Import of OpenSSH 5.1p1

[gssapi-openssh.git] / openssh / monitor.c

diff --git a/openssh/monitor.c b/openssh/monitor.c
index b7463400e688f0a3cf230ecd734b3744c8339e8a..73cf6bc9b9698aba41ac0cbef5aaad3611adf3cf 100644 (file)
--- a/openssh/monitor.c
+++ b/openssh/monitor.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: monitor.c,v 1.99 2008/07/10 18:08:11 markus Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -25,16 +26,39 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
 
-#include <openssl/dh.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include "openbsd-compat/sys-tree.h"
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
 #ifdef SKEY
 #include <skey.h>
 #endif
 
+#include <openssl/dh.h>
+
+#include "openbsd-compat/sys-queue.h"
+#include "xmalloc.h"
 #include "ssh.h"
+#include "key.h"
+#include "buffer.h"
+#include "hostfile.h"
 #include "auth.h"
+#include "cipher.h"
 #include "kex.h"
 #include "dh.h"
 #ifdef TARGET_OS_MAC   /* XXX Broken krb5 headers on Mac */
@@ -55,17 +79,16 @@ RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
 #include "servconf.h"
 #include "monitor.h"
 #include "monitor_mm.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
-#include "xmalloc.h"
 #include "misc.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "compat.h"
 #include "ssh2.h"
 
 #ifdef GSSAPI
-#include "ssh-gss.h"
 static Gssctxt *gsscontext = NULL;
 #endif
 
@@ -143,6 +166,11 @@ int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
 #endif
 
+#ifdef SSH_AUDIT_EVENTS
+int mm_answer_audit_event(int, Buffer *);
+int mm_answer_audit_command(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
 
@@ -166,6 +194,7 @@ struct mon_table {
 #define MON_ISAUTH     0x0004  /* Required for Authentication */
 #define MON_AUTHDECIDE 0x0008  /* Decides Authentication */
 #define MON_ONCE       0x0010  /* Disable after calling */
+#define MON_ALOG       0x0020  /* Log auth attempt without authenticating */
 
 #define MON_AUTH       (MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -186,9 +215,12 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+#endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
+    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
 #endif
 #ifdef SKEY
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
@@ -211,6 +243,10 @@ struct mon_table mon_dispatch_postauth20[] = {
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
+#endif
     {0, 0, NULL}
 };
 
@@ -219,13 +255,13 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
     {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
+    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
 #endif
 #ifdef SKEY
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
@@ -238,6 +274,9 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
     {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
+#endif
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 #endif
     {0, 0, NULL}
 };
@@ -246,6 +285,10 @@ struct mon_table mon_dispatch_postauth15[] = {
     {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef SSH_AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
+#endif
     {0, 0, NULL}
 };
 
@@ -291,6 +334,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
        authctxt = _authctxt;
        memset(authctxt, 0, sizeof(*authctxt));
 
+       authctxt->loginmsg = &loginmsg;
+
        if (compat20) {
                mon_dispatch = mon_dispatch_proto20;
 
@@ -305,7 +350,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
        /* The first few requests do not require asynchronous access */
        while (!authenticated) {
-               authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
+               auth_method = "unknown";
+               authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
                if (authenticated) {
                        if (!(ent->flags & MON_AUTHDECIDE))
                                fatal("%s: unexpected authentication from %d",
@@ -327,7 +373,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
                }
 
-               if (ent->flags & MON_AUTHDECIDE) {
+               if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
                        auth_log(authctxt, authenticated, auth_method,
                            compat20 ? " ssh2" : "");
                        if (!authenticated)
@@ -337,6 +383,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
        if (!authctxt->valid)
                fatal("%s: authenticated invalid user", __func__);
+       if (strcmp(auth_method, "unknown") == 0)
+               fatal("%s: authentication method name unknown", __func__);
 
        debug("%s: %s has been authenticated by privileged process",
            __func__, authctxt->user);
@@ -362,6 +410,7 @@ monitor_child_postauth(struct monitor *pmonitor)
        monitor_set_child_handler(pmonitor->m_pid);
        signal(SIGHUP, &monitor_child_handler);
        signal(SIGTERM, &monitor_child_handler);
+       signal(SIGINT, &monitor_child_handler);
 
        if (compat20) {
                mon_dispatch = mon_dispatch_postauth20;
@@ -516,7 +565,11 @@ mm_answer_sign(int sock, Buffer *m)
        keyid = buffer_get_int(m);
        p = buffer_get_string(m, &datlen);
 
-       if (datlen != 20)
+       /*
+        * Supported KEX types will only return SHA1 (20 byte) or
+        * SHA256 (32 byte) hashes
+        */
+       if (datlen != 20 && datlen != 32)
                fatal("%s: data length incorrect: %u", __func__, datlen);
 
        /* save session id, it will be passed on the first call */
@@ -593,6 +646,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        buffer_put_cstring(m, pwent->pw_shell);
 
  out:
+       buffer_put_string(m, &options, sizeof(options));
+       if (options.banner != NULL)
+               buffer_put_cstring(m, options.banner);
        debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
        mm_request_send(sock, MONITOR_ANS_PWNAM, m);
 
@@ -810,6 +866,7 @@ mm_answer_pam_account(int sock, Buffer *m)
        ret = do_pam_account();
 
        buffer_put_int(m, ret);
+       buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
 
        mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
 
@@ -842,8 +899,8 @@ int
 mm_answer_pam_query(int sock, Buffer *m)
 {
        char *name, *info, **prompts;
-       u_int num, *echo_on;
-       int i, ret;
+       u_int i, num, *echo_on;
+       int ret;
 
        debug3("%s", __func__);
        sshpam_authok = NULL;
@@ -868,6 +925,7 @@ mm_answer_pam_query(int sock, Buffer *m)
                xfree(prompts);
        if (echo_on != NULL)
                xfree(echo_on);
+       auth_method = "keyboard-interactive/pam";
        mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
        return (0);
 }
@@ -876,14 +934,14 @@ int
 mm_answer_pam_respond(int sock, Buffer *m)
 {
        char **resp;
-       u_int num;
-       int i, ret;
+       u_int i, num;
+       int ret;
 
        debug3("%s", __func__);
        sshpam_authok = NULL;
        num = buffer_get_int(m);
        if (num > 0) {
-               resp = xmalloc(num * sizeof(char *));
+               resp = xcalloc(num, sizeof(char *));
                for (i = 0; i < num; ++i)
                        resp[i] = buffer_get_string(m, NULL);
                ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
@@ -910,6 +968,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
        (sshpam_device.free_ctx)(sshpam_ctxt);
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+       auth_method = "keyboard-interactive/pam";
        return (sshpam_authok == sshpam_ctxt);
 }
 #endif
@@ -951,21 +1010,28 @@ mm_answer_keyallowed(int sock, Buffer *m)
        debug3("%s: key_from_blob: %p", __func__, key);
 
        if (key != NULL && authctxt->valid) {
-               switch(type) {
+               switch (type) {
                case MM_USERKEY:
                        allowed = options.pubkey_authentication &&
                            user_key_allowed(authctxt->pw, key);
+                       auth_method = "publickey";
+                       if (options.pubkey_authentication && allowed != 1)
+                               auth_clear_options();
                        break;
                case MM_HOSTKEY:
                        allowed = options.hostbased_authentication &&
                            hostbased_key_allowed(authctxt->pw,
                            cuser, chost, key);
+                       auth_method = "hostbased";
                        break;
                case MM_RSAHOSTKEY:
                        key->type = KEY_RSA1; /* XXX */
                        allowed = options.rhosts_rsa_authentication &&
                            auth_rhosts_rsa_key_allowed(authctxt->pw,
                            cuser, chost, key);
+                       if (options.rhosts_rsa_authentication && allowed != 1)
+                               auth_clear_options();
+                       auth_method = "rsa";
                        break;
                default:
                        fatal("%s: unknown key type %d", __func__, type);
@@ -985,10 +1051,16 @@ mm_answer_keyallowed(int sock, Buffer *m)
                key_blobtype = type;
                hostbased_cuser = cuser;
                hostbased_chost = chost;
+       } else {
+               /* Log failed attempt */
+               auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+               xfree(blob);
+               xfree(cuser);
+               xfree(chost);
        }
 
        debug3("%s: key %p is %s",
-           __func__, key, allowed ? "allowed" : "disallowed");
+           __func__, key, allowed ? "allowed" : "not allowed");
 
        buffer_clear(m);
        buffer_put_int(m, allowed);
@@ -1154,7 +1226,7 @@ mm_answer_keyverify(int sock, Buffer *m)
 
        verified = key_verify(key, signature, signaturelen, data, datalen);
        debug3("%s: key %p signature %s",
-           __func__, key, verified ? "verified" : "unverified");
+           __func__, key, (verified == 1) ? "verified" : "unverified");
 
        key_free(key);
        xfree(blob);
@@ -1169,7 +1241,7 @@ mm_answer_keyverify(int sock, Buffer *m)
        buffer_put_int(m, verified);
        mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
 
-       return (verified);
+       return (verified == 1);
 }
 
 static void
@@ -1186,7 +1258,7 @@ mm_record_login(Session *s, struct passwd *pw)
        fromlen = sizeof(from);
        if (packet_connection_is_on_socket()) {
                if (getpeername(packet_get_connection_in(),
-                       (struct sockaddr *) & from, &fromlen) < 0) {
+                   (struct sockaddr *)&from, &fromlen) < 0) {
                        debug("getpeername: %.100s", strerror(errno));
                        cleanup_exit(255);
                }
@@ -1202,10 +1274,10 @@ mm_session_close(Session *s)
 {
        debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
        if (s->ttyfd != -1) {
-               debug3("%s: tty %s ptyfd %d",  __func__, s->tty, s->ptyfd);
+               debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
                session_pty_cleanup2(s);
        }
-       s->used = 0;
+       session_unused(s->self);
 }
 
 int
@@ -1247,8 +1319,9 @@ mm_answer_pty(int sock, Buffer *m)
 
        mm_request_send(sock, MONITOR_ANS_PTY, m);
 
-       mm_send_fd(sock, s->ptyfd);
-       mm_send_fd(sock, s->ttyfd);
+       if (mm_send_fd(sock, s->ptyfd) == -1 ||
+           mm_send_fd(sock, s->ttyfd) == -1)
+               fatal("%s: send fds failed", __func__);
 
        /* make sure nothing uses fd 0 */
        if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
@@ -1262,7 +1335,7 @@ mm_answer_pty(int sock, Buffer *m)
        /* no need to dup() because nobody closes ptyfd */
        s->ptymaster = s->ptyfd;
 
-       debug3("%s: tty %s ptyfd %d",  __func__, s->tty, s->ttyfd);
+       debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
 
        return (0);
 
@@ -1297,7 +1370,7 @@ mm_answer_sesskey(int sock, Buffer *m)
        int rsafail;
 
        /* Turn off permissions */
-       monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
+       monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
 
        if ((p = BN_new()) == NULL)
                fatal("%s: BN_new", __func__);
@@ -1349,6 +1422,7 @@ mm_answer_rsa_keyallowed(int sock, Buffer *m)
 
        debug3("%s entering", __func__);
 
+       auth_method = "rsa";
        if (options.rsa_authentication && authctxt->valid) {
                if ((client_n = BN_new()) == NULL)
                        fatal("%s: BN_new", __func__);
@@ -1478,6 +1552,11 @@ mm_answer_term(int sock, Buffer *req)
        /* The child is terminating */
        session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+       if (options.use_pam)
+               sshpam_cleanup();
+#endif
+
        while (waitpid(pmonitor->m_pid, &status, 0) == -1)
                if (errno != EINTR)
                        exit(1);
@@ -1488,6 +1567,48 @@ mm_answer_term(int sock, Buffer *req)
        exit(res);
 }
 
+#ifdef SSH_AUDIT_EVENTS
+/* Report that an audit event occurred */
+int
+mm_answer_audit_event(int socket, Buffer *m)
+{
+       ssh_audit_event_t event;
+
+       debug3("%s entering", __func__);
+
+       event = buffer_get_int(m);
+       switch(event) {
+       case SSH_AUTH_FAIL_PUBKEY:
+       case SSH_AUTH_FAIL_HOSTBASED:
+       case SSH_AUTH_FAIL_GSSAPI:
+       case SSH_LOGIN_EXCEED_MAXTRIES:
+       case SSH_LOGIN_ROOT_DENIED:
+       case SSH_CONNECTION_CLOSE:
+       case SSH_INVALID_USER:
+               audit_event(event);
+               break;
+       default:
+               fatal("Audit event type %d not permitted", event);
+       }
+
+       return (0);
+}
+
+int
+mm_answer_audit_command(int socket, Buffer *m)
+{
+       u_int len;
+       char *cmd;
+
+       debug3("%s entering", __func__);
+       cmd = buffer_get_string(m, &len);
+       /* sanity check command, if so how? */
+       audit_run_command(cmd);
+       xfree(cmd);
+       return (0);
+}
+#endif /* SSH_AUDIT_EVENTS */
+
 void
 monitor_apply_keystate(struct monitor *pmonitor)
 {
@@ -1543,8 +1664,7 @@ mm_get_kex(Buffer *m)
        void *blob;
        u_int bloblen;
 
-       kex = xmalloc(sizeof(*kex));
-       memset(kex, 0, sizeof(*kex));
+       kex = xcalloc(1, sizeof(*kex));
        kex->session_id = buffer_get_string(m, &kex->session_id_len);
        if ((session_id2 == NULL) ||
            (kex->session_id_len != session_id2_len) ||
@@ -1554,6 +1674,7 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+       kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -1584,7 +1705,7 @@ mm_get_keystate(struct monitor *pmonitor)
        u_char *blob, *p;
        u_int bloblen, plen;
        u_int32_t seqnr, packets;
-       u_int64_t blocks;
+       u_int64_t blocks, bytes;
 
        debug3("%s: Waiting for new keys", __func__);
 
@@ -1617,11 +1738,13 @@ mm_get_keystate(struct monitor *pmonitor)
        seqnr = buffer_get_int(&m);
        blocks = buffer_get_int64(&m);
        packets = buffer_get_int(&m);
-       packet_set_state(MODE_OUT, seqnr, blocks, packets);
+       bytes = buffer_get_int64(&m);
+       packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
        seqnr = buffer_get_int(&m);
        blocks = buffer_get_int64(&m);
        packets = buffer_get_int(&m);
-       packet_set_state(MODE_IN, seqnr, blocks, packets);
+       bytes = buffer_get_int64(&m);
+       packet_set_state(MODE_IN, seqnr, blocks, packets, bytes);
 
  skip:
        /* Get the key context */
@@ -1713,9 +1836,8 @@ monitor_init(void)
        struct monitor *mon;
        int pair[2];
 
-       mon = xmalloc(sizeof(*mon));
+       mon = xcalloc(1, sizeof(*mon));
 
-       mon->m_pid = 0;
        monitor_socketpair(pair);
 
        mon->m_recvfd = pair[0];
@@ -1762,7 +1884,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        buffer_clear(m);
        buffer_put_int(m, major);
 
-       mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);
+       mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
 
        /* Now we have a context, enable the step */
        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
@@ -1775,7 +1897,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 {
        gss_buffer_desc in;
        gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
-       OM_uint32 major,minor;
+       OM_uint32 major, minor;
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -1792,7 +1914,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 
        gss_release_buffer(&minor, &out);
 
-       if (major==GSS_S_COMPLETE) {
+       if (major == GSS_S_COMPLETE) {
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1841,7 +1963,7 @@ mm_answer_gss_userok(int sock, Buffer *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
-       auth_method="gssapi-with-mic";
+       auth_method = "gssapi-with-mic";
 
        /* Monitor loop will terminate if authenticated */
        return (authenticated);