buffer_ptr(command);
                    149:     }
                    150:   args[i++] = NULL;
                    151:   if (debug_flag)
                    152:     {
                    153:       for (i = 0; args[i]; i++)
                    154:        {
                    155:          if (i != 0)
                    156:            fprintf(stderr, " ");
                    157:          fprintf(stderr, "%s", args[i]);
                    158:        }
                    159:       fprintf(stderr, "\n");
                    160:     }
                    161:   execv(RSH_PATH, args);
                    162:   perror(RSH_PATH);
                    163:   exit(1);
                    164: #else /* RSH_PATH */
                    165:   fatal("Rsh not available.");
                    166: #endif /* RSH_PATH */
                    167: }
                    168:
                    169: /* Main program for the ssh client. */
                    170:
1.2       provos    171: int
                    172: main(int ac, char **av)
1.1       deraadt   173: {
                    174:   int i, opt, optind, type, exit_status, ok, fwd_port, fwd_host_port, authfd;
                    175:   char *optarg, *cp, buf[256];
                    176:   Buffer command;
                    177:   struct winsize ws;
                    178:   struct stat st;
                    179:   struct passwd *pw, pwcopy;
                    180:   int interactive = 0, dummy;
                    181:   uid_t original_real_uid;
                    182:   uid_t original_effective_uid;
                    183:   int plen;
                    184:
                    185:   /* Save the original real uid.  It will be needed later (uid-swapping may
                    186:      clobber the real uid).  */
                    187:   original_real_uid = getuid();
                    188:   original_effective_uid = geteuid();
                    189:
                    190:   /* If we are installed setuid root be careful to not drop core. */
                    191:   if (original_real_uid != original_effective_uid)
                    192:     {
                    193: #ifdef HAVE_SETRLIMIT
                    194:       struct rlimit rlim;
                    195:       rlim.rlim_cur = rlim.rlim_max = 0;
                    196:       if (setrlimit(RLIMIT_CORE, &rlim) < 0)
                    197:        fatal("setrlimit failed: %.100s", strerror(errno));
                    198: #else
                    199:       fatal("ssh is installed setuid root.\n");
                    200: #endif
                    201:     }
                    202:
                    203:   /* Use uid-swapping to give up root privileges for the duration of option
                    204:      processing.  We will re-instantiate the rights when we are ready to
                    205:      create the privileged port, and will permanently drop them when the
                    206:      port has been created (actually, when the connection has been made, as
                    207:      we may need to create the port several times). */
                    208:   temporarily_use_uid(original_real_uid);
                    209:
                    210: #ifdef HAVE_UMASK
                    211:   /* Set our umask to something reasonable, as some files are created with
                    212:      the default umask.  This will make them world-readable but writable
                    213:      only by the owner, which is ok for all files for which we don't set
                    214:      the modes explicitly. */
                    215:   umask(022);
                    216: #endif /* HAVE_UMASK */
                    217:
                    218:   /* Save our own name. */
                    219:   av0 = av[0];
                    220:
                    221: #ifdef SOCKS
                    222:   /* Initialize SOCKS (the firewall traversal library). */
                    223:   SOCKSinit(av0);
                    224: #endif /* SOCKS */
                    225:
                    226:   /* Initialize option structure to indicate that no values have been set. */
                    227:   initialize_options(&options);
                    228:
                    229:   /* Parse command-line arguments. */
                    230:   host = NULL;
                    231:
                    232:   /* If program name is not one of the standard names, use it as host name. */
                    233:   if (strchr(av0, '/'))
                    234:     cp = strrchr(av0, '/') + 1;
                    235:   else
                    236:     cp = av0;
                    237:   if (strcmp(cp, "rsh") != 0 && strcmp(cp, "ssh") != 0 &&
                    238:       strcmp(cp, "rlogin") != 0 && strcmp(cp, "slogin") != 0)
                    239:     host = cp;
                    240:
                    241:   for (optind = 1; optind < ac; optind++)
                    242:     {
                    243:       if (av[optind][0] != '-')
                    244:        {
                    245:          if (host)
                    246:            break;
1.3       deraadt   247:           if ((cp = strchr(av[optind], '@'))) {
                    248:             options.user = av[optind];
                    249:             *cp = '\0';
                    250:             host = ++cp;
                    251:           }
                    252:           else
                    253:            host = av[optind];
1.1       deraadt   254:          continue;
                    255:        }
                    256:       opt = av[optind][1];
                    257:       if (!opt)
                    258:        usage();
                    259:       if (strchr("eilcpLRo", opt)) /* options with arguments */
                    260:        {
                    261:          optarg = av[optind] + 2;
                    262:          if (strcmp(optarg, "") == 0)
                    263:            {
                    264:              if (optind >= ac - 1)
                    265:                usage();
                    266:              optarg = av[++optind];
                    267:            }
                    268:        }
                    269:       else
                    270:        {
                    271:          if (av[optind][2])
                    272:            usage();
                    273:          optarg = NULL;
                    274:        }
                    275:       switch (opt)
                    276:        {
                    277:        case 'n':
                    278:          stdin_null_flag = 1;
                    279:          break;
                    280:
                    281:        case 'f':
                    282:          fork_after_authentication_flag = 1;
                    283:          stdin_null_flag = 1;
                    284:          break;
                    285:
                    286:        case 'x':
                    287:          options.forward_x11 = 0;
                    288:          break;
                    289:
                    290:        case 'X':
                    291:          options.forward_x11 = 1;
1.4     ! deraadt   292:          break;
        !           293:
        !           294:        case 'g':
        !           295:          options.gateway_ports = 1;
1.1       deraadt   296:          break;
                    297:
                    298:        case 'a':
                    299:          options.forward_agent = 0;
                    300: #ifdef KERBEROS_TGT_PASSING
                    301:          options.kerberos_tgt_passing = 0;
                    302: #endif
                    303: #ifdef AFS
                    304:          options.afs_token_passing = 0;
                    305: #endif
                    306:          break;
                    307:
                    308:        case 'i':
                    309:          if (stat(optarg, &st) < 0)
                    310:            {
                    311:              fprintf(stderr, "Warning: Identity file %s does not exist.\n",
                    312:                      optarg);
                    313:              break;
                    314:            }
                    315:          if (options.num_identity_files >= SSH_MAX_IDENTITY_FILES)
                    316:            fatal("Too many identity files specified (max %d)",
                    317:                  SSH_MAX_IDENTITY_FILES);
                    318:          options.identity_files[options.num_identity_files++] =
                    319:            xstrdup(optarg);
                    320:          break;
                    321:
                    322:        case 't':
                    323:          tty_flag = 1;
                    324:          break;
                    325:
                    326:        case 'v':
                    327:          debug_flag = 1;
                    328:          fprintf(stderr, "SSH Version %s, protocol version %d.%d.\n",
                    329:                  SSH_VERSION, PROTOCOL_MAJOR, PROTOCOL_MINOR);
                    330:          fprintf(stderr, "Compiled with SSL.\n");
                    331:          break;
                    332:
                    333:        case 'q':
                    334:          quiet_flag = 1;
                    335:          break;
                    336:
                    337:        case 'e':
                    338:          if (optarg[0] == '^' && optarg[2] == 0 &&
                    339:              (unsigned char)optarg[1] >= 64 && (unsigned char)optarg[1] < 128)
                    340:            options.escape_char = (unsigned char)optarg[1] & 31;
                    341:          else
                    342:            if (strlen(optarg) == 1)
                    343:              options.escape_char = (unsigned char)optarg[0];
                    344:            else
                    345:              if (strcmp(optarg, "none") == 0)
                    346:                options.escape_char = -2;
                    347:              else
                    348:                {
                    349:                  fprintf(stderr, "Bad escape character '%s'.\n", optarg);
                    350:                  exit(1);
                    351:                }
                    352:          break;
                    353:
                    354:        case 'c':
                    355:          options.cipher = cipher_number(optarg);
                    356:          if (options.cipher == -1)
                    357:            {
                    358:              fprintf(stderr, "Unknown cipher type '%s'\n", optarg);
                    359:              exit(1);
                    360:            }
                    361:          break;
                    362:
                    363:        case 'p':
                    364:          options.port = atoi(optarg);
                    365:          if (options.port < 1 || options.port > 65535)
                    366:            {
                    367:              fprintf(stderr, "Bad port %s.\n", optarg);
                    368:              exit(1);
                    369:            }
                    370:          break;
                    371:
                    372:        case 'l':
                    373:          options.user = optarg;
                    374:          break;
                    375:
                    376:        case 'R':
                    377:          if (sscanf(optarg, "%d:%255[^:]:%d", &fwd_port, buf,
                    378:                     &fwd_host_port) != 3)
                    379:            {
                    380:              fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg);
                    381:              usage();
                    382:              /*NOTREACHED*/
                    383:            }
                    384:          add_remote_forward(&options, fwd_port, buf, fwd_host_port);
                    385:          break;
                    386:
                    387:        case 'L':
                    388:          if (sscanf(optarg, "%d:%255[^:]:%d", &fwd_port, buf,
                    389:                     &fwd_host_port) != 3)
                    390:            {
                    391:              fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg);
                    392:              usage();
                    393:              /*NOTREACHED*/
                    394:            }
                    395:          if (fwd_port < 1024 && original_real_uid != 0)
                    396:            {
                    397:              fprintf(stderr,
                    398:                      "Privileged ports can only be forwarded by root.\n");
                    399:              exit(1);
                    400:            }
                    401:          add_local_forward(&options, fwd_port, buf, fwd_host_port);
                    402:          break;
                    403:
                    404: #ifdef WITH_ZLIB
                    405:        case 'C':
                    406:          options.compression = 1;
                    407:          break;
                    408: #endif /* WITH_ZLIB */
                    409:
                    410:        case 'o':
                    411:          dummy = 1;
                    412:          process_config_line(&options, host ? host : "", optarg,
                    413:                              "command-line", 0, &dummy);
                    414:          break;
                    415:
                    416:        default:
                    417:          usage();
                    418:        }
                    419:     }
                    420:
                    421:  /* Check that we got a host name. */
                    422:   if (!host)
                    423:     usage();
                    424:
                    425:   /* Initialize the command to execute on remote host. */
                    426:   buffer_init(&command);
                    427:
                    428:   /* Save the command to execute on the remote host in a buffer.  There is
                    429:      no limit on the length of the command, except by the maximum packet
                    430:      size.  Also sets the tty flag if there is no command. */
                    431:   if (optind == ac)
                    432:     {
                    433:       /* No command specified - execute shell on a tty. */
                    434:       tty_flag = 1;
                    435:     }
                    436:   else
                    437:     {
                    438:       /* A command has been specified.  Store it into the buffer. */
                    439:       for (i = optind; i < ac; i++)
                    440:        {
                    441:          if (i > optind)
                    442:            buffer_append(&command, " ", 1);
                    443:          buffer_append(&command, av[i], strlen(av[i]));
                    444:        }
                    445:     }
                    446:
                    447:   /* Cannot fork to background if no command. */
                    448:   if (fork_after_authentication_flag && buffer_len(&command) == 0)
                    449:     fatal("Cannot fork into background without a command to execute.");
                    450:
                    451:   /* Allocate a tty by default if no command specified. */
                    452:   if (buffer_len(&command) == 0)
                    453:     tty_flag = 1;
                    454:
                    455:   /* Do not allocate a tty if stdin is not a tty. */
                    456:   if (!isatty(fileno(stdin)))
                    457:     {
                    458:       if (tty_flag)
                    459:        fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n");
                    460:       tty_flag = 0;
                    461:     }
                    462:
                    463:   /* Get user data. */
                    464:   pw = getpwuid(original_real_uid);
                    465:   if (!pw)
                    466:     {
                    467:       fprintf(stderr, "You don't exist, go away!\n");
                    468:       exit(1);
                    469:     }
                    470:
                    471:   /* Take a copy of the returned structure. */
                    472:   memset(&pwcopy, 0, sizeof(pwcopy));
                    473:   pwcopy.pw_name = xstrdup(pw->pw_name);
                    474:   pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
                    475:   pwcopy.pw_uid = pw->pw_uid;
                    476:   pwcopy.pw_gid = pw->pw_gid;
                    477:   pwcopy.pw_dir = xstrdup(pw->pw_dir);
                    478:   pwcopy.pw_shell = xstrdup(pw->pw_shell);
                    479:   pw = &pwcopy;
                    480:
                    481:   /* Initialize "log" output.  Since we are the client all output actually
                    482:      goes to the terminal. */
                    483:   log_init(av[0], 1, debug_flag, quiet_flag, SYSLOG_FACILITY_USER);
                    484:
                    485:   /* Read per-user configuration file. */
                    486:   sprintf(buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_CONFFILE);
                    487:   read_config_file(buf, host, &options);
                    488:
                    489:   /* Read systemwide configuration file. */
                    490:   read_config_file(HOST_CONFIG_FILE, host, &options);
                    491:
                    492:   /* Fill configuration defaults. */
                    493:   fill_default_options(&options);
                    494:   if (options.user == NULL)
                    495:     options.user = xstrdup(pw->pw_name);
                    496:
                    497:   if (options.hostname != NULL)
                    498:     host = options.hostname;
                    499:
                    500:   /* Find canonic host name. */
                    501:   if (strchr(host, '.') == 0)
                    502:     {
                    503:       struct hostent *hp = gethostbyname(host);
                    504:       if (hp != 0)
                    505:        {
                    506:          if (strchr(hp->h_name, '.') != 0)
                    507:            host = xstrdup(hp->h_name);
                    508:          else if (hp->h_aliases != 0
                    509:                   && hp->h_aliases[0] != 0
                    510:                   && strchr(hp->h_aliases[0], '.') != 0)
                    511:            host = xstrdup(hp->h_aliases[0]);
                    512:        }
                    513:     }
                    514:
                    515:   /* Disable rhosts authentication if not running as root. */
                    516:   if (original_effective_uid != 0)
                    517:     {
                    518:       options.rhosts_authentication = 0;
                    519:       options.rhosts_rsa_authentication = 0;
                    520:     }
                    521:
                    522:   /* If using rsh has been selected, exec it now (without trying anything
                    523:      else).  Note that we must release privileges first. */
                    524:   if (options.use_rsh)
                    525:     {
                    526:       /* Restore our superuser privileges.  This must be done before
                    527:          permanently setting the uid. */
                    528:       restore_uid();
                    529:
                    530:       /* Switch to the original uid permanently. */
                    531:       permanently_set_uid(original_real_uid);
                    532:
                    533:       /* Execute rsh. */
                    534:       rsh_connect(host, options.user, &command);
                    535:       fatal("rsh_connect returned");
                    536:     }
                    537:
                    538:   /* Restore our superuser privileges. */
                    539:   restore_uid();
                    540:
                    541:   /* Open a connection to the remote host.  This needs root privileges if
1.2       provos    542:      rhosts_authentication is true. */
1.1       deraadt   543:   ok = ssh_connect(host, options.port, options.connection_attempts,
                    544:                   !options.rhosts_authentication &&
                    545:                   !options.rhosts_rsa_authentication,
1.2       provos    546:                   original_real_uid, options.proxy_command);
1.1       deraadt   547:
                    548:   /* If we successfully made the connection, load the host private key in
                    549:      case we will need it later for combined rsa-rhosts authentication.
                    550:      This must be done before releasing extra privileges, because the file
                    551:      is only readable by root. */
                    552:   if (ok)
                    553:     {
1.2       provos    554:       host_private_key = RSA_new();
                    555:       if (load_private_key(HOST_KEY_FILE, "", host_private_key, NULL))
1.1       deraadt   556:        host_private_key_loaded = 1;
                    557:     }
                    558:
                    559:   /* Get rid of any extra privileges that we may have.  We will no longer need
                    560:      them.  Also, extra privileges could make it very hard to read identity
                    561:      files and other non-world-readable files from the user's home directory
                    562:      if it happens to be on a NFS volume where root is mapped to nobody. */
                    563:   permanently_set_uid(original_real_uid);
                    564:
                    565:   /* Now that we are back to our own permissions, create ~/.ssh directory
                    566:      if it doesn\'t already exist. */
                    567:   sprintf(buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_DIR);
                    568:   if (stat(buf, &st) < 0)
                    569:     if (mkdir(buf, 0755) < 0)
                    570:       error("Could not create directory '%.200s'.", buf);
                    571:
                    572:   /* Check if the connection failed, and try "rsh" if appropriate. */
                    573:   if (!ok)
                    574:     {
                    575:       if (options.port != 0)
                    576:        log("Secure connection to %.100s on port %d refused%.100s.",
                    577:            host, options.port,
                    578:            options.fallback_to_rsh ? "; reverting to insecure method" : "");
                    579:       else
                    580:        log("Secure connection to %.100s refused%.100s.", host,
                    581:            options.fallback_to_rsh ? "; reverting to insecure method" : "");
                    582:
                    583:       if (options.fallback_to_rsh)
                    584:        {
                    585:          rsh_connect(host, options.user, &command);
                    586:          fatal("rsh_connect returned");
                    587:        }
                    588:       exit(1);
                    589:     }
                    590:
                    591:   /* Expand ~ in options.identity_files. */
                    592:   for (i = 0; i < options.num_identity_files; i++)
                    593:     options.identity_files[i] =
                    594:       tilde_expand_filename(options.identity_files[i], original_real_uid);
                    595:
                    596:   /* Expand ~ in known host file names. */
                    597:   options.system_hostfile = tilde_expand_filename(options.system_hostfile,
                    598:                                                  original_real_uid);
                    599:   options.user_hostfile = tilde_expand_filename(options.user_hostfile,
                    600:                                                original_real_uid);
                    601:
1.2       provos    602:   /* Log into the remote system.  This never returns if the login fails. */
                    603:   ssh_login(host_private_key_loaded, host_private_key,
1.1       deraadt   604:            host, &options, original_real_uid);
                    605:
                    606:   /* We no longer need the host private key.  Clear it now. */
                    607:   if (host_private_key_loaded)
1.2       provos    608:     RSA_free(host_private_key); /* Destroys contents safely */
1.1       deraadt   609:
                    610:   /* Close connection cleanly after attack. */
                    611:   cipher_attack_detected = packet_disconnect;
                    612:
                    613:   /* If requested, fork and let ssh continue in the background. */
                    614:   if (fork_after_authentication_flag)
                    615:     {
                    616:       int ret = fork();
                    617:       if (ret == -1)
                    618:        fatal("fork failed: %.100s", strerror(errno));
                    619:       if (ret != 0)
                    620:        exit(0);
                    621: #ifdef HAVE_SETSID
                    622:       setsid();
                    623: #endif /* HAVE_SETSID */
                    624:     }
                    625:
                    626: #ifdef WITH_ZLIB
                    627:   /* Enable compression if requested. */
                    628:   if (options.compression)
                    629:     {
                    630:       debug("Requesting compression at level %d.", options.compression_level);
                    631:
                    632:       if (options.compression_level < 1 || options.compression_level > 9)
                    633:        fatal("Compression level must be from 1 (fast) to 9 (slow, best).");
                    634:
                    635:       /* Send the request. */
                    636:       packet_start(SSH_CMSG_REQUEST_COMPRESSION);
                    637:       packet_put_int(options.compression_level);
                    638:       packet_send();
                    639:       packet_write_wait();
                    640:       type = packet_read(&plen);
                    641:       if (type == SSH_SMSG_SUCCESS)
                    642:        packet_start_compression(options.compression_level);
                    643:       else if (type == SSH_SMSG_FAILURE)
                    644:        log("Warning: Remote host refused compression.");
                    645:       else
                    646:        packet_disconnect("Protocol error waiting for compression response.");
                    647:     }
                    648: #endif /* WITH_ZLIB */
                    649:
                    650:   /* Allocate a pseudo tty if appropriate. */
                    651:   if (tty_flag)
                    652:     {
                    653:       debug("Requesting pty.");
                    654:
                    655:       /* Start the packet. */
                    656:       packet_start(SSH_CMSG_REQUEST_PTY);
                    657:
                    658:       /* Store TERM in the packet.  There is no limit on the length of the
                    659:          string. */
                    660:       cp = getenv("TERM");
                    661:       if (!cp)
                    662:        cp = "";
                    663:       packet_put_string(cp, strlen(cp));
                    664:
                    665:       /* Store window size in the packet. */
                    666:       if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
                    667:        memset(&ws, 0, sizeof(ws));
                    668:       packet_put_int(ws.ws_row);
                    669:       packet_put_int(ws.ws_col);
                    670:       packet_put_int(ws.ws_xpixel);
                    671:       packet_put_int(ws.ws_ypixel);
                    672:
                    673:       /* Store tty modes in the packet. */
                    674:       tty_make_modes(fileno(stdin));
                    675:
                    676:       /* Send the packet, and wait for it to leave. */
                    677:       packet_send();
                    678:       packet_write_wait();
                    679:
                    680:       /* Read response from the server. */
                    681:       type = packet_read(&plen);
                    682:       if (type == SSH_SMSG_SUCCESS)
                    683:        interactive = 1;
                    684:       else if (type == SSH_SMSG_FAILURE)
                    685:        log("Warning: Remote host failed or refused to allocate a pseudo tty.");
                    686:       else
                    687:        packet_disconnect("Protocol error waiting for pty request response.");
                    688:     }
                    689:
                    690:   /* Request X11 forwarding if enabled and DISPLAY is set. */
                    691:   if (options.forward_x11 && getenv("DISPLAY") != NULL)
                    692:     {
                    693:       char line[512], proto[512], data[512];
                    694:       FILE *f;
                    695:       int forwarded = 0, got_data = 0, i;
                    696:
                    697: #ifdef XAUTH_PATH
                    698:       /* Try to get Xauthority information for the display. */
                    699:       sprintf(line, "%.100s list %.200s 2>/dev/null",
                    700:              XAUTH_PATH, getenv("DISPLAY"));
                    701:       f = popen(line, "r");
                    702:       if (f && fgets(line, sizeof(line), f) &&
                    703:          sscanf(line, "%*s %s %s", proto, data) == 2)
                    704:        got_data = 1;
                    705:       if (f)
                    706:        pclose(f);
                    707: #endif /* XAUTH_PATH */
                    708:       /* If we didn't get authentication data, just make up some data.  The
                    709:         forwarding code will check the validity of the response anyway, and
                    710:         substitute this data.  The X11 server, however, will ignore this
                    711:         fake data and use whatever authentication mechanisms it was using
                    712:         otherwise for the local connection. */
                    713:       if (!got_data)
                    714:        {
1.2       provos    715:           u_int32_t rand;
                    716:
1.1       deraadt   717:          strcpy(proto, "MIT-MAGIC-COOKIE-1");
1.2       provos    718:           for (i = 0; i < 16; i++) {
                    719:             if (i % 4 == 0)
                    720:               rand = arc4random();
                    721:             sprintf(data + 2 * i, "%02x", rand & 0xff);
                    722:             rand >>= 8;
                    723:           }
1.1       deraadt   724:        }
                    725:
                    726:       /* Got local authentication reasonable information.  Request forwarding
                    727:         with authentication spoofing. */
                    728:       debug("Requesting X11 forwarding with authentication spoofing.");
1.2       provos    729:       x11_request_forwarding_with_spoofing(proto, data);
1.1       deraadt   730:
                    731:       /* Read response from the server. */
                    732:       type = packet_read(&plen);
                    733:       if (type == SSH_SMSG_SUCCESS)
                    734:        {
                    735:          forwarded = 1;
                    736:          interactive = 1;
                    737:        }
                    738:       else if (type == SSH_SMSG_FAILURE)
                    739:        log("Warning: Remote host denied X11 forwarding.");
                    740:       else
                    741:        packet_disconnect("Protocol error waiting for X11 forwarding");
                    742:     }
                    743:
                    744:   /* Tell the packet module whether this is an interactive session. */
                    745:   packet_set_interactive(interactive, options.keepalives);
                    746:
                    747:   /* Clear agent forwarding if we don\'t have an agent. */
                    748:   authfd = ssh_get_authentication_fd();
                    749:   if (authfd < 0)
                    750:     options.forward_agent = 0;
                    751:   else
                    752:     ssh_close_authentication_socket(authfd);
                    753:
                    754:   /* Request authentication agent forwarding if appropriate. */
                    755:   if (options.forward_agent)
                    756:     {
                    757:       debug("Requesting authentication agent forwarding.");
                    758:       auth_request_forwarding();
                    759:
                    760:       /* Read response from the server. */
                    761:       type = packet_read(&plen);
                    762:       packet_integrity_check(plen, 0, type);
                    763:       if (type != SSH_SMSG_SUCCESS)
                    764:        log("Warning: Remote host denied authentication agent forwarding.");
                    765:     }
                    766:
                    767:   /* Initiate local TCP/IP port forwardings. */
                    768:   for (i = 0; i < options.num_local_forwards; i++)
                    769:     {
                    770:       debug("Connections to local port %d forwarded to remote address %.200s:%d",
                    771:            options.local_forwards[i].port, options.local_forwards[i].host,
                    772:            options.local_forwards[i].host_port);
                    773:       channel_request_local_forwarding(options.local_forwards[i].port,
                    774:                                       options.local_forwards[i].host,
                    775:                                       options.local_forwards[i].host_port);
                    776:     }
                    777:
                    778:   /* Initiate remote TCP/IP port forwardings. */
                    779:   for (i = 0; i < options.num_remote_forwards; i++)
                    780:     {
                    781:       debug("Connections to remote port %d forwarded to local address %.200s:%d",
                    782:            options.remote_forwards[i].port, options.remote_forwards[i].host,
                    783:            options.remote_forwards[i].host_port);
                    784:       channel_request_remote_forwarding(options.remote_forwards[i].port,
                    785:                                        options.remote_forwards[i].host,
                    786:                                        options.remote_forwards[i].host_port);
                    787:     }
                    788:
                    789:   /* If a command was specified on the command line, execute the command now.
                    790:      Otherwise request the server to start a shell. */
                    791:   if (buffer_len(&command) > 0)
                    792:     {
                    793:       int len = buffer_len(&command);
                    794:       if (len > 900)
                    795:        len = 900;
                    796:       debug("Sending command: %.*s", len, buffer_ptr(&command));
                    797:       packet_start(SSH_CMSG_EXEC_CMD);
                    798:       packet_put_string(buffer_ptr(&command), buffer_len(&command));
                    799:       packet_send();
                    800:       packet_write_wait();
                    801:     }
                    802:   else
                    803:     {
                    804:       debug("Requesting shell.");
                    805:       packet_start(SSH_CMSG_EXEC_SHELL);
                    806:       packet_send();
                    807:       packet_write_wait();
                    808:     }
                    809:
                    810:   /* Enter the interactive session. */
                    811:   exit_status = client_loop(tty_flag, tty_flag ? options.escape_char : -1);
                    812:
                    813:   /* Close the connection to the remote host. */
                    814:   packet_close();
                    815:
                    816:   /* Exit with the status returned by the program on the remote side. */
                    817:   exit(exit_status);
                    818: }