]> andersk Git - openssh.git/blame - channels.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Added INSTALL documentation
[openssh.git] / channels.c
CommitLineData
8efc0c15 1/*
2
3channels.c
4
5Author: Tatu Ylonen <ylo@cs.hut.fi>
6
7Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8 All rights reserved
9
10Created: Fri Mar 24 16:35:24 1995 ylo
11
12This file contains functions for generic socket connection forwarding.
13There is also code for initiating connection forwarding for X11 connections,
14arbitrary tcp/ip connections, and the authentication agent connection.
15
16*/
17
18#include "includes.h"
19RCSID("$Id$");
20
21#include "ssh.h"
22#include "packet.h"
23#include "xmalloc.h"
24#include "buffer.h"
25#include "authfd.h"
26#include "uidswap.h"
27#include "servconf.h"
28
29#include "channels.h"
30#include "nchan.h"
31#include "compat.h"
32
33/* Maximum number of fake X11 displays to try. */
34#define MAX_DISPLAYS 1000
35
36/* Max len of agent socket */
37#define MAX_SOCKET_NAME 100
38
39/* Pointer to an array containing all allocated channels. The array is
40 dynamically extended as needed. */
41static Channel *channels = NULL;
42
43/* Size of the channel array. All slots of the array must always be
44 initialized (at least the type field); unused slots are marked with
45 type SSH_CHANNEL_FREE. */
46static int channels_alloc = 0;
47
48/* Maximum file descriptor value used in any of the channels. This is updated
49 in channel_allocate. */
50static int channel_max_fd_value = 0;
51
52/* Name and directory of socket for authentication agent forwarding. */
53static char *channel_forwarded_auth_socket_name = NULL;
54static char *channel_forwarded_auth_socket_dir = NULL;
55
56/* Saved X11 authentication protocol name. */
57char *x11_saved_proto = NULL;
58
59/* Saved X11 authentication data. This is the real data. */
60char *x11_saved_data = NULL;
61unsigned int x11_saved_data_len = 0;
62
63/* Fake X11 authentication data. This is what the server will be sending
64 us; we should replace any occurrences of this by the real data. */
65char *x11_fake_data = NULL;
66unsigned int x11_fake_data_len;
67
68/* Data structure for storing which hosts are permitted for forward requests.
69 The local sides of any remote forwards are stored in this array to prevent
70 a corrupt remote server from accessing arbitrary TCP/IP ports on our
71 local network (which might be behind a firewall). */
72typedef struct
73{
74 char *host; /* Host name. */
75 int port; /* Port number. */
76} ForwardPermission;
77
78/* List of all permitted host/port pairs to connect. */
79static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
80/* Number of permitted host/port pairs in the array. */
81static int num_permitted_opens = 0;
82/* If this is true, all opens are permitted. This is the case on the
83 server on which we have to trust the client anyway, and the user could
84 do anything after logging in anyway. */
85static int all_opens_permitted = 0;
86
87/* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
88static int have_hostname_in_open = 0;
89
90/* Sets specific protocol options. */
91
92void channel_set_options(int hostname_in_open)
93{
94 have_hostname_in_open = hostname_in_open;
95}
96
97/* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
98 called by the server, because the user could connect to any port anyway,
99 and the server has no way to know but to trust the client anyway. */
100
101void channel_permit_all_opens()
102{
103 all_opens_permitted = 1;
104}
105
106/* Allocate a new channel object and set its type and socket.
107 This will cause remote_name to be freed. */
108
109int channel_allocate(int type, int sock, char *remote_name)
110{
5068f573 111 int i, found;
112 Channel *c;
8efc0c15 113
114 /* Update the maximum file descriptor value. */
115 if (sock > channel_max_fd_value)
116 channel_max_fd_value = sock;
117
118 /* Do initial allocation if this is the first call. */
119 if (channels_alloc == 0)
120 {
121 channels_alloc = 10;
122 channels = xmalloc(channels_alloc * sizeof(Channel));
123 for (i = 0; i < channels_alloc; i++)
124 channels[i].type = SSH_CHANNEL_FREE;
125
126 /* Kludge: arrange a call to channel_stop_listening if we terminate
127 with fatal(). */
128 fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL);
129 }
130
131 /* Try to find a free slot where to put the new channel. */
5068f573 132 for (found = -1, i = 0; i < channels_alloc; i++)
8efc0c15 133 if (channels[i].type == SSH_CHANNEL_FREE)
134 {
5068f573 135 /* Found a free slot. */
136 found = i;
137 break;
8efc0c15 138 }
139
5068f573 140 if (found == -1)
141 {
142 /* There are no free slots. Take last+1 slot and expand the array. */
143 found = channels_alloc;
144 channels_alloc += 10;
145 debug("channel: expanding %d", channels_alloc);
146 channels = xrealloc(channels, channels_alloc * sizeof(Channel));
147 for (i = found; i < channels_alloc; i++)
148 channels[i].type = SSH_CHANNEL_FREE;
149 }
150
151 /* Initialize and return new channel number. */
152 c=&channels[found];
153 buffer_init(&c->input);
154 buffer_init(&c->output);
155 chan_init_iostates(c);
156 c->self = found;
157 c->type = type;
5068f573 158 c->sock = sock;
159 c->remote_id = -1;
160 c->remote_name = remote_name;
161 debug("channel %d: new [%s]", found, remote_name);
162 return found;
8efc0c15 163}
164
165/* Free the channel and close its socket. */
166
167void channel_free(int channel)
168{
5bae4ab8 169 if (channel < 0 || channel >= channels_alloc ||
170 channels[channel].type == SSH_CHANNEL_FREE)
171 packet_disconnect("channel free: bad local channel %d", channel);
172
8efc0c15 173 if(compat13)
174 shutdown(channels[channel].sock, SHUT_RDWR);
175 close(channels[channel].sock);
176 buffer_free(&channels[channel].input);
177 buffer_free(&channels[channel].output);
178 channels[channel].type = SSH_CHANNEL_FREE;
179 if (channels[channel].remote_name)
180 {
181 xfree(channels[channel].remote_name);
182 channels[channel].remote_name = NULL;
183 }
184}
185
186/* This is called just before select() to add any bits relevant to
187 channels in the select bitmasks. */
188
189void channel_prepare_select(fd_set *readset, fd_set *writeset)
190{
191 int i;
192 Channel *ch;
193 unsigned char *ucp;
194 unsigned int proto_len, data_len;
195
196 for (i = 0; i < channels_alloc; i++)
197 {
198 ch = &channels[i];
199 redo:
200 switch (ch->type)
201 {
202 case SSH_CHANNEL_X11_LISTENER:
203 case SSH_CHANNEL_PORT_LISTENER:
204 case SSH_CHANNEL_AUTH_SOCKET:
205 FD_SET(ch->sock, readset);
206 break;
207
208 case SSH_CHANNEL_OPEN:
209 if(compat13){
210 if (buffer_len(&ch->input) < 32768)
211 FD_SET(ch->sock, readset);
212 if (buffer_len(&ch->output) > 0)
213 FD_SET(ch->sock, writeset);
214 break;
215 }
216 /* test whether sockets are 'alive' for read/write */
217 if (ch->istate == CHAN_INPUT_OPEN)
218 if (buffer_len(&ch->input) < 32768)
219 FD_SET(ch->sock, readset);
220 if (ch->ostate == CHAN_OUTPUT_OPEN || ch->ostate == CHAN_OUTPUT_WAIT_DRAIN){
221 if (buffer_len(&ch->output) > 0){
222 FD_SET(ch->sock, writeset);
223 }else if(ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
224 chan_obuf_empty(ch);
225 }
226 }
227 break;
228
229 case SSH_CHANNEL_INPUT_DRAINING:
230 if (!compat13)
231 fatal("cannot happen: IN_DRAIN");
232 if (buffer_len(&ch->input) == 0)
233 {
234 packet_start(SSH_MSG_CHANNEL_CLOSE);
235 packet_put_int(ch->remote_id);
236 packet_send();
237 ch->type = SSH_CHANNEL_CLOSED;
238 debug("Closing channel %d after input drain.", i);
239 break;
240 }
241 break;
242
243 case SSH_CHANNEL_OUTPUT_DRAINING:
244 if (!compat13)
245 fatal("cannot happen: OUT_DRAIN");
246 if (buffer_len(&ch->output) == 0)
247 {
248 /* debug("Freeing channel %d after output drain.", i); */
249 channel_free(i);
250 break;
251 }
252 FD_SET(ch->sock, writeset);
253 break;
254
255 case SSH_CHANNEL_X11_OPEN:
256 /* This is a special state for X11 authentication spoofing. An
257 opened X11 connection (when authentication spoofing is being
258 done) remains in this state until the first packet has been
259 completely read. The authentication data in that packet is
260 then substituted by the real data if it matches the fake data,
261 and the channel is put into normal mode. */
262
263 /* Check if the fixed size part of the packet is in buffer. */
264 if (buffer_len(&ch->output) < 12)
265 break;
266
267 /* Parse the lengths of variable-length fields. */
268 ucp = (unsigned char *)buffer_ptr(&ch->output);
269 if (ucp[0] == 0x42)
270 { /* Byte order MSB first. */
271 proto_len = 256 * ucp[6] + ucp[7];
272 data_len = 256 * ucp[8] + ucp[9];
273 }
274 else
275 if (ucp[0] == 0x6c)
276 { /* Byte order LSB first. */
277 proto_len = ucp[6] + 256 * ucp[7];
278 data_len = ucp[8] + 256 * ucp[9];
279 }
280 else
281 {
282 debug("Initial X11 packet contains bad byte order byte: 0x%x",
283 ucp[0]);
284 ch->type = SSH_CHANNEL_OPEN;
285 goto reject;
286 }
287
288 /* Check if the whole packet is in buffer. */
289 if (buffer_len(&ch->output) <
290 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
291 break;
292
293 /* Check if authentication protocol matches. */
294 if (proto_len != strlen(x11_saved_proto) ||
295 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0)
296 {
297 debug("X11 connection uses different authentication protocol.");
298 ch->type = SSH_CHANNEL_OPEN;
299 goto reject;
300 }
301
302 /* Check if authentication data matches our fake data. */
303 if (data_len != x11_fake_data_len ||
304 memcmp(ucp + 12 + ((proto_len + 3) & ~3),
305 x11_fake_data, x11_fake_data_len) != 0)
306 {
307 debug("X11 auth data does not match fake data.");
308 ch->type = SSH_CHANNEL_OPEN;
309 goto reject;
310 }
311
5bae4ab8 312 /* Check fake data length */
313 if (x11_fake_data_len != x11_saved_data_len)
314 {
315 error("X11 fake_data_len %d != saved_data_len %d",
316 x11_fake_data_len, x11_saved_data_len);
317 ch->type = SSH_CHANNEL_OPEN;
318 goto reject;
319 }
320
8efc0c15 321 /* Received authentication protocol and data match our fake data.
322 Substitute the fake data with real data. */
8efc0c15 323 memcpy(ucp + 12 + ((proto_len + 3) & ~3),
324 x11_saved_data, x11_saved_data_len);
325
326 /* Start normal processing for the channel. */
327 ch->type = SSH_CHANNEL_OPEN;
8efc0c15 328 goto redo;
329
330 reject:
331 /* We have received an X11 connection that has bad authentication
332 information. */
333 log("X11 connection rejected because of wrong authentication.\r\n");
334 buffer_clear(&ch->input);
335 buffer_clear(&ch->output);
336 if (compat13) {
337 close(ch->sock);
338 ch->sock = -1;
339 ch->type = SSH_CHANNEL_CLOSED;
340 packet_start(SSH_MSG_CHANNEL_CLOSE);
341 packet_put_int(ch->remote_id);
342 packet_send();
343 }else{
5068f573 344 debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
8efc0c15 345 chan_read_failed(ch);
346 chan_write_failed(ch);
5068f573 347 debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
8efc0c15 348 }
349 break;
350
351 case SSH_CHANNEL_FREE:
352 default:
353 continue;
354 }
355 }
356}
357
358/* After select, perform any appropriate operations for channels which
359 have events pending. */
360
361void channel_after_select(fd_set *readset, fd_set *writeset)
362{
363 struct sockaddr addr;
364 int addrlen, newsock, i, newch, len;
365 Channel *ch;
366 char buf[16384], *remote_hostname;
367
368 /* Loop over all channels... */
369 for (i = 0; i < channels_alloc; i++)
370 {
371 ch = &channels[i];
372 switch (ch->type)
373 {
374 case SSH_CHANNEL_X11_LISTENER:
375 /* This is our fake X11 server socket. */
376 if (FD_ISSET(ch->sock, readset))
377 {
378 debug("X11 connection requested.");
379 addrlen = sizeof(addr);
380 newsock = accept(ch->sock, &addr, &addrlen);
381 if (newsock < 0)
382 {
383 error("accept: %.100s", strerror(errno));
384 break;
385 }
386 remote_hostname = get_remote_hostname(newsock);
387 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
388 remote_hostname, get_peer_port(newsock));
389 xfree(remote_hostname);
390 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
391 xstrdup(buf));
392 packet_start(SSH_SMSG_X11_OPEN);
393 packet_put_int(newch);
394 if (have_hostname_in_open)
395 packet_put_string(buf, strlen(buf));
396 packet_send();
397 }
398 break;
399
400 case SSH_CHANNEL_PORT_LISTENER:
401 /* This socket is listening for connections to a forwarded TCP/IP
402 port. */
403 if (FD_ISSET(ch->sock, readset))
404 {
405 debug("Connection to port %d forwarding to %.100s:%d requested.",
406 ch->listening_port, ch->path, ch->host_port);
407 addrlen = sizeof(addr);
408 newsock = accept(ch->sock, &addr, &addrlen);
409 if (newsock < 0)
410 {
411 error("accept: %.100s", strerror(errno));
412 break;
413 }
414 remote_hostname = get_remote_hostname(newsock);
5068f573 415 snprintf(buf, sizeof buf, "listen port %d:%.100s:%d, connect from %.200s:%d",
416 ch->listening_port, ch->path, ch->host_port,
417 remote_hostname, get_peer_port(newsock));
8efc0c15 418 xfree(remote_hostname);
419 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
420 xstrdup(buf));
421 packet_start(SSH_MSG_PORT_OPEN);
422 packet_put_int(newch);
423 packet_put_string(ch->path, strlen(ch->path));
424 packet_put_int(ch->host_port);
425 if (have_hostname_in_open)
426 packet_put_string(buf, strlen(buf));
427 packet_send();
428 }
429 break;
430
431 case SSH_CHANNEL_AUTH_SOCKET:
432 /* This is the authentication agent socket listening for connections
433 from clients. */
434 if (FD_ISSET(ch->sock, readset))
435 {
436 int nchan;
437 len = sizeof(addr);
438 newsock = accept(ch->sock, &addr, &len);
439 if (newsock < 0)
440 {
441 error("accept from auth socket: %.100s", strerror(errno));
442 break;
443 }
444
445 nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock,
446 xstrdup("accepted auth socket"));
447 packet_start(SSH_SMSG_AGENT_OPEN);
448 packet_put_int(nchan);
449 packet_send();
450 }
451 break;
452
453 case SSH_CHANNEL_OPEN:
454 /* This is an open two-way communication channel. It is not of
455 interest to us at this point what kind of data is being
456 transmitted. */
457
458 /* Read available incoming data and append it to buffer;
459 shutdown socket, if read or write failes */
460 if (FD_ISSET(ch->sock, readset))
461 {
462 len = read(ch->sock, buf, sizeof(buf));
463 if (len <= 0)
464 {
465 if (compat13) {
466 buffer_consume(&ch->output, buffer_len(&ch->output));
467 ch->type = SSH_CHANNEL_INPUT_DRAINING;
468 debug("Channel %d status set to input draining.", i);
469 }else{
470 chan_read_failed(ch);
471 }
472 break;
473 }
474 buffer_append(&ch->input, buf, len);
475 }
476 /* Send buffered output data to the socket. */
477 if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
478 {
479 len = write(ch->sock, buffer_ptr(&ch->output),
480 buffer_len(&ch->output));
481 if (len <= 0)
482 {
483 if (compat13) {
484 buffer_consume(&ch->output, buffer_len(&ch->output));
485 debug("Channel %d status set to input draining.", i);
486 ch->type = SSH_CHANNEL_INPUT_DRAINING;
487 }else{
488 chan_write_failed(ch);
489 }
490 break;
491 }
492 buffer_consume(&ch->output, len);
493 }
494 break;
495
496 case SSH_CHANNEL_OUTPUT_DRAINING:
497 if (!compat13)
498 fatal("cannot happen: OUT_DRAIN");
499 /* Send buffered output data to the socket. */
500 if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
501 {
502 len = write(ch->sock, buffer_ptr(&ch->output),
503 buffer_len(&ch->output));
504 if (len <= 0)
505 buffer_consume(&ch->output, buffer_len(&ch->output));
506 else
507 buffer_consume(&ch->output, len);
508 }
509 break;
510
511 case SSH_CHANNEL_X11_OPEN:
512 case SSH_CHANNEL_FREE:
513 default:
514 continue;
515 }
516 }
517}
518
519/* If there is data to send to the connection, send some of it now. */
520
521void channel_output_poll()
522{
523 int len, i;
524 Channel *ch;
525
526 for (i = 0; i < channels_alloc; i++)
527 {
528 ch = &channels[i];
529 /* We are only interested in channels that can have buffered incoming
530 data. */
531 if (ch->type != SSH_CHANNEL_OPEN &&
532 ch->type != SSH_CHANNEL_INPUT_DRAINING)
533 continue;
534
535 /* Get the amount of buffered data for this channel. */
536 len = buffer_len(&ch->input);
537 if (len > 0)
538 {
539 /* Send some data for the other side over the secure connection. */
540 if (packet_is_interactive())
541 {
542 if (len > 1024)
543 len = 512;
544 }
545 else
546 {
547 if (len > 16384)
548 len = 16384; /* Keep the packets at reasonable size. */
549 }
550 packet_start(SSH_MSG_CHANNEL_DATA);
551 packet_put_int(ch->remote_id);
552 packet_put_string(buffer_ptr(&ch->input), len);
553 packet_send();
554 buffer_consume(&ch->input, len);
555 }
556 else if(ch->istate == CHAN_INPUT_WAIT_DRAIN)
557 {
558 if (compat13)
559 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
560 /* input-buffer is empty and read-socket shutdown:
561 tell peer, that we will not send more data: send IEOF */
562 chan_ibuf_empty(ch);
563 }
564 }
565}
566
567/* This is called when a packet of type CHANNEL_DATA has just been received.
568 The message type has already been consumed, but channel number and data
569 is still there. */
570
571void channel_input_data(int payload_len)
572{
573 int channel;
574 char *data;
575 unsigned int data_len;
576
577 /* Get the channel number and verify it. */
578 channel = packet_get_int();
579 if (channel < 0 || channel >= channels_alloc ||
580 channels[channel].type == SSH_CHANNEL_FREE)
581 packet_disconnect("Received data for nonexistent channel %d.", channel);
582
583 /* Ignore any data for non-open channels (might happen on close) */
584 if (channels[channel].type != SSH_CHANNEL_OPEN &&
585 channels[channel].type != SSH_CHANNEL_X11_OPEN)
586 return;
587
588 /* Get the data. */
589 data = packet_get_string(&data_len);
590 packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA);
591 buffer_append(&channels[channel].output, data, data_len);
592 xfree(data);
593}
594
595/* Returns true if no channel has too much buffered data, and false if
596 one or more channel is overfull. */
597
598int channel_not_very_much_buffered_data()
599{
600 unsigned int i;
601 Channel *ch;
602
603 for (i = 0; i < channels_alloc; i++)
604 {
605 ch = &channels[i];
606 switch (ch->type)
607 {
608 case SSH_CHANNEL_X11_LISTENER:
609 case SSH_CHANNEL_PORT_LISTENER:
610 case SSH_CHANNEL_AUTH_SOCKET:
611 continue;
612 case SSH_CHANNEL_OPEN:
613 if (buffer_len(&ch->input) > 32768)
614 return 0;
615 if (buffer_len(&ch->output) > 32768)
616 return 0;
617 continue;
618 case SSH_CHANNEL_INPUT_DRAINING:
619 case SSH_CHANNEL_OUTPUT_DRAINING:
620 case SSH_CHANNEL_X11_OPEN:
621 case SSH_CHANNEL_FREE:
622 default:
623 continue;
624 }
625 }
626 return 1;
627}
628
629/* This is called after receiving CHANNEL_CLOSE/IEOF. */
630
631void channel_input_close()
632{
633 int channel;
634
635 /* Get the channel number and verify it. */
636 channel = packet_get_int();
637 if (channel < 0 || channel >= channels_alloc ||
638 channels[channel].type == SSH_CHANNEL_FREE)
639 packet_disconnect("Received data for nonexistent channel %d.", channel);
640
641 if(!compat13){
642 /* proto version 1.5 overloads CLOSE with IEOF */
643 chan_rcvd_ieof(&channels[channel]);
644 return;
645 }
646
647 /* Send a confirmation that we have closed the channel and no more data is
648 coming for it. */
649 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
650 packet_put_int(channels[channel].remote_id);
651 packet_send();
652
653 /* If the channel is in closed state, we have sent a close request, and
654 the other side will eventually respond with a confirmation. Thus,
655 we cannot free the channel here, because then there would be no-one to
656 receive the confirmation. The channel gets freed when the confirmation
657 arrives. */
658 if (channels[channel].type != SSH_CHANNEL_CLOSED)
659 {
660 /* Not a closed channel - mark it as draining, which will cause it to
661 be freed later. */
662 buffer_consume(&channels[channel].input,
663 buffer_len(&channels[channel].input));
664 channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
665 /* debug("Setting status to output draining; output len = %d",
666 buffer_len(&channels[channel].output)); */
667 }
668}
669
670/* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
671
672void channel_input_close_confirmation()
673{
674 int channel;
675
676 /* Get the channel number and verify it. */
677 channel = packet_get_int();
678 if (channel < 0 || channel >= channels_alloc)
679 packet_disconnect("Received close confirmation for out-of-range channel %d.",
680 channel);
681
682 if(!compat13){
683 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
684 chan_rcvd_oclose(&channels[channel]);
685 return;
686 }
687
688 if (channels[channel].type != SSH_CHANNEL_CLOSED)
689 packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
690 channel, channels[channel].type);
691
692 /* Free the channel. */
693 channel_free(channel);
694}
695
696/* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
697
698void channel_input_open_confirmation()
699{
700 int channel, remote_channel;
701
702 /* Get the channel number and verify it. */
703 channel = packet_get_int();
704 if (channel < 0 || channel >= channels_alloc ||
705 channels[channel].type != SSH_CHANNEL_OPENING)
706 packet_disconnect("Received open confirmation for non-opening channel %d.",
707 channel);
708
709 /* Get remote side's id for this channel. */
710 remote_channel = packet_get_int();
711
712 /* Record the remote channel number and mark that the channel is now open. */
713 channels[channel].remote_id = remote_channel;
714 channels[channel].type = SSH_CHANNEL_OPEN;
715}
716
717/* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
718
719void channel_input_open_failure()
720{
721 int channel;
722
723 /* Get the channel number and verify it. */
724 channel = packet_get_int();
725 if (channel < 0 || channel >= channels_alloc ||
726 channels[channel].type != SSH_CHANNEL_OPENING)
727 packet_disconnect("Received open failure for non-opening channel %d.",
728 channel);
729
730 /* Free the channel. This will also close the socket. */
731 channel_free(channel);
732}
733
734/* Stops listening for channels, and removes any unix domain sockets that
735 we might have. */
736
737void channel_stop_listening()
738{
739 int i;
740 for (i = 0; i < channels_alloc; i++)
741 {
742 switch (channels[i].type)
743 {
744 case SSH_CHANNEL_AUTH_SOCKET:
745 close(channels[i].sock);
746 remove(channels[i].path);
747 channel_free(i);
748 break;
749 case SSH_CHANNEL_PORT_LISTENER:
750 case SSH_CHANNEL_X11_LISTENER:
751 close(channels[i].sock);
752 channel_free(i);
753 break;
754 default:
755 break;
756 }
757 }
758}
759
760/* Closes the sockets of all channels. This is used to close extra file
761 descriptors after a fork. */
762
763void channel_close_all()
764{
765 int i;
766 for (i = 0; i < channels_alloc; i++)
767 {
768 if (channels[i].type != SSH_CHANNEL_FREE)
769 close(channels[i].sock);
770 }
771}
772
773/* Returns the maximum file descriptor number used by the channels. */
774
775int channel_max_fd()
776{
777 return channel_max_fd_value;
778}
779
780/* Returns true if any channel is still open. */
781
782int channel_still_open()
783{
784 unsigned int i;
785 for (i = 0; i < channels_alloc; i++)
786 switch (channels[i].type)
787 {
788 case SSH_CHANNEL_FREE:
789 case SSH_CHANNEL_X11_LISTENER:
790 case SSH_CHANNEL_PORT_LISTENER:
791 case SSH_CHANNEL_CLOSED:
792 case SSH_CHANNEL_AUTH_SOCKET:
793 continue;
794 case SSH_CHANNEL_OPENING:
795 case SSH_CHANNEL_OPEN:
796 case SSH_CHANNEL_X11_OPEN:
797 return 1;
798 case SSH_CHANNEL_INPUT_DRAINING:
799 case SSH_CHANNEL_OUTPUT_DRAINING:
800 if (!compat13)
801 fatal("cannot happen: OUT_DRAIN");
802 return 1;
803 default:
804 fatal("channel_still_open: bad channel type %d", channels[i].type);
805 /*NOTREACHED*/
806 }
807 return 0;
808}
809
810/* Returns a message describing the currently open forwarded
811 connections, suitable for sending to the client. The message
812 contains crlf pairs for newlines. */
813
814char *channel_open_message()
815{
816 Buffer buffer;
817 int i;
818 char buf[512], *cp;
819
820 buffer_init(&buffer);
821 snprintf(buf, sizeof buf, "The following connections are open:\r\n");
822 buffer_append(&buffer, buf, strlen(buf));
823 for (i = 0; i < channels_alloc; i++){
824 Channel *c=&channels[i];
825 switch (c->type)
826 {
827 case SSH_CHANNEL_FREE:
828 case SSH_CHANNEL_X11_LISTENER:
829 case SSH_CHANNEL_PORT_LISTENER:
830 case SSH_CHANNEL_CLOSED:
831 case SSH_CHANNEL_AUTH_SOCKET:
832 continue;
833 case SSH_CHANNEL_OPENING:
834 case SSH_CHANNEL_OPEN:
835 case SSH_CHANNEL_X11_OPEN:
836 case SSH_CHANNEL_INPUT_DRAINING:
837 case SSH_CHANNEL_OUTPUT_DRAINING:
5068f573 838 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d o%d)\r\n",
839 c->self,c->remote_name,
840 c->type,c->remote_id, c->istate,c->ostate);
8efc0c15 841 buffer_append(&buffer, buf, strlen(buf));
842 continue;
843 default:
844 fatal("channel_still_open: bad channel type %d", c->type);
845 /*NOTREACHED*/
846 }
847 }
848 buffer_append(&buffer, "\0", 1);
849 cp = xstrdup(buffer_ptr(&buffer));
850 buffer_free(&buffer);
851 return cp;
852}
853
854/* Initiate forwarding of connections to local port "port" through the secure
855 channel to host:port from remote side. */
856
857void channel_request_local_forwarding(int port, const char *host,
858 int host_port)
859{
860 int ch, sock;
861 struct sockaddr_in sin;
862 extern Options options;
863
864 if (strlen(host) > sizeof(channels[0].path) - 1)
865 packet_disconnect("Forward host name too long.");
866
867 /* Create a port to listen for the host. */
868 sock = socket(AF_INET, SOCK_STREAM, 0);
869 if (sock < 0)
870 packet_disconnect("socket: %.100s", strerror(errno));
871
872 /* Initialize socket address. */
873 memset(&sin, 0, sizeof(sin));
874 sin.sin_family = AF_INET;
875 if (options.gateway_ports == 1)
876 sin.sin_addr.s_addr = htonl(INADDR_ANY);
877 else
878 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
879 sin.sin_port = htons(port);
880
881 /* Bind the socket to the address. */
882 if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
883 packet_disconnect("bind: %.100s", strerror(errno));
884
885 /* Start listening for connections on the socket. */
886 if (listen(sock, 5) < 0)
887 packet_disconnect("listen: %.100s", strerror(errno));
888
889 /* Allocate a channel number for the socket. */
890 ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
891 xstrdup("port listener"));
892 strcpy(channels[ch].path, host); /* note: host name stored here */
893 channels[ch].host_port = host_port; /* port on host to connect to */
894 channels[ch].listening_port = port; /* port being listened */
895}
896
897/* Initiate forwarding of connections to port "port" on remote host through
898 the secure channel to host:port from local side. */
899
900void channel_request_remote_forwarding(int port, const char *host,
901 int remote_port)
902{
903 int payload_len;
904 /* Record locally that connection to this host/port is permitted. */
905 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
906 fatal("channel_request_remote_forwarding: too many forwards");
907 permitted_opens[num_permitted_opens].host = xstrdup(host);
908 permitted_opens[num_permitted_opens].port = remote_port;
909 num_permitted_opens++;
910
911 /* Send the forward request to the remote side. */
912 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
913 packet_put_int(port);
914 packet_put_string(host, strlen(host));
915 packet_put_int(remote_port);
916 packet_send();
917 packet_write_wait();
918
919 /* Wait for response from the remote side. It will send a disconnect
920 message on failure, and we will never see it here. */
921 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
922}
923
924/* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
925 listening for the port, and sends back a success reply (or disconnect
926 message if there was an error). This never returns if there was an
927 error. */
928
929void channel_input_port_forward_request(int is_root)
930{
931 int port, host_port;
932 char *hostname;
933
934 /* Get arguments from the packet. */
935 port = packet_get_int();
936 hostname = packet_get_string(NULL);
937 host_port = packet_get_int();
938
939 /* Port numbers are 16 bit quantities. */
940 if ((port & 0xffff) != port)
941 packet_disconnect("Requested forwarding of nonexistent port %d.", port);
942
943 /* Check that an unprivileged user is not trying to forward a privileged
944 port. */
945 if (port < IPPORT_RESERVED && !is_root)
946 packet_disconnect("Requested forwarding of port %d but user is not root.",
947 port);
948
949 /* Initiate forwarding. */
950 channel_request_local_forwarding(port, hostname, host_port);
951
952 /* Free the argument string. */
953 xfree(hostname);
954}
955
956/* This is called after receiving PORT_OPEN message. This attempts to connect
957 to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
958 CHANNEL_OPEN_FAILURE. */
959
960void channel_input_port_open(int payload_len)
961{
962 int remote_channel, sock, newch, host_port, i;
963 struct sockaddr_in sin;
964 char *host, *originator_string;
965 struct hostent *hp;
966 int host_len, originator_len;
967
968 /* Get remote channel number. */
969 remote_channel = packet_get_int();
970
971 /* Get host name to connect to. */
972 host = packet_get_string(&host_len);
973
974 /* Get port to connect to. */
975 host_port = packet_get_int();
976
977 /* Get remote originator name. */
978 if (have_hostname_in_open)
979 originator_string = packet_get_string(&originator_len);
980 else
981 originator_string = xstrdup("unknown (remote did not supply name)");
982
983 packet_integrity_check(payload_len,
984 4 + 4 + host_len + 4 + 4 + originator_len,
985 SSH_MSG_PORT_OPEN);
986
987 /* Check if opening that port is permitted. */
988 if (!all_opens_permitted)
989 {
990 /* Go trough all permitted ports. */
991 for (i = 0; i < num_permitted_opens; i++)
992 if (permitted_opens[i].port == host_port &&
993 strcmp(permitted_opens[i].host, host) == 0)
994 break;
995
996 /* Check if we found the requested port among those permitted. */
997 if (i >= num_permitted_opens)
998 {
999 /* The port is not permitted. */
1000 log("Received request to connect to %.100s:%d, but the request was denied.",
1001 host, host_port);
1002 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1003 packet_put_int(remote_channel);
1004 packet_send();
1005 }
1006 }
1007
1008 memset(&sin, 0, sizeof(sin));
1009 sin.sin_addr.s_addr = inet_addr(host);
1010 if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1011 {
1012 /* It was a valid numeric host address. */
1013 sin.sin_family = AF_INET;
1014 }
1015 else
1016 {
1017 /* Look up the host address from the name servers. */
1018 hp = gethostbyname(host);
1019 if (!hp)
1020 {
1021 error("%.100s: unknown host.", host);
1022 goto fail;
1023 }
1024 if (!hp->h_addr_list[0])
1025 {
1026 error("%.100s: host has no IP address.", host);
1027 goto fail;
1028 }
1029 sin.sin_family = hp->h_addrtype;
1030 memcpy(&sin.sin_addr, hp->h_addr_list[0],
1031 sizeof(sin.sin_addr));
1032 }
1033 sin.sin_port = htons(host_port);
1034
1035 /* Create the socket. */
1036 sock = socket(sin.sin_family, SOCK_STREAM, 0);
1037 if (sock < 0)
1038 {
1039 error("socket: %.100s", strerror(errno));
1040 goto fail;
1041 }
1042
1043 /* Connect to the host/port. */
1044 if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1045 {
1046 error("connect %.100s:%d: %.100s", host, host_port,
1047 strerror(errno));
1048 close(sock);
1049 goto fail;
1050 }
1051
1052 /* Successful connection. */
1053
1054 /* Allocate a channel for this connection. */
1055 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1056 channels[newch].remote_id = remote_channel;
1057
1058 /* Send a confirmation to the remote host. */
1059 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1060 packet_put_int(remote_channel);
1061 packet_put_int(newch);
1062 packet_send();
1063
1064 /* Free the argument string. */
1065 xfree(host);
1066
1067 return;
1068
1069 fail:
1070 /* Free the argument string. */
1071 xfree(host);
1072
1073 /* Send refusal to the remote host. */
1074 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1075 packet_put_int(remote_channel);
1076 packet_send();
1077}
1078
1079/* Creates an internet domain socket for listening for X11 connections.
1080 Returns a suitable value for the DISPLAY variable, or NULL if an error
1081 occurs. */
1082
1083char *x11_create_display_inet(int screen_number)
1084{
1085 extern ServerOptions options;
1086 int display_number, port, sock;
1087 struct sockaddr_in sin;
1088 char buf[512];
1089 char hostname[MAXHOSTNAMELEN];
1090
1091 for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
1092 {
1093 port = 6000 + display_number;
1094 memset(&sin, 0, sizeof(sin));
1095 sin.sin_family = AF_INET;
1096 sin.sin_addr.s_addr = htonl(INADDR_ANY);
1097 sin.sin_port = htons(port);
1098
1099 sock = socket(AF_INET, SOCK_STREAM, 0);
1100 if (sock < 0)
1101 {
1102 error("socket: %.100s", strerror(errno));
1103 return NULL;
1104 }
1105
1106 if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1107 {
1108 debug("bind port %d: %.100s", port, strerror(errno));
1109 shutdown(sock, SHUT_RDWR);
1110 close(sock);
1111 continue;
1112 }
1113 break;
1114 }
1115 if (display_number >= MAX_DISPLAYS)
1116 {
1117 error("Failed to allocate internet-domain X11 display socket.");
1118 return NULL;
1119 }
1120
1121 /* Start listening for connections on the socket. */
1122 if (listen(sock, 5) < 0)
1123 {
1124 error("listen: %.100s", strerror(errno));
1125 shutdown(sock, SHUT_RDWR);
1126 close(sock);
1127 return NULL;
1128 }
1129
1130 /* Set up a suitable value for the DISPLAY variable. */
1131 if (gethostname(hostname, sizeof(hostname)) < 0)
1132 fatal("gethostname: %.100s", strerror(errno));
1133 snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
1134 display_number, screen_number);
1135
1136 /* Allocate a channel for the socket. */
1137 (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1138 xstrdup("X11 inet listener"));
1139
1140 /* Return a suitable value for the DISPLAY environment variable. */
1141 return xstrdup(buf);
1142}
1143
1144#ifndef X_UNIX_PATH
1145#define X_UNIX_PATH "/tmp/.X11-unix/X"
1146#endif
1147
1148static
1149int
1150connect_local_xsocket(unsigned dnr)
1151{
1152 static const char *const x_sockets[] = {
1153 X_UNIX_PATH "%u",
1154 "/var/X/.X11-unix/X" "%u",
1155 "/usr/spool/sockets/X11/" "%u",
1156 NULL
1157 };
1158 int sock;
1159 struct sockaddr_un addr;
1160 const char *const *path;
1161
1162 for (path = x_sockets; *path; ++path)
1163 {
1164 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1165 if (sock < 0)
1166 error("socket: %.100s", strerror(errno));
1167 memset(&addr, 0, sizeof(addr));
1168 addr.sun_family = AF_UNIX;
1169 snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1170 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1171 return sock;
1172 close(sock);
1173 }
1174 error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1175 return -1;
1176}
1177
1178
1179/* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1180 the remote channel number. We should do whatever we want, and respond
1181 with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1182
1183void x11_input_open(int payload_len)
1184{
1185 int remote_channel, display_number, sock, newch;
1186 const char *display;
1187 struct sockaddr_in sin;
1188 char buf[1024], *cp, *remote_host;
1189 struct hostent *hp;
1190 int remote_len;
1191
1192 /* Get remote channel number. */
1193 remote_channel = packet_get_int();
1194
1195 /* Get remote originator name. */
1196 if (have_hostname_in_open)
1197 remote_host = packet_get_string(&remote_len);
1198 else
1199 remote_host = xstrdup("unknown (remote did not supply name)");
1200
1201 debug("Received X11 open request.");
1202 packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN);
1203
1204 /* Try to open a socket for the local X server. */
1205 display = getenv("DISPLAY");
1206 if (!display)
1207 {
1208 error("DISPLAY not set.");
1209 goto fail;
1210 }
1211
1212 /* Now we decode the value of the DISPLAY variable and make a connection
1213 to the real X server. */
1214
1215 /* Check if it is a unix domain socket. Unix domain displays are in one
1216 of the following formats: unix:d[.s], :d[.s], ::d[.s] */
1217 if (strncmp(display, "unix:", 5) == 0 ||
1218 display[0] == ':')
1219 {
1220 /* Connect to the unix domain socket. */
1221 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1)
1222 {
1223 error("Could not parse display number from DISPLAY: %.100s",
1224 display);
1225 goto fail;
1226 }
1227 /* Create a socket. */
1228 sock = connect_local_xsocket(display_number);
1229 if (sock < 0)
1230 goto fail;
1231
1232 /* OK, we now have a connection to the display. */
1233 goto success;
1234 }
1235
1236 /* Connect to an inet socket. The DISPLAY value is supposedly
1237 hostname:d[.s], where hostname may also be numeric IP address. */
1238 strncpy(buf, display, sizeof(buf));
1239 buf[sizeof(buf) - 1] = 0;
1240 cp = strchr(buf, ':');
1241 if (!cp)
1242 {
1243 error("Could not find ':' in DISPLAY: %.100s", display);
1244 goto fail;
1245 }
1246 *cp = 0;
1247 /* buf now contains the host name. But first we parse the display number. */
1248 if (sscanf(cp + 1, "%d", &display_number) != 1)
1249 {
1250 error("Could not parse display number from DISPLAY: %.100s",
1251 display);
1252 goto fail;
1253 }
1254
1255 /* Try to parse the host name as a numeric IP address. */
1256 memset(&sin, 0, sizeof(sin));
1257 sin.sin_addr.s_addr = inet_addr(buf);
1258 if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1259 {
1260 /* It was a valid numeric host address. */
1261 sin.sin_family = AF_INET;
1262 }
1263 else
1264 {
1265 /* Not a numeric IP address. */
1266 /* Look up the host address from the name servers. */
1267 hp = gethostbyname(buf);
1268 if (!hp)
1269 {
1270 error("%.100s: unknown host.", buf);
1271 goto fail;
1272 }
1273 if (!hp->h_addr_list[0])
1274 {
1275 error("%.100s: host has no IP address.", buf);
1276 goto fail;
1277 }
1278 sin.sin_family = hp->h_addrtype;
1279 memcpy(&sin.sin_addr, hp->h_addr_list[0],
1280 sizeof(sin.sin_addr));
1281 }
1282 /* Set port number. */
1283 sin.sin_port = htons(6000 + display_number);
1284
1285 /* Create a socket. */
1286 sock = socket(sin.sin_family, SOCK_STREAM, 0);
1287 if (sock < 0)
1288 {
1289 error("socket: %.100s", strerror(errno));
1290 goto fail;
1291 }
1292 /* Connect it to the display. */
1293 if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1294 {
1295 error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1296 strerror(errno));
1297 close(sock);
1298 goto fail;
1299 }
1300
1301 success:
1302 /* We have successfully obtained a connection to the real X display. */
1303
1304 /* Allocate a channel for this connection. */
1305 if (x11_saved_proto == NULL)
1306 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1307 else
1308 newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1309 channels[newch].remote_id = remote_channel;
1310
1311 /* Send a confirmation to the remote host. */
1312 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1313 packet_put_int(remote_channel);
1314 packet_put_int(newch);
1315 packet_send();
1316
1317 return;
1318
1319 fail:
1320 /* Send refusal to the remote host. */
1321 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1322 packet_put_int(remote_channel);
1323 packet_send();
1324}
1325
1326/* Requests forwarding of X11 connections, generates fake authentication
1327 data, and enables authentication spoofing. */
1328
1329void x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1330{
1331 unsigned int data_len = (unsigned int)strlen(data) / 2;
1332 unsigned int i, value;
1333 char *new_data;
1334 int screen_number;
1335 const char *cp;
1336 u_int32_t rand = 0;
1337
1338 cp = getenv("DISPLAY");
1339 if (cp)
1340 cp = strchr(cp, ':');
1341 if (cp)
1342 cp = strchr(cp, '.');
1343 if (cp)
1344 screen_number = atoi(cp + 1);
1345 else
1346 screen_number = 0;
1347
1348 /* Save protocol name. */
1349 x11_saved_proto = xstrdup(proto);
1350
1351 /* Extract real authentication data and generate fake data of the same
1352 length. */
1353 x11_saved_data = xmalloc(data_len);
1354 x11_fake_data = xmalloc(data_len);
1355 for (i = 0; i < data_len; i++)
1356 {
1357 if (sscanf(data + 2 * i, "%2x", &value) != 1)
1358 fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1359 if (i % 4 == 0)
1360 rand = arc4random();
1361 x11_saved_data[i] = value;
1362 x11_fake_data[i] = rand & 0xff;
1363 rand >>= 8;
1364 }
1365 x11_saved_data_len = data_len;
1366 x11_fake_data_len = data_len;
1367
1368 /* Convert the fake data into hex. */
1369 new_data = xmalloc(2 * data_len + 1);
1370 for (i = 0; i < data_len; i++)
1371 sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]);
1372
1373 /* Send the request packet. */
1374 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1375 packet_put_string(proto, strlen(proto));
1376 packet_put_string(new_data, strlen(new_data));
1377 packet_put_int(screen_number);
1378 packet_send();
1379 packet_write_wait();
1380 xfree(new_data);
1381}
1382
1383/* Sends a message to the server to request authentication fd forwarding. */
1384
1385void auth_request_forwarding()
1386{
1387 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1388 packet_send();
1389 packet_write_wait();
1390}
1391
1392/* Returns the name of the forwarded authentication socket. Returns NULL
1393 if there is no forwarded authentication socket. The returned value
1394 points to a static buffer. */
1395
1396char *auth_get_socket_name()
1397{
1398 return channel_forwarded_auth_socket_name;
1399}
1400
1401/* removes the agent forwarding socket */
1402
1403void cleanup_socket(void) {
1404 remove(channel_forwarded_auth_socket_name);
1405 rmdir(channel_forwarded_auth_socket_dir);
1406}
1407
1408/* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1409 This starts forwarding authentication requests. */
1410
1411void auth_input_request_forwarding(struct passwd *pw)
1412{
1413 int sock, newch;
1414 struct sockaddr_un sunaddr;
1415
1416 if (auth_get_socket_name() != NULL)
1417 fatal("Protocol error: authentication forwarding requested twice.");
1418
1419 /* Temporarily drop privileged uid for mkdir/bind. */
1420 temporarily_use_uid(pw->pw_uid);
1421
1422 /* Allocate a buffer for the socket name, and format the name. */
1423 channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1424 channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1425 strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1426
1427 /* Create private directory for socket */
1428 if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1429 packet_disconnect("mkdtemp: %.100s", strerror(errno));
1430 snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME,
1431 "%s/agent.%d", channel_forwarded_auth_socket_dir, (int)getpid());
1432
1433 if (atexit(cleanup_socket) < 0) {
1434 int saved=errno;
1435 cleanup_socket();
1436 packet_disconnect("socket: %.100s", strerror(saved));
1437 }
1438
1439 /* Create the socket. */
1440 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1441 if (sock < 0)
1442 packet_disconnect("socket: %.100s", strerror(errno));
1443
1444 /* Bind it to the name. */
1445 memset(&sunaddr, 0, sizeof(sunaddr));
1446 sunaddr.sun_family = AF_UNIX;
1447 strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1448 sizeof(sunaddr.sun_path));
1449
1450 if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
1451 packet_disconnect("bind: %.100s", strerror(errno));
1452
1453 /* Restore the privileged uid. */
1454 restore_uid();
1455
1456 /* Start listening on the socket. */
1457 if (listen(sock, 5) < 0)
1458 packet_disconnect("listen: %.100s", strerror(errno));
1459
1460 /* Allocate a channel for the authentication agent socket. */
1461 newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1462 xstrdup("auth socket"));
1463 strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1464}
1465
1466/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1467
1468void auth_input_open_request()
1469{
1470 int remch, sock, newch;
1471 char *dummyname;
1472
1473 /* Read the remote channel number from the message. */
1474 remch = packet_get_int();
1475
1476 /* Get a connection to the local authentication agent (this may again get
1477 forwarded). */
1478 sock = ssh_get_authentication_socket();
1479
1480 /* If we could not connect the agent, send an error message back to
1481 the server. This should never happen unless the agent
1482 dies, because authentication forwarding is only enabled if we have an
1483 agent. */
1484 if (sock < 0){
1485 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1486 packet_put_int(remch);
1487 packet_send();
1488 return;
1489 }
1490
1491 debug("Forwarding authentication connection.");
1492
1493 /* Dummy host name. This will be freed when the channel is freed; it will
1494 still be valid in the packet_put_string below since the channel cannot
1495 yet be freed at that point. */
1496 dummyname = xstrdup("authentication agent connection");
1497
1498 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1499 channels[newch].remote_id = remch;
1500
1501 /* Send a confirmation to the remote host. */
1502 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1503 packet_put_int(remch);
1504 packet_put_int(newch);
1505 packet_send();
1506}
git-cvsimport mirror of OpenSSH
This page took 0.249403 seconds and 5 git commands to generate.