Annotation of src/usr.bin/ssh/ssh.h, Revision 1.60
1.1 deraadt 1: /*
1.25 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
1.38 markus 5: *
1.25 deraadt 6: * Generic header file for ssh.
1.38 markus 7: *
1.50 deraadt 8: * As far as I am concerned, the code I have written for this software
9: * can be used freely for any purpose. Any derived versions of this
10: * software must be clearly marked as such, and if the derived work is
11: * incompatible with the protocol description in the RFC file, it must be
12: * called by a name other than "ssh" or "Secure Shell".
1.25 deraadt 13: */
1.1 deraadt 14:
1.60 ! markus 15: /* RCSID("$OpenBSD: ssh.h,v 1.59 2001/01/19 12:45:27 markus Exp $"); */
1.1 deraadt 16:
17: #ifndef SSH_H
18: #define SSH_H
19:
20: #include "rsa.h"
21: #include "cipher.h"
22:
23: /* Cipher used for encrypting authentication files. */
24: #define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES
25:
26: /* Default port number. */
27: #define SSH_DEFAULT_PORT 22
28:
29: /* Maximum number of TCP/IP ports forwarded per direction. */
30: #define SSH_MAX_FORWARDS_PER_DIRECTION 100
31:
1.26 markus 32: /*
33: * Maximum number of RSA authentication identity files that can be specified
34: * in configuration files or on the command line.
35: */
1.1 deraadt 36: #define SSH_MAX_IDENTITY_FILES 100
37:
1.26 markus 38: /*
39: * Major protocol version. A different version indicates major incompatibility
40: * that prevents communication.
1.37 markus 41: *
1.26 markus 42: * Minor protocol version. A different version indicates minor incompatibility
43: * that does not prevent interoperation.
44: */
1.37 markus 45: #define PROTOCOL_MAJOR_1 1
46: #define PROTOCOL_MINOR_1 5
47:
48: /* We support both SSH1 and SSH2 */
49: #define PROTOCOL_MAJOR_2 2
50: #define PROTOCOL_MINOR_2 0
1.1 deraadt 51:
1.26 markus 52: /*
53: * Name for the service. The port named by this service overrides the
54: * default port if present.
55: */
1.1 deraadt 56: #define SSH_SERVICE_NAME "ssh"
57:
/*
 * Name of the environment variable carrying the process id of the
 * authentication agent. (Its value is "SSH_AGENT_PID"; the socket path is
 * a separate variable, SSH_AUTHSOCKET_ENV_NAME below.)
 */
#define SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID"

/*
 * Name of the environment variable containing the pathname of the
 * authentication socket.
 */
#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"

/*
 * Environment variable for overriding the default location of askpass.
 * NOTE(review): this variable names a program location chosen by the
 * environment; whatever consumes it should not honour it while running
 * with privileges it did not start with — confirm against the caller.
 */
#define SSH_ASKPASS_ENV "SSH_ASKPASS"
1.1 deraadt 74:
1.26 markus 75: /*
76: * Force host key length and server key length to differ by at least this
77: * many bits. This is to make double encryption with rsaref work.
78: */
1.1 deraadt 79: #define SSH_KEY_BITS_RESERVED 128
80:
1.26 markus 81: /*
82: * Length of the session key in bytes. (Specified as 256 bits in the
83: * protocol.)
84: */
1.1 deraadt 85: #define SSH_SESSION_KEY_LENGTH 32
86:
87: /* Name of Kerberos service for SSH to use. */
88: #define KRB4_SERVICE_NAME "rcmd"
89:
90:
91: /*------------ definitions for login.c -------------*/
92:
/*
 * Returns the time when the user last logged in. Returns 0 if the
 * information is not available. This must be called before record_login.
 * The host from which the user logged in is stored in buf; the write is
 * presumably bounded by bufsize — confirm against the implementation.
 * NOTE(review): the host string is whatever an earlier record_login stored,
 * i.e. it ultimately originates from a remote peer; treat it as untrusted
 * data when displaying it.
 */
u_long
get_last_login_time(uid_t uid, const char *logname,
    char *buf, u_int bufsize);

/*
 * Records that the user has logged in. This does many things normally done
 * by login(1). host and addr describe the peer as seen by the server.
 */
void
record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
    const char *host, struct sockaddr *addr);

/*
 * Records that the user has logged out. This does many things normally done
 * by login(1) or init.
 */
void record_logout(pid_t pid, const char *ttyname);
1.1 deraadt 115:
116: /*------------ definitions for sshconnect.c ----------*/
117:
1.26 markus 118: /*
119: * Opens a TCP/IP connection to the remote server on the given host. If port
120: * is 0, the default port will be used. If anonymous is zero, a privileged
121: * port will be allocated to make the connection. This requires super-user
122: * privileges if anonymous is false. Connection_attempts specifies the
123: * maximum number of tries, one per second. This returns true on success,
124: * and zero on failure. If the connection is successful, this calls
125: * packet_set_connection for the connection.
126: */
1.38 markus 127: int
1.32 markus 128: ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
1.27 markus 129: u_short port, int connection_attempts,
1.25 deraadt 130: int anonymous, uid_t original_real_uid,
131: const char *proxy_command);
1.1 deraadt 132:
1.26 markus 133: /*
134: * Starts a dialog with the server, and authenticates the current user on the
135: * server. This does not need any extra privileges. The basic connection to
136: * the server must already have been established before this is called. If
137: * login fails, this function prints an error and never returns. This
138: * initializes the random state, and leaves it initialized (it will also have
139: * references from the packet module).
140: */
1.18 markus 141:
1.38 markus 142: void
1.25 deraadt 143: ssh_login(int host_key_valid, RSA * host_key, const char *host,
1.32 markus 144: struct sockaddr * hostaddr, uid_t original_real_uid);
1.1 deraadt 145:
146: /*------------ Definitions for various authentication methods. -------*/
147:
/*
 * Tries to authenticate the user using the .rhosts file. Returns true if
 * authentication succeeds. If ignore_rhosts is non-zero, this will not
 * consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
 * NOTE(review): ignore_rhosts is not a parameter of this function; it is
 * presumably taken from the server configuration — confirm against the
 * implementation. client_user is supplied by the remote side and must be
 * treated as untrusted input by the implementation.
 */
int auth_rhosts(struct passwd * pw, const char *client_user);
1.1 deraadt 154:
1.26 markus 155: /*
156: * Tries to authenticate the user using the .rhosts file and the host using
157: * its host key. Returns true if authentication succeeds.
158: */
1.38 markus 159: int
1.34 markus 160: auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key);
1.1 deraadt 161:
1.26 markus 162: /*
163: * Tries to authenticate the user using password. Returns true if
164: * authentication succeeds.
165: */
1.25 deraadt 166: int auth_password(struct passwd * pw, const char *password);
1.1 deraadt 167:
1.26 markus 168: /*
169: * Performs the RSA authentication dialog with the client. This returns 0 if
170: * the client could not be authenticated, and 1 if authentication was
171: * successful. This may exit if there is a serious protocol violation.
172: */
1.25 deraadt 173: int auth_rsa(struct passwd * pw, BIGNUM * client_n);
1.1 deraadt 174:
1.26 markus 175: /*
176: * Parses an RSA key (number of bits, e, n) from a string. Moves the pointer
177: * over the key. Skips any whitespace at the beginning and at end.
178: */
1.56 markus 179: int auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n);
1.1 deraadt 180:
/*
 * Returns the name of the machine at the other end of the socket. The
 * returned string should be freed by the caller.
 * NOTE(review): the name is presumably obtained by resolving the peer
 * address; such a name is controlled by whoever controls the reverse zone,
 * so it must not be used for access decisions unless the implementation
 * forward-verifies it — confirm. The parameter name "socket" shadows
 * socket(2) only within this prototype; harmless, but easily misread.
 */
char *get_remote_hostname(int socket);

/*
 * Return the canonical name of the host in the other side of the current
 * connection (as returned by packet_get_connection). The host name is
 * cached, so it is efficient to call this several times. The returned
 * pointer is owned by the callee; do not free or modify it. The same
 * trust caveat as for get_remote_hostname applies.
 */
const char *get_canonical_hostname(void);

/*
 * Returns the remote IP address as an ascii string. The value need not be
 * freed by the caller (callee-owned storage; do not modify it).
 */
const char *get_remote_ipaddr(void);

/* Returns the port number of the peer of the socket. */
int get_peer_port(int sock);

/*
 * Returns the port number of the remote/local host of the current
 * connection (no socket argument: they presumably use the connection
 * registered with the packet module — confirm).
 */
int get_remote_port(void);
int get_local_port(void);
206:
1.1 deraadt 207:
1.26 markus 208: /*
209: * Performs the RSA authentication challenge-response dialog with the client,
210: * and returns true (non-zero) if the client gave the correct answer to our
211: * challenge; returns zero if the client gives a wrong answer.
212: */
1.34 markus 213: int auth_rsa_challenge_dialog(RSA *pk);
1.1 deraadt 214:
/*
 * Reads a passphrase from /dev/tty with echo turned off. Returns the
 * passphrase (allocated with xmalloc). Exits if EOF is encountered. If
 * from_stdin is true, the passphrase will be read from stdin instead.
 * The caller owns the returned buffer. Because it holds secret material,
 * the caller should overwrite it with a zeroing routine the compiler cannot
 * elide before freeing it, and keep its lifetime as short as possible.
 * prompt is displayed to the user; it is not a format string.
 */
char *read_passphrase(char *prompt, int from_stdin);
1.1 deraadt 221:
1.20 markus 222:
223: /*------------ Definitions for logging. -----------------------*/
224:
/* Supported syslog facilities and levels. */

/*
 * Syslog facility selectable for the daemon's log output. Each enumerator
 * is presumably mapped onto the corresponding LOG_* facility of syslog(3)
 * by the logging implementation — confirm against do_log/log_init. New
 * facilities must also be added to log_facility_number's name table.
 */
typedef enum {
	SYSLOG_FACILITY_DAEMON,
	SYSLOG_FACILITY_USER,
	SYSLOG_FACILITY_AUTH,
	SYSLOG_FACILITY_LOCAL0,
	SYSLOG_FACILITY_LOCAL1,
	SYSLOG_FACILITY_LOCAL2,
	SYSLOG_FACILITY_LOCAL3,
	SYSLOG_FACILITY_LOCAL4,
	SYSLOG_FACILITY_LOCAL5,
	SYSLOG_FACILITY_LOCAL6,
	SYSLOG_FACILITY_LOCAL7
} SyslogFacility;
239:
/*
 * Log levels, listed from least to most verbose. The enumerators have
 * sequential values, which suggests the level passed to log_init acts as
 * a threshold (messages at a higher-numbered level are dropped) — confirm
 * against do_log. QUIET suppresses output entirely; DEBUG1..DEBUG3 are the
 * increasingly detailed debug levels used by debug()/debug2()/debug3().
 */
typedef enum {
	SYSLOG_LEVEL_QUIET,
	SYSLOG_LEVEL_FATAL,
	SYSLOG_LEVEL_ERROR,
	SYSLOG_LEVEL_INFO,
	SYSLOG_LEVEL_VERBOSE,
	SYSLOG_LEVEL_DEBUG1,
	SYSLOG_LEVEL_DEBUG2,
	SYSLOG_LEVEL_DEBUG3
} LogLevel;
/*
 * Initializes logging. av0 is the program name used to tag messages,
 * level the verbosity threshold, facility the syslog facility, and
 * on_stderr selects stderr instead of syslog when non-zero.
 */
void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr);

/*
 * Logging implementation, depending on server or client. Takes a va_list,
 * so <stdarg.h> must be in scope before this header is included (this
 * header does not include it itself).
 */
void do_log(LogLevel level, const char *fmt, va_list args);

/*
 * name to facility/level: map a configuration keyword to the enum value.
 * The failure value for an unknown name is not visible here — check the
 * implementation before relying on it.
 */
SyslogFacility log_facility_number(char *name);
LogLevel log_level_number(char *name);

/*
 * Output a message to syslog or stderr. The format attribute lets the
 * compiler check the argument list; fmt must always be a literal format
 * string — passing caller- or peer-supplied text as fmt is a format-string
 * bug, use "%s" instead. fatal() does not return.
 * NOTE(review): the name log collides with double log(double) from
 * <math.h>; a translation unit cannot include both this header and
 * <math.h>.
 */
void fatal(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void error(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void log(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void verbose(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void debug2(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void debug3(const char *fmt,...) __attribute__((format(printf, 1, 2)));

/* same as fatal() but w/o logging: runs the registered cleanups and exits */
void fatal_cleanup(void);

/*
 * Registers a cleanup function to be called by fatal()/fatal_cleanup()
 * before exiting. proc is invoked with the supplied context pointer; the
 * caller keeps ownership of context and must keep it valid while the
 * cleanup is registered. It is permissible to call fatal_remove_cleanup for
 * the function itself from the function.
 */
void fatal_add_cleanup(void (*proc) (void *context), void *context);

/*
 * Removes a cleanup function to be called at fatal(). Both proc and context
 * must match the values given to fatal_add_cleanup.
 */
void fatal_remove_cleanup(void (*proc) (void *context), void *context);
1.1 deraadt 281:
/* ---- misc */

/*
 * Expands tildes in the file name. Returns data allocated by xmalloc; the
 * caller frees it.
 * Warning: this calls getpw*, which reads the password database and may
 * block or consult remote directory services depending on the system's
 * configuration; it is also not reentrant.
 */
char *tilde_expand_filename(const char *filename, uid_t my_uid);

/*
 * remove newline at end of string — presumably modifies s in place and
 * returns it; confirm against the implementation.
 */
char *chop(char *s);

/*
 * return next token in configuration line. Takes a pointer to the cursor,
 * so it presumably splits the line in place and advances *s past the token
 * — confirm. Configuration text may come from user-writable files; callers
 * must validate each token.
 */
char *strdelim(char **s);

/* set filedescriptor to non-blocking */
void set_nonblock(int fd);
1.1 deraadt 298:
1.26 markus 299: /*
300: * Performs the interactive session. This handles data transmission between
301: * the client and the program. Note that the notion of stdin, stdout, and
302: * stderr in this function is sort of reversed: this function writes to stdin
303: * (of the child program), and reads from stdout and stderr (of the child
304: * program).
305: */
1.39 deraadt 306: void server_loop(pid_t pid, int fdin, int fdout, int fderr);
1.36 markus 307: void server_loop2(void);
1.1 deraadt 308:
309: /* Client side main loop for the interactive session. */
1.49 markus 310: int client_loop(int have_pty, int escape_char, int id);
1.1 deraadt 311:
/*
 * Linked list of custom environment strings (see auth-rsa.c). Each node
 * carries one environment string s; next is NULL-terminated by convention
 * (ownership of s is not stated here — confirm against the code that
 * builds the list).
 */
struct envstring {
	struct envstring *next;
	char *s;
};
1.30 deraadt 317:
/*
 * Ensure all of the data on the socket goes through: repeatedly calls f
 * (read or write) on fd for the n bytes at s until the transfer is
 * complete. The return value is an ssize_t; presumably n on success and
 * less than n (or -1) on a short transfer or error — confirm against the
 * implementation before checking the result.
 * f is declared with an empty parameter list on purpose, so that both
 * read (void *) and write (const void *) can be passed without a cast;
 * note that C23 reinterprets "()" as "(void)", so this declaration will
 * need a prototyped type plus casts at the call sites there.
 */
ssize_t atomicio(ssize_t (*f)(), int fd, void *s, size_t n);
1.30 deraadt 322:
1.1 deraadt 323: #ifdef KRB4
324: #include <krb.h>
1.26 markus 325: /*
326: * Performs Kerberos v4 mutual authentication with the client. This returns 0
327: * if the client could not be authenticated, and 1 if authentication was
328: * successful. This may exit if there is a serious protocol violation.
329: */
1.25 deraadt 330: int auth_krb4(const char *server_user, KTEXT auth, char **client);
331: int krb4_init(uid_t uid);
332: void krb4_cleanup_proc(void *ignore);
1.28 markus 333: int auth_krb4_password(struct passwd * pw, const char *password);
1.4 dugsong 334:
335: #ifdef AFS
336: #include <kafs.h>
337:
338: /* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
1.25 deraadt 339: int auth_kerberos_tgt(struct passwd * pw, const char *string);
340: int auth_afs_token(struct passwd * pw, const char *token_string);
1.1 deraadt 341:
1.56 markus 342: int creds_to_radix(CREDENTIALS * creds, u_char *buf, size_t buflen);
1.25 deraadt 343: int radix_to_creds(const char *buf, CREDENTIALS * creds);
344: #endif /* AFS */
1.1 deraadt 345:
1.25 deraadt 346: #endif /* KRB4 */
1.32 markus 347:
348: /* AF_UNSPEC or AF_INET or AF_INET6 */
349: extern int IPv4or6;
1.1 deraadt 350:
1.25 deraadt 351: #endif /* SSH_H */